Win32.Gael.3666_8835c399e7
Win32.Gael.3666 (B) (Emsisoft), Win32.Gael.3666 (AdAware), Trojan.Win32.Alureon.FD, Trojan.Win32.IEDummy.FD (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 8835c399e73e8ee751e5e981b5bb7ad9
SHA1: f8d1c25393b79ca1f574cc09c699fbc62a50605b
SHA256: 95143da74bfca4ae04bd524afe21db1daa3d8194ebb19abcc4f999be590b3bda
SSDeep: 49152:UTdItv/KsHbw5zPZg/M/u oLQFalAf6DLwJoNIv:UTdIl/5Hbw5tg/z oLQFala63w3
Size: 1888256 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company: no certificate found
Created at: 2009-05-16 01:07:43
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
GoogleToolbarManager_9DE96A29E721D90A.exe:2024
GoogleToolbarManager_9DE96A29E721D90A.exe:1804
GoogleToolbarManager_9DE96A29E721D90A.exe:1332
%original file name%.exe:352
GoogleToolbarNotifier.exe:844
GoogleToolbarNotifier.exe:1296
GoogleToolbarNotifier.exe:972
GoogleToolbarNotifier.exe:1180
SearchWithGoogleUpdate_4DE6AC39DE1AFE56.exe:236
GoogleUpdaterService_5898FABCFA121C11.exe:1532
GoogleUpdaterService.exe:1840
GoogleUpdaterService.exe:668
The Trojan injects its code into the following process(es):
No process injection was found.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process GoogleToolbarManager_9DE96A29E721D90A.exe:2024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Google\Custom Buttons\toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML (12 bytes)
The process GoogleToolbarManager_9DE96A29E721D90A.exe:1804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Google\Google Toolbar\GoogleToolbarUser.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GoogleToolbarInstaller1.log (23494 bytes)
%Program Files%\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
%Program Files%\Google\Google Toolbar\GoogleToolbar.dll (1281 bytes)
%Program Files%\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)
The process GoogleToolbarManager_9DE96A29E721D90A.exe:1332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GoogleToolbarInstaller1.log (501 bytes)
The process %original file name%.exe:352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8 (228 bytes)
%Program Files%\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (1751 bytes)
%System%\config\software (24847 bytes)
%System%\config\SOFTWARE.LOG (29547 bytes)
%Program Files%\Google\Google Toolbar\Component\GoogleToolbarDynamic_6BC68FE03E7B66EC.dll (20506 bytes)
%Program Files%\Google\Google Toolbar\Component\GoogleToolbarManager_9DE96A29E721D90A.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GoogleToolbarInstaller2.log (40367 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165 (413 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 (224 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 (96 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165 (172 bytes)
%Program Files%\Google\Google Toolbar\Component\SearchWithGoogleUpdate_4DE6AC39DE1AFE56.exe (6375 bytes)
%Program Files%\Google\Google Toolbar\Component\GoogleToolbarUser_FCDD4C5F33EE805C.exe (280 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (164 bytes)
%Program Files%\Google\Google Toolbar\Component\GoogleToolbar.6.1.1715.1442.manifest.xml (15 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8 (341 bytes)
%Program Files%\Google\Google Toolbar\Component\GoogleToolbar_1682201815E52F0C.dll (259 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
%Program Files%\Google\Google Toolbar\Component\GoogleUpdaterService_5898FABCFA121C11.exe (182 bytes)
The process SearchWithGoogleUpdate_4DE6AC39DE1AFE56.exe:236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (3741 bytes)
%Program Files%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (39 bytes)
%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572\gth.dll (10 bytes)
%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572\Readme.url (128 bytes)
%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572\gtn.dll (119 bytes)
The process GoogleUpdaterService_5898FABCFA121C11.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Google\Common\Google Updater\GoogleUpdaterService.exe (182 bytes)
Registry activity
The process GoogleToolbarManager_9DE96A29E721D90A.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 A2 9B 45 5D 55 7F 1D 8C F3 F3 0A EF BE 26 8D"
[HKLM\SOFTWARE\Google\Google Toolbar\Component\NonManifest\%Documents and Settings%\All Users\Application Data\Google\Custom Buttons]
"toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Google\Google Toolbar\Component\Used]
"GoogleToolbarDynamic.dll" = "1"
The process GoogleToolbarManager_9DE96A29E721D90A.exe:1804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Google\Google Toolbar\Component\Used]
"GoogleToolbarManager.exe" = "1"
[HKCR\CLSID\{E16DC1FE-7C34-43f2-B754-F3AD12DDF97C}\InprocServer32]
"(Default)" = "%Program Files%\Google\Google Toolbar\GoogleToolbar.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"NoModify" = "1"
[HKCR\CLSID\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}\VersionIndependentProgID]
"(Default)" = "FASTSEARCHBHO.FASTSEARCHBHO"
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"
[HKLM\SOFTWARE\Google\Google Toolbar\Branding]
"ID" = "1427F97BFE29B46D3F488DBA6E9F6BCA571323kLIIN"
"InstallType" = "3"
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files%\Google\Google Toolbar\GoogleToolbar.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB6" = ""
[HKCR\CLSID\{B1759355-3EEC-4C1E-B0F1-B719FE26E377}]
"(Default)" = "Google Dictionary Compression filter"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"
[HKLM\SOFTWARE\Google\FastSearch]
"module_path" = "%Program Files%\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll"
[HKCR\CLSID\{00EF2092-6AC5-47c0-BD25-CF2D5D657FEB}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{CCD973EF-4D88-48B2-ABF4-13EAF25BAE3B}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\FASTSEARCHBHO.FASTSEARCHBHO.1\CLSID]
"(Default)" = "{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Publisher" = "Google Inc."
"InstallLocation" = "%Program Files%\Google\Google Toolbar\"
[HKLM\SOFTWARE\Google\Google Toolbar\Branding]
"brand" = "GUEA"
[HKCR\CLSID\{00EF2092-6AC5-47c0-BD25-CF2D5D657FEB}\InprocServer32]
"(Default)" = "%Program Files%\Google\Google Toolbar\GoogleToolbar.dll"
[HKLM\SOFTWARE\Google\Google Toolbar\4.0\Setup]
"IsInstalling" = "1"
[HKCR\AppID\{9C52D5C7-F8F6-4f58-A0CD-C5E6991AD256}]
"(Default)" = "fastsearch"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetDefaultSearch" = "3"
[HKCR\CLSID\{E16DC1FE-7C34-43f2-B754-F3AD12DDF97C}]
"(Default)" = "Google Find Bar"
[HKCR\FASTSEARCH.FASTSEARCHBHO]
"(Default)" = "Google Dictionary Compression sdch"
[HKLM\SOFTWARE\Google\Google Toolbar\4.0\Setup]
"ToastOfferTime" = "0"
[HKLM\SOFTWARE\Google\Google Toolbar\Installations]
"1447466391" = "v=6.1.1715.1442&tbbrand=GUEA&i=1"
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files%\Google\Google Toolbar\GoogleToolbar.dll"
[HKCR\CLSID\{B1759355-3EEC-4C1E-B0F1-B719FE26E377}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayName" = "Google Toolbar for Internet Explorer"
[HKCR\TypeLib\{CCD973EF-4D88-48B2-ABF4-13EAF25BAE3B}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ButtonPageRank" = "0"
[HKCR\AppID\fastsearch.DLL]
"AppID" = "{9C52D5C7-F8F6-4f58-A0CD-C5E6991AD256}"
[HKCR\CLSID\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
"(Default)" = "Google Dictionary Compression sdch"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser.exe"
[HKLM\SOFTWARE\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"pv" = "6.1.1715.1442"
[HKCR\PROTOCOLS\Filter\x-sdch]
"(Default)" = "Google Dictionary Compression filter"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetPageRank" = "2"
[HKCR\CLSID\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}\TypeLib]
"(Default)" = "{CCD973EF-4D88-48b2-ABF4-13EAF25BAE3B}"
[HKCR\PROTOCOLS\Filter\x-sdch]
"CLSID" = "{B1759355-3EEC-4C1E-B0F1-B719FE26E377}"
[HKLM\SOFTWARE\Google\Google Toolbar]
"test" = "41"
[HKLM\SOFTWARE\Google\Google Toolbar\Component\Used]
"SearchWithGoogleUpdate.exe" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"UninstallString" = "%Program Files%\Google\Google Toolbar\Component\GoogleToolbarManager_9DE96A29E721D90A.exe /uninstall"
[HKCR\FASTSEARCH.FASTSEARCHBHO\CLSID]
"(Default)" = "{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"RbbsBreak" = "1"
[HKLM\SOFTWARE\Google\Google Toolbar\4.0\Setup]
"SystemPatchLevel" = "1"
[HKLM\SOFTWARE\Google\Google Toolbar\Branding]
"InstallTime" = "1447466379"
[HKCR\CLSID\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}\ProgID]
"(Default)" = "FASTSEARCHBHO.FASTSEARCHBHO.1"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"BrowseByName" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayIcon" = "%Program Files%\Google\Google Toolbar\Component\GoogleToolbarManager_9DE96A29E721D90A.exe"
[HKCR\CLSID\{E16DC1FE-7C34-43f2-B754-F3AD12DDF97C}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Google\Google Toolbar\Component\Used]
"fastsearch.dll" = "1"
[HKLM\SOFTWARE\Google\Google Toolbar\4.0\Setup]
"EnableUsageStats" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"NoRepair" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files%\Google\Google Toolbar"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"
[HKCR\Installer\Products\18555481990E8AB4CBB63FB4F26006C0]
"AuthorizedLUAApp" = "1"
[HKCR\CLSID\{00EF2092-6AC5-47c0-BD25-CF2D5D657FEB}]
"(Default)" = "Google Script Object"
[HKCR\FASTSEARCHBHO.FASTSEARCHBHO.1]
"(Default)" = "Google Dictionary Compression sdch"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 A4 96 DB E8 74 9D F0 C7 81 0E 89 8C 1E CD C7"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"UsageStatsEnabled" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"
[HKLM\SOFTWARE\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"lang" = "en"
[HKCR\TypeLib\{CCD973EF-4D88-48B2-ABF4-13EAF25BAE3B}\1.0]
"(Default)" = "Google Dictionary Compression sdch Type Library"
[HKCR\TypeLib\{CCD973EF-4D88-48B2-ABF4-13EAF25BAE3B}\1.0\0\win32]
"(Default)" = "%Program Files%\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll"
[HKCR\CLSID\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
"AppID" = "{9C52D5C7-F8F6-4f58-A0CD-C5E6991AD256}"
[HKCR\FASTSEARCH.FASTSEARCHBHO\CurVer]
"(Default)" = "FASTSEARCHBHO.FASTSEARCHBHO.1"
[HKLM\SOFTWARE\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"Name" = "Google Toolbar"
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Google\Google Toolbar\Component\Used]
"GoogleUpdaterService.exe" = "1"
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"
[HKCR\CLSID\{B1759355-3EEC-4C1E-B0F1-B719FE26E377}\InprocServer32]
"(Default)" = "%Program Files%\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll"
[HKLM\SOFTWARE\Google\Google Toolbar\4.0\Setup]
"DisableBrowseByName" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"MinorVersion" = "1"
"MajorVersion" = "6"
[HKLM\SOFTWARE\Google\Google Toolbar\4.0\Setup]
"WelcomePage" = "http://toolbar.google.com/tbredir?r=di&l=en&v=6.1&tbbrand="
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetHomePage" = "2"
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"
[HKCR\CLSID\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}\InprocServer32]
"ThreadingModel" = "Apartment"
"(Default)" = "%Program Files%\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll"
[HKLM\SOFTWARE\Google\Google Toolbar\4.0\Setup]
"EulaAccepted" = "0"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
"NoExplorer" = "1"
"(Default)" = "Google Dictionary Compression sdch"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"Vendor"
[HKCU\Software\Google\Google Toolbar\4.0]
"Update"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"
[HKLM\SOFTWARE\Google\Google Toolbar\4.0\Setup]
"WelcomePage"
"IsInstalling"
"RefreshIE"
The process GoogleToolbarManager_9DE96A29E721D90A.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 2B 94 21 08 0F 3E 8E 6D 1B 98 4C 1D 47 F6 6F"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Google Toolbar\4.0\Setup]
"WelcomePage"
The process %original file name%.exe:352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 38 8F 9F AA 5A 6C D9 61 6C 74 92 E6 2F 3C 14"
[HKLM\SOFTWARE\Google\Google Toolbar\4.0\Setup]
"FirstInstallTime" = "1447466393"
[HKLM\SOFTWARE\Google\Google Toolbar\Branding]
"ein" = "1"
[HKLM\SOFTWARE\Google\Google Toolbar\Component]
"currentVersion" = "6.1.1715.1442"
"NextVersion" = "6.1.1715.1442"
[HKLM\SOFTWARE\Google\Google Toolbar\Branding]
"sin" = "0"
[HKLM\SOFTWARE\Google\Google Toolbar\4.0\Setup]
"FailedInstallPing" = "http://clients1.google.com/tools/pso/ping?as=tbin&mode=3&sin=1&ein=0&version=6.1.1715.1442&brand=GUEA&hl=en&tbiv=6.1.1715.1442&time=1447466393&fitime=1447466393&verold=6.1.1715.1442&brandold=GUEA&browser=6.0.2900.5512&osver=5.1&ossp=3.0&ext=EXE&id=1427F97BFE29B46D3F488DBA6E9F6BCA571323kLIIN"
[HKLM\SOFTWARE\Google\Google Toolbar]
"test" = "41"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Google Toolbar\Component]
"NextVersion"
The process GoogleToolbarNotifier.exe:844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 42 10 7A B6 D5 CE 3E 94 E7 32 AB ED 0E C8 69"
[HKCU\Software\Google\GoogleToolbarNotifier]
"AppPath" = "%Program Files%\Google\GoogleToolbarNotifier"
"iemc" = "1"
"TS" = "1447466399"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Google\GoogleToolbarNotifier]
"UpdateURL" = "http://www.google.com/tools/swg2/update"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Google\GoogleToolbarNotifier]
"InstalledVersion" = "5.1.1309.3572"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Google\GoogleToolbarNotifier]
"WantProductRestart"
"ts"
The process GoogleToolbarNotifier.exe:1296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 79 2D 8B 05 92 22 BF 57 89 11 00 D4 78 4F 8D"
[HKCU\Software\Google\GoogleToolbarNotifier]
"DefaultLanguage" = "en"
"AppPath" = "%Program Files%\Google\GoogleToolbarNotifier"
"iemc" = "1"
"TS" = "1447466391"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Google\GoogleToolbarNotifier]
"UpdateURL" = "http://www.google.com/tools/swg2/update"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Google\GoogleToolbarNotifier]
"InstalledVersion" = "5.1.1309.3572"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Google\GoogleToolbarNotifier]
"WantProductRestart"
"ts"
The process GoogleToolbarNotifier.exe:972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"HideUI_Throttled" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier]
"iemc" = "1"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"DetectChange_DS" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier]
"UpdateURL" = "http://www.google.com/tools/swg2/update"
"KeepDS" = "2280758659"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Google\GoogleToolbarNotifier]
"FirstRun" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"Icon_Click" = "0"
"UserAllowChange_DS" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ShowUI_TrayIcon" = "0"
[HKCU\Software\Google\Google Toolbar\4.0]
"UpdateResult" = "98"
[HKCU\Software\Google\GoogleToolbarNotifier]
"DefaultLanguage" = "en"
"TS" = "1447466391"
"AppPath" = "%Program Files%\Google\GoogleToolbarNotifier"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ShowUI_Popup" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier]
"InstalledVersion" = "5.1.1309.3572"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"LastReportTime" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 8B C1 7A 31 68 5E 76 C0 82 00 80 37 10 FC 72"
[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"scShowTrayIcon" = "ffffffff"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ModifyUI_UserIntent" = "0"
"Bubble_Click" = "0"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"Extc" = "1"
[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"scKeepDS" = "87f19d83"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Google\GoogleToolbarNotifier]
"WantProductRestart"
"ts"
The process GoogleToolbarNotifier.exe:1180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\ProgID]
"(Default)" = "ProtectorExe.ProtectorHost.1"
[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\ProtectorExe.ProtectorHost.1\CLSID]
"(Default)" = "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}"
[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"Version" = "13.0"
[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll"
[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"Version" = "13.0"
[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}]
"(Default)" = "IProtector8"
[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\VersionIndependentProgID]
"(Default)" = "protector_dll.Protector"
[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"Version" = "13.0"
[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\13.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\13.0]
"(Default)" = "protector_dllLib"
[HKCR\AppID\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}]
"(Default)" = "protector_dll"
[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}]
"(Default)" = "ProtectorExe"
[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"Version" = "13.0"
[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\protector_dll.ProtectorLib.1]
"(Default)" = "ProtectorLib Class"
[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"Version" = "13.0"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"(Default)" = "ProtectorLib Class"
[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"Version" = "13.0"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorLib"
[HKCR\protector_dll.Protector.1\CLSID]
"(Default)" = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}"
[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\protector_dll.ProtectorLib\CurVer]
"(Default)" = "protector_dll.ProtectorLib.1"
[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"
[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"Version" = "13.0"
[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"Version" = "13.0"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID]
"(Default)" = "protector_dll.ProtectorLib.1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 D0 A3 A9 7B D6 94 AE F3 E7 AA E6 12 5F 81 78"
[HKCR\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\ProgID]
"(Default)" = "protector_dll.Protector.1"
[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}]
"(Default)" = "IProtector3"
[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"Version" = "13.0"
[HKCR\AppID\ProtectorExe.EXE]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\ProtectorExe.ProtectorHost\CLSID]
"(Default)" = "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}"
[HKCR\protector_dll.ProtectorBho]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\AppID\protector_dll.DLL]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll"
[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}]
"(Default)" = "IProtectorLib2"
[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}]
"(Default)" = "IProtector2"
[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"Version" = "13.0"
[HKCR\protector_dll.Protector\CLSID]
"(Default)" = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}"
[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\ProtectorExe.ProtectorHost]
"(Default)" = "ProtectorHost Class"
[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}]
"(Default)" = "IProtector4"
[HKCR\protector_dll.ProtectorBho.1\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"
[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\protector_dll.ProtectorBho.1]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}]
"(Default)" = "IProtectorLib3"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"(Default)" = "ProtectorHost Class"
[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}]
"(Default)" = "IProtectorHost"
[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}]
"(Default)" = "IProtectorLib4"
[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"Version" = "13.0"
[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}]
"(Default)" = "IProtector"
[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}]
"(Default)" = "IProtector6"
[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"Version" = "13.0"
[HKCR\ProtectorExe.ProtectorHost.1]
"(Default)" = "ProtectorHost Class"
[HKCR\protector_dll.Protector\CurVer]
"(Default)" = "protector_dll.Protector.1"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"Depend" = "%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572\gtn.dll"
[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}]
"(Default)" = "IProtectorHost2"
[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\13.0\HELPDIR]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572\"
[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}]
"RunAs" = "Interactive User"
[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}]
"(Default)" = "IProtectorLib5"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\protector_dll.ProtectorBho\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"
[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\protector_dll.ProtectorBho\CurVer]
"(Default)" = "protector_dll.ProtectorBho.1"
[HKCR\protector_dll.ProtectorLib.1\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"
[HKCR\ProtectorExe.ProtectorHost\CurVer]
"(Default)" = "ProtectorExe.ProtectorHost.1"
[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"Version" = "13.0"
[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"Version" = "13.0"
[HKCR\protector_dll.Protector.1]
"(Default)" = "Protector Class"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorBho"
[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\protector_dll.Protector]
"(Default)" = "Protector Class"
[HKCR\protector_dll.ProtectorLib\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
"(Default)" = "protector_dll.ProtectorBho.1"
[HKCR\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}]
"(Default)" = "Protector Class"
[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\13.0\0\win32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll"
[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}]
"(Default)" = "IProtector5"
[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}]
"(Default)" = "IProtectorLib"
[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}]
"(Default)" = "IProtector7"
[HKCR\protector_dll.ProtectorLib]
"(Default)" = "ProtectorLib Class"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\VersionIndependentProgID]
"(Default)" = "ProtectorExe.ProtectorHost"
[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"Version" = "13.0"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
The process SearchWithGoogleUpdate_4DE6AC39DE1AFE56.exe:236 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 E6 D1 3F 0C 52 6F 14 48 70 4A 0F 1E 65 43 3E"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppName" = "GoogleToolbarNotifier.exe"
[HKLM\SOFTWARE\Google\GoogleToolbarNotifier\Clients]
"ietb" = "0"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572,"
[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"ust" = "100"
[HKLM\SOFTWARE\Google\GoogleToolbarNotifier]
"brand" = "GUEA"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"Policy" = "3"
[HKLM\SOFTWARE\Google\GoogleToolbarNotifier]
"Version" = "5.1.1309.3572"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppPath" = "%Program Files%\Google\GoogleToolbarNotifier"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
To run automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"swg" = "%Program Files%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
The process GoogleUpdaterService_5898FABCFA121C11.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 5C 35 2F 09 AC B0 D6 18 8F B1 7B F6 05 E8 1D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Google\Common\Google Updater\apps\tbie]
"auto" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Google\Common\Google Updater]
"Path" = "%Program Files%\Google\Common\Google Updater\GoogleUpdaterService.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Google\Common\Google Updater]
"Version" = "2.4.1441.4352"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process GoogleUpdaterService.exe:1840 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 1C 9A 5A 29 0B F8 6E DE E9 BF 38 21 C2 E5 EE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Google\Common\Google Updater\apps\swg]
"auto" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process GoogleUpdaterService.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
[HKCR\GUSchedulerCtl.UpdaterScheduler]
"(Default)" = "Google Updater Scheduler class"
[HKCR\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}]
"(Default)" = "Google Silent Updater class"
[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\VersionIndependentProgID]
"(Default)" = "GUServiceCtl.SilentUpdater"
[HKCR\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"
[HKCR\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\LocalServer32]
"(Default)" = "%Program Files%\Google\Common\Google Updater\GoogleUpdaterService.exe"
[HKCR\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\LocalServer32]
"(Default)" = "%Program Files%\Google\Common\Google Updater\GoogleUpdaterService.exe"
[HKCR\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}]
"(Default)" = "Google Updater Scheduler class"
[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\GUServiceCtl.SilentUpdater]
"(Default)" = "Google Silent Updater class"
[HKCR\GUServiceCtl.SilentUpdater\CLSID]
"(Default)" = "{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}"
[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
[HKCR\GUSchedulerCtl.UpdaterScheduler.1\CLSID]
"(Default)" = "{B53B7061-6584-46AA-A033-D610EB10BD9B}"
[HKCR\GUServiceCtl.SilentUpdater\CurVer]
"(Default)" = "GUServiceCtl.SilentUpdater.1"
[HKCR\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\ProgID]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler.1"
[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}]
"(Default)" = "IUpdaterScheduler"
[HKCR\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"LocalService" = "gusvc"
"(Default)" = "gusvc"
[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0]
"(Default)" = "Google Updater Service 1.0 Type Library"
[HKCR\GUServiceCtl.SilentUpdater.1\CLSID]
"(Default)" = "{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}"
[HKCR\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\ProgID]
"(Default)" = "GUServiceCtl.SilentUpdater.1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 88 1B F7 DD D9 34 93 07 3E 59 82 C2 32 81 81"
[HKCR\GUServiceCtl.SilentUpdater.1]
"(Default)" = "Google Silent Updater class"
[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\0\win32]
"(Default)" = "%Program Files%\Google\Common\Google Updater\GoogleUpdaterService.exe"
[HKCR\AppID\GoogleUpdaterService.exe]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"
[HKCR\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"
[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\GUSchedulerCtl.UpdaterScheduler\CurVer]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler.1"
[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}]
"(Default)" = "ISilentUpdater"
[HKCR\GUSchedulerCtl.UpdaterScheduler\CLSID]
"(Default)" = "{B53B7061-6584-46AA-A033-D610EB10BD9B}"
[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"Version" = "1.0"
[HKCR\GUSchedulerCtl.UpdaterScheduler.1]
"(Default)" = "Google Updater Scheduler class"
[HKCR\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\VersionIndependentProgID]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler"
The Trojan deletes the following value(s) in the system registry:
[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"LocalService"
Dropped PE files
| MD5 | File path |
|---|---|
| cc839e8d766cc31a7710c9f38cf3e375 | c:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe |
| 175617c4160b4929e9338e77449dabd5 | c:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_6BC68FE03E7B66EC.dll |
| 9e6b2f8c2f2d774daae776f61d246192 | c:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_9DE96A29E721D90A.exe |
| 49b8a6fabf9a409ad00daaff4ee8b59e | c:\Program Files\Google\Google Toolbar\Component\GoogleToolbarUser_FCDD4C5F33EE805C.exe |
| b2a3ee0d6570bae9bd90892e0009a6ab | c:\Program Files\Google\Google Toolbar\Component\GoogleToolbar_1682201815E52F0C.dll |
| 1c50ab911b3524356d0c58d8d669f09e | c:\Program Files\Google\Google Toolbar\Component\GoogleUpdaterService_5898FABCFA121C11.exe |
| 8ca3cfefbcf81b4898e0b108d28f0d91 | c:\Program Files\Google\Google Toolbar\Component\SearchWithGoogleUpdate_4DE6AC39DE1AFE56.exe |
| e35bccb1d1d96f8e5b09c72af70ec3f6 | c:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll |
| b2a3ee0d6570bae9bd90892e0009a6ab | c:\Program Files\Google\Google Toolbar\GoogleToolbar.dll |
| 49b8a6fabf9a409ad00daaff4ee8b59e | c:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe |
| 4a32613021716345e8e137307bf54850 | c:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\gth.dll |
| 4957e1528a0cb2487a45a7867219e14f | c:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\gtn.dll |
| d1585b06ded161e13b905dc4ffbf7f12 | c:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll |
| 5d61be7db55b026a5d61a3eed09d0ead | c:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Google Inc.
Product Name: Google Toolbar for Internet Explorer
Product Version: 6, 1, 1715, 1442
Legal Copyright: Copyright (c) 2000-2008
Legal Trademarks:
Original Filename: GoogleToolbarInstaller.exe
Internal Name: GoogleToolbarInstaller
File Version: 6, 1, 1715, 1442
File Description: Google Toolbar Installer
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 6684672 | 1828864 | 5.54511 | e97437de83081fa26d1f09c9971319d4 |
| .rsrc | 6688768 | 53248 | 50176 | 4.86409 | 655341720153e64f3474ee75c6aa4bcd |
| .reloc | 6742016 | 7762 | 4096 | 4.68456 | b7463e43ffbdbeec684b32c10c0dd93a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://tools.l.google.com/tbredir?r=di&l=en&v=6.1&tbbrand= | |
| hxxp://tools.l.google.com/T6/done.html | |
| hxxp://www.google.com/toolbar/ie/done.html | |
| hxxp://www.google.com/js/gweb/analytics/autotrack.js | |
| hxxp://www.google.com/toolbar/css/maia.css | |
| hxxp://www-google-analytics.l.google.com/ga.js | |
| hxxp://tools.l.google.com/toolbar/js-utils.js | |
| hxxp://googleadapis.l.google.com/css?family=Open Sans:300,400,600,700&subset=latin | |
| hxxp://www-google-analytics.l.google.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=923990238&utmhn=www.google.com&utmcs=utf-8&utmsr=1916x902&utmvp=1912x719&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Google Toolbar – Google&utmhid=1813921697&utmr=-&utmp=/toolbar/ie/done.html&utmht=1447466398559&utmac=UA-18002-1&utmcc=__utma=173272373.932545686.1447466398.1447466398.1447466398.1;+__utmz=173272373.1447466398.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=2124076644&utmredir=1&utmu=qKCAAAAAAAAAAAAAAAAAAAAE~ | |
| hxxp://gstaticadssl.l.google.com/s/opensans/v13/cJZKeOuBrn4kERxqtaUH3fY6323mHUZFJMgTvxaG2iE.eot | |
| hxxp://www.google.com/css/maia.css | |
| hxxp://www.google.com/js/gweb/analytics/doubletrack.js | |
| hxxp://www.google.com/images/logos/google_logo_41.png | |
| hxxp://www.google.com/toolbar/ie/images/ie9overlay-arrow.png | |
| hxxp://www.google.com/toolbar/ie/images/x.png | |
| hxxp://www.google.com/toolbar/ie/images/tour-plus-th.jpg | |
| hxxp://www.google.com/toolbar/ie/images/tour-instant-th.jpg | |
| hxxp://www.google.com/toolbar/ie/images/tour-translate-th.jpg | |
| hxxp://www.google.com/toolbar/ie/images/tour-tools-th.jpg | |
| hxxp://www.google.com/toolbar/ie/images/tour-plus.jpg | |
| hxxp://www.google.com/toolbar/ie/images/tour-instant.jpg | |
| hxxp://www.google.com/toolbar/ie/images/tour-tools.jpg | |
| hxxp://www.google.com/toolbar/ie/images/tour-translate.jpg | |
| hxxp://www.google.com/js/gweb/core.js | |
| hxxp://www.google.com/js/gweb/ui/gtabs.js | |
| hxxp://dart.l.doubleclick.net/activityi;src=2542116;type=searc340;cat=tbx;ord=2739021834538.0327? | |
| hxxp://pagead.l.doubleclick.net/pagead/conversion.js | |
| hxxp://toolbar.google.com/T6/done.html | |
| hxxp://www.google-analytics.com/ga.js | |
| hxxp://2542116.fls.doubleclick.net/activityi;src=2542116;type=searc340;cat=tbx;ord=2739021834538.0327? | |
| hxxp://tools.google.com/toolbar/js-utils.js | |
| hxxp://www.google-analytics.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=923990238&utmhn=www.google.com&utmcs=utf-8&utmsr=1916x902&utmvp=1912x719&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Google Toolbar – Google&utmhid=1813921697&utmr=-&utmp=/toolbar/ie/done.html&utmht=1447466398559&utmac=UA-18002-1&utmcc=__utma=173272373.932545686.1447466398.1447466398.1447466398.1;+__utmz=173272373.1447466398.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=2124076644&utmredir=1&utmu=qKCAAAAAAAAAAAAAAAAAAAAE~ | |
| hxxp://fonts.gstatic.com/s/opensans/v13/cJZKeOuBrn4kERxqtaUH3fY6323mHUZFJMgTvxaG2iE.eot | |
| hxxp://toolbar.google.com/tbredir?r=di&l=en&v=6.1&tbbrand= | |
| hxxp://www.googleadservices.com/pagead/conversion.js | |
| hxxp://fonts.googleapis.com/css?family=Open Sans:300,400,600,700&subset=latin | |
| www.google.com.ua | |
| googleads.g.doubleclick.net | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /toolbar/ie/images/ie9overlay-arrow.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
Cookie: __utma=173272373.932545686.1447466398.1447466398.1447466398.1; __utmb=173272373.1.10.1447466398; __utmc=173272373; __utmz=173272373.1447466398.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.1 200 OK
Content-Type: image/png
Date: Sat, 14 Nov 2015 01:59:56 GMT
Expires: Sat, 14 Nov 2015 01:59:56 GMT
Cache-Control: private, max-age=31536000
Last-Modified: Fri, 09 Mar 2012 18:38:38 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 1487
X-XSS-Protection: 1; mode=block
<<< skipped >>>
GET /toolbar/ie/images/tour-plus-th.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
Cookie: __utma=173272373.932545686.1447466398.1447466398.1447466398.1; __utmb=173272373.1.10.1447466398; __utmc=173272373; __utmz=173272373.1447466398.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.1 200 OK
Content-Type: image/jpeg
Date: Sat, 14 Nov 2015 01:59:56 GMT
Expires: Sat, 14 Nov 2015 01:59:56 GMT
Cache-Control: private, max-age=31536000
Last-Modified: Mon, 19 Mar 2012 16:53:18 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 3581
X-XSS-Protection: 1; mode=block
<<< skipped >>>
GET /toolbar/ie/images/tour-translate-th.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
Cookie: __utma=173272373.932545686.1447466398.1447466398.1447466398.1; __utmb=173272373.1.10.1447466398; __utmc=173272373; __utmz=173272373.1447466398.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.1 200 OK
Content-Type: image/jpeg
Date: Sat, 14 Nov 2015 01:59:56 GMT
Expires: Sat, 14 Nov 2015 01:59:56 GMT
Cache-Control: private, max-age=31536000
Last-Modified: Fri, 09 Mar 2012 21:41:25 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 3120
X-XSS-Protection: 1; mode=block
<<< skipped >>>
GET /toolbar/ie/images/tour-plus.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
Cookie: __utma=173272373.932545686.1447466398.1447466398.1447466398.1; __utmb=173272373.1.10.1447466398; __utmc=173272373; __utmz=173272373.1447466398.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.1 200 OK
Content-Type: image/jpeg
Date: Sat, 14 Nov 2015 01:59:57 GMT
Expires: Sat, 14 Nov 2015 01:59:57 GMT
Cache-Control: private, max-age=31536000
Last-Modified: Mon, 19 Mar 2012 16:53:18 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 45539
X-XSS-Protection: 1; mode=block
<<< skipped >>>
GET /toolbar/ie/images/tour-translate.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
Cookie: __utma=173272373.932545686.1447466398.1447466398.1447466398.1; __utmb=173272373.1.10.1447466398; __utmc=173272373; __utmz=173272373.1447466398.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.1 200 OK
Content-Type: image/jpeg
Date: Sat, 14 Nov 2015 01:59:57 GMT
Expires: Sat, 14 Nov 2015 01:59:57 GMT
Cache-Control: private, max-age=31536000
Last-Modified: Fri, 09 Mar 2012 18:38:38 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 38992
X-XSS-Protection: 1; mode=block
<<< skipped >>>
GET /js/gweb/ui/gtabs.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript
Date: Sat, 14 Nov 2015 01:59:57 GMT
Expires: Sat, 14 Nov 2015 01:59:57 GMT
Cache-Control: private, max-age=0
Last-Modified: Mon, 02 Apr 2012 02:13:37 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 4661
X-XSS-Protection: 1; mode=block
<<< skipped >>>
GET /css?family=Open Sans:300,400,600,700&subset=latin HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fonts.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/css
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
Expires: Sat, 14 Nov 2015 01:59:53 GMT
Date: Sat, 14 Nov 2015 01:59:53 GMT
Cache-Control: private, max-age=86400
Content-Length: 186
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
@font-face {
  font-family: 'Open Sans';
  font-style: normal;
  font-weight: 400;
  src: url(hXXp://fonts.gstatic.com/s/opensans/v13/cJZKeOuBrn4kERxqtaUH3fY6323mHUZFJMgTvxaG2iE.eot);
}
GET /toolbar/js-utils.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tools.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Expires: Sat, 14 Nov 2015 02:59:53 GMT
Date: Sat, 14 Nov 2015 01:59:53 GMT
Last-Modified: Thu, 01 Oct 2009 02:11:03 GMT
Content-Type: application/x-javascript
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 915
Server: GSE
Cache-Control: public, max-age=3600
Age: 0
<<< binary body not shown >>>
GET /tbredir?r=di&l=en&v=6.1&tbbrand= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: toolbar.google.com
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Location: hXXp://toolbar.google.com/T6/done.html#tbbrand=
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Date: Sat, 14 Nov 2015 01:59:52 GMT
Expires: Sat, 14 Nov 2015 01:59:52 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 191
Server: GSE
<<< binary body not shown >>>
GET /T6/done.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: toolbar.google.com
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Location: hXXp://VVV.google.com/toolbar/ie/done.html
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Date: Sat, 14 Nov 2015 01:59:52 GMT
Expires: Sat, 14 Nov 2015 01:59:52 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 185
Server: GSE
<<< binary body not shown >>>
GET /pagead/conversion.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.googleadservices.com
Connection: Keep-Alive
HTTP/1.1 200 OK
P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
Content-Type: text/javascript; charset=UTF-8
ETag: 12540843983809954984
Date: Sat, 14 Nov 2015 01:59:57 GMT
Expires: Sat, 14 Nov 2015 01:59:57 GMT
Cache-Control: private, max-age=86400
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Content-Encoding: gzip
Server: cafe
Content-Length: 4394
X-XSS-Protection: 1; mode=block
<<< binary body not shown >>>
GET /toolbar/ie/done.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/html
Date: Sat, 14 Nov 2015 01:59:52 GMT
Expires: Sat, 14 Nov 2015 01:59:52 GMT
Cache-Control: private, max-age=0
Last-Modified: Mon, 26 Mar 2012 18:41:17 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 2860
X-XSS-Protection: 1; mode=block
<<< binary body not shown >>>
GET /js/gweb/analytics/autotrack.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript
Date: Sat, 14 Nov 2015 01:59:53 GMT
Expires: Sat, 14 Nov 2015 01:59:53 GMT
Cache-Control: private, max-age=0
Last-Modified: Wed, 02 Apr 2014 00:36:24 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 1934
X-XSS-Protection: 1; mode=block
<<< binary body not shown >>>
GET /toolbar/css/maia.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/css
Date: Sat, 14 Nov 2015 01:59:53 GMT
Expires: Sat, 14 Nov 2015 01:59:53 GMT
Cache-Control: private, max-age=0
Last-Modified: Thu, 15 Aug 2013 22:02:15 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 830
X-XSS-Protection: 1; mode=block
<<< binary body not shown >>>
GET /css/maia.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/css
Date: Sat, 14 Nov 2015 01:59:55 GMT
Expires: Sat, 14 Nov 2015 01:59:55 GMT
Cache-Control: private, max-age=0
Last-Modified: Fri, 18 Sep 2015 17:33:35 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 12081
X-XSS-Protection: 1; mode=block
<<< binary body not shown >>>
GET /js/gweb/analytics/doubletrack.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript
Date: Sat, 14 Nov 2015 01:59:56 GMT
Expires: Sat, 14 Nov 2015 01:59:56 GMT
Cache-Control: private, max-age=0
Last-Modified: Tue, 04 Nov 2014 03:04:23 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 3308
X-XSS-Protection: 1; mode=block
<<< binary body not shown >>>
GET /images/logos/google_logo_41.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Date: Sat, 14 Nov 2015 01:59:56 GMT
Expires: Sat, 14 Nov 2015 01:59:56 GMT
Cache-Control: private, max-age=31536000
Last-Modified: Wed, 11 Dec 2013 16:03:07 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 2357
X-XSS-Protection: 1; mode=block
<<< binary body not shown >>>
GET /toolbar/ie/images/x.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
Cookie: __utma=173272373.932545686.1447466398.1447466398.1447466398.1; __utmb=173272373.1.10.1447466398; __utmc=173272373; __utmz=173272373.1447466398.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.1 200 OK
Content-Type: image/png
Date: Sat, 14 Nov 2015 01:59:56 GMT
Expires: Sat, 14 Nov 2015 01:59:56 GMT
Cache-Control: private, max-age=31536000
Last-Modified: Fri, 09 Mar 2012 18:38:38 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 167
X-XSS-Protection: 1; mode=block
<<< binary body not shown >>>
GET /toolbar/ie/images/tour-instant-th.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
Cookie: __utma=173272373.932545686.1447466398.1447466398.1447466398.1; __utmb=173272373.1.10.1447466398; __utmc=173272373; __utmz=173272373.1447466398.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.1 200 OK
Content-Type: image/jpeg
Date: Sat, 14 Nov 2015 01:59:56 GMT
Expires: Sat, 14 Nov 2015 01:59:56 GMT
Cache-Control: private, max-age=31536000
Last-Modified: Fri, 09 Mar 2012 21:41:25 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 3640
X-XSS-Protection: 1; mode=block
<<< binary body not shown >>>
GET /toolbar/ie/images/tour-tools-th.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
Cookie: __utma=173272373.932545686.1447466398.1447466398.1447466398.1; __utmb=173272373.1.10.1447466398; __utmc=173272373; __utmz=173272373.1447466398.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.1 200 OK
Content-Type: image/jpeg
Date: Sat, 14 Nov 2015 01:59:56 GMT
Expires: Sat, 14 Nov 2015 01:59:56 GMT
Cache-Control: private, max-age=31536000
Last-Modified: Fri, 09 Mar 2012 21:41:25 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 3885
X-XSS-Protection: 1; mode=block
<<< binary body not shown >>>
GET /toolbar/ie/images/tour-instant.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
Cookie: __utma=173272373.932545686.1447466398.1447466398.1447466398.1; __utmb=173272373.1.10.1447466398; __utmc=173272373; __utmz=173272373.1447466398.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.1 200 OK
Content-Type: image/jpeg
Date: Sat, 14 Nov 2015 01:59:57 GMT
Expires: Sat, 14 Nov 2015 01:59:57 GMT
Cache-Control: private, max-age=31536000
Last-Modified: Fri, 09 Mar 2012 18:38:38 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 29269
X-XSS-Protection: 1; mode=block
<<< binary body not shown >>>
GET /toolbar/ie/images/tour-tools.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
Cookie: __utma=173272373.932545686.1447466398.1447466398.1447466398.1; __utmb=173272373.1.10.1447466398; __utmc=173272373; __utmz=173272373.1447466398.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.1 200 OK
Content-Type: image/jpeg
Date: Sat, 14 Nov 2015 01:59:57 GMT
Expires: Sat, 14 Nov 2015 01:59:57 GMT
Cache-Control: private, max-age=31536000
Last-Modified: Fri, 09 Mar 2012 18:38:38 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 48046
X-XSS-Protection: 1; mode=block
<<< binary body not shown >>>
GET /js/gweb/core.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript
Date: Sat, 14 Nov 2015 01:59:57 GMT
Expires: Sat, 14 Nov 2015 01:59:57 GMT
Cache-Control: private, max-age=0
Last-Modified: Mon, 02 Apr 2012 02:13:37 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 17435
X-XSS-Protection: 1; mode=block
<<< skipped >>>
GET /s/opensans/v13/cJZKeOuBrn4kERxqtaUH3fY6323mHUZFJMgTvxaG2iE.eot HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fonts.gstatic.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: font/eot
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
Date: Fri, 13 Nov 2015 21:43:51 GMT
Expires: Sat, 12 Nov 2016 21:43:51 GMT
Last-Modified: Mon, 27 Apr 2015 23:46:39 GMT
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Server: sffe
X-XSS-Protection: 1; mode=block
Content-Length: 17914
Age: 15363
Cache-Control: public, max-age=31536000
<<< skipped >>>
GET /activityi;src=2542116;type=searc340;cat=tbx;ord=2739021834538.0327? HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 2542116.fls.doubleclick.net
Connection: Keep-Alive
HTTP/1.1 200 OK
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Sat, 14 Nov 2015 01:59:57 GMT
Expires: Sat, 14 Nov 2015 01:59:57 GMT
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Server: cafe
Content-Length: 589
X-XSS-Protection: 1; mode=block
Set-Cookie: test_cookie=CheckForPermission; expires=Sat, 14-Nov-2015 02:14:57 GMT; path=/; domain=.doubleclick.net
<<< skipped >>>
GET /ga.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 14 Nov 2015 01:15:02 GMT
Expires: Sat, 14 Nov 2015 03:15:02 GMT
Last-Modified: Thu, 05 Nov 2015 22:24:16 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 16022
Age: 2691
Cache-Control: public, max-age=7200
<<< skipped >>>
GET /r/__utm.gif?utmwv=5.6.7&utms=1&utmn=923990238&utmhn=VVV.google.com&utmcs=utf-8&utmsr=1916x902&utmvp=1912x719&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Google Toolbar – Google&utmhid=1813921697&utmr=-&utmp=/toolbar/ie/done.html&utmht=1447466398559&utmac=UA-18002-1&utmcc=__utma=173272373.932545686.1447466398.1447466398.1447466398.1;+__utmz=173272373.1447466398.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=2124076644&utmredir=1&utmu=qKCAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.google.com/toolbar/ie/done.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Sat, 14 Nov 2015 01:59:54 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
The Trojan connects to the servers at the following location(s):
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
GoogleToolbarManager_9DE96A29E721D90A.exe:2024
GoogleToolbarManager_9DE96A29E721D90A.exe:1804
GoogleToolbarManager_9DE96A29E721D90A.exe:1332
%original file name%.exe:352
GoogleToolbarNotifier.exe:844
GoogleToolbarNotifier.exe:1296
GoogleToolbarNotifier.exe:972
GoogleToolbarNotifier.exe:1180
SearchWithGoogleUpdate_4DE6AC39DE1AFE56.exe:236
GoogleUpdaterService_5898FABCFA121C11.exe:1532
GoogleUpdaterService.exe:1840
GoogleUpdaterService.exe:668
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\Google\Custom Buttons\toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML (12 bytes)
%Program Files%\Google\Google Toolbar\GoogleToolbarUser.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GoogleToolbarInstaller1.log (23494 bytes)
%Program Files%\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
%Program Files%\Google\Google Toolbar\GoogleToolbar.dll (1281 bytes)
%Program Files%\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8 (228 bytes)
%Program Files%\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (1751 bytes)
%System%\config\software (24847 bytes)
%System%\config\SOFTWARE.LOG (29547 bytes)
%Program Files%\Google\Google Toolbar\Component\GoogleToolbarDynamic_6BC68FE03E7B66EC.dll (20506 bytes)
%Program Files%\Google\Google Toolbar\Component\GoogleToolbarManager_9DE96A29E721D90A.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GoogleToolbarInstaller2.log (40367 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165 (413 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 (224 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 (96 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165 (172 bytes)
%Program Files%\Google\Google Toolbar\Component\SearchWithGoogleUpdate_4DE6AC39DE1AFE56.exe (6375 bytes)
%Program Files%\Google\Google Toolbar\Component\GoogleToolbarUser_FCDD4C5F33EE805C.exe (280 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (164 bytes)
%Program Files%\Google\Google Toolbar\Component\GoogleToolbar.6.1.1715.1442.manifest.xml (15 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8 (341 bytes)
%Program Files%\Google\Google Toolbar\Component\GoogleToolbar_1682201815E52F0C.dll (259 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
%Program Files%\Google\Google Toolbar\Component\GoogleUpdaterService_5898FABCFA121C11.exe (182 bytes)
%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (3741 bytes)
%Program Files%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (39 bytes)
%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572\gth.dll (10 bytes)
%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572\Readme.url (128 bytes)
%Program Files%\Google\GoogleToolbarNotifier\5.1.1309.3572\gtn.dll (119 bytes)
%Program Files%\Google\Common\Google Updater\GoogleUpdaterService.exe (182 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"swg" = "%Program Files%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.