mzpefinder_pcap_file.YR, GenericEmailWorm.YR, PUPSpigot.YR (Lavasoft MAS)Behaviour: Worm, EmailWorm, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 9f12ba22dce98832b0a9cd8b2c5f88c2
SHA1: c05ed5de222386df39966c77fdbfd62d0876b0e0
SHA256: cc0ecf41435430a919377fb24582003d301ce06fe911c744cb3f31b9f563e470
SSDeep: 24576:s6QMkQ5hw6oqQ5UO9PyF 0Z6mU4otcRW7C0aqxgf4eXJT5LOA/NO: y7ToUGAZ6mYoALeZTROAVO
Size: 936536 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: NCH Software
Created at: 2013-12-10 07:05:55
Analyzed on: Windows7Ada SP1 64-bit
Summary: PUP. Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted e.g. remote administration tools or IRC clients.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The PUP creates the following process(es):
GoogleUpdate.exe:1704
GoogleUpdate.exe:3660
GoogleUpdate.exe:3252
GoogleUpdate.exe:1684
GoogleUpdate.exe:280
GoogleUpdate.exe:328
GoogleUpdate.exe:3284
GoogleUpdate.exe:3296
GoogleUpdate.exe:3160
googletoolbarinstaller_en_signed.exe:2208
googletoolbarinstaller_en_signed.exe:3468
NCH_GoogleToolbar.exe:3220
NCH_GoogleToolbar.exe:2488
GoogleToolbarManager_BA9226F4C70BECC2.exe:3600
GoogleToolbarManager_BA9226F4C70BECC2.exe:3108
GoogleToolbarManager_BA9226F4C70BECC2.exe:3588
GoogleToolbarManager_BA9226F4C70BECC2.exe:3492
GoogleToolbarManager_BA9226F4C70BECC2.exe:3096
GoogleToolbarManager_BA9226F4C70BECC2.exe:1404
fastfox.exe:2132
GoogleUpdaterService_B33FC4DD36A473C6.exe:2220
GoogleUpdaterService_B33FC4DD36A473C6.exe:3536
scribe.exe:2020
scribe.exe:1004
scribe.exe:1836
edsetup.exe:2812
nchsetup.exe:336
nchsetup.exe:1372
nchsetup.exe:2512
regsvr32.exe:2320
GoogleUpdateSetup_latest.exe:3240
GoogleUpdateSetup_latest.exe:2188
GoogleUpdaterService.exe:1128
GoogleUpdaterService.exe:3568
express.exe:1732
ffsetup.exe:2652
SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:3560
SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:304
GoogleToolbarNotifier.exe:1412
GoogleToolbarNotifier.exe:1636
%original file name%.exe:624
The PUP injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process GoogleUpdate.exe:1704 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files% (x86)\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\0.0.0.0\googletoolbarinstaller_en_signed.exe (38295 bytes)
C:\Windows\Temp\guiB682.tmp (15 bytes)
C:\Windows\Temp\gui1094.tmp (15 bytes)
%Program Files% (x86)\Google\Update\Install\{4B398FB8-FDA6-468E-A6BF-725792C3320C}\googletoolbarinstaller_en_signed.exe (38780 bytes)
%Program Files% (x86)\Google\Update\Install\{6C712992-D2F2-41C1-8E3E-60022AFAD2B1}\googletoolbarinstaller_en_signed.exe (38780 bytes)
The process GoogleUpdate.exe:3252 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files% (x86)\GUM30C.tmp\goopdateres_en.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdate.dll (835 bytes)
The process GoogleUpdate.exe:280 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files% (x86)\GUM98D5.tmp\goopdate.dll (835 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_en.dll (28 bytes)
The process googletoolbarinstaller_en_signed.exe:2208 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe (620 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_62C1B48EAF0FD125.dll (514 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll (2 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_2AD99D2EA038D2F2.dll (489 bytes)
C:\Windows\System32\config\SOFTWARE (67172 bytes)
C:\ (96 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_75A7C54F0BE42E8E.dll (149 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe (801 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar.7.5.6227.252.manifest.xml (36 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe (50 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_3934E923EEC91A78.dll (390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller2.log (43839 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe (50 bytes)
C:\Windows (288 bytes)
C:\$Directory (384 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe (1480 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe (390 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (61484 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll (50 bytes)
The process googletoolbarinstaller_en_signed.exe:3468 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe (620 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_62C1B48EAF0FD125.dll (514 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll (2 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_2AD99D2EA038D2F2.dll (489 bytes)
C:\Windows\System32\config\SOFTWARE (16375 bytes)
C:\ (96 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_75A7C54F0BE42E8E.dll (149 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe (801 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar.7.5.6227.252.manifest.xml (36 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe (50 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_3934E923EEC91A78.dll (390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller2.log (58152 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe (50 bytes)
C:\Windows (288 bytes)
C:\$Directory (384 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe (1480 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe (390 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (14164 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll (50 bytes)
The process NCH_GoogleToolbar.exe:3220 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi2BF.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_latest.exe (25250 bytes)
The process NCH_GoogleToolbar.exe:2488 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_latest.exe (25250 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn9888.tmp\System.dll (23 bytes)
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:3600 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (1467 bytes)
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:3108 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\ProgramData\Google\Custom Buttons\toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (3159 bytes)
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:3588 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (1704 bytes)
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:3492 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (49169 bytes)
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:3096 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (2406 bytes)
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:1404 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (1281 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (673 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (41404 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe (2321 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)
The process GoogleUpdaterService_B33FC4DD36A473C6.exe:2220 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (390 bytes)
The process scribe.exe:1004 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_scribe_rl_adm (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Status\s0000000.sta (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Current\Welcome.wav (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Current\Welcome.dat (832 bytes)
The process scribe.exe:1836 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ffsetup.exe (268985 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\edsetup.exe (296411 bytes)
The process edsetup.exe:2812 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (2104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (24321 bytes)
The process nchsetup.exe:336 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files% (x86)\NCH Software\FastFox\Help\licenceterms.html (3 bytes)
C:\Users\"%CurrentUserName%"\Favorites\NCH Software Download Site.lnk (260 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\shortcuts.html (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Classic FTP Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\restoredatadlg.html (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\autocompleteoptions.html (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Text-to-Speech Reader.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\_ffhook64.dll (7772 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\arrowlist.gif (455 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\fastfinishcontent.html (2 bytes)
C:\ProgramData\NCH Software\FastFox\demo.rtf (600 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\groups.html (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\quickstart.html (3 bytes)
C:\Users\Public\Desktop\FastFox.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\hotkeys.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\adminpassworddlg.html (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Backup Software.lnk (1 bytes)
C:\ProgramData\NCH Software\FastFox\shared_abbrev.dat (66548 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\help.js (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\editpicture.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\editrich.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\generaldlg.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\autocase.html (3 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\introduction.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\groupprop.html (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\editsuggestiondlg.html (995 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\backupdatadlg.html (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Express Zip File Compression.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Encryption and Decryption Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\generalsetup.html (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\index.html (3 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\autocompletesetup.html (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Doxillion Document Converter.lnk (1 bytes)
C:\Users\Public\Desktop\NCH Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\sharedabbreviation.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\hlp.css (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\selstoragedlg.html (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\fastfoxsetup_v2.32.exe (3361 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\using.html (196 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastFox.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\deletegroupdlg.html (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\_fastfox64.exe (12076 bytes)
%Program Files% (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe (382879 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Bolt PDF Printer.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\sysdate.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\fastfox.exe (8020 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Typing Expander Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\CD, DVD, BluRay Burner.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\editkeystroke.html (388 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\addshortcut.html (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Uploader Software.lnk (1 bytes)
C:\ProgramData\NCH Software\FastFox\local\abbrev.dat (66548 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\902.html (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\editsimple.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\_ffhook.dll (7332 bytes)
The process nchsetup.exe:1372 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Video Capture Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Scribe\Current\Welcome.wav (34532 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Burn CD, DVD or Blu-Ray.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\Favorites\NCH Software Download Site.lnk (310 bytes)
%Program Files% (x86)\NCH Software\Scribe\hookappcommand.dll (6988 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Zip File Compression.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\MixPad MultiTrack Mixer.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\WavePad Sound Editor.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Rip CD Ripper.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Scribe\scribe.exe (13171 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Express Scribe Transcription Software.lnk (1 bytes)
C:\Users\Public\Desktop\Express Scribe Transcription Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Dictate Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Typing Expander Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Switch Sound File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Graphics File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\VideoPad Video Editor.lnk (1 bytes)
C:\ProgramData\NCH Software\Scribe\Current\Welcome.dat (96 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Invoicing Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Classic FTP Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Prism Video File Format Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\RecordPad Sound Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Doxillion Document Converter.lnk (1 bytes)
C:\Users\Public\Desktop\NCH Suite.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Accounting Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Scribe\Status\Template.doc (8844 bytes)
%Program Files% (x86)\NCH Software\Scribe\scribesetup_v5.69.exe (7345 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\SoundTap Streaming Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Dictation Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Transcription Software.lnk (1 bytes)
The process nchsetup.exe:2512 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\Favorites\NCH Software Download Site.lnk (320 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Accounting Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Express\tone-recordstart.wav (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Burn CD, DVD or Blu-Ray.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Transcription Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\SoundTap Streaming Recorder.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Zip File Compression.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Express\express.exe (10864 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\WavePad Sound Editor.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Invoicing Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Dictation Recorder.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Express\hookappcommand.dll (6988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Switch Sound File Converter.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Rip CD Ripper.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Doxillion Document Converter.lnk (1 bytes)
C:\ProgramData\NCH Software\Express\tone-error.wav (3 bytes)
C:\ProgramData\NCH Software\Express\tone-recordstartoverwrite.wav (862 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Dictate Recorder.lnk (1 bytes)
C:\ProgramData\NCH Software\Express\tone-recordstop.wav (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Prism Video File Format Converter.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\RecordPad Sound Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Express Dictate Digital Dictation Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Graphics File Converter.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\VideoPad Video Editor.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Video Capture Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Express\test.wav (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\MixPad MultiTrack Mixer.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Express\expresssetup_v5.82.exe (4185 bytes)
C:\Users\Public\Desktop\Express Dictate Digital Dictation Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Classic FTP Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Typing Expander Software.lnk (1 bytes)
The process regsvr32.exe:2320 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll (299 bytes)
The process GoogleUpdateSetup_latest.exe:3240 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files% (x86)\GUM30C.tmp\goopdateres_kn.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_sv.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_sl.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_mr.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ur.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_gu.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\psuser.dll (159 bytes)
%Program Files% (x86)\GUM30C.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_am.dll (25 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ko.dll (23 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_de.dll (31 bytes)
%Program Files% (x86)\GUM30C.tmp\psmachine.dll (159 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_th.dll (27 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdate.dll (1702 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_bg.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_vi.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_cs.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ar.dll (26 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ca.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_nl.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_is.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_uk.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_el.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_sr.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_lv.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_hu.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ta.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_pl.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ru.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ro.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_lt.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_te.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_fil.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_fa.dll (27 bytes)
%Program Files% (x86)\GUM30C.tmp (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ms.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_id.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_sw.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_hr.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_iw.dll (26 bytes)
%Program Files% (x86)\GUM30C.tmp\GoogleUpdate.exe (234 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ml.dll (31 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_tr.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_da.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_hi.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_it.dll (30 bytes)
%Program Files% (x86)\GUT30D.tmp (4 bytes)
%Program Files% (x86)\GUM30C.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_en.dll (27 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_no.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_fi.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_es.dll (31 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ja.dll (24 bytes)
%Program Files% (x86)\GUM30C.tmp\GoogleCrashHandler.exe (212 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_et.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_sk.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_fr.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_bn.dll (28 bytes)
The process GoogleUpdateSetup_latest.exe:2188 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files% (x86)\GUM98D5.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUM98D5.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_it.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ca.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_et.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ru.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ja.dll (24 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_hi.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_pl.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_iw.dll (26 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_lv.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_id.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_nl.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_is.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ko.dll (23 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_tr.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_am.dll (25 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_hu.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_sr.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_fil.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_sw.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\GoogleUpdate.exe (234 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_el.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_lt.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_hr.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_uk.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_en.dll (27 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ro.dll (29 bytes)
%Program Files% (x86)\GUT98D6.tmp (4 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_sl.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_da.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ar.dll (26 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_cs.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\psuser.dll (159 bytes)
%Program Files% (x86)\GUM98D5.tmp (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_te.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ml.dll (31 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_kn.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_gu.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_fr.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_de.dll (31 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ur.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_fi.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_es.dll (31 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_sv.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\GoogleCrashHandler.exe (212 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_th.dll (27 bytes)
%Program Files% (x86)\GUM98D5.tmp\psmachine.dll (159 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ms.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ta.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_vi.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_bg.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_fa.dll (27 bytes)
%Program Files% (x86)\GUM98D5.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_sk.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_mr.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdate.dll (1702 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_bn.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_no.dll (29 bytes)
The process ffsetup.exe:2652 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (18795 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (382 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (143 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (18257 bytes)
The process SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:304 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll (144 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (79 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gth.dll (40 bytes)
%Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll (298 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll (981 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\Readme.url (212 bytes)
The process GoogleToolbarNotifier.exe:1636 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll (983 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll (147 bytes)
The process %original file name%.exe:624 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (7384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (646 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (270 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (29704 bytes)
Registry activity
The process GoogleUpdate.exe:1704 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"DayOfLastActivity" = "4294967295"
"usagestats" = "0"
"pv" = "7.5.6227.252"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"InstallProgressPercent" = "4294967295"
"StateValue" = "3"
"DownloadTimeRemainingMs" = "4294967295"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"LastCheckSuccess" = "1432028303"
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"DayOfInstall" = "3060"
"InstallTime" = "1432028284"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"InstallTimeRemainingMs" = "4294967295"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"DayOfLastRollCall" = "4294967295"
"brand" = "NCHD"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
"DownloadProgressPercent" = "0"
The PUP deletes the following registry key(s):
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\CurrentState]
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerExtraCode1"
"LastInstallerSuccessLaunchCmdLine"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientStateMedium\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"eulaaccepted"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientStateMedium\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"ap"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerResult"
"old-uid"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"iid"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"LastInstallerResult"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"eulaaccepted"
"UpdateAvailableSince"
"LastInstallerError"
"LastInstallerResultUIString"
"experiment_labels"
"tttoken"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerError"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"browser"
"LastInstallerExtraCode1"
"LastInstallerSuccessLaunchCmdLine"
The process GoogleUpdate.exe:3660 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:3252 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats" = "0"
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientStateMedium\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\network\secure]
"sk"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"eulaaccepted"
[HKCU\Software\Google\Update]
"old-uid"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"old-uid"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\network\secure]
"c"
[HKCU\Software\Google\Update]
"uid"
The process GoogleUpdate.exe:1684 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:280 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats" = "0"
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"
"UpdateAvailableCount"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\network\secure]
"sk"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"eulaaccepted"
[HKCU\Software\Google\Update]
"old-uid"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"old-uid"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\network\secure]
"c"
[HKCU\Software\Google\Update]
"uid"
The process GoogleUpdate.exe:328 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats" = "0"
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
"eulaaccepted"
The process GoogleUpdate.exe:3284 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:3296 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats" = "0"
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
"eulaaccepted"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientStateMedium\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"usagestats"
The process GoogleUpdate.exe:3160 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
The process googletoolbarinstaller_en_signed.exe:2208 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"sin" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"NextVersion" = "7.5.6227.252"
"currentVersion" = "7.5.6227.252"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"ein" = "1"
[HKCU\Software\Google\Google Toolbar\4.0\Setup]
"InstallProgress" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar]
"test" = "41"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EnabledExperiments" = "POSI,PUMA"
[HKCU\Software\Google\Google Toolbar\4.0\Setup]
"Command" = "2"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"FirstInstallTime" = "1432028303"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The PUP deletes the following value(s) in system registry:
[HKCU\Software\Google\Google Toolbar]
"LastInstallError"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"NextVersion"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"PrimaryInstallDone"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"FailedInstallPing"
The process googletoolbarinstaller_en_signed.exe:3468 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"sin" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"NextVersion" = "7.5.6227.252"
"currentVersion" = "7.5.6227.252"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"ein" = "1"
[HKCU\Software\Google\Google Toolbar\4.0\Setup]
"InstallProgress" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 46 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "68 F8 F4 8D 17 92 D0 01"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar]
"test" = "41"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EnabledExperiments" = "POSI,PUMA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\Google\Google Toolbar\4.0\Setup]
"Command" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The PUP deletes the following value(s) in system registry:
[HKCU\Software\Google\Google Toolbar]
"LastInstallError"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"NextVersion"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"PrimaryInstallDone"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"FailedInstallPing"
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:3600 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarDynamic_mui_en.dll" = "1"
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:3108 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\NonManifest\C:\ProgramData\Google\Custom Buttons]
"toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarDynamic_mui_en.dll" = "1"
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:3588 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarManager.exe" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"pv" = "7.5.6227.252"
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:3492 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayVersion" = "7.5.6227.252"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"Policy" = "3"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"SystemPatchLevel" = "2"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\GoogleUpdate]
"InstallTimestamp" = "1432028308"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Publisher" = "Google Inc."
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleUpdaterService.exe" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"InstallType" = "3"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppName" = "GoogleToolbarUser_64.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"AllowInteractions" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayName" = "Google Toolbar for Internet Explorer (x64)"
[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EnableUsageStats" = "1"
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser_32.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"UninstallString" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /uninstall"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppName" = "GoogleToolbarUser_64.exe"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"SearchWithGoogleUpdate.exe" = "1"
[HKCR\Installer\Products\18555481990E8AB4CBB63FB4F26006C0]
"AuthorizedLUAApp" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayIcon" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_7" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:7"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetDefaultSearch" = "3"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar]
"test" = "41"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser_32.exe"
[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetPageRank" = "2"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\GoogleUpdate]
"InstallResult" = "pi"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"RbbsBreak" = "1"
[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EulaAccepted" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"Policy" = "3"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_9" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:9"
"cmd_7.5.6227.252_8" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:8"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarManager.exe" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_6" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:6"
"cmd_7.5.6227.252_5" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:5"
"cmd_7.5.6227.252_4" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:4"
"cmd_7.5.6227.252_3" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:3"
"cmd_7.5.6227.252_2" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:2"
"cmd_7.5.6227.252_1" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:1"
"cmd_7.5.6227.252_0" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"
[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"PrimaryInstallDone" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetHomePage" = "2"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5" = ""
[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5" = ""
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Installations]
"1432028309" = "v=7.5.6227.252&tbbrand=NCHD&i=0"
[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"MinorVersion" = "5"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"Name" = "Google Toolbar"
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"InstallLocation" = "%Program Files% (x86)\Google\Google Toolbar\"
[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"NoModify" = "1"
"MajorVersion" = "7"
"NoRepair" = "1"
[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"brand" = "NCHD"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"
[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll"
The PUP deletes the following registry key(s):
[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\Implemented Categories]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\Implemented Categories]
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\Implemented Categories]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
[HKCU\Software\Classes\Local Settings\MuiCache\2D]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4D91-8333-CF10577473F7}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\Implemented Categories]
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"UseIe64"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"Vendor"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5"
[HKCU\Software\Google\Google Toolbar\4.0]
"Update"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"Hidden"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"RefreshIE"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Installations]
"1432028302"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"lang"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"WelcomePage"
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:3096 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarManager.exe" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"pv" = "7.5.6227.252"
The process GoogleToolbarManager_BA9226F4C70BECC2.exe:1404 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayVersion" = "7.5.6227.252"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"ToastOfferTime" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"
[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
"(Default)" = "Google Toolbar Helper"
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"SystemPatchLevel" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\GoogleUpdate]
"InstallTimestamp" = "1432028285"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"Policy" = "3"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Publisher" = "Google Inc."
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleUpdaterService.exe" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"InstallType" = "3"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppName" = "GoogleToolbarUser_64.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = "00"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"AllowInteractions" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayName" = "Google Toolbar for Internet Explorer"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EnableUsageStats" = "1"
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser_32.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"UninstallString" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /uninstall"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppName" = "GoogleToolbarUser_64.exe"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"SearchWithGoogleUpdate.exe" = "1"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"{14C626CA-ACAB-46e5-8A99-53C9E11CCCA0}_enabled" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"InstallTime" = "1432028285"
[HKCR\Installer\Products\18555481990E8AB4CBB63FB4F26006C0]
"AuthorizedLUAApp" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"DisplayIcon" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_7" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:7"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ButtonPageRank" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetDefaultSearch" = "3"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar]
"test" = "41"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"AppName" = "GoogleToolbarUser_32.exe"
[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"
[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetPageRank" = "2"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\GoogleUpdate]
"InstallResult" = "pi"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_5" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:5"
[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"EulaAccepted" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"Policy" = "3"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_9" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:9"
"cmd_7.5.6227.252_8" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:8"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component\Used]
"GoogleToolbarManager.exe" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_6" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:6"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"brand" = "NCHD"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"cmd_7.5.6227.252_4" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:4"
"cmd_7.5.6227.252_3" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:3"
"cmd_7.5.6227.252_2" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:2"
"cmd_7.5.6227.252_1" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:1"
"cmd_7.5.6227.252_0" = "%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe /execute:0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1A972DAF-A7EC-4ce3-B6C9-7B523CD6685F}]
"Policy" = "3"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Component]
"PrimaryInstallDone" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"Compatibility Flags" = "1024"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"ToastSetHomePage" = "2"
"BrowseByName" = "0"
"RbbsBreak" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5" = ""
[HKCR\Wow6432Node\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"GTB7.5" = ""
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"UsageStatsEnabled" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"DisableBrowseByName" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"MinorVersion" = "5"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"Name" = "Google Toolbar"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Branding]
"ID" = "6BA3A3DD8C86609F54CC8AB84959F665663D1aFIBM"
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"InstallLocation" = "%Program Files% (x86)\Google\Google Toolbar\"
"NoModify" = "1"
"MajorVersion" = "7"
"NoRepair" = "1"
[HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
"(Default)" = "Google Toolbar"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\Installations]
"1432028302" = "v=7.5.6227.252&tbbrand=NCHD&i=0"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"brand" = "NCHD"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EE0B94B9-335F-4d2c-8B43-DACCD1EA6FF1}]
"AppPath" = "%Program Files% (x86)\Google\Google Toolbar"
[HKCR\Wow6432Node\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll"
The PUP deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\Programmable]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}]
[HKCU\Software\Classes\Local Settings\MuiCache\2C]
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\Programmable]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}]
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum]
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"UseIe64"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"
[HKCU\Software\Google\Google Toolbar\4.0\Options]
"Vendor"
[HKCU\Software\Google\Google Toolbar\4.0]
"Update"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"RefreshIE"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}]
"lang"
[HKLM\SOFTWARE\Wow6432Node\Google\Google Toolbar\4.0\Setup]
"WelcomePage"
The process fastfox.exe:2132 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\NCH Software\FastFox\Scheduler]
"SevenDays" = "1"
The process GoogleUpdaterService_B33FC4DD36A473C6.exe:2220 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater\apps\tbie]
"auto" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater]
"Path" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"
"Version" = "2.4.2617.4952"
The process GoogleUpdaterService_B33FC4DD36A473C6.exe:3536 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater\apps\tbie]
"auto" = "0"
The process scribe.exe:2020 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Scheduler]
"SevenDays" = "1"
The process scribe.exe:1004 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\DirectInput\MostRecentApplication]
"MostRecentStart" = "75 0C 25 74 17 92 D0 01"
[HKCU\Software\NCH Software\Scribe\Registration]
"RD" = "1432028262"
"Name" = ""
[HKCU\Software\NCH Software\Scribe\MainWindow]
"MiniWindowPositionX" = "453"
[HKCU\Software\NCH Software\Scribe\Settings]
"WordCount" = "1"
[HKCU\Software\Microsoft\DirectInput\MostRecentApplication]
"ID" = "SCRIBE.EXE53E24FA8001CE258"
[HKCU\Software\NCH Software\Scribe\Settings]
"UseWordProc" = "1"
"WordDefault" = "0"
"DataFolderCurrent" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe"
[HKCU\Software\NCH Software\Scribe\Software]
"SVar" = "LLIBShowrelatedwhenchromeonLLIBShowSuiteButtonOn"
[HKCU\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0E0F&PID_0003\Calibration\0]
"Guid" = "00 A9 17 D7 23 FE E4 11 80 01 44 45 53 54 00 00"
[HKCU\Software\Microsoft\DirectInput\MostRecentApplication]
"Version" = "00 07 00 00"
[HKCU\Software\NCH Software\Scribe\Settings]
"Word0" = "C:\ProgramData\NCH Software\Scribe\Status\Template.doc"
[HKCU\Software\NCH Software\Scribe\Registration]
"LR" = "1432028262"
[HKCU\Software\NCH Software\Scribe\MainWindow]
"MiniWindowPositionY" = "190"
[HKCU\Software\NCH Software\Scribe\Settings]
"currentfile" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Current\Welcome.dat"
[HKCU\Software\Microsoft\DirectInput\MostRecentApplication]
"Name" = "SCRIBE.EXE"
[HKCU\Software\NCH Software\Scribe\Settings]
"CleanExit" = "0"
"DataFolderPrevious" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe"
The process scribe.exe:1836 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\NCH Software\Scribe\Software]
"Toolbar" = "cnm-installed,gac,google"
[HKCU\Software\NCH Software\Components\GoogleToolbar]
"State" = "attempted"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Components\GoogleToolbar]
"State" = "attempted"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The PUP deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process edsetup.exe:2812 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process nchsetup.exe:336 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\NCH Software\FastFox\ShortcutExempt]
"fmt" = "1"
[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Switch %L"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Doxillion %L"
[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Prism %L"
[HKCU\Software\NCH Software\FastFox\Settings]
"ExePath" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe"
[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\NCH Software\FastFox\Software]
"InstalledBy" = "rpScribe"
[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Doxillion %L"
[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Components\GoogleToolbar]
"State" = "attempted"
[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Doxillion %L"
[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Prism %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastFox]
"VersionMinor" = "32"
[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Doxillion %L"
[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Switch %L"
[HKCU\Software\Classes\neffile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\pngfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\aufile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind WavePad %L"
[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\7zfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Switch %L"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\m4afile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind WavePad %L"
[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Doxillion %L"
[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\avifile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Prism %L"
[HKCU\Software\Classes\asffile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind VideoPad %L"
[HKCU\Software\Classes\vocfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind WavePad %L"
[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Pixillion %L"
[HKCU\Software\Classes\aacfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind WavePad %L"
[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Prism %L"
[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind VideoPad %L"
[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind VideoPad %L"
[HKCU\Software\Classes\giffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Prism %L"
[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Prism %L"
[HKCU\Software\Classes\giffile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind VideoPad %L"
[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Switch %L"
[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\pngfile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Prism %L"
[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind VideoPad %L"
[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind VideoPad %L"
[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastFox]
"URLUpdateInfo" = "www.nch.com.au/fastfox/index.html"
[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Doxillion %L"
[HKCU\Software\Classes\neffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Pixillion %L"
[HKCU\Software\Conduit\AppPaths\FastFox.exe]
"AppPath" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastFox]
"VersionMajor" = "2"
[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Switch %L"
[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\aufile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\NCH Software\FastFox\Settings]
"InstalledByAdmin" = "1"
[HKCU\Software\Classes\giffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Pixillion %L"
[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastFox]
"InstallLocation" = "%Program Files% (x86)\NCH Software\FastFox"
[HKCU\Software\NCH Software\Components\GoogleToolbar]
"State" = "attempted"
[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKLM\SOFTWARE\Wow6432Node\Conduit\AppPaths\FastFox.exe]
"AppPath" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe"
[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind VideoPad %L"
[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Switch %L"
[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Doxillion %L"
[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\gzfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind WavePad %L"
[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\CABFolder\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind ExpressZip %L"
[HKCU\Software\NCH Software\FastFox\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\FastFox"
[HKCU\Software\Classes\asffile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Doxillion %L"
[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Prism %L"
[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\voxfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\NCH Software\FastFox\Software]
"Toolbar" = "cnm-installed"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastFox]
"Publisher" = "NCH Software"
[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\rarfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Prism %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastFox]
"URLInfoAbout" = "http://www.nch.com.au/fastfox/support.html"
[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Switch %L"
[HKCU\Software\Classes\neffile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\ds2file\shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\ds2file\shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Switch %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastFox]
"DisplayVersion" = "2.32"
[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind WavePad %L"
[HKCU\Software\Classes\m4afile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind WavePad %L"
[HKCU\Software\Classes\avifile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind VideoPad %L"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Pixillion %L"
[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
"test" = "testv"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastFox]
"Version" = "2.32"
[HKCU\Software\Classes\aufile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\7zfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\neffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Switch %L"
[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Pixillion %L"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\FastFox\Settings]
"RelatedRuns" = "-1"
[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\aacfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind ExpressZip %L"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Pixillion %L"
[HKCU\Software\Classes\tarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\tarfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\giffile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\NCH Software\FastFox\Settings]
"currentVersion" = "2.32"
[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Prism %L"
[HKCU\Software\Classes\aufile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Switch %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastFox]
"DisplayName" = "FastFox"
[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\NCH Software\FastFox\ShortcutExempt]
"txt" = "1"
[HKCU\Software\NCH Software\FastFox\Settings]
"InstallDate" = "1432028268"
[HKCU\Software\Classes\oggfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind WavePad %L"
[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\NCH Software\FastFox\Settings]
"PicShortcutsConvertedToWindowMetaFile" = "0"
[HKCU\Software\Classes\oggfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\voxfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind WavePad %L"
[HKCU\Software\Classes\movfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind VideoPad %L"
[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind VideoPad %L"
[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Prism %L"
[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind WavePad %L"
[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind Switch %L"
[HKCU\Software\Classes\vocfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\NCH Software\FastFox\ShortcutExempt]
"CTRL SHIFT T" = "1"
[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastFox]
"UninstallString" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -uninstall"
[HKCU\Software\Classes\rarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind WavePad %L"
[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -extfind VideoPad %L"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\FastFox\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\FastFox"
[HKCU\Software\Classes\CABFolder\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\movfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\NCH Software\FastFox\ShortcutExempt]
"PIC1" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastFox]
"DisplayIcon" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\FastFox\Software]
"Installer" = "%Program Files% (x86)\NCH Software\FastFox\fastfoxsetup_v2.32.exe"
To automatically run itself each time Windows is booted, the PUP adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"FastFox" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -logon"
The PUP deletes the following registry key(s):
[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
The PUP deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
"test"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The PUP disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"FastFoxUninstall"
"_FastFoxUninstall4"
"_FastFoxUninstall5"
"_FastFoxUninstall2"
"_FastFoxUninstall3"
"_FastFoxUninstall"
"FastFoxUninstall2"
"FastFoxUninstall3"
"FastFoxUninstall4"
"FastFoxUninstall5"
The process nchsetup.exe:1372 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCR\NCH.Scribe.dvs\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"
[HKCR\NCH.Scribe.dvs\shell]
"(Default)" = "Open"
[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"
[HKCU\Software\NCH Software\Scribe\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\Scribe"
[HKCU\Software\Classes\.OGG]
"(Default)" = "oggfile"
[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"
[HKCU\Software\Classes\.tar]
"(Default)" = "tarfile"
[HKCU\Software\Classes\m4vfile\Shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".aif" = "NCH.Scribe.aif"
[HKCR\.wav\OpenWithProgIds]
"NCH.Scribe.wav" = "Type: REG_NONE, Length: 0"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind PhotoStage %L"
[HKCR\.msv]
"(Default)" = "NCH.Scribe.msv"
[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\.AAC]
"(Default)" = "aacfile"
[HKCU\Software\Classes\avifile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\vocfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileTypes]
".wma" = "NCH.Scribe.wma"
[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"
[HKCR\NCH.Scribe.mp3\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\.meo]
"(Default)" = "meofile"
[HKCU\Software\Classes\.7z]
"(Default)" = "7zfile"
[HKCU\Software\Classes\.nef]
"(Default)" = "neffile"
[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCR\NCH.Scribe.dss\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCR\NCH.Scribe.aif\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\m4afile\Shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileTypes]
".aif" = "NCH.Scribe.aif"
[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"
[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCR\SystemFileAssociations\.dct\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\.rar]
"(Default)" = "rarfile"
[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\neffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Pixillion %L"
[HKCU\Software\Classes\.avi]
"(Default)" = "avifile"
[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".aiff" = "NCH.Scribe.aiff"
[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\aufile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\pngfile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCR\NCH.Scribe.aiff\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"
[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".wma" = "NCH.Scribe.wma"
[HKCU\Software\Classes\.asf]
"(Default)" = "asffile"
[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\gzfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCR\.dvs\OpenWithProgIds]
"NCH.Scribe.dvs" = "Type: REG_NONE, Length: 0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"Publisher" = "NCH Software"
[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"
[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\.vox]
"(Default)" = "voxfile"
[HKCR\NCH.Scribe.dvs\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"
[HKCR\NCH.Scribe.dct\shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\neffile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\ds2file\shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\.vpj]
"(Default)" = "vpjfile"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\Scribe"
[HKCR\Applications\scribe.exe]
"(Default)" = "Express Scribe Transcription Software"
[HKCR\NCH.Scribe.dvs]
"(Default)" = "Express Scribe Dictation File"
[HKCU\Software\NCH Software\Scribe\Hotkey\6]
"Command" = "7"
[HKCU\Software\Classes\meofile]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\vobfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\neffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\7zfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\TIFImage.Document\Shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"DisplayIcon" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe"
[HKCR\NCH.Scribe.msv\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"
[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCR\.aiff\OpenWithProgIds]
"NCH.Scribe.aiff" = "Type: REG_NONE, Length: 0"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".dvs" = "NCH.Scribe.dvs"
[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\AcroExch.Document\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\mp4file\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\Paint.Picture\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"
[HKCU\Software\Classes\voxfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\.AU]
"(Default)" = "aufile"
[HKCU\Software\Classes\.mpg]
"(Default)" = "mpgfile"
[HKCU\Software\Classes\.vob]
"(Default)" = "vobfile"
[HKCU\Software\Classes\mpdpfile]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Classes\asffile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"
[HKCR\NCH.Scribe.mp3\shell]
"(Default)" = "Open"
[HKCR\SystemFileAssociations\.mp3\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCR\NCH.Scribe.aiff\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\vpjfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileTypes]
".MP3" = "NCH.Scribe.mp3"
[HKCU\Software\Classes\.WAV]
"(Default)" = "NCH.Scribe.wav"
[HKCU\Software\Classes\.mov]
"(Default)" = "movfile"
[HKCR\.msv]
"Scribe.BAK" = ""
[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"URLInfoAbout" = "www.nch.com.au/scribe/support.html"
[HKCU\Software\Classes\asffile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\mohfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCR\NCH.Scribe.wma\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"
[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"
[HKCU\Software\NCH Software\Scribe\Software]
"Toolbar" = "cnm-installed"
[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"
[HKCR\.aif\OpenWithProgIds]
"NCH.Scribe.aif" = "Type: REG_NONE, Length: 0"
[HKCR\NCH.Scribe.aiff\shell]
"(Default)" = "Open"
[HKCU\Software\NCH Software\Scribe\Settings]
"InstallDate" = "1432028237"
[HKCU\Software\NCH Software\Scribe\Hotkey\1]
"Command" = "10"
[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"
[HKCR\Applications\scribe.exe\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\.gz]
"(Default)" = "gzfile"
[HKCU\Software\Classes\giffile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"
[HKCU\Software\Classes\wpdfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"
[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"
[HKCR\.dct\OpenWithProgIds]
"NCH.Scribe.dct" = "Type: REG_NONE, Length: 0"
[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dvs\UserChoice]
"Progid" = "NCH.Scribe.dvs"
[HKCR\.dss\OpenWithProgIds]
"NCH.Scribe.dss" = "Type: REG_NONE, Length: 0"
[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"URLUpdateInfo" = "www.nch.com.au/scribe/index.html"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Settings]
"RelatedRuns" = "-1"
[HKCU\Software\Classes\.mpeg]
"(Default)" = "mpegfile"
[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileTypes]
".aiff" = "NCH.Scribe.aiff"
[HKCU\Software\Classes\.ds2]
"(Default)" = "ds2file"
[HKCU\Software\Classes\tar.gzfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCR\.mp3\OpenWithProgIds]
"NCH.Scribe.mp3" = "Type: REG_NONE, Length: 0"
[HKCU\Software\Classes\.WMA]
"(Default)" = "NCH.Scribe.wma"
[HKCU\Software\Classes\.xvid]
"(Default)" = "xvidfile"
[HKCR\NCH.Scribe.wma]
"(Default)" = ""
[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"
[HKCU\Software\NCH Software\Scribe\Settings]
"InstalledByAdmin" = "1"
[HKCR\NCH.Scribe.dct\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCR\.wma\OpenWithProgIds]
"NCH.Scribe.wma" = "Type: REG_NONE, Length: 0"
[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Software]
"Installer" = "%Program Files% (x86)\NCH Software\Scribe\scribesetup_v5.69.exe"
[HKCU\Software\NCH Software\Scribe\Hotkey\0]
"key" = "122"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"DisplayName" = "Express Scribe Transcription Software"
[HKCR\.dvs]
"(Default)" = "NCH.Scribe.dvs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msv\UserChoice]
"Progid" = "NCH.Scribe.msv"
[HKCU\Software\Classes\.moh]
"(Default)" = "mohfile"
[HKCU\Software\Classes\.mpeg2]
"(Default)" = "mpeg2file"
[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"
[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressZip %L"
[HKCR\NCH.Scribe.wma\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\mpeg2file\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\.voc]
"(Default)" = "vocfile"
[HKCU\Software\Classes\spjfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"
[HKCU\Software\Classes\vocfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCR\NCH.Scribe.dct\shell]
"(Default)" = "Open"
[HKCU\Software\Classes\.wp]
"(Default)" = "wpfile"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Pixillion %L"
[HKCR\NCH.Scribe.mp3]
"(Default)" = ""
[HKCU\Software\Classes\aufile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\NCH Software\Scribe\Hotkey\7]
"Command" = "2"
[HKCU\Software\Classes\.divx]
"(Default)" = "divxfile"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dss\UserChoice]
"Progid" = "NCH.Scribe.dss"
[HKCU\Software\Classes\mohfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind IMS %L"
[HKCU\Software\Classes\aacfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCR\NCH.Scribe.wav\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"
[HKCU\Software\Classes\.AIFF]
"(Default)" = "NCH.Scribe.aiff"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".msv" = "NCH.Scribe.msv"
[HKCU\Software\Classes\.wpd]
"(Default)" = "wpdfile"
[HKCU\Software\Classes\spjfile]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Classes\vpjfile]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Pixillion %L"
[HKCU\Software\Classes\xvidfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\ivrfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCU\Software\Classes\mpegfile\Shell]
"(Default)" = "open"
[HKCR\.dct]
"Scribe.BAK" = ""
[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"
[HKCU\Software\Classes\ivrfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind IVM %L"
[HKCU\Software\Classes\tarfile\Shell]
"(Default)" = "open"
[HKCR\NCH.Scribe.aif]
"(Default)" = ""
[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"
[HKCU\Software\Classes\movfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCR\NCH.Scribe.dct\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"
[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"
[HKCR\.dvs]
"Scribe.BAK" = ""
[HKCR\.dss]
"Scribe.BAK" = ""
[HKCU\Software\Classes\giffile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\odtfile\Shell]
"(Default)" = "open"
[HKLM\SOFTWARE\RegisteredApplications]
"Scribe" = "Software\NCH Software\Scribe\Capabilities"
[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"
[HKCU\Software\Classes\jpegfile\Shell]
"(Default)" = "open"
[HKCR\NCH.Scribe.dss]
"(Default)" = "Express Scribe Dictation File"
[HKCU\Software\Classes\pngfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\aufile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"
[HKCU\Software\Classes\mpgfile\Shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileTypes]
".dct" = "NCH.Scribe.dct"
[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"
[HKCR\NCH.Scribe.aiff\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
"test" = "testvlp"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"VersionMinor" = "69"
[HKCU\Software\Classes\m4afile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"
[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"
[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"
[HKCU\Software\Classes\.tar.gz]
"(Default)" = "tar.gzfile"
[HKCU\Software\NCH Software\Scribe\Hotkey\4]
"key" = "117"
[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"
[HKCR\.msv\OpenWithProgIds]
"NCH.Scribe.msv" = "Type: REG_NONE, Length: 0"
[HKCU\Software\Classes\.MP3]
"(Default)" = "NCH.Scribe.mp3"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".MP3" = "NCH.Scribe.mp3"
[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"
[HKCU\Software\NCH Software\Scribe\Software]
"SVar" = "LLIBShowrelatedwhenchromeon"
[HKCU\Software\Classes\vocfile\Shell]
"(Default)" = "open"
[HKCR\NCH.Scribe.wav\shell]
"(Default)" = "Open"
[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\.spj]
"(Default)" = "spjfile"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"UninstallString" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -uninstall"
[HKCU\Software\Classes\meofile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Meo %L"
[HKCU\Software\Classes\giffile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\NCH Software\Scribe\Hotkey\2]
"key" = "115"
[HKCU\Software\Classes\Windows.IsoFile\shell]
"(Default)" = "open"
[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\avifile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCR\NCH.Scribe.msv]
"(Default)" = "Express Scribe Dictation File"
[HKCU\Software\NCH Software\Scribe\Hotkey\1]
"key" = "114"
[HKCR\NCH.Scribe.mp3\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\.ivr]
"(Default)" = "ivrfile"
[HKCR\NCH.Scribe.wma\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCR\SystemFileAssociations\.aiff\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\meofile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCU\Software\Classes\CABFolder\Shell]
"(Default)" = "open"
[HKCU\Software\NCH Software\Scribe\Hotkey\3]
"key" = "116"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileTypes]
".WAV" = "NCH.Scribe.wav"
[HKCU\Software\Classes\oggfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"
[HKCU\Software\Classes\neffile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\voxfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCR\NCH.Scribe.msv\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCR\NCH.Scribe.msv\shell]
"(Default)" = "Open"
[HKCU\Software\Classes\rarfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"
[HKCU\Software\Classes\ds2file\shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"
[HKCU\Software\Classes\.FLAC]
"(Default)" = "flacfile"
[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\mpdpfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind MixPad %L"
[HKCU\Software\NCH Software\Scribe\Hotkey]
"maxId" = "9"
[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCR\NCH.Scribe.aif\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"
[HKCU\Software\NCH Software\Scribe\Hotkey\8]
"key" = "121"
[HKCU\Software\Classes\ds2file\shell]
"(Default)" = "open"
[HKCR\NCH.Scribe.aiff]
"(Default)" = ""
[HKCU\Software\Classes\giffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\.gsm]
"(Default)" = "gsmfile"
[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"
[HKCU\Software\Classes\ivrfile]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\NCH Software\Scribe\Hotkey\4]
"Command" = "1"
[HKCU\Software\Classes\tarfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\tarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressZip %L"
[HKCU\Software\NCH Software\Scribe\Hotkey\2]
"Command" = "3"
[HKCU\Software\NCH Software\Scribe\Hotkey\5]
"Command" = "6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCR\NCH.Scribe.dct]
"(Default)" = "Express Scribe Dictation File"
[HKCU\Software\NCH Software\Scribe\Settings]
"currentVersion" = "5.69"
[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCR\NCH.Scribe.mp3\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"
[HKCU\Software\Classes\oggfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"
[HKCU\Software\Classes\oggfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\movfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"
[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\.M4A]
"(Default)" = "m4afile"
[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\spjfile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\rarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressZip %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"VersionMajor" = "5"
[HKCU\Software\Classes\CABFolder\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCR\NCH.Scribe.wav]
"(Default)" = ""
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".dct" = "NCH.Scribe.dct"
[HKCU\Software\Classes\.AIF]
"(Default)" = "NCH.Scribe.aif"
[HKCU\Software\Classes\flacfile\Shell]
"(Default)" = "open"
[HKCU\Software\NCH Software\Scribe\Hotkey\6]
"key" = "119"
[HKCU\Software\NCH Software\Scribe\Hotkey\3]
"Command" = "0"
[HKCU\Software\Classes\7zfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressZip %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"
[HKCR\NCH.Scribe.aif\shell]
"(Default)" = "Open"
[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"
[HKCU\Software\Classes\gsmfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCR\NCH.Scribe.wav\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\neffile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Pixillion %L"
[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities]
"ApplicationDescription" = "Express Scribe Transcription Software"
[HKCU\Software\NCH Software\Scribe\Hotkey\7]
"key" = "120"
[HKCU\Software\NCH Software\Scribe\Hotkey\5]
"key" = "118"
[HKCU\Software\Classes\asffile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".dss" = "NCH.Scribe.dss"
[HKCU\Software\Classes\aacfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"
[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"InstallLocation" = "%Program Files% (x86)\NCH Software\Scribe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dct\UserChoice]
"Progid" = "NCH.Scribe.dct"
[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\aacfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\.m4v]
"(Default)" = "m4vfile"
[HKCU\Software\Classes\divxfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"
[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Prism %L"
[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\giffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Pixillion %L"
[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"
[HKCU\Software\Classes\.mpdp]
"(Default)" = "mpdpfile"
[HKCU\Software\Classes\mpdpfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"
[HKCU\Software\Classes\docxfile\Shell]
"(Default)" = "open"
[HKCR\NCH.Scribe.aif\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCR\NCH.Scribe.wma\shell]
"(Default)" = "Open"
[HKCR\.dss]
"(Default)" = "NCH.Scribe.dss"
[HKCU\Software\Classes\movfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Doxillion %L"
[HKCR\Applications\scribe.exe\shell]
"(Default)" = "Open"
[HKCU\Software\Classes\wpfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\rarfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\CABFolder\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"
[HKCU\Software\Classes\gzfile\Shell]
"(Default)" = "open"
[HKCR\Applications\scribe.exe\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"
[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\m4afile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\avifile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind VideoPad %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"Version" = "5.69"
[HKCU\Software\Classes\mohfile]
"(Default)" = "Unhandled Extension Handler Finder"
[HKCU\Software\Classes\.mp4]
"(Default)" = "mp4file"
[HKCU\Software\Classes\Windows.IsoFile\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind ExpressBurn %L"
[HKCU\Software\Classes\7zfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCR\.dct]
"(Default)" = "NCH.Scribe.dct"
[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Pixillion %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Scribe]
"DisplayVersion" = "5.69"
[HKCR\NCH.Scribe.dss\DefaultIcon]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe,0"
[HKCU\Software\Classes\pngfile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\vpjfile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Scribe\Capabilities\FileAssociations]
".WAV" = "NCH.Scribe.wav"
[HKCR\SystemFileAssociations\.wma\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\NCH Software\Scribe\Hotkey\0]
"Command" = "9"
[HKCU\Software\Classes\.doc]
"(Default)" = "docfile"
[HKCU\Software\NCH Software\Scribe\Hotkey\8]
"Command" = "8"
[HKCU\Software\Classes\aufile\Shell]
"(Default)" = "open"
[HKCR\NCH.Scribe.wav\shell\open\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\aufile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind Switch %L"
[HKCU\Software\Classes\rtffile\Shell]
"(Default)" = "open"
[HKCU\Software\Classes\docfile\Shell]
"(Default)" = "open"
[HKCR\NCH.Scribe.dss\shell]
"(Default)" = "Open"
[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCR\SystemFileAssociations\.aif\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\voxfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"
[HKCR\SystemFileAssociations\.wav\Shell\Transcribe with Express Scribe Transcription Software\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe %L"
[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Scribe\scribe.exe -extfind WavePad %L"
[HKCU\Software\Classes\Windows.IsoFile\DefaultIcon]
"(Default)" = "%SystemRoot%\SysWow64\shell32.dll,19"
The PUP deletes the following registry key(s):
[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dvs\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Google\GCAPITemp]
"test"
[HKCU\Software\NCH Software\Scribe\Software]
"_ShowSurvey"
"InstalledBy"
"ShowSurveyNow"
"ShowSurvey"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msv\UserChoice]
"Progid"
[HKCU\Software\NCH Software\Scribe\Software]
"_ShowSurveyNow"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dss\UserChoice]
"Progid"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\NCH Software\Scribe\Software]
"_InstalledBy"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dct\UserChoice]
"Progid"
The process nchsetup.exe:2512 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Switch %L"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Express]
"VersionMajor" = "5"
[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Prism %L"
[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind WavePad %L"
[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Doxillion %L"
[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Doxillion %L"
[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\asffile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Doxillion %L"
[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Switch %L"
[HKCU\Software\Classes\neffile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\pngfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\aufile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind WavePad %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Express]
"DisplayName" = "Express Dictate Digital Dictation Software"
[HKCU\Software\Classes\7zfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Switch %L"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\m4afile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind WavePad %L"
[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Doxillion %L"
[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\avifile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Prism %L"
[HKCU\Software\Classes\asffile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind VideoPad %L"
[HKCU\Software\Classes\vocfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind WavePad %L"
[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\aacfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind WavePad %L"
[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Prism %L"
[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind VideoPad %L"
[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind VideoPad %L"
[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Prism %L"
[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Pixillion %L"
[HKCU\Software\NCH Software\Express\Settings]
"WorkingDataFolderPrevious" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Express"
[HKCU\Software\Classes\giffile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind VideoPad %L"
[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Switch %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Express]
"Publisher" = "NCH Software"
[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Express\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\Express"
[HKCU\Software\NCH Software\Express\Settings]
"WorkingDataFolder" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Express"
[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Prism %L"
[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind VideoPad %L"
[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind VideoPad %L"
[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\docfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\xvidfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\NCH Software\Express\Settings]
"InstalledByAdmin" = "1"
[HKCU\Software\Classes\neffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Pixillion %L"
[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Prism %L"
[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Switch %L"
[HKCU\Software\Classes\mp4file\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\Windows.IsoFile\shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\tar.gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\mpeg2file\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\aufile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\pngfile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Express]
"DisplayIcon" = "%Program Files% (x86)\NCH Software\Express\express.exe"
[HKCU\Software\Classes\giffile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Pixillion %L"
[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Express]
"Version" = "5.82"
[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\rtffile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\giffile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind VideoPad %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Express]
"URLUpdateInfo" = "www.nch.com.au/express/index.html"
[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Switch %L"
[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Doxillion %L"
[HKCU\Software\Classes\gsmfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\gzfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind WavePad %L"
[HKCU\Software\Classes\divxfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Express]
"UninstallString" = "%Program Files% (x86)\NCH Software\Express\express.exe -uninstall"
[HKCU\Software\Classes\CABFolder\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind ExpressZip %L"
[HKCU\Software\Classes\vobfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Prism %L"
[HKCU\Software\Classes\docxfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Doxillion %L"
[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Prism %L"
[HKCU\Software\Classes\jpegfile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\voxfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\flacfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\rarfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\mpegfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Prism %L"
[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Prism %L"
[HKCU\Software\Classes\odtfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind WavePad %L"
[HKCU\Software\Classes\NCH.Scribe.mp3\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Switch %L"
[HKCU\Software\Classes\neffile\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\ds2file\shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\ds2file\shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Switch %L"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Express\Software]
"Installer" = "%Program Files% (x86)\NCH Software\Express\expresssetup_v5.82.exe"
[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\NCH.Scribe.aif\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind WavePad %L"
[HKCU\Software\Classes\m4afile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\NCH Software\Express\Settings]
"InstallerPath" = "%Program Files% (x86)\NCH Software\Express"
[HKCU\Software\Classes\NCH.Scribe.wav\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\avifile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind VideoPad %L"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Pixillion %L"
[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\divxfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\giffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\aufile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\7zfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\neffile\Shell\NCHslideshow\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind PhotoStage %L"
[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Switch %L"
[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Pixillion %L"
[HKCU\Software\Classes\mpeg2file\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\aacfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\gzfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind ExpressZip %L"
[HKCU\Software\NCH Software\Express\Settings]
"InstallDateFirst" = "1432028265"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Express]
"DisplayVersion" = "5.82"
"InstallLocation" = "%Program Files% (x86)\NCH Software\Express"
[HKCU\Software\Classes\Paint.Picture\Shell\NCHslideshow]
"(Default)" = "Create slideshow"
[HKCU\Software\Classes\TIFImage.Document\Shell\NCHconvertimage\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Pixillion %L"
[HKCU\Software\Classes\tarfile\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\mpgfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\m4vfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\avifile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\asffile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\mp4file\Shell\NCHconvertvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Prism %L"
[HKCU\Software\Classes\aufile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Switch %L"
[HKCU\Software\Classes\AcroExch.Document\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Doxillion %L"
[HKCU\Software\Classes\vobfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\jpegfile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\NCH.Scribe.aiff\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKCU\Software\Classes\oggfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind WavePad %L"
[HKCU\Software\Classes\pngfile\Shell\NCHconvertimage]
"(Default)" = "Convert image file"
[HKCU\Software\Classes\mpgfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\oggfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\voxfile\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind WavePad %L"
[HKCU\Software\Classes\movfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind VideoPad %L"
[HKCU\Software\Classes\m4vfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind VideoPad %L"
[HKCU\Software\NCH Software\Express\Software]
"InstalledBy" = "rpScribe"
[HKCU\Software\Classes\wpdfile\Shell\NCHconvertdoc\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Doxillion %L"
[HKCU\Software\Classes\movfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\NCH Software\Express\Settings]
"currentVersion" = "5.82"
[HKCU\Software\Classes\mpegfile\Shell\NCHconvertvideo]
"(Default)" = "Convert video file"
[HKCU\Software\Classes\voxfile\Shell\NCHconvertsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind Switch %L"
[HKCU\Software\Classes\vocfile\Shell\NCHeditsound]
"(Default)" = "Edit sound file"
[HKCU\Software\Classes\aacfile\Shell\NCHconvertsound]
"(Default)" = "Convert sound file"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Express]
"URLInfoAbout" = "www.nch.com.au/express/support.html"
[HKCU\Software\Classes\FirefoxHTML\shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\rarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind ExpressZip %L"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Express]
"VersionMinor" = "82"
[HKCU\Software\Classes\NCH.Scribe.wma\Shell\NCHeditsound\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind WavePad %L"
[HKCU\Software\Classes\xvidfile\Shell\NCHeditvideo\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind VideoPad %L"
[HKCU\Software\Classes\CABFolder\Shell\NCHextract]
"(Default)" = "Extract with Express Zip"
[HKCU\Software\Classes\movfile\Shell\NCHeditvideo]
"(Default)" = "Edit video file"
[HKCU\Software\Classes\wpfile\Shell\NCHconvertdoc]
"(Default)" = "Convert file type"
[HKCU\Software\Classes\tarfile\Shell\NCHextract\command]
"(Default)" = "%Program Files% (x86)\NCH Software\Express\express.exe -extfind ExpressZip %L"
[HKCU\Software\NCH Software\Express\Settings]
"InstallDate" = "1432028265"
The PUP deletes the following value(s) in system registry:
[HKCU\Software\NCH Software\Express\Settings]
"OSCheck"
"InstalledByAdmin"
"_NewerVersion"
"_OSCheck"
"NewerVersion"
"_InstalledByAdmin"
The process regsvr32.exe:2320 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\ProgID]
"(Default)" = "ProtectorExe.ProtectorHost.1"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"(Default)" = "ProtectorHost Class"
[HKCR\protector_dll.ProtectorBho\CurVer]
"(Default)" = "protector_dll.ProtectorBho.1"
[HKCR\protector_dll.ProtectorLib\CurVer]
"(Default)" = "protector_dll.ProtectorLib.1"
[HKCR\AppID\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}]
"(Default)" = "protector_dll"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"(Default)" = "ProtectorLib Class"
[HKCR\protector_dll.ProtectorBho.1\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorLib"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorBho"
[HKCR\protector_dll.ProtectorBho.1]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\protector_dll.ProtectorLib\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\protector_dll.ProtectorLib.1\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll"
[HKCR\protector_dll.ProtectorLib]
"(Default)" = "ProtectorLib Class"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"Depend" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID]
"(Default)" = "protector_dll.ProtectorLib.1"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\VersionIndependentProgID]
"(Default)" = "ProtectorExe.ProtectorHost"
[HKCR\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\protector_dll.ProtectorLib.1]
"(Default)" = "ProtectorLib Class"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
"(Default)" = "protector_dll.ProtectorBho.1"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\protector_dll.ProtectorBho]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\AppID\protector_dll.DLL]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\protector_dll.ProtectorBho\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"
[HKCR\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"(Default)" = "%Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll"
The process GoogleUpdaterService.exe:1128 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}]
"(Default)" = "ISilentUpdater"
[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}]
"(Default)" = "IUpdaterScheduler"
[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater\apps\swg]
"auto" = "0"
[HKCR\AppID\GoogleUpdaterService.exe]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"
[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
[HKCR\GUSchedulerCtl.UpdaterScheduler]
"(Default)" = "Google Updater Scheduler class"
[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\ProgID]
"(Default)" = "GUServiceCtl.SilentUpdater.1"
[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"
[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"
[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}]
"(Default)" = "Google Updater Scheduler class"
[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"Version" = "1.0"
[HKCR\GUServiceCtl.SilentUpdater]
"(Default)" = "Google Silent Updater class"
[HKCR\GUServiceCtl.SilentUpdater\CLSID]
"(Default)" = "{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}"
[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}]
"(Default)" = "Google Silent Updater class"
[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
[HKCR\GUSchedulerCtl.UpdaterScheduler.1\CLSID]
"(Default)" = "{B53B7061-6584-46AA-A033-D610EB10BD9B}"
[HKCR\GUServiceCtl.SilentUpdater\CurVer]
"(Default)" = "GUServiceCtl.SilentUpdater.1"
[HKCR\Wow6432Node\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"LocalService" = "gusvc"
[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"
[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}]
"(Default)" = "IUpdaterScheduler"
[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"(Default)" = "gusvc"
[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0]
"(Default)" = "Google Updater Service 1.0 Type Library"
[HKCR\GUServiceCtl.SilentUpdater.1\CLSID]
"(Default)" = "{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}"
[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\VersionIndependentProgID]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler"
[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}]
"AppID" = "{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}"
[HKCR\GUServiceCtl.SilentUpdater.1]
"(Default)" = "Google Silent Updater class"
[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{5924C60B-6D7F-4AD6-8084-24A59431C967}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe"
[HKCR\Wow6432Node\CLSID\{B53B7061-6584-46AA-A033-D610EB10BD9B}\ProgID]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler.1"
[HKCR\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{89DAE4CD-9F17-4980-902A-99BA84A8F5C8}\VersionIndependentProgID]
"(Default)" = "GUServiceCtl.SilentUpdater"
[HKCR\Interface\{C07A89E4-82A3-4A29-9908-DFC9DEBF8267}]
"(Default)" = "ISilentUpdater"
[HKCR\GUSchedulerCtl.UpdaterScheduler\CLSID]
"(Default)" = "{B53B7061-6584-46AA-A033-D610EB10BD9B}"
[HKCR\GUSchedulerCtl.UpdaterScheduler.1]
"(Default)" = "Google Updater Scheduler class"
[HKCR\GUSchedulerCtl.UpdaterScheduler\CurVer]
"(Default)" = "GUSchedulerCtl.UpdaterScheduler.1"
[HKCR\Wow6432Node\Interface\{5C8CE0B5-6DA0-49A1-B675-78FD03EA3224}\TypeLib]
"(Default)" = "{5924C60B-6D7F-4AD6-8084-24A59431C967}"
The PUP deletes the following value(s) in system registry:
[HKCR\AppID\{61E28BF8-C02B-499F-8E7A-34C1E4A1C649}]
"LocalService"
The process GoogleUpdaterService.exe:3568 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Common\Google Updater\apps\swg]
"auto" = "0"
The process express.exe:1732 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\NCH Software\Express\Settings]
"WorkingDataFolderPrevious" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Express"
[HKLM\SOFTWARE\Wow6432Node\NCH Software\Express\Scheduler]
"SevenDays" = "1"
[HKCU\Software\NCH Software\Express\Settings]
"WorkingDataFolder" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Express"
The process ffsetup.exe:2652 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:3560 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"ust" = "100"
[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier\Clients]
"ietb" = "0"
The process SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:304 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier]
"Version" = "5.10.11023.1534"
"ID" = "6fcd4572f44047df87447927667a9779"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534,"
[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"ust" = "100"
[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier\Clients]
"ietb" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\GoogleToolbarNotifier]
"brand" = "NCHD"
The PUP deletes the following registry key(s):
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
The process GoogleToolbarNotifier.exe:1412 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"HideUI_Throttled" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"DetectChange_DS" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionTime" = "68 F8 F4 8D 17 92 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Google\GoogleToolbarNotifier]
"FirstRun" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"Icon_Click" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"UserAllowChange_DS" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier]
"UpdateURL" = "http://clients1.google.com/tools/swg2/update"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Google\GoogleToolbarNotifier]
"lds" = "http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ShowUI_TrayIcon" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier]
"DefaultLanguage" = "en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier]
"TS" = "1432028303"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "68 F8 F4 8D 17 92 D0 01"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Google\GoogleToolbarNotifier]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ShowUI_Popup" = "0"
[HKCU\Software\Google\GoogleToolbarNotifier]
"InstalledVersion" = "5.10.11023.1534"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"LastReportTime" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Google\GoogleToolbarNotifier\Temp]
"scShowTrayIcon" = "ffffffff"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Google\GoogleToolbarNotifier]
"UsageStat" = "1"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"ModifyUI_UserIntent" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\GoogleToolbarNotifier_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Google\GoogleToolbarNotifier\Stats]
"Bubble_Click" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
[HKCU\Software\Google\GoogleToolbarNotifier]
"Version" = "5.10.11023.1534"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
[HKCU\Software\Google\GoogleToolbarNotifier]
"WantProductRestart"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Google\GoogleToolbarNotifier]
"ts"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Google\GoogleToolbarNotifier]
"DSPSuspended"
"SuspendedDS"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
The process GoogleToolbarNotifier.exe:1636 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\ProtectorExe.ProtectorHost.1\CLSID]
"(Default)" = "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}"
[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}]
"(Default)" = "IProtectorLib7"
[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}]
"(Default)" = "IProtector11"
[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}]
"(Default)" = "IProtector2"
[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll"
[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}]
"(Default)" = "IProtector8"
[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}]
"(Default)" = "IProtector6"
[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}]
"(Default)" = "IProtectorHost2"
[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID]
"(Default)" = "protector_dll.ProtectorLib.1"
[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}]
"(Default)" = "IProtectorLib"
[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}]
"(Default)" = "IProtector3"
[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"Version" = "1a.0"
[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0]
"(Default)" = "protector_dllLib"
[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}]
"(Default)" = "protector_dll"
[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}]
"(Default)" = "IProtector9"
[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}]
"(Default)" = "ProtectorExe"
[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}]
"(Default)" = "IProtectorLib8"
[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}]
"(Default)" = "IProtectorLib8"
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"
[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}]
"(Default)" = "IProtectorLib7"
[HKCR\protector_dll.ProtectorLib.1]
"(Default)" = "ProtectorLib Class"
[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}]
"(Default)" = "IProtector4"
[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"Depend" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll"
[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"(Default)" = "ProtectorLib Class"
[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"Version" = "1a.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppName" = "GoogleToolbarNotifier.exe"
[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}]
"(Default)" = "IProtector5"
[HKCR\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}]
"(Default)" = "IProtectorLib5"
[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"(Default)" = "ProtectorHost Class"
[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}]
"(Default)" = "IProtectorHost"
[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll"
[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}]
"(Default)" = "IProtector10"
[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorBho"
[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}]
"(Default)" = "IProtector10"
[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\ProgID]
"(Default)" = "ProtectorExe.ProtectorHost.1"
[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"Version" = "1a.0"
[HKCR\protector_dll.ProtectorLib\CurVer]
"(Default)" = "protector_dll.ProtectorLib.1"
[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}]
"(Default)" = "IProtector2"
[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}]
"(Default)" = "IProtector5"
[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"Version" = "1a.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppPath" = "%Program Files% (x86)\Google\GoogleToolbarNotifier"
[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}]
"(Default)" = "IProtectorHost"
[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}]
"(Default)" = "IProtector3"
[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\AppID\ProtectorExe.EXE]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\protector_dll.Protector.1\CLSID]
"(Default)" = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}"
[HKCR\ProtectorExe.ProtectorHost\CLSID]
"(Default)" = "{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}"
[HKCR\protector_dll.ProtectorBho]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\AppID\protector_dll.DLL]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}]
"(Default)" = "IProtectorLib2"
[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\ProgID]
"(Default)" = "protector_dll.Protector.1"
[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}]
"(Default)" = "IProtectorLib6"
[HKCR\protector_dll.Protector\CLSID]
"(Default)" = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}"
[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\VersionIndependentProgID]
"(Default)" = "ProtectorExe.ProtectorHost"
[HKCR\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}]
"(Default)" = "IProtector7"
[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\ProtectorExe.ProtectorHost]
"(Default)" = "ProtectorHost Class"
[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}]
"(Default)" = "IProtector4"
[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\protector_dll.ProtectorBho.1\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"
[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534"
[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\protector_dll.ProtectorBho.1]
"(Default)" = "Google Toolbar Notifier BHO"
[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}]
"(Default)" = "IProtectorLib3"
[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\VersionIndependentProgID]
"(Default)" = "protector_dll.ProtectorLib"
[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}]
"(Default)" = "IProtector11"
[HKCR\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}]
"(Default)" = "IProtector12"
[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\FLAGS]
"(Default)" = "0"
[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\VersionIndependentProgID]
"(Default)" = "protector_dll.Protector"
[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID]
"(Default)" = "protector_dll.ProtectorBho.1"
[HKCR\protector_dll.ProtectorLib.1\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"
[HKCR\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}]
"(Default)" = "IProtectorLib3"
[HKCR\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}]
"AppID" = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}"
[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}]
"(Default)" = "IProtector"
[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}]
"(Default)" = "IProtector6"
[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib]
"Version" = "1a.0"
[HKCR\ProtectorExe.ProtectorHost.1]
"(Default)" = "ProtectorHost Class"
[HKCR\Wow6432Node\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\protector_dll.Protector\CurVer]
"(Default)" = "protector_dll.Protector.1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"AppName" = "GoogleToolbarNotifier.exe"
[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib]
"Version" = "1a.0"
[HKCR\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0}]
"RunAs" = "Interactive User"
[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}]
"(Default)" = "IProtectorLib5"
[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"Policy" = "3"
[HKCR\protector_dll.ProtectorBho\CLSID]
"(Default)" = "{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"
[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}]
"AppID" = "{A97CA128-6998-4F8E-807E-8ED05FADAFB0}"
[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
[HKCR\protector_dll.ProtectorBho\CurVer]
"(Default)" = "protector_dll.ProtectorBho.1"
[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\ProtectorExe.ProtectorHost\CurVer]
"(Default)" = "ProtectorExe.ProtectorHost.1"
[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\1a.0\0\win32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll"
[HKCR\Wow6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}]
"Policy" = "3"
[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}]
"(Default)" = "IProtector12"
[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}]
"(Default)" = "IProtectorHost2"
[HKCR\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib]
"Version" = "1a.0"
[HKCR\protector_dll.Protector.1]
"(Default)" = "Protector Class"
[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll"
[HKCR\protector_dll.Protector]
"(Default)" = "Protector Class"
[HKCR\protector_dll.ProtectorLib\CLSID]
"(Default)" = "{84798B8E-69F8-4846-9516-373C2996E2F7}"
[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}]
"(Default)" = "IProtector8"
[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}]
"(Default)" = "IProtector"
[HKCR\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}]
"(Default)" = "IProtector9"
[HKCR\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}]
"(Default)" = "Protector Class"
[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}]
"(Default)" = "IProtectorLib4"
[HKCR\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}]
"(Default)" = "IProtector7"
[HKCR\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}]
"(Default)" = "IProtectorLib"
[HKCR\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}]
"(Default)" = "IProtectorLib4"
[HKCR\protector_dll.ProtectorLib]
"(Default)" = "ProtectorLib Class"
[HKCR\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}]
"(Default)" = "IProtectorLib6"
[HKCR\Wow6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib]
"Version" = "1a.0"
[HKCR\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib]
"Version" = "1a.0"
[HKCR\Wow6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Wow6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}]
"(Default)" = "IProtectorLib2"
[HKCR\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib]
"(Default)" = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}"
[HKCR\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib]
"Version" = "1a.0"
The process %original file name%.exe:624 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The PUP deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
| MD5 | File path |
|---|---|
| 5d4bc124faae6730ac002cdb67bf1a1c | c:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe |
| 786996ff4ea890b9f43ed68dd55ffd7b | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll |
| c74e54032b25934882f5da142135f6e4 | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_75A7C54F0BE42E8E.dll |
| d257b5fafad4fe93cd13ac792bf9b152 | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_2AD99D2EA038D2F2.dll |
| d59b2b86e3b0f21c42700cb4f60c8f4d | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll |
| 327c893aa5966ac436ca275f8d64c8c0 | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe |
| adf24d7a7195453f85e2f5cef3cbcc33 | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe |
| 852fd4db3205ff0cb6d8f473776f99b1 | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe |
| aa9bc44f6d065f76902e516d0b45db6d | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_3934E923EEC91A78.dll |
| ba214814e91a9eae3eeeaed77841f82a | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_62C1B48EAF0FD125.dll |
| 1f2afab903c0d48480561f3bbd4539c2 | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe |
| 4beaf576cb43358c4db9f45ac7c09cdb | c:\Program Files (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe |
| 78206b34bd050db564bf5b4b8c697925 | c:\Program Files (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe |
| adf24d7a7195453f85e2f5cef3cbcc33 | c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe |
| 852fd4db3205ff0cb6d8f473776f99b1 | c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe |
| aa9bc44f6d065f76902e516d0b45db6d | c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll |
| ba214814e91a9eae3eeeaed77841f82a | c:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll |
| 34c575178bacadb9744f3fb7f86b5ee3 | c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gth.dll |
| c9188d8d26ceedbe77fa96f128f10fec | c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll |
| 68ba0437b07cd40c453c606dd762f6e0 | c:\Program Files (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll |
| 5d61be7db55b026a5d61a3eed09d0ead | c:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe |
| 5050eb8b35a2ec4e17772690bb3e815c | c:\Program Files (x86)\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\0.0.0.0\googletoolbarinstaller_en_signed.exe |
| 5050eb8b35a2ec4e17772690bb3e815c | c:\Program Files (x86)\Google\Update\Install\{4B398FB8-FDA6-468E-A6BF-725792C3320C}\googletoolbarinstaller_en_signed.exe |
| 5050eb8b35a2ec4e17772690bb3e815c | c:\Program Files (x86)\Google\Update\Install\{6C712992-D2F2-41C1-8E3E-60022AFAD2B1}\googletoolbarinstaller_en_signed.exe |
| 6154f737535b3dbea39c63223d52f5b8 | c:\Program Files (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe |
| 3b8a57229f677c0caf11ed463000a6d9 | c:\Program Files (x86)\NCH Software\Express\express.exe |
| 49159400a6781fab5788101a3f889c56 | c:\Program Files (x86)\NCH Software\Express\expresssetup_v5.82.exe |
| c9d7f12d4b1567ef2b823a9f872b3c9d | c:\Program Files (x86)\NCH Software\Express\hookappcommand.dll |
| fe5850d91f9c8205d422acca377346bf | c:\Program Files (x86)\NCH Software\FastFox\fastfox.exe |
| 0ac6d8149334dd8d3b9aa91170abd2e2 | c:\Program Files (x86)\NCH Software\FastFox\fastfox64.exe |
| 0227c222caf66dcb59c3713fb249b308 | c:\Program Files (x86)\NCH Software\FastFox\fastfoxsetup_v2.32.exe |
| 705d4f8e11a8dfdcd0e726235bf85690 | c:\Program Files (x86)\NCH Software\FastFox\ffhook.dll |
| fb3b9e5688cce1eb4870f564c0152f1c | c:\Program Files (x86)\NCH Software\FastFox\ffhook64.dll |
| c9d7f12d4b1567ef2b823a9f872b3c9d | c:\Program Files (x86)\NCH Software\Scribe\hookappcommand.dll |
| d7f759c72dfbb1c8c20de009f3fcdc17 | c:\Program Files (x86)\NCH Software\Scribe\scribe.exe |
| f440fbe175ee3222a3424a9b9b2030a0 | c:\Program Files\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
GoogleUpdate.exe:1704
GoogleUpdate.exe:3660
GoogleUpdate.exe:3252
GoogleUpdate.exe:1684
GoogleUpdate.exe:280
GoogleUpdate.exe:328
GoogleUpdate.exe:3284
GoogleUpdate.exe:3296
GoogleUpdate.exe:3160
googletoolbarinstaller_en_signed.exe:2208
googletoolbarinstaller_en_signed.exe:3468
NCH_GoogleToolbar.exe:3220
NCH_GoogleToolbar.exe:2488
GoogleToolbarManager_BA9226F4C70BECC2.exe:3600
GoogleToolbarManager_BA9226F4C70BECC2.exe:3108
GoogleToolbarManager_BA9226F4C70BECC2.exe:3588
GoogleToolbarManager_BA9226F4C70BECC2.exe:3492
GoogleToolbarManager_BA9226F4C70BECC2.exe:3096
GoogleToolbarManager_BA9226F4C70BECC2.exe:1404
fastfox.exe:2132
GoogleUpdaterService_B33FC4DD36A473C6.exe:2220
GoogleUpdaterService_B33FC4DD36A473C6.exe:3536
scribe.exe:2020
scribe.exe:1004
scribe.exe:1836
edsetup.exe:2812
nchsetup.exe:336
nchsetup.exe:1372
nchsetup.exe:2512
regsvr32.exe:2320
GoogleUpdateSetup_latest.exe:3240
GoogleUpdateSetup_latest.exe:2188
GoogleUpdaterService.exe:1128
GoogleUpdaterService.exe:3568
express.exe:1732
ffsetup.exe:2652
SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:3560
SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe:304
GoogleToolbarNotifier.exe:1412
GoogleToolbarNotifier.exe:1636
%original file name%.exe:624 - Delete the original PUP file.
- Delete or disinfect the following files created/modified by the PUP:
%Program Files% (x86)\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\0.0.0.0\googletoolbarinstaller_en_signed.exe (38295 bytes)
C:\Windows\Temp\guiB682.tmp (15 bytes)
C:\Windows\Temp\gui1094.tmp (15 bytes)
%Program Files% (x86)\Google\Update\Install\{4B398FB8-FDA6-468E-A6BF-725792C3320C}\googletoolbarinstaller_en_signed.exe (38780 bytes)
%Program Files% (x86)\Google\Update\Install\{6C712992-D2F2-41C1-8E3E-60022AFAD2B1}\googletoolbarinstaller_en_signed.exe (38780 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_en.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdate.dll (835 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdate.dll (835 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_en.dll (28 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_32_52E818EF81C83A9B.exe (620 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_64_62C1B48EAF0FD125.dll (514 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_0A4439FF67F61065.dll (2 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_64_2AD99D2EA038D2F2.dll (489 bytes)
C:\Windows\System32\config\SOFTWARE (67172 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_75A7C54F0BE42E8E.dll (149 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarUser_64_4D9709C1FA1422BA.exe (801 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar.7.5.6227.252.manifest.xml (36 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_BA9226F4C70BECC2.exe (50 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleToolbar_32_3934E923EEC91A78.dll (390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller2.log (43839 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\SearchWithGoogleUpdate_6F4EEAE8D7FCDAD8.exe (50 bytes)
C:\$Directory (384 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdateSetup_5CC4B0F53D73AD88.exe (1480 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleUpdaterService_B33FC4DD36A473C6.exe (390 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (61484 bytes)
%Program Files% (x86)\Google\Google Toolbar\Component\GoogleCld_187F9D811452062B.dll (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi2BF.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleUpdateSetup_latest.exe (25250 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn9888.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GoogleToolbarInstaller1.log (1467 bytes)
C:\ProgramData\Google\Custom Buttons\toolbar.google.com_O8Y91YHB24Z6SR0SGYSK.XML (12 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelperPatch_signed.msp (125 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarHelper_signed.msi (28 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (1281 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (673 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (1425 bytes)
%Program Files% (x86)\Google\Google Toolbar\GoogleToolbarUser_64.exe (2321 bytes)
%Program Files% (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_scribe_rl_adm (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Status\s0000000.sta (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Current\Welcome.wav (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Current\Welcome.dat (832 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ffsetup.exe (268985 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\edsetup.exe (296411 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.dat (2104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.cab (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchdata.cab (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\n1s\nchsetup.exe (24321 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\licenceterms.html (3 bytes)
C:\Users\"%CurrentUserName%"\Favorites\NCH Software Download Site.lnk (260 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\shortcuts.html (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Classic FTP Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\restoredatadlg.html (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\autocompleteoptions.html (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Text-to-Speech Reader.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\_ffhook64.dll (7772 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\arrowlist.gif (455 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\fastfinishcontent.html (2 bytes)
C:\ProgramData\NCH Software\FastFox\demo.rtf (600 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\groups.html (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\quickstart.html (3 bytes)
C:\Users\Public\Desktop\FastFox.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\hotkeys.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\adminpassworddlg.html (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Backup Software.lnk (1 bytes)
C:\ProgramData\NCH Software\FastFox\shared_abbrev.dat (66548 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\help.js (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\editpicture.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\editrich.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\generaldlg.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\autocase.html (3 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\introduction.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\groupprop.html (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\editsuggestiondlg.html (995 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\backupdatadlg.html (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Express Zip File Compression.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Encryption and Decryption Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\generalsetup.html (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\index.html (3 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\autocompletesetup.html (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Doxillion Document Converter.lnk (1 bytes)
C:\Users\Public\Desktop\NCH Software.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\sharedabbreviation.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\hlp.css (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\selstoragedlg.html (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\fastfoxsetup_v2.32.exe (3361 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\using.html (196 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastFox.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\deletegroupdlg.html (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\_fastfox64.exe (12076 bytes)
%Program Files% (x86)\NCH Software\Components\NCHToolbars\google\NCH_GoogleToolbar.exe (382879 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Bolt PDF Printer.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\sysdate.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\fastfox.exe (8020 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Typing Expander Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\CD, DVD, BluRay Burner.lnk (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\editkeystroke.html (388 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\addshortcut.html (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities\Uploader Software.lnk (1 bytes)
C:\ProgramData\NCH Software\FastFox\local\abbrev.dat (66548 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\902.html (1 bytes)
%Program Files% (x86)\NCH Software\FastFox\Help\editsimple.html (2 bytes)
%Program Files% (x86)\NCH Software\FastFox\_ffhook.dll (7332 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Video Capture Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Scribe\Current\Welcome.wav (34532 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Burn CD, DVD or Blu-Ray.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Scribe\hookappcommand.dll (6988 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Zip File Compression.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\MixPad MultiTrack Mixer.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\WavePad Sound Editor.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Rip CD Ripper.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Scribe\scribe.exe (13171 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Express Scribe Transcription Software.lnk (1 bytes)
C:\Users\Public\Desktop\Express Scribe Transcription Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Dictate Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Typing Expander Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Switch Sound File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Graphics File Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\VideoPad Video Editor.lnk (1 bytes)
C:\ProgramData\NCH Software\Scribe\Current\Welcome.dat (96 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Invoicing Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Classic FTP Software.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Prism Video File Format Converter.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\RecordPad Sound Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Doxillion Document Converter.lnk (1 bytes)
C:\Users\Public\Desktop\NCH Suite.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Accounting Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Scribe\Status\Template.doc (8844 bytes)
%Program Files% (x86)\NCH Software\Scribe\scribesetup_v5.69.exe (7345 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\SoundTap Streaming Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Dictation Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Transcription Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Accounting Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Express\tone-recordstart.wav (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Burn CD, DVD or Blu-Ray.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Transcription Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\SoundTap Streaming Recorder.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Zip File Compression.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Express\express.exe (10864 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\WavePad Sound Editor.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Invoicing Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Dictation Recorder.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Express\hookappcommand.dll (6988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Switch Sound File Converter.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Rip CD Ripper.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Doxillion Document Converter.lnk (1 bytes)
C:\ProgramData\NCH Software\Express\tone-error.wav (3 bytes)
C:\ProgramData\NCH Software\Express\tone-recordstartoverwrite.wav (862 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Express Dictate Recorder.lnk (1 bytes)
C:\ProgramData\NCH Software\Express\tone-recordstop.wav (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Prism Video File Format Converter.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\RecordPad Sound Recorder.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Express Dictate Digital Dictation Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Graphics File Converter.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\VideoPad Video Editor.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Video Capture Software.lnk (1 bytes)
C:\ProgramData\NCH Software\Express\test.wav (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\MixPad MultiTrack Mixer.lnk (1 bytes)
%Program Files% (x86)\NCH Software\Express\expresssetup_v5.82.exe (4185 bytes)
C:\Users\Public\Desktop\Express Dictate Digital Dictation Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Suite\Classic FTP Software.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dictation and Transcription Programs\Typing Expander Software.lnk (1 bytes)
%Program Files%\Google\GoogleToolbarNotifier\5.10.11023.1534\swg64.dll (299 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_kn.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_sv.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_sl.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_mr.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ur.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_gu.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\psuser.dll (159 bytes)
%Program Files% (x86)\GUM30C.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_am.dll (25 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ko.dll (23 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_de.dll (31 bytes)
%Program Files% (x86)\GUM30C.tmp\psmachine.dll (159 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_th.dll (27 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_bg.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_vi.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_cs.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ar.dll (26 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ca.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_nl.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_is.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_uk.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_el.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_sr.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_lv.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_hu.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ta.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_pl.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ru.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ro.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_lt.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_te.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_fil.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_fa.dll (27 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ms.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_id.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_sw.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_hr.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_iw.dll (26 bytes)
%Program Files% (x86)\GUM30C.tmp\GoogleUpdate.exe (234 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ml.dll (31 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_tr.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_da.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_hi.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_it.dll (30 bytes)
%Program Files% (x86)\GUT30D.tmp (4 bytes)
%Program Files% (x86)\GUM30C.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_no.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_fi.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_es.dll (31 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_ja.dll (24 bytes)
%Program Files% (x86)\GUM30C.tmp\GoogleCrashHandler.exe (212 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_et.dll (28 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_sk.dll (29 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_fr.dll (30 bytes)
%Program Files% (x86)\GUM30C.tmp\goopdateres_bn.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUM98D5.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_it.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ca.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_et.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ru.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ja.dll (24 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_hi.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_pl.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_iw.dll (26 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_lv.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_id.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_nl.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_is.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ko.dll (23 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_tr.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_am.dll (25 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_hu.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_sr.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_fil.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_sw.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\GoogleUpdate.exe (234 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_el.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_lt.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_hr.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_uk.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ro.dll (29 bytes)
%Program Files% (x86)\GUT98D6.tmp (4 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_sl.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_da.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ar.dll (26 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_cs.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\psuser.dll (159 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_te.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ml.dll (31 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_kn.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_gu.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_fr.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_de.dll (31 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ur.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_fi.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_es.dll (31 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_sv.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\GoogleCrashHandler.exe (212 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_th.dll (27 bytes)
%Program Files% (x86)\GUM98D5.tmp\psmachine.dll (159 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ms.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_ta.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_vi.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_bg.dll (30 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_fa.dll (27 bytes)
%Program Files% (x86)\GUM98D5.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_sk.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_mr.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_bn.dll (28 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files% (x86)\GUM98D5.tmp\goopdateres_no.dll (29 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gtn.dll (144 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (79 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\gth.dll (40 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\swg.dll (981 bytes)
%Program Files% (x86)\Google\GoogleToolbarNotifier\5.10.11023.1534\Readme.url (212 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"FastFox" = "%Program Files% (x86)\NCH Software\FastFox\fastfox.exe -logon" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: NCH Software
Product Name: ExpressScribe
Product Version:
Legal Copyright: NCH Software
Legal Trademarks:
Original Filename:
Internal Name: Scribe
File Version: 5.69
File Description: Express Scribe Transcription Software
Comments:
Language: Language Neutral
Company Name: NCH SoftwareProduct Name: ExpressScribeProduct Version: Legal Copyright: NCH SoftwareLegal Trademarks: Original Filename: Internal Name: ScribeFile Version: 5.69 File Description: Express Scribe Transcription SoftwareComments: Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .rdata | 4096 | 2338 | 2560 | 2.76389 | a322bee8b6315dcdf55664104eb8aed4 |
| .data | 8192 | 1596 | 2048 | 3.48789 | cc10a049565dcd8a13f7ded9f6d7749b |
| .rsrc | 12288 | 925152 | 925184 | 5.54423 | 6eb1b0b97765e7dbf38b8e9c13da15b0 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://audiochannel.net/components/edsetup.exe | 66.39.83.117 |
| hxxp://audiochannel.net/components/ffsetup.exe | 66.39.83.117 |
| hxxp://audiochannel.net/versions/components/tb_google_row.dat | 66.39.83.117 |
| hxxp://audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe | 66.39.83.117 |
| hxxp://dl.l.google.com/dl/toolbar/t7/data/7.5.6227.252/googletoolbarinstaller_en_signed.exe | |
| hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8375aa7c3aaffcf1 | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40= | |
| hxxp://google.com/tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=6fcd4572f44047df87447927667a9779eb587e9442&from=&to=5.10.11023.1534 | 216.58.209.174 |
| hxxp://google.com/tools/pso/ping?as=tbin&gu=pi&mode=3&sin=1&ein=0&version=7.5.6227.252&brand=NCHD&hl=en&tbiv=7.5.6227.252&time=1432028303&fitime=1432028303&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=6BA3A3DD8C86609F54CC8AB84959F665663D1aFIBM | 216.58.209.174 |
| hxxp://google.com/tools/pso/ping?as=tbin&gu=pi&mode=3&sin=2&ein=0&version=7.5.6227.252&brand=NCHD&hl=en&tbiv=7.5.6227.252&time=1432028309&fitime=1432028303&verold=7.5.6227.252&brandold=NCHD&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=6BA3A3DD8C86609F54CC8AB84959F665663D1aFIBM | 216.58.209.174 |
| hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4b69c6918b9372a6 | |
| hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl | |
| hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
| hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= | |
| hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= | |
| hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4= | 23.43.139.27 |
| hxxp://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU= | 23.43.139.27 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | 23.43.139.27 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= | 23.43.139.27 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= | 23.43.139.27 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= | 23.43.139.27 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= | 23.43.139.27 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | 23.43.139.27 |
| hxxp://clients1.google.com/tools/pso/ping?as=tbin&gu=pi&mode=3&sin=2&ein=0&version=7.5.6227.252&brand=NCHD&hl=en&tbiv=7.5.6227.252&time=1432028309&fitime=1432028303&verold=7.5.6227.252&brandold=NCHD&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=6BA3A3DD8C86609F54CC8AB84959F665663D1aFIBM | 216.58.209.174 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | 23.43.139.27 |
| hxxp://www.audiochannel.net/versions/components/tb_google_row.dat | 66.39.83.117 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= | 23.43.139.27 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40= | 23.43.139.27 |
| hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 87.245.221.113 |
| hxxp://clients1.google.com/tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=6fcd4572f44047df87447927667a9779eb587e9442&from=&to=5.10.11023.1534 | 216.58.209.174 |
| hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 87.245.221.113 |
| hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4b69c6918b9372a6 | 87.245.221.90 |
| hxxp://dl.google.com/dl/toolbar/t7/data/7.5.6227.252/googletoolbarinstaller_en_signed.exe | 216.58.211.14 |
| hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | 87.245.221.113 |
| hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8375aa7c3aaffcf1 | 87.245.221.90 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | 23.43.139.27 |
| hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | 87.245.221.113 |
| hxxp://clients1.google.com/tools/pso/ping?as=tbin&gu=pi&mode=3&sin=1&ein=0&version=7.5.6227.252&brand=NCHD&hl=en&tbiv=7.5.6227.252&time=1432028303&fitime=1432028303&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=6BA3A3DD8C86609F54CC8AB84959F665663D1aFIBM | 216.58.209.174 |
| hxxp://www.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe | 66.39.83.117 |
| tools.google.com | 173.194.44.39 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS+zcBkvzl4= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1503
content-transfer-encoding: binary
Cache-Control: max-age=343207, public, no-transform, must-revalidate
Last-Modified: Sat, 16 May 2015 09:00:21 GMT
Expires: Sat, 23 May 2015 09:00:21 GMT
Date: Tue, 19 May 2015 09:41:53 GMT
Connection: keep-alive
0..........0..... .....0......0...0......&Km...."....}....,.c..20150516090021Z0s0q0I0... ........0..k....&..p..^.X.....{[E....z.1..j..F.WHP..G.Mxs..../.p./.^....20150516090021Z....20150523090021Z0...*.H...............Y..W..n.W5\.BO(f.X..Us2..g.8;..'k.-W..3l...._3.L]....>....>..*..a_^.........d..;._...@..F{e?.2.....dh)6....#..H...P."...E.l.fe.}.@.G.....sHX.[E.kv.].).$^...:....c8.3...)....r...Z.a..........4$*.wq...`zA]..Z9...`.[.....ss1..* H..!.a@.M..y.7.~....=...p...2....0...0...0............I...*....^n...0...*.H........0..1.0...U....US1.0...U....thawte, Inc.1(0&..U....Certification Services Division1806..U.../(c) 2006 thawte, Inc. - For authorized use only1.0...U....thawte Primary Root CA0...141202000000Z..151216235959Z0_1.0...U....US1.0...U....thawte, Inc.1907..U...0thawte Primary Root OCSP Responder Certificate 30.."0...*.H.............0.........x...F83..,.D.,2D.;JGc.|_.k.....B.7.....G}.M.s.....S.i.Uu.h.Aq..v...4:l..U.......T7l...~vl...r....{*..........V.o..8|.B..^.a.. ...z....x..s...\[Y....<....'> ..YC..7.zVk.$...o3..kao]c...>C./bPX.......I..Oc.....NN......g.....,/..]......qN.....V!<.3.)...y#.........i0g0...U.%..0... .......0... .....0......0...U.......0.0...U...........0!..U....0...0.1.0...U....TGV-B-2770...*.H................lt..\..z. ..N.f.!.S5d?J.&....r...D........L.`.s.p...HC.L.8f... .........GA7......P..Z.%.../............z.n.6~I...].).....W...W\|.uya..:...^...hW..7.Z.uc.'....:.xL...HS.....>.........5......%....3S....h........U....o.C.\.t.....G.._.C0(l.E9..6UTxg.gF ..;.....
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9+WQCtWAQU1A1lP3q9NMb+R+dMDcC98t4Vq3ECEGpWCCD6PprY5UEXNLHUCtU= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.thawte.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1396
content-transfer-encoding: binary
Cache-Control: max-age=587316, public, no-transform, must-revalidate
Last-Modified: Tue, 19 May 2015 04:50:05 GMT
Expires: Tue, 26 May 2015 04:50:05 GMT
Date: Tue, 19 May 2015 09:41:53 GMT
Connection: keep-alive
0..p......i0..e.. .....0.....V0..R0......Qw.}`.Z8...JV...r@z...20150519045005Z0s0q0I0... ........l....r.vdv0..*.~Y..X....e?z.4..G.L.......q..jV. .>...A.4........20150519045005Z....20150526045005Z0...*.H..............m...I....'H8....|....9j...........-S.........?8..a~W.(...b..7...j..5..........I.T.H..{-..y.&..6.`.%t..:!T.....X...mW..j.....6....i....D.@/..}M.R%U.0...0.......^.R...M..F.n/..b.{.:.g<f...i.;..M.b......P.U.-....(....NI.2......M.q..F.P.T....6.|......&.a.Z-.H....0...0...0..y.......^..........N...)0...*.H........0J1.0...U....US1.0...U....Thawte, Inc.1$0"..U....Thawte Code Signing CA - G20...150303000000Z..150601235959Z0Y1.0...U....US1.0...U....Thawte, Inc.1301..U...*Thawte Code Signing CA - G2 OCSP Responder0.."0...*.H.............0............).Z.......O.~.l...,\.3.".'.'W .ih./..}OA...K...HJd....K^..<.....-.rWJ.j.U.._......W.../.6....J.y.u-.\...2..U.52B.>...=F...RbR.y.zm.......{b.bj....Y..J..m...*=.^......V.}p......rmA......9.L ...{?.g.-Y............8...k.$.:.5..6#4..F.#....t.B.8.O)'F.p).........d0b0...U....0.0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32450...*.H..............C.....8.Aw.{....`...y1N...W4M..M.J.3~..7#}..X..:x..5....$...Z^%.?6..e...}I.)....... .A.w......_...B..j.T..Yu.o.....g....H....q.Ju.SA`K.....~..O_.....S....I>..O.X..E.......]...y..L..F....K......../...._XSk6.:a};.?`...:^.....p....4Z.3L;.......t....>.....j....
<<< skipped >>>
GET /components/edsetup.exe HTTP/1.0
Host: audiochannel.net
HTTP/1.1 200 OK
Date: Tue, 19 May 2015 09:37:43 GMT
Server: Apache/2.2.29
Last-Modified: Thu, 23 Oct 2014 21:37:01 GMT
ETag: "94860-5061ddd597940"
Accept-Ranges: bytes
Content-Length: 608352
Connection: close
Content-Type: application/octet-stream
X-Pad: avoid browser bug
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I.. ...s...s...s...s...s...s-..s*7.s...s*7.s...s*7.s...sRich...s........................PE..L...3..R.............................!............@..........................P..................................................x....0...............2..`............................................................................................rdata.."...........................@..@.data...<.... ......................@....rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v...`...v...................................,...B...P...f...........................F...:.......................bad allocation..kernel32.dll....VerifyVersionInfoA..W.i.n.d.o.w.s. .9.8./.M.E. .S.u.p.p.o.r.t...T.h.i.s. .v.e.r.s.i.o.n. .o.f. .t.h.e. .a.p.p.l.i.c.a.t.i.o.n. .r.e.q.u.i.r.e.s. .W.i.n.d.o.w.s. .X.P./.2.0.0.3. .o.r. .l.a.t.e.r.......D.o. .y.o.u. .w.a.n.t. .t.o. .g.o. .t.h.e. .w.e.b.s.i.t.e. .a.n.d. .d.o.w.n.l.o.a.d. .t.h.e. .W.i.n.d.o.w.s. .9.8./.M.E. .v.e
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1724
content-transfer-encoding: binary
Cache-Control: max-age=597481, public, no-transform, must-revalidate
Last-Modified: Tue, 19 May 2015 07:39:49 GMT
Expires: Tue, 26 May 2015 07:39:49 GMT
Date: Tue, 19 May 2015 09:41:48 GMT
Connection: keep-alive
0..........0..... .....0......0...0......s]c...{6SFe..z.%......20150519073949Z0s0q0I0... ...................F....0.yV......{&.K......&.......c.. ..T.............20150519073949Z....20150526073949Z0...*.H...............v.....8...;.o.4.?(3[.....).;....t.W...N\.. ..<S[.|^=.^...N.W.^7..3d..[.XaJ...J.\$X...\.t.x.........5.Z(..jWL...............p....<....d9...I2C...<zm......A.........L....R..l..`...^..Y.\.....*J...}&be......X.e$..:.s..Vx.....o..A.Hh..p\..N Ve...`.{9......W....0...0...0..........KA.w.aD*.2"6..Em0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...150519000000Z..150817235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.........w.n...}.{...{....G....;.X.e...A.....Z.6bmZ..A#.1.E........HHlY.9H..t......X.`b|(}Z......8:...T.%...nl.(.........). H=p.5...7.....0...&M...)9-.......\C..MD.W.L....gtl..p.....7...5...]......T2~.=P.i..4..1.............U"W...8.U..g.0..y....g.q.......0....nw.{.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-C-5800...*.H..............2.........P ..$.y..=|G(T...I...s3.b.D .KwD...!T..o.X...%.
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=554911, public, no-transform, must-revalidate
Last-Modified: Mon, 18 May 2015 19:50:23 GMT
Expires: Mon, 25 May 2015 19:50:23 GMT
Date: Tue, 19 May 2015 09:41:52 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150518195023Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20150518195023Z....20150525195023Z0...*.H..............MI......._.3}...$.f?....]..._j..a.....H...E.H..A....}..o.w.C6...0.)j.._..N...7.....0s..j.V.{B.6....O..4...n..p..;}a?.lh.....t.w.Uph.....i`....U\.sQ.P..5..S.DNt\./W.....T..]r.O.".Lp....4....qO.J..G._..> ...R..... ...[y..02..|.......R..>....bl....".Ov.S@......#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H
<<< skipped >>>
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT
Accept-Ranges: bytes
ETag: "2711f7277076d01:0"
Server: Microsoft-IIS/8.5
VTag: 279782516600000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Tue, 19 May 2015 09:41:52 GMT
Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..150413163223Z..150713045223Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Z0... .....7......150712164223Z0...*.H.............WK....e.\.-.n......./......."]..E!.. //=...[....w... ..........#...[.l.J..f|..... .s......w...J._.......3.[..#.z....ko.I..Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x......W............j....&L. 2.$.?...X?.#.(.....pK.v.......y..r....t......=.AW......K.G.gJD.b...
GET /versions/components/tb_google_row.dat HTTP/1.0
Host: VVV.audiochannel.net
HTTP/1.1 404 Not Found
Date: Tue, 19 May 2015 09:38:24 GMT
Server: Apache/2.2.29
Content-Length: 235
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /versions/components/tb_google_row.dat was not found on this server.</p>.</body></html>...
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8375aa7c3aaffcf1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT
If-None-Match: "804047d4e66d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT
ETag: "804047d4e66d01:0"
Cache-Control: max-age=86400
Date: Tue, 19 May 2015 09:38:11 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT..ETag: "804047d4e66d01:0"..Cache-Control: max-age=86400..Date: Tue, 19 May 2015 09:38:11 GMT..Connection: keep-alive..
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT
If-None-Match: "a1132b8ef65d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT
ETag: "a1132b8ef65d01:0"
Cache-Control: max-age=808
Date: Tue, 19 May 2015 09:41:43 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT..ETag: "a1132b8ef65d01:0"..Cache-Control: max-age=808..Date: Tue, 19 May 2015 09:41:43 GMT..Connection: keep-alive..
GET /tools/swg2/update?type=c&as=swg&os=win&osv=6.1.7601&hl=en&ie=10.0.9200.16521&ds=0&pds=0&su=0&hpi=-1&brand=NCHD&pa=9&cl=1&tbv=&id=6fcd4572f44047df87447927667a9779eb587e9442&from=&to=5.10.11023.1534 HTTP/1.1
Accept: */*
User-Agent: SearchWithGoogle
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: text/plain
Transfer-Encoding: chunked
Date: Tue, 19 May 2015 09:38:23 GMT
Expires: Tue, 19 May 2015 09:38:23 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic,p=1
16..rlz: 1R______enUA641..0..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=559424, public, no-transform, must-revalidate
Last-Modified: Mon, 18 May 2015 21:05:30 GMT
Expires: Mon, 25 May 2015 21:05:30 GMT
Date: Tue, 19 May 2015 09:41:47 GMT
Connection: keep-alive
0..........0..... .....0......0...0......N$p...v....1.;..vn....20150518210530Z0s0q0I0... ...................F....0.yV......{&.K......&..........'pB.....@j.......20150518210530Z....20150525210530Z0...*.H................^.M...a..b....0....}......Q.^..E.#s5'mX...Mj.X$1,....k...v\.....9....k.L":d.l..%.0......-..JGH.c&TCn.MD..K..w.9..a....=.3;E...a...../.l.R.....b.1..^x.-...5..1...w%By.s...N4...u2>.ai Z..X...%..........S.7.._...$[.^.....'LTY.M....R..cO.A...m.;k.....;.........0...0...0............F...I]A(M..s@.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.........q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e../jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H..............-..^.........f.P`...s.....8.....V.......... .... B.(@-)6.Rf.
<<< skipped >>>
GET /components/ffsetup.exe HTTP/1.0
Host: audiochannel.net
HTTP/1.1 200 OK
Date: Tue, 19 May 2015 09:37:46 GMT
Server: Apache/2.2.29
Last-Modified: Tue, 21 Jan 2014 19:35:24 GMT
ETag: "85618-4f0801c0df700"
Accept-Ranges: bytes
Content-Length: 546328
Connection: close
Content-Type: application/octet-stream
X-Pad: avoid browser bug
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I.. ...s...s...s...s...s...s-..s*7.s...s*7.s...s*7.s...sRich...s........................PE..L...3..R.....................<.......!............@..........................`....... ..........................................x....0..t(...........@...............................................................................................rdata.."...........................@..@.data...<.... ......................@....rsrc...t(...0...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v...`...v...................................,...B...P...f...........................F...:.......................bad allocation..kernel32.dll....VerifyVersionInfoA..W.i.n.d.o.w.s. .9.8./.M.E. .S.u.p.p.o.r.t...T.h.i.s. .v.e.r.s.i.o.n. .o.f. .t.h.e. .a.p.p.l.i.c.a.t.i.o.n. .r.e.q.u.i.r.e.s. .W.i.n.d.o.w.s. .X.P./.2.0.0.3. .o.r. .l.a.t.e.r.......D.o. .y.o.u. .w.a.n.t. .t.o. .g.o. .t.h.e. .w.e.b.s.i.t.e. .a.n.d. .d.o.w.n.l.o.a.d. .t.h.e. .W.i.n.d.o.w.s. .9.8./.M.E. .
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=545742, public, no-transform, must-revalidate
Last-Modified: Mon, 18 May 2015 17:15:12 GMT
Expires: Mon, 25 May 2015 17:15:12 GMT
Date: Tue, 19 May 2015 09:42:02 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150518171512Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5..........^.3@..cL.1.......20150518171512Z....20150525171512Z0...*.H............."...S...P......,;...X..d]..1Do......c...i.{g..'...K...1...5.E.6.I.F.. .......2...-Dy2"..PPF.n....A"6:A4>..G.,.ei...'.......2Jt^.....1CP...F..@......:6.q...U '...hJ..W_\.J.Z..= ..i......l_S...a......p..e..]....B......v .M.x.S..1S..P%...........w.....w..sp;....#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H...
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1552
content-transfer-encoding: binary
Cache-Control: max-age=573171, public, no-transform, must-revalidate
Last-Modified: Tue, 19 May 2015 00:50:21 GMT
Expires: Tue, 26 May 2015 00:50:21 GMT
Date: Tue, 19 May 2015 09:42:02 GMT
Connection: keep-alive
0..........0..... .....0......0...0........C...4N...@..6...v...20150519005021Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.8........c..uU..$.;.....20150519005021Z....20150526005021Z0...*.H.............X..~.$.T..w......6..!O.Y....N.{*.`.......S.u..{....$Q.fO.).. ...1z..A..::O..?.g......d*.Z......l..uq...nx....(..n.}d6 .........?_..X.T.....1..Y&.....n.. ..?..%gE.6.3.C.*[r..0C...._.y...../..c.m.J.....T....99Jkc.a.n}%.....4..W....t1...O.....i..S_V..z.hV.2.u...50..10..-0..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certificate 30.."0...*.H.............0..........6..]......w';.r........I..c..4.... .........TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....e.^-..a.....i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<./.G.....I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I...B.....=...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i..Z.r.*$..(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.....f...3I..
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=563875, public, no-transform, must-revalidate
Last-Modified: Mon, 18 May 2015 22:15:43 GMT
Expires: Mon, 25 May 2015 22:15:43 GMT
Date: Tue, 19 May 2015 09:42:02 GMT
Connection: keep-alive
0..........0..... .....0......0...0......%bn.$..5.......?'4....20150518221543Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1..#....M....=....x..":...K.....20150518221543Z....20150525221543Z0...*.H.............i.`._..84...".FlP.T.LzX../f.....&..f...X.>.Ig.N4*....d......=....|q. p....J...m[.V.Kz....2.c.Zj\.s...^}...............'H.7i.u.nD..J.....Jw.yI....vGi......_........o*z..Z....cH[...w.8.....K.}.1..=|.(.l.e.CC77..l.kR.....?.x...>...o3d.....JQ.tS3v....<...3f.\.....0...0...0..........7.R.~|..r."....#0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA0...150401000000Z..150630235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2009 OCSP Responder0.."0...*.H.............0..........z..|..>.....5.Z ...2.C MWIH.5......M.\.... ...eW..`.B=..`:..R. ...Z.k.Y.....p@.(3.c....a.;..[E....J:'...`...B....M..&......{. (........%......^[v[....m....*.T.o&4..3.....3.........G...e)...'?.K..2s..8=?..z.:..T..-.8R..8wv7*U.K..c...<s...]{.........6.?_...........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........https://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-34920...*.H.............,..-......q3a........z....t;B.z.h...]...#}.6.,
<<< skipped >>>
GET /components/toolbars/NCH_GoogleToolbar.exe HTTP/1.0
Host: VVV.audiochannel.net
HTTP/1.1 200 OK
Date: Tue, 19 May 2015 09:37:55 GMT
Server: Apache
Last-Modified: Mon, 07 Apr 2014 23:51:36 GMT
Accept-Ranges: bytes
Content-Length: 782288
Connection: close
Content-Type: application/x-msdownload
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7........................PE..L...?..I.................h...@...B...4............@.................................z................................................................................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata...................................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u...|.@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.2G.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?4b69c6918b9372a6 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT
If-None-Match: "80b4d90ca4fd01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT
ETag: "80b4d90ca4fd01:0"
Cache-Control: max-age=604800
Date: Tue, 19 May 2015 09:38:52 GMT
Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT..ETag: "80b4d90ca4fd01:0"..Cache-Control: max-age=604800..Date: Tue, 19 May 2015 09:38:52 GMT..Connection: keep-alive..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=574824, public, no-transform, must-revalidate
Last-Modified: Tue, 19 May 2015 01:20:15 GMT
Expires: Tue, 26 May 2015 01:20:15 GMT
Date: Tue, 19 May 2015 09:41:46 GMT
Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20150519012015Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20150519012015Z....20150526012015Z0...*.H.............U.[.....lB..h2..\"........]......(wA..H..M4,`.o..Pz.L..h..$c ...l.....EO&3.?.{O.Dw..5v.x...A..C..=f*!.P..#..cM.....y.%..... o|...).q.b.....Y3....D..U...pr7..p.p.y..R.|Z......W......U....^D.WW...B...N......l...{.).g...sS...4>~<.IB.c....t1.(...P.J.:...).G.b.....0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,t>....
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=364386, public, no-transform, must-revalidate
Last-Modified: Sat, 16 May 2015 14:50:04 GMT
Expires: Sat, 23 May 2015 14:50:04 GMT
Date: Tue, 19 May 2015 09:41:46 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150516145004Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20150516145004Z....20150523145004Z0...*.H.................T.....j....../.....i....A.......\.<2.Lg.....kBq......\..."}.HO6..%M..k....g.#..U......I..T"...~..%s.&).i...._.!.K.0W....n....V..&.....m.G.......l|....p...l7.`..0............n......-4X..K..^.uN....U.X.:3...e..H-..K..Y9.Q.)p]......H='jn............n.).l....#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H...
<<< skipped >>>
HEAD /dl/toolbar/t7/data/7.5.6227.252/googletoolbarinstaller_en_signed.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: dl.google.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 5059928
Content-Type: application/x-msdos-program
Etag: "506e4"
Expires: Wed, 20 May 2015 02:38:03 PDT
Last-Modified: Fri, 27 Feb 2015 23:15:00 GMT
Server: downloads
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Tue, 19 May 2015 09:38:03 GMT
Alternate-Protocol: 80:quic,p=1
....
GET /dl/toolbar/t7/data/7.5.6227.252/googletoolbarinstaller_en_signed.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Fri, 27 Feb 2015 23:15:00 GMT
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: dl.google.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 5059928
Content-Type: application/x-msdos-program
Etag: "506e4"
Expires: Wed, 20 May 2015 02:38:03 PDT
Last-Modified: Fri, 27 Feb 2015 23:15:00 GMT
Server: downloads
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Tue, 19 May 2015 09:38:03 GMT
Alternate-Protocol: 80:quic,p=1
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R.&.3eu.3eu.3eu...u.3eu...u:3eu...u.3eu.3du.2eu...u.3eu...u.3eu.3eu.3eu...u.3euRich.3eu........................PE..L...r..T.................z...8......9u............@..........................P........M...@.................................| ..H....p................M.X....@.......................................................................................text....`.......FL.....PEC2*O......`....rsrc........p.......JL............. ....reloc.......@........M.............@...................................................................................................................................................................................................................................................................................................................................................................................................................................7...l....7........{...@.k.i..Y.. ....O}...X..Q>!L........f.l.Hs..s...5.*.O..{0=L...L..j2}.\b.....s?P.........n......}M...^.......7..........5..).SF.f6..:.#.0...@|y.a-h......5>b......Jb6......u?l.q..Iu..fI$M.ex..A..5.3.)......k..u..~....y...U:..[.B..cHD.X...Yn...c............@..........2.F....q.."%.'..E.........).t.............{%...m.n............y.}.s.......a(...".....9.f...#."..l/....M..aA.3M.....B.k'.......]..z..w.8.B..2..S.z..l_....7=..3I[.l(.V.I.......!.K."c...`..5.7......w. .........3A...`.~.....
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=364533, public, no-transform, must-revalidate
Last-Modified: Sat, 16 May 2015 14:50:06 GMT
Expires: Sat, 23 May 2015 14:50:06 GMT
Date: Tue, 19 May 2015 09:38:16 GMT
Connection: keep-alive
0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..20150516145006Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...313..R...%V.......K3.....20150516145006Z....20150523145006Z0...*.H......................v q....?.J.........o.....Q_.?6....t:....2..g.....7.=./...a...cr*N*.mE...R(6N...W......`FS.M..Z.Du.....Zr........(>......W.N...Aa..;..Xe=.`h....!D..............:dx......[...........D#".....2..&...`.]n.!.`.]......=Q.........w....L.Fl.?....(5=...j.Y.....0...0...0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificate 30.."0...*.H.............0...............2&..PL...,..2....:..tH...`JG.%..*...s.c%...?t..J..0.q....~..k@X.l.i....0..kk..h.9"1.5?..s.....3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$"..$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#...5.N.
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CECkSxwyaK4o+9vYHRmLWi40= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=469128, public, no-transform, must-revalidate
Last-Modified: Sun, 17 May 2015 19:55:28 GMT
Expires: Sun, 24 May 2015 19:55:28 GMT
Date: Tue, 19 May 2015 09:38:21 GMT
Connection: keep-alive
0..........0..... .....0......0...0......N$p...v....1.;..vn....20150517195528Z0s0q0I0... ...................F....0.yV......{&.K......&.......).... .>...Fb.......20150517195528Z....20150524195528Z0...*.H.............V!.HE...\.bq..y.@....2i}..`G\...T.{.'..NQ<1....-.-x.}It....0.....G.. .(Q.....I.?.....a.....f..?..\...o._M..@..0..7.`m..>./..!.Y...6..7v...QI9.k............]..4|.*..}G.....1._> ...H[...H..H...N..s)W.{zt.c..2..wR.1W.R.o.>M;.y..pK.h.-9;W.......~..........{.......0...0...0............F...I]A(M..s@.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.........q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e../jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H..............-..^.........f.P`...s.....8.....V.......... ....
<<< skipped >>>
GET /tools/pso/ping?as=tbin&gu=pi&mode=3&sin=1&ein=0&version=7.5.6227.252&brand=NCHD&hl=en&tbiv=7.5.6227.252&time=1432028303&fitime=1432028303&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=6BA3A3DD8C86609F54CC8AB84959F665663D1aFIBM HTTP/1.1
User-Agent: Google Toolbar installer
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2
Date: Tue, 19 May 2015 09:38:23 GMT
Expires: Tue, 19 May 2015 09:38:23 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic,p=1
ok..
GET /versions/components/tb_google_row.dat HTTP/1.0
Host: VVV.audiochannel.net
HTTP/1.1 404 Not Found
Date: Tue, 19 May 2015 09:37:54 GMT
Server: Apache
Content-Length: 236
Connection: close
Content-Type: text/html; charset=iso-8859-1
<html><head><title>Error 404 - Not Found</title><head><body><h1>Error 404 - Not Found</h1><p>The document you are looking for may have been removed or re-named. Please contact the web site owner for further assistance.</p></body></html>..
GET /tools/pso/ping?as=tbin&gu=pi&mode=3&sin=2&ein=0&version=7.5.6227.252&brand=NCHD&hl=en&tbiv=7.5.6227.252&time=1432028309&fitime=1432028303&verold=7.5.6227.252&brandold=NCHD&browser=9.10.9200.16521&osver=6.1&ossp=1.0&osarch=64&ext=EXE&id=6BA3A3DD8C86609F54CC8AB84959F665663D1aFIBM HTTP/1.1
User-Agent: Google Toolbar installer
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 2
Date: Tue, 19 May 2015 09:38:29 GMT
Expires: Tue, 19 May 2015 09:38:29 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic,p=1
ok..
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT
Accept-Ranges: bytes
ETag: "dde36a309c58d01:0"
Server: Microsoft-IIS/8.0
VTag: 43879645100000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Tue, 19 May 2015 09:41:12 GMT
Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows Verification PCA..150306223202Z..150605105201Z._0]0...U.#..0.......p............<.J0... .....7.......0...U......40... .....7......150604224201Z0...*.H.............4......n[.t........'....Dx.P3R.!3.|D.6vL.."k..9'....L..k......e.4......._..N..TJ......N.fP...H.....8...TJA...fGA.e...^"{../...H?..E.Y.U....h..0/.......d...6..K..V?QM...{..h.....{.3...v.....\~.7n..5..'..k.Ia.YL..LP.b....._7.V..%......z*$q..Y..f.b..L8<~..v.w....
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT
Accept-Ranges: bytes
ETag: "cf2633d6957d01:0"
Server: Microsoft-IIS/8.5
VTag: 79131127200000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Tue, 19 May 2015 09:41:12 GMT
Connection: keep-alive
0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-Stamp PCA..150304221607Z..150603103607Z._0]0...U.#..0...#4..RFp..@.v.. ..5..0... .....7.......0...U......20... .....7......150602222607Z0...*.H.............Y..}y`....T.Z..`B<..I.N..O... E:....7......a..).........._|W5laoqi(..>t~.."...&`.._.7J...:..{bO_Kyi...R...!...B.s..I.c&j...(I\.S{._;@B...[i.e.[."...R` \...........M^k.=q[.V...9y..G.1o#k3<.W.......H.$>}...U...2qyd2|b.fB.....r....H.P...;....Q...b......5%.P.#..
Map
The PUP connects to the servers at the folowing location(s):
Strings from Dumps
scribe.exe_1836:
.rdata
.rdata
@.data
@.data
.rsrc
.rsrc
mscoree.dll
mscoree.dll
Please contact the application's support team for more information.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
.mixcrt
.mixcrt
KERNEL32.DLL
KERNEL32.DLL
GetProcessWindowStation
GetProcessWindowStation
USER32.DLL
USER32.DLL
operator
operator
CWD %s
CWD %s
DELE %s
DELE %s
RNFR %s
RNFR %s
RNTO %s
RNTO %s
UxTheme.dll
UxTheme.dll
dwmapi.dll
dwmapi.dll
software=Scribe&version=5.69&report=UINSTALL&text=%s-%s&language=en&platform=Win&extra1=%d%s
software=Scribe&version=5.69&report=UINSTALL&text=%s-%s&language=en&platform=Win&extra1=%d%s
hXXp://%s/components/%s
hXXp://%s/components/%s
user32.dll
user32.dll
hXXp://VVV.audiochannel.net/versions/components/%s.txt
hXXp://VVV.audiochannel.net/versions/components/%s.txt
%s%d%d%d
%s%d%d%d
kernel32.dll
kernel32.dll
hXXp://cgi.nch.com.au/cgi-bin/regcheck.exe?cmd=v&id=%d&magic=%d&magicb=%d
hXXp://cgi.nch.com.au/cgi-bin/regcheck.exe?cmd=v&id=%d&magic=%d&magicb=%d
tb_%s_us.dat
tb_%s_us.dat
tb_%s_uk.dat
tb_%s_uk.dat
tb_%s_row.dat
tb_%s_row.dat
hXXp://VVV.audiochannel.net/versions/components/%s
hXXp://VVV.audiochannel.net/versions/components/%s
hXXp://VVV.audiochannel.net/components/toolbars/NCH_Chrome.exe
hXXp://VVV.audiochannel.net/components/toolbars/NCH_Chrome.exe
hXXp://VVV.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe
hXXp://VVV.audiochannel.net/components/toolbars/NCH_GoogleToolbar.exe
hXXp://VVV.audiochannel.net/versions/scribe.txt
hXXp://VVV.audiochannel.net/versions/scribe.txt
comctl32.dll
comctl32.dll
TaskDialogIndirect
TaskDialogIndirect
software=Scribe&version=5.69&report=COMMENT&text=COMMENT-%s&language=en&platform=Win
software=Scribe&version=5.69&report=COMMENT&text=COMMENT-%s&language=en&platform=Win
%s%s%s
%s%s%s
MAPI32.DLL
MAPI32.DLL
SMTP:%s
SMTP:%s
%s, %.2d %s 20%.2d %.2d:%.2d:%.2d %s%.2d%.2d
%s, %.2d %s 20%.2d %.2d:%.2d:%.2d %s%.2d%.2d
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
X-Mailer: Scribe VVV.nch.com.au/software
X-Mailer: Scribe VVV.nch.com.au/software
gc0p4Jq0M2Yt08jU534c%d
gc0p4Jq0M2Yt08jU534c%d
Content-Type: multipart/mixed; boundary=%s
Content-Type: multipart/mixed; boundary=%s
Content-Type: %s; name="%s"
Content-Type: %s; name="%s"
Content-Disposition: attachment; filename="%s"
Content-Disposition: attachment; filename="%s"
--%s--
--%s--
AUTH LOGIN
AUTH LOGIN
MKD %s
MKD %s
RMD %s
RMD %s
USER %s
USER %s
PASS %s
PASS %s
RETR %s
RETR %s
%s %s
%s %s
STOR %s
STOR %s
MFMT dddddd %s
MFMT dddddd %s
MDTM %s
MDTM %s
MLST %s
MLST %s
MLSD %s
MLSD %s
Windows_NT
Windows_NT
LIST %s
LIST %s
LIST %s*
LIST %s*
SIZE %s
SIZE %s
folder %s
folder %s
http=
http=
%s/%s
%s/%s
POST %s HTTP/1.0
POST %s HTTP/1.0
Host: %s
Host: %s
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
Content-Length: %d
HTTP/1.
HTTP/1.
google.com
google.com
yahoo.com
yahoo.com
C:\SourceCode\llib\include\../net/ssl.cpp
C:\SourceCode\llib\include\../net/ssl.cpp
GET %s HTTP/1.0
GET %s HTTP/1.0
CONNECT %s:%d HTTP/1.0
CONNECT %s:%d HTTP/1.0
GET %s%s%s HTTP/1.0
GET %s%s%s HTTP/1.0
User-Agent: %s
User-Agent: %s
webm
webm
%d %d
%d %d
?#%X.y
?#%X.y
PeekNamedPipe
PeekNamedPipe
GetProcessHeap
GetProcessHeap
CreatePipe
CreatePipe
KERNEL32.dll
KERNEL32.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyW
RegEnumKeyW
RegDeleteKeyW
RegDeleteKeyW
RegOpenKeyW
RegOpenKeyW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegCreateKeyExW
RegCreateKeyExW
CryptDeriveKey
CryptDeriveKey
RegSetKeySecurity
RegSetKeySecurity
RegEnumKeyExW
RegEnumKeyExW
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
comdlg32.dll
comdlg32.dll
SetViewportExtEx
SetViewportExtEx
GetViewportExtEx
GetViewportExtEx
GDI32.dll
GDI32.dll
acmDriverClose
acmDriverClose
acmDriverEnum
acmDriverEnum
acmDriverOpen
acmDriverOpen
acmDriverDetailsW
acmDriverDetailsW
MSACM32.dll
MSACM32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
ShellExecuteW
ShellExecuteW
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
SHDeleteKeyW
SHDeleteKeyW
SHDeleteEmptyKeyW
SHDeleteEmptyKeyW
SHLWAPI.dll
SHLWAPI.dll
GetKeyState
GetKeyState
GetAsyncKeyState
GetAsyncKeyState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
CreateDialogIndirectParamW
CreateDialogIndirectParamW
UnregisterHotKey
UnregisterHotKey
SetWindowsHookExW
SetWindowsHookExW
GetKeyNameTextW
GetKeyNameTextW
MapVirtualKeyW
MapVirtualKeyW
RegisterHotKey
RegisterHotKey
UnhookWindowsHookEx
UnhookWindowsHookEx
USER32.dll
USER32.dll
WINMM.dll
WINMM.dll
WS2_32.dll
WS2_32.dll
NETAPI32.dll
NETAPI32.dll
MSIMG32.dll
MSIMG32.dll
iphlpapi.dll
iphlpapi.dll
WININET.dll
WININET.dll
DNSAPI.dll
DNSAPI.dll
GdiplusShutdown
GdiplusShutdown
gdiplus.dll
gdiplus.dll
GetCPInfo
GetCPInfo
GetConsoleOutputCP
GetConsoleOutputCP
zcÃ
zcÃ
SSShB
SSShB
SSSSSSShl
SSSSSSShl
SSSSSSShx5@
SSSSSSShx5@
u.SSW
u.SSW
z
z
PVVj.Vf
PVVj.Vf
D$`PWWj.Wf
D$`PWWj.Wf
PSShD
PSShD
PSSSSSSh
PSSSSSSh
SSShlcB
SSShlcB
SShx5@
SShx5@
}rSSh7
}rSSh7
ttSSh
ttSSh
C%uuQ
C%uuQ
!t.Ht
!t.Ht
Ht.Ht
Ht.Ht
PWSSh0
PWSSh0
.snduG
.snduG
t8Ht.Ht$Ht
t8Ht.Ht$Ht
PVSShl`C
PVSShl`C
%Program Files% (x86)\NCH Software\Scribe\scribe.exe
%Program Files% (x86)\NCH Software\Scribe\scribe.exe
ssshhhWWW
ssshhhWWW
-!.WF
-!.WF
2%SGE
2%SGE
(%xSK
(%xSK
=#"$%$&%$&%$&%$&%$"$/.0
=#"$%$&%$&%$&%$&%$"$/.0
3333333
3333333
33333333
33333333
"((("&&!
"((("&&!
"((("&&&
"((("&&&
"((("'''
"((("'''
3% !5&!%
3% !5&!%
5&!%3% !
5&!%3% !
D3.DD3.
D3.DD3.
.HKLJ
.HKLJ
SHD.SHD
SHD.SHD
44444444444
44444444444
4444444
4444444
4444444444
4444444444
44444444
44444444
444444444
444444444
mhXXp://ns.adobe.com/xap/1.0/
mhXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
Attachments of "%s"
Attachments of "%s"
%s file already exists. Do you want to replace it?
%s file already exists. Do you want to replace it?
%s\%s
%s\%s
Password
Password
.webm
.webm
"%s" "%s"
"%s" "%s"
%s -w %s
%s -w %s
"%s" "%s" "%s"
"%s" "%s" "%s"
Cannot open the file "%s" because it is corrupt.
Cannot open the file "%s" because it is corrupt.
Cannot open the file "%s". Check it exists and you have read access.
Cannot open the file "%s". Check it exists and you have read access.
Cannot open the file "%s". It is possible the file format is not supported by this program. Please see "hXXp://VVV.nch.com.au/acm/formats.html" for more information.
Cannot open the file "%s". It is possible the file format is not supported by this program. Please see "hXXp://VVV.nch.com.au/acm/formats.html" for more information.
Cannot open the file "%s" because the required codec ("%s") is not installed. See "hXXp://nch.com.au/acm/index.html" for more information.
Cannot open the file "%s" because the required codec ("%s") is not installed. See "hXXp://nch.com.au/acm/index.html" for more information.
Cannot open the file "%s" because it is using an unknown codec or is possibly not a real wave file.
Cannot open the file "%s" because it is using an unknown codec or is possibly not a real wave file.
Cannot open the file "%s". It is possibly either corrupt or not a true layer-3 MPEG file.
Cannot open the file "%s". It is possibly either corrupt or not a true layer-3 MPEG file.
Visit "hXXp://VVV.microsoft.com/directx" to obtain the latest version.
Visit "hXXp://VVV.microsoft.com/directx" to obtain the latest version.
.flac
.flac
The decoder process failed when decompressing the file "%s" to wave format. It is possible your logon account does not have write access to the folder "%s"
The decoder process failed when decompressing the file "%s" to wave format. It is possible your logon account does not have write access to the folder "%s"
Cannot open file "%s". It is possible that the file is protected with Digital Rights Management (DRM) which limits where the audio file can be used.
Cannot open file "%s". It is possible that the file is protected with Digital Rights Management (DRM) which limits where the audio file can be used.
Cannot open the file "%s". It is possible you do not have the Sony plugin installed or your recorder is not supported. If you do not have the plugin please download it from "hXXp://VVV.nch.com.au/scribe/sony.html".
Cannot open the file "%s". It is possible you do not have the Sony plugin installed or your recorder is not supported. If you do not have the plugin please download it from "hXXp://VVV.nch.com.au/scribe/sony.html".
key%u
key%u
Unable to load an encrypted recording because the decryption key has not been set. Please enter the decryption key and try to load the dictation again.
Unable to load an encrypted recording because the decryption key has not been set. Please enter the decryption key and try to load the dictation again.
The notes for this dictation are too long to display in the notes window. They have been moved to an attachment called "%s".
The notes for this dictation are too long to display in the notes window. They have been moved to an attachment called "%s".
_%d.owf
_%d.owf
Saving: %s
Saving: %s
Unable to open dct or wav file because audio compression codec is not installed on this computer or file is corrupt. If the problem persists see VVV.nch.com.au/acm for more information about codecs. You might need to install further Audio Compression Manager codecs from your Windows CD-ROM. If it is a wav file, try to open it with Windows Media Player to auto-install codecs.
Unable to open dct or wav file because audio compression codec is not installed on this computer or file is corrupt. If the problem persists see VVV.nch.com.au/acm for more information about codecs. You might need to install further Audio Compression Manager codecs from your Windows CD-ROM. If it is a wav file, try to open it with Windows Media Player to auto-install codecs.
Attempt to delete the file "%s" failed. It is possible that the folder is read only or your do not have delete access rights on the folder.
Attempt to delete the file "%s" failed. It is possible that the folder is read only or your do not have delete access rights on the folder.
Component download or installation failed. (%s)
Component download or installation failed. (%s)
The %s format is not supported by Express Scribe.
The %s format is not supported by Express Scribe.
_%s_%s
_%s_%s
*._%s_%s
*._%s_%s
Checking for files to load from FTP...
Checking for files to load from FTP...
Cannot log onto the FTP server "%s". The server may be having problems. Otherwise please check you have entered the server name and any required user and password correctly.
Cannot log onto the FTP server "%s". The server may be having problems. Otherwise please check you have entered the server name and any required user and password correctly.
Cannot find the directory "%s" on the FTP server.
Cannot find the directory "%s" on the FTP server.
Incoming%d
Incoming%d
FTPSecure
FTPSecure
FTPServer
FTPServer
.aiff
.aiff
.aifc
.aifc
Temp%d.wav
Temp%d.wav
.dart
.dart
.mpdp
.mpdp
shell32.dll
shell32.dll
%sAscend
%sAscend
Bookmarks of "%s"
Bookmarks of "%s"
Track %d
Track %d
CD%.2dTrack%.2d_Dur%s.cda
CD%.2dTrack%.2d_Dur%s.cda
.orig
.orig
.dvr-ms
.dvr-ms
bookmark%d
bookmark%d
bookmarkÃœreatedate
bookmarkÃœreatedate
bookmarkÃata
bookmarkÃata
%.8u.dat
%.8u.dat
%s:%s:%s.000
%s:%s:%s.000
*.dat
*.dat
Video playback requires %s
Video playback requires %s
UseSMTPHost
UseSMTPHost
MailSMTPHost
MailSMTPHost
SMTPAuthOn
SMTPAuthOn
SMTPUserName
SMTPUserName
SMTPPassword
SMTPPassword
Dictation (%s)
Dictation (%s)
Transcript.txt
Transcript.txt
F%sChannel
F%sChannel
control.exe mmsys.cpl,,1
control.exe mmsys.cpl,,1
sndvol32.exe /rec
sndvol32.exe /rec
Dock %u
Dock %u
Please connect your portable recorder to your computer and press the play button on your portable recorder.
Please connect your portable recorder to your computer and press the play button on your portable recorder.
FtpServer
FtpServer
FtpUserName
FtpUserName
FtpPassword
FtpPassword
FtpDirectory
FtpDirectory
dctfwd%sender-num%-%dict-num%-%dict-name%
dctfwd%sender-num%-%dict-num%-%dict-name%
FTP Server Details Required.
FTP Server Details Required.
Please enter the FTP server name, user name, password and directory.
Please enter the FTP server name, user name, password and directory.
Hotkey
Hotkey
FTPAnonymous
FTPAnonymous
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=scribe
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=scribe
Time must be between %s and %s.
Time must be between %s and %s.
%sColumn
%sColumn
%sText
%sText
VVV.nch.com.au/scribe/index.html
VVV.nch.com.au/scribe/index.html
VVV.nch.com.au/scribe/support.html
VVV.nch.com.au/scribe/support.html
hXXp://VVV.nch.com.au/suggestions/index.html?software=Scribe&version=5.69
hXXp://VVV.nch.com.au/suggestions/index.html?software=Scribe&version=5.69
hXXp://VVV.nch.com.au/software/bug.html?software=Scribe&version=5.69
hXXp://VVV.nch.com.au/software/bug.html?software=Scribe&version=5.69
Dock a recording from a portable recorder (using default method)
Dock a recording from a portable recorder (using default method)
System-Wide Hot-Keys...
System-Wide Hot-Keys...
Float Above Other Windows
Float Above Other Windows
High Pass Filter
High Pass Filter
Export Notes...
Export Notes...
Transfer from Portable (Dock)
Transfer from Portable (Dock)
scribe.exe
scribe.exe
%s - Licensed software
%s - Licensed software
%s - Licensed to %s
%s - Licensed to %s
%s (Unlicensed) Non-commercial home use only
%s (Unlicensed) Non-commercial home use only
WindowStandard
WindowStandard
%s Mini
%s Mini
%s v 5.69
%s v 5.69
Welcome.dat
Welcome.dat
List %d of %lu
List %d of %lu
This %s file is not supported by Express Scribe.
This %s file is not supported by Express Scribe.
*.dct
*.dct
%s.dct
%s.dct
A file with the name '%s' already exists.
A file with the name '%s' already exists.
ExportNotesFolder
ExportNotesFolder
notes.txt
notes.txt
Export Notes
Export Notes
Error exporting notes.
Error exporting notes.
The wordprocessor base file %s does not exist.
The wordprocessor base file %s does not exist.
%s: %s
%s: %s
highpass
highpass
Disable system-wide hot-keys
Disable system-wide hot-keys
Enable system-wide hot-keys
Enable system-wide hot-keys
"%s" has sent a dictation cancel and recover notice for the file "%s". Do you want to delete this file from the list?
"%s" has sent a dictation cancel and recover notice for the file "%s". Do you want to delete this file from the list?
%s File Format
%s File Format
Speed (%d%%)
Speed (%d%%)
Playback Speed (%d%%)
Playback Speed (%d%%)
The file '%s' that Express Scribe is attempting to load is encrypted. A decryption key has not been set so it cannot load the file. Would you like to set one now?
The file '%s' that Express Scribe is attempting to load is encrypted. A decryption key has not been set so it cannot load the file. Would you like to set one now?
Set Key
Set Key
Decryption Key Not Set
Decryption Key Not Set
The space on the hard drive is running low. Currently only %dMB is free. Please free space by deleting unused files.
The space on the hard drive is running low. Currently only %dMB is free. Please free space by deleting unused files.
@ (%s)
@ (%s)
%d of %d Loaded
%d of %d Loaded
Encryption key not set for this Dictation
Encryption key not set for this Dictation
File: %s
File: %s
From: %s
From: %s
Email: %s
Email: %s
You must have Express Scribe installed to open the file. Express Scribe can be downloaded free at VVV.nch.com.au/scribe.
You must have Express Scribe installed to open the file. Express Scribe can be downloaded free at VVV.nch.com.au/scribe.
Forwarded to %s
Forwarded to %s
Unable to copy the file "%s" into the send folder "%s".
Unable to copy the file "%s" into the send folder "%s".
Unable to logon to ftp server "%s" with user name "%s" and the entered password.
Unable to logon to ftp server "%s" with user name "%s" and the entered password.
FTP upload failed because the directory "%s" was not found on the server "%s".
FTP upload failed because the directory "%s" was not found on the server "%s".
FTP upload of file "%s" failed.
FTP upload of file "%s" failed.
Forwarded to %s/%s
Forwarded to %s/%s
=:d
=:d
%d:d
%d:d
=:d.d
=:d.d
%d:d.d
%d:d.d
d:d
d:d
d:d.d
d:d.d
-:d:d
-:d:d
%d:d:d
%d:d:d
d:d:d
d:d:d
d:d:d.d
d:d:d.d
-:d:d.d
-:d:d.d
%d:d:d.d
%d:d:d.d
.divx
.divx
.mjpeg
.mjpeg
.moov
.moov
.mp4v
.mp4v
.mpeg
.mpeg
.rmvb
.rmvb
.xvid
.xvid
.mpga
.mpga
tload.dat
tload.dat
Welcome.wav
Welcome.wav
Template.doc
Template.doc
Word%d
Word%d
[MME] %s
[MME] %s
*.wav;
*.wav;
Invalid encryption key
Invalid encryption key
key%d
key%d
This file type is not supported
This file type is not supported
Express Delegate (%s)
Express Delegate (%s)
FTP (%s)
FTP (%s)
Folder (%s)
Folder (%s)
Automatic every %d mins
Automatic every %d mins
Invalid profile for user %d
Invalid profile for user %d
No default profiles found. Please create a profile by using Windows' Control Panel -> Speech.
No default profiles found. Please create a profile by using Windows' Control Panel -> Speech.
[Default] %s
[Default] %s
*.wpd;
*.wpd;
Microsoft Windows Write Files
Microsoft Windows Write Files
*.wri;
*.wri;
*.doc;*.docm;*.docx;*.dot;*.dotm;*.dotx;
*.doc;*.docm;*.docx;*.dot;*.dotm;*.dotx;
*.wps;*.wpt;
*.wps;*.wpt;
*.odt;*.ott;
*.odt;*.ott;
*.sdw;*.stw;*.sxw;*.vor;
*.sdw;*.stw;*.sxw;*.vor;
*.rtf;*.txt;
*.rtf;*.txt;
Web Pages
Web Pages
*.htm;*.html;*.mht;*.mhtml;*.url;
*.htm;*.html;*.mht;*.mhtml;*.url;
*.xml;
*.xml;
The file "%s" cannot be added to the word template list. Please do not select a file with extension ".dat" as word proccessor template.
The file "%s" cannot be added to the word template list. Please do not select a file with extension ".dat" as word proccessor template.
*.sta
*.sta
s%.7u.sta
s%.7u.sta
%s-%s.sta
%s-%s.sta
{2318C2B1-4965-11d4-9B18-009027A5CD4F}
{2318C2B1-4965-11d4-9B18-009027A5CD4F}
FTP file transfers
FTP file transfers
Upload your website using ftp
Upload your website using ftp
Manage stock, procurements and reporting
Manage stock, procurements and reporting
Track and Report Income and Expenditures
Track and Report Income and Expenditures
Zulu Disc Jockey Software
Zulu Disc Jockey Software
Clean and optimize your Windows registry by removing the old and damaged data that is bogging down your computer performance.
Clean and optimize your Windows registry by removing the old and damaged data that is bogging down your computer performance.
Voxal is a real time voice changing program. Change your voice live through speakers, in softphone calls, or any application or game that uses a microphone.
Voxal is a real time voice changing program. Change your voice live through speakers, in softphone calls, or any application or game that uses a microphone.
twelvekeys
twelvekeys
TwelveKeys Music Transcription
TwelveKeys Music Transcription
Universal audio converting software supports all popular audio formats including mp3, wma, wav, midi, m4a, and more. Use it to convert and compress sound files.
Universal audio converting software supports all popular audio formats including mp3, wma, wav, midi, m4a, and more. Use it to convert and compress sound files.
Orion finds and recovers deleted files on hard drives, external and portable drives. Or use the drive scrubber to ensure deleted files can't be recovered.
Orion finds and recovers deleted files on hard drives, external and portable drives. Or use the drive scrubber to ensure deleted files can't be recovered.
Key Blaze Typing Tutor Software
Key Blaze Typing Tutor Software
A powerful FTP client that integrates with Windows Explorer for manual or automatic file uploading, or sync/mirror files and folders via FTP.
A powerful FTP client that integrates with Windows Explorer for manual or automatic file uploading, or sync/mirror files and folders via FTP.
Fling FTP Sync Software Client
Fling FTP Sync Software Client
Easy to use file backup software to automatically back up critical data to CD, DVD, Blu-ray or a remote FTP server. Don't take chances with your valuable data.
Easy to use file backup software to automatically back up critical data to CD, DVD, Blu-ray or a remote FTP server. Don't take chances with your valuable data.
Use this text expansion software to create keyboard shortcuts that will expand to an entire word, sentence, paragraph or document. A useful time saving tool.
Use this text expansion software to create keyboard shortcuts that will expand to an entire word, sentence, paragraph or document. A useful time saving tool.
Digital dictation software to record and send dictation for transcription directly from your computer, or dock and send dictation from a portable device.
Digital dictation software to record and send dictation for transcription directly from your computer, or dock and send dictation from a portable device.
Professional accounting software to manage and report business income and expenses, sales, invoices and payments. Great for small and medium-sized companies.
Professional accounting software to manage and report business income and expenses, sales, invoices and payments. Great for small and medium-sized companies.
Easy to use video recording software lets you capture and record video from a webcam, your computer screen, an external video device or online streaming video.
Easy to use video recording software lets you capture and record video from a webcam, your computer screen, an external video device or online streaming video.
Easy and reliable FTP client software. View, edit, upload, download, delete and otherwise manage files on a remote server, website or network.
Easy and reliable FTP client software. View, edit, upload, download, delete and otherwise manage files on a remote server, website or network.
cftpsetup
cftpsetup
Classic FTP - FTP Client Software
Classic FTP - FTP Client Software
ClassicFTP
ClassicFTP
Use your PC to broadcast live or recorded video from a webcam, computer screen or video input device. Video streams will play in all popular web browsers.
Use your PC to broadcast live or recorded video from a webcam, computer screen or video input device. Video streams will play in all popular web browsers.
InstallReport
InstallReport
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=scribe&source=softwaretrial
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=scribe&source=softwaretrial
mhXXp://VVV.nchsoftware.com
mhXXp://VVV.nchsoftware.com
A full list of our products can be found at the below website. You may find another product that is more suitable for your needs.
A full list of our products can be found at the below website. You may find another product that is more suitable for your needs.
nhookappcommand.dll
nhookappcommand.dll
software\microsoft\windows\currentversion\app paths\%s
software\microsoft\windows\currentversion\app paths\%s
Global\%s
Global\%s
fmm%s
fmm%s
API Test OK [%s].
API Test OK [%s].
Local_Response_%d
Local_Response_%d
Software\Classes\%s
Software\Classes\%s
hXXp://VVV.nch.com.au/upgrade/index.html?software=scribe&upgradeid=%d&upgradekey=%s
hXXp://VVV.nch.com.au/upgrade/index.html?software=scribe&upgradeid=%d&upgradekey=%s
hXXp://VVV.nch.com.au/activate/index.html?code=%s
hXXp://VVV.nch.com.au/activate/index.html?code=%s
%d:%d:%d
%d:%d:%d
%d-%d-%d
%d-%d-%d
Express Scribe Transcription Software.lnk
Express Scribe Transcription Software.lnk
NCH Software.lnk
NCH Software.lnk
NCH Suite.lnk
NCH Suite.lnk
Software\Microsoft\Windows\CurrentVersion\Uninstall\Scribe
Software\Microsoft\Windows\CurrentVersion\Uninstall\Scribe
URLInfoAbout
URLInfoAbout
URLUpdateInfo
URLUpdateInfo
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
hXXp://cgi.nch.com.au/cgi-bin/report.exe
hXXp://cgi.nch.com.au/cgi-bin/report.exe
uninst.exe
uninst.exe
Uninstall is complete. If you need to reinstall this software again you can download it from VVV.nchsoftware.com.
Uninstall is complete. If you need to reinstall this software again you can download it from VVV.nchsoftware.com.
Software\NCH Software\Components\%s
Software\NCH Software\Components\%s
s.exe
s.exe
%sLock
%sLock
InstallingChrome
InstallingChrome
LaunchChromeOnInstall
LaunchChromeOnInstall
Express Scribe Transcription Software
Express Scribe Transcription Software
hXXp://VVV.nchsoftware.com/software/thanks.html?software=Scribe&appname=%s&version=5.69&base=scribe&domain=nch&buyoffer=scribe&pclass=plus%s%s%s%s%s%s%s%s&instby=%s
hXXp://VVV.nchsoftware.com/software/thanks.html?software=Scribe&appname=%s&version=5.69&base=scribe&domain=nch&buyoffer=scribe&pclass=plus%s%s%s%s%s%s%s%s&instby=%s
&usage=XX
&usage=XX
"%s" -uninstall
"%s" -uninstall
scribesetup_v5.69.exe
scribesetup_v5.69.exe
Software\NCH Software\Scribe\%s
Software\NCH Software\Scribe\%s
-LQUIET -instby %sScribe
-LQUIET -instby %sScribe
%s (%s)
%s (%s)
audiochannel.net
audiochannel.net
VVV.nch.com.au
VVV.nch.com.au
hXXp://VVV.nch.com.au/components/%s.exe
hXXp://VVV.nch.com.au/components/%s.exe
An install-on-demand component could not be installed automatically. Please run it from the URL below then try again.
An install-on-demand component could not be installed automatically. Please run it from the URL below then try again.
%s=%s
%s=%s
_scribe_rl_%s
_scribe_rl_%s
Report Bug
Report Bug
Would you be willing to complete an NCH Software Bug Report so our programmers can try to fix this? Please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.
Would you be willing to complete an NCH Software Bug Report so our programmers can try to fix this? Please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.
hXXp://VVV.nch.com.au/software/bug.html?software=Scribe&version=5.69&xi=AbTermOrHang-Win%d%d
hXXp://VVV.nch.com.au/software/bug.html?software=Scribe&version=5.69&xi=AbTermOrHang-Win%d%d
Win%d%d
Win%d%d
Ukn0(Msg%dLstCmd%d)
Ukn0(Msg%dLstCmd%d)
(Cmd%d)
(Cmd%d)
%s-%s-%s-%s
%s-%s-%s-%s
dbghelp.dll
dbghelp.dll
Abnormal Execution Problem
Abnormal Execution Problem
Would you be willing to complete a NCH Software Bug Report so our programmers can try to fix this? If so, please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.
Would you be willing to complete a NCH Software Bug Report so our programmers can try to fix this? If so, please click 'Report Bug' and then enter the field to tell us exactly what you did so we can attempt to repeat it and fix it.
hXXp://VVV.nch.com.au/software/bug.html?software=Scribe&version=5.69&xi=GUI-%s
hXXp://VVV.nch.com.au/software/bug.html?software=Scribe&version=5.69&xi=GUI-%s
%d-%d-%%d
%d-%d-%%d
Please check you have exited any previous running instances of Express Scribe Transcription Software and any other programs that might be using the file "%s". Then run the installer again.
Please check you have exited any previous running instances of Express Scribe Transcription Software and any other programs that might be using the file "%s". Then run the installer again.
Installation cannot be completed because the file "%s" cannot be written to.
Installation cannot be completed because the file "%s" cannot be written to.
LLIBShowrelatedwhenchromeoff
LLIBShowrelatedwhenchromeoff
LLIBShowrelatedwhenchromeon
LLIBShowrelatedwhenchromeon
LLIBShowrelatedwhennochromeoff
LLIBShowrelatedwhennochromeoff
LLIBShowrelatedwhennochromeon
LLIBShowrelatedwhennochromeon
Please read the following important information before continuing.
Please read the following important information before continuing.
c:\program files (x86)\
c:\program files (x86)\
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s\UserChoice
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s\UserChoice
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s
NCH.Scribe%s
NCH.Scribe%s
Scribe.BAK
Scribe.BAK
%s\FileAssociations
%s\FileAssociations
reg.exe
reg.exe
%s\OpenWithProgIds
%s\OpenWithProgIds
Applications\scribe.exe
Applications\scribe.exe
%sfile
%sfile
%s\DefaultIcon
%s\DefaultIcon
%s,%d
%s,%d
%s\shell
%s\shell
%s\shell\open\command
%s\shell\open\command
"%s" "%%L"
"%s" "%%L"
Applications\scribe.exe\shell\open\command
Applications\scribe.exe\shell\open\command
Applications\scribe.exe\shell
Applications\scribe.exe\shell
Applications\scribe.exe\DefaultIcon
Applications\scribe.exe\DefaultIcon
software\classes\%s
software\classes\%s
-addremfiletyperun "%s" "%s" "%s" "%s" %d
-addremfiletyperun "%s" "%s" "%s" "%s" %d
%s\Shell\%s\command
%s\Shell\%s\command
SystemFileAssociations\%s\Shell\%s\command
SystemFileAssociations\%s\Shell\%s\command
"%s" %s "%%L"
"%s" %s "%%L"
Software\Classes\%s\Shell\%s\command
Software\Classes\%s\Shell\%s\command
-addfiletyperunspecial "%s" "%s" "%s" %d
-addfiletyperunspecial "%s" "%s" "%s" %d
%s\Shell\%s
%s\Shell\%s
SystemFileAssociations\%s\Shell\%s
SystemFileAssociations\%s\Shell\%s
-remfiletyperunspecial "%s" "%s"
-remfiletyperunspecial "%s" "%s"
explorer.exe
explorer.exe
Advapi32.dll
Advapi32.dll
W"%s" %s
W"%s" %s
hXXp://VVV.nchsoftware.com/%s.html
hXXp://VVV.nchsoftware.com/%s.html
hXXp://VVV.nch.com.au/%s.html
hXXp://VVV.nch.com.au/%s.html
hXXp://VVV.nch.com.au/kb/%d.html
hXXp://VVV.nch.com.au/kb/%d.html
.html
.html
hXXp://help.nchsoftware.com/help/en/scribe/win/%s.html
hXXp://help.nchsoftware.com/help/en/scribe/win/%s.html
Local\ScribeProcessEXE%s
Local\ScribeProcessEXE%s
-elevated %s %s
-elevated %s %s
"%s" -exe %s
"%s" -exe %s
Software\NCH Software\%s\Settings
Software\NCH Software\%s\Settings
Software\NCH Swift Sound\%s\Settings
Software\NCH Swift Sound\%s\Settings
"%s" %%s
"%s" %%s
Waiting for %s
Waiting for %s
ExpressScribe will continue when %s closes.
ExpressScribe will continue when %s closes.
TwelveKeys
TwelveKeys
twelvekeyssetup
twelvekeyssetup
KeyBlaze
KeyBlaze
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=scribe&version=5.69%s%s%s%s%s%s%s%s&instby=%s
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=scribe&version=5.69%s%s%s%s%s%s%s%s&instby=%s
hXXp://VVV.nchsoftware.com/software/registered.html?software=%s&appname=%s&version=5.69&base=scribe&domain=nch%s%s%s%s%s%s%s
hXXp://VVV.nchsoftware.com/software/registered.html?software=%s&appname=%s&version=5.69&base=scribe&domain=nch%s%s%s%s%s%s%s
ID - Key:
ID - Key:
%s-%s
%s-%s
hXXp://VVV.nch.com.au/upgrade/index.html
hXXp://VVV.nch.com.au/upgrade/index.html
%s Registration Code:
%s Registration Code:
Register %s
Register %s
Click here if you have not activated your 12-digit serial number online and have not received an ID-Key.
Click here if you have not activated your 12-digit serial number online and have not received an ID-Key.
If you have already activated your serial number online, check your email for the ID-key. Then, click here to enter your ID-Key.
If you have already activated your serial number online, check your email for the ID-key. Then, click here to enter your ID-Key.
The code that you have entered is a license serial number. You must activate your serial number online to receive the ID-Key needed to register this software.
The code that you have entered is a license serial number. You must activate your serial number online to receive the ID-Key needed to register this software.
ID-Key is required to complete the registration.
ID-Key is required to complete the registration.
Old Version Key
Old Version Key
- You are using the correct ID and key for the correct product. Only the ID and key for Express Scribe Transcription Software will be accepted.
- You are using the correct ID and key for the correct product. Only the ID and key for Express Scribe Transcription Software will be accepted.
support/reg
support/reg
registration.txt
registration.txt
Name: %s
Name: %s
Location: %s
Location: %s
ID - Key: %d - %s
ID - Key: %d - %s
-clear -label "Express Scribe Transcription Software Installer" -type data "%s" "%s"
-clear -label "Express Scribe Transcription Software Installer" -type data "%s" "%s"
Validate Key
Validate Key
Key cannot be validated. Please connect to the internet and try again.
Key cannot be validated. Please connect to the internet and try again.
Click here to go to the NCH Software website to view the latest pricing
Click here to go to the NCH Software website to view the latest pricing
00:00:00
00:00:00
2014-02-01
2014-02-01
nch.com.au
nch.com.au
nchsoftware.com
nchsoftware.com
hXXp://VVV.%s/%s
hXXp://VVV.%s/%s
%s [Recommended]
%s [Recommended]
Google Chrome, a faster way to browse the web
Google Chrome, a faster way to browse the web
Free games, themes and utilities from the Google Chrome Store
Free games, themes and utilities from the Google Chrome Store
Why people choose Chrome:
Why people choose Chrome:
Install Google Chrome as my default browser
Install Google Chrome as my default browser
Google Toolbar makes web browsing more convenient:
Google Toolbar makes web browsing more convenient:
Search from any website
Search from any website
Translate web pages instantly
Translate web pages instantly
hXXp://VVV.google.com/toolbar/ie/partnereula.html?hl=en
hXXp://VVV.google.com/toolbar/ie/partnereula.html?hl=en
hXXp://VVV.google.com/accounts/TOS?hl=en
hXXp://VVV.google.com/accounts/TOS?hl=en
hXXp://VVV.google.com/intl/en/privacy/privacy-policy.html
hXXp://VVV.google.com/intl/en/privacy/privacy-policy.html
By installing this application, you agree to the Google Chrome
By installing this application, you agree to the Google Chrome
By installing this application, you agree to the Google Chrome
By installing this application, you agree to the Google Chrome
hXXp://VVV.google.com/chrome/intl/en/eula_text.html
hXXp://VVV.google.com/chrome/intl/en/eula_text.html
hXXp://VVV.google.com/chrome/intl/en/privacy.html
hXXp://VVV.google.com/chrome/intl/en/privacy.html
reject-chrome
reject-chrome
Automatic download of the install-on-demand component "%s" failed.
Automatic download of the install-on-demand component "%s" failed.
The website will now be opened where you can download it manually.
The website will now be opened where you can download it manually.
Open Website
Open Website
-installrelated %x -toolbar %x
-installrelated %x -toolbar %x
NCH Software\Scribe%s
NCH Software\Scribe%s
Scribe%s
Scribe%s
%sT%s
%sT%s
Click to install and run %s
Click to install and run %s
Click to run %s
Click to run %s
Express Scribe Transcription Software cannot launch the program required to perform the selected task. Please go to nch.com.au/software to download it and try again.
Express Scribe Transcription Software cannot launch the program required to perform the selected task. Please go to nch.com.au/software to download it and try again.
hXXp://VVV.nchsoftware.com/software/index.html
hXXp://VVV.nchsoftware.com/software/index.html
hXXp://VVV.nchsoftware.com/software/newsletter.html%s%s
hXXp://VVV.nchsoftware.com/software/newsletter.html%s%s
hXXps://secure.nch.com.au/cgi-bin/register.exe%s%s
hXXps://secure.nch.com.au/cgi-bin/register.exe%s%s
hXXp://cgi.nch.com.au/cgi-bin/search.exe?q=%s&site=VVV.nchsoftware.com%s%s
hXXp://cgi.nch.com.au/cgi-bin/search.exe?q=%s&site=VVV.nchsoftware.com%s%s
Click to visit our website
Click to visit our website
(EOF) Element should be terminated with %s>. Check you have terminated your element properly.
(EOF) Element should be terminated with %s>. Check you have terminated your element properly.
Tag does not have a closing '>'
Tag does not have a closing '>'
Misplaced %s> which does not match a .
Misplaced %s> which does not match a .
Element should be terminated with %s>, was with %s. Check you have terminated your element properly.
Element should be terminated with %s>, was with %s. Check you have terminated your element properly.
Ln %d, Col %d: %s
Ln %d, Col %d: %s
http\shell\open\command
http\shell\open\command
iexplore.exe
iexplore.exe
iexplorer.exe
iexplorer.exe
firefox.exe
firefox.exe
chrome.exe
chrome.exe
Installing Google Chrome
Installing Google Chrome
The Google Chrome installer could not be downloaded.
The Google Chrome installer could not be downloaded.
ChromeRequiresLaunch
ChromeRequiresLaunch
ChromeScribe
ChromeScribe
software\Google\No Chrome Offer Until
software\Google\No Chrome Offer Until
NCH_Chrome.exe
NCH_Chrome.exe
Sorry, Chrome was not installed because of some problems encountered during the installation process.
Sorry, Chrome was not installed because of some problems encountered during the installation process.
Chrome
Chrome
NCH_GoogleToolbar.exe
NCH_GoogleToolbar.exe
chrome-google
chrome-google
chrome
chrome
Install Google Chrome - Free
Install Google Chrome - Free
Get Chrome to View Help Files
Get Chrome to View Help Files
We recommend Google Chrome as the preferred viewer for our help pages.
We recommend Google Chrome as the preferred viewer for our help pages.
Google Chrome is free and fast.
Google Chrome is free and fast.
%.4d-%.2d-%.2d Express Scribe Transcription Software Log.txt
%.4d-%.2d-%.2d Express Scribe Transcription Software Log.txt
%s%sshmf%ii.bin.tmp
%s%sshmf%ii.bin.tmp
Technical Support Page
Technical Support Page
Send Bug Report
Send Bug Report
Classic FTP Software
Classic FTP Software
tar.gz
tar.gz
VVV.nch.com.au/scribe
VVV.nch.com.au/scribe
splash.jpg
splash.jpg
hXXp://VVV.nch.com.au/suggestions/index.html?software=Scribe&version=5.69%s%s
hXXp://VVV.nch.com.au/suggestions/index.html?software=Scribe&version=5.69%s%s
hXXp://VVV.nchsoftware.com/software/newsletter.html?software=Scribe&version=5.69%s%s
hXXp://VVV.nchsoftware.com/software/newsletter.html?software=Scribe&version=5.69%s%s
hXXp://VVV.nch.com.au/software/dictation.html
hXXp://VVV.nch.com.au/software/dictation.html
hXXp://VVV.facebook.com/NCHSoftware
hXXp://VVV.facebook.com/NCHSoftware
hXXp://twitter.com/nchsoftware
hXXp://twitter.com/nchsoftware
hXXps://plus.google.com/ nchsoftware
hXXps://plus.google.com/ nchsoftware
hXXp://VVV.facebook.com/sharer/sharer.php?u=%s
hXXp://VVV.facebook.com/sharer/sharer.php?u=%s
I just downloaded %s. Try it here:
I just downloaded %s. Try it here:
hXXp://VVV.twitter.com/home?status=%s%s
hXXp://VVV.twitter.com/home?status=%s%s
hXXps://plusone.google.com/_/ 1/confirm?hl=en&url=%s
hXXps://plusone.google.com/_/ 1/confirm?hl=en&url=%s
hXXp://VVV.stumbleupon.com/submit?url=%s&title=NCH Software
hXXp://VVV.stumbleupon.com/submit?url=%s&title=NCH Software
hXXp://VVV.linkedin.com/shareArticle?url=%s&title=NCH Software&mini=true
hXXp://VVV.linkedin.com/shareArticle?url=%s&title=NCH Software&mini=true
hXXp://VVV.nchsoftware.com/software/rateit.html?software=Scribe&appname=%s&version=5.69&rating=%d&buyoffer=scribe&os=Win&lang=en&base=scribe&domain=nch%s%s%s%s%s&instby=%s
hXXp://VVV.nchsoftware.com/software/rateit.html?software=Scribe&appname=%s&version=5.69&rating=%d&buyoffer=scribe&os=Win&lang=en&base=scribe&domain=nch%s%s%s%s%s&instby=%s
This version 5.69 of Express Scribe Transcription Software will only work on Windows 8 or earlier. A newer version is available for download on VVV.nchsoftware.com.
This version 5.69 of Express Scribe Transcription Software will only work on Windows 8 or earlier. A newer version is available for download on VVV.nchsoftware.com.
Software\NCH Software\%s
Software\NCH Software\%s
Software\NCH Swift Sound\%s
Software\NCH Swift Sound\%s
Quick Install-on-Demand %s
Quick Install-on-Demand %s
-extsuite %s
-extsuite %s
-extfind %s
-extfind %s
Software\Classes\.%s
Software\Classes\.%s
software\microsoft\windows\currentversion\explorer\fileexts\.%s\userchoice
software\microsoft\windows\currentversion\explorer\fileexts\.%s\userchoice
%s\shell\open
%s\shell\open
"%s" -extfind %s "%%L"
"%s" -extfind %s "%%L"
%SystemRoot%\system32\shell32.dll,19
%SystemRoot%\system32\shell32.dll,19
Software\Classes\%s\Shell\%s
Software\Classes\%s\Shell\%s
Software\Classes\%s\Shell
Software\Classes\%s\Shell
hXXp://VVV.nch.com.au/index.html
hXXp://VVV.nch.com.au/index.html
An install-on-demand component is required for this operation.
An install-on-demand component is required for this operation.
NCH Software\%s\%s.exe
NCH Software\%s\%s.exe
NCH Swift Sound\%s\%s.exe
NCH Swift Sound\%s\%s.exe
%s "%s"
%s "%s"
Software\Classes\%s\shell\open\command
Software\Classes\%s\shell\open\command
Software\Classes\%s\shell
Software\Classes\%s\shell
Software\Classes\%s\shell\open
Software\Classes\%s\shell\open
Software\Classes\%s\DefaultIcon
Software\Classes\%s\DefaultIcon
%s%s%s%s
%s%s%s%s
Report a Problem
Report a Problem
Click here if you would like to report a problem with Express Scribe Transcription Software.
Click here if you would like to report a problem with Express Scribe Transcription Software.
If you find any problems with this release please let us know by reporting them.
If you find any problems with this release please let us know by reporting them.
%s Home Page
%s Home Page
hXXp://VVV.nch.com.au/software/audio.html
hXXp://VVV.nch.com.au/software/audio.html
Distributed by %s
Distributed by %s
Licensed User: %s
Licensed User: %s
Item %d
Item %d
Col%d
Col%d
%d.%d.%d
%d.%d.%d
lAdd New Hot-Key
lAdd New Hot-Key
Click "Change..." to assign key
Click "Change..." to assign key
Hot-key Required
Hot-key Required
Please click here to assign the hot-key.
Please click here to assign the hot-key.
Key Already In Use
Key Already In Use
Sorry, the key you have chosen is already in use as a hot-key. Please choose another key.
Sorry, the key you have chosen is already in use as a hot-key. Please choose another key.
F12 is reserved for the operating system. Please choose another key.
F12 is reserved for the operating system. Please choose another key.
Alt F4 is already used by the operating system. Please choose another key.
Alt F4 is already used by the operating system. Please choose another key.
Command Already Assigned A Key
Command Already Assigned A Key
Sorry, the command you have chosen already has a hot-key associated with it. Please choose another command.
Sorry, the command you have chosen already has a hot-key associated with it. Please choose another command.
Delete Hot-Key(s)
Delete Hot-Key(s)
Delete the selected hot-key(s)?
Delete the selected hot-key(s)?
Set Default Hot-Keys
Set Default Hot-Keys
Reset all hot-keys to the default configuration?
Reset all hot-keys to the default configuration?
Channel-%u-
Channel-%u-
0:00:00.000
0:00:00.000
J.grf
J.grf
SMTP
SMTP
IPM.Note
IPM.Note
xMAPI32.DLL
xMAPI32.DLL
e.g., mail.myisp.net
e.g., mail.myisp.net
e.g., myemail@myco.com
e.g., myemail@myco.com
Your email software (e.g., Outlook, Eudora, etc.) has not been set up for MAPI. Refer to your email software Help to find out how to set it up for MAPI. Otherwise use the SMTP option.
Your email software (e.g., Outlook, Eudora, etc.) has not been set up for MAPI. Refer to your email software Help to find out how to set it up for MAPI. Otherwise use the SMTP option.
If you choose SMTP you must enter a valid reply-to address. Enter your email address.
If you choose SMTP you must enter a valid reply-to address. Enter your email address.
If you choose SMTP you must enter an SMTP mail host. Call your ISP if you don't know what your SMTP mail host is.
If you choose SMTP you must enter an SMTP mail host. Call your ISP if you don't know what your SMTP mail host is.
If your SMTP server requires authentication, you must enter a SMTP username to connect to your server.
If your SMTP server requires authentication, you must enter a SMTP username to connect to your server.
Password Required
Password Required
If your SMTP server requires authentication, you must enter a valid SMTP password to connect to your server.
If your SMTP server requires authentication, you must enter a valid SMTP password to connect to your server.
Unable to connect to mail server "%s" when sending an email to "%s".
Unable to connect to mail server "%s" when sending an email to "%s".
Unable to connect to either mail server "%s" or the mail server at "%s".
Unable to connect to either mail server "%s" or the mail server at "%s".
Unable to connect to mail server "%s".
Unable to connect to mail server "%s".
Mail host server error (HELO not accepted, error code 504) for destination email %s - usually this means the email address is not valid.
Mail host server error (HELO not accepted, error code 504) for destination email %s - usually this means the email address is not valid.
Mail host server error (HELO not accepted): %d emailto: %s
Mail host server error (HELO not accepted): %d emailto: %s
Email authentication username or password not accepted
Email authentication username or password not accepted
Scribe@%s
Scribe@%s
Error while trying to send email. Email address may be wrong or your SMTP server may require a username or password. Please check address again and see Email Settings.
Error while trying to send email. Email address may be wrong or your SMTP server may require a username or password. Please check address again and see Email Settings.
The recipient's email server does not allow email to be received in this manner. Please use an SMTP account for sending email to this address.
The recipient's email server does not allow email to be received in this manner. Please use an SMTP account for sending email to this address.
The recipient's email server rejected this email because of an unspecified reason. Try using an SMTP account for sending email to this address.
The recipient's email server rejected this email because of an unspecified reason. Try using an SMTP account for sending email to this address.
Mail host server error (data terminator not accepted) emailto: %s mailhost: %s error: %d
Mail host server error (data terminator not accepted) emailto: %s mailhost: %s error: %d
n%d.%d.%d.%d:%d
n%d.%d.%d.%d:%d
This FTP server does not support the required protected mode data transfers for SSL connections.
This FTP server does not support the required protected mode data transfers for SSL connections.
Deleting %s/%s/%s
Deleting %s/%s/%s
%s: %2.0f%%
%s: %2.0f%%
Testing FTP...
Testing FTP...
Unable to connect to server "%s".
Unable to connect to server "%s".
Server "%s" is OK.
Server "%s" is OK.
Unable to logon with username "%s" or entered password.
Unable to logon with username "%s" or entered password.
Unable to change to the directory "%s".
Unable to change to the directory "%s".
Current directory is: %s
Current directory is: %s
Passive Connection Failed!
Passive Connection Failed!
see VVV.nch.com.au/kb/10047.html
see VVV.nch.com.au/kb/10047.html
d_ftptest
d_ftptest
Passive mode
Passive mode
Changing directory to %s
Changing directory to %s
FTP Explorer
FTP Explorer
FTP Explorer - %s
FTP Explorer - %s
FTP Explorer - Change Directory
FTP Explorer - Change Directory
%d objects
%d objects
FTP Download
FTP Download
FTP Explorer - View File
FTP Explorer - View File
Check you have permission to download files with this FTP user account.
Check you have permission to download files with this FTP user account.
FTP Explorer - Confirm Delete
FTP Explorer - Confirm Delete
Deleting file: %s
Deleting file: %s
Unable to delete file "%s".
Unable to delete file "%s".
FTP Explorer - Delete File
FTP Explorer - Delete File
Deleting folder: %s
Deleting folder: %s
Unable to delete directory "%s".
Unable to delete directory "%s".
FTP Explorer - Delete Directory
FTP Explorer - Delete Directory
FTP Explorer - Open File
FTP Explorer - Open File
FTP Explorer - Create Directory
FTP Explorer - Create Directory
Directory already exists or you do not have permission to create directories with this FTP user account.
Directory already exists or you do not have permission to create directories with this FTP user account.
FTP Explorer - Rename File
FTP Explorer - Rename File
Check you have permission to rename files with this FTP user account.
Check you have permission to rename files with this FTP user account.
Date Modified: %s Size: %s
Date Modified: %s Size: %s
%d objects selected
%d objects selected
FTP Connect
FTP Connect
FtpExplorer
FtpExplorer
KFile does not exist: %s
KFile does not exist: %s
Not enough memory available to load %s
Not enough memory available to load %s
Cannot open xml file: %s
Cannot open xml file: %s
%s/microsoft/windows mail/local folders/%s
%s/microsoft/windows mail/local folders/%s
SMTP_Server
SMTP_Server
SMTP_Email_Address
SMTP_Email_Address
00000001
00000001
Software\Microsoft\Internet Account Manager\Accounts\%s
Software\Microsoft\Internet Account Manager\Accounts\%s
SMTP Email Address
SMTP Email Address
SMTP Server
SMTP Server
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\%s
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\%s
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
%s\%s\d
%s\%s\d
%s\Thunderbird
%s\Thunderbird
%s\profiles.ini
%s\profiles.ini
%s\%s\prefs.js
%s\%s\prefs.js
mail.accountmanager.defaultaccount
mail.accountmanager.defaultaccount
mail.account.%s.identities
mail.account.%s.identities
mail.identity.%s.useremail
mail.identity.%s.useremail
mail.smtp.defaultserver
mail.smtp.defaultserver
mail.smtpserver.%s.hostname
mail.smtpserver.%s.hostname
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Eudora.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Eudora.exe
deudora.ini
deudora.ini
eudora.ini
eudora.ini
%s\Qualcomm\Eudora\eudora.ini
%s\Qualcomm\Eudora\eudora.ini
SMTPServer
SMTPServer
Windows Mail
Windows Mail
Mozilla Thunderbird
Mozilla Thunderbird
%d.%d.%d.%d
%d.%d.%d.%d
127.0.0.1
127.0.0.1
libeay32.dll
libeay32.dll
ssleay32.dll
ssleay32.dll
Windows Media Audio V1
Windows Media Audio V1
Windows Media Audio V2
Windows Media Audio V2
ACELP.net
ACELP.net
Loading %s
Loading %s
Loading CD Track %d
Loading CD Track %d
Only supports conversion of CD tracks to mono or stereo.
Only supports conversion of CD tracks to mono or stereo.
"%s" "%s" "%s" -d
"%s" "%s" "%s" -d
"%s" -x "%s" "%s"
"%s" -x "%s" "%s"
"%s" -d -o "%s" -F "%s"
"%s" -d -o "%s" -F "%s"
"%s" -o "%s" "%s"
"%s" -o "%s" "%s"
"%s" -d -o "%s" "%s"
"%s" -d -o "%s" "%s"
Decoding %s file
Decoding %s file
Express Scribe Transcription Software could not locate a plugin for the file with extension "%s".
Express Scribe Transcription Software could not locate a plugin for the file with extension "%s".
You will need to download and install the plugin yourself from here: hXXp://VVV.nch.com.au/components/%s.exe.
You will need to download and install the plugin yourself from here: hXXp://VVV.nch.com.au/components/%s.exe.
Express Scribe Transcription Software could not locate a plugin for the file with extension "%s". No plugin appears to be available, therefore this format may be unsupported. Visit hXXp://VVV.nch.com.au/components/index.html to check if there is a plugin for this format.
Express Scribe Transcription Software could not locate a plugin for the file with extension "%s". No plugin appears to be available, therefore this format may be unsupported. Visit hXXp://VVV.nch.com.au/components/index.html to check if there is a plugin for this format.
*.aud
*.aud
*.grf
*.grf
Unsupported DCT file format version
Unsupported DCT file format version
Decryption key is incorrect
Decryption key is incorrect
Attempting to skip extensible data in an encrypted dictation without the correct decryption key
Attempting to skip extensible data in an encrypted dictation without the correct decryption key
Attachment%d%s
Attachment%d%s
Loading DCT File: %s
Loading DCT File: %s
Saving DCT File: %s
Saving DCT File: %s
Unable to load the installed %s decoder component.
Unable to load the installed %s decoder component.
Unable to initiate the installed %s decoder component.
Unable to initiate the installed %s decoder component.
%s decoding failed.
%s decoding failed.
Unable to open the %s file.
Unable to open the %s file.
The file is not a valid %s file.
The file is not a valid %s file.
Unrecognized %s format variant.
Unrecognized %s format variant.
%s file header removal failed.
%s file header removal failed.
s520.dll
s520.dll
Unable to load %s.
Unable to load %s.
Unable to load decoder from %s.
Unable to load decoder from %s.
Please check that the %s file is valid and complete.
Please check that the %s file is valid and complete.
a1600.dll
a1600.dll
a1800.dll
a1800.dll
a4800.dll
a4800.dll
LWindows Record Mixer
LWindows Record Mixer
%s/%d.aud
%s/%d.aud
%s%d.aud
%s%d.aud
Read %s of %s
Read %s of %s
%d:%.2d:%.2d
%d:%.2d:%.2d
.wavpcm
.wavpcm
.sndt
.sndt
.sndr
.sndr
.vorbis
.vorbis
.nist
.nist
.maud
.maud
.mat5
.mat5
.mat4
.mat4
.lpc10
.lpc10
.ircam
.ircam
.hcom
.hcom
.gsrt
.gsrt
.fssd
.fssd
.dvms
.dvms
.cvsd
.cvsd
.cdda
.cdda
.amr-wb
.amr-wb
.amr-nb
.amr-nb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\Recognizers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\Recognizers
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech\RecoProfiles
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech\RecoProfiles
VID_Cmd
VID_Cmd
langid=%d
langid=%d
type=%s
type=%s
High Pass
High Pass
Speex ACM Codec xiph.org
Speex ACM Codec xiph.org
(unverified) For the Record - hXXp://VVV.fortherecord.com
(unverified) For the Record - hXXp://VVV.fortherecord.com
Aureal Semiconductor RAW SPORT
Aureal Semiconductor RAW SPORT
Windows Media Audio Lossless V9
Windows Media Audio Lossless V9
Windows Media Audio Professional V9
Windows Media Audio Professional V9
Windows Media Audio V2 V7 V8 V9 / DivX audio (WMA) / Alex AC3 Audio
Windows Media Audio V2 V7 V8 V9 / DivX audio (WMA) / Alex AC3 Audio
Windows Media Audio V1 / DivX audio (WMA)
Windows Media Audio V1 / DivX audio (WMA)
Sipro Lab Telecom ACELP.KELVIN
Sipro Lab Telecom ACELP.KELVIN
Sipro Lab Telecom ACELP.net
Sipro Lab Telecom ACELP.net
Microsoft Windows Media, RT Voice
Microsoft Windows Media, RT Voice
Compaq Computer VSELP (codec for Windows CE 2.0 devices)
Compaq Computer VSELP (codec for Windows CE 2.0 devices)
wmvcore.dll
wmvcore.dll
C:\Windows\System32\pedaldrv.dll
C:\Windows\System32\pedaldrv.dll
Function not found in driver: %s
Function not found in driver: %s
{x-x-x-xx-xxxxxx}
{x-x-x-xx-xxxxxx}
{00000000-0000-0000-0000-000000000000}
{00000000-0000-0000-0000-000000000000}
{555504B4-0000-0000-0000-504944564944}
{555504B4-0000-0000-0000-504944564944}
{18440911-0000-0000-0000-504944564944}
{18440911-0000-0000-0000-504944564944}
NPort
NPort
Port open failed
Port open failed
0xX
0xX
Switch: %s
Switch: %s
MCouldn't read input report
MCouldn't read input report
Invalid input report length
Invalid input report length
Foot pedal status: %s
Foot pedal status: %s
Windows %d.%d
Windows %d.%d
%s can be controlled by a foot pedal controller. If you have purchased a controller, please connect it now and click on "Controller setup wizard"
%s can be controlled by a foot pedal controller. If you have purchased a controller, please connect it now and click on "Controller setup wizard"
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=%s
hXXps://secure.nch.com.au/cgi-bin/register.exe?software=%s
Purchase %s for compatibility with more pedals
Purchase %s for compatibility with more pedals
hXXp://VVV.nch.com.au/hardware/pedals.html
hXXp://VVV.nch.com.au/hardware/pedals.html
e.g.pedaldrv.dll
e.g.pedaldrv.dll
Plug and play controller diagnostics for %s
Plug and play controller diagnostics for %s
v %s (%s):
v %s (%s):
Vendor ID: %s
Vendor ID: %s
Product ID: %s
Product ID: %s
Revision: %s
Revision: %s
Product string: %s
Product string: %s
Path: %s
Path: %s
Usage page: %u
Usage page: %u
Model data: %s
Model data: %s
Key: N/A
Key: N/A
Key: %s
Key: %s
Company: %s
Company: %s
Model: %s
Model: %s
Allowed: %s
Allowed: %s
Product name: %s
Product name: %s
N\\.\%s
N\\.\%s
Nhid.dll
Nhid.dll
cfgmgr32.dll
cfgmgr32.dll
setupapi.dll
setupapi.dll
%sname
%sname
%ssize
%ssize
%smd5hash
%smd5hash
Express Delegate [%s]
Express Delegate [%s]
password
password
DelegateServerPort
DelegateServerPort
DelegateLoginEmail
DelegateLoginEmail
DelegateLoginPassword
DelegateLoginPassword
Password:
Password:
Auto-import source
Auto-import source
AutoImport
AutoImport
FTP Connection Test
FTP Connection Test
Download from an FTP server
Download from an FTP server
Invalid port
Invalid port
hXXp://VVV.nch.com.au/delegate/index.html
hXXp://VVV.nch.com.au/delegate/index.html
e.g., delegate.company.com
e.g., delegate.company.com
Port:
Port:
e.g., name@company.com
e.g., name@company.com
%s v %d.d
%s v %d.d
Server name: %s
Server name: %s
Server description: %s
Server description: %s
Server application: %s
Server application: %s
Server SDK: v %d
Server SDK: v %d
Database ID: %s
Database ID: %s
FTP options
FTP options
e.g., PTF.company.com
e.g., PTF.company.com
Secure connection (FTPES)
Secure connection (FTPES)
Warning: Dictations will be automatically deleted from the FTP server once they are loaded.
Warning: Dictations will be automatically deleted from the FTP server once they are loaded.
Windows Media Video 9
Windows Media Video 9
Windows Media Video 8
Windows Media Video 8
Windows Media Video 7
Windows Media Video 7
32 bit support
32 bit support
WebCam JPEG
WebCam JPEG
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\i420
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\i420
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\iyuv
@device:cm:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\iyuv
@device:sw:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\ffdshow video encoder
@device:sw:{33D9A760-90C8-11D0-BD43-00A0C911CE86}\ffdshow video encoder
hXXp://ffmpeg.org
hXXp://ffmpeg.org
avutil-52.nch.dll
avutil-52.nch.dll
swscale-2.nch.dll
swscale-2.nch.dll
avcodec-55.nch.dll
avcodec-55.nch.dll
avformat-55.nch.dll
avformat-55.nch.dll
swresample-0.nch.dll
swresample-0.nch.dll
S.wpp
S.wpp
.clpi
.clpi
"%s" - -
"%s" - -
"%s" -s %d -d -w -
"%s" -s %d -d -w -
FAAD2 AAC/HE-AAC/HE-AACv2/DRM decoder (c) Nero AG, VVV.nero.com
FAAD2 AAC/HE-AAC/HE-AACv2/DRM decoder (c) Nero AG, VVV.nero.com
"%s" -o raw
"%s" -o raw
Copyright (C) 2000-2002 Michel Lespinasse
Copyright (C) 2000-2002 Michel Lespinasse
Copyright (C) 1999-2000 Aaron Holtzman
Copyright (C) 1999-2000 Aaron Holtzman
License terms for this component can be found at: hXXp://VVV.opensource.org/licenses/lgpl-license.php
License terms for this component can be found at: hXXp://VVV.opensource.org/licenses/lgpl-license.php
"%s" %s - -
"%s" %s - -
"%s" -C %d -R %d -b %d
"%s" -C %d -R %d -b %d
"%s" -r
"%s" -r
-b %d --cbr --nores --nchvideo - -
-b %d --cbr --nores --nchvideo - -
%s 00:00:00
%s 00:00:00
%s %.2d:%.2d:%.2d
%s %.2d:%.2d:%.2d
%s %d
%s %d
Pddraw.dll
Pddraw.dll
Portable Anymap
Portable Anymap
Portable Network Graphics
Portable Network Graphics
Joint Photographic Experts Group
Joint Photographic Experts Group
.wbmp
.wbmp
.tiff
.tiff
.jpeg
.jpeg
Certain parts of this software fall under the Little CMS License:
Certain parts of this software fall under the Little CMS License:
Portions of this software are Copyright (c) 1998-2011 Marti Maria Saguer.
Portions of this software are Copyright (c) 1998-2011 Marti Maria Saguer.
Certain parts of this software fall under the LibJPEG License:
Certain parts of this software fall under the LibJPEG License:
Encoding %s image
Encoding %s image
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Logs
C:\Users\"%CurrentUserName%"\AppData\Roaming\NCH Software\Scribe\Logs
Use SMTP to send email directly to the mail server
Use SMTP to send email directly to the mail server
SMTP mail host:
SMTP mail host:
Send directly to other side (work as own SMTP server)
Send directly to other side (work as own SMTP server)
A full list of our products can be found at our below website. This may help you to find another product that is more suitable for your needs.
A full list of our products can be found at our below website. This may help you to find another product that is more suitable for your needs.
Constrain Proportions
Constrain Proportions
Change Key
Change Key
&ID - Key:
&ID - Key:
Change Hot-Key Command
Change Hot-Key Command
Hot-Key
Hot-Key
Press Key
Press Key
Press a key or a key combination.
Press a key or a key combination.
FTP Connection Test Results
FTP Connection Test Results
WebM Encoding Settings
WebM Encoding Settings
Two Pass Encoding
Two Pass Encoding
Windows Media Encoding Settings
Windows Media Encoding Settings
User Encryption Key
User Encryption Key
User encryption key
User encryption key
Set key:
Set key:
Set key
Set key
Upload to server (FTP)
Upload to server (FTP)
Use secure FTP connection (SSL/TLS)
Use secure FTP connection (SSL/TLS)
(if a key is available for the original sender)
(if a key is available for the original sender)
Hot-Keys
Hot-Keys
Key assignment
Key assignment
Express Scribe can automatically download recordings on demand from a folder on your computer network (LAN) or an email attachments folder or via the Internet (using an FTP Server).
Express Scribe can automatically download recordings on demand from a folder on your computer network (LAN) or an email attachments folder or via the Internet (using an FTP Server).
Set user's decryption key (to accept encrypted files)...
Set user's decryption key (to accept encrypted files)...