Sample_d2bafd920b

by malwarelabrobot on April 20th, 2015 in Malware Descriptions.

mzpefinder_pcap_file.YR, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: d2bafd920ba06a6ed1f36957281c3765
SHA1: 7899c8b50c53a3ee498b836d436cfc757294dd62
SHA256: 673f038517ae646325acaa659dca5a2b1660e654c693ea55c2d2a2abe985a568
SSDeep: 12288:JdE7td8eVQrzHREwEupiX DjaxCOBR1dtsJS//cYP9EhxclYVItfRIln7t:QfdYzxpEuTACKGS/0euhxc4SQp
Size: 560720 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: NCH Software
Created at: 2013-12-10 07:05:55
Analyzed on: Windows7Ada SP1 64-bit


Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Worm creates the following process(es):

googletoolbarinstaller_en_signed.exe:3068
NCH_GoogleToolbar.exe:1916
GoogleUpdateSetup_latest.exe:968
nchsetup.exe:816
regsvr32.exe:588
SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:600
GoogleUpdaterService.exe:3016
GoogleUpdaterService.exe:1812
%original file name%.exe:964
GoogleToolbarManager_BA9226F4C70BECC2.exe:2772
GoogleToolbarManager_BA9226F4C70BECC2.exe:2564
GoogleToolbarManager_BA9226F4C70BECC2.exe:3008
GoogleUpdaterService_B33FC4DD36A473C6.exe:456
GoogleToolbarNotifier.exe:3040
GoogleToolbarNotifier.exe:1936
openssl.exe:956
moneyline.exe:2996
moneyline.exe:2612

The Worm injects its code into the following process(es):

moneyline.exe:644

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process googletoolbarinstaller_en_signed.exe:3068 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe (620 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_62C1B48EAF0FD125.dll (514 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll (2 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_2AD99D2EA038D2F2.dll (489 bytes)
C:\Windows\System32\config\SOFTWARE (67572 bytes)
C:\ (96 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_75A7C54F0BE42E8E.dll (149 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe (801 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar.7.5.6227.252.manifest.xml (36 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe (50 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_3934E923EEC91A78.dll (390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller2.log (43839 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe (50 bytes)
C:\Windows (288 bytes)
C:\$Directory (384 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe (1480 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe (390 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (61428 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll (50 bytes)

The process NCH_GoogleToolbar.exe:1916 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_latest.exe (25250 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx6142.tmp\System.dll (23 bytes)

The process GoogleUpdateSetup_latest.exe:968 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\GUM621C.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_bn.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ur.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_fi.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp (28 bytes)
%Program Files% (x86)\GUM621C.tmp\psmachine.dll (159 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_pl.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_nl.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_vi.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ko.dll (23 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_is.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_de.dll (31 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_da.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\psuser.dll (159 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdate.dll (1702 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sw.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_fa.dll (27 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_hr.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ru.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ar.dll (26 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_lv.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_am.dll (25 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ta.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_it.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_iw.dll (26 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ro.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ml.dll (31 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_fil.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_id.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_fr.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_hi.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_cs.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_el.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sr.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdate.exe (234 bytes)
%Program Files% (x86)\GUT621D.tmp (4 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_bg.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_no.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_tr.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_uk.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_mr.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_et.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_es.dll (31 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_en.dll (27 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_th.dll (27 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_kn.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ca.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_gu.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ja.dll (24 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_te.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sk.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_hu.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sv.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_lt.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sl.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ms.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleCrashHandler.exe (212 bytes)

The process nchsetup.exe:816 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Video Capture Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\MoneyLine\MoneyLine.vdb-journal (2742 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Burn CD, DVD or Blu-Ray.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\Favorites\NCH Software Download Site.lnk (264 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Zip File Compression.lnk (1 bytes)
%Program Files% (x86)\NCH Software\MoneyLine\moneyline-0.vdb (7772 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\MixPad MultiTrack Mixer.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\WavePad Sound Editor.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Rip CD Ripper.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\MoneyLine\moneyline.vdb (202 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Dictate Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Switch Sound File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Graphics File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\VideoPad Video Editor.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Inventory Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe (9147 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Time Tracking Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Invoicing Software.lnk (1 bytes)
C:\Users\Public\Desktop\MoneyLine.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Classic FTP Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Accounting Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\MoneyLine\moneylinesetup_v1.23.exe (3361 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Prism Video File Format Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\RecordPad Sound Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Doxillion Document Converter.lnk (1 bytes)
C:\Users\Public\Desktop\NCH Suite.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Accounting Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\SoundTap Streaming Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Invoicing Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Retail POS point of sale software system.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MoneyLine.lnk (1 bytes)

The process regsvr32.exe:588 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll (299 bytes)

The process SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:600 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll (144 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (79 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gth.dll (40 bytes)
%Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll (298 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll (981 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\Readme.url (212 bytes)

The process %original file name%.exe:964 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (524 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (20887 bytes)

The process GoogleToolbarManager_BA9226F4C70BECC2.exe:2772 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\ProgramData\Google\Custom Buttons\toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (3159 bytes)

The process GoogleToolbarManager_BA9226F4C70BECC2.exe:2564 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (1281 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (673 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (41404 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe (2321 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)

The process GoogleToolbarManager_BA9226F4C70BECC2.exe:3008 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (2406 bytes)

The process GoogleUpdaterService_B33FC4DD36A473C6.exe:456 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (390 bytes)

The process GoogleToolbarNotifier.exe:1936 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll (983 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll (147 bytes)

The process openssl.exe:956 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\openssl_.cab (472 bytes)
%Program Files% (x86)\NCH Software\Components\openssl\ssleay32.dll (4232 bytes)
%Program Files% (x86)\NCH Software\Components\openssl\libeay32.dll (17231 bytes)

The process moneyline.exe:644 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\openssl.exe (238856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\MoneyLine\MoneyLine.vdb-journal (8226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\MoneyLine\moneyline.vdb (1144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_moneyline_rl_adm (8 bytes)

The process moneyline.exe:2612 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe (382879 bytes)

Registry activity

The process googletoolbarinstaller_en_signed.exe:3068 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"sin" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"NextVersion" = "7.5.6227.252"
"currentVersion" = "7.5.6227.252"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"ein" = "1"

[HKCU\Software\Google\Google Toolbar\4.0\Setup]
"InstallProgress" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4A 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "2D 85 33 3A 90 73 D0 01"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar]
"test" = "41"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EnabledExperiments" = "POSI,PUMA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Google\Google Toolbar\4.0\Setup]
"Command" = "2"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"FirstInstallTime" = "1429399011"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Google\Google Toolbar]
"LastInstallError"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"NextVersion"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"PrimaryInstallDone"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"FailedInstallPing"

The process nchsetup.exe:816 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Classes\divxfile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\MoneyLine\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\MoneyLine"

[HKCU\Software\NCH Software\MoneyLine\Settings]
"InstallDate" = "1429398989"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKCU\Software\Classes\neffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Pixillion %L"

[HKCU\Software\Classes\.WAV]
"(Default)" = "wavfile"

[HKCU\Software\Classes\aifffile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"URLInfoAbout" = "www.nchsoftware.com/personalfinance/support.html"

[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"

[HKCU\Software\Classes\.mov]
"(Default)" = "movfile"

[HKCU\Software\Classes\giffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"

[HKCU\Software\Classes\.MP3]
"(Default)" = "mp3file"

[HKCU\Software\NCH Software\MoneyLine\Registration]
"RD" = "1429399021"

[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\MoneyLine\Settings]
"RelatedRuns" = "-1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"Version" = "1.23"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Pixillion %L"

[HKCU\Software\Classes\gsmfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\avifile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\giffile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"UninstallString" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -uninstall"

[HKCU\Software\NCH Software\MoneyLine\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\MoneyLine"

[HKCU\Software\Classes\.OGG]
"(Default)" = "oggfile"

[HKCU\Software\Classes\asffile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\mohfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"

[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"

[HKCU\Software\Classes\.tar]
"(Default)" = "tarfile"

[HKCU\Software\Classes\jpegfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\neffile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKCU\Software\Classes\pngfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\aufile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"

[HKCU\Software\NCH Software\MoneyLine\Settings]
"InstalledByAdmin" = "1"

[HKCU\Software\Classes\dctfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\m4vfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"VersionMajor" = "1"

[HKCU\Software\Classes\.dss]
"(Default)" = "dssfile"

[HKCU\Software\Classes\mpdpfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"

[HKCU\Software\Classes\mpgfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\vocfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"

[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"

[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Pixillion %L"

[HKCU\Software\Classes\wavfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\.AAC]
"(Default)" = "aacfile"

[HKCU\Software\Classes\avifile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"

[HKCU\Software\Classes\ds2file\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\asffile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\.mp4]
"(Default)" = "mp4file"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\MoneyLine\Software]
"Installer" = "%Program Files% (x86)\NCH Software\MoneyLine\moneylinesetup_v1.23.exe"

[HKCU\Software\Classes\m4afile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Classes\aacfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"

[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"

[HKCU\Software\Classes\wmafile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\mp3file\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\gzfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"

[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Pixillion %L"

[HKCU\Software\Classes\aufile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\.gz]
"(Default)" = "gzfile"

[HKCU\Software\Classes\giffile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\.meo]
"(Default)" = "meofile"

[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"

[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"

[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\Windows.IsoFile\shell]
"(Default)" = "open"

[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"

[HKCU\Software\NCH Software\MoneyLine\Software]
"Toolbar" = "cnm-installed"

[HKCU\Software\Classes\.nef]
"(Default)" = "neffile"

[HKCU\Software\Classes\voxfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"

[HKCU\Software\Classes\.wp]
"(Default)" = "wpfile"

[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"

[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"DisplayIcon" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe"

[HKCU\Software\Classes\m4afile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\dctfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\neffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"

[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\xvidfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.spj]
"(Default)" = "spjfile"

[HKCU\Software\NCH Software\MoneyLine\Settings]
"currentVersion" = "1.23"

[HKCU\Software\Classes\.rar]
"(Default)" = "rarfile"

[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\CABFolder\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\mp3file\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"

[HKCU\Software\Classes\meofile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Meo %L"

[HKCU\Software\Classes\.divx]
"(Default)" = "divxfile"

[HKCU\Software\Classes\aiffile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"

[HKCU\Software\Classes\aiffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"

[HKCU\Software\Classes\wavfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.avi]
"(Default)" = "avifile"

[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\7zfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\aufile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\pngfile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"URLUpdateInfo" = "www.nchsoftware.com/personalfinance/index.html"

[HKCU\Software\Classes\giffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Pixillion %L"

[HKCU\Software\Classes\ds2file\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Scribe %L"

[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\wavfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\NCH Software\MoneyLine\Registration]
"Name" = ""

[HKCU\Software\Classes\.mpdp]
"(Default)" = "mpdpfile"

[HKCU\Software\Classes\mpdpfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\.mpeg]
"(Default)" = "mpegfile"

[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"

[HKCU\Software\Classes\7zfile\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"InstallLocation" = "%Program Files% (x86)\NCH Software\MoneyLine"

[HKCU\Software\Classes\ds2file\shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"

[HKCU\Software\Classes\.ds2]
"(Default)" = "ds2file"

[HKCU\Software\Classes\tar.gzfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\aiffile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\.AU]
"(Default)" = "aufile"

[HKCU\Software\Classes\.ivr]
"(Default)" = "ivrfile"

[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\.WMA]
"(Default)" = "wmafile"

[HKCU\Software\Classes\wmafile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.xvid]
"(Default)" = "xvidfile"

[HKCU\Software\Classes\odtfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.asf]
"(Default)" = "asffile"

[HKCU\Software\Classes\gzfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\movfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"

[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\meofile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\CABFolder\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\CABFolder\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\docxfile\Shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Registration\NCH]
"MoneyLine" = "1"

[HKCU\Software\Classes\wpfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\rarfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\wpdfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"

[HKCU\Software\Classes\oggfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"

[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"

[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\mp4file\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKCU\Software\Classes\.tar.gz]
"(Default)" = "tar.gzfile"

[HKCU\Software\Classes\neffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\voxfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\TIFImage.Document\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\ivrfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind IVM %L"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"DisplayName" = "MoneyLine"

[HKCU\Software\Classes\rarfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\dssfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\.vox]
"(Default)" = "voxfile"

[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\.7z]
"(Default)" = "7zfile"

[HKCU\Software\Classes\.moh]
"(Default)" = "mohfile"

[HKCU\Software\Classes\.mpeg2]
"(Default)" = "mpeg2file"

[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"

[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\neffile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKCU\Software\Classes\gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\.vpj]
"(Default)" = "vpjfile"

[HKCU\Software\Classes\mp3file\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"

[HKCU\Software\Classes\.FLAC]
"(Default)" = "flacfile"

[HKCU\Software\Classes\mpeg2file\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\asffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\.voc]
"(Default)" = "vocfile"

[HKCU\Software\Classes\spjfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\mpdpfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind MixPad %L"

[HKCU\Software\Classes\m4afile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\aiffile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"

[HKCU\Software\Classes\avifile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\wavfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"

[HKCU\Software\Classes\mohfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\aifffile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"

[HKCU\Software\Classes\meofile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\aifffile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
"test" = "testv"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"Publisher" = "NCH Software"

[HKCU\Software\Classes\giffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\Windows.IsoFile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressBurn %L"

[HKCU\Software\Classes\vobfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\7zfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\.gsm]
"(Default)" = "gsmfile"

[HKCU\Software\Classes\ivrfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\rtffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\mohfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind IMS %L"

[HKCU\Software\Classes\ds2file]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\aacfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"VersionMinor" = "23"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\ds2file\shell]
"(Default)" = "open"

[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\pngfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\vpjfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\AcroExch.Document\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\vocfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\wmafile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"

[HKCU\Software\Classes\.dct]
"(Default)" = "dctfile"

[HKCU\Software\Classes\.AIFF]
"(Default)" = "aifffile"

[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow]
"(Default)" = "Create slideshow"

[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Pixillion %L"

[HKCU\Software\Classes\tarfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"

[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\.doc]
"(Default)" = "docfile"

[HKCU\Software\Classes\.wpd]
"(Default)" = "wpdfile"

[HKCU\Software\Classes\aacfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\spjfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\wmafile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\dssfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Scribe %L"

[HKCU\Software\Classes\aufile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\vpjfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\flacfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\docfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\aifffile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"

[HKCU\Software\Classes\aiffile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"

[HKCU\Software\Classes\.m4v]
"(Default)" = "m4vfile"

[HKCU\Software\Classes\oggfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"

[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"

[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\oggfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\mp3file\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\Paint.Picture\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\wmafile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"

[HKCU\Software\Classes\movfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\aifffile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"DisplayVersion" = "1.23"

[HKCU\Software\Classes\voxfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\dssfile]
"(Default)" = "Unhandled Extension Handler Finder"

[HKCU\Software\Classes\ivrfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\mpegfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\wavfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"

[HKCU\Software\Classes\.mpg]
"(Default)" = "mpgfile"

[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"

[HKCU\Software\Classes\.vob]
"(Default)" = "vobfile"

[HKCU\Software\Classes\.M4A]
"(Default)" = "m4afile"

[HKCU\Software\Classes\ds2file\shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\mp3file\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\vocfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"

[HKCU\Software\Classes\tarfile\Shell]
"(Default)" = "open"

[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"

[HKCU\Software\Classes\dctfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Scribe %L"

[HKCU\Software\Classes\spjfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind PhotoStage %L"

[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\rarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"

[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"

[HKCU\Software\Classes\Windows.IsoFile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"

[HKCU\Software\Classes\movfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"

[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"

[HKCU\Software\Classes\tarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressZip %L"

[HKCU\Software\Classes\.AIF]
"(Default)" = "aiffile"

[HKCU\Software\Classes\aufile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"

[HKCU\Software\Classes\vpjfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"

The Worm deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
"test"

[HKCU\Software\NCH Software\MoneyLine\Software]
"_ShowSurvey"

[HKCU\Software\NCH Software\MoneyLine\Registration]
"_XD"

[HKCU\Software\NCH Software\MoneyLine\Software]
"_ShowSurveyNow"
"ShowSurvey"

[HKCU\Software\NCH Software\MoneyLine\Registration]
"XD"

[HKCU\Software\NCH Software\MoneyLine\Software]
"_InstalledBy"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKCU\Software\NCH Software\MoneyLine\Software]
"ShowSurveyNow"
"InstalledBy"

The process regsvr32.exe:588 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\ProgID]
"(Default)" = "ProtectorExe.ProtectorHost.1"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"(Default)" = "ProtectorHost Class"

[HKCR\protector_dll.ProtectorBho\CurVer]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\protector_dll.ProtectorLib\CurVer]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\AppID\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}]
"(Default)" = "protector_dll"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"(Default)" = "ProtectorLib Class"

[HKCR\protector_dll.ProtectorBho.1\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorLib"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorBho"

[HKCR\protector_dll.ProtectorBho.1]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\protector_dll.ProtectorLib\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\protector_dll.ProtectorLib.1\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll"

[HKCR\protector_dll.ProtectorLib]
"(Default)" = "ProtectorLib Class"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"Depend" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\VersionIndependentProgID]
"(Default)" = "ProtectorExe.ProtectorHost"

[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\protector_dll.ProtectorLib.1]
"(Default)" = "ProtectorLib Class"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\protector_dll.ProtectorBho]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\AppID\protector_dll.DLL]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\protector_dll.ProtectorBho\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll"

The process SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:600 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier]
"Version" = "5.10.11023.1534"
"ID" = "7dc11b2a2ae540689b55d8be2d64b263"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534,"

[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"ust" = "100"

[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier\Clients]
"ietb" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier]
"brand" = "NCHD"

The Worm deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]

The process GoogleUpdaterService.exe:3016 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater\apps\swg]
"auto" = "0"

The process GoogleUpdaterService.exe:1812 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}]
"(Default)" = "ISilentUpdater"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}]
"(Default)" = "IUpdaterScheduler"

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\AppID\GoogleUpdaterService.exe]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\GUSchedulerCtl.UpdaterScheduler]
"(Default)" = "Google Updater Scheduler class"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\ProgID]
"(Default)" = "GUServiceCtl.SilentUpdater.1"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}]
"(Default)" = "Google Updater Scheduler class"

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"Version" = "1.0"

[HKCR\GUServiceCtl.SilentUpdater]
"(Default)" = "Google Silent Updater class"

[HKCR\GUServiceCtl.SilentUpdater\CLSID]
"(Default)" = "{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}]
"(Default)" = "Google Silent Updater class"

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\GUSchedulerCtl.UpdaterScheduler.1\CLSID]
"(Default)" = "{B53B7061-6584-46AA-A033-D610EB10BD9B}"

[HKCR\GUServiceCtl.SilentUpdater\CurVer]
"(Default)" = "GUServiceCtl.SilentUpdater.1"

[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"LocalService" = "gusvc"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}]
"(Default)" = "IUpdaterScheduler"

[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"(Default)" = "gusvc"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0]
"(Default)" = "Google Updater Service 1.0 Type Library"

[HKCR\GUServiceCtl.SilentUpdater.1\CLSID]
"(Default)" = "{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\VersionIndependentProgID]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"

[HKCR\GUServiceCtl.SilentUpdater.1]
"(Default)" = "Google Silent Updater class"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"

[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\ProgID]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler.1"

[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\VersionIndependentProgID]
"(Default)" = "GUServiceCtl.SilentUpdater"

[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}]
"(Default)" = "ISilentUpdater"

[HKCR\GUSchedulerCtl.UpdaterScheduler\CLSID]
"(Default)" = "{B53B7061-6584-46AA-A033-D610EB10BD9B}"

[HKCR\GUSchedulerCtl.UpdaterScheduler.1]
"(Default)" = "Google Updater Scheduler class"

[HKCR\GUSchedulerCtl.UpdaterScheduler\CurVer]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler.1"

[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"

The Worm deletes the following value(s) in system registry:

[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"LocalService"

The process %original file name%.exe:964 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process GoogleToolbarManager_BA9226F4C70BECC2.exe:2772 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\NonManifest\C:\ProgramData\Google\Custom Buttons]
"toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarDynamic_mui_en.dll" = "1"

The process GoogleToolbarManager_BA9226F4C70BECC2.exe:2564 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayVersion" = "7.5.6227.252"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"ToastOfferTime" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"

[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"SystemPatchLevel" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\GoogleUpdate]
"InstallTimestamp" = "1429399007"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"Policy" = "3"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Publisher" = "Google Inc."

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleUpdaterService.exe" = "1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"InstallType" = "3"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppName" = "GoogleToolbarUser_64.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"AllowInteractions" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayName" = "Google Toolbar for Internet Explorer"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EnableUsageStats" = "1"

[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser_32.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"UninstallString" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /uninstall"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppName" = "GoogleToolbarUser_64.exe"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"SearchWithGoogleUpdate.exe" = "1"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"{14C626CA-ACAB-46e5-8A99-53C9E11CCCA0}_enabled" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"InstallTime" = "1429399008"

[HKCR\Installer\Products\18555481990E8AB4CBB63FB4F26006C0]
"AuthorizedLUAApp" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayIcon" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_7" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:7"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ButtonPageRank" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetDefaultSearch" = "3"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar]
"test" = "41"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser_32.exe"

[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"

[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetPageRank" = "2"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\GoogleUpdate]
"InstallResult" = "ti"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_5" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:5"

[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EulaAccepted" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_9" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:9"
"cmd_7.5.6227.252_8" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:8"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarManager.exe" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_6" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:6"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"brand" = "NCHD"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_4" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:4"
"cmd_7.5.6227.252_3" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:3"
"cmd_7.5.6227.252_2" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:2"
"cmd_7.5.6227.252_1" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:1"
"cmd_7.5.6227.252_0" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"PrimaryInstallDone" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetHomePage" = "2"
"BrowseByName" = "0"
"RbbsBreak" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5" = ""

[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5" = ""

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"UsageStatsEnabled" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"DisableBrowseByName" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"MinorVersion" = "5"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"Name" = "Google Toolbar"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"ID" = "782C522357179724943B09F8A7BD5A00E3785qKNSN"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Installations]
"1429399010" = "v=7.5.6227.252&tbbrand=NCHD&i=0"

[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"InstallLocation" = "%Program Files% (x86)\Google\Google Toolbar\"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"NoModify" = "1"
"MajorVersion" = "7"
"NoRepair" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"

[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"brand" = "NCHD"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"

[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll"

The Worm deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\Programmable]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
[HKCU\Software\Classes\Local Settings\MuiCache\2D]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\Programmable]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum]

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"UseIe64"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"

[HKCU\Software\Google\Google Toolbar\4.0\Options]
"Vendor"

[HKCU\Software\Google\Google Toolbar\4.0]
"Update"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"RefreshIE"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"lang"

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"WelcomePage"

The process GoogleToolbarManager_BA9226F4C70BECC2.exe:3008 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarManager.exe" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"pv" = "7.5.6227.252"

The process GoogleUpdaterService_B33FC4DD36A473C6.exe:456 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater\apps\tbie]
"auto" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater]
"Path" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"
"Version" = "2.4.2617.4952"

The process GoogleToolbarNotifier.exe:3040 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"HideUI_Throttled" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"DetectChange_DS" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Google\GoogleToolbarNotifier]
"FirstRun" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionTime" = "F7 2A CA C1 2D 7A D0 01"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"Icon_Click" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "2D 85 33 3A 90 73 D0 01"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier]
"UpdateURL" = "http://clients1.google.com/tools/swg2/update"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecision" = "0"
"WpadNetworkName" = "Network 4"

[HKCU\Software\Google\GoogleToolbarNotifier]
"lds" = "http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ShowUI_TrayIcon" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier]
"DefaultLanguage" = "en"
"TS" = "1429399011"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"Bubble_Click" = "0"
"UserAllowChange_DS" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Google\GoogleToolbarNotifier]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ShowUI_Popup" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier]
"InstalledVersion" = "5.10.11023.1534"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionReason" = "1"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"LastReportTime" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"scShowTrayIcon" = "ffffffff"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Google\GoogleToolbarNotifier]
"UsageStat" = "1"

[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ModifyUI_UserIntent" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
"WpadDecision" = "0"

[HKCU\Software\Google\GoogleToolbarNotifier]
"Version" = "5.10.11023.1534"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"

[HKCU\Software\Google\GoogleToolbarNotifier]
"WantProductRestart"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Google\GoogleToolbarNotifier]
"ts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Google\GoogleToolbarNotifier]
"DSPSuspended"
"SuspendedDS"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

The process GoogleToolbarNotifier.exe:1936 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\ProtectorExe.ProtectorHost.1\CLSID]
"(Default)" = "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}]
"(Default)" = "IProtectorLib7"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}]
"(Default)" = "IProtector11"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}]
"(Default)" = "IProtector2"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}]
"(Default)" = "IProtector8"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}]
"(Default)" = "IProtector6"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}]
"(Default)" = "IProtectorHost2"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}]
"(Default)" = "IProtectorLib"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}]
"(Default)" = "IProtector3"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"Version" = "1a.0"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0]
"(Default)" = "protector_dllLib"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}]
"(Default)" = "protector_dll"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}]
"(Default)" = "IProtector9"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}]
"(Default)" = "ProtectorExe"

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}]
"(Default)" = "IProtectorLib8"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}]
"(Default)" = "IProtectorLib8"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}]
"(Default)" = "IProtectorLib7"

[HKCR\protector_dll.ProtectorLib.1]
"(Default)" = "ProtectorLib Class"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}]
"(Default)" = "IProtector4"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"Depend" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"(Default)" = "ProtectorLib Class"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"Version" = "1a.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppName" = "GoogleToolbarNotifier.exe"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}]
"(Default)" = "IProtector5"

[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}]
"(Default)" = "IProtectorLib5"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"(Default)" = "ProtectorHost Class"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}]
"(Default)" = "IProtectorHost"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}]
"(Default)" = "IProtector10"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorBho"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}]
"(Default)" = "IProtector10"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\ProgID]
"(Default)" = "ProtectorExe.ProtectorHost.1"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"Version" = "1a.0"

[HKCR\protector_dll.ProtectorLib\CurVer]
"(Default)" = "protector_dll.ProtectorLib.1"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}]
"(Default)" = "IProtector2"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}]
"(Default)" = "IProtector5"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"Version" = "1a.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}]
"(Default)" = "IProtectorHost"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}]
"(Default)" = "IProtector3"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\AppID\ProtectorExe.EXE]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\protector_dll.Protector.1\CLSID]
"(Default)" = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}"

[HKCR\ProtectorExe.ProtectorHost\CLSID]
"(Default)" = "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}"

[HKCR\protector_dll.ProtectorBho]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\AppID\protector_dll.DLL]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}]
"(Default)" = "IProtectorLib2"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\ProgID]
"(Default)" = "protector_dll.Protector.1"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}]
"(Default)" = "IProtectorLib6"

[HKCR\protector_dll.Protector\CLSID]
"(Default)" = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\VersionIndependentProgID]
"(Default)" = "ProtectorExe.ProtectorHost"

[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}]
"(Default)" = "IProtector7"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\ProtectorExe.ProtectorHost]
"(Default)" = "ProtectorHost Class"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}]
"(Default)" = "IProtector4"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\protector_dll.ProtectorBho.1\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534"

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\protector_dll.ProtectorBho.1]
"(Default)" = "Google Toolbar Notifier BHO"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}]
"(Default)" = "IProtectorLib3"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorLib"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}]
"(Default)" = "IProtector11"

[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}]
"(Default)" = "IProtector12"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\VersionIndependentProgID]
"(Default)" = "protector_dll.Protector"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\protector_dll.ProtectorLib.1\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}]
"(Default)" = "IProtectorLib3"

[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}]
"(Default)" = "IProtector"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}]
"(Default)" = "IProtector6"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"Version" = "1a.0"

[HKCR\ProtectorExe.ProtectorHost.1]
"(Default)" = "ProtectorHost Class"

[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\protector_dll.Protector\CurVer]
"(Default)" = "protector_dll.Protector.1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppName" = "GoogleToolbarNotifier.exe"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"Version" = "1a.0"

[HKCR\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}]
"RunAs" = "Interactive User"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}]
"(Default)" = "IProtectorLib5"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"Policy" = "3"

[HKCR\protector_dll.ProtectorBho\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKCR\protector_dll.ProtectorBho\CurVer]
"(Default)" = "protector_dll.ProtectorBho.1"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\ProtectorExe.ProtectorHost\CurVer]
"(Default)" = "ProtectorExe.ProtectorHost.1"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\0\win32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll"

[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"Policy" = "3"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}]
"(Default)" = "IProtector12"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}]
"(Default)" = "IProtectorHost2"

[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"Version" = "1a.0"

[HKCR\protector_dll.Protector.1]
"(Default)" = "Protector Class"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll"

[HKCR\protector_dll.Protector]
"(Default)" = "Protector Class"

[HKCR\protector_dll.ProtectorLib\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}]
"(Default)" = "IProtector8"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}]
"(Default)" = "IProtector"

[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}]
"(Default)" = "IProtector9"

[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}]
"(Default)" = "Protector Class"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}]
"(Default)" = "IProtectorLib4"

[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}]
"(Default)" = "IProtector7"

[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}]
"(Default)" = "IProtectorLib"

[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}]
"(Default)" = "IProtectorLib4"

[HKCR\protector_dll.ProtectorLib]
"(Default)" = "ProtectorLib Class"

[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}]
"(Default)" = "IProtectorLib6"

[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"Version" = "1a.0"

[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"Version" = "1a.0"

[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}]
"(Default)" = "IProtectorLib2"

[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"

[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"Version" = "1a.0"

The process openssl.exe:956 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\NCH Swift Sound\Components\openssl]
"Path" = "%Program Files% (x86)\NCH Software\Components\openssl\ssleay32.dll"

[HKCU\Software\NCH Swift Sound\Components\openssl]
"Path" = "%Program Files% (x86)\NCH Software\Components\openssl\ssleay32.dll"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Components\openssl]
"Path" = "%Program Files% (x86)\NCH Software\Components\openssl\ssleay32.dll"

[HKCU\Software\NCH Software\Components\openssl]
"Path" = "%Program Files% (x86)\NCH Software\Components\openssl\ssleay32.dll"

The process moneyline.exe:644 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Registration\NCH]
"MoneyLine" = "2"

[HKCU\Software\NCH Software\MoneyLine\Setting]
"LastBackup" = "1429398999"

[HKCU\Software\NCH Software\MoneyLine\Settings]
"BubbleTipSetupAccount" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\NCH Software\MoneyLine\Registration]
"Name" = ""
"RD" = "1428966996"

[HKCU\Software\NCH Software\MoneyLine\Software]
"SVar" = "LLIBShowSuiteButtonOn"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process moneyline.exe:2996 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\NCH Software\MoneyLine\Scheduler]
"SevenDays" = "1"

The process moneyline.exe:2612 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\NCH Software\Components\GoogleToolbar]
"State" = "attempted"

[HKCU\Software\NCH Software\MoneyLine\Software]
"Toolbar" = "cnm-installed,gac,google"

[HKLM\SOFTWARE\Wow6432Node\NCH Software\Components\GoogleToolbar]
"State" = "attempted"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
5d4bc124faae6730ac002cdb67bf1a1c c:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
786996ff4ea890b9f43ed68dd55ffd7b c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll
c74e54032b25934882f5da142135f6e4 c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_75A7C54F0BE42E8E.dll
d257b5fafad4fe93cd13ac792bf9b152 c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_2AD99D2EA038D2F2.dll
d59b2b86e3b0f21c42700cb4f60c8f4d c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll
327c893aa5966ac436ca275f8d64c8c0 c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe
adf24d7a7195453f85e2f5cef3cbcc33 c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe
852fd4db3205ff0cb6d8f473776f99b1 c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe
aa9bc44f6d065f76902e516d0b45db6d c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_3934E923EEC91A78.dll
ba214814e91a9eae3eeeaed77841f82a c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_62C1B48EAF0FD125.dll
1f2afab903c0d48480561f3bbd4539c2 c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe
4beaf576cb43358c4db9f45ac7c09cdb c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe
78206b34bd050db564bf5b4b8c697925 c:\Program Files (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe
adf24d7a7195453f85e2f5cef3cbcc33 c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
852fd4db3205ff0cb6d8f473776f99b1 c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe
aa9bc44f6d065f76902e516d0b45db6d c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
ba214814e91a9eae3eeeaed77841f82a c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
34c575178bacadb9744f3fb7f86b5ee3 c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gth.dll
c9188d8d26ceedbe77fa96f128f10fec c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll
68ba0437b07cd40c453c606dd762f6e0 c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll
5d61be7db55b026a5d61a3eed09d0ead c:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
5050eb8b35a2ec4e17772690bb3e815c c:\Program Files (x86)\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\0.0.0.0\googletoolbarinstaller_en_signed.exe
5050eb8b35a2ec4e17772690bb3e815c c:\Program Files (x86)\Google\Update\Install\{2EE51953-8013-47B0-AF95-53733957A5EC}\googletoolbarinstaller_en_signed.exe
6154f737535b3dbea39c63223d52f5b8 c:\Program Files (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe
1c167f58b26b4afa6163303750aae802 c:\Program Files (x86)\NCH Software\Components\openssl\libeay32.dll
3125384cf278a4cd29e4b2731c13c7af c:\Program Files (x86)\NCH Software\Components\openssl\ssleay32.dll
13c2b288833eddaa220097b104f43ef1 c:\Program Files (x86)\NCH Software\MoneyLine\moneyline.exe
f440fbe175ee3222a3424a9b9b2030a0 c:\Program Files\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll
a1785c15213bdda8df5c1e167214e617 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\openssl.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: NCH Software
Product Name: MoneyLine
Product Version:
Legal Copyright: NCH Software
Legal Trademarks:
Original Filename:
Internal Name: MoneyLine
File Version: 1.23
File Description: MoneyLine
Comments:
Language: English (Australia)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.rdata 4096 2338 2560 2.76389 a322bee8b6315dcdf55664104eb8aed4
.data 8192 1596 2048 3.48789 cc10a049565dcd8a13f7ded9f6d7749b
.rsrc 12288 549244 549376 5.54264 8058fed9343d20b1ab7a9eb0279be339

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://audiochannel.net/versions/components/tb_google_row.dat 66.39.83.117
hxxp://audiochannel.net/components/openssl.exe 66.39.83.117
hxxp://audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe 66.39.83.117
hxxp://google.com/dl/toolbar/t7/data/7.5.6227.252/googletoolbarinstaller_en_signed.exe 216.58.209.206
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f92e6d35e1df3589
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40=
hxxp://google.com/tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=7dc11b2a2ae540689b55d8be2d64b263eb587e94ac&from=&to=5.10.11023.1534 216.58.209.206
hxxp://google.com/tools/pso/ping?as=tbin&gu=ti&mode=3&sin=1&ein=0&version=7.5.6227.252&brand=NCHD&hl=en&tbiv=7.5.6227.252&time=1429399011&fitime=1429399011&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=782C522357179724943B09F8A7BD5A00E3785qKNSN 216.58.209.206
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?527573d03e1370e5
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k=
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?527573d03e1370e5 87.245.216.25
hxxp://www.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe 173.247.250.125
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= 23.51.123.27
hxxp://www.audiochannel.net/versions/components/tb_google_row.dat 173.247.250.125
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k= 23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= 23.51.123.27
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl 87.245.216.33
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40= 23.51.123.27
hxxp://dl.google.com/dl/toolbar/t7/data/7.5.6227.252/googletoolbarinstaller_en_signed.exe 216.58.209.206
hxxp://clients1.google.com/tools/pso/ping?as=tbin&gu=ti&mode=3&sin=1&ein=0&version=7.5.6227.252&brand=NCHD&hl=en&tbiv=7.5.6227.252&time=1429399011&fitime=1429399011&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=782C522357179724943B09F8A7BD5A00E3785qKNSN 216.58.209.206
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 87.245.216.33
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl 87.245.216.33
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= 23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= 23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= 23.51.123.27
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl 87.245.216.33
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= 23.51.123.27
hxxp://clients1.google.com/tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=7dc11b2a2ae540689b55d8be2d64b263eb587e94ac&from=&to=5.10.11023.1534 216.58.209.206
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4= 23.51.123.27
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU= 23.51.123.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= 23.51.123.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f92e6d35e1df3589 87.245.216.25
tools.google.com 216.58.209.206
time.windows.com 23.102.23.44


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?527573d03e1370e5 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT
If-None-Match: "80b4d90ca4fd01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT
ETag: "80b4d90ca4fd01:0"
Cache-Control: max-age=604800
Date: Sat, 18 Apr 2015 23:17:19 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Las
t-Modified: Tue, 24 Feb 2015 00:37:01 GMT..ETag: "80b4d90ca4fd01:0"..C
ache-Control: max-age=604800..Date: Sat, 18 Apr 2015 23:17:19 GMT..Con
nection: keep-alive..



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=574211, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 14:45:04 GMT
Expires: Sat, 25 Apr 2015 14:45:04 GMT
Date: Sat, 18 Apr 2015 23:16:48 GMT
Connection: keep-alive
0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..2015041
8144504Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..R...%V.......K3.....20150418144504Z....20150425144504Z0...*.H.....
........cG..0.<.3....Z}.. .A.D.c.O.l5.%9|.;q..E..{d...3u~....4....H
w....,w..p.<H.I ....0..M....V...|DY....&.nP.sD..B......,D0.{....Bp.
....'j......C1.7[..N..........]..w.R....^......`F..sd.i.....A....._.j.
.\.9.j..gV)e..nv8..<...|..Y....x.J.S.{ ..W......7...yC~..vnP....0..
.0...0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U
....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006
 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 
3 Public Primary Certification Authority - G50...141202000000Z..151216
235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Syman
tec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder C
ertificate 30.."0...*.H.............0...............2&..PL...,..2....:
..tH...`JG.%..*...s.c%[email protected]"1.5?..
s.....3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2
$"..$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'...
.f.6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E
....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://w
ww.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0....
..0!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0.
..U.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#.
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40= HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=456321, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 05:59:48 GMT
Expires: Fri, 24 Apr 2015 05:59:48 GMT
Date: Sat, 18 Apr 2015 23:16:48 GMT
Connection: keep-alive
0..........0..... .....0......0...0......N$p...v....1.;..vn....2015041
7055948Z0s0q0I0... ...................F....0.yV......{&.K......&......
.).... .>...Fb.......20150417055948Z....20150424055948Z0...*.H.....
...............n...}U..E.....K.0.;.l..;I.....E..l.}(u....ca.U.......P.
.O..~..F...:..g....pP...Ecd(Q.!...!.4.C.....z....Q....n.I..KND.r...8wm
.|L...8 ....X.n..-.......1.$....RXd....I..2...>..^...4..e..?..c.4..
'.\...V.....H..\9...\.{m,O}.6...'..&..2....e..t..K.....mr....0...0...0
............F...I]A([email protected]...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code S
igning 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U.
...VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign 
Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.....
....q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e.
./jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M
/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5
.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U
....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veris
ign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incor
p. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U...
.....0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H.....
.........-..^.........f.P`...s.....8.....V.......... .... B.(@-)6.
<<< skipped >>>


GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT
If-None-Match: "a1132b8ef65d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT
ETag: "a1132b8ef65d01:0"
Cache-Control: max-age=900
Date: Sat, 18 Apr 2015 23:17:19 GMT
Connection: keep-alive
....


GET /pki/crl/products/WinPCA.crl HTTP/1.1


Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 07 Mar 2015 06:01:44 GMT
If-None-Match: "dde36a309c58d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT
ETag: "dde36a309c58d01:0"
Cache-Control: max-age=900
Date: Sat, 18 Apr 2015 23:17:19 GMT
Connection: keep-alive
....


GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1


Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Mar 2015 06:01:35 GMT
If-None-Match: "cf2633d6957d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT
ETag: "cf2633d6957d01:0"
Cache-Control: max-age=765
Date: Sat, 18 Apr 2015 23:17:19 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Mo
dified: Thu, 05 Mar 2015 06:01:35 GMT..ETag: "cf2633d6957d01:0"..Cache
-Control: max-age=765..Date: Sat, 18 Apr 2015 23:17:19 GMT..Connection
: keep-alive..



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=485494, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 14:10:10 GMT
Expires: Fri, 24 Apr 2015 14:10:10 GMT
Date: Sat, 18 Apr 2015 23:21:01 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015041
7141010Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.A..2.....:...:......20150417141010Z....20150424141010Z0...*.H........
........c.8.c..d8..6_.S.O..~Q.0..biaE3.C......MY.W.J.'gu...5.U.X......
.....p..R.........7.ErNBD.....7.5..Z..k.8S.Y..=.h...]_.<...[t.?..D6
...6([email protected].../A".....:.v....'.._.'.thz.}.e..W...RC..5.1f/.Z..61
.~.7......F...>.FO...dw.G(5U'.[;;......T..`P. ... .......#0...0...0
..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
......m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...n
z(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*].
..*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...
:.C.Q.i~rl..<..krS..8.B..o][email protected]...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H
<<< skipped >>>


GET /components/openssl.exe HTTP/1.0
Host: audiochannel.net


HTTP/1.1 200 OK
Date: Sat, 18 Apr 2015 23:16:36 GMT
Server: Apache/2.2.29
Last-Modified: Wed, 07 Jul 2010 00:06:23 GMT
ETag: "77000-48ac0f0abfdc0"
Accept-Ranges: bytes
Content-Length: 487424
Connection: close
Content-Type: application/octet-stream
X-Pad: avoid browser bug
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......O.Q..g?E.g?E
.g?E.hbE.g?E.g>E.g?E,.ME.g?E,.CE.g?E,.GE.g?ERich.g?E...............
.........PE..L......H.....................`......."............@......
....................p..............................................0..
.d....0...8...........................................................
...................|............................rdata.................
.............@[email protected]........ ....... [email protected]...
[email protected]..............@..@...........................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>


GET /versions/components/tb_google_row.dat HTTP/1.0
Host: VVV.audiochannel.net


HTTP/1.1 404 Not Found
Date: Sat, 18 Apr 2015 23:16:36 GMT
Server: Apache
Content-Length: 236
Connection: close
Content-Type: text/html; charset=iso-8859-1
<html><head><title>Error 404 - Not Found</title&g
t;<head><body><h1>Error 404 - Not Found</h1>&l
t;p>The document you are looking for may have been removed or re-na
med. Please contact the web site owner for further assistance.</p&g
t;</body></html>..



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=463374, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 08:00:00 GMT
Expires: Fri, 24 Apr 2015 08:00:00 GMT
Date: Sat, 18 Apr 2015 23:21:09 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015041
7080000Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
....^[email protected]...*.H........
.....A..`.............Q.q..M....mq'.9.*..u..Y....TU..!T..J...i.Apu.q.e
,.9.v...D......i...-.;.a.....e..z.)Et....x..4\j..<.....B[.........3
......}..@<.6..:B"...^.....%.H.u4........{.B.M..].b....*..Q.8......
.._....C.fg.....Zs3.r....n|..t'..t..F...o....T.p...*3:..!...#0...0...0
..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
......m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...n
z(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*].
..*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...
:.C.Q.i~rl..<..krS..8.B..o][email protected]...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H
<<< skipped >>>


GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT
Accept-Ranges: bytes
ETag: "2711f7277076d01:0"
Server: Microsoft-IIS/8.5
VTag: 438486457400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Sat, 18 Apr 2015 23:21:00 GMT
Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..150413163223Z..150713045223Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......Z0... .....7......150712164223Z0.
..*.H.............WK....e.\.-.n......./......."]..E!.. //=...[....w...
 ..........#...[.l.J..f|..... .s......w...J._.......3.[..#.z....ko.I..
Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x......W............j....&L. 2
.$.?...X?.#.(.....pK.v.......y..r....t......=.AW......K.G.gJD.b...



GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f92e6d35e1df3589 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT
If-None-Match: "804047d4e66d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT
ETag: "804047d4e66d01:0"
Cache-Control: max-age=86400
Date: Sat, 18 Apr 2015 23:16:48 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Las
t-Modified: Tue, 24 Mar 2015 16:17:41 GMT..ETag: "804047d4e66d01:0"..C
ache-Control: max-age=86400..Date: Sat, 18 Apr 2015 23:16:48 GMT..Conn
ection: keep-alive..



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1396
content-transfer-encoding: binary
Cache-Control: max-age=447158, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 03:30:03 GMT
Expires: Fri, 24 Apr 2015 03:30:03 GMT
Date: Sat, 18 Apr 2015 23:20:57 GMT
Connection: keep-alive
0..p......i0..e.. .....0.....V0..R0......Qw.}`[email protected]
7033003Z0s0q0I0... ........l....r.vdv0..*.~Y..X....e?z.4..G.L.......q.
.%Qq.........w.O.....20150417033003Z....20150424033003Z0...*.H........
......<.t.72.....&.Rtn....} ....-G....... ...9...E...M.I.E..:...M.=
.8v..*.b.Ê[email protected]....[(j..K.
t.d.....!.....j.....(f.C*. I.......N.....rU.x.U..9.9$..L..|(t.w-aR<
.0,(..'L$ ...L..[.......v.......w{{.w)s...i.d~.....M...;~....0...0...0
..y.......^..........N...)0...*.H........0J1.0...U....US1.0...U....Tha
wte, Inc.1$0"..U....Thawte Code Signing CA - G20...150303000000Z..1506
01235959Z0Y1.0...U....US1.0...U....Thawte, Inc.1301..U...*Thawte Code 
Signing CA - G2 OCSP Responder0.."0...*.H.............0............).Z
.......O.~.l...,\.3.".'.'W .ih./..}OA...K...HJd....K^..<.....-.rWJ.
j.U.._......W.../.6....J.y.u-.\...2..U.52B.>...=F...RbR.y.zm.......
{b.bj....Y..J..m...*=.^......V.}p......rmA......9.L ...{?.g.-Y........
....8...k.$.:.5..6#4..F.#....t.B.8.O)'F.p).........d0b0...U....0.0...U
.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U..
..TGV-B-32450...*.H..............C.....8.Aw.{....`...y1N...W4M..M.J.3~
..7#}..X..:x..5....$...Z^%.?6..e...}I.)....... .A.w......_...B..j.T..Y
u.o.....g....H....q.Ju.SA`K.....~..O_.....S....I>..O.X..E.......]..
.y..L..F....K......../...._XSk6.:a};.?`...:^.....p....4Z.3L;.......t..
..>.....j....
<<< skipped >>>


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1552
content-transfer-encoding: binary
Cache-Control: max-age=482847, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 13:24:57 GMT
Expires: Fri, 24 Apr 2015 13:24:57 GMT
Date: Sat, 18 Apr 2015 23:21:10 GMT
Connection: keep-alive
0..........0..... [email protected]
7132457Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.
8........c..uU..$.;.....20150417132457Z....20150424132457Z0...*.H.....
........Y.4.<..&r.....&.>'.TqX.E...*...............Lp3.p.MU..^..
...!e4.xN..1u.#.ox.....5.....j....&.....E...H=}..S....l..5{.........BO
.......8[.~2:[}..W.SVd.y..%\f.x.op...]uE..W0.......}.. .S..Fp..".....:
Iw ....M.....9l.>G.........;.#.>.B..... h...&.4.dARH..8(...r...5
0..10..-0..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0.
..U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certificatio
n Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized us
e only1.0...U....VeriSign Trust Network0...141202000000Z..151216235959
Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Tr
ust Network1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certifi
cate 30.."0...*.H.............0..........6..]......w';.r........I..c..
4.... .........TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....
e.^-..a.....i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<
./.G.....I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I.
..B.....=...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0
R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.sy
mauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U.
...0...0.1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i
..Z.r.*$..(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=513024, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 21:49:58 GMT
Expires: Fri, 24 Apr 2015 21:49:58 GMT
Date: Sat, 18 Apr 2015 23:21:10 GMT
Connection: keep-alive
0..........0..... .....0......0...0......%bn.$..5.......?'4....2015041
7214958Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1..#.
...M....=....x..":...K.....20150417214958Z....20150424214958Z0...*.H..
...........y...eJ.K&.u&..HV..M'.m6K.,........N.Ou.{..#.Z.....GZ s.?.{.
.....%..;m....N........u.p.>....T.Ez.......X..a...K..XU....)'......
.e...F.5..7.}..VH....[...........^]...].Q..QH...*...'...G`....*...S...
...U....C.. ?.....l......|6.U)Z..a.wz.o...6.Sq...D.%Q..U........0...0.
..0..........7.R.~|..r."....#0...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of us
e at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Cod
e Signing 2009 CA0...150401000000Z..150630235959Z0..1.0...U....US1.0..
.U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSi
gn Class 3 Code Signing 2009 OCSP Responder0.."0...*.H.............0..
........z..|..>.....5.Z ...2.C MWIH.5......M.\.... ...eW..`.B=..`:.
.R. ...Z.k.Y.....p@.(3.c....a.;..[E....J:'...`...B....M..&......{. (..
......%......^[v[....m....*.T.o&4..3.....3.........G...e)...'?.K..2s..
8=?..z.:..T..-.8R..8wv7*U.K..c...<s...]{.........6.?_...........0..
.0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://www
.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS
 incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0.
..U........0... .....0......0"..U....0...0.1.0...U....TGV-B-34920...*.
H.............,..-...
<<< skipped >>>


GET /components/toolbars/NCH_GoogleToolbar.exe HTTP/1.0
Host: VVV.audiochannel.net


HTTP/1.1 200 OK
Date: Sat, 18 Apr 2015 23:16:37 GMT
Server: Apache
Last-Modified: Mon, 07 Apr 2014 23:51:36 GMT
Accept-Ranges: bytes
Content-Length: 782288
Connection: close
Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7
.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7..........
[email protected]............@.
................................z.....................................
......................................................................
.....................................................text....g.......h
.................. ..`.rdata...............l..............@[email protected]...
[email protected]................................
...rsrc...............................@..@............................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
...G..H.P.u..u..u...|[email protected][email protected].....@
..}[email protected]... M..........M........E...FQ.....NU..M
.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected][email protected][email protected] [email protected]..
...@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S..
...t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.
<<< skipped >>>


GET /tools/pso/ping?as=tbin&gu=ti&mode=3&sin=1&ein=0&version=7.5.6227.252&brand=NCHD&hl=en&tbiv=7.5.6227.252&time=1429399011&fitime=1429399011&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=782C522357179724943B09F8A7BD5A00E3785qKNSN HTTP/1.1
User-Agent: Google Toolbar installer
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2
Date: Sat, 18 Apr 2015 23:16:51 GMT
Expires: Sat, 18 Apr 2015 23:16:51 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic,p=1
ok..



GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=545479, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 06:50:09 GMT
Expires: Sat, 25 Apr 2015 06:50:09 GMT
Date: Sat, 18 Apr 2015 23:20:55 GMT
Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....2015041
8065009Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a.
.eR&.....Y.)..".\....20150418065009Z....20150425065009Z0...*.H........
..........3..9..A..A....kqk......".R.P.....A.......A.7.......WT...=p.m
.b...az.K..#..`.j\...g...._..v.OV...Z.......yr...m..bi..}."......O.."3
..4.......... l...e.[Y....6p..yh.....u..r]A....j...U..z...ae..'.7.'.7 
..../.......`|....$..DU.p......n. :.:.........n.-......0...0...0..3...
..../...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign,
 Inc.1705..U....Class 3 Public Primary Certification Authority0...1412
02000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporatio
n1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1
 OCSP Responder Certificate 30.."0...*.H.............0..........'.....
.Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; )....
.0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|
o....S..v.).)[email protected]#qh...u1T.].G0.]E...=._.....
. ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0
c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......
0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .
....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H
......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D.....
......e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=591654, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 19:40:18 GMT
Expires: Sat, 25 Apr 2015 19:40:18 GMT
Date: Sat, 18 Apr 2015 23:20:55 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015041
8194018Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
..M.s.Q~...@?j.......20150418194018Z....20150425194018Z0...*.H........
.......$c.!|..m..L.Z..N....u."%x..'.9.R...C.ZU3F.F:.J7.....F...X..?8..
).H34< .-...q..w.F...%.*........1.b#GA`U*....H.e.p-.r....5..oK.1r..
.S.. *..H/83.b.1...`..(....c4.f...d\.>....aO>.4.%...a...`.;/....
.hO%......"...O.......7............p.......4|U...p....s.P;.....#0...0.
..0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of us
e at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Cod
e Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0
...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Term
s of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign C
lass 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0....
.........m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d.
..nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F
*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."
...:.C.Q.i~rl..<..krS..8.B..o][email protected]
...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.v
erisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS i
ncorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...
U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...
<<< skipped >>>


GET /tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=7dc11b2a2ae540689b55d8be2d64b263eb587e94ac&from=&to=5.10.11023.1534 HTTP/1.1
Accept: */*
User-Agent: SearchWithGoogle
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: text/plain
Transfer-Encoding: chunked
Date: Sat, 18 Apr 2015 23:16:51 GMT
Expires: Sat, 18 Apr 2015 23:16:51 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic,p=1
16..rlz: 1R______enUA636..0..



HEAD /dl/toolbar/t7/data/7.5.6227.252/googletoolbarinstaller_en_signed.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: dl.google.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 5059928
Content-Type: application/x-msdos-program
Etag: "506e4"
Expires: Sun, 19 Apr 2015 16:16:46 PDT
Last-Modified: Fri, 27 Feb 2015 23:15:00 GMT
Server: downloads
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 18 Apr 2015 23:16:46 GMT
Alternate-Protocol: 80:quic,p=1
....


GET /dl/toolbar/t7/data/7.5.6227.252/googletoolbarinstaller_en_signed.exe HTTP/1.1


Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Fri, 27 Feb 2015 23:15:00 GMT
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: dl.google.com



X..Q>!L........f.l.Hs..s...5.*.O..{0=L...L..j2}.\b.....s?P.........
n......}M...^.......7..........5..).SF.f6..:.#.0...@|y.a-h......5>b
......Jb6......u?l.q..Iu..fI$M.ex..A..5.3.)......k..u..~....y...U:..[.
[email protected].."%.'..E.........).t.
............{%...m.n............y.}.s.......a(...".....9.f...#."..l/..
..M..aA.3M.....B.k'.......]..z..w.8.B..2..S.z..l_....7=..3I[.l(.V.I...
....!.K."c...`..5.7......w. .........3A...`.~......4..(..i.zp....~..t.
$........3..:.._....Wp7.$...8..N^...}q..)..G.....nK...=J.Pb.|0/..I....
4.Q.....s..YS..".[..l.....I..| R2.'..9..4.4[..N...J.....T.a...b.7]..".
.S.{Mw..c...PL.\m..I.....%;....<..0...}.\.|uh.X^.#..C.)...3.x#..'..
.,....\..G"*%.)D.#y/..'....$......"~...!F.agk........~..E..3..g....A.k
...*5F,l}..P.VRMq....9......n...*._P.....,`M..........0$....\.0..Q.o..
..N.).H(........q ...j}..W.7.....)..V.....'[email protected]_..
.3e...d..#.i.~&...\.!..b.....{1.. .....j........x.o!..aC)..*Ld.(.G.U..
^E.{4-...W-.L./.0[:W.].K.be..E..0)M.e._..a..P8u.*N).......x..-.=H.A.O.
.:Y..e....!.XhH..-i].e.......2....,..w$...R..8.......;...Ts:;...e.i.r.
..=.z.N}0l...n....e]q..i;..9.{{..ZW.._...Zf C.4.g.uj...)k....h.`..4G..
].._r...$.6.E.:.Lx..P. ...1.S......V#...E...t...V.2.......X''d..%j.2..
M.."yd.......#...6q.*. .u|h..}.'....X....)....u..0g......g.:TK..<`c
...{\..:.........eY.........\.....)-....h..s...D}c.jp5..!^E.:...k.^..m
.a..AI.wAh.......6`}8?0D ....Dc.....m...g...](..Pn:Oh... ......IW.....
.......1...%.).......of'..R...p.y.lL. .0%..........<.0/...-..n.
<<< skipped >>>


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1503
content-transfer-encoding: binary
Cache-Control: max-age=600035, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 22:00:00 GMT
Expires: Sat, 25 Apr 2015 22:00:00 GMT
X-EdgeConnect-Cache-Status: 1
Date: Sat, 18 Apr 2015 23:21:01 GMT
Connection: keep-alive
0..........0..... .....0......0...0......&Km...."....}....,.c..2015041
8220000Z0s0q0I0... ........0..k....&..p..^.X.....{[E....z.1..j..F.WHP.
.G.Mxs..../.p./.^....20150418220000Z....20150425220000Z0...*.H........
.....D`]1.;...>.....i..Wv.vC...u7|..0.C.wyr!....K...1<...^.v.z..
...5...{.4...e..........7qzm[.G.h...l....x.>.l.^.K^a.....i..Af.....
.%o......8..t....O... x..S3.l.#.:S.&.[5HtJ.tkl.'.. ...B...).....Zv...G
H..)....'7.%[email protected]..@'.k.t.*....i...Q(}.........l.}4.....0...0.
..0............I...*....^n...0...*.H........0..1.0...U....US1.0...U...
.thawte, Inc.1(0&..U....Certification Services Division1806..U.../(c) 
2006 thawte, Inc. - For authorized use only1.0...U....thawte Primary R
oot CA0...141202000000Z..151216235959Z0_1.0...U....US1.0...U....thawte
, Inc.1907..U...0thawte Primary Root OCSP Responder Certificate 30.."0
...*.H.............0.........x...F83..,.D.,2D.;JGc.|_.k.....B.7.....G}
.M.s.....S.i.Uu.h.Aq..v...4:l..U.......T7l...~vl...r....{*..........V.
o..8|.B..^.a.. ...z....x..s...\[Y....<....'> ..YC..7.zVk.$...o3.
.kao]c...>C./bPX.......I..Oc.....NN......g.....,/..]......qN.....V!
<.3.)...y#.........i0g0...U.%..0... .......0... .....0......0...U..
.....0.0...U...........0!..U....0...0.1.0...U....TGV-B-2770...*.H.....
...........lt..\..z. ..N.f.!.S5d?J.&....r...D........L.`.s.p...HC.L.8f
... .........GA7......P..Z.%.../............z.n.6~I...].).....W...W\|.
uya..:...^...hW..7.Z.uc.'....:.xL...HS.....>.........5......%....3S
....h........U....o.C.\.t.....G.._.C0(l.E9..6UTxg.gF ..;...
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU= HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1396
content-transfer-encoding: binary
Cache-Control: max-age=595878, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 20:50:09 GMT
Expires: Sat, 25 Apr 2015 20:50:09 GMT
Date: Sat, 18 Apr 2015 23:21:01 GMT
Connection: keep-alive
0..p......i0..e.. .....0.....V0..R0......Qw.}`[email protected]
8205009Z0s0q0I0... ........l....r.vdv0..*.~Y..X....e?z.4..G.L.......q.
.jV. .>...A.4........20150418205009Z....20150425205009Z0...*.H.....
........B.. 4Y..!.Y..C..r2..N.mV"J......O....!.[......:....I.n.1&.6...
.Z.....9.....)..J..s.H..868;..H.z.vp.XUD.....Y.].... D.. ...(*...6...I
...a..vp..|.Z...9.L4.....U..in....0.>..w.V.]....v....F.Nw....7.=. .
.{.i9d.C9...Q.;.Z...0......N....X.(...Zy..Bw*.....f ...lN....0...0...0
..y.......^..........N...)0...*.H........0J1.0...U....US1.0...U....Tha
wte, Inc.1$0"..U....Thawte Code Signing CA - G20...150303000000Z..1506
01235959Z0Y1.0...U....US1.0...U....Thawte, Inc.1301..U...*Thawte Code 
Signing CA - G2 OCSP Responder0.."0...*.H.............0............).Z
.......O.~.l...,\.3.".'.'W .ih./..}OA...K...HJd....K^..<.....-.rWJ.
j.U.._......W.../.6....J.y.u-.\...2..U.52B.>...=F...RbR.y.zm.......
{b.bj....Y..J..m...*=.^......V.}p......rmA......9.L ...{?.g.-Y........
....8...k.$.:.5..6#4..F.#....t.B.8.O)'F.p).........d0b0...U....0.0...U
.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U..
..TGV-B-32450...*.H..............C.....8.Aw.{....`...y1N...W4M..M.J.3~
..7#}..X..:x..5....$...Z^%.?6..e...}I.)....... .A.w......_...B..j.T..Y
u.o.....g....H....q.Ju.SA`K.....~..O_.....S....I>..O.X..E.......]..
.y..L..F....K......../...._XSk6.:a};.?`...:^.....p....4Z.3L;.......t..
..>.....j....
<<< skipped >>>

The Worm connects to the servers at the folowing location(s):

moneyline.exe_644:

.rdata
@.data
.rsrc
@Uu.AUu$
.mixcrt
KERNEL32.DLL
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
GetProcessWindowStation
USER32.DLL
operator
} ~ % $ ,
' '!'"'#'$'%'&'''
%X'Y'Z'['\']'^'
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
* NO.NOPQRST}~
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSCONSTRAINTERSECTRIGGEREFERENCESUNIQUERYATTACHAVINGROUPDATEMPORARYBEGINNERENAMEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHEREPLACEAFTERESTRICTANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFINTOFFSETISNULLORDERIGHTOUTEROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
3.6.6.2
UxTheme.dll
<SIGNONMSGSRQV1>
Mddddd.000[-7:MST]
<USERPASS>
</SIGNONMSGSRQV1>
POST %s HTTP/1.1
Host: %s:443
Content-Length: %d
Mddddd
<BANKMSGSRQV1>
</BANKMSGSRQV1>
<CREDITCARDMSGSRQV1>
</CREDITCARDMSGSRQV1>
software=MoneyLine&version=1.23&report=UINSTALL&text=%s-%s&language=en&platform=Win&extra1=%d%s
hXXp://%s/components/%s
user32.dll
kernel32.dll
hXXp://cgi.nch.com.au/cgi-bin/regcheck.exe?cmd=v&id=%d&magic=%d&magicb=%d
tb_%s_us.dat
tb_%s_uk.dat
tb_%s_row.dat
hXXp://VVV.audiochannel.net/versions/components/%s
hXXp://VVV.audiochannel.net/components/toolbars/NCH_Chrome.exe
hXXp://VVV.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe
%f 0 0 %f 0 0 cm
%d 0 obj%s
%d 0 obj
<</Size %d /Root %d 0 R>>
<</Type/Catalog /Pages %d 0 R>>
%f %f %f %f %f %f cm
%f %f %f %f %f %f Tm
<</Length %d>>
%d 0 R
%f %f m
%f %f l
%f %f %f RG
%s %d 0 R
<</Type /XObject /Subtype /Image /Width %d /Height %d /ColorSpace /DeviceGray /BitsPerComponent 8 /Length %d %s>>
<</Type /XObject /Subtype /Image /Width %d /Height %d /SMask %d 0 R /ColorSpace %s /BitsPerComponent 8 /Length %d %s>>
1 0 0 1 %d %d cm
%s Do
<</Type/Pages /Count %d
%d 0 R
0 R /MediaBox [0 0 %d %d]
<</Type /Font /BaseFont /%s /Subtype /TrueType /Encoding /WinAnsiEncoding>>
<</Type /Font /BaseFont /%s /Subtype /Type1 /Encoding /WinAnsiEncoding>>
%f %f %f rg
%s %f Tf %f Tz %f Tw
%f %f Td
(%s) Tj
dwmapi.dll
hXXp://VVV.audiochannel.net/versions/moneyline.txt
comctl32.dll
TaskDialogIndirect
software=MoneyLine&version=1.23&report=COMMENT&text=COMMENT-%s&language=en&platform=Win
%s%s%s
MAPI32.DLL
SMTP:%s
%s, %.2d %s 20%.2d %.2d:%.2d:%.2d %s%.2d%.2d
From: %s
To: %s
Subject: %s
Date: %s
X-Mailer: MoneyLine VVV.nch.com.au/software
gc0p4Jq0M2Yt08jU534c%d
Content-Type: multipart/mixed; boundary=%s
Content-Type: %s; name="%s"
Content-Disposition: attachment; filename="%s"
--%s--
AUTH LOGIN
http=
%s/%s
POST %s HTTP/1.0
Host: %s
Content-Type: application/x-www-form-urlencoded
HTTP/1.
google.com
yahoo.com
C:\SourceCode\llib\include\../net/ssl.cpp
GET %s HTTP/1.0
CONNECT %s:%d HTTP/1.0
sqlite_version
sqlite_attach
sqlite_detach
RowKey
d-d-d d:d:d
d:d:d
d-d-d
922337203685477580
%s\etilqs_
OsError 0x%x (%u)
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
sqlite3BtreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in header on page %d
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmented space is %d byte reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
keyinfo(%d
%s(%d)
%s-mjX
unable to use function %s in the requested context
cannot rollback transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s
database table is locked: %s
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
cannot open indexed column for writing
cannot open value of type %s
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
%.*s"%w"%s
sqlite_rename_table
sqlite_rename_trigger
%s OR name=%Q
there is already another table or index with this name: %s
sqlite_
table %s may not be altered
view %s may not be altered
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_stat1
CREATE TABLE %Q.sqlite_stat1(tbl,idx,stat)
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
SELECT idx, stat FROM %Q.sqlite_stat1
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
%s %T cannot reference objects in database %s
illegal return value (%d) from the authorization function - should be SQLITE_OK, SQLITE_IGNORE, or SQLITE_DENY
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
DELETE FROM %s.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
unable to identify the object to be reindexed
no such collation sequence: %s
table %s may not be modified
cannot modify %s because it is a view
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
PRIMARY KEY must be unique
sqlite3_extension_init
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
foreign_key_list
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
%s.%s
%s:%d
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
sqlite_subquery_%p_
no such table: %s
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
at most %d tables in a join
cannot use index: %s
TABLE %s
%s AS %s
%s WITH INDEX %s
%s USING PRIMARY KEY
%s VIRTUAL TABLE INDEX %d:%s
%s ORDER BY
SQL logic error or missing database
large file support is disabled
no such vfs: %s
bracerighttp
bracketrighttp
parenrighttp
proportional
GetProcessHeap
KERNEL32.dll
RegDeleteKeyW
RegOpenKeyExW
RegOpenKeyW
RegQueryInfoKeyW
RegCreateKeyExW
RegCloseKey
CryptDeriveKey
RegSetKeySecurity
RegEnumKeyExW
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
SetViewportOrgEx
GetViewportExtEx
SetViewportExtEx
GDI32.dll
ole32.dll
OLEAUT32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
SHDeleteKeyW
SHDeleteEmptyKeyW
SHLWAPI.dll
GetKeyState
MsgWaitForMultipleObjects
CreateDialogIndirectParamW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyNameTextW
USER32.dll
WS2_32.dll
NETAPI32.dll
MSIMG32.dll
WINSPOOL.DRV
iphlpapi.dll
WININET.dll
DNSAPI.dll
GdiplusShutdown
gdiplus.dll
GetCPInfo
GetConsoleOutputCP
zcÁ
SShHG@
sù>
t>HHt.Ht Ht
C%d A
SSSh@
PSSSSSSh
t%f=g
j0SSSSSSSh
}rSSh7
ttSSh
C%uuQ
t.VPjg
PSSht
PWSSh
<9%u?
t8It.IIt#
.GFy"
t*9St|%9U
Jt.Ht!
ufSShP
u)SShX
u*SSh`
)0)0))123
aSSSh
FTPjK
FtPj;
C.PjRV
%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe
(%xSK
ssshhhWWW
-!.WF
2%SGE
.OBDFFFFFFT.
!22)()2222)
^7777'//
'777/'/'
]77/7''/
[.//.%%[
$$$w$$$w$$$w$$$w$$$w$$$w%%%t%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f&&&W%%%R%%$=&&&
%%%"%%%"%%%"%%%"%%%"%%%"%%%"%%%"
'%%''%%%%''%%'
'%%'$$%%$$'%%'
'%%%%$$$$%%%%'
$0000<222<<<9$
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"/>
<requestedExecutionLevel level="asInvoker" />
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--The ID below indicates app support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--The ID below indicates app support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates app support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
mhXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3277C77D7132E0118D16E72A4E8059DE" xmpMM:DocumentID="xmp.did:314D5A19534B11E0A6A5AAFBD55133F0" xmpMM:InstanceID="xmp.iid:314D5A18534B11E0A6A5AAFBD55133F0" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B6AAD5DF4A53E0118E8DE62C10C1BCAC" stRef:documentID="xmp.did:3277C77D7132E0118D16E72A4E8059DE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
(7),01444
'9=82<.342
NULLSecureKey
AcctUserPass
SELECT MAX(DATE(TransactionDate)) FROM Transactions WHERE Account = %s AND Note = "Balancing entry for reconciliation" AND Deleted = 0
SELECT COUNT(*) AS Cnt FROM Transactions WHERE Account = %s AND Deleted = 0
SELECT ID FROM Accounts WHERE AcctName = '%s' AND Deleted = 0
SELECT NextKey FROM RecordKeys WHERE ListName = '%Q'
UPDATE RecordKeys SET NextKey = '%Q' WHERE ListName = '%Q'
CREATE TABLE RecordKeys (ListName VARCHAR(255), NextKey VARCHAR(255))
INSERT INTO RecordKeys (ListName, NextKey) VALUES ('%Q', '2')
SELECT * FROM %s WHERE %s = '%Q'%s
SELECT * FROM %s%s
UPDATE %s SET
%s = '%Q'
%s%s =
WHERE %s = '%Q'%s
INSERT INTO %s (
VVV.nchsoftware.com/personalfinance/index.html
VVV.nchsoftware.com/personalfinance/support.html
hXXp://VVV.nch.com.au/suggestions/index.html?software=MoneyLine&version=1.23
hXXp://VVV.nch.com.au/software/bug.html?software=MoneyLine&version=1.23
shell32.dll
Are you sure that you would like to delete the selected accounts?%s
The string "%s" cannot be found in Account Names, Account Numbers or Financial Institutions.
No more accounts matching "%s" could be found.
Enter the balance held by the account prior to the earliest transaction entered or imported into MoneyLine.
Enter the password associated with the above user ID.
00:00:00
Last Import Date
Last import date needs to be prior to the current date.
Password
UseSMTPHost
MailSMTPHost
SMTPAuthOn
SMTPUserName
SMTPPassword
PasswordHint
Password Hint: %s
Click this button to send a password recovery email to the address you registered during setup.
The password you typed is incorrect. Please retype your current password.
Your MoneyLine password is %s.
You can change your password or remove password protection from the Options ~ Others ~ Security window in the program.
MoneyLine password recovery
Password Recovery
MoneyLine failed to send your password to your email address.
MoneyLine has sent your password to your email address. Please open the email and enter your password to access MoneyLine.
SELECT ID FROM Budgets WHERE BudgetName = '%s' AND Deleted = 0
%s AND ID != %s
SELECT count(*) as Count FROM BudgetAccounts WHERE BudgetID = %d AND AccountID = %d
DELETE FROM BudgetAccounts WHERE BudgetID = %d AND AccountID = %d
DELETE FROM BudgetAccounts WHERE BudgetID = %d
SELECT count(*) as Count FROM BudgetAccounts WHERE AccountID = %d
DELETE FROM BudgetCategories WHERE BudgetID = %d AND CategoryID = %d
DELETE FROM BudgetCategories WHERE BudgetID = %d
SELECT Amount FROM BudgetCategories WHERE BudgetID = %d AND CategoryID = %d
UPDATE BudgetCategories SET Amount = %lld WHERE BudgetID = %d AND CategoryID = %d
SELECT count(*) as Count FROM BudgetCategories WHERE BudgetID = %d AND CategoryID = %d
SELECT count(*) as Count FROM BudgetCategories WHERE CategoryID = %d
View budget report
Report
View Report
Total income every month: %s
Total expenses every month: %s
SELECT ID FROM Categories WHERE PayCategory = '%s' AND Parent = %d AND Deleted = 0
%s | %s
SELECT ID FROM Categories WHERE PayCategory = '%s'
SELECT ID FROM Categories WHERE PayCategory = '%s' and Parent = %s
AND Parent = %d
SELECT ID FROM Categories WHERE PayCategory = '%s' %s AND Deleted = 0
SELECT Header FROM Categories WHERE ID = %s AND Deleted = 0
SELECT COUNT(*) as Cnt FROM Categories WHERE Parent = %s AND Deleted = 0
SELECT Expense FROM Categories WHERE ID = %s
Are you sure that you would like to delete the selected categories?%s
The string "%s" cannot be found in Categories.
No more categories matching "%s" could be found.
12:00:00
%s%c%s%c%s
%s\NCH Software\MoneyLine\moneyline.vdb
Error importing
The Amount and Transaction Date fields must have fields from the CSV file assigned in order to import.
FIUrl
FIPort
Enter the URL used by the financial institution for accepting OFX (transaction data) requests.
Enter the port number used by the financial institution for accepting OFX (transaction data) requests.
Please enter a valid URL.
SELECT ID FROM PayAccounts WHERE PayName = '%s' AND Deleted = 0
SELECT ID FROM PayAccounts WHERE PayName = '%s'
Importing Transactions
The amount must be less than %s.
transactionimport
Import Transactions
Import
All selected transactions will be imported as new transactions.
New transactions for import:
Balance after import:
There may be no transactions since your last import or your account information may not be set up correctly. Check the help section for tips for retrieving transactions from your financial institution.
Balance after import:
M-----.%*3d[%f:%s]
BANKMSGSRSV
CREDITCARDMSGSRSV
Reports
Import from CSV file
Import from OFX/QFX file
%sAscend
ImportDialog
%s\NCH Software\MoneyLine\moneyline-0.vdb
Click to view transactions for %s.
Assets: %s
Liabilities: %s
Last reconciled: %s
moneyline.vdb
*.ofx;*.qfx
*.csv
BubbleTipImportCount
Budget Report
No transactions matching "%s" were found.
No more transactions matching "%s" could be found.
Warning: This transaction exceeds the monthly budgeted spending amount for category "%s" in the following budgets: %s
moneyline-0.vdb
Enter the password to access your bank account:
Must change USERPASS (INFO)
Contact your financial institution to change your password.
Your sign on information is invalid. Check your routing number, account number, user ID and password under the account information dialog.
USERPASS Lockout (ERROR)
%s information has not been properly set up for this account. Would you like to set this up now?
-split- %s
SELECT Balance, BalanceReconciled FROM MonthlyBalances WHERE Account = %d AND TimeStamp = %d
SELECT ID FROM MonthlyBalances WHERE Account = %d AND TimeStamp = %d
Add password
Please type your current password.
Please type your new password.
Please re-type your new password.
Please type a password hint.
Please type your email address where you want to receive your password.
Please type the new password in both boxes.
The password you typed do not match. Please retype the new password in both boxes.
Save password settings
The string "%s" cannot be found in Payee Names or Payee Notes.
No more payees matching "%s" could be found.
Reconcile Transactions (%s)
Transfer from %s
Transfer to %s
Difference: %s
E%s %s
%s %s is attached to this email.
This report has been generated automatically by MoneyLine.
There is no information available for this report.
Transactions Report for Category: %s
Period: %s to %s
Transactions Report for Payee: %s
JournalReport
reportperiod
23:59:59
reportperiodexpandbyaccounts
reportperiodaccounts
Select a valid year to run the report.
Select a valid month to run the report.
reportperiodbudgets
Income/Expenses Report By Category
Expense Report By Payee
%s Transactions
%s Report
HSend this report by fax
Send this report by email
Save this report as a CSV or PDF file
Print this report
View the print preview of this report
&Report
ReportView
Report: %s
reportview
ReportEmail
ReportFax
*.pdf
%s page %lu
MoneyLine%d.pdf
%s.pdf
SELECT COUNT(*) FROM %s WHERE %s = '%Q'%s
26.07.00
07.26.00
2000.07.26
26.07.2000
07.26.2000
26-07-00
07-26-00
2000-07-26
26-07-2000
07-26-2000
26/07/00
07/26/00
2000/07/26
26/07/2000
07/26/2000
passwordchange
passwordremove
SELECT ID, Amount, Category FROM SplitTransactions where TransactionID = %d AND Deleted != 1
The split transactions must sum to the original transaction amount of %s.
Do you have a %s that you would like to manage?
SELECT MIN(DATE(TransactionDate)) from Transactions where Account = %d AND Deleted = 0
SELECT MAX(DATE(TransactionDate)) from Transactions where Account = %d AND Deleted = 0
SELECT MAX(ID) from Transactions where TransactionDate in (SELECT MAX(TransactionDate) FROM Transactions where Account = %d and TransactionDate <= DATE('%s') AND Deleted = 0) AND Account = %d AND Deleted = 0
SELECT count(*) from Transactions where Account = %d and TransactionNumber = '%s' AND Deleted = 0
UPDATE Transactions SET PayAccount = '%s' WHERE PayAccount = '%s' and TransactionType != %d
%s%s"%s"
Account = %d AND PayAccount = %d
PayAccount = %d
Account = %d
SELECT * FROM Transactions WHERE %s AND TransactionDate >= DATE('%s') AND TransactionDate <= DATE('%s') AND Deleted = 0 ORDER BY %s
Edit Transaction (%s)
Add Transaction (%s)
ALTER TABLE %s ADD COLUMN %s %s
SELECT tbl_name, sql FROM sqlite_master WHERE type='table'
Software\NCH Software\%s\Settings
Software\NCH Swift Sound\%s\Settings
"%s" %%s
hXXp://VVV.nch.com.au/components/%s.exe
Waiting for %s
MoneyLine will continue when %s closes.
-show -type data -burn -exit "%s"
MoneyLine-Backup-%s
F.tmp
hXXp://VVV.nch.com.au/fax/services.html
Enter the gateway domain. For example to send a fax to [FaxNumber]@yourfaxco.com enter yourfaxco.com as the domain.
H{2318C2B1-4965-11d4-9B18-009027A5CD4F}
FTP file transfers
Upload your website using ftp
Manage stock, procurements and reporting
Track and Report Income and Expenditures
Zulu Disc Jockey Software
Clean and optimize your Windows registry by removing the old and damaged data that is bogging down your computer performance.
Voxal is a real time voice changing program. Change your voice live through speakers, in softphone calls, or any application or game that uses a microphone.
twelvekeys
TwelveKeys Music Transcription
Universal audio converting software supports all popular audio formats including mp3, wma, wav, midi, m4a, and more. Use it to convert and compress sound files.
Key Blaze Typing Tutor Software
A powerful FTP client that integrates with Windows Explorer for manual or automatic file uploading, or sync/mirror files and folders via FTP.
Fling FTP Sync Software Client
Easy to use file backup software to automatically back up critical data to CD, DVD, Blu-ray or a remote FTP server. Don't take chances with your valuable data.
Use this text expansion software to create keyboard shortcuts that will expand to an entire word, sentence, paragraph or document. A useful time saving tool.
Digital dictation software to record and send dictation for transcription directly from your computer, or dock and send dictation from a portable device.
Professional accounting software to manage and report business income and expenses, sales, invoices and payments. Great for small and medium-sized companies.
Easy to use video recording software lets you capture and record video from a webcam, your computer screen, an external video device or online streaming video.
Easy and reliable FTP client software. View, edit, upload, download, delete and otherwise manage files on a remote server, website or network.
cftpsetup
Classic FTP - FTP Client Software
ClassicFTP
Use your PC to broadcast live or recorded video from a webcam, computer screen or video input device. Video streams will play in all popular web browsers.
Orion finds and recovers deleted files on hard drives, external and portable drives. Or use the drive scrubber to ensure deleted files can't be recovered.
With Express Zip you can easily create zip files of your important documents, images, music and more to help save disk space, or to quickly email or burn to a CD.
InstallReport
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=moneyline&source=softwaretrial
mhXXp://VVV.nchsoftware.com
A full list of our products can be found at the below website. You may find another product that is more suitable for your needs.
software\microsoft\windows\currentversion\app paths\%s
Global\%s
moneyline.exe
hXXp://VVV.nch.com.au/upgrade/index.html?software=moneyline&upgradeid=%d&upgradekey=%s
hXXp://VVV.nch.com.au/activate/index.html?code=%s
%d:%d:%d
%d-%d-%d
MoneyLine.lnk
NCH Software.lnk
NCH Suite.lnk
Software\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine
URLInfoAbout
URLUpdateInfo
Software\Microsoft\Windows\CurrentVersion
shXXp://cgi.nch.com.au/cgi-bin/report.exe
uninst.exe
Uninstall is complete. If you need to reinstall this software again you can download it from VVV.nchsoftware.com.
Software\NCH Software\Components\%s
Special discount pricing ends on the 15th of %s.
Special discount pricing ends at the end of %s.
InstallingChrome
LaunchChromeOnInstall
hXXp://VVV.nchsoftware.com/software/thanks.html?software=MoneyLine&appname=%s&version=1.23&base=personalfinance&domain=nchsoftware&buyoffer=moneyline&plus=%s&pclass=free%s%s%s%s%s%s%s%s&instby=%s
&usage=XX
"%s" -uninstall
moneylinesetup_v1.23.exe
Software\NCH Software\MoneyLine\%s
-LQUIET -instby %sMoneyLine
%s (%s)
audiochannel.net
VVV.nch.com.au
An install-on-demand component could not be installed automatically. Please run it from the URL below then try again.
%s=%s
_moneyline_rl_%s
Report Bug
Would you be willing to complete an NCH Software Bug Report so our programmers can try to fix this? Please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.
hXXp://VVV.nch.com.au/software/bug.html?software=MoneyLine&version=1.23&xi=AbTermOrHang-Win%d%d
Win%d%d
Ukn0(Msg%dLstCmd%d)
(Cmd%d)
%s-%s-%s-%s
dbghelp.dll
Abnormal Execution Problem
Would you be willing to complete a NCH Software Bug Report so our programmers can try to fix this? If so, please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.
hXXp://VVV.nch.com.au/software/bug.html?software=MoneyLine&version=1.23&xi=GUI-%s
%d-%d-%%d
File "%s" already exists. Do you want to overwrite it?
Please check you have exited any previous running instances of MoneyLine and any other programs that might be using the file "%s". Then run the installer again.
Installation cannot be completed because the file "%s" cannot be written to.
LLIBShowrelatedwhenchromeoff
LLIBShowrelatedwhenchromeon
LLIBShowrelatedwhennochromeoff
LLIBShowrelatedwhennochromeon
Please read the following important information before continuing.
c:\program files (x86)\
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s\UserChoice
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s
explorer.exe
Advapi32.dll
W"%s" %s
hXXp://VVV.nchsoftware.com/%s.html
hXXp://VVV.nch.com.au/%s.html
hXXp://VVV.nch.com.au/kb/%d.html
.html
hXXp://help.nchsoftware.com/help/en/moneyline/win/%s.html
TwelveKeys
twelvekeyssetup
KeyBlaze
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=moneyline&version=1.23%s%s%s%s%s%s%s%s&instby=%s
hXXp://VVV.nchsoftware.com/software/registered.html?software=%s&appname=%s&version=1.23&base=personalfinance&domain=nchsoftware%s%s%s%s%s%s%s
ID - Key:
%s-%s
hXXp://VVV.nch.com.au/upgrade/index.html
%s Registration Code:
Register %s
Click here if you have not activated your 12-digit serial number online and have not received an ID-Key.
If you have already activated your serial number online, check your email for the ID-key. Then, click here to enter your ID-Key.
The code that you have entered is a license serial number. You must activate your serial number online to receive the ID-Key needed to register this software.
ID-Key is required to complete the registration.
Old Version Key
- You are using the correct ID and key for the correct product. Only the ID and key for MoneyLine will be accepted.
support/reg
registration.txt
Name: %s
Location: %s
ID - Key: %d - %s
-clear -label "MoneyLine Installer" -type data "%s" "%s"
Validate Key
Key cannot be validated. Please connect to the internet and try again.
2014-01-01
%s Version Required
nch.com.au
nchsoftware.com
hXXp://VVV.%s/%s
%s [Recommended]
Google Chrome, a faster way to browse the web
Free games, themes and utilities from the Google Chrome Store
Why people choose Chrome:
Install Google Chrome as my default browser
Google Toolbar makes web browsing more convenient:
Search from any website
Translate web pages instantly
hXXp://VVV.google.com/toolbar/ie/partnereula.html?hl=en
hXXp://VVV.google.com/accounts/TOS?hl=en
hXXp://VVV.google.com/intl/en/privacy/privacy-policy.html
By installing this application, you agree to the Google Chrome
By installing this application, you agree to the Google Chrome
hXXp://VVV.google.com/chrome/intl/en/eula_text.html
hXXp://VVV.google.com/chrome/intl/en/privacy.html
reject-chrome
Automatic download of the install-on-demand component "%s" failed.
The website will now be opened where you can download it manually.
Open Website
-installrelated %x -toolbar %x
NCH Software\MoneyLine%s
MoneyLine%s
%sT%s
Click to install and run %s
Click to run %s
MoneyLine cannot launch the program required to perform the selected task. Please go to nch.com.au/software to download it and try again.
hXXp://VVV.nchsoftware.com/software/index.html
hXXp://VVV.nchsoftware.com/software/newsletter.html%s%s
hXXps://secure.nch.com.au/cgi-bin/register.exe%s%s
hXXp://cgi.nch.com.au/cgi-bin/search.exe?q=%s&site=VVV.nch.com.au%s%s
Click to visit our website
(EOF) Element <%s> should be terminated with </%s>. Check you have terminated your element properly.
Tag <%s> does not have a closing '>'
Misplaced </%s> which does not match a <%s>.
Element <%s> should be terminated with </%s>, was with %s. Check you have terminated your element properly.
Ln %d, Col %d: %s
%s\shell\open\command
http\shell\open\command
iexplore.exe
iexplorer.exe
firefox.exe
chrome.exe
Installing Google Chrome
The Google Chrome installer could not be downloaded.
ChromeRequiresLaunch
ChromeMoneyLine
software\Google\No Chrome Offer Until
NCH_Chrome.exe
Sorry, Chrome was not installed because of some problems encountered during the installation process.
Chrome
NCH_GoogleToolbar.exe
chrome-google
chrome
Install Google Chrome - Free
Get Chrome to View Help Files
We recommend Google Chrome as the preferred viewer for our help pages.
Google Chrome is free and fast.
%%.ß
%s%.*d
%d%s%.3d
%lld%s%.3d%s%.3d
topic%d
Technical Support Page
Send Bug Report
Classic FTP Software
tar.gz
Software\Classes\%s
VVV.nchsoftware.com/personalfinance
splash.jpg
hXXp://VVV.nch.com.au/suggestions/index.html?software=MoneyLine&version=1.23%s%s
hXXp://VVV.nchsoftware.com/software/newsletter.html?software=MoneyLine&version=1.23%s%s
hXXp://VVV.nchsoftware.com/software/business.html
hXXp://VVV.facebook.com/NCHSoftware
hXXp://twitter.com/nchsoftware
hXXps://plus.google.com/ nchsoftware
hXXp://VVV.facebook.com/sharer/sharer.php?u=%s
I just downloaded %s. Try it here:
hXXp://VVV.twitter.com/home?status=%s%s
hXXps://plusone.google.com/_/ 1/confirm?hl=en&url=%s
hXXp://VVV.stumbleupon.com/submit?url=%s&title=NCH Software
hXXp://VVV.linkedin.com/shareArticle?url=%s&title=NCH Software&mini=true
hXXp://VVV.nchsoftware.com/software/rateit.html?software=MoneyLine&appname=%s&version=1.23&rating=%d&upgradeoffer=moneyline&os=Win&lang=en&base=personalfinance&domain=nchsoftware%s%s%s%s%s&instby=%s
Certify this program is being used for non-commercial, home use only
This version 1.23 of MoneyLine will only work on Windows 8 or earlier. A newer version is available for download on VVV.nchsoftware.com.
Software\NCH Software\%s
Software\NCH Swift Sound\%s
Quick Install-on-Demand %s
-extsuite %s
-extfind %s
Software\Classes\.%s
software\microsoft\windows\currentversion\explorer\fileexts\.%s\userchoice
%sfile
%s\shell
%s\shell\open
"%s" -extfind %s "%%L"
%s\DefaultIcon
%SystemRoot%\system32\shell32.dll,19
Software\Classes\%s\Shell\%s\command
Software\Classes\%s\Shell\%s
Software\Classes\%s\Shell
hXXp://VVV.nchsoftware.com/index.html
An install-on-demand component is required for this operation.
NCH Software\%s\%s.exe
NCH Swift Sound\%s\%s.exe
%s "%s"
Software\Classes\%s\shell\open\command
Software\Classes\%s\shell
Software\Classes\%s\shell\open
Software\Classes\%s\DefaultIcon
%s%s%s%s
Report a Problem
Click here if you would like to report a problem with MoneyLine.
If you find any problems with this release please let us know by reporting them.
%s Home Page
Distributed by %s
Licensed User: %s
Page %d of %lu
SMTP
IPM.Note
xMAPI32.DLL
e.g., mail.myisp.net
e.g., [email protected]
Your email software (e.g., Outlook, Eudora, etc.) has not been set up for MAPI. Refer to your email software Help to find out how to set it up for MAPI. Otherwise use the SMTP option.
If you choose SMTP you must enter a valid reply-to address. Enter your email address.
If you choose SMTP you must enter an SMTP mail host. Call your ISP if you don't know what your SMTP mail host is.
If your SMTP server requires authentication, you must enter a SMTP username to connect to your server.
Password Required
If your SMTP server requires authentication, you must enter a valid SMTP password to connect to your server.
Unable to connect to mail server "%s" when sending an email to "%s".
Unable to connect to either mail server "%s" or the mail server at "%s".
Unable to connect to mail server "%s".
Mail host server error (HELO not accepted, error code 504) for destination email %s - usually this means the email address is not valid.
Mail host server error (HELO not accepted): %d emailto: %s
Email authentication username or password not accepted
MoneyLine@%s
<Mail host server error (MAIL FROM not accepted). Please check your Email Settings.%s - (%d - %s)
Error while trying to send email. Email address may be wrong or your SMTP server may require a username or password. Please check address again and see Email Settings.
The recipient's email server does not allow email to be received in this manner. Please use an SMTP account for sending email to this address.
The recipient's email server rejected this email because of an unspecified reason. Try using an SMTP account for sending email to this address.
Mail host server error (data terminator not accepted) emailto: %s mailhost: %s error: %d
HFile does not exist: %s
Not enough memory available to load %s
Cannot open xml file: %s
%s/microsoft/windows mail/local folders/%s
SMTP_Server
SMTP_Email_Address
00000001
Software\Microsoft\Internet Account Manager\Accounts\%s
SMTP Email Address
SMTP Server
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\%s
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
%s\%s\d
%s\Thunderbird
%s\profiles.ini
%s\%s\prefs.js
mail.accountmanager.defaultaccount
mail.account.%s.identities
mail.identity.%s.useremail
mail.smtp.defaultserver
mail.smtpserver.%s.hostname
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Eudora.exe
deudora.ini
eudora.ini
%s\Qualcomm\Eudora\eudora.ini
SMTPServer
Windows Mail
Mozilla Thunderbird
%d.%d.%d.%d
127.0.0.1
libeay32.dll
ssleay32.dll
SIGNONMSGSRSV1
Use SMTP to send email directly to the mail server
SMTP mail host:
Password:
Send directly to other side (work as own SMTP server)
A full list of our products can be found at our below website. This may help you to find another product that is more suitable for your needs.
&ID - Key:
Upload to a remote web server with Fling
Enter your password
Prompt me for my password when connecting to my bank
Last Import:
Port Number:
Change Password Settings
Current Password:
New Password:
Confirm New Password:
Password Hint:
Change password
Remove Password
To remove your MoneyLine password, type the existing password.
Please enter your password:
Password Hint
Send password to registered email
Report Period
Generate Report for Period
Report Period For Account
Report Period Account Activity
f%xPi
Budget Report Period
f%xPh
Import Transactions from CSV
Password protect access to MoneyLine
Change Your Password
Remove Your Password


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    googletoolbarinstaller_en_signed.exe:3068
    NCH_GoogleToolbar.exe:1916
    GoogleUpdateSetup_latest.exe:968
    nchsetup.exe:816
    regsvr32.exe:588
    SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:600
    GoogleUpdaterService.exe:3016
    GoogleUpdaterService.exe:1812
    %original file name%.exe:964
    GoogleToolbarManager_BA9226F4C70BECC2.exe:2772
    GoogleToolbarManager_BA9226F4C70BECC2.exe:2564
    GoogleToolbarManager_BA9226F4C70BECC2.exe:3008
    GoogleUpdaterService_B33FC4DD36A473C6.exe:456
    GoogleToolbarNotifier.exe:3040
    GoogleToolbarNotifier.exe:1936
    openssl.exe:956
    moneyline.exe:2996
    moneyline.exe:2612

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe (620 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_62C1B48EAF0FD125.dll (514 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll (2 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_2AD99D2EA038D2F2.dll (489 bytes)
    C:\Windows\System32\config\SOFTWARE (67572 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_75A7C54F0BE42E8E.dll (149 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe (801 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar.7.5.6227.252.manifest.xml (36 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe (50 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_3934E923EEC91A78.dll (390 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller2.log (43839 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe (50 bytes)
    C:\$Directory (384 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe (1480 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe (390 bytes)
    C:\Windows\System32\config\SOFTWARE.LOG1 (61428 bytes)
    %Program Files% (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll (50 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_latest.exe (25250 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx6142.tmp\System.dll (23 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_es-419.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\GoogleUpdateSetup.exe (5441 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_bn.dll (28 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_ur.dll (28 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_fi.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\psmachine.dll (159 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_pl.dll (30 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_nl.dll (30 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_vi.dll (28 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_pt-PT.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_ko.dll (23 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_is.dll (28 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_de.dll (31 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_zh-TW.dll (21 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_da.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\psuser.dll (159 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdate.dll (1702 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_sw.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_fa.dll (27 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_hr.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_ru.dll (28 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_ar.dll (26 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_zh-CN.dll (21 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_lv.dll (30 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_am.dll (25 bytes)
    %Program Files% (x86)\GUM621C.tmp\GoogleUpdateOnDemand.exe (59 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_ta.dll (30 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_it.dll (30 bytes)
    %Program Files% (x86)\GUM621C.tmp\GoogleUpdateBroker.exe (59 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_iw.dll (26 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_ro.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_ml.dll (31 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_fil.dll (30 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_en-GB.dll (28 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_id.dll (28 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_fr.dll (30 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_hi.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_cs.dll (28 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_el.dll (30 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_sr.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\GoogleUpdate.exe (234 bytes)
    %Program Files% (x86)\GUT621D.tmp (4 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_bg.dll (30 bytes)
    %Program Files% (x86)\GUM621C.tmp\GoogleUpdateHelper.msi (25 bytes)
    %Program Files% (x86)\GUM621C.tmp\GoogleCrashHandler64.exe (550 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_no.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_tr.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_uk.dll (28 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_mr.dll (28 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_et.dll (28 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_es.dll (31 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_en.dll (27 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_th.dll (27 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_kn.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_ca.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_gu.dll (28 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_ja.dll (24 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_te.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_sk.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\npGoogleUpdate3.dll (838 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_hu.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_pt-BR.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_sv.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_lt.dll (28 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_sl.dll (29 bytes)
    %Program Files% (x86)\GUM621C.tmp\goopdateres_ms.dll (28 bytes)
    %Program Files% (x86)\GUM621C.tmp\GoogleCrashHandler.exe (212 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Video Capture Software.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\MoneyLine\MoneyLine.vdb-journal (2742 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Burn CD, DVD or Blu-Ray.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\Favorites\NCH Software Download Site.lnk (264 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Zip File Compression.lnk (1 bytes)
    %Program Files% (x86)\NCH Software\MoneyLine\moneyline-0.vdb (7772 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\MixPad MultiTrack Mixer.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\WavePad Sound Editor.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Rip CD Ripper.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\MoneyLine\moneyline.vdb (202 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Dictate Recorder.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Switch Sound File Converter.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Graphics File Converter.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\VideoPad Video Editor.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Inventory Software.lnk (1 bytes)
    %Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe (9147 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Time Tracking Software.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Invoicing Software.lnk (1 bytes)
    C:\Users\Public\Desktop\MoneyLine.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Classic FTP Software.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Accounting Software.lnk (1 bytes)
    %Program Files% (x86)\NCH Software\MoneyLine\moneylinesetup_v1.23.exe (3361 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Prism Video File Format Converter.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\RecordPad Sound Recorder.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Doxillion Document Converter.lnk (1 bytes)
    C:\Users\Public\Desktop\NCH Suite.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Accounting Software.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\SoundTap Streaming Recorder.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Invoicing Software.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Retail POS point of sale software system.lnk (1 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MoneyLine.lnk (1 bytes)
    %Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll (299 bytes)
    %Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll (144 bytes)
    %Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (79 bytes)
    %Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gth.dll (40 bytes)
    %Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll (981 bytes)
    %Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\Readme.url (212 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (1568 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (524 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (20887 bytes)
    C:\ProgramData\Google\Custom Buttons\toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (3159 bytes)
    %Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (1281 bytes)
    %Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (673 bytes)
    %Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (1425 bytes)
    %Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
    %Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe (2321 bytes)
    %Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)
    %Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (390 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\openssl_.cab (472 bytes)
    %Program Files% (x86)\NCH Software\Components\openssl\ssleay32.dll (4232 bytes)
    %Program Files% (x86)\NCH Software\Components\openssl\libeay32.dll (17231 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\openssl.exe (238856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_moneyline_rl_adm (8 bytes)
    %Program Files% (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe (382879 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now