Worm.Win32.AutoItGen_3ee7b24cb9

by malwarelabrobot on February 14th, 2015 in Malware Descriptions.

mzpefinder_pcap_file.YR, GenericEmailWorm.YR, WormAutoItGen.YR, PUPSpigot.YR (Lavasoft MAS)
Behaviour: Worm, EmailWorm, PUP


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 3ee7b24cb9c194581274bf779833009a
SHA1: 1568e5a258d882eabfa4eb3f7bb01a0c32e941a1
SHA256: 4ce50fda6feaa6a3683cfc46b882a9dd5a21dbbd285ccba85eb301d84898f255
SSDeep: 24576:efq0UWcA7XRI16f/gDhg2I1hrRlWbbjwx2X jhqb4T0h4ZkA:b0UDVm/gDhP4lQ0wGK8kA
Size: 1134160 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: NCH Software
Created at: 2014-12-18 02:47:27
Analyzed on: Windows7Ada SP1 64-bit


Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Worm creates the following process(es):

GoogleUpdate.exe:1996
GoogleUpdate.exe:1960
GoogleUpdate.exe:3008
GoogleUpdate.exe:4028
GoogleUpdate.exe:1808
ffmpeg16.exe:3088
NCH_GoogleToolbar.exe:860
googletoolbarinstaller_en_signed.exe:3328
GoogleUpdaterService_B33FC4DD36A473C6.exe:3800
GoogleUpdateSetup_latest.exe:1228
nchsetup.exe:1656
nchsetup.exe:264
regsvr32.exe:3852
GoogleToolbarManager_8CA8B41417E66DEB.exe:3452
GoogleToolbarManager_8CA8B41417E66DEB.exe:3972
GoogleToolbarManager_8CA8B41417E66DEB.exe:3960
GoogleToolbarNotifier.exe:3840
GoogleToolbarNotifier.exe:3880
GoogleUpdaterService.exe:3860
GoogleUpdaterService.exe:3820
eyeline.exe:2824
eyeline.exe:108
eyeline.exe:2100
eyeline.exe:2176
eyeline.exe:1900
%original file name%.exe:1632
x264enc6.exe:1676
SearchWithGoogleUpdate_C993F490EED40C1B.exe:3832

The Worm injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GoogleUpdate.exe:1960 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Update\Install\{240D2921-958E-4DFC-A1AE-1CB4B1E42CE2}\googletoolbarinstaller_en_signed.exe (38734 bytes)
%Program Files% (x86)\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\0.0.0.0\googletoolbarinstaller_en_signed.exe (38249 bytes)
C:\Windows\Temp\gui3D8D.tmp (15 bytes)

The process GoogleUpdate.exe:3008 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\GUM1E4.tmp\goopdateres_en.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdate.dll (835 bytes)

The process ffmpeg16.exe:3088 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\Temp\250D.tmp (2 bytes)
%Program Files% (x86)\NCH Software\Components\ffmpeg16\swscale-2.nch.dll (6720 bytes)
%Program Files% (x86)\NCH Software\Components\ffmpeg16\swresample-0.nch.dll (2712 bytes)
%Program Files% (x86)\NCH Software\Components\ffmpeg16\avcodec-54.nch.dll (85319 bytes)
%Program Files% (x86)\NCH Software\Components\ffmpeg16\avformat-54.nch.dll (17751 bytes)
%Program Files% (x86)\NCH Software\Components\ffmpeg16\avdevice-54.nch.dll (22 bytes)
C:\Windows\Temp\25FB.tmp (6 bytes)
%Program Files% (x86)\NCH Software\Components\ffmpeg16\avfilter-3.nch.dll (8368 bytes)
C:\Windows\Temp\260D.tmp (33 bytes)
C:\Windows\Temp\25FC.tmp (146 bytes)
%Program Files% (x86)\NCH Software\Components\ffmpeg16\avutil-52.nch.dll (4232 bytes)
C:\Windows\Temp\258C.tmp (82 bytes)
C:\Windows\Temp\257C.tmp (439 bytes)
C:\Windows\Temp\25EB.tmp (88 bytes)

The process NCH_GoogleToolbar.exe:860 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjFC88.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_latest.exe (25250 bytes)

The process googletoolbarinstaller_en_signed.exe:3328 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe (620 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar.7.5.5111.1712.manifest.xml (36 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll (2 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_C993F490EED40C1B.exe (50 bytes)
C:\Windows\System32\config\SOFTWARE (77691 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_F8ED9B719A89F8EF.dll (489 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_8E471B27054D20F5.dll (149 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_365102BD7F6C8091.dll (390 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe (801 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller2.log (43974 bytes)
C:\$Directory (288 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe (50 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_54BD4059920ABC8A.dll (514 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe (1480 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe (390 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (72244 bytes)

The process GoogleUpdaterService_B33FC4DD36A473C6.exe:3800 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (390 bytes)

The process GoogleUpdateSetup_latest.exe:1228 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\GUM1E4.tmp\goopdateres_el.dll (30 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_vi.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_hi.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_da.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_uk.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_nl.dll (30 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_ko.dll (23 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_sw.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_mr.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_it.dll (30 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_ja.dll (24 bytes)
%Program Files% (x86)\GUM1E4.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files% (x86)\GUM1E4.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_fr.dll (30 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_ml.dll (31 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_fil.dll (30 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_sl.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\GoogleUpdate.exe (234 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_ar.dll (26 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_ms.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_th.dll (27 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_bn.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_hu.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdate.dll (1702 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_is.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files% (x86)\GUM1E4.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_fi.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_hr.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\psmachine.dll (159 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_ca.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_ur.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\GoogleCrashHandler.exe (212 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_sr.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_de.dll (31 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_iw.dll (26 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_sv.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_lt.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_tr.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_te.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_pl.dll (30 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_kn.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_am.dll (25 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_ru.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_id.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_en.dll (27 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_gu.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_cs.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_bg.dll (30 bytes)
%Program Files% (x86)\GUM1E4.tmp\psuser.dll (159 bytes)
%Program Files% (x86)\GUT1F5.tmp (4 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_sk.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_fa.dll (27 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_es.dll (31 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_no.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_ro.dll (29 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_et.dll (28 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_lv.dll (30 bytes)
%Program Files% (x86)\GUM1E4.tmp\goopdateres_ta.dll (30 bytes)
%Program Files% (x86)\GUM1E4.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files% (x86)\GUM1E4.tmp\GoogleUpdateBroker.exe (59 bytes)

The process nchsetup.exe:1656 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\NCH Software\Eyeline\x264enc6.exe (483 bytes)

The process nchsetup.exe:264 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Video Capture Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Eyeline\Web\ajax.js (2 bytes)
C:\ProgramData\NCH Software\Eyeline\Web\table.js (388 bytes)
C:\Users\"%CurrentUserName%"\Favorites\NCH Software Download Site.lnk (312 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Switch Sound File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Zip File Compression.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\MixPad MultiTrack Mixer.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs\Video Capture Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Eyeline\Web\greybg.gif (275 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Rip CD Ripper.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe (11567 bytes)
%Program Files% (x86)\NCH Software\Eyeline\eyelinesetup_v2.01.exe (7547 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs\Slideshow Creator Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Eyeline\Web\upsort.gif (123 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Burn CD, DVD or Blu-Ray.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Graphics File Converter.lnk (1 bytes)
C:\ProgramData\NCH Software\Eyeline\Web\nchplayer.swf (1444 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\SoundTap Streaming Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eyeline Video Surveillance System.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\WavePad Sound Editor.lnk (1 bytes)
C:\ProgramData\NCH Software\Eyeline\Web\downsort.gif (123 bytes)
C:\ProgramData\NCH Software\Eyeline\Web\print.css (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Invoicing Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\RecordPad Sound Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Classic FTP Software.lnk (1 bytes)
C:\Users\Public\Desktop\Eyeline Video Surveillance System.lnk (1 bytes)
C:\ProgramData\NCH Software\Eyeline\Web\s.css (196 bytes)
C:\ProgramData\NCH Software\Eyeline\Web\darkblue.gif (257 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Prism Video File Format Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs\Video Streaming Server.lnk (1 bytes)
C:\ProgramData\NCH Software\Eyeline\Email Template.txt (208 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs\Video File Format Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Doxillion Document Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs\Video Tape to DVD Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Dictate Recorder.lnk (1 bytes)
C:\Users\Public\Desktop\NCH Suite.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Accounting Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Eyeline\x264enc6.exe (61948 bytes)
C:\ProgramData\NCH Software\Eyeline\Web\favicon.ico (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs\VideoPad Video Editor.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\VideoPad Video Editor.lnk (1 bytes)

The process regsvr32.exe:3852 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (348 bytes)

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3452 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (1281 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (673 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (41641 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe (2321 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3972 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\ProgramData\Google\Custom Buttons\toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (3179 bytes)

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3960 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (2418 bytes)

The process GoogleToolbarNotifier.exe:3840 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (1 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll (151 bytes)

The process eyeline.exe:2824 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\Temp\Eyeline-980-1\ffmpeg16.exe (39 bytes)

The process eyeline.exe:108 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\ProgramData\NCH Software\Eyeline\Logs\2015-02-13 Eyeline Video Surveillance System Log.txt (141 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_eyeline_rl_adm (8 bytes)

The process eyeline.exe:2100 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe (382879 bytes)

The process eyeline.exe:1900 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\Temp\Eyeline-980-1\ffmpeg16.exe (1416950 bytes)

The process %original file name%.exe:1632 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (10160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (497 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (25694 bytes)

The process x264enc6.exe:1676 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\NCH Software\Components\x264enc6\x264enc6.exe (20838 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x264enc6_.cab (468 bytes)

The process SearchWithGoogleUpdate_C993F490EED40C1B.exe:3832 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (346 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gth.dll (49 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (79 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\Readme.url (212 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll (150 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (1 bytes)

Registry activity

The process GoogleUpdate.exe:1996 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
"eulaaccepted"

The process GoogleUpdate.exe:1960 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"DayOfLastActivity" = "4294967295"
"usagestats" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"pv" = "7.5.5111.1712"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"InstallProgressPercent" = "4294967295"
"StateValue" = "3"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"DayOfLastRollCall" = "4294967295"
"LastCheckSuccess" = "1423812338"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"DownloadTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"DayOfInstall" = "2964"
"InstallTime" = "1423812312"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"InstallTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"brand" = "NCHD"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"DownloadProgressPercent" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerExtraCode1"
"LastInstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientStateMedium\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"eulaaccepted"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientStateMedium\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"ap"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerResult"
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"iid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"LastInstallerResult"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"eulaaccepted"
"UpdateAvailableSince"
"LastInstallerError"
"LastInstallerResultUIString"
"experiment_labels"
"tttoken"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerError"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"browser"
"LastInstallerExtraCode1"
"LastInstallerSuccessLaunchCmdLine"

The process GoogleUpdate.exe:3008 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"
"UpdateAvailableCount"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\network\secure]
"sk"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"eulaaccepted"

[HKCU\Software\Google\Update]
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\network\secure]
"c"

[HKCU\Software\Google\Update]
"uid"

The process GoogleUpdate.exe:4028 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:1808 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process ffmpeg16.exe:3088 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\NCH Swift Sound\Components\ffmpeg16]
"Version" = "1.02"

[HKLM\SOFTWARE\Wow6432Node\NCH Swift Sound\Components\ffmpeg16]
"Version" = "1.02"

[HKU\.DEFAULT\SOFTWARE\NCH Software\Components\ffmpeg16]
"Version" = "1.02"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Components\ffmpeg16]
"Version" = "1.02"
"Path" = "%Program Files% (x86)\NCH Software\Components\ffmpeg16\avcodec-54.nch.dll"

[HKU\.DEFAULT\SOFTWARE\NCH Swift Sound\Components\ffmpeg16]
"Path" = "%Program Files% (x86)\NCH Software\Components\ffmpeg16\avcodec-54.nch.dll"

[HKU\.DEFAULT\SOFTWARE\NCH Software\Components\ffmpeg16]
"Path" = "%Program Files% (x86)\NCH Software\Components\ffmpeg16\avcodec-54.nch.dll"

[HKLM\SOFTWARE\Wow6432Node\NCH Swift Sound\Components\ffmpeg16]
"Path" = "%Program Files% (x86)\NCH Software\Components\ffmpeg16\avcodec-54.nch.dll"

The process googletoolbarinstaller_en_signed.exe:3328 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"sin" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"NextVersion" = "7.5.5111.1712"
"currentVersion" = "7.5.5111.1712"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"ein" = "1"

[HKCU\Software\Google\Google Toolbar\4.0\Setup]
"InstallProgress" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar]
"test" = "41"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EnabledExperiments" = "POSI,PUMA"

[HKCU\Software\Google\Google Toolbar\4.0\Setup]
"Command" = "2"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"FirstInstallTime" = "1423812338"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Google\Google Toolbar]
"LastInstallError"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"NextVersion"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"PrimaryInstallDone"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"FailedInstallPing"

The process GoogleUpdaterService_B33FC4DD36A473C6.exe:3800 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater\apps\tbie]
"auto" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater]
"Path" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"
"Version" = "2.4.2617.4952"

The process nchsetup.exe:1656 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process nchsetup.exe:264 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\DialUp]
"EditOutput_Resize" = "0"

[HKCU\Software\Classes\CABFolder\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\divxfile\Shell]
"(Default)" = "open"

[HKCU\Software\NCH Software\Eyeline\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\Eyeline"

[HKCU\Software\Classes\pngfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKCU\Software\Classes\neffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Pixillion %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Eyeline]
"VersionMinor" = "01"

[HKCU\Software\Classes\aifffile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Prism %L"

[HKCU\Software\Classes\.mov]
"(Default)" = "movfile"

[HKCU\Software\Classes\giffile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"WindowsMedia_LiveSource" = "0"

[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Doxillion %L"

[HKCU\Software\Classes\.MP3]
"(Default)" = "mp3file"

[HKCU\Software\Classes\.AAC]
"(Default)" = "aacfile"

[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Doxillion %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\DialUp]
"FLV_VideoCodec" = "28"

[HKCU\Software\Classes\wavfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Switch %L"

[HKCU\Software\Classes\gsmfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\avifile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\giffile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKCU\Software\Classes\odtfile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\WebServer]
"Enabled" = "0"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Service]
"Enabled" = "1"

[HKCU\Software\Classes\.OGG]
"(Default)" = "oggfile"

[HKCU\Software\Classes\asffile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\mohfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Prism %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"WindowsMedia_VideoCodec" = "0"

[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Doxillion %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Settings]
"InstalledByAdmin" = "1"

[HKCU\Software\Classes\.tar]
"(Default)" = "tarfile"

[HKCU\Software\Classes\.WAV]
"(Default)" = "wavfile"

[HKCU\Software\Classes\neffile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Software]
"Toolbar" = "cnm-installed"

[HKCU\Software\Classes\aufile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind WavePad %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"EditOutput_Height" = "576"

[HKCU\Software\Classes\dctfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\DialUp]
"EditOutput_ChangeFramerate" = "0"

[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Pixillion %L"

[HKCU\Software\Classes\.dss]
"(Default)" = "dssfile"

[HKCU\Software\Classes\mpdpfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Switch %L"

[HKCU\Software\Classes\mpgfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\vocfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind WavePad %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Settings]
"RelatedRuns" = "-1"

[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Pixillion %L"

[HKCU\Software\Classes\.m4v]
"(Default)" = "m4vfile"

[HKCU\Software\Classes\wavfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\DialUp]
"EditOutput_ResizeKeepRatio" = "0"

[HKCU\Software\Classes\avifile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Prism %L"

[HKCU\Software\Classes\ds2file\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\asffile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\.mp4]
"(Default)" = "mp4file"

[HKCU\Software\Classes\m4afile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind WavePad %L"

[HKCU\Software\Classes\aacfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind WavePad %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Service]
"StartTypeText" = "Auto Start"

[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Doxillion %L"

[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Prism %L"

[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind VideoPad %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"WindowsMedia_VideoBitrate" = "512000"
"FLV_AudioBitrate" = "64"

[HKCU\Software\Classes\mp3file\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\gzfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Prism %L"

[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Pixillion %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Eyeline]
"VersionMajor" = "2"

[HKCU\Software\Classes\aufile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\.gz]
"(Default)" = "gzfile"

[HKCU\Software\Classes\oggfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind WavePad %L"

[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\.meo]
"(Default)" = "meofile"

[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Switch %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\HLSBroadBand]
"HLS_Samplerate" = "22050"

[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\Windows.IsoFile\shell]
"(Default)" = "open"

[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\.nef]
"(Default)" = "neffile"

[HKCU\Software\Classes\pngfile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKCU\Software\Classes\voxfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind WavePad %L"

[HKCU\Software\Classes\.wp]
"(Default)" = "wpfile"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"WindowsMedia_VideoQuality" = "50"

[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Prism %L"

[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\m4afile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\dctfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\HLSBroadBand]
"EditOutput_ResizeType" = "0"

[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Prism %L"

[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind PhotoStage %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Software]
"Installer" = "%Program Files% (x86)\NCH Software\Eyeline\eyelinesetup_v2.01.exe"

[HKCU\Software\Classes\xvidfile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\HLSBroadBand]
"EditOutput_ChangeFramerate" = "0"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\WebServer]
"PublicEnabled" = "0"

[HKCU\Software\Classes\.spj]
"(Default)" = "spjfile"

[HKCU\Software\Classes\.rar]
"(Default)" = "rarfile"

[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\jpegfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\CABFolder\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\mp3file\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Switch %L"

[HKCU\Software\Classes\meofile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Meo %L"

[HKCU\Software\Classes\.divx]
"(Default)" = "divxfile"

[HKCU\Software\Classes\aiffile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Prism %L"

[HKCU\Software\Classes\aiffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Switch %L"

[HKCU\Software\Classes\wavfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.avi]
"(Default)" = "avifile"

[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\7zfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\aufile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\DialUp]
"EditOutput_Framerate" = "30.000000"

[HKCU\Software\Classes\giffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Pixillion %L"

[HKCU\Software\Classes\ds2file\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Scribe %L"

[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"EditOutput_Framerate" = "30.000000"
"FLV_VideoCodec" = "28"

[HKCU\Software\Classes\mohfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind IMS %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\HLSBroadBand]
"EditOutput_Height" = "360"

[HKCU\Software\Classes\dssfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\.mpdp]
"(Default)" = "mpdpfile"

[HKCU\Software\Classes\mpdpfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\HLSBroadBand]
"EditOutput_Width" = "480"

[HKCU\Software\Classes\.mpeg]
"(Default)" = "mpegfile"

[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Doxillion %L"

[HKCU\Software\Classes\mpegfile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"EditOutput_ResizeKeepRatio" = "0"

[HKCU\Software\Classes\.ds2]
"(Default)" = "ds2file"

[HKCU\Software\Classes\tar.gzfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"FLV_CRF" = "280"

[HKCU\Software\Classes\aiffile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\HLSBroadBand]
"EditOutput_Resize" = "0"

[HKCU\Software\Classes\.ivr]
"(Default)" = "ivrfile"

[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\wavfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\wmafile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.xvid]
"(Default)" = "xvidfile"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\DialUp]
"FLV_MaximumBitrate" = "128"
"EditOutput_ResizeType" = "0"

[HKCU\Software\Classes\.asf]
"(Default)" = "asffile"

[HKCU\Software\Classes\gzfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\m4vfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\movfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Doxillion %L"

[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\meofile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\CABFolder\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Settings]
"currentVersion" = "2.01"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\HLSBroadBand]
"HLS_AudioCodec" = "86018"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"EditOutput_ResizeType" = "0"

[HKCU\Software\Classes\wpfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\aacfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\rarfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\docxfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\wpdfile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Eyeline]
"DisplayName" = "Eyeline Video Surveillance System"

[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Prism %L"

[HKCU\Software\Classes\oggfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Doxillion %L"

[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Prism %L"

[HKCU\Software\Classes\vocfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\mp4file\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\neffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\voxfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Eyeline]
"InstallLocation" = "%Program Files% (x86)\NCH Software\Eyeline"

[HKCU\Software\Classes\TIFImage.Document\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\.M4A]
"(Default)" = "m4afile"

[HKCU\Software\Classes\vpjfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\rarfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\dssfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\.vox]
"(Default)" = "voxfile"

[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\.7z]
"(Default)" = "7zfile"

[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\.moh]
"(Default)" = "mohfile"

[HKCU\Software\Classes\ds2file\shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Switch %L"

[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Prism %L"

[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\.tar.gz]
"(Default)" = "tar.gzfile"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Eyeline]
"URLUpdateInfo" = "www.nchsoftware.com/surveillance/index.html"

[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\neffile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKCU\Software\Classes\gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\.mpeg2]
"(Default)" = "mpeg2file"

[HKCU\Software\Classes\.vpj]
"(Default)" = "vpjfile"

[HKCU\Software\Classes\mp3file\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind WavePad %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Eyeline]
"Publisher" = "NCH Software"

[HKCU\Software\Classes\.FLAC]
"(Default)" = "flacfile"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\HLSBroadBand]
"EditOutput_ResizeKeepRatio" = "0"

[HKCU\Software\Classes\mpeg2file\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\asffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.voc]
"(Default)" = "vocfile"

[HKCU\Software\Classes\spjfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\mpdpfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind MixPad %L"

[HKCU\Software\Classes\m4afile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"WindowsMedia_SoundCodecIndex" = "0"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Settings]
"InstallDate" = "1423812287"

[HKCU\Software\Classes\aiffile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind WavePad %L"

[HKCU\Software\Classes\avifile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\.AIFF]
"(Default)" = "aifffile"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\DialUp]
"FLV_CRF" = "280"

[HKCU\Software\Classes\mohfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\aifffile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind WavePad %L"

[HKCU\Software\Classes\meofile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\aifffile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"EditOutput_Width" = "768"

[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
"test" = "testݶ"

[HKCU\Software\Classes\wmafile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\giffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\Windows.IsoFile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind ExpressBurn %L"

[HKCU\Software\Classes\vobfile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"WindowsMedia_SoundFormatIndex" = "0"

[HKCU\Software\Classes\7zfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\.gsm]
"(Default)" = "gsmfile"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\WebServer]
"PreviousServerPort" = "85"

[HKCU\Software\Classes\ivrfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\rtffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\ds2file]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\7zfile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\DialUp]
"FLV_AudioBitrate" = "32"

[HKCU\Software\Classes\neffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind PhotoStage %L"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\ds2file\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\HLSBroadBand]
"HLS_VideoCodec" = "28"

[HKCU\Software\Classes\pngfile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\DialUp]
"EditOutput_Width" = "768"

[HKCU\Software\Classes\AcroExch.Document\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Pixillion %L"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Classes\wmafile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Switch %L"

[HKCU\Software\Classes\.dct]
"(Default)" = "dctfile"

[HKCU\Software\Classes\.WMA]
"(Default)" = "wmafile"

[HKCU\Software\Classes\tarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKCU\Software\Classes\.AU]
"(Default)" = "aufile"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Eyeline]
"DisplayIcon" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"FLV_MaximumBitrate" = "2048"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\Eyeline"

[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Eyeline]
"UninstallString" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -uninstall"

[HKCU\Software\Classes\.doc]
"(Default)" = "docfile"

[HKCU\Software\Classes\.wpd]
"(Default)" = "wpdfile"

[HKCU\Software\Classes\aacfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\spjfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"FLV_AverageBitrate" = "1024"

[HKCU\Software\Classes\dssfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Scribe %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Settings]
"InstallDateFirst" = "1423812287"

[HKCU\Software\Classes\aufile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\vpjfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\flacfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"WindowsMedia_Format" = "0"

[HKCU\Software\Classes\docfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\aifffile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Switch %L"

[HKCU\Software\Classes\aiffile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Switch %L"

[HKCU\Software\Classes\wmafile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Eyeline]
"Version" = "2.01"

[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\oggfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\mp3file\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\Paint.Picture\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\wmafile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind WavePad %L"

[HKCU\Software\Classes\movfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\aifffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"EditOutput_Resize" = "0"

[HKCU\Software\Classes\giffile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKCU\Software\Classes\voxfile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\DialUp]
"EditOutput_Height" = "576"

[HKCU\Software\Classes\ivrfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\BroadBand]
"EditOutput_ChangeFramerate" = "0"

[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\wavfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind WavePad %L"

[HKCU\Software\Classes\.mpg]
"(Default)" = "mpgfile"

[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\tarfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Switch %L"

[HKCU\Software\Classes\.vob]
"(Default)" = "vobfile"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\HLSBroadBand]
"EditOutput_Framerate" = "15.000000"

[HKCU\Software\Classes\ivrfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind IVM %L"

[HKCU\Software\Classes\ds2file\shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\mp3file\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\vocfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\tarfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\dctfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Scribe %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Service]
"STARTTYPE" = "2"

[HKCU\Software\Classes\spjfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind PhotoStage %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Eyeline]
"DisplayVersion" = "2.01"

[HKCU\Software\Classes\rarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\Windows.IsoFile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\movfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\DialUp]
"FLV_AverageBitrate" = "64"

[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Doxillion %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Eyeline]
"URLInfoAbout" = "www.nchsoftware.com/surveillance/support.html"

[HKCU\Software\Classes\.AIF]
"(Default)" = "aiffile"

[HKCU\Software\Classes\aufile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind Switch %L"

[HKCU\Software\Classes\vpjfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -extfind VideoPad %L"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Eyeline" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -logon"

The Worm deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Software]
"_InstalledBy"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
"test"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Software]
"InstalledBy"
"ShowSurvey"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Software]
"_ShowSurvey"
"_ShowSurveyNow"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Software]
"ShowSurveyNow"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process regsvr32.exe:3852 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\ProgID]
"(Default)" = "ProtectorExe.ProtectorHost.1"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"(Default)" = "ProtectorHost Class"

[HKCR\protector_dll.ProtectorBho\CurVer]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\protector_dll.ProtectorLib\CurVer]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\AppID\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}]
"(Default)" = "protector_dll"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"(Default)" = "ProtectorLib Class"

[HKCR\protector_dll.ProtectorBho.1\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorLib"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorBho"

[HKCR\protector_dll.ProtectorBho.1]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\protector_dll.ProtectorLib\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\protector_dll.ProtectorLib.1\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll"

[HKCR\protector_dll.ProtectorLib]
"(Default)" = "ProtectorLib Class"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"Depend" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\VersionIndependentProgID]
"(Default)" = "ProtectorExe.ProtectorHost"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\protector_dll.ProtectorLib.1]
"(Default)" = "ProtectorLib Class"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\protector_dll.ProtectorBho]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\AppID\protector_dll.DLL]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\protector_dll.ProtectorBho\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll"

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3452 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayVersion" = "7.5.5111.1712"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"ToastOfferTime" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Publisher" = "Google Inc."

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"SystemPatchLevel" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5" = ""

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\GoogleUpdate]
"InstallTimestamp" = "1423812315"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.5111.1712_5" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:5"
"cmd_7.5.5111.1712_4" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:4"
"cmd_7.5.5111.1712_7" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:7"
"cmd_7.5.5111.1712_6" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:6"
"cmd_7.5.5111.1712_1" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:1"
"cmd_7.5.5111.1712_0" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:0"
"cmd_7.5.5111.1712_3" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:3"
"cmd_7.5.5111.1712_2" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:2"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"InstallType" = "3"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.5111.1712_9" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:9"
"cmd_7.5.5111.1712_8" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /execute:8"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetDefaultSearch" = "3"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"AllowInteractions" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayName" = "Google Toolbar for Internet Explorer"

[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EnableUsageStats" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"Policy" = "3"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"UninstallString" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe /uninstall"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppName" = "GoogleToolbarUser_64.exe"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ButtonPageRank" = "0"
"{14C626CA-ACAB-46e5-8A99-53C9E11CCCA0}_enabled" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"InstallTime" = "1423812315"

[HKCR\Installer\Products\18555481990E8AB4CBB63FB4F26006C0]
"AuthorizedLUAApp" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayIcon" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar]
"test" = "41"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser_32.exe"

[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetPageRank" = "2"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\GoogleUpdate]
"InstallResult" = "pi"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"RbbsBreak" = "1"

[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EulaAccepted" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleUpdaterService.exe" = "1"
"SearchWithGoogleUpdate.exe" = "1"
"GoogleToolbarManager.exe" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"brand" = "NCHD"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser_32.exe"

[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll"

[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll"

[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"BrowseByName" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"PrimaryInstallDone" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetHomePage" = "2"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5" = ""

[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"UsageStatsEnabled" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"DisableBrowseByName" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"MinorVersion" = "5"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"Name" = "Google Toolbar"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Installations]
"1423812337" = "v=7.5.5111.1712&tbbrand=NCHD&i=0"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"ID" = "304A78B0488F53F23D4AC1A1BD355D4D69BF4FuXHNH"

[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"InstallLocation" = "%Program Files% (x86)\Google\Google Toolbar\"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"NoModify" = "1"
"MajorVersion" = "7"
"NoRepair" = "1"

[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppName" = "GoogleToolbarUser_64.exe"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"brand" = "NCHD"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll"

The Worm deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\Programmable]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum]
[HKCU\Software\Classes\Local Settings\MuiCache\2B\52C64B7E]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
[HKCU\Software\Classes\Local Settings\MuiCache\2B]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\Programmable]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum]

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"UseIe64"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"Vendor"

[HKCU\Software\Google\Google Toolbar\4.0]
"Update"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"RefreshIE"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"lang"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"WelcomePage"

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3972 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\NonManifest\C:\ProgramData\Google\Custom Buttons]
"toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarDynamic_mui_en.dll" = "1"

The process GoogleToolbarManager_8CA8B41417E66DEB.exe:3960 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarManager.exe" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"pv" = "7.5.5111.1712"

The process GoogleToolbarNotifier.exe:3840 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\ProtectorExe.ProtectorHost.1\CLSID]
"(Default)" = "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}]
"(Default)" = "IProtectorLib7"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}]
"(Default)" = "IProtector11"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}]
"(Default)" = "IProtector2"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}]
"(Default)" = "IProtector8"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}]
"(Default)" = "IProtector6"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}]
"(Default)" = "IProtectorHost2"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}]
"(Default)" = "IProtectorLib"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}]
"(Default)" = "IProtector3"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"Version" = "1a.0"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0]
"(Default)" = "protector_dllLib"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}]
"(Default)" = "protector_dll"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}]
"(Default)" = "IProtector9"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}]
"(Default)" = "ProtectorExe"

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}]
"(Default)" = "IProtectorLib8"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}]
"(Default)" = "IProtectorLib8"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}]
"(Default)" = "IProtectorLib7"

[HKCR\protector_dll.ProtectorLib.1]
"(Default)" = "ProtectorLib Class"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}]
"(Default)" = "IProtector4"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"Depend" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"(Default)" = "ProtectorLib Class"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"Version" = "1a.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppName" = "GoogleToolbarNotifier.exe"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}]
"(Default)" = "IProtector5"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}]
"(Default)" = "IProtectorLib5"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"(Default)" = "ProtectorHost Class"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}]
"(Default)" = "IProtectorHost"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}]
"(Default)" = "IProtector10"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorBho"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}]
"(Default)" = "IProtector10"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\ProgID]
"(Default)" = "ProtectorExe.ProtectorHost.1"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"Version" = "1a.0"

[HKCR\protector_dll.ProtectorLib\CurVer]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}]
"(Default)" = "IProtector2"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}]
"(Default)" = "IProtector5"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"Version" = "1a.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}]
"(Default)" = "IProtectorHost"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}]
"(Default)" = "IProtector3"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\AppID\ProtectorExe.EXE]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\protector_dll.Protector.1\CLSID]
"(Default)" = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}"

[HKCR\ProtectorExe.ProtectorHost\CLSID]
"(Default)" = "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}"

[HKCR\protector_dll.ProtectorBho]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\AppID\protector_dll.DLL]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}]
"(Default)" = "IProtectorLib2"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\ProgID]
"(Default)" = "protector_dll.Protector.1"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}]
"(Default)" = "IProtectorLib6"

[HKCR\protector_dll.Protector\CLSID]
"(Default)" = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\VersionIndependentProgID]
"(Default)" = "ProtectorExe.ProtectorHost"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}]
"(Default)" = "IProtector7"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\ProtectorExe.ProtectorHost]
"(Default)" = "ProtectorHost Class"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}]
"(Default)" = "IProtector4"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\protector_dll.ProtectorBho.1\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\HELPDIR]
"(Default)" = ""

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\protector_dll.ProtectorBho.1]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}]
"(Default)" = "IProtectorLib3"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorLib"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}]
"(Default)" = "IProtector11"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}]
"(Default)" = "IProtector12"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\VersionIndependentProgID]
"(Default)" = "protector_dll.Protector"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\protector_dll.ProtectorLib.1\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}]
"(Default)" = "IProtectorLib3"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}]
"(Default)" = "IProtector"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}]
"(Default)" = "IProtector6"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"Version" = "1a.0"

[HKCR\ProtectorExe.ProtectorHost.1]
"(Default)" = "ProtectorHost Class"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\protector_dll.Protector\CurVer]
"(Default)" = "protector_dll.Protector.1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppName" = "GoogleToolbarNotifier.exe"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"Version" = "1a.0"

[HKCR\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}]
"RunAs" = "Interactive User"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}]
"(Default)" = "IProtectorLib5"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"Policy" = "3"

[HKCR\protector_dll.ProtectorBho\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKCR\protector_dll.ProtectorBho\CurVer]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\ProtectorExe.ProtectorHost\CurVer]
"(Default)" = "ProtectorExe.ProtectorHost.1"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\0\win32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"Policy" = "3"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}]
"(Default)" = "IProtector12"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}]
"(Default)" = "IProtectorHost2"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"Version" = "1a.0"

[HKCR\protector_dll.Protector.1]
"(Default)" = "Protector Class"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll"

[HKCR\protector_dll.Protector]
"(Default)" = "Protector Class"

[HKCR\protector_dll.ProtectorLib\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}]
"(Default)" = "IProtector8"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}]
"(Default)" = "IProtector"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}]
"(Default)" = "IProtector9"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}]
"(Default)" = "Protector Class"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}]
"(Default)" = "IProtectorLib4"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}]
"(Default)" = "IProtector7"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}]
"(Default)" = "IProtectorLib"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}]
"(Default)" = "IProtectorLib4"

[HKCR\protector_dll.ProtectorLib]
"(Default)" = "ProtectorLib Class"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}]
"(Default)" = "IProtectorLib6"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}]
"(Default)" = "IProtectorLib2"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"Version" = "1a.0"

The process GoogleToolbarNotifier.exe:3880 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"HideUI_Throttled" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecision" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"DetectChange_DS" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Google\GoogleToolbarNotifier]
"KeepDS" = "688508711"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionReason" = "1"

[HKCU\Software\Google\GoogleToolbarNotifier]
"FirstRun" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecision" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"Icon_Click" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"UserAllowChange_DS" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadNetworkName" = "Network"

[HKCU\Software\Google\GoogleToolbarNotifier]
"UpdateURL" = "http://clients1.google.com/tools/swg2/update"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionTime" = "5A 13 E1 44 5E 47 D0 01"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Google\GoogleToolbarNotifier]
"lds" = "http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ShowUI_TrayIcon" = "0"

[HKCU\Software\Google\Google Toolbar\4.0]
"UpdateResult" = "98"

[HKCU\Software\Google\GoogleToolbarNotifier]
"DefaultLanguage" = "en"
"TS" = "1423812337"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Google\GoogleToolbarNotifier]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionReason" = "1"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ShowUI_Popup" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier]
"InstalledVersion" = "5.7.9012.1008"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"LastReportTime" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"scShowTrayIcon" = "ffffffff"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionTime" = "5A 13 E1 44 5E 47 D0 01"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Google\GoogleToolbarNotifier]
"UsageStat" = "1"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ModifyUI_UserIntent" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"Bubble_Click" = "0"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"Extc" = "1"

[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"scKeepDS" = "2909cf27"

[HKCU\Software\Google\GoogleToolbarNotifier]
"Version" = "5.7.9012.1008"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"

[HKCU\Software\Google\GoogleToolbarNotifier]
"WantProductRestart"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Google\GoogleToolbarNotifier]
"ts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Google\GoogleToolbarNotifier]
"DSPSuspended"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDetectedUrl"

[HKCU\Software\Google\GoogleToolbarNotifier]
"SuspendedDS"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

The process GoogleUpdaterService.exe:3860 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater\apps\swg]
"auto" = "0"

The process GoogleUpdaterService.exe:3820 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}]
"(Default)" = "ISilentUpdater"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}]
"(Default)" = "IUpdaterScheduler"

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\AppID\GoogleUpdaterService.exe]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\GUSchedulerCtl.UpdaterScheduler]
"(Default)" = "Google Updater Scheduler class"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\ProgID]
"(Default)" = "GUServiceCtl.SilentUpdater.1"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}]
"(Default)" = "Google Updater Scheduler class"

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"Version" = "1.0"

[HKCR\GUServiceCtl.SilentUpdater]
"(Default)" = "Google Silent Updater class"

[HKCR\GUServiceCtl.SilentUpdater\CLSID]
"(Default)" = "{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}]
"(Default)" = "Google Silent Updater class"

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\GUSchedulerCtl.UpdaterScheduler.1\CLSID]
"(Default)" = "{B53B7061-6584-46AA-A033-D610EB10BD9B}"

[HKCR\GUServiceCtl.SilentUpdater\CurVer]
"(Default)" = "GUServiceCtl.SilentUpdater.1"

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"LocalService" = "gusvc"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}]
"(Default)" = "IUpdaterScheduler"

[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"(Default)" = "gusvc"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0]
"(Default)" = "Google Updater Service 1.0 Type Library"

[HKCR\GUServiceCtl.SilentUpdater.1\CLSID]
"(Default)" = "{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\VersionIndependentProgID]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"

[HKCR\GUServiceCtl.SilentUpdater.1]
"(Default)" = "Google Silent Updater class"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\ProgID]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler.1"

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\VersionIndependentProgID]
"(Default)" = "GUServiceCtl.SilentUpdater"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}]
"(Default)" = "ISilentUpdater"

[HKCR\GUSchedulerCtl.UpdaterScheduler\CLSID]
"(Default)" = "{B53B7061-6584-46AA-A033-D610EB10BD9B}"

[HKCR\GUSchedulerCtl.UpdaterScheduler.1]
"(Default)" = "Google Updater Scheduler class"

[HKCR\GUSchedulerCtl.UpdaterScheduler\CurVer]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler.1"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

The Worm deletes the following value(s) in system registry:

[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"LocalService"

The process eyeline.exe:2824 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

The process eyeline.exe:108 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Registration]
"RD" = "1423812290"
"Name" = ""
"LR" = "1423812306"

[HKCU\Software\NCH Software\Eyeline\Settings]
"LogWindowFontSize" = "13"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Settings]
"TestAdmin" = "1"

[HKCU\Software\Microsoft\ActiveMovie\devenum]
"Version" = "7"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Software]
"SVar" = "LLIBBuybmp2on"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Settings]
"TestAdmin"

The process eyeline.exe:2100 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\NCH Software\Components\GoogleToolbar]
"State" = "attempted"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Software]
"Toolbar" = "cnm-installed,gac,google"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Components\GoogleToolbar]
"State" = "attempted"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process eyeline.exe:2176 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Eyeline\Scheduler]
"SevenDays" = "1"

The process eyeline.exe:1900 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

The process %original file name%.exe:1632 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process x264enc6.exe:1676 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\NCH Swift Sound\Components\x264enc6]
"Path" = "%Program Files% (x86)\NCH Software\Components\x264enc6\x264enc6.exe"

[HKCU\Software\NCH Software\Components\x264enc6]
"Path" = "%Program Files% (x86)\NCH Software\Components\x264enc6\x264enc6.exe"

[HKLM\SOFTWARE\Wow6432Node\NCH Swift Sound\Components\x264enc6]
"Version" = "1.00"

[HKCU\Software\NCH Software\Components\x264enc6]
"Version" = "1.00"

[HKLM\SOFTWARE\Wow6432Node\NCH Swift Sound\Components\x264enc6]
"Path" = "%Program Files% (x86)\NCH Software\Components\x264enc6\x264enc6.exe"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Components\x264enc6]
"Path" = "%Program Files% (x86)\NCH Software\Components\x264enc6\x264enc6.exe"
"Version" = "1.00"

[HKCU\Software\NCH Swift Sound\Components\x264enc6]
"Version" = "1.00"

The process SearchWithGoogleUpdate_C993F490EED40C1B.exe:3832 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier]
"Version" = "5.7.9012.1008"
"ID" = "9da6939a80964d4ea5db1fc2eaad4422"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\31ec1c24\PUPautoinsaller_v1.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\31ec1c24\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\6c88b866\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\6c88b866\, , \??\%Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008,"

[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"ust" = "100"

[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier\Clients]
"ietb" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier]
"brand" = "NCHD"

The Worm deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

Dropped PE files

MD5 File path
5d4bc124faae6730ac002cdb67bf1a1c c:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
1223e7efa6dda842c37985a62f10001f c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll
6fffd47eb8cc3a6ca44619f16a7d0ae6 c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_8E471B27054D20F5.dll
96af87c526ec7a8f32dc3f1f2a63a4a7 c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_F8ED9B719A89F8EF.dll
d2d2a0e0ecd8a2ea750d6be34337d00d c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll
4c401fcc6d0c95e1a5d989e403e18f2f c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe
e8b7fd67da14a7be57a5cb80e3139e60 c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe
211f96eb417ff837a70f5130e63a1a45 c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe
81590207a8efab40bafe743d8073eb9b c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_365102BD7F6C8091.dll
30c83447379d5955e992bd43be8d115e c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_54BD4059920ABC8A.dll
1f2afab903c0d48480561f3bbd4539c2 c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe
4beaf576cb43358c4db9f45ac7c09cdb c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe
4b78e9ae06f7c310e30ee2fa5b7ebc3c c:\Program Files (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_C993F490EED40C1B.exe
e8b7fd67da14a7be57a5cb80e3139e60 c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
211f96eb417ff837a70f5130e63a1a45 c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe
81590207a8efab40bafe743d8073eb9b c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
30c83447379d5955e992bd43be8d115e c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
13d401e46ad0c5a8442fc57fadbf5751 c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gth.dll
aeb43d2a8158fb535f48f440cc266953 c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll
d3088606c810a355eae9b9056c9b5392 c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll
5d61be7db55b026a5d61a3eed09d0ead c:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
5a6381e0afb4e0b9fd318c1c76efe9dc c:\Program Files (x86)\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\0.0.0.0\googletoolbarinstaller_en_signed.exe
5a6381e0afb4e0b9fd318c1c76efe9dc c:\Program Files (x86)\Google\Update\Install\{240D2921-958E-4DFC-A1AE-1CB4B1E42CE2}\googletoolbarinstaller_en_signed.exe
1b9343a7532e5cd49606ff2fe310975e c:\Program Files (x86)\NCH Software\Components\ffmpeg16\avcodec-54.nch.dll
ff7bd12b284507cf15d759897a3aaeaa c:\Program Files (x86)\NCH Software\Components\ffmpeg16\avdevice-54.nch.dll
1e30e14c5cd1e8eb9c8245018fec6b12 c:\Program Files (x86)\NCH Software\Components\ffmpeg16\avfilter-3.nch.dll
75ca93b442b8a83394daa6d562cdf122 c:\Program Files (x86)\NCH Software\Components\ffmpeg16\avformat-54.nch.dll
3c4b3297161ab2a485ffe41b5fa0ff9d c:\Program Files (x86)\NCH Software\Components\ffmpeg16\avutil-52.nch.dll
183aeebe9dce253e5a1fab352996908e c:\Program Files (x86)\NCH Software\Components\ffmpeg16\swresample-0.nch.dll
b877ca44d0a54ad53acff90503a94671 c:\Program Files (x86)\NCH Software\Components\ffmpeg16\swscale-2.nch.dll
df279701fde8111a0965ff152503da6d c:\Program Files (x86)\NCH Software\Components\x264enc6\x264enc6.exe
3d8bf44310e5cf627175b37308e302aa c:\Program Files (x86)\NCH Software\Eyeline\eyeline.exe
a19583e799643cec2502dbdad8c96cc6 c:\Program Files (x86)\NCH Software\Eyeline\x264enc6.exe
dd481c837b6303531af365d95637692f c:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll
3d8bf44310e5cf627175b37308e302aa c:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: NCH Software
Product Name: Eyeline
Product Version: 2.01
Legal Copyright: NCH Software
Legal Trademarks:
Original Filename: Eyeline.exe
Internal Name: Eyeline
File Version: 2.01
File Description: Eyeline Video Surveillance System
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1419 1536 3.84912 5f46758ca161da709771972c616169d3
.rdata 8192 2234 2560 2.67878 192d315f8f462441fcdb186344694d5e
.data 12288 4 512 0.042395 14016a81a0c54d41cd5f1547a9d48cd9
.rsrc 16384 1122156 1122304 5.54437 7106dea73b9176223d88bd2cf10b1b24
.reloc 1138688 292 512 1.40481 2d179c9aa107d7bddda7367b54a8f8e3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://audiochannel.net/versions/components/tb_google_row.dat 184.106.55.21
hxxp://audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe 184.106.55.21
hxxp://audiochannel.net/components/ffmpeg16.exe 184.106.55.21
hxxp://tools.l.google.com/dl/toolbar/t7/data/7.5.5111.1712/googletoolbarinstaller_en_signed.exe
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40=
hxxp://tools.l.google.com/tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=9da6939a80964d4ea5db1fc2eaad4422eb587e9423&from=&to=5.7.9012.1008
hxxp://tools.l.google.com/tools/pso/ping?as=tbin&gu=pi&mode=3&sin=1&ein=0&version=7.5.5111.1712&brand=NCHD&hl=en&tbiv=7.5.5111.1712&time=1423812338&fitime=1423812338&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=304A78B0488F53F23D4AC1A1BD355D4D69BF4FuXHNH
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6cfb37d68de1b4d0
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU=
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= 23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl 88.221.133.16
hxxp://dl.google.com/dl/toolbar/t7/data/7.5.5111.1712/googletoolbarinstaller_en_signed.exe 173.194.113.194
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4= 23.43.139.27
hxxp://www.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe 66.39.83.117
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= 23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= 23.43.139.27
hxxp://www.audiochannel.net/versions/components/tb_google_row.dat 66.39.83.117
hxxp://crl.verisign.com/pca3.crl 23.43.133.163
hxxp://clients1.google.com/tools/pso/ping?as=tbin&gu=pi&mode=3&sin=1&ein=0&version=7.5.5111.1712&brand=NCHD&hl=en&tbiv=7.5.5111.1712&time=1423812338&fitime=1423812338&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=304A78B0488F53F23D4AC1A1BD355D4D69BF4FuXHNH 173.194.113.192
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= 23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl 88.221.133.16
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40= 23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl 88.221.133.16
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU= 23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 88.221.133.16
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?52afbcbf40078ee8 88.221.132.231
hxxp://clients1.google.com/tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=9da6939a80964d4ea5db1fc2eaad4422eb587e9423&from=&to=5.7.9012.1008 173.194.113.192
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6cfb37d68de1b4d0 88.221.132.231
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= 23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= 23.43.139.27
tools.google.com 173.194.113.194


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Traffic

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=451880, public, no-transform, must-revalidate
Last-Modified: Wed, 11 Feb 2015 12:54:51 GMT
Expires: Wed, 18 Feb 2015 12:54:51 GMT
Date: Fri, 13 Feb 2015 07:25:29 GMT
Connection: keep-alive
0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..2015021
1125451Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..R...%V.......K3.....20150211125451Z....20150218125451Z0...*.H.....
...........8..{....7..Q.S*.yPd.n.b....a...!..b...mLw.t...w)...%Y.q....
....$..G.w.2..y.....B.K..#.F..x`...V...hf?;9.&'..l.q..J.*WD.p..K....a.
N..d.&..O...9.....^......,..C.e.I....P.........7.%P.....BD"...ik......
.nS..*g........z......j.yA.S..e|0E..U...RjO.p..3....ZU....0...0...0...
........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign
, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public 
Primary Certification Authority - G50...141202000000Z..151216235959Z0.
.1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust
 Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificat
e 30.."0...*.H.............0...............2&..PL...,..2....:..tH...`J
G.%..*...s.c%[email protected]"1.5?..s.....3[.
..u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$"..$l.B.
......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.6.pr4.
J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.
. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symaut
h.com/rpa0...U.%..0... .......0...U...........0... .....0......0!..U..
..0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U.#..0.
....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#...5.N.v.Q
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40= HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=372587, public, no-transform, must-revalidate
Last-Modified: Tue, 10 Feb 2015 14:54:13 GMT
Expires: Tue, 17 Feb 2015 14:54:13 GMT
Date: Fri, 13 Feb 2015 07:25:35 GMT
Connection: keep-alive
0..........0..... .....0......0...0......u\..3Oo?U...H.....O!..2015021
0145413Z0s0q0I0... ...................F....0.yV......{&.K......&......
.).... .>...Fb.......20150210145413Z....20150217145413Z0...*.H.....
............Q...p.H?9....F^....Z..,.w....[F.6.....<...u..}7.6.{.,.b
.t.9...I......!.Td.P.n.P....EV.6..u..|.W.o......M.:.&F..O...2U. .{mq.?
.=._..X.6D#m-=.2#M.}.v&0n...&.al.....D....H!Mt'.#..I?.....(P.s..Y.ysx.
....0Duh7.W.............H..C..S....P.K.z....).%[email protected]
........../...nj0...}..i..0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code S
igning 2010 CA0...141204000000Z..150304235959Z0..1.0...U....US1.0...U.
...VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign 
Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.....
....4.4...........o....?..f.........I.!.b.L...L..U.........rM.,.....=.
.cR4d.~*..k..x......=.WT.<.A2n1.qZyM.M..Q_...8....9....d.... ...'..
.......h..Z..I...(.b.jK..DO.ra..gb..j..A.(....mrzU.w.......Bv...l.:s..
L....y.....u..n.)W......Y!....Q...,.i|.....:.Mu..DD1.........0...0...U
....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veris
ign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incor
p. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U...
.....0... .....0......0"..U....0...0.1.0...U....TGV-B-24600...*.H.....
[email protected].=.. ...........hi.......>....
<<< skipped >>>


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=413752, public, no-transform, must-revalidate
Last-Modified: Wed, 11 Feb 2015 02:24:43 GMT
Expires: Wed, 18 Feb 2015 02:24:43 GMT
Date: Fri, 13 Feb 2015 07:28:51 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2015021
1022443Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.A..2.....:...:......20150211022443Z....20150218022443Z0...*.H........
.....<..|~!....'s.bW....e4x...VTE.L.....m.v.4-...2:,7.2oY../....~.L
......Ty.P<...*kV........0.0...X......<....XWn0=2;~%./..s...bw..
............"[email protected]....%.....M.3.<.6...)..g%
.Q..B).[[email protected]"..A.U...p. X.OXh.R.4.... ,N..........#0..
.0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0.
..U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms
 of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class
 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U...
.US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U..
.2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3Veri
Sign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H............
.0.........{(..t....2.Vf.....&;6).i*[email protected]._p.E.6.|.mk
....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..J
A..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h&
lt;.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0.
..0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://ww
w.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CP
S incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0
...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710
<<< skipped >>>


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?6cfb37d68de1b4d0 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 23 Jan 2015 02:29:11 GMT
Accept-Ranges: bytes
ETag: "803565fb436d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 57591
Date: Fri, 13 Feb 2015 07:26:06 GMT
Connection: keep-alive
MSCF............,...................I.................6Fm. .authroot.s
tl......8..CK...<T...g.v!M.d..f.%d..}K..5......dM*K..J.,%K"...!..=.
k..........{=/....{g.~...............'....6..N....w......(.$.>.7...
........'.....`.bx....^..$.'.^.K.C......<[email protected]
.....usXq.d.i.jF$.4.........KI.Q........A2m:..E.P|...(.^p..=G|.....m..
....  .6...H.e.....X'...%$r.Y.(..)........|...;...V^r.VM.._*X.I. ..4..
...*.....Y..`.0w.u...c.i.[..-...x..<.8.<.p..,..y.[v.Yn`......!.s
...4e......B...$.,..........w.Pd.)....,..#.%..h...8...`.A...8.i(.!.$/.
=.....i.\X.H......"...a...k...y6....F.._?\*.&..3.AJo.!..`....9....=.p.
u..u....f.f....w...?..S..I.;.....5._...F.f..G?$......."..kq.y'.6tJ.e%.
.G.n.....z<.pX"....1..g."........V:.H.-...!}LM..t..-.y.j&...n{..-.]
H. .....A.O.Xg..B...#[email protected]..*.....T...}o._./S..h@$
[email protected]..#.:?."....1..v.....&G...?O1x6"5.@..$.U...n.J...w
.Y.{..........E.N.&...&.rC..W.....M.........,.e.....&eI(/eSO.B..K...R.
 [email protected].....(..Y./;-..M5.0.H2.y....:...........a.U....%.S.).^.
...1.B..a..=...q...X .B....F.../..../.Z...'..t....C....,.^...N=..t%N|I
C.#.)6...q.E.J.i.E.>....".L........>...Vy.7.jxx......G........._
q.1^..H&.4Z......^.E.K 9.Xg...qO.6%>..T....;n..s.'u.-...=.........p
..p.Rn.........=.......F........d. d.AR.0U..........9b...=N..#....c.Ic
z......u.0............Y.q..b.wYE.......R...s..W....r].....hT....k.g..[
...s.....X..`=zb.>..../..=........J.N.h...(}.5.7. .;..=F..F...'.?..
2...3...=...B..`....{...f.`Kb..@..`Z.0!^8.t..<l.j..lI.P.q.>k
<<< skipped >>>


HEAD /dl/toolbar/t7/data/7.5.5111.1712/googletoolbarinstaller_en_signed.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: dl.google.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 5030744
Content-Type: application/x-msdos-program
Etag: "416d3"
Expires: Fri, 13 Feb 2015 23:25:10 PST
Last-Modified: Tue, 25 Mar 2014 23:15:00 GMT
Server: downloads
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Fri, 13 Feb 2015 07:25:10 GMT
Alternate-Protocol: 80:quic,p=0.08
....


GET /dl/toolbar/t7/data/7.5.5111.1712/googletoolbarinstaller_en_signed.exe HTTP/1.1


Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 25 Mar 2014 23:15:00 GMT
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: dl.google.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 5030744
Content-Type: application/x-msdos-program
Etag: "416d3"
Expires: Fri, 13 Feb 2015 23:25:10 PST
Last-Modified: Tue, 25 Mar 2014 23:15:00 GMT
Server: downloads
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Fri, 13 Feb 2015 07:25:10 GMT
Alternate-Protocol: 80:quic,p=0.08
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........R.&.3eu.3eu
.3eu...u.3eu...u:3eu...u.3eu.3du.2eu...u.3eu...u.3eu.3eu.3eu...u.3euRi
ch.3eu........................PE..L....F.S.................z..........
[email protected]...@...............
..................|...H.....................L.X.......................
.....................................................................t
ext.............K.....PEC2*O......`....rsrc.................K.........
.... ....reloc................L.............@.........................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................7%..l....7%.......{[email protected].
i..Y.. ....O}...X..Q>!L........f.l.Hs..s...5.*.O..{0=L...L..j2}.\b.
....s?P.........n......}M...^.......7..........5..).SF.f6..:.#.0...@|y
.a-h......5>b......Jb6......u?l.q..Iu..fI$M.ex..A..5.3.)......k..u.
.~....y...U:..[[email protected].."%.'
..E.........).t.............{%...m.n............y.}.s.......a(..."....
.9.f...#."..l/....M..aA.3M.....B.k'.......]..z..w.8.B..2..S.z..l_....7
=..3I[.l(.V.I.......!.K."c...`..5.7......w. .........3A...`.~.....
<<< skipped >>>


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=531961, public, no-transform, must-revalidate
Last-Modified: Thu, 12 Feb 2015 11:12:42 GMT
Expires: Thu, 19 Feb 2015 11:12:42 GMT
Date: Fri, 13 Feb 2015 07:28:44 GMT
Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....2015021
2111242Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a.
.eR&.....Y.)..".\....20150212111242Z....20150219111242Z0...*.H........
.....C....W.........c..4.`...h...{DL!...ky..=........>........:GM..
..E....|..C...^...'...w..$......m.s..d.....b.1U<s...;.s$B..he..5_..
b..'5t..^..?.(,m9 J......9.g...63n.W...c]#....;Z.....C....v9!..w)...S%
....r..j.i....1.A.Et.r...)T...i....R......L. L..,....a.Q}....0...0...0
..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....Ver
iSign, Inc.1705..U....Class 3 Public Primary Certification Authority0.
..141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corp
oration1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PC
A - G1 OCSP Responder Certificate 30.."0...*.H.............0..........
'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-;
 ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS
.p..^|o....S..v.).)[email protected]#qh...u1T.].G0.]E...=.
_...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..
U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .
......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........
0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H...........
..$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..
D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,t>....
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=547677, public, no-transform, must-revalidate
Last-Modified: Thu, 12 Feb 2015 15:32:45 GMT
Expires: Thu, 19 Feb 2015 15:32:45 GMT
Date: Fri, 13 Feb 2015 07:28:44 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2015021
2153245Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
..M.s.Q~...@?j.......20150212153245Z....20150219153245Z0...*.H........
.....G>.B.......r(uA...o.t...q.V*!q...OG.. ..Q).y0S....;....v.,...{
..X.2...D...sK.....$.....qT.<......N.hv....=1G..`....~.{.^W.:...j..
a_.;...l..4.......j...P>....U".NF. .U#.3]jJ........XT`.U\.x.8...<
;Y?..E.71G...p:Z!.rP..nO.l.d.a.el...*.....v#..:;..w.t....gU.......#0..
.0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0.
..U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms
 of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class
 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U...
.US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U..
.2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3Veri
Sign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H............
.0.........{(..t....2.Vf.....&;6).i*[email protected]._p.E.6.|.mk
....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..J
A..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h&
lt;.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0.
..0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://ww
w.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CP
S incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0
...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710
<<< skipped >>>


GET /components/ffmpeg16.exe HTTP/1.0
Host: audiochannel.net


HTTP/1.1 200 OK
Server: Apache/2.2
Content-Type: application/octet-stream
Date: Fri, 13 Feb 2015 07:24:55 GMT
Accept-Ranges: bytes
Connection: close
Set-Cookie: X-Mapping-mhbgahjm=61D5573BADF5C6D1F5CA851543EB599B; path=/
Last-Modified: Tue, 22 Jul 2014 02:28:02 GMT
Content-Length: 2936832
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......O.Q..o?E.o?E
.o?E.`bE.o?E.o>E.o?E,.ME.o?E,.CE.o?E,.GE.o?ERich.o?E........PE..L..
....S......................,......"............@......................
.....,.................................................d....0....,....
......................................................................
................................rdata..............................@..
@.data........ ....... [email protected].....,..0....,..0.......
.......@..@...........................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1503
content-transfer-encoding: binary
Cache-Control: max-age=562059, public, no-transform, must-revalidate
Last-Modified: Thu, 12 Feb 2015 19:32:48 GMT
Expires: Thu, 19 Feb 2015 19:32:48 GMT
Date: Fri, 13 Feb 2015 07:28:53 GMT
Connection: keep-alive
0..........0..... .....0......0...0......&Km...."....}....,.c..2015021
2193248Z0s0q0I0... ........0..k....&..p..^.X.....{[E....z.1..j..F.WHP.
.G.Mxs..../.p./.^....20150212193248Z....20150219193248Z0...*.H........
.....>.K.p...5.~`"....bN.B....ho.o..9......?C.....6..u;..Mm.F  .t..
...j.S4..F.F...&C....qgPJk.B..i.......E|[email protected].... .
[email protected].;/..~.KxyU......&Z..Z.=.Fx0...T(sF..g.kQ.s..9*...FO..
...`.l:.......v....i.&..%.M..T..LO&....H..6?.U.b...[......0...0...0...
.........I...*....^n...0...*.H........0..1.0...U....US1.0...U....thawt
e, Inc.1(0&..U....Certification Services Division1806..U.../(c) 2006 t
hawte, Inc. - For authorized use only1.0...U....thawte Primary Root CA
0...141202000000Z..151216235959Z0_1.0...U....US1.0...U....thawte, Inc.
1907..U...0thawte Primary Root OCSP Responder Certificate 30.."0...*.H
.............0.........x...F83..,.D.,2D.;JGc.|_.k.....B.7.....G}.M.s..
...S.i.Uu.h.Aq..v...4:l..U.......T7l...~vl...r....{*..........V.o..8|.
B..^.a.. ...z....x..s...\[Y....<....'> ..YC..7.zVk.$...o3..kao]c
...>C./bPX.......I..Oc.....NN......g.....,/..]......qN.....V!<.3
.)...y#.........i0g0...U.%..0... .......0... .....0......0...U.......0
.0...U...........0!..U....0...0.1.0...U....TGV-B-2770...*.H...........
.....lt..\..z. ..N.f.!.S5d?J.&....r...D........L.`.s.p...HC.L.8f... ..
.......GA7......P..Z.%.../............z.n.6~I...].).....W...W\|.uya..:
...^...hW..7.Z.uc.'....:.xL...HS.....>.........5......%....3S....h.
.......U....o.C.\.t.....G.._.C0(l.E9..6UTxg.gF ..;.....
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU= HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1396
content-transfer-encoding: binary
Cache-Control: max-age=423457, public, no-transform, must-revalidate
Last-Modified: Wed, 11 Feb 2015 05:04:32 GMT
Expires: Wed, 18 Feb 2015 05:04:32 GMT
Date: Fri, 13 Feb 2015 07:28:53 GMT
Connection: keep-alive
0..p......i0..e.. .....0.....V0..R0...............w/.|`....a...2015021
1050432Z0s0q0I0... ........l....r.vdv0..*.~Y..X....e?z.4..G.L.......q.
.jV. .>...A.4........20150211050432Z....20150218050432Z0...*.H.....
........N.r.....wP/......i.5.....4....C%[@.....('......N..G0B....b....
tS...._..W..n..q..5.}=A...=>w.......c.,.<.E.}.....lh]M...C.M..".
d..H.x.....6....{v.8Rjo.&...is-.(...&..8.....G.O^..5b!{............q..
....l...}......(.D..9.qM...84.....~.......J.C.}R..6}...H..e.....0...0.
[email protected]...*.H........0J1.0...U....US1.0...U....
Thawte, Inc.1$0"..U....Thawte Code Signing CA - G20...141210000000Z..1
50310235959Z0Y1.0...U....US1.0...U....Thawte, Inc.1301..U...*Thawte Co
de Signing CA - G2 OCSP Responder0.."0...*.H.............0..........P.
....].8?e...8.0.. ...-.uP.3....pQ......mi..wVt.......<....{d.?..9..
z%.?..}.N`.V.........I.X...E#...*.f...X.;...75......%...n.%..#..T.<
.....fEQ.\\.f.{M.H...M..u...9~..C....B.o..........dc...V...



GET /tools/pso/ping?as=tbin&gu=pi&mode=3&sin=1&ein=0&version=7.5.5111.1712&brand=NCHD&hl=en&tbiv=7.5.5111.1712&time=1423812338&fitime=1423812338&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=304A78B0488F53F23D4AC1A1BD355D4D69BF4FuXHNH HTTP/1.1
User-Agent: Google Toolbar installer
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2
Date: Fri, 13 Feb 2015 07:25:38 GMT
Expires: Fri, 13 Feb 2015 07:25:38 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic,p=0.08
ok..



GET /components/toolbars/NCH_GoogleToolbar.exe HTTP/1.0
Host: VVV.audiochannel.net


HTTP/1.1 200 OK
Date: Fri, 13 Feb 2015 07:24:49 GMT
Server: Apache/2.2.29
Last-Modified: Fri, 17 May 2013 06:15:28 GMT
ETag: "befd0-4dce3e8c8c000"
Accept-Ranges: bytes
Content-Length: 782288
Connection: close
Content-Type: application/octet-stream
X-Pad: avoid browser bug
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7
.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7..........
[email protected]............@.
................................z.....................................
......................................................................
.....................................................text....g.......h
.................. ..`.rdata...............l..............@[email protected]...
[email protected]................................
...rsrc...............................@..@............................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
...G..H.P.u..u..u...|[email protected][email protected].....@
..}[email protected]... M..........M........E...FQ.....NU..M
.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected][email protected][email protected] [email protected]..
...@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S..
...t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.
<<< skipped >>>


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=547682, public, no-transform, must-revalidate
Last-Modified: Thu, 12 Feb 2015 15:32:45 GMT
Expires: Thu, 19 Feb 2015 15:32:45 GMT
Date: Fri, 13 Feb 2015 07:28:47 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2015021
2153245Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.l$.%t...............20150212153245Z....20150219153245Z0...*.H........
.....)oq........S..x...o.8.|.Ls..g'...K...X.....c..:.M0.a.?......*..:.
.......e/N..v.F......J.0...a.#.2..#,g.&;>.O.e...N..!L.v..[...i...D.
....d....g4|.4G.ZI.r.........r...8.>bm... .fn..U.~.B..v../....x..i.
7.50.G.Q,B.rae....I....j..`H.th....%..N.3B#{..c.=.m.........#0...0...0
..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of us
e at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Cod
e Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0
...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Term
s of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign C
lass 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0....
.....{(..t....2.Vf.....&;6).i*[email protected]._p.E.6.|.mk....(.
.........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG
.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l.
...(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H
<<< skipped >>>


GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com


HTTP/1.1 200 OK
Server: Apache
ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"
Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT
Date: Fri, 13 Feb 2015 07:28:45 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..141210000000Z..150
331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y
.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R
.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....
u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2..
..{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N
....* [email protected]!..Y......w
`G........070411175657Z0!..Z`[email protected].*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H............5..v...V.._)....A... ..
..>.5]....6.(.0uFW.*:T...6$.....R...Y.N.k........%Jn..I.j*.6.3~...r
../[email protected]?....0.A.HTTP/1.1 200 OK..Server: Apache.
.ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"..Last-Modified: F
ri, 19 Dec 2014 01:00:19 GMT..Date: Fri, 13 Feb 2015 07:28:45 GMT..Con
tent-Length: 933..Connection: keep-alive..Content-Type: application/pk
ix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc
.1705..U....Class 3 Public Primary Certification Authority..1412100000
00Z..150331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A..
...{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y
..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!.
<<< skipped >>>


GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT
If-None-Match: "87fbb3811f68cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT
Accept-Ranges: bytes
ETag: "9a9a44d511bd01:0"
Server: Microsoft-IIS/8.0
VTag: 79181643600000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Fri, 13 Feb 2015 07:26:05 GMT
Connection: keep-alive
0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-St
amp PCA..141218221600Z..150319103600Z._0]0...U.#..0...#[email protected].. .
.5..0... .....7.......0...U......10... .....7......150318222600Z0...*.
H............./..0Q~.r.}.E....&\....F.Z.C..#..F.s........<&\..9G..-
....j..N... .C.Fk....;l.....2.K5D.........-.>...(...g.0.S.[?...T4q&
gt;[email protected].('..e...Y..Bo..q..........I....'....i>
..y:.eH@h`..\...UA.m#.~.. ;.3..d..;..<..........p..s..J..N `Az.....
[email protected]....


GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1


Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT
If-None-Match: "96bfbfb1d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT
Accept-Ranges: bytes
ETag: "88c4768d3f2ad01:0"
Server: Microsoft-IIS/8.5
VTag: 791607156900000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Fri, 13 Feb 2015 07:26:05 GMT
Connection: keep-alive
0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....mic
rosoft1-0 ..U...$Microsoft Root Certificate Authority..150106214825Z..
150407100825Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..
%..*..S.Y..0... .....7.......0...U......(0... .....7......150406215825
Z0...*.H..............vQ..r..L.Q.N..=#.......V;..r../\.m..<.."...F/
U....(:.....xm.....P.e.F..BE8......=...G....6t:...?...L..B.v..p.M.....
...z..Q.%J.6..I.......8...U. .g..=T=K....L..$w...^....y~..-a.'...*s#N.
o..Qs.$h..:duV'~....8.6..w..b3.... .~)...|.I.y".>R.nJq.ws...3.....f
}.E)\......EB.d\.2.....h...lMjT.7..lj.'lj.b....".L.Os6{[email protected].|7z
.. ......>..Q...([email protected]\]#..Y.*.......T. .C.....A'..
5FW.ETDvX..tE.....g5.....&..&.....x.^H;...../7..'9.t.I&<[.HX.j....Q
w......}...qy3..q`<.....LB.9w|....;..Qw..a ..=.C.:.........


GET /pki/crl/products/WinPCA.crl HTTP/1.1


Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT
If-None-Match: "a413fc3b169cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT
Accept-Ranges: bytes
ETag: "d2e35dc7e31cd01:0"
Server: Microsoft-IIS/8.5
VTag: 79125357800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Fri, 13 Feb 2015 07:26:05 GMT
Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Window
s Verification PCA..141220223154Z..150321105154Z._0]0...U.#..0.......p
............<.J0... .....7.......0...U......30... .....7......15032
0224154Z0...*.H.............h.~oH#i.J.vh_.....A'B..g...........F....9c
.{[email protected].^ 4.r..Wv.Q.0.w..j....c9..w....I..%.~.l..F.......xo....
_...o...7BR.;<..\R/ .....b.(....~..]|.v.u.i.X.B....I......./*...P..
A..fi.}& .x.v{TFP[.G......A......L.o...)R.......V.u..V.../.Q..(L.]....
.uki~......


GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1


Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT
If-None-Match: "924558f3e994cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 28 Jan 2015 06:05:55 GMT
Accept-Ranges: bytes
ETag: "75565c7ac03ad01:0"
Server: Microsoft-IIS/8.5
VTag: 279732615200000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Fri, 13 Feb 2015 07:26:05 GMT
Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..150127173215Z..150428055215Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......Y0... .....7......150427174215Z0.
..*.H......................YIw.. ..(..y..O.G].B.."?.@...[1.}.X...]...e
.J....pP.I....!6...%.D.k...>c.|R.?.i..yt.z..B.........b....n..m5...
0....2..I!)v....z....y.#pXz.DO.....mF...e.'e...@.%...6./.bPZ...=....bp
[email protected]..@.. ...M....z....Q...{u. .W..HTT
P/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Wed, 
28 Jan 2015 06:05:55 GMT..Accept-Ranges: bytes..ETag: "75565c7ac03ad01
:0"..Server: Microsoft-IIS/8.5..VTag: 279732615200000000..P3P: CP="ALL
 IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT
 COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Leng
th: 554..Cache-Control: max-age=900..Date: Fri, 13 Feb 2015 07:26:05 G
MT..Connection: keep-alive..0..&0......0...*.H........0y1.0...U....US1
.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation
1#0!..U....Microsoft Code Signing PCA..150127173215Z..150428055215Z.a0
_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Y0...
 .....7......150427174215Z0...*.H......................YIw.. ..(..y..O
.G].B.."?.@...[1.}.X...]...e.J....pP.I....!6...%.D.k...>c.|R.?.i..y
t.z..B.........b....n..m5...0....2..I!)v....z....y.#pXz.DO.....mF...e.
'e...@.%...6./[email protected]..
<<< skipped >>>


GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?52afbcbf40078ee8 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT
If-None-Match: "0af536cf2ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
Accept-Ranges: bytes
ETag: "0b2464b1797cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6408
Date: Fri, 13 Feb 2015 07:25:24 GMT
Connection: keep-alive
MSCF............,...................O.......'#.........D.z .disallowed
cert.stl....2..'#CK...8T...g........g.k..".....mlI."d..m...P$"....e.J.
.......z.....\..........9g.9....~.........Q.Q......Q..DL.8.C.PS.K0.!P.
0........#.DY.8.....V.....$.C....a.0...........`......;.S.....0#...m..
. ..`0...?.!vR?.....d....`......_@..}....$...i..OR'..$....K..'Z....o.g
..*.Vc.....[nY e./.EJ...B.Y.......Ag......!....9......u..!..1Yy.......
r...Ss^@...M.Dtl\....i.k....3...B.Z.:.p.N....*......x,...ah/..].[....G
B..T..$A....SY..t.E5R..R...9!....*.*68V....1... ...Q{..."[email protected];
xd{.C.u?..e.U.=f.nx.........y.G..0.......\L .'.^....$......N=..m...Ujr
Zs...J.I.C....;......q_..e......?.T..2..bw....E.L.{...S...~.<......
...-.Q..|.l. .1..6r....[}!J..,...naPk.U.... ..{@LH..W....>.Sq...8.5
.,.z..0.jL.S..........]...yW_...Y.1..h.7...9{.....I......g.Y.,1...i8n.
6..........4.]...........=........^..n.K7...c.g).Z. .0..$7.ys.p...B.5.
].f...|(3!.|..P...j..^..j....#([email protected]..*.O..i..u....9..S.Y.n..HXW..
.F ..i...:.......!.] r......D..*ld.b.>>:Pp.....5:1 o=..5.'..4...
....hO....{.V.rx..V...%.}..u...6Wv-..".iV.b..B0.Q..,...E.Dy...x..5....
?Z.$L..1.....4...=.....g!....%..:..c..j..v~....._R.6.......;.#.Y*p..J.
4.#'..Vo...g^K...J....._.^..u...)....&/.....q....o......4.....S...,q..
...p.8IIe.....d|.3{)...M.0.X...4.."..P.......Hk.... ]!.!... ..#.x..<
;..X.........'.E(<b[.......#.. ....XiLl|[email protected] 
[email protected][email protected]..;.......mm....>~............j%..>
;.X.,V...J...C ....*..Z.8- RKGW...0./Z.__..)7g_'{.......pr......;.
<<< skipped >>>


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=390954, public, no-transform, must-revalidate
Last-Modified: Tue, 10 Feb 2015 20:04:39 GMT
Expires: Tue, 17 Feb 2015 20:04:39 GMT
Date: Fri, 13 Feb 2015 07:28:45 GMT
Connection: keep-alive
0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 C
ode Signing 2004 CA OCSP Responder..20150210200439Z0s0q0I0... ........
[email protected].!......Q...==d6|h.[x....7..`..........cV.!.....201502
10200439Z....20150217200439Z0...*.H...............U.#..&1x1.......n...
tJ...-..`.-d...X.......\._......[]n\].;....n..}b..Y...b1.q....".2.<
.../..:....\..... ..?...Y. .EF.e....Y!T#SLa.......&....I.t..v...Cy'uGK
...g......-.........G>}q......1....p...pxP,.l.e^f5..i)xoE....]....t
..?.....~..Su......D.,...\........0...0...0..{.........[..I|.....Zm..0
...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....Veri
Sign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/
rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140428000
000Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA 
OCSP Responder0.."0...*.H.............0.........Y....h..@..>.....%.
-.....O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l.....f
..;]s!.\"v...|....][email protected]. ..W....n..*
..-f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....<..6.
....[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%..0... 
.......0...U...........0... .....0......0f..U. ._0]0[..`.H...E....0L0#
.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com
/rpa0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>q..i1o
...0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..wo.....
.E.....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|........
<<< skipped >>>


GET /versions/components/tb_google_row.dat HTTP/1.0
Host: VVV.audiochannel.net


HTTP/1.1 404 Not Found
Date: Fri, 13 Feb 2015 07:24:48 GMT
Server: Apache/2.2.29
Content-Length: 235
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /ve
rsions/components/tb_google_row.dat was not found on this server.</
p>.</body></html>.HTTP/1.1 404 Not Found..Date: Fri, 13
 Feb 2015 07:24:48 GMT..Server: Apache/2.2.29..Content-Length: 235..Co
nnection: close..Content-Type: text/html; charset=iso-8859-1..<!DOC
TYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head&
gt;.<title>404 Not Found</title>.</head><body>
.<h1>Not Found</h1>.<p>The requested URL /versions/c
omponents/tb_google_row.dat was not found on this server.</p>.&l
t;/body></html>...



GET /tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=9da6939a80964d4ea5db1fc2eaad4422eb587e9423&from=&to=5.7.9012.1008 HTTP/1.1
Accept: */*
User-Agent: SearchWithGoogle
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: text/plain
Transfer-Encoding: chunked
Date: Fri, 13 Feb 2015 07:25:37 GMT
Expires: Fri, 13 Feb 2015 07:25:37 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic,p=0.08
16..rlz: 1R______enUA627..0..

The Worm connects to the servers at the folowing location(s):

eyeline.exe_108:

.rdata
@.data
.rsrc
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
GetProcessWindowStation
USER32.DLL
operator
UxTheme.dll
dwmapi.dll
Authorization: Basic %s
/videostream.cgi
GET %s HTTP/1.0
Host: %s
User-Agent: %S
HTTP/
hXXp://%s%s
HTTP/1.1 200 OK
Server: Rex/10.0.0.3802
</tr><tr class=headerrow2><td class=headercopyright colspan=2>v 2.01 © NCH Software <a href='hXXp://VVV.nchsoftware.com/index.html' target=_blank>VVV.nchsoftware.com</a></td>
<meta name='viewport' content='width=device-width'>
</title><link href=s.css type='text/css' rel=stylesheet><link href=print.css type='text/css' media=print rel=stylesheet>
application/vnd.apple.mpegURL
%s%s%s
software=Eyeline&version=2.01&report=UINSTALL&text=%s-%s&language=en&platform=Win&extra1=%d%s
hXXp://%s/components/%s
user32.dll
hXXp://VVV.audiochannel.net/versions/components/%s.txt
%s%d%d%d
kernel32.dll
hXXp://cgi.nch.com.au/cgi-bin/regcheck.exe?cmd=v&id=%d&magic=%d&magicb=%d
tb_%s_us.dat
tb_%s_uk.dat
tb_%s_row.dat
hXXp://VVV.audiochannel.net/versions/components/%s
hXXp://VVV.nch.com.au/components/toolbars/NCH_Chrome.exe
hXXp://VVV.audiochannel.net/components/toolbars/NCH_Chrome.exe
hXXp://VVV.nch.com.au/components/toolbars/NCH_GoogleToolbar.exe
hXXp://VVV.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe
hXXp://VVV.audiochannel.net/versions/eyeline.txt
comctl32.dll
TaskDialogIndirect
software=Eyeline&version=2.01&report=COMMENT&text=COMMENT-%s&language=en&platform=Win
%s, %.2d %s 20%.2d %.2d:%.2d:%.2d %s%.2d%.2d
From: %s
To: %s
Subject: %s
Date: %s
X-Mailer: Eyeline VVV.nch.com.au/software
gc0p4Jq0M2Yt08jU534c%d
Content-Type: multipart/mixed; boundary=%s
Content-Type: %s; name="%s"
Content-Disposition: attachment; filename="%s"
--%s--
AUTH LOGIN
RCPT TO:<[email protected]>
USER %s
PASS %s
%s %s
STOR %s
MFMT dddddd %s
MLST %s
MLSD %s
LIST %s
SIZE %s
folder %s
http=
%s/%s
POST %s HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
HTTP/1.
c:\SourceCode\llib\include\../net/ssl.cpp
hXXp://cgi.nch.com.au/cgi-bin/pingme.exe?port=%d
hXXp://cgi.nch.com.au/cgi-bin/pingme.exe
<serviceType>urn:schemas-upnp-org:service:%s
<controlURL>
M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
239.255.255.250
<s:Envelope xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:%s xmlns:u="urn:schemas-upnp-org:service:%s">%s</u:%s></s:Body></s:Envelope>
POST %s HTTP/1.1
CONTENT-LENGTH: %d
SOAPACTION: "urn:schemas-upnp-org:service:%s#%s"
<NewRemoteHost></NewRemoteHost><NewExternalPort>%d</NewExternalPort><NewProtocol>%s</NewProtocol><NewInternalPort>%d</NewInternalPort><NewInternalClient>%s</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>Eyeline Video Surveillance System %s Redirection</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
AddPortMapping
User-Agent: %s
%dx%d
<script type='text/javascript' src='%s'></script>
function LAddEventListener(obj, evName, handler){if (!obj.addEventListener) obj.addEventListener = function(evtName, hand) { this.attachEvent('on'   evtName, hand); };
if (evName.substring(0, 2) == 'on') evName = evName.substring(2);
if (typeof handler == 'string') {obj.addEventListener(evName, function () { eval(handler); }, false);} else {obj.addEventListener(evName, function (e){if (!e) e = window.event;handler(e);}, false);}}
window.location = '%s';
document.cookie = '%s=%s; path=/%s';
<center>Your password has been changed.<p>Click <a href='main'>here</a> to return.</center>
<center>Your password has been reset and sent to your email address.<p>Click <a href="logon">here</a> to log on when you receive your password.</center>
function CmSubmit() {window.onbeforeunload = null;DisableSubmits(true);SimpleAjaxCall('%s', GetParams('dialogform')   'submit='   document.pressed, HandleAjaxJSReturn, function() { DisableSubmits(false); }, function() { DisableSubmits(false); }, 1200000);return false;}
function DisableSubmits(bDisable) {submits = document.getElementsByName('submit');for (i = 0; i < submits.length; i  ) {submits[i].disabled = bDisable;}}
<div id=dialogcontainer%s>
<table id=dialogcontainer border=0%s><tr><td>
onsubmit='return (%sCmSubmit())'
<table id=controltable style='border:#bbbbbb 1px solid; width:%s'>
<tr style='background-color:#fbfbfb;'><td colspan=2 style='%sborder-bottom: 1px solid #bbbbbb;'><table border=0>
function enablectls() {%s
function validatedata() {%s
LAddEventListener(window, 'onload', function() {setTimeout('document.getElementById(%d).focus();', 1)});
invalidNode = document.getElementById('invalidTag');if (invalidNode) {invalidRow = invalidNode.parentNode.parentNode;if (invalidRow.parentNode) {invalidRow.parentNode.removeChild(invalidRow);};while (invalidNode.firstChild) {invalidNode.removeChild(invalidNode.firstChild);}} else {invalidRow = document.createElement('tr');invalidCell = document.createElement('td');invalidCell.colSpan = 2;invalidNode = document.createElement('div');invalidNode.id = 'invalidTag';invalidNode.style.color = '#a00000';invalidRow.appendChild(invalidCell);invalidCell.appendChild(invalidNode);};invalidControl = document.getElementById("%s");if (invalidControl) {container = invalidControl.parentNode.parentNode.parentNode;invalidText = document.createTextNode("%s");invalidNode.appendChild(invalidText);while ((splitPos = invalidText.data.lastIndexOf('\n')) != -1) {var newTextNode = invalidText.splitText(splitPos);newTextNode.deleteData(0, 1);var br = document.createElement('br');invalidNode.insertBefore(br, newTextNode);}container.insertBefore(invalidRow, invalidControl.parentNode.parentNode);invalidControl.focus();}
window.scroll(0,0);
HTTP/1.1 404 Not Found
HTTP/1.1 304 Not Modified
%s, %.2d %s 20%.2d %.2d:%.2d:%.2d GMT
Content-Disposition: attachment; filename="%s"; filename*=UTF-8''%U
HTTP/1.1 416 Requested Range Not Satisfiable
HTTP/1.1 206 Partial Content
Content-Range: bytes %d-%d/%d
Content-Type: %s
%sCache-Control: %s
Last-Modified: %s
ETag: '%s'
WEBC
HTTP/1.1 501 Not Implemented
HTTP/1.1 500 Content Length Too Long
HTTP/1.1 302 Found
Location: %s
<html><head><title>Eyeline Video Surveillance System</title><link href=s.css type='text/css' rel=stylesheet><link href=print.css type='text/css' media=print rel=stylesheet>
<div class=contenttable%s%s>
registeredControl = document.getElementById('%s');
function JScript%s(evt) {%s
LAddEventListener(registeredControl, '%s', function(evt) {if (!evt.target) evt.target = evt.srcElement;
if (!JScript%s(evt)) return false;
var ajaxArgs = '';var elementId = evt.target.id;var nextArg = '';
nextArg = GetArg(document.getElementById('%s'));if (nextArg.length != 0) {ajaxArgs  = '&'   nextArg;nextArg = '';}
ajaxArgs  = '&MainControlId='   elementId;SimpleAjaxCall('%s', 'isComAJAX=1&'   ajaxArgs, HandleAjaxJSReturn);
CONNECT %s:%d HTTP/1.0
%d %d
?#%X.y
c:\SourceCode\eyeline\Release\eyeline.pdb
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeW
PeekNamedPipe
SetThreadExecutionState
GetProcessHeap
WaitNamedPipeW
CreatePipe
KERNEL32.dll
RegOpenKeyExW
RegCloseKey
CryptDeriveKey
RegQueryInfoKeyW
RegCreateKeyExW
RegSetKeySecurity
RegEnumKeyExW
RegDeleteKeyW
RegOpenKeyW
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GetViewportExtEx
SetViewportExtEx
GDI32.dll
acmDriverOpen
acmDriverEnum
acmDriverDetailsW
acmDriverClose
MSACM32.dll
ole32.dll
OLEAUT32.dll
SHFileOperationW
ShellExecuteW
ShellExecuteExW
SHELL32.dll
SHDeleteEmptyKeyW
SHDeleteKeyW
SHLWAPI.dll
GetKeyState
CreateDialogIndirectParamW
UnhookWindowsHookEx
MapVirtualKeyW
GetKeyNameTextW
SetWindowsHookExW
MsgWaitForMultipleObjects
USER32.dll
WINMM.dll
WS2_32.dll
NETAPI32.dll
GdiplusShutdown
GdipSetPenLineJoin
gdiplus.dll
MSIMG32.dll
iphlpapi.dll
WININET.dll
DNSAPI.dll
GetCPInfo
GetConsoleOutputCP
zcÁ
SShxr@
USSSh
j.hl?@
PSShhr@
F"PSSh
t%f=g
PSSSh
QPSSh
PSSSSSSh
SSShD
Fth4%C
FthL%C
Fthd%C
SSh`B@
SSh8pB
SShxpB
PVh.KI
SShxpC
PWSSh
SShr2
%Shv2
%Shy2
z<%uv
%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe
ssshhhWWW
-!.WF
2%SGE
(%xSK
/'//'77'/'
0777777777777777
7777777777777
77777777777
7777777
5'%%'%%;
'.ONKD@;
!%X=P
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"/>
<requestedExecutionLevel level="asInvoker" />
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--The ID below indicates app support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--The ID below indicates app support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates app support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
mhXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3277C77D7132E0118D16E72A4E8059DE" xmpMM:DocumentID="xmp.did:314D5A19534B11E0A6A5AAFBD55133F0" xmpMM:InstanceID="xmp.iid:314D5A18534B11E0A6A5AAFBD55133F0" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B6AAD5DF4A53E0118E8DE62C10C1BCAC" stRef:documentID="xmp.did:3277C77D7132E0118D16E72A4E8059DE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
?!z.RS
banner.jpg
stream.asf
stream.asx
asf.html
flash.html
hls.html
frame.jpg
stream.jpg
stream.html
live.html
Duration (hh:mm:ss.mmm)
%s\%s
Starting web server
%s (%s)
Stopping web server
BackupFTP
RunExternalExe
bgnetwork.lst
bgPTF.lst
bgrunexe.lst
bglogmd5.lst
bgemail.lst
VVV.nchsoftware.com/surveillance/index.html
VVV.nchsoftware.com/surveillance/support.html
hXXp://VVV.nch.com.au/software/bug.html?software=Eyeline&version=2.01
InstallingChrome
LaunchChromeOnInstall
hXXp://VVV.nchsoftware.com/software/thanks.html
Eyeline Video Surveillance System
hXXp://VVV.nchsoftware.com/software/rateit.html?software=Eyeline&appname=%s&version=2.01&rating=%d&buyoffer=eyeline&os=Win&lang=en&base=surveillance&domain=nchsoftware%s%s%s%s%s&instby=%s
hXXp://VVV.nchsoftware.com/software/thanksforusing.html
?software=Eyeline&appname=%s&version=2.01&base=surveillance&domain=nchsoftware&buyoffer=eyeline%s%s%s%s%s%s%s%s&instby=%s
&days=%d&runs=%d&rgst=%d
&usage=XX
%s v 2.01
%sFormat
%sAspectRatio
%sAspectRatioNum
%sAspectRatioDen
%sMPEG2Transport
%sVideoInputPin
%sAudioInputPin
Started by user: %s
Stopped by user: %s
Web camera %s open error. Unable to start %s. Please reconnect the camera.
Camera %s open error. Unable to restart. Please, reconnect the camera and restart it manually.
Device %s is unplugged.
Device %s is plugged back.
Web camera %s open error. Please reconnect the camera.
IP camera %s open error. Please, check your IP connection.
Camera %s open error.
msimg32.dll
%s: %d:%.2d:%.2d:%.3d
Eyeline Motion Detected: Êmera%, Úte% %time%
Email Template.txt
\\.\pipe\CAMERA%dSINK
Unable to initialize JPG output sink for the Web engine, device:
Unable to initialize Flash(High quality) output sink for the Web engine, device:
Unable to initialize Flash(Low quality) output sink for the Web engine, device:
%s %d
Recording from %s is started.
Recording from %s is stopped.
Duration: %s
File name: %s
Motion detecting on %s is started.
Motion detecting on %s is stopped.
%s\%d
Motion Detected for Camera %s at %s
Trial has expired. Cannot set initial state for camera: %s
Recording is disabled for camera: %s
Motion detection is disabled for camera: %s
%s %i %s %i %s
%s %i %s
TempWebcam
TempWebcamFormat
TempWebcamAspectRatio
TempWebcamVideoInputPin
TempWebcamAudioInputPin
Software\NCH Software\%s\Settings
Software\NCH Swift Sound\%s\Settings
"%s" %%s
hXXp://VVV.nch.com.au/components/%s.exe
Waiting for %s
Eyeline will continue when %s closes.
cftpsetup
ClassicFTP
Run ClassicFTP
Software\NCH Software\%s\Registration
hXXp://VVV.nch.com.au/suggestions/index.html?software=Eyeline&version=2.01
shell32.dll
%s\%s\%s
%s already exists.
-show -type data -label BACKUP -list "%s" -burn -exit
Program failed to launch. Please download and install manually from hXXp://VVV.nchsoftware.com/prism/index.html
UseSMTPHost
MailSMTPHost
SMTPAuthOn
SMTPUserName
SMTPPassword
WebServer
Software\Microsoft\Windows\CurrentVersion\Run
Click the "Add Camera" button to add your cameras and right click on the video windows for commands
MotDetExecuteCommand
Failed to connect to camera %s. Please check the camera settings or remove the camera.
Can't add camera %s to Eyeline for a scheduled task.
Due to a scheduled task, the camera %s is added to Eyeline.
Your scheduled recording '%s' has now stopped.
Your scheduled recording '%s' has now started - Duration: %s
Your scheduled recording '%s' has failed to start
This camera device %s has not been opened.
Open Web Access
Can't connect because the server isn't started. Would you like to open the Web Access options to start it?
hXXp://127.0.0.1:%d
Could not connect to camera %s
Camera %s is already present
Could not add camera %s
The camera '%s' is currently recording.
The camera '%s' will be removed.
Camera %s is removed.
Web camera %s open error. Camera settings are not available. Please reconnect the camera.
iFTPAdCount
ShowClassicFTPAd
C:\Windows\Media\notify.wav
Try Classic FTP File Transfer Software Now
For FTP software
%s %s %s.%s
Backup on %s created successfully
Attempting FTP Backup on:
FTPServer
FTPPassword
FTPUser
FTPDirectory
FTP Backup on %s created successfully
Unable to perform FTP backup on:
Could not FTP backup file:
File was removed from backup queue. Please manually FTP this file.
Could not log on to FTP Server for backup. Queued to try again.
Attempting to Run External Executable on:
ExternalExePath
"%s" "%s"
Could not run external executable for backup. Queued to try again.
Could not run the external exe for:
External EXE %s run successfully
MD5 Checksum is %s for file %s
MD5Log.txt
%.4d-%.2d %s
MD5 Checksum Logging for %s created successfully
Invalid URL
URL is invalid. Please try again.
%s %i
The user name and password of existing network camera "%s" are updated
Item %d
password
FTP Server is mandatory
FTP Username is mandatory
External EXE file path is mandatory
Application (*.exe)
*.exe
Choose external exe to run...
hXXp://VVV.nch.com.au/kb/10003.html
Wav File (*.wav)
*.wav
%s %s %s
PreviousServerPort
Eyeline Video Surveillance System Web Server
%s\%s\%u\%u.m3u8
%d-%d-%d %d-%d-%d %[^
d:d:d.d
-:-:-.=
%s:%s
Failed to process the HTTP headers
Invalid HTTP response
Server returned an error %d %S
<script type="text/javascript">function AnyChecked() {var elements = document.getElementsByTagName('input');for (i = 0; i < elements.length; i  ) {if ((elements[i].getAttribute('type') == 'checkbox') && (elements[i].getAttribute('name') == 'file')) {if (elements[i].checked) return true;}}return false;}function EnableSubmit(enable) {var elements = document.getElementsByTagName('input');for (i = 0; i < elements.length; i  ) {if ((elements[i].getAttribute('type') == 'submit') && (elements[i].getAttribute('value') == 'Delete')) {if (enable) elements[i].removeAttribute('disabled');else elements[i].setAttribute('disabled', 'disabled');return;}}}function CheckSubmit() {EnableSubmit(AnyChecked());}function CheckAll(check) {var elements = document.getElementsByTagName('input');for (i = 0; i < elements.length; i  ) {if (elements[i].getAttribute('type') == 'checkbox') elements[i].checked = check;}EnableSubmit(AnyChecked());}function DeleteMultiple() {if (!AnyChecked()) return;var elements = document.getElementsByTagName('input');var form = document.createElement('form');form.setAttribute('method', 'post');form.setAttribute('action', 'deletemultiple');var hiddenField = document.createElement('input');hiddenField.setAttribute('type', 'hidden');hiddenField.setAttribute('name', 'sess');form.appendChild(hiddenField);var sess = document.getElementsByName('deletemultiplesess')[0].getAttribute('value');hiddenField.setAttribute('value', sess);var iFileCount = 0;for (i = 0; i < elements.length; i  ) {if (elements[i].getAttribute('type') == 'checkbox' && elements[i].checked && elements[i].getAttribute('name') == 'file') {var hiddenField = document.createElement('input');hiddenField.setAttribute('type', 'hidden');hiddenField.setAttribute('name', 'file'   iFileCount);hiddenField.setAttribute('value', elements[i].getAttribute('value'));form.appendChild(hiddenField);iFileCount  ;}}var r = confirm("Are you sure you want to delete the selected files?");if (!r) return;document.body.appendChild(form);form.submit();}function DeleteSingle(name) {var r = confirm("Are you sure you want to delete "   name   " ?");if (!r) return;var form = document.createElement('form');form.setAttribute('method', 'post');form.setAttribute('action', 'deletemultiple');var hiddenField = document.createElement('input');hiddenField.setAttribute('type', 'hidden');hiddenField.setAttribute('name', 'sess');form.appendChild(hiddenField);var sess = document.getElementsByName('deletemultiplesess')[0].getAttribute('value');hiddenField.setAttribute('value', sess);var hiddenField = document.createElement('input');hiddenField.setAttribute('type', 'hidden');hiddenField.setAttribute('name', 'file0');hiddenField.setAttribute('value', name);form.appendChild(hiddenField);document.body.appendChild(form);form.submit();}function FormValidation() {var startdate = document.getElementsByName('startdate')[0].value;var enddate = document.getElementsByName('enddate')[0].value;if (startdate && !DateValidation(startdate)) return false;if (enddate && !DateValidation(enddate)) return false;return true;}function DateValidation(text) {var pattern =/^([0-9]{4})-([0-9]{2})-([0-9]{2})$/;text.replace(/ /g, '');if (pattern.test(text)) {var date = new Date(text);var day = text[8]   text[9];if ((Date.parse(text) > 0) && (Object.prototype.toString.call(date) === '[object Date]') && !isNaN(date.getTime()) && (date.getDate() == day)) {return true;} else {alert("Inserted date is invalid, please insert valid date in the format YYYY-MM-DD");return false;}}alert("Search dates must be in the format YYYY-MM-DD");return false;}</script>
<center><p><table width=100%% border=0 cellspacing=0><tr bgcolor=#426792><td width=1%%></td><td width="70%%" align=left><font color=#ffffff><b>%s</b></font></td><td align=right><font color=#ffffff>Image Stream</font></td><td width=1%%></td></tr></table><table width=100%% border=0 cellspacing=0>
<tr bgcolor=#%s><td width=1%%></td><td><a href="hXXp://%s/live.html?camera=%d">%s</a></td><td align=right><a href="hXXp://%s/stream.html?camera=%d">jpg</a></td><td width=1%%></td></tr>
<form action="main" method=post onSubmit="return FormValidation()"><input name=sess type=hidden value="%s"><input name=search type=hidden value=yes><table width=100%% border=0 cellspacing=0><tr bgcolor=#426792><td width=1%%></td><td><font color=#ffffff><b>Search Recordings</b></font></td><td></td><td width=1%%></td></tr><tr><td></td><td style="white-space:pre;">%s</td><td align=right><input name=startdate size=12 value="%s"></td><td></td></tr><tr><td></td><td style="white-space:pre;">%s</td><td align=right><input name=enddate size=12 value="%s"></td><td></td></tr><tr bgcolor=#426792><td></td><td></td><td align=right><input type=submit value=Search Again></td><td></td></tr></table></form><p><br>
00:00:00
23:59:59
<table width=100%% border=0 cellspacing=0><tr bgcolor=#426792><td width=1%%></td><td width=%d%% align=left><input type = "checkbox" title="Select All Recordings" onclick="CheckAll(this.checked);"><font color=#ffffff><b>Recordings</b></font></td>%s%s<td width=20%% align=right><font color=#ffffff>Operations</font></td><td width=1%%></td></tr></table><form action = "javascript: DeleteMultiple();" name = "deletemultiple"><input name=deletemultiplesess type=hidden value="%s">
<a href="play?file=%s">%s</a>
<a href="download?file=%s">%s *</a>
<td width=10%%>%s</td><td width=10%%></td>
<a href="download?file=%s">save</a>
<tr bgcolor=#%s><td width=1%%></td><td width=%d%%><input type="checkbox" name="file" value="%s" title="Select Recording" onclick=CheckSubmit();>%s</td>%s<td width=20%% align=right>%s<a href="#" onclick="DeleteSingle('%s');">delete</a></td><td width=1%%></td></tr>
<tr bgcolor=#426792><td width=1%%></td><td width=%d%%></td>%s%s<td width=20%% align=right><input type=submit %s value=Delete disabled="disabled"></td><td width=1%$=></td></tr></table></center></form>
<video controls autoplay src="download?file=%s"><p>Sorry, your browser does not support HTML5 video tag.</p></video></td>
var c = %d;
if (navigator.appVersion.indexOf("Mac") != -1) {
document.img.src = "stream.jpg?camera=%d";
return;}pl.onload=display;pl.src = "frame.jpg?camera=%d&id="   c;
document.img.src = pl.src;
setTimeout('updatelink()', %d);
pl.onload=display;onLoad=StartScreen();</script>
<div style="font-family: Arial,sans-serif;" onLoad="StartScreen();"><p><table width=100%% height=90%% cellpadding=0 cellspacing=0><tr><td align=center valign=center><img name="img" src="frame.jpg?camera=%d"></td></tr></table></div>
Eyeline Video Surveillance System Live %d
hasFlash = Boolean(new ActiveXObject('ShockwaveFlash.ShockwaveFlash'));
hasFlash = ('undefined' != typeof navigator.mimeTypes['application/x-shockwave-flash']);
if (!hasFlash) window.location.replace("hXXp://%s/%s?camera=%d")
%s:%d
hXXp://%s/nchplayer.swf?host=%s&scope=Eyeline&streamName=live&bandwidth=%d&src=%d&autostart=true
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="hXXp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0" width="480" height="385">
<param name="movie" value="%s">
<embed src="%s" width="480" height="385" allowfullscreen="true" quality="high" type="application/x-shockwave-flash" pluginspage="hXXp://VVV.adobe.com/go/getflashplayer"/>
<a href="hXXp://%s/live.html?camera=%d&speed=%d"><b>Switch to %s quality</b></a>
%s</td>
hXXp://%s/stream.asx?camera=%d
<object id="mediaplayer" classid="clsid:22d6f312-b0f6-11d0-94ab-0080c74c7e95" codebase="hXXp://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#version=5,1,52,701" standby="loading microsoft windows media player components..." type="application/x-oleobject" width="%u" height="%u">
<param name="filename" value="%s">
<embed src="%s" autostart="true" showcontrols="true" showstatusbar="true" bgcolor="white" width="%u" height="%u">
<script language="javascript" src="ajax.js"></script>
<TITLE>%s</TITLE>
<BANNER HREF = "hXXp://%s/banner.jpg">
<MOREINFO href = "hXXp://VVV.nch.com.au" />
<ABSTRACT>Click here to go to hXXp://VVV.nch.com.au</ABSTRACT>
<REF HREF = "hXXp://%s/stream.asf?camera=%d" />
<REF HREF = "mmsh://%s/stream.asf?camera=%d" />
Pragma%d
Content-Type: application/vnd.ms.wms-hdr.asfv1
Eyeline Video Surveillance System Live %s
if (!document.createElement('video').canPlayType('application/vnd.apple.mpegURL')) {
window.location.replace("hXXp://%s/stream.html?camera=%d")
<video id="live_stream" width="%d" height="%d" controls autoplay src="hXXp://%s/playlist.m3u8?camera=%d&quality=%s"> <p>Sorry, your browser does not support Live Streaming.</p> </video> <div id="messages"></div> </td>
<script type="text/javascript">var bCheck = true;var video = document.getElementById('live_stream');video.style.display = 'none';addMessage();function doTimer() {if (bCheck) {var httpRequest = getNewHttpObject();httpRequest.open("GET", "hXXp://%s/playlist.m3u8?camera=%d&quality=%s", false);httpRequest.send();if (httpRequest.status == 200) {bCheck = false;removeMessage();video.style.display = 'block';video.load();}}}setInterval("doTimer()", 2000);function addMessage() {var para = document.createElement('p');var node = document.createTextNode('Loading the stream, please wait.');para.setAttribute("id","loading_message");para.appendChild(node);document.getElementById('messages').appendChild(para);}function removeMessage() {var child = document.getElementById('loading_message');document.getElementById('messages').removeChild(child);}function getNewHttpObject() {var objType = false;try {objType = new ActiveXObject('Msxml2.XMLHTTP');} catch(e) {try {objType = new ActiveXObject('Microsoft.XMLHTTP');} catch(e) {objType = new XMLHttpRequest();}}return objType;}</script>
%s\%s\%d\%d.m3u8
Enter your password. If you have forgotten what it is, please click Forgot your password.
help/login.html
><div class=headernavlinks style='font-size: 16pt; line-height: 44px; margin-top: 3px'>%s</div>
<td class=headernavlinks>%s</td>
<tr class=headerrow1 style='height: %spx'><td class=headerapp style='font-size: %spt; cursor: pointer; cursor: hand' onclick="document.location='main'" title='Click to go to the Main Page'>%H</td>
<style type='text/css'>%s</style>
This is the resolution of the output video. Only certain pre-defined values are permitted.
Windows Media Video 9
Windows Media Video 8
Windows Media Video 7
32 bit support
WebCam JPEG
Application.GC
Application.Shutdown
Application.Resource.LowMemory
Application.Script.Warning
Application.Script.Error
NetStream.Data.Start
NetStream.Unpause.Notify
NetStream.Pause.Notify
NetStream.Seek.Failed
NetStream.Seek.Notify
NetStream.Play.Complete
NetStream.Play.Switch
NetStream.Play.UnpublishNotify
NetStream.Play.PublishNotify
NetStream.Play.Reset
NetStream.Play.Stop
NetStream.Play.StreamNotFound
NetStream.Play.Start
NetStream.Play.InsufficientBW
NetStream.Record.Failed
NetStream.Record.Stop
NetStream.Record.NoAccess
NetStream.Record.Start
NetStream.Unpublish.Success
NetStream.Failed
NetStream.Publish.BadName
NetStream.Publish.Start
NetStream.Clear.Failed
NetStream.Clear.Success
NetStream.InvalidArg
NetConnection.Connect.InvalidApp
NetConnection.Connect.Success
NetConnection.Connect.Rejected
NetConnection.Connect.Failed
NetConnection.Connect.Closed
NetConnection.Connect.AppShutdown
NetConnection.Call.BadVersion
NetConnection.Call.Failed
@device:sw:{860BB310-5D01-11D0-BD3B-00A0C911CE86}\{00CADAC6-7EA1-418B-8DDD-DF8510030101}
Speex ACM Codec xiph.org
(unverified) For the Record - hXXp://VVV.fortherecord.com
Aureal Semiconductor RAW SPORT
Windows Media Audio Lossless V9
Windows Media Audio Professional V9
Windows Media Audio V2 V7 V8 V9 / DivX audio (WMA) / Alex AC3 Audio
Windows Media Audio V1 / DivX audio (WMA)
Sipro Lab Telecom ACELP.KELVIN
Sipro Lab Telecom ACELP.net
Microsoft Windows Media, RT Voice
Compaq Computer VSELP (codec for Windows CE 2.0 devices)
Classic FTP Software
tar.gz
hXXp://VVV.nchsoftware.com/goldenvideos/
hXXp://VVV.nchsoftware.com/broadcam/
hXXp://VVV.nch.com.au/soundtap/
hXXp://VVV.nch.com.au/recordpad/
hXXp://VVV.nch.com.au/golden/
hXXp://VVV.nch.com.au/talk/
hXXp://VVV.nch.com.au/rip/
hXXp://VVV.nchsoftware.com/invoice/
hXXp://VVV.nchsoftware.com/accounting/
hXXp://VVV.nch.com.au/express/
hXXp://VVV.nchsoftware.com/capture/
hXXp://VVV.nchsoftware.com/classic/
Classic FTP
hXXp://VVV.nchsoftware.com/zip/
hXXp://VVV.nchsoftware.com/documentconvert/
hXXp://VVV.nchsoftware.com/imageconverter/
hXXp://VVV.nchsoftware.com/prism/
hXXp://VVV.nch.com.au/switch/
hXXp://VVV.nchsoftware.com/slideshow/
hXXp://VVV.nch.com.au/wavepad/
hXXp://VVV.nchsoftware.com/videopad/
hXXp://VVV.nch.com.au/scribe/
hXXp://VVV.nch.com.au/mixpad/
hXXp://VVV.nchsoftware.com/encrypt/
hXXp://VVV.nch.com.au/ivm/
hXXp://VVV.nch.com.au/ims/
hXXp://VVV.nch.com.au/burn/
Portable Anymap
Portable Network Graphics
Joint Photographic Experts Group
.wbmp
.tiff
.jpeg
{2318C2B1-4965-11d4-9B18-009027A5CD4F}
FTP file transfers
Upload your website using ftp
Manage stock, procurements and reporting
Track and Report Income and Expenditures
Zulu Disc Jockey Software
Clean and optimize your Windows registry by removing the old and damaged data that is bogging down your computer performance.
Voxal is a real time voice changing program. Change your voice live through speakers, in softphone calls, or any application or game that uses a microphone.
twelvekeys
TwelveKeys Music Transcription
Universal audio converting software supports all popular audio formats including mp3, wma, wav, midi, m4a, and more. Use it to convert and compress sound files.
Orion finds and recovers deleted files on hard drives, external and portable drives. Or use the drive scrubber to ensure deleted files can't be recovered.
Key Blaze Typing Tutor Software
A powerful FTP client that integrates with Windows Explorer for manual or automatic file uploading, or sync/mirror files and folders via FTP.
Fling FTP Sync Software Client
Easy to use file backup software to automatically back up critical data to CD, DVD, Blu-ray or a remote FTP server. Don't take chances with your valuable data.
Use this text expansion software to create keyboard shortcuts that will expand to an entire word, sentence, paragraph or document. A useful time saving tool.
Digital dictation software to record and send dictation for transcription directly from your computer, or dock and send dictation from a portable device.
Professional accounting software to manage and report business income and expenses, sales, invoices and payments. Great for small and medium-sized companies.
Easy to use video recording software lets you capture and record video from a webcam, your computer screen, an external video device or online streaming video.
Easy and reliable FTP client software. View, edit, upload, download, delete and otherwise manage files on a remote server, website or network.
Classic FTP - FTP Client Software
Use your PC to broadcast live or recorded video from a webcam, computer screen or video input device. Video streams will play in all popular web browsers.
Debut is a reliable video recording program for capturing video with a webcam or video input, and is a screen recorder to record almost anything on your screen.
Prism is a program for Windows that lets you convert video files from one format to another.
InstallReport
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=eyeline&source=softwaretrial
mhXXp://VVV.nchsoftware.com
A full list of our products can be found at the below website. You may find another product that is more suitable for your needs.
/InternetRepo/nch_com_au/components/x264enc6.exe
nchplayer.swf
favicon.ico
greybg.gif
darkblue.gif
downsort.gif
upsort.gif
table.js
ajax.js
s.css
print.css
software\microsoft\windows\currentversion\app paths\%s
Eyeline-%d-%d
eyeline.exe
%d:%d:%d
%d-%d-%d
Global\%s
Software\Classes\%s
*.dat
hXXp://VVV.nch.com.au/upgrade/index.html?software=eyeline&upgradeid=%d&upgradekey=%s
hXXp://VVV.nch.com.au/activate/index.html?code=%s
VVV.nchsoftware.com/surveillance
hXXp://%s
splash.jpg
%d.%d.%d.%d
%d.%d.%d.%d:%d
Password
Eyeline Video Surveillance System.lnk
NCH Software.lnk
NCH Suite.lnk
Software\Microsoft\Windows\CurrentVersion\Uninstall\Eyeline
URLInfoAbout
URLUpdateInfo
Software\Microsoft\Windows\CurrentVersion
hXXp://cgi.nch.com.au/cgi-bin/report.exe
uninst.exe
Uninstall is complete. If you need to reinstall this software again you can download it from VVV.nchsoftware.com.
Software\NCH Software\Components\%s
\\.\pipe\%s
Special discount pricing ends on the 15th of %s.
Special discount pricing ends at the end of %s.
88:88:88
hXXp://VVV.nch.com.au/suggestions/index.html?software=Eyeline&version=2.01%s%s
hXXp://VVV.nchsoftware.com/software/newsletter.html?software=Eyeline&version=2.01%s%s
hXXp://VVV.nchsoftware.com/software/video.html
hXXp://VVV.facebook.com/NCHSoftware
hXXp://twitter.com/nchsoftware
hXXps://plus.google.com/ nchsoftware
hXXp://VVV.facebook.com/sharer/sharer.php?u=%s
hXXp://VVV.twitter.com/?status=%U%s
hXXps://plusone.google.com/_/ 1/confirm?hl=en&url=%s
hXXp://VVV.stumbleupon.com/submit?url=%s&title=NCH Software
hXXp://VVV.linkedin.com/shareArticle?url=%s&title=NCH Software&mini=true
%s by NCH Software%s%s
- Licensed to %s
Unsupported
%d x %d [%s], %.2lf fps, %s
%d x %d, %.2lf fps, %s
Restarting web server
Windows CE
LRTMPNumber == %f
LRTMPBoolean == %s
LRTMPString == %s
"%s" -uninstall
eyelinesetup_v2.01.exe
Software\NCH Software\Eyeline\%s
Global\NCHSharedEvent%d
-LQUIET -instby %sEyeline
-installcomponent "%s" %d
audiochannel.net
VVV.nch.com.au
An install-on-demand component could not be installed automatically. Please run it from the URL below then try again.
%s=%s
_eyeline_rl_%s
Report Bug
Would you be willing to complete an NCH Software Bug Report so our programmers can try to fix this? Please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.
hXXp://VVV.nch.com.au/software/bug.html?software=Eyeline&version=2.01&xi=AbTermOrHang-Win%d%d
Win%d%d
Ukn0(Msg%dLstCmd%d)
(Cmd%d)
%s-%s-%s-%s
dbghelp.dll
XI: %s
Abnormal Execution Problem
Would you be willing to complete a NCH Software Bug Report so our programmers can try to fix this? If so, please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.
hXXp://VVV.nch.com.au/software/bug.html?software=Eyeline&version=2.01&xi=GUI-%s
%d-%d-%%d
Please check you have exited any previous running instances of Eyeline Video Surveillance System and any other programs that might be using the file "%s". Then run the installer again.
Installation cannot be completed because the file "%s" cannot be written to.
Please read the following important information before continuing.
c:\program files (x86)\
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s\UserChoice
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s
explorer.exe
Advapi32.dll
W"%s" %s
explorer.exe "%s"
hXXp://VVV.nchsoftware.com/%s.html
hXXp://VVV.nch.com.au/%s.html
hXXp://VVV.nch.com.au/kb/%d.html
.html
hXXp://help.nchsoftware.com/help/en/eyeline/win/%s.html
%.4d-%.2d-%.2d Eyeline Video Surveillance System Log.txt
TwelveKeys
twelvekeyssetup
KeyBlaze
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=eyeline&version=2.01%s%s%s%s%s%s%s%s&instby=%s
hXXp://VVV.nchsoftware.com/software/registered.html?software=%s&appname=%s&version=2.01&base=surveillance&domain=nchsoftware%s%s%s%s%s%s%s
ID - Key:
%s-%s
hXXp://VVV.nch.com.au/upgrade/index.html
%s Registration Code:
Register %s
Click here if you have not activated your 12-digit serial number online and have not received an ID-Key.
If you have already activated your serial number online, check your email for the ID-key. Then, click here to enter your ID-Key.
The code that you have entered is a license serial number. You must activate your serial number online to receive the ID-Key needed to register this software.
ID-Key is required to complete the registration.
Old Version Key
- You are using the correct ID and key for the correct product. Only the ID and key for Eyeline Video Surveillance System will be accepted.
support/reg
registration.txt
Name: %s
Location: %s
ID - Key: %d - %s
-clear -label "Eyeline Video Surveillance System Installer" -type data "%s" "%s"
Validate Key
Key cannot be validated. Please connect to the internet and try again.
Click here to go to the NCH Software website to view the latest pricing
2014-07-01
nch.com.au
nchsoftware.com
hXXp://VVV.%s/%s
%s [Recommended]
Google Chrome, a faster way to browse the web
Free games, themes and utilities from the Google Chrome Store
Why people choose Chrome:
Install Google Chrome as my default browser
Google Toolbar makes web browsing more convenient:
Search from any website
Translate web pages instantly
hXXp://VVV.google.com/toolbar/ie/partnereula.html?hl=en
hXXp://VVV.google.com/accounts/TOS?hl=en
hXXp://VVV.google.com/intl/en/privacy/privacy-policy.html
By installing this application, you agree to the Google Chrome
By installing this application, you agree to the Google Chrome
hXXp://VVV.google.com/chrome/intl/en/eula_text.html
hXXp://VVV.google.com/chrome/intl/en/privacy.html
reject-chrome
Automatic download of the install-on-demand component "%s" failed.
The website will now be opened where you can download it manually.
Open Website
-installrelated %x -toolbar %x
NCH Software\Eyeline%s
Eyeline%s
%sT%s
Click to install and run %s
Click to run %s
Eyeline Video Surveillance System cannot launch the program required to perform the selected task. Please go to nch.com.au/software to download it and try again.
hXXp://VVV.nchsoftware.com/software/index.html
hXXp://VVV.nchsoftware.com/software/newsletter.html%s%s
hXXps://secure.nch.com.au/cgi-bin/register.exe%s%s
hXXp://cgi.nch.com.au/cgi-bin/search.exe?q=%s&site=VVV.nch.com.au%s%s
Click to visit our website
File does not exist: %s
Not enough memory available to load %s
Cannot open xml file: %s
(EOF) Element <%s> should be terminated with </%s>. Check you have terminated your element properly.
Tag <%s> does not have a closing '>'
Misplaced </%s> which does not match a <%s>.
Element <%s> should be terminated with </%s>, was with %s. Check you have terminated your element properly.
Ln %d, Col %d: %s
%s\shell\open\command
http\shell\open\command
iexplore.exe
iexplorer.exe
firefox.exe
chrome.exe
Installing Google Chrome
The Google Chrome installer could not be downloaded.
ChromeRequiresLaunch
ChromeEyeline
software\Google\No Chrome Offer Until
NCH_Chrome.exe
Sorry, Chrome was not installed because of some problems encountered during the installation process.
cnm-%X
Chrome
NCH_GoogleToolbar.exe
gnm-%X
chrome-google
chrome
Install Google Chrome - Free
Get Chrome to View Help Files
We recommend Google Chrome as the preferred viewer for our help pages.
Google Chrome is free and fast.
"%s" -logon
-setautorun %s
"%s" -service
-setaccount "%s" "%s"
\\.\pipe\EyelineService
Please enter the new account password here.
Services cannot be run as an account without a password.
Please use an user account that has a password or add a password to the user account if you would like to use it to run the service.
Unable to set the service account. Check user name or password. The user name can be in the form Domain\Account if a Domain is required. You must be running this program as Administrator.
%%.ß
%s%sshmf%ii.bin.tmp
Loading %s
The file format is not supported.
Saving %s
Certain parts of this software fall under the Little CMS License:
Portions of this software are Copyright (c) 1998-2011 Marti Maria Saguer.
Certain parts of this software fall under the LibJPEG License:
Technical Support Page
Send Bug Report
About %s
This version 2.01 of Eyeline Video Surveillance System will only work on Windows 8.1 or earlier. A newer version is available for download on VVV.nchsoftware.com.
%s%*c
Software\NCH Software\%s
Software\NCH Swift Sound\%s
Quick Install-on-Demand %s
-extsuite %s
-extfind %s
Software\Classes\.%s
software\microsoft\windows\currentversion\explorer\fileexts\.%s\userchoice
%sfile
%s\shell
%s\shell\open
"%s" -extfind %s "%%L"
%s\DefaultIcon
%SystemRoot%\system32\shell32.dll,19
Software\Classes\%s\Shell\%s\command
Software\Classes\%s\Shell\%s
Software\Classes\%s\Shell
hXXp://VVV.nchsoftware.com/index.html
An install-on-demand tool (%s) is required for this operation.
hXXp://VVV.nch.com.au/kb/10271.html
Run %s
NCH Software\%s\%s.exe
NCH Swift Sound\%s\%s.exe
%s "%s"
Software\Classes\%s\shell\open\command
Software\Classes\%s\shell
Software\Classes\%s\shell\open
Software\Classes\%s\DefaultIcon
%s%s%s%s
Report a Problem
Click here if you would like to report a problem with Eyeline Video Surveillance System.
If you find any problems with this release please let us know by reporting them.
hXXp://VVV.nch.com.au/software/bug.html?software=Eyeline&version=2.01&xi=Service-%s
%s Home Page
%s v 2.01
Distributed by %s
Licensed User: %s
Col%d
Using SMTP is recommended to avoid email being junked.
e.g., mail.myisp.net
e.g., [email protected]
If you choose SMTP you must enter a valid reply-to address. Enter your email address.
If you choose SMTP you must enter an SMTP mail host. Call your ISP if you don't know what your SMTP mail host is.
If your SMTP server requires authentication, you must enter a SMTP username to connect to your server.
Password Required
If your SMTP server requires authentication, you must enter a valid SMTP password to connect to your server.
Unable to connect to mail server "%s" when sending an email to "%s".
Unable to connect to either mail server "%s" or the mail server at "%s".
Unable to connect to mail server "%s".
Mail host server error (HELO not accepted, error code 504) for destination email %s - usually this means the email address is not valid.
Mail host server error (HELO not accepted): %d emailto: %s
Email authentication username or password not accepted
Eyeline@%s
Mail host server error (MAIL FROM not accepted). Please check your Email Settings.%s - (%d - %s)
Error while trying to send email. Email address may be wrong or your SMTP server may require a username or password. Please check address again and see Email Settings.
The recipient's email server does not allow email to be received in this manner. Please use an SMTP account for sending email to this address. emailto: %s mailhost: %s
The recipient's email server rejected this email because of an unspecified reason. Try using an SMTP account for sending email to this address.
Mail host server error (data terminator not accepted) emailto: %s mailhost: %s error: %d
Checking SMTP Settings
Mail host server error (HELO not accepted): %d
Mail host server error (MAIL FROM not accepted). Please check your Email Settings. (%d)
Email address may be wrong or your SMTP server may require a username or password.
Sending Email: %s
This FTP server does not support the required protected mode data transfers for SSL connections.
%s: %2.0f%%
%s/microsoft/windows mail/local folders/%s
SMTP_Server
SMTP_Email_Address
00000001
Software\Microsoft\Internet Account Manager\Accounts\%s
SMTP Email Address
SMTP Server
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\%s
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
%s\%s\d
%s\Thunderbird
%s\profiles.ini
%s\%s\prefs.js
mail.accountmanager.defaultaccount
mail.account.%s.identities
mail.identity.%s.useremail
mail.smtp.defaultserver
mail.smtpserver.%s.hostname
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Eudora.exe
deudora.ini
eudora.ini
%s\Qualcomm\Eudora\eudora.ini
SMTPServer
Windows Mail
Mozilla Thunderbird
.127.0.0.1
LTCPListener
HNetCfg.HNetShare.1
-firewall %s %d "%s"
libeay32.dll
ssleay32.dll
%s [%s]
Eyeline Video Surveillance System TCP/IP Port
Connection test failed. Please check your firewall settings that it is not blocking TCP/IP port %d.
uPNP Router Control Port
Connection test failed. Please check router's firewall is not blocking TCP/IP port %d and your computer firewall is not blocking port %d.
Router uPNP Disabled. Please log into your router and add TCP/IP port forwarding from public port %d to %s port %d or enable uPNP and try again.
Router configuration required. Please log into your router and add TCP/IP port forwarding from public port %d to %s port %d.
%d Hz, %d Bits, %s
Windows Media Audio V1
Windows Media Audio V2
ACELP.net
%d:%.2d:%.2d
%d:%.2d:%.2d.%.3d
wmvcore.dll
hXXp://VVV.altoedge.com/usbcapture/video.html
hXXp://VVV.altoedge.com/usbcapture/webcams.html
NCHScreenCapture %d %d %d %d %lf %d %d %d %d %d %d %d
NCHIPCamrCapture&url=%s
&user=%s
&password=%s
Can't understand response: %s
Server had an issue %d: %s
Server didn't gave an image but a web page instead.
Server is displaying a format that can not be understood. %s
Web server stop responding.
Web server gave a frame that couldn't be decoded.
Couldn't read from the web server
.dvr-ms
@device:sw:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\ffdshow video encoder
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\iyuv
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\i420
Ping: value1 == %d, value2 == %d, value3 == %d, value4 == %d
Stream Name is %d
ChunkSize: nSize == %d
Audio ts: %d
StreamBytesRead: nBytesRead == %d
ServerBW: nBandwidth == %d
ClientBW: nBandwidth == %d, nValue2 == %d
%s.%s
%s = %s
ConnectionParams: %s
Size of data = %d
Video ts: %d
Attemption frameType is KEYFRAME
Size of data = %d
Failed to %s (stream ID: %d)
Error while invoking %s (stream ID: %d)
tcUrl
No scope " %s " on this server.
Application at " %s " is currently shutting down.
Call of Service: = %s
Method: = %s
Num Params: %s
Pending Call of Service: = %s
Result == %s
Playing and resetting %s.
Started playing %s.
Stopped playing %s.
Seeking %d (stream ID: %d).
The stream doesn't support seeking.
Everyday %s
%s, %s
%s (day after)
%s (same day)
Scheduled_recording_%s
The recording "%s" is too long. It must be less than 10 hours long.
This recording has start or end time that overlaps recording "%s".
The scheduled recording time is longer than the maximum allowed recording time (Options -> Record -> Limit maximum recording time). The recording will be stopped after %s duration. Do you want to proceed?
%u:%.2u:%.2u.%.3u
%u:%.2u:%.2u
@device:sw:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\DV Video Encoder
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\ffds
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\mrle
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\m261
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\m263
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\fps1
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\yv12
%s (i420)
%s (iyuv)
Wrong video bitrate specified, must be from %d to %d
%d Hz, %lu kbps, %s
%d Hz, %s
%d x %d
Wrong video bitrate specified, must be from 24 to %d
WindowsMedia_Format
WindowsMedia_VideoCodec
WindowsMedia_VideoBitrate
WindowsMedia_SoundCodecIndex
WindowsMedia_SoundFormatIndex
WindowsMedia_VideoQuality
WindowsMedia_LiveSource
msvfw32.dll
hXXp://ffmpeg.org
avutil-52.nch.dll
swscale-2.nch.dll
avcodec-54.nch.dll
avformat-54.nch.dll
swresample-0.nch.dll
S.wpp
%d_%d.ts
%d.m3u8
#EXT-X-TARGETDURATION:%d
#EXT-X-MEDIA-SEQUENCE:%d
#EXTINF:%d,
v.clpi
"%s" - -
"%s" -s %d -d -w -
FAAD2 AAC/HE-AAC/HE-AACv2/DRM decoder (c) Nero AG, VVV.nero.com
"%s" -o raw
Copyright (C) 2000-2002 Michel Lespinasse <[email protected]>
Copyright (C) 1999-2000 Aaron Holtzman <[email protected]>
License terms for this component can be found at: hXXp://VVV.opensource.org/licenses/lgpl-license.php
"%s" %s - -
"%s" -C %d -R %d -b %d
"%s" -r
-b %d --cbr --nores --nchvideo - -
Ý% = Current Day
%SS% = Current Second
ddraw.dll
%s: %s
PublicPort
Eyeline Server: %s (over the Internet)
Eyeline Server: %s (on the local network)
Email: %s
Password: %s
help/password.html
Change Password
changepasswordchanged
Old Password:
New Password:
Reenter New Password:
The reentered new password does not match the first entry of the new password.
Invalid password. Please try again.
>Reset Password
lostpasswordsent
Please enter your email address. Your password will be reset and sent to you by email.
changepassword
lostpassword
<div%s style='color:#a00000; font-weight:bold; padding:0px 12px;'>%H</div><br>
<form id=dialogform action='%s' method=post
<tr class=dc><td%s>%H</td>
<tr><td style='font-size:x-small;'><label style='vertical-align: middle;'><input type=checkbox title='%H' id=%d%s name=%d%s%s style='vertical-align: middle;'/>%H</label></td><td style='text-align:right;'>
id=%d
<input type=submit name=submit value='%H' %s onclick='document.pressed=this.value' style='font-family: Arial,sans-serif; font-size: 10pt;'>
document.pressed=this.value
 <input type=submit name=submit value='%H' %s onclick='%s' style='font-family: Arial,sans-serif; font-size: 10pt;'>
<label for=%d>%H</label></td><td><input id=%d name=%d type=text value='%H' size=%d title='%s'>
<label for=%d>%H</label></td><td><input id=%d name=%d type=email value='%H' size=%d title='%H'>
<label for=%d>%H</label></td><td><input id=%d name=%d type=password value='%H' size=%d title='%H'>
<font size=-2><a id=%d name=%d href='%s' title='%H'>%H</a></font>
%H</td><td><input type=text name=%d id=%d value='%H' maxlength=15 size=15 style='font-family: Arial,sans-serif; font-size: 10pt;' title='%H'>
LWebletConnectionThread::ThreadFunction ProcessRecvBytes (post data) FAILED: sending %d bytes failed after %d seconds
Port
will not operate correctly because JavaScript is not enabled. Please consult your web browser's help for instructions on how to enable JavaScript.
Login
Login
Password:
Forgot your password?
Login failed. Please check you have the right password.
logon?onok=%U%?%s
<a href='%s' class=toptext%s>%H</a>  
Many web browsers do not allow http or https access to port %u.
Reserved Port Number
Test connection to port %u succeeded
Test connection to port %u failed
Passwords do not match
You must enter a password
webaccess
The current configuration has not been tested. Please click on the Run Web Routing and Test Wizard button to run the test.
%s%s%d
.sess
*.sess
Webserver cannot bind to TCP/IP port.
Some other program may be using port %d.
Decoding %s image
Encoding %s image
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_eyeline_rl_adm
C:\ProgramData\NCH Software\Eyeline\Logs
09:25:06
C:\ProgramData\NCH Software\Eyeline\Logs\2015-02-13 Eyeline Video Surveillance System Log.txt
Use SMTP to send email directly to the mail server
SMTP mail host:
Send directly to other side (work as own SMTP server)
A full list of our products can be found at our below website. This may help you to find another product that is more suitable for your needs.
Constrain Proportions
&ID - Key:
Press Key
Press a key or a key combination.
FTP Connection Test Results
You must have a webcam or a video input device to see live video on your computer.
If you have a webcam or a USB video capture device, please check it is plugged in now and press Try Again.
If you don't have a webcam or a video capture device, they are available online:
See recommended webcams
WebM Encoding Settings
Two Pass Encoding
Windows Media Encoding Settings
Local Port:
Public Port:
Webcam
Web Access
Run Web Routing and Test Wizard
Login Account
Confirm Password:
Back up recordings via FTP
FTP Server:
Password:
Run external exe
Eyeline.exe

eyeline.exe_1900:

.rdata
@.data
.rsrc
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
GetProcessWindowStation
USER32.DLL
operator
UxTheme.dll
dwmapi.dll
Authorization: Basic %s
/videostream.cgi
GET %s HTTP/1.0
Host: %s
User-Agent: %S
HTTP/
hXXp://%s%s
HTTP/1.1 200 OK
Server: Rex/10.0.0.3802
</tr><tr class=headerrow2><td class=headercopyright colspan=2>v 2.01 © NCH Software <a href='hXXp://VVV.nchsoftware.com/index.html' target=_blank>VVV.nchsoftware.com</a></td>
<meta name='viewport' content='width=device-width'>
</title><link href=s.css type='text/css' rel=stylesheet><link href=print.css type='text/css' media=print rel=stylesheet>
application/vnd.apple.mpegURL
%s%s%s
software=Eyeline&version=2.01&report=UINSTALL&text=%s-%s&language=en&platform=Win&extra1=%d%s
hXXp://%s/components/%s
user32.dll
hXXp://VVV.audiochannel.net/versions/components/%s.txt
%s%d%d%d
kernel32.dll
hXXp://cgi.nch.com.au/cgi-bin/regcheck.exe?cmd=v&id=%d&magic=%d&magicb=%d
tb_%s_us.dat
tb_%s_uk.dat
tb_%s_row.dat
hXXp://VVV.audiochannel.net/versions/components/%s
hXXp://VVV.nch.com.au/components/toolbars/NCH_Chrome.exe
hXXp://VVV.audiochannel.net/components/toolbars/NCH_Chrome.exe
hXXp://VVV.nch.com.au/components/toolbars/NCH_GoogleToolbar.exe
hXXp://VVV.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe
hXXp://VVV.audiochannel.net/versions/eyeline.txt
comctl32.dll
TaskDialogIndirect
software=Eyeline&version=2.01&report=COMMENT&text=COMMENT-%s&language=en&platform=Win
%s, %.2d %s 20%.2d %.2d:%.2d:%.2d %s%.2d%.2d
From: %s
To: %s
Subject: %s
Date: %s
X-Mailer: Eyeline VVV.nch.com.au/software
gc0p4Jq0M2Yt08jU534c%d
Content-Type: multipart/mixed; boundary=%s
Content-Type: %s; name="%s"
Content-Disposition: attachment; filename="%s"
--%s--
AUTH LOGIN
RCPT TO:<[email protected]>
USER %s
PASS %s
%s %s
STOR %s
MFMT dddddd %s
MLST %s
MLSD %s
LIST %s
SIZE %s
folder %s
http=
%s/%s
POST %s HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
HTTP/1.
c:\SourceCode\llib\include\../net/ssl.cpp
hXXp://cgi.nch.com.au/cgi-bin/pingme.exe?port=%d
hXXp://cgi.nch.com.au/cgi-bin/pingme.exe
<serviceType>urn:schemas-upnp-org:service:%s
<controlURL>
M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
239.255.255.250
<s:Envelope xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:%s xmlns:u="urn:schemas-upnp-org:service:%s">%s</u:%s></s:Body></s:Envelope>
POST %s HTTP/1.1
CONTENT-LENGTH: %d
SOAPACTION: "urn:schemas-upnp-org:service:%s#%s"
<NewRemoteHost></NewRemoteHost><NewExternalPort>%d</NewExternalPort><NewProtocol>%s</NewProtocol><NewInternalPort>%d</NewInternalPort><NewInternalClient>%s</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>Eyeline Video Surveillance System %s Redirection</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
AddPortMapping
User-Agent: %s
%dx%d
<script type='text/javascript' src='%s'></script>
function LAddEventListener(obj, evName, handler){if (!obj.addEventListener) obj.addEventListener = function(evtName, hand) { this.attachEvent('on'   evtName, hand); };
if (evName.substring(0, 2) == 'on') evName = evName.substring(2);
if (typeof handler == 'string') {obj.addEventListener(evName, function () { eval(handler); }, false);} else {obj.addEventListener(evName, function (e){if (!e) e = window.event;handler(e);}, false);}}
window.location = '%s';
document.cookie = '%s=%s; path=/%s';
<center>Your password has been changed.<p>Click <a href='main'>here</a> to return.</center>
<center>Your password has been reset and sent to your email address.<p>Click <a href="logon">here</a> to log on when you receive your password.</center>
function CmSubmit() {window.onbeforeunload = null;DisableSubmits(true);SimpleAjaxCall('%s', GetParams('dialogform')   'submit='   document.pressed, HandleAjaxJSReturn, function() { DisableSubmits(false); }, function() { DisableSubmits(false); }, 1200000);return false;}
function DisableSubmits(bDisable) {submits = document.getElementsByName('submit');for (i = 0; i < submits.length; i  ) {submits[i].disabled = bDisable;}}
<div id=dialogcontainer%s>
<table id=dialogcontainer border=0%s><tr><td>
onsubmit='return (%sCmSubmit())'
<table id=controltable style='border:#bbbbbb 1px solid; width:%s'>
<tr style='background-color:#fbfbfb;'><td colspan=2 style='%sborder-bottom: 1px solid #bbbbbb;'><table border=0>
function enablectls() {%s
function validatedata() {%s
LAddEventListener(window, 'onload', function() {setTimeout('document.getElementById(%d).focus();', 1)});
invalidNode = document.getElementById('invalidTag');if (invalidNode) {invalidRow = invalidNode.parentNode.parentNode;if (invalidRow.parentNode) {invalidRow.parentNode.removeChild(invalidRow);};while (invalidNode.firstChild) {invalidNode.removeChild(invalidNode.firstChild);}} else {invalidRow = document.createElement('tr');invalidCell = document.createElement('td');invalidCell.colSpan = 2;invalidNode = document.createElement('div');invalidNode.id = 'invalidTag';invalidNode.style.color = '#a00000';invalidRow.appendChild(invalidCell);invalidCell.appendChild(invalidNode);};invalidControl = document.getElementById("%s");if (invalidControl) {container = invalidControl.parentNode.parentNode.parentNode;invalidText = document.createTextNode("%s");invalidNode.appendChild(invalidText);while ((splitPos = invalidText.data.lastIndexOf('\n')) != -1) {var newTextNode = invalidText.splitText(splitPos);newTextNode.deleteData(0, 1);var br = document.createElement('br');invalidNode.insertBefore(br, newTextNode);}container.insertBefore(invalidRow, invalidControl.parentNode.parentNode);invalidControl.focus();}
window.scroll(0,0);
HTTP/1.1 404 Not Found
HTTP/1.1 304 Not Modified
%s, %.2d %s 20%.2d %.2d:%.2d:%.2d GMT
Content-Disposition: attachment; filename="%s"; filename*=UTF-8''%U
HTTP/1.1 416 Requested Range Not Satisfiable
HTTP/1.1 206 Partial Content
Content-Range: bytes %d-%d/%d
Content-Type: %s
%sCache-Control: %s
Last-Modified: %s
ETag: '%s'
WEBC
HTTP/1.1 501 Not Implemented
HTTP/1.1 500 Content Length Too Long
HTTP/1.1 302 Found
Location: %s
<html><head><title>Eyeline Video Surveillance System</title><link href=s.css type='text/css' rel=stylesheet><link href=print.css type='text/css' media=print rel=stylesheet>
<div class=contenttable%s%s>
registeredControl = document.getElementById('%s');
function JScript%s(evt) {%s
LAddEventListener(registeredControl, '%s', function(evt) {if (!evt.target) evt.target = evt.srcElement;
if (!JScript%s(evt)) return false;
var ajaxArgs = '';var elementId = evt.target.id;var nextArg = '';
nextArg = GetArg(document.getElementById('%s'));if (nextArg.length != 0) {ajaxArgs  = '&'   nextArg;nextArg = '';}
ajaxArgs  = '&MainControlId='   elementId;SimpleAjaxCall('%s', 'isComAJAX=1&'   ajaxArgs, HandleAjaxJSReturn);
CONNECT %s:%d HTTP/1.0
%d %d
?#%X.y
c:\SourceCode\eyeline\Release\eyeline.pdb
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeW
PeekNamedPipe
SetThreadExecutionState
GetProcessHeap
WaitNamedPipeW
CreatePipe
KERNEL32.dll
RegOpenKeyExW
RegCloseKey
CryptDeriveKey
RegQueryInfoKeyW
RegCreateKeyExW
RegSetKeySecurity
RegEnumKeyExW
RegDeleteKeyW
RegOpenKeyW
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GetViewportExtEx
SetViewportExtEx
GDI32.dll
acmDriverOpen
acmDriverEnum
acmDriverDetailsW
acmDriverClose
MSACM32.dll
ole32.dll
OLEAUT32.dll
SHFileOperationW
ShellExecuteW
ShellExecuteExW
SHELL32.dll
SHDeleteEmptyKeyW
SHDeleteKeyW
SHLWAPI.dll
GetKeyState
CreateDialogIndirectParamW
UnhookWindowsHookEx
MapVirtualKeyW
GetKeyNameTextW
SetWindowsHookExW
MsgWaitForMultipleObjects
USER32.dll
WINMM.dll
WS2_32.dll
NETAPI32.dll
GdiplusShutdown
GdipSetPenLineJoin
gdiplus.dll
MSIMG32.dll
iphlpapi.dll
WININET.dll
DNSAPI.dll
GetCPInfo
GetConsoleOutputCP
zcÁ
SShxr@
USSSh
j.hl?@
PSShhr@
F"PSSh
t%f=g
PSSSh
QPSSh
PSSSSSSh
SSShD
Fth4%C
FthL%C
Fthd%C
SSh`B@
SSh8pB
SShxpB
PVh.KI
SShxpC
PWSSh
SShr2
%Shv2
%Shy2
z<%uv
%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe
ssshhhWWW
-!.WF
2%SGE
(%xSK
/'//'77'/'
0777777777777777
7777777777777
77777777777
7777777
5'%%'%%;
'.ONKD@;
!%X=P
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"/>
<requestedExecutionLevel level="asInvoker" />
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--The ID below indicates app support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--The ID below indicates app support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates app support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
mhXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3277C77D7132E0118D16E72A4E8059DE" xmpMM:DocumentID="xmp.did:314D5A19534B11E0A6A5AAFBD55133F0" xmpMM:InstanceID="xmp.iid:314D5A18534B11E0A6A5AAFBD55133F0" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B6AAD5DF4A53E0118E8DE62C10C1BCAC" stRef:documentID="xmp.did:3277C77D7132E0118D16E72A4E8059DE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
?!z.RS
banner.jpg
stream.asf
stream.asx
asf.html
flash.html
hls.html
frame.jpg
stream.jpg
stream.html
live.html
Duration (hh:mm:ss.mmm)
%s\%s
Starting web server
%s (%s)
Stopping web server
BackupFTP
RunExternalExe
bgnetwork.lst
bgPTF.lst
bgrunexe.lst
bglogmd5.lst
bgemail.lst
VVV.nchsoftware.com/surveillance/index.html
VVV.nchsoftware.com/surveillance/support.html
hXXp://VVV.nch.com.au/software/bug.html?software=Eyeline&version=2.01
InstallingChrome
LaunchChromeOnInstall
hXXp://VVV.nchsoftware.com/software/thanks.html
Eyeline Video Surveillance System
hXXp://VVV.nchsoftware.com/software/rateit.html?software=Eyeline&appname=%s&version=2.01&rating=%d&buyoffer=eyeline&os=Win&lang=en&base=surveillance&domain=nchsoftware%s%s%s%s%s&instby=%s
hXXp://VVV.nchsoftware.com/software/thanksforusing.html
?software=Eyeline&appname=%s&version=2.01&base=surveillance&domain=nchsoftware&buyoffer=eyeline%s%s%s%s%s%s%s%s&instby=%s
&days=%d&runs=%d&rgst=%d
&usage=XX
%s v 2.01
%sFormat
%sAspectRatio
%sAspectRatioNum
%sAspectRatioDen
%sMPEG2Transport
%sVideoInputPin
%sAudioInputPin
Started by user: %s
Stopped by user: %s
Web camera %s open error. Unable to start %s. Please reconnect the camera.
Camera %s open error. Unable to restart. Please, reconnect the camera and restart it manually.
Device %s is unplugged.
Device %s is plugged back.
Web camera %s open error. Please reconnect the camera.
IP camera %s open error. Please, check your IP connection.
Camera %s open error.
msimg32.dll
%s: %d:%.2d:%.2d:%.3d
Eyeline Motion Detected: Êmera%, Úte% %time%
Email Template.txt
\\.\pipe\CAMERA%dSINK
Unable to initialize JPG output sink for the Web engine, device:
Unable to initialize Flash(High quality) output sink for the Web engine, device:
Unable to initialize Flash(Low quality) output sink for the Web engine, device:
%s %d
Recording from %s is started.
Recording from %s is stopped.
Duration: %s
File name: %s
Motion detecting on %s is started.
Motion detecting on %s is stopped.
%s\%d
Motion Detected for Camera %s at %s
Trial has expired. Cannot set initial state for camera: %s
Recording is disabled for camera: %s
Motion detection is disabled for camera: %s
%s %i %s %i %s
%s %i %s
TempWebcam
TempWebcamFormat
TempWebcamAspectRatio
TempWebcamVideoInputPin
TempWebcamAudioInputPin
Software\NCH Software\%s\Settings
Software\NCH Swift Sound\%s\Settings
"%s" %%s
hXXp://VVV.nch.com.au/components/%s.exe
Waiting for %s
Eyeline will continue when %s closes.
cftpsetup
ClassicFTP
Run ClassicFTP
Software\NCH Software\%s\Registration
hXXp://VVV.nch.com.au/suggestions/index.html?software=Eyeline&version=2.01
shell32.dll
%s\%s\%s
%s already exists.
-show -type data -label BACKUP -list "%s" -burn -exit
Program failed to launch. Please download and install manually from hXXp://VVV.nchsoftware.com/prism/index.html
UseSMTPHost
MailSMTPHost
SMTPAuthOn
SMTPUserName
SMTPPassword
WebServer
Software\Microsoft\Windows\CurrentVersion\Run
Click the "Add Camera" button to add your cameras and right click on the video windows for commands
MotDetExecuteCommand
Failed to connect to camera %s. Please check the camera settings or remove the camera.
Can't add camera %s to Eyeline for a scheduled task.
Due to a scheduled task, the camera %s is added to Eyeline.
Your scheduled recording '%s' has now stopped.
Your scheduled recording '%s' has now started - Duration: %s
Your scheduled recording '%s' has failed to start
This camera device %s has not been opened.
Open Web Access
Can't connect because the server isn't started. Would you like to open the Web Access options to start it?
hXXp://127.0.0.1:%d
Could not connect to camera %s
Camera %s is already present
Could not add camera %s
The camera '%s' is currently recording.
The camera '%s' will be removed.
Camera %s is removed.
Web camera %s open error. Camera settings are not available. Please reconnect the camera.
iFTPAdCount
ShowClassicFTPAd
C:\Windows\Media\notify.wav
Try Classic FTP File Transfer Software Now
For FTP software
%s %s %s.%s
Backup on %s created successfully
Attempting FTP Backup on:
FTPServer
FTPPassword
FTPUser
FTPDirectory
FTP Backup on %s created successfully
Unable to perform FTP backup on:
Could not FTP backup file:
File was removed from backup queue. Please manually FTP this file.
Could not log on to FTP Server for backup. Queued to try again.
Attempting to Run External Executable on:
ExternalExePath
"%s" "%s"
Could not run external executable for backup. Queued to try again.
Could not run the external exe for:
External EXE %s run successfully
MD5 Checksum is %s for file %s
MD5Log.txt
%.4d-%.2d %s
MD5 Checksum Logging for %s created successfully
Invalid URL
URL is invalid. Please try again.
%s %i
The user name and password of existing network camera "%s" are updated
Item %d
password
FTP Server is mandatory
FTP Username is mandatory
External EXE file path is mandatory
Application (*.exe)
*.exe
Choose external exe to run...
hXXp://VVV.nch.com.au/kb/10003.html
Wav File (*.wav)
*.wav
%s %s %s
PreviousServerPort
Eyeline Video Surveillance System Web Server
%s\%s\%u\%u.m3u8
%d-%d-%d %d-%d-%d %[^
d:d:d.d
-:-:-.=
%s:%s
Failed to process the HTTP headers
Invalid HTTP response
Server returned an error %d %S
<script type="text/javascript">function AnyChecked() {var elements = document.getElementsByTagName('input');for (i = 0; i < elements.length; i  ) {if ((elements[i].getAttribute('type') == 'checkbox') && (elements[i].getAttribute('name') == 'file')) {if (elements[i].checked) return true;}}return false;}function EnableSubmit(enable) {var elements = document.getElementsByTagName('input');for (i = 0; i < elements.length; i  ) {if ((elements[i].getAttribute('type') == 'submit') && (elements[i].getAttribute('value') == 'Delete')) {if (enable) elements[i].removeAttribute('disabled');else elements[i].setAttribute('disabled', 'disabled');return;}}}function CheckSubmit() {EnableSubmit(AnyChecked());}function CheckAll(check) {var elements = document.getElementsByTagName('input');for (i = 0; i < elements.length; i  ) {if (elements[i].getAttribute('type') == 'checkbox') elements[i].checked = check;}EnableSubmit(AnyChecked());}function DeleteMultiple() {if (!AnyChecked()) return;var elements = document.getElementsByTagName('input');var form = document.createElement('form');form.setAttribute('method', 'post');form.setAttribute('action', 'deletemultiple');var hiddenField = document.createElement('input');hiddenField.setAttribute('type', 'hidden');hiddenField.setAttribute('name', 'sess');form.appendChild(hiddenField);var sess = document.getElementsByName('deletemultiplesess')[0].getAttribute('value');hiddenField.setAttribute('value', sess);var iFileCount = 0;for (i = 0; i < elements.length; i  ) {if (elements[i].getAttribute('type') == 'checkbox' && elements[i].checked && elements[i].getAttribute('name') == 'file') {var hiddenField = document.createElement('input');hiddenField.setAttribute('type', 'hidden');hiddenField.setAttribute('name', 'file'   iFileCount);hiddenField.setAttribute('value', elements[i].getAttribute('value'));form.appendChild(hiddenField);iFileCount  ;}}var r = confirm("Are you sure you want to delete the selected files?");if (!r) return;document.body.appendChild(form);form.submit();}function DeleteSingle(name) {var r = confirm("Are you sure you want to delete "   name   " ?");if (!r) return;var form = document.createElement('form');form.setAttribute('method', 'post');form.setAttribute('action', 'deletemultiple');var hiddenField = document.createElement('input');hiddenField.setAttribute('type', 'hidden');hiddenField.setAttribute('name', 'sess');form.appendChild(hiddenField);var sess = document.getElementsByName('deletemultiplesess')[0].getAttribute('value');hiddenField.setAttribute('value', sess);var hiddenField = document.createElement('input');hiddenField.setAttribute('type', 'hidden');hiddenField.setAttribute('name', 'file0');hiddenField.setAttribute('value', name);form.appendChild(hiddenField);document.body.appendChild(form);form.submit();}function FormValidation() {var startdate = document.getElementsByName('startdate')[0].value;var enddate = document.getElementsByName('enddate')[0].value;if (startdate && !DateValidation(startdate)) return false;if (enddate && !DateValidation(enddate)) return false;return true;}function DateValidation(text) {var pattern =/^([0-9]{4})-([0-9]{2})-([0-9]{2})$/;text.replace(/ /g, '');if (pattern.test(text)) {var date = new Date(text);var day = text[8]   text[9];if ((Date.parse(text) > 0) && (Object.prototype.toString.call(date) === '[object Date]') && !isNaN(date.getTime()) && (date.getDate() == day)) {return true;} else {alert("Inserted date is invalid, please insert valid date in the format YYYY-MM-DD");return false;}}alert("Search dates must be in the format YYYY-MM-DD");return false;}</script>
<center><p><table width=100%% border=0 cellspacing=0><tr bgcolor=#426792><td width=1%%></td><td width="70%%" align=left><font color=#ffffff><b>%s</b></font></td><td align=right><font color=#ffffff>Image Stream</font></td><td width=1%%></td></tr></table><table width=100%% border=0 cellspacing=0>
<tr bgcolor=#%s><td width=1%%></td><td><a href="hXXp://%s/live.html?camera=%d">%s</a></td><td align=right><a href="hXXp://%s/stream.html?camera=%d">jpg</a></td><td width=1%%></td></tr>
<form action="main" method=post onSubmit="return FormValidation()"><input name=sess type=hidden value="%s"><input name=search type=hidden value=yes><table width=100%% border=0 cellspacing=0><tr bgcolor=#426792><td width=1%%></td><td><font color=#ffffff><b>Search Recordings</b></font></td><td></td><td width=1%%></td></tr><tr><td></td><td style="white-space:pre;">%s</td><td align=right><input name=startdate size=12 value="%s"></td><td></td></tr><tr><td></td><td style="white-space:pre;">%s</td><td align=right><input name=enddate size=12 value="%s"></td><td></td></tr><tr bgcolor=#426792><td></td><td></td><td align=right><input type=submit value=Search Again></td><td></td></tr></table></form><p><br>
00:00:00
23:59:59
<table width=100%% border=0 cellspacing=0><tr bgcolor=#426792><td width=1%%></td><td width=%d%% align=left><input type = "checkbox" title="Select All Recordings" onclick="CheckAll(this.checked);"><font color=#ffffff><b>Recordings</b></font></td>%s%s<td width=20%% align=right><font color=#ffffff>Operations</font></td><td width=1%%></td></tr></table><form action = "javascript: DeleteMultiple();" name = "deletemultiple"><input name=deletemultiplesess type=hidden value="%s">
<a href="play?file=%s">%s</a>
<a href="download?file=%s">%s *</a>
<td width=10%%>%s</td><td width=10%%></td>
<a href="download?file=%s">save</a>
<tr bgcolor=#%s><td width=1%%></td><td width=%d%%><input type="checkbox" name="file" value="%s" title="Select Recording" onclick=CheckSubmit();>%s</td>%s<td width=20%% align=right>%s<a href="#" onclick="DeleteSingle('%s');">delete</a></td><td width=1%%></td></tr>
<tr bgcolor=#426792><td width=1%%></td><td width=%d%%></td>%s%s<td width=20%% align=right><input type=submit %s value=Delete disabled="disabled"></td><td width=1%$=></td></tr></table></center></form>
<video controls autoplay src="download?file=%s"><p>Sorry, your browser does not support HTML5 video tag.</p></video></td>
var c = %d;
if (navigator.appVersion.indexOf("Mac") != -1) {
document.img.src = "stream.jpg?camera=%d";
return;}pl.onload=display;pl.src = "frame.jpg?camera=%d&id="   c;
document.img.src = pl.src;
setTimeout('updatelink()', %d);
pl.onload=display;onLoad=StartScreen();</script>
<div style="font-family: Arial,sans-serif;" onLoad="StartScreen();"><p><table width=100%% height=90%% cellpadding=0 cellspacing=0><tr><td align=center valign=center><img name="img" src="frame.jpg?camera=%d"></td></tr></table></div>
Eyeline Video Surveillance System Live %d
hasFlash = Boolean(new ActiveXObject('ShockwaveFlash.ShockwaveFlash'));
hasFlash = ('undefined' != typeof navigator.mimeTypes['application/x-shockwave-flash']);
if (!hasFlash) window.location.replace("hXXp://%s/%s?camera=%d")
%s:%d
hXXp://%s/nchplayer.swf?host=%s&scope=Eyeline&streamName=live&bandwidth=%d&src=%d&autostart=true
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="hXXp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0" width="480" height="385">
<param name="movie" value="%s">
<embed src="%s" width="480" height="385" allowfullscreen="true" quality="high" type="application/x-shockwave-flash" pluginspage="hXXp://VVV.adobe.com/go/getflashplayer"/>
<a href="hXXp://%s/live.html?camera=%d&speed=%d"><b>Switch to %s quality</b></a>
%s</td>
hXXp://%s/stream.asx?camera=%d
<object id="mediaplayer" classid="clsid:22d6f312-b0f6-11d0-94ab-0080c74c7e95" codebase="hXXp://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#version=5,1,52,701" standby="loading microsoft windows media player components..." type="application/x-oleobject" width="%u" height="%u">
<param name="filename" value="%s">
<embed src="%s" autostart="true" showcontrols="true" showstatusbar="true" bgcolor="white" width="%u" height="%u">
<script language="javascript" src="ajax.js"></script>
<TITLE>%s</TITLE>
<BANNER HREF = "hXXp://%s/banner.jpg">
<MOREINFO href = "hXXp://VVV.nch.com.au" />
<ABSTRACT>Click here to go to hXXp://VVV.nch.com.au</ABSTRACT>
<REF HREF = "hXXp://%s/stream.asf?camera=%d" />
<REF HREF = "mmsh://%s/stream.asf?camera=%d" />
Pragma%d
Content-Type: application/vnd.ms.wms-hdr.asfv1
Eyeline Video Surveillance System Live %s
if (!document.createElement('video').canPlayType('application/vnd.apple.mpegURL')) {
window.location.replace("hXXp://%s/stream.html?camera=%d")
<video id="live_stream" width="%d" height="%d" controls autoplay src="hXXp://%s/playlist.m3u8?camera=%d&quality=%s"> <p>Sorry, your browser does not support Live Streaming.</p> </video> <div id="messages"></div> </td>
<script type="text/javascript">var bCheck = true;var video = document.getElementById('live_stream');video.style.display = 'none';addMessage();function doTimer() {if (bCheck) {var httpRequest = getNewHttpObject();httpRequest.open("GET", "hXXp://%s/playlist.m3u8?camera=%d&quality=%s", false);httpRequest.send();if (httpRequest.status == 200) {bCheck = false;removeMessage();video.style.display = 'block';video.load();}}}setInterval("doTimer()", 2000);function addMessage() {var para = document.createElement('p');var node = document.createTextNode('Loading the stream, please wait.');para.setAttribute("id","loading_message");para.appendChild(node);document.getElementById('messages').appendChild(para);}function removeMessage() {var child = document.getElementById('loading_message');document.getElementById('messages').removeChild(child);}function getNewHttpObject() {var objType = false;try {objType = new ActiveXObject('Msxml2.XMLHTTP');} catch(e) {try {objType = new ActiveXObject('Microsoft.XMLHTTP');} catch(e) {objType = new XMLHttpRequest();}}return objType;}</script>
%s\%s\%d\%d.m3u8
Enter your password. If you have forgotten what it is, please click Forgot your password.
help/login.html
><div class=headernavlinks style='font-size: 16pt; line-height: 44px; margin-top: 3px'>%s</div>
<td class=headernavlinks>%s</td>
<tr class=headerrow1 style='height: %spx'><td class=headerapp style='font-size: %spt; cursor: pointer; cursor: hand' onclick="document.location='main'" title='Click to go to the Main Page'>%H</td>
<style type='text/css'>%s</style>
This is the resolution of the output video. Only certain pre-defined values are permitted.
Windows Media Video 9
Windows Media Video 8
Windows Media Video 7
32 bit support
WebCam JPEG
Application.GC
Application.Shutdown
Application.Resource.LowMemory
Application.Script.Warning
Application.Script.Error
NetStream.Data.Start
NetStream.Unpause.Notify
NetStream.Pause.Notify
NetStream.Seek.Failed
NetStream.Seek.Notify
NetStream.Play.Complete
NetStream.Play.Switch
NetStream.Play.UnpublishNotify
NetStream.Play.PublishNotify
NetStream.Play.Reset
NetStream.Play.Stop
NetStream.Play.StreamNotFound
NetStream.Play.Start
NetStream.Play.InsufficientBW
NetStream.Record.Failed
NetStream.Record.Stop
NetStream.Record.NoAccess
NetStream.Record.Start
NetStream.Unpublish.Success
NetStream.Failed
NetStream.Publish.BadName
NetStream.Publish.Start
NetStream.Clear.Failed
NetStream.Clear.Success
NetStream.InvalidArg
NetConnection.Connect.InvalidApp
NetConnection.Connect.Success
NetConnection.Connect.Rejected
NetConnection.Connect.Failed
NetConnection.Connect.Closed
NetConnection.Connect.AppShutdown
NetConnection.Call.BadVersion
NetConnection.Call.Failed
@device:sw:{860BB310-5D01-11D0-BD3B-00A0C911CE86}\{00CADAC6-7EA1-418B-8DDD-DF8510030101}
Speex ACM Codec xiph.org
(unverified) For the Record - hXXp://VVV.fortherecord.com
Aureal Semiconductor RAW SPORT
Windows Media Audio Lossless V9
Windows Media Audio Professional V9
Windows Media Audio V2 V7 V8 V9 / DivX audio (WMA) / Alex AC3 Audio
Windows Media Audio V1 / DivX audio (WMA)
Sipro Lab Telecom ACELP.KELVIN
Sipro Lab Telecom ACELP.net
Microsoft Windows Media, RT Voice
Compaq Computer VSELP (codec for Windows CE 2.0 devices)
Classic FTP Software
tar.gz
hXXp://VVV.nchsoftware.com/goldenvideos/
hXXp://VVV.nchsoftware.com/broadcam/
hXXp://VVV.nch.com.au/soundtap/
hXXp://VVV.nch.com.au/recordpad/
hXXp://VVV.nch.com.au/golden/
hXXp://VVV.nch.com.au/talk/
hXXp://VVV.nch.com.au/rip/
hXXp://VVV.nchsoftware.com/invoice/
hXXp://VVV.nchsoftware.com/accounting/
hXXp://VVV.nch.com.au/express/
hXXp://VVV.nchsoftware.com/capture/
hXXp://VVV.nchsoftware.com/classic/
Classic FTP
hXXp://VVV.nchsoftware.com/zip/
hXXp://VVV.nchsoftware.com/documentconvert/
hXXp://VVV.nchsoftware.com/imageconverter/
hXXp://VVV.nchsoftware.com/prism/
hXXp://VVV.nch.com.au/switch/
hXXp://VVV.nchsoftware.com/slideshow/
hXXp://VVV.nch.com.au/wavepad/
hXXp://VVV.nchsoftware.com/videopad/
hXXp://VVV.nch.com.au/scribe/
hXXp://VVV.nch.com.au/mixpad/
hXXp://VVV.nchsoftware.com/encrypt/
hXXp://VVV.nch.com.au/ivm/
hXXp://VVV.nch.com.au/ims/
hXXp://VVV.nch.com.au/burn/
Portable Anymap
Portable Network Graphics
Joint Photographic Experts Group
.wbmp
.tiff
.jpeg
{2318C2B1-4965-11d4-9B18-009027A5CD4F}
FTP file transfers
Upload your website using ftp
Manage stock, procurements and reporting
Track and Report Income and Expenditures
Zulu Disc Jockey Software
Clean and optimize your Windows registry by removing the old and damaged data that is bogging down your computer performance.
Voxal is a real time voice changing program. Change your voice live through speakers, in softphone calls, or any application or game that uses a microphone.
twelvekeys
TwelveKeys Music Transcription
Universal audio converting software supports all popular audio formats including mp3, wma, wav, midi, m4a, and more. Use it to convert and compress sound files.
Orion finds and recovers deleted files on hard drives, external and portable drives. Or use the drive scrubber to ensure deleted files can't be recovered.
Key Blaze Typing Tutor Software
A powerful FTP client that integrates with Windows Explorer for manual or automatic file uploading, or sync/mirror files and folders via FTP.
Fling FTP Sync Software Client
Easy to use file backup software to automatically back up critical data to CD, DVD, Blu-ray or a remote FTP server. Don't take chances with your valuable data.
Use this text expansion software to create keyboard shortcuts that will expand to an entire word, sentence, paragraph or document. A useful time saving tool.
Digital dictation software to record and send dictation for transcription directly from your computer, or dock and send dictation from a portable device.
Professional accounting software to manage and report business income and expenses, sales, invoices and payments. Great for small and medium-sized companies.
Easy to use video recording software lets you capture and record video from a webcam, your computer screen, an external video device or online streaming video.
Easy and reliable FTP client software. View, edit, upload, download, delete and otherwise manage files on a remote server, website or network.
Classic FTP - FTP Client Software
Use your PC to broadcast live or recorded video from a webcam, computer screen or video input device. Video streams will play in all popular web browsers.
Debut is a reliable video recording program for capturing video with a webcam or video input, and is a screen recorder to record almost anything on your screen.
Prism is a program for Windows that lets you convert video files from one format to another.
InstallReport
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=eyeline&source=softwaretrial
mhXXp://VVV.nchsoftware.com
A full list of our products can be found at the below website. You may find another product that is more suitable for your needs.
/InternetRepo/nch_com_au/components/x264enc6.exe
nchplayer.swf
favicon.ico
greybg.gif
darkblue.gif
downsort.gif
upsort.gif
table.js
ajax.js
s.css
print.css
software\microsoft\windows\currentversion\app paths\%s
Eyeline-%d-%d
eyeline.exe
%d:%d:%d
%d-%d-%d
Global\%s
Software\Classes\%s
*.dat
hXXp://VVV.nch.com.au/upgrade/index.html?software=eyeline&upgradeid=%d&upgradekey=%s
hXXp://VVV.nch.com.au/activate/index.html?code=%s
VVV.nchsoftware.com/surveillance
hXXp://%s
splash.jpg
%d.%d.%d.%d
%d.%d.%d.%d:%d
Password
Eyeline Video Surveillance System.lnk
NCH Software.lnk
NCH Suite.lnk
Software\Microsoft\Windows\CurrentVersion\Uninstall\Eyeline
URLInfoAbout
URLUpdateInfo
Software\Microsoft\Windows\CurrentVersion
hXXp://cgi.nch.com.au/cgi-bin/report.exe
uninst.exe
Uninstall is complete. If you need to reinstall this software again you can download it from VVV.nchsoftware.com.
Software\NCH Software\Components\%s
\\.\pipe\%s
Special discount pricing ends on the 15th of %s.
Special discount pricing ends at the end of %s.
88:88:88
hXXp://VVV.nch.com.au/suggestions/index.html?software=Eyeline&version=2.01%s%s
hXXp://VVV.nchsoftware.com/software/newsletter.html?software=Eyeline&version=2.01%s%s
hXXp://VVV.nchsoftware.com/software/video.html
hXXp://VVV.facebook.com/NCHSoftware
hXXp://twitter.com/nchsoftware
hXXps://plus.google.com/ nchsoftware
hXXp://VVV.facebook.com/sharer/sharer.php?u=%s
hXXp://VVV.twitter.com/?status=%U%s
hXXps://plusone.google.com/_/ 1/confirm?hl=en&url=%s
hXXp://VVV.stumbleupon.com/submit?url=%s&title=NCH Software
hXXp://VVV.linkedin.com/shareArticle?url=%s&title=NCH Software&mini=true
%s by NCH Software%s%s
- Licensed to %s
Unsupported
%d x %d [%s], %.2lf fps, %s
%d x %d, %.2lf fps, %s
Restarting web server
Windows CE
LRTMPNumber == %f
LRTMPBoolean == %s
LRTMPString == %s
"%s" -uninstall
eyelinesetup_v2.01.exe
Software\NCH Software\Eyeline\%s
Global\NCHSharedEvent%d
-LQUIET -instby %sEyeline
-installcomponent "%s" %d
audiochannel.net
VVV.nch.com.au
An install-on-demand component could not be installed automatically. Please run it from the URL below then try again.
%s=%s
_eyeline_rl_%s
Report Bug
Would you be willing to complete an NCH Software Bug Report so our programmers can try to fix this? Please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.
hXXp://VVV.nch.com.au/software/bug.html?software=Eyeline&version=2.01&xi=AbTermOrHang-Win%d%d
Win%d%d
Ukn0(Msg%dLstCmd%d)
(Cmd%d)
%s-%s-%s-%s
dbghelp.dll
XI: %s
Abnormal Execution Problem
Would you be willing to complete a NCH Software Bug Report so our programmers can try to fix this? If so, please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.
hXXp://VVV.nch.com.au/software/bug.html?software=Eyeline&version=2.01&xi=GUI-%s
%d-%d-%%d
Please check you have exited any previous running instances of Eyeline Video Surveillance System and any other programs that might be using the file "%s". Then run the installer again.
Installation cannot be completed because the file "%s" cannot be written to.
Please read the following important information before continuing.
c:\program files (x86)\
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s\UserChoice
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s
explorer.exe
Advapi32.dll
W"%s" %s
explorer.exe "%s"
hXXp://VVV.nchsoftware.com/%s.html
hXXp://VVV.nch.com.au/%s.html
hXXp://VVV.nch.com.au/kb/%d.html
.html
hXXp://help.nchsoftware.com/help/en/eyeline/win/%s.html
%.4d-%.2d-%.2d Eyeline Video Surveillance System Log.txt
TwelveKeys
twelvekeyssetup
KeyBlaze
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=eyeline&version=2.01%s%s%s%s%s%s%s%s&instby=%s
hXXp://VVV.nchsoftware.com/software/registered.html?software=%s&appname=%s&version=2.01&base=surveillance&domain=nchsoftware%s%s%s%s%s%s%s
ID - Key:
%s-%s
hXXp://VVV.nch.com.au/upgrade/index.html
%s Registration Code:
Register %s
Click here if you have not activated your 12-digit serial number online and have not received an ID-Key.
If you have already activated your serial number online, check your email for the ID-key. Then, click here to enter your ID-Key.
The code that you have entered is a license serial number. You must activate your serial number online to receive the ID-Key needed to register this software.
ID-Key is required to complete the registration.
Old Version Key
- You are using the correct ID and key for the correct product. Only the ID and key for Eyeline Video Surveillance System will be accepted.
support/reg
registration.txt
Name: %s
Location: %s
ID - Key: %d - %s
-clear -label "Eyeline Video Surveillance System Installer" -type data "%s" "%s"
Validate Key
Key cannot be validated. Please connect to the internet and try again.
Click here to go to the NCH Software website to view the latest pricing
2014-07-01
nch.com.au
nchsoftware.com
hXXp://VVV.%s/%s
%s [Recommended]
Google Chrome, a faster way to browse the web
Free games, themes and utilities from the Google Chrome Store
Why people choose Chrome:
Install Google Chrome as my default browser
Google Toolbar makes web browsing more convenient:
Search from any website
Translate web pages instantly
hXXp://VVV.google.com/toolbar/ie/partnereula.html?hl=en
hXXp://VVV.google.com/accounts/TOS?hl=en
hXXp://VVV.google.com/intl/en/privacy/privacy-policy.html
By installing this application, you agree to the Google Chrome
By installing this application, you agree to the Google Chrome
hXXp://VVV.google.com/chrome/intl/en/eula_text.html
hXXp://VVV.google.com/chrome/intl/en/privacy.html
reject-chrome
Automatic download of the install-on-demand component "%s" failed.
The website will now be opened where you can download it manually.
Open Website
-installrelated %x -toolbar %x
NCH Software\Eyeline%s
Eyeline%s
%sT%s
Click to install and run %s
Click to run %s
Eyeline Video Surveillance System cannot launch the program required to perform the selected task. Please go to nch.com.au/software to download it and try again.
hXXp://VVV.nchsoftware.com/software/index.html
hXXp://VVV.nchsoftware.com/software/newsletter.html%s%s
hXXps://secure.nch.com.au/cgi-bin/register.exe%s%s
hXXp://cgi.nch.com.au/cgi-bin/search.exe?q=%s&site=VVV.nch.com.au%s%s
Click to visit our website
File does not exist: %s
Not enough memory available to load %s
Cannot open xml file: %s
(EOF) Element <%s> should be terminated with </%s>. Check you have terminated your element properly.
Tag <%s> does not have a closing '>'
Misplaced </%s> which does not match a <%s>.
Element <%s> should be terminated with </%s>, was with %s. Check you have terminated your element properly.
Ln %d, Col %d: %s
%s\shell\open\command
http\shell\open\command
iexplore.exe
iexplorer.exe
firefox.exe
chrome.exe
Installing Google Chrome
The Google Chrome installer could not be downloaded.
ChromeRequiresLaunch
ChromeEyeline
software\Google\No Chrome Offer Until
NCH_Chrome.exe
Sorry, Chrome was not installed because of some problems encountered during the installation process.
cnm-%X
Chrome
NCH_GoogleToolbar.exe
gnm-%X
chrome-google
chrome
Install Google Chrome - Free
Get Chrome to View Help Files
We recommend Google Chrome as the preferred viewer for our help pages.
Google Chrome is free and fast.
"%s" -logon
-setautorun %s
"%s" -service
-setaccount "%s" "%s"
\\.\pipe\EyelineService
Please enter the new account password here.
Services cannot be run as an account without a password.
Please use an user account that has a password or add a password to the user account if you would like to use it to run the service.
Unable to set the service account. Check user name or password. The user name can be in the form Domain\Account if a Domain is required. You must be running this program as Administrator.
%%.ß
%s%sshmf%ii.bin.tmp
Loading %s
The file format is not supported.
Saving %s
Certain parts of this software fall under the Little CMS License:
Portions of this software are Copyright (c) 1998-2011 Marti Maria Saguer.
Certain parts of this software fall under the LibJPEG License:
Technical Support Page
Send Bug Report
About %s
This version 2.01 of Eyeline Video Surveillance System will only work on Windows 8.1 or earlier. A newer version is available for download on VVV.nchsoftware.com.
%s%*c
Software\NCH Software\%s
Software\NCH Swift Sound\%s
Quick Install-on-Demand %s
-extsuite %s
-extfind %s
Software\Classes\.%s
software\microsoft\windows\currentversion\explorer\fileexts\.%s\userchoice
%sfile
%s\shell
%s\shell\open
"%s" -extfind %s "%%L"
%s\DefaultIcon
%SystemRoot%\system32\shell32.dll,19
Software\Classes\%s\Shell\%s\command
Software\Classes\%s\Shell\%s
Software\Classes\%s\Shell
hXXp://VVV.nchsoftware.com/index.html
An install-on-demand tool (%s) is required for this operation.
hXXp://VVV.nch.com.au/kb/10271.html
Run %s
NCH Software\%s\%s.exe
NCH Swift Sound\%s\%s.exe
%s "%s"
Software\Classes\%s\shell\open\command
Software\Classes\%s\shell
Software\Classes\%s\shell\open
Software\Classes\%s\DefaultIcon
%s%s%s%s
Report a Problem
Click here if you would like to report a problem with Eyeline Video Surveillance System.
If you find any problems with this release please let us know by reporting them.
hXXp://VVV.nch.com.au/software/bug.html?software=Eyeline&version=2.01&xi=Service-%s
%s Home Page
%s v 2.01
Distributed by %s
Licensed User: %s
Col%d
Using SMTP is recommended to avoid email being junked.
e.g., mail.myisp.net
e.g., [email protected]
If you choose SMTP you must enter a valid reply-to address. Enter your email address.
If you choose SMTP you must enter an SMTP mail host. Call your ISP if you don't know what your SMTP mail host is.
If your SMTP server requires authentication, you must enter a SMTP username to connect to your server.
Password Required
If your SMTP server requires authentication, you must enter a valid SMTP password to connect to your server.
Unable to connect to mail server "%s" when sending an email to "%s".
Unable to connect to either mail server "%s" or the mail server at "%s".
Unable to connect to mail server "%s".
Mail host server error (HELO not accepted, error code 504) for destination email %s - usually this means the email address is not valid.
Mail host server error (HELO not accepted): %d emailto: %s
Email authentication username or password not accepted
Eyeline@%s
Mail host server error (MAIL FROM not accepted). Please check your Email Settings.%s - (%d - %s)
Error while trying to send email. Email address may be wrong or your SMTP server may require a username or password. Please check address again and see Email Settings.
The recipient's email server does not allow email to be received in this manner. Please use an SMTP account for sending email to this address. emailto: %s mailhost: %s
The recipient's email server rejected this email because of an unspecified reason. Try using an SMTP account for sending email to this address.
Mail host server error (data terminator not accepted) emailto: %s mailhost: %s error: %d
Checking SMTP Settings
Mail host server error (HELO not accepted): %d
Mail host server error (MAIL FROM not accepted). Please check your Email Settings. (%d)
Email address may be wrong or your SMTP server may require a username or password.
Sending Email: %s
This FTP server does not support the required protected mode data transfers for SSL connections.
%s: %2.0f%%
%s/microsoft/windows mail/local folders/%s
SMTP_Server
SMTP_Email_Address
00000001
Software\Microsoft\Internet Account Manager\Accounts\%s
SMTP Email Address
SMTP Server
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\%s
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
%s\%s\d
%s\Thunderbird
%s\profiles.ini
%s\%s\prefs.js
mail.accountmanager.defaultaccount
mail.account.%s.identities
mail.identity.%s.useremail
mail.smtp.defaultserver
mail.smtpserver.%s.hostname
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Eudora.exe
deudora.ini
eudora.ini
%s\Qualcomm\Eudora\eudora.ini
SMTPServer
Windows Mail
Mozilla Thunderbird
.127.0.0.1
LTCPListener
HNetCfg.HNetShare.1
-firewall %s %d "%s"
libeay32.dll
ssleay32.dll
%s [%s]
Eyeline Video Surveillance System TCP/IP Port
Connection test failed. Please check your firewall settings that it is not blocking TCP/IP port %d.
uPNP Router Control Port
Connection test failed. Please check router's firewall is not blocking TCP/IP port %d and your computer firewall is not blocking port %d.
Router uPNP Disabled. Please log into your router and add TCP/IP port forwarding from public port %d to %s port %d or enable uPNP and try again.
Router configuration required. Please log into your router and add TCP/IP port forwarding from public port %d to %s port %d.
%d Hz, %d Bits, %s
Windows Media Audio V1
Windows Media Audio V2
ACELP.net
%d:%.2d:%.2d
%d:%.2d:%.2d.%.3d
wmvcore.dll
hXXp://VVV.altoedge.com/usbcapture/video.html
hXXp://VVV.altoedge.com/usbcapture/webcams.html
NCHScreenCapture %d %d %d %d %lf %d %d %d %d %d %d %d
NCHIPCamrCapture&url=%s
&user=%s
&password=%s
Can't understand response: %s
Server had an issue %d: %s
Server didn't gave an image but a web page instead.
Server is displaying a format that can not be understood. %s
Web server stop responding.
Web server gave a frame that couldn't be decoded.
Couldn't read from the web server
.dvr-ms
@device:sw:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\ffdshow video encoder
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\iyuv
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\i420
Ping: value1 == %d, value2 == %d, value3 == %d, value4 == %d
Stream Name is %d
ChunkSize: nSize == %d
Audio ts: %d
StreamBytesRead: nBytesRead == %d
ServerBW: nBandwidth == %d
ClientBW: nBandwidth == %d, nValue2 == %d
%s.%s
%s = %s
ConnectionParams: %s
Size of data = %d
Video ts: %d
Attemption frameType is KEYFRAME
Size of data = %d
Failed to %s (stream ID: %d)
Error while invoking %s (stream ID: %d)
tcUrl
No scope " %s " on this server.
Application at " %s " is currently shutting down.
Call of Service: = %s
Method: = %s
Num Params: %s
Pending Call of Service: = %s
Result == %s
Playing and resetting %s.
Started playing %s.
Stopped playing %s.
Seeking %d (stream ID: %d).
The stream doesn't support seeking.
Everyday %s
%s, %s
%s (day after)
%s (same day)
Scheduled_recording_%s
The recording "%s" is too long. It must be less than 10 hours long.
This recording has start or end time that overlaps recording "%s".
The scheduled recording time is longer than the maximum allowed recording time (Options -> Record -> Limit maximum recording time). The recording will be stopped after %s duration. Do you want to proceed?
%u:%.2u:%.2u.%.3u
%u:%.2u:%.2u
@device:sw:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\DV Video Encoder
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\ffds
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\mrle
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\m261
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\m263
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\fps1
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\yv12
%s (i420)
%s (iyuv)
Wrong video bitrate specified, must be from %d to %d
%d Hz, %lu kbps, %s
%d Hz, %s
%d x %d
Wrong video bitrate specified, must be from 24 to %d
WindowsMedia_Format
WindowsMedia_VideoCodec
WindowsMedia_VideoBitrate
WindowsMedia_SoundCodecIndex
WindowsMedia_SoundFormatIndex
WindowsMedia_VideoQuality
WindowsMedia_LiveSource
msvfw32.dll
hXXp://ffmpeg.org
avutil-52.nch.dll
swscale-2.nch.dll
avcodec-54.nch.dll
avformat-54.nch.dll
swresample-0.nch.dll
S.wpp
%d_%d.ts
%d.m3u8
#EXT-X-TARGETDURATION:%d
#EXT-X-MEDIA-SEQUENCE:%d
#EXTINF:%d,
v.clpi
"%s" - -
"%s" -s %d -d -w -
FAAD2 AAC/HE-AAC/HE-AACv2/DRM decoder (c) Nero AG, VVV.nero.com
"%s" -o raw
Copyright (C) 2000-2002 Michel Lespinasse <[email protected]>
Copyright (C) 1999-2000 Aaron Holtzman <[email protected]>
License terms for this component can be found at: hXXp://VVV.opensource.org/licenses/lgpl-license.php
"%s" %s - -
"%s" -C %d -R %d -b %d
"%s" -r
-b %d --cbr --nores --nchvideo - -
Ý% = Current Day
%SS% = Current Second
ddraw.dll
%s: %s
PublicPort
Eyeline Server: %s (over the Internet)
Eyeline Server: %s (on the local network)
Email: %s
Password: %s
help/password.html
Change Password
changepasswordchanged
Old Password:
New Password:
Reenter New Password:
The reentered new password does not match the first entry of the new password.
Invalid password. Please try again.
>Reset Password
lostpasswordsent
Please enter your email address. Your password will be reset and sent to you by email.
changepassword
lostpassword
<div%s style='color:#a00000; font-weight:bold; padding:0px 12px;'>%H</div><br>
<form id=dialogform action='%s' method=post
<tr class=dc><td%s>%H</td>
<tr><td style='font-size:x-small;'><label style='vertical-align: middle;'><input type=checkbox title='%H' id=%d%s name=%d%s%s style='vertical-align: middle;'/>%H</label></td><td style='text-align:right;'>
id=%d
<input type=submit name=submit value='%H' %s onclick='document.pressed=this.value' style='font-family: Arial,sans-serif; font-size: 10pt;'>
document.pressed=this.value
 <input type=submit name=submit value='%H' %s onclick='%s' style='font-family: Arial,sans-serif; font-size: 10pt;'>
<label for=%d>%H</label></td><td><input id=%d name=%d type=text value='%H' size=%d title='%s'>
<label for=%d>%H</label></td><td><input id=%d name=%d type=email value='%H' size=%d title='%H'>
<label for=%d>%H</label></td><td><input id=%d name=%d type=password value='%H' size=%d title='%H'>
<font size=-2><a id=%d name=%d href='%s' title='%H'>%H</a></font>
%H</td><td><input type=text name=%d id=%d value='%H' maxlength=15 size=15 style='font-family: Arial,sans-serif; font-size: 10pt;' title='%H'>
LWebletConnectionThread::ThreadFunction ProcessRecvBytes (post data) FAILED: sending %d bytes failed after %d seconds
Port
will not operate correctly because JavaScript is not enabled. Please consult your web browser's help for instructions on how to enable JavaScript.
Login
Login
Password:
Forgot your password?
Login failed. Please check you have the right password.
logon?onok=%U%?%s
<a href='%s' class=toptext%s>%H</a>  
Many web browsers do not allow http or https access to port %u.
Reserved Port Number
Test connection to port %u succeeded
Test connection to port %u failed
Passwords do not match
You must enter a password
webaccess
The current configuration has not been tested. Please click on the Run Web Routing and Test Wizard button to run the test.
%s%s%d
.sess
*.sess
Webserver cannot bind to TCP/IP port.
Some other program may be using port %d.
Decoding %s image
Encoding %s image
C:\ProgramData\NCH Software\Eyeline\Logs
Use SMTP to send email directly to the mail server
SMTP mail host:
Send directly to other side (work as own SMTP server)
A full list of our products can be found at our below website. This may help you to find another product that is more suitable for your needs.
Constrain Proportions
&ID - Key:
Press Key
Press a key or a key combination.
FTP Connection Test Results
You must have a webcam or a video input device to see live video on your computer.
If you have a webcam or a USB video capture device, please check it is plugged in now and press Try Again.
If you don't have a webcam or a video capture device, they are available online:
See recommended webcams
WebM Encoding Settings
Two Pass Encoding
Windows Media Encoding Settings
Local Port:
Public Port:
Webcam
Web Access
Run Web Routing and Test Wizard
Login Account
Confirm Password:
Back up recordings via FTP
FTP Server:
Password:
Run external exe
Eyeline.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    GoogleUpdate.exe:1996
    GoogleUpdate.exe:1960
    GoogleUpdate.exe:3008
    GoogleUpdate.exe:4028
    GoogleUpdate.exe:1808
    ffmpeg16.exe:3088
    NCH_GoogleToolbar.exe:860
    googletoolbarinstaller_en_signed.exe:3328
    GoogleUpdaterService_B33FC4DD36A473C6.exe:3800
    GoogleUpdateSetup_latest.exe:1228
    nchsetup.exe:1656
    nchsetup.exe:264
    regsvr32.exe:3852
    GoogleToolbarManager_8CA8B41417E66DEB.exe:3452
    GoogleToolbarManager_8CA8B41417E66DEB.exe:3972
    GoogleToolbarManager_8CA8B41417E66DEB.exe:3960
    GoogleToolbarNotifier.exe:3840
    GoogleToolbarNotifier.exe:3880
    GoogleUpdaterService.exe:3860
    GoogleUpdaterService.exe:3820
    eyeline.exe:2824
    eyeline.exe:108
    eyeline.exe:2100
    eyeline.exe:2176
    eyeline.exe:1900
    %original file name%.exe:1632
    x264enc6.exe:1676
    SearchWithGoogleUpdate_C993F490EED40C1B.exe:3832

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Program Files% (x86)\Google\Update\Install\{240D2921-958E-4DFC-A1AE-1CB4B1E42CE2}\googletoolbarinstaller_en_signed.exe (38734 bytes)
    %Program Files% (x86)\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\0.0.0.0\googletoolbarinstaller_en_signed.exe (38249 bytes)
    C:\Windows\Temp\gui3D8D.tmp (15 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_en.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdate.dll (835 bytes)
    C:\Windows\Temp\250D.tmp (2 bytes)
    %Program Files% (x86)\NCH Software\Components\ffmpeg16\swscale-2.nch.dll (6720 bytes)
    %Program Files% (x86)\NCH Software\Components\ffmpeg16\swresample-0.nch.dll (2712 bytes)
    %Program Files% (x86)\NCH Software\Components\ffmpeg16\avcodec-54.nch.dll (85319 bytes)
    %Program Files% (x86)\NCH Software\Components\ffmpeg16\avformat-54.nch.dll (17751 bytes)
    %Program Files% (x86)\NCH Software\Components\ffmpeg16\avdevice-54.nch.dll (22 bytes)
    C:\Windows\Temp\25FB.tmp (6 bytes)
    %Program Files% (x86)\NCH Software\Components\ffmpeg16\avfilter-3.nch.dll (8368 bytes)
    C:\Windows\Temp\260D.tmp (33 bytes)
    C:\Windows\Temp\25FC.tmp (146 bytes)
    %Program Files% (x86)\NCH Software\Components\ffmpeg16\avutil-52.nch.dll (4232 bytes)
    C:\Windows\Temp\258C.tmp (82 bytes)
    C:\Windows\Temp\257C.tmp (439 bytes)
    C:\Windows\Temp\25EB.tmp (88 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjFC88.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_latest.exe (25250 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe (620 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar.7.5.5111.1712.manifest.xml (36 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll (2 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_C993F490EED40C1B.exe (50 bytes)
    C:\Windows\System32\config\SOFTWARE (77691 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_F8ED9B719A89F8EF.dll (489 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_8E471B27054D20F5.dll (149 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_365102BD7F6C8091.dll (390 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe (801 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll (50 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller2.log (43974 bytes)
    C:\$Directory (288 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_8CA8B41417E66DEB.exe (50 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_54BD4059920ABC8A.dll (514 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe (1480 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe (390 bytes)
    C:\Windows\System32\config\SOFTWARE.LOG1 (72244 bytes)
    %Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (390 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_el.dll (30 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_vi.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_hi.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_da.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_uk.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_nl.dll (30 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_ko.dll (23 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_zh-CN.dll (21 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_sw.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_mr.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_pt-PT.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_it.dll (30 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_pt-BR.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_es-419.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_ja.dll (24 bytes)
    %Program Files% (x86)\GUM1E4.tmp\GoogleUpdateHelper.msi (25 bytes)
    %Program Files% (x86)\GUM1E4.tmp\npGoogleUpdate3.dll (838 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_fr.dll (30 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_ml.dll (31 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_fil.dll (30 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_sl.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_en-GB.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\GoogleUpdate.exe (234 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_ar.dll (26 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_ms.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_th.dll (27 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_bn.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_hu.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_is.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\GoogleUpdateSetup.exe (5441 bytes)
    %Program Files% (x86)\GUM1E4.tmp\GoogleCrashHandler64.exe (550 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_fi.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_hr.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\psmachine.dll (159 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_ca.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_ur.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\GoogleCrashHandler.exe (212 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_sr.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_de.dll (31 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_iw.dll (26 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_sv.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_lt.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_zh-TW.dll (21 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_tr.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_te.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_pl.dll (30 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_kn.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_am.dll (25 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_ru.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_id.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_gu.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_cs.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_bg.dll (30 bytes)
    %Program Files% (x86)\GUM1E4.tmp\psuser.dll (159 bytes)
    %Program Files% (x86)\GUT1F5.tmp (4 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_sk.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_fa.dll (27 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_es.dll (31 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_no.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_ro.dll (29 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_et.dll (28 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_lv.dll (30 bytes)
    %Program Files% (x86)\GUM1E4.tmp\goopdateres_ta.dll (30 bytes)
    %Program Files% (x86)\GUM1E4.tmp\GoogleUpdateOnDemand.exe (59 bytes)
    %Program Files% (x86)\GUM1E4.tmp\GoogleUpdateBroker.exe (59 bytes)
    %Program Files% (x86)\NCH Software\Eyeline\x264enc6.exe (483 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Video Capture Software.lnk (1 bytes)
    C:\ProgramData\NCH Software\Eyeline\Web\ajax.js (2 bytes)
    C:\ProgramData\NCH Software\Eyeline\Web\table.js (388 bytes)
    C:\Users\"%CurrentUserName%"\Favorites\NCH Software Download Site.lnk (312 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Switch Sound File Converter.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Zip File Compression.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\MixPad MultiTrack Mixer.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs\Video Capture Software.lnk (1 bytes)
    C:\ProgramData\NCH Software\Eyeline\Web\greybg.gif (275 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Rip CD Ripper.lnk (1 bytes)
    %Program Files% (x86)\NCH Software\Eyeline\eyeline.exe (11567 bytes)
    %Program Files% (x86)\NCH Software\Eyeline\eyelinesetup_v2.01.exe (7547 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs\Slideshow Creator Software.lnk (1 bytes)
    C:\ProgramData\NCH Software\Eyeline\Web\upsort.gif (123 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Burn CD, DVD or Blu-Ray.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Graphics File Converter.lnk (1 bytes)
    C:\ProgramData\NCH Software\Eyeline\Web\nchplayer.swf (1444 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\SoundTap Streaming Recorder.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eyeline Video Surveillance System.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\WavePad Sound Editor.lnk (1 bytes)
    C:\ProgramData\NCH Software\Eyeline\Web\downsort.gif (123 bytes)
    C:\ProgramData\NCH Software\Eyeline\Web\print.css (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Invoicing Software.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\RecordPad Sound Recorder.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Classic FTP Software.lnk (1 bytes)
    C:\Users\Public\Desktop\Eyeline Video Surveillance System.lnk (1 bytes)
    C:\ProgramData\NCH Software\Eyeline\Web\s.css (196 bytes)
    C:\ProgramData\NCH Software\Eyeline\Web\darkblue.gif (257 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Prism Video File Format Converter.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs\Video Streaming Server.lnk (1 bytes)
    C:\ProgramData\NCH Software\Eyeline\Email Template.txt (208 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs\Video File Format Converter.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Doxillion Document Converter.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs\Video Tape to DVD Converter.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Dictate Recorder.lnk (1 bytes)
    C:\Users\Public\Desktop\NCH Suite.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Accounting Software.lnk (1 bytes)
    C:\ProgramData\NCH Software\Eyeline\Web\favicon.ico (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs\VideoPad Video Editor.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\VideoPad Video Editor.lnk (1 bytes)
    %Program Files%\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (348 bytes)
    %Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (1281 bytes)
    %Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (673 bytes)
    %Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (1425 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (41641 bytes)
    %Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
    %Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe (2321 bytes)
    %Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)
    C:\ProgramData\Google\Custom Buttons\toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML (12 bytes)
    %Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (1 bytes)
    %Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gtn.dll (151 bytes)
    C:\Windows\Temp\Eyeline-980-1\ffmpeg16.exe (39 bytes)
    C:\ProgramData\NCH Software\Eyeline\Logs\2015-02-13 Eyeline Video Surveillance System Log.txt (141 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_eyeline_rl_adm (8 bytes)
    %Program Files% (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe (382879 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (10160 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (616 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (497 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (25694 bytes)
    %Program Files% (x86)\NCH Software\Components\x264enc6\x264enc6.exe (20838 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x264enc6_.cab (468 bytes)
    %Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\gth.dll (49 bytes)
    %Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (79 bytes)
    %Program Files% (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\Readme.url (212 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Eyeline" = "%Program Files% (x86)\NCH Software\Eyeline\eyeline.exe -logon"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now