PUP.Win32.Spigot_b5f20e3c5e

by malwarelabrobot on December 19th, 2014 in Malware Descriptions.

mzpefinder_pcap_file.YR, GenericEmailWorm.YR, PUPSpigot.YR (Lavasoft MAS)
Behaviour: Worm, EmailWorm, PUP

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: b5f20e3c5e7371945f84b59bb3731fd7
SHA1: 82cfccd1c86c960f37d6232ebe573d946b1e33d1
SHA256: beb529d69225ad02ace8094e559df7a574098e9c2cf0e1a08d4c21e59f71fb65
SSDeep: 24576:dZQMkQ5hw6oqQ5UO9revCwM6ZYbXDMSMHFZ9nD6l f0D7CuHw:gy7ToUG2Cf6qbXDNMlznD6l1fCuHw
Size: 937560 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: NCH Software
Created at: 2013-12-10 07:05:55
Analyzed on: Windows7Ada SP1 64-bit

Summary:

PUP. Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted e.g. remote administration tools or IRC clients.

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The PUP creates the following process(es):

TPAutoConnSvc.exe:1776
GoogleUpdate.exe:1160
GoogleUpdate.exe:3620
GoogleUpdate.exe:3708
GoogleUpdate.exe:2608
GoogleUpdate.exe:1440
GoogleUpdaterService.exe:3320
GoogleUpdaterService.exe:1448
googletoolbarinstaller_en_signed.exe:2364
GoogleUpdaterService_B33FC4DD36A473C6.exe:2448
scribe.exe:476
scribe.exe:2252
scribe.exe:2676
%original file name%.exe:1960
GoogleUpdateSetup_latest.exe:1664
nchsetup.exe:3836
GoogleToolbarManager_8CA8B41417E66DEB.exe:3948
GoogleToolbarManager_8CA8B41417E66DEB.exe:3128
GoogleToolbarManager_8CA8B41417E66DEB.exe:1808
GoogleToolbarNotifier.exe:1940
GoogleToolbarNotifier.exe:1752
regsvr32.exe:3096
NCH_GoogleToolbar.exe:1532
SearchWithGoogleUpdate_C993F490EED40C1B.exe:2360

The PUP injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GoogleUpdate.exe:3620 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Update\Install\{9ED6278D-3499-43D2-BA30-93D0A1DF8374}\googletoolbarinstaller_en_signed.exe (38734 bytes)
C:\Windows\Temp\guiACB2.tmp (15 bytes)
%Program Files% (x86)\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\0.0.0.0\googletoolbarinstaller_en_signed.exe (38249 bytes)

The process GoogleUpdate.exe:3708 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\GUM8F82.tmp\goopdate.dll (835 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_en.dll (28 bytes)

The process googletoolbarinstaller_en_signed.exe:2364 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe (620 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar.7.5.5111.1712.manifest.xml (36 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll (2 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_C993F490EED40C1B.exe (50 bytes)
C:\Windows\System32\config\SOFTWARE (59603 bytes)
C:\ (96 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_F8ED9B719A89F8EF.dll (489 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_8E471B27054D20F5.dll (149 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_365102BD7F6C8091.dll (390 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe (801 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller2.log (43972 bytes)
C:\$Directory (672 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe (50 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_54BD4059920ABC8A.dll (514 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe (1480 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe (390 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (54812 bytes)

The process GoogleUpdaterService_B33FC4DD36A473C6.exe:2448 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (390 bytes)

The process scribe.exe:2252 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe (382879 bytes)

The process scribe.exe:2676 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_scribe_rl_adm (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Status\s0000000.sta (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Current\Welcome.wav (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Current\Welcome.dat (832 bytes)

The process %original file name%.exe:1960 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (7384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (647 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (270 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (29704 bytes)

The process GoogleUpdateSetup_latest.exe:1664 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\GUM8F82.tmp\goopdateres_mr.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_lv.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_fi.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUM8F82.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_sw.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUM8F82.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_nl.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ta.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_tr.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_te.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ml.dll (31 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ms.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdate.dll (1702 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_pl.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_es.dll (31 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_bn.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ur.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_iw.dll (26 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_gu.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_sl.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\psuser.dll (159 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_en.dll (27 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_el.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_fil.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\GoogleUpdate.exe (234 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ja.dll (24 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_et.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_sk.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_da.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_fr.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_de.dll (31 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_kn.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_uk.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\psmachine.dll (159 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_no.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_th.dll (27 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_bg.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_vi.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_sv.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_lt.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ko.dll (23 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_hu.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ar.dll (26 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_it.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_is.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ro.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_hi.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_hr.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_fa.dll (27 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_id.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\GoogleCrashHandler.exe (212 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_am.dll (25 bytes)
%Program Files% (x86)\GUM8F82.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_sr.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files% (x86)\GUT8F83.tmp (4 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_cs.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ca.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ru.dll (28 bytes)

The process nchsetup.exe:3836 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Video Capture Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Scribe\Current\Welcome.wav (34532 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Burn CD, DVD or Blu-Ray.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\Favorites\NCH Software Download Site.lnk (310 bytes)
%Program Files% (x86)\NCH Software\Scribe\hookappcommand.dll (6988 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Zip File Compression.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\MixPad MultiTrack Mixer.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\WavePad Sound Editor.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Rip CD Ripper.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Scribe\scribe.exe (13171 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Express Scribe Transcription Software.lnk (1 bytes)
C:\Users\Public\Desktop\Express Scribe Transcription Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Dictate Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Typing Expander Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Switch Sound File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Graphics File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\VideoPad Video Editor.lnk (1 bytes)
C:\ProgramData\NCH Software\Scribe\Current\Welcome.dat (96 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Invoicing Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Classic FTP Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Prism Video File Format Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\RecordPad Sound Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Doxillion Document Converter.lnk (1 bytes)
C:\Users\Public\Desktop\NCH Suite.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Accounting Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Scribe\Status\Template.doc (8844 bytes)
%Program Files% (x86)\NCH Software\Scribe\scribesetup_v5.69.exe (7345 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\SoundTap Streaming Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Dictation Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Transcription Software.lnk (1 bytes)

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3948 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (2418 bytes)

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3128 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (1281 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (673 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (41641 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe (2321 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:1808 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

C:\ProgramData\Google\Custom Buttons\toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (3179 bytes)

The process GoogleToolbarNotifier.exe:1940 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (1 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll (151 bytes)

The process regsvr32.exe:3096 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (348 bytes)

The process NCH_GoogleToolbar.exe:1532 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse8F35.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_latest.exe (25250 bytes)

The process SearchWithGoogleUpdate_C993F490EED40C1B.exe:2360 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (346 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gth.dll (49 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (79 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\Readme.url (212 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll (150 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (1 bytes)

Registry activity

The process TPAutoConnSvc.exe:1776 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,LetterÃ‚Â¶40,40,2086,2712, 5,2159,3556,LegalÃ‚Â¶40,40,2086,3474, 9,2100,2970,A4Ã‚Â¶39,39,2032,2890, 7,1842,2667,ExecutiveÃ‚Â¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)Ã‚Â¶40,40,2086,3220, 11,1480,2100,A5Ã‚Â¶39,39,1408,2020, 70,1050,1480,A6Ã‚Â¶39,39,975,1399, 13,1820,2570,B5 (JIS)Ã‚Â¶39,39,1747,2490, 264,1950,2700,16K 195x270Ã‚Â¶39,39,1882,2620, 263,1840,2600,16K 184x260Ã‚Â¶39,39,1761,2520, 257,1970,2730,16K 197x273Ã‚Â¶39,39,1896,2650, 43,1000,1480,Japanese PostcardÃ‚Â¶39,39,921,1399, 82,1480,2000,Double Japan Postcard RotatedÃ‚Â¶39,39,1408,1919, 20,1046,2413,Envelope #10Ã‚Â¶40,40,975,2331, 37,983,1905,Envelope MonarchÃ‚Â¶40,40,907,1823, 34,1760,2500,Envelope B5Ã‚Â¶39,39,1693,2420, 28,1620,2290,Envelope C5Ã‚Â¶39,39,1544,2209, 27,1100,2200,Envelope DLÃ‚Â¶39,39,1029,2120"
"DelAfterCreate" = "1"

[HKU\.DEFAULT\Printers\DevModes2]
"NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1" = "4E 00 50 00 49 00 34 00 35 00 36 00 41 00 42 00"

The PUP deletes the following registry key(s):

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]

The process GoogleUpdate.exe:1160 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:3620 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"DayOfLastActivity" = "4294967295"
"pv" = "7.5.5111.1712"
"usagestats" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"InstallProgressPercent" = "4294967295"
"StateValue" = "3"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"DayOfLastRollCall" = "4294967295"
"LastCheckSuccess" = "1418883492"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"DownloadTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"DayOfInstall" = "2907"
"InstallTime" = "1418883471"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"InstallTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"brand" = "NCHD"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"DownloadProgressPercent" = "0"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerExtraCode1"
"LastInstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientStateMedium\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"eulaaccepted"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientStateMedium\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"ap"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerResult"
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"iid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"LastInstallerResult"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"eulaaccepted"
"UpdateAvailableSince"
"LastInstallerError"
"LastInstallerResultUIString"
"experiment_labels"
"tttoken"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerError"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"browser"
"LastInstallerExtraCode1"
"LastInstallerSuccessLaunchCmdLine"

The process GoogleUpdate.exe:3708 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats" = "0"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"
"UpdateAvailableCount"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\network\secure]
"sk"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"eulaaccepted"

[HKCU\Software\Google\Update]
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\network\secure]
"c"

[HKCU\Software\Google\Update]
"uid"

The process GoogleUpdate.exe:2608 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:1440 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats" = "0"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
"eulaaccepted"

The process GoogleUpdaterService.exe:3320 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}]
"(Default)" = "ISilentUpdater"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}]
"(Default)" = "IUpdaterScheduler"

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\AppID\GoogleUpdaterService.exe]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\GUSchedulerCtl.UpdaterScheduler]
"(Default)" = "Google Updater Scheduler class"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\ProgID]
"(Default)" = "GUServiceCtl.SilentUpdater.1"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}]
"(Default)" = "Google Updater Scheduler class"

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"Version" = "1.0"

[HKCR\GUServiceCtl.SilentUpdater]
"(Default)" = "Google Silent Updater class"

[HKCR\GUServiceCtl.SilentUpdater\CLSID]
"(Default)" = "{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}]
"(Default)" = "Google Silent Updater class"

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\GUSchedulerCtl.UpdaterScheduler.1\CLSID]
"(Default)" = "{B53B7061-6584-46AA-A033-D610EB10BD9B}"

[HKCR\GUServiceCtl.SilentUpdater\CurVer]
"(Default)" = "GUServiceCtl.SilentUpdater.1"

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"LocalService" = "gusvc"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}]
"(Default)" = "IUpdaterScheduler"

[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"(Default)" = "gusvc"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0]
"(Default)" = "Google Updater Service 1.0 Type Library"

[HKCR\GUServiceCtl.SilentUpdater.1\CLSID]
"(Default)" = "{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\VersionIndependentProgID]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"

[HKCR\GUServiceCtl.SilentUpdater.1]
"(Default)" = "Google Silent Updater class"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\ProgID]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler.1"

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\VersionIndependentProgID]
"(Default)" = "GUServiceCtl.SilentUpdater"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}]
"(Default)" = "ISilentUpdater"

[HKCR\GUSchedulerCtl.UpdaterScheduler\CLSID]
"(Default)" = "{B53B7061-6584-46AA-A033-D610EB10BD9B}"

[HKCR\GUSchedulerCtl.UpdaterScheduler.1]
"(Default)" = "Google Updater Scheduler class"

[HKCR\GUSchedulerCtl.UpdaterScheduler\CurVer]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler.1"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

The PUP deletes the following value(s) in system registry:

[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"LocalService"

The process GoogleUpdaterService.exe:1448 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater\apps\swg]
"auto" = "0"

The process googletoolbarinstaller_en_signed.exe:2364 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"sin" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"NextVersion" = "7.5.5111.1712"
"currentVersion" = "7.5.5111.1712"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"ein" = "1"

[HKCU\Software\Google\Google Toolbar\4.0\Setup]
"InstallProgress" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "C0 12 95 66 8A 1A D0 01"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar]
"test" = "41"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EnabledExperiments" = "POSI,PUMA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Google\Google Toolbar\4.0\Setup]
"Command" = "2"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"FirstInstallTime" = "1418883492"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Google\Google Toolbar]
"LastInstallError"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"NextVersion"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"PrimaryInstallDone"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"FailedInstallPing"

The process GoogleUpdaterService_B33FC4DD36A473C6.exe:2448 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater\apps\tbie]
"auto" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater]
"Path" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"
"Version" = "2.4.2617.4952"

The process scribe.exe:476 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Scheduler]
"SevenDays" = "1"

The process scribe.exe:2252 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\NCH Software\Components\GoogleToolbar]
"State" = "attempted"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Components\GoogleToolbar]
"State" = "attempted"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\NCH Software\Scribe\Software]
"Toolbar" = "cnm-installed,gac,google"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process scribe.exe:2676 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\DirectInput\MostRecentApplication]
"MostRecentStart" = "C5 17 E4 53 8A 1A D0 01"

[HKCU\Software\NCH Software\Scribe\MainWindow]
"MiniWindowPositionY" = "190"

[HKCU\Software\NCH Software\Scribe\Registration]
"Name" = ""

[HKCU\Software\NCH Software\Scribe\MainWindow]
"MiniWindowPositionX" = "453"

[HKCU\Software\NCH Software\Scribe\Settings]
"WordCount" = "1"

[HKCU\Software\Microsoft\DirectInput\MostRecentApplication]
"ID" = "SCRIBE.EXE53E24F3B001CEC58"

[HKCU\Software\NCH Software\Scribe\Settings]
"UseWordProc" = "1"
"WordDefault" = "0"
"DataFolderCurrent" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe"

[HKCU\Software\NCH Software\Scribe\Software]
"SVar" = "LLIBShowSuiteButtonOff"

[HKCU\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0E0F&PID_0003\Calibration\0]
"Guid" = "D0 9D 14 55 8E 86 E4 11 80 01 44 45 53 54 00 00"

[HKCU\Software\Microsoft\DirectInput\MostRecentApplication]
"Version" = "00 07 00 00"

[HKCU\Software\NCH Software\Scribe\Settings]
"Word0" = "C:\ProgramData\NCH Software\Scribe\Status\Template.doc"
"currentfile" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Current\Welcome.dat"

[HKCU\Software\Microsoft\DirectInput\MostRecentApplication]
"Name" = "SCRIBE.EXE"

[HKCU\Software\NCH Software\Scribe\Settings]
"CleanExit" = "0"
"DataFolderPrevious" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe"

The process %original file name%.exe:1960 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process nchsetup.exe:3836 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCR\NCH.Scribe.dvs\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"

[HKCR\NCH.Scribe.dvs\shell]
"(Default)" = "Open"

[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"

[HKCU\Software\NCH Software\Scribe\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\Scribe"

[HKCU\Software\Classes\.OGG]
"(Default)" = "oggfile"

[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"

[HKCU\Software\Classes\.tar]
"(Default)" = "tarfile"

[HKCU\Software\Classes\m4vfile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".aif" = "NCH.Scribe.aif"

[HKCR\.wav\OpenWithProgIds]
"NCH.Scribe.wav" = "Type: REG_NONE, Length: 0"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind PhotoStage %L"

[HKCR\.msv]
"(Default)" = "NCH.Scribe.msv"

[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\.AAC]
"(Default)" = "aacfile"

[HKCU\Software\Classes\avifile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\vocfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileTypes]
".wma" = "NCH.Scribe.wma"

[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"

[HKCR\NCH.Scribe.mp3\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\.meo]
"(Default)" = "meofile"

[HKCU\Software\Classes\.7z]
"(Default)" = "7zfile"

[HKCU\Software\Classes\.nef]
"(Default)" = "neffile"

[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCR\NCH.Scribe.dss\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCR\NCH.Scribe.aif\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\m4afile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileTypes]
".aif" = "NCH.Scribe.aif"

[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"

[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCR\SystemFileAssociations\.dct\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\.rar]
"(Default)" = "rarfile"

[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\neffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Pixillion %L"

[HKCU\Software\Classes\.avi]
"(Default)" = "avifile"

[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".aiff" = "NCH.Scribe.aiff"

[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\aufile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\pngfile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKCR\NCH.Scribe.aiff\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"

[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".wma" = "NCH.Scribe.wma"

[HKCU\Software\Classes\.asf]
"(Default)" = "asffile"

[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\gzfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCR\.dvs\OpenWithProgIds]
"NCH.Scribe.dvs" = "Type: REG_NONE, Length: 0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"Publisher" = "NCH Software"

[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"

[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKCU\Software\Classes\.vox]
"(Default)" = "voxfile"

[HKCR\NCH.Scribe.dvs\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"

[HKCR\NCH.Scribe.dct\shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\neffile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKCU\Software\Classes\ds2file\shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\.vpj]
"(Default)" = "vpjfile"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\Scribe"

[HKCR\Applications\scribe.exe]
"(Default)" = "Express Scribe Transcription Software"

[HKCR\NCH.Scribe.dvs]
"(Default)" = "Express Scribe Dictation File"

[HKCU\Software\NCH Software\Scribe\Hotkey\6]
"Command" = "7"

[HKCU\Software\Classes\meofile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\vobfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\neffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\7zfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\TIFImage.Document\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"DisplayIcon" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe"

[HKCR\NCH.Scribe.msv\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"

[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCR\.aiff\OpenWithProgIds]
"NCH.Scribe.aiff" = "Type: REG_NONE, Length: 0"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".dvs" = "NCH.Scribe.dvs"

[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKCU\Software\Classes\AcroExch.Document\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\mp4file\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\Paint.Picture\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"

[HKCU\Software\Classes\voxfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.AU]
"(Default)" = "aufile"

[HKCU\Software\Classes\.mpg]
"(Default)" = "mpgfile"

[HKCU\Software\Classes\.vob]
"(Default)" = "vobfile"

[HKCU\Software\Classes\mpdpfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\asffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"

[HKCR\NCH.Scribe.mp3\shell]
"(Default)" = "Open"

[HKCR\SystemFileAssociations\.mp3\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCR\NCH.Scribe.aiff\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\vpjfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileTypes]
".MP3" = "NCH.Scribe.mp3"

[HKCU\Software\Classes\.WAV]
"(Default)" = "NCH.Scribe.wav"

[HKCU\Software\Classes\.mov]
"(Default)" = "movfile"

[HKCR\.msv]
"Scribe.BAK" = ""

[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"URLInfoAbout" = "www.nch.com.au/scribe/support.html"

[HKCU\Software\Classes\asffile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\mohfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCR\NCH.Scribe.wma\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"

[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"

[HKCU\Software\NCH Software\Scribe\Software]
"Toolbar" = "cnm-installed"

[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"

[HKCR\.aif\OpenWithProgIds]
"NCH.Scribe.aif" = "Type: REG_NONE, Length: 0"

[HKCR\NCH.Scribe.aiff\shell]
"(Default)" = "Open"

[HKCU\Software\NCH Software\Scribe\Settings]
"InstallDate" = "1418883448"

[HKCU\Software\NCH Software\Scribe\Hotkey\1]
"Command" = "10"

[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"

[HKCR\Applications\scribe.exe\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\.gz]
"(Default)" = "gzfile"

[HKCU\Software\Classes\giffile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"

[HKCU\Software\Classes\wpdfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"

[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"

[HKCR\.dct\OpenWithProgIds]
"NCH.Scribe.dct" = "Type: REG_NONE, Length: 0"

[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dvs\UserChoice]
"Progid" = "NCH.Scribe.dvs"

[HKCR\.dss\OpenWithProgIds]
"NCH.Scribe.dss" = "Type: REG_NONE, Length: 0"

[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"URLUpdateInfo" = "www.nch.com.au/scribe/index.html"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Settings]
"RelatedRuns" = "-1"

[HKCU\Software\Classes\.mpeg]
"(Default)" = "mpegfile"

[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileTypes]
".aiff" = "NCH.Scribe.aiff"

[HKCU\Software\Classes\.ds2]
"(Default)" = "ds2file"

[HKCU\Software\Classes\tar.gzfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCR\.mp3\OpenWithProgIds]
"NCH.Scribe.mp3" = "Type: REG_NONE, Length: 0"

[HKCU\Software\Classes\.WMA]
"(Default)" = "NCH.Scribe.wma"

[HKCU\Software\Classes\.xvid]
"(Default)" = "xvidfile"

[HKCR\NCH.Scribe.wma]
"(Default)" = ""

[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"

[HKCU\Software\NCH Software\Scribe\Settings]
"InstalledByAdmin" = "1"

[HKCR\NCH.Scribe.dct\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCR\.wma\OpenWithProgIds]
"NCH.Scribe.wma" = "Type: REG_NONE, Length: 0"

[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Software]
"Installer" = "%Program Files% (x86)\NCH Software\Scribe\scribesetup_v5.69.exe"

[HKCU\Software\NCH Software\Scribe\Hotkey\0]
"key" = "122"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"DisplayName" = "Express Scribe Transcription Software"

[HKCR\.dvs]
"(Default)" = "NCH.Scribe.dvs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msv\UserChoice]
"Progid" = "NCH.Scribe.msv"

[HKCU\Software\Classes\.moh]
"(Default)" = "mohfile"

[HKCU\Software\Classes\.mpeg2]
"(Default)" = "mpeg2file"

[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"

[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressZip %L"

[HKCR\NCH.Scribe.wma\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\mpeg2file\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.voc]
"(Default)" = "vocfile"

[HKCU\Software\Classes\spjfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"

[HKCU\Software\Classes\vocfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCR\NCH.Scribe.dct\shell]
"(Default)" = "Open"

[HKCU\Software\Classes\.wp]
"(Default)" = "wpfile"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Pixillion %L"

[HKCR\NCH.Scribe.mp3]
"(Default)" = ""

[HKCU\Software\Classes\aufile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\NCH Software\Scribe\Hotkey\7]
"Command" = "2"

[HKCU\Software\Classes\.divx]
"(Default)" = "divxfile"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dss\UserChoice]
"Progid" = "NCH.Scribe.dss"

[HKCU\Software\Classes\mohfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind IMS %L"

[HKCU\Software\Classes\aacfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCR\NCH.Scribe.wav\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"

[HKCU\Software\Classes\.AIFF]
"(Default)" = "NCH.Scribe.aiff"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".msv" = "NCH.Scribe.msv"

[HKCU\Software\Classes\.wpd]
"(Default)" = "wpdfile"

[HKCU\Software\Classes\spjfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\vpjfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Pixillion %L"

[HKCU\Software\Classes\xvidfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\ivrfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\mpegfile\Shell]
"(Default)" = "open"

[HKCR\.dct]
"Scribe.BAK" = ""

[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"

[HKCU\Software\Classes\ivrfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind IVM %L"

[HKCU\Software\Classes\tarfile\Shell]
"(Default)" = "open"

[HKCR\NCH.Scribe.aif]
"(Default)" = ""

[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"

[HKCU\Software\Classes\movfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCR\NCH.Scribe.dct\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"

[HKCU\Software\NCH Software\Scribe\Registration]
"Name" = ""

[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"

[HKCR\.dvs]
"Scribe.BAK" = ""

[HKCR\.dss]
"Scribe.BAK" = ""

[HKCU\Software\Classes\giffile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKCU\Software\Classes\odtfile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\RegisteredApplications]
"Scribe" = "Software\NCH Software\Scribe\Capabilities"

[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"

[HKCU\Software\Classes\jpegfile\Shell]
"(Default)" = "open"

[HKCR\NCH.Scribe.dss]
"(Default)" = "Express Scribe Dictation File"

[HKCU\Software\Classes\pngfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\aufile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"

[HKCU\Software\Classes\mpgfile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileTypes]
".dct" = "NCH.Scribe.dct"

[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"

[HKCR\NCH.Scribe.aiff\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
"test" = "testv"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"VersionMinor" = "69"

[HKCU\Software\Classes\m4afile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"

[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"

[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"

[HKCU\Software\Classes\.tar.gz]
"(Default)" = "tar.gzfile"

[HKCU\Software\NCH Software\Scribe\Hotkey\4]
"key" = "117"

[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"

[HKCR\.msv\OpenWithProgIds]
"NCH.Scribe.msv" = "Type: REG_NONE, Length: 0"

[HKCU\Software\Classes\.MP3]
"(Default)" = "NCH.Scribe.mp3"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".MP3" = "NCH.Scribe.mp3"

[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"

[HKCU\Software\Classes\vocfile\Shell]
"(Default)" = "open"

[HKCR\NCH.Scribe.wav\shell]
"(Default)" = "Open"

[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind PhotoStage %L"

[HKCU\Software\NCH Software\Scribe\Registration]
"RD" = "1418883436"

[HKCU\Software\Classes\.spj]
"(Default)" = "spjfile"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"UninstallString" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -uninstall"

[HKCU\Software\Classes\meofile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Meo %L"

[HKCU\Software\Classes\giffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\NCH Software\Scribe\Hotkey\2]
"key" = "115"

[HKCU\Software\Classes\Windows.IsoFile\shell]
"(Default)" = "open"

[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\avifile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCR\NCH.Scribe.msv]
"(Default)" = "Express Scribe Dictation File"

[HKCU\Software\NCH Software\Scribe\Hotkey\1]
"key" = "114"

[HKCR\NCH.Scribe.mp3\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\.ivr]
"(Default)" = "ivrfile"

[HKCR\NCH.Scribe.wma\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCR\SystemFileAssociations\.aiff\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\meofile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\CABFolder\Shell]
"(Default)" = "open"

[HKCU\Software\NCH Software\Scribe\Hotkey\3]
"key" = "116"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileTypes]
".WAV" = "NCH.Scribe.wav"

[HKCU\Software\Classes\oggfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"

[HKCU\Software\Classes\neffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\voxfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCR\NCH.Scribe.msv\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCR\NCH.Scribe.msv\shell]
"(Default)" = "Open"

[HKCU\Software\Classes\rarfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"

[HKCU\Software\Classes\ds2file\shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"

[HKCU\Software\Classes\.FLAC]
"(Default)" = "flacfile"

[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\mpdpfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind MixPad %L"

[HKCU\Software\NCH Software\Scribe\Hotkey]
"maxId" = "9"

[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCR\NCH.Scribe.aif\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"

[HKCU\Software\NCH Software\Scribe\Hotkey\8]
"key" = "121"

[HKCU\Software\Classes\ds2file\shell]
"(Default)" = "open"

[HKCR\NCH.Scribe.aiff]
"(Default)" = ""

[HKCU\Software\Classes\giffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\.gsm]
"(Default)" = "gsmfile"

[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"

[HKCU\Software\Classes\ivrfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".WAV" = "NCH.Scribe.wav"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\NCH Software\Scribe\Hotkey\4]
"Command" = "1"

[HKCU\Software\Classes\tarfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\tarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressZip %L"

[HKCU\Software\NCH Software\Scribe\Hotkey\2]
"Command" = "3"

[HKCU\Software\NCH Software\Scribe\Hotkey\5]
"Command" = "6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\NCH.Scribe.dct]
"(Default)" = "Express Scribe Dictation File"

[HKCU\Software\NCH Software\Scribe\Settings]
"currentVersion" = "5.69"

[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCR\NCH.Scribe.mp3\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"

[HKCU\Software\Classes\oggfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"

[HKCU\Software\Classes\oggfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\movfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"

[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\.M4A]
"(Default)" = "m4afile"

[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\spjfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\rarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressZip %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"VersionMajor" = "5"

[HKCU\Software\Classes\CABFolder\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCR\NCH.Scribe.wav]
"(Default)" = ""

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".dct" = "NCH.Scribe.dct"

[HKCU\Software\Classes\.AIF]
"(Default)" = "NCH.Scribe.aif"

[HKCU\Software\Classes\flacfile\Shell]
"(Default)" = "open"

[HKCU\Software\NCH Software\Scribe\Hotkey\6]
"key" = "119"

[HKCU\Software\NCH Software\Scribe\Hotkey\3]
"Command" = "0"

[HKCU\Software\Classes\7zfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressZip %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"

[HKCR\NCH.Scribe.aif\shell]
"(Default)" = "Open"

[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"

[HKCU\Software\Classes\gsmfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCR\NCH.Scribe.wav\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\neffile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Pixillion %L"

[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities]
"ApplicationDescription" = "Express Scribe Transcription Software"

[HKCU\Software\NCH Software\Scribe\Hotkey\7]
"key" = "120"

[HKCU\Software\NCH Software\Scribe\Hotkey\5]
"key" = "118"

[HKCU\Software\Classes\asffile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".dss" = "NCH.Scribe.dss"

[HKCU\Software\Classes\aacfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"

[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"InstallLocation" = "%Program Files% (x86)\NCH Software\Scribe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dct\UserChoice]
"Progid" = "NCH.Scribe.dct"

[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\aacfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.m4v]
"(Default)" = "m4vfile"

[HKCU\Software\Classes\divxfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"

[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"

[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\giffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Pixillion %L"

[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"

[HKCU\Software\Classes\.mpdp]
"(Default)" = "mpdpfile"

[HKCU\Software\Classes\mpdpfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"

[HKCU\Software\Classes\docxfile\Shell]
"(Default)" = "open"

[HKCR\NCH.Scribe.aif\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCR\NCH.Scribe.wma\shell]
"(Default)" = "Open"

[HKCR\.dss]
"(Default)" = "NCH.Scribe.dss"

[HKCU\Software\Classes\movfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"

[HKCR\Applications\scribe.exe\shell]
"(Default)" = "Open"

[HKCU\Software\Classes\wpfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\rarfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\CABFolder\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"

[HKCU\Software\Classes\gzfile\Shell]
"(Default)" = "open"

[HKCR\Applications\scribe.exe\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"

[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\m4afile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\avifile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"Version" = "5.69"

[HKCU\Software\Classes\mohfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\.mp4]
"(Default)" = "mp4file"

[HKCU\Software\Classes\Windows.IsoFile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressBurn %L"

[HKCU\Software\Classes\7zfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCR\.dct]
"(Default)" = "NCH.Scribe.dct"

[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Pixillion %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"DisplayVersion" = "5.69"

[HKCR\NCH.Scribe.dss\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"

[HKCU\Software\Classes\pngfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\vpjfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Microsoft\Registration\NCH]
"Scribe" = "1"

[HKCR\SystemFileAssociations\.wma\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\NCH Software\Scribe\Hotkey\0]
"Command" = "9"

[HKCU\Software\Classes\.doc]
"(Default)" = "docfile"

[HKCU\Software\NCH Software\Scribe\Hotkey\8]
"Command" = "8"

[HKCU\Software\Classes\aufile\Shell]
"(Default)" = "open"

[HKCR\NCH.Scribe.wav\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\aufile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"

[HKCU\Software\Classes\rtffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\docfile\Shell]
"(Default)" = "open"

[HKCR\NCH.Scribe.dss\shell]
"(Default)" = "Open"

[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCR\SystemFileAssociations\.aif\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\voxfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"

[HKCR\SystemFileAssociations\.wav\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"

[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"

[HKCU\Software\Classes\Windows.IsoFile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

The PUP deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dvs\UserChoice]
"Progid"

[HKCU\Software\NCH Software\Scribe\Software]
"_InstalledBy"

[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
"test"

[HKCU\Software\NCH Software\Scribe\Registration]
"XD"

[HKCU\Software\NCH Software\Scribe\Software]
"_ShowSurvey"
"InstalledBy"
"ShowSurveyNow"
"ShowSurvey"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msv\UserChoice]
"Progid"

[HKCU\Software\NCH Software\Scribe\Software]
"_ShowSurveyNow"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dss\UserChoice]
"Progid"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\NCH Software\Scribe\Registration]
"_XD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dct\UserChoice]
"Progid"

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3948 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarManager.exe" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"pv" = "7.5.5111.1712"

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3128 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayVersion" = "7.5.5111.1712"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"ToastOfferTime" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Publisher" = "Google Inc."

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"SystemPatchLevel" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5" = ""

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\GoogleUpdate]
"InstallTimestamp" = "1418883472"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.5111.1712_5" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:5"
"cmd_7.5.5111.1712_4" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:4"
"cmd_7.5.5111.1712_7" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:7"
"cmd_7.5.5111.1712_6" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:6"
"cmd_7.5.5111.1712_1" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:1"
"cmd_7.5.5111.1712_0" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:0"
"cmd_7.5.5111.1712_3" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:3"
"cmd_7.5.5111.1712_2" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:2"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"InstallType" = "3"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.5111.1712_9" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:9"
"cmd_7.5.5111.1712_8" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:8"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetDefaultSearch" = "3"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"AllowInteractions" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayName" = "Google Toolbar for Internet Explorer"

[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EnableUsageStats" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"Policy" = "3"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"UninstallString" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /uninstall"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppName" = "GoogleToolbarUser_64.exe"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"{14C626CA-ACAB-46e5-8A99-53C9E11CCCA0}_enabled" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"InstallTime" = "1418883472"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Installations]
"1418883489" = "v=7.5.5111.1712&tbbrand=NCHD&i=0"

[HKCR\Installer\Products\18555481990E8AB4CBB63FB4F26006C0]
"AuthorizedLUAApp" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayIcon" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ButtonPageRank" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar]
"test" = "41"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser_32.exe"

[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetPageRank" = "2"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\GoogleUpdate]
"InstallResult" = "pi"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"RbbsBreak" = "1"

[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EulaAccepted" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleUpdaterService.exe" = "1"
"SearchWithGoogleUpdate.exe" = "1"
"GoogleToolbarManager.exe" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"brand" = "NCHD"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser_32.exe"

[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll"

[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll"

[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"BrowseByName" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"PrimaryInstallDone" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetHomePage" = "2"

[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5" = ""

[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"UsageStatsEnabled" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"DisableBrowseByName" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"MinorVersion" = "5"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"Name" = "Google Toolbar"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"ID" = "AB0A80C9D2FDA747740FD9725D3094D66CC61iHFEF"

[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"InstallLocation" = "%Program Files% (x86)\Google\Google Toolbar\"
"NoModify" = "1"
"MajorVersion" = "7"
"NoRepair" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"

[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppName" = "GoogleToolbarUser_64.exe"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"brand" = "NCHD"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll"

The PUP deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\Programmable]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
[HKCU\Software\Classes\Local Settings\MuiCache\29]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum]
[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\Programmable]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum]

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"UseIe64"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"Vendor"

[HKCU\Software\Google\Google Toolbar\4.0]
"Update"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"RefreshIE"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"lang"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"WelcomePage"

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:1808 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\NonManifest\C:\ProgramData\Google\Custom Buttons]
"toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarDynamic_mui_en.dll" = "1"

The process GoogleToolbarNotifier.exe:1940 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\ProtectorExe.ProtectorHost.1\CLSID]
"(Default)" = "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}]
"(Default)" = "IProtectorLib7"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}]
"(Default)" = "IProtector11"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}]
"(Default)" = "IProtector2"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}]
"(Default)" = "IProtector8"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}]
"(Default)" = "IProtector6"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}]
"(Default)" = "IProtectorHost2"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}]
"(Default)" = "IProtectorLib"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}]
"(Default)" = "IProtector3"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"Version" = "1a.0"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0]
"(Default)" = "protector_dllLib"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}]
"(Default)" = "protector_dll"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}]
"(Default)" = "IProtector9"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}]
"(Default)" = "ProtectorExe"

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}]
"(Default)" = "IProtectorLib8"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}]
"(Default)" = "IProtectorLib8"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}]
"(Default)" = "IProtectorLib7"

[HKCR\protector_dll.ProtectorLib.1]
"(Default)" = "ProtectorLib Class"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}]
"(Default)" = "IProtector4"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"Depend" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"(Default)" = "ProtectorLib Class"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"Version" = "1a.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppName" = "GoogleToolbarNotifier.exe"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}]
"(Default)" = "IProtector5"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}]
"(Default)" = "IProtectorLib5"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"(Default)" = "ProtectorHost Class"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}]
"(Default)" = "IProtectorHost"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}]
"(Default)" = "IProtector10"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorBho"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}]
"(Default)" = "IProtector10"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\ProgID]
"(Default)" = "ProtectorExe.ProtectorHost.1"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"Version" = "1a.0"

[HKCR\protector_dll.ProtectorLib\CurVer]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}]
"(Default)" = "IProtector2"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}]
"(Default)" = "IProtector5"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"Version" = "1a.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}]
"(Default)" = "IProtectorHost"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}]
"(Default)" = "IProtector3"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\AppID\ProtectorExe.EXE]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\protector_dll.Protector.1\CLSID]
"(Default)" = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}"

[HKCR\ProtectorExe.ProtectorHost\CLSID]
"(Default)" = "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}"

[HKCR\protector_dll.ProtectorBho]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\AppID\protector_dll.DLL]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}]
"(Default)" = "IProtectorLib2"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\ProgID]
"(Default)" = "protector_dll.Protector.1"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}]
"(Default)" = "IProtectorLib6"

[HKCR\protector_dll.Protector\CLSID]
"(Default)" = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\VersionIndependentProgID]
"(Default)" = "ProtectorExe.ProtectorHost"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}]
"(Default)" = "IProtector7"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\ProtectorExe.ProtectorHost]
"(Default)" = "ProtectorHost Class"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}]
"(Default)" = "IProtector4"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\protector_dll.ProtectorBho.1\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\HELPDIR]
"(Default)" = ""

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\protector_dll.ProtectorBho.1]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}]
"(Default)" = "IProtectorLib3"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorLib"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}]
"(Default)" = "IProtector11"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}]
"(Default)" = "IProtector12"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\VersionIndependentProgID]
"(Default)" = "protector_dll.Protector"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\protector_dll.ProtectorLib.1\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}]
"(Default)" = "IProtectorLib3"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}]
"(Default)" = "IProtector"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}]
"(Default)" = "IProtector6"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"Version" = "1a.0"

[HKCR\ProtectorExe.ProtectorHost.1]
"(Default)" = "ProtectorHost Class"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\protector_dll.Protector\CurVer]
"(Default)" = "protector_dll.Protector.1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppName" = "GoogleToolbarNotifier.exe"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"Version" = "1a.0"

[HKCR\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}]
"RunAs" = "Interactive User"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}]
"(Default)" = "IProtectorLib5"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"Policy" = "3"

[HKCR\protector_dll.ProtectorBho\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKCR\protector_dll.ProtectorBho\CurVer]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\ProtectorExe.ProtectorHost\CurVer]
"(Default)" = "ProtectorExe.ProtectorHost.1"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\0\win32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"Policy" = "3"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}]
"(Default)" = "IProtector12"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}]
"(Default)" = "IProtectorHost2"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"Version" = "1a.0"

[HKCR\protector_dll.Protector.1]
"(Default)" = "Protector Class"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll"

[HKCR\protector_dll.Protector]
"(Default)" = "Protector Class"

[HKCR\protector_dll.ProtectorLib\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}]
"(Default)" = "IProtector8"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}]
"(Default)" = "IProtector"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}]
"(Default)" = "IProtector9"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}]
"(Default)" = "Protector Class"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}]
"(Default)" = "IProtectorLib4"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}]
"(Default)" = "IProtector7"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}]
"(Default)" = "IProtectorLib"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}]
"(Default)" = "IProtectorLib4"

[HKCR\protector_dll.ProtectorLib]
"(Default)" = "ProtectorLib Class"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}]
"(Default)" = "IProtectorLib6"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}]
"(Default)" = "IProtectorLib2"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"Version" = "1a.0"

The process GoogleToolbarNotifier.exe:1752 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"HideUI_Throttled" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"DetectChange_DS" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Google\GoogleToolbarNotifier]
"KeepDS" = "688508711"
"FirstRun" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"Icon_Click" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "C0 12 95 66 8A 1A D0 01"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier]
"UpdateURL" = "http://clients1.google.com/tools/swg2/update"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Google\GoogleToolbarNotifier]
"lds" = "http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ShowUI_TrayIcon" = "0"

[HKCU\Software\Google\Google Toolbar\4.0]
"UpdateResult" = "98"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "C0 12 95 66 8A 1A D0 01"

[HKCU\Software\Google\GoogleToolbarNotifier]
"DefaultLanguage" = "en"
"TS" = "1418883492"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"Bubble_Click" = "0"
"UserAllowChange_DS" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Google\GoogleToolbarNotifier]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ShowUI_Popup" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier]
"InstalledVersion" = "5.7.9012.1008"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"LastReportTime" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"scShowTrayIcon" = "ffffffff"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Google\GoogleToolbarNotifier]
"UsageStat" = "1"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ModifyUI_UserIntent" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier]
"Version" = "5.7.9012.1008"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"Extc" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"scKeepDS" = "2909cf27"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "C0 12 95 66 8A 1A D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"

[HKCU\Software\Google\GoogleToolbarNotifier]
"WantProductRestart"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Google\GoogleToolbarNotifier]
"ts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Google\GoogleToolbarNotifier]
"DSPSuspended"
"SuspendedDS"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

The process regsvr32.exe:3096 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\ProgID]
"(Default)" = "ProtectorExe.ProtectorHost.1"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"(Default)" = "ProtectorHost Class"

[HKCR\protector_dll.ProtectorBho\CurVer]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\protector_dll.ProtectorLib\CurVer]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\AppID\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}]
"(Default)" = "protector_dll"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"(Default)" = "ProtectorLib Class"

[HKCR\protector_dll.ProtectorBho.1\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorLib"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorBho"

[HKCR\protector_dll.ProtectorBho.1]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\protector_dll.ProtectorLib\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\protector_dll.ProtectorLib.1\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll"

[HKCR\protector_dll.ProtectorLib]
"(Default)" = "ProtectorLib Class"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"Depend" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\VersionIndependentProgID]
"(Default)" = "ProtectorExe.ProtectorHost"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\protector_dll.ProtectorLib.1]
"(Default)" = "ProtectorLib Class"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\protector_dll.ProtectorBho]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\AppID\protector_dll.DLL]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\protector_dll.ProtectorBho\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll"

The process SearchWithGoogleUpdate_C993F490EED40C1B.exe:2360 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier]
"Version" = "5.7.9012.1008"
"ID" = "e169e429ea1b47a2bac23449a7cbdad6"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.24.15, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\327c54aa\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\327c54aa\, , \??\%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008,"

[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"ust" = "100"

[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier\Clients]
"ietb" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier]
"brand" = "NCHD"

The PUP deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

Dropped PE files

MD5	File path
5d4bc124faae6730ac002cdb67bf1a1c	c:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
1223e7efa6dda842c37985a62f10001f	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll
6fffd47eb8cc3a6ca44619f16a7d0ae6	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_8E471B27054D20F5.dll
96af87c526ec7a8f32dc3f1f2a63a4a7	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_F8ED9B719A89F8EF.dll
d2d2a0e0ecd8a2ea750d6be34337d00d	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll
4c401fcc6d0c95e1a5d989e403e18f2f	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe
e8b7fd67da14a7be57a5cb80e3139e60	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe
211f96eb417ff837a70f5130e63a1a45	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe
81590207a8efab40bafe743d8073eb9b	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_365102BD7F6C8091.dll
30c83447379d5955e992bd43be8d115e	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_54BD4059920ABC8A.dll
1f2afab903c0d48480561f3bbd4539c2	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe
4beaf576cb43358c4db9f45ac7c09cdb	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe
4b78e9ae06f7c310e30ee2fa5b7ebc3c	c:\Program Files (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_C993F490EED40C1B.exe
e8b7fd67da14a7be57a5cb80e3139e60	c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
211f96eb417ff837a70f5130e63a1a45	c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe
81590207a8efab40bafe743d8073eb9b	c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
30c83447379d5955e992bd43be8d115e	c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
13d401e46ad0c5a8442fc57fadbf5751	c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gth.dll
aeb43d2a8158fb535f48f440cc266953	c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll
d3088606c810a355eae9b9056c9b5392	c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll
5d61be7db55b026a5d61a3eed09d0ead	c:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
5a6381e0afb4e0b9fd318c1c76efe9dc	c:\Program Files (x86)\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\0.0.0.0\googletoolbarinstaller_en_signed.exe
5a6381e0afb4e0b9fd318c1c76efe9dc	c:\Program Files (x86)\Google\Update\Install\{9ED6278D-3499-43D2-BA30-93D0A1DF8374}\googletoolbarinstaller_en_signed.exe
6154f737535b3dbea39c63223d52f5b8	c:\Program Files (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe
c9d7f12d4b1567ef2b823a9f872b3c9d	c:\Program Files (x86)\NCH Software\Scribe\hookappcommand.dll
361881c965f3b2f45f45de2979f6b7fe	c:\Program Files (x86)\NCH Software\Scribe\scribe.exe
dd481c837b6303531af365d95637692f	c:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: NCH Software
Product Name: ExpressScribe
Product Version:
Legal Copyright: NCH Software
Legal Trademarks:
Original Filename:
Internal Name: Scribe
File Version: 5.69
File Description: Express Scribe Transcription Software
Comments:
Language: English (Australia)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.rdata	4096	2338	2560	2.76389	a322bee8b6315dcdf55664104eb8aed4
.data	8192	1596	2048	3.48789	cc10a049565dcd8a13f7ded9f6d7749b
.rsrc	12288	926180	926208	5.54419	f66a72f3858d6369e9336af805d17452

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://audiochannel.net/versions/components/tb_google_row.dat
hxxp://audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe
hxxp://tools.l.google.com/dl/toolbar/t7/data/7.5.5111.1712/googletoolbarinstaller_en_signed.exe
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7e5273f67c02628d
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40=
hxxp://tools.l.google.com/tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=e169e429ea1b47a2bac23449a7cbdad6eb587e946e&from=&to=5.7.9012.1008
hxxp://tools.l.google.com/tools/pso/ping?as=tbin&gu=pi&mode=3&sin=1&ein=0&version=7.5.5111.1712&brand=NCHD&hl=en&tbiv=7.5.5111.1712&time=1418883492&fitime=1418883492&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=AB0A80C9D2FDA747740FD9725D3094D66CC61iHFEF
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?03c3bc9a7f722e83
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU=
hxxp://clients1.google.com/tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=e169e429ea1b47a2bac23449a7cbdad6eb587e946e&from=&to=5.7.9012.1008	173.194.113.200
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=	23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=	23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	88.221.132.244
hxxp://www.audiochannel.net/versions/components/tb_google_row.dat	66.39.83.117
hxxp://dl.google.com/dl/toolbar/t7/data/7.5.5111.1712/googletoolbarinstaller_en_signed.exe	173.194.113.193
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU=	23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	88.221.132.244
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	88.221.132.244
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?03c3bc9a7f722e83	88.221.132.223
hxxp://clients1.google.com/tools/pso/ping?as=tbin&gu=pi&mode=3&sin=1&ein=0&version=7.5.5111.1712&brand=NCHD&hl=en&tbiv=7.5.5111.1712&time=1418883492&fitime=1418883492&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=AB0A80C9D2FDA747740FD9725D3094D66CC61iHFEF	173.194.113.200
hxxp://www.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe	66.39.83.117
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl	88.221.132.244
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=	23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=	23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40=	23.43.139.27
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4=	23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=	23.43.139.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7e5273f67c02628d	88.221.132.223
hxxp://crl.verisign.com/pca3.crl	23.43.133.163
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=	23.43.139.27
tools.google.com	173.194.113.198

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Traffic

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 812

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT

If-None-Match: "a2f3ff97eeecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT

ETag: "a2f3ff97eeecf1:0"

Cache-Control: max-age=900

Date: Thu, 18 Dec 2014 06:18:38 GMT

Connection: keep-alive

....

GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT

If-None-Match: "3e1c83923e1cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Mon, 06 Oct 2014 05:06:02 GMT

ETag: "3e1c83923e1cf1:0"

Cache-Control: max-age=900

Date: Thu, 18 Dec 2014 06:18:38 GMT

Connection: keep-alive

....

GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT

If-None-Match: "58cddbea90dfcf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Sat, 04 Oct 2014 05:06:12 GMT

ETag: "58cddbea90dfcf1:0"

Cache-Control: max-age=900

Date: Thu, 18 Dec 2014 06:18:38 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Mo
dified: Sat, 04 Oct 2014 05:06:12 GMT..ETag: "58cddbea90dfcf1:0"..Cach
e-Control: max-age=900..Date: Thu, 18 Dec 2014 06:18:38 GMT..Connectio
n: keep-alive..

GET /versions/components/tb_google_row.dat HTTP/1.0

Host: VVV.audiochannel.net


HTTP/1.1 404 Not Found

Date: Thu, 18 Dec 2014 06:17:41 GMT

Server: Apache/2.2.29

Content-Length: 235

Connection: close

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /ve
rsions/components/tb_google_row.dat was not found on this server.</
p>.</body></html>...

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?03c3bc9a7f722e83 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT

If-None-Match: "0b96c77303ecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT

Accept-Ranges: bytes

ETag: "805a83f2b9cecf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 56928

Date: Thu, 18 Dec 2014 06:18:39 GMT

Connection: keep-alive
MSCF....`.......,...................I.................,E.Y .authroot.s
tl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......
_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q
.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2
.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\
YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x
%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,
....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.......
..............@.....L.........KNAy8/"...f.......k..Jm7j....R.5q....Rz.
.!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%
T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m...
_.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..
*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<
;.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|.@.M.._.....7._6...C.0...
A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?.
..........WE.Or..O>..{.'W2.........3m.O.u..Z8....H4@.w}.o:?~....]&l
t;!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..
{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......
q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!........
.`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=..
.f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..
].|......3..y..-./....K..6{...s.<R`.}6....?.......-..@.g..S....<<< skipped >>>

GET /pca3.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.verisign.com


HTTP/1.1 200 OK

Server: Apache

ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"

Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT

Date: Thu, 18 Dec 2014 06:22:11 GMT

Content-Length: 933

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..140922000000Z..141
231235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y
.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R
.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....
u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2..
..{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N
....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w
`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H............M....s#..Lo...TU...tM.3
...'.U......:Z...w.x.=....K.0;...!....D....9...,!....B.t. <........
..-.....k.$<i{O.<.E...*.......Ow _..J.HTTP/1.1 200 OK..Server: A
pache..ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"..Last-Modif
ied: Wed, 24 Sep 2014 00:15:16 GMT..Date: Thu, 18 Dec 2014 06:22:11 GM
T..Content-Length: 933..Connection: keep-alive..Content-Type: applicat
ion/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSig
n, Inc.1705..U....Class 3 Public Primary Certification Authority..1409
22000000Z..141231235959Z0..x0!...v....a_>..2......020924164823Z0!..
...A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0
!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....0209231715

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1762

content-transfer-encoding: binary

Cache-Control: max-age=572801, public, no-transform, must-revalidate

Last-Modified: Wed, 17 Dec 2014 21:24:36 GMT

Expires: Wed, 24 Dec 2014 21:24:36 GMT

Date: Thu, 18 Dec 2014 06:18:03 GMT

Connection: keep-alive

0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..2014121
7212436Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..R...%V.......K3.....20141217212436Z....20141224212436Z0...*.H.....
............X2.I...~.."...c.6U.....&H."....u......F..Y{.$.q......5....
H......6....:..z.d,..ct.. ../.....~......V.-.#. j2x.t...>...I.@p.Tk
.....PX!{WR.....-'..~...p..1*M.oT.rV.I/.c..........l.>.}.I....@Z.8,
.n..[.5.y...x.$s.O.?.....D..1...v...1.E7#m=m ..........W........0...0.
..0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 Ve
riSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 P
ublic Primary Certification Authority - G50...141202000000Z..151216235
959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec
 Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Cert
ificate 30.."0...*.H.............0...............2&..PL...,..2....:..t
H...`JG.%..*...s.c%...?t..J..0.q....~..k@X.l.i....0..kk..h.9"1.5?..s..
...3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$".
.$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.
6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E...
.0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.
symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0
!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U
.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#...5

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=455079, public, no-transform, must-revalidate

Last-Modified: Tue, 16 Dec 2014 12:39:32 GMT

Expires: Tue, 23 Dec 2014 12:39:32 GMT

Date: Thu, 18 Dec 2014 06:18:08 GMT

Connection: keep-alive
0..........0..... .....0......0...0......u\..3Oo?U...H.....O!..2014121
6123932Z0s0q0I0... ...................F....0.yV......{&.K......&......
.).... .>...Fb.......20141216123932Z....20141223123932Z0...*.H.....
........q...^..g.V.~..1[...'...Y....j4....4.N.~p.c6F...q{=.p.T.A.~.}&.
.[....A.i...@.9...{...}.$U.9$.......@.%..Ka.i6....  C....J.m[.o.|...S.
r.'W.......qD.0.]9...@l.ww....m.,j._.uc........u'Q9i{7a.m..8....H.f...
~.5..V...F3.\.ie`/....ZD....".hJ[..%......2...d......A....0...0...0...
......./...nj0...}..i..0...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at h
ttps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Sign
ing 2010 CA0...141204000000Z..150304235959Z0..1.0...U....US1.0...U....
VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Cla
ss 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0........
.4.4...........o....?..f.........I.!.b.L...L..U.........rM.,.....=..cR
4d.~*..k..x......=.WT.<.A2n1.qZyM.M..Q_...8....9....d.... ...'.....
....h..Z..I...(.b.jK..DO.ra..gb..j..A.(....mrzU.w.......Bv...l.:s..L..
..y.....u..n.)W......Y!....Q...,.i|.....:.Mu..DD1.........0...0...U...
.0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign
.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. 
by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U......
..0... .....0......0"..U....0...0.1.0...U....TGV-B-24600...*.H........
......pjd....VpE.6.tO..@.....7.=.. ...........hi.......>....Q.?<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=504753, public, no-transform, must-revalidate

Last-Modified: Wed, 17 Dec 2014 02:34:46 GMT

Expires: Wed, 24 Dec 2014 02:34:46 GMT

Date: Thu, 18 Dec 2014 06:22:13 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2014121
7023446Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.l$.%t...............20141217023446Z....20141224023446Z0...*.H........
........!..4./....*Dj...$."......1.".x..C...}.o.u.-...:..V..IG.p......
.G@."..~...c.....s.5sf...C;.`C.S~.....v...H..w..V...oo.z7.}C...m...8.-
t..|?32.V...Q).txG.........Y.|N...l.#..;.......&.T.je.=.C?..f...T?....
(.iv.})_q.....R.'0@...uW.y..8),.....J...7.............#0...0...0......
....<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at h
ttps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Sign
ing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U..
..VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of u
se at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3
 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{
(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(.......
...p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}..
.r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n.
.i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0
.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.c
om/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by
 reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........
0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H......<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=484239, public, no-transform, must-revalidate

Last-Modified: Tue, 16 Dec 2014 20:49:17 GMT

Expires: Tue, 23 Dec 2014 20:49:17 GMT

Date: Thu, 18 Dec 2014 06:22:11 GMT

Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....2014121
6204917Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a.
.eR&.....Y.)..".\....20141216204917Z....20141223204917Z0...*.H........
..........8*.6....l...7.y.......P.j..(.V"L........]/.o%.P..A.Z.Etv...C
.....{......BC|R..tD..T. ....IbA......`...7..`....).. |Q\.....|~...U..
z,m.@...).`.Z.8.Trky. ..r...TUg.h*....Z.&......,8r.../.2..,E....V..D..
}'.]....8Lt...........}Jc..s{..|.!..b_.^..._..E`.......0...0...0..3...
..../...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign,
 Inc.1705..U....Class 3 Public Primary Certification Authority0...1412
02000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporatio
n1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1
 OCSP Responder Certificate 30.."0...*.H.............0..........'.....
.Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; )....
.0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|
o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._.....
. ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0
c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......
0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .
....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H
......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D.....
......e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=500183, public, no-transform, must-revalidate

Last-Modified: Wed, 17 Dec 2014 01:14:37 GMT

Expires: Wed, 24 Dec 2014 01:14:37 GMT

Date: Thu, 18 Dec 2014 06:22:11 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2014121
7011437Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
..M.s.Q~...@?j.......20141217011437Z....20141224011437Z0...*.H........
.....@.v..Q.[k.2......."7..".m...".=....z.C.........(....F-Q\#.....P..
...;.....":W.......'(........3...r.....OB..............JV5...7X.*..QM.
...Uf...6.....g.p.#....98..&...<.......I.@.|../!.qT.....W..qB..o.x.
^(..3.#....}.....o...Lq...Y.~...X.\.?......~..opF.u......#0...0...0...
.......<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
..{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(....
......p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.
}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....
(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U..
..0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisig
n.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp.
 by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U.....
...0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.thawte.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1503

content-transfer-encoding: binary

Cache-Control: max-age=487560, public, no-transform, must-revalidate

Last-Modified: Tue, 16 Dec 2014 21:44:34 GMT

Expires: Tue, 23 Dec 2014 21:44:34 GMT

Date: Thu, 18 Dec 2014 06:22:17 GMT

Connection: keep-alive
0..........0..... .....0......0...0......&Km...."....}....,.c..2014121
6214434Z0s0q0I0... ........0..k....&..p..^.X.....{[E....z.1..j..F.WHP.
.G.Mxs..../.p./.^....20141216214434Z....20141223214434Z0...*.H........
.....*M..q."...|l......R...L....X.Kmf.C..=..`.Dq.l.iO..../...g-.^...y.
.f*f..d..L.....~5.i..O2.8..........45...e{;p....w1Li.......,K.K...r...
..,X8.^.$ld...h.j..(`..uG$^...#....Xl.5...*f......h.v...vp9..(......%1
..#.z?r4q`:.....I.S.b..p.t.1...E......`..9...%.y.......0...0...0......
......I...*....^n...0...*.H........0..1.0...U....US1.0...U....thawte, 
Inc.1(0&..U....Certification Services Division1806..U.../(c) 2006 thaw
te, Inc. - For authorized use only1.0...U....thawte Primary Root CA0..
.141202000000Z..151216235959Z0_1.0...U....US1.0...U....thawte, Inc.190
7..U...0thawte Primary Root OCSP Responder Certificate 30.."0...*.H...
..........0.........x...F83..,.D.,2D.;JGc.|_.k.....B.7.....G}.M.s.....
S.i.Uu.h.Aq..v...4:l..U.......T7l...~vl...r....{*..........V.o..8|.B..
^.a.. ...z....x..s...\[Y....<....'> ..YC..7.zVk.$...o3..kao]c...
>C./bPX.......I..Oc.....NN......g.....,/..]......qN.....V!<.3.).
..y#.........i0g0...U.%..0... .......0... .....0......0...U.......0.0.
..U...........0!..U....0...0.1.0...U....TGV-B-2770...*.H..............
..lt..\..z. ..N.f.!.S5d?J.&....r...D........L.`.s.p...HC.L.8f... .....
....GA7......P..Z.%.../............z.n.6~I...].).....W...W\|.uya..:...
^...hW..7.Z.uc.'....:.xL...HS.....>.........5......%....3S....h....
....U....o.C.\.t.....G.._.C0(l.E9..6UTxg.gF ..;.....
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.thawte.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1396

content-transfer-encoding: binary

Cache-Control: max-age=556432, public, no-transform, must-revalidate

Last-Modified: Wed, 17 Dec 2014 16:54:28 GMT

Expires: Wed, 24 Dec 2014 16:54:28 GMT

Date: Thu, 18 Dec 2014 06:22:17 GMT

Connection: keep-alive
0..p......i0..e.. .....0.....V0..R0...............w/.|`....a...2014121
7165428Z0s0q0I0... ........l....r.vdv0..*.~Y..X....e?z.4..G.L.......q.
.jV. .>...A.4........20141217165428Z....20141224165428Z0...*.H.....
..........._.9..(.l.N....Z.pMM...V.*.*...2....3.q..ur..{.b...W..(%p[.c
3Q...Y=..g..Y...R....Lh!.I...w..;.0.;b..9......i.y...M.QY.V..c...U....
....|..e4.s.Iv....jY.M.....,B...k.....v....TK..ol.N.i.X..*H...{.,.....
].C.aR.." .q.|.gdO.r...Oe@M......I.1...

GET /tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=e169e429ea1b47a2bac23449a7cbdad6eb587e946e&from=&to=5.7.9012.1008 HTTP/1.1

Accept: */*

User-Agent: SearchWithGoogle

Host: clients1.google.com


HTTP/1.1 200 OK

Content-Type: text/plain

Date: Thu, 18 Dec 2014 06:18:12 GMT

Expires: Thu, 18 Dec 2014 06:18:12 GMT

Cache-Control: private, max-age=0

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Server: GSE

Alternate-Protocol: 80:quic,p=0.002

Transfer-Encoding: chunked

16..rlz: 1R______enUA619..0..HTTP/1.1 200 OK..Content-Type: text/plain
..Date: Thu, 18 Dec 2014 06:18:12 GMT..Expires: Thu, 18 Dec 2014 06:18
:12 GMT..Cache-Control: private, max-age=0..X-Content-Type-Options: no
sniff..X-Frame-Options: SAMEORIGIN..X-XSS-Protection: 1; mode=block..S
erver: GSE..Alternate-Protocol: 80:quic,p=0.002..Transfer-Encoding: ch
unked..16..rlz: 1R______enUA619..0..

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT

Accept-Ranges: bytes

ETag: "88cab6f7ffcf1:0"

Server: Microsoft-IIS/8.5

VTag: 279123815300000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Thu, 18 Dec 2014 06:22:16 GMT

Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..141112173206Z..150211055206Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......W0... .....7......150210174206Z0.
..*.H................].`...D..9.>LO.ey...Qx%.^.P.& ...D.......b}.K.
.[.....5.m....).....H..6R....G/ju.........:..A.#.9!......D5...|".w.x..
=.u..X6.7{..).XN....g......B.8.!&...........<7fS$..........t<X)%
.b(0.L@..i..Kn.......fX... ,...K\....U1cp).........y.T..?rm.t..Y.}.E..
-@...

GET /tools/pso/ping?as=tbin&gu=pi&mode=3&sin=1&ein=0&version=7.5.5111.1712&brand=NCHD&hl=en&tbiv=7.5.5111.1712&time=1418883492&fitime=1418883492&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=AB0A80C9D2FDA747740FD9725D3094D66CC61iHFEF HTTP/1.1

User-Agent: Google Toolbar installer

Host: clients1.google.com


HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Date: Thu, 18 Dec 2014 06:18:12 GMT

Expires: Thu, 18 Dec 2014 06:18:12 GMT

Cache-Control: private, max-age=0

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Server: GSE

Alternate-Protocol: 80:quic,p=0.002

Transfer-Encoding: chunked

2..ok..0..

GET /components/toolbars/NCH_GoogleToolbar.exe HTTP/1.0

Host: VVV.audiochannel.net


HTTP/1.1 200 OK

Date: Thu, 18 Dec 2014 06:17:41 GMT

Server: Apache/2.2.29

Last-Modified: Fri, 17 May 2013 06:15:28 GMT

ETag: "befd0-4dce3e8c8c000"

Accept-Ranges: bytes

Content-Length: 782288

Connection: close

Content-Type: application/octet-stream

X-Pad: avoid browser bug

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7
.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7..........
..............PE..L...?..I.................h...@...B...4............@.
................................z.....................................
......................................................................
.....................................................text....g.......h
.................. ..`.rdata...............l..............@..@.data...
............................@....ndata................................
...rsrc...............................@..@............................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
...G..H.P.u..u..u...|.@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@
..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M
.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u
.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P
.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.2G.W....@..u.W...u....E.P.u..
...@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S..
...t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7e5273f67c02628d HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT

If-None-Match: "0b2464b1797cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com


HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT

ETag: "0b2464b1797cf1:0"

Cache-Control: max-age=86400

Date: Thu, 18 Dec 2014 06:17:57 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Las
t-Modified: Thu, 03 Jul 2014 23:34:12 GMT..ETag: "0b2464b1797cf1:0"..C
ache-Control: max-age=86400..Date: Thu, 18 Dec 2014 06:17:57 GMT..Conn
ection: keep-alive..

HEAD /dl/toolbar/t7/data/7.5.5111.1712/googletoolbarinstaller_en_signed.exe HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: dl.google.com


HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Length: 5030744

Content-Type: application/x-msdos-program

Etag: "416d3"

Expires: Thu, 18 Dec 2014 22:17:50 PST

Last-Modified: Tue, 25 Mar 2014 23:15:00 GMT

Server: downloads

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Thu, 18 Dec 2014 06:17:50 GMT

Alternate-Protocol: 80:quic,p=0.002

....

GET /dl/toolbar/t7/data/7.5.5111.1712/googletoolbarinstaller_en_signed.exe HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Tue, 25 Mar 2014 23:15:00 GMT

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: dl.google.com


HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Length: 5030744

Content-Type: application/x-msdos-program

Etag: "416d3"

Expires: Thu, 18 Dec 2014 22:17:50 PST

Last-Modified: Tue, 25 Mar 2014 23:15:00 GMT

Server: downloads

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Thu, 18 Dec 2014 06:17:50 GMT

Alternate-Protocol: 80:quic,p=0.002

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........R.&.3eu.3eu
.3eu...u.3eu...u:3eu...u.3eu.3du.2eu...u.3eu...u.3eu.3eu.3eu...u.3euRi
ch.3eu........................PE..L....F.S.................z..........
9u............@...................................L...@...............
..................|...H.....................L.X.......................
.....................................................................t
ext.............K.....PEC2*O......`....rsrc.................K.........
.... ....reloc................L.............@.........................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................7%..l....7%.......{...@.k.
i..Y.. ....O}...X..Q>!L........f.l.Hs..s...5.*.O..{0=L...L..j2}.\b.
....s?P.........n......}M...^.......7..........5..).SF.f6..:.#.0...@|y
.a-h......5>b......Jb6......u?l.q..Iu..fI$M.ex..A..5.3.)......k..u.
.~....y...U:..[.B..cHD.X...Yn...c............@..........2.F....q.."%.'
..E.........).t.............{%...m.n............y.}.s.......a(..."....
.9.f...#."..l/....M..aA.3M.....B.k'.......]..z..w.8.B..2..S.z..l_....7
=..3I[.l(.V.I.......!.K."c...`..5.7......w. .........3A...`.~.....

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1697

content-transfer-encoding: binary

Cache-Control: max-age=340474, public, no-transform, must-revalidate

Last-Modified: Mon, 15 Dec 2014 04:54:07 GMT

Expires: Mon, 22 Dec 2014 04:54:07 GMT

Date: Thu, 18 Dec 2014 06:22:11 GMT

Connection: keep-alive
0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 C
ode Signing 2004 CA OCSP Responder..20141215045407Z0s0q0I0... ........
?.@..w.........Y.!......Q...==d6|h.[x....7..`..........cV.!.....201412
15045407Z....20141222045407Z0...*.H.............O.1.P*........i..]w.. 
..P.Z.....4....t#..LzE8>.4".....:..t9..eUg.U....1..J\=.'...I....?,.
mr. |4<I..!..........Vd...m. ......H[x.1H./........f).........}....
W8..bv?.CHZ2.hK..wx..ia....z@.f-o8.l....)>..Z..`$.p9.E..p...y..;4.n
^.o.........Q....p..3.,..Lz>...3.....0...0...0..{.........[..I|....
.Zm..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U..
..VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisig
n.com/rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140
428000000Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 20
04 CA OCSP Responder0.."0...*.H.............0.........Y....h..@..>.
....%.-.....O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l
.....f..;]s!.\"v...|....].@.....K7m2...N......-S.I......5n...G7. ..W..
..n..*..-f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....&l
t;..6.....[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%.
.0... .......0...U...........0... .....0......0f..U. ._0]0[..`.H...E..
..0L0#.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.sym
cb.com/rpa0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>
q..i1o...0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..w
o......E.....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|..<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=359954, public, no-transform, must-revalidate

Last-Modified: Mon, 15 Dec 2014 10:19:02 GMT

Expires: Mon, 22 Dec 2014 10:19:02 GMT

Date: Thu, 18 Dec 2014 06:22:17 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2014121
5101902Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.A..2.....:...:......20141215101902Z....20141222101902Z0...*.H........
.....A.?v....x...R..IV..........9.%...OQ.&lm..L81!.l4......v,.....:e..
.....m.2\$K.I.GS..E95.J.G;...T...lj.....f.=.5!$..cM..0'....F.k.n.$.6s.
..V.<.xbrT....).nC...`Q.m18d.....V...?9O..X.$...bZ...[.....%z^.....
'...l..e....b.(q..CH. .........T.M.d.:...@4.Sk.d!..-,....#0...0...0...
.......<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
..{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(....
......p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.
}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....
(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U..
..0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisig
n.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp.
 by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U.....
...0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...<<< skipped >>>

The PUP connects to the servers at the folowing location(s):

scribe.exe_2676:

.rdata

@.data

.rsrc

mscoree.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

.mixcrt

KERNEL32.DLL

GetProcessWindowStation

USER32.DLL

operator

CWD %s

DELE %s

RNFR %s

RNTO %s

UxTheme.dll

dwmapi.dll

software=Scribe&version=5.69&report=UINSTALL&text=%s-%s&language=en&platform=Win&extra1=%d%s

hXXp://%s/components/%s

user32.dll

hXXp://VVV.audiochannel.net/versions/components/%s.txt

%s%d%d%d

kernel32.dll

hXXp://cgi.nch.com.au/cgi-bin/regcheck.exe?cmd=v&id=%d&magic=%d&magicb=%d

tb_%s_us.dat

tb_%s_uk.dat

tb_%s_row.dat

hXXp://VVV.audiochannel.net/versions/components/%s

hXXp://VVV.audiochannel.net/components/toolbars/NCH_Chrome.exe

hXXp://VVV.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe

hXXp://VVV.audiochannel.net/versions/scribe.txt

comctl32.dll

TaskDialogIndirect

software=Scribe&version=5.69&report=COMMENT&text=COMMENT-%s&language=en&platform=Win

%s%s%s

MAPI32.DLL

SMTP:%s

%s, %.2d %s 20%.2d %.2d:%.2d:%.2d %s%.2d%.2d

From: %s

To: %s

Subject: %s

Date: %s

X-Mailer: Scribe VVV.nch.com.au/software

gc0p4Jq0M2Yt08jU534c%d

Content-Type: multipart/mixed; boundary=%s

Content-Type: %s; name="%s"

Content-Disposition: attachment; filename="%s"

--%s--

AUTH LOGIN

MKD %s

RMD %s

USER %s

PASS %s

RETR %s

%s %s

STOR %s

MFMT dddddd %s

MDTM %s

MLST %s

MLSD %s

Windows_NT

LIST %s

LIST %s*

SIZE %s

folder %s

http=

%s/%s

POST %s HTTP/1.0

Host: %s

Content-Type: application/x-www-form-urlencoded

Content-Length: %d

HTTP/1.

google.com

yahoo.com

C:\SourceCode\llib\include\../net/ssl.cpp

GET %s HTTP/1.0

CONNECT %s:%d HTTP/1.0

GET %s%s%s HTTP/1.0

User-Agent: %s

webm

%d %d

?#%X.y

PeekNamedPipe

GetProcessHeap

CreatePipe

KERNEL32.dll

RegCloseKey

RegOpenKeyExW

RegEnumKeyW

RegSetKeySecurity

RegDeleteKeyW

RegOpenKeyW

RegQueryInfoKeyW

RegCreateKeyExW

CryptDeriveKey

RegEnumKeyExW

ADVAPI32.dll

COMCTL32.dll

comdlg32.dll

GetViewportExtEx

SetViewportExtEx

GDI32.dll

acmDriverClose

acmDriverDetailsW

acmDriverEnum

acmDriverOpen

MSACM32.dll

ole32.dll

OLEAUT32.dll

ShellExecuteW

ShellExecuteExW

SHELL32.dll

SHDeleteKeyW

SHDeleteEmptyKeyW

SHLWAPI.dll

GetKeyState

GetAsyncKeyState

CreateDialogIndirectParamW

MsgWaitForMultipleObjects

UnhookWindowsHookEx

UnregisterHotKey

SetWindowsHookExW

GetKeyNameTextW

MapVirtualKeyW

RegisterHotKey

USER32.dll

WINMM.dll

WS2_32.dll

NETAPI32.dll

MSIMG32.dll

iphlpapi.dll

WININET.dll

DNSAPI.dll

GdiplusShutdown

gdiplus.dll

GetCPInfo

GetConsoleOutputCP

zcÁ

SSShB

SSSSSSSh$

SSSSSSShp5@

u.SSW

z<%uv

SSShh

PVVj.Vf

D$`PWWj.Wf

PSSh4

F%XrB

PSSSSSSh

SSShTfB

_^[t.hp

}rSSh7

ttSSh

C%uuQ

!t.Ht

Ht.Ht

PWSSh

.snduG

Ph<%C

Vh,%C

Ph\%C

WhL%C

Phl%C

Wh|%C

t8Ht.Ht$Ht

PVSSh

%Program Files% (x86)\NCH Software\Scribe\scribe.exe

ssshhhWWW

-!.WF

2%SGE

(%xSK

=<>#"$%$&%$&%$&%$&%$&#"$/.0

33333333

"((("&&!

"((("&&&

"((("'''

3% !5&!%

5&!%3% !

D3.DD3.

.HKLJ

SHD.SHD

44444444444

4444444444

44444444

444444444

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"/>

<requestedExecutionLevel level="asInvoker" />

<!-- Windows 8.1 -->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<!--The ID below indicates app support for Windows 8 -->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!--The ID below indicates app support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--The ID below indicates app support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

mhXXp://ns.adobe.com/xap/1.0/

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3277C77D7132E0118D16E72A4E8059DE" xmpMM:DocumentID="xmp.did:314D5A19534B11E0A6A5AAFBD55133F0" xmpMM:InstanceID="xmp.iid:314D5A18534B11E0A6A5AAFBD55133F0" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B6AAD5DF4A53E0118E8DE62C10C1BCAC" stRef:documentID="xmp.did:3277C77D7132E0118D16E72A4E8059DE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

Attachments of "%s"

%s file already exists. Do you want to replace it?

%s\%s

Password

.webm

"%s" "%s"

%s -w %s

"%s" "%s" "%s"

Cannot open the file "%s" because it is corrupt.

Cannot open the file "%s". Check it exists and you have read access.

Cannot open the file "%s". It is possible the file format is not supported by this program. Please see "hXXp://VVV.nch.com.au/acm/formats.html" for more information.

Cannot open the file "%s" because the required codec ("%s") is not installed. See "hXXp://nch.com.au/acm/index.html" for more information.

Cannot open the file "%s" because it is using an unknown codec or is possibly not a real wave file.

Cannot open the file "%s". It is possibly either corrupt or not a true layer-3 MPEG file.

Visit "hXXp://VVV.microsoft.com/directx" to obtain the latest version.

.flac

The decoder process failed when decompressing the file "%s" to wave format. It is possible your logon account does not have write access to the folder "%s"

Cannot open file "%s". It is possible that the file is protected with Digital Rights Management (DRM) which limits where the audio file can be used.

Cannot open the file "%s". It is possible you do not have the Sony plugin installed or your recorder is not supported. If you do not have the plugin please download it from "hXXp://VVV.nch.com.au/scribe/sony.html".

key%u

Unable to load an encrypted recording because the decryption key has not been set. Please enter the decryption key and try to load the dictation again.

The notes for this dictation are too long to display in the notes window. They have been moved to an attachment called "%s".

_%d.owf

Saving: %s

Unable to open dct or wav file because audio compression codec is not installed on this computer or file is corrupt. If the problem persists see VVV.nch.com.au/acm for more information about codecs. You might need to install further Audio Compression Manager codecs from your Windows CD-ROM. If it is a wav file, try to open it with Windows Media Player to auto-install codecs.

Attempt to delete the file "%s" failed. It is possible that the folder is read only or your do not have delete access rights on the folder.

Component download or installation failed. (%s)

The %s format is not supported by Express Scribe.

_%s_%s

*._%s_%s

Checking for files to load from FTP...

Cannot log onto the FTP server "%s". The server may be having problems. Otherwise please check you have entered the server name and any required user and password correctly.

Cannot find the directory "%s" on the FTP server.

Incoming%d

FTPSecure

FTPServer

.aiff

.aifc

Temp%d.wav

.dart

.mpdp

shell32.dll

%sAscend

Bookmarks of "%s"

Track %d

CD%.2dTrack%.2d_Dur%s.cda

.orig

.dvr-ms

bookmark%d

bookmarkÜreatedate

bookmarkÝata

%.8u.dat

%s:%s:%s.000

*.dat

Video playback requires %s

UseSMTPHost

MailSMTPHost

SMTPAuthOn

SMTPUserName

SMTPPassword

Dictation (%s)

Transcript.txt

F%sChannel

control.exe mmsys.cpl,,1

sndvol32.exe /rec

Dock %u

Please connect your portable recorder to your computer and press the play button on your portable recorder.

FtpServer

FtpUserName

FtpPassword

FtpDirectory

dctfwd%sender-num%-%dict-num%-%dict-name%

FTP Server Details Required.

Please enter the FTP server name, user name, password and directory.

Hotkey

FTPAnonymous

hXXps://secure.nch.com.au/cgi-bin/register.exe?software=scribe

Time must be between %s and %s.

%sColumn

%sText

VVV.nch.com.au/scribe/index.html

VVV.nch.com.au/scribe/support.html

hXXp://VVV.nch.com.au/suggestions/index.html?software=Scribe&version=5.69

hXXp://VVV.nch.com.au/software/bug.html?software=Scribe&version=5.69

Dock a recording from a portable recorder (using default method)

System-Wide Hot-Keys...

Float Above Other Windows

High Pass Filter

Export Notes...

Transfer from Portable (Dock)

scribe.exe

%s - Licensed software

%s - Licensed to %s

%s (Unlicensed) Non-commercial home use only

WindowStandard

%s Mini

%s v 5.69

Welcome.dat

List %d of %lu

This %s file is not supported by Express Scribe.

*.dct

%s.dct

A file with the name '%s' already exists.

ExportNotesFolder

notes.txt

Export Notes

Error exporting notes.

The wordprocessor base file %s does not exist.

%s: %s

highpass

Disable system-wide hot-keys

Enable system-wide hot-keys

"%s" has sent a dictation cancel and recover notice for the file "%s". Do you want to delete this file from the list?

%s File Format

Speed (%d%%)

Playback Speed (%d%%)

The file '%s' that Express Scribe is attempting to load is encrypted. A decryption key has not been set so it cannot load the file. Would you like to set one now?

Set Key

Decryption Key Not Set

The space on the hard drive is running low. Currently only %dMB is free. Please free space by deleting unused files.

@ (%s)

%d of %d Loaded

Encryption key not set for this Dictation

File: %s

From: %s

Email: %s

You must have Express Scribe installed to open the file. Express Scribe can be downloaded free at VVV.nch.com.au/scribe.

Forwarded to %s

Unable to copy the file "%s" into the send folder "%s".

Unable to logon to ftp server "%s" with user name "%s" and the entered password.

FTP upload failed because the directory "%s" was not found on the server "%s".

FTP upload of file "%s" failed.

Forwarded to %s/%s

=:d

%d:d

=:d.d

%d:d.d

d:d

d:d.d

-:d:d

%d:d:d

d:d:d

d:d:d.d

-:d:d.d

%d:d:d.d

.divx

.mjpeg

.moov

.mp4v

.mpeg

.rmvb

.xvid

.mpga

tload.dat

Welcome.wav

Template.doc

Word%d

[MME] %s

*.wav;

Invalid encryption key

key%d

This file type is not supported

Express Delegate (%s)

FTP (%s)

Folder (%s)

Automatic every %d mins

Invalid profile for user %d

No default profiles found. Please create a profile by using Windows' Control Panel -> Speech.

[Default] %s

*.wpd;

Microsoft Windows Write Files

*.wri;

*.doc;*.docm;*.docx;*.dot;*.dotm;*.dotx;

*.wps;*.wpt;

*.odt;*.ott;

*.sdw;*.stw;*.sxw;*.vor;

*.rtf;*.txt;

Web Pages

*.htm;*.html;*.mht;*.mhtml;*.url;

*.xml;

The file "%s" cannot be added to the word template list. Please do not select a file with extension ".dat" as word proccessor template.

*.sta

s%.7u.sta

%s-%s.sta

{2318C2B1-4965-11d4-9B18-009027A5CD4F}

FTP file transfers

Upload your website using ftp

Manage stock, procurements and reporting

Track and Report Income and Expenditures

Zulu Disc Jockey Software

Clean and optimize your Windows registry by removing the old and damaged data that is bogging down your computer performance.

Voxal is a real time voice changing program. Change your voice live through speakers, in softphone calls, or any application or game that uses a microphone.

twelvekeys

TwelveKeys Music Transcription

Universal audio converting software supports all popular audio formats including mp3, wma, wav, midi, m4a, and more. Use it to convert and compress sound files.

Orion finds and recovers deleted files on hard drives, external and portable drives. Or use the drive scrubber to ensure deleted files can't be recovered.

Key Blaze Typing Tutor Software

A powerful FTP client that integrates with Windows Explorer for manual or automatic file uploading, or sync/mirror files and folders via FTP.

Fling FTP Sync Software Client

Easy to use file backup software to automatically back up critical data to CD, DVD, Blu-ray or a remote FTP server. Don't take chances with your valuable data.

Use this text expansion software to create keyboard shortcuts that will expand to an entire word, sentence, paragraph or document. A useful time saving tool.

Digital dictation software to record and send dictation for transcription directly from your computer, or dock and send dictation from a portable device.

Professional accounting software to manage and report business income and expenses, sales, invoices and payments. Great for small and medium-sized companies.

Easy to use video recording software lets you capture and record video from a webcam, your computer screen, an external video device or online streaming video.

Easy and reliable FTP client software. View, edit, upload, download, delete and otherwise manage files on a remote server, website or network.

cftpsetup

Classic FTP - FTP Client Software

ClassicFTP

Use your PC to broadcast live or recorded video from a webcam, computer screen or video input device. Video streams will play in all popular web browsers.

InstallReport

hXXps://secure.nch.com.au/cgi-bin/register.exe?software=scribe&source=softwaretrial

mhXXp://VVV.nchsoftware.com

A full list of our products can be found at the below website. You may find another product that is more suitable for your needs.

nhookappcommand.dll

software\microsoft\windows\currentversion\app paths\%s

Global\%s

fmm%s

API Test OK [%s].

Local_Response_%d

Software\Classes\%s

hXXp://VVV.nch.com.au/upgrade/index.html?software=scribe&upgradeid=%d&upgradekey=%s

hXXp://VVV.nch.com.au/activate/index.html?code=%s

%d:%d:%d

%d-%d-%d

Express Scribe Transcription Software.lnk

NCH Software.lnk

NCH Suite.lnk

Software\Microsoft\Windows\CurrentVersion\Uninstall\Scribe

URLInfoAbout

URLUpdateInfo

Software\Microsoft\Windows\CurrentVersion

hXXp://cgi.nch.com.au/cgi-bin/report.exe

uninst.exe

Uninstall is complete. If you need to reinstall this software again you can download it from VVV.nchsoftware.com.

Software\NCH Software\Components\%s

s.exe

%sLock

Special discount pricing ends on the 15th of %s.

Special discount pricing ends at the end of %s.

InstallingChrome

LaunchChromeOnInstall

Express Scribe Transcription Software

hXXp://VVV.nchsoftware.com/software/thanks.html?software=Scribe&appname=%s&version=5.69&base=scribe&domain=nch&buyoffer=scribe&plus=%s&pclass=free%s%s%s%s%s%s%s%s&instby=%s

&usage=XX

"%s" -uninstall

scribesetup_v5.69.exe

Software\NCH Software\Scribe\%s

-LQUIET -instby %sScribe

%s (%s)

audiochannel.net

VVV.nch.com.au

hXXp://VVV.nch.com.au/components/%s.exe

An install-on-demand component could not be installed automatically. Please run it from the URL below then try again.

%s=%s

_scribe_rl_%s

Report Bug

Would you be willing to complete an NCH Software Bug Report so our programmers can try to fix this? Please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.

hXXp://VVV.nch.com.au/software/bug.html?software=Scribe&version=5.69&xi=AbTermOrHang-Win%d%d

Win%d%d

Ukn0(Msg%dLstCmd%d)

(Cmd%d)

%s-%s-%s-%s

dbghelp.dll

Abnormal Execution Problem

Would you be willing to complete a NCH Software Bug Report so our programmers can try to fix this? If so, please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.

hXXp://VVV.nch.com.au/software/bug.html?software=Scribe&version=5.69&xi=GUI-%s

%d-%d-%%d

Please check you have exited any previous running instances of Express Scribe Transcription Software and any other programs that might be using the file "%s". Then run the installer again.

Installation cannot be completed because the file "%s" cannot be written to.

LLIBShowrelatedwhenchromeoff

LLIBShowrelatedwhenchromeon

LLIBShowrelatedwhennochromeoff

LLIBShowrelatedwhennochromeon

Please read the following important information before continuing.

c:\program files (x86)\

Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s\UserChoice

Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s

NCH.Scribe%s

Scribe.BAK

%s\FileAssociations

reg.exe

%s\OpenWithProgIds

Applications\scribe.exe

%sfile

%s\DefaultIcon

%s,%d

%s\shell

%s\shell\open\command

"%s" "%%L"

Applications\scribe.exe\shell\open\command

Applications\scribe.exe\shell

Applications\scribe.exe\DefaultIcon

software\classes\%s

-addremfiletyperun "%s" "%s" "%s" "%s" %d

%s\Shell\%s\command

SystemFileAssociations\%s\Shell\%s\command

"%s" %s "%%L"

Software\Classes\%s\Shell\%s\command

-addfiletyperunspecial "%s" "%s" "%s" %d

%s\Shell\%s

SystemFileAssociations\%s\Shell\%s

-remfiletyperunspecial "%s" "%s"

explorer.exe

Advapi32.dll

W"%s" %s

hXXp://VVV.nchsoftware.com/%s.html

hXXp://VVV.nch.com.au/%s.html

hXXp://VVV.nch.com.au/kb/%d.html

.html

hXXp://help.nchsoftware.com/help/en/scribe/win/%s.html

Local\ScribeProcessEXE%s

-elevated %s %s

"%s" -exe %s

Software\NCH Software\%s\Settings

Software\NCH Swift Sound\%s\Settings

"%s" %%s

Waiting for %s

ExpressScribe will continue when %s closes.

TwelveKeys

twelvekeyssetup

KeyBlaze

hXXps://secure.nch.com.au/cgi-bin/register.exe?software=scribe&version=5.69%s%s%s%s%s%s%s%s&instby=%s

hXXp://VVV.nchsoftware.com/software/registered.html?software=%s&appname=%s&version=5.69&base=scribe&domain=nch%s%s%s%s%s%s%s

ID - Key:

%s-%s

hXXp://VVV.nch.com.au/upgrade/index.html

%s Registration Code:

Register %s

Click here if you have not activated your 12-digit serial number online and have not received an ID-Key.

If you have already activated your serial number online, check your email for the ID-key. Then, click here to enter your ID-Key.

The code that you have entered is a license serial number. You must activate your serial number online to receive the ID-Key needed to register this software.

ID-Key is required to complete the registration.

Old Version Key

- You are using the correct ID and key for the correct product. Only the ID and key for Express Scribe Transcription Software will be accepted.

support/reg

registration.txt

Name: %s

Location: %s

ID - Key: %d - %s

-clear -label "Express Scribe Transcription Software Installer" -type data "%s" "%s"

Validate Key

Key cannot be validated. Please connect to the internet and try again.

00:00:00

2014-02-01

%s - %s Version Required

%s Version Required

nch.com.au

nchsoftware.com

hXXp://VVV.%s/%s

%s [Recommended]

Google Chrome, a faster way to browse the web

Free games, themes and utilities from the Google Chrome Store

Why people choose Chrome:

Install Google Chrome as my default browser

Google Toolbar makes web browsing more convenient:

Search from any website

Translate web pages instantly

hXXp://VVV.google.com/toolbar/ie/partnereula.html?hl=en

hXXp://VVV.google.com/accounts/TOS?hl=en

hXXp://VVV.google.com/intl/en/privacy/privacy-policy.html

By installing this application, you agree to the Google Chrome

By installing this application, you agree to the Google Chrome

hXXp://VVV.google.com/chrome/intl/en/eula_text.html

hXXp://VVV.google.com/chrome/intl/en/privacy.html

reject-chrome

Automatic download of the install-on-demand component "%s" failed.

The website will now be opened where you can download it manually.

Open Website

-installrelated %x -toolbar %x

NCH Software\Scribe%s

Scribe%s

%sT%s

Click to install and run %s

Click to run %s

Express Scribe Transcription Software cannot launch the program required to perform the selected task. Please go to nch.com.au/software to download it and try again.

hXXp://VVV.nchsoftware.com/software/index.html

hXXp://VVV.nchsoftware.com/software/newsletter.html%s%s

hXXps://secure.nch.com.au/cgi-bin/register.exe%s%s

hXXp://cgi.nch.com.au/cgi-bin/search.exe?q=%s&site=VVV.nchsoftware.com%s%s

Click to visit our website

(EOF) Element <%s> should be terminated with </%s>. Check you have terminated your element properly.

Tag <%s> does not have a closing '>'

Misplaced </%s> which does not match a <%s>.

Element <%s> should be terminated with </%s>, was with %s. Check you have terminated your element properly.

Ln %d, Col %d: %s

http\shell\open\command

iexplore.exe

iexplorer.exe

firefox.exe

chrome.exe

Installing Google Chrome

The Google Chrome installer could not be downloaded.

ChromeRequiresLaunch

ChromeScribe

software\Google\No Chrome Offer Until

NCH_Chrome.exe

Sorry, Chrome was not installed because of some problems encountered during the installation process.

Chrome

NCH_GoogleToolbar.exe

chrome-google

chrome

Install Google Chrome - Free

Get Chrome to View Help Files

We recommend Google Chrome as the preferred viewer for our help pages.

Google Chrome is free and fast.

%.4d-%.2d-%.2d Express Scribe Transcription Software Log.txt

%s%sshmf%ii.bin.tmp

Technical Support Page

Send Bug Report

Classic FTP Software

tar.gz

VVV.nch.com.au/scribe

splash.jpg

hXXp://VVV.nch.com.au/suggestions/index.html?software=Scribe&version=5.69%s%s

hXXp://VVV.nchsoftware.com/software/newsletter.html?software=Scribe&version=5.69%s%s

hXXp://VVV.nch.com.au/software/dictation.html

hXXp://VVV.facebook.com/NCHSoftware

hXXp://twitter.com/nchsoftware

hXXps://plus.google.com/ nchsoftware

hXXp://VVV.facebook.com/sharer/sharer.php?u=%s

I just downloaded %s. Try it here:

hXXp://VVV.twitter.com/home?status=%s%s

hXXps://plusone.google.com/_/ 1/confirm?hl=en&url=%s

hXXp://VVV.stumbleupon.com/submit?url=%s&title=NCH Software

hXXp://VVV.linkedin.com/shareArticle?url=%s&title=NCH Software&mini=true

hXXp://VVV.nchsoftware.com/software/rateit.html?software=Scribe&appname=%s&version=5.69&rating=%d&upgradeoffer=scribe&os=Win&lang=en&base=scribe&domain=nch%s%s%s%s%s&instby=%s

Certify this program is being used for non-commercial, home use only

This version 5.69 of Express Scribe Transcription Software will only work on Windows 8 or earlier. A newer version is available for download on VVV.nchsoftware.com.

Software\NCH Software\%s

Software\NCH Swift Sound\%s

Quick Install-on-Demand %s

-extsuite %s

-extfind %s

Software\Classes\.%s

software\microsoft\windows\currentversion\explorer\fileexts\.%s\userchoice

%s\shell\open

"%s" -extfind %s "%%L"

%SystemRoot%\system32\shell32.dll,19

Software\Classes\%s\Shell\%s

Software\Classes\%s\Shell

hXXp://VVV.nch.com.au/index.html

An install-on-demand component is required for this operation.

NCH Software\%s\%s.exe

NCH Swift Sound\%s\%s.exe

%s "%s"

Software\Classes\%s\shell\open\command

Software\Classes\%s\shell

Software\Classes\%s\shell\open

Software\Classes\%s\DefaultIcon

%s%s%s%s

Report a Problem

Click here if you would like to report a problem with Express Scribe Transcription Software.

If you find any problems with this release please let us know by reporting them.

%s Home Page

hXXp://VVV.nch.com.au/software/audio.html

Distributed by %s

Licensed User: %s

Item %d

Col%d

%d.%d.%d

lAdd New Hot-Key

Click "Change..." to assign key

Hot-key Required

Please click here to assign the hot-key.

Key Already In Use

Sorry, the key you have chosen is already in use as a hot-key. Please choose another key.

F12 is reserved for the operating system. Please choose another key.

Alt F4 is already used by the operating system. Please choose another key.

Command Already Assigned A Key

Sorry, the command you have chosen already has a hot-key associated with it. Please choose another command.

Delete Hot-Key(s)

Delete the selected hot-key(s)?

Set Default Hot-Keys

Reset all hot-keys to the default configuration?

Channel-%u-

0:00:00.000

J.grf

SMTP

IPM.Note

xMAPI32.DLL

e.g., mail.myisp.net

e.g., myemail@myco.com

Your email software (e.g., Outlook, Eudora, etc.) has not been set up for MAPI. Refer to your email software Help to find out how to set it up for MAPI. Otherwise use the SMTP option.

If you choose SMTP you must enter a valid reply-to address. Enter your email address.

If you choose SMTP you must enter an SMTP mail host. Call your ISP if you don't know what your SMTP mail host is.

If your SMTP server requires authentication, you must enter a SMTP username to connect to your server.

Password Required

If your SMTP server requires authentication, you must enter a valid SMTP password to connect to your server.

Unable to connect to mail server "%s" when sending an email to "%s".

Unable to connect to either mail server "%s" or the mail server at "%s".

Unable to connect to mail server "%s".

Mail host server error (HELO not accepted, error code 504) for destination email %s - usually this means the email address is not valid.

Mail host server error (HELO not accepted): %d emailto: %s

Email authentication username or password not accepted

Scribe@%s

<Mail host server error (MAIL FROM not accepted). Please check your Email Settings.%s - (%d - %s)

Error while trying to send email. Email address may be wrong or your SMTP server may require a username or password. Please check address again and see Email Settings.

The recipient's email server does not allow email to be received in this manner. Please use an SMTP account for sending email to this address.

The recipient's email server rejected this email because of an unspecified reason. Try using an SMTP account for sending email to this address.

Mail host server error (data terminator not accepted) emailto: %s mailhost: %s error: %d

n%d.%d.%d.%d:%d

This FTP server does not support the required protected mode data transfers for SSL connections.

Deleting %s/%s/%s

%s: %2.0f%%

Testing FTP...

Unable to connect to server "%s".

Server "%s" is OK.

Unable to logon with username "%s" or entered password.

Unable to change to the directory "%s".

Current directory is: %s

Passive Connection Failed!

see VVV.nch.com.au/kb/10047.html

d_ftptest

Passive mode

Changing directory to %s

FTP Explorer

FTP Explorer - %s

FTP Explorer - Change Directory

%d objects

FTP Download

FTP Explorer - View File

Check you have permission to download files with this FTP user account.

FTP Explorer - Confirm Delete

Deleting file: %s

Unable to delete file "%s".

FTP Explorer - Delete File

Deleting folder: %s

Unable to delete directory "%s".

FTP Explorer - Delete Directory

FTP Explorer - Open File

FTP Explorer - Create Directory

Directory already exists or you do not have permission to create directories with this FTP user account.

FTP Explorer - Rename File

Check you have permission to rename files with this FTP user account.

Date Modified: %s Size: %s

%d objects selected

FTP Connect

FtpExplorer

KFile does not exist: %s

Not enough memory available to load %s

Cannot open xml file: %s

%s/microsoft/windows mail/local folders/%s

SMTP_Server

SMTP_Email_Address

00000001

Software\Microsoft\Internet Account Manager\Accounts\%s

SMTP Email Address

SMTP Server

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\%s

{ED475418-B0D6-11D2-8C3B-00104B2A6676}

%s\%s\d

%s\Thunderbird

%s\profiles.ini

%s\%s\prefs.js

mail.accountmanager.defaultaccount

mail.account.%s.identities

mail.identity.%s.useremail

mail.smtp.defaultserver

mail.smtpserver.%s.hostname

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Eudora.exe

deudora.ini

eudora.ini

%s\Qualcomm\Eudora\eudora.ini

SMTPServer

Windows Mail

Mozilla Thunderbird

%d.%d.%d.%d

127.0.0.1

libeay32.dll

ssleay32.dll

Windows Media Audio V1

Windows Media Audio V2

ACELP.net

Loading %s

Loading CD Track %d

Only supports conversion of CD tracks to mono or stereo.

"%s" "%s" "%s" -d

"%s" -x "%s" "%s"

"%s" -d -o "%s" -F "%s"

"%s" -o "%s" "%s"

"%s" -d -o "%s" "%s"

Decoding %s file

Express Scribe Transcription Software could not locate a plugin for the file with extension "%s".

You will need to download and install the plugin yourself from here: hXXp://VVV.nch.com.au/components/%s.exe.

Express Scribe Transcription Software could not locate a plugin for the file with extension "%s". No plugin appears to be available, therefore this format may be unsupported. Visit hXXp://VVV.nch.com.au/components/index.html to check if there is a plugin for this format.

*.aud

*.grf

Unsupported DCT file format version

Decryption key is incorrect

Attempting to skip extensible data in an encrypted dictation without the correct decryption key

Attachment%d%s

Loading DCT File: %s

Saving DCT File: %s

Unable to load the installed %s decoder component.

Unable to initiate the installed %s decoder component.

%s decoding failed.

Unable to open the %s file.

The file is not a valid %s file.

Unrecognized %s format variant.

%s file header removal failed.

s520.dll

Unable to load %s.

Unable to load decoder from %s.

Please check that the %s file is valid and complete.

a1600.dll

a1800.dll

a4800.dll

Windows Record Mixer

%s/%d.aud

%s%d.aud

Read %s of %s

%d:%.2d:%.2d

.wavpcm

.sndt

.sndr

.vorbis

.nist

.maud

.mat5

.mat4

.lpc10

.ircam

.hcom

.gsrt

.fssd

.dvms

.cvsd

.cdda

.amr-wb

.amr-nb

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\Recognizers

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech\RecoProfiles

VID_Cmd

langid=%d

type=%s

High Pass

Speex ACM Codec xiph.org

(unverified) For the Record - hXXp://VVV.fortherecord.com

Aureal Semiconductor RAW SPORT

Windows Media Audio Lossless V9

Windows Media Audio Professional V9

Windows Media Audio V2 V7 V8 V9 / DivX audio (WMA) / Alex AC3 Audio

Windows Media Audio V1 / DivX audio (WMA)

Sipro Lab Telecom ACELP.KELVIN

Sipro Lab Telecom ACELP.net

Microsoft Windows Media, RT Voice

Compaq Computer VSELP (codec for Windows CE 2.0 devices)

wmvcore.dll

C:\Windows\System32\pedaldrv.dll

Function not found in driver: %s

{x-x-x-xx-xxxxxx}

{00000000-0000-0000-0000-000000000000}

{555504B4-0000-0000-0000-504944564944}

{18440911-0000-0000-0000-504944564944}

NPort

Port open failed

0xX

Switch: %s

NCouldn't read input report

Invalid input report length

Foot pedal status: %s

Windows %d.%d

%s can be controlled by a foot pedal controller. If you have purchased a controller, please connect it now and click on "Controller setup wizard"

hXXps://secure.nch.com.au/cgi-bin/register.exe?software=%s

Purchase %s for compatibility with more pedals

hXXp://VVV.nch.com.au/hardware/pedals.html

e.g.pedaldrv.dll

Plug and play controller diagnostics for %s

v %s (%s):

Vendor ID: %s

Product ID: %s

Revision: %s

Product string: %s

Path: %s

Usage page: %u

Model data: %s

Key: N/A

Key: %s

Company: %s

Model: %s

Allowed: %s

Product name: %s

N\\.\%s

Nhid.dll

cfgmgr32.dll

setupapi.dll

%sname

%ssize

%smd5hash

Express Delegate [%s]

password

DelegateServerPort

DelegateLoginEmail

DelegateLoginPassword

Password:

Auto-import source

AutoImport

FTP Connection Test

Download from an FTP server

Invalid port

hXXp://VVV.nch.com.au/delegate/index.html

e.g., delegate.company.com

Port:

e.g., name@company.com

%s v %d.d

Server name: %s

Server description: %s

Server application: %s

Server SDK: v %d

Database ID: %s

FTP options

e.g., PTF.company.com

Secure connection (FTPES)

Warning: Dictations will be automatically deleted from the FTP server once they are loaded.

Windows Media Video 9

Windows Media Video 8

Windows Media Video 7

32 bit support

WebCam JPEG

@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\i420

@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\iyuv

@device:sw:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\ffdshow video encoder

hXXp://ffmpeg.org

avutil-52.nch.dll

swscale-2.nch.dll

avcodec-55.nch.dll

avformat-55.nch.dll

swresample-0.nch.dll

S.wpp

.clpi

"%s" - -

"%s" -s %d -d -w -

FAAD2 AAC/HE-AAC/HE-AACv2/DRM decoder (c) Nero AG, VVV.nero.com

"%s" -o raw

Copyright (C) 2000-2002 Michel Lespinasse <walken@zoy.org>

Copyright (C) 1999-2000 Aaron Holtzman <aholtzma@ess.engr.uvic.ca>

License terms for this component can be found at: hXXp://VVV.opensource.org/licenses/lgpl-license.php

"%s" %s - -

"%s" -C %d -R %d -b %d

"%s" -r

-b %d --cbr --nores --nchvideo - -

%s 00:00:00

%s %.2d:%.2d:%.2d

%s %d

Fddraw.dll

Portable Anymap

Portable Network Graphics

Joint Photographic Experts Group

.wbmp

.tiff

.jpeg

Certain parts of this software fall under the Little CMS License:

Portions of this software are Copyright (c) 1998-2011 Marti Maria Saguer.

Certain parts of this software fall under the LibJPEG License:

Encoding %s image

%Program Files% (x86)\NCH Software\Scribe

C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe

C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Current

C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Done

C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Status

C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Logs

Use SMTP to send email directly to the mail server

SMTP mail host:

Send directly to other side (work as own SMTP server)

A full list of our products can be found at our below website. This may help you to find another product that is more suitable for your needs.

Constrain Proportions

Change Key

&ID - Key:

Change Hot-Key Command

Hot-Key

Press Key

Press a key or a key combination.

FTP Connection Test Results

WebM Encoding Settings

Two Pass Encoding

Windows Media Encoding Settings

User Encryption Key

User encryption key

Set key:

Set key

Upload to server (FTP)

Use secure FTP connection (SSL/TLS)

(if a key is available for the original sender)

Hot-Keys

Key assignment

Express Scribe can automatically download recordings on demand from a folder on your computer network (LAN) or an email attachments folder or via the Internet (using an FTP Server).

Set user's decryption key (to accept encrypted files)...

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

TPAutoConnSvc.exe:1776
GoogleUpdate.exe:1160
GoogleUpdate.exe:3620
GoogleUpdate.exe:3708
GoogleUpdate.exe:2608
GoogleUpdate.exe:1440
GoogleUpdaterService.exe:3320
GoogleUpdaterService.exe:1448
googletoolbarinstaller_en_signed.exe:2364
GoogleUpdaterService_B33FC4DD36A473C6.exe:2448
scribe.exe:476
scribe.exe:2252
scribe.exe:2676
%original file name%.exe:1960
GoogleUpdateSetup_latest.exe:1664
nchsetup.exe:3836
GoogleToolbarManager_8CA8B41417E66DEB.exe:3948
GoogleToolbarManager_8CA8B41417E66DEB.exe:3128
GoogleToolbarManager_8CA8B41417E66DEB.exe:1808
GoogleToolbarNotifier.exe:1940
GoogleToolbarNotifier.exe:1752
regsvr32.exe:3096
NCH_GoogleToolbar.exe:1532
SearchWithGoogleUpdate_C993F490EED40C1B.exe:2360
Delete the original PUP file.
Delete or disinfect the following files created/modified by the PUP:

%Program Files% (x86)\Google\Update\Install\{9ED6278D-3499-43D2-BA30-93D0A1DF8374}\googletoolbarinstaller_en_signed.exe (38734 bytes)
C:\Windows\Temp\guiACB2.tmp (15 bytes)
%Program Files% (x86)\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\0.0.0.0\googletoolbarinstaller_en_signed.exe (38249 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdate.dll (835 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_en.dll (28 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe (620 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar.7.5.5111.1712.manifest.xml (36 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll (2 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_C993F490EED40C1B.exe (50 bytes)
C:\Windows\System32\config\SOFTWARE (59603 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_F8ED9B719A89F8EF.dll (489 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_8E471B27054D20F5.dll (149 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_365102BD7F6C8091.dll (390 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe (801 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller2.log (43972 bytes)
C:\$Directory (672 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe (50 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_54BD4059920ABC8A.dll (514 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe (1480 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe (390 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (54812 bytes)
%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (390 bytes)
%Program Files% (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe (382879 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_scribe_rl_adm (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Status\s0000000.sta (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Current\Welcome.wav (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Current\Welcome.dat (832 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (7384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (647 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (270 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (29704 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_mr.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_lv.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_fi.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUM8F82.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_sw.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUM8F82.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_nl.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ta.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_tr.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_te.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ml.dll (31 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ms.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_pl.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_es.dll (31 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_bn.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ur.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_iw.dll (26 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_gu.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_sl.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\psuser.dll (159 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_el.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_fil.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\GoogleUpdate.exe (234 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ja.dll (24 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_et.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_sk.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_da.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_fr.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_de.dll (31 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_kn.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_uk.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\psmachine.dll (159 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_no.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_th.dll (27 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_bg.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_vi.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_sv.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_lt.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ko.dll (23 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_hu.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ar.dll (26 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_it.dll (30 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_is.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ro.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_hi.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_hr.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_fa.dll (27 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_id.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\GoogleCrashHandler.exe (212 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_am.dll (25 bytes)
%Program Files% (x86)\GUM8F82.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_sr.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files% (x86)\GUT8F83.tmp (4 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_cs.dll (28 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ca.dll (29 bytes)
%Program Files% (x86)\GUM8F82.tmp\goopdateres_ru.dll (28 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Video Capture Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Scribe\Current\Welcome.wav (34532 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Burn CD, DVD or Blu-Ray.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\Favorites\NCH Software Download Site.lnk (310 bytes)
%Program Files% (x86)\NCH Software\Scribe\hookappcommand.dll (6988 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Zip File Compression.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\MixPad MultiTrack Mixer.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\WavePad Sound Editor.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Rip CD Ripper.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Scribe\scribe.exe (13171 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Express Scribe Transcription Software.lnk (1 bytes)
C:\Users\Public\Desktop\Express Scribe Transcription Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Dictate Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Typing Expander Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Switch Sound File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Graphics File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\VideoPad Video Editor.lnk (1 bytes)
C:\ProgramData\NCH Software\Scribe\Current\Welcome.dat (96 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Invoicing Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Classic FTP Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Prism Video File Format Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\RecordPad Sound Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Doxillion Document Converter.lnk (1 bytes)
C:\Users\Public\Desktop\NCH Suite.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Accounting Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Scribe\Status\Template.doc (8844 bytes)
%Program Files% (x86)\NCH Software\Scribe\scribesetup_v5.69.exe (7345 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\SoundTap Streaming Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Dictation Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Transcription Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (2418 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (1281 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (673 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (1425 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe (2321 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)
C:\ProgramData\Google\Custom Buttons\toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML (12 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (1 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll (151 bytes)
%Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (348 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse8F35.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_latest.exe (25250 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gth.dll (49 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (79 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\Readme.url (212 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

PUP.Win32.Spigot_b5f20e3c5e

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

PUP.Win32.Spigot_b5f20e3c5e

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet