mzpefinder_pcap_file.YR, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: d2bafd920ba06a6ed1f36957281c3765
SHA1: 7899c8b50c53a3ee498b836d436cfc757294dd62
SHA256: 673f038517ae646325acaa659dca5a2b1660e654c693ea55c2d2a2abe985a568
SSDeep: 12288:JdE7td8eVQrzHREwEupiX DjaxCOBR1dtsJS//cYP9EhxclYVItfRIln7t:QfdYzxpEuTACKGS/0euhxc4SQp
Size: 560720 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: NCH Software
Created at: 2013-12-10 07:05:55
Analyzed on: Windows7Ada SP1 64-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Worm creates the following process(es):
googletoolbarinstaller_en_signed.exe:3068
NCH_GoogleToolbar.exe:1916
GoogleUpdateSetup_latest.exe:968
nchsetup.exe:816
regsvr32.exe:588
SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:600
GoogleUpdaterService.exe:3016
GoogleUpdaterService.exe:1812
%original file name%.exe:964
GoogleToolbarManager_BA9226F4C70BECC2.exe:2772
GoogleToolbarManager_BA9226F4C70BECC2.exe:2564
GoogleToolbarManager_BA9226F4C70BECC2.exe:3008
GoogleUpdaterService_B33FC4DD36A473C6.exe:456
GoogleToolbarNotifier.exe:3040
GoogleToolbarNotifier.exe:1936
openssl.exe:956
moneyline.exe:2996
moneyline.exe:2612
The Worm injects its code into the following process(es):
moneyline.exe:644
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process googletoolbarinstaller_en_signed.exe:3068 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe (620 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_62C1B48EAF0FD125.dll (514 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll (2 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_2AD99D2EA038D2F2.dll (489 bytes)
C:\Windows\System32\config\SOFTWARE (67572 bytes)
C:\ (96 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_75A7C54F0BE42E8E.dll (149 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe (801 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar.7.5.6227.252.manifest.xml (36 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe (50 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_3934E923EEC91A78.dll (390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller2.log (43839 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe (50 bytes)
C:\Windows (288 bytes)
C:\$Directory (384 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe (1480 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe (390 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (61428 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll (50 bytes)
The process NCH_GoogleToolbar.exe:1916 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_latest.exe (25250 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx6142.tmp\System.dll (23 bytes)
The process GoogleUpdateSetup_latest.exe:968 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\GUM621C.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_bn.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ur.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_fi.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp (28 bytes)
%Program Files% (x86)\GUM621C.tmp\psmachine.dll (159 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_pl.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_nl.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_vi.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ko.dll (23 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_is.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_de.dll (31 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_da.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\psuser.dll (159 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdate.dll (1702 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sw.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_fa.dll (27 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_hr.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ru.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ar.dll (26 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_lv.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_am.dll (25 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ta.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_it.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_iw.dll (26 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ro.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ml.dll (31 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_fil.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_id.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_fr.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_hi.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_cs.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_el.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sr.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdate.exe (234 bytes)
%Program Files% (x86)\GUT621D.tmp (4 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_bg.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_no.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_tr.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_uk.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_mr.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_et.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_es.dll (31 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_en.dll (27 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_th.dll (27 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_kn.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ca.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_gu.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ja.dll (24 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_te.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sk.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_hu.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sv.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_lt.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sl.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ms.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleCrashHandler.exe (212 bytes)
The process nchsetup.exe:816 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Video Capture Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\MoneyLine\MoneyLine.vdb-journal (2742 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Burn CD, DVD or Blu-Ray.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\Favorites\NCH Software Download Site.lnk (264 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Zip File Compression.lnk (1 bytes)
%Program Files% (x86)\NCH Software\MoneyLine\moneyline-0.vdb (7772 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\MixPad MultiTrack Mixer.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\WavePad Sound Editor.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Rip CD Ripper.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\MoneyLine\moneyline.vdb (202 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Dictate Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Switch Sound File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Graphics File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\VideoPad Video Editor.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Inventory Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe (9147 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Time Tracking Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Invoicing Software.lnk (1 bytes)
C:\Users\Public\Desktop\MoneyLine.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Classic FTP Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Accounting Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\MoneyLine\moneylinesetup_v1.23.exe (3361 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Prism Video File Format Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\RecordPad Sound Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Doxillion Document Converter.lnk (1 bytes)
C:\Users\Public\Desktop\NCH Suite.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Accounting Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\SoundTap Streaming Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Invoicing Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Retail POS point of sale software system.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MoneyLine.lnk (1 bytes)
The process regsvr32.exe:588 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll (299 bytes)
The process SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:600 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll (144 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (79 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gth.dll (40 bytes)
%Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll (298 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll (981 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\Readme.url (212 bytes)
The process %original file name%.exe:964 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (524 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (20887 bytes)
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:2772 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\ProgramData\Google\Custom Buttons\toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (3159 bytes)
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:2564 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (1281 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (673 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (41404 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe (2321 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:3008 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (2406 bytes)
The process GoogleUpdaterService_B33FC4DD36A473C6.exe:456 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (390 bytes)
The process GoogleToolbarNotifier.exe:1936 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll (983 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll (147 bytes)
The process openssl.exe:956 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\openssl_.cab (472 bytes)
%Program Files% (x86)\NCH Software\Components\openssl\ssleay32.dll (4232 bytes)
%Program Files% (x86)\NCH Software\Components\openssl\libeay32.dll (17231 bytes)
The process moneyline.exe:644 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\openssl.exe (238856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\MoneyLine\MoneyLine.vdb-journal (8226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\MoneyLine\moneyline.vdb (1144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_moneyline_rl_adm (8 bytes)
The process moneyline.exe:2612 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe (382879 bytes)
Registry activity
The process googletoolbarinstaller_en_signed.exe:3068 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"sin" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"NextVersion" = "7.5.6227.252"
"currentVersion" = "7.5.6227.252"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"ein" = "1"
[HKCU\Software\Google\Google Toolbar\4.0\Setup]
"InstallProgress" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4A 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "2D 85 33 3A 90 73 D0 01"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar]
"test" = "41"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EnabledExperiments" = "POSI,PUMA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\Google\Google Toolbar\4.0\Setup]
"Command" = "2"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"FirstInstallTime" = "1429399011"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Google\Google Toolbar]
"LastInstallError"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"NextVersion"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"PrimaryInstallDone"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"FailedInstallPing"
The process nchsetup.exe:816 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Classes\divxfile\Shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\MoneyLine\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\MoneyLine"
[HKCU\Software\NCH Software\MoneyLine\Settings]
"InstallDate" = "1429398989"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\neffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Pixillion %L"
[HKCU\Software\Classes\.WAV]
"(Default)" = "wavfile"
[HKCU\Software\Classes\aifffile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"URLInfoAbout" = "www.nchsoftware.com/personalfinance/support.html"
[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"
[HKCU\Software\Classes\.mov]
"(Default)" = "movfile"
[HKCU\Software\Classes\giffile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"
[HKCU\Software\Classes\.MP3]
"(Default)" = "mp3file"
[HKCU\Software\NCH Software\MoneyLine\Registration]
"RD" = "1429399021"
[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\MoneyLine\Settings]
"RelatedRuns" = "-1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"Version" = "1.23"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Pixillion %L"
[HKCU\Software\Classes\gsmfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\avifile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\giffile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"UninstallString" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -uninstall"
[HKCU\Software\NCH Software\MoneyLine\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\MoneyLine"
[HKCU\Software\Classes\.OGG]
"(Default)" = "oggfile"
[HKCU\Software\Classes\asffile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\mohfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"
[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"
[HKCU\Software\Classes\.tar]
"(Default)" = "tarfile"
[HKCU\Software\Classes\jpegfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\neffile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\pngfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\aufile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"
[HKCU\Software\NCH Software\MoneyLine\Settings]
"InstalledByAdmin" = "1"
[HKCU\Software\Classes\dctfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCU\Software\Classes\m4vfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"VersionMajor" = "1"
[HKCU\Software\Classes\.dss]
"(Default)" = "dssfile"
[HKCU\Software\Classes\mpdpfile]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"
[HKCU\Software\Classes\mpgfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\vocfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"
[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"
[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Pixillion %L"
[HKCU\Software\Classes\wavfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\.AAC]
"(Default)" = "aacfile"
[HKCU\Software\Classes\avifile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"
[HKCU\Software\Classes\ds2file\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCU\Software\Classes\asffile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"
[HKCU\Software\Classes\.mp4]
"(Default)" = "mp4file"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\MoneyLine\Software]
"Installer" = "%Program Files% (x86)\NCH Software\MoneyLine\moneylinesetup_v1.23.exe"
[HKCU\Software\Classes\m4afile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Classes\aacfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"
[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"
[HKCU\Software\Classes\wmafile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"
[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"
[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\mp3file\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\gzfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"
[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Pixillion %L"
[HKCU\Software\Classes\aufile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\.gz]
"(Default)" = "gzfile"
[HKCU\Software\Classes\giffile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"
[HKCU\Software\Classes\.meo]
"(Default)" = "meofile"
[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"
[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"
[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\Windows.IsoFile\shell]
"(Default)" = "open"
[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"
[HKCU\Software\NCH Software\MoneyLine\Software]
"Toolbar" = "cnm-installed"
[HKCU\Software\Classes\.nef]
"(Default)" = "neffile"
[HKCU\Software\Classes\voxfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"
[HKCU\Software\Classes\.wp]
"(Default)" = "wpfile"
[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"
[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"DisplayIcon" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe"
[HKCU\Software\Classes\m4afile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\dctfile]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Classes\neffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"
[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\xvidfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\.spj]
"(Default)" = "spjfile"
[HKCU\Software\NCH Software\MoneyLine\Settings]
"currentVersion" = "1.23"
[HKCU\Software\Classes\.rar]
"(Default)" = "rarfile"
[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\CABFolder\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\mp3file\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"
[HKCU\Software\Classes\meofile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Meo %L"
[HKCU\Software\Classes\.divx]
"(Default)" = "divxfile"
[HKCU\Software\Classes\aiffile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"
[HKCU\Software\Classes\aiffile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"
[HKCU\Software\Classes\wavfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\.avi]
"(Default)" = "avifile"
[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\7zfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\aufile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\pngfile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"URLUpdateInfo" = "www.nchsoftware.com/personalfinance/index.html"
[HKCU\Software\Classes\giffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Pixillion %L"
[HKCU\Software\Classes\ds2file\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Scribe %L"
[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\wavfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\NCH Software\MoneyLine\Registration]
"Name" = ""
[HKCU\Software\Classes\.mpdp]
"(Default)" = "mpdpfile"
[HKCU\Software\Classes\mpdpfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\.mpeg]
"(Default)" = "mpegfile"
[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"
[HKCU\Software\Classes\7zfile\Shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"InstallLocation" = "%Program Files% (x86)\NCH Software\MoneyLine"
[HKCU\Software\Classes\ds2file\shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"
[HKCU\Software\Classes\.ds2]
"(Default)" = "ds2file"
[HKCU\Software\Classes\tar.gzfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\aiffile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\.AU]
"(Default)" = "aufile"
[HKCU\Software\Classes\.ivr]
"(Default)" = "ivrfile"
[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"
[HKCU\Software\Classes\.WMA]
"(Default)" = "wmafile"
[HKCU\Software\Classes\wmafile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\.xvid]
"(Default)" = "xvidfile"
[HKCU\Software\Classes\odtfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\.asf]
"(Default)" = "asffile"
[HKCU\Software\Classes\gzfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\movfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"
[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\meofile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCU\Software\Classes\CABFolder\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\CABFolder\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\docxfile\Shell]
"(Default)" = "open"
[HKCU\Software\Microsoft\Registration\NCH]
"MoneyLine" = "1"
[HKCU\Software\Classes\wpfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\rarfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\wpdfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"
[HKCU\Software\Classes\oggfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Doxillion %L"
[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"
[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\mp4file\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\.tar.gz]
"(Default)" = "tar.gzfile"
[HKCU\Software\Classes\neffile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\voxfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\TIFImage.Document\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\ivrfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind IVM %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"DisplayName" = "MoneyLine"
[HKCU\Software\Classes\rarfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\dssfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCU\Software\Classes\.vox]
"(Default)" = "voxfile"
[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\.7z]
"(Default)" = "7zfile"
[HKCU\Software\Classes\.moh]
"(Default)" = "mohfile"
[HKCU\Software\Classes\.mpeg2]
"(Default)" = "mpeg2file"
[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Prism %L"
[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\neffile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\.vpj]
"(Default)" = "vpjfile"
[HKCU\Software\Classes\mp3file\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"
[HKCU\Software\Classes\.FLAC]
"(Default)" = "flacfile"
[HKCU\Software\Classes\mpeg2file\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\asffile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\.voc]
"(Default)" = "vocfile"
[HKCU\Software\Classes\spjfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCU\Software\Classes\mpdpfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind MixPad %L"
[HKCU\Software\Classes\m4afile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\aiffile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"
[HKCU\Software\Classes\avifile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"
[HKCU\Software\Classes\wavfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"
[HKCU\Software\Classes\mohfile]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Classes\aifffile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"
[HKCU\Software\Classes\meofile]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Classes\aifffile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
"test" = "testv"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"Publisher" = "NCH Software"
[HKCU\Software\Classes\giffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\Windows.IsoFile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressBurn %L"
[HKCU\Software\Classes\vobfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\7zfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\.gsm]
"(Default)" = "gsmfile"
[HKCU\Software\Classes\ivrfile]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Classes\rtffile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\mohfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind IMS %L"
[HKCU\Software\Classes\ds2file]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"
[HKCU\Software\Classes\aacfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"VersionMinor" = "23"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Classes\ds2file\shell]
"(Default)" = "open"
[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\pngfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\vpjfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCU\Software\Classes\AcroExch.Document\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\vocfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\wmafile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"
[HKCU\Software\Classes\.dct]
"(Default)" = "dctfile"
[HKCU\Software\Classes\.AIFF]
"(Default)" = "aifffile"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Pixillion %L"
[HKCU\Software\Classes\tarfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\.doc]
"(Default)" = "docfile"
[HKCU\Software\Classes\.wpd]
"(Default)" = "wpdfile"
[HKCU\Software\Classes\aacfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\spjfile]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Classes\wmafile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\dssfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Scribe %L"
[HKCU\Software\Classes\aufile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\vpjfile]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\flacfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\docfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\aifffile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"
[HKCU\Software\Classes\aiffile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"
[HKCU\Software\Classes\.m4v]
"(Default)" = "m4vfile"
[HKCU\Software\Classes\oggfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"
[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\oggfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\mp3file\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\Paint.Picture\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\wmafile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"
[HKCU\Software\Classes\movfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"
[HKCU\Software\Classes\aifffile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine]
"DisplayVersion" = "1.23"
[HKCU\Software\Classes\voxfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\dssfile]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Classes\ivrfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCU\Software\Classes\mpegfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\wavfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind WavePad %L"
[HKCU\Software\Classes\.mpg]
"(Default)" = "mpgfile"
[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"
[HKCU\Software\Classes\.vob]
"(Default)" = "vobfile"
[HKCU\Software\Classes\.M4A]
"(Default)" = "m4afile"
[HKCU\Software\Classes\ds2file\shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\mp3file\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\vocfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\tarfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\dctfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Scribe %L"
[HKCU\Software\Classes\spjfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\rarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"
[HKCU\Software\Classes\Windows.IsoFile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCU\Software\Classes\movfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\tarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\.AIF]
"(Default)" = "aiffile"
[HKCU\Software\Classes\aufile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind Switch %L"
[HKCU\Software\Classes\vpjfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe -extfind VideoPad %L"
The Worm deletes the following registry key(s):
[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
"test"
[HKCU\Software\NCH Software\MoneyLine\Software]
"_ShowSurvey"
[HKCU\Software\NCH Software\MoneyLine\Registration]
"_XD"
[HKCU\Software\NCH Software\MoneyLine\Software]
"_ShowSurveyNow"
"ShowSurvey"
[HKCU\Software\NCH Software\MoneyLine\Registration]
"XD"
[HKCU\Software\NCH Software\MoneyLine\Software]
"_InstalledBy"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\NCH Software\MoneyLine\Software]
"ShowSurveyNow"
"InstalledBy"
The process regsvr32.exe:588 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\ProgID]
"(Default)" = "ProtectorExe.ProtectorHost.1"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"(Default)" = "ProtectorHost Class"
[HKCR\protector_dll.ProtectorBho\CurVer]
"(Default)" = "protector_dll.ProtectorBho.1"
[HKCR\protector_dll.ProtectorLib\CurVer]
"(Default)" = "protector_dll.ProtectorLib.1"
[HKCR\AppID\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}]
"(Default)" = "protector_dll"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"(Default)" = "ProtectorLib Class"
[HKCR\protector_dll.ProtectorBho.1\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorLib"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorBho"
[HKCR\protector_dll.ProtectorBho.1]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\protector_dll.ProtectorLib\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\protector_dll.ProtectorLib.1\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll"
[HKCR\protector_dll.ProtectorLib]
"(Default)" = "ProtectorLib Class"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"Depend" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID]
"(Default)" = "protector_dll.ProtectorLib.1"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\VersionIndependentProgID]
"(Default)" = "ProtectorExe.ProtectorHost"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\protector_dll.ProtectorLib.1]
"(Default)" = "ProtectorLib Class"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
"(Default)" = "protector_dll.ProtectorBho.1"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\protector_dll.ProtectorBho]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\AppID\protector_dll.DLL]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\protector_dll.ProtectorBho\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll"
The process SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:600 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier]
"Version" = "5.10.11023.1534"
"ID" = "7dc11b2a2ae540689b55d8be2d64b263"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534,"
[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"ust" = "100"
[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier\Clients]
"ietb" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier]
"brand" = "NCHD"
The Worm deletes the following registry key(s):
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
The process GoogleUpdaterService.exe:3016 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater\apps\swg]
"auto" = "0"
The process GoogleUpdaterService.exe:1812 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}]
"(Default)" = "ISilentUpdater"
[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}]
"(Default)" = "IUpdaterScheduler"
[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
[HKCR\AppID\GoogleUpdaterService.exe]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"
[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
[HKCR\GUSchedulerCtl.UpdaterScheduler]
"(Default)" = "Google Updater Scheduler class"
[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\ProgID]
"(Default)" = "GUServiceCtl.SilentUpdater.1"
[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"
[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"
[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}]
"(Default)" = "Google Updater Scheduler class"
[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"Version" = "1.0"
[HKCR\GUServiceCtl.SilentUpdater]
"(Default)" = "Google Silent Updater class"
[HKCR\GUServiceCtl.SilentUpdater\CLSID]
"(Default)" = "{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}"
[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}]
"(Default)" = "Google Silent Updater class"
[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
[HKCR\GUSchedulerCtl.UpdaterScheduler.1\CLSID]
"(Default)" = "{B53B7061-6584-46AA-A033-D610EB10BD9B}"
[HKCR\GUServiceCtl.SilentUpdater\CurVer]
"(Default)" = "GUServiceCtl.SilentUpdater.1"
[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"LocalService" = "gusvc"
[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"
[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}]
"(Default)" = "IUpdaterScheduler"
[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"(Default)" = "gusvc"
[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0]
"(Default)" = "Google Updater Service 1.0 Type Library"
[HKCR\GUServiceCtl.SilentUpdater.1\CLSID]
"(Default)" = "{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}"
[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\VersionIndependentProgID]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler"
[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"
[HKCR\GUServiceCtl.SilentUpdater.1]
"(Default)" = "Google Silent Updater class"
[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"
[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\ProgID]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler.1"
[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\VersionIndependentProgID]
"(Default)" = "GUServiceCtl.SilentUpdater"
[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}]
"(Default)" = "ISilentUpdater"
[HKCR\GUSchedulerCtl.UpdaterScheduler\CLSID]
"(Default)" = "{B53B7061-6584-46AA-A033-D610EB10BD9B}"
[HKCR\GUSchedulerCtl.UpdaterScheduler.1]
"(Default)" = "Google Updater Scheduler class"
[HKCR\GUSchedulerCtl.UpdaterScheduler\CurVer]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler.1"
[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
The Worm deletes the following value(s) in system registry:
[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"LocalService"
The process %original file name%.exe:964 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:2772 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\NonManifest\C:\ProgramData\Google\Custom Buttons]
"toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarDynamic_mui_en.dll" = "1"
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:2564 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayVersion" = "7.5.6227.252"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"ToastOfferTime" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"
[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"SystemPatchLevel" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\GoogleUpdate]
"InstallTimestamp" = "1429399007"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"Policy" = "3"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Publisher" = "Google Inc."
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleUpdaterService.exe" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"InstallType" = "3"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppName" = "GoogleToolbarUser_64.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"AllowInteractions" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayName" = "Google Toolbar for Internet Explorer"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EnableUsageStats" = "1"
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser_32.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"UninstallString" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /uninstall"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppName" = "GoogleToolbarUser_64.exe"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"SearchWithGoogleUpdate.exe" = "1"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"{14C626CA-ACAB-46e5-8A99-53C9E11CCCA0}_enabled" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"InstallTime" = "1429399008"
[HKCR\Installer\Products\18555481990E8AB4CBB63FB4F26006C0]
"AuthorizedLUAApp" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayIcon" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_7" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:7"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ButtonPageRank" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetDefaultSearch" = "3"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar]
"test" = "41"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser_32.exe"
[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"
[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetPageRank" = "2"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\GoogleUpdate]
"InstallResult" = "ti"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_5" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:5"
[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EulaAccepted" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"Policy" = "3"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_9" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:9"
"cmd_7.5.6227.252_8" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:8"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarManager.exe" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_6" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:6"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"brand" = "NCHD"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_4" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:4"
"cmd_7.5.6227.252_3" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:3"
"cmd_7.5.6227.252_2" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:2"
"cmd_7.5.6227.252_1" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:1"
"cmd_7.5.6227.252_0" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"
[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"PrimaryInstallDone" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetHomePage" = "2"
"BrowseByName" = "0"
"RbbsBreak" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5" = ""
[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5" = ""
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"UsageStatsEnabled" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"DisableBrowseByName" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"MinorVersion" = "5"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"Name" = "Google Toolbar"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"ID" = "782C522357179724943B09F8A7BD5A00E3785qKNSN"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Installations]
"1429399010" = "v=7.5.6227.252&tbbrand=NCHD&i=0"
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"InstallLocation" = "%Program Files% (x86)\Google\Google Toolbar\"
[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"NoModify" = "1"
"MajorVersion" = "7"
"NoRepair" = "1"
[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"brand" = "NCHD"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"
[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll"
The Worm deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\Programmable]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
[HKCU\Software\Classes\Local Settings\MuiCache\2D]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\Programmable]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum]
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"UseIe64"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"Vendor"
[HKCU\Software\Google\Google Toolbar\4.0]
"Update"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"RefreshIE"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"lang"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"WelcomePage"
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:3008 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarManager.exe" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"pv" = "7.5.6227.252"
The process GoogleUpdaterService_B33FC4DD36A473C6.exe:456 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater\apps\tbie]
"auto" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater]
"Path" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"
"Version" = "2.4.2617.4952"
The process GoogleToolbarNotifier.exe:3040 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"HideUI_Throttled" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"DetectChange_DS" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Google\GoogleToolbarNotifier]
"FirstRun" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionTime" = "F7 2A CA C1 2D 7A D0 01"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"Icon_Click" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "2D 85 33 3A 90 73 D0 01"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier]
"UpdateURL" = "http://clients1.google.com/tools/swg2/update"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecision" = "0"
"WpadNetworkName" = "Network 4"
[HKCU\Software\Google\GoogleToolbarNotifier]
"lds" = "http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ShowUI_TrayIcon" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier]
"DefaultLanguage" = "en"
"TS" = "1429399011"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"Bubble_Click" = "0"
"UserAllowChange_DS" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Google\GoogleToolbarNotifier]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ShowUI_Popup" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier]
"InstalledVersion" = "5.10.11023.1534"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDecisionReason" = "1"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"LastReportTime" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"scShowTrayIcon" = "ffffffff"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Google\GoogleToolbarNotifier]
"UsageStat" = "1"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ModifyUI_UserIntent" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
"WpadDecision" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier]
"Version" = "5.10.11023.1534"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKCU\Software\Google\GoogleToolbarNotifier]
"WantProductRestart"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Google\GoogleToolbarNotifier]
"ts"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Google\GoogleToolbarNotifier]
"DSPSuspended"
"SuspendedDS"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BA14452-3A93-4712-8A0D-BF6CFCC6695B}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
The process GoogleToolbarNotifier.exe:1936 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\ProtectorExe.ProtectorHost.1\CLSID]
"(Default)" = "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}"
[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}]
"(Default)" = "IProtectorLib7"
[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}]
"(Default)" = "IProtector11"
[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}]
"(Default)" = "IProtector2"
[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll"
[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}]
"(Default)" = "IProtector8"
[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}]
"(Default)" = "IProtector6"
[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}]
"(Default)" = "IProtectorHost2"
[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID]
"(Default)" = "protector_dll.ProtectorLib.1"
[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}]
"(Default)" = "IProtectorLib"
[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}]
"(Default)" = "IProtector3"
[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"Version" = "1a.0"
[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0]
"(Default)" = "protector_dllLib"
[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}]
"(Default)" = "protector_dll"
[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}]
"(Default)" = "IProtector9"
[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}]
"(Default)" = "ProtectorExe"
[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}]
"(Default)" = "IProtectorLib8"
[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}]
"(Default)" = "IProtectorLib8"
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"
[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}]
"(Default)" = "IProtectorLib7"
[HKCR\protector_dll.ProtectorLib.1]
"(Default)" = "ProtectorLib Class"
[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}]
"(Default)" = "IProtector4"
[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"Depend" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll"
[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"(Default)" = "ProtectorLib Class"
[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"Version" = "1a.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppName" = "GoogleToolbarNotifier.exe"
[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}]
"(Default)" = "IProtector5"
[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}]
"(Default)" = "IProtectorLib5"
[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"(Default)" = "ProtectorHost Class"
[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}]
"(Default)" = "IProtectorHost"
[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll"
[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}]
"(Default)" = "IProtector10"
[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorBho"
[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}]
"(Default)" = "IProtector10"
[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\ProgID]
"(Default)" = "ProtectorExe.ProtectorHost.1"
[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"Version" = "1a.0"
[HKCR\protector_dll.ProtectorLib\CurVer]
"(Default)" = "protector_dll.ProtectorLib.1"
[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}]
"(Default)" = "IProtector2"
[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}]
"(Default)" = "IProtector5"
[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"Version" = "1a.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"
[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}]
"(Default)" = "IProtectorHost"
[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}]
"(Default)" = "IProtector3"
[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\AppID\ProtectorExe.EXE]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\protector_dll.Protector.1\CLSID]
"(Default)" = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}"
[HKCR\ProtectorExe.ProtectorHost\CLSID]
"(Default)" = "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}"
[HKCR\protector_dll.ProtectorBho]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\AppID\protector_dll.DLL]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}]
"(Default)" = "IProtectorLib2"
[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\ProgID]
"(Default)" = "protector_dll.Protector.1"
[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}]
"(Default)" = "IProtectorLib6"
[HKCR\protector_dll.Protector\CLSID]
"(Default)" = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}"
[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\VersionIndependentProgID]
"(Default)" = "ProtectorExe.ProtectorHost"
[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}]
"(Default)" = "IProtector7"
[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\ProtectorExe.ProtectorHost]
"(Default)" = "ProtectorHost Class"
[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}]
"(Default)" = "IProtector4"
[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\protector_dll.ProtectorBho.1\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"
[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534"
[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\protector_dll.ProtectorBho.1]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}]
"(Default)" = "IProtectorLib3"
[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorLib"
[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}]
"(Default)" = "IProtector11"
[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}]
"(Default)" = "IProtector12"
[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\FLAGS]
"(Default)" = "0"
[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\VersionIndependentProgID]
"(Default)" = "protector_dll.Protector"
[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
"(Default)" = "protector_dll.ProtectorBho.1"
[HKCR\protector_dll.ProtectorLib.1\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"
[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}]
"(Default)" = "IProtectorLib3"
[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}]
"(Default)" = "IProtector"
[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}]
"(Default)" = "IProtector6"
[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"Version" = "1a.0"
[HKCR\ProtectorExe.ProtectorHost.1]
"(Default)" = "ProtectorHost Class"
[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\protector_dll.Protector\CurVer]
"(Default)" = "protector_dll.Protector.1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppName" = "GoogleToolbarNotifier.exe"
[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"Version" = "1a.0"
[HKCR\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}]
"RunAs" = "Interactive User"
[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}]
"(Default)" = "IProtectorLib5"
[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"Policy" = "3"
[HKCR\protector_dll.ProtectorBho\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"
[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"
[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
[HKCR\protector_dll.ProtectorBho\CurVer]
"(Default)" = "protector_dll.ProtectorBho.1"
[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\ProtectorExe.ProtectorHost\CurVer]
"(Default)" = "ProtectorExe.ProtectorHost.1"
[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\0\win32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll"
[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"Policy" = "3"
[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}]
"(Default)" = "IProtector12"
[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}]
"(Default)" = "IProtectorHost2"
[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"Version" = "1a.0"
[HKCR\protector_dll.Protector.1]
"(Default)" = "Protector Class"
[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll"
[HKCR\protector_dll.Protector]
"(Default)" = "Protector Class"
[HKCR\protector_dll.ProtectorLib\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"
[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}]
"(Default)" = "IProtector8"
[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}]
"(Default)" = "IProtector"
[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}]
"(Default)" = "IProtector9"
[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}]
"(Default)" = "Protector Class"
[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}]
"(Default)" = "IProtectorLib4"
[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}]
"(Default)" = "IProtector7"
[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}]
"(Default)" = "IProtectorLib"
[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}]
"(Default)" = "IProtectorLib4"
[HKCR\protector_dll.ProtectorLib]
"(Default)" = "ProtectorLib Class"
[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}]
"(Default)" = "IProtectorLib6"
[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}]
"(Default)" = "IProtectorLib2"
[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"Version" = "1a.0"
The process openssl.exe:956 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\NCH Swift Sound\Components\openssl]
"Path" = "%Program Files% (x86)\NCH Software\Components\openssl\ssleay32.dll"
[HKCU\Software\NCH Swift Sound\Components\openssl]
"Path" = "%Program Files% (x86)\NCH Software\Components\openssl\ssleay32.dll"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Components\openssl]
"Path" = "%Program Files% (x86)\NCH Software\Components\openssl\ssleay32.dll"
[HKCU\Software\NCH Software\Components\openssl]
"Path" = "%Program Files% (x86)\NCH Software\Components\openssl\ssleay32.dll"
The process moneyline.exe:644 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Registration\NCH]
"MoneyLine" = "2"
[HKCU\Software\NCH Software\MoneyLine\Setting]
"LastBackup" = "1429398999"
[HKCU\Software\NCH Software\MoneyLine\Settings]
"BubbleTipSetupAccount" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\NCH Software\MoneyLine\Registration]
"Name" = ""
"RD" = "1428966996"
[HKCU\Software\NCH Software\MoneyLine\Software]
"SVar" = "LLIBShowSuiteButtonOn"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process moneyline.exe:2996 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\NCH Software\MoneyLine\Scheduler]
"SevenDays" = "1"
The process moneyline.exe:2612 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\NCH Software\Components\GoogleToolbar]
"State" = "attempted"
[HKCU\Software\NCH Software\MoneyLine\Software]
"Toolbar" = "cnm-installed,gac,google"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Components\GoogleToolbar]
"State" = "attempted"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
MD5 | File path |
---|---|
5d4bc124faae6730ac002cdb67bf1a1c | c:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe |
786996ff4ea890b9f43ed68dd55ffd7b | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll |
c74e54032b25934882f5da142135f6e4 | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_75A7C54F0BE42E8E.dll |
d257b5fafad4fe93cd13ac792bf9b152 | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_2AD99D2EA038D2F2.dll |
d59b2b86e3b0f21c42700cb4f60c8f4d | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll |
327c893aa5966ac436ca275f8d64c8c0 | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe |
adf24d7a7195453f85e2f5cef3cbcc33 | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe |
852fd4db3205ff0cb6d8f473776f99b1 | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe |
aa9bc44f6d065f76902e516d0b45db6d | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_3934E923EEC91A78.dll |
ba214814e91a9eae3eeeaed77841f82a | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_62C1B48EAF0FD125.dll |
1f2afab903c0d48480561f3bbd4539c2 | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe |
4beaf576cb43358c4db9f45ac7c09cdb | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe |
78206b34bd050db564bf5b4b8c697925 | c:\Program Files (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe |
adf24d7a7195453f85e2f5cef3cbcc33 | c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe |
852fd4db3205ff0cb6d8f473776f99b1 | c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe |
aa9bc44f6d065f76902e516d0b45db6d | c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll |
ba214814e91a9eae3eeeaed77841f82a | c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll |
34c575178bacadb9744f3fb7f86b5ee3 | c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gth.dll |
c9188d8d26ceedbe77fa96f128f10fec | c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll |
68ba0437b07cd40c453c606dd762f6e0 | c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll |
5d61be7db55b026a5d61a3eed09d0ead | c:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe |
5050eb8b35a2ec4e17772690bb3e815c | c:\Program Files (x86)\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\0.0.0.0\googletoolbarinstaller_en_signed.exe |
5050eb8b35a2ec4e17772690bb3e815c | c:\Program Files (x86)\Google\Update\Install\{2EE51953-8013-47B0-AF95-53733957A5EC}\googletoolbarinstaller_en_signed.exe |
6154f737535b3dbea39c63223d52f5b8 | c:\Program Files (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe |
1c167f58b26b4afa6163303750aae802 | c:\Program Files (x86)\NCH Software\Components\openssl\libeay32.dll |
3125384cf278a4cd29e4b2731c13c7af | c:\Program Files (x86)\NCH Software\Components\openssl\ssleay32.dll |
13c2b288833eddaa220097b104f43ef1 | c:\Program Files (x86)\NCH Software\MoneyLine\moneyline.exe |
f440fbe175ee3222a3424a9b9b2030a0 | c:\Program Files\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll |
a1785c15213bdda8df5c1e167214e617 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\openssl.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
googletoolbarinstaller_en_signed.exe:3068
NCH_GoogleToolbar.exe:1916
GoogleUpdateSetup_latest.exe:968
nchsetup.exe:816
regsvr32.exe:588
SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:600
GoogleUpdaterService.exe:3016
GoogleUpdaterService.exe:1812
%original file name%.exe:964
GoogleToolbarManager_BA9226F4C70BECC2.exe:2772
GoogleToolbarManager_BA9226F4C70BECC2.exe:2564
GoogleToolbarManager_BA9226F4C70BECC2.exe:3008
GoogleUpdaterService_B33FC4DD36A473C6.exe:456
GoogleToolbarNotifier.exe:3040
GoogleToolbarNotifier.exe:1936
openssl.exe:956
moneyline.exe:2996
moneyline.exe:2612 - Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe (620 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_62C1B48EAF0FD125.dll (514 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll (2 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_2AD99D2EA038D2F2.dll (489 bytes)
C:\Windows\System32\config\SOFTWARE (67572 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_75A7C54F0BE42E8E.dll (149 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe (801 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar.7.5.6227.252.manifest.xml (36 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe (50 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_3934E923EEC91A78.dll (390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller2.log (43839 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe (50 bytes)
C:\$Directory (384 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe (1480 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe (390 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (61428 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_latest.exe (25250 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx6142.tmp\System.dll (23 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_bn.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ur.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_fi.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\psmachine.dll (159 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_pl.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_nl.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_vi.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ko.dll (23 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_is.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_de.dll (31 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_da.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\psuser.dll (159 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdate.dll (1702 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sw.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_fa.dll (27 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_hr.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ru.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ar.dll (26 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_lv.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_am.dll (25 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ta.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_it.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_iw.dll (26 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ro.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ml.dll (31 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_fil.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_id.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_fr.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_hi.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_cs.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_el.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sr.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdate.exe (234 bytes)
%Program Files% (x86)\GUT621D.tmp (4 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_bg.dll (30 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_no.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_tr.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_uk.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_mr.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_et.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_es.dll (31 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_en.dll (27 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_th.dll (27 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_kn.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ca.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_gu.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ja.dll (24 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_te.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sk.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_hu.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sv.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_lt.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_sl.dll (29 bytes)
%Program Files% (x86)\GUM621C.tmp\goopdateres_ms.dll (28 bytes)
%Program Files% (x86)\GUM621C.tmp\GoogleCrashHandler.exe (212 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Video Capture Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\MoneyLine\MoneyLine.vdb-journal (2742 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Burn CD, DVD or Blu-Ray.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\Favorites\NCH Software Download Site.lnk (264 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Zip File Compression.lnk (1 bytes)
%Program Files% (x86)\NCH Software\MoneyLine\moneyline-0.vdb (7772 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\MixPad MultiTrack Mixer.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\WavePad Sound Editor.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Rip CD Ripper.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\MoneyLine\moneyline.vdb (202 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Dictate Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Switch Sound File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Graphics File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\VideoPad Video Editor.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Inventory Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe (9147 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Time Tracking Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Invoicing Software.lnk (1 bytes)
C:\Users\Public\Desktop\MoneyLine.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Classic FTP Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Accounting Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\MoneyLine\moneylinesetup_v1.23.exe (3361 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Prism Video File Format Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\RecordPad Sound Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Doxillion Document Converter.lnk (1 bytes)
C:\Users\Public\Desktop\NCH Suite.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Accounting Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\SoundTap Streaming Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Invoicing Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Business Related Programs\Retail POS point of sale software system.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MoneyLine.lnk (1 bytes)
%Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll (299 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll (144 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (79 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gth.dll (40 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll (981 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\Readme.url (212 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (524 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (20887 bytes)
C:\ProgramData\Google\Custom Buttons\toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (3159 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (1281 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (673 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (1425 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe (2321 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)
%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\openssl_.cab (472 bytes)
%Program Files% (x86)\NCH Software\Components\openssl\ssleay32.dll (4232 bytes)
%Program Files% (x86)\NCH Software\Components\openssl\libeay32.dll (17231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\openssl.exe (238856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_moneyline_rl_adm (8 bytes)
%Program Files% (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe (382879 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: NCH Software
Product Name: MoneyLine
Product Version:
Legal Copyright: NCH Software
Legal Trademarks:
Original Filename:
Internal Name: MoneyLine
File Version: 1.23
File Description: MoneyLine
Comments:
Language: English (Australia)
Company Name: NCH SoftwareProduct Name: MoneyLineProduct Version: Legal Copyright: NCH SoftwareLegal Trademarks: Original Filename: Internal Name: MoneyLineFile Version: 1.23File Description: MoneyLineComments: Language: English (Australia)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.rdata | 4096 | 2338 | 2560 | 2.76389 | a322bee8b6315dcdf55664104eb8aed4 |
.data | 8192 | 1596 | 2048 | 3.48789 | cc10a049565dcd8a13f7ded9f6d7749b |
.rsrc | 12288 | 549244 | 549376 | 5.54264 | 8058fed9343d20b1ab7a9eb0279be339 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://audiochannel.net/versions/components/tb_google_row.dat | 66.39.83.117 |
hxxp://audiochannel.net/components/openssl.exe | 66.39.83.117 |
hxxp://audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe | 66.39.83.117 |
hxxp://google.com/dl/toolbar/t7/data/7.5.6227.252/googletoolbarinstaller_en_signed.exe | 216.58.209.206 |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f92e6d35e1df3589 | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40= | |
hxxp://google.com/tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=7dc11b2a2ae540689b55d8be2d64b263eb587e94ac&from=&to=5.10.11023.1534 | 216.58.209.206 |
hxxp://google.com/tools/pso/ping?as=tbin&gu=ti&mode=3&sin=1&ein=0&version=7.5.6227.252&brand=NCHD&hl=en&tbiv=7.5.6227.252&time=1429399011&fitime=1429399011&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=782C522357179724943B09F8A7BD5A00E3785qKNSN | 216.58.209.206 |
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?527573d03e1370e5 | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k= | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= | |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?527573d03e1370e5 | 87.245.216.25 |
hxxp://www.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe | 173.247.250.125 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= | 23.51.123.27 |
hxxp://www.audiochannel.net/versions/components/tb_google_row.dat | 173.247.250.125 |
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k= | 23.51.123.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | 23.51.123.27 |
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | 87.245.216.33 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40= | 23.51.123.27 |
hxxp://dl.google.com/dl/toolbar/t7/data/7.5.6227.252/googletoolbarinstaller_en_signed.exe | 216.58.209.206 |
hxxp://clients1.google.com/tools/pso/ping?as=tbin&gu=ti&mode=3&sin=1&ein=0&version=7.5.6227.252&brand=NCHD&hl=en&tbiv=7.5.6227.252&time=1429399011&fitime=1429399011&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=782C522357179724943B09F8A7BD5A00E3785qKNSN | 216.58.209.206 |
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 87.245.216.33 |
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 87.245.216.33 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | 23.51.123.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | 23.51.123.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= | 23.51.123.27 |
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | 87.245.216.33 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | 23.51.123.27 |
hxxp://clients1.google.com/tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=7dc11b2a2ae540689b55d8be2d64b263eb587e94ac&from=&to=5.10.11023.1534 | 216.58.209.206 |
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4= | 23.51.123.27 |
hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU= | 23.51.123.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= | 23.51.123.27 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f92e6d35e1df3589 | 87.245.216.25 |
tools.google.com | 216.58.209.206 |
time.windows.com | 23.102.23.44 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?527573d03e1370e5 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT
If-None-Match: "80b4d90ca4fd01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT
ETag: "80b4d90ca4fd01:0"
Cache-Control: max-age=604800
Date: Sat, 18 Apr 2015 23:17:19 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT..ETag: "80b4d90ca4fd01:0"..Cache-Control: max-age=604800..Date: Sat, 18 Apr 2015 23:17:19 GMT..Connection: keep-alive..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=574211, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 14:45:04 GMT
Expires: Sat, 25 Apr 2015 14:45:04 GMT
Date: Sat, 18 Apr 2015 23:16:48 GMT
Connection: keep-alive
0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..20150418144504Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...313..R...%V.......K3.....20150418144504Z....20150425144504Z0...*.H.............cG..0.<.3....Z}.. .A.D.c.O.l5.%9|.;q..E..{d...3u~....4....Hw....,w..p.<H.I ....0..M....V...|DY....&.nP.sD..B......,D0.{....Bp.....'j......C1.7[..N..........]..w.R....^......`F..sd.i.....A....._.j..\.9.j..gV)e..nv8..<...|..Y....x.J.S.{ ..W......7...yC~..vnP....0...0...0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificate 30.."0...*.H.............0...............2&..PL...,..2....:..tH...`JG.%..*...s.c%...?t..J..0.q....~..k@X.l.i....0..kk..h.9"1.5?..s.....3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$"..$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://www.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#.
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=456321, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 05:59:48 GMT
Expires: Fri, 24 Apr 2015 05:59:48 GMT
Date: Sat, 18 Apr 2015 23:16:48 GMT
Connection: keep-alive
0..........0..... .....0......0...0......N$p...v....1.;..vn....20150417055948Z0s0q0I0... ...................F....0.yV......{&.K......&.......).... .>...Fb.......20150417055948Z....20150424055948Z0...*.H....................n...}U..E.....K.0.;.l..;I.....E..l.}(u....ca.U.......P..O..~..F...:..g....pP...Ecd(Q.!...!.4.C.....z....Q....n.I..KND.r...8wm.|L...8 ....X.n..-.......1.$....RXd....I..2...>..^...4..e..?..c.4..'.\...V.....H..\9...\.{m,O}.6...'..&..2....e..t..K.....mr....0...0...0............F...I]A(M..s@.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.........q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e../jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H..............-..^.........f.P`...s.....8.....V.......... .... B.(@-)6.
<<< skipped >>>
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT
If-None-Match: "a1132b8ef65d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT
ETag: "a1132b8ef65d01:0"
Cache-Control: max-age=900
Date: Sat, 18 Apr 2015 23:17:19 GMT
Connection: keep-alive
....
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 07 Mar 2015 06:01:44 GMT
If-None-Match: "dde36a309c58d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT
ETag: "dde36a309c58d01:0"
Cache-Control: max-age=900
Date: Sat, 18 Apr 2015 23:17:19 GMT
Connection: keep-alive
....
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Mar 2015 06:01:35 GMT
If-None-Match: "cf2633d6957d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT
ETag: "cf2633d6957d01:0"
Cache-Control: max-age=765
Date: Sat, 18 Apr 2015 23:17:19 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT..ETag: "cf2633d6957d01:0"..Cache-Control: max-age=765..Date: Sat, 18 Apr 2015 23:17:19 GMT..Connection: keep-alive..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=485494, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 14:10:10 GMT
Expires: Fri, 24 Apr 2015 14:10:10 GMT
Date: Sat, 18 Apr 2015 23:21:01 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150417141010Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20150417141010Z....20150424141010Z0...*.H................c.8.c..d8..6_.S.O..~Q.0..biaE3.C......MY.W.J.'gu...5.U.X...........p..R.........7.ErNBD.....7.5..Z..k.8S.Y..=.h...]_.<...[t.?..D6...6(..@...C..rks.../A".....:.v....'.._.'.thz.}.e..W...RC..5.1f/.Z..61.~.7......F...>.FO...dw.G(5U'.[;;......T..`P. ... .......#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H
<<< skipped >>>
GET /components/openssl.exe HTTP/1.0
Host: audiochannel.net
HTTP/1.1 200 OK
Date: Sat, 18 Apr 2015 23:16:36 GMT
Server: Apache/2.2.29
Last-Modified: Wed, 07 Jul 2010 00:06:23 GMT
ETag: "77000-48ac0f0abfdc0"
Accept-Ranges: bytes
Content-Length: 487424
Connection: close
Content-Type: application/octet-stream
X-Pad: avoid browser bug
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.Q..g?E.g?E.g?E.hbE.g?E.g>E.g?E,.ME.g?E,.CE.g?E,.GE.g?ERich.g?E........................PE..L......H.....................`......."............@..........................p..............................................0...d....0...8..............................................................................|............................rdata..............................@..@.data........ ....... ..............@....rsrc....8...0...@...0..............@..@.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
<<< skipped >>>
GET /versions/components/tb_google_row.dat HTTP/1.0
Host: VVV.audiochannel.net
HTTP/1.1 404 Not Found
Date: Sat, 18 Apr 2015 23:16:36 GMT
Server: Apache
Content-Length: 236
Connection: close
Content-Type: text/html; charset=iso-8859-1
<html><head><title>Error 404 - Not Found</title><head><body><h1>Error 404 - Not Found</h1><p>The document you are looking for may have been removed or re-named. Please contact the web site owner for further assistance.</p></body></html>..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=463374, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 08:00:00 GMT
Expires: Fri, 24 Apr 2015 08:00:00 GMT
Date: Sat, 18 Apr 2015 23:21:09 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150417080000Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5..........^.3@..cL.1.......20150417080000Z....20150424080000Z0...*.H.............A..`.............Q.q..M....mq'.9.*..u..Y....TU..!T..J...i.Apu.q.e,.9.v...D......i...-.;.a.....e..z.)Et....x..4\j..<.....B[.........3......}..@<.6..:B"...^.....%.H.u4........{.B.M..].b....*..Q.8........_....C.fg.....Zs3.r....n|..t'..t..F...o....T.p...*3:..!...#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H
<<< skipped >>>
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT
Accept-Ranges: bytes
ETag: "2711f7277076d01:0"
Server: Microsoft-IIS/8.5
VTag: 438486457400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Sat, 18 Apr 2015 23:21:00 GMT
Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..150413163223Z..150713045223Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Z0... .....7......150712164223Z0...*.H.............WK....e.\.-.n......./......."]..E!.. //=...[....w... ..........#...[.l.J..f|..... .s......w...J._.......3.[..#.z....ko.I..Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x......W............j....&L. 2.$.?...X?.#.(.....pK.v.......y..r....t......=.AW......K.G.gJD.b...
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f92e6d35e1df3589 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT
If-None-Match: "804047d4e66d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT
ETag: "804047d4e66d01:0"
Cache-Control: max-age=86400
Date: Sat, 18 Apr 2015 23:16:48 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT..ETag: "804047d4e66d01:0"..Cache-Control: max-age=86400..Date: Sat, 18 Apr 2015 23:16:48 GMT..Connection: keep-alive..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECECVRccvD8Qb29B4D63fPT+k= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1396
content-transfer-encoding: binary
Cache-Control: max-age=447158, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 03:30:03 GMT
Expires: Fri, 24 Apr 2015 03:30:03 GMT
Date: Sat, 18 Apr 2015 23:20:57 GMT
Connection: keep-alive
0..p......i0..e.. .....0.....V0..R0......Qw.}`.Z8...JV...r@z...20150417033003Z0s0q0I0... ........l....r.vdv0..*.~Y..X....e?z.4..G.L.......q..%Qq.........w.O.....20150417033003Z....20150424033003Z0...*.H..............<.t.72.....&.Rtn....} ....-G....... ...9...E...M.I.E..:...M.=.8v..*.b.Êk...M=..Bu..S5c.s...i.Q...0......?....@c..T...p....[(j..K.t.d.....!.....j.....(f.C*. I.......N.....rU.x.U..9.9$..L..|(t.w-aR<.0,(..'L$ ...L..[.......v.......w{{.w)s...i.d~.....M...;~....0...0...0..y.......^..........N...)0...*.H........0J1.0...U....US1.0...U....Thawte, Inc.1$0"..U....Thawte Code Signing CA - G20...150303000000Z..150601235959Z0Y1.0...U....US1.0...U....Thawte, Inc.1301..U...*Thawte Code Signing CA - G2 OCSP Responder0.."0...*.H.............0............).Z.......O.~.l...,\.3.".'.'W .ih./..}OA...K...HJd....K^..<.....-.rWJ.j.U.._......W.../.6....J.y.u-.\...2..U.52B.>...=F...RbR.y.zm.......{b.bj....Y..J..m...*=.^......V.}p......rmA......9.L ...{?.g.-Y............8...k.$.:.5..6#4..F.#....t.B.8.O)'F.p).........d0b0...U....0.0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32450...*.H..............C.....8.Aw.{....`...y1N...W4M..M.J.3~..7#}..X..:x..5....$...Z^%.?6..e...}I.)....... .A.w......_...B..j.T..Yu.o.....g....H....q.Ju.SA`K.....~..O_.....S....I>..O.X..E.......]...y..L..F....K......../...._XSk6.:a};.?`...:^.....p....4Z.3L;.......t....>.....j....
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1552
content-transfer-encoding: binary
Cache-Control: max-age=482847, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 13:24:57 GMT
Expires: Fri, 24 Apr 2015 13:24:57 GMT
Date: Sat, 18 Apr 2015 23:21:10 GMT
Connection: keep-alive
0..........0..... .....0......0...0........C...4N...@..6...v...20150417132457Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.8........c..uU..$.;.....20150417132457Z....20150424132457Z0...*.H.............Y.4.<..&r.....&.>'.TqX.E...*...............Lp3.p.MU..^.....!e4.xN..1u.#.ox.....5.....j....&.....E...H=}..S....l..5{.........BO.......8[.~2:[}..W.SVd.y..%\f.x.op...]uE..W0.......}.. .S..Fp..".....:Iw ....M.....9l.>G.........;.#.>.B..... h...&.4.dARH..8(...r...50..10..-0..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certificate 30.."0...*.H.............0..........6..]......w';.r........I..c..4.... .........TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....e.^-..a.....i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<./.G.....I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I...B.....=...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i..Z.r.*$..(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=513024, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Apr 2015 21:49:58 GMT
Expires: Fri, 24 Apr 2015 21:49:58 GMT
Date: Sat, 18 Apr 2015 23:21:10 GMT
Connection: keep-alive
0..........0..... .....0......0...0......%bn.$..5.......?'4....20150417214958Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1..#....M....=....x..":...K.....20150417214958Z....20150424214958Z0...*.H.............y...eJ.K&.u&..HV..M'.m6K.,........N.Ou.{..#.Z.....GZ s.?.{......%..;m....N........u.p.>....T.Ez.......X..a...K..XU....)'.......e...F.5..7.}..VH....[...........^]...].Q..QH...*...'...G`....*...S......U....C.. ?.....l......|6.U)Z..a.wz.o...6.Sq...D.%Q..U........0...0...0..........7.R.~|..r."....#0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA0...150401000000Z..150630235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2009 OCSP Responder0.."0...*.H.............0..........z..|..>.....5.Z ...2.C MWIH.5......M.\.... ...eW..`.B=..`:..R. ...Z.k.Y.....p@.(3.c....a.;..[E....J:'...`...B....M..&......{. (........%......^[v[....m....*.T.o&4..3.....3.........G...e)...'?.K..2s..8=?..z.:..T..-.8R..8wv7*U.K..c...<s...]{.........6.?_...........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://www.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-34920...*.H.............,..-...
<<< skipped >>>
GET /components/toolbars/NCH_GoogleToolbar.exe HTTP/1.0
Host: VVV.audiochannel.net
HTTP/1.1 200 OK
Date: Sat, 18 Apr 2015 23:16:37 GMT
Server: Apache
Last-Modified: Mon, 07 Apr 2014 23:51:36 GMT
Accept-Ranges: bytes
Content-Length: 782288
Connection: close
Content-Type: application/x-msdownload
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7........................PE..L...?..I.................h...@...B...4............@.................................z................................................................................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata...................................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u...|.@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.2G.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.
<<< skipped >>>
GET /tools/pso/ping?as=tbin&gu=ti&mode=3&sin=1&ein=0&version=7.5.6227.252&brand=NCHD&hl=en&tbiv=7.5.6227.252&time=1429399011&fitime=1429399011&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=782C522357179724943B09F8A7BD5A00E3785qKNSN HTTP/1.1
User-Agent: Google Toolbar installer
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2
Date: Sat, 18 Apr 2015 23:16:51 GMT
Expires: Sat, 18 Apr 2015 23:16:51 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic,p=1
ok..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=545479, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 06:50:09 GMT
Expires: Sat, 25 Apr 2015 06:50:09 GMT
Date: Sat, 18 Apr 2015 23:20:55 GMT
Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20150418065009Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20150418065009Z....20150425065009Z0...*.H..................3..9..A..A....kqk......".R.P.....A.......A.7.......WT...=p.m.b...az.K..#..`.j\...g...._..v.OV...Z.......yr...m..bi..}."......O.."3..4.......... l...e.[Y....6p..yh.....u..r]A....j...U..z...ae..'.7.'.7 ..../.......`|....$..DU.p......n. :.:.........n.-......0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=591654, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 19:40:18 GMT
Expires: Sat, 25 Apr 2015 19:40:18 GMT
Date: Sat, 18 Apr 2015 23:20:55 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150418194018Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20150418194018Z....20150425194018Z0...*.H...............$c.!|..m..L.Z..N....u."%x..'.9.R...C.ZU3F.F:.J7.....F...X..?8..).H34< .-...q..w.F...%.*........1.b#GA`U*....H.e.p-.r....5..oK.1r...S.. *..H/83.b.1...`..(....c4.f...d\.>....aO>.4.%...a...`.;/.....hO%......"...O.......7............p.......4|U...p....s.P;.....#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...
<<< skipped >>>
GET /tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=7dc11b2a2ae540689b55d8be2d64b263eb587e94ac&from=&to=5.10.11023.1534 HTTP/1.1
Accept: */*
User-Agent: SearchWithGoogle
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: text/plain
Transfer-Encoding: chunked
Date: Sat, 18 Apr 2015 23:16:51 GMT
Expires: Sat, 18 Apr 2015 23:16:51 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic,p=1
16..rlz: 1R______enUA636..0..
HEAD /dl/toolbar/t7/data/7.5.6227.252/googletoolbarinstaller_en_signed.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: dl.google.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 5059928
Content-Type: application/x-msdos-program
Etag: "506e4"
Expires: Sun, 19 Apr 2015 16:16:46 PDT
Last-Modified: Fri, 27 Feb 2015 23:15:00 GMT
Server: downloads
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 18 Apr 2015 23:16:46 GMT
Alternate-Protocol: 80:quic,p=1
....
GET /dl/toolbar/t7/data/7.5.6227.252/googletoolbarinstaller_en_signed.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Fri, 27 Feb 2015 23:15:00 GMT
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: dl.google.com
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1503
content-transfer-encoding: binary
Cache-Control: max-age=600035, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 22:00:00 GMT
Expires: Sat, 25 Apr 2015 22:00:00 GMT
X-EdgeConnect-Cache-Status: 1
Date: Sat, 18 Apr 2015 23:21:01 GMT
Connection: keep-alive
0..........0..... .....0......0...0......&Km...."....}....,.c..20150418220000Z0s0q0I0... ........0..k....&..p..^.X.....{[E....z.1..j..F.WHP..G.Mxs..../.p./.^....20150418220000Z....20150425220000Z0...*.H.............D`]1.;...>.....i..Wv.vC...u7|..0.C.wyr!....K...1<...^.v.z.....5...{.4...e..........7qzm[.G.h...l....x.>.l.^.K^a.....i..Af......%o......8..t....O... x..S3.l.#.:S.&.[5HtJ.tkl.'.. ...B...).....Zv...GH..)....'7.%&.I..N...R@.r..@'.k.t.*....i...Q(}.........l.}4.....0...0...0............I...*....^n...0...*.H........0..1.0...U....US1.0...U....thawte, Inc.1(0&..U....Certification Services Division1806..U.../(c) 2006 thawte, Inc. - For authorized use only1.0...U....thawte Primary Root CA0...141202000000Z..151216235959Z0_1.0...U....US1.0...U....thawte, Inc.1907..U...0thawte Primary Root OCSP Responder Certificate 30.."0...*.H.............0.........x...F83..,.D.,2D.;JGc.|_.k.....B.7.....G}.M.s.....S.i.Uu.h.Aq..v...4:l..U.......T7l...~vl...r....{*..........V.o..8|.B..^.a.. ...z....x..s...\[Y....<....'> ..YC..7.zVk.$...o3..kao]c...>C./bPX.......I..Oc.....NN......g.....,/..]......qN.....V!<.3.)...y#.........i0g0...U.%..0... .......0... .....0......0...U.......0.0...U...........0!..U....0...0.1.0...U....TGV-B-2770...*.H................lt..\..z. ..N.f.!.S5d?J.&....r...D........L.`.s.p...HC.L.8f... .........GA7......P..Z.%.../............z.n.6~I...].).....W...W\|.uya..:...^...hW..7.Z.uc.'....:.xL...HS.....>.........5......%....3S....h........U....o.C.\.t.....G.._.C0(l.E9..6UTxg.gF ..;...
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1396
content-transfer-encoding: binary
Cache-Control: max-age=595878, public, no-transform, must-revalidate
Last-Modified: Sat, 18 Apr 2015 20:50:09 GMT
Expires: Sat, 25 Apr 2015 20:50:09 GMT
Date: Sat, 18 Apr 2015 23:21:01 GMT
Connection: keep-alive
0..p......i0..e.. .....0.....V0..R0......Qw.}`.Z8...JV...r@z...20150418205009Z0s0q0I0... ........l....r.vdv0..*.~Y..X....e?z.4..G.L.......q..jV. .>...A.4........20150418205009Z....20150425205009Z0...*.H.............B.. 4Y..!.Y..C..r2..N.mV"J......O....!.[......:....I.n.1&.6....Z.....9.....)..J..s.H..868;..H.z.vp.XUD.....Y.].... D.. ...(*...6...I...a..vp..|.Z...9.L4.....U..in....0.>..w.V.]....v....F.Nw....7.=. ..{.i9d.C9...Q.;.Z...0......N....X.(...Zy..Bw*.....f ...lN....0...0...0..y.......^..........N...)0...*.H........0J1.0...U....US1.0...U....Thawte, Inc.1$0"..U....Thawte Code Signing CA - G20...150303000000Z..150601235959Z0Y1.0...U....US1.0...U....Thawte, Inc.1301..U...*Thawte Code Signing CA - G2 OCSP Responder0.."0...*.H.............0............).Z.......O.~.l...,\.3.".'.'W .ih./..}OA...K...HJd....K^..<.....-.rWJ.j.U.._......W.../.6....J.y.u-.\...2..U.52B.>...=F...RbR.y.zm.......{b.bj....Y..J..m...*=.^......V.}p......rmA......9.L ...{?.g.-Y............8...k.$.:.5..6#4..F.#....t.B.8.O)'F.p).........d0b0...U....0.0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32450...*.H..............C.....8.Aw.{....`...y1N...W4M..M.J.3~..7#}..X..:x..5....$...Z^%.?6..e...}I.)....... .A.w......_...B..j.T..Yu.o.....g....H....q.Ju.SA`K.....~..O_.....S....I>..O.X..E.......]...y..L..F....K......../...._XSk6.:a};.?`...:^.....p....4Z.3L;.......t....>.....j....
<<< skipped >>>
Map
The Worm connects to the servers at the folowing location(s):
Strings from Dumps
moneyline.exe_644:
.rdata
.rdata
@.data
@.data
.rsrc
.rsrc
@Uu.AUu$
@Uu.AUu$
.mixcrt
.mixcrt
KERNEL32.DLL
KERNEL32.DLL
mscoree.dll
mscoree.dll
Please contact the application's support team for more information.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
portuguese-brazilian
portuguese-brazilian
GetProcessWindowStation
GetProcessWindowStation
USER32.DLL
USER32.DLL
operator
operator
} ~ % $ ,
} ~ % $ ,
' '!'"'#'$'%'&'''
' '!'"'#'$'%'&'''
%X'Y'Z'['\']'^'
%X'Y'Z'['\']'^'
SQLite format 3
SQLite format 3
CREATE TABLE sqlite_master(
CREATE TABLE sqlite_master(
sql text
sql text
CREATE TEMP TABLE sqlite_temp_master(
CREATE TEMP TABLE sqlite_temp_master(
* NO.NOPQRST}~
* NO.NOPQRST}~
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSCONSTRAINTERSECTRIGGEREFERENCESUNIQUERYATTACHAVINGROUPDATEMPORARYBEGINNERENAMEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHEREPLACEAFTERESTRICTANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFINTOFFSETISNULLORDERIGHTOUTEROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSCONSTRAINTERSECTRIGGEREFERENCESUNIQUERYATTACHAVINGROUPDATEMPORARYBEGINNERENAMEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHEREPLACEAFTERESTRICTANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFINTOFFSETISNULLORDERIGHTOUTEROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
3.6.6.2
3.6.6.2
UxTheme.dll
UxTheme.dll
Mddddd.000[-7:MST]
Mddddd.000[-7:MST]
POST %s HTTP/1.1
POST %s HTTP/1.1
Host: %s:443
Host: %s:443
Content-Length: %d
Content-Length: %d
Mddddd
Mddddd
software=MoneyLine&version=1.23&report=UINSTALL&text=%s-%s&language=en&platform=Win&extra1=%d%s
software=MoneyLine&version=1.23&report=UINSTALL&text=%s-%s&language=en&platform=Win&extra1=%d%s
hXXp://%s/components/%s
hXXp://%s/components/%s
user32.dll
user32.dll
kernel32.dll
kernel32.dll
hXXp://cgi.nch.com.au/cgi-bin/regcheck.exe?cmd=v&id=%d&magic=%d&magicb=%d
hXXp://cgi.nch.com.au/cgi-bin/regcheck.exe?cmd=v&id=%d&magic=%d&magicb=%d
tb_%s_us.dat
tb_%s_us.dat
tb_%s_uk.dat
tb_%s_uk.dat
tb_%s_row.dat
tb_%s_row.dat
hXXp://VVV.audiochannel.net/versions/components/%s
hXXp://VVV.audiochannel.net/versions/components/%s
hXXp://VVV.audiochannel.net/components/toolbars/NCH_Chrome.exe
hXXp://VVV.audiochannel.net/components/toolbars/NCH_Chrome.exe
hXXp://VVV.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe
hXXp://VVV.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe
%f 0 0 %f 0 0 cm
%f 0 0 %f 0 0 cm
%d 0 obj%s
%d 0 obj%s
%d 0 obj
%d 0 obj
>
>
>
>
%f %f %f %f %f %f cm
%f %f %f %f %f %f cm
%f %f %f %f %f %f Tm
%f %f %f %f %f %f Tm
>
>
%d 0 R
%d 0 R
%f %f m
%f %f m
%f %f l
%f %f l
%f %f %f RG
%f %f %f RG
%s %d 0 R
%s %d 0 R
>
>
>
>
1 0 0 1 %d %d cm
1 0 0 1 %d %d cm
%s Do
%s Do
%d 0 R
%d 0 R
0 R /MediaBox [0 0 %d %d]
0 R /MediaBox [0 0 %d %d]
>
>
>
>
%f %f %f rg
%f %f %f rg
%s %f Tf %f Tz %f Tw
%s %f Tf %f Tz %f Tw
%f %f Td
%f %f Td
(%s) Tj
(%s) Tj
dwmapi.dll
dwmapi.dll
hXXp://VVV.audiochannel.net/versions/moneyline.txt
hXXp://VVV.audiochannel.net/versions/moneyline.txt
comctl32.dll
comctl32.dll
TaskDialogIndirect
TaskDialogIndirect
software=MoneyLine&version=1.23&report=COMMENT&text=COMMENT-%s&language=en&platform=Win
software=MoneyLine&version=1.23&report=COMMENT&text=COMMENT-%s&language=en&platform=Win
%s%s%s
%s%s%s
MAPI32.DLL
MAPI32.DLL
SMTP:%s
SMTP:%s
%s, %.2d %s 20%.2d %.2d:%.2d:%.2d %s%.2d%.2d
%s, %.2d %s 20%.2d %.2d:%.2d:%.2d %s%.2d%.2d
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
X-Mailer: MoneyLine VVV.nch.com.au/software
X-Mailer: MoneyLine VVV.nch.com.au/software
gc0p4Jq0M2Yt08jU534c%d
gc0p4Jq0M2Yt08jU534c%d
Content-Type: multipart/mixed; boundary=%s
Content-Type: multipart/mixed; boundary=%s
Content-Type: %s; name="%s"
Content-Type: %s; name="%s"
Content-Disposition: attachment; filename="%s"
Content-Disposition: attachment; filename="%s"
--%s--
--%s--
AUTH LOGIN
AUTH LOGIN
http=
http=
%s/%s
%s/%s
POST %s HTTP/1.0
POST %s HTTP/1.0
Host: %s
Host: %s
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
HTTP/1.
HTTP/1.
google.com
google.com
yahoo.com
yahoo.com
C:\SourceCode\llib\include\../net/ssl.cpp
C:\SourceCode\llib\include\../net/ssl.cpp
GET %s HTTP/1.0
GET %s HTTP/1.0
CONNECT %s:%d HTTP/1.0
CONNECT %s:%d HTTP/1.0
sqlite_version
sqlite_version
sqlite_attach
sqlite_attach
sqlite_detach
sqlite_detach
RowKey
RowKey
d-d-d d:d:d
d-d-d d:d:d
d:d:d
d:d:d
d-d-d
d-d-d
922337203685477580
922337203685477580
%s\etilqs_
%s\etilqs_
OsError 0x%x (%u)
OsError 0x%x (%u)
invalid page number %d
invalid page number %d
2nd reference to page %d
2nd reference to page %d
Failed to read ptrmap key=%d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
%d of %d pages missing from overflow list starting at %d
failed to get page %d
failed to get page %d
freelist leaf count too big on page %d
freelist leaf count too big on page %d
Page %d:
Page %d:
unable to get the page. error code=%d
unable to get the page. error code=%d
sqlite3BtreeInitPage() returns error code %d
sqlite3BtreeInitPage() returns error code %d
On tree page %d cell %d:
On tree page %d cell %d:
On page %d at right child:
On page %d at right child:
Corruption detected in header on page %d
Corruption detected in header on page %d
Corruption detected in cell %d on page %d
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Multiple uses for byte %d of page %d
Fragmented space is %d byte reported as %d on page %d
Fragmented space is %d byte reported as %d on page %d
Page %d is never used
Page %d is never used
Pointer map page %d is referenced
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
Outstanding page count goes from %d to %d during this analysis
keyinfo(%d
keyinfo(%d
%s(%d)
%s(%d)
%s-mjX
%s-mjX
unable to use function %s in the requested context
unable to use function %s in the requested context
cannot rollback transaction - SQL statements in progress
cannot rollback transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_temp_master
sqlite_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s
database table is locked: %s
database table is locked: %s
cannot open virtual table: %s
cannot open virtual table: %s
cannot open view: %s
cannot open view: %s
no such column: "%s"
no such column: "%s"
cannot open indexed column for writing
cannot open indexed column for writing
cannot open value of type %s
cannot open value of type %s
misuse of aliased aggregate %s
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s.%s
%s: %s.%s
%s: %s.%s
%s: %s
%s: %s
not authorized to use function: %s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
variable number must be between ?1 and ?%d
too many SQL variables
too many SQL variables
too many columns in %s
too many columns in %s
%.*s"%w"%s
%.*s"%w"%s
sqlite_rename_table
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_trigger
%s OR name=%Q
%s OR name=%Q
there is already another table or index with this name: %s
there is already another table or index with this name: %s
sqlite_
sqlite_
table %s may not be altered
table %s may not be altered
view %s may not be altered
view %s may not be altered
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
sqlite_sequence
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_stat1
sqlite_stat1
CREATE TABLE %Q.sqlite_stat1(tbl,idx,stat)
CREATE TABLE %Q.sqlite_stat1(tbl,idx,stat)
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
SELECT idx, stat FROM %Q.sqlite_stat1
SELECT idx, stat FROM %Q.sqlite_stat1
too many attached databases - max %d
too many attached databases - max %d
database %s is already in use
database %s is already in use
unable to open database: %s
unable to open database: %s
no such database: %s
no such database: %s
cannot detach database %s
cannot detach database %s
database %s is locked
database %s is locked
%s %T cannot reference objects in database %s
%s %T cannot reference objects in database %s
illegal return value (%d) from the authorization function - should be SQLITE_OK, SQLITE_IGNORE, or SQLITE_DENY
illegal return value (%d) from the authorization function - should be SQLITE_OK, SQLITE_IGNORE, or SQLITE_DENY
access to %s.%s.%s is prohibited
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
object name reserved for internal use: %s
there is already an index named %s
there is already an index named %s
too many columns on %s
too many columns on %s
duplicate column name: %s
duplicate column name: %s
default value of column [%s] is not constant
default value of column [%s] is not constant
table "%s" has more than one primary key
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
CREATE %s %.*s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
table %s may not be dropped
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
use DROP VIEW to delete view %s
DELETE FROM %s.sqlite_sequence WHERE name=%Q
DELETE FROM %s.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
foreign key on %s should reference only one column of table %T
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
unknown column "%s" in foreign key definition
indexed columns are not unique
indexed columns are not unique
table %s may not be indexed
table %s may not be indexed
views may not be indexed
views may not be indexed
virtual tables may not be indexed
virtual tables may not be indexed
there is already a table named %s
there is already a table named %s
index %s already exists
index %s already exists
sqlite_autoindex_%s_%d
sqlite_autoindex_%s_%d
table %s has no column named %s
table %s has no column named %s
CREATE%s INDEX %.*s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q
DELETE FROM %Q.%s WHERE name=%Q
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
unable to identify the object to be reindexed
unable to identify the object to be reindexed
no such collation sequence: %s
no such collation sequence: %s
table %s may not be modified
table %s may not be modified
cannot modify %s because it is a view
cannot modify %s because it is a view
table %S has %d columns but %d values were supplied
table %S has %d columns but %d values were supplied
%d values for %d columns
%d values for %d columns
table %S has no column named %s
table %S has no column named %s
%s.%s may not be NULL
%s.%s may not be NULL
PRIMARY KEY must be unique
PRIMARY KEY must be unique
sqlite3_extension_init
sqlite3_extension_init
unable to open shared library [%s]
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
error during initialization: %s
automatic extension loading failed: %s
automatic extension loading failed: %s
foreign_key_list
foreign_key_list
*** in database %s ***
*** in database %s ***
unsupported encoding: %s
unsupported encoding: %s
malformed database schema (%s)
malformed database schema (%s)
%s - %s
%s - %s
unsupported file format
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s
SELECT name, rootpage, sql FROM '%q'.%s
database schema is locked: %s
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
cannot join using column %s - column not present in both tables
%s.%s
%s.%s
%s:%d
%s:%d
ORDER BY clause should come after %s not before
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
no such index: %s
sqlite_subquery_%p_
sqlite_subquery_%p_
no such table: %s
no such table: %s
sqlite3_get_table() called with two or more incompatible queries
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
no such trigger: %S
-- TRIGGER %s
-- TRIGGER %s
no such column: %s
no such column: %s
PRAGMA vacuum_db.synchronous=OFF
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor failed: %s
vtable constructor did not declare schema: %s
vtable constructor did not declare schema: %s
no such module: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
table %s: xBestIndex returned an invalid plan
at most %d tables in a join
at most %d tables in a join
cannot use index: %s
cannot use index: %s
TABLE %s
TABLE %s
%s AS %s
%s AS %s
%s WITH INDEX %s
%s WITH INDEX %s
%s USING PRIMARY KEY
%s USING PRIMARY KEY
%s VIRTUAL TABLE INDEX %d:%s
%s VIRTUAL TABLE INDEX %d:%s
%s ORDER BY
%s ORDER BY
SQL logic error or missing database
SQL logic error or missing database
large file support is disabled
large file support is disabled
no such vfs: %s
no such vfs: %s
bracerighttp
bracerighttp
bracketrighttp
bracketrighttp
parenrighttp
parenrighttp
proportional
proportional
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
RegDeleteKeyW
RegDeleteKeyW
RegOpenKeyExW
RegOpenKeyExW
RegOpenKeyW
RegOpenKeyW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegCreateKeyExW
RegCreateKeyExW
RegCloseKey
RegCloseKey
CryptDeriveKey
CryptDeriveKey
RegSetKeySecurity
RegSetKeySecurity
RegEnumKeyExW
RegEnumKeyExW
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
comdlg32.dll
comdlg32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportExtEx
GetViewportExtEx
SetViewportExtEx
SetViewportExtEx
GDI32.dll
GDI32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
ShellExecuteW
ShellExecuteW
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
SHDeleteKeyW
SHDeleteKeyW
SHDeleteEmptyKeyW
SHDeleteEmptyKeyW
SHLWAPI.dll
SHLWAPI.dll
GetKeyState
GetKeyState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
CreateDialogIndirectParamW
CreateDialogIndirectParamW
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExW
SetWindowsHookExW
MapVirtualKeyW
MapVirtualKeyW
GetKeyNameTextW
GetKeyNameTextW
USER32.dll
USER32.dll
WS2_32.dll
WS2_32.dll
NETAPI32.dll
NETAPI32.dll
MSIMG32.dll
MSIMG32.dll
WINSPOOL.DRV
WINSPOOL.DRV
iphlpapi.dll
iphlpapi.dll
WININET.dll
WININET.dll
DNSAPI.dll
DNSAPI.dll
GdiplusShutdown
GdiplusShutdown
gdiplus.dll
gdiplus.dll
GetCPInfo
GetCPInfo
GetConsoleOutputCP
GetConsoleOutputCP
zcÃ
zcÃ
SShHG@
SShHG@
sù>
sù>
t>HHt.Ht Ht
t>HHt.Ht Ht
C%d A
C%d A
SSSh@
SSSh@
PSSSSSSh
PSSSSSSh
t%f=g
t%f=g
j0SSSSSSSh
j0SSSSSSSh
}rSSh7
}rSSh7
ttSSh
ttSSh
C%uuQ
C%uuQ
t.VPjg
t.VPjg
PSSht
PSSht
PWSSh
PWSSh
t8It.IIt#
t8It.IIt#
.GFy"
.GFy"
t*9St|%9U
t*9St|%9U
Jt.Ht!
Jt.Ht!
ufSShP
ufSShP
u)SShX
u)SShX
u*SSh`
u*SSh`
)0)0))123
)0)0))123
aSSSh
aSSSh
FTPjK
FTPjK
FtPj;
FtPj;
C.PjRV
C.PjRV
%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe
%Program Files% (x86)\NCH Software\MoneyLine\moneyline.exe
(%xSK
(%xSK
ssshhhWWW
ssshhhWWW
-!.WF
-!.WF
2%SGE
2%SGE
.OBDFFFFFFT.
.OBDFFFFFFT.
!22)()2222)
!22)()2222)
^7777'//
^7777'//
'777/'/'
'777/'/'
]77/7''/
]77/7''/
[.//.%%[
[.//.%%[
$$$w$$$w$$$w$$$w$$$w$$$w%%%t%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f&&&W%%%R%%$=&&&
$$$w$$$w$$$w$$$w$$$w$$$w%%%t%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f%%%f&&&W%%%R%%$=&&&
%%%"%%%"%%%"%%%"%%%"%%%"%%%"%%%"
%%%"%%%"%%%"%%%"%%%"%%%"%%%"%%%"
'%%''%%%%''%%'
'%%''%%%%''%%'
'%%'$$%%$$'%%'
'%%'$$%%$$'%%'
'%%%%$$$$%%%%'
'%%%%$$$$%%%%'
$0000
$0000
mhXXp://ns.adobe.com/xap/1.0/
mhXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
(7),01444
(7),01444
'9=82<.342>
'9=82<.342>
NULLSecureKey
NULLSecureKey
AcctUserPass
AcctUserPass
SELECT MAX(DATE(TransactionDate)) FROM Transactions WHERE Account = %s AND Note = "Balancing entry for reconciliation" AND Deleted = 0
SELECT MAX(DATE(TransactionDate)) FROM Transactions WHERE Account = %s AND Note = "Balancing entry for reconciliation" AND Deleted = 0
SELECT COUNT(*) AS Cnt FROM Transactions WHERE Account = %s AND Deleted = 0
SELECT COUNT(*) AS Cnt FROM Transactions WHERE Account = %s AND Deleted = 0
SELECT ID FROM Accounts WHERE AcctName = '%s' AND Deleted = 0
SELECT ID FROM Accounts WHERE AcctName = '%s' AND Deleted = 0
SELECT NextKey FROM RecordKeys WHERE ListName = '%Q'
SELECT NextKey FROM RecordKeys WHERE ListName = '%Q'
UPDATE RecordKeys SET NextKey = '%Q' WHERE ListName = '%Q'
UPDATE RecordKeys SET NextKey = '%Q' WHERE ListName = '%Q'
CREATE TABLE RecordKeys (ListName VARCHAR(255), NextKey VARCHAR(255))
CREATE TABLE RecordKeys (ListName VARCHAR(255), NextKey VARCHAR(255))
INSERT INTO RecordKeys (ListName, NextKey) VALUES ('%Q', '2')
INSERT INTO RecordKeys (ListName, NextKey) VALUES ('%Q', '2')
SELECT * FROM %s WHERE %s = '%Q'%s
SELECT * FROM %s WHERE %s = '%Q'%s
SELECT * FROM %s%s
SELECT * FROM %s%s
UPDATE %s SET
UPDATE %s SET
%s = '%Q'
%s = '%Q'
%s%s =
%s%s =
WHERE %s = '%Q'%s
WHERE %s = '%Q'%s
INSERT INTO %s (
INSERT INTO %s (
VVV.nchsoftware.com/personalfinance/index.html
VVV.nchsoftware.com/personalfinance/index.html
VVV.nchsoftware.com/personalfinance/support.html
VVV.nchsoftware.com/personalfinance/support.html
hXXp://VVV.nch.com.au/suggestions/index.html?software=MoneyLine&version=1.23
hXXp://VVV.nch.com.au/suggestions/index.html?software=MoneyLine&version=1.23
hXXp://VVV.nch.com.au/software/bug.html?software=MoneyLine&version=1.23
hXXp://VVV.nch.com.au/software/bug.html?software=MoneyLine&version=1.23
shell32.dll
shell32.dll
Are you sure that you would like to delete the selected accounts?%s
Are you sure that you would like to delete the selected accounts?%s
The string "%s" cannot be found in Account Names, Account Numbers or Financial Institutions.
The string "%s" cannot be found in Account Names, Account Numbers or Financial Institutions.
No more accounts matching "%s" could be found.
No more accounts matching "%s" could be found.
Enter the balance held by the account prior to the earliest transaction entered or imported into MoneyLine.
Enter the balance held by the account prior to the earliest transaction entered or imported into MoneyLine.
Enter the password associated with the above user ID.
Enter the password associated with the above user ID.
00:00:00
00:00:00
Last Import Date
Last Import Date
Last import date needs to be prior to the current date.
Last import date needs to be prior to the current date.
Password
Password
UseSMTPHost
UseSMTPHost
MailSMTPHost
MailSMTPHost
SMTPAuthOn
SMTPAuthOn
SMTPUserName
SMTPUserName
SMTPPassword
SMTPPassword
PasswordHint
PasswordHint
Password Hint: %s
Password Hint: %s
Click this button to send a password recovery email to the address you registered during setup.
Click this button to send a password recovery email to the address you registered during setup.
The password you typed is incorrect. Please retype your current password.
The password you typed is incorrect. Please retype your current password.
Your MoneyLine password is %s.
Your MoneyLine password is %s.
You can change your password or remove password protection from the Options ~ Others ~ Security window in the program.
You can change your password or remove password protection from the Options ~ Others ~ Security window in the program.
MoneyLine password recovery
MoneyLine password recovery
Password Recovery
Password Recovery
MoneyLine failed to send your password to your email address.
MoneyLine failed to send your password to your email address.
MoneyLine has sent your password to your email address. Please open the email and enter your password to access MoneyLine.
MoneyLine has sent your password to your email address. Please open the email and enter your password to access MoneyLine.
SELECT ID FROM Budgets WHERE BudgetName = '%s' AND Deleted = 0
SELECT ID FROM Budgets WHERE BudgetName = '%s' AND Deleted = 0
%s AND ID != %s
%s AND ID != %s
SELECT count(*) as Count FROM BudgetAccounts WHERE BudgetID = %d AND AccountID = %d
SELECT count(*) as Count FROM BudgetAccounts WHERE BudgetID = %d AND AccountID = %d
DELETE FROM BudgetAccounts WHERE BudgetID = %d AND AccountID = %d
DELETE FROM BudgetAccounts WHERE BudgetID = %d AND AccountID = %d
DELETE FROM BudgetAccounts WHERE BudgetID = %d
DELETE FROM BudgetAccounts WHERE BudgetID = %d
SELECT count(*) as Count FROM BudgetAccounts WHERE AccountID = %d
SELECT count(*) as Count FROM BudgetAccounts WHERE AccountID = %d
DELETE FROM BudgetCategories WHERE BudgetID = %d AND CategoryID = %d
DELETE FROM BudgetCategories WHERE BudgetID = %d AND CategoryID = %d
DELETE FROM BudgetCategories WHERE BudgetID = %d
DELETE FROM BudgetCategories WHERE BudgetID = %d
SELECT Amount FROM BudgetCategories WHERE BudgetID = %d AND CategoryID = %d
SELECT Amount FROM BudgetCategories WHERE BudgetID = %d AND CategoryID = %d
UPDATE BudgetCategories SET Amount = %lld WHERE BudgetID = %d AND CategoryID = %d
UPDATE BudgetCategories SET Amount = %lld WHERE BudgetID = %d AND CategoryID = %d
SELECT count(*) as Count FROM BudgetCategories WHERE BudgetID = %d AND CategoryID = %d
SELECT count(*) as Count FROM BudgetCategories WHERE BudgetID = %d AND CategoryID = %d
SELECT count(*) as Count FROM BudgetCategories WHERE CategoryID = %d
SELECT count(*) as Count FROM BudgetCategories WHERE CategoryID = %d
View budget report
View budget report
Report
Report
View Report
View Report
Total income every month: %s
Total income every month: %s
Total expenses every month: %s
Total expenses every month: %s
SELECT ID FROM Categories WHERE PayCategory = '%s' AND Parent = %d AND Deleted = 0
SELECT ID FROM Categories WHERE PayCategory = '%s' AND Parent = %d AND Deleted = 0
%s | %s
%s | %s
SELECT ID FROM Categories WHERE PayCategory = '%s'
SELECT ID FROM Categories WHERE PayCategory = '%s'
SELECT ID FROM Categories WHERE PayCategory = '%s' and Parent = %s
SELECT ID FROM Categories WHERE PayCategory = '%s' and Parent = %s
AND Parent = %d
AND Parent = %d
SELECT ID FROM Categories WHERE PayCategory = '%s' %s AND Deleted = 0
SELECT ID FROM Categories WHERE PayCategory = '%s' %s AND Deleted = 0
SELECT Header FROM Categories WHERE ID = %s AND Deleted = 0
SELECT Header FROM Categories WHERE ID = %s AND Deleted = 0
SELECT COUNT(*) as Cnt FROM Categories WHERE Parent = %s AND Deleted = 0
SELECT COUNT(*) as Cnt FROM Categories WHERE Parent = %s AND Deleted = 0
SELECT Expense FROM Categories WHERE ID = %s
SELECT Expense FROM Categories WHERE ID = %s
Are you sure that you would like to delete the selected categories?%s
Are you sure that you would like to delete the selected categories?%s
The string "%s" cannot be found in Categories.
The string "%s" cannot be found in Categories.
No more categories matching "%s" could be found.
No more categories matching "%s" could be found.
12:00:00
12:00:00
%s%c%s%c%s
%s%c%s%c%s
%s\NCH Software\MoneyLine\moneyline.vdb
%s\NCH Software\MoneyLine\moneyline.vdb
Error importing
Error importing
The Amount and Transaction Date fields must have fields from the CSV file assigned in order to import.
The Amount and Transaction Date fields must have fields from the CSV file assigned in order to import.
FIUrl
FIUrl
FIPort
FIPort
Enter the URL used by the financial institution for accepting OFX (transaction data) requests.
Enter the URL used by the financial institution for accepting OFX (transaction data) requests.
Enter the port number used by the financial institution for accepting OFX (transaction data) requests.
Enter the port number used by the financial institution for accepting OFX (transaction data) requests.
Please enter a valid URL.
Please enter a valid URL.
SELECT ID FROM PayAccounts WHERE PayName = '%s' AND Deleted = 0
SELECT ID FROM PayAccounts WHERE PayName = '%s' AND Deleted = 0
SELECT ID FROM PayAccounts WHERE PayName = '%s'
SELECT ID FROM PayAccounts WHERE PayName = '%s'
Importing Transactions
Importing Transactions
The amount must be less than %s.
The amount must be less than %s.
transactionimport
transactionimport
Import Transactions
Import Transactions
Import
Import
All selected transactions will be imported as new transactions.
All selected transactions will be imported as new transactions.
New transactions for import:
New transactions for import:
Balance after import:
Balance after import:
There may be no transactions since your last import or your account information may not be set up correctly. Check the help section for tips for retrieving transactions from your financial institution.
There may be no transactions since your last import or your account information may not be set up correctly. Check the help section for tips for retrieving transactions from your financial institution.
Balance after import:
Balance after import:
M-----.%*3d[%f:%s]
M-----.%*3d[%f:%s]
BANKMSGSRSV
BANKMSGSRSV
CREDITCARDMSGSRSV
CREDITCARDMSGSRSV
Reports
Reports
Import from CSV file
Import from CSV file
Import from OFX/QFX file
Import from OFX/QFX file
%sAscend
%sAscend
ImportDialog
ImportDialog
%s\NCH Software\MoneyLine\moneyline-0.vdb
%s\NCH Software\MoneyLine\moneyline-0.vdb
Click to view transactions for %s.
Click to view transactions for %s.
Assets: %s
Assets: %s
Liabilities: %s
Liabilities: %s
Last reconciled: %s
Last reconciled: %s
moneyline.vdb
moneyline.vdb
*.ofx;*.qfx
*.ofx;*.qfx
*.csv
*.csv
BubbleTipImportCount
BubbleTipImportCount
Budget Report
Budget Report
No transactions matching "%s" were found.
No transactions matching "%s" were found.
No more transactions matching "%s" could be found.
No more transactions matching "%s" could be found.
Warning: This transaction exceeds the monthly budgeted spending amount for category "%s" in the following budgets: %s
Warning: This transaction exceeds the monthly budgeted spending amount for category "%s" in the following budgets: %s
moneyline-0.vdb
moneyline-0.vdb
Enter the password to access your bank account:
Enter the password to access your bank account:
Must change USERPASS (INFO)
Must change USERPASS (INFO)
Contact your financial institution to change your password.
Contact your financial institution to change your password.
Your sign on information is invalid. Check your routing number, account number, user ID and password under the account information dialog.
Your sign on information is invalid. Check your routing number, account number, user ID and password under the account information dialog.
USERPASS Lockout (ERROR)
USERPASS Lockout (ERROR)
%s information has not been properly set up for this account. Would you like to set this up now?
%s information has not been properly set up for this account. Would you like to set this up now?
-split- %s
-split- %s
SELECT Balance, BalanceReconciled FROM MonthlyBalances WHERE Account = %d AND TimeStamp = %d
SELECT Balance, BalanceReconciled FROM MonthlyBalances WHERE Account = %d AND TimeStamp = %d
SELECT ID FROM MonthlyBalances WHERE Account = %d AND TimeStamp = %d
SELECT ID FROM MonthlyBalances WHERE Account = %d AND TimeStamp = %d
Add password
Add password
Please type your current password.
Please type your current password.
Please type your new password.
Please type your new password.
Please re-type your new password.
Please re-type your new password.
Please type a password hint.
Please type a password hint.
Please type your email address where you want to receive your password.
Please type your email address where you want to receive your password.
Please type the new password in both boxes.
Please type the new password in both boxes.
The password you typed do not match. Please retype the new password in both boxes.
The password you typed do not match. Please retype the new password in both boxes.
Save password settings
Save password settings
The string "%s" cannot be found in Payee Names or Payee Notes.
The string "%s" cannot be found in Payee Names or Payee Notes.
No more payees matching "%s" could be found.
No more payees matching "%s" could be found.
Reconcile Transactions (%s)
Reconcile Transactions (%s)
Transfer from %s
Transfer from %s
Transfer to %s
Transfer to %s
Difference: %s
Difference: %s
E%s %s
E%s %s
%s %s is attached to this email.
%s %s is attached to this email.
This report has been generated automatically by MoneyLine.
This report has been generated automatically by MoneyLine.
There is no information available for this report.
There is no information available for this report.
Transactions Report for Category: %s
Transactions Report for Category: %s
Period: %s to %s
Period: %s to %s
Transactions Report for Payee: %s
Transactions Report for Payee: %s
JournalReport
JournalReport
reportperiod
reportperiod
23:59:59
23:59:59
reportperiodexpandbyaccounts
reportperiodexpandbyaccounts
reportperiodaccounts
reportperiodaccounts
Select a valid year to run the report.
Select a valid year to run the report.
Select a valid month to run the report.
Select a valid month to run the report.
reportperiodbudgets
reportperiodbudgets
Income/Expenses Report By Category
Income/Expenses Report By Category
Expense Report By Payee
Expense Report By Payee
%s Transactions
%s Transactions
%s Report
%s Report
HSend this report by fax
HSend this report by fax
Send this report by email
Send this report by email
Save this report as a CSV or PDF file
Save this report as a CSV or PDF file
Print this report
Print this report
View the print preview of this report
View the print preview of this report
&Report
&Report
ReportView
ReportView
Report: %s
Report: %s
reportview
reportview
ReportEmail
ReportEmail
ReportFax
ReportFax
%s page %lu
%s page %lu
MoneyLine%d.pdf
MoneyLine%d.pdf
%s.pdf
%s.pdf
SELECT COUNT(*) FROM %s WHERE %s = '%Q'%s
SELECT COUNT(*) FROM %s WHERE %s = '%Q'%s
26.07.00
26.07.00
07.26.00
07.26.00
2000.07.26
2000.07.26
26.07.2000
26.07.2000
07.26.2000
07.26.2000
26-07-00
26-07-00
07-26-00
07-26-00
2000-07-26
2000-07-26
26-07-2000
26-07-2000
07-26-2000
07-26-2000
26/07/00
26/07/00
07/26/00
07/26/00
2000/07/26
2000/07/26
26/07/2000
26/07/2000
07/26/2000
07/26/2000
passwordchange
passwordchange
passwordremove
passwordremove
SELECT ID, Amount, Category FROM SplitTransactions where TransactionID = %d AND Deleted != 1
SELECT ID, Amount, Category FROM SplitTransactions where TransactionID = %d AND Deleted != 1
The split transactions must sum to the original transaction amount of %s.
The split transactions must sum to the original transaction amount of %s.
Do you have a %s that you would like to manage?
Do you have a %s that you would like to manage?
SELECT MIN(DATE(TransactionDate)) from Transactions where Account = %d AND Deleted = 0
SELECT MIN(DATE(TransactionDate)) from Transactions where Account = %d AND Deleted = 0
SELECT MAX(DATE(TransactionDate)) from Transactions where Account = %d AND Deleted = 0
SELECT MAX(DATE(TransactionDate)) from Transactions where Account = %d AND Deleted = 0
SELECT MAX(ID) from Transactions where TransactionDate in (SELECT MAX(TransactionDate) FROM Transactions where Account = %d and TransactionDate
SELECT MAX(ID) from Transactions where TransactionDate in (SELECT MAX(TransactionDate) FROM Transactions where Account = %d and TransactionDate
SELECT count(*) from Transactions where Account = %d and TransactionNumber = '%s' AND Deleted = 0
SELECT count(*) from Transactions where Account = %d and TransactionNumber = '%s' AND Deleted = 0
UPDATE Transactions SET PayAccount = '%s' WHERE PayAccount = '%s' and TransactionType != %d
UPDATE Transactions SET PayAccount = '%s' WHERE PayAccount = '%s' and TransactionType != %d
%s%s"%s"
%s%s"%s"
Account = %d AND PayAccount = %d
Account = %d AND PayAccount = %d
PayAccount = %d
PayAccount = %d
Account = %d
Account = %d
SELECT * FROM Transactions WHERE %s AND TransactionDate >= DATE('%s') AND TransactionDate
SELECT * FROM Transactions WHERE %s AND TransactionDate >= DATE('%s') AND TransactionDate
Edit Transaction (%s)
Edit Transaction (%s)
Add Transaction (%s)
Add Transaction (%s)
ALTER TABLE %s ADD COLUMN %s %s
ALTER TABLE %s ADD COLUMN %s %s
SELECT tbl_name, sql FROM sqlite_master WHERE type='table'
SELECT tbl_name, sql FROM sqlite_master WHERE type='table'
Software\NCH Software\%s\Settings
Software\NCH Software\%s\Settings
Software\NCH Swift Sound\%s\Settings
Software\NCH Swift Sound\%s\Settings
"%s" %%s
"%s" %%s
hXXp://VVV.nch.com.au/components/%s.exe
hXXp://VVV.nch.com.au/components/%s.exe
Waiting for %s
Waiting for %s
MoneyLine will continue when %s closes.
MoneyLine will continue when %s closes.
-show -type data -burn -exit "%s"
-show -type data -burn -exit "%s"
MoneyLine-Backup-%s
MoneyLine-Backup-%s
F.tmp
F.tmp
hXXp://VVV.nch.com.au/fax/services.html
hXXp://VVV.nch.com.au/fax/services.html
Enter the gateway domain. For example to send a fax to [FaxNumber]@yourfaxco.com enter yourfaxco.com as the domain.
Enter the gateway domain. For example to send a fax to [FaxNumber]@yourfaxco.com enter yourfaxco.com as the domain.
H{2318C2B1-4965-11d4-9B18-009027A5CD4F}
H{2318C2B1-4965-11d4-9B18-009027A5CD4F}
FTP file transfers
FTP file transfers
Upload your website using ftp
Upload your website using ftp
Manage stock, procurements and reporting
Manage stock, procurements and reporting
Track and Report Income and Expenditures
Track and Report Income and Expenditures
Zulu Disc Jockey Software
Zulu Disc Jockey Software
Clean and optimize your Windows registry by removing the old and damaged data that is bogging down your computer performance.
Clean and optimize your Windows registry by removing the old and damaged data that is bogging down your computer performance.
Voxal is a real time voice changing program. Change your voice live through speakers, in softphone calls, or any application or game that uses a microphone.
Voxal is a real time voice changing program. Change your voice live through speakers, in softphone calls, or any application or game that uses a microphone.
twelvekeys
twelvekeys
TwelveKeys Music Transcription
TwelveKeys Music Transcription
Universal audio converting software supports all popular audio formats including mp3, wma, wav, midi, m4a, and more. Use it to convert and compress sound files.
Universal audio converting software supports all popular audio formats including mp3, wma, wav, midi, m4a, and more. Use it to convert and compress sound files.
Key Blaze Typing Tutor Software
Key Blaze Typing Tutor Software
A powerful FTP client that integrates with Windows Explorer for manual or automatic file uploading, or sync/mirror files and folders via FTP.
A powerful FTP client that integrates with Windows Explorer for manual or automatic file uploading, or sync/mirror files and folders via FTP.
Fling FTP Sync Software Client
Fling FTP Sync Software Client
Easy to use file backup software to automatically back up critical data to CD, DVD, Blu-ray or a remote FTP server. Don't take chances with your valuable data.
Easy to use file backup software to automatically back up critical data to CD, DVD, Blu-ray or a remote FTP server. Don't take chances with your valuable data.
Use this text expansion software to create keyboard shortcuts that will expand to an entire word, sentence, paragraph or document. A useful time saving tool.
Use this text expansion software to create keyboard shortcuts that will expand to an entire word, sentence, paragraph or document. A useful time saving tool.
Digital dictation software to record and send dictation for transcription directly from your computer, or dock and send dictation from a portable device.
Digital dictation software to record and send dictation for transcription directly from your computer, or dock and send dictation from a portable device.
Professional accounting software to manage and report business income and expenses, sales, invoices and payments. Great for small and medium-sized companies.
Professional accounting software to manage and report business income and expenses, sales, invoices and payments. Great for small and medium-sized companies.
Easy to use video recording software lets you capture and record video from a webcam, your computer screen, an external video device or online streaming video.
Easy to use video recording software lets you capture and record video from a webcam, your computer screen, an external video device or online streaming video.
Easy and reliable FTP client software. View, edit, upload, download, delete and otherwise manage files on a remote server, website or network.
Easy and reliable FTP client software. View, edit, upload, download, delete and otherwise manage files on a remote server, website or network.
cftpsetup
cftpsetup
Classic FTP - FTP Client Software
Classic FTP - FTP Client Software
ClassicFTP
ClassicFTP
Use your PC to broadcast live or recorded video from a webcam, computer screen or video input device. Video streams will play in all popular web browsers.
Use your PC to broadcast live or recorded video from a webcam, computer screen or video input device. Video streams will play in all popular web browsers.
Orion finds and recovers deleted files on hard drives, external and portable drives. Or use the drive scrubber to ensure deleted files can't be recovered.
Orion finds and recovers deleted files on hard drives, external and portable drives. Or use the drive scrubber to ensure deleted files can't be recovered.
With Express Zip you can easily create zip files of your important documents, images, music and more to help save disk space, or to quickly email or burn to a CD.
With Express Zip you can easily create zip files of your important documents, images, music and more to help save disk space, or to quickly email or burn to a CD.
InstallReport
InstallReport
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=moneyline&source=softwaretrial
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=moneyline&source=softwaretrial
mhXXp://VVV.nchsoftware.com
mhXXp://VVV.nchsoftware.com
A full list of our products can be found at the below website. You may find another product that is more suitable for your needs.
A full list of our products can be found at the below website. You may find another product that is more suitable for your needs.
software\microsoft\windows\currentversion\app paths\%s
software\microsoft\windows\currentversion\app paths\%s
Global\%s
Global\%s
moneyline.exe
moneyline.exe
hXXp://VVV.nch.com.au/upgrade/index.html?software=moneyline&upgradeid=%d&upgradekey=%s
hXXp://VVV.nch.com.au/upgrade/index.html?software=moneyline&upgradeid=%d&upgradekey=%s
hXXp://VVV.nch.com.au/activate/index.html?code=%s
hXXp://VVV.nch.com.au/activate/index.html?code=%s
%d:%d:%d
%d:%d:%d
%d-%d-%d
%d-%d-%d
MoneyLine.lnk
MoneyLine.lnk
NCH Software.lnk
NCH Software.lnk
NCH Suite.lnk
NCH Suite.lnk
Software\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine
Software\Microsoft\Windows\CurrentVersion\Uninstall\MoneyLine
URLInfoAbout
URLInfoAbout
URLUpdateInfo
URLUpdateInfo
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
shXXp://cgi.nch.com.au/cgi-bin/report.exe
shXXp://cgi.nch.com.au/cgi-bin/report.exe
uninst.exe
uninst.exe
Uninstall is complete. If you need to reinstall this software again you can download it from VVV.nchsoftware.com.
Uninstall is complete. If you need to reinstall this software again you can download it from VVV.nchsoftware.com.
Software\NCH Software\Components\%s
Software\NCH Software\Components\%s
Special discount pricing ends on the 15th of %s.
Special discount pricing ends on the 15th of %s.
Special discount pricing ends at the end of %s.
Special discount pricing ends at the end of %s.
InstallingChrome
InstallingChrome
LaunchChromeOnInstall
LaunchChromeOnInstall
hXXp://VVV.nchsoftware.com/software/thanks.html?software=MoneyLine&appname=%s&version=1.23&base=personalfinance&domain=nchsoftware&buyoffer=moneyline&plus=%s&pclass=free%s%s%s%s%s%s%s%s&instby=%s
hXXp://VVV.nchsoftware.com/software/thanks.html?software=MoneyLine&appname=%s&version=1.23&base=personalfinance&domain=nchsoftware&buyoffer=moneyline&plus=%s&pclass=free%s%s%s%s%s%s%s%s&instby=%s
&usage=XX
&usage=XX
"%s" -uninstall
"%s" -uninstall
moneylinesetup_v1.23.exe
moneylinesetup_v1.23.exe
Software\NCH Software\MoneyLine\%s
Software\NCH Software\MoneyLine\%s
-LQUIET -instby %sMoneyLine
-LQUIET -instby %sMoneyLine
%s (%s)
%s (%s)
audiochannel.net
audiochannel.net
VVV.nch.com.au
VVV.nch.com.au
An install-on-demand component could not be installed automatically. Please run it from the URL below then try again.
An install-on-demand component could not be installed automatically. Please run it from the URL below then try again.
%s=%s
%s=%s
_moneyline_rl_%s
_moneyline_rl_%s
Report Bug
Report Bug
Would you be willing to complete an NCH Software Bug Report so our programmers can try to fix this? Please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.
Would you be willing to complete an NCH Software Bug Report so our programmers can try to fix this? Please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.
hXXp://VVV.nch.com.au/software/bug.html?software=MoneyLine&version=1.23&xi=AbTermOrHang-Win%d%d
hXXp://VVV.nch.com.au/software/bug.html?software=MoneyLine&version=1.23&xi=AbTermOrHang-Win%d%d
Win%d%d
Win%d%d
Ukn0(Msg%dLstCmd%d)
Ukn0(Msg%dLstCmd%d)
(Cmd%d)
(Cmd%d)
%s-%s-%s-%s
%s-%s-%s-%s
dbghelp.dll
dbghelp.dll
Abnormal Execution Problem
Abnormal Execution Problem
Would you be willing to complete a NCH Software Bug Report so our programmers can try to fix this? If so, please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.
Would you be willing to complete a NCH Software Bug Report so our programmers can try to fix this? If so, please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.
hXXp://VVV.nch.com.au/software/bug.html?software=MoneyLine&version=1.23&xi=GUI-%s
hXXp://VVV.nch.com.au/software/bug.html?software=MoneyLine&version=1.23&xi=GUI-%s
%d-%d-%%d
%d-%d-%%d
File "%s" already exists. Do you want to overwrite it?
File "%s" already exists. Do you want to overwrite it?
Please check you have exited any previous running instances of MoneyLine and any other programs that might be using the file "%s". Then run the installer again.
Please check you have exited any previous running instances of MoneyLine and any other programs that might be using the file "%s". Then run the installer again.
Installation cannot be completed because the file "%s" cannot be written to.
Installation cannot be completed because the file "%s" cannot be written to.
LLIBShowrelatedwhenchromeoff
LLIBShowrelatedwhenchromeoff
LLIBShowrelatedwhenchromeon
LLIBShowrelatedwhenchromeon
LLIBShowrelatedwhennochromeoff
LLIBShowrelatedwhennochromeoff
LLIBShowrelatedwhennochromeon
LLIBShowrelatedwhennochromeon
Please read the following important information before continuing.
Please read the following important information before continuing.
c:\program files (x86)\
c:\program files (x86)\
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s\UserChoice
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s\UserChoice
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s
explorer.exe
explorer.exe
Advapi32.dll
Advapi32.dll
W"%s" %s
W"%s" %s
hXXp://VVV.nchsoftware.com/%s.html
hXXp://VVV.nchsoftware.com/%s.html
hXXp://VVV.nch.com.au/%s.html
hXXp://VVV.nch.com.au/%s.html
hXXp://VVV.nch.com.au/kb/%d.html
hXXp://VVV.nch.com.au/kb/%d.html
.html
.html
hXXp://help.nchsoftware.com/help/en/moneyline/win/%s.html
hXXp://help.nchsoftware.com/help/en/moneyline/win/%s.html
TwelveKeys
TwelveKeys
twelvekeyssetup
twelvekeyssetup
KeyBlaze
KeyBlaze
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=moneyline&version=1.23%s%s%s%s%s%s%s%s&instby=%s
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=moneyline&version=1.23%s%s%s%s%s%s%s%s&instby=%s
hXXp://VVV.nchsoftware.com/software/registered.html?software=%s&appname=%s&version=1.23&base=personalfinance&domain=nchsoftware%s%s%s%s%s%s%s
hXXp://VVV.nchsoftware.com/software/registered.html?software=%s&appname=%s&version=1.23&base=personalfinance&domain=nchsoftware%s%s%s%s%s%s%s
ID - Key:
ID - Key:
%s-%s
%s-%s
hXXp://VVV.nch.com.au/upgrade/index.html
hXXp://VVV.nch.com.au/upgrade/index.html
%s Registration Code:
%s Registration Code:
Register %s
Register %s
Click here if you have not activated your 12-digit serial number online and have not received an ID-Key.
Click here if you have not activated your 12-digit serial number online and have not received an ID-Key.
If you have already activated your serial number online, check your email for the ID-key. Then, click here to enter your ID-Key.
If you have already activated your serial number online, check your email for the ID-key. Then, click here to enter your ID-Key.
The code that you have entered is a license serial number. You must activate your serial number online to receive the ID-Key needed to register this software.
The code that you have entered is a license serial number. You must activate your serial number online to receive the ID-Key needed to register this software.
ID-Key is required to complete the registration.
ID-Key is required to complete the registration.
Old Version Key
Old Version Key
- You are using the correct ID and key for the correct product. Only the ID and key for MoneyLine will be accepted.
- You are using the correct ID and key for the correct product. Only the ID and key for MoneyLine will be accepted.
support/reg
support/reg
registration.txt
registration.txt
Name: %s
Name: %s
Location: %s
Location: %s
ID - Key: %d - %s
ID - Key: %d - %s
-clear -label "MoneyLine Installer" -type data "%s" "%s"
-clear -label "MoneyLine Installer" -type data "%s" "%s"
Validate Key
Validate Key
Key cannot be validated. Please connect to the internet and try again.
Key cannot be validated. Please connect to the internet and try again.
2014-01-01
2014-01-01
%s Version Required
%s Version Required
nch.com.au
nch.com.au
nchsoftware.com
nchsoftware.com
hXXp://VVV.%s/%s
hXXp://VVV.%s/%s
%s [Recommended]
%s [Recommended]
Google Chrome, a faster way to browse the web
Google Chrome, a faster way to browse the web
Free games, themes and utilities from the Google Chrome Store
Free games, themes and utilities from the Google Chrome Store
Why people choose Chrome:
Why people choose Chrome:
Install Google Chrome as my default browser
Install Google Chrome as my default browser
Google Toolbar makes web browsing more convenient:
Google Toolbar makes web browsing more convenient:
Search from any website
Search from any website
Translate web pages instantly
Translate web pages instantly
hXXp://VVV.google.com/toolbar/ie/partnereula.html?hl=en
hXXp://VVV.google.com/toolbar/ie/partnereula.html?hl=en
hXXp://VVV.google.com/accounts/TOS?hl=en
hXXp://VVV.google.com/accounts/TOS?hl=en
hXXp://VVV.google.com/intl/en/privacy/privacy-policy.html
hXXp://VVV.google.com/intl/en/privacy/privacy-policy.html
By installing this application, you agree to the Google Chrome
By installing this application, you agree to the Google Chrome
By installing this application, you agree to the Google Chrome
By installing this application, you agree to the Google Chrome
hXXp://VVV.google.com/chrome/intl/en/eula_text.html
hXXp://VVV.google.com/chrome/intl/en/eula_text.html
hXXp://VVV.google.com/chrome/intl/en/privacy.html
hXXp://VVV.google.com/chrome/intl/en/privacy.html
reject-chrome
reject-chrome
Automatic download of the install-on-demand component "%s" failed.
Automatic download of the install-on-demand component "%s" failed.
The website will now be opened where you can download it manually.
The website will now be opened where you can download it manually.
Open Website
Open Website
-installrelated %x -toolbar %x
-installrelated %x -toolbar %x
NCH Software\MoneyLine%s
NCH Software\MoneyLine%s
MoneyLine%s
MoneyLine%s
%sT%s
%sT%s
Click to install and run %s
Click to install and run %s
Click to run %s
Click to run %s
MoneyLine cannot launch the program required to perform the selected task. Please go to nch.com.au/software to download it and try again.
MoneyLine cannot launch the program required to perform the selected task. Please go to nch.com.au/software to download it and try again.
hXXp://VVV.nchsoftware.com/software/index.html
hXXp://VVV.nchsoftware.com/software/index.html
hXXp://VVV.nchsoftware.com/software/newsletter.html%s%s
hXXp://VVV.nchsoftware.com/software/newsletter.html%s%s
hXXps://secure.nch.com.au/cgi-bin/register.exe%s%s
hXXps://secure.nch.com.au/cgi-bin/register.exe%s%s
hXXp://cgi.nch.com.au/cgi-bin/search.exe?q=%s&site=VVV.nch.com.au%s%s
hXXp://cgi.nch.com.au/cgi-bin/search.exe?q=%s&site=VVV.nch.com.au%s%s
Click to visit our website
Click to visit our website
(EOF) Element should be terminated with %s>. Check you have terminated your element properly.
(EOF) Element should be terminated with %s>. Check you have terminated your element properly.
Tag does not have a closing '>'
Tag does not have a closing '>'
Misplaced %s> which does not match a .
Misplaced %s> which does not match a .
Element should be terminated with %s>, was with %s. Check you have terminated your element properly.
Element should be terminated with %s>, was with %s. Check you have terminated your element properly.
Ln %d, Col %d: %s
Ln %d, Col %d: %s
%s\shell\open\command
%s\shell\open\command
http\shell\open\command
http\shell\open\command
iexplore.exe
iexplore.exe
iexplorer.exe
iexplorer.exe
firefox.exe
firefox.exe
chrome.exe
chrome.exe
Installing Google Chrome
Installing Google Chrome
The Google Chrome installer could not be downloaded.
The Google Chrome installer could not be downloaded.
ChromeRequiresLaunch
ChromeRequiresLaunch
ChromeMoneyLine
ChromeMoneyLine
software\Google\No Chrome Offer Until
software\Google\No Chrome Offer Until
NCH_Chrome.exe
NCH_Chrome.exe
Sorry, Chrome was not installed because of some problems encountered during the installation process.
Sorry, Chrome was not installed because of some problems encountered during the installation process.
Chrome
Chrome
NCH_GoogleToolbar.exe
NCH_GoogleToolbar.exe
chrome-google
chrome-google
chrome
chrome
Install Google Chrome - Free
Install Google Chrome - Free
Get Chrome to View Help Files
Get Chrome to View Help Files
We recommend Google Chrome as the preferred viewer for our help pages.
We recommend Google Chrome as the preferred viewer for our help pages.
Google Chrome is free and fast.
Google Chrome is free and fast.
%%.ß
%%.ß
%s%.*d
%s%.*d
%d%s%.3d
%d%s%.3d
%lld%s%.3d%s%.3d
%lld%s%.3d%s%.3d
topic%d
topic%d
Technical Support Page
Technical Support Page
Send Bug Report
Send Bug Report
Classic FTP Software
Classic FTP Software
tar.gz
tar.gz
Software\Classes\%s
Software\Classes\%s
VVV.nchsoftware.com/personalfinance
VVV.nchsoftware.com/personalfinance
splash.jpg
splash.jpg
hXXp://VVV.nch.com.au/suggestions/index.html?software=MoneyLine&version=1.23%s%s
hXXp://VVV.nch.com.au/suggestions/index.html?software=MoneyLine&version=1.23%s%s
hXXp://VVV.nchsoftware.com/software/newsletter.html?software=MoneyLine&version=1.23%s%s
hXXp://VVV.nchsoftware.com/software/newsletter.html?software=MoneyLine&version=1.23%s%s
hXXp://VVV.nchsoftware.com/software/business.html
hXXp://VVV.nchsoftware.com/software/business.html
hXXp://VVV.facebook.com/NCHSoftware
hXXp://VVV.facebook.com/NCHSoftware
hXXp://twitter.com/nchsoftware
hXXp://twitter.com/nchsoftware
hXXps://plus.google.com/ nchsoftware
hXXps://plus.google.com/ nchsoftware
hXXp://VVV.facebook.com/sharer/sharer.php?u=%s
hXXp://VVV.facebook.com/sharer/sharer.php?u=%s
I just downloaded %s. Try it here:
I just downloaded %s. Try it here:
hXXp://VVV.twitter.com/home?status=%s%s
hXXp://VVV.twitter.com/home?status=%s%s
hXXps://plusone.google.com/_/ 1/confirm?hl=en&url=%s
hXXps://plusone.google.com/_/ 1/confirm?hl=en&url=%s
hXXp://VVV.stumbleupon.com/submit?url=%s&title=NCH Software
hXXp://VVV.stumbleupon.com/submit?url=%s&title=NCH Software
hXXp://VVV.linkedin.com/shareArticle?url=%s&title=NCH Software&mini=true
hXXp://VVV.linkedin.com/shareArticle?url=%s&title=NCH Software&mini=true
hXXp://VVV.nchsoftware.com/software/rateit.html?software=MoneyLine&appname=%s&version=1.23&rating=%d&upgradeoffer=moneyline&os=Win&lang=en&base=personalfinance&domain=nchsoftware%s%s%s%s%s&instby=%s
hXXp://VVV.nchsoftware.com/software/rateit.html?software=MoneyLine&appname=%s&version=1.23&rating=%d&upgradeoffer=moneyline&os=Win&lang=en&base=personalfinance&domain=nchsoftware%s%s%s%s%s&instby=%s
Certify this program is being used for non-commercial, home use only
Certify this program is being used for non-commercial, home use only
This version 1.23 of MoneyLine will only work on Windows 8 or earlier. A newer version is available for download on VVV.nchsoftware.com.
This version 1.23 of MoneyLine will only work on Windows 8 or earlier. A newer version is available for download on VVV.nchsoftware.com.
Software\NCH Software\%s
Software\NCH Software\%s
Software\NCH Swift Sound\%s
Software\NCH Swift Sound\%s
Quick Install-on-Demand %s
Quick Install-on-Demand %s
-extsuite %s
-extsuite %s
-extfind %s
-extfind %s
Software\Classes\.%s
Software\Classes\.%s
software\microsoft\windows\currentversion\explorer\fileexts\.%s\userchoice
software\microsoft\windows\currentversion\explorer\fileexts\.%s\userchoice
%sfile
%sfile
%s\shell
%s\shell
%s\shell\open
%s\shell\open
"%s" -extfind %s "%%L"
"%s" -extfind %s "%%L"
%s\DefaultIcon
%s\DefaultIcon
%SystemRoot%\system32\shell32.dll,19
%SystemRoot%\system32\shell32.dll,19
Software\Classes\%s\Shell\%s\command
Software\Classes\%s\Shell\%s\command
Software\Classes\%s\Shell\%s
Software\Classes\%s\Shell\%s
Software\Classes\%s\Shell
Software\Classes\%s\Shell
hXXp://VVV.nchsoftware.com/index.html
hXXp://VVV.nchsoftware.com/index.html
An install-on-demand component is required for this operation.
An install-on-demand component is required for this operation.
NCH Software\%s\%s.exe
NCH Software\%s\%s.exe
NCH Swift Sound\%s\%s.exe
NCH Swift Sound\%s\%s.exe
%s "%s"
%s "%s"
Software\Classes\%s\shell\open\command
Software\Classes\%s\shell\open\command
Software\Classes\%s\shell
Software\Classes\%s\shell
Software\Classes\%s\shell\open
Software\Classes\%s\shell\open
Software\Classes\%s\DefaultIcon
Software\Classes\%s\DefaultIcon
%s%s%s%s
%s%s%s%s
Report a Problem
Report a Problem
Click here if you would like to report a problem with MoneyLine.
Click here if you would like to report a problem with MoneyLine.
If you find any problems with this release please let us know by reporting them.
If you find any problems with this release please let us know by reporting them.
%s Home Page
%s Home Page
Distributed by %s
Distributed by %s
Licensed User: %s
Licensed User: %s
Page %d of %lu
Page %d of %lu
SMTP
SMTP
IPM.Note
IPM.Note
xMAPI32.DLL
xMAPI32.DLL
e.g., mail.myisp.net
e.g., mail.myisp.net
e.g., myemail@myco.com
e.g., myemail@myco.com
Your email software (e.g., Outlook, Eudora, etc.) has not been set up for MAPI. Refer to your email software Help to find out how to set it up for MAPI. Otherwise use the SMTP option.
Your email software (e.g., Outlook, Eudora, etc.) has not been set up for MAPI. Refer to your email software Help to find out how to set it up for MAPI. Otherwise use the SMTP option.
If you choose SMTP you must enter a valid reply-to address. Enter your email address.
If you choose SMTP you must enter a valid reply-to address. Enter your email address.
If you choose SMTP you must enter an SMTP mail host. Call your ISP if you don't know what your SMTP mail host is.
If you choose SMTP you must enter an SMTP mail host. Call your ISP if you don't know what your SMTP mail host is.
If your SMTP server requires authentication, you must enter a SMTP username to connect to your server.
If your SMTP server requires authentication, you must enter a SMTP username to connect to your server.
Password Required
Password Required
If your SMTP server requires authentication, you must enter a valid SMTP password to connect to your server.
If your SMTP server requires authentication, you must enter a valid SMTP password to connect to your server.
Unable to connect to mail server "%s" when sending an email to "%s".
Unable to connect to mail server "%s" when sending an email to "%s".
Unable to connect to either mail server "%s" or the mail server at "%s".
Unable to connect to either mail server "%s" or the mail server at "%s".
Unable to connect to mail server "%s".
Unable to connect to mail server "%s".
Mail host server error (HELO not accepted, error code 504) for destination email %s - usually this means the email address is not valid.
Mail host server error (HELO not accepted, error code 504) for destination email %s - usually this means the email address is not valid.
Mail host server error (HELO not accepted): %d emailto: %s
Mail host server error (HELO not accepted): %d emailto: %s
Email authentication username or password not accepted
Email authentication username or password not accepted
MoneyLine@%s
MoneyLine@%s
Error while trying to send email. Email address may be wrong or your SMTP server may require a username or password. Please check address again and see Email Settings.
Error while trying to send email. Email address may be wrong or your SMTP server may require a username or password. Please check address again and see Email Settings.
The recipient's email server does not allow email to be received in this manner. Please use an SMTP account for sending email to this address.
The recipient's email server does not allow email to be received in this manner. Please use an SMTP account for sending email to this address.
The recipient's email server rejected this email because of an unspecified reason. Try using an SMTP account for sending email to this address.
The recipient's email server rejected this email because of an unspecified reason. Try using an SMTP account for sending email to this address.
Mail host server error (data terminator not accepted) emailto: %s mailhost: %s error: %d
Mail host server error (data terminator not accepted) emailto: %s mailhost: %s error: %d
HFile does not exist: %s
HFile does not exist: %s
Not enough memory available to load %s
Not enough memory available to load %s
Cannot open xml file: %s
Cannot open xml file: %s
%s/microsoft/windows mail/local folders/%s
%s/microsoft/windows mail/local folders/%s
SMTP_Server
SMTP_Server
SMTP_Email_Address
SMTP_Email_Address
00000001
00000001
Software\Microsoft\Internet Account Manager\Accounts\%s
Software\Microsoft\Internet Account Manager\Accounts\%s
SMTP Email Address
SMTP Email Address
SMTP Server
SMTP Server
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\%s
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\%s
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
%s\%s\d
%s\%s\d
%s\Thunderbird
%s\Thunderbird
%s\profiles.ini
%s\profiles.ini
%s\%s\prefs.js
%s\%s\prefs.js
mail.accountmanager.defaultaccount
mail.accountmanager.defaultaccount
mail.account.%s.identities
mail.account.%s.identities
mail.identity.%s.useremail
mail.identity.%s.useremail
mail.smtp.defaultserver
mail.smtp.defaultserver
mail.smtpserver.%s.hostname
mail.smtpserver.%s.hostname
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Eudora.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Eudora.exe
deudora.ini
deudora.ini
eudora.ini
eudora.ini
%s\Qualcomm\Eudora\eudora.ini
%s\Qualcomm\Eudora\eudora.ini
SMTPServer
SMTPServer
Windows Mail
Windows Mail
Mozilla Thunderbird
Mozilla Thunderbird
%d.%d.%d.%d
%d.%d.%d.%d
127.0.0.1
127.0.0.1
libeay32.dll
libeay32.dll
ssleay32.dll
ssleay32.dll
SIGNONMSGSRSV1
SIGNONMSGSRSV1
Use SMTP to send email directly to the mail server
Use SMTP to send email directly to the mail server
SMTP mail host:
SMTP mail host:
Password:
Password:
Send directly to other side (work as own SMTP server)
Send directly to other side (work as own SMTP server)
A full list of our products can be found at our below website. This may help you to find another product that is more suitable for your needs.
A full list of our products can be found at our below website. This may help you to find another product that is more suitable for your needs.
&ID - Key:
&ID - Key:
Upload to a remote web server with Fling
Upload to a remote web server with Fling
Enter your password
Enter your password
Prompt me for my password when connecting to my bank
Prompt me for my password when connecting to my bank
Last Import:
Last Import:
Port Number:
Port Number:
Change Password Settings
Change Password Settings
Current Password:
Current Password:
New Password:
New Password:
Confirm New Password:
Confirm New Password:
Password Hint:
Password Hint:
Change password
Change password
Remove Password
Remove Password
To remove your MoneyLine password, type the existing password.
To remove your MoneyLine password, type the existing password.
Please enter your password:
Please enter your password:
Password Hint
Password Hint
Send password to registered email
Send password to registered email
Report Period
Report Period
Generate Report for Period
Generate Report for Period
Report Period For Account
Report Period For Account
Report Period Account Activity
Report Period Account Activity
f%xPi
f%xPi
Budget Report Period
Budget Report Period
f%xPh
f%xPh
Import Transactions from CSV
Import Transactions from CSV
Password protect access to MoneyLine
Password protect access to MoneyLine
Change Your Password
Change Your Password
Remove Your Password
Remove Your Password