Trojan.Win32.Llac.kdqo (Kaspersky), Gen:Variant.Kazy.723308 (AdAware), Trojan.NSIS.StartPage.FD, TrojanDropperVtimrun.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0cb533e444832fc669b44d737bbd025b
SHA1: fa09e8f514b92a0c27e00605f059d5e0d1f08631
SHA256: 587d4872d90945da2707838dcd454c32268f9431ab28f48c7792313472ba7927
SSDeep: 98304:isQVdfnIlbHlkM07BJ aPNUNL2PNBjsAZjHu7:LsIlbHlkD7DPONL2NZu
Size: 3553792 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-10-14 08:50:27
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1516
YOUTUB~1.EXE:128
The Trojan injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:1516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\64bit.exe (7960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\YOUTUB~1.EXE (49498 bytes)
The process YOUTUB~1.EXE:128 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\Dealio_install.bmp (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\ioSpecial.ini (4681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\InstallOptions.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\modern-wizard.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp (7382 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 7B 06 73 96 2E 30 57 95 09 6A 97 E8 67 3E C3"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The process YOUTUB~1.EXE:128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 9C 7D D4 FB 45 B9 F3 C6 9B 40 4C 6E 76 EE 74"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| f447db340c60e3727da66328ed090e6e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\64bit.exe |
| 875bae6178eae1bc15e80497017a79e3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\YOUTUB~1.EXE |
| 271b5d1043c4402f08ddeae383f6979c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn3.tmp\InstallOptions.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1516
YOUTUB~1.EXE:128 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\64bit.exe (7960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\YOUTUB~1.EXE (49498 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\Dealio_install.bmp (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\ioSpecial.ini (4681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\InstallOptions.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\modern-wizard.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp (7382 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: Internet Explorer
Product Version: 11.00.9600.16428
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE .MUI
Internal Name: Wextract
File Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: Language Neutral
Company Name: Microsoft CorporationProduct Name: Internet ExplorerProduct Version: 11.00.9600.16428Legal Copyright: (c) Microsoft Corporation. All rights reserved.Legal Trademarks: Original Filename: WEXTRACT.EXE .MUIInternal Name: Wextract File Version: 11.00.9600.16428 (winblue_gdr.131013-1700)File Description: Win32 Cabinet Self-Extractor Comments: Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 26060 | 26112 | 4.42567 | e9bf1a1e456a9a811b1b86e6602e3636 |
| .data | 32768 | 6796 | 1024 | 2.20139 | 317f8a934ee443eee01c2a315bde9ca1 |
| .idata | 40960 | 4216 | 4608 | 3.49941 | d8675ba112ef922c6057a02546757a1a |
| .rsrc | 49152 | 3515739 | 3515904 | 5.54165 | a9deef2e42b8405da9f1f19f5763db4f |
| .reloc | 3567616 | 5038 | 5120 | 2.58043 | 83de2f9b2c95be6fea06bced7e8a058e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_1516:
.text
.text
`.data
`.data
.idata
.idata
@.rsrc
@.rsrc
@.reloc
@.reloc
Invalid parameter passed to C runtime function.
Invalid parameter passed to C runtime function.
advapi32.dll
advapi32.dll
setupx.dll
setupx.dll
setupapi.dll
setupapi.dll
advpack.dll
advpack.dll
wininit.ini
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
Software\Microsoft\Windows\CurrentVersion\App Paths
ADMQCMD
ADMQCMD
USRQCMD
USRQCMD
FINISHMSG
FINISHMSG
IXPd.TMP
IXPd.TMP
msdownld.tmp
msdownld.tmp
TMP4351$.TMP
TMP4351$.TMP
wextract.pdb
wextract.pdb
PSSSSSSh
PSSSSSSh
SSSh
SSSh
PSSShp
PSSShp
PSShp
PSShp
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
wextract_cleanup%d
Command.com /c %s
Command.com /c %s
rundll32.exe %s,InstallHinfSection %s 128 %s
rundll32.exe %s,InstallHinfSection %s 128 %s
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce
%s /D:%s
%s /D:%s
PendingFileRenameOperations
PendingFileRenameOperations
SHELL32.DLL
SHELL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
RegCloseKey
RegCloseKey
ADVAPI32.dll
ADVAPI32.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
GDI32.dll
GDI32.dll
ExitWindowsEx
ExitWindowsEx
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
_amsg_exit
_amsg_exit
_acmdln
_acmdln
msvcrt.dll
msvcrt.dll
COMCTL32.dll
COMCTL32.dll
Cabinet.dll
Cabinet.dll
VERSION.dll
VERSION.dll
)-.Yln
)-.Yln
YOUTUB~1.EXE
YOUTUB~1.EXE
64bit.exe
64bit.exe
.Ake
.Ake
.IQMThV
.IQMThV
J@:'%S
J@:'%S
zMu.BF
zMu.BF
59^".);,)
59^".);,)
|.Ti h
|.Ti h
cwC*WX.ad)
cwC*WX.ad)
v.NR2
v.NR2
x.Ija
x.Ija
i.wJ4
i.wJ4
NgT%sT
NgT%sT
a_BÉ
a_BÉ
%F K.
%F K.
?/.ZQW
?/.ZQW
-.NANq
-.NANq
Z7.vH
Z7.vH
\.tC;
\.tC;
sJ3A%s
sJ3A%s
J%XxBs
J%XxBs
k.Ac=
k.Ac=
D.mj:
D.mj:
l%CP6Y
l%CP6Y
m6=%s
m6=%s
(h.hz
(h.hz
%5u*F
%5u*F
).aXX
).aXX
O<.fk>
O<.fk>
V(.cp
V(.cp
.Eug^"
.Eug^"
Lb%sh
Lb%sh
84%UQ
84%UQ
9=.Ul
9=.Ul
S.sB]
S.sB]
p:.cNO
p:.cNO
]s.Â`A
]s.Â`A
%xTm5
%xTm5
Md.HJ
Md.HJ
}X[%c
}X[%c
$t{k%s
$t{k%s
%CkbP
%CkbP
.cJ.[
.cJ.[
U.rmu0
U.rmu0
O.WXwV
O.WXwV
%D]H4
%D]H4
P.IX^
P.IX^
jG.wD2@
jG.wD2@
A.NW%>
A.NW%>
.bqlT
.bqlT
.tuC8
.tuC8
/q{%u
/q{%u
K.Mb3
K.Mb3
keY2u
keY2u
-rr}J
-rr}J
9?j.dV
9?j.dV
.JhB{
.JhB{
÷#rd
÷#rd
.tXuh?
.tXuh?
yM.FN
yM.FN
Tu.qb
Tu.qb
.oZk]4%
.oZk]4%
.wg//
.wg//
6h: P.BLIp
6h: P.BLIp
N0P.qi
N0P.qi
f%cjW
f%cjW
ovi%D
ovi%D
a.Pxr
a.Pxr
=m$%D
=m$%D
b{.ra|
b{.ra|
%ci!ktK
%ci!ktK
.ystb
.ystb
3.RHp
3.RHp
P.GKNt
P.GKNt
ZO.HE
ZO.HE
=SQlNI
=SQlNI
K.pX@(
K.pX@(
Pkd%XB
Pkd%XB
G2.Qx
G2.Qx
P:.mwx4
P:.mwx4
I.Vm}
I.Vm}
d-j}~
d-j}~
%U;uU
%U;uU
iQ%XW
iQ%XW
>t%SG5
>t%SG5
.cNCV
.cNCV
qzG%DX
qzG%DX
|B.WP5R
|B.WP5R
p=N%D
p=N%D
@o.mZ
@o.mZ
$9.MA;1
$9.MA;1
2.YSR}
2.YSR}
wûY
wûY
9-oE}
9-oE}
%s;st
%s;st
%SClg
%SClg
AA.fF
AA.fF
2|.pGu
2|.pGu
x
x
l.msW
l.msW
0%Cj[
0%Cj[
>`.Dw
>`.Dw
D?.AJ
D?.AJ
"I:4x.kZ
"I:4x.kZ
x-STg}
x-STg}
aV#.Dd
aV#.Dd
.mu^[
.mu^[
VpY.qg*
VpY.qg*
YK.dN
YK.dN
E.vAL
E.vAL
^h<.jrx>
^h<.jrx>
Vs47.KBZ
Vs47.KBZ
.IbW>
.IbW>
@^n
@^n
^zE%Ct
^zE%Ct
,5L
,5L
H.vA%>h
H.vA%>h
TMuRL`5
TMuRL`5
EC`%UG
EC`%UG
.jaF:H
.jaF:H
j .bB
j .bB
\*Y%U
\*Y%U
XY.fb
XY.fb
%s7N,
%s7N,
*D%x$X
*D%x$X
X!%x)?
X!%x)?
x.Aa$
x.Aa$
Tj&.Me
Tj&.Me
c0-I}
c0-I}
weBE5{
weBE5{
#".krzN
#".krzN
.TTSv
.TTSv
4%FUy)
4%FUy)
haÊ
haÊ
,;%F&
,;%F&
y0%FY
y0%FY
Ö).e
Ö).e
xs.Dp
xs.Dp
%DubL
%DubL
3.rJr_
3.rJr_
.gbYs,
.gbYs,
%Dg(k
%Dg(k
#.rFB
#.rFB
Kvn.aCc
Kvn.aCc
e%S~~~
e%S~~~
;=fTp,L
;=fTp,L
o.Nm:
o.Nm:
D\{.iY
D\{.iY
%D|d
%D|d
8%F_`
8%F_`
*S%xOqYz`
*S%xOqYz`
%xLAr
%xLAr
5u.wB
5u.wB
G%fj0
G%fj0
k.FfgH%^
k.FfgH%^
:.qH=
:.qH=
1g}%s
1g}%s
>%c}
>%c}
yNJ.EZ
yNJ.EZ
W`@%Sw
W`@%Sw
x.hLc
x.hLc
i%XSs
i%XSs
%UAiv
%UAiv
3.oY/3H] q,
3.oY/3H] q,
2;.UYs
2;.UYs
.bHHV
.bHHV
Zo.jG4
Zo.jG4
ui.iT0
ui.iT0
5h8.kVU
5h8.kVU
I\.PN
I\.PN
{z9
{z9
/4%0u;
/4%0u;
rb7^.mD
rb7^.mD
h.RZ`
h.RZ`
3.Lmz-
3.Lmz-
/.Frc
/.Frc
#.nEg
#.nEg
>FC.Ju
>FC.Ju
Q.ZMz2J(E
Q.ZMz2J(E
y[.taL
y[.taL
fTP{7
fTP{7
~#.Ac&
~#.Ac&
d^R.P%f
d^R.P%f
VWEb
VWEb
4A.hs8^
4A.hs8^
(v.Rae
(v.Rae
dZ.Tj
dZ.Tj
#jz%D
#jz%D
Rzs47%f
Rzs47%f
[DQs.Ab
[DQs.Ab
p.zrVN:)
p.zrVN:)
%d}D;#
%d}D;#
yQ.JA
yQ.JA
oKW%4s
oKW%4s
gSyR%Ci
gSyR%Ci
)Ë;
)Ë;
*u.Vku
*u.Vku
kT.IN_{
kT.IN_{
bþ"
bþ"
(G%Sg
(G%Sg
}PiÛ
}PiÛ
I.mH=
I.mH=
o.Ac%
o.Ac%
5j.fUN
5j.fUN
%Csfj
%Csfj
.nvB*
.nvB*
.kW\.
.kW\.
6U.to
6U.to
F%FXG
F%FXG
0.ZRU/7
0.ZRU/7
Jq%C}3
Jq%C}3
2iÃ
2iÃ
":.wi7
":.wi7
.NNo#
.NNo#
%d E*
%d E*
.vDYO
.vDYO
:HT5%s
:HT5%s
.OT
.OT
"SSh*)j
"SSh*)j
za_.pT=zbly
za_.pT=zbly
m\i3%S
m\i3%S
L.zuq
L.zuq
Y.iViC
Y.iViC
u.dKl
u.dKl
#v^=.Ub
#v^=.Ub
ÀY;
ÀY;
9Z$%F
9Z$%F
1%X0f
1%X0f
.AZ2&6
.AZ2&6
^=.gqO
^=.gqO
&%S8Q
&%S8Q
m.QEo
m.QEo
/8.lZ
/8.lZ
O.zx'
O.zx'
yD.pITv?y
yD.pITv?y
.rml03
.rml03
p{yq.fR
p{yq.fR
V8.OEw
V8.OEw
Zxq.Dr!S
Zxq.Dr!S
.skan
.skan
j.Gs&
j.Gs&
.iHfE
.iHfE
%Cu i ^M
%Cu i ^M
nb.Il)
nb.Il)
zÚ"
zÚ"
.ekR{
.ekR{
.XzM&g
.XzM&g
n.JW4
n.JW4
%S3 n
%S3 n
3.RT
3.RT
XKeyg
XKeyg
rcq~.WB}
rcq~.WB}
&.Omu
&.Omu
[ro
[ro
.qAj%
.qAj%
H e3%U
H e3%U
lmw%F
lmw%F
lxs%C
lxs%C
Nk4(%S
Nk4(%S
a~].fu
a~].fu
.jNBe
.jNBe
'.reH
'.reH
|:>%s
|:>%s
.qv4`
.qv4`
m0X%Q6%dzM
m0X%Q6%dzM
E%fSK
E%fSK
v%c`h
v%c`h
qDv`mh.fhBlso` ,
qDv`mh.fhBlso` ,
35
35
%U1sems
%U1sems
x)Ma.TDL
x)Ma.TDL
B.BJc
B.BJc
(tCp;o
(tCp;o
RG.Dk
RG.Dk
4y.Iw
4y.Iw
.fr~S
.fr~S
h.WGI
h.WGI
`.dC#i
`.dC#i
GrZo%U
GrZo%U
p.aFqsf
p.aFqsf
c'zpK.Da
c'zpK.Da
EmSGv
EmSGv
d:hP~l%F
d:hP~l%F
g.mjH
g.mjH
q.TGc
q.TGc
.Fmg
.Fmg
.ci~d
.ci~d
W.bKd
W.bKd
C~LMÄ*OWl
C~LMÄ*OWl
[.fZP#
[.fZP#
WtCp
WtCp
%&.Jg
%&.Jg
.deI n
.deI n
$%SIt
$%SIt
.efY)
.efY)
2.a%s
2.a%s
OBv.Su
OBv.Su
KcMd>
KcMd>
,Q.ohBEf
,Q.ohBEf
;.wyw
;.wyw
D%Fm=
D%Fm=
.etCoz
.etCoz
~'.Dk_C
~'.Dk_C
.bLSs
.bLSs
s =.Og
s =.Og
][m%F
][m%F
rW.Ol?
rW.Ol?
w .rAm
w .rAm
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
Kernel32.dll
Kernel32.dll
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
CFailed to get disk space information from: %s.
CFailed to get disk space information from: %s.
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
8Unable to retrieve operating system version information.!Memory allocation request failed.
8Unable to retrieve operating system version information.!Memory allocation request failed.
Filetable full.Ên not change to destination folder.
Filetable full.Ên not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.KKan geen informatie krijgen over schijfruimte van: %s.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.KKan geen informatie krijgen over schijfruimte van: %s.
Systeemmelding: %s.#Kan een benodigde bron niet vinden."Weet u zeker dat u wilt annuleren?
Systeemmelding: %s.#Kan een benodigde bron niet vinden."Weet u zeker dat u wilt annuleren?
Setup kan geen station vinden met %s kB beschikbare schijfruimte om het programma te installeren. Maak schijfruimte vrij en probeer het opnieuw of annuleer de installatie.QDe map is ongeldig. Controleer of de map bestaat en of deze niet alleen-lezen is.DU moet een map met een volledig pad opgeven of op Annuleren klikken.
Setup kan geen station vinden met %s kB beschikbare schijfruimte om het programma te installeren. Maak schijfruimte vrij en probeer het opnieuw of annuleer de installatie.QDe map is ongeldig. Controleer of de map bestaat en of deze niet alleen-lezen is.DU moet een map met een volledig pad opgeven of op Annuleren klikken.
!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Could not create folder '%s'
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
-Kan het invoervak voor de map niet bijwerken.KKan de functies die vereist zijn voor het bladerdialoogvenster, niet laden.UKan het bestand Shell32.dll dat vereist is voor het bladerdialoogvenster, niet laden.
-Kan het invoervak voor de map niet bijwerken.KKan de functies die vereist zijn voor het bladerdialoogvenster, niet laden.UKan het bestand Shell32.dll dat vereist is voor het bladerdialoogvenster, niet laden.
-Fout bij het maken van proces . Reden: %s8De clustergrootte in dit systeem wordt niet ondersteund. Een vereiste bron lijkt beschadigd te zijn.^Voor deze installatie is Windows 95 of Windows NT 4.0 B
-Fout bij het maken van proces . Reden: %s8De clustergrootte in dit systeem wordt niet ondersteund. Een vereiste bron lijkt beschadigd te zijn.^Voor deze installatie is Windows 95 of Windows NT 4.0 B
Fout bij het laden van %s.uGetProcAddress() is mislukt bij functie %s. Mogelijke reden: er wordt een incorrecte versie van advpack.dll gebruikt.7Voor de installatie is Windows 95 of Windows NT vereist
Fout bij het laden van %s.uGetProcAddress() is mislukt bij functie %s. Mogelijke reden: er wordt een incorrecte versie van advpack.dll gebruikt.7Voor de installatie is Windows 95 of Windows NT vereist
Kan de map %s niet maken.
Kan de map %s niet maken.
U hebt %s kB schijfruimte nodig op station %s om het programma te installeren. Het wordt aanbevolen de benodigde schijfruimte vrij te maken voordat u verdergaat.
U hebt %s kB schijfruimte nodig op station %s om het programma te installeren. Het wordt aanbevolen de benodigde schijfruimte vrij te maken voordat u verdergaat.
Error retrieving Windows folder
Error retrieving Windows folder
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
$Fout bij het ophalen van Windows-map
$Fout bij het ophalen van Windows-map
NT wordt afgesloten: OpenProcessToken-fout.0NT wordt afgesloten: AdjustTokenPrivileges-fout.(NT wordt afgesloten: ExitWindowsEx-fout.
NT wordt afgesloten: OpenProcessToken-fout.0NT wordt afgesloten: AdjustTokenPrivileges-fout.(NT wordt afgesloten: ExitWindowsEx-fout.
Het uitpakken van het bestand is mislukt. Waarschijnlijk door gebrek aan geheugen (te weinig schijfruimte voor wisselbestand) of beschadigd CAB-bestand.bHet installatieprogramma kan de volumegegevens voor station (%s) niet ophalen.
Het uitpakken van het bestand is mislukt. Waarschijnlijk door gebrek aan geheugen (te weinig schijfruimte voor wisselbestand) of beschadigd CAB-bestand.bHet installatieprogramma kan de volumegegevens voor station (%s) niet ophalen.
Systeembericht: %s.
Systeembericht: %s.
Setup kan geen station vinden met %s kB vrije schijfruimte voor de installatie van het programma. Maak schijfruimte vrij en probeer het opnieuw.\Het installatieprogramma is beschadigd. Neem contact op met de verkoper van deze toepassing.
Setup kan geen station vinden met %s kB vrije schijfruimte voor de installatie van het programma. Maak schijfruimte vrij en probeer het opnieuw.\Het installatieprogramma is beschadigd. Neem contact op met de verkoper van deze toepassing.
/C: -- Override Install Command defined by author.
/C: -- Override Install Command defined by author.
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
Could not find the file: %s.
jEr wordt al een exemplaar van het pakket %s op de computer uitgevoerd. Wilt u een extra exemplaar starten?
jEr wordt al een exemplaar van het pakket %s op de computer uitgevoerd. Wilt u een extra exemplaar starten?
Kan het bestand %s niet vinden.
Kan het bestand %s niet vinden.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
.De map %s bestaat niet. Wilt u deze map maken?hHet pakket %s is al op het systeem ge
.De map %s bestaat niet. Wilt u deze map maken?hHet pakket %s is al op het systeem ge
n exemplaar tegelijkertijd gebruiken.FHet pakket %s is niet compatibel met de Windows-versie die u gebruikt.QHet pakket %s is niet compatibel met de versie van het bestand %s op de computer.
n exemplaar tegelijkertijd gebruiken.FHet pakket %s is niet compatibel met de Windows-versie die u gebruikt.QHet pakket %s is niet compatibel met de versie van het bestand %s op de computer.
11.00.9600.16428 (winblue_gdr.131013-1700)
11.00.9600.16428 (winblue_gdr.131013-1700)
WEXTRACT.EXE .MUI
WEXTRACT.EXE .MUI
11.00.9600.16428
11.00.9600.16428
YOUTUB~1.EXE_128:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
uDSSh
uDSSh
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
RegEnumKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
verifying installer: %d%%
verifying installer: %d%%
unpacking data: %d%%
unpacking data: %d%%
... %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
~nsu.tmp
%u.%u%s%s
%u.%u%s%s
RegDeleteKeyExA
RegDeleteKeyExA
%s=%s
%s=%s
*?|/":
*?|/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn3.tmp\InstallOptions.dll
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn3.tmp\InstallOptions.dll
Tube Downloader 2.5.3.\r\n\r\nIt is recommended that you close all other applications before starting Setup. This will make it possible to update relevant system files without having to reboot your computer.\r\n\r\nClick Next to continue.
Tube Downloader 2.5.3.\r\n\r\nIt is recommended that you close all other applications before starting Setup. This will make it possible to update relevant system files without having to reboot your computer.\r\n\r\nClick Next to continue.
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn3.tmp\InstallOptions.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn3.tmp\InstallOptions.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn3.tmp
installation of YouTube Downloader 2.5.3.\r\n\r\nIt is recommended that you close all other applications before starting Setup. This will make it possible to update relevant system files without having to reboot your computer.\r\n\r\nClick Next to continue.
installation of YouTube Downloader 2.5.3.\r\n\r\nIt is recommended that you close all other applications before starting Setup. This will make it possible to update relevant system files without having to reboot your computer.\r\n\r\nClick Next to continue.
COMDLG32.DLL
COMDLG32.DLL
FC:\Windows\system32\stdole2.tlb
FC:\Windows\system32\stdole2.tlb
%Program Files%\Microsoft Visual Studio\VB98\Flash9f.oca
%Program Files%\Microsoft Visual Studio\VB98\Flash9f.oca
frmLogin
frmLogin
modExecCmd
modExecCmd
modGetHTMLFromURL
modGetHTMLFromURL
modURLEncoding
modURLEncoding
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
cmdOk
cmdOk
lblURL
lblURL
shell32.dll
shell32.dll
VBA6.DLL
VBA6.DLL
&cmdCancel
&cmdCancel
txtPassword
txtPassword
LoginSucceeded
LoginSucceeded
Password
Password
Comctl32.dll
Comctl32.dll
LxcmdAbort
LxcmdAbort
C:\Windows\system32\MSVBVM60.DLL\3
C:\Windows\system32\MSVBVM60.DLL\3
%Program Files%\Microsoft Visual Studio\VB98\MSCOMCTL.oca
%Program Files%\Microsoft Visual Studio\VB98\MSCOMCTL.oca
advapi32.dll
advapi32.dll
shdocvw.dll
shdocvw.dll
wininet.dll
wininet.dll
InternetOpenUrlA
InternetOpenUrlA
OWebBrowser1
OWebBrowser1
SC:\Windows\system32\ieframe.oca
SC:\Windows\system32\ieframe.oca
cmdPlayVideo
cmdPlayVideo
cmdDownloadOptions
cmdDownloadOptions
txtURL
txtURL
lblWebLink
lblWebLink
cmdShowFiles
cmdShowFiles
cmdPickFile
cmdPickFile
cmdDownloadFolder
cmdDownloadFolder
@.reloc
@.reloc
comdlg32.dll
comdlg32.dll
InstallOptions.dll
InstallOptions.dll
PASSWORD
PASSWORD
Field %d
Field %d
All Files|*.*
All Files|*.*
O%D=s
O%D=s
YouTube Downloader 2.5.3 Setup
YouTube Downloader 2.5.3 Setup
nsn3.tmp
nsn3.tmp
his wizard will guide you through the installation of YouTube Downloader 2.5.3.\r\n\r\nIt is recommended that you close all other applications before starting Setup. This will make it possible to update relevant system files without having to reboot your computer.\r\n\r\nClick Next to continue.
his wizard will guide you through the installation of YouTube Downloader 2.5.3.\r\n\r\nIt is recommended that you close all other applications before starting Setup. This will make it possible to update relevant system files without having to reboot your computer.\r\n\r\nClick Next to continue.
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\YOUTUB~1.EXE
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\YOUTUB~1.EXE
%Program Files%\YouTube Downloader
%Program Files%\YouTube Downloader
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP
YOUTUB~1.EXE
YOUTUB~1.EXE
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh1.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
1114414
1114414
ard will guide you through the installation of YouTube Downloader 2.5.3.\r\n\r\nIt is recommended that you close all other applications before starting Setup. This will make it possible to update relevant system files without having to reboot your computer.\r\n\r\nClick Next to continue.
ard will guide you through the installation of YouTube Downloader 2.5.3.\r\n\r\nIt is recommended that you close all other applications before starting Setup. This will make it possible to update relevant system files without having to reboot your computer.\r\n\r\nClick Next to continue.
1074398204
1074398204
1441914
1441914
)-.Yln
)-.Yln
Nullsoft Install System v2.39
Nullsoft Install System v2.39
.CommonDialog
.CommonDialog
.VBError
.VBError
.clsAnimControl
.clsAnimControl
comctl32.dll
comctl32.dll
Show video file URL
Show video file URL
hXXp://youtubedownload.altervista.org/notifier.htm
hXXp://youtubedownload.altervista.org/notifier.htm