Skip to main content

SearchProtectToolbar_pcap_14e6e6fb83


SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 14e6e6fb83be47d5a41447c2e8584403

SHA1: 0d78275abd35c5435e1bd7596ee7aea36b899581

SHA256: 8113aa2634cd7f9a9fe4728728294f8ad9c537c5611575c9e0cf671d04f775ff

SSDeep: 1536:VQpQ5EP0ijnRTXJz68gkW RoeGd8yNkM/Dk22MpCOw78dfxkF:VQIURTXJz7Ozd8yNka7pCOjdKF

Size: 104760 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: GreenTree Applications SRL

Created at: 2009-12-06 00:50:46

Analyzed on: Windows7Ada SP1 64-bit

Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

SP.EXE:1680
%original file name%.exe:4048
BrowserExtensionsSetupUAC.exe:1848
YTDSetup.exe:1508
~spD451.tmp:2164
BEHelper.exe:1440
SearchProtectionStub.exe:1560
Au_.exe:3976
Au_.exe:3828
~spE38E.tmp:3172
uninstall.exe:1712
uninstall.exe:4024
exthelper.exe:676

The Malware injects its code into the following process(es):

ytd.exe:1492

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process SP.EXE:1680 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal (9778 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4C62WHO\favicon[1].ico (1150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (324 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\yandex_ff.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{38754113-2264-4057-B454-CF19832D9F10}.ico (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data (4388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\searchplugins\yandex.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\yandex_ie.xml (496 bytes)

The process %original file name%.exe:4048 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\inetca.dll (804 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC35.tmp (2290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\YTDSetup.exe (715970 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CZBXF8H\YTDSetup[1].exe (671764 bytes)

The process BrowserExtensionsSetupUAC.exe:1848 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}\chrome\content (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7} (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AC.tmp (12592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}\chrome\content (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\NSISCouponsPlugin.dll (18372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C} (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC} (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}\chrome\content (4 bytes)

The process YTDSetup.exe:1508 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\LICENSE (1 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Uninstall.exe (8318 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1050.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1049.ini (784 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\YTD Video Downloader.lnk (2 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll (3616 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1036.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\UserInfo.dll (8 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\librtmp.dll (60186 bytes)
C:\Users\Public\Desktop\YTD Video Downloader.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\SearchProtectionStub.exe (1828 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\System.dll (23 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll (19096 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\Web site.url (55 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1053.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1034.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1035.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1048.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1059.ini (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2074.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\exthelper.exe (1826 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EE.tmp (733038 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1031.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1055.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2070.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\FFMPEG.EXE (395158 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1043.ini (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NV3AJTKT\so[1].xml (7285 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2052.ini (12 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll (2392 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll (326900 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll (69435 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\scripts.yds (6360 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1030.ini (13 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\Uninstall.lnk (2 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1025.ini (15 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\manual.bat (57 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1038.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1044.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1040.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1032.ini (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1045.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1029.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv3 (7 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv2 (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1051.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res9999.ini (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISPluginW.dll (15982 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1061.ini (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\getCountry (2 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1060.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1052.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISHelper.dll (8801 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.Apachev2 (11 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe (51136 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1026.ini (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1033.ini (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\modern-header.bmp (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\nsDialogs.dll (21 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll (1552 bytes)

The process ~spD451.tmp:2164 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\SP.exe (33796 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\Uninstall.exe (15904 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF1A.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spE38E.tmp (1940 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF1A.tmp\SP.dll (33090 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF19.tmp (84143 bytes)

The process ytd.exe:1492 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\ProgramData\YTD Video Downloader\scripts0.yds (673 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\plugins.dat.1492 (1444 bytes)
C:\ProgramData\YTD Video Downloader\scripts0.20150129 (22548 bytes)

The process BEHelper.exe:1440 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\config.json (965 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome.manifest (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\redirects.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\savingsslider.xul (606 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\icon.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\icon.png (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\main.js (394 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\main.js (134 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\newtab.xul (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\saebay.js (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\spigot.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NV3AJTKT\update[1].xml (375 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\ebay.xul (569 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\main.js (374 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\spigot.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\prefs.txt (171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\spigot.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\main.xul (681 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome.manifest (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome.manifest (125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\prefs.txt (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\config.json (1235 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\icon.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\savingsslider.js (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\ebay.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\config.json (213 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\startpage.js (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\prefs.txt (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\install.rdf (1 bytes)

The process SearchProtectionStub.exe:1560 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskD3C4.tmp\SP.dll (33090 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spD451.tmp (1162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuD3B3.tmp (28806 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskD3C4.tmp\System.dll (23 bytes)

The process Au_.exe:3976 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57A.tmp (17495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\ping (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\BrowserExtensionsSetupUAC.exe (16750 bytes)

The process Au_.exe:3828 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw7A8D.tmp (27289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq7ABC.tmp\SP.dll (33090 bytes)

The process ~spE38E.tmp:3172 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Button.exe (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF7.tmp (64389 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\saebay.xpi (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\NSISCouponsPlugin.dll (18372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Uninstall.exe (17637 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\coupons.xpi (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons64.dll (13368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Button64.exe (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\ButtonWrap64.dll (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\ping (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\ButtonWrap.dll (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\BEHelper.exe (19640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\startpage.xpi (8 bytes)

The process uninstall.exe:1712 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb79C2.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe (3589 bytes)

The process uninstall.exe:4024 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsqB4ED.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe (3922 bytes)

The process exthelper.exe:676 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4C62WHO\extconfig[1].xml (3777 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scr68B1.tmp (15 bytes)

Registry activity

The process SP.EXE:1680 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{38754113-2264-4057-B454-CF19832D9F10}]
"FaviconURL" = "http://www.yandex.com/favicon.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{38754113-2264-4057-B454-CF19832D9F10}]
"DisplayName" = "Яндекс"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "D6 EC 6C 28 2B 41 D0 01"

[HKCU\Software\AppDataLow\Software\Search Protection]
"ping_ts" = "1423130703"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\AppDataLow\Software\Search Protection]
"GCFailed" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "12 6D 3E 37 2B 41 D0 01"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{38754113-2264-4057-B454-CF19832D9F10}]
"URL" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{38754113-2264-4057-B454-CF19832D9F10}"

[HKCU\Software\Microsoft\Internet Explorer\User Preferences]
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977" = "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "1"

[HKCU\Software\Microsoft\Internet Explorer\ContinuousBrowsing]
"Enabled" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.yandex.ru/?clid=1782898"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"ShowSearchSuggestionsInAddressGlobal" = "1"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{38754113-2264-4057-B454-CF19832D9F10}]
"OSDFileURL" = "file:///C:/Users/adm/AppData/Local/Temp/yandex_ie.xml"
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{38754113-2264-4057-B454-CF19832D9F10}.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
"WpadDecision" = "0"

[HKCU\Software\AppDataLow\Software\Search Protection]
"FFFailed" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "12 6D 3E 37 2B 41 D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process %original file name%.exe:4048 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "55 81 2D 0C 2B 41 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

"WpadDecisionTime" = "55 81 2D 0C 2B 41 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "55 81 2D 0C 2B 41 D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process BrowserExtensionsSetupUAC.exe:1848 makes changes in the system registry.


The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{90E4CD0C-426F-4207-805B-7885AB32D43F}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CAE9BEC8-4723-4347-AFC6-25EE3326BA5B}]
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories]

The process YTDSetup.exe:1508 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"DisplayName" = "YTD Video Downloader 4.8.9"
"Publisher" = "GreenTree Applications SRL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\{DAF8B7E5-449D-4180-8281-10E536E597F2}]
"(Default)" = "4.8.9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "55 81 2D 0C 2B 41 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"VersionMajor" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF" = "01 00 00 00 00 00 00 00 C2 9F 86 34 2B 41 D0 01"

[HKCU\Software\GreenTree Applications\YTD]
"ISN" = "F7DBCDBD737B449098794B4547AA6F06"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "AF C3 23 0E 2B 41 D0 01"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"DisplayVersion" = "4.8.9"

[HKLM\SOFTWARE\Wow6432Node\{DAF8B7E5-449D-4180-8281-10E536E597F2}]
"it" = "20150205120417"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"URLInfoAbout" = "http://www.ytddownloader.com"
"InstallDir" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\"
"VersionMinor" = "8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"MainApp" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe"

[HKCU\Software\GreenTree Applications\YTD]
"Language" = "1033"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\GreenTree Applications\YTD]
"(Default)" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"DisplayIcon" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe,0"
"UninstallString" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\uninstall.exe"

[HKCU\Software\GreenTree Applications\YTD]
"kitType" = "ytd"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"InstallLocation" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "AF C3 23 0E 2B 41 D0 01"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"NoModify" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process ~spD451.tmp:2164 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"VersionMajor" = "1"

[HKCU\Software\AppDataLow\Software\Search Protection]
"CCV" = "198"

"WS_FF_AB" = "http://yandex.ru/yandsearch?clid=1782899&text="
"WS_GC_IB" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"
"HP_IE" = "http://www.yandex.ru/?clid=1782898"
"WS_FF_IB" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"
"ISN" = "CCF69B272FE54EE58735A380676F1DE4"
"ChannelID" = "937811"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"NoRepair" = "1"

[HKCU\Software\AppDataLow\Software\Search Protection]
"HP_GC" = "http://www.yandex.ru/?clid=1782898"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\uninstall.exe"

[HKCU\Software\AppDataLow\Software\Search Protection]
"sdsprotection" = "1"
"InhibitGC" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"NoModify" = "1"

[HKCU\Software\AppDataLow\Software\Search Protection]
"app_ver" = "10.8.0.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"DisplayName" = "Search Protection"

[HKCU\Software\AppDataLow\Software\Search Protection]
"FCV" = "198"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"URLInfoAbout" = "http://www.spigot.com"
"VersionMinor" = "0"
"Publisher" = "Spigot, Inc."

[HKCU\Software\AppDataLow\Software\Search Protection]
"SPID" = "359"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"DisplayVersion" = "10.8.0.1"

[HKCU\Software\AppDataLow\Software\Search Protection]
"WS_IE_IB" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"InstallDir" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\"
"InstallLocation" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\"

[HKCU\Software\AppDataLow\Software\Search Protection]
"HP_FF" = "http://www.yandex.ru/?clid=1782898"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\SP.EXE,0"

[HKCU\Software\AppDataLow\Software\Search Protection]
"937811" = "1"
"WS_IE_AB" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Search Protection" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\SP.EXE /autostart"

The Malware deletes the following value(s) in system registry:


The Malware disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SearchProtection"

The process ytd.exe:1492 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "AF C3 23 0E 2B 41 D0 01"

[HKCU\Software\{DAF8B7E5-449D-4180-8281-10E536E597F2}]
"lv" = "1423130669"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "40 F6 E5 22 2B 41 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\GreenTree Applications\YTD]
"NextCheckAutoUpdate" = "1423134269"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\{DAF8B7E5-449D-4180-8281-10E536E597F2}]
"CheckInterval" = "3600"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
"WpadDecision" = "0"

[HKCU\Software\GreenTree Applications\YTD]
"ConvertDirectory" = "C:\Users\"%CurrentUserName%"\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "40 F6 E5 22 2B 41 D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process BEHelper.exe:1440 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "CA BC 38 36 2B 41 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{54FBE89E-C878-46bb-A064-AB327EE26EBC}" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{62DD0A97-FDD4-421b-94A5-D1A9434450C7}" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4A 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{CA8C84C6-3918-41b1-BE77-049B2BDD887C}" = ""

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{f894a29a-f065-40c3-bb19-da6057778493}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{58d2a791-6199-482f-a9aa-9b725ec61362}"
"savingsslider@mybrowserbar.com"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{32da2f20-827d-40aa-a3b4-2fc4a294352e}"
"saebay@mybrowserbar.com"
"{46eddf51-a4f6-4476-8d6c-31c5187b2a2f}"

The process Au_.exe:3976 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Malware deletes the following registry key(s):

[HKCU\Software\AppDataLow\Software\Browser Extensions]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

"IntranetName"

The Malware disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Extensions"

"Slick Savings"

The process Au_.exe:3828 makes changes in the system registry.


The Malware deletes the following registry key(s):

[HKCU\Software\AppDataLow\Software\Search Protection]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]

The Malware deletes the following value(s) in system registry:


The Malware disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"

The process ~spE38E.tmp:3172 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"InstallLocation" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"AppName" = "Button.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"

[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"(Default)" = "Browser Extensions"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"VersionMinor" = "4"
"URLInfoAbout" = "http://www.spigot.com"
"NoRepair" = "1"

[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"DisplayName" = "Browser Extensions"
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"

[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"cnid" = "937811"

[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{CA8C84C6-3918-41b1-BE77-049B2BDD887C}" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\saebay.xpi|1|{cnid : 937811, cnid_overwrite : true}|saebay@mybrowserbar.com|{f894a29a-f065-40c3-bb19-da6057778493}"

[HKCU\Software\AppDataLow\Software\Browser Extensions]
"cnid" = "937811"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CAE9BEC8-4723-4347-AFC6-25EE3326BA5B}]
"Policy" = "3"

[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"iedns" = "1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"AppName" = "Button64.exe"
"Policy" = "3"

[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\BEHelper.exe,0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"NoExplorer" = "1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"

[HKCU\Software\AppDataLow\Software\Browser Extensions]
"SS_Ver" = "2.6"

[HKCU\Software\Microsoft\Internet Explorer\Approved Extensions]
"{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}" = "51 66 7A 6C 4C 1D 3B 1B 5B C4 BA 28 E3 9E A9 03"

[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""

[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"(Default)" = "Browser Extensions"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{90E4CD0C-426F-4207-805B-7885AB32D43F}]
"Policy" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"VersionMajor" = "1"

[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{90E4CD0C-426F-4207-805B-7885AB32D43F}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"NoModify" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"(Default)" = "Browser Extensions"

[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"iecp" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CAE9BEC8-4723-4347-AFC6-25EE3326BA5B}]
"AppName" = "BEHelper.exe"

[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"ieeb" = "1"

[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{54FBE89E-C878-46bb-A064-AB327EE26EBC}" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\coupons.xpi|1|{cnid : 937811, cnid_overwrite : true}|savingsslider@mybrowserbar.com|{46eddf51-a4f6-4476-8d6c-31c5187b2a2f}"

[HKCU\Software\AppDataLow\Software\Browser Extensions]
"ISN" = "E0BCB5085EA24F7699566D8CEBD03DB5"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"

[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"Publisher" = "Spigot, Inc."

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CAE9BEC8-4723-4347-AFC6-25EE3326BA5B}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"DisplayVersion" = "2.6"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"Policy" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\uninstall.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"AppName" = "Button64.exe"

[HKCU\Software\AppDataLow\Software\Browser Extensions]
"(Default)" = ""

[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"ISN" = "E0BCB5085EA24F7699566D8CEBD03DB5"

[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons64.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"AppName" = "Button.exe"

[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories]
"(Default)" = ""

[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{62DD0A97-FDD4-421b-94A5-D1A9434450C7}" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\startpage.xpi|1|{dns : true, ntp :true, cnid : 937811, cnid_overwrite : true, dummy : true}|{58d2a791-6199-482f-a9aa-9b725ec61362}|{32da2f20-827d-40aa-a3b4-2fc4a294352e}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{90E4CD0C-426F-4207-805B-7885AB32D43F}]
"AppName" = "BEHelper.exe"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"Policy" = "3"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"Policy" = "3"

[HKCU\Software\AppDataLow\Software\Browser Extensions]
"Src" = "install"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"NoExplorer" = "1"

"(Default)" = "Browser Extensions"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Extensions" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\BEHelper.exe"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Approved Extensions]
"{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}"

The process uninstall.exe:1712 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISPluginW.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe,"

The process uninstall.exe:4024 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISPluginW.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe,"

The process exthelper.exe:676 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "AF C3 23 0E 2B 41 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

"WpadDecisionTime" = "75 6B 7C 23 2B 41 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "75 6B 7C 23 2B 41 D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
39d11c773b46d3084ef4aac1f9863146c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\FFMPEG.EXE
c1d1a3e711f0943527b3fc6f3c1b1f85c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Uninstall.exe
921b64a7dace4c93161b942b80b6b41bc:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\librtmp.dll
ded3aa6b7920334e6b334eaed3db96c5c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll
3c07164ceba1068ee3eff672d8e11eb6c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll
ab0a22194181d6d6ff01123dc9a376cec:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll
91074f5c7288c67eaed2c2c657e373d3c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll
43f19a5d4d42e3cd6514348ba5fbdd96c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll
a3297b187aba1024501007bce77eeec4c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll
04a21f5ee0a9c27ca5e5dae050f3d275c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll
d4f826e68b616cccc1de1e5ef07738b8c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll
46672363f47a25d69a5324045f4e8d63c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll
4088b4e4ea76db97544c76ef7f2af08cc:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll
416108272cc56d4036d5796fbb1b8f3cc:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll
350983ab596397b2d2703d658baeea8cc:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll
6d9fa70a05698e9b6aa1c6074def16e8c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll
3dee8d41db28133b3d00bfdf0fd16eafc:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll
ccc67f588880568bfd46c4b8140f41aac:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll
520e9ab3b16bb164542ce6305036d98bc:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe
aacddb459301cfe5498d9d862aac02d3c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CZBXF8H\YTDSetup[1].exe
1afbce9051d9a627097f04951b2765dbc:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISPluginW.dll
5d2940775446f6dd29e25ce192aec206c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\exthelper.exe
4f65a008acd242966d7e6ef4944e6fe0c:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe
fbb01457a61a080a2b42b77cf34f286cc:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spD451.tmp
be546e15ca59c448dc5e1346605d401fc:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spE38E.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    SP.EXE:1680
    %original file name%.exe:4048
    BrowserExtensionsSetupUAC.exe:1848
    YTDSetup.exe:1508
    ~spD451.tmp:2164
    BEHelper.exe:1440
    SearchProtectionStub.exe:1560
    Au_.exe:3976
    Au_.exe:3828
    ~spE38E.tmp:3172
    uninstall.exe:1712
    uninstall.exe:4024
    exthelper.exe:676

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal (9778 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4C62WHO\favicon[1].ico (1150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (324 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\yandex_ff.xml (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{38754113-2264-4057-B454-CF19832D9F10}.ico (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (64 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\searchplugins\yandex.xml (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\yandex_ie.xml (496 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\inetca.dll (804 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC35.tmp (2290 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\YTDSetup.exe (715970 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\UserInfo.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CZBXF8H\YTDSetup[1].exe (671764 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}\chrome\content (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AC.tmp (12592 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}\chrome\content (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\NSISCouponsPlugin.dll (18372 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\UserInfo.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC} (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}\chrome\content (4 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll (1552 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\LICENSE (1 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Uninstall.exe (8318 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1050.ini (14 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1049.ini (784 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\YTD Video Downloader.lnk (2 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll (3616 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll (1552 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1036.ini (14 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\UserInfo.dll (8 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\librtmp.dll (60186 bytes)
    C:\Users\Public\Desktop\YTD Video Downloader.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\SearchProtectionStub.exe (1828 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\System.dll (23 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll (19096 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\Web site.url (55 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1053.ini (13 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1034.ini (14 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1035.ini (13 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1048.ini (14 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1059.ini (784 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2074.ini (13 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll (1552 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\exthelper.exe (1826 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EE.tmp (733038 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1031.ini (14 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1055.ini (14 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll (1552 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2070.ini (14 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\FFMPEG.EXE (395158 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1043.ini (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NV3AJTKT\so[1].xml (7285 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2052.ini (12 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll (2392 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll (326900 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll (69435 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\scripts.yds (6360 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1030.ini (13 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\Uninstall.lnk (2 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1025.ini (15 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\manual.bat (57 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1038.ini (13 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1044.ini (13 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1040.ini (13 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1032.ini (784 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1045.ini (13 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1029.ini (13 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv3 (7 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv2 (784 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1051.ini (14 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res9999.ini (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISPluginW.dll (15982 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1061.ini (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\getCountry (2 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1060.ini (13 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1052.ini (13 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISHelper.dll (8801 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.Apachev2 (11 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe (51136 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1026.ini (784 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1033.ini (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\modern-header.bmp (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISdl.dll (31 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\nsDialogs.dll (21 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll (1552 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\SP.exe (33796 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\Uninstall.exe (15904 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF1A.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spE38E.tmp (1940 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF1A.tmp\SP.dll (33090 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF19.tmp (84143 bytes)
    C:\ProgramData\YTD Video Downloader\scripts0.yds (673 bytes)
    %Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\plugins.dat.1492 (1444 bytes)
    C:\ProgramData\YTD Video Downloader\scripts0.20150129 (22548 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\config.json (965 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome.manifest (192 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\redirects.js (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\savingsslider.xul (606 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\icon.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\icon.png (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\main.js (394 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\main.js (134 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\newtab.xul (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\saebay.js (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\spigot.js (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NV3AJTKT\update[1].xml (375 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\ebay.xul (569 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\main.js (374 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\spigot.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\prefs.txt (171 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\spigot.js (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\main.xul (681 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\install.rdf (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome.manifest (148 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\install.rdf (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome.manifest (125 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\prefs.txt (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\config.json (1235 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\icon.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\savingsslider.js (392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\ebay.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\config.json (213 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\startpage.js (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\prefs.txt (110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\install.rdf (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskD3C4.tmp\SP.dll (33090 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spD451.tmp (1162 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuD3B3.tmp (28806 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskD3C4.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\UserInfo.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57A.tmp (17495 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\NSISdl.dll (31 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\ping (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\BrowserExtensionsSetupUAC.exe (16750 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw7A8D.tmp (27289 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq7ABC.tmp\SP.dll (33090 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\NSISdl.dll (31 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Button.exe (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF7.tmp (64389 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\saebay.xpi (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\UserInfo.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\NSISCouponsPlugin.dll (18372 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons.dll (12088 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Uninstall.exe (17637 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\coupons.xpi (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons64.dll (13368 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Button64.exe (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\ButtonWrap64.dll (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\ping (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\ButtonWrap.dll (2392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\BEHelper.exe (19640 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\startpage.xpi (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb79C2.tmp (1568 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe (3589 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsqB4ED.tmp (1568 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4C62WHO\extconfig[1].xml (3777 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scr68B1.tmp (15 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Search Protection" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\SP.EXE /autostart"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Browser Extensions" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\BEHelper.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: GreenTree Applications SRL
Product Name: YTD Video Downloader
Product Version: 4.8.6.3
Legal Copyright: (c) 2014 GreenTree Applications SRL. All rights reserved.
Legal Trademarks:
Original Filename: YTDStub.exe
Internal Name: YTDStubInstaller
File Version: 4.8.6.3
File Description: YTD Video Downloader stub
Comments:
Language: Language Neutral

Company Name: GreenTree Applications SRLProduct Name: YTD Video DownloaderProduct Version: 4.8.6.3Legal Copyright: (c) 2014 GreenTree Applications SRL. All rights reserved.Legal Trademarks: Original Filename: YTDStub.exeInternal Name: YTDStubInstallerFile Version: 4.8.6.3File Description: YTD Video Downloader stubComments: Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409623130235524.448410bc2ffd32265a08d72b795b18265828d
.rdata28672449646083.59163f179218a059068529bdb4637ef5fa28e
.data3686411048810243.26405975304d6dd6c4a4f076b15511e2bbbc0
.ndata1474564505600d41d8cd98f00b204e9800998ecf8427e
.rsrc19251248912491524.76321571b2c67eb88f22b898e779f7a691ef9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://ytd4.greentreeapps.ro/kits/ytd/YTDSetup.exe
hxxp://ytd2.greentreeapps.ro/images/pixel.gif?action=install&point=start&cid=cb821f7c3eeccf6c312c56e821a0e91a&isn=F7DBCDBD737B449098794B4547AA6F06&kt=ytd
hxxp://ytd2.greentreeapps.ro/getcountry.html
hxxp://www.mybrowserbar.com/kits/EasyBundlingDLL/937811/so.xml?kt=ytd&rsv=3174.36.215.20
hxxp://www.mybrowserbar.com/kits/hlp/exthelper.exe174.36.215.20
hxxp://ytd2.greentreeapps.ro/api/rcsvc.php?kt=ytd
hxxp://ytd2.greentreeapps.ro/scripts/win/scripts-20150129.yds
hxxp://www.mybrowserbar.com/cgi/extconfig.cgi?cnid=937811&ver=2.3&rsv=3.2&kt=ytd&ot=ytdsanth&bver=39.0.2171.95&dbrw=Internet Explorer&cid=c0322acd5e5d42f0b163c591ee6ff5b9174.36.215.20
hxxp://www.mybrowserbar.com/gc/silent2.html?ot=ytdsanth&cnid=937811&kt=ytd&ext[]=cekonfccladjgbdhpgobceahgjdcdbod&ext[]=jloeihbcjbkgigodmcacomgfihpiaiip&ts=1423130670174.36.215.20
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.9.1/jquery.min.js
hxxp://plus.l.google.com/analytics.js
hxxp://www.mybrowserbar.com/favicon.ico174.36.215.20
hxxp://www.mybrowserbar.com/images/pixel.gif?isn=d78a223d20363802cfbd313af6e664df&ver=1.2&cnid=937811&ct=shagc&event=install174.36.215.20
hxxp://www.mybrowserbar.com/cgi/coupons.cgi/d78a223d20363802cfbd313af6e664df/937811/1.2/shagc?rsv=2174.36.215.20
hxxp://www.mybrowserbar.com/images/pixel.gif?isn=9d357cad646259e5aec21e92440c2512&ver=1.5&cnid=937811&ct=nthgc&event=install174.36.215.20
hxxp://www.mybrowserbar.com/cgi/nta/config.cgi/9d357cad646259e5aec21e92440c2512/937811/1.5/nthgc174.36.215.20
hxxp://www.mybrowserbar.com/images/pixel.gif?kt=ytd&ot=ytdsanth&cnid=937811&sil=1&cid=c0322acd5e5d42f0b163c591ee6ff5b9&cekonfccladjgbdhpgobceahgjdcdbod=1&jloeihbcjbkgigodmcacomgfihpiaiip=1174.36.215.20
hxxp://www.mybrowserbar.com/kits/sds/SearchProtectionStub.exe174.36.215.20
hxxp://update.mybrowserbar.com/kits/sds/update.xml108.59.13.14
hxxp://www.mybrowserbar.com/kits/sds/update.xml174.36.215.20
hxxp://update.mybrowserbar.com/kits/sds/SearchProtectionSetup.exe108.59.13.14
hxxp://www.mybrowserbar.com/images/pixel.gif?ct=ebd2&ies=3&eo=sgbe&cnid=937811&kt=ytd&isn=6D55661F1F404E278EE9A5E3F94B5F4B&tov=20&sbe=1&sds=1&shp=1174.36.215.20
hxxp://www.mybrowserbar.com/cgi/api.cgi/937811/CCF69B272FE54EE58735A380676F1DE4/vloc/20174.36.215.20
hxxp://ytd2.greentreeapps.ro/images/pixel.gif?action=install&point=finish&cid=cb821f7c3eeccf6c312c56e821a0e91a&isn=F7DBCDBD737B449098794B4547AA6F06&kt=ytd
hxxp://ytd4.greentreeapps.ro/images/pixel.gif?src=stub&kt=ytd&event=run&exit=0
hxxp://ytd4.greentreeapps.ro/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
hxxp://www.mybrowserbar.com/cgi/api.cgi/937811/CCF69B272FE54EE58735A380676F1DE4/vrst/20174.36.215.20
hxxp://ytd4.greentreeapps.ro/js/main.js
hxxp://ytd4.greentreeapps.ro/images/ytd-logo.png
hxxp://ytd4.greentreeapps.ro/styles.css
hxxp://fallback.global-ssl.fastly.net/js/250/addthis_widget.js
hxxp://ytd4.greentreeapps.ro/images/header-bg-repeat.jpg
hxxp://ytd4.greentreeapps.ro/images/header-bg.jpg
hxxp://fallback.global-ssl.fastly.net/static/r07/core181.js
hxxp://plus.l.google.com/ga.js
hxxp://update.mybrowserbar.com/update/wt/ie/coupons/update.xml?src=stub&cnid=937811108.59.13.14
hxxp://e3821.dspe1.akamaiedge.net/en_US/all.js
hxxp://plus.l.google.com/r/__utm.gif?utmwv=5.6.2&utms=1&utmn=1243149095&utmhn=www.ytddownloader.com&utmcs=windows-1252&utmsr=1683x901&utmvp=1683x804&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=YTD Video Converter&utmhid=380816574&utmr=-&utmp=/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0&utmht=1423130702591&utmac=UA-25210420-2&utmcc=__utma=135583929.141684822.1423130703.1423130703.1423130703.1;+__utmz=135583929.1423130703.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=2102772812&utmredir=1&utmu=qAAAAAAAAAAAAAAAAAAAAAAE~
hxxp://ytd4.greentreeapps.ro/images/top-header-bg.jpg
hxxp://ytd4.greentreeapps.ro/images/upgrade-pro-btn.png
hxxp://fallback.global-ssl.fastly.net/static/r07/widget/css/widget010.old.css
hxxp://update.mybrowserbar.com/update/wt/ie/coupons/BrowserExtensionsSetup.exe108.59.13.14
hxxp://fallback.global-ssl.fastly.net/static/r07/sh186.html
hxxp://fallback.global-ssl.fastly.net/static/r07/menu171.js
hxxp://fallback.global-ssl.fastly.net/static/r07/plugins/counter020.js
hxxp://fallback.global-ssl.fastly.net/static/r07/plugins/counter015.css
hxxp://fallback.global-ssl.fastly.net/static/r07/widget/img/widget010.old.32.top.png
hxxp://a749.dsw4.akamai.net/connect/xd_arbiter/DU1Ia251o0y.js?version=41
hxxp://a.ssl.fastly.net/url/shares.json?url=http://www.ytddownloader.com/&callback=_ate.cbs.sc_httpwwwytddownloadercom0
hxxp://a1294.w20.akamai.net/b?c1=7&c2=2000001&c3=1&rn=1hz14wz&c7=http://www.ytddownloader.com/thankyou.html&c8=YTD Video Converter&cv=1.7
hxxp://m.addthisedge.com/live/red_lojson/300lo.json?6iew35&colc=1423130703205&si=54d3404edc48256c&uid=54d3404fe20ab507&pub=ytdcs&rev=15.1&jsl=33&ln=en&pc=men&vpc=&dp=www.ytddownloader.com&fp=thankyou.html&aa=0&of=0&uf=1&nt=cs;5,ce;5,dc;319,dclee;319,dcles;319,di;316,dl;311,dle;5,dls;5,fs;5,lee;u,les;319,ns;0,rs;310,rspe;314,rsps;311,scs;u&pd=0&irt=0&ct=1&tct=0&abt=0&lt=347&cdn=0&lnlc=US&whcs=1&tl=c=347,m=356,i=402,xm=733,xp=736&pi=1&&rb=0&gen=1000&gen=100&callback=_ate.track.hsr&uvs=54d3404eae96086b000&chr=windows-1252&md=0&vcl=08.37.70.26
hxxp://www.yandex.com/favicon.ico213.180.204.62
hxxp://m.addthisedge.com/live/t00/mu.gif?a=sc&r=1&err=18.37.70.26
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?45d861ae400f132c
hxxp://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl64.18.20.10
hxxp://gs1.wac.v2cdn.net/baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnpGo=
hxxp://a1158.b.akamai.net/MFUwUzBRME8wTTAJBgUrDgMCGgUABBS856ddZAq5lE7vDJmoUDW1u98SMAQU3WyAfLq1MhelhEFA8NIEZhMvqZACFGozgiJkrf5JafrJHx/pwJ6+De+O
hxxp://ytd4.greentreeapps.ro/favicon.ico
hxxp://www.mybrowserbar.com/images/pixel.gif?isn=E0BCB5085EA24F7699566D8CEBD03DB5&ver=2.6&cnid=937811&ct=bekit&event=install174.36.215.20
hxxp://update.mybrowserbar.com/update/wt/ie/coupons/update.xml?cnid=937811108.59.13.14
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1294.w20.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?77e52b9fc60a860d
hxxp://gs1.wac.v2cdn.net/baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc=
hxxp://hostedocsp.globalsign.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68=
hxxp://www.mybrowserbar.com/images/pixel.gif?isn=E0BCB5085EA24F7699566D8CEBD03DB5&ver=2.6&cnid=937811&ct=bekit&event=uninstall174.36.215.20
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://a1294.w20.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://download.ytddownloader.com/kits/ytd/YTDSetup.exe5.79.67.100
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl87.245.202.16
hxxp://www.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=05.79.67.100
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=23.43.139.27
hxxp://api.mybrowserbar.com/cgi/api.cgi/937811/CCF69B272FE54EE58735A380676F1DE4/vloc/20174.36.215.20
hxxp://connect.facebook.net/en_US/all.js23.64.223.139
hxxp://www.google-analytics.com/ga.js173.194.113.206
hxxp://www.ytddownloader.com/images/pixel.gif?src=stub&kt=ytd&event=run&exit=05.79.67.100
hxxp://www.youtubedownloadersite.com/images/pixel.gif?action=install&point=finish&cid=cb821f7c3eeccf6c312c56e821a0e91a&isn=F7DBCDBD737B449098794B4547AA6F06&kt=ytd95.211.187.90
hxxp://www.ytddownloader.com/styles.css5.79.67.100
hxxp://www.youtubedownloadersite.com/getcountry.html95.211.187.90
hxxp://s7.addthis.com/static/r07/core181.js185.31.17.184
hxxp://www.ytddownloader.com/images/top-header-bg.jpg5.79.67.100
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js64.233.161.95
hxxp://www.google-analytics.com/analytics.js173.194.113.206
hxxp://m.addthis.com/live/red_lojson/300lo.json?6iew35&colc=1423130703205&si=54d3404edc48256c&uid=54d3404fe20ab507&pub=ytdcs&rev=15.1&jsl=33&ln=en&pc=men&vpc=&dp=www.ytddownloader.com&fp=thankyou.html&aa=0&of=0&uf=1&nt=cs;5,ce;5,dc;319,dclee;319,dcles;319,di;316,dl;311,dle;5,dls;5,fs;5,lee;u,les;319,ns;0,rs;310,rspe;314,rsps;311,scs;u&pd=0&irt=0&ct=1&tct=0&abt=0&lt=347&cdn=0&lnlc=US&whcs=1&tl=c=347,m=356,i=402,xm=733,xp=736&pi=1&&rb=0&gen=1000&gen=100&callback=_ate.track.hsr&uvs=54d3404eae96086b000&chr=windows-1252&md=0&vcl=08.37.70.26
hxxp://download.mybrowserbar.com/kits/sds/SearchProtectionStub.exe174.36.215.20
hxxp://s7.addthis.com/static/r07/plugins/counter015.css185.31.17.184
hxxp://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68=108.162.232.204
hxxp://webupdate.mybrowserbar.com/kits/sds/SearchProtectionSetup.exe108.59.13.15
hxxp://s7.addthis.com/js/250/addthis_widget.js185.31.17.184
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=23.43.139.27
hxxp://s7.addthis.com/static/r07/widget/css/widget010.old.css185.31.17.184
hxxp://ocsp.omniroot.com/baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc=93.184.220.20
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl87.245.202.16
hxxp://s7.addthis.com/static/r07/plugins/counter020.js185.31.17.184
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl87.245.202.16
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?77e52b9fc60a860d87.245.202.35
hxxp://s7.addthis.com/static/r07/widget/img/widget010.old.32.top.png185.31.17.184
hxxp://www.ytddownloader.com/images/header-bg-repeat.jpg5.79.67.100
hxxp://www.ytddownloader.com/images/ytd-logo.png5.79.67.100
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl87.245.202.16
hxxp://static.ak.facebook.com/connect/xd_arbiter/DU1Ia251o0y.js?version=4187.245.202.42
hxxp://www.ytddownloader.com/images/upgrade-pro-btn.png5.79.67.100
hxxp://www.youtubedownloadersite.com/images/pixel.gif?action=install&point=start&cid=cb821f7c3eeccf6c312c56e821a0e91a&isn=F7DBCDBD737B449098794B4547AA6F06&kt=ytd95.211.187.90
hxxp://api.mybrowserbar.com/cgi/api.cgi/937811/CCF69B272FE54EE58735A380676F1DE4/vrst/20174.36.215.20
hxxp://www.youtubedownloadersite.com/scripts/win/scripts-20150129.yds95.211.187.90
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?45d861ae400f132c87.245.202.35
hxxp://s7.addthis.com/static/r07/menu171.js185.31.17.184
hxxp://www.google-analytics.com/r/__utm.gif?utmwv=5.6.2&utms=1&utmn=1243149095&utmhn=www.ytddownloader.com&utmcs=windows-1252&utmsr=1683x901&utmvp=1683x804&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=YTD Video Converter&utmhid=380816574&utmr=-&utmp=/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0&utmht=1423130702591&utmac=UA-25210420-2&utmcc=__utma=135583929.141684822.1423130703.1423130703.1423130703.1;+__utmz=135583929.1423130703.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=2102772812&utmredir=1&utmu=qAAAAAAAAAAAAAAAAAAAAAAE~173.194.113.206
hxxp://api-public.addthis.com/url/shares.json?url=http://www.ytddownloader.com/&callback=_ate.cbs.sc_httpwwwytddownloadercom023.235.43.130
hxxp://ocsp.omniroot.com/baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnpGo=93.184.220.20
hxxp://b.scorecardresearch.com/b?c1=7&c2=2000001&c3=1&rn=1hz14wz&c7=http://www.ytddownloader.com/thankyou.html&c8=YTD Video Converter&cv=1.787.245.202.32
hxxp://vassg141.ocsp.omniroot.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBS856ddZAq5lE7vDJmoUDW1u98SMAQU3WyAfLq1MhelhEFA8NIEZhMvqZACFGozgiJkrf5JafrJHx/pwJ6+De+O88.221.132.153
hxxp://www.youtubedownloadersite.com/api/rcsvc.php?kt=ytd95.211.187.90
hxxp://www.ytddownloader.com/js/main.js5.79.67.100
hxxp://s7.addthis.com/static/r07/sh186.html185.31.17.184
hxxp://download.mybrowserbar.com/kits/hlp/exthelper.exe174.36.215.20
hxxp://www.ytddownloader.com/images/header-bg.jpg5.79.67.100
clients3.google.com173.194.113.201
translate.googleapis.com64.233.165.95
chrome.google.com173.194.113.198
www.googleapis.com74.125.143.95
clients2.google.com173.194.113.198
sb-ssl.google.com173.194.113.195
www.google.com.ua173.194.113.223
dns.msftncsi.com131.107.255.255
clients4.google.com173.194.113.201
s-static.ak.facebook.com23.64.210.110
www.gstatic.com173.194.113.215
ssl.gstatic.com173.194.113.215
apis.google.com173.194.113.201
time.windows.com64.4.10.33
clients2.googleusercontent.com173.194.113.203
lh3.googleusercontent.com173.194.113.202
ieonline.microsoft.com204.79.197.200

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /images/pixel.gif?ct=ebd2&ies=3&eo=sgbe&cnid=937811&kt=ytd&isn=6D55661F1F404E278EE9A5E3F94B5F4B&tov=20&sbe=1&sds=1&shp=1 HTTP/1.1

Host: VVV.mybrowserbar.com

Accept: */*

Accept-Encoding: gzip,deflate

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:05:00 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1093

Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Content-Type: image/gif

GIF89a.............!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:68AF816F211411E187C8D4C48A462294" xmpMM:DocumentID="xmp.did:68AF8170211411E187C8D4C48A462294"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:68AF816D211411E187C8D4C48A462294" stRef:documentID="xmp.did:68AF816E211411E187C8D4C48A462294"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..................................................................................................................................~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-, *)('&%$#"! .................................!.......,...........D..;..

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?77e52b9fc60a860d HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Fri, 12 Sep 2014 18:47:05 GMT

If-None-Match: "805a83f2b9cecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Fri, 23 Jan 2015 02:29:11 GMT

Accept-Ranges: bytes

ETag: "803565fb436d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 57591

Date: Thu, 05 Feb 2015 10:05:34 GMT

Connection: keep-alive

MSCF............,...................I.................6Fm. .authroot.stl......8..CK...<T...g.v!M.d..f.%d..}K..5......dM*K..J.,%K"...!..=.k..........{=/....{g.~...............'....6..N....w......(.$.>.7...........'.....`.bx....^..$.'.^.K.C......<b=J..u....@.....2..e....pr.....usXq.d.i.jF$.4.........KI.Q........A2m:..E.P|...(.^p..=G|.....m...... .6...H.e.....X'...%$r.Y.(..)........|...;...V^r.VM.._*X.I. ..4.....*.....Y..`.0w.u...c.i.[..-...x..<.8.<.p..,..y.[v.Yn`......!.s...4e......B...$.,..........w.Pd.)....,..#.%..h...8...`.A...8.i(.!.$/.=.....i.\X.H......"...a...k...y6....F.._?\*.&..3.AJo.!..`....9....=.p.u..u....f.f....w...?..S..I.;.....5._...F.f..G?$......."..kq.y'.6tJ.e%..G.n.....z<.pX"....1..g."........V:.H.-...!}LM..t..-.y.j&...n{..-.]H. .....A.O.Xg..B...#.f.-..V@.g..8.....Ov...ET..*.....T...}o._./S..h@$.....!.@.D....c...A1..#.:?."....1..v.....&G...?O1x6"5.@..$.U...n.J...w.Y.{..........E.N.&...&.rC..W.....M.........,.e.....&eI(/eSO.B..K...R. K...s.@9....Jv.....(..Y./;-..M5.0.H2.y....:...........a.U....%.S.).^....1.B..a..=...q...X .B....F.../..../.Z...'..t....C....,.^...N=..t%N|IC.#.)6...q.E.J.i.E.>....".L........>...Vy.7.jxx......G........._q.1^..H&.4Z......^.E.K 9.Xg...qO.6%>..T....;n..s.'u.-...=.........p..p.Rn.........=.......F........d. d.AR.0U..........9b...=N..#....c.Icz......u.0............Y.q..b.wYE.......R...s..W....r].....hT....k.g..[...s.....X..`=zb.>..../..=........J.N.h...(}.5.7. .;..=F..F...'.?..2...3...=...B..`....{...f.`Kb..@..`Z.0!^8.t..<l.j..lI.P.q.>k

<<< skipped >>>

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Wed, 28 Jan 2015 06:05:55 GMT

Accept-Ranges: bytes

ETag: "75565c7ac03ad01:0"

Server: Microsoft-IIS/8.0

VTag: 791666644800000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Thu, 05 Feb 2015 10:09:17 GMT

Connection: keep-alive

0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..150127173215Z..150428055215Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Y0... .....7......150427174215Z0...*.H......................YIw.. ..(..y..O.G].B.."?.@...[1.}.X...]...e.J....pP.I....!6...%.D.k...>c.|R.?.i..yt.z..B.........b....n..m5...0....2..I!)v....z....y.#pXz.DO.....mF...e.'e...@.%...6./.bPZ...=....bp..j....lo....4........T9j...S.7Q.@.W..@.. ...M....z....Q...{u. .W....

GET /update/wt/ie/coupons/update.xml?src=stub&cnid=937811 HTTP/1.1

User-Agent: SDS

Host: update.mybrowserbar.com

Accept: */*

Accept-Encoding: gzip,deflate

HTTP/1.1 200 OK

Server: nginx/0.7.65

Date: Thu, 05 Feb 2015 10:05:02 GMT

Content-Type: text/xml; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

177..<?xml version='1.0' encoding='UTF-8'?>.<cpupdate>. <libid>{40C6AC97-5316-4D22-BA61-3BF0D585FB22}</libid>. <url>hXXp://update.mybrowserbar.com/update/wt/ie/coupons/coupons_1.6.zip</url>. <ver>1.6</ver>. <setupurl>hXXp://update.mybrowserbar.com/update/wt/ie/coupons/BrowserExtensionsSetup.exe</setupurl>. <setupver>2.6</setupver>. <gc>1</gc>..</cpupdate>...0..

GET /images/ytd-logo.png HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: VVV.ytddownloader.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Thu, 05 Feb 2015 10:05:01 GMT

Content-Type: image/png

Content-Length: 34724

Last-Modified: Fri, 05 Oct 2012 14:07:53 GMT

Connection: keep-alive

Accept-Ranges: bytes

.PNG........IHDR.......x.....h.......tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:48617E8EC10BE2118B4BD91E24AB7A59" xmpMM:DocumentID="xmp.did:72065B650C8711E28A8AE4B10473ECB4" xmpMM:InstanceID="xmp.iid:72065B640C8711E28A8AE4B10473ECB4" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:48617E8EC10BE2118B4BD91E24AB7A59" stRef:documentID="xmp.did:48617E8EC10BE2118B4BD91E24AB7A59"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>O.......IDATx.....eYY'..s.........EA.[.6... .....c.8.[.........n.i[.g..F...F..i...V....(j...5"c}...|.s.yq#2.2.*....|U/.-..{.9....#.Rt.q.q.......\{\{\c.k.k..S....!......~....F.K.v....h..d0"$=*Fk.n...7...5}.........RPv....*%9..&..~z........@..;.G.?...x.qz}.zj..E...c.Z@i.qhff..sc-...)....777G.~..4.F._.f.. .Q=....$..~ ...<........6....>C..w.q.......#...<..........A.......`.L}.m.-.i.....~.....?.LEY.x8..hi&....LW..0......#..&..og....K...}@I\.<]... .p\~*!.x!...KU.:4...x.;.=.3....{.S*.EB...ovaq.J...1.5f.....W.$.wG...N....

<<< skipped >>>

GET /images/header-bg.jpg HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: VVV.ytddownloader.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Thu, 05 Feb 2015 10:05:01 GMT

Content-Type: image/jpeg

Content-Length: 123553

Last-Modified: Thu, 10 Oct 2013 14:08:34 GMT

Connection: keep-alive

Accept-Ranges: bytes

......Exif..II*.................Ducky.......Z..... hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows" xmpMM:InstanceID="xmp.iid:02967DEC099B11E388E0A65379C2936F" xmpMM:DocumentID="xmp.did:02967DED099B11E388E0A65379C2936F"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:02967DEA099B11E388E0A65379C2936F" stRef:documentID="xmp.did:02967DEB099B11E388E0A65379C2936F"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................j.......................................................................................!.1.AQ.aq".....2R...B#...r.3..b..c...S..C....$T.4Ds......................!1.AQ.......a.."2qR...B............?....\}6..1....D...au.lxW....~k.n^.....:q.a..HH.....&....Z.Ut...3.Y.i.3(\x......Qe$.Eg...'...x._R_?........xQ..J..?.]QQ8../...~./...e?........L]>..7.*|j.`71au.lxV.<.r...d. u.:t.1O.$$n...~.CMK.=z..|.....i.i.3b.......AQe$.$P.U.OE%.=W.......m..n.......[.....N..#.....

<<< skipped >>>

GET /images/top-header-bg.jpg HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: VVV.ytddownloader.com

DNT: 1

Connection: Keep-Alive

Cookie: __utma=135583929.141684822.1423130703.1423130703.1423130703.1; __utmb=135583929.1.10.1423130703; __utmc=135583929; __utmz=135583929.1423130703.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Thu, 05 Feb 2015 10:05:02 GMT

Content-Type: image/jpeg

Content-Length: 2458

Last-Modified: Fri, 05 Oct 2012 14:07:53 GMT

Connection: keep-alive

Accept-Ranges: bytes

......Exif..II*.................Ducky.......d.....ohXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:48617E8EC10BE2118B4BD91E24AB7A59" xmpMM:DocumentID="xmp.did:FC5012C60BCB11E2AA79CB95D10CA426" xmpMM:InstanceID="xmp.iid:FC5012C50BCB11E2AA79CB95D10CA426" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:48617E8EC10BE2118B4BD91E24AB7A59" stRef:documentID="xmp.did:48617E8EC10BE2118B4BD91E24AB7A59"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d..............................................................................................................................................................................................................................................!1....Aa....Q"q...2.......#3$....B.Cd5E..........................!#.1A."..a2.C....B3$.%.q.D..4d5E.8............?..}.4.i....#v...jq.[Lj.....]Hzc.=12..........<.....w.....t.E=..K...U......vt...-.x.hY.].j...#..de.t....yf. .".`.n.....a....i"8.C. ......A..aFs~.By..d..|..V.k.h.;'-.p.}..W.d.IM...v'...Z_.Ak]m

<<< skipped >>>

GET /static/r07/menu171.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: s7.addthis.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Thu, 22 Jan 2015 11:14:57 GMT

Content-Encoding: gzip

Cache-Control: public, no-check, max-age=86313600

Content-Type: text/javascript

Content-Length: 20323

Accept-Ranges: bytes

Date: Thu, 05 Feb 2015 10:05:02 GMT

Via: 1.1 varnish

Age: 1205260

Connection: keep-alive

X-Host: s7.addthis.com

X-Served-By: cache-fra1229-FRA

X-Cache: HIT

X-Cache-Hits: 785230

X-Timer: S1423130702.429801,VS0,VE0

Vary: Accept-Encoding

............}....0....$.#...")..AC.....8qc7n*..K.$a.....d..........l.=......".o.......m.........;....w...:K............<....3I..(.d. .....q..IY0.v......5....X...o.#^...B=..[W<.C..Y.y..e.;.7.fn...ix...u:......{.....bJ.D...A.8..N....0.5..j=.._....%....y..]...;..OL.8...[.r0K3.hDI#.. Q.$..e.... ..!Ha(....j.-......Ze......R.X(....v.A#.YEY..o.k......I....n......._^..4V.X.'N.-...1M.<J.x.;.,.,.h.8..q.....b.......5z.aop.X....^...x..\.......'Z.M.d............y8.#.Gi"{..M.....J../H.M.;@..v...-...h../.qLo^..yl.N..0)L.9...&4...N;.....>{SdQ2w=..... .Q...!...;.T.X.l./.....@-...z.`.L/..0" _..5)_'.M..W@. *_.|~..;Z>..._E......{.2.8.av..=..5,.Y...r......*K...`.y;py'..y...:A.i.......'.B...@.........._.p..0..&.O..WqT.0y^'_D3...hig. s..\oG....iV.....T,.`.sN?@....B..|.aox.<...c.<.....?,B.Aq...........H..@.!)...\>,.....(9.[.`..g...-t..,z .M.;.8.:.t..T.;...a..0..HM..Z..^....71L...(E<...z..%...%r..QJ....@...Gs!.....$p.....m.....Q.t^.E.A.....z>..$.."HiJ4*.((.:....G.u@&......7..^.f3..........P...`..v......%.'.0e..s.X.,..@1...&.Jl6.....;......)<...[...l^.../.1......;... 7'g......x..r........q.... :..z]6.......XX..,......9....2....k....z.ET.(@7.b=...L;s.R.I... .4vbM...cUtP....&A..}'.&.L...I...r.....k..47.<.."F.h.C.|..;9:j...K...'....t#..o.p*.*..@..u......^...Ah._....l].?:rr..L>H...k......&D....5.k....mPd.wE0..NPx......(......,&0."'............M...().,.11..X.N9.0.r.BD..f.8k*.V..[0"....TI...l......f.X....I.e.ta.Q\...~..N...a.v.N.....!.ZJ.].._)L(......OB.._..z..e..W.-<.O.L._..B...."...v.E.wfY...W..Z...

<<< skipped >>>

GET /ga.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: VVV.google-analytics.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 08:36:27 GMT

Expires: Thu, 05 Feb 2015 10:36:27 GMT

Last-Modified: Fri, 16 Jan 2015 00:55:08 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 16151

Age: 5314

Alternate-Protocol: 80:quic,p=0.02

Cache-Control: public, max-age=7200

............yW...8.?..|{.....S..7.(m.....Ms.dY.iB....%.g..A..$...y.z..%..<mm.I~2...3....k9Z.2.}5....G.........dx.O:.Nz'...:.....I*b.v.o..q....Bh..z6..V.|.})...H..Q.Y....@.a4....'...`....3i..RC.%..0.Fz..J{.'C/...#O\BP]..^..../e..<1..p0...&.i......f{..zm..'&.w1...:...Y:...........p....`.n4....vz.W....|\c.-GX...:...5.y..".F:.. $....'..b2......k....:.....e.. t-{..^.^.....P....3........d..6.nM...."...^..|..1z......dq.t.}.....I46..Kb....1..A...t...q.N.7zt .P.a......o:0.>..$Y..x:=.$.....r./..0........n.%.vA.Ke.*....P/.....My..\..t...J(WW....,.A..<Q..........E..e.(.K.$......uBa ..1..yN.v..E....D=...:..[...>..zX.l^.._..z C..o.......Mk.............^\.G.I?.7.[...l.l=..@.......;...e./y,.cR.w`.d_...0.L/..F.q` j......y.5L....Zp*....#w0.%....]..:T..W...l.4.1U.,.W~.q0.=XO.z'..f.,/e..K..P".F.e..^..9..S...1..1..J.. .4....WW....K..I..x......\....@..c]...tj..3w$...cA... XD..F.a.......3...?..41.!.w}..T 8...vj..(.....q.P...........S^r.......A..X.e.K=J.5,o..0..Q.|=.v..l........j..';...B..$..-....$Z.R.L.OB.tL/:....t..g[..:A......i..4o[e8..3grr..SJI...2...\YW..j3.^J%.................x.?.6...){...o..V.c.........@hi.8.=..jR....]....x^.`.<..7........y1..8...YT...iLm}..Ye7T. X..d..T L Ui.....q}........#....elF.........m.6-..[./.-.x[{5 ....,.<....b.e..aK\].VWMZ....{.x(....O........p..[3I.@....4.)..x...Fk......4.Z.i p.7..`>.o.Z..O*<.c.....i.f...fk.g....J..a..y.....c_.X..%..4.Gz.M$....j5oe.0......$T~..}....0FtC].`-...Z.O..V.:Z..54o.4...oI...... .) ..6*...Y.1......B..-._..{r..1]F.....f..|8..u.OY...38..}5.c.`.. ....`.

<<< skipped >>>

GET /r/__utm.gif?utmwv=5.6.2&utms=1&utmn=1243149095&utmhn=VVV.ytddownloader.com&utmcs=windows-1252&utmsr=1683x901&utmvp=1683x804&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=YTD Video Converter&utmhid=380816574&utmr=-&utmp=/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0&utmht=1423130702591&utmac=UA-25210420-2&utmcc=__utma=135583929.141684822.1423130703.1423130703.1423130703.1;+__utmz=135583929.1423130703.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=2102772812&utmredir=1&utmu=qAAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: VVV.google-analytics.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Thu, 05 Feb 2015 10:05:02 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35

Alternate-Protocol: 80:quic,p=0.02

GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-Allow-Origin: *..Date: Thu, 05 Feb 2015 10:05:02 GMT..Pragma: no-cache..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-store, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-Content-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2..Content-Length: 35..Alternate-Protocol: 80:quic,p=0.02..GIF89a.............,...........D..;..

GET /b?c1=7&c2=2000001&c3=1&rn=1hz14wz&c7=http://VVV.ytddownloader.com/thankyou.html&c8=YTD Video Converter&cv=1.7 HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://s7.addthis.com/static/r07/sh186.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: b.scorecardresearch.com

DNT: 1

Connection: Keep-Alive

Cookie: UID=120c9bfd-194.221.64.106-1384780341; UIDR=1384780341

HTTP/1.1 204 No Content

Content-Length: 0

Date: Thu, 05 Feb 2015 10:05:02 GMT

Connection: keep-alive

Set-Cookie: UID=120c9bfd-194.221.64.106-1384780341; expires=Wed, 25-Jan-2017 10:05:02 GMT; path=/; domain=.scorecardresearch.com

Set-Cookie: UIDR=1423130702; expires=Wed, 25-Jan-2017 10:05:02 GMT; path=/; domain=.scorecardresearch.com

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"

Pragma: no-cache

Expires: Mon, 01 Jan 1990 00:00:00 GMT

Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate

HTTP/1.1 204 No Content..Content-Length: 0..Date: Thu, 05 Feb 2015 10:05:02 GMT..Connection: keep-alive..Set-Cookie: UID=120c9bfd-194.221.64.106-1384780341; expires=Wed, 25-Jan-2017 10:05:02 GMT; path=/; domain=.scorecardresearch.com..Set-Cookie: UIDR=1423130702; expires=Wed, 25-Jan-2017 10:05:02 GMT; path=/; domain=.scorecardresearch.com..P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"..Pragma: no-cache..Expires: Mon, 01 Jan 1990 00:00:00 GMT..Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate..

GET /getcountry.html HTTP/1.0

Host: VVV.youtubedownloadersite.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 05 Feb 2015 10:03:53 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 2

Connection: close

UA..

POST /api/rcsvc.php?kt=ytd HTTP/1.1

Accept-Encoding: gzip,deflate

User-Agent: Primeport

Host: VVV.youtubedownloadersite.com

Content-Length: 544

Connection: Keep-Alive

Cache-Control: no-cache

j.=W....T..7q..qg...h.-....y.0...I..!.Pl.t.....y._.{)FK......T./...5W......7[T ..q...fPt........d!.;..T.w.". T".....a..........._.K.X....M.k..mI..|..j...z.v`JR..{Ri.LVk........ .#..`......1.....k;)..X..r...&c.l.:.....!&.a

.Z.....^.Y%..V.X..r...'Z.o.;..`._.}....../HY......8..b..Bb..S..&..I ..~...J~.d.j....eB.mS...Z....O..q.......Q..:.h.P.V...9..~1,y. .p;z.

.#..]5.%q..#.6=|....4RT2.p...5.w.....e.u..M.....PT..8....8..b..Bb..S...V...."]"...:u.B,.....W.w.N7....O!..e=.y.d.w..#...c...&...j........0b.g.......?G...ec....u.9 . .G. .K..s..\.'..

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 05 Feb 2015 10:04:28 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Content-Encoding: gzip

374...................VO..1......?W....S.Pp...H......~j...?.kosbvc~...^...A .w...z...'|_}..&w....%.J.:Zr....~.........mwy...q!....s../......5.oS..@}J.z..;xZw.t...%....$..f......].No._..........J....m.z....\.{.#.j..f{..V...t.../.....".\.....u..o..m.lXw...4.....b~.........'w...a...*...%.|....^.r.`.i..n...?)'........O...q..S.X..u&.Vs..l..k..].;...o..h.....Wj.....Y.i..P..........~_.z`:..WsR"...}...|.~..^.L..[.....ibB.......>J..P)...........R?. Uw.|9s..cF.>..U]......./........Q.@r...O) m.....&.>...3......A[.......f......L..n.pW..?nN.&M.5A....2n.g...*....v.......n.b....L.`.....E........<..[.V..S.........~.<....M/..Uz..?|..7i.yv.......S..?q...hZ.....Z.....~.!~.n.....s.V.0.w.....>..~.T.Q...G..e.{d.../.(....g.._...........tQ.~..le.....>..bX8So....s...i;......<.k....%..]8.....dU..'_u..e...r.........I..q...M{..7..B]5.#w......{........?Z..r/N..'.Cy}.~.. Yk........~....'....}L.{?...L."x.....0......

GET /scripts/win/scripts-20150129.yds HTTP/1.1

Accept-Encoding: gzip,deflate

User-Agent: Primeport

Host: VVV.youtubedownloadersite.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 05 Feb 2015 10:04:28 GMT

Content-Type: application/octet-stream

Content-Length: 175248

Last-Modified: Fri, 30 Jan 2015 14:41:23 GMT

Connection: keep-alive

Accept-Ranges: bytes

Y>8.F...#"..R..AC....Z..go B9..?r.$...A...0q.V.<S..~7...K...".Gn..u......vN.2.0..C.D....kd!.Af..@z..,4......9.....8.... .....C@R.Ny;... ..@.4.......:..,..U..R-.;..yeFz!...]:.....2.....h.....}.J..Y.).......2!.v.0.....Ej.n.=.z%".g.....o......52.q..........E..,.....>.......Xi...........".g...}...OXE.&dl... .\..j...$..PKLT.(.dp...2.....o..b........(._...m4W.R<..5.(#..Wt.....$...-....6*K..s...C........7.y.....Y.%:..X.4.....6.>.e...Xp...... B...wo.3].k.\....s(v...........R.bd[q....>...>.R......Q..].....qR.........2pfnY..i).~.|[.RP....I...Ro~.o!|.j.v...n..I.1x8I.m...i..-..{.c.N..{.rYb..j.R`..c<...1...N.Z...OZ.o.Ip.:C?...<o..]Hv..."|\?'!.y`.X.]R2.. .0..&/...b..)....s&-..)7.... ?]...].TS.-Z..q.?Q.L.......N.Z...OZ.o.Ip.:,.ih..q.D`....nd.v..q.:......4.......*.T...T..d/.a1C...l....QS...?.pcM.ySc.T..?el.I.....V.:wOU...... .}....]...Y...%pD.....y.Be...uHV..?.@9.........\b.l..*.'..5...d.Rv.iu..We..g..../.....7n...9_.wI...Z.o.Ip.:z..o......~. y..[..._4i".D..~ ...F4i.i..sx..^P...t>.S$m..y.^.........I-...z=... J.J@.S...d..|..l.........$dt.5..;.%...iO...F.4.pF.....w[..X}.]....g.%.....T...m..|&.7.X.w7Z..R.Q..E..j........F..z.Q.....n....5a.....eU...K.4c.@../...M.B.~.U..4.1f..#.dli...)g............}(y....!w..0...BK.A.>.p\.kv..4."..`U..z.........K.n..:LGa7U...m..<q!./..[..aP.F.Y4....|.4...w{G...f..f..Si..y0..Nb....z.M...o.......(....<Xk)./.l[.L.....CS...aO...........k....~O/..dLH..)..t-G>.Q..X.vd).~.......;.aH}G!B..Z ....S=.. |.t....CE.R..Z.`Hz'...;..s........q.........F.~.r.......H..p.i.....

<<< skipped >>>

GET /cgi/extconfig.cgi?cnid=937811&ver=2.3&rsv=3.2&kt=ytd&ot=ytdsanth&bver=39.0.2171.95&dbrw=Internet Explorer&cid=c0322acd5e5d42f0b163c591ee6ff5b9 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.mybrowserbar.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:04:30 GMT

Server: Apache

Vary: Host

Keep-Alive: timeout=30, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/xml; charset=utf-8

56e5..<?xml version="1.0"?>.<extensions>. <rsv>3.2</rsv>. <silent>true</silent>. <usepopup>true</usepopup>. <wait>true</wait>. <height>390</height>. <width>500</width>. <buttontext>Install from Chrome Web Store</buttontext>. <confirmbuttontext>Add</confirmbuttontext>. <captionwndtext>Add to Chrome</captionwndtext>. <screen><![CDATA[/9j/4QAYRXhpZgAASUkqAAgAAAAAAAAAAAAAAP/sABFEdWNreQABAAQAAABTAAD/4QNvaHR0cDov.L25zLmFkb2JlLmNvbS94YXAvMS4wLwA8P3hwYWNrZXQgYmVnaW49Iu 7vyIgaWQ9Ilc1TTBNcENl.aGlIenJlU3pOVGN6a2M5ZCI/PiA8eDp4bXBtZXRhIHhtbG5zOng9ImFkb2JlOm5zOm1ldGEvIiB4.OnhtcHRrPSJBZG9iZSBYTVAgQ29yZSA1LjAtYzA2MSA2NC4xNDA5NDksIDIwMTAvMTIvMDctMTA6.NTc6MDEgICAgICAgICI IDxyZGY6UkRGIHhtbG5zOnJkZj0iaHR0cDovL3d3dy53My5vcmcvMTk5.OS8wMi8yMi1yZGYtc3ludGF4LW5zIyI IDxyZGY6RGVzY3JpcHRpb24gcmRmOmFib3V0PSIiIHht.bG5zOnhtcE1NPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvbW0vIiB4bWxuczpzdFJlZj0i.aHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL3NUeXBlL1Jlc291cmNlUmVmIyIgeG1sbnM6eG1w.PSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bXBNTTpPcmlnaW5hbERvY3VtZW50SUQ9.InhtcC5kaWQ6ODVDOEQzNUVGRDE3RTQxMUFBMkNCMTA2NURERjkwRTIiIHhtcE1NOkRvY3VtZW50.SUQ9InhtcC5kaWQ6RkE5NEZGNzAyMjBDMTFFNDgxNUFGMkE1QkZGOTdFRjAiIHhtcE1NOkluc3Rh.bmNlSUQ9InhtcC5paWQ6RkE5NEZGNkYyMjBDMTFFNDgxNUFGMkE1QkZGOTdFRjAiIHhtcDpDcmVh.dG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENTNS4xIFdpbmRvd3MiPiA8eG1wTU06RGVyaXZlZEZy.b20gc3RSZWY6aW5zdGFuY2VJRD0ieG1wLmlpZDo4NU

<<< skipped >>>

POST /images/pixel.gif?kt=ytd&ot=ytdsanth&cnid=937811&sil=1&cid=c0322acd5e5d42f0b163c591ee6ff5b9&cekonfccladjgbdhpgobceahgjdcdbod=1&jloeihbcjbkgigodmcacomgfihpiaiip=1 HTTP/1.1

Accept-Encoding: gzip,deflate

Content-Type: text/xml

User-Agent: WidgiToolbar

Host: VVV.mybrowserbar.com

Content-Length: 1408

Connection: Keep-Alive

Cache-Control: no-cache

MDUvMDIvMTUgLSAxMjowNDozMCAgY2hyb21lIGlzIG5vdCBydW5uaW5nCjA1LzAyLzE1IC0gMTI6MDQ6MzAgIHN0YXJ0ZWQgY2hyb21lIHdpdGggcGFyYW1zIEM6XFByb2dyYW0gRmlsZXMgKHg4NilcR29vZ2xlXENocm9tZVxBcHBsaWNhdGlvblxjaHJvbWUuZXhlICAtLWZvcmNlLXJlbmRlcmVyLWFjY2Vzc2liaWxpdHkgLS1sYW5nPWVuLVVTIC0tZGlzYWJsZS1pbmZvYmFycyAtLW5ldy13aW5kb3cgImh0dHA6Ly93d3cubXlicm93c2VyYmFyLmNvbS9nYy9zaWxlbnQyLmh0bWw/b3Q9eXRkc2FudGgmY25pZD05Mzc4MTEma3Q9eXRkJmV4dFtdPWNla29uZmNjbGFkamdiZGhwZ29iY2VhaGdqZGNkYm9kJmV4dFtdPWpsb2VpaGJjamJrZ2lnb2RtY2Fjb21nZmlocGlhaWlwJnRzPTE0MjMxMzA2NzAiCjA1LzAyLzE1IC0gMTI6MDQ6MzIgIGluc3RhbGxpbmcgY2Vrb25mY2NsYWRqZ2JkaHBnb2JjZWFoZ2pkY2Rib2QKMDUvMDIvMTUgLSAxMjowNDozMiAgbm9udGhlbWVkCjA1LzAyLzE1IC0gMTI6MDQ6MzMgIGNsaWNrZWQgaW5zdGFsbAowNS8wMi8xNSAtIDEyOjA0OjM2ICBmb3VuZCB0aGUgY29uZmlybWF0aW9uIHdpbmRvdyB1c2luZyBhY2Nlc2liaWxpdHkKMDUvMDIvMTUgLSAxMjowNDozNyAgY2xpY2sgYWRkIGZhaWxlZCAwCjA1LzAyLzE1IC0gMTI6MDQ6MzcgIGdvdCBsb2NhdGlvbgowNS8wMi8xNSAtIDEyOjA0OjQxICBFeHRlbnNpb24gc3RhdGUgMQowNS8wMi8xNSAtIDEyOjA0OjQxICBpbnN0YWxsaW5nIGpsb2VpaGJjamJrZ2lnb2RtY2Fjb21nZmlocGlhaWlwCjA1LzAyLzE1IC0gMTI6MDQ6NDEgIG5vbnRoZW1lZAowNS8wMi8xNSAtIDEyOjA0OjQxICBjbGlja2VkIGluc3RhbGwKMDUvMDIvMTUgLSAxMjowNDo0MyAgZm91bmQgdGhlIGNvbmZpc

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:04:55 GMT

Server: Apache

Vary: Host

Cache-Control: max-age=604800

Expires: Thu, 12 Feb 2015 10:04:55 GMT

Content-Length: 0

Keep-Alive: timeout=30, max=99

Connection: Keep-Alive

Content-Type: image/gif

GET /analytics.js HTTP/1.1

Host: VVV.google-analytics.com

Connection: keep-alive

Accept: */*

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Referer: hXXp://VVV.mybrowserbar.com/gc/silent2.html?ot=ytdsanth&cnid=937811&kt=ytd&ext[]=cekonfccladjgbdhpgobceahgjdcdbod&ext[]=jloeihbcjbkgigodmcacomgfihpiaiip&ts=1423130670

Accept-Encoding: gzip, deflate, sdch

Accept-Language: en-US,en;q=0.8

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 08:22:16 GMT

Expires: Thu, 05 Feb 2015 10:22:16 GMT

Last-Modified: Fri, 16 Jan 2015 00:55:08 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 11479

Age: 6136

Alternate-Protocol: 80:quic,p=0.02

Cache-Control: public, max-age=7200

...........}iw.;..w..P.vW..2.NN.....'.I...,.$cb....1....gK.*0....^}.jk...,%<..T......B..H....j....G...p`..8I.{.=...L&&{.;7.i&....N...;oT(E...M6.....tlN.t..8.K....P.5t.V%....R.@.L.-3...$8..:....O.@...L..p..b..jldf...9.4.=.R.^..{.4..4...AS#Ip:.P.=*6..(.0..C%1.@......^....#3..i..V.`....@.1.'4..0..a.ZL..M8.g4..l..(9.......N..)wA..5.......{....4...(.%...\.R.=*........?...$.#....A7...I...F*....0..Q.>..~.....Q...4.c.N .Q...<.y....=.....4..F..@.%:..ue6....M{$.T...M .'..a..~Am._./.......5...|...&;.M..D.f...yW..ubZ..e...Tjsn.B'.sIm.;.%J^hT.....t..l:....>.T.j*..FM..gZ..2...za.2..M..S.d8..d.P...S..#..ZS.J...4U...m.I.g6.Tu.6..4iw..[.l...0m.....e6.Ghk..[}wW..~Tj%].;.{........x..................2U......g...p.s<....W..j....{..|.... V.r.GX.Y...;.i.y'.....O0...1&..c4j....f.P.l........lf.AA.`..O..8[Y.=L........u.*..7vR6<.-.~..-.k>.?W5t.b..wj.D..o.wC....-?U...4.vF..........Z.%.D...LV.#[..Vu..o......u..<uw. ..F@..........0z.4.f._..'uJ..Q..d.../.\LK.D7s.j...I(...MU..0..eF~.X...p.Ai......%4........O.....M230..mP..5%*..5(3..:......0..P.......MtC..3....\..m.xl...f.....#....6...>K..K...@.')vM&j..e.h..,(.U..C^H.C.rr=PD.@wx.R:.*&.E....d...q......{@D.h.].4u.C..i..?=4t.M.. .|...vG.4.F.......N.Ig.......$.....;....\^^.AD..i'.!......I.>1...7.?....V.x.xs...I...:.=.k...f.o..........D.f..o..I....J"u..6in.C...u?....8.s.k.b...ts}}0.. ..Q:.....d..|.X...TB'..R|..F..j].<:CD....!.L..j.t...P.....O{LH.F.%...?..DDS.z...?1w....S.I..P~T.#.....R......?. RLh....R..1...=jy.....j.jm.y.8u.(...}..%........F....&}..r..`..k.t..,...V

<<< skipped >>>

GET /live/red_lojson/300lo.json?6iew35&colc=1423130703205&si=54d3404edc48256c&uid=54d3404fe20ab507&pub=ytdcs&rev=15.1&jsl=33&ln=en&pc=men&vpc=&dp=VVV.ytddownloader.com&fp=thankyou.html&aa=0&of=0&uf=1&nt=cs;5,ce;5,dc;319,dclee;319,dcles;319,di;316,dl;311,dle;5,dls;5,fs;5,lee;u,les;319,ns;0,rs;310,rspe;314,rsps;311,scs;u&pd=0&irt=0&ct=1&tct=0&abt=0&lt=347&cdn=0&lnlc=US&whcs=1&tl=c=347,m=356,i=402,xm=733,xp=736&pi=1&&rb=0&gen=1000&gen=100&callback=_ate.track.hsr&uvs=54d3404eae96086b000&chr=windows-1252&md=0&vcl=0 HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://s7.addthis.com/static/r07/sh186.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: m.addthis.com

DNT: 1

Connection: Keep-Alive

Cookie: uid=54d3404fe20ab507; uvc=1|5; uit=1

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:05:03 GMT

Cache-Control: max-age=0, no-cache, no-store

Pragma: no-cache

Set-Cookie: di2=NJAMOF.UYM;Path=/;Domain=.addthis.com;Expires=Sat, 04-Feb-2017 10:05:03 GMT

Set-Cookie: bt=;Path=/;Domain=.addthis.com;Expires=Thu, 01-Jan-1970 00:00:00 GMT

Set-Cookie: dt=X;Path=/;Domain=.addthis.com;Expires=Sat, 07-Mar-2015 10:05:03 GMT

Expires: Thu, 01 Jan 1970 00:00:00 GMT

P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"

Content-Type: application/javascript;charset=UTF-8

Content-Encoding: gzip

Connection: close

...........O,I. )JL...(...V*NM.M. )V....Q*-...r.....|]..}]........J.* ?...L.@pX...R..5.[u|i[.....

GET /images/pixel.gif?action=install&point=finish&cid=cb821f7c3eeccf6c312c56e821a0e91a&isn=F7DBCDBD737B449098794B4547AA6F06&kt=ytd HTTP/1.0

Host: VVV.youtubedownloadersite.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 05 Feb 2015 10:05:01 GMT

Content-Type: text/html; charset=utf-8

Connection: close

GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.omniroot.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/ocsp-response

Date: Thu, 05 Feb 2015 10:06:06 GMT

Last-Modified: Thu, 29 Jan 2015 15:18:48 GMT

Server: ECS (frf/8799)

X-Cache: HIT

Content-Length: 1406

0..z......s0..o.. .....0.....`0..\0......`;.l.uZ..k.F..^|A.Tb..20150129064609Z0g0e0=0... ........./Ev..Y..].....x.#......Y0.GX....T6.{:..M....'.G....20141203203511Z....20150428204011Z0...*.H.............?.v..qY.8.[t.8..9-.g".hl..H3|Z..Vw.2.............Mt..DB@..s .8a......u............$].o...NK....9.qxd....}.n..WZU.Z7.....bH._...[.....c'.O.T(=..1G{.......G.U.=}C..$~.......v..OL.V....7p.8.z!..k...G`|>.J..I..R.S......'...>..&~.N...c...`[k..`.8....4.X...H0,G.....0...0...0...........'..0...*.H........0Z1.0...U....IE1.0...U....Baltimore1.0...U....CyberTrust1"0 ..U....Baltimore CyberTrust Root0...150114195242Z..160114195229Z0G1.0...U....US1.0...U....Cybertrust1#0!..U....Cybertrust-Validation-20110.."0...*.H.............0.........?....(Fb....G... ..=..(L..wK...04..I......C...1.Z......U.$b.f..Pa.....S...#..B.........^T..IP8..........h8GM..*.4.MP..../D4n.=ZTeH.B=kOT.v..2@F.2L..A...yn.4......fP...L...2.x....$..@@....q2...Uby.e......D....lf...C....ZP}O......7...mM..c.g..j.\.>.O....G.A........0..0... .....0......0...U.......0.0...U...........0...U.%..0... .......0...U.#..0.....Y0.GX....T6.{:..M.0...U......`;.l.uZ..k.F..^|A.Tb0...*.H.............n.h\Ch*G.c..yr..."._....J.-....j.t%..e.....(.h@.Z.7.a!m...sZH.N..>.S....K..........7wi3..x.D..l..ud.....CC......<.&.2. ..d...T.......;.S....\... ......m.6......#(.&....q.[z.........r..T....W...7ea.}..B.1........al.]i.F...-.0c...y.=?....E...........'>..O.._..

<<< skipped >>>

GET /js/250/addthis_widget.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: s7.addthis.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Thu, 22 Jan 2015 19:52:12 GMT

ETag: "310041b-29c1-50d4302104bff"

Content-Encoding: gzip

Content-Type: text/javascript

Content-Length: 4161

Accept-Ranges: bytes

Date: Thu, 05 Feb 2015 10:05:01 GMT

Via: 1.1 varnish

Age: 571

Connection: keep-alive

X-Referer-Domain: hXXp://VVV.ytddownloader.com

X-Host: s7.addthis.com

X-Served-By: cache-fra1240-FRA

X-Cache: HIT

X-Cache-Hits: 34087

X-Timer: S1423130701.810289,VS0,VE0

Vary: Accept-Encoding

...........:kw..... d.G%#."..wM..Iw7....N.i?(..EB..........;..E=...v.Y.......<.....y..D...A..t. ..s&I...;_..t..NV..`79.f.....S..N..z...Y].....|J$a....?#<X...$.....n!.<......iI..#..5.....!...n...jQur`z.......0.Z..}......{.U.W.......uI;..zY......\..N........._>.............#....).......%..z=.5..I.ge...E..._...T..........#..`Mj.......R......J.].%."Y...oXX..V..Y..........*N..i.u.*........R.o...R}.Yq...2..J.k.~..k9..zMV/.H............?..%X9.<?.,..9.4.e..(...I@d.........A...i.&S.B.?..kZ...@....x...k..~....i.@sa.....q.....cC. 5.n..'`D.*.N..)\..8. .%..1.L.....D...j\YS8.'.....{%..s.E...[..|.V../.....!|L'#.3f.T$>6A~..@......?...x.~...n.....?.0..n..._....-Y..J...t.J.T.y.H.....T$l......Z.....T.1.R.`/H......" ........PNV.... .... G.....f.....Tl...T.AR`..Hg ...8.".?q.a..x...f.9..Ns.......IJ}I.`..P.77 ...n.....y.6l.4.k.h..L.C..b.~`.(...q.s.S...m..C..U.-.......h"R..... ...Z...g`w;....xZ.T..2..."X....~..!....za.5 ..3...S....|,B@M.]... ..o..9..#.Q]......v.)....v..h...W.A2...0E...1h9...t{.T...K.5....a...Z.H...Ls.|8.`..mM...........I._....ci.......m.......<.8....-,...6..|~..oc....h....s..p..e...aU.|A....n.z..)M....LU...{..^.-.m.@...!..k&.....6.p..Y...s... h..C........`.......E.Am..j-...T.{......v.4.8.v.u....u.\...#.....l......u#.....:.l.>f.W......h..E..~wu.=.).y{ ...{.%.r....-;..H...@PX.V...-.l......Be...,....M..<-x.ws./C45.B.L.>5.H....&..|...`h......../.....`...0.=.......&....'^|.....-M.bR.@....<.......G.....4..4[,.ppJrl.$....'.0...,5]L.)~O....8&..K...>0...K..J.H>..R....Pd.Yr.9.7.....w.tyQ.

<<< skipped >>>

GET /static/r07/core181.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: s7.addthis.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Thu, 22 Jan 2015 19:51:58 GMT

Content-Encoding: gzip

Cache-Control: public, no-check, max-age=86313600

Content-Type: text/javascript

Content-Length: 75057

Accept-Ranges: bytes

Date: Thu, 05 Feb 2015 10:05:01 GMT

Via: 1.1 varnish

Age: 1174324

Connection: keep-alive

X-Host: s7.addthis.com

X-Served-By: cache-fra1240-FRA

X-Cache: HIT

X-Cache-Hits: 63641282

X-Timer: S1423130701.982167,VS0,VE0

Vary: Accept-Encoding

.............b.H.8..?O!..e...H.......\...r[rUw.4.@.$a....(Y..>...b.Gf".B..{~...."..... #v..a...n.s.....o..F..(..o.`./;..9.. ..x#.s.....1........f|.\r(....n....Z.....d.....Q.nm.@..d[[...y....T..q0.Wq...Z./...'i...u..q.o..x.1OF.,.xb.....rz.4M..E;HF.g.?}..............-Q.....m....E...{.Z......v..f..-.....r.c.2v//...ljj.........d(x.V2.~R%.............%/..,.'....ZNjG8... ...^....1i.....v..GE:...,.Eo.5.8"......9O-....E...,O.xR.U...?......d...u...@.....y........l.....)...U.E.l1.r..Y......#(4:....]..a........v..a.......v...r.ah.........FV..^....,..w .B..E...X..2.Huv..c|.....|X...-[.....l..|;vV.r..Vz."9..M...'.meA.-rhR.3."V..Tk2X...&.pj{.U;...`.m3.i.>.oN.v...].e4..y.Kf9/..[[. .K.....l_W.8.t.b....n..y4....$...f$T...M?..?.p.....-.$....g3sc.bf.3.k.F ...7J.b..D.-...R.^.....?.z{...I.....J.=......Z..nwwu)v.[....2,.(..au..,.....E.C&....^.....5.U.v...{..}.f.,@.O._.k...J.....`).. 0...V0K...F.%Tk...>.......b.......-...(......x...m.J..c....=q\.../..[......-.._.....I....x$g............O..V3C..|...`..X&.h.Bi... .&....I.gE.....~4sa....`....I.......e.mR..I.`.5.........G.&`..e.FR-ww;..g.u.v<.Q.I2...F..#&'...$q...8v.p..)..........O...O...D...........su`...r........?k.......aZ{.........I..D..........V7....ur....g...O?.^..?z.....7....>.....D....O.?9"Q..0....4.1.p.L.....}..q.8r.HG.P.N.........O.r..-..= ..F.].....4b....8.5N........g$T.W....7.#..N.K.......U.JA$W.m....j....z..........w..j...Yn.Fc.].S9..;..PV.5w............c...o...BI.....1.....p.C...4.az./...T..4V...D!.b".b(.b N..8...^..y.Y.8..sF$......q..4........a.i.8..........

<<< skipped >>>

GET /static/r07/widget/css/widget010.old.css HTTP/1.1

Accept: text/css

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: s7.addthis.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Thu, 22 Jan 2015 11:14:15 GMT

Content-Encoding: gzip

Cache-Control: public, no-check, max-age=86313600

Content-Type: text/css

Content-Length: 16960

Accept-Ranges: bytes

Date: Thu, 05 Feb 2015 10:05:02 GMT

Via: 1.1 varnish

Age: 1205337

Connection: keep-alive

X-Host: s7.addthis.com

X-Served-By: cache-fra1240-FRA

X-Cache: HIT

X-Cache-Hits: 64094798

X-Timer: S1423130702.331959,VS0,VE0

Vary: Accept-Encoding

...........}W..:.............EQ.*zc)..2Sz...%:..e.....@.Pf...lLe..t.|.=...w./..o..G...g.av..N...k...#p.......j..K..3E..mH......|w,..O.....,.O....}.$..t...\X..._........)y...L....~.v,.y.J...~V.L..R.Z..K....X...I..C...lK........C.y....OP..........~......d].....E.$........".....;.0?mG.u...;....2...|..MA7...q.].EL.a.O.\9.&..c.~...DQ....um.#......>.O.tl..,?y.....iQ;..... ..O.G..Re..%.....GD.2}......J.....c~..........-5...W..8..a...|._.CW...l...4,..8.'&.C..G..HD:#.....%Y.]!..p. ...............G]U...(8.`......!..xt-...x.w.V8....l.%.....Wl.|.-'.....('|(...(.........7M6N2.w../h.)|....K.............x.M.Qd3....|...p.E.........H..l...O.o.OQ...f4..t..d~fE.......)3.qEfg8.<].$.........B...8w.._....*..3.... .7..1]..aW.y.o.\k.......M~.>....\.......[.v.....u;o4....]6.....}....EY..c..4....Y..G.v....U~._......z.u...-.R.k.....a..b]n........?.E...}).......tO..r.....'..!. .d.iOB<}.<G.>.9..%...........I..w.,..]..<D.....[<.cU..4Y..w.9!.a.....r}4-m..z.4@..%.......$[Q. ..../u..t.....h..C.u.~...X.K........x.=.$ B`.9..o.KX..b%^..W.}.~..}%.W.....7_..5..i..kUb?.`...@....r.ZE._...%....*...*$...D...S.0...b.Z1H...VL^.B.)............!..Ib,._\A...G.._.}...'. ..a..n.............}...(l.]# .R../...P$.].!....O.z.?.!c .......a...:J....TE..@.. yP$.G.....g..&F.w....MP..t...B.....G..^..6..........5....X.eFB.|.r.......h.)~.9.P...?E...u..%.M[.....[...g.]Q....[.E...........&..].qe.<.$...../m.d.....|........>Q...H.........."..h.P...T...j.....[^Bj....}^.^.t...})Rf..e../...)..M.._...YM.|.pS...H.....5....#5..-...).JU..;.7|.!iq.j..)

<<< skipped >>>

GET /static/r07/sh186.html HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: s7.addthis.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Thu, 22 Jan 2015 11:14:02 GMT

Content-Encoding: gzip

Cache-Control: public, no-check, max-age=86313600

P3P: CP="NON ADM OUR DEV IND COM STA"

Content-Type: text/html; charset=UTF-8

Content-Length: 22035

Accept-Ranges: bytes

Date: Thu, 05 Feb 2015 10:05:02 GMT

Via: 1.1 varnish

Age: 1205337

Connection: keep-alive

X-Host: s7.addthis.com

X-Served-By: cache-fra1240-FRA

X-Cache: HIT

X-Cache-Hits: 65415257

X-Timer: S1423130702.391832,VS0,VE0

Vary: Accept-Encoding

...........}k{.F......f...!....!>..3.....Nf.....h..@..E.,...z....I%...o...}G_...../..}.......hY....~..wo_.Y'..?...............;.F...e.UI..Y...o.YG.....<^.....Q^.......-..U..6j..:.._..nWiV..Z.^.x! [(..a..,.YGm...a|..N.T.......:j.$M...y......|9.Egy|wT.w...Y.]/.....(O...>.a)..:..4...*..v..[UT&E}T..T.....sx..T.|...................,.h...}..q...v....s.....)E...QxF..(..:."...^.ex....Td.z9.X.%.8@W.L........2..Y...yP_L..........t.@..0M..Z...n....H q.......n....t .......j............iN...We.Q).4...............x.Z.3..Z7..#.L...t.......K...q..v.!. .."......l....lQ =....4X'Y..Gi..h..'T>....#......5ORa9..C.U8.....*..i1~.l.,..0.:.......[CD...;...yUg..]..n.dKU.0..s.4.hi...(.0...d..y9j*Q.Z.$....|-..a%l...8...e.k5.n..5..==*...o.W...q......{*..e.j<.EU.M...E.z..GOF^.....N.zyu......H..3.,..K..h.V.mV.*.........x$nE.B."/h...9..Q;..v..e.].DZ....]......O.>{~.9..;F..X.c..g.7...c.X\RsaF?...Fm=.;.P.!.....q.X.]....r.....N.....fw..b....O..O..^Nf..................7..~<.b...O...J.......L.?.I.......P./v.....&.9.?&\......?C.d....N.*'....n...,.F.......0..L........,.TIz..Z...o.....!......7?[...b.....Sl3.E....8u.........w&..4..Y#...U.X9[$.;.)V.....EU./.*\PE ....a/..c...]d..o.Q....r.&.|.i"q@.@Cu`).q...\a....a'...!bT..m-V..-.Z.D(V...i..5iz....BMP....6.,\.>.D.N......x..(3..L.v2..f._3n3.....*U.B;..\.Dh'..m.v...6.f?.n3.....,.M.o.X.x..s.aR.O&..^.>..... C.....n<[...IbY$,..hA.Z|./..eX-..R:B..,.E..DT...7.`:....%.D.R...}.........!..{e$n.......*.m.._..hT....0.-J8...!. 8.I.f...g.........g..r.a..t. .h......w...Y..I.K...:..J...=.&.

<<< skipped >>>

GET /static/r07/widget/img/widget010.old.32.top.png HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: s7.addthis.com

DNT: 1

Connection: Keep-Alive

Cookie: uid=54d3404fe20ab507; uvc=1|5; uit=1

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Thu, 22 Jan 2015 11:15:10 GMT

Cache-Control: public, no-check, max-age=86313600

Content-Type: image/png

Content-Length: 4769

Accept-Ranges: bytes

Date: Thu, 05 Feb 2015 10:05:02 GMT

Via: 1.1 varnish

Age: 1205210

Connection: keep-alive

X-Host: s7.addthis.com

X-Served-By: cache-fra1240-FRA

X-Cache: HIT

X-Cache-Hits: 15406581

X-Timer: S1423130702.766587,VS0,VE0

.PNG........IHDR... .........k.......PLTE.....................................................Y.................e.."..@..9..#..&......................................x..............C..z.....H........i.....G...u..w..w.....s..r..C..S..q.^r..p..o..L..,.....e..X..G..D..X..H..d.V ..........=..<..}.n*.iM.R)..~.}..xZ.ma.XYnnnv]A]..a.._r.Z|?XXXJ..8..,r.@w.0.....Pu.Tiv5m7.h.1h.,hw.h..h.LXuDXX0X..T..M9.I..((..%.......IIHHH.8E.F..(@.(*...g>e]E7......8HSC@^888:#O/Pp.JW&8G%(;(((.........%.......IDATx......6...G.r.pe..!{oK]$..$........N...c..o...;..........g.Z.UO....,._.....0.....z_.r..E.|..j....l.l..g=...9`P...#.P..@...:...X..h.S.....E.U........H.A `.c...|-@.e.3.O~O..oX..Lt..N.r.(a...o{`...z.(?.......y..X(..~...Z\k....-.x...............935..R*D.........H..P..e...(..\...%@c.~<S..r.....8...K...`?..!ufZ..9..!...M......e...xz..2.....<..'=..........-(..d....d.J.4.......bG0..>.j.|...'.....`K...u....N.Z.....P..9...s...zZ...a'.7A.A...3.p$.U.K...c.@.....8e..}...x.nO......rh..0.:....k...5...8m....`..3.84.?..^..=.-.G.`j.P.Y@.v..z........:.,.../.D.L..@?..x......C9.......0q.....Ff.Q........6 ..*....u7..E..x...d....<x..p...i...#@P...j.*Q.N.N:.....K.C...a..j.i.a.D..-4AX.F.V.t7..m.!...$.....-..,M.I.P8..Pi6..^..L..x............V..xV.....`6.......A....j.....^..-O...fL.6.k?.....u....@....'"........(..3...LTT..k............[7...6....$./.N..?....96y.i...9V..y..;.........sg.c........~.N.\.%.o.l.....6..5...T.Wb...i.....4..[.......?ZFI#.~.'8....XZ..l....(e.4I...........WC=...[.......W..'.N|S7.0........Ho.....%..Gq..Ij.z..A.....mm

<<< skipped >>>

GET /kits/ytd/YTDSetup.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: download.ytddownloader.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Thu, 05 Feb 2015 10:03:51 GMT

Content-Type: application/octet-stream

Content-Length: 11127472

Last-Modified: Wed, 14 Jan 2015 15:21:11 GMT

Connection: keep-alive

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................p.......B...9............@.......................... )...........@.................................d........@(..............................................................................................................text....o.......p.................. ..`.rdata...*.......,...t..............@..@.data....~..........................@....ndata....!..0...........................rsrc........@(.....................@..@.reloc........).....................@..B........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....-G..H.P.u..u..u.....@..K...SV.5.-G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h..F.W....@..u.W...u....E.P.u.....@._^3.[.....L$...-G...i. @...T.....tUVW.q.3.;5.-G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5.-G.r.[_^...U..QQ

<<< skipped >>>

GET /MFUwUzBRME8wTTAJBgUrDgMCGgUABBS856ddZAq5lE7vDJmoUDW1u98SMAQU3WyAfLq1MhelhEFA8NIEZhMvqZACFGozgiJkrf5JafrJHx/pwJ6+De+O HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: vassg141.ocsp.omniroot.com

HTTP/1.1 200 OK

Server: nginx

Content-Type: application/ocsp-response

Content-Length: 1765

Last-Modified: Thu, 05 Feb 2015 10:00:43 GMT

ETag: "8e644f2ffdb4851fac4f1eaf5eac8ffd9b9f390d"

Cache-Control: public, no-transform, must-revalidate, max-age=339752

Expires: Mon, 09 Feb 2015 08:27:36 GMT

Date: Thu, 05 Feb 2015 10:05:04 GMT

Connection: keep-alive

0..........0..... .....0......0...0..........[us..Ni......f....20150205100043Z0w0u0M0... ...........]d...N....P5....0...l.|..2...A@...f./....j3."d..Ii...............20150205100043Z....20150209100043Z0...*.H.............A...........B..L^.(..qk..A?..p*\i9T...4......t..........q......`..&...-.h.S?.-...4..K.n(.'A.._..$.g lD;.X|. .A.Dw.....{)B.h(...........s)....A..n<.D.<.Q.7...2xd..LX... ..?...$.:'.%...C...}d.MQ.c..P.t.\&!..(..B..6.U.pw_....R.z......D*B...Al8..^...9.............0...0...0...........=......Ri..\..(.{..0...*.H........0..1.0...U....NL1.0...U....Amsterdam1%0#..U....Verizon Enterprise Solutions1.0...U....Cybertrust1.0,..U...%Verizon Akamai SureServer CA G14-SHA10...140410115548Z..150410115548Z0..1.0...U....NL1.0...U....Amsterdam1%0#..U....Verizon Enterprise Solutions1.0...U....Cybertrust1806..U.../Verizon Akamai SureServer CA G14-SHA1 Responder0.."0...*.H.............0.........f..).1.............Z.45..l. IB..r`...f....h.....h..._i'...J....|.c....E.D0bg.b.v..........:Q....W._U.w..3....i...k........t.....m.CO$..j@.....>..Q.m......1/Z.r......L..a.n..;..KoIY.......fk{..c..d...IU.......zy.X...zp...F.1..F......b...Z...=9.o...N.fL.%Z.........H0..D0... .....0......0L..U. .E0C0A.. .....>..0402.. ........&hXXps://secure.omniroot.com/repository0~.. ........r0p06.. .....0..*hXXps://cacert.a.omniroot.com/vassg141.crt06.. .....0..*hXXps://cacert.a.omniroot.com/vassg141.der0...U...........0...U.%..0... .......0...U.#..0....l.|..2...A@...f./..0...U..........[us..Ni......f..0...*.H.............Fk:..%..H.:.|P.

<<< skipped >>>

GET /kits/sds/update.xml HTTP/1.1

User-Agent: SDS

Host: VVV.mybrowserbar.com

Accept: */*

Accept-Encoding: gzip,deflate

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:04:58 GMT

Server: Apache

Transfer-Encoding: chunked

Content-Type: text/xml; charset=utf-8

b9..<?xml version='1.0' encoding='UTF-8'?>.<SearchProtection>. <updatecheck path='hXXp://webupdate.mybrowserbar.com/kits/sds/SearchProtectionSetup.exe' ccv='198' />. </SearchProtection>...0..

GET /connect/xd_arbiter/DU1Ia251o0y.js?version=41 HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: static.ak.facebook.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

X-Content-Type-Options: nosniff

X-XSS-Protection: 0

Content-Encoding: gzip

X-FB-Debug: zGxUGTr28XP7LnfwC2GGF OIn6bjOuos9aNngxqem9Pi37XxlKarvu0z350i8DLG2VlRRxBUVhfLuq5OHNeTcA==

Vary: Accept-Encoding

Content-Length: 9955

Cache-Control: public, max-age=30775202

Expires: Wed, 27 Jan 2016 14:45:04 GMT

Date: Thu, 05 Feb 2015 10:05:02 GMT

Connection: keep-alive

...........}y..F....) nB.C.....TK..r..|...d.d.k.M.$.P.(.".>....h.....{./...Y]U]W....W.^~....V.........y..y./_3...df.L.,k.J.,..w<..$.'V...O/...E[..%..."..p._Z~.-.<.[..M-{..my...Y..9{..l.......t...<Lb....b...("y.&.V.../...N.$u...).r .,lc%...}>.c...w.RkDY:..d......O..O. .\N.@0.;.9.......(.(......e.0.)...k.....v'......t9......v..;..:.....~uV\...n.(..Q..!..w...w..9.Z1_..!.......[w,Zr.{Bft..X.9.;sC....!.y......".O.......4......S..p.0{..;1.n....i..8.1... -<(`........-h.?...f.J*O..R.$.[.4.....'....ZN.....H~...m.)...us...?nn....vz.r....5....y...._.u..p...8xe!P..`.c..CK.{g&....H..z,..|....[.*...*v.B..@........(.j.4.\.{.F....D....d.N\N.B.DS..4,.ud..d...N.<..$...._A...bX!;p2.Z...y~..X..C`..q..'d.C0z....&E.....Q.3<... ..w`.s........No...[..S...9ow..m.{.../;.m......Ak.%..q.F..]..8..lA......XR@.........e%.N....R..D..d...hL..'.h...!. p. .....L)*.zB..Q.J.k...D......^.tj.0..@... ...1Q5...J.....H..V..hL..Gd.Z,....3d....;.......... .(.....$......B).B\.X.Y.....7t'.P.3......T...e...c...k;.4...2./-D..aLN..-P.lpYo.E......q.N......H`....u.l.....L.p...e....v..;...,s:n.)9.!K.#].u.U..W..Rj...ie/...v%..-..Do.t d........)..s.%..-Vma...$.B.....\.1MR.....i.*.N...V...5...D....1.r.....5..W.....;djY\.V......a..;..-...8.4W..}..Z....L*..X~........R...e....i.^H.zAl.D.2>.H....@B.]....rGJ:..H.^.t=j$|.8..!.E...............E.0..B.L....p...............l..G.i.!i^.=...{.o.a...8 V;.5...p.w....\1.i....A..m...F......w....#....?=...7.^.Z..R..........r........`Q.~y...........h. .iw...O.......MH..;...(d....,.=.t...^.]P.......@....5.c.

<<< skipped >>>

GET /update/wt/ie/coupons/BrowserExtensionsSetup.exe HTTP/1.1

User-Agent: SDS

Host: update.mybrowserbar.com

Accept: */*

<<< skipped >>>

GET /ajax/libs/jquery/1.9.1/jquery.min.js HTTP/1.1

Host: ajax.googleapis.com

Connection: keep-alive

Accept: */*

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

X-Client-Data: CIS2yQEIpLbJAQiptskBCMG2yQEInobKAQjxiMoB

Referer: hXXp://VVV.mybrowserbar.com/gc/silent2.html?ot=ytdsanth&cnid=937811&kt=ytd&ext[]=cekonfccladjgbdhpgobceahgjdcdbod&ext[]=jloeihbcjbkgigodmcacomgfihpiaiip&ts=1423130670

Accept-Encoding: gzip, deflate, sdch

Accept-Language: en-US,en;q=0.8

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Type: text/javascript; charset=UTF-8

Last-Modified: Fri, 08 Feb 2013 15:35:10 GMT

Date: Wed, 04 Feb 2015 11:37:07 GMT

Expires: Thu, 04 Feb 2016 11:37:07 GMT

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 32819

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=31536000

Age: 80844

Alternate-Protocol: 80:quic,p=0.02

............{{...7...."........o...v..q.[cg'-E..HPBL....RD....[kf0.Pq.~.sNZ.....f......._..M...wg.?...vG.<8z2.........E...q...:z..GT.._.f.....t.de.....uT..b.|.o6iv..._E..:.F.x...O..6..*?QUp....2U.4..6I.<.T.%.E>....R1....4^..tIm...ZE.{5..3..<.....|4.3.D-.r.-o..]......4[$....:Z...UUP_...........|....z.mF.r...f......Q..?..-3.0..F..^.F....l.O........\..f.|1..t..NG2U.}tz.jxz.^G.o......./^\.>......#*........../.../........|zp2{...N.3*....~.\../O'...g...g.;.~.M.Tx..,g.....).y..w*@...i.^...]........2 ..n;.\.'..'/f....*.4:..oP...f..]Ul..2^.....V........V.P.N....z......o3z.........aC..,.....K.\p...x......WiY%YR.v.*..^.......<_oVI..a>*.xq....$8>....u%......n ..V?.Q.:..4....o.~.g..Q...S_..Y.....G)..T.".......<......&...*..Z.t%..s@it5..y.c.....p.h...X.*/. .H.....){4U.y...I`..&-.. y.....L.O....Lf..X<..1M.w.xD;;.....3zgn...'S.....g.~3Jn.9-..... .....3..A..e#.....".-i.S..].9..3..=GE..,..R*.gs..j.M..0.._'.u......E.|.....K.Q'FY.H^..'.(.OK.\.-.T...8...Q....v||5J..Vq.}{.K2..K..z.R....o_..G..t.L....NF.W.}....."{.NLP|.T_........j..,P..q.Q..o..<.x...Q..t=..$nJ.%:S...,..N...*.......d.`....M...)....T.7....|$...[......E..h.......`b.......iQ.w...-n>.=OIw..*........H...r.....h..V.Aj..&t..9M..is.j.t]~../...ik......l.p.....mT.=[E..7v....n./$...y=T.X.s...J......j.w.W.|.x..F..*..:....>K...d....f..........&...7./.2-..P......j.?X.p.....9u.Ae.0...D.....~f.......&...l6..3......i}.(.. m.Je.x...p5.:..d...gWz...G..@.*\.2/*..............>...g..`...w....f.....\.D...#D...E.%.......G..s`K.*.WI...NI.......LeO...&

<<< skipped >>>

GET /kits/sds/SearchProtectionStub.exe HTTP/1.1

Host: download.mybrowserbar.com

Accept: */*

Accept-Encoding: gzip,deflate

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:04:56 GMT

Server: Apache

Last-Modified: Mon, 19 Jan 2015 14:12:15 GMT

Accept-Ranges: bytes

Content-Length: 532232

Content-Type: application/x-msdos-program

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................p.......B...9............@..................................i....@.................................d...........x...............8............................................................................................text....o.......p.................. ..`.rdata...*.......,...t..............@..@.data....~..........................@....ndata...P...0...........................rsrc...x...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....-G..H.P.u..u..u.....@..K...SV.5.-G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E...VhL.@..]M..YY.....3.FV....@..&...h0.@..=M..Y.u...@.@........9].u%.....G....@.G.3.A.S....M......G.........@.G......G.......u..4...G...3.;....#M....D........4...G.........F..5D.@.;.t.QP...U....F.;...~...RP...u...j.......u...Vh..@...L......u.V....@.....I....E.....h..@..YL..Y.2...

<<< skipped >>>

GET /live/t00/mu.gif?a=sc&r=1&err=1 HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: m.addthisedge.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 204 No Content

Date: Thu, 05 Feb 2015 10:05:03 GMT

Cache-Control: max-age=0, no-cache, no-store

Pragma: no-cache

Connection: close

GET /cgi/nta/config.cgi/9d357cad646259e5aec21e92440c2512/937811/1.5/nthgc HTTP/1.1

Host: VVV.mybrowserbar.com

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Accept: */*

Accept-Encoding: gzip, deflate, sdch

Accept-Language: en-US,en;q=0.8

Cookie: _ga=GA1.2.1138944218.1423130672

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:04:50 GMT

Server: Apache

Vary: Host

Keep-Alive: timeout=30, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/xml; charset=utf-8

ce..<?xml version="1.0" encoding="UTF-8"?>.<dea>. <url>hXXps://search.yahoo.com/search?fr=spigot-nt-gc&ei=utf-8&ilc=12&type=937811&p={searchTerms}</url>. <vulcun_offer>0</vulcun_offer>.</dea>...0..HTTP/1.1 200 OK..Date: Thu, 05 Feb 2015 10:04:50 GMT..Server: Apache..Vary: Host..Keep-Alive: timeout=30, max=100..Connection: Keep-Alive..Transfer-Encoding: chunked..Content-Type: text/xml; charset=utf-8..ce..<?xml version="1.0" encoding="UTF-8"?>.<dea>. <url>hXXps://search.yahoo.com/search?fr=spigot-nt-gc&ei=utf-8&ilc=12&type=937811&p={searchTerms}</url>. <vulcun_offer>0</vulcun_offer>.</dea>...0..

GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.msocsp.com

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:06:06 GMT

Content-Type: application/ocsp-response

Content-Length: 1757

Connection: keep-alive

Set-Cookie: __cfduid=daa641d14fedb9c0747aed2e3ae47fdce1423130766; expires=Fri, 05-Feb-16 10:06:06 GMT; path=/; domain=.msocsp.com; HttpOnly

Last-Modified: Mon, 02 Feb 2015 23:13:04 GMT

Expires: Fri, 06 Feb 2015 23:13:04 GMT

ETag: "32dc2dc5ade4e5867c219925d83ebab0609e8b04"

Cache-Control: max-age=345599,public,no-transform,must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1b3e4b1d1a680bff-AMS

0..........0..... .....0......0...0..........<.|7...@N6p.I.e|..20150202231304Z0..0..0L0... ........&."f........{5.....t..Q.$&..h"W.& ;Fb.{.....Z..w...d..\.-....w.....20150202231304Z....20150206231304Z."0 0... .....0......20140202231304Z0...*.H.............B.....>#..;n5{?Z..aq.S(.~.F. ...KU.<.....@..=;|...!.%@.":.Y.E.VN....S..p97..L|;.......~...~..../5..%.r?...Hy.h3......>g.'..>....q..j..p.:..S=s..q..j.P!6p..9T.v,.d.....$!.....Z..$m].(......n....... 9...';S...]}v.....Q.g...Iu...{......Z....E;.@.v....?<g|........0...0...0..........Z..~..M..<ZYJ....~.0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft IT1.0...U....Microsoft IT SSL SHA20...141229205745Z..150314205745Z0!1.0...U....Should be ignore by CA0.."0...*.H.............0...........&!(..$.K...."=f....x.d.._s.....j....9`..l.Z..............^f..u......-e.&.bG.(i.Q...........bEy...^7A...A..c....CF-&...e.7..7F....."..w...y.:..`.w{~..D.x*.......x3Os......q...... S.fB .ig.....L..3......4E..}..7...M....e ...6.M.O.....<5:......r.....]..A.5........0..0...U..........<.|7...@N6p.I.e|0...U.#..0...Q.$&..h"W.& ;Fb.{...0...U...........0...U.%..0... .......0... .....7....0.0... .......0... .....0......0...*.H..................sa....^`.U.h.....(c[..j.|. ..#....3.5.?..L.....Z....J......*.w...w.$.z..Y.d.....l.....G#.....o.\t.......(.B =..P..T....0./P.....z.3....L.O3....z...Wxo..~.OeH....c.i.@."..?d.......=v(.....m..LN..PP....<.}T.X......K.&e.S...|....% ...(F.=k..~.j..C......4.....

<<< skipped >>>

GET /en_US/all.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: connect.facebook.net

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

ETag: "e7a53c95dea3821e936847030459760f"

Content-Type: application/x-javascript; charset=utf-8

Timing-Allow-Origin: *

Vary: Accept-Encoding

Content-Encoding: gzip

Content-MD5: OwvuCluN9SXnDHn1UJMFUA==

X-FB-Debug: U5mvkYE3qNXtolM8JJLDfrzyq1VZrnmJHuKfvIo0V4MhGfXMfIIfgOr2ifF8QS9gRdHcm/2 DMPXFyFDBmEH5A==

Content-Length: 52552

Cache-Control: public, max-age=1200

Expires: Thu, 05 Feb 2015 10:25:02 GMT

Date: Thu, 05 Feb 2015 10:05:02 GMT

Connection: keep-alive

............{..../...^..$.1.(J..4...%.....=.l(....H... %Q..k..[..h. %'.s~.l.......U.U.G?.?99=>y..i........x..g..<.'....../._<..I..o?....u..O.......gQ.?/}.:a;.....N....K..'I.--&.pV.....i..?*. .5.%.E..ZC..|>......T..Y.g....N.~.....o...........M4..7..?...R.r1.A.%.-...u0 %.....$. u..b.N.&..S.\....&4t.t.G.RM..p.=.......y..8....`.)....(.f.M..Rd..Lr..i....k.EEhtz..p<./?h(...e.........?..S..f.|1...f..q..r.....,.ZD..k.....T..m.u.u.O.o:.Q..F...:....$.G.4...nI..qw1B..v....s.P..1........j?H>.L...i8./.....v..E..........9Y.F.y....&.M..l.....<..S. N.Z(M.y.....B..m.c.=.M]y}.W.......2.....:.'.y..xC.y...vQc....WQcT....&.w..~st..:AB]*...~......!.. ..........d.5.)C}.e...].W..0.$...,F..^...Fe..x^..au.H...}........xC....&.V&M.Nv3....>..|9..KZ......... .S..ai..j'.t.9...Z.....&}..O....4.pD....@.....%.6Q......7.Y.$..........M.......c.]h7...`.N..E.T.{.TR..N....o~.....l.....L0.........Je.R..R4)..G......F..(..U...?j`...{.......>.xH.......cr4!{zc..dR..I...4.^R=....;.4$...).y..u8[..Cf..n...\p..h.....C.......y....h.x#o`..e@(.W....G..c.&.....1.03.... .o?_..-.......Gj?zUs..?..4.W.F$C.......G......H.|xL....`.{......F....M3.fa...y.....@i.Hp...D.4...Ji=^.....|.....f5.O$..f=.\......_.....)bKg....i.u.vw.d:.....7...gTw*..N_.....:.3..>...o.Y4..(.F..T3t.F.@*q..ZI.?.RTg...,.A..#.xm...8h.Z$.,.......Qu...4dy)..q.T....<.y...l.y@..=...V.....:w.....?0......v|}|.i1n...5...n].h.).DG.....C..`....IY>......^..3..4=(...]. ..D .<....D..(p.q.eL.9z4..).F..R.f..P..J.......!....Q......$$Y.....`7a..&...$. Q?.(..#..].._A.....3U.ak.

<<< skipped >>>

POST /cgi/api.cgi/937811/CCF69B272FE54EE58735A380676F1DE4/vrst/20 HTTP/1.1

User-Agent: WidgiToolbar-198-937811

Host: api.mybrowserbar.com

Accept: */*

Accept-Encoding: gzip,deflate

Content-Length: 623

Content-Type: application/x-www-form-urlencoded

<drq><auth><ccv>198</ccv><cnid>937811</cnid><isn>CCF69B272FE54EE58735A380676F1DE4</isn><ct>20</ct><dlid>1033</dlid><lngid>1033</lngid><wv>6.1</wv><brw><ie>10.0.9200.16521</ie><ff>29.0.1</ff><gc>39.0.2171.95</gc><dbrw>Internet Explorer</dbrw></brw></auth>

<vrst><isn>CCF69B272FE54EE58735A380676F1DE4</isn><cnid>937811</cnid><code_ver>198</code_ver><type>install</type><ct>20</ct><src>12</src><cid>c0322acd5e5d42f0b163c591ee6ff5b9</cid><cmdline>"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spD451.tmp" /fpd /cnid 937811 /runbe /iebf=15 /ffbf=15 /noeh /dsie /dsff /dsgc /register /seprotect /hp /wait /ntp_ie /S</cmdline></vrst></drq>

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:05:01 GMT

Server: Apache

Pragma: no-cache

Cache-control: no-cache

Transfer-Encoding: chunked

Content-Type: text/html

Expires: Thu, 05 Feb 2015 10:05:01 GMT

2b..<drp><auth>. <scv>198</scv>.</auth>.</drp>..0..

GET /images/pixel.gif?action=install&point=start&cid=cb821f7c3eeccf6c312c56e821a0e91a&isn=F7DBCDBD737B449098794B4547AA6F06&kt=ytd HTTP/1.0

Host: VVV.youtubedownloadersite.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 05 Feb 2015 10:03:53 GMT

Content-Type: text/html; charset=utf-8

Connection: close

GET /cgi-bin/CRL/2018/cdp.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: VVV.public-trust.com

HTTP/1.1 200 OK

Server: Apache/2.2.15 (CentOS)

Last-Modified: Wed, 04 Feb 2015 20:30:01 GMT

ETag: "200c0-420-50e490d42fd35"

Accept-Ranges: bytes

Content-Type: application/x-pkcs7-crl

Connection: Keep-Alive

Date: Thu, 05 Feb 2015 10:06:43 GMT

Content-Length: 1056

0...0......0...*.H........0u1.0...U....US1.0...U....GTE Corporation1'0%..U....GTE CyberTrust Solutions, Inc.1#0!..U....GTE CyberTrust Global Root..150204203344Z..150510203844Z0...0....'.x..110110211653Z0....'....141119195306Z0....'B...141119195752Z0....'....141119200006Z0....'1-..150204203232Z0....'.:..071121154528Z0....'.v..080219183346Z0....'....080514142515Z0....'....080515170349Z0....'....080924143337Z0....'#...081203144336Z0....''j..090209174351Z0....'b...100414181148Z0....'....080917150432Z0....'#...081203144209Z0....'#...081203144241Z0....'#...081203144304Z0....'%u..081203144409Z0....'/9..090318130930Z0....'8...090715181853Z0....'TU..100113191852Z0....'k...101130163724Z0....'.B..111107193907Z0....'@...141119200409Z0....'....080917150312Z0....'....140709175318Z0....'....141210173900Z0....'-E..141119195854Z0....'....141119200037Z0....'F...141217193909Z0....'F...141217193956Z..0.0...U........0...*.H............&O......@<7.@..a%~Uy.A.u.F...........?..a.wqf?.....U......m^....%..4.>....}.). ..%...GD....S...Y.L.D~....t{..@....^N..q..&EXR.p,HTTP/1.1 200 OK..Server: Apache/2.2.15 (CentOS)..Last-Modified: Wed, 04 Feb 2015 20:30:01 GMT..ETag: "200c0-420-50e490d42fd35"..Accept-Ranges: bytes..Content-Type: application/x-pkcs7-crl..Connection: Keep-Alive..Date: Thu, 05 Feb 2015 10:06:43 GMT..Content-Length: 1056..0...0......0...*.H........0u1.0...U....US1.0...U....GTE Corporation1'0%..U....GTE CyberTrust Solutions, Inc.1#0!..U....GTE CyberTrust Global Root..150204203344Z..150510203844Z0...0....'.x..110110211653Z

<<< skipped >>>

GET /static/r07/plugins/counter020.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: s7.addthis.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Tue, 05 Aug 2014 18:10:35 GMT

Content-Encoding: gzip

Cache-Control: public, no-check, max-age=86313600

Content-Type: text/javascript

Content-Length: 3552

Accept-Ranges: bytes

Date: Thu, 05 Feb 2015 10:05:02 GMT

Via: 1.1 varnish

Age: 15058791

Connection: keep-alive

X-Host: s7.addthis.com

X-Served-By: cache-fra1243-FRA

X-Cache: HIT

X-Cache-Hits: 11063027

X-Timer: S1423130702.450932,VS0,VE0

Vary: Host,Accept-Encoding

...........Z.s.6..Wd..B.`JJ_.*..M.i..]..>h<...$......W..~....d;n....H<.....>..E..Z...l.c...h.......>..p...U(.2K....<..G.......gK.:....;.x..>`....u..0.c.....BU.B.^.T.J,...M...z.......>c..u.D....5.............xo`..<#..^.0......[.......{.....`R..:.......x."...~.P..STZ.l)........=.EY!eT...L.0..k.C._....U..N[z.3 ..m..._.v...t...x..."..z..RP...(......~_.Q....r.{.&H..j.".i..8.Z...L.~..........b. *H...EdKM...h.'j..R...~... ...u#@..V.e.a4n.?rJ........{!.V...x....j...;..&R.`..."K..w.. D.^*}.r/8;..IG'....%C...Ox..R.. .&.&..$. ...<[.]..5h..........Ei{ .....-......7..]... &9].1.=.......Y.,......9..=....!.w.\......_...i..$..5.4.......Y...d....F3a".7.-..<....ER.I=/...K..xHx....J...w....k\...g.........[Cb@.z;p.'.9J......<\ aw.......\,W.zOG.G4.....b....yA....(z:....b...?I..o.Qwo..`q0T.<)c8@..7... R/...x...P.p..N.t..."..$...t..x....q0.$..........^JX.Tg.....F.....=.f...HF'...x)W\nD.#.VO........^.#K..g.....-.<.sP....Gm.......1.2......}d,...{yh... .5..t;.H.n..9<8i.$`"@.!5.;q....jOttv J..e#.^_.....v...Zo....[^..7O....Ad.......$_P......ZC.T..V....b.M...p......5..`.Q.r)s8x.E.....$b.~...c|6....,.f4........n...,C.c&.D...xJl........m.\)....e....#6.@b.....h........}..&U...ctXj.B....C.......i.......~..A....Xs?8..v.f...Ko / h.._...d......(..s....So8\....%...0..>...p]..:M.Uq_Ro0.n.^....T.S...c.m......u.Z4..[y.^ .......#.!XqH.@.....R..g.....@%.[u-?...>........r.`P....&m*......B..%.w..62..Ck;....)..H.....B.,M..BaPvR.U....,.B.....f.... .....-8.x....@@~-.........ti..k...$X....A|....N...t.h..8.,.

<<< skipped >>>

GET /images/pixel.gif?isn=E0BCB5085EA24F7699566D8CEBD03DB5&ver=2.6&cnid=937811&ct=bekit&event=install HTTP/1.0

Host: VVV.mybrowserbar.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:05:05 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1093

Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Connection: close

Content-Type: image/gif

GIF89a.............!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:68AF816F211411E187C8D4C48A462294" xmpMM:DocumentID="xmp.did:68AF8170211411E187C8D4C48A462294"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:68AF816D211411E187C8D4C48A462294" stRef:documentID="xmp.did:68AF816E211411E187C8D4C48A462294"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..................................................................................................................................~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-, *)('&%$#"! .................................!.......,...........D..;..

POST /cgi/api.cgi/937811/CCF69B272FE54EE58735A380676F1DE4/vloc/20 HTTP/1.1

User-Agent: WidgiToolbar-198-937811

Host: api.mybrowserbar.com

Accept: */*

Accept-Encoding: gzip,deflate

Content-Length: 486

Content-Type: application/x-www-form-urlencoded

<drq><auth><ccv>198</ccv><fcv>198</fcv><cnid>937811</cnid><tbcnid></tbcnid><isn>CCF69B272FE54EE58735A380676F1DE4</isn><ct>20</ct><dlid>1033</dlid><lngid>1033</lngid><wv>6.1</wv><brw><ie>10.0.9200.16521</ie><ff>29.0.1</ff><gc>39.0.2171.95</gc><dbrw>Internet Explorer</dbrw></brw></auth>

<vloc><type>install</type><key>1</key><key>3</key><key>2</key><key>4</key><key>5</key><key>6</key><key>7</key><key>8</key><key>9</key><key>10</key><key>11</key><key>14</key><key>15</key></vloc></drq>

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:05:01 GMT

Server: Apache

Pragma: no-cache

Cache-control: no-cache

Transfer-Encoding: chunked

Content-Type: text/html

Expires: Thu, 05 Feb 2015 10:05:01 GMT

453..<drp><auth>. <scv>198</scv>.</auth>.<vloc>. <li>. <key>1</key>. <value>hXXp://yandex.ru/yandsearch?clid=1782899&text={searchTerms}</value>. </li>. <li>. <key>3</key>. <value>hXXp://yandex.ru/yandsearch?clid=1782899&text={searchTerms}</value>. </li>. <li>. <key>2</key>. <value>hXXp://yandex.ru/yandsearch?clid=1782899&text={searchTerms}</value>. </li>. <li>. <key>4</key>. <value>hXXp://yandex.ru/yandsearch?clid=1782899&text=</value>. </li>. <li>. <key>5</key>. <value>hXXp://yandex.ru/yandsearch?clid=1782899&text={searchTerms}</value>. </li>. <li>. <key>6</key>. <value>hXXp://VVV.yandex.ru/?clid=1782898</value>. </li>. <li>. <key>7</key>. <value>hXXp://VVV.yandex.ru/?clid=1782898</value>. </li>. <li>. <key>8</key>. <value>hXXp://VVV.yandex.ru/?clid=1782898</value>. </li>. <li>. <key>9</key>. <value>359</value>. </li>. <li>. <key>10</key>. <value>undef</value>. </li>. <li>. <key>11</key>. <value>937811</value>. </li>. <li>. <key>14</key>. <value>tru

<<< skipped >>>

GET /update/wt/ie/coupons/update.xml?cnid=937811 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: update.mybrowserbar.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/0.7.65

Date: Thu, 05 Feb 2015 10:05:05 GMT

Content-Type: text/xml; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

177..<?xml version='1.0' encoding='UTF-8'?>.<cpupdate>. <libid>{40C6AC97-5316-4D22-BA61-3BF0D585FB22}</libid>. <url>hXXp://update.mybrowserbar.com/update/wt/ie/coupons/coupons_1.6.zip</url>. <ver>1.6</ver>. <setupurl>hXXp://update.mybrowserbar.com/update/wt/ie/coupons/BrowserExtensionsSetup.exe</setupurl>. <setupver>2.6</setupver>. <gc>1</gc>..</cpupdate>...0..

GET /favicon.ico HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.yandex.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:05:03 GMT

Content-Type: image/x-icon

Last-Modified: Wed, 04 Feb 2015 14:33:16 GMT

ETag: "54d22dac-47e"

Accept-Ranges: bytes

Content-Length: 1150

............ .h.......(....... ..... ............................~...............................................................................................................{............................................................................................................................................................PP..((.....................................<............................ii..................................................................%%.................................f....................//..\\..CC..................................................AB..{|...........................................................*...............(.............................f................8N..............*A.................................................._y..........8Y.........................<............................Y|..Ai..Lr.................................................................................................................................................x...............{............................................................................................................................HTTP/1.1 200 OK..Date: Thu, 05 Feb 2015 10:05:03 GMT..Content-Type: image/x-icon..Last-Modified: Wed, 04 Feb 2015 14:33:16 GMT..ETag: "54d22dac-47e"..Accept-Ranges: bytes..Content-Length: 1150.............. .h.......(....... ..... ............................~...............................................................................................................{........

<<< skipped >>>

GET /kits/EasyBundlingDLL/937811/so.xml?kt=ytd&rsv=3 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.mybrowserbar.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:03:54 GMT

Server: Apache

Vary: Host

Keep-Alive: timeout=30, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/xml; charset=utf-8

bd80..<?xml version="1.0" encoding="UTF-8"?>.<so>..<rsv>3</rsv>. ....<o>....<n>sgbe</n>....<nos>&tov=20&sbe=0&sds=0&shp=0</nos>....<rk />....<c>....<![CDATA[..<!DOCTYPE html>..<html>...<head>....<meta http-equiv="MSThemeCompatible" content="yes" />....<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">....<script>.....window.onerror = function() { return true; }.....function regularLinkClick() {......window.event.returnValue = false;......external.OpenLink(window.event.srcElement.href);.....}.....var strTOV = '20';.....var setupURL = 'hXXp://download.mybrowserbar.com/kits/sds/SearchProtectionStub.exe';.....var cmdBE = " /runbe /iebf=15 /ffbf=15 /noeh";.....var cmdDS = " /dsie /dsff /dsgc /register /seprotect";.....var cmdHP = " /hp /wait /ntp_ie";.....var ehURL = "hXXp://download.mybrowserbar.com/kits/hlp/exthelper.exe";.....var ehCmd = "";.....function UpdateCommandLine().....{......var cmdLineParams = "";......var statsParams = "";......if (document.getElementById("express").checked) {.......statsParams = "&sbe=1&sds=1&shp=1";.......cmdLineParams = cmdLineParams cmdBE;.......cmdLineParams = cmdLineParams cmdDS;.......cmdLineParams = cmdLineParams cmdHP;.......ehCmd = "/ot ytdsanth";......}......else {.......statsParams = (document.getElementById("cbBE").checked ? "&sbe=1" : "&sbe=2");.......statsParams = statsParams (document.getElementById("cbDS").checked ? "&sds

<<< skipped >>>

GET /images/pixel.gif?isn=E0BCB5085EA24F7699566D8CEBD03DB5&ver=2.6&cnid=937811&ct=bekit&event=uninstall HTTP/1.0

Host: VVV.mybrowserbar.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:08:06 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1093

Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Connection: close

Content-Type: image/gif

GIF89a.............!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:68AF816F211411E187C8D4C48A462294" xmpMM:DocumentID="xmp.did:68AF8170211411E187C8D4C48A462294"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:68AF816D211411E187C8D4C48A462294" stRef:documentID="xmp.did:68AF816E211411E187C8D4C48A462294"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..................................................................................................................................~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-, *)('&%$#"! .................................!.......,...........D..;..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=442940, public, no-transform, must-revalidate

Last-Modified: Tue, 3 Feb 2015 13:06:37 GMT

Expires: Tue, 10 Feb 2015 13:06:37 GMT

Date: Thu, 05 Feb 2015 10:09:13 GMT

Connection: keep-alive

0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20150203130637Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20150203130637Z....20150210130637Z0...*.H...............qZ.0.B.:."m..L[.J......~9X.......?1.S....{....,..2...I.R...g.c.vM.?.._o}......0......?.0f"K..t.%....Z&.].O....A..u..\..,-/.;L)I........'.....F...z.4.......F......'.s..=...W....v....Z.s....he..V.`V.gJ/.....A.".....Oa..M..z...H.Bz......7......Ju.s...K...g]....0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=485119, public, no-transform, must-revalidate

Last-Modified: Wed, 4 Feb 2015 00:53:58 GMT

Expires: Wed, 11 Feb 2015 00:53:58 GMT

Date: Thu, 05 Feb 2015 10:09:13 GMT

Connection: keep-alive

0..........0..... .....0......0...0........6?s....V....OlL".O..20150204005358Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20150204005358Z....20150211005358Z0...*.H...............CJ.....Txt..y.....x...n...4...'..y8..=Yy.Y.u-.. .T.....Q#..i_....h....3`.. .p.S.h.....<;.....#mG.v.s...{..U...`......&...x....4.nf..(.....g..R..|T........9..K.Q.\........a,..x.....{B..........ew.v.............1..y..s.....\..P..w....SV......<..)c.Z.....fx...#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H

<<< skipped >>>

GET /kits/sds/update.xml HTTP/1.1

User-Agent: SDS

Host: update.mybrowserbar.com

Accept: */*

Accept-Encoding: gzip,deflate

HTTP/1.1 301 Moved Permanently

Server: nginx/0.7.65

Date: Thu, 05 Feb 2015 10:04:58 GMT

Content-Type: text/html

Content-Length: 185

Connection: keep-alive

Location: hXXp://VVV.mybrowserbar.com/kits/sds/update.xml

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/0.7.65</center>..</body>..</html>..HTTP/1.1 301 Moved Permanently..Server: nginx/0.7.65..Date: Thu, 05 Feb 2015 10:04:58 GMT..Content-Type: text/html..Content-Length: 185..Connection: keep-alive..Location: hXXp://VVV.mybrowserbar.com/kits/sds/update.xml..<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/0.7.65</center>..</body>..</html>....

GET /kits/hlp/exthelper.exe HTTP/1.1

Host: download.mybrowserbar.com

Accept: */*

Accept-Encoding: gzip,deflate

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:04:28 GMT

Server: Apache

Last-Modified: Mon, 02 Feb 2015 15:52:02 GMT

Accept-Ranges: bytes

Content-Length: 488416

Content-Type: application/x-msdos-program

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............@...@...@..m@...@..r@...@..{@g..@..k@...@...@...@..|@...@..l@...@..i@...@Rich...@................PE..L......T..........................................@.......................................@..........................................@...............V.......P...:...................................o..@...............H............................text...~........................... ..`.rdata..J...........................@..@.data....<..........................@....rsrc........@......................@..@.reloc...M...P...N..................@..B........................................................................................................................................................................................................................................................................................................................................................V.D$.P...`.......E...^.......E......V......E.......D$..t.V.w...Y..^....D$....D$..P...@..u. ..U...u..u..u..u..z....E....].U...u..u..u..u.......E....]....L$..........D$............t....3.....L$. .....@...3.9.....j..X.E.........u..t....e...u..N.....E.........}......V..j.j..N.....E..I#....^.....V........D$..t.V.}...Y..^...V.t$............E...^.......E......V......E.......D$..t.V.8...Y..^...j..X.E.........u.......e...u..N...p.E................V..j.j..N...p.E..."....^.c....y$.r..A...A..V........D$..t.V.....Y..

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?45d861ae400f132c HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT

If-None-Match: "0b2464b1797cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT

ETag: "0b2464b1797cf1:0"

Cache-Control: max-age=86400

Date: Thu, 05 Feb 2015 10:05:03 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT..ETag: "0b2464b1797cf1:0"..Cache-Control: max-age=86400..Date: Thu, 05 Feb 2015 10:05:03 GMT..Connection: keep-alive..

GET /thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0 HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: VVV.ytddownloader.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Thu, 05 Feb 2015 10:05:01 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.6-1ubuntu1.8

Content-Encoding: gzip

6f8.............Wks.6..,..kv..fC.....-..W..I.4....d4..R.)..@K.6.}.@R.j....H...>.=.._........f.....wo.....?.Wax}.M....O.h....b..F..eaxs..77.8...j..N.....c.....p..... 6.79.Y!..Y.?#L.'.p./"...d....j.V[G.L..4W<.{.l2..Hk....c.......Y#0..x.B.;.v"..\D,.j]-.6&..*.$...".......Y..Z.......(.i...0d...R)...B.*..ka&f:\.Zr.......~.."......J.....s..%{&...<^.'V.@H..yb..)........./.v...E........".d.....>\..W......?.~.?.G....,.O....U.K.<.....o62......XF...&..g..d........9.,..@.......6....v.*9Lr.q.Q.b.k....4n....Y..BI##...T....Y.....f.}..u....e.1".2......k...^.......=Ko.....|...tP0..oe...k..%O..... ]..k.... .]5tF.x"...d. )...,.P:M.Lv......m. @d.]`)Y8......5.: ...-.......}R..*..ju.).'.,.1.#..d.(4H$..G&HX.gR>.97!...w!.2...u2[f..W.....]...Z.........,<5......n.....QX!..h&..E..z.!=...@.[l...w.,|{..m.....?Kq..Z}..X)V..,.}~.-..g2.T.Y.g<.ig5L.@:..c..HBN,.....N..X.[eA.....T.......H.,.....Z8|..C..r.C...c..._u #...\W.(.....r?.....6....3..`.....Z.J. ...;.d..5....u.1.fro.ZqN...f{k.Cx...8..cZX.....J...*=.|..E..c..KcdN.7o.....S[...)3...=.. 33u.k.z:\...5.....T.a..<.L.95..L sF.Z..f.....yR.. .]...l,.9...f)W......*F.I~.7.O.....$.A[..Y.3.......tV.f....;...._..b7.....&.@.D.......6usr.e"z.abzgvv}m.. ......j.:.._A}.k.........*R..E9..@.G..........njw.y....j.4.-4...#..a....J...Z..j.........._......U...Y..E..T...S..]..\.....s...;....S....4..$...-5.>............7...........3~.M..[....6.........$...pc.........%..0..|.E4byL......-Jm............3...0l....<w..$:......3...j....e.(.....K@@..n........?..........z..U.N.P.{>...oj.

<<< skipped >>>

GET /js/main.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: VVV.ytddownloader.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Thu, 05 Feb 2015 10:05:01 GMT

Content-Type: application/x-javascript

Content-Length: 1272

Last-Modified: Fri, 08 Nov 2013 13:22:51 GMT

Connection: keep-alive

Accept-Ranges: bytes

$(document).ready(function() {. //setting os..$(".os-redirect").click(function(){...setCookie('user_os', $(this).attr("os"), 1,'/');..});....$(".dropdown img.flag").addClass("flagvisibility");.. $(".dropdown dt a").click(function() {. $(".dropdown dd div").toggle();. });. . $(".dropdown dd ul li a").click(function() {. var text = $(this).html();. $(".dropdown dt a span").html(text);. $(".dropdown dd div").hide();... });. . $(document).bind('click', function(e) {. var $clicked = $(e.target);. if (! $clicked.parents().hasClass("dropdown")). $(".dropdown dd div").hide();. });...//setting locale...$(".langselector, #language-bar a").click(function(){...setCookie('ytd_locale', $(this).attr("hreflang"), 1,'/');..});....change_auto_renew();.});..function setCookie(c_name,value,exdays, path).{..var exdate=new Date();..exdate.setDate(exdate.getDate() exdays);..var c_value=escape(value) ((exdays==null) ? "" : "; expires=" exdate.toUTCString()) ((path) ? "; path=" path : "") ;..document.cookie=c_name "=" c_value;..}.function change_auto_renew() {. $("input[name=src]").each(function() {. $(this).val($(this).val() == 0 ? 1 : 0 );. });.}....

GET /styles.css HTTP/1.1

Accept: text/css

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: VVV.ytddownloader.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Thu, 05 Feb 2015 10:05:01 GMT

Content-Type: text/css

Content-Length: 17587

Last-Modified: Thu, 27 Nov 2014 15:47:33 GMT

Connection: keep-alive

Accept-Ranges: bytes

/* hXXp://meyerweb.com/eric/tools/css/reset/ . v2.0 | 20110126. License: none (public domain).*/..html, body, div, span, applet, object, iframe,.h1, h2, h3, h4, h5, h6, p, blockquote, pre,.a, abbr, acronym, address, big, cite, code,.del, dfn, em, img, ins, kbd, q, s, samp,.small, strike, strong, sub, sup, tt, var,.b, u, i, center,.dl, dt, dd, ol, ul, li,.fieldset, form, label, legend,.table, caption, tbody, tfoot, thead, tr, th, td,.article, aside, canvas, details, embed, .figure, figcaption, footer, header, hgroup, .menu, nav, output, ruby, section, summary,.time, mark, audio, video {..margin: 0;..padding: 0;..border: 0;..font-size: 100%;..font: inherit;..font-size:13px;..line-height:18px;..vertical-align: baseline;..font-family:Tahoma, Arial, Helvetica, sans-serifl.}./* HTML5 display-role reset for older browsers */.article, aside, details, figcaption, figure, .footer, header, hgroup, menu, nav, section {..display: block;.}.body {..line-height: 1;.}.ol, ul {..list-style: none;.}.blockquote, q {..quotes: none;.}.blockquote:before, blockquote:after,.q:before, q:after {..content: '';..content: none;.}.table {..border-collapse: collapse;..border-spacing: 0;.}..clearfix:after {..content: ".";..display: block;..clear: both;..visibility: hidden;..line-height: 0;..height: 0;.}. ..clearfix {..display: inline-block;.}. .html[xmlns] .clearfix {..display: block;.}. .* html .clearfix {..height: 1%;.}.a:link, a:visited, a:hover, a:active {color:#2c4b00; text-decoration:underline;}.h1 {font-size:24px; margin-bottom:8px;

<<< skipped >>>

GET /images/header-bg-repeat.jpg HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: VVV.ytddownloader.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Thu, 05 Feb 2015 10:05:01 GMT

Content-Type: image/jpeg

Content-Length: 1497

Last-Modified: Fri, 05 Oct 2012 14:07:53 GMT

Connection: keep-alive

Accept-Ranges: bytes

......Exif..II*.................Ducky.......d.....ohXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:48617E8EC10BE2118B4BD91E24AB7A59" xmpMM:DocumentID="xmp.did:FC5012CA0BCB11E2AA79CB95D10CA426" xmpMM:InstanceID="xmp.iid:FC5012C90BCB11E2AA79CB95D10CA426" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:48617E8EC10BE2118B4BD91E24AB7A59" stRef:documentID="xmp.did:48617E8EC10BE2118B4BD91E24AB7A59"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................................~...................................................................1.!A.."3Qaq....2........................!1A.Q.....2Bb...3............?..s.}..4v$...y ....a[.C................wZ%..Y..G.T.r...J."n...5.h.....G...qs...NH~._.....Wu....K.g...\.V1.r.f.n.`.. ..X8..o....s]..I.\[#..[..`.6..5..9.....r..&.F.....S2_...Ea.....U....c...GIo...............x&.T.B..l..E.......J.z.}im..>#.@...

<<< skipped >>>

GET /images/upgrade-pro-btn.png HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: VVV.ytddownloader.com

DNT: 1

Connection: Keep-Alive

Cookie: __utma=135583929.141684822.1423130703.1423130703.1423130703.1; __utmb=135583929.1.10.1423130703; __utmc=135583929; __utmz=135583929.1423130703.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Thu, 05 Feb 2015 10:05:02 GMT

Content-Type: image/png

Content-Length: 13813

Last-Modified: Thu, 24 Oct 2013 10:30:42 GMT

Connection: keep-alive

Accept-Ranges: bytes

.PNG........IHDR.......T.............tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows" xmpMM:InstanceID="xmp.iid:6223BDC2438711E199DFDADE185FF648" xmpMM:DocumentID="xmp.did:6223BDC3438711E199DFDADE185FF648"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6223BDC0438711E199DFDADE185FF648" stRef:documentID="xmp.did:6223BDC1438711E199DFDADE185FF648"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>7._...2iIDATx..}y.eGy....{.{o.E..4h..ZF...bDd.#BA...`'..."... .........O*.............. 1.lJ.-.,a./#....7..{.9.;.|_.w..........;.-......_..O(.`...|.!..?K..g.x..?....................Y....D..AB&2.....O..{..<..d1........O,~........z..?xl..q.-.......b..o..'?../pW..<..ms..}[....Wn...w...m...R?!3O.Z.^.t..{O...?......O....kx|......?...>..n...?^B...".V..<...7...u..M....5^...Qw..p.A..4 ..f.&...o~..Pfuy.vxt.qP/....yx.8.B......_>..?..w.g.m........5{....ZJ..yU.._.......{...r....@0.....3}o@..............7at7@u7....l...W...~~Z.2c.\.....?.3.n..u..3....r...2...w.F..U..S.=..^....y.*.\.y.u....)1

<<< skipped >>>

POST /cgi/api.cgi/937811/CCF69B272FE54EE58735A380676F1DE4/vrst/20 HTTP/1.1

User-Agent: WidgiToolbar-198-937811

Host: api.mybrowserbar.com

Accept: */*

Accept-Encoding: gzip,deflate

Content-Length: 469

Content-Type: application/x-www-form-urlencoded

<drq><auth><ccv>198</ccv><cnid>937811</cnid><isn>CCF69B272FE54EE58735A380676F1DE4</isn><ct>20</ct><dlid>1033</dlid><lngid>1033</lngid><wv>6.1</wv><brw><ie>10.0.9200.16521</ie><ff>29.0.1</ff><gc>39.0.2171.95</gc><dbrw>Internet Explorer</dbrw></brw></auth>

<vrst><isn>CCF69B272FE54EE58735A380676F1DE4</isn><cnid>937811</cnid><code_ver>198</code_ver><type>uninstall</type><ct>20</ct><src>12</src><cid>c0322acd5e5d42f0b163c591ee6ff5b9</cid><cmdline></cmdline></vrst></drq>

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:07:51 GMT

Server: Apache

Pragma: no-cache

Cache-control: no-cache

Transfer-Encoding: chunked

Content-Type: text/html

Expires: Thu, 05 Feb 2015 10:07:51 GMT

2b..<drp><auth>. <scv>198</scv>.</auth>.</drp>..0..

GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnpGo= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.omniroot.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/ocsp-response

Date: Thu, 05 Feb 2015 10:05:03 GMT

Last-Modified: Thu, 29 Jan 2015 15:18:40 GMT

Server: ECS (frf/87D3)

X-Cache: HIT

Content-Length: 1406

0..z......s0..o.. .....0.....`0..\0......`;.l.uZ..k.F..^|A.Tb..20150129064609Z0g0e0=0... ........./Ev..Y..].....x.#......Y0.GX....T6.{:..M....'.j....20141203203511Z....20150428204011Z0...*.H..............-H.$.............^=....G..ai...I...,)vG.D..[R,.G.#(.D.<..Cg,}...;..2J#......GX....<b.&UFe'...I... I.o...&'....e..`..6.....`..~#......q.h|.....C..#:2w..}.......39.EF.....Rj.M.9...^.....c.?Y/Rz...Q.~.2.I...5..,.$o..U.....cg.H.[.(.....=.(..;.5...[.n....b*.......0...0...0...........'..0...*.H........0Z1.0...U....IE1.0...U....Baltimore1.0...U....CyberTrust1"0 ..U....Baltimore CyberTrust Root0...150114195242Z..160114195229Z0G1.0...U....US1.0...U....Cybertrust1#0!..U....Cybertrust-Validation-20110.."0...*.H.............0.........?....(Fb....G... ..=..(L..wK...04..I......C...1.Z......U.$b.f..Pa.....S...#..B.........^T..IP8..........h8GM..*.4.MP..../D4n.=ZTeH.B=kOT.v..2@F.2L..A...yn.4......fP...L...2.x....$..@@....q2...Uby.e......D....lf...C....ZP}O......7...mM..c.g..j.\.>.O....G.A........0..0... .....0......0...U.......0.0...U...........0...U.%..0... .......0...U.#..0.....Y0.GX....T6.{:..M.0...U......`;.l.uZ..k.F..^|A.Tb0...*.H.............n.h\Ch*G.c..yr..."._....J.-....j.t%..e.....(.h@.Z.7.a!m...sZH.N..>.S....K..........7wi3..x.D..l..ud.....CC......<.&.2. ..d...T.......;.S....\... ......m.6......#(.&....q.[z.........r..T....W...7ea.}..B.1........al.]i.F...-.0c...y.=?....E...........'>..O.._..

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=591067, public, no-transform, must-revalidate

Last-Modified: Thu, 5 Feb 2015 06:19:11 GMT

Expires: Thu, 12 Feb 2015 06:19:11 GMT

Date: Thu, 05 Feb 2015 10:09:18 GMT

Connection: keep-alive

0..........0..... .....0......0...0........6?s....V....OlL".O..20150205061911Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20150205061911Z....20150212061911Z0...*.H.............0....(.9e.X.W..!s[k,....B....C.....w>..h..3>}..St.O..A.GOV..G..5...3.se.......2q.{....r..../c...4.G..=.%].%.b7.5].B.>s...... ..2.... )..t.....n..`...w...A=.....Cd>.Mx..,.....E..k.='C.r..........G-..C....#..#,...w...9j.........?Ht.,...-#......I.d4@.RY....b]...#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://www.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710

<<< skipped >>>

GET /images/pixel.gif?src=stub&kt=ytd&event=run&exit=0 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.ytddownloader.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Server: nginx/1.2.1

Date: Thu, 05 Feb 2015 10:05:01 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.6-1ubuntu1.8

10..File not found....0..

GET /url/shares.json?url=http://VVV.ytddownloader.com/&callback=_ate.cbs.sc_httpwwwytddownloadercom0 HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: api-public.addthis.com

DNT: 1

Connection: Keep-Alive

Cookie: uid=54d3404fe20ab507; uvc=1|5; uit=1

HTTP/1.1 200 OK

Cache-Control: no-cache, no-transform, must-revalidate, s-maxage=3600

Last-Modified: Thu, 05 Feb 2015 09:12:51 GMT

Content-Type: application/json

Content-Encoding: gzip

Via: 1.1 varnish

Content-Length: 76

Accept-Ranges: bytes

Date: Thu, 05 Feb 2015 10:05:02 GMT

Via: 1.1 varnish

Age: 3131

Connection: keep-alive

X-Served-By: cache-ams4126-AMS

X-Cache: HIT

X-Cache-Hits: 29

X-Timer: S1423130702.921343565,VS0,VE0

...........O,I.KN*. N..())(//.,II./...OLI-J..5..V*.H,J-V.240133.......C.8...HTTP/1.1 200 OK..Cache-Control: no-cache, no-transform, must-revalidate, s-maxage=3600..Last-Modified: Thu, 05 Feb 2015 09:12:51 GMT..Content-Type: application/json..Content-Encoding: gzip..Via: 1.1 varnish..Content-Length: 76..Accept-Ranges: bytes..Date: Thu, 05 Feb 2015 10:05:02 GMT..Via: 1.1 varnish..Age: 3131..Connection: keep-alive..X-Served-By: cache-ams4126-AMS..X-Cache: HIT..X-Cache-Hits: 29..X-Timer: S1423130702.921343565,VS0,VE0.............O,I.KN*. N..())(//.,II./...OLI-J..5..V*.H,J-V.240133.......C.8.....

GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.omniroot.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/ocsp-response

Date: Thu, 05 Feb 2015 10:06:06 GMT

Last-Modified: Thu, 29 Jan 2015 15:18:48 GMT

Server: ECS (frf/8799)

X-Cache: HIT

Content-Length: 1406

0..z......s0..o.. .....0.....`0..\0......`;.l.uZ..k.F..^|A.Tb..20150129064609Z0g0e0=0... ........./Ev..Y..].....x.#......Y0.GX....T6.{:..M....'.G....20141203203511Z....20150428204011Z0...*.H.............?.v..qY.8.[t.8..9-.g".hl..H3|Z..Vw.2.............Mt..DB@..s .8a......u............$].o...NK....9.qxd....}.n..WZU.Z7.....bH._...[.....c'.O.T(=..1G{.......G.U.=}C..$~.......v..OL.V....7p.8.z!..k...G`|>.J..I..R.S......'...>..&~.N...c...`[k..`.8....4.X...H0,G.....0...0...0...........'..0...*.H........0Z1.0...U....IE1.0...U....Baltimore1.0...U....CyberTrust1"0 ..U....Baltimore CyberTrust Root0...150114195242Z..160114195229Z0G1.0...U....US1.0...U....Cybertrust1#0!..U....Cybertrust-Validation-20110.."0...*.H.............0.........?....(Fb....G... ..=..(L..wK...04..I......C...1.Z......U.$b.f..Pa.....S...#..B.........^T..IP8..........h8GM..*.4.MP..../D4n.=ZTeH.B=kOT.v..2@F.2L..A...yn.4......fP...L...2.x....$..@@....q2...Uby.e......D....lf...C....ZP}O......7...mM..c.g..j.\.>.O....G.A........0..0... .....0......0...U.......0.0...U...........0...U.%..0... .......0...U.#..0.....Y0.GX....T6.{:..M.0...U......`;.l.uZ..k.F..^|A.Tb0...*.H.............n.h\Ch*G.c..yr..."._....J.-....j.t%..e.....(.h@.Z.7.a!m...sZH.N..>.S....K..........7wi3..x.D..l..ud.....CC......<.&.2. ..d...T.......;.S....\... ......m.6......#(.&....q.[z.........r..T....W...7ea.}..B.1........al.]i.F...-.0c...y.=?....E...........'>..O.._..

<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT

If-None-Match: "a2f3ff97eeecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT

Accept-Ranges: bytes

ETag: "88c4768d3f2ad01:0"

Server: Microsoft-IIS/8.0

VTag: 791450244700000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 813

Cache-Control: max-age=798

Date: Thu, 05 Feb 2015 10:05:34 GMT

Connection: keep-alive

0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....microsoft1-0 ..U...$Microsoft Root Certificate Authority..150106214825Z..150407100825Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..%..*..S.Y..0... .....7.......0...U......(0... .....7......150406215825Z0...*.H..............vQ..r..L.Q.N..=#.......V;..r../\.m..<.."...F/U....(:.....xm.....P.e.F..BE8......=...G....6t:...?...L..B.v..p.M........z..Q.%J.6..I.......8...U. .g..=T=K....L..$w...^....y~..-a.'...*s#N.o..Qs.$h..:duV'~....8.6..w..b3.... .~)...|.I.y".>R.nJq.ws...3.....f}.E)\......EB.d\.2.....h...lMjT.7..lj.'lj.b....".L.Os6{.s...@....f.|7z.. ......>..Q...(......._....UM.EN.@.K\]#..Y.*.......T. .C.....A'..5FW.ETDvX..tE.....g5.....&..&.....x.^H;...../7..'9.t.I&<[.HX.j....Qw......}...qy3..q`<.....LB.9w|....;..Qw..a ..=.C.:.........

GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT

If-None-Match: "3e1c83923e1cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT

Accept-Ranges: bytes

ETag: "d2e35dc7e31cd01:0"

Server: Microsoft-IIS/8.0

VTag: 27948442200000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 561

Cache-Control: max-age=900

Date: Thu, 05 Feb 2015 10:05:34 GMT

Connection: keep-alive

0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows Verification PCA..141220223154Z..150321105154Z._0]0...U.#..0.......p............<.J0... .....7.......0...U......30... .....7......150320224154Z0...*.H.............h.~oH#i.J.vh_.....A'B..g...........F....9c.{.m@Q.M.p...g.^ 4.r..Wv.Q.0.w..j....c9..w....I..%.~.l..F.......xo...._...o...7BR.;<..\R/ .....b.(....~..]|.v.u.i.X.B....I......./*...P..A..fi.}& .x.v{TFP[.G......A......L.o...)R.......V.u..V.../.Q..(L.].....uki~......

GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT

If-None-Match: "58cddbea90dfcf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT

Accept-Ranges: bytes

ETag: "9a9a44d511bd01:0"

Server: Microsoft-IIS/8.0

VTag: 279252244600000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 550

Cache-Control: max-age=900

Date: Thu, 05 Feb 2015 10:05:34 GMT

Connection: keep-alive

0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-Stamp PCA..141218221600Z..150319103600Z._0]0...U.#..0...#4..RFp..@.v.. ..5..0... .....7.......0...U......10... .....7......150318222600Z0...*.H............./..0Q~.r.}.E....&\....F.Z.C..#..F.s........<&\..9G..-....j..N... .C.Fk....;l.....2.K5D.........-.>...(...g.0.S.[?...T4q>.ln...z..L.......5.5s@d.q.('..e...Y..Bo..q..........I....'....i>..y:.eH@h`..\...UA.m#.~.. ;.3..d..;..<..........p..s..J..N `Az......@..lHTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT..Accept-Ranges: bytes..ETag: "9a9a44d511bd01:0"..Server: Microsoft-IIS/8.0..VTag: 279252244600000000..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 550..Cache-Control: max-age=900..Date: Thu, 05 Feb 2015 10:05:34 GMT..Connection: keep-alive..0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-Stamp PCA..141218221600Z..150319103600Z._0]0...U.#..0...#4..RFp..@.v.. ..5..0... .....7.......0...U......10... .....7......150318222600Z0...*.H............./..0Q~.r.}.E....&\....F.Z.C..#..F.s........<&\..9G..-....j..N... .C.Fk....;l.....2.K5D.........-.>...(...g.0.S.[?...T4q>.ln...z..L.......5.5s@d.q.('..e...Y..Bo..q..........I....'....i>..y:.eH@h`..\...UA.m#.~.. ;.3..

<<< skipped >>>

GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.msocsp.com

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:06:06 GMT

Content-Type: application/ocsp-response

Content-Length: 1757

Connection: keep-alive

Set-Cookie: __cfduid=df754fea60b97687e095e41842ddd612e1423130766; expires=Fri, 05-Feb-16 10:06:06 GMT; path=/; domain=.msocsp.com; HttpOnly

Last-Modified: Mon, 02 Feb 2015 23:13:04 GMT

Expires: Fri, 06 Feb 2015 23:13:04 GMT

ETag: "32dc2dc5ade4e5867c219925d83ebab0609e8b04"

Cache-Control: max-age=345599,public,no-transform,must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1b3e4b1d5ecf0cad-AMS

0..........0..... .....0......0...0..........<.|7...@N6p.I.e|..20150202231304Z0..0..0L0... ........&."f........{5.....t..Q.$&..h"W.& ;Fb.{.....Z..w...d..\.-....w.....20150202231304Z....20150206231304Z."0 0... .....0......20140202231304Z0...*.H.............B.....>#..;n5{?Z..aq.S(.~.F. ...KU.<.....@..=;|...!.%@.":.Y.E.VN....S..p97..L|;.......~...~..../5..%.r?...Hy.h3......>g.'..>....q..j..p.:..S=s..q..j.P!6p..9T.v,.d.....$!.....Z..$m].(......n....... 9...';S...]}v.....Q.g...Iu...{......Z....E;.@.v....?<g|........0...0...0..........Z..~..M..<ZYJ....~.0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft IT1.0...U....Microsoft IT SSL SHA20...141229205745Z..150314205745Z0!1.0...U....Should be ignore by CA0.."0...*.H.............0...........&!(..$.K...."=f....x.d.._s.....j....9`..l.Z..............^f..u......-e.&.bG.(i.Q...........bEy...^7A...A..c....CF-&...e.7..7F....."..w...y.:..`.w{~..D.x*.......x3Os......q...... S.fB .ig.....L..3......4E..}..7...M....e ...6.M.O.....<5:......r.....]..A.5........0..0...U..........<.|7...@N6p.I.e|0...U.#..0...Q.$&..h"W.& ;Fb.{...0...U...........0...U.%..0... .......0... .....7....0.0... .......0... .....0......0...*.H..................sa....^`.U.h.....(c[..j.|. ..#....3.5.?..L.....Z....J......*.w...w.$.z..Y.d.....l.....G#.....o.\t.......(.B =..P..T....0./P.....z.3....L.O3....z...Wxo..~.OeH....c.i.@."..?d.......=v(.....m..LN..PP....<.}T.X......K.&e.S...|....% ...(F.=k..~.j..C......4.....

<<< skipped >>>

GET /ajax/libs/jquery/1.9.1/jquery.min.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: ajax.googleapis.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Type: text/javascript; charset=UTF-8

Last-Modified: Fri, 08 Feb 2013 15:35:10 GMT

Date: Wed, 04 Feb 2015 07:00:55 GMT

Expires: Thu, 04 Feb 2016 07:00:55 GMT

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 32819

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=31536000

Age: 97446

Alternate-Protocol: 80:quic,p=0.02

............{{...7...."........o...v..q.[cg'-E..HPBL....RD....[kf0.Pq.~.sNZ.....f......._..M...wg.?...vG.<8z2.........E...q...:z..GT.._.f.....t.de.....uT..b.|.o6iv..._E..:.F.x...O..6..*?QUp....2U.4..6I.<.T.%.E>....R1....4^..tIm...ZE.{5..3..<.....|4.3.D-.r.-o..]......4[$....:Z...UUP_...........|....z.mF.r...f......Q..?..-3.0..F..^.F....l.O........\..f.|1..t..NG2U.}tz.jxz.^G.o......./^\.>......#*........../.../........|zp2{...N.3*....~.\../O'...g...g.;.~.M.Tx..,g.....).y..w*@...i.^...]........2 ..n;.\.'..'/f....*.4:..oP...f..]Ul..2^.....V........V.P.N....z......o3z.........aC..,.....K.\p...x......WiY%YR.v.*..^.......<_oVI..a>*.xq....$8>....u%......n ..V?.Q.:..4....o.~.g..Q...S_..Y.....G)..T.".......<......&...*..Z.t%..s@it5..y.c.....p.h...X.*/. .H.....){4U.y...I`..&-.. y.....L.O....Lf..X<..1M.w.xD;;.....3zgn...'S.....g.~3Jn.9-..... .....3..A..e#.....".-i.S..].9..3..=GE..,..R*.gs..j.M..0.._'.u......E.|.....K.Q'FY.H^..'.(.OK.\.-.T...8...Q....v||5J..Vq.}{.K2..K..z.R....o_..G..t.L....NF.W.}....."{.NLP|.T_........j..,P..q.Q..o..<.x...Q..t=..$nJ.%:S...,..N...*.......d.`....M...)....T.7....|$...[......E..h.......`b.......iQ.w...-n>.=OIw..*........H...r.....h..V.Aj..&t..9M..is.j.t]~../...ik......l.p.....mT.=[E..7v....n./$...y=T.X.s...J......j.w.W.|.x..F..*..:....>K...d....f..........&...7./.2-..P......j.?X.p.....9u.Ae.0...D.....~f.......&...l6..3......i}.(.. m.Je.x...p5.:..d...gWz...G..@.*\.2/*..............>...g..`...w....f.....\.D...#D...E.%.......G..s`K.*.WI...NI.......LeO...&

<<< skipped >>>

GET /kits/sds/SearchProtectionSetup.exe HTTP/1.1

User-Agent: SDS

Host: webupdate.mybrowserbar.com

Accept: */*

HTTP/1.1 200 OK

Server: nginx/0.7.65

Date: Thu, 05 Feb 2015 10:04:58 GMT

Content-Type: application/octet-stream

Content-Length: 1558376

Last-Modified: Mon, 19 Jan 2015 14:12:15 GMT

Connection: keep-alive

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................p.......B...9............@..........................`............@.................................d........@..x...........0...8............................................................................................text....o.......p.................. ..`.rdata...*.......,...t..............@..@.data....~..........................@....ndata.......0...........................rsrc...x....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....-G..H.P.u..u..u.....@..K...SV.5.-G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h..F.W....@..u.W...u....E.P.u.....@._^3.[.....L$...-G...i. @...T.....tUVW.q.3.;5.-G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5.-G.r.[_^...U..QQ

<<< skipped >>>

GET /static/r07/plugins/counter015.css HTTP/1.1

Accept: text/css

Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: s7.addthis.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

Last-Modified: Tue, 05 Aug 2014 12:38:26 GMT

Content-Encoding: gzip

Cache-Control: public, no-check, max-age=86313600

Content-Type: text/css

Content-Length: 2690

Accept-Ranges: bytes

Date: Thu, 05 Feb 2015 10:05:02 GMT

Via: 1.1 varnish

Age: 15157266

Connection: keep-alive

X-Host: s7.addthis.com

X-Served-By: cache-fra1233-FRA

X-Cache: HIT

X-Cache-Hits: 13052002

X-Timer: S1423130702.450722,VS0,VE0

Vary: Host,Accept-Encoding

...........X...H...O.C...f.h...........`I6A..DE.{#U.....'fp......7...$.k..9n...s.....a.P..v...........;....G=LL.t..0.|....!x4.$..N.....F..O..,..../&..=.[<Nhi...;Z.j.W..;....5.`........Q.d...3Pf.&0.D....=8......O..y..|....X.....2.[..F.K..gY...2....']3.vR.2;y...7S....h6@#h?.Z...Ww....6..!S_sQv8...z..OW.2........!pv......]...K.?.0.cW......X...~....6j.m.8.0...>.!..M..T.&..&1D..D).G.._.....C......H.Q.2$b?...2l.w..U*.. Z4!.K..3....P2....P<E..:$5."Q......'.k.... m.'5.C.;.".C.2QM....%.FV...g. .E#......C.....{..z..R?'Zm..m......h...a....UZ..!f.p)J.....S..=:.B....2......I.....'....4.....D.-g.@_....l......[....[y.F......9..m...]Y..p...`7F...eQ.a!...8*..y...v.9..D.....<W.,v.P$f.......I.b.6.[....."...C..D...~H..E,..5.....".....k33...2_@z..s..6!.-...'..[..M....M..k0@.Ag;...y.2.7q=_.'...Z{.2 UU.i....... c[.........h.3h..HO.F...0...H.C.&ad.)'...t...8....1D"....B.)iT..f...c.R[..,5..d9.....EQ..*..).t..<bW.doy.u.Z.|0......$-=~...]"Q..4..i8.G4...1K.6.j.d.M4|..7..(.5..*l.pE.i.{....<..{T........=.)8............a....3(..M.s.p...l.(.=...b.....9./..K&.}....N..1[....f#*...e.P.^I.........AT..j.7....%.7.k..c.T....0.)..]w__...o#4,.a.G2.[...9....xv..P.).[.w.l.g{M.9.e.... ..9..T... .}..&.fDM. .'.....m3B.cYFn.............v.h.......xa..../e.K.c..........C."....'.T.}.-..>x {...={.1.....l.[f2..E....[...c..W..^.!.2\}#0.c. 2...<*NC..z..d.. 5...'#j....N..lR.?.....'Q.?...N{0...=..y/. -..b.mcI.HyZ..".M.!......*.....6..U...[&/Zr.....3..QG..SU..$n{j.r.@r#..F.....{..9.OB..... ..d..fT.e.,.l....6...6S......e/K..VF...C.kK......1L...

<<< skipped >>>

GET /gc/silent2.html?ot=ytdsanth&cnid=937811&kt=ytd&ext[]=cekonfccladjgbdhpgobceahgjdcdbod&ext[]=jloeihbcjbkgigodmcacomgfihpiaiip&ts=1423130670 HTTP/1.1

Host: VVV.mybrowserbar.com

Connection: keep-alive

Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/webp,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Accept-Encoding: gzip, deflate, sdch

Accept-Language: en-US,en;q=0.8

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:04:31 GMT

Server: Apache

Vary: Host

Last-Modified: Mon, 12 Jan 2015 12:49:37 GMT

Accept-Ranges: bytes

Content-Length: 2543

Keep-Alive: timeout=30, max=100

Connection: Keep-Alive

Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd" />.<html>.<head>. <meta name="google" value="notranslate" />. <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />. <meta http-equiv="Pragma" content="no-cache" />. <meta http-equiv="Expires" content="0" />. <title>Extensions Installation</title>..<link rel="chrome-webstore-item" href="hXXps://chrome.google.com/webstore/detail/pfndaklgolladniicklehhancnlgocpp">..<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>.<script>. (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){. (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),. m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m). })(window,document,'script','//VVV.google-analytics.com/analytics.js','ga');. . ga('create', 'UA-49853190-2', 'mybrowserbar.com');..</script>.</head>..<body>.<div id="extensions">.....<button href="#" id="close">close offer</button>..</div>...<script language="javascript">.$( document ).ready(function() {..var extensions = getURLParam('ext[]');..if (extensions !== null) {. for (var i=extensions.length-1; i>=0; i--) {. var e = extensions[i];. var item_html = $.parseHTML('<div id="offer_' e '" class="offer" ><div class="a

<<< skipped >>>

GET /favicon.ico HTTP/1.1

Host: VVV.mybrowserbar.com

Connection: keep-alive

Accept: */*

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Accept-Encoding: gzip, deflate, sdch

Accept-Language: en-US,en;q=0.8

Cookie: _ga=GA1.2.1138944218.1423130672

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:04:32 GMT

Server: Apache

Vary: Host,User-Agent

Last-Modified: Wed, 21 Oct 2009 21:42:22 GMT

Accept-Ranges: bytes

Content-Length: 9062

Cache-Control: max-age=604800

Expires: Thu, 12 Feb 2015 10:04:32 GMT

Keep-Alive: timeout=30, max=99

Connection: Keep-Alive

Content-Type: image/x-icon

...... .... .....F... .................... .h...............h.......(... ...@..... ...... ......................@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.@@@.....@@@.........................................................................................................................@@@.@@@.........................................................................................................................@@@.@@@.........................................................................................................................@@@.@@@.........................................................................................................................@@@.@@@.........................................................................................................................@@@.@@@.......................................................................n.................................................@@@.@@@.........................................................................................................................@@@.@@@.........................................................................................................................@@@.@@@...........................................................................................................Y...k.........@@@.@@@...........................................................................................................[...R...n.....@@@.@@@...............

<<< skipped >>>

GET /images/pixel.gif?isn=d78a223d20363802cfbd313af6e664df&ver=1.2&cnid=937811&ct=shagc&event=install HTTP/1.1

Host: VVV.mybrowserbar.com

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Accept: */*

Accept-Encoding: gzip, deflate, sdch

Accept-Language: en-US,en;q=0.8

Cookie: _ga=GA1.2.1138944218.1423130672

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:04:49 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1093

Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Keep-Alive: timeout=30, max=98

Connection: Keep-Alive

Content-Type: image/gif

GIF89a.............!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:68AF816F211411E187C8D4C48A462294" xmpMM:DocumentID="xmp.did:68AF8170211411E187C8D4C48A462294"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:68AF816D211411E187C8D4C48A462294" stRef:documentID="xmp.did:68AF816E211411E187C8D4C48A462294"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..................................................................................................................................~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-, *)('&%$#"! .................................!.......,...........D..;....

GET /cgi/coupons.cgi/d78a223d20363802cfbd313af6e664df/937811/1.2/shagc?rsv=2 HTTP/1.1

Host: VVV.mybrowserbar.com

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Accept: */*

Accept-Encoding: gzip, deflate, sdch

Accept-Language: en-US,en;q=0.8

Cookie: _ga=GA1.2.1138944218.1423130672

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:04:49 GMT

Server: Apache

Vary: Host

Keep-Alive: timeout=30, max=97

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/xml; charset=utf-8

12c..<?xml version="1.0" encoding="UTF-8"?>.<cp>. <rsv>2</rsv>. <insecure>. <url>hXXp://i.sgbfjs.info/sgbf/javascript.js?hid=40&channel=GC</url>. </insecure>. <secure>. <url>hXXps://i_sgbfjs_info.tlscdn.com/sgbf/javascript.js?hid=40&channel=GC</url> . </secure>.</cp>...0..HTTP/1.1 200 OK..Date: Thu, 05 Feb 2015 10:04:49 GMT..Server: Apache..Vary: Host..Keep-Alive: timeout=30, max=97..Connection: Keep-Alive..Transfer-Encoding: chunked..Content-Type: text/xml; charset=utf-8..12c..<?xml version="1.0" encoding="UTF-8"?>.<cp>. <rsv>2</rsv>. <insecure>. <url>hXXp://i.sgbfjs.info/sgbf/javascript.js?hid=40&channel=GC</url>. </insecure>. <secure>. <url>hXXps://i_sgbfjs_info.tlscdn.com/sgbf/javascript.js?hid=40&channel=GC</url> . </secure>.</cp>...0......

GET /images/pixel.gif?isn=9d357cad646259e5aec21e92440c2512&ver=1.5&cnid=937811&ct=nthgc&event=install HTTP/1.1

Host: VVV.mybrowserbar.com

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Accept: */*

Accept-Encoding: gzip, deflate, sdch

Accept-Language: en-US,en;q=0.8

Cookie: _ga=GA1.2.1138944218.1423130672

HTTP/1.1 200 OK

Date: Thu, 05 Feb 2015 10:04:50 GMT

Server: Apache

Accept-Ranges: bytes

Content-Length: 1093

Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Keep-Alive: timeout=30, max=96

Connection: Keep-Alive

Content-Type: image/gif

GIF89a.............!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:68AF816F211411E187C8D4C48A462294" xmpMM:DocumentID="xmp.did:68AF8170211411E187C8D4C48A462294"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:68AF816D211411E187C8D4C48A462294" stRef:documentID="xmp.did:68AF816E211411E187C8D4C48A462294"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..................................................................................................................................~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-, *)('&%$#"! .................................!.......,...........D..;HTTP/1.1 200 OK..Date: Thu, 05 Feb 2015 10:04:50 GMT..Server: Apache..Accept-Ranges: bytes..Content-Length: 1093..Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform..Pragma: no-cache..Expires: Thu, 01 Jan 1970 00:00:00 GMT..Keep-Alive: timeout=30, max=96..Connection: Keep-Alive..Content-Type: image/gif..GIF89a.............!..XMP DataXMP&l

<<< skipped >>>

Map

The Malware connects to the servers at the folowing location(s):

Strings from Dumps

ytd.exe_1492:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

8%u3P

8%u3P

N

N

|.hT!

|.hT!

|.hp!

|.hp!

|.hP#

|.hP#

|.hd#

|.hd#

|.hT$

|.hT$

SShxT

SShxT

vSSSh

vSSSh

It.It It!It

It.It It!It

FTPjK

FTPjK

FtPj;

FtPj;

C.PjRV

C.PjRV

tGHt.Ht&

tGHt.Ht&

`'\%D,3

`'\%D,3

kernel32.dll

kernel32.dll

Please contact the application's support team for more information.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

ADVAPI32.DLL

ADVAPI32.DLL

portuguese-brazilian

portuguese-brazilian

operator

operator

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

()$^.* ?[]|\-{},:=!

()$^.* ?[]|\-{},:=!

RegDeleteKeyExW

RegDeleteKeyExW

invalid _N_type: %d

invalid _N_type: %d

RTMP_ParseURL

RTMP_ParseURL

%s://%.*s:%d/%.*s

%s://%.*s:%d/%.*s

d:\Autobuild\CleanSVN\ytd\branches\Win\YTD_4.8.9\Application3.0\Release\YouTubeDownloader.pdb

d:\Autobuild\CleanSVN\ytd\branches\Win\YTD_4.8.9\Application3.0\Release\YouTubeDownloader.pdb

HttpQueryInfoW

HttpQueryInfoW

HttpOpenRequestW

HttpOpenRequestW

HttpSendRequestW

HttpSendRequestW

InternetCrackUrlW

InternetCrackUrlW

WININET.dll

WININET.dll

UxTheme.dll

UxTheme.dll

WS2_32.dll

WS2_32.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

GdiplusShutdown

GdiplusShutdown

GdipSetPenLineJoin

GdipSetPenLineJoin

gdiplus.dll

gdiplus.dll

PSAPI.DLL

PSAPI.DLL

libvlc_video_set_key_input

libvlc_video_set_key_input

CreatePipe

CreatePipe

CreateNamedPipeW

CreateNamedPipeW

ConnectNamedPipe

ConnectNamedPipe

DisconnectNamedPipe

DisconnectNamedPipe

WaitNamedPipeW

WaitNamedPipeW

SetNamedPipeHandleState

SetNamedPipeHandleState

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

SetWindowsHookExW

SetWindowsHookExW

UnhookWindowsHookEx

UnhookWindowsHookEx

CreateDialogIndirectParamW

CreateDialogIndirectParamW

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GDI32.dll

GDI32.dll

COMDLG32.dll

COMDLG32.dll

RegDeleteKeyW

RegDeleteKeyW

RegCloseKey

RegCloseKey

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyExW

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyExW

RegCreateKeyExW

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

SHFileOperationW

SHFileOperationW

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

SHLWAPI.dll

SHLWAPI.dll

COMCTL32.dll

COMCTL32.dll

MSIMG32.dll

MSIMG32.dll

GetCPInfo

GetCPInfo

GetConsoleOutputCP

GetConsoleOutputCP

libvlc.dll

libvlc.dll

zcÁ

zcÁ

.?AV?$_IDispEventLocator@$00$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$_IDispEventLocator@$00$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$IDispEventSimpleImpl@$00VBrowserEvents@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$IDispEventSimpleImpl@$00VBrowserEvents@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$IDispEventImpl@$00VBrowserEvents@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B$1?LIBID_SHDocVw@@3U3@B$00$00VCComTypeInfoHolder@ATL@@@ATL@@

.?AV?$IDispEventImpl@$00VBrowserEvents@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B$1?LIBID_SHDocVw@@3U3@B$00$00VCComTypeInfoHolder@ATL@@@ATL@@

.?AV?$CWinDataExchange@VRequestLoginDlg@@@WTL@@

.?AV?$CWinDataExchange@VRequestLoginDlg@@@WTL@@

.?AV?$CDialogImpl@VRequestLoginDlg@@VCWindow@ATL@@@ATL@@

.?AV?$CDialogImpl@VRequestLoginDlg@@VCWindow@ATL@@@ATL@@

.?AVRequestLoginDlg@@

.?AVRequestLoginDlg@@

.?AUIWebNotifier@@

.?AUIWebNotifier@@

.?AV?$CWinDataExchange@VWebBrowserDlg@@@WTL@@

.?AV?$CWinDataExchange@VWebBrowserDlg@@@WTL@@

.?AV?$CAxDialogImpl@VWebBrowserDlg@@VCWindow@ATL@@@ATL@@

.?AV?$CAxDialogImpl@VWebBrowserDlg@@VCWindow@ATL@@@ATL@@

.?AVWebBrowserDlg@@

.?AVWebBrowserDlg@@

m`X

m`X

|qjD2#(Q>(Q>(Q>(Q>(Q>(Q>(Q>(Q>(K9&K9&H6Ò#D2#D2#m`X

|qjD2#(Q>(Q>(Q>(Q>(Q>(Q>(Q>(Q>(K9&K9&H6Ò#D2#D2#m`X

SD:(UA*UA*YE,YE,YE,YE,]H.]H.]H.YE,YE,YE,YE,YE,UA*UA*Q>(Q>(K9&H6Ò#E5*|qj

SD:(UA*UA*YE,YE,YE,YE,]H.]H.]H.YE,YE,YE,YE,YE,UA*UA*Q>(Q>(K9&H6Ò#E5*|qj

i\T(UA*YE,]H.]H.cM0cM0cM0fP2fP2fP2fP2fP2jT3fP2fP2cM0cM0cM0]H.]H.YE,UA*UA*M;(K9&D2#D2#fXP

i\T(UA*YE,]H.]H.cM0cM0cM0fP2fP2fP2fP2fP2jT3fP2fP2cM0cM0cM0]H.]H.YE,UA*UA*M;(K9&D2#D2#fXP

|(UA*YE,YE,`K/cM0cM0jT3jT3jT3qZ6qZ6qZ6u^8u^8u^8qZ6qZ6qZ6nX5jT3jT3jT3fP2cM0`K/]H.YE,UA*Q>(K9&D2#D2#m`X

|(UA*YE,YE,`K/cM0cM0jT3jT3jT3qZ6qZ6qZ6u^8u^8u^8qZ6qZ6qZ6nX5jT3jT3jT3fP2cM0`K/]H.YE,UA*Q>(K9&D2#D2#m`X

L(UA*YE,]H.cM0fP2jT3nX5u^8kUIdO[WIlT@

L(UA*YE,]H.cM0fP2jT3nX5u^8kUIdO[WIlT@

YHxYHx`LpcOjfRefRepZPzb:zb:zb:zb:qZ6qZ6jT3jT3fP2cM0]H.YE,UA*Q>(K9&D2#@."ujb

YHxYHx`LpcOjfRefRepZPzb:zb:zb:zb:qZ6qZ6jT3jT3fP2cM0]H.YE,UA*Q>(K9&D2#@."ujb

@."

@."

YHxjU]zb:zb:u^8qZ6jT3jT3fP2]H.YE,UA*M;(H6Ò#D2#

YHxjU]zb:zb:u^8qZ6jT3jT3fP2]H.YE,UA*M;(H6Ò#D2#

`Lpt]Fu^8qZ6jT3jT3cM0]H.YE,Q>(K9&D2#

`Lpt]Fu^8qZ6jT3jT3cM0]H.YE,Q>(K9&D2#

YHxiS:jT3cM0]H.UA*M;(H6%@."D2#

YHxiS:jT3cM0]H.UA*M;(H6%@."D2#

`KLfP2]H.YE,Q>(H6%@."

`KLfP2]H.YE,Q>(H6%@."

Q>c]H.UA*M;(H6%@."

Q>c]H.UA*M;(H6%@."

]H.UA*H6%@."

]H.UA*H6%@."

fP2]H.UA*H6%@."

fP2]H.UA*H6%@."

iS:]H.UA*K9&D2#

iS:]H.UA*K9&D2#

fP2]H.UA*K9&D2#

fP2]H.UA*K9&D2#

jT3]H.UA*K9&@."

jT3]H.UA*K9&@."

jT3]H.UA*H6%@."

jT3]H.UA*H6%@."

bTKD2#K9&Q>(YE,]H.cM0jT3qZ6tcQ

bTKD2#K9&Q>(YE,]H.cM0jT3qZ6tcQ

qd\D2#H6%Q>(UA*]H.cM0jT3nX5qZ6zb:

qd\D2#H6%Q>(UA*]H.cM0jT3nX5qZ6zb:

ujbD2#H6%K9&Q>(UA*YE,]H.cM0fP2jT3jT3qZ6qZ6u^8u^8zb:zb:zb:zb:zb:yb@vbG{jX

ujbD2#H6%K9&Q>(UA*YE,]H.cM0fP2jT3jT3qZ6qZ6u^8u^8zb:zb:zb:zb:zb:yb@vbG{jX

f`z_T][LCYE,UA*M;(H6Ò#

f`z_T][LCYE,UA*M;(H6Ò#

SD:D2#H6%K9&Q>(UA*YE,]H.`K/cM0fP2jT3jT3jT3jT3nX5nX5qZ6qZ6qZ6qZ6jT3jT3jT3jT3fP2cM0`K/]H.YE,YE,Q>(M;(H6Ò#@."

SD:D2#H6%K9&Q>(UA*YE,]H.`K/cM0fP2jT3jT3jT3jT3nX5nX5qZ6qZ6qZ6qZ6jT3jT3jT3jT3fP2cM0`K/]H.YE,YE,Q>(M;(H6Ò#@."

D2#D2#D2#K9&M;(Q>(UA*YE,YE,]H.`K/cM0cM0cM0cM0cM0cM0cM0cM0cM0cM0`K/]H.YE,YE,UA*UA*Q>(K9&H6Ò#@."

D2#D2#D2#K9&M;(Q>(UA*YE,YE,]H.`K/cM0cM0cM0cM0cM0cM0cM0cM0cM0cM0`K/]H.YE,YE,UA*UA*Q>(K9&H6Ò#@."

VH>D2#D2#H6%K9&M;(Q>(Q>(UA*UA*YE,YE,YE,YE,YE,YE,YE,YE,UA*UA*UA*Q>(M;(K9&H6Ò#D2#

VH>D2#D2#H6%K9&M;(Q>(Q>(UA*UA*YE,YE,YE,YE,YE,YE,YE,YE,UA*UA*UA*Q>(M;(K9&H6Ò#D2#

QA6D2#jXD]H.cM0fP2cM0`K/jXDcSA

QA6D2#jXD]H.cM0fP2cM0`K/jXDcSA

[[\[[\[[\[[\

[[\[[\[[\[[\

__`__`__`__`

__`__`__`__`

[[\[[\[[\[[\[[\[[\[[\[[\[[\[[\[[\[[\

[[\[[\[[\[[\[[\[[\[[\[[\[[\[[\[[\[[\

__`__`__`__`__`__`__`__`__`__`__`__`

__`__`__`__`__`__`__`__`__`__`__`__`

}}}---888

}}}---888

!!!---}}}

!!!---}}}

133336633

133336633

0153668886663311

0153668886663311

1536888

1536888

;886631 ~

;886631 ~

113688;

113688;

86351 ($

86351 ($

>1367631%

>1367631%

848=8_8}8

848=8_8}8

2/2v2

2/2v2

4O4x4

4O4x4

0!0(020?0

0!0(020?0

1!1(121?1

1!1(121?1

2!2(222?2

2!2(222?2

3!3(323?3

3!3(323?3

3(3&5;5{5

3(3&5;5{5

2)21292\2

2)21292\2

`>

`>

9*949:9@9

9*949:9@9

7'7-767=7_7

7'7-767=7_7

9 9$9(9,989

9 9$9(9,989

4 4$4(4,4044484

4 4$4(4,4044484

=0=

=0=

:4:@:`:|:

:4:@:`:|:

mscoree.dll

mscoree.dll

KERNEL32.DLL

KERNEL32.DLL

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

Global\{861C592B-5428-471f-8082-A5FFB5B93894}

Global\{861C592B-5428-471f-8082-A5FFB5B93894}

Advapi32.dll

Advapi32.dll

hXXp://ffmpeg.org/

hXXp://ffmpeg.org/

hXXp://VVV.gnu.org/licenses/lgpl.html

hXXp://VVV.gnu.org/licenses/lgpl.html

hXXp://VVV.ytddownloader.com/src/ffmpeg-20130206.zip

hXXp://VVV.ytddownloader.com/src/ffmpeg-20130206.zip

hXXp://lame.sourceforge.net/

hXXp://lame.sourceforge.net/

hXXp://VVV.gnu.org/licenses/old-licenses/lgpl-2.0.html

hXXp://VVV.gnu.org/licenses/old-licenses/lgpl-2.0.html

hXXp://VVV.ytddownloader.com/src/lame-3.99.5.zip

hXXp://VVV.ytddownloader.com/src/lame-3.99.5.zip

hXXp://opencore-amr.sourceforge.net/

hXXp://opencore-amr.sourceforge.net/

hXXp://VVV.apache.org/licenses/LICENSE-2.0

hXXp://VVV.apache.org/licenses/LICENSE-2.0

hXXp://VVV.ytddownloader.com/src/opencore-amr-0.1.3.zip

hXXp://VVV.ytddownloader.com/src/opencore-amr-0.1.3.zip

hXXp://rtmpdump.mplayerhq.hu/librtmp.3.html

hXXp://rtmpdump.mplayerhq.hu/librtmp.3.html

hXXp://VVV.ytddownloader.com/src/librtmp-2.3.zip

hXXp://VVV.ytddownloader.com/src/librtmp-2.3.zip

hXXp://VVV.openssl.org/

hXXp://VVV.openssl.org/

hXXp://VVV.ytddownloader.com/src/openssl-1.0.0d.zip

hXXp://VVV.ytddownloader.com/src/openssl-1.0.0d.zip

hXXp://VVV.openssl.org/source/license.html

hXXp://VVV.openssl.org/source/license.html

hXXp://VVV.ytddownloader.com/

hXXp://VVV.ytddownloader.com/

hXXps://VVV.videolan.org/

hXXps://VVV.videolan.org/

hXXp://VVV.gnu.org/licenses/lgpl-2.1.html

hXXp://VVV.gnu.org/licenses/lgpl-2.1.html

hXXp://VVV.ytddownloader.com/src/vlc-2.1.0-20130926.zip

hXXp://VVV.ytddownloader.com/src/vlc-2.1.0-20130926.zip

dlg.about.lbl.version

dlg.about.lbl.version

dlg.about.title

dlg.about.title

dlg.about.btn.ok

dlg.about.btn.ok

dlg.about.lbl.gpls

dlg.about.lbl.gpls

hXXp://VVV.ytddownloader.com/

hXXp://VVV.ytddownloader.com/

dlg.about.lbl.copy

dlg.about.lbl.copy

OnKeyUpFromEdit VK_ESCAPE

OnKeyUpFromEdit VK_ESCAPE

OnKeyUpFromEdit VK_RETURN

OnKeyUpFromEdit VK_RETURN

OnKeyUpFromEdit VK_A VK_CONTROL

OnKeyUpFromEdit VK_A VK_CONTROL

grid.column.name.video

grid.column.name.video

grid.column.name.progress

grid.column.name.progress

grid.column.name.speed

grid.column.name.speed

grid.column.name.status

grid.column.name.status

grid.column.name.eta

grid.column.name.eta

grid.column.name.filesize

grid.column.name.filesize

dlg.download.lbl.esttimeh

dlg.download.lbl.esttimeh

%1m %2s

%1m %2s

dlg.download.lbl.esttimem

dlg.download.lbl.esttimem

dlg.download.lbl.esttimes

dlg.download.lbl.esttimes

dlg.download.lbl.speedmb

dlg.download.lbl.speedmb

dlg.download.lbl.speedkb

dlg.download.lbl.speedkb

grid.item.filesizemb

grid.item.filesizemb

grid.item.state.queued

grid.item.state.queued

grid.item.state.downloading

grid.item.state.downloading

grid.item.state.converting

grid.item.state.converting

grid.item.state.canceled

grid.item.state.canceled

grid.item.state.paused

grid.item.state.paused

grid.item.state.retry

grid.item.state.retry

grid.item.state.completed

grid.item.state.completed

grid.item.state.failed

grid.item.state.failed

OnKeyUp VK_A VK_CONTROL

OnKeyUp VK_A VK_CONTROL

OnKeyUp VK_F2

OnKeyUp VK_F2

=%%

=%%

comctl32.dll

comctl32.dll

shell32.dll

shell32.dll

dlg.checkupd.lbl.speed

dlg.checkupd.lbl.speed

dlg.checkupd.lbl.eta

dlg.checkupd.lbl.eta

ytd_installer.exe

ytd_installer.exe

dlg.checkupd.lbl.anewer

dlg.checkupd.lbl.anewer

dlg.checkupd.lbl.clickon

dlg.checkupd.lbl.clickon

dlg.checkupd.lbl.alternatively

dlg.checkupd.lbl.alternatively

dlg.checkupd.lbl.whatsnew

dlg.checkupd.lbl.whatsnew

dlg.checkupd.title

dlg.checkupd.title

dlg.checkupd.btn.installnow

dlg.checkupd.btn.installnow

dlg.checkupd.btn.remind

dlg.checkupd.btn.remind

dlg.checkupd.lbl.dwnldstatus.completed

dlg.checkupd.lbl.dwnldstatus.completed

dlg.ckeckupd.msgbx.runningitems

dlg.ckeckupd.msgbx.runningitems

dlg.checkupd.lbl.dwnldstatus.started

dlg.checkupd.lbl.dwnldstatus.started

dlg.checkupd.btn.tryagain

dlg.checkupd.btn.tryagain

dlg.checkupd.lbl.dwnldstatus.failed

dlg.checkupd.lbl.dwnldstatus.failed

dlg.checkupd.lbl.dwnldstatus.failed.inst

dlg.checkupd.lbl.dwnldstatus.failed.inst

hXXp://VVV.youtubedownloadersite.com/help.html

hXXp://VVV.youtubedownloadersite.com/help.html

ffmpeg -i %1 -strict -2 -vf scale=420:-1 -r 14 -b:v 50k -ar 44100 -ab 56k -ac 1 %2.mp4

ffmpeg -i %1 -strict -2 -vf scale=420:-1 -r 14 -b:v 50k -ar 44100 -ab 56k -ac 1 %2.mp4

dlg.manconv.title

dlg.manconv.title

dlg.manconv.lbl.input.file

dlg.manconv.lbl.input.file

dlg.manconv.lbl.vid.size

dlg.manconv.lbl.vid.size

dlg.manconv.lbl.vid.frame

dlg.manconv.lbl.vid.frame

dlg.manconv.lbl.vid.rate

dlg.manconv.lbl.vid.rate

dlg.manconv.lbl.aud.sample

dlg.manconv.lbl.aud.sample

dlg.manconv.lbl.aud.rate

dlg.manconv.lbl.aud.rate

dlg.manconv.lbl.aud.chanel

dlg.manconv.lbl.aud.chanel

dlg.manconv.lbl.output.file

dlg.manconv.lbl.output.file

dlg.manconv.lbl.improve.qlty

dlg.manconv.lbl.improve.qlty

dlg.manconv.lbl.warn.cell

dlg.manconv.lbl.warn.cell

dlg.btn.ok

dlg.btn.ok

dlg.btn.cancel

dlg.btn.cancel

dlg.btn.help

dlg.btn.help

uxtheme.dll

uxtheme.dll

https

https

testname .com.bat.exe.dll

testname .com.bat.exe.dll

SelfTestSitesUrls.txt

SelfTestSitesUrls.txt

Site is not supported

Site is not supported

tab.name.download

tab.name.download

tab.name.convert

tab.name.convert

tab.name.activity

tab.name.activity

tab.name.play

tab.name.play

dlg.main.btn.help

dlg.main.btn.help

dlg.main.btn.upgrade

dlg.main.btn.upgrade

dlg.main.lbl.link.menu

dlg.main.lbl.link.menu

menu.item.help.faq

menu.item.help.faq

menu.item.help.sup.sites

menu.item.help.sup.sites

menu.item.help.checkupdates

menu.item.help.checkupdates

menu.item.help.about

menu.item.help.about

menu.item.help.registration

menu.item.help.registration

menu.item.help.transfer

menu.item.help.transfer

menu.item.help.license.txt

menu.item.help.license.txt

menu.item.help.privacy.txt

menu.item.help.privacy.txt

menu.item.help.language

menu.item.help.language

hXXp://VVV.ytddownloader.com/faq.html

hXXp://VVV.ytddownloader.com/faq.html

hXXp://VVV.ytddownloader.com/video_sites.html

hXXp://VVV.ytddownloader.com/video_sites.html

hXXp://VVV.youtubedownloadersite.com/license_agreement.txt

hXXp://VVV.youtubedownloadersite.com/license_agreement.txt

hXXp://VVV.youtubedownloadersite.com/privacy_policy.txt

hXXp://VVV.youtubedownloadersite.com/privacy_policy.txt

hXXps://VVV.facebook.com/sharer/sharer.php?app_id=113869198637480&sdk=joey&u=http://ytddownloader.com/&ref=plugin

hXXps://VVV.facebook.com/sharer/sharer.php?app_id=113869198637480&sdk=joey&u=http://ytddownloader.com/&ref=plugin

Got a click with ID=%s

Got a click with ID=%s

hXXp://VVV.ytddownloader.com/contact_us.html

hXXp://VVV.ytddownloader.com/contact_us.html

hXXp://VVV.facebook.com/YTDYouTubeDownloaderConverter

hXXp://VVV.facebook.com/YTDYouTubeDownloaderConverter

hXXp://VVV.youtubedownloadersite.com/review-submission.html

hXXp://VVV.youtubedownloadersite.com/review-submission.html

Added %d languages toi the interface.

Added %d languages toi the interface.

dlg.checkupd.msgbx.runningitems

dlg.checkupd.msgbx.runningitems

dwNextAutoupdate=%d dwCrtTime=%d

dwNextAutoupdate=%d dwCrtTime=%d

csComm.CheckForUpdate() returned=%d

csComm.CheckForUpdate() returned=%d

config.GetNextCheckAutoUpdate() returned=%d

config.GetNextCheckAutoUpdate() returned=%d

DisplayCheckForUpdatesMsg

DisplayCheckForUpdatesMsg

msg.manual.check.updscript

msg.manual.check.updscript

msg.manual.check.upd

msg.manual.check.upd

TransferYourLicense

TransferYourLicense

transferlic.firstmsg

transferlic.firstmsg

PipeMessage

PipeMessage

addurl

addurl

OnTransferLicenseMsg

OnTransferLicenseMsg

Your license key was reset. You can now use key %1% on another computer.

Your license key was reset. You can now use key %1% on another computer.

transferlic.secondmsg

transferlic.secondmsg

OnRegistrationMsg

OnRegistrationMsg

register.success

register.success

dlg.register.error.invalid

dlg.register.error.invalid

hXXp://VVV.youtubedownloadersite.com/reset_license.html

hXXp://VVV.youtubedownloadersite.com/reset_license.html

dlg.register.error.inuse

dlg.register.error.inuse

dlg.register.link.help

dlg.register.link.help

dlg.register.error.again

dlg.register.error.again

dlg.register.error.free

dlg.register.error.free

dlg.register.error.buy

dlg.register.error.buy

dlg.register.error.title

dlg.register.error.title

hXXp://VVV.youtubedownloadersite.com/premium.html?ft=0

hXXp://VVV.youtubedownloadersite.com/premium.html?ft=0

dlg.register.error.commerr

dlg.register.error.commerr

OnBrowserLogin

OnBrowserLogin

Please login

Please login

dlg.about.lbl.licensekey

dlg.about.lbl.licensekey

dlg.register.lbl.expiration

dlg.register.lbl.expiration

dlg.register.invalid.lic

dlg.register.invalid.lic

dlg.register.lbl.please

dlg.register.lbl.please

dlg.register.syslink

dlg.register.syslink

dlg.register.btn.cancel

dlg.register.btn.cancel

dlg.register.btn.register

dlg.register.btn.register

dlg.register.title

dlg.register.title

YouTube Login

YouTube Login

dlg.login.title.yt

dlg.login.title.yt

dlg.login.lbl.yt

dlg.login.lbl.yt

Facebook Login

Facebook Login

dlg.login.title.fb

dlg.login.title.fb

dlg.login.lbl.fb

dlg.login.lbl.fb

dlg.login.lbl.username

dlg.login.lbl.username

dlg.login.lbl.pwd

dlg.login.lbl.pwd

tab.activity.btn.play.tooltip

tab.activity.btn.play.tooltip

tab.activity.btn.pause.tooltip

tab.activity.btn.pause.tooltip

tab.activity.btn.stop.tooltip

tab.activity.btn.stop.tooltip

tab.activity.btn.clear.tooltip

tab.activity.btn.clear.tooltip

tab.activity.btn.browse.tooltip

tab.activity.btn.browse.tooltip

tab.activity.btn.pro

tab.activity.btn.pro

grid.menu.item.playytd

grid.menu.item.playytd

grid.menu.item.play

grid.menu.item.play

grid.menu.item.delete

grid.menu.item.delete

grid.menu.item.deletefile

grid.menu.item.deletefile

grid.menu.item.stop

grid.menu.item.stop

grid.menu.item.pause

grid.menu.item.pause

grid.menu.item.rename

grid.menu.item.rename

grid.menu.item.open

grid.menu.item.open

explorer.exe

explorer.exe

grid.menu.item.msgbox

grid.menu.item.msgbox

user32.dll

user32.dll

tab.convert.url.gopro

tab.convert.url.gopro

dlg.main.combo.convrt.ipad

dlg.main.combo.convrt.ipad

dlg.main.combo.convrt.ipod

dlg.main.combo.convrt.ipod

dlg.main.combo.convrt.iphone

dlg.main.combo.convrt.iphone

dlg.main.combo.convrt.psp

dlg.main.combo.convrt.psp

dlg.main.combo.convrt.cell

dlg.main.combo.convrt.cell

Windows Media Video (V.7 WMV)

Windows Media Video (V.7 WMV)

dlg.main.combo.convrt.wmv

dlg.main.combo.convrt.wmv

dlg.main.combo.convrt.xvid

dlg.main.combo.convrt.xvid

dlg.main.combo.convrt.mpeg

dlg.main.combo.convrt.mpeg

dlg.main.combo.convrt.manual

dlg.main.combo.convrt.manual

dlg.main.combo.convrtquality.high

dlg.main.combo.convrtquality.high

dlg.main.combo.convrtquality.opt

dlg.main.combo.convrtquality.opt

dlg.main.combo.convrtquality.med

dlg.main.combo.convrtquality.med

dlg.main.combo.convrtquality.low

dlg.main.combo.convrtquality.low

dlg.main.combo.convrtquality.same

dlg.main.combo.convrtquality.same

dlg.main.btn.convert

dlg.main.btn.convert

dlg.main.lbl.edit.slct.file

dlg.main.lbl.edit.slct.file

dlg.main.lbl.combo.convert.to

dlg.main.lbl.combo.convert.to

dlg.main.tab.convrt.cut

dlg.main.tab.convrt.cut

dlg.main.tab.convrt.start

dlg.main.tab.convrt.start

dlg.main.tab.convrt.end

dlg.main.tab.convrt.end

dlg.main.tab.convrt.advanced

dlg.main.tab.convrt.advanced

dlg.main.tab.convrt.videovol

dlg.main.tab.convrt.videovol

dlg.main.tab.convrt.replace

dlg.main.tab.convrt.replace

dlg.main.tab.convrt.sameasdwnld

dlg.main.tab.convrt.sameasdwnld

dlg.main.tab.convrt.quality

dlg.main.tab.convrt.quality

dlg.main.lbl.saveto

dlg.main.lbl.saveto

dlg.main.check.del.orgconv.file

dlg.main.check.del.orgconv.file

dlg.main.lbl.gopro

dlg.main.lbl.gopro

00:00:00

00:00:00

tab.convert.msg.invalid.cut.time

tab.convert.msg.invalid.cut.time

msg.select.file

msg.select.file

msg.notexist.download.dir

msg.notexist.download.dir

Failed to CreateFullPathFolder(%s)

Failed to CreateFullPathFolder(%s)

grid.item.name.default

grid.item.name.default

tab.convert.dlg.open

tab.convert.dlg.open

All Video Files (*.flv;*.mp4;*.mov;*.avi;*.vmw;*.m4v;*.3gp)

All Video Files (*.flv;*.mp4;*.mov;*.avi;*.vmw;*.m4v;*.3gp)

*.flv;*.mp4;*.mov;*.avi;*.vmw;*.m4v;*.3gp

*.flv;*.mp4;*.mov;*.avi;*.vmw;*.m4v;*.3gp

All Files (*.*)

All Files (*.*)

Avi Files (*.avi)

Avi Files (*.avi)

*.avi

*.avi

Flv Files (*.flv)

Flv Files (*.flv)

*.flv

*.flv

Mov Files (*.mov)

Mov Files (*.mov)

*.mov

*.mov

Mp4 Files (*.mp4)

Mp4 Files (*.mp4)

*.mp4

*.mp4

Wmv Files (*.wmv)

Wmv Files (*.wmv)

*.wmv

*.wmv

msg.choose.convert.dir

msg.choose.convert.dir

For multiple URLs go PRO!

For multiple URLs go PRO!

dlg.main.btn.browse

dlg.main.btn.browse

dlg.main.btn.download

dlg.main.btn.download

dlg.main.btn.paste

dlg.main.btn.paste

dlg.main.lbl.edit.url2.dwnld

dlg.main.lbl.edit.url2.dwnld

dlg.main.lbl.dwnl.qlty

dlg.main.lbl.dwnl.qlty

dlg.main.check.autoconvert.to

dlg.main.check.autoconvert.to

dlg.main.combo.dwnl.best

dlg.main.combo.dwnl.best

dlg.main.combo.dwnl.fullhd

dlg.main.combo.dwnl.fullhd

dlg.main.combo.dwnl.hd

dlg.main.combo.dwnl.hd

dlg.main.combo.dwnl.standard

dlg.main.combo.dwnl.standard

dlg.main.combo.dwnl.mediumflv

dlg.main.combo.dwnl.mediumflv

dlg.main.combo.dwnl.mediummp4

dlg.main.combo.dwnl.mediummp4

dlg.main.combo.dwnl.low

dlg.main.combo.dwnl.low

dlg.main.combo.dwnl.verylow

dlg.main.combo.dwnl.verylow

Enter video URL!

Enter video URL!

msg.err.enter.url

msg.err.enter.url

Please check a list of streaming sites here: hXXp://VVV.ytddownloader.com/video_sites.html.

Please check a list of streaming sites here: hXXp://VVV.ytddownloader.com/video_sites.html.

msg.err.unsuport.site

msg.err.unsuport.site

msg.download.playlist

msg.download.playlist

One or more URLs are full channels. The videos in the channel will be downloaded one at a time. Depending on the size of the videos, this could take a long time.

One or more URLs are full channels. The videos in the channel will be downloaded one at a time. Depending on the size of the videos, this could take a long time.

msg.download.channel

msg.download.channel

msg.choose.download.dir

msg.choose.download.dir

hXXp://

hXXp://

hXXps://

hXXps://

Failed to Open(HKEY_CURRENT_USER, %s)

Failed to Open(HKEY_CURRENT_USER, %s)

tab.play.combo.view.mru.dirs

tab.play.combo.view.mru.dirs

tab.play.files.list

tab.play.files.list

tab.play.choose.dir

tab.play.choose.dir

player.btn.play

player.btn.play

player.btn.previous

player.btn.previous

player.btn.next

player.btn.next

player.btn.fullscreen

player.btn.fullscreen

player.btn.mute

player.btn.mute

player.btn.closefullscreen

player.btn.closefullscreen

Visit our website

Visit our website

player.btn.logo

player.btn.logo

m_lastAction=%s oldMediaState=%s mediaState=%s, m_bPlayBtnState=%d, m_bFullScreen=%d, m_ulDurationMs=%d, m_nTrackerPos=%d, m_bMute=%d, m_nVolumePos=%d.

m_lastAction=%s oldMediaState=%s mediaState=%s, m_bPlayBtnState=%d, m_bFullScreen=%d, m_ulDurationMs=%d, m_nTrackerPos=%d, m_bMute=%d, m_nVolumePos=%d.

m_vlcEngine.PlayFile(m_strFileToPlay=%s) m_ulDurationMs=%d).

m_vlcEngine.PlayFile(m_strFileToPlay=%s) m_ulDurationMs=%d).

Going to play file=%s.

Going to play file=%s.

Going to resume play file and after play file=%s.

Going to resume play file and after play file=%s.

TogglePlayPause to m_bPlayBtnState=%d.

TogglePlayPause to m_bPlayBtnState=%d.

*.mp3

*.mp3

*.fid

*.fid

.tmp.

.tmp.

OnKeyUpFromEdit

OnKeyUpFromEdit

player.btn.unmute

player.btn.unmute

player.btn.pause

player.btn.pause

OnKeyDownFromPlayer

OnKeyDownFromPlayer

Shell.Explorer

Shell.Explorer

(%d).

(%d).

grid.item.state.failCodes.threading

grid.item.state.failCodes.threading

grid.item.state.failCodes.rtmperror

grid.item.state.failCodes.rtmperror

grid.item.state.failCodes.sizeerror

grid.item.state.failCodes.sizeerror

grid.item.state.failCodes.ioerror

grid.item.state.failCodes.ioerror

grid.item.state.failCodes.httpcode

grid.item.state.failCodes.httpcode

grid.item.state.failCodes.invalidurl

grid.item.state.failCodes.invalidurl

grid.item.state.failCodes.servererror

grid.item.state.failCodes.servererror

grid.item.state.failCodes.noconection

grid.item.state.failCodes.noconection

grid.item.state.failCodes.unknown

grid.item.state.failCodes.unknown

4.8.9

4.8.9

Lang\res%1.ini

Lang\res%1.ini

Software\{DAF8B7E5-449D-4180-8281-10E536E597F2}\

Software\{DAF8B7E5-449D-4180-8281-10E536E597F2}\

c:\TempForSelfTest

c:\TempForSelfTest

scripts.yds

scripts.yds

scripts%d.yds

scripts%d.yds

savedItems.ysi

savedItems.ysi

ext = %s

ext = %s

append = %s

append = %s

outputTempFile = %s : outputFile = %s

outputTempFile = %s : outputFile = %s

GetCmdLine

GetCmdLine

CmdLine = %s

CmdLine = %s

Returned %s

Returned %s

Returned size.cx=%d, size.cy=%d

Returned size.cx=%d, size.cy=%d

Returned original size cx=%d, cy=%d

Returned original size cx=%d, cy=%d

Returned size cx=%d, cy=%d

Returned size cx=%d, cy=%d

Returning %s

Returning %s

-vf scale=%d:-1

-vf scale=%d:-1

-q:v %d

-q:v %d

-ar %d

-ar %d

-ac %d

-ac %d

-vol %d

-vol %d

SetOutputFile(%s)

SetOutputFile(%s)

SetTempFilename(%s)

SetTempFilename(%s)

Will call SuspendThread(%d)

Will call SuspendThread(%d)

Failed to WriteFile(q). err=%d.

Failed to WriteFile(q). err=%d.

quit for ffmpeg.exe process manual=%d bFail=%d.

quit for ffmpeg.exe process manual=%d bFail=%d.

TerminateProcess(%d)

TerminateProcess(%d)

Failed to PreparePipes().

Failed to PreparePipes().

PreparePipes

PreparePipes

Failed to CreatePipe(StdOut). err=%d.

Failed to CreatePipe(StdOut). err=%d.

Failed to SetHandleInformation() err=%d.

Failed to SetHandleInformation() err=%d.

Failed to CreatePipe(StdIn). err=%d.

Failed to CreatePipe(StdIn). err=%d.

Exiting with m_hStdOutRead=%d, m_hStdOutWrite=%d, m_hStdInRead=%d, m_hStdInWrite=%d

Exiting with m_hStdOutRead=%d, m_hStdOutWrite=%d, m_hStdInRead=%d, m_hStdInWrite=%d

Failed to CreateProcess(%s).

Failed to CreateProcess(%s).

Success, CreateProcess(%s)

Success, CreateProcess(%s)

\manual.bat "

\manual.bat "

Failed to GetExitCodeProcess(%d) with err=%d

Failed to GetExitCodeProcess(%d) with err=%d

Failed to WaitForSingleObject(%d) on ffmpeg.exe handle. It may crashed!

Failed to WaitForSingleObject(%d) on ffmpeg.exe handle. It may crashed!

Failed to FileUtils::DeleteFile(%s)

Failed to FileUtils::DeleteFile(%s)

Failure, file %s do not exists

Failure, file %s do not exists

Failed to RenameTempToFinalName() from %s to %s

Failed to RenameTempToFinalName() from %s to %s

Failed to ::DeleteFile(%s)

Failed to ::DeleteFile(%s)

Will try to ResumeThread(%d).

Will try to ResumeThread(%d).

Failed to ResumeThread(%d).

Failed to ResumeThread(%d).

Failure, you shouldn't call this since status is %d and m_processInfo.hThread=%d

Failure, you shouldn't call this since status is %d and m_processInfo.hThread=%d

Start WaitForSingleObject on ffmpeg.exe process handle.

Start WaitForSingleObject on ffmpeg.exe process handle.

Start looping on ffmpeg.exe process console output.

Start looping on ffmpeg.exe process console output.

%s %d Stop detected. m_hStdOutRead=%d m_bAppClosing=%d m_bStop=%d.

%s %d Stop detected. m_hStdOutRead=%d m_bAppClosing=%d m_bStop=%d.

%s %d Failed to ReadFile(m_hStdOutRead=%d). m_bStop=%d m_bAppClosing=%d

%s %d Failed to ReadFile(m_hStdOutRead=%d). m_bStop=%d m_bAppClosing=%d

%s %d ReadFile(m_hStdOutRead=%d) returned zero bytes. m_bStop=%d m_bAppClosing=%d

%s %d ReadFile(m_hStdOutRead=%d) returned zero bytes. m_bStop=%d m_bAppClosing=%d

%s %d Output of ::ReadFile(from std out) is: %s

%s %d Output of ::ReadFile(from std out) is: %s

Try to set max progress using: %s

Try to set max progress using: %s

Current time=%s

Current time=%s

Success m_bStop=%d.

Success m_bStop=%d.

advapi32.dll

advapi32.dll

Primeport

Primeport

GetSync(strRequestURL=%s, parResponse=%d) returned %d

GetSync(strRequestURL=%s, parResponse=%d) returned %d

strRequestURL=%s, strFilePath=%s, bStop=%d

strRequestURL=%s, strFilePath=%s, bStop=%d

GetSync(strRequestURL=%s, bStop=%d) returned %d

GetSync(strRequestURL=%s, bStop=%d) returned %d

strRequestURL=%s, bStop=%d, parResponse=%d, bSaveToFile=%d

strRequestURL=%s, bStop=%d, parResponse=%d, bSaveToFile=%d

Status code: %s

Status code: %s

Received header: %s

Received header: %s

Send header: %s

Send header: %s

IsHTTPStatusOK

IsHTTPStatusOK

IsHTTPStatusRedirect

IsHTTPStatusRedirect

Failed to InternetSetOption(NULL, INTERNET_OPTION_MAX_CONNS_PER_SERVER, 64) last error = %d

Failed to InternetSetOption(NULL, INTERNET_OPTION_MAX_CONNS_PER_SERVER, 64) last error = %d

Failed to InternetSetOption(NULL, INTERNET_OPTION_MAX_CONNS_PER_1_0_SERVER, 64) last error = %d

Failed to InternetSetOption(NULL, INTERNET_OPTION_MAX_CONNS_PER_1_0_SERVER, 64) last error = %d

Failed to InternetSetOption(NULL, INTERNET_OPTION_CONNECT_RETRIES, 4) last error = %d

Failed to InternetSetOption(NULL, INTERNET_OPTION_CONNECT_RETRIES, 4) last error = %d

GetLastError() = %d

GetLastError() = %d

HTTP/1.1

HTTP/1.1

::HttpOpenRequest() did worked.

::HttpOpenRequest() did worked.

SerializeHeader = %s

SerializeHeader = %s

::HttpSendRequest(GET) returned=%d.

::HttpSendRequest(GET) returned=%d.

::HttpSendRequest(POST) returned=%d. Posted data=%s

::HttpSendRequest(POST) returned=%d. Posted data=%s

strRequestURL=%s, bStop=%d, pINotifier=%d, pStatisticsNotify=%d, bSaveToFile=%d

strRequestURL=%s, bStop=%d, pINotifier=%d, pStatisticsNotify=%d, bSaveToFile=%d

strRequestURL=%s, strVerb=%s, bAutoRedirect=%d

strRequestURL=%s, strVerb=%s, bAutoRedirect=%d

this->InternetOpen(bStop=%d) returned error=%s

this->InternetOpen(bStop=%d) returned error=%s

this->SendRequest(strRequestURL=%s, strVerb=%s, bStop=%d) returned hInternetGETRequest=%x and error=%s

this->SendRequest(strRequestURL=%s, strVerb=%s, bStop=%d) returned hInternetGETRequest=%x and error=%s

this->IsHTTPStatusOK(hInternetGETRequest=%x) returned false

this->IsHTTPStatusOK(hInternetGETRequest=%x) returned false

strRequestURL=%s

strRequestURL=%s

this->InternetOpen(bStop=%d) returned err=%s;

this->InternetOpen(bStop=%d) returned err=%s;

this->AddSendHeaderValue(%s, %s))

this->AddSendHeaderValue(%s, %s))

AddSendHeaderValue(HTTP_RANGE, %s))

AddSendHeaderValue(HTTP_RANGE, %s))

this->SendRequest(strRequestURL, %s, %d) returned err=%s;

this->SendRequest(strRequestURL, %s, %d) returned err=%s;

GetStatusCode = %s

GetStatusCode = %s

Using ranges. strContentLength = %s ulRespStart=%lld, ulRespEnd=%lld

Using ranges. strContentLength = %s ulRespStart=%lld, ulRespEnd=%lld

GetStartEndFromHeaders(strRange=%s, ulRespStart=%lld, ulRespEnd=%lld) but we asked for %lld -> %lld

GetStartEndFromHeaders(strRange=%s, ulRespStart=%lld, ulRespEnd=%lld) but we asked for %lld -> %lld

Not using ranges. strContentLength = %s

Not using ranges. strContentLength = %s

InternetReadFileEx Failed last error = %d. ulTotalBytesToRead=%lld ulFileOffset=%lld ulStartOffset=%lld

InternetReadFileEx Failed last error = %d. ulTotalBytesToRead=%lld ulFileOffset=%lld ulStartOffset=%lld

youtube.com

youtube.com

hXXp://VVV.youtube.com/watch?

hXXp://VVV.youtube.com/watch?

hXXps://VVV.youtube.com/watch?

hXXps://VVV.youtube.com/watch?

hXXp://VVV.youtube.com/watch_popup?

hXXp://VVV.youtube.com/watch_popup?

hXXps://VVV.youtube.com/watch_popup?

hXXps://VVV.youtube.com/watch_popup?

hXXp://VVV.youtube.com/embed/

hXXp://VVV.youtube.com/embed/

hXXps://VVV.youtube.com/embed/

hXXps://VVV.youtube.com/embed/

hXXp://VVV.youtube.com/watch?v=

hXXp://VVV.youtube.com/watch?v=

m_status=%s

m_status=%s

OldStatus=%s Status=%s Url=%s

OldStatus=%s Status=%s Url=%s

Wrong state %s for Run().

Wrong state %s for Run().

New state %d ? Should treat it.

New state %d ? Should treat it.

SubItems count=%d, Url=%s

SubItems count=%d, Url=%s

Sub item seems to be finished already, pMultiSubItem=%x m_ulStart=%lld is NOT LESS then m_ulEnd=%lld

Sub item seems to be finished already, pMultiSubItem=%x m_ulStart=%lld is NOT LESS then m_ulEnd=%lld

Failed to create AsyncDownload thread pSubItem=%x

Failed to create AsyncDownload thread pSubItem=%x

IsRunning()=%d spSubItem->AsyncResume()=%d pSubItem->m_hThread=%x

IsRunning()=%d spSubItem->AsyncResume()=%d pSubItem->m_hThread=%x

Sub item seems to be invalid or finished already pSubItem=%x

Sub item seems to be invalid or finished already pSubItem=%x

Yes master, oldState=%s and current state=%s

Yes master, oldState=%s and current state=%s

Failed to m_parser.Run() Url=%s

Failed to m_parser.Run() Url=%s

Failed to m_fileOutput.Create() Url=%s fileName=%s

Failed to m_fileOutput.Create() Url=%s fileName=%s

Failed to CrackUrl(VidUrl) Url=%s VidUrl=%s

Failed to CrackUrl(VidUrl) Url=%s VidUrl=%s

IsMultistream=%d OldStatus=%s Status=%s Url=%s

IsMultistream=%d OldStatus=%s Status=%s Url=%s

Failed to RunOneStreamThread(VidUrl) Url=%s VidUrl=%s

Failed to RunOneStreamThread(VidUrl) Url=%s VidUrl=%s

Failed to RunMultiStreamThreads(VidUrl) Url=%s VidUrl=%s

Failed to RunMultiStreamThreads(VidUrl) Url=%s VidUrl=%s

Failed to RTMP RunOneStreamThread(VidUrl) Url=%s VidUrl=%s

Failed to RTMP RunOneStreamThread(VidUrl) Url=%s VidUrl=%s

Failed to m_parser.Run() for Url=%s and err=%d. Will put it for retry.

Failed to m_parser.Run() for Url=%s and err=%d. Will put it for retry.

Closed %x thread at iteration=%d

Closed %x thread at iteration=%d

It's only directory so new temp file name generated to be %s.

It's only directory so new temp file name generated to be %s.

Failed to create temp file %s with hResult=%x lastError=%d

Failed to create temp file %s with hResult=%x lastError=%d

Succeeded to create/open temp file %s CREATE_ALWAYS=%d

Succeeded to create/open temp file %s CREATE_ALWAYS=%d

Failed to m_fileOutput.SetSize(pItem->m_ulFileSize=%lld)

Failed to m_fileOutput.SetSize(pItem->m_ulFileSize=%lld)

StartSubItemThread() Url=%s ulStart=%lld ulEnd=%lld

StartSubItemThread() Url=%s ulStart=%lld ulEnd=%lld

Failed to AddDownloadSubItem(of subItemType=%d) Url=%s

Failed to AddDownloadSubItem(of subItemType=%d) Url=%s

CreateThread(AsyncDownload) of subItemType=%d Url=%s

CreateThread(AsyncDownload) of subItemType=%d Url=%s

Failed to CreateThread(AsyncDonwload) Url=%s

Failed to CreateThread(AsyncDonwload) Url=%s

Url=%s err=%d

Url=%s err=%d

Failed to Run() subItem=%d.

Failed to Run() subItem=%d.

iteration=%d

iteration=%d

dwRuningSubItems=%d

dwRuningSubItems=%d

ERR_DNET_PARSING_INVALID_URL

ERR_DNET_PARSING_INVALID_URL

ERR_DNET_PARSING_HTTP_STATUS_NOK

ERR_DNET_PARSING_HTTP_STATUS_NOK

ERR_DLD_INVALID_URL

ERR_DLD_INVALID_URL

ERR_DNET_DLD_INVALID_URL

ERR_DNET_DLD_INVALID_URL

ERR_DNET_DLD_HTTP_STATUS_NOK

ERR_DNET_DLD_HTTP_STATUS_NOK

pSubItem->m_type=%d Old status=%s status=%s m_bSubItemStop=%d error=%s

pSubItem->m_type=%d Old status=%s status=%s m_bSubItemStop=%d error=%s

Multi stream sub item finished with error=%s HTTPstatus=%s.

Multi stream sub item finished with error=%s HTTPstatus=%s.

Failed with netw error=%d and HTTP status=%s.

Failed with netw error=%d and HTTP status=%s.

Exiting with result=%s.

Exiting with result=%s.

Net err=%s and HTTP status=%s m_ulStart=%lld m_ulEnd=%lld.

Net err=%s and HTTP status=%s m_ulStart=%lld m_ulEnd=%lld.

Exiting with result=%s m_ulStart=%lld, m_ulEnd=%lld, m_ulCurrentOffset=%lld.

Exiting with result=%s m_ulStart=%lld, m_ulEnd=%lld, m_ulCurrentOffset=%lld.

m_ulStart=%lld m_ulEnd=%lld m_hThread=%x.

m_ulStart=%lld m_ulEnd=%lld m_hThread=%x.

Finished DownloadToFile with error=%s.

Finished DownloadToFile with error=%s.

Rename tempFileName=%s TO fileName=%s

Rename tempFileName=%s TO fileName=%s

oldStatus=%s status=%s networkError=%s HTTPstatus=%s failedError=%s. Url=%s

oldStatus=%s status=%s networkError=%s HTTPstatus=%s failedError=%s. Url=%s

Post the item complete message to main dialog. Url=%s

Post the item complete message to main dialog. Url=%s

Try to delete the outputFile=%s fileExist=%d.

Try to delete the outputFile=%s fileExist=%d.

(%s).

(%s).

Found error nb=%s HTTPstatus=%s downloading Url=%s

Found error nb=%s HTTPstatus=%s downloading Url=%s

%s_part_d

%s_part_d

Running multi part for URL=%s

Running multi part for URL=%s

Page does not contain searched info. URL=%s

Page does not contain searched info. URL=%s

Failed to create new DownloadItem(%s).

Failed to create new DownloadItem(%s).

status = %s oldStatus = %s nb of downloads items =%d URL=%s

status = %s oldStatus = %s nb of downloads items =%d URL=%s

Failed to pMainItem->ParseParts(), failCode is=%d and HTTPstatus is=%s, customError=%s

Failed to pMainItem->ParseParts(), failCode is=%d and HTTPstatus is=%s, customError=%s

Failure, pMainItem->m_lstDownloads.GetCount() is zero.

Failure, pMainItem->m_lstDownloads.GetCount() is zero.

Failed to download video Url=%s, err =%d

Failed to download video Url=%s, err =%d

WaitForSingleObject failed, dwError = %d

WaitForSingleObject failed, dwError = %d

Ended waiting for %d

Ended waiting for %d

WriteTextToFile %s

WriteTextToFile %s

Entering to Pause current item = %x, URL=%s, m_status=%s

Entering to Pause current item = %x, URL=%s, m_status=%s

Paused current item = %x, URL=%s

Paused current item = %x, URL=%s

Will Stop Url=%s with m_pCurrentItem=%d m_lstDownloads.GetCount=%d m_status became %s

Will Stop Url=%s with m_pCurrentItem=%d m_lstDownloads.GetCount=%d m_status became %s

strEntireFileName=%s strPartsListFile=%s

strEntireFileName=%s strPartsListFile=%s

\ffmpeg.exe

\ffmpeg.exe

cmd /c

cmd /c

lang.name

lang.name

lang.id

lang.id

\Lang\*.ini

\Lang\*.ini

%s-%s.log

%s-%s.log

%H:%M:%S

%H:%M:%S

0xX~0xX~%s~%s~%s::%s()~

0xX~0xX~%s~%s~%s::%s()~

IDispatch error #%d

IDispatch error #%d

bRet=%d for FileUtils::RenameFile(%s, %s)

bRet=%d for FileUtils::RenameFile(%s, %s)

Failed to open .flv file

Failed to open .flv file

Failed to write .flv file

Failed to write .flv file

Failed to open file %s

Failed to open file %s

Failed to read from file %s

Failed to read from file %s

Failed to write %s file

Failed to write %s file

"%s" -f concat -i "%s" -c copy "%s"

"%s" -f concat -i "%s" -c copy "%s"

bRet=%d for SysUtils::ExecuteCommand(%s, INFINITE)

bRet=%d for SysUtils::ExecuteCommand(%s, INFINITE)

"%s" -i "%s" -i "%s" -vcodec copy -acodec copy "%s"

"%s" -i "%s" -i "%s" -vcodec copy -acodec copy "%s"

\\.\pipe\p{861C592B-5428-471f-8082-A5FFB5B93894}

\\.\pipe\p{861C592B-5428-471f-8082-A5FFB5B93894}

ERR_CRACK_URL_FAILED

ERR_CRACK_URL_FAILED

ERR_HTTP_STATUS_NOK

ERR_HTTP_STATUS_NOK

All files (*.*)

All files (*.*)

cmd /c icacls "%s" /grant BUILTINUsers:(F) /t /c

cmd /c icacls "%s" /grant BUILTINUsers:(F) /t /c

%d;

%d;

%d;

%d;

u00%x

u00%x

Initiating StopAllActivity() for %d items.

Initiating StopAllActivity() for %d items.

Next item=0x%x

Next item=0x%x

Remove from grid item=%x

Remove from grid item=%x

Stopping item=%x removed from grid

Stopping item=%x removed from grid

Just removed from active list item=%x

Just removed from active list item=%x

pNextQueued->Run(0x%x)

pNextQueued->Run(0x%x)

hXXp://VVV.youtubedownloadersite.com/api/rcsvc.php?kt=[regKT]

hXXp://VVV.youtubedownloadersite.com/api/rcsvc.php?kt=[regKT]

Windows

Windows

12F8B979-DFB5-4551-82CC-7A8D9254DE78

12F8B979-DFB5-4551-82CC-7A8D9254DE78

*.log

*.log

Failed to Init m_parser! Missing scripts0.yds??

Failed to Init m_parser! Missing scripts0.yds??

Failed to Load saved items from file %s.

Failed to Load saved items from file %s.

Will try to create item for %s

Will try to create item for %s

Failed to create new download item for %s!

Failed to create new download item for %s!

Failed to create new convert item for %s!

Failed to create new convert item for %s!

Output conversion directory does not exist %s.

Output conversion directory does not exist %s.

Nonexistent conversion input fileName %s.

Nonexistent conversion input fileName %s.

FilterUnsupportedSites

FilterUnsupportedSites

Empty URLs list.

Empty URLs list.

Localized resource file %s does not exist.

Localized resource file %s does not exist.

Failed to m_parser.Init.

Failed to m_parser.Init.

hXXp://VVV.youtubedownloadersite.com/premium.html?lngid=%1&lt=%2&isn=%3&av=%4&ft=%5

hXXp://VVV.youtubedownloadersite.com/premium.html?lngid=%1&lt=%2&isn=%3&av=%4&ft=%5

Successfully read the strFileName=%s

Successfully read the strFileName=%s

Wrong format of file! line=%s

Wrong format of file! line=%s

Successfully read the line=%s

Successfully read the line=%s

FileUtils::WriteTextToFile() failed with err=%d

FileUtils::WriteTextToFile() failed with err=%d

Second FileUtils::WriteTextToFile() failed with err=%d

Second FileUtils::WriteTextToFile() failed with err=%d

Successfully saved items into strFileName=%s

Successfully saved items into strFileName=%s

Failed, m_appCfg.GetNormalScriptPath()

Failed, m_appCfg.GetNormalScriptPath()

Failed to LoadScripts(%s)

Failed to LoadScripts(%s)

VIDURL

VIDURL

REQUESTLOGINWEB

REQUESTLOGINWEB

REQUESTLOGIN

REQUESTLOGIN

RTMP_SWFURL

RTMP_SWFURL

RTMP_PAGEURL

RTMP_PAGEURL

login

login

Empty keyword or var name found

Empty keyword or var name found

ISURLALIVE

ISURLALIVE

URLDCD

URLDCD

URLENC

URLENC

SiteParser::ExecuteStatement() Failed, exception caught.

SiteParser::ExecuteStatement() Failed, exception caught.

ExecVidUrl

ExecVidUrl

Wrong VIDURL statement, var name empty.

Wrong VIDURL statement, var name empty.

VIDURL=%s

VIDURL=%s

GETTITLE=%s

GETTITLE=%s

VIDNAME=%s

VIDNAME=%s

ExecIsURLAlive

ExecIsURLAlive

strURL=%s

strURL=%s

ISURLALIVE=FALSE err=%d

ISURLALIVE=FALSE err=%d

ISURLALIVE=TRUE

ISURLALIVE=TRUE

LENGTH(%s)=%s

LENGTH(%s)=%s

REVERSE(%s)=%s

REVERSE(%s)=%s

RUNJS(%s)=%s

RUNJS(%s)=%s

SetUserAgent(%s)

SetUserAgent(%s)

Failure, net.GetSync() return error=%s

Failure, net.GetSync() return error=%s

SUBSTR=%s

SUBSTR=%s

ADDSTR=%s

ADDSTR=%s

GetHtml=%s

GetHtml=%s

net.GetSync(%s) return error=%d

net.GetSync(%s) return error=%d

GETHTML2=%s

GETHTML2=%s

ExecUrlEncode

ExecUrlEncode

Wrong URLENC statement

Wrong URLENC statement

URLENCODE=%s

URLENCODE=%s

ExecUrlDecode

ExecUrlDecode

Wrong URLDCD statement

Wrong URLDCD statement

URLDCD=%s

URLDCD=%s

JSDCD=%s

JSDCD=%s

JSUDCD=%s

JSUDCD=%s

REPLACE=%s

REPLACE=%s

POST(%s, %s, %s)=%s

POST(%s, %s, %s)=%s

BINPOST(%s, %s, %s)=%s

BINPOST(%s, %s, %s)=%s

net.GetSync() return %s %d

net.GetSync() return %s %d

HEX=%s

HEX=%s

STRFROMARR=%s

STRFROMARR=%s

FINDSTR=%s

FINDSTR=%s

HTMLDECODE=%s

HTMLDECODE=%s

Using UserAgent=%s

Using UserAgent=%s

Failure, net.GetCookie() return error=%d

Failure, net.GetCookie() return error=%d

GETCOOKIE=%s

GETCOOKIE=%s

Failure, net.SetCookie() return error=%d

Failure, net.SetCookie() return error=%d

SETCOOKIE succeeded for site=%s cookieName=%s cookieVal=%s.

SETCOOKIE succeeded for site=%s cookieName=%s cookieVal=%s.

GETYOUTUBEQ=%s

GETYOUTUBEQ=%s

GetFormatYoutube found %s

GetFormatYoutube found %s

IF %s=%s %s %s=%s THEN

IF %s=%s %s %s=%s THEN

ExecRequestLoginWeb

ExecRequestLoginWeb

Wrong REQUESTLOGINWEB statement

Wrong REQUESTLOGINWEB statement

BrowserLoginClosed

BrowserLoginClosed

Failed to CreateEvent(BrowserLoginClosed)

Failed to CreateEvent(BrowserLoginClosed)

REQUESTLOGINWEB for %s executed successfully.

REQUESTLOGINWEB for %s executed successfully.

ExecRequestLogin

ExecRequestLogin

Wrong REQUESTLOGIN statement

Wrong REQUESTLOGIN statement

ERRMSG

ERRMSG

ERRMSGID

ERRMSGID

facebook.com

facebook.com

LoginToYoutube

LoginToYoutube

youtubelogin

youtubelogin

youtubelogin script missing from scripts.txt

youtubelogin script missing from scripts.txt

LoginToYoutube executed. Exit code is %s

LoginToYoutube executed. Exit code is %s

LoginToFacebook

LoginToFacebook

facebooklogin

facebooklogin

facebooklogin script missing from scripts.txt

facebooklogin script missing from scripts.txt

LoginToFacebook executed. Exit code is %s

LoginToFacebook executed. Exit code is %s

GOTO found MARK: %s at index =%d

GOTO found MARK: %s at index =%d

GOTO invalid MARK: %s

GOTO invalid MARK: %s

ORGURL

ORGURL

ExecMD5

ExecMD5

MD5=%s

MD5=%s

DATEDIFF=%s

DATEDIFF=%s

ExecRTMP_SetPlayPath

ExecRTMP_SetPlayPath

RTMP_PLAYPATH=%s

RTMP_PLAYPATH=%s

ExecRTMP_SetSwfUrl

ExecRTMP_SetSwfUrl

Wrong RTMP_SWFURL statement.

Wrong RTMP_SWFURL statement.

RTMP_SWFURL=%s

RTMP_SWFURL=%s

ExecRTMP_SetPageUrl

ExecRTMP_SetPageUrl

Wrong RTMP_PAGEURL statement.

Wrong RTMP_PAGEURL statement.

RTMP_PAGEURL=%s

RTMP_PAGEURL=%s

GETREDIRECT = %s

GETREDIRECT = %s

DEC2HEX=%s

DEC2HEX=%s

INCREMENT=%s

INCREMENT=%s

GETFRAGS=%s

GETFRAGS=%s

GETFILEID = %s

GETFILEID = %s

GENSID = %s

GENSID = %s

GETPART = %s

GETPART = %s

FORMATFILEID = %s

FORMATFILEID = %s

Failed with err=%d to net.GetHeader(%s)

Failed with err=%d to net.GetHeader(%s)

Failed GetRecvHeaderValue(HTTP_CONTENT_TYPE)

Failed GetRecvHeaderValue(HTTP_CONTENT_TYPE)

Found extension be a %s.

Found extension be a %s.

Failed to GetHeaders with netw err code = %d.

Failed to GetHeaders with netw err code = %d.

Failed to GetRecvHeaderValue HTTP_CONTENT_LENGTH with netw err code = %d.

Failed to GetRecvHeaderValue HTTP_CONTENT_LENGTH with netw err code = %d.

Failed with ERANGE to _wtoi64(%s) = %d.

Failed with ERANGE to _wtoi64(%s) = %d.

Initial title=%s

Initial title=%s

Set sanitized title=%s

Set sanitized title=%s

Found ErrorFromScript=%s and NetworkError=%s

Found ErrorFromScript=%s and NetworkError=%s

PLAYLISTIDS = %s

PLAYLISTIDS = %s

Reset VIDURL, VIDNAME, EMPTY, ERRMSG, USERAGENT, ORGURL=%s

Reset VIDURL, VIDNAME, EMPTY, ERRMSG, USERAGENT, ORGURL=%s

Just SetEvent(%d)

Just SetEvent(%d)

librtmp.dll

librtmp.dll

%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe

%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe

hXXp://VVV.ytddownloader.com

hXXp://VVV.ytddownloader.com

Your license is already in use on a different computer.hXXp://VVV.youtubedownloadersite.com/reset_license.html

Your license is already in use on a different computer.hXXp://VVV.youtubedownloadersite.com/reset_license.html

Password:

Password:

Alternatively, visit hXXp://VVV.youtubedownloadersite.com to download the most recent version.

Alternatively, visit hXXp://VVV.youtubedownloadersite.com to download the most recent version.

%2.xxx= Output file (.xxx the format to convert!)

%2.xxx= Output file (.xxx the format to convert!)

Enter the URL of the video you want to download (e.g. hXXp://youtube.com/watch?v=f5Jz8...)

Enter the URL of the video you want to download (e.g. hXXp://youtube.com/watch?v=f5Jz8...)

Paste URL

Paste URL

D:\My Documents

D:\My Documents

00:00:00 / 00:00:00

00:00:00 / 00:00:00

00:00:00/00:00:00

00:00:00/00:00:00

4, 8, 9, 6

4, 8, 9, 6

ytd.exe

ytd.exe