PUP.Win32.Spigot_ec69638e26

by malwarelabrobot on January 7th, 2015 in Malware Descriptions.

mzpefinder_pcap_file.YR, PUPSpigot.YR (Lavasoft MAS)
Behaviour: PUP

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: ec69638e2649a3cb8719b3f94e7d1f46
SHA1: fe0c1bd7d2500cd94c67921489b941fe65c8af3f
SHA256: e1a226856f787b66fce53699b993511a3359914f626d0ef1d7c3aad0499efab5
SSDeep: 49152:nHjQLjMK2nDIHE6Ain ULJWhJc8W0oeWlE39G:nHsLjMKSDIHE/Ak2HPoNG
Size: 1581592 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: NCH Software
Created at: 2013-12-10 07:05:55
Analyzed on: Windows7Ada SP1 64-bit

Summary:

PUP. Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted e.g. remote administration tools or IRC clients.

Payload

No specific payload has been found.

Process activity

The PUP creates the following process(es):

TPAutoConnSvc.exe:1776
GoogleUpdate.exe:3288
GoogleUpdate.exe:3284
GoogleUpdate.exe:3864
GoogleUpdate.exe:3348
GoogleUpdate.exe:2184
NCH_GoogleToolbar.exe:3520
debut.exe:1832
debut.exe:2348
googletoolbarinstaller_en_signed.exe:2776
GoogleUpdaterService_B33FC4DD36A473C6.exe:3408
x264enc5.exe:2976
SearchWithGoogleUpdate_C993F490EED40C1B.exe:2388
GoogleUpdateSetup_latest.exe:2100
nchsetup.exe:2944
GoogleToolbarManager_8CA8B41417E66DEB.exe:3676
GoogleToolbarManager_8CA8B41417E66DEB.exe:3740
GoogleToolbarManager_8CA8B41417E66DEB.exe:3536
GoogleToolbarNotifier.exe:1696
GoogleToolbarNotifier.exe:2304
GoogleUpdaterService.exe:3384
GoogleUpdaterService.exe:1660
regsvr32.exe:3208
%original file name%.exe:3524
mp3el2.exe:2980

The PUP injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GoogleUpdate.exe:3288 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\0.0.0.0\googletoolbarinstaller_en_signed.exe (38249 bytes)
C:\Windows\Temp\guiC12C.tmp (15 bytes)
%Program Files% (x86)\Google\Update\Install\{80E8A347-A15D-4F70-8A14-834F39A8DBB8}\googletoolbarinstaller_en_signed.exe (38734 bytes)

The process GoogleUpdate.exe:3284 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\GUM8C57.tmp\goopdate.dll (835 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_en.dll (28 bytes)

The process NCH_GoogleToolbar.exe:3520 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz8C0A.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_latest.exe (25250 bytes)

The process debut.exe:1832 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_debut_rl_adm (8 bytes)

The process googletoolbarinstaller_en_signed.exe:2776 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe (620 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar.7.5.5111.1712.manifest.xml (36 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll (2 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_C993F490EED40C1B.exe (50 bytes)
C:\Windows\System32\config\SOFTWARE (63799 bytes)
C:\ (96 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_F8ED9B719A89F8EF.dll (489 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_8E471B27054D20F5.dll (149 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_365102BD7F6C8091.dll (390 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe (801 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller2.log (43972 bytes)
C:\$Directory (384 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe (50 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_54BD4059920ABC8A.dll (514 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe (1480 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe (390 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (60980 bytes)

The process GoogleUpdaterService_B33FC4DD36A473C6.exe:3408 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (390 bytes)

The process x264enc5.exe:2976 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\NCH Software\Components\x264enc5\x264enc5.exe (20838 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x264enc5_.cab (467 bytes)

The process SearchWithGoogleUpdate_C993F490EED40C1B.exe:2388 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (346 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gth.dll (49 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (79 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\Readme.url (212 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll (150 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (1 bytes)

The process GoogleUpdateSetup_latest.exe:2100 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\GUM8C57.tmp (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_lt.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_hi.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdate.dll (1702 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_vi.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_en.dll (27 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_el.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_sw.dll (29 bytes)
%Program Files% (x86)\GUT8C58.tmp (4 bytes)
%Program Files% (x86)\GUM8C57.tmp\GoogleCrashHandler.exe (212 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_id.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_hu.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_gu.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_et.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ur.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_pl.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_fr.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\psmachine.dll (159 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_kn.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ta.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\psuser.dll (159 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_sr.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_it.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_sl.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ca.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ru.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_am.dll (25 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ar.dll (26 bytes)
%Program Files% (x86)\GUM8C57.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_th.dll (27 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_is.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_fa.dll (27 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_sv.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ro.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_iw.dll (26 bytes)
%Program Files% (x86)\GUM8C57.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ko.dll (23 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_hr.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ja.dll (24 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_tr.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_de.dll (31 bytes)
%Program Files% (x86)\GUM8C57.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_no.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_bg.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_uk.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_sk.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_cs.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ms.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ml.dll (31 bytes)
%Program Files% (x86)\GUM8C57.tmp\GoogleUpdate.exe (234 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_te.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_lv.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_mr.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_bn.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_fil.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_da.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_fi.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_nl.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_es.dll (31 bytes)

The process nchsetup.exe:2944 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\NCH Software\Debut\debutfilterinstallerx86.exe (9476 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Doxillion Dokumentenkonverter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Videoverwandte Programme\VideoPad Video-Editor.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\about.html (196 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Videoverwandte Programme\PrÃƒÂ¤sentationsersteller-Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\hlp.css (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\other.html (196 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\devices.html (196 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\VideoPad Video-Editor.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\cursorright.png (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\colorsettings.html (2 bytes)
C:\Users\"%CurrentUserName%"\Favorites\Downloadseite von NCH Software.lnk (312 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\oodevices.html (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Videoverwandte Programme\Videoaufnahme-Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\scheduler.html (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Express Zip Dateikomprimierung.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterinstallerx64.exe (19348 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\licenceterms.html (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Rechnungssoftware.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterx64.sys (4708 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Videoverwandte Programme\Videokassette-zu-DVD-Konverter.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\debut.exe (15423 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Express Rip CD-Ripper.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Grafikdatei-Konverter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Classic FTP Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterx86.inf (2 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\snapshot.html (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Videoaufnahme-Software.lnk (1 bytes)
C:\Users\Public\Desktop\Debut Videorekorder.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\recordingcontrols.html (388 bytes)
%Program Files% (x86)\NCH Software\Debut\_debuthooksdll.dll (8844 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\record.html (3 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterx86.cat (388 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\keychange.html (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\edittaskdlg.html (2 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\recordingslist.html (196 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\commandline.html (196 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\help.js (2 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\selectiontool.html (196 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\flickrauth.html (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\SoundTap Streaming-Rekorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Buchhaltungssoftware.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Videoverwandte Programme\Videostreaming Server.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\options.html (1 bytes)
%Program Files% (x86)\NCH Software\Debut\clickup.wav (3 bytes)
%Program Files% (x86)\NCH Software\Debut\clickraw.png (3 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\index.html (196 bytes)
%Program Files% (x86)\NCH Software\Debut\cursorboth.png (2 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\followmousecursor.html (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Express Burn CD, DVD oder Blu-Ray.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\mp3el2.exe (24344 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\MixPad Mehrspur-Mixer.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Express Dictate Rekorder.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\arrowlist.gif (455 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\oonetwork.html (3 bytes)
%Program Files% (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe (382441 bytes)
%Program Files% (x86)\NCH Software\Debut\debutsetup_v1.95.exe (10177 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\WavePad Sound-Editor.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\RecordPad Soundrekorder.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\cursorleft.png (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Videoverwandte Programme\Videodatei-Formatkonverter.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\ltaskdatapanel.html (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\control.html (2 bytes)
%Program Files% (x86)\NCH Software\Debut\clickdown.wav (3 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\textcaption.html (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Switch Sounddatei-Konverter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Prism Videodatei-Formatkonverter.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\x264enc5.exe (62431 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debut Videorekorder.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\output.html (4 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterx86.sys (6532 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterx64.inf (2 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\ooscreen.html (3 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterx64.cat (388 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\watermark.html (3 bytes)

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3676 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (2418 bytes)

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3740 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (1281 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (673 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (41641 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe (2321 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3536 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

C:\ProgramData\Google\Custom Buttons\toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML (12 bytes)

The process GoogleToolbarNotifier.exe:1696 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (1 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll (151 bytes)

The process regsvr32.exe:3208 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (348 bytes)

The process %original file name%.exe:3524 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (17751 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (736 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (825 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (34178 bytes)

The process mp3el2.exe:2980 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mp3el2_.cab (180 bytes)
%Program Files% (x86)\NCH Software\Components\mp3el2\lame.exe (7384 bytes)

Registry activity

The process TPAutoConnSvc.exe:1776 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,LetterÃ‚Â¶40,40,2086,2712, 5,2159,3556,LegalÃ‚Â¶40,40,2086,3474, 9,2100,2970,A4Ã‚Â¶39,39,2032,2890, 7,1842,2667,ExecutiveÃ‚Â¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)Ã‚Â¶40,40,2086,3220, 11,1480,2100,A5Ã‚Â¶39,39,1408,2020, 70,1050,1480,A6Ã‚Â¶39,39,975,1399, 13,1820,2570,B5 (JIS)Ã‚Â¶39,39,1747,2490, 264,1950,2700,16K 195x270Ã‚Â¶39,39,1882,2620, 263,1840,2600,16K 184x260Ã‚Â¶39,39,1761,2520, 257,1970,2730,16K 197x273Ã‚Â¶39,39,1896,2650, 43,1000,1480,Japanese PostcardÃ‚Â¶39,39,921,1399, 82,1480,2000,Double Japan Postcard RotatedÃ‚Â¶39,39,1408,1919, 20,1046,2413,Envelope #10Ã‚Â¶40,40,975,2331, 37,983,1905,Envelope MonarchÃ‚Â¶40,40,907,1823, 34,1760,2500,Envelope B5Ã‚Â¶39,39,1693,2420, 28,1620,2290,Envelope C5Ã‚Â¶39,39,1544,2209, 27,1100,2200,Envelope DLÃ‚Â¶39,39,1029,2120"
"DelAfterCreate" = "1"

[HKU\.DEFAULT\Printers\DevModes2]
"NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1" = "4E 00 50 00 49 00 34 00 35 00 36 00 41 00 42 00"

The PUP deletes the following registry key(s):

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]

The process GoogleUpdate.exe:3288 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"DayOfLastActivity" = "4294967295"
"pv" = "7.5.5111.1712"
"usagestats" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"InstallProgressPercent" = "4294967295"
"StateValue" = "3"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"DayOfLastRollCall" = "4294967295"
"LastCheckSuccess" = "1420521619"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"DownloadTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"DayOfInstall" = "2926"
"InstallTime" = "1420521598"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"InstallTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"brand" = "NCHD"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"DownloadProgressPercent" = "0"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerExtraCode1"
"LastInstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientStateMedium\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"eulaaccepted"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientStateMedium\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"ap"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerResult"
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"iid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"LastInstallerResult"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"eulaaccepted"
"UpdateAvailableSince"
"LastInstallerError"
"LastInstallerResultUIString"
"experiment_labels"
"tttoken"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerError"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"browser"
"LastInstallerExtraCode1"
"LastInstallerSuccessLaunchCmdLine"

The process GoogleUpdate.exe:3284 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats" = "0"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"
"UpdateAvailableCount"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\network\secure]
"sk"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"eulaaccepted"

[HKCU\Software\Google\Update]
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\network\secure]
"c"

[HKCU\Software\Google\Update]
"uid"

The process GoogleUpdate.exe:3864 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats" = "0"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
"eulaaccepted"

The process GoogleUpdate.exe:3348 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:2184 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process debut.exe:1832 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\NCH Software\Debut\FindPlay]
"DefaultRecordFolder" = "C:\Users\"%CurrentUserName%"\Videos\Debut"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1395168576"

[HKCU\Software\NCH Software\Debut\Settings]
"ScreenCaptureRight" = "1716"

[HKCU\Software\NCH Software\Debut\ScreenVideoSettings]
"Format" = ".avi"

[HKCU\Software\NCH Software\Debut\Settings]
"ScreenCaptureBottom" = "901"

[HKCU\Software\NCH Software\Debut\ScreenVideoSettings]
"WindowsMedia_VideoBitrate" = "16384000"

[HKCU\Software\NCH Software\Debut\Settings]
"CaptureMode" = "0"
"Zoom" = "100"
"ScreenCaptureLeft" = "0"

[HKCU\Software\NCH Software\Debut\Registration]
"Name" = ""
"RD" = "1420521620"
"LR" = "1420521620"

[HKCU\Software\NCH Software\Debut\Settings]
"ScreenCaptureTop" = "0"
"FullScreenSelected" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "debut.exe"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Debut\Scheduler]
"SevenDays"

The process debut.exe:2348 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Debut\Scheduler]
"SevenDays" = "1"

The process googletoolbarinstaller_en_signed.exe:2776 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"sin" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"NextVersion" = "7.5.5111.1712"
"currentVersion" = "7.5.5111.1712"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"ein" = "1"

[HKCU\Software\Google\Google Toolbar\4.0\Setup]
"InstallProgress" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "B9 8C 35 76 70 29 D0 01"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar]
"test" = "41"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EnabledExperiments" = "POSI,PUMA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Google\Google Toolbar\4.0\Setup]
"Command" = "2"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"FirstInstallTime" = "1420521619"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Google\Google Toolbar]
"LastInstallError"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"NextVersion"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"PrimaryInstallDone"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"FailedInstallPing"

The process GoogleUpdaterService_B33FC4DD36A473C6.exe:3408 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater\apps\tbie]
"auto" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater]
"Path" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"
"Version" = "2.4.2617.4952"

The process x264enc5.exe:2976 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\NCH Software\Components\x264enc5]
"Version" = "1.00"

[HKLM\SOFTWARE\Wow6432Node\NCH Swift Sound\Components\x264enc5]
"Version" = "1.00"

[HKCU\Software\NCH Swift Sound\Components\x264enc5]
"Version" = "1.00"

[HKCU\Software\NCH Software\Components\x264enc5]
"Path" = "%Program Files% (x86)\NCH Software\Components\x264enc5\x264enc5.exe"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Components\x264enc5]
"Version" = "1.00"

[HKCU\Software\NCH Swift Sound\Components\x264enc5]
"Path" = "%Program Files% (x86)\NCH Software\Components\x264enc5\x264enc5.exe"

[HKLM\SOFTWARE\Wow6432Node\NCH Swift Sound\Components\x264enc5]
"Path" = "%Program Files% (x86)\NCH Software\Components\x264enc5\x264enc5.exe"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Components\x264enc5]
"Path" = "%Program Files% (x86)\NCH Software\Components\x264enc5\x264enc5.exe"

The process SearchWithGoogleUpdate_C993F490EED40C1B.exe:2388 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier]
"Version" = "5.7.9012.1008"
"ID" = "79719f98482242cd813a5027b10bbf6c"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.24.15, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\327c54aa\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\327c54aa\, , \??\%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008,"

[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"ust" = "100"

[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier\Clients]
"ietb" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier]
"brand" = "NCHD"

The PUP deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

The process nchsetup.exe:2944 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Classes\rtffile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Components\GoogleToolbar]
"State" = "attempted"

[HKCU\Software\Classes\divxfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.mp4]
"(Default)" = "mp4file"

[HKCU\Software\NCH Software\Debut\ScreenVideoSettings]
"Format" = ".avi"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Microphone (High Definition Aud]
"WaveInId" = "0"

[HKCU\Software\NCH Software\Debut\Software]
"Toolbar" = "cnm-installed"

[HKCU\Software\Classes\.WAV]
"(Default)" = "wavfile"

[HKCU\Software\Classes\aifffile\Shell\NCHconvertsound]
"(Default)" = "Sounddatei konvertieren"

[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Prism %L"

[HKCU\Software\Classes\.mov]
"(Default)" = "movfile"

[HKCU\Software\Classes\giffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc]
"(Default)" = "Dateityp konvertieren"

[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Doxillion %L"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Microphone (High Definition Aud]
"FilterData" = "02 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00"

[HKCU\Software\Classes\.MP3]
"(Default)" = "mp3file"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Microphone (High Definition Aud]
"FriendlyName" = "Microphone (High Definition Aud"

[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Doxillion %L"

[HKCU\Software\Classes\wavfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Switch %L"

[HKCU\Software\Classes\gsmfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\avifile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\giffile\Shell\NCHconvertimage]
"(Default)" = "Imagedatei konvertieren"

[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage]
"(Default)" = "Imagedatei konvertieren"

[HKCU\Software\NCH Software\Debut\Hotkey\4]
"key" = "131194"

[HKCU\Software\Classes\.OGG]
"(Default)" = "oggfile"

[HKCU\Software\NCH Software\Debut\IPCameraVideoSettings]
"Format" = ".avi"

[HKCU\Software\Classes\mohfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage]
"(Default)" = "Imagedatei konvertieren"

[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Prism %L"

[HKCU\Software\NCH Software\Debut\Hotkey\2]
"Command" = "12"

[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Doxillion %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Debut\Software]
"Installer" = "%Program Files% (x86)\NCH Software\Debut\debutsetup_v1.95.exe"

[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Switch %L"

[HKCU\Software\Classes\jpegfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\neffile\Shell\NCHconvertimage]
"(Default)" = "Imagedatei konvertieren"

[HKCU\Software\Classes\pngfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\aufile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind WavePad %L"

[HKCU\Software\Classes\dctfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\m4vfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract]
"(Default)" = "Mit Express Zip extrahieren"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Debut]
"DisplayVersion" = "1.95"

[HKCU\Software\NCH Software\Debut\WebCamVideoSettings]
"Format" = ".avi"

[HKCU\Software\Classes\.dss]
"(Default)" = "dssfile"

[HKCU\Software\Classes\mpdpfile]
"(Default)" = "Unbehandelter Erweiterungshandler-Finder"

[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Switch %L"

[HKCU\Software\Classes\mpgfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\vocfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind WavePad %L"

[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Doxillion %L"

[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Pixillion %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Debut]
"Version" = "1.95"

[HKCU\Software\Classes\wavfile\Shell\NCHconvertsound]
"(Default)" = "Sounddatei konvertieren"

[HKCU\Software\Classes\.AAC]
"(Default)" = "aacfile"

[HKCU\Software\Classes\avifile\Shell\NCHeditvideo]
"(Default)" = "Videodatei bearbeiten"

[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Prism %L"

[HKCU\Software\Classes\ds2file\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\asffile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind VideoPad %L"

[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
"test" = "testv"

[HKCU\Software\NCH Software\Debut\Hotkey\1]
"key" = "131195"

[HKCU\Software\Classes\m4afile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind WavePad %L"

[HKCU\Software\Classes\aacfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind WavePad %L"

[HKCU\Software\Classes\oggfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind WavePad %L"

[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Doxillion %L"

[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Prism %L"

[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind VideoPad %L"

[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind VideoPad %L"

[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc]
"(Default)" = "Dateityp konvertieren"

[HKCU\Software\Classes\mp3file\Shell\NCHconvertsound]
"(Default)" = "Sounddatei konvertieren"

[HKCU\Software\Classes\gzfile\Shell\NCHextract]
"(Default)" = "Mit Express Zip extrahieren"

[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Prism %L"

[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Pixillion %L"

[HKCU\Software\Classes\aufile\Shell\NCHconvertsound]
"(Default)" = "Sounddatei konvertieren"

[HKCU\Software\Classes\.gz]
"(Default)" = "gzfile"

[HKCU\Software\Classes\giffile\Shell\NCHslideshow]
"(Default)" = "Diashow erstellen"

[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind VideoPad %L"

[HKCU\Software\Classes\.meo]
"(Default)" = "meofile"

[HKCU\Software\NCH Software\Debut\Hotkey\0]
"Command" = "3"

[HKCU\Software\NCH Software\Debut\Settings]
"InstallDate" = "1420521569"

[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc]
"(Default)" = "Dateityp konvertieren"

[HKCU\Software\Classes\Windows.IsoFile\shell]
"(Default)" = "open"

[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind VideoPad %L"

[HKCU\Software\Classes\.nef]
"(Default)" = "neffile"

[HKCU\Software\Classes\voxfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind WavePad %L"

[HKCU\Software\Classes\.wp]
"(Default)" = "wpfile"

[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Prism %L"

[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind VideoPad %L"

[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind VideoPad %L"

[HKCU\Software\Classes\m4afile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\wmafile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind WavePad %L"

[HKCU\Software\Classes\dctfile]
"(Default)" = "Unbehandelter Erweiterungshandler-Finder"

[HKCU\Software\Classes\neffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Prism %L"

[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\xvidfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Prism %L"

[HKCU\Software\Classes\mp3file\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.rar]
"(Default)" = "rarfile"

[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo]
"(Default)" = "Videodatei konvertieren"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Microphone (High Definition Aud]
"CLSID" = "{E30629D2-27E5-11CE-875D-00608CB78066}"

[HKCU\Software\Classes\CABFolder\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\mp3file\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Switch %L"

[HKCU\Software\Classes\meofile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Meo %L"

[HKCU\Software\Classes\.divx]
"(Default)" = "divxfile"

[HKCU\Software\Classes\aiffile\Shell\NCHconvertsound]
"(Default)" = "Sounddatei konvertieren"

[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Prism %L"

[HKCU\Software\Classes\aiffile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Debut]
"DisplayIcon" = "%Program Files% (x86)\NCH Software\Debut\debut.exe"

[HKCU\Software\Classes\wavfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.avi]
"(Default)" = "avifile"

[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo]
"(Default)" = "Videodatei bearbeiten"

[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract]
"(Default)" = "Mit Express Zip extrahieren"

[HKCU\Software\Classes\7zfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo]
"(Default)" = "Videodatei bearbeiten"

[HKCU\Software\Classes\aufile\Shell\NCHeditsound]
"(Default)" = "Sounddatei bearbeiten"

[HKCU\Software\Classes\pngfile\Shell\NCHslideshow]
"(Default)" = "Diashow erstellen"

[HKCU\Software\Classes\giffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Pixillion %L"

[HKCU\Software\Classes\ds2file\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Scribe %L"

[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo]
"(Default)" = "Videodatei konvertieren"

[HKCU\Software\Classes\wavfile\Shell\NCHeditsound]
"(Default)" = "Sounddatei bearbeiten"

[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo]
"(Default)" = "Videodatei konvertieren"

[HKCU\Software\NCH Software\Components\GoogleToolbar]
"State" = "attempted"

[HKCU\Software\Classes\.mpdp]
"(Default)" = "mpdpfile"

[HKCU\Software\NCH Software\Debut\Settings]
"InstalledByAdmin" = "1"

[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound]
"(Default)" = "Sounddatei konvertieren"

[HKCU\Software\Classes\.mpeg]
"(Default)" = "mpegfile"

[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc]
"(Default)" = "Dateityp konvertieren"

[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Doxillion %L"

[HKCU\Software\NCH Software\Debut\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\Debut"

[HKCU\Software\Classes\ds2file\shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Switch %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Debut]
"InstallLocation" = "%Program Files% (x86)\NCH Software\Debut"

[HKCU\Software\Classes\tar.gzfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage]
"(Default)" = "Imagedatei konvertieren"

[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo]
"(Default)" = "Videodatei bearbeiten"

[HKCU\Software\Classes\aiffile\Shell\NCHeditsound]
"(Default)" = "Sounddatei bearbeiten"

[HKCU\Software\Classes\.AU]
"(Default)" = "aufile"

[HKCU\Software\Classes\.ivr]
"(Default)" = "ivrfile"

[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc]
"(Default)" = "Dateityp konvertieren"

[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind VideoPad %L"

[HKCU\Software\Classes\.WMA]
"(Default)" = "wmafile"

[HKCU\Software\Classes\wmafile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.xvid]
"(Default)" = "xvidfile"

[HKCU\Software\Classes\odtfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\mpdpfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Switch %L"

[HKCU\Software\Classes\.asf]
"(Default)" = "asffile"

[HKCU\Software\Classes\gzfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\movfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Doxillion %L"

[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound]
"(Default)" = "Sounddatei konvertieren"

[HKCU\Software\Classes\meofile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\CABFolder\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\CABFolder\Shell\NCHextract]
"(Default)" = "Mit Express Zip extrahieren"

[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo]
"(Default)" = "Videodatei konvertieren"

[HKCU\Software\Classes\docxfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\wpfile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Debut]
"DisplayName" = "Debut Videorekorder"

[HKCU\Software\Classes\rarfile\Shell\NCHextract]
"(Default)" = "Mit Express Zip extrahieren"

[HKCU\Software\NCH Software\Debut\Settings]
"currentVersion" = "1.95"

[HKCU\Software\Classes\wpdfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Prism %L"

[HKCU\Software\Classes\asffile\Shell\NCHeditvideo]
"(Default)" = "Videodatei bearbeiten"

[HKCU\Software\Classes\oggfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Doxillion %L"

[HKCU\Software\Classes\.vox]
"(Default)" = "voxfile"

[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\mp4file\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow]
"(Default)" = "Diashow erstellen"

[HKCU\Software\Classes\TIFImage.Document\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\neffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\voxfile\Shell\NCHeditsound]
"(Default)" = "Sounddatei bearbeiten"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Debut]
"URLUpdateInfo" = "www.nchsoftware.com/capture/de/index.html"

[HKCU\Software\NCH Software\Debut\Hotkey\3]
"Command" = "10"

[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound]
"(Default)" = "Sounddatei konvertieren"

[HKCU\Software\Classes\.M4A]
"(Default)" = "m4afile"

[HKCU\Software\NCH Software\Debut\Hotkey\2]
"key" = "131170"

[HKCU\Software\Classes\rarfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\dssfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Debut]
"Publisher" = "NCH Software"

[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo]
"(Default)" = "Videodatei bearbeiten"

[HKCU\Software\Classes\.7z]
"(Default)" = "7zfile"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Debut]
"URLInfoAbout" = "www.nchsoftware.com/capture/de/support.html"

[HKCU\Software\Classes\.mpeg2]
"(Default)" = "mpeg2file"

[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Prism %L"

[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc]
"(Default)" = "Dateityp konvertieren"

[HKCU\Software\Classes\.moh]
"(Default)" = "mohfile"

[HKCU\Software\Classes\.ds2]
"(Default)" = "ds2file"

[HKCU\Software\Classes\neffile\Shell\NCHslideshow]
"(Default)" = "Diashow erstellen"

[HKCU\Software\Classes\gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind ExpressZip %L"

[HKCU\Software\NCH Software\Debut\Hotkey\3]
"key" = "131169"

[HKCU\Software\Classes\.vpj]
"(Default)" = "vpjfile"

[HKCU\Software\Classes\mp3file\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind WavePad %L"

[HKCU\Software\Classes\.FLAC]
"(Default)" = "flacfile"

[HKCU\Software\Classes\.tar]
"(Default)" = "tarfile"

[HKCU\Software\Classes\mpeg2file\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\asffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.voc]
"(Default)" = "vocfile"

[HKCU\Software\Classes\spjfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\mpdpfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind MixPad %L"

[HKCU\Software\Classes\m4afile\Shell\NCHeditsound]
"(Default)" = "Sounddatei bearbeiten"

[HKCU\Software\Classes\aiffile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind WavePad %L"

[HKCU\Software\Classes\avifile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind VideoPad %L"

[HKCU\Software\Classes\.AIFF]
"(Default)" = "aifffile"

[HKCU\Software\Classes\mohfile]
"(Default)" = "Unbehandelter Erweiterungshandler-Finder"

[HKCU\Software\Classes\aifffile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind WavePad %L"

[HKCU\Software\Classes\meofile]
"(Default)" = "Unbehandelter Erweiterungshandler-Finder"

[HKCU\Software\Classes\aifffile\Shell\NCHeditsound]
"(Default)" = "Sounddatei bearbeiten"

[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo]
"(Default)" = "Videodatei bearbeiten"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Debut]
"VersionMajor" = "1"

[HKCU\Software\Classes\wmafile\Shell\NCHeditsound]
"(Default)" = "Sounddatei bearbeiten"

[HKCU\Software\Classes\giffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\Windows.IsoFile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind ExpressBurn %L"

[HKCU\Software\Classes\vobfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\7zfile\Shell\NCHextract]
"(Default)" = "Mit Express Zip extrahieren"

[HKCU\Software\Classes\.gsm]
"(Default)" = "gsmfile"

[HKCU\Software\Classes\ivrfile]
"(Default)" = "Unbehandelter Erweiterungshandler-Finder"

[HKCU\Software\Classes\neffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Pixillion %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Debut\Settings]
"RelatedRuns" = "-1"

[HKCU\Software\Microsoft\ActiveMovie\devenum]
"Version" = "7"

[HKCU\Software\Classes\mohfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind IMS %L"

[HKCU\Software\Classes\ds2file]
"(Default)" = "Unbehandelter Erweiterungshandler-Finder"

[HKCU\Software\Classes\7zfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\aacfile\Shell\NCHeditsound]
"(Default)" = "Sounddatei bearbeiten"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\ds2file\shell]
"(Default)" = "open"

[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo]
"(Default)" = "Videodatei bearbeiten"

[HKCU\Software\Classes\pngfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\vpjfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\AcroExch.Document\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Pixillion %L"

[HKCU\Software\Classes\vocfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\wmafile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Switch %L"

[HKCU\Software\Classes\.dct]
"(Default)" = "dctfile"

[HKCU\Software\NCH Software\Debut\Hotkey\1]
"Command" = "5"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow]
"(Default)" = "Diashow erstellen"

[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Pixillion %L"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo]
"(Default)" = "Videodatei konvertieren"

[HKCU\Software\Classes\.doc]
"(Default)" = "docfile"

[HKCU\Software\Classes\.wpd]
"(Default)" = "wpdfile"

[HKCU\Software\NCH Software\Debut\Hotkey]
"maxId" = "1"

[HKCU\Software\Classes\aacfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\spjfile]
"(Default)" = "Unbehandelter Erweiterungshandler-Finder"

[HKCU\Software\Classes\wmafile\Shell\NCHconvertsound]
"(Default)" = "Sounddatei konvertieren"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{33D9A762-90C8-11D0-BD43-00A0C911CE86}\Microphone (High Definition Aud]
"ClassManagerFlags" = "2"

[HKCU\Software\Classes\dssfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Scribe %L"

[HKCU\Software\Classes\aufile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\vpjfile]
"(Default)" = "Unbehandelter Erweiterungshandler-Finder"

[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo]
"(Default)" = "Videodatei konvertieren"

[HKCU\Software\Classes\flacfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo]
"(Default)" = "Videodatei konvertieren"

[HKCU\Software\Classes\docfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo]
"(Default)" = "Videodatei bearbeiten"

[HKCU\Software\Classes\aifffile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Switch %L"

[HKCU\Software\NCH Software\Debut\Hotkey\4]
"Command" = "13"

[HKCU\Software\Classes\aiffile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Switch %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Debut]
"UninstallString" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -uninstall"
"VersionMinor" = "95"

[HKCU\Software\Classes\.m4v]
"(Default)" = "m4vfile"

[HKCU\Software\NCH Software\Debut\Hotkey\0]
"key" = "131193"

[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage]
"(Default)" = "Imagedatei konvertieren"

[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo]
"(Default)" = "Videodatei bearbeiten"

[HKCU\Software\Classes\oggfile\Shell\NCHeditsound]
"(Default)" = "Sounddatei bearbeiten"

[HKCU\Software\Classes\mp3file\Shell\NCHeditsound]
"(Default)" = "Sounddatei bearbeiten"

[HKCU\Software\Classes\Paint.Picture\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Debut\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\Debut"

[HKCU\Software\Classes\movfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind VideoPad %L"

[HKCU\Software\Classes\aifffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo]
"(Default)" = "Videodatei konvertieren"

[HKCU\Software\Classes\voxfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\dssfile]
"(Default)" = "Unbehandelter Erweiterungshandler-Finder"

[HKCU\Software\Classes\ivrfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\mpegfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo]
"(Default)" = "Videodatei konvertieren"

[HKCU\Software\Classes\wavfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind WavePad %L"

[HKCU\Software\Classes\.mpg]
"(Default)" = "mpgfile"

[HKCU\Software\Classes\tarfile\Shell\NCHextract]
"(Default)" = "Mit Express Zip extrahieren"

[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo]
"(Default)" = "Videodatei konvertieren"

[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Switch %L"

[HKCU\Software\Classes\.vob]
"(Default)" = "vobfile"

[HKCU\Software\Classes\ivrfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind IVM %L"

[HKCU\Software\Classes\ds2file\shell\NCHconvertsound]
"(Default)" = "Sounddatei konvertieren"

[HKCU\Software\Classes\.tar.gz]
"(Default)" = "tar.gzfile"

[HKCU\Software\Classes\.spj]
"(Default)" = "spjfile"

[HKCU\Software\Classes\vocfile\Shell\NCHeditsound]
"(Default)" = "Sounddatei bearbeiten"

[HKCU\Software\Classes\tarfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound]
"(Default)" = "Sounddatei konvertieren"

[HKCU\Software\Classes\dctfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Scribe %L"

[HKCU\Software\Classes\spjfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc]
"(Default)" = "Dateityp konvertieren"

[HKCU\Software\Classes\rarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo]
"(Default)" = "Videodatei konvertieren"

[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind VideoPad %L"

[HKCU\Software\Classes\Windows.IsoFile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\movfile\Shell\NCHeditvideo]
"(Default)" = "Videodatei bearbeiten"

[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc]
"(Default)" = "Dateityp konvertieren"

[HKCU\Software\Classes\tarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind ExpressZip %L"

[HKCU\Software\NCH Software\Debut\Software]
"SVar" = "LLIBShowrelatedwhenchromeoff"

[HKCU\Software\Classes\.AIF]
"(Default)" = "aiffile"

[HKCU\Software\Classes\aufile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind Switch %L"

[HKCU\Software\Classes\vpjfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Debut\debut.exe -extfind VideoPad %L"

The PUP deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]

The PUP deletes the following value(s) in system registry:

[HKCU\Software\NCH Software\Debut\Software]
"_ShowSurveyNow"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
"test"

[HKCU\Software\NCH Software\Debut\Software]
"ShowSurvey"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\NCH Software\Debut\Software]
"_ShowSurvey"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\NCH Software\Debut\Software]
"InstalledBy"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\NCH Software\Debut\Software]
"ShowSurveyNow"

"_InstalledBy"

The PUP disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"_DebutUninstall"

"DebutUninstall4"

"DebutUninstall"

"DebutUninstall5"

"DebutUninstall2"

"_DebutUninstall5"

"_DebutUninstall4"

"_DebutUninstall3"

"_DebutUninstall2"

"DebutUninstall3"

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3676 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarManager.exe" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"pv" = "7.5.5111.1712"

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3740 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayVersion" = "7.5.5111.1712"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"ToastOfferTime" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Publisher" = "Google Inc."

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"SystemPatchLevel" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5" = ""

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\GoogleUpdate]
"InstallTimestamp" = "1420521598"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.5111.1712_5" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:5"
"cmd_7.5.5111.1712_4" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:4"
"cmd_7.5.5111.1712_7" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:7"
"cmd_7.5.5111.1712_6" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:6"
"cmd_7.5.5111.1712_1" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:1"
"cmd_7.5.5111.1712_0" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:0"
"cmd_7.5.5111.1712_3" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:3"
"cmd_7.5.5111.1712_2" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:2"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"InstallType" = "3"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.5111.1712_9" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:9"
"cmd_7.5.5111.1712_8" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:8"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetDefaultSearch" = "3"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"AllowInteractions" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayName" = "Google Toolbar for Internet Explorer"

[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EnableUsageStats" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"Policy" = "3"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"UninstallString" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /uninstall"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppName" = "GoogleToolbarUser_64.exe"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"{14C626CA-ACAB-46e5-8A99-53C9E11CCCA0}_enabled" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"InstallTime" = "1420521599"

[HKCR\Installer\Products\18555481990E8AB4CBB63FB4F26006C0]
"AuthorizedLUAApp" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayIcon" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ButtonPageRank" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar]
"test" = "41"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser_32.exe"

[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetPageRank" = "2"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\GoogleUpdate]
"InstallResult" = "pi"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"RbbsBreak" = "1"

[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EulaAccepted" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleUpdaterService.exe" = "1"
"SearchWithGoogleUpdate.exe" = "1"
"GoogleToolbarManager.exe" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"brand" = "NCHD"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser_32.exe"

[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll"

[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll"

[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"BrowseByName" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"PrimaryInstallDone" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetHomePage" = "2"

[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5" = ""

[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"UsageStatsEnabled" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"DisableBrowseByName" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"MinorVersion" = "5"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"Name" = "Google Toolbar"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"ID" = "AC4C401CF3D73E6A044F1AA29EA5304205DE1wZWKM"

[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"InstallLocation" = "%Program Files% (x86)\Google\Google Toolbar\"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Installations]
"1420521616" = "v=7.5.5111.1712&tbbrand=NCHD&i=0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"NoModify" = "1"
"MajorVersion" = "7"
"NoRepair" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"

[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppName" = "GoogleToolbarUser_64.exe"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"brand" = "NCHD"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll"

The PUP deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\Programmable]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
[HKCU\Software\Classes\Local Settings\MuiCache\29]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum]
[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\Programmable]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum]

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"UseIe64"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"Vendor"

[HKCU\Software\Google\Google Toolbar\4.0]
"Update"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"RefreshIE"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"lang"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"WelcomePage"

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3536 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\NonManifest\C:\ProgramData\Google\Custom Buttons]
"toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarDynamic_mui_en.dll" = "1"

The process GoogleToolbarNotifier.exe:1696 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\ProtectorExe.ProtectorHost.1\CLSID]
"(Default)" = "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}]
"(Default)" = "IProtectorLib7"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}]
"(Default)" = "IProtector11"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}]
"(Default)" = "IProtector2"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}]
"(Default)" = "IProtector8"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}]
"(Default)" = "IProtector6"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}]
"(Default)" = "IProtectorHost2"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}]
"(Default)" = "IProtectorLib"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}]
"(Default)" = "IProtector3"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"Version" = "1a.0"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0]
"(Default)" = "protector_dllLib"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}]
"(Default)" = "protector_dll"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}]
"(Default)" = "IProtector9"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}]
"(Default)" = "ProtectorExe"

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}]
"(Default)" = "IProtectorLib8"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}]
"(Default)" = "IProtectorLib8"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}]
"(Default)" = "IProtectorLib7"

[HKCR\protector_dll.ProtectorLib.1]
"(Default)" = "ProtectorLib Class"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}]
"(Default)" = "IProtector4"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"Depend" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"(Default)" = "ProtectorLib Class"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"Version" = "1a.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppName" = "GoogleToolbarNotifier.exe"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}]
"(Default)" = "IProtector5"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}]
"(Default)" = "IProtectorLib5"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"(Default)" = "ProtectorHost Class"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}]
"(Default)" = "IProtectorHost"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}]
"(Default)" = "IProtector10"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorBho"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}]
"(Default)" = "IProtector10"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\ProgID]
"(Default)" = "ProtectorExe.ProtectorHost.1"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"Version" = "1a.0"

[HKCR\protector_dll.ProtectorLib\CurVer]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}]
"(Default)" = "IProtector2"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}]
"(Default)" = "IProtector5"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"Version" = "1a.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}]
"(Default)" = "IProtectorHost"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}]
"(Default)" = "IProtector3"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\AppID\ProtectorExe.EXE]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\protector_dll.Protector.1\CLSID]
"(Default)" = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}"

[HKCR\ProtectorExe.ProtectorHost\CLSID]
"(Default)" = "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}"

[HKCR\protector_dll.ProtectorBho]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\AppID\protector_dll.DLL]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}]
"(Default)" = "IProtectorLib2"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\ProgID]
"(Default)" = "protector_dll.Protector.1"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}]
"(Default)" = "IProtectorLib6"

[HKCR\protector_dll.Protector\CLSID]
"(Default)" = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\VersionIndependentProgID]
"(Default)" = "ProtectorExe.ProtectorHost"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}]
"(Default)" = "IProtector7"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\ProtectorExe.ProtectorHost]
"(Default)" = "ProtectorHost Class"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}]
"(Default)" = "IProtector4"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\protector_dll.ProtectorBho.1\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\HELPDIR]
"(Default)" = ""

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\protector_dll.ProtectorBho.1]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}]
"(Default)" = "IProtectorLib3"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorLib"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}]
"(Default)" = "IProtector11"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}]
"(Default)" = "IProtector12"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\VersionIndependentProgID]
"(Default)" = "protector_dll.Protector"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\protector_dll.ProtectorLib.1\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}]
"(Default)" = "IProtectorLib3"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}]
"(Default)" = "IProtector"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}]
"(Default)" = "IProtector6"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"Version" = "1a.0"

[HKCR\ProtectorExe.ProtectorHost.1]
"(Default)" = "ProtectorHost Class"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\protector_dll.Protector\CurVer]
"(Default)" = "protector_dll.Protector.1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppName" = "GoogleToolbarNotifier.exe"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"Version" = "1a.0"

[HKCR\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}]
"RunAs" = "Interactive User"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}]
"(Default)" = "IProtectorLib5"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"Policy" = "3"

[HKCR\protector_dll.ProtectorBho\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKCR\protector_dll.ProtectorBho\CurVer]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\ProtectorExe.ProtectorHost\CurVer]
"(Default)" = "ProtectorExe.ProtectorHost.1"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\0\win32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"Policy" = "3"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}]
"(Default)" = "IProtector12"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}]
"(Default)" = "IProtectorHost2"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"Version" = "1a.0"

[HKCR\protector_dll.Protector.1]
"(Default)" = "Protector Class"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll"

[HKCR\protector_dll.Protector]
"(Default)" = "Protector Class"

[HKCR\protector_dll.ProtectorLib\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}]
"(Default)" = "IProtector8"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}]
"(Default)" = "IProtector"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}]
"(Default)" = "IProtector9"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}]
"(Default)" = "Protector Class"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}]
"(Default)" = "IProtectorLib4"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}]
"(Default)" = "IProtector7"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}]
"(Default)" = "IProtectorLib"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}]
"(Default)" = "IProtectorLib4"

[HKCR\protector_dll.ProtectorLib]
"(Default)" = "ProtectorLib Class"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}]
"(Default)" = "IProtectorLib6"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}]
"(Default)" = "IProtectorLib2"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"Version" = "1a.0"

The process GoogleToolbarNotifier.exe:2304 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"HideUI_Throttled" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"DetectChange_DS" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Google\GoogleToolbarNotifier]
"KeepDS" = "688508711"
"FirstRun" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"Icon_Click" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "B9 8C 35 76 70 29 D0 01"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier]
"UpdateURL" = "http://clients1.google.com/tools/swg2/update"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Google\GoogleToolbarNotifier]
"lds" = "http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ShowUI_TrayIcon" = "0"

[HKCU\Software\Google\Google Toolbar\4.0]
"UpdateResult" = "98"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "B9 8C 35 76 70 29 D0 01"

[HKCU\Software\Google\GoogleToolbarNotifier]
"DefaultLanguage" = "en"
"TS" = "1420521619"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"Bubble_Click" = "0"
"UserAllowChange_DS" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Google\GoogleToolbarNotifier]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ShowUI_Popup" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier]
"InstalledVersion" = "5.7.9012.1008"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"LastReportTime" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"scShowTrayIcon" = "ffffffff"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Google\GoogleToolbarNotifier]
"UsageStat" = "1"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ModifyUI_UserIntent" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier]
"Version" = "5.7.9012.1008"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"Extc" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"scKeepDS" = "2909cf27"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "B9 8C 35 76 70 29 D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"

[HKCU\Software\Google\GoogleToolbarNotifier]
"WantProductRestart"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Google\GoogleToolbarNotifier]
"ts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Google\GoogleToolbarNotifier]
"DSPSuspended"
"SuspendedDS"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

The process GoogleUpdaterService.exe:3384 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater\apps\swg]
"auto" = "0"

The process GoogleUpdaterService.exe:1660 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}]
"(Default)" = "ISilentUpdater"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}]
"(Default)" = "IUpdaterScheduler"

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\AppID\GoogleUpdaterService.exe]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\GUSchedulerCtl.UpdaterScheduler]
"(Default)" = "Google Updater Scheduler class"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\ProgID]
"(Default)" = "GUServiceCtl.SilentUpdater.1"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}]
"(Default)" = "Google Updater Scheduler class"

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"Version" = "1.0"

[HKCR\GUServiceCtl.SilentUpdater]
"(Default)" = "Google Silent Updater class"

[HKCR\GUServiceCtl.SilentUpdater\CLSID]
"(Default)" = "{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}]
"(Default)" = "Google Silent Updater class"

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\GUSchedulerCtl.UpdaterScheduler.1\CLSID]
"(Default)" = "{B53B7061-6584-46AA-A033-D610EB10BD9B}"

[HKCR\GUServiceCtl.SilentUpdater\CurVer]
"(Default)" = "GUServiceCtl.SilentUpdater.1"

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"LocalService" = "gusvc"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}]
"(Default)" = "IUpdaterScheduler"

[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"(Default)" = "gusvc"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0]
"(Default)" = "Google Updater Service 1.0 Type Library"

[HKCR\GUServiceCtl.SilentUpdater.1\CLSID]
"(Default)" = "{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\VersionIndependentProgID]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"

[HKCR\GUServiceCtl.SilentUpdater.1]
"(Default)" = "Google Silent Updater class"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\ProgID]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler.1"

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\VersionIndependentProgID]
"(Default)" = "GUServiceCtl.SilentUpdater"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}]
"(Default)" = "ISilentUpdater"

[HKCR\GUSchedulerCtl.UpdaterScheduler\CLSID]
"(Default)" = "{B53B7061-6584-46AA-A033-D610EB10BD9B}"

[HKCR\GUSchedulerCtl.UpdaterScheduler.1]
"(Default)" = "Google Updater Scheduler class"

[HKCR\GUSchedulerCtl.UpdaterScheduler\CurVer]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler.1"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

The PUP deletes the following value(s) in system registry:

[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"LocalService"

The process regsvr32.exe:3208 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\ProgID]
"(Default)" = "ProtectorExe.ProtectorHost.1"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"(Default)" = "ProtectorHost Class"

[HKCR\protector_dll.ProtectorBho\CurVer]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\protector_dll.ProtectorLib\CurVer]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\AppID\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}]
"(Default)" = "protector_dll"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"(Default)" = "ProtectorLib Class"

[HKCR\protector_dll.ProtectorBho.1\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorLib"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorBho"

[HKCR\protector_dll.ProtectorBho.1]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\protector_dll.ProtectorLib\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\protector_dll.ProtectorLib.1\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll"

[HKCR\protector_dll.ProtectorLib]
"(Default)" = "ProtectorLib Class"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"Depend" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\VersionIndependentProgID]
"(Default)" = "ProtectorExe.ProtectorHost"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\protector_dll.ProtectorLib.1]
"(Default)" = "ProtectorLib Class"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\protector_dll.ProtectorBho]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\AppID\protector_dll.DLL]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\protector_dll.ProtectorBho\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll"

The process %original file name%.exe:3524 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The PUP deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process mp3el2.exe:2980 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Components\mp3el2]
"Path" = "%Program Files% (x86)\NCH Software\Components\mp3el2\lame.exe"

[HKLM\SOFTWARE\Wow6432Node\NCH Swift Sound\Components\mp3el2]
"Path" = "%Program Files% (x86)\NCH Software\Components\mp3el2\lame.exe"

[HKCU\Software\NCH Software\Components\mp3el2]
"Path" = "%Program Files% (x86)\NCH Software\Components\mp3el2\lame.exe"

[HKCU\Software\NCH Swift Sound\Components\mp3el2]
"Path" = "%Program Files% (x86)\NCH Software\Components\mp3el2\lame.exe"

Dropped PE files

MD5	File path
5d4bc124faae6730ac002cdb67bf1a1c	c:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
1223e7efa6dda842c37985a62f10001f	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll
6fffd47eb8cc3a6ca44619f16a7d0ae6	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_8E471B27054D20F5.dll
96af87c526ec7a8f32dc3f1f2a63a4a7	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_F8ED9B719A89F8EF.dll
d2d2a0e0ecd8a2ea750d6be34337d00d	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll
4c401fcc6d0c95e1a5d989e403e18f2f	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe
e8b7fd67da14a7be57a5cb80e3139e60	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe
211f96eb417ff837a70f5130e63a1a45	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe
81590207a8efab40bafe743d8073eb9b	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_365102BD7F6C8091.dll
30c83447379d5955e992bd43be8d115e	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_54BD4059920ABC8A.dll
1f2afab903c0d48480561f3bbd4539c2	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe
4beaf576cb43358c4db9f45ac7c09cdb	c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe
4b78e9ae06f7c310e30ee2fa5b7ebc3c	c:\Program Files (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_C993F490EED40C1B.exe
e8b7fd67da14a7be57a5cb80e3139e60	c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
211f96eb417ff837a70f5130e63a1a45	c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe
81590207a8efab40bafe743d8073eb9b	c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
30c83447379d5955e992bd43be8d115e	c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
13d401e46ad0c5a8442fc57fadbf5751	c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gth.dll
aeb43d2a8158fb535f48f440cc266953	c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll
d3088606c810a355eae9b9056c9b5392	c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll
5d61be7db55b026a5d61a3eed09d0ead	c:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
5a6381e0afb4e0b9fd318c1c76efe9dc	c:\Program Files (x86)\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\0.0.0.0\googletoolbarinstaller_en_signed.exe
5a6381e0afb4e0b9fd318c1c76efe9dc	c:\Program Files (x86)\Google\Update\Install\{80E8A347-A15D-4F70-8A14-834F39A8DBB8}\googletoolbarinstaller_en_signed.exe
6154f737535b3dbea39c63223d52f5b8	c:\Program Files (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe
80d70ec9d85ca32c4fdc19dba5134aa7	c:\Program Files (x86)\NCH Software\Components\mp3el2\lame.exe
91c23901ccb21230c26d3b5973534c16	c:\Program Files (x86)\NCH Software\Components\x264enc5\x264enc5.exe
1274263b78ee15b4ccf0f4ce77daafc7	c:\Program Files (x86)\NCH Software\Debut\debut.exe
9231adf1e68637a62ebfa8af56b7b9b9	c:\Program Files (x86)\NCH Software\Debut\debutfilterinstallerx64.exe
ad37a7089dec78c1c782ebfff56f54f8	c:\Program Files (x86)\NCH Software\Debut\debutfilterinstallerx86.exe
984ab6b7c4eaf453f58db7867ee44799	c:\Program Files (x86)\NCH Software\Debut\debutfilterx64.sys
c873a762bc98bea93c8423a45796552a	c:\Program Files (x86)\NCH Software\Debut\debutfilterx86.sys
2b8a4b0a04e5de89eb37e11276d73e8d	c:\Program Files (x86)\NCH Software\Debut\debuthooksdll.dll
3e1b2a1ae171d50463f56efaeddda5fc	c:\Program Files (x86)\NCH Software\Debut\mp3el2.exe
dd162d2d231767b75b80c4230ecf4d6d	c:\Program Files (x86)\NCH Software\Debut\x264enc5.exe
dd481c837b6303531af365d95637692f	c:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: NCH Software
Product Name: Debut
Product Version:
Legal Copyright: NCH Software
Legal Trademarks:
Original Filename:
Internal Name: Debut
File Version: 1.95DE
File Description: Debut Videorekorder
Comments:
Language: English (Australia)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.rdata	4096	2338	2560	2.76389	a322bee8b6315dcdf55664104eb8aed4
.data	8192	1596	2048	3.48789	cc10a049565dcd8a13f7ded9f6d7749b
.rsrc	12288	1569892	1570304	5.54468	44a609bfcd8f73ddcd00514b7b5da5a2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://audiochannel.net/versions/components/tb_google_row.dat
hxxp://audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe
hxxp://tools.l.google.com/dl/toolbar/t7/data/7.5.5111.1712/googletoolbarinstaller_en_signed.exe
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?88e08b79f1e607bf
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40=
hxxp://clients.l.google.com/tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=79719f98482242cd813a5027b10bbf6ceb587e9422&from=&to=5.7.9012.1008
hxxp://clients.l.google.com/tools/pso/ping?as=tbin&gu=pi&mode=3&sin=1&ein=0&version=7.5.5111.1712&brand=NCHD&hl=en&tbiv=7.5.5111.1712&time=1420521619&fitime=1420521619&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=AC4C401CF3D73E6A044F1AA29EA5304205DE1wZWKM
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d66599f683368af4
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU=
hxxp://clients1.google.com/tools/pso/ping?as=tbin&gu=pi&mode=3&sin=1&ein=0&version=7.5.5111.1712&brand=NCHD&hl=en&tbiv=7.5.5111.1712&time=1420521619&fitime=1420521619&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=AC4C401CF3D73E6A044F1AA29EA5304205DE1wZWKM	173.194.44.128
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=	23.43.139.27
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4=	23.43.139.27
hxxp://www.audiochannel.net/versions/components/tb_google_row.dat	66.39.83.117
hxxp://crl.verisign.com/pca3.crl	23.43.133.163
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=	23.43.139.27
hxxp://dl.google.com/dl/toolbar/t7/data/7.5.5111.1712/googletoolbarinstaller_en_signed.exe	216.58.209.160
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl	88.221.132.166
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	88.221.132.166
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	88.221.132.166
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	88.221.132.166
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?88e08b79f1e607bf	88.221.132.177
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=	23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=	23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=	23.43.139.27
hxxp://clients1.google.com/tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=79719f98482242cd813a5027b10bbf6ceb587e9422&from=&to=5.7.9012.1008	173.194.44.128
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU=	23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40=	23.43.139.27
hxxp://www.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe	66.39.83.117
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=	23.43.139.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d66599f683368af4	88.221.132.177
tools.google.com	216.58.209.160

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Traffic

GET /tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=79719f98482242cd813a5027b10bbf6ceb587e9422&from=&to=5.7.9012.1008 HTTP/1.1

Accept: */*

User-Agent: SearchWithGoogle

Host: clients1.google.com


HTTP/1.1 200 OK

Content-Type: text/plain

Date: Tue, 06 Jan 2015 05:20:41 GMT

Expires: Tue, 06 Jan 2015 05:20:41 GMT

Cache-Control: private, max-age=0

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Server: GSE

Alternate-Protocol: 80:quic,p=0.02

Transfer-Encoding: chunked

16..rlz: 1R______enUA622..0..HTTP/1.1 200 OK..Content-Type: text/plain
..Date: Tue, 06 Jan 2015 05:20:41 GMT..Expires: Tue, 06 Jan 2015 05:20
:41 GMT..Cache-Control: private, max-age=0..X-Content-Type-Options: no
sniff..X-Frame-Options: SAMEORIGIN..X-XSS-Protection: 1; mode=block..S
erver: GSE..Alternate-Protocol: 80:quic,p=0.02..Transfer-Encoding: chu
nked..16..rlz: 1R______enUA622..0..

GET /versions/components/tb_google_row.dat HTTP/1.0

Host: VVV.audiochannel.net


HTTP/1.1 404 Not Found

Date: Tue, 06 Jan 2015 05:20:04 GMT

Server: Apache/2.2.29

Content-Length: 235

Connection: close

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /ve
rsions/components/tb_google_row.dat was not found on this server.</
p>.</body></html>...

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?d66599f683368af4 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT

If-None-Match: "0b96c77303ecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT

Accept-Ranges: bytes

ETag: "805a83f2b9cecf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 56928

Date: Tue, 06 Jan 2015 05:21:08 GMT

Connection: keep-alive
MSCF....`.......,...................I.................,E.Y .authroot.s
tl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......
_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q
.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2
.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\
YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x
%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,
....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.......
[email protected]/"...f.......k..Jm7j....R.5q....Rz.
.!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%
T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m...
_.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..
*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<
;.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|[email protected].._.....7._6...C.0...
A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?.
..........WE.Or..O>..{.'[email protected]}.o:?~....]&l
t;!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..
{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......
q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!........
.`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=..
.f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..
].|......3..y..-./....K..6{...s.<R`.}[email protected]....<<< skipped >>>

HEAD /dl/toolbar/t7/data/7.5.5111.1712/googletoolbarinstaller_en_signed.exe HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: dl.google.com


HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Length: 5030744

Content-Type: application/x-msdos-program

Etag: "416d3"

Expires: Tue, 06 Jan 2015 21:20:13 PST

Last-Modified: Tue, 25 Mar 2014 23:15:00 GMT

Server: downloads

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Tue, 06 Jan 2015 05:20:13 GMT

Alternate-Protocol: 80:quic,p=0.02

....

GET /dl/toolbar/t7/data/7.5.5111.1712/googletoolbarinstaller_en_signed.exe HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Tue, 25 Mar 2014 23:15:00 GMT

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: dl.google.com


HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Length: 5030744

Content-Type: application/x-msdos-program

Etag: "416d3"

Expires: Tue, 06 Jan 2015 21:20:13 PST

Last-Modified: Tue, 25 Mar 2014 23:15:00 GMT

Server: downloads

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Tue, 06 Jan 2015 05:20:13 GMT

Alternate-Protocol: 80:quic,p=0.02

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........R.&.3eu.3eu
.3eu...u.3eu...u:3eu...u.3eu.3du.2eu...u.3eu...u.3eu.3eu.3eu...u.3euRi
ch.3eu........................PE..L....F.S.................z..........
[email protected]...@...............
..................|...H.....................L.X.......................
.....................................................................t
ext.............K.....PEC2*O......`....rsrc.................K.........
.... ....reloc................L.............@.........................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................7%..l....7%.......{[email protected].
i..Y.. ....O}...X..Q>!L........f.l.Hs..s...5.*.O..{0=L...L..j2}.\b.
....s?P.........n......}M...^.......7..........5..).SF.f6..:.#.0...@|y
.a-h......5>b......Jb6......u?l.q..Iu..fI$M.ex..A..5.3.)......k..u.
.~....y...U:..[[email protected].."%.'
..E.........).t.............{%...m.n............y.}.s.......a(..."....
.9.f...#."..l/....M..aA.3M.....B.k'.......]..z..w.8.B..2..S.z..l_....7
=..3I[.l(.V.I.......!.K."c...`..5.7......w. .........3A...`.~.....

<<< skipped >>>

GET /pca3.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.verisign.com


HTTP/1.1 200 OK

Server: Apache

ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"

Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT

Date: Tue, 06 Jan 2015 05:24:54 GMT

Content-Length: 933

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..141210000000Z..150
331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y
.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R
.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....
u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2..
..{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N
....* [email protected]!..Y......w
`G........070411175657Z0!..Z`[email protected].*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H............5..v...V.._)....A... ..
..>.5]....6.(.0uFW.*:T...6$.....R...Y.N.k........%Jn..I.j*.6.3~...r
../[email protected]?....0.A.HTTP/1.1 200 OK..Server: Apache.
.ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"..Last-Modified: F
ri, 19 Dec 2014 01:00:19 GMT..Date: Tue, 06 Jan 2015 05:24:54 GMT..Con
tent-Length: 933..Connection: keep-alive..Content-Type: application/pk
ix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc
.1705..U....Class 3 Public Primary Certification Authority..1412100000
00Z..150331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A..
...{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y
..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1762

content-transfer-encoding: binary

Cache-Control: max-age=574357, public, no-transform, must-revalidate

Last-Modified: Mon, 5 Jan 2015 20:49:30 GMT

Expires: Mon, 12 Jan 2015 20:49:30 GMT

Date: Tue, 06 Jan 2015 05:20:32 GMT

Connection: keep-alive

0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..2015010
5204930Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..R...%V.......K3.....20150105204930Z....20150112204930Z0...*.H.....
........$M.....sd...e&...|.W3.y........bQ.N.I.nT.. A.G^fJ.@3(...Z.....
..&0*..u.n......uC......^...0e..W..J..wD8....u..G....?i.r...k.R.....tx
.x...c.f.m.R.....el\.sG.......c%.h%.d...w"[email protected].*6...F
......".._..s.....e...:..;X$..:......rb.9%G..Z..Hl...n....0...0...0...
........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign
, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public 
Primary Certification Authority - G50...141202000000Z..151216235959Z0.
.1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust
 Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificat
e 30.."0...*.H.............0...............2&..PL...,..2....:..tH...`J
G.%..*...s.c%[email protected]"1.5?..s.....3[.
..u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$"..$l.B.
......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.6.pr4.
J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.
. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symaut
h.com/rpa0...U.%..0... .......0...U...........0... .....0......0!..U..
..0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U.#..0.
....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#...5.N.v.Q

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=508188, public, no-transform, must-revalidate

Last-Modified: Mon, 5 Jan 2015 02:29:17 GMT

Expires: Mon, 12 Jan 2015 02:29:17 GMT

Date: Tue, 06 Jan 2015 05:20:37 GMT

Connection: keep-alive
0..........0..... .....0......0...0......u\..3Oo?U...H.....O!..2015010
5022917Z0s0q0I0... ...................F....0.yV......{&.K......&......
.).... .>...Fb.......20150105022917Z....20150112022917Z0...*.H.....
..........=*.5.....V.j...8f........]#=..4...^....~..h..c..r.R.L1.S....
... ..B..Pd.T}..3.~%6....@.&..a..YK..3...m.%.....X.T.HZ.`..Z..&...18..
M.?.V........23.0E--o.\....7...2....G.PQ....Og>........Lc....C....H
...c0"......)T.....}k....|.8y...5]5....&h...R.W........F.....0...0...0
........../...nj0...}..i..0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code S
igning 2010 CA0...141204000000Z..150304235959Z0..1.0...U....US1.0...U.
...VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign 
Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.....
....4.4...........o....?..f.........I.!.b.L...L..U.........rM.,.....=.
.cR4d.~*..k..x......=.WT.<.A2n1.qZyM.M..Q_...8....9....d.... ...'..
.......h..Z..I...(.b.jK..DO.ra..gb..j..A.(....mrzU.w.......Bv...l.:s..
L....y.....u..n.)W......Y!....Q...,.i|.....:.Mu..DD1.........0...0...U
....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veris
ign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incor
p. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U...
.....0... .....0......0"..U....0...0.1.0...U....TGV-B-24600...*.H.....
[email protected].=.. ...........hi.......>....<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com



QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.
l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0.
..U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.ve
risign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS in
corp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U
........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H..
...........P.j.EA .\.w.ur.....1........]^.....rG....8..Q..d.j..t....H.
..9.i......=s..;(oq.A.....A.......5w......s..=.....4......Q....kR..<
;.Qcx.....4..|b..^..e=.......41.^.?.Stn...i....L.G..:W...8 .Wq........
5..NK.lmg<q.6~(.*.......}[email protected].:....80|N..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=447212, public, no-transform, must-revalidate

Last-Modified: Sun, 4 Jan 2015 09:34:14 GMT

Expires: Sun, 11 Jan 2015 09:34:14 GMT

Date: Tue, 06 Jan 2015 05:24:53 GMT

Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....2015010
4093414Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a.
.eR&.....Y.)..".\....20150104093414Z....20150111093414Z0...*.H........
.........P.OK.w3.B.R..9_*..-....][\....5'.A.jL..=.OZ...|.......?..R..#
YB.6q|...'.P..G ..h...I.H9.`G.M.}..M...3.......p.."Ug....U...7.3.?....
...$.._Q.\_./.....|.L..[......gzO'.C..6.....B.sK.D..H[......iPI.... ..
.Xp.T.]..LR....R:.m.J..T...lDP..p....J..d./D.F....2....0...0...0..3...
..../...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign,
 Inc.1705..U....Class 3 Public Primary Certification Authority0...1412
02000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporatio
n1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1
 OCSP Responder Certificate 30.."0...*.H.............0..........'.....
.Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; )....
.0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|
o....S..v.).)[email protected]#qh...u1T.].G0.]E...=._.....
. ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0
c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......
0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .
....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H
......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D.....
......e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=495631, public, no-transform, must-revalidate

Last-Modified: Sun, 4 Jan 2015 23:04:05 GMT

Expires: Sun, 11 Jan 2015 23:04:05 GMT

Date: Tue, 06 Jan 2015 05:24:53 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2015010
4230405Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
..M.s.Q~...@?j.......20150104230405Z....20150111230405Z0...*.H........
........G..z./....,FS?..1..H.b*.!\..U.X)._...\d.V.....a.....). ......;
..9.pD.o4.....!...........5.O*....Gt...DM'...a.S../......<{;.Q#....
*..~g...p.._WB.:1.....~T....=.1...w'.p#*q..]$.NO..!..e5.`[email protected]. ..v
....~......F.....l.........3U..T...^p3.....q..i,RMX%&....#0...0...0...
.......<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
..{(..t....2.Vf.....&;6).i*[email protected]._p.E.6.|.mk....(....
......p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.
}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....
(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U..
..0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisig
n.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp.
 by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U.....
...0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.thawte.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1503

content-transfer-encoding: binary

Cache-Control: max-age=447628, public, no-transform, must-revalidate

Last-Modified: Sun, 4 Jan 2015 09:44:13 GMT

Expires: Sun, 11 Jan 2015 09:44:13 GMT

Date: Tue, 06 Jan 2015 05:25:01 GMT

Connection: keep-alive
0..........0..... .....0......0...0......&Km...."....}....,.c..2015010
4094413Z0s0q0I0... ........0..k....&..p..^.X.....{[E....z.1..j..F.WHP.
.G.Mxs..../.p./.^....20150104094413Z....20150111094413Z0...*.H........
.....I..S..2....$......<R......#/..].O...G..a@#..*.QKU.aU}5..G..O..
D.e}...x.Z6...nM..~...l...F....$.... .D..t?..K.1.E!....N....u.)Z.I_.Q.
....t.^w.Q.. ......R...;{%.#k.......j..M.$...y..|.]....<.:..]N`....
...{....z.d....Q.....m1..&.{..LL.MR..bWa ..c.l..|.P.5.L......0...0...0
............I...*....^n...0...*.H........0..1.0...U....US1.0...U....th
awte, Inc.1(0&..U....Certification Services Division1806..U.../(c) 200
6 thawte, Inc. - For authorized use only1.0...U....thawte Primary Root
 CA0...141202000000Z..151216235959Z0_1.0...U....US1.0...U....thawte, I
nc.1907..U...0thawte Primary Root OCSP Responder Certificate 30.."0...
*.H.............0.........x...F83..,.D.,2D.;JGc.|_.k.....B.7.....G}.M.
s.....S.i.Uu.h.Aq..v...4:l..U.......T7l...~vl...r....{*..........V.o..
8|.B..^.a.. ...z....x..s...\[Y....<....'> ..YC..7.zVk.$...o3..ka
o]c...>C./bPX.......I..Oc.....NN......g.....,/..]......qN.....V!<
;.3.)...y#.........i0g0...U.%..0... .......0... .....0......0...U.....
..0.0...U...........0!..U....0...0.1.0...U....TGV-B-2770...*.H........
........lt..\..z. ..N.f.!.S5d?J.&....r...D........L.`.s.p...HC.L.8f...
 .........GA7......P..Z.%.../............z.n.6~I...].).....W...W\|.uya
..:...^...hW..7.Z.uc.'....:.xL...HS.....>.........5......%....3S...
.h........U....o.C.\.t.....G.._.C0(l.E9..6UTxg.gF ..;.....
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.thawte.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1396

content-transfer-encoding: binary

Cache-Control: max-age=501778, public, no-transform, must-revalidate

Last-Modified: Mon, 5 Jan 2015 00:44:23 GMT

Expires: Mon, 12 Jan 2015 00:44:23 GMT

Date: Tue, 06 Jan 2015 05:25:01 GMT

Connection: keep-alive
0..p......i0..e.. .....0.....V0..R0...............w/.|`....a...2015010
5004423Z0s0q0I0... ........l....r.vdv0..*.~Y..X....e?z.4..G.L.......q.
.jV. .>...A.4........20150105004423Z....20150112004423Z0...*.H.....
........7...8.....f......V8I.d..............r.d.{v/......T]8.e.8A...1.
wE....N.~.J..].#*3..R.4.E...\w.K.. 3..F1..C....Z......Q}x..3..R,..TNv.
t.iEpW...>......D[) .bU..NU....=.....h...U.*}.!Tg.>..h...1.$..s.
i_n!..o....{..9.=.". ...9..."5<.N....@o.?.H..u0_.1r.<.....;.....
[email protected]...*.H........0J1.0...U....US1.0..
.U....Thawte, Inc.1$0"..U....Thawte Code Signing CA - G20...1412100000
00Z..150310235959Z0Y1.0...U....US1.0...U....Thawte, Inc.1301..U...*Tha
wte Code Signing ..

GET /tools/pso/ping?as=tbin&gu=pi&mode=3&sin=1&ein=0&version=7.5.5111.1712&brand=NCHD&hl=en&tbiv=7.5.5111.1712&time=1420521619&fitime=1420521619&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=AC4C401CF3D73E6A044F1AA29EA5304205DE1wZWKM HTTP/1.1

User-Agent: Google Toolbar installer

Host: clients1.google.com


HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Date: Tue, 06 Jan 2015 05:20:42 GMT

Expires: Tue, 06 Jan 2015 05:20:42 GMT

Cache-Control: private, max-age=0

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Server: GSE

Alternate-Protocol: 80:quic,p=0.02

Transfer-Encoding: chunked

2..ok..0..

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT

Accept-Ranges: bytes

ETag: "88cab6f7ffcf1:0"

Server: Microsoft-IIS/8.5

VTag: 791163458000000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Tue, 06 Jan 2015 05:25:00 GMT

Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..141112173206Z..150211055206Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......W0... .....7......150210174206Z0.
..*.H................].`...D..9.>LO.ey...Qx%.^.P.& ...D.......b}.K.
.[.....5.m....).....H..6R....G/ju.........:..A.#.9!......D5...|".w.x..
=.u..X6.7{..).XN....g......B.8.!&...........<7fS$..........t<X)%
.b([email protected]... ,...K\....U1cp).........y.T..?rm.t..Y.}.E..
-@...

GET /components/toolbars/NCH_GoogleToolbar.exe HTTP/1.0

Host: VVV.audiochannel.net


HTTP/1.1 200 OK

Date: Tue, 06 Jan 2015 05:20:04 GMT

Server: Apache/2.2.29

Last-Modified: Fri, 17 May 2013 06:15:28 GMT

ETag: "befd0-4dce3e8c8c000"

Accept-Ranges: bytes

Content-Length: 782288

Connection: close

Content-Type: application/octet-stream

X-Pad: avoid browser bug
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7
.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7..........
[email protected]............@.
................................z.....................................
......................................................................
.....................................................text....g.......h
.................. ..`.rdata...............l..............@[email protected]...
[email protected]................................
...rsrc...............................@..@............................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
...G..H.P.u..u..u...|[email protected][email protected].....@
..}[email protected]... M..........M........E...FQ.....NU..M
.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected][email protected][email protected] [email protected]..
...@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S..
...t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1697

content-transfer-encoding: binary

Cache-Control: max-age=510852, public, no-transform, must-revalidate

Last-Modified: Mon, 5 Jan 2015 03:19:06 GMT

Expires: Mon, 12 Jan 2015 03:19:06 GMT

Date: Tue, 06 Jan 2015 05:24:54 GMT

Connection: keep-alive
0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 C
ode Signing 2004 CA OCSP Responder..20150105031906Z0s0q0I0... ........
[email protected].!......Q...==d6|h.[x....7..`..........cV.!.....201501
05031906Z....20150112031906Z0...*.H..............S.X.....3d*L....._.u.
.M...U...#..kf.?yG$Z...g#..=.R.~..#...S=<.;..K..,.......G..%eUb..'.
..K.vBd..u8`..H..4..\..2.........1.....J........N.......'|....}.xq...9
Y..l.f.[..q)DfS%;.}I......tm>O;.......b.0..(DZ.....x{]..\[...%.D...
. ..NM........5..V.;t.l..2........0...0...0..{.........[..I|.....Zm..0
...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....Veri
Sign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/
rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140428000
000Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA 
OCSP Responder0.."0...*.H.............0.........Y....h..@..>.....%.
-.....O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l.....f
..;]s!.\"v...|....][email protected]. ..W....n..*
..-f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....<..6.
....[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%..0... 
.......0...U...........0... .....0......0f..U. ._0]0[..`.H...E....0L0#
.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com
/rpa0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>q..i1o
...0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..wo.....
.E.....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|........<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com


HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=566541, public, no-transform, must-revalidate

Last-Modified: Mon, 5 Jan 2015 18:44:32 GMT

Expires: Mon, 12 Jan 2015 18:44:32 GMT

Date: Tue, 06 Jan 2015 05:25:00 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2015010
5184432Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.A..2.....:...:......20150105184432Z....20150112184432Z0...*.H........
.....P*........D..)..Ex/.......P?)...K...BJ..G..x. \2....6y....\..t..0
.1,y..S...{.....:..<... vn....&.$[.3...I...\ ...._.L..1@=cZ;..J....
w.o.]s.n.......F.3.....V...P..NA/......\... ..%.`[email protected]
pi..E....%w.Z:~.C............`..:...:....UE..x...x.......#0...0...0...
.......<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
..{(..t....2.Vf.....&;6).i*[email protected]._p.E.6.|.mk....(....
......p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.
}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....
(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U..
..0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisig
n.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp.
 by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U.....
...0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?88e08b79f1e607bf HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT

If-None-Match: "0b2464b1797cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com


HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT

ETag: "0b2464b1797cf1:0"

Cache-Control: max-age=86400

Date: Tue, 06 Jan 2015 05:20:27 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Las
t-Modified: Thu, 03 Jul 2014 23:34:12 GMT..ETag: "0b2464b1797cf1:0"..C
ache-Control: max-age=86400..Date: Tue, 06 Jan 2015 05:20:27 GMT..Conn
ection: keep-alive..

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 812

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT

If-None-Match: "a2f3ff97eeecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT

ETag: "a2f3ff97eeecf1:0"

Cache-Control: max-age=900

Date: Tue, 06 Jan 2015 05:21:08 GMT

Connection: keep-alive

....

GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT

If-None-Match: "3e1c83923e1cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT

Accept-Ranges: bytes

ETag: "d2e35dc7e31cd01:0"

Server: Microsoft-IIS/8.5

VTag: 4389615400000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 561

Cache-Control: max-age=900

Date: Tue, 06 Jan 2015 05:21:08 GMT

Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Window
s Verification PCA..141220223154Z..150321105154Z._0]0...U.#..0.......p
............<.J0... .....7.......0...U......30... .....7......15032
0224154Z0...*.H.............h.~oH#i.J.vh_.....A'B..g...........F....9c
.{[email protected].^ 4.r..Wv.Q.0.w..j....c9..w....I..%.~.l..F.......xo....
_...o...7BR.;<..\R/ .....b.(....~..]|.v.u.i.X.B....I......./*...P..
A..fi.}& .x.v{TFP[.G......A......L.o...)R.......V.u..V.../.Q..(L.]....
.uki~......


GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT

If-None-Match: "58cddbea90dfcf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT

Accept-Ranges: bytes

ETag: "9a9a44d511bd01:0"

Server: Microsoft-IIS/8.0

VTag: 438346843700000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 550

Cache-Control: max-age=900

Date: Tue, 06 Jan 2015 05:21:08 GMT

Connection: keep-alive
0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-St
amp PCA..141218221600Z..150319103600Z._0]0...U.#..0...#[email protected].. .
.5..0... .....7.......0...U......10... .....7......150318222600Z0...*.
H............./..0Q~.r.}.E....&\....F.Z.C..#..F.s........<&\..9G..-
....j..N... .C.Fk....;l.....2.K5D.........-.>...(...g.0.S.[?...T4q&
gt;[email protected].('..e...Y..Bo..q..........I....'....i>
..y:.eH@h`..\...UA.m#.~.. ;.3..d..;..<..........p..s..J..N `Az.....
[email protected]/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modifie
d: Fri, 19 Dec 2014 06:02:00 GMT..Accept-Ranges: bytes..ETag: "9a9a44d
511bd01:0"..Server: Microsoft-IIS/8.0..VTag: 438346843700000000..P3P: 
CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR S
AMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Conte
nt-Length: 550..Cache-Control: max-age=900..Date: Tue, 06 Jan 2015 05:
21:08 GMT..Connection: keep-alive..0.."0......0...*.H........0w1.0...U
....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corp
oration1!0...U....Microsoft Time-Stamp PCA..141218221600Z..15031910360
0Z._0]0...U.#..0...#[email protected].. ..5..0... .....7.......0...U......10
... .....7......150318222600Z0...*.H............./..0Q~.r.}.E....&\...
.F.Z.C..#..F.s........<&\..9G..-....j..N... .C.Fk....;l.....2.K5D..
.......-.>...(...g.0.S.[?...T4q>[email protected].('..e.
..Y..Bo..q..........I....'....i>..y:.eH@h`..\...UA.m#.~.. ;.3..<<< skipped >>>

The PUP connects to the servers at the folowing location(s):

debut.exe_1832:

.rdata

@.data

.rsrc

mscoree.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

.mixcrt

KERNEL32.DLL

GetProcessWindowStation

USER32.DLL

operator

user32.dll

hXXp://%s/components/de/%s

hXXp://%s/components/%s

hXXp://VVV.audiochannel.net/versions/components/%s_de.txt

%s%d%d%d

kernel32.dll

hXXp://cgi.nch.com.au/cgi-bin/regcheck.exe?cmd=v&id=%d&magic=%d&magicb=%d

Cannot put days of week interval: %x

tb_%s_row.dat

hXXp://VVV.audiochannel.net/versions/components/%s

hXXp://VVV.audiochannel.net/components/toolbars/NCH_Chrome.exe

hXXp://VVV.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe

version="%s"

</%s>

hXXp://VVV.audiochannel.net/versions/debut_de.txt

comctl32.dll

TaskDialogIndirect

UxTheme.dll

dwmapi.dll

%d %d

--%s--

GET %s HTTP/1.0

Host: %s

graph-video.facebook.com

graph.facebook.com

POST /me/%s? HTTP/1.0

Content-Length: %d

Content-Disposition: form-data; name="%s"

flickr.auth.getFrob

%sapi_key%smethod%s

api.flickr.com/services/rest/

%s?api_key=%s&api_sig=%s&method=%s

%sapi_key%sfrob%sperms%s

VVV.flickr.com/services/auth/

flickr.auth.getToken

%sapi_key%sfrob%smethod%s

%s?api_key=%s&frob=%s&method=%s&api_sig=%s

http=

CONNECT %s:%d HTTP/1.0

%s/%s

HTTP/1.

..\llib\net\ssl.cpp

HTTP/1.1

Email=%s&Passwd=%s&service=youtube&source=NCH Software-Debut-1.95

POST /accounts/ClientLogin HTTP/1.0

Host: google.com

Content-Type: application/x-www-form-urlencoded

X-GData-Key: key=AI39si7iPVmebTnCN7UJpEAyFCl4RVfIx0zMzzwRMeX_9Nu-XzbjjazMrGIu90vaGka0C9qBj0rAJCnJEGFbd_vf90Ru4DrqFg

Content-Length: %u

<entry xmlns="hXXp://VVV.w3.org/2005/Atom"

xmlns:media="hXXp://search.yahoo.com/mrss/"

xmlns:yt="hXXp://gdata.youtube.com/schemas/2007">

<media:title type="plain">%s</media:title>

<media:description type="plain">%s</media:description>

<media:category scheme="hXXp://gdata.youtube.com/schemas/2007/categories.cat">%s</media:category>

<media:keywords>%s</media:keywords>

%s</media:group>

Content-Type: video/%s

POST /feeds/api/users/default/uploads HTTP/1.1

Host: uploads.gdata.youtube.com

Authorization: GoogleLogin auth=%s

Slug: %s

Content-Disposition: form-data; name="photo"; filename="%s"

Content-Type: image/%s; charset=UTF-8

POST /services/upload/ HTTP/1.1

Host: api.flickr.com

Content-Type: multipart/form-data; boundary=%s

url_open_buf

url_close_buf

Authorization: Basic %s

User-Agent: %s

HTTP/

%dx%d

?#%X.y

GetProcessHeap

CreatePipe

PeekNamedPipe

SetThreadExecutionState

KERNEL32.dll

RegOpenKeyExW

RegCloseKey

RegDeleteKeyW

RegSetKeySecurity

RegCreateKeyExW

CryptDeriveKey

RegOpenKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

COMCTL32.dll

comdlg32.dll

GetViewportExtEx

SetViewportExtEx

GDI32.dll

acmDriverClose

acmDriverDetailsW

acmDriverEnum

acmDriverOpen

MSACM32.dll

ole32.dll

OLEAUT32.dll

ShellExecuteW

ShellExecuteExW

SHELL32.dll

SHDeleteEmptyKeyW

SHDeleteKeyW

SHLWAPI.dll

CreateDialogIndirectParamW

MsgWaitForMultipleObjects

ExitWindowsEx

UnhookWindowsHookEx

SetWindowsHookExW

GetKeyState

GetKeyNameTextW

UnregisterHotKey

RegisterHotKey

MapVirtualKeyW

USER32.dll

WINMM.dll

WS2_32.dll

NETAPI32.dll

MSIMG32.dll

GdiplusShutdown

gdiplus.dll

iphlpapi.dll

WININET.dll

GetCPInfo

GetConsoleOutputCP

zcÁ

ndssh

WQSSh

SSShn

SSSho

SSSh.

SSSh/

|$`SRjePSSSSh

|$dRjgPSSSSh

PRSSSSh

SQWRSSSSh

RSSSSh

SPj{QSSSSh

SPj|QSSSSh

QSSSSh

PSSSSSSh

SPSSSSSSShd6@

L$<SRjePSSSSh

SSSSh

SQjfRSSSSh

RQSSSSh

SPjgQSSSSh

SPjhQSSSSh

SSShlSB

tASSh

u ShP%C

RPSSh

 |$ WPSSh

SRSSSSSSShd6@

t.Vh \C

W)SSh

O)SSh

G)SSh

D$9SSh

N)SSh

F)SSh

V)SSh

L$.QR

%Program Files% (x86)\NCH Software\Debut\debut.exe

ssshhhWWW

VVV...}}}

666666666666666666

777777777

777777999

;7/30). %&$"*('

(%xSK

/'//'77'/'

&&'&'$##

5'%%'%%;

'.ONKD@;

%6SUq

&&&((((( %F

...02213

[.EJJEEEEED:88988888888[

[$88480<48<<,''%&'&'&'&[

,,,,-,,,,%,%

(6266662

6(6666%--*.

.)&&&(('*---.

&(&((&(&(

()))())))0

|{{{{|{{{{|{{|{{|{{{|

.CC./

" " "3871!

###{||||

#42 (

& 479830

*27==<73

15<>?><6

58=@@?><

 . 6 ::.

@7387>@3

13111(((

!%X=P

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"/>

<requestedExecutionLevel level="asInvoker" />

<!-- Windows 8.1 -->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<!--The ID below indicates app support for Windows 8 -->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!--The ID below indicates app support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--The ID below indicates app support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

mhXXp://ns.adobe.com/xap/1.0/

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3277C77D7132E0118D16E72A4E8059DE" xmpMM:DocumentID="xmp.did:314D5A19534B11E0A6A5AAFBD55133F0" xmpMM:InstanceID="xmp.iid:314D5A18534B11E0A6A5AAFBD55133F0" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B6AAD5DF4A53E0118E8DE62C10C1BCAC" stRef:documentID="xmp.did:3277C77D7132E0118D16E72A4E8059DE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

hXXp://ns.adobe.com/xap/1.0/

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:EC33168E5B4211E29AA2C64FF91BF288" xmpMM:InstanceID="xmp.iid:EC33168D5B4211E29AA2C64FF91BF288" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="F1FEE9759C37E82BF754E40544FE9D38" stRef:documentID="F1FEE9759C37E82BF754E40544FE9D38"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

%d x %d %s

%d x %d

%d F/s

%d FPS

Webcam

\\.\DebutFilter

debutfilterx64.inf

debutfilterinstallerx64.exe

debutfilterx86.inf

debutfilterinstallerx86.exe

%d:%d:%d

shell32.dll

Software\NCH Software\%s\Settings

Software\NCH Swift Sound\%s\Settings

"%s" %%s

hXXp://VVV.nch.com.au/components/%s.exe

Warte auf %s

Debut wird fortfahren, wenn %s schlie

Datei nicht vorhanden: %s

gbar, um %s zu laden

ffnen: %s

%d:%d:%d:%d

recordings.log

%s %s

%u %c

Datei "%s" bereits vorhanden. M

-show -type data -label BACKUP -list "%s" -burn -exit

%s Upload fehlgeschlagen.

Konnte %s nicht hochladen

%d von %d Dateien erfolgreich hochgeladen

Einstellungen und Optionen anpassen

Von einer Webkamera aufzeichnen

%s\%s

Hotkey

SOFTWARE\Microsoft\Windows\Currentversion\RunOnce

%s - Lizenzierte software

%s - Lizenziert f

%s (Nicht lizenziert) Nur nicht-gewerbliche Privatnutzung

%sFormat

%sAspectRatio

%sAspectRatioNum

%sAspectRatioDen

%sMPEG2Transport

%sVideoInputPin

%sAudioInputPin

Software\NCH Software\%s\Registration

SendRunExe

@debuthooksdll.dll

..\debuthooksdll\release\debuthooksdll.dll

WindowsMedia_VideoBitrate

Unbekanntes Format: %s

Um im WMV- oder ASF-Format aufzunehmen, ist (mindestens) Windows Media Player Version 9 notwendig.

IPcamURL

Unbekannter Befehl: %s

_debuthooksdll.dll

WebCamVideoSettings

IPcamPassword

Item %d

WebcamDeinterlace

%s (%s)

Aufnahme (F5) oder (%s)

Pause (F6) oder (%s)

Stopp (F7) oder (%s)

Momentaufnahme als JPG- oder PNG-Datei speichern (F8) oder (%s)

%s (%s) oder (%s)

pfung %s verwenden oder das Symbol in der Taskleiste dr

Windows Media Bildschirmcodec unterst

Windows Media Bildschirmcodec ist nur f

Webkamera

Wenn Sie fortfahren, wird Ihre Aufnahme angehalten. Sind Sie sicher, dass Sie zum Aufnahmemodus %s wechseln m

Momentaufnahmen-Datei %s ist bereits vorhanden.

Ihre geplante Aufnahme '%s' wurde jetzt begonnen - Dauer: %s

Ihre geplante Aufnahme '%s' konnte nicht starten

Zur Erstellung eines Webcam-Sicherheitssystems

@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\divx

Kann "%s" Videokompressor nicht verwenden. Kompressoreinstellung wurde ge

Zwischen der Zeitdauer (%s) und der tats

chlichen Aufnahmedauer (%s) wurde eine gro

%s %d

*.asf

*.avi

*.flv

*.mkv

*.mov

*.mp4

*.mpg

*.wmv

*.jpg

*.png

Wasserzeichen-Videoeffekte anpassen

Farbe anpassen und Videoeffekte

Farbe der Videoeffekte anpassen

Beschriftung der Videoeffekte anpassen

Webkamera aufnehmen als:

0:00:00.000

A%d:%.2d:%.2d:%.3d

%d verwerfen

%d F/s/%d verwerfen

8:00:00.000

Ý% = Aktueller Tag

%SS% = Aktuelle Sekunde

hlter Bereich: %d,%d; %d x %d

hlen: {%d, %d, %d, %d} Breite %d, H

he %d

hlen: %s

sndvol32.exe

sndvol.exe

control.exe mmsys.cpl,,1

sndvol32.exe /rec

URL der Netzwerkkamera eingeben

hXXp://VVV.altoedge.com/usbcapture/index.html

Anzeigen, wie man die URL der Netzwerkkamera abruft

hXXp://VVV.nch.com.au/kb/de/10245.html

ltige URL

URL ist ung

hren, um in Windows XP Aufnahme von Lautsprechern zu aktivieren.

WebcamStretch

Audioaufnahme von %s

Wenn Sie die Einstellungen anpassen, werden Aufnahme und Vorschau angehalten. Sind Sie sicher, dass Sie die Einstellungen anpassen m

hrend der Anpassung dieser Einstellungen wird die Hauptvorschau pausiert. M

password

URL der Netzwerkkamera %s wurde entfernt

URL der Netzwerkkamera entfernt

LTIGES FORMAT - erfordert entweder %autonumber%, %YYYY%, %MM%, Ý%, %HH%, %MIN% oder %SS%

%s.avi

chste AutoNummerierung: %d

Bitte geben Sie die EXE- oder BAT-Datei an, die Sie ausf

%s.jpg

nger als %s (h:mm:ss).

%s_%d

WebcamVideoSettings

Hochladen %s

Global\%s

fmm%s

API-Test OK [%s].

Local_Response_%d

help/arrowlist.gif

help/help.js

help/hlp.css

help/other.html

help/snapshot.html

help/record.html

help/output.html

help/devices.html

help/ooscreen.html

help/oonetwork.html

help/oodevices.html

help/ltaskdatapanel.html

help/edittaskdlg.html

help/scheduler.html

help/watermark.html

help/flickrauth.html

help/licenceterms.html

help/followmousecursor.html

help/selectiontool.html

help/colorsettings.html

help/textcaption.html

help/keychange.html

help/control.html

help/options.html

help/recordingslist.html

help/commandline.html

help/recordingcontrols.html

help/about.html

help/index.html

/InternetRepo/nch_com_au/components/x264enc5.exe

/InternetRepo/nch_com_au/components/mp3el2.exe

clickup.wav

clickdown.wav

cursorright.png

cursorboth.png

cursorleft.png

clickraw.png

debutfilterx64.sys

debutfilterx86.sys

debutfilterx64.cat

debutfilterx86.cat

debut.exe

VVV.nchsoftware.com/capture/de/index.html

Debut Videorekorder.lnk

Software\Microsoft\Windows\CurrentVersion\Uninstall\Debut

VVV.nchsoftware.com/capture/de/support.html

URLInfoAbout

URLUpdateInfo

Software\Microsoft\Windows\CurrentVersion

uninst.exe

nnen Sie diese von VVV.nchsoftware.com/de herunterladen.

"%s" -uninstall

debutsetup_v1.95.exe

FSoftware\NCH Software\Debut\%s

Software\NCH Software\Components\%s

-LQUIET -instby %sDebut

audiochannel.net

VVV.nch.com.au

hren Sie dies von unten stehender URL aus und versuchen es erneut.

n%d-%d-%d

%s=%s

%s%s%s

_debut_rl_%s

hXXp://VVV.nch.com.au/software/de/bug.html?software=Debut&version=1.95&xi=AbTermOrHang-Win%d%d

Win%d%d

Ukn0(Msg%dLstCmd%d)

(Cmd%d)

%s-%s-%s-%s

dbghelp.dll

hXXp://VVV.nch.com.au/software/de/bug.html?software=Debut&version=1.95&lang=de&xi=GUI-%s

%d-%d-%%d

*.exe;*.com;*.bat;

*.dat

hXXps://secure.nch.com.au/cgi-bin/register-de.exe?software=debut&source=softwaretrial

mhXXp://VVV.nchsoftware.com

nnen Sie auf der unten stehenden Webseite finden. Sie k

&usage=XX

hrten Instanzen von Debut Videorekorder beendet wurden, sowie alle anderen Programme, die die Datei "%s" verwenden k

Installation kann nicht beendet werden, da in Datei "%s" nicht geschrieben werden kann.

LLIBShowrelatedwhenchromeoff

LLIBShowrelatedwhenchromeon

LLIBShowrelatedwhennochromeoff

LLIBShowrelatedwhennochromeon

Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s\UserChoice

Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s

explorer.exe

Advapi32.dll

W"%s" %s

explorer.exe "%s"

explorer.exe /select,"%s"

hXXp://VVV.nchsoftware.com/%s.html

hXXp://VVV.nchsoftware.com/de/index.html

hXXp://VVV.nch.com.au/%s.html

hXXp://VVV.nch.com.au/kb/de/%d.html

%%.ß

%sLock

Local\DebutProcessEXE%s

hXXp://VVV.nch.com.au/upgrade/de/index.html?software=debut&upgradeid=%d&upgradekey=%s

hXXp://VVV.nch.com.au/activate/de/index.html?code=%s

hXXps://secure.nch.com.au/cgi-bin/register-de.exe?software=debut&version=1.95%s%s%s%s%s%s%s%s&instby=%s

hXXp://VVV.nchsoftware.com/software/de/registered.html?software=%s&appname=%s&version=1.95&base=capture&domain=nchsoftware%s%s%s%s%s%s%s

ID - Key:

%s-%s

hXXp://VVV.nch.com.au/upgrade/de/index.html

%s Registrierungscode:

%s registrieren

Hier klicken, wenn Sie Ihre 12-stellige Seriennummer noch nicht online aktiviert und keinen ID-Key erhalten haben.

Wenn Sie Ihre Seriennummer bereits online aktiviert haben, sehen Sie in Ihren E-Mails nach dem ID-Key. Klicken Sie dann hier, um Ihren ID-Key einzugeben.

ssen Ihre Seriennummer online aktivieren, um den ID-Key zu erhalten, welcher zur Registrierung der Software n

ID-Key ist notwendig, um die Registrierung abzuschlie

Alter Versionskey

- Sie verwenden die richtige ID und den richtigen Key f

- Nur die ID und der Key f

support/de/reg

registration.txt

Name: %s

Lokation: %s

ID - Key: %d - %s

-clear -label "Debut Videorekorder Installer" -type data "%s" "%s"

Key kann nicht validiert werden. Bitte gehen Sie ins Internet und versuchen Sie es erneut.

support/reg

Hier klicken, um auf die NCH Software Webseite zu gehen und die aktuellen Preise anzuzeigen

00:00:00

2013-12-01

InstallReport

nch.com.au

nchsoftware.com

hXXp://VVV.%s/%s

%s [Empfohlen]

Google Chrome, der schnelle Webbrowser

Kostenlose Spiele, Designs und Extras im Google Chrome Web Store

Warum Chrome:

Google Chrome als Standardbrowser installieren

Mit der Google Toolbar wird die Suche im Web noch einfacher:

Suche von jeder beliebigen Website aus

bersetzung von Webseiten

hXXp://VVV.google.com/toolbar/ie/partnereula.html?hl=de

hXXp://VVV.google.com/accounts/TOS?hl=de

hXXp://VVV.google.com/intl/de/privacy/privacy-policy.html

hXXp://VVV.google.com/chrome/intl/de/eula_text.html

hXXp://VVV.google.com/chrome/intl/de/privacy.html

von Google Chrome zu.

reject-chrome

Automatischer Download der Installation-bei-Bedarf-Komponente "%s" fehlgeschlagen.

Webseite wird nun ge

Webseite

NCH Software\Debut%s

Debut%s

%sT%s

%s%sshmf%ii.bin.tmp

{2318C2B1-4965-11d4-9B18-009027A5CD4F}

software\microsoft\windows\currentversion\app paths\%s

.html

%s\shell\open\command

http\shell\open\command

iexplore.exe

iexplorer.exe

firefox.exe

chrome.exe

Wird installiert: Google Chrome

ChromeRequiresLaunch

ChromeDebut

software\Google\No Chrome Offer Until

InstallingChrome

LaunchChromeOnInstall

hXXp://VVV.nchsoftware.com/software/de/thanks.html?software=Debut&appname=%s&version=1.95&base=capture&domain=nchsoftware&buyoffer=debut&pclass=plus%s%s%s%s%s%s%s%s&instby=%s

NCH_Chrome.exe

Chrome wurde leider nicht installiert, da w

Chrome

NCH_GoogleToolbar.exe

chrome-google

chrome

Google Chrome installieren - Gratis

Chrome f

Wir empfehlen Google Chrome als bevorzugten Viewer unserer Hilfedateien.

Google Chrome ist kostenlos und schnell.

Google Chrome wird installiert

(EOF) Element <%s> should be terminated with </%s>. Check you have terminated your element properly.

Tag <%s> hat kein schlie

Misplaced </%s> which does not match a <%s>.

Element <%s> should be terminated with </%s>, was with %s. Check you have terminated your element properly.

Ln %d, Col %d: %s

Parts of this software are copyright and fall under the Info-Zip License. To view the license terms please open VVV.nchsoftware.com/backup/kb/1188.html.

hXXp://VVV.nchsoftware.com/software/de/newsletter.html?software=Debut&version=1.95&lang=de%s%s

Die Version 1.95 von Debut Videorekorder funktioniert nur mit Windows 8 oder fr

nnen Sie auf VVV.nchsoftware.com/de herunterladen.

%s%*c

Software\Microsoft\Windows\CurrentVersion\Run

"%s" -logon

-setautorun %s

Technische Support-Seite

Classic FTP Software

tar.gz

cftpsetup

ClassicFTP

Software\Classes\%s

Software\NCH Software\%s

Software\NCH Swift Sound\%s

Schnelle Installation bei Bedarf %s

-extfind %s

Software\Classes\.%s

software\microsoft\windows\currentversion\explorer\fileexts\.%s\userchoice

%sfile

%s\shell

%s\shell\open

"%s" -extfind %s "%%L"

%s\DefaultIcon

%SystemRoot%\system32\shell32.dll,19

Software\Classes\%s\Shell\%s\command

Software\Classes\%s\Shell\%s

Software\Classes\%s\Shell

NCH Software\%s\%s.exe

NCH Swift Sound\%s\%s.exe

%s "%s"

Software\Classes\%s\shell\open\command

Software\Classes\%s\shell

Software\Classes\%s\shell\open

Software\Classes\%s\DefaultIcon

%s%s%s%s

hXXp://VVV.nch.com.au/suggestions/de/index.html?software=Debut&version=1.95&lang=de%s%s

hXXp://VVV.nch.com.au/software/de/bug.html?software=Debut&version=1.95&lang=de

hXXp://VVV.nchsoftware.com/software/de/video.html

hXXp://VVV.facebook.com/NCHSoftwareDE

hXXp://twitter.com/nchsoftwarede

hXXps://plus.google.com/ nchsoftware

hXXp://VVV.facebook.com/sharer/sharer.php?u=%s

Ich habe gerade %s heruntergeladen. Probiere es hier aus:

hXXp://VVV.twitter.com/home?status=%s%s

hXXps://plusone.google.com/_/ 1/confirm?hl=de&url=%s

hXXp://VVV.stumbleupon.com/submit?url=%s&title=NCH Software

hXXp://VVV.linkedin.com/shareArticle?url=%s&title=NCH Software&mini=true

hXXp://VVV.nchsoftware.com/software/de/rateit.html?software=Debut&appname=%s&version=1.95&rating=%d&buyoffer=debut&os=Win&lang=de&base=capture&domain=nchsoftware%s%s%s%s%s&instby=%s

%s Startseite

UVVV.nchsoftware.com/capture/de

splash.jpg

Vertrieben von %s

Lizenzierter Benutzer: %s

Zoom: %d%%

*.bmp;*.jif;*.jiff;*.jpeg;*.wmf;*.ico;*.gif;*.jpg;*.jif;*.jiff;*.jpeg;*.exif;*.png;*.tif;*.tiff

{8856F961-340A-11D0-A96B-00C04FD705A2}

Col%d

Bild %s wird entschl

Bild %s wird verschl

Portable Anymap

Portable Network Graphics

Joint Photographic Experts Group

.wbmp

.tiff

.jpeg

%s wird geladen

%s wird gespeichert

%s/microsoft/windows mail/local folders/%s

SMTP_Server

SMTP_Email_Address

00000001

Software\Microsoft\Internet Account Manager\Accounts\%s

SMTP Email Address

SMTP Server

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\%s

{ED475418-B0D6-11D2-8C3B-00104B2A6676}

%s\%s\d

%s\Thunderbird

%s\profiles.ini

%s\%s\prefs.js

mail.accountmanager.defaultaccount

mail.account.%s.identities

mail.identity.%s.useremail

mail.smtp.defaultserver

mail.smtpserver.%s.hostname

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Eudora.exe

deudora.ini

eudora.ini

%s\Qualcomm\Eudora\eudora.ini

SMTPServer

Windows Mail

Mozilla Thunderbird

hXXps://VVV.facebook.com/dialog/oauth?client_id=257995060915392&scope=publish_stream&redirect_uri=hXXps://VVV.facebook.com/connect/login_success.html&response_type=token

hXXps://VVV.facebook.com/connect/login_success.html

login_error.php?

{"value": "%s"}

Content-Disposition: form-data; filename="%s"

Facebook hat Fehlercode (%d) zur

ltiger API-Key

ltige URL gefunden

hXXp://%s?api_key=%s&perms=%s&frob=%s&api_sig=%s

hXXp://google.com

hXXp://yahoo.com

%d.%d.%d.%d

libeay32.dll

ssleay32.dll

google.com

Sport

Sports

Passwort ist notwendig.

uploads.gdata.youtube.com

ckgegeben: "%s"

Von Lokation: "%s"

Ewmvcore.dll

Windows Media Video 9

Windows Media Video 8

Windows Media Video 7

32 bit support

WebCam JPEG

hXXp://VVV.altoedge.com/usbcapture/video.html

chen anpassen.

Unsupported

%d x %d [%s], %.2lf fps, %s

%d x %d, %.2lf fps, %s

NCHScreenCapture %d %d %d %d %lf %d %d %d %d %d %d %d

NCHIPCamrCapture&url=%s

&user=%s

&password=%s

LAudioMixer %d

%d %s

%s/clickdown.wav

%s/clickup.wav

nnen Sie die Codierung Ihres Videos individuell anpassen. Bedenken Sie haupts

Passt Gr

e des Ausgabevideos anzupassen (d.h. Aufl

Falsche Video-Bitrate festgelegt, muss von %d bis %d sein

%d Hz, %lu kbps, %s

%d Hz, %s

BWindows Media Video 9 Screen

Falsche Video-Bitrate angegeben, muss von 24 bis %d sein

K.wff

@device:sw:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\ffdshow video encoder

WindowsMedia_Format

WindowsMedia_VideoCodec

WindowsMedia_SoundCodecIndex

WindowsMedia_SoundFormatIndex

VOB_TwoPass

%s_AVI

@device:sw:{860BB310-5D01-11D0-BD3B-00A0C911CE86}\{00CADAC6-7EA1-418B-8DDD-DF8510030101}

Nmsvfw32.dll

e.cfg

Sie haben %s den Zugriff auf Ihr Facebook-Konto nicht erteilt.

hrend dem Uploadvorgang %s evtl. mehrere Male erneut autorisieren, wenn Sie nur tempor

ExportDialog

ltiger API-Key f

api_key

api.flickr.com

Portable_Preset

Portable_FilePath

Youtube_Password

Youtube_Keywords

Passwort notwendig.

Stichwort ist zu kurz: %s

Stichwort ist zu lang: '%s'

YouTube Passwort:

hXXp://ffmpeg.org

avutil-52.nch.dll

swscale-2.nch.dll

avcodec-54.nch.dll

avformat-54.nch.dll

swresample-0.nch.dll

t.wpp

.divx

.mjpeg

.mpeg

.rmvb

.webm

.xvid

E%s:%s

Kann Antwort nicht verstehen: %s

Server hat ein Problem %d: %s

Server hat kein Bild, aber stattdessen eine Webseite genannt.

Server zeigt Format an, welches nicht verstanden wird. %s

Webserver reagiert nicht.

Webserver hat Frame ausgegeben, der nicht entschl

Konnte nicht von Webserver lesen

.clpi

Jeden Tag %s

%s, %s

%s (n

%s (gleicher Tage)

K%s/clickraw.png

Momentaufnahme %d

"%s" - -

"%s" -s %d -d -w -

FAAD2 AAC/HE-AAC/HE-AACv2/DRM decoder (c) Nero AG, VVV.nero.com

"%s" -o raw

Copyright (C) 2000-2002 Michel Lespinasse <[email protected]>

Copyright (C) 1999-2000 Aaron Holtzman <[email protected]>

r diese Komponente finden Sie auf: hXXp://VVV.opensource.org/licenses/lgpl-license.php

"%s" %s - -

"%s" -C %d -R %d -b %d

"%s" -r

-b %d --cbr --nores --nchvideo - -

Geplante_Aufnahme_%s

Die Aufnahme "%s" ist zu lang. Sie muss k

Diese Aufnahme hat Start- oder Endzeiten, welche mit der Aufnahme "%s"

nger als die maximal erlaubte Aufnahmedauer (Optionen->Aufnahme->Maximale Aufnahmedauer begrenzen). Die Aufnahme wird nach %s angehalten. M

%u:%.2u:%.2u.%.3u

%u:%.2u:%.2u

@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\iyuv

@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\i420

Farbeinstellungen vom Video anpassen, indem Sie die Schieber nach links/rechts ziehen. Sie k

Oddraw.dll

@device:sw:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\DV Video Encoder

@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\ffds

@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\mrle

@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\m261

@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\m263

@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\fps1

@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\yv12

%s (i420)

%s (iyuv)

%d Hz, %d Bit, %s

Windows Media Audio V1

Windows Media Audio V2

ACELP.net

T.spx

"%s" "%s" "%s" -d

"%s" -x "%s" "%s"

"%s" -d -o "%s" -F "%s"

"%s" -o "%s" "%s"

"%s" -d -o "%s" "%s"

"%s" "%s" "%s"

.flac

SYSTEM\CurrentControlSet\Services\%s

hren. Wenn das Problem weiterhin auftritt, kontaktieren Sie bitte den NCH Software Support.

en Sie alle Programme und versuchen es erneut. Wenn das Problem weiterhin auftritt, kontaktieren Sie bitte den NCH Software Support.

hXXp://VVV.mp3dev.org

%d:%.2d:%.2d

.wavpcm

.sndt

.sndr

.vorbis

.nist

.maud

.mat5

.mat4

.lpc10

.ircam

.hcom

.gsrt

.fssd

.dvms

.cvsd

.cdda

.amr-wb

.amr-nb

Speex ACM Codec xiph.org

(unverified) For the Record - hXXp://VVV.fortherecord.com

Aureal Semiconductor RAW SPORT

Windows Media Audio Lossless V9

Windows Media Audio Professional V9

Windows Media Audio V2 V7 V8 V9 / DivX audio (WMA) / Alex AC3 Audio

Windows Media Audio V1 / DivX audio (WMA)

Sipro Lab Telecom ACELP.KELVIN

Sipro Lab Telecom ACELP.net

Microsoft Windows Media, RT Voice

Compaq Computer VSELP (codec for Windows CE 2.0 devices)

%Program Files% (x86)\NCH Software\Debut

C.diV@

,|F.hJYam;

.MHCQH

:] %U

%UNdv

SMTP verwenden, um E-Mail direkt zum Mailserver zu senden

SMTP-Mailhost:

Passwort:

Direkt an andere Seite senden (als eigener SMTP-Server fungieren)

Eine komplette Liste unserer Produkte finden Sie auf unserer unten stehenden Webseite. Dort finden Sie ggf. ein anderes Produkt, das sich besser f

e anpassen

Proportionen beschr

&ID - Key:

e anpassen:

SMTP verwenden, um E-Mails direkt an den E-Mail-Server zu versenden

WebM-Encodereinstellungen

Zwei-Pass-Codierung

Encodereinstellungen von Windows Media

Bitrate automatisch kalkulieren, damit Ihr Video auf eine DVD passt

Dieses Programm erfordert Ihre Autorisierung bevor es Ihre Fotos auf Flickr lesen oder hochladen kann. Flickr-Webseite muss verwendet werden, um dieses Programm zu autorisieren.

Webcam / Aufnahmeger

hren (erweiterte Option, %file% als Dateipfad verwenden)

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

TPAutoConnSvc.exe:1776
GoogleUpdate.exe:3288
GoogleUpdate.exe:3284
GoogleUpdate.exe:3864
GoogleUpdate.exe:3348
GoogleUpdate.exe:2184
NCH_GoogleToolbar.exe:3520
debut.exe:1832
debut.exe:2348
googletoolbarinstaller_en_signed.exe:2776
GoogleUpdaterService_B33FC4DD36A473C6.exe:3408
x264enc5.exe:2976
SearchWithGoogleUpdate_C993F490EED40C1B.exe:2388
GoogleUpdateSetup_latest.exe:2100
nchsetup.exe:2944
GoogleToolbarManager_8CA8B41417E66DEB.exe:3676
GoogleToolbarManager_8CA8B41417E66DEB.exe:3740
GoogleToolbarManager_8CA8B41417E66DEB.exe:3536
GoogleToolbarNotifier.exe:1696
GoogleToolbarNotifier.exe:2304
GoogleUpdaterService.exe:3384
GoogleUpdaterService.exe:1660
regsvr32.exe:3208
%original file name%.exe:3524
mp3el2.exe:2980
Delete the original PUP file.
Delete or disinfect the following files created/modified by the PUP:

%Program Files% (x86)\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\0.0.0.0\googletoolbarinstaller_en_signed.exe (38249 bytes)
C:\Windows\Temp\guiC12C.tmp (15 bytes)
%Program Files% (x86)\Google\Update\Install\{80E8A347-A15D-4F70-8A14-834F39A8DBB8}\googletoolbarinstaller_en_signed.exe (38734 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdate.dll (835 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_en.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz8C0A.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_latest.exe (25250 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_debut_rl_adm (8 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe (620 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar.7.5.5111.1712.manifest.xml (36 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll (2 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_C993F490EED40C1B.exe (50 bytes)
C:\Windows\System32\config\SOFTWARE (63799 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_F8ED9B719A89F8EF.dll (489 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_8E471B27054D20F5.dll (149 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_365102BD7F6C8091.dll (390 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe (801 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller2.log (43972 bytes)
C:\$Directory (384 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe (50 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_54BD4059920ABC8A.dll (514 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe (1480 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe (390 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (60980 bytes)
%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (390 bytes)
%Program Files% (x86)\NCH Software\Components\x264enc5\x264enc5.exe (20838 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x264enc5_.cab (467 bytes)
%Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (346 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gth.dll (49 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (79 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\Readme.url (212 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll (150 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (1 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_lt.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_hi.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_vi.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_el.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_sw.dll (29 bytes)
%Program Files% (x86)\GUT8C58.tmp (4 bytes)
%Program Files% (x86)\GUM8C57.tmp\GoogleCrashHandler.exe (212 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_id.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_hu.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_gu.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_et.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ur.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_pl.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_fr.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\psmachine.dll (159 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_kn.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ta.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\psuser.dll (159 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_sr.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_it.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_sl.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ca.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ru.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_am.dll (25 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ar.dll (26 bytes)
%Program Files% (x86)\GUM8C57.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_th.dll (27 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_is.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_fa.dll (27 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_sv.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ro.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_iw.dll (26 bytes)
%Program Files% (x86)\GUM8C57.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ko.dll (23 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_hr.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ja.dll (24 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_tr.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_de.dll (31 bytes)
%Program Files% (x86)\GUM8C57.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_no.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_bg.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_uk.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_sk.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_cs.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ms.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_ml.dll (31 bytes)
%Program Files% (x86)\GUM8C57.tmp\GoogleUpdate.exe (234 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_te.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_lv.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_mr.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_bn.dll (28 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_fil.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_da.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_fi.dll (29 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_nl.dll (30 bytes)
%Program Files% (x86)\GUM8C57.tmp\goopdateres_es.dll (31 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterinstallerx86.exe (9476 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Doxillion Dokumentenkonverter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Videoverwandte Programme\VideoPad Video-Editor.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\about.html (196 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Videoverwandte Programme\PrÃƒÂ¤sentationsersteller-Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\hlp.css (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\other.html (196 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\devices.html (196 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\VideoPad Video-Editor.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\cursorright.png (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\colorsettings.html (2 bytes)
C:\Users\"%CurrentUserName%"\Favorites\Downloadseite von NCH Software.lnk (312 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\oodevices.html (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Videoverwandte Programme\Videoaufnahme-Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\scheduler.html (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Express Zip Dateikomprimierung.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterinstallerx64.exe (19348 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\licenceterms.html (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Rechnungssoftware.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterx64.sys (4708 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Videoverwandte Programme\Videokassette-zu-DVD-Konverter.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\debut.exe (15423 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Express Rip CD-Ripper.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Grafikdatei-Konverter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Classic FTP Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterx86.inf (2 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\snapshot.html (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Videoaufnahme-Software.lnk (1 bytes)
C:\Users\Public\Desktop\Debut Videorekorder.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\recordingcontrols.html (388 bytes)
%Program Files% (x86)\NCH Software\Debut\_debuthooksdll.dll (8844 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\record.html (3 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterx86.cat (388 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\keychange.html (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\edittaskdlg.html (2 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\recordingslist.html (196 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\commandline.html (196 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\help.js (2 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\selectiontool.html (196 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\flickrauth.html (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\SoundTap Streaming-Rekorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Buchhaltungssoftware.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Videoverwandte Programme\Videostreaming Server.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\options.html (1 bytes)
%Program Files% (x86)\NCH Software\Debut\clickup.wav (3 bytes)
%Program Files% (x86)\NCH Software\Debut\clickraw.png (3 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\index.html (196 bytes)
%Program Files% (x86)\NCH Software\Debut\cursorboth.png (2 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\followmousecursor.html (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Express Burn CD, DVD oder Blu-Ray.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\mp3el2.exe (24344 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\MixPad Mehrspur-Mixer.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Express Dictate Rekorder.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\arrowlist.gif (455 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\oonetwork.html (3 bytes)
%Program Files% (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe (382441 bytes)
%Program Files% (x86)\NCH Software\Debut\debutsetup_v1.95.exe (10177 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\WavePad Sound-Editor.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\RecordPad Soundrekorder.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\cursorleft.png (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Videoverwandte Programme\Videodatei-Formatkonverter.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\ltaskdatapanel.html (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\control.html (2 bytes)
%Program Files% (x86)\NCH Software\Debut\clickdown.wav (3 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\textcaption.html (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Switch Sounddatei-Konverter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette\Prism Videodatei-Formatkonverter.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\x264enc5.exe (62431 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debut Videorekorder.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\output.html (4 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterx86.sys (6532 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterx64.inf (2 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\ooscreen.html (3 bytes)
%Program Files% (x86)\NCH Software\Debut\debutfilterx64.cat (388 bytes)
%Program Files% (x86)\NCH Software\Debut\Help\watermark.html (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (2418 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (1281 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (673 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (1425 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe (2321 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)
C:\ProgramData\Google\Custom Buttons\toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (17751 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (736 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (825 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (34178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mp3el2_.cab (180 bytes)
%Program Files% (x86)\NCH Software\Components\mp3el2\lame.exe (7384 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

PUP.Win32.Spigot_ec69638e26

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

PUP.Win32.Spigot_ec69638e26

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet