SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 14e6e6fb83be47d5a41447c2e8584403
SHA1: 0d78275abd35c5435e1bd7596ee7aea36b899581
SHA256: 8113aa2634cd7f9a9fe4728728294f8ad9c537c5611575c9e0cf671d04f775ff
SSDeep: 1536:VQpQ5EP0ijnRTXJz68gkW RoeGd8yNkM/Dk22MpCOw78dfxkF:VQIURTXJz7Ozd8yNka7pCOjdKF
Size: 104760 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: GreenTree Applications SRL
Created at: 2009-12-06 00:50:46
Analyzed on: Windows7Ada SP1 64-bit
Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
SP.EXE:1680
%original file name%.exe:4048
BrowserExtensionsSetupUAC.exe:1848
YTDSetup.exe:1508
~spD451.tmp:2164
BEHelper.exe:1440
SearchProtectionStub.exe:1560
Au_.exe:3976
Au_.exe:3828
~spE38E.tmp:3172
uninstall.exe:1712
uninstall.exe:4024
exthelper.exe:676
The Malware injects its code into the following process(es):
ytd.exe:1492
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process SP.EXE:1680 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal (9778 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4C62WHO\favicon[1].ico (1150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (324 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\yandex_ff.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{38754113-2264-4057-B454-CF19832D9F10}.ico (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data (4388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\searchplugins\yandex.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\yandex_ie.xml (496 bytes)
The process %original file name%.exe:4048 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\inetca.dll (804 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC35.tmp (2290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\YTDSetup.exe (715970 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CZBXF8H\YTDSetup[1].exe (671764 bytes)
The process BrowserExtensionsSetupUAC.exe:1848 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}\chrome\content (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7} (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AC.tmp (12592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}\chrome\content (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\NSISCouponsPlugin.dll (18372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C} (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC} (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}\chrome\content (4 bytes)
The process YTDSetup.exe:1508 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\LICENSE (1 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Uninstall.exe (8318 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1050.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1049.ini (784 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\YTD Video Downloader.lnk (2 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll (3616 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1036.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\UserInfo.dll (8 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\librtmp.dll (60186 bytes)
C:\Users\Public\Desktop\YTD Video Downloader.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\SearchProtectionStub.exe (1828 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\System.dll (23 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll (19096 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\Web site.url (55 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1053.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1034.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1035.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1048.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1059.ini (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2074.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\exthelper.exe (1826 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EE.tmp (733038 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1031.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1055.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2070.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\FFMPEG.EXE (395158 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1043.ini (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NV3AJTKT\so[1].xml (7285 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2052.ini (12 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll (2392 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll (326900 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll (69435 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\scripts.yds (6360 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1030.ini (13 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\Uninstall.lnk (2 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1025.ini (15 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\manual.bat (57 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1038.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1044.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1040.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1032.ini (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1045.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1029.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv3 (7 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv2 (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1051.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res9999.ini (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISPluginW.dll (15982 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1061.ini (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\getCountry (2 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1060.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1052.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISHelper.dll (8801 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.Apachev2 (11 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe (51136 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1026.ini (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1033.ini (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\modern-header.bmp (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\nsDialogs.dll (21 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll (1552 bytes)
The process ~spD451.tmp:2164 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\SP.exe (33796 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\Uninstall.exe (15904 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF1A.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spE38E.tmp (1940 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF1A.tmp\SP.dll (33090 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF19.tmp (84143 bytes)
The process ytd.exe:1492 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\ProgramData\YTD Video Downloader\scripts0.yds (673 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\plugins.dat.1492 (1444 bytes)
C:\ProgramData\YTD Video Downloader\scripts0.20150129 (22548 bytes)
The process BEHelper.exe:1440 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\config.json (965 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome.manifest (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\redirects.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\savingsslider.xul (606 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\icon.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\icon.png (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\main.js (394 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\main.js (134 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\newtab.xul (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\saebay.js (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\spigot.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NV3AJTKT\update[1].xml (375 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\ebay.xul (569 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\main.js (374 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\spigot.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\prefs.txt (171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\spigot.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\main.xul (681 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome.manifest (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome.manifest (125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\prefs.txt (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\config.json (1235 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\icon.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\savingsslider.js (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\ebay.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\config.json (213 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\startpage.js (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\prefs.txt (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\install.rdf (1 bytes)
The process SearchProtectionStub.exe:1560 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskD3C4.tmp\SP.dll (33090 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spD451.tmp (1162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuD3B3.tmp (28806 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskD3C4.tmp\System.dll (23 bytes)
The process Au_.exe:3976 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57A.tmp (17495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\ping (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\BrowserExtensionsSetupUAC.exe (16750 bytes)
The process Au_.exe:3828 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw7A8D.tmp (27289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq7ABC.tmp\SP.dll (33090 bytes)
The process ~spE38E.tmp:3172 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Button.exe (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF7.tmp (64389 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\saebay.xpi (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\NSISCouponsPlugin.dll (18372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Uninstall.exe (17637 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\coupons.xpi (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons64.dll (13368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Button64.exe (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\ButtonWrap64.dll (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\ping (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\ButtonWrap.dll (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\BEHelper.exe (19640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\startpage.xpi (8 bytes)
The process uninstall.exe:1712 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb79C2.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe (3589 bytes)
The process uninstall.exe:4024 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsqB4ED.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe (3922 bytes)
The process exthelper.exe:676 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4C62WHO\extconfig[1].xml (3777 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scr68B1.tmp (15 bytes)
Registry activity
The process SP.EXE:1680 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{38754113-2264-4057-B454-CF19832D9F10}]
"FaviconURL" = "http://www.yandex.com/favicon.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{38754113-2264-4057-B454-CF19832D9F10}]
"DisplayName" = "ïýôõúÑÂ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "D6 EC 6C 28 2B 41 D0 01"
[HKCU\Software\AppDataLow\Software\Search Protection]
"ping_ts" = "1423130703"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKCU\Software\AppDataLow\Software\Search Protection]
"GCFailed" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "12 6D 3E 37 2B 41 D0 01"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{38754113-2264-4057-B454-CF19832D9F10}]
"URL" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{38754113-2264-4057-B454-CF19832D9F10}"
[HKCU\Software\Microsoft\Internet Explorer\User Preferences]
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977" = "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "1"
[HKCU\Software\Microsoft\Internet Explorer\ContinuousBrowsing]
"Enabled" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.yandex.ru/?clid=1782898"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"ShowSearchSuggestionsInAddressGlobal" = "1"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{38754113-2264-4057-B454-CF19832D9F10}]
"OSDFileURL" = "file:///C:/Users/adm/AppData/Local/Temp/yandex_ie.xml"
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{38754113-2264-4057-B454-CF19832D9F10}.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
"WpadDecision" = "0"
[HKCU\Software\AppDataLow\Software\Search Protection]
"FFFailed" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "12 6D 3E 37 2B 41 D0 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process %original file name%.exe:4048 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "55 81 2D 0C 2B 41 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "55 81 2D 0C 2B 41 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "55 81 2D 0C 2B 41 D0 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process BrowserExtensionsSetupUAC.exe:1848 makes changes in the system registry.
The Malware deletes the following registry key(s):
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{90E4CD0C-426F-4207-805B-7885AB32D43F}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CAE9BEC8-4723-4347-AFC6-25EE3326BA5B}]
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories]
The process YTDSetup.exe:1508 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"DisplayName" = "YTD Video Downloader 4.8.9"
"Publisher" = "GreenTree Applications SRL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Wow6432Node\{DAF8B7E5-449D-4180-8281-10E536E597F2}]
"(Default)" = "4.8.9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "55 81 2D 0C 2B 41 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"VersionMajor" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF" = "01 00 00 00 00 00 00 00 C2 9F 86 34 2B 41 D0 01"
[HKCU\Software\GreenTree Applications\YTD]
"ISN" = "F7DBCDBD737B449098794B4547AA6F06"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "AF C3 23 0E 2B 41 D0 01"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"DisplayVersion" = "4.8.9"
[HKLM\SOFTWARE\Wow6432Node\{DAF8B7E5-449D-4180-8281-10E536E597F2}]
"it" = "20150205120417"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"URLInfoAbout" = "http://www.ytddownloader.com"
"InstallDir" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\"
"VersionMinor" = "8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"MainApp" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe"
[HKCU\Software\GreenTree Applications\YTD]
"Language" = "1033"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\GreenTree Applications\YTD]
"(Default)" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"DisplayIcon" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe,0"
"UninstallString" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\uninstall.exe"
[HKCU\Software\GreenTree Applications\YTD]
"kitType" = "ytd"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"InstallLocation" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "AF C3 23 0E 2B 41 D0 01"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"NoModify" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process ~spD451.tmp:2164 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"VersionMajor" = "1"
[HKCU\Software\AppDataLow\Software\Search Protection]
"CCV" = "198"
"WS_FF_AB" = "http://yandex.ru/yandsearch?clid=1782899&text="
"WS_GC_IB" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"
"HP_IE" = "http://www.yandex.ru/?clid=1782898"
"WS_FF_IB" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"
"ISN" = "CCF69B272FE54EE58735A380676F1DE4"
"ChannelID" = "937811"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"NoRepair" = "1"
[HKCU\Software\AppDataLow\Software\Search Protection]
"HP_GC" = "http://www.yandex.ru/?clid=1782898"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\uninstall.exe"
[HKCU\Software\AppDataLow\Software\Search Protection]
"sdsprotection" = "1"
"InhibitGC" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"NoModify" = "1"
[HKCU\Software\AppDataLow\Software\Search Protection]
"app_ver" = "10.8.0.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"DisplayName" = "Search Protection"
[HKCU\Software\AppDataLow\Software\Search Protection]
"FCV" = "198"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"URLInfoAbout" = "http://www.spigot.com"
"VersionMinor" = "0"
"Publisher" = "Spigot, Inc."
[HKCU\Software\AppDataLow\Software\Search Protection]
"SPID" = "359"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"DisplayVersion" = "10.8.0.1"
[HKCU\Software\AppDataLow\Software\Search Protection]
"WS_IE_IB" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"InstallDir" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\"
"InstallLocation" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\"
[HKCU\Software\AppDataLow\Software\Search Protection]
"HP_FF" = "http://www.yandex.ru/?clid=1782898"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\SP.EXE,0"
[HKCU\Software\AppDataLow\Software\Search Protection]
"937811" = "1"
"WS_IE_AB" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"
To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Search Protection" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\SP.EXE /autostart"
The Malware disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SearchProtection"
The process ytd.exe:1492 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "AF C3 23 0E 2B 41 D0 01"
[HKCU\Software\{DAF8B7E5-449D-4180-8281-10E536E597F2}]
"lv" = "1423130669"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "40 F6 E5 22 2B 41 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\GreenTree Applications\YTD]
"NextCheckAutoUpdate" = "1423134269"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\{DAF8B7E5-449D-4180-8281-10E536E597F2}]
"CheckInterval" = "3600"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
"WpadDecision" = "0"
[HKCU\Software\GreenTree Applications\YTD]
"ConvertDirectory" = "C:\Users\"%CurrentUserName%"\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "40 F6 E5 22 2B 41 D0 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process BEHelper.exe:1440 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "CA BC 38 36 2B 41 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{54FBE89E-C878-46bb-A064-AB327EE26EBC}" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{62DD0A97-FDD4-421b-94A5-D1A9434450C7}" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4A 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{CA8C84C6-3918-41b1-BE77-049B2BDD887C}" = ""
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{f894a29a-f065-40c3-bb19-da6057778493}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{58d2a791-6199-482f-a9aa-9b725ec61362}"
"savingsslider@mybrowserbar.com"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{32da2f20-827d-40aa-a3b4-2fc4a294352e}"
"saebay@mybrowserbar.com"
"{46eddf51-a4f6-4476-8d6c-31c5187b2a2f}"
The process Au_.exe:3976 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Malware deletes the following registry key(s):
[HKCU\Software\AppDataLow\Software\Browser Extensions]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
The Malware disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Extensions"
"Slick Savings"
The process Au_.exe:3828 makes changes in the system registry.
The Malware deletes the following registry key(s):
[HKCU\Software\AppDataLow\Software\Search Protection]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
The Malware disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"
The process ~spE38E.tmp:3172 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"InstallLocation" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"AppName" = "Button.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"(Default)" = "Browser Extensions"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"VersionMinor" = "4"
"URLInfoAbout" = "http://www.spigot.com"
"NoRepair" = "1"
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"DisplayName" = "Browser Extensions"
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"
[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"cnid" = "937811"
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{CA8C84C6-3918-41b1-BE77-049B2BDD887C}" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\saebay.xpi|1|{cnid : 937811, cnid_overwrite : true}|saebay@mybrowserbar.com|{f894a29a-f065-40c3-bb19-da6057778493}"
[HKCU\Software\AppDataLow\Software\Browser Extensions]
"cnid" = "937811"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CAE9BEC8-4723-4347-AFC6-25EE3326BA5B}]
"Policy" = "3"
[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"iedns" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"AppName" = "Button64.exe"
"Policy" = "3"
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\BEHelper.exe,0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"NoExplorer" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"
[HKCU\Software\AppDataLow\Software\Browser Extensions]
"SS_Ver" = "2.6"
[HKCU\Software\Microsoft\Internet Explorer\Approved Extensions]
"{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}" = "51 66 7A 6C 4C 1D 3B 1B 5B C4 BA 28 E3 9E A9 03"
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"(Default)" = "Browser Extensions"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{90E4CD0C-426F-4207-805B-7885AB32D43F}]
"Policy" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"VersionMajor" = "1"
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{90E4CD0C-426F-4207-805B-7885AB32D43F}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"NoModify" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"(Default)" = "Browser Extensions"
[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"iecp" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CAE9BEC8-4723-4347-AFC6-25EE3326BA5B}]
"AppName" = "BEHelper.exe"
[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"ieeb" = "1"
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{54FBE89E-C878-46bb-A064-AB327EE26EBC}" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\coupons.xpi|1|{cnid : 937811, cnid_overwrite : true}|savingsslider@mybrowserbar.com|{46eddf51-a4f6-4476-8d6c-31c5187b2a2f}"
[HKCU\Software\AppDataLow\Software\Browser Extensions]
"ISN" = "E0BCB5085EA24F7699566D8CEBD03DB5"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"Publisher" = "Spigot, Inc."
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CAE9BEC8-4723-4347-AFC6-25EE3326BA5B}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"DisplayVersion" = "2.6"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"Policy" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\uninstall.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"AppName" = "Button64.exe"
[HKCU\Software\AppDataLow\Software\Browser Extensions]
"(Default)" = ""
[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"ISN" = "E0BCB5085EA24F7699566D8CEBD03DB5"
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons64.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"AppName" = "Button.exe"
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories]
"(Default)" = ""
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{62DD0A97-FDD4-421b-94A5-D1A9434450C7}" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\startpage.xpi|1|{dns : true, ntp :true, cnid : 937811, cnid_overwrite : true, dummy : true}|{58d2a791-6199-482f-a9aa-9b725ec61362}|{32da2f20-827d-40aa-a3b4-2fc4a294352e}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{90E4CD0C-426F-4207-805B-7885AB32D43F}]
"AppName" = "BEHelper.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"Policy" = "3"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"Policy" = "3"
[HKCU\Software\AppDataLow\Software\Browser Extensions]
"Src" = "install"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"NoExplorer" = "1"
"(Default)" = "Browser Extensions"
To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Extensions" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\BEHelper.exe"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Internet Explorer\Approved Extensions]
"{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}"
The process uninstall.exe:1712 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISPluginW.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe,"
The process uninstall.exe:4024 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISPluginW.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe,"
The process exthelper.exe:676 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "AF C3 23 0E 2B 41 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "75 6B 7C 23 2B 41 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "75 6B 7C 23 2B 41 D0 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
SP.EXE:1680
%original file name%.exe:4048
BrowserExtensionsSetupUAC.exe:1848
YTDSetup.exe:1508
~spD451.tmp:2164
BEHelper.exe:1440
SearchProtectionStub.exe:1560
Au_.exe:3976
Au_.exe:3828
~spE38E.tmp:3172
uninstall.exe:1712
uninstall.exe:4024
exthelper.exe:676
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Search Protection" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\SP.EXE /autostart"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Extensions" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\BEHelper.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: GreenTree Applications SRL
Product Name: YTD Video Downloader
Product Version: 4.8.6.3
Legal Copyright: (c) 2014 GreenTree Applications SRL. All rights reserved.
Legal Trademarks:
Original Filename: YTDStub.exe
Internal Name: YTDStubInstaller
File Version: 4.8.6.3
File Description: YTD Video Downloader stub
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
.ndata | 147456 | 45056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 192512 | 48912 | 49152 | 4.76321 | 571b2c67eb88f22b898e779f7a691ef9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | 23.43.139.27 |
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 87.245.202.16 |
hxxp://static.ak.facebook.com/connect/xd_arbiter/DU1Ia251o0y.js?version=41 | 87.245.202.42 |
hxxp://www.ytddownloader.com/images/upgrade-pro-btn.png | 5.79.67.100 |
hxxp://www.youtubedownloadersite.com/images/pixel.gif?action=install&point=start&cid=cb821f7c3eeccf6c312c56e821a0e91a&isn=F7DBCDBD737B449098794B4547AA6F06&kt=ytd | 95.211.187.90 |
hxxp://api.mybrowserbar.com/cgi/api.cgi/937811/CCF69B272FE54EE58735A380676F1DE4/vrst/20 | 174.36.215.20 |
hxxp://www.youtubedownloadersite.com/scripts/win/scripts-20150129.yds | 95.211.187.90 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?45d861ae400f132c | 87.245.202.35 |
hxxp://s7.addthis.com/static/r07/menu171.js | 185.31.17.184 |
hxxp://www.google-analytics.com/r/__utm.gif?utmwv=5.6.2&utms=1&utmn=1243149095&utmhn=www.ytddownloader.com&utmcs=windows-1252&utmsr=1683x901&utmvp=1683x804&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=YTD Video Converter&utmhid=380816574&utmr=-&utmp=/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0&utmht=1423130702591&utmac=UA-25210420-2&utmcc=__utma=135583929.141684822.1423130703.1423130703.1423130703.1;+__utmz=135583929.1423130703.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=2102772812&utmredir=1&utmu=qAAAAAAAAAAAAAAAAAAAAAAE~ | 173.194.113.206 |
hxxp://api-public.addthis.com/url/shares.json?url=http://www.ytddownloader.com/&callback=_ate.cbs.sc_httpwwwytddownloadercom0 | 23.235.43.130 |
hxxp://ocsp.omniroot.com/baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnpGo= | 93.184.220.20 |
hxxp://b.scorecardresearch.com/b?c1=7&c2=2000001&c3=1&rn=1hz14wz&c7=http://www.ytddownloader.com/thankyou.html&c8=YTD Video Converter&cv=1.7 | 87.245.202.32 |
hxxp://vassg141.ocsp.omniroot.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBS856ddZAq5lE7vDJmoUDW1u98SMAQU3WyAfLq1MhelhEFA8NIEZhMvqZACFGozgiJkrf5JafrJHx/pwJ6+De+O | 88.221.132.153 |
hxxp://www.youtubedownloadersite.com/api/rcsvc.php?kt=ytd | 95.211.187.90 |
hxxp://www.ytddownloader.com/js/main.js | 5.79.67.100 |
hxxp://s7.addthis.com/static/r07/sh186.html | 185.31.17.184 |
hxxp://download.mybrowserbar.com/kits/hlp/exthelper.exe | 174.36.215.20 |
hxxp://www.ytddownloader.com/images/header-bg.jpg | 5.79.67.100 |
clients3.google.com | 173.194.113.201 |
translate.googleapis.com | 64.233.165.95 |
chrome.google.com | 173.194.113.198 |
www.googleapis.com | 74.125.143.95 |
clients2.google.com | 173.194.113.198 |
sb-ssl.google.com | 173.194.113.195 |
www.google.com.ua | 173.194.113.223 |
dns.msftncsi.com | 131.107.255.255 |
clients4.google.com | 173.194.113.201 |
s-static.ak.facebook.com | 23.64.210.110 |
www.gstatic.com | 173.194.113.215 |
ssl.gstatic.com | 173.194.113.215 |
apis.google.com | 173.194.113.201 |
time.windows.com | 64.4.10.33 |
clients2.googleusercontent.com | 173.194.113.203 |
lh3.googleusercontent.com | 173.194.113.202 |
ieonline.microsoft.com | 204.79.197.200 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /images/pixel.gif?ct=ebd2&ies=3&eo=sgbe&cnid=937811&kt=ytd&isn=6D55661F1F404E278EE9A5E3F94B5F4B&tov=20&sbe=1&sds=1&shp=1 HTTP/1.1
Host: VVV.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:05:00 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 1093
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: image/gif
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?77e52b9fc60a860d HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 12 Sep 2014 18:47:05 GMT
If-None-Match: "805a83f2b9cecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 23 Jan 2015 02:29:11 GMT
Accept-Ranges: bytes
ETag: "803565fb436d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 57591
Date: Thu, 05 Feb 2015 10:05:34 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 28 Jan 2015 06:05:55 GMT
Accept-Ranges: bytes
ETag: "75565c7ac03ad01:0"
Server: Microsoft-IIS/8.0
VTag: 791666644800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Thu, 05 Feb 2015 10:09:17 GMT
Connection: keep-alive
GET /update/wt/ie/coupons/update.xml?src=stub&cnid=937811 HTTP/1.1
User-Agent: SDS
Host: update.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Thu, 05 Feb 2015 10:05:02 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
177..<?xml version='1.0' encoding='UTF-8'?>.<cpupdate>. <libid>{40C6AC97-5316-4D22-BA61-3BF0D585FB22}</libid>. <url>hXXp://update.mybrowserbar.com/update/wt/ie/coupons/coupons_1.6.zip</url>. <ver>1.6</ver>. <setupurl>hXXp://update.mybrowserbar.com/update/wt/ie/coupons/BrowserExtensionsSetup.exe</setupurl>. <setupver>2.6</setupver>. <gc>1</gc>..</cpupdate>...0..
GET /images/ytd-logo.png HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: image/png
Content-Length: 34724
Last-Modified: Fri, 05 Oct 2012 14:07:53 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
GET /images/header-bg.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: image/jpeg
Content-Length: 123553
Last-Modified: Thu, 10 Oct 2013 14:08:34 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
GET /images/top-header-bg.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=135583929.141684822.1423130703.1423130703.1423130703.1; __utmb=135583929.1.10.1423130703; __utmc=135583929; __utmz=135583929.1423130703.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:02 GMT
Content-Type: image/jpeg
Content-Length: 2458
Last-Modified: Fri, 05 Oct 2012 14:07:53 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
GET /static/r07/menu171.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 22 Jan 2015 11:14:57 GMT
Content-Encoding: gzip
Cache-Control: public, no-check, max-age=86313600
Content-Type: text/javascript
Content-Length: 20323
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:02 GMT
Via: 1.1 varnish
Age: 1205260
Connection: keep-alive
X-Host: s7.addthis.com
X-Served-By: cache-fra1229-FRA
X-Cache: HIT
X-Cache-Hits: 785230
X-Timer: S1423130702.429801,VS0,VE0
Vary: Accept-Encoding
<<< skipped >>>
GET /ga.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.google-analytics.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 08:36:27 GMT
Expires: Thu, 05 Feb 2015 10:36:27 GMT
Last-Modified: Fri, 16 Jan 2015 00:55:08 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 16151
Age: 5314
Alternate-Protocol: 80:quic,p=0.02
Cache-Control: public, max-age=7200
<<< skipped >>>
GET /r/__utm.gif?utmwv=5.6.2&utms=1&utmn=1243149095&utmhn=VVV.ytddownloader.com&utmcs=windows-1252&utmsr=1683x901&utmvp=1683x804&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=YTD Video Converter&utmhid=380816574&utmr=-&utmp=/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0&utmht=1423130702591&utmac=UA-25210420-2&utmcc=__utma=135583929.141684822.1423130703.1423130703.1423130703.1;+__utmz=135583929.1423130703.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=2102772812&utmredir=1&utmu=qAAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.google-analytics.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Thu, 05 Feb 2015 10:05:02 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
Alternate-Protocol: 80:quic,p=0.02
GET /b?c1=7&c2=2000001&c3=1&rn=1hz14wz&c7=http://VVV.ytddownloader.com/thankyou.html&c8=YTD Video Converter&cv=1.7 HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://s7.addthis.com/static/r07/sh186.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: b.scorecardresearch.com
DNT: 1
Connection: Keep-Alive
Cookie: UID=120c9bfd-194.221.64.106-1384780341; UIDR=1384780341
HTTP/1.1 204 No Content
Content-Length: 0
Date: Thu, 05 Feb 2015 10:05:02 GMT
Connection: keep-alive
Set-Cookie: UID=120c9bfd-194.221.64.106-1384780341; expires=Wed, 25-Jan-2017 10:05:02 GMT; path=/; domain=.scorecardresearch.com
Set-Cookie: UIDR=1423130702; expires=Wed, 25-Jan-2017 10:05:02 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
GET /getcountry.html HTTP/1.0
Host: VVV.youtubedownloadersite.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Feb 2015 10:03:53 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2
Connection: close
UA..
POST /api/rcsvc.php?kt=ytd HTTP/1.1
Accept-Encoding: gzip,deflate
User-Agent: Primeport
Host: VVV.youtubedownloadersite.com
Content-Length: 544
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Feb 2015 10:04:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET /scripts/win/scripts-20150129.yds HTTP/1.1
Accept-Encoding: gzip,deflate
User-Agent: Primeport
Host: VVV.youtubedownloadersite.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Feb 2015 10:04:28 GMT
Content-Type: application/octet-stream
Content-Length: 175248
Last-Modified: Fri, 30 Jan 2015 14:41:23 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
GET /cgi/extconfig.cgi?cnid=937811&ver=2.3&rsv=3.2&kt=ytd&ot=ytdsanth&bver=39.0.2171.95&dbrw=Internet Explorer&cid=c0322acd5e5d42f0b163c591ee6ff5b9 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.mybrowserbar.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:30 GMT
Server: Apache
Vary: Host
Keep-Alive: timeout=30, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
56e5..<?xml version="1.0"?>.<extensions>. <rsv>3.2</rsv>. <silent>true</silent>. <usepopup>true</usepopup>. <wait>true</wait>. <height>390</height>. <width>500</width>. <buttontext>Install from Chrome Web Store</buttontext>. <confirmbuttontext>Add</confirmbuttontext>. <captionwndtext>Add to Chrome</captionwndtext>. <screen><![CDATA[
<<< skipped >>>
POST /images/pixel.gif?kt=ytd&ot=ytdsanth&cnid=937811&sil=1&cid=c0322acd5e5d42f0b163c591ee6ff5b9&cekonfccladjgbdhpgobceahgjdcdbod=1&jloeihbcjbkgigodmcacomgfihpiaiip=1 HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml
User-Agent: WidgiToolbar
Host: VVV.mybrowserbar.com
Content-Length: 1408
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:55 GMT
Server: Apache
Vary: Host
Cache-Control: max-age=604800
Expires: Thu, 12 Feb 2015 10:04:55 GMT
Content-Length: 0
Keep-Alive: timeout=30, max=99
Connection: Keep-Alive
Content-Type: image/gif
GET /analytics.js HTTP/1.1
Host: VVV.google-analytics.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Referer: hXXp://VVV.mybrowserbar.com/gc/silent2.html?ot=ytdsanth&cnid=937811&kt=ytd&ext[]=cekonfccladjgbdhpgobceahgjdcdbod&ext[]=jloeihbcjbkgigodmcacomgfihpiaiip&ts=1423130670
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 08:22:16 GMT
Expires: Thu, 05 Feb 2015 10:22:16 GMT
Last-Modified: Fri, 16 Jan 2015 00:55:08 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 11479
Age: 6136
Alternate-Protocol: 80:quic,p=0.02
Cache-Control: public, max-age=7200
<<< skipped >>>
GET /live/red_lojson/300lo.json?6iew35&colc=1423130703205&si=54d3404edc48256c&uid=54d3404fe20ab507&pub=ytdcs&rev=15.1&jsl=33&ln=en&pc=men&vpc=&dp=VVV.ytddownloader.com&fp=thankyou.html&aa=0&of=0&uf=1&nt=cs;5,ce;5,dc;319,dclee;319,dcles;319,di;316,dl;311,dle;5,dls;5,fs;5,lee;u,les;319,ns;0,rs;310,rspe;314,rsps;311,scs;u&pd=0&irt=0&ct=1&tct=0&abt=0&lt=347&cdn=0&lnlc=US&whcs=1&tl=c=347,m=356,i=402,xm=733,xp=736&pi=1&&rb=0&gen=1000&gen=100&callback=_ate.track.hsr&uvs=54d3404eae96086b000&chr=windows-1252&md=0&vcl=0 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://s7.addthis.com/static/r07/sh186.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: m.addthis.com
DNT: 1
Connection: Keep-Alive
Cookie: uid=54d3404fe20ab507; uvc=1|5; uit=1
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:05:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Set-Cookie: di2=NJAMOF.UYM;Path=/;Domain=.addthis.com;Expires=Sat, 04-Feb-2017 10:05:03 GMT
Set-Cookie: bt=;Path=/;Domain=.addthis.com;Expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: dt=X;Path=/;Domain=.addthis.com;Expires=Sat, 07-Mar-2015 10:05:03 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Content-Type: application/javascript;charset=UTF-8
Content-Encoding: gzip
Connection: close
GET /images/pixel.gif?action=install&point=finish&cid=cb821f7c3eeccf6c312c56e821a0e91a&isn=F7DBCDBD737B449098794B4547AA6F06&kt=ytd HTTP/1.0
Host: VVV.youtubedownloadersite.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: text/html; charset=utf-8
Connection: close
GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.omniroot.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/ocsp-response
Date: Thu, 05 Feb 2015 10:06:06 GMT
Last-Modified: Thu, 29 Jan 2015 15:18:48 GMT
Server: ECS (frf/8799)
X-Cache: HIT
Content-Length: 1406
<<< skipped >>>
GET /js/250/addthis_widget.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 22 Jan 2015 19:52:12 GMT
ETag: "310041b-29c1-50d4302104bff"
Content-Encoding: gzip
Content-Type: text/javascript
Content-Length: 4161
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:01 GMT
Via: 1.1 varnish
Age: 571
Connection: keep-alive
X-Referer-Domain: hXXp://VVV.ytddownloader.com
X-Host: s7.addthis.com
X-Served-By: cache-fra1240-FRA
X-Cache: HIT
X-Cache-Hits: 34087
X-Timer: S1423130701.810289,VS0,VE0
Vary: Accept-Encoding
<<< skipped >>>
GET /static/r07/core181.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 22 Jan 2015 19:51:58 GMT
Content-Encoding: gzip
Cache-Control: public, no-check, max-age=86313600
Content-Type: text/javascript
Content-Length: 75057
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:01 GMT
Via: 1.1 varnish
Age: 1174324
Connection: keep-alive
X-Host: s7.addthis.com
X-Served-By: cache-fra1240-FRA
X-Cache: HIT
X-Cache-Hits: 63641282
X-Timer: S1423130701.982167,VS0,VE0
Vary: Accept-Encoding
<<< skipped >>>
GET /static/r07/widget/css/widget010.old.css HTTP/1.1
Accept: text/css
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 22 Jan 2015 11:14:15 GMT
Content-Encoding: gzip
Cache-Control: public, no-check, max-age=86313600
Content-Type: text/css
Content-Length: 16960
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:02 GMT
Via: 1.1 varnish
Age: 1205337
Connection: keep-alive
X-Host: s7.addthis.com
X-Served-By: cache-fra1240-FRA
X-Cache: HIT
X-Cache-Hits: 64094798
X-Timer: S1423130702.331959,VS0,VE0
Vary: Accept-Encoding
<<< skipped >>>
GET /static/r07/sh186.html HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 22 Jan 2015 11:14:02 GMT
Content-Encoding: gzip
Cache-Control: public, no-check, max-age=86313600
P3P: CP="NON ADM OUR DEV IND COM STA"
Content-Type: text/html; charset=UTF-8
Content-Length: 22035
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:02 GMT
Via: 1.1 varnish
Age: 1205337
Connection: keep-alive
X-Host: s7.addthis.com
X-Served-By: cache-fra1240-FRA
X-Cache: HIT
X-Cache-Hits: 65415257
X-Timer: S1423130702.391832,VS0,VE0
Vary: Accept-Encoding
<<< skipped >>>
GET /static/r07/widget/img/widget010.old.32.top.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
Cookie: uid=54d3404fe20ab507; uvc=1|5; uit=1
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 22 Jan 2015 11:15:10 GMT
Cache-Control: public, no-check, max-age=86313600
Content-Type: image/png
Content-Length: 4769
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:02 GMT
Via: 1.1 varnish
Age: 1205210
Connection: keep-alive
X-Host: s7.addthis.com
X-Served-By: cache-fra1240-FRA
X-Cache: HIT
X-Cache-Hits: 15406581
X-Timer: S1423130702.766587,VS0,VE0
<<< skipped >>>
GET /kits/ytd/YTDSetup.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: download.ytddownloader.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:03:51 GMT
Content-Type: application/octet-stream
Content-Length: 11127472
Last-Modified: Wed, 14 Jan 2015 15:21:11 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
GET /MFUwUzBRME8wTTAJBgUrDgMCGgUABBS856ddZAq5lE7vDJmoUDW1u98SMAQU3WyAfLq1MhelhEFA8NIEZhMvqZACFGozgiJkrf5JafrJHx/pwJ6+De+O HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: vassg141.ocsp.omniroot.com
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 1765
Last-Modified: Thu, 05 Feb 2015 10:00:43 GMT
ETag: "8e644f2ffdb4851fac4f1eaf5eac8ffd9b9f390d"
Cache-Control: public, no-transform, must-revalidate, max-age=339752
Expires: Mon, 09 Feb 2015 08:27:36 GMT
Date: Thu, 05 Feb 2015 10:05:04 GMT
Connection: keep-alive
<<< skipped >>>
GET /kits/sds/update.xml HTTP/1.1
User-Agent: SDS
Host: VVV.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:58 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
b9
<?xml version='1.0' encoding='UTF-8'?>
<SearchProtection>
 <updatecheck path='hXXp://webupdate.mybrowserbar.com/kits/sds/SearchProtectionSetup.exe' ccv='198' />
 </SearchProtection>
0
GET /connect/xd_arbiter/DU1Ia251o0y.js?version=41 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: static.ak.facebook.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Content-Encoding: gzip
X-FB-Debug: zGxUGTr28XP7LnfwC2GGF OIn6bjOuos9aNngxqem9Pi37XxlKarvu0z350i8DLG2VlRRxBUVhfLuq5OHNeTcA==
Vary: Accept-Encoding
Content-Length: 9955
Cache-Control: public, max-age=30775202
Expires: Wed, 27 Jan 2016 14:45:04 GMT
Date: Thu, 05 Feb 2015 10:05:02 GMT
Connection: keep-alive
<<< skipped >>>
GET /update/wt/ie/coupons/BrowserExtensionsSetup.exe HTTP/1.1
User-Agent: SDS
Host: update.mybrowserbar.com
Accept: */*
<<< skipped >>>
GET /ajax/libs/jquery/1.9.1/jquery.min.js HTTP/1.1
Host: ajax.googleapis.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
X-Client-Data: CIS2yQEIpLbJAQiptskBCMG2yQEInobKAQjxiMoB
Referer: hXXp://VVV.mybrowserbar.com/gc/silent2.html?ot=ytdsanth&cnid=937811&kt=ytd&ext[]=cekonfccladjgbdhpgobceahgjdcdbod&ext[]=jloeihbcjbkgigodmcacomgfihpiaiip&ts=1423130670
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Fri, 08 Feb 2013 15:35:10 GMT
Date: Wed, 04 Feb 2015 11:37:07 GMT
Expires: Thu, 04 Feb 2016 11:37:07 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 32819
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 80844
Alternate-Protocol: 80:quic,p=0.02
<<< skipped >>>
GET /kits/sds/SearchProtectionStub.exe HTTP/1.1
Host: download.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:56 GMT
Server: Apache
Last-Modified: Mon, 19 Jan 2015 14:12:15 GMT
Accept-Ranges: bytes
Content-Length: 532232
Content-Type: application/x-msdos-program
<<< skipped >>>
GET /live/t00/mu.gif?a=sc&r=1&err=1 HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: m.addthisedge.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 204 No Content
Date: Thu, 05 Feb 2015 10:05:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Connection: close
GET /cgi/nta/config.cgi/9d357cad646259e5aec21e92440c2512/937811/1.5/nthgc HTTP/1.1
Host: VVV.mybrowserbar.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: _ga=GA1.2.1138944218.1423130672
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:50 GMT
Server: Apache
Vary: Host
Keep-Alive: timeout=30, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
ce..<?xml version="1.0" encoding="UTF-8"?>.<dea>. <url>hXXps://search.yahoo.com/search?fr=spigot-nt-gc&ei=utf-8&ilc=12&type=937811&p={searchTerms}</url>. <vulcun_offer>0</vulcun_offer>.</dea>...0..
GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.msocsp.com
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:06:06 GMT
Content-Type: application/ocsp-response
Content-Length: 1757
Connection: keep-alive
Set-Cookie: __cfduid=daa641d14fedb9c0747aed2e3ae47fdce1423130766; expires=Fri, 05-Feb-16 10:06:06 GMT; path=/; domain=.msocsp.com; HttpOnly
Last-Modified: Mon, 02 Feb 2015 23:13:04 GMT
Expires: Fri, 06 Feb 2015 23:13:04 GMT
ETag: "32dc2dc5ade4e5867c219925d83ebab0609e8b04"
Cache-Control: max-age=345599,public,no-transform,must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 1b3e4b1d1a680bff-AMS
<<< skipped >>>
GET /en_US/all.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: connect.facebook.net
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
ETag: "e7a53c95dea3821e936847030459760f"
Content-Type: application/x-javascript; charset=utf-8
Timing-Allow-Origin: *
Vary: Accept-Encoding
Content-Encoding: gzip
Content-MD5: OwvuCluN9SXnDHn1UJMFUA==
X-FB-Debug: U5mvkYE3qNXtolM8JJLDfrzyq1VZrnmJHuKfvIo0V4MhGfXMfIIfgOr2ifF8QS9gRdHcm/2 DMPXFyFDBmEH5A==
Content-Length: 52552
Cache-Control: public, max-age=1200
Expires: Thu, 05 Feb 2015 10:25:02 GMT
Date: Thu, 05 Feb 2015 10:05:02 GMT
Connection: keep-alive
<<< skipped >>>
POST /cgi/api.cgi/937811/CCF69B272FE54EE58735A380676F1DE4/vrst/20 HTTP/1.1
User-Agent: WidgiToolbar-198-937811
Host: api.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 623
Content-Type: application/x-www-form-urlencoded
<drq><auth><ccv>198</ccv><cnid>937811</cnid><isn>CCF69B272FE54EE58735A380676F1DE4</isn><ct>20</ct><dlid>1033</dlid><lngid>1033</lngid><wv>6.1</wv><brw><ie>10.0.9200.16521</ie><ff>29.0.1</ff><gc>39.0.2171.95</gc><dbrw>Internet Explorer</dbrw></brw></auth>
<vrst><isn>CCF69B272FE54EE58735A380676F1DE4</isn><cnid>937811</cnid><code_ver>198</code_ver><type>install</type><ct>20</ct><src>12</src><cid>c0322acd5e5d42f0b163c591ee6ff5b9</cid><cmdline>"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spD451.tmp" /fpd /cnid 937811 /runbe /iebf=15 /ffbf=15 /noeh /dsie /dsff /dsgc /register /seprotect /hp /wait /ntp_ie /S</cmdline></vrst></drq>
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:05:01 GMT
Server: Apache
Pragma: no-cache
Cache-control: no-cache
Transfer-Encoding: chunked
Content-Type: text/html
Expires: Thu, 05 Feb 2015 10:05:01 GMT
2b..<drp><auth>. <scv>198</scv>.</auth>.</drp>..0..
GET /images/pixel.gif?action=install&point=start&cid=cb821f7c3eeccf6c312c56e821a0e91a&isn=F7DBCDBD737B449098794B4547AA6F06&kt=ytd HTTP/1.0
Host: VVV.youtubedownloadersite.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Feb 2015 10:03:53 GMT
Content-Type: text/html; charset=utf-8
Connection: close
GET /cgi-bin/CRL/2018/cdp.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.public-trust.com
HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 04 Feb 2015 20:30:01 GMT
ETag: "200c0-420-50e490d42fd35"
Accept-Ranges: bytes
Content-Type: application/x-pkcs7-crl
Connection: Keep-Alive
Date: Thu, 05 Feb 2015 10:06:43 GMT
Content-Length: 1056
<<< skipped >>>
GET /static/r07/plugins/counter020.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 05 Aug 2014 18:10:35 GMT
Content-Encoding: gzip
Cache-Control: public, no-check, max-age=86313600
Content-Type: text/javascript
Content-Length: 3552
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:02 GMT
Via: 1.1 varnish
Age: 15058791
Connection: keep-alive
X-Host: s7.addthis.com
X-Served-By: cache-fra1243-FRA
X-Cache: HIT
X-Cache-Hits: 11063027
X-Timer: S1423130702.450932,VS0,VE0
Vary: Host,Accept-Encoding
<<< skipped >>>
GET /images/pixel.gif?isn=E0BCB5085EA24F7699566D8CEBD03DB5&ver=2.6&cnid=937811&ct=bekit&event=install HTTP/1.0
Host: VVV.mybrowserbar.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:05:05 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 1093
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: image/gif
POST /cgi/api.cgi/937811/CCF69B272FE54EE58735A380676F1DE4/vloc/20 HTTP/1.1
User-Agent: WidgiToolbar-198-937811
Host: api.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 486
Content-Type: application/x-www-form-urlencoded
<drq><auth><ccv>198</ccv><fcv>198</fcv><cnid>937811</cnid><tbcnid></tbcnid><isn>CCF69B272FE54EE58735A380676F1DE4</isn><ct>20</ct><dlid>1033</dlid><lngid>1033</lngid><wv>6.1</wv><brw><ie>10.0.9200.16521</ie><ff>29.0.1</ff><gc>39.0.2171.95</gc><dbrw>Internet Explorer</dbrw></brw></auth>
<vloc><type>install</type><key>1</key><key>3</key><key>2</key><key>4</key><key>5</key><key>6</key><key>7</key><key>8</key><key>9</key><key>10</key><key>11</key><key>14</key><key>15</key></vloc></drq>
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:05:01 GMT
Server: Apache
Pragma: no-cache
Cache-control: no-cache
Transfer-Encoding: chunked
Content-Type: text/html
Expires: Thu, 05 Feb 2015 10:05:01 GMT
453..<drp><auth>. <scv>198</scv>.</auth>.<vloc>. <li>. <key>1</key>. <value>hXXp://yandex.ru/yandsearch?clid=1782899&text={searchTerms}</value>. </li>. <li>. <key>3</key>. <value>hXXp://yandex.ru/yandsearch?clid=1782899&text={searchTerms}</value>. </li>. <li>. <key>2</key>. <value>hXXp://yandex.ru/yandsearch?clid=1782899&text={searchTerms}</value>. </li>. <li>. <key>4</key>. <value>hXXp://yandex.ru/yandsearch?clid=1782899&text=</value>. </li>. <li>. <key>5</key>. <value>hXXp://yandex.ru/yandsearch?clid=1782899&text={searchTerms}</value>. </li>. <li>. <key>6</key>. <value>hXXp://VVV.yandex.ru/?clid=1782898</value>. </li>. <li>. <key>7</key>. <value>hXXp://VVV.yandex.ru/?clid=1782898</value>. </li>. <li>. <key>8</key>. <value>hXXp://VVV.yandex.ru/?clid=1782898</value>. </li>. <li>. <key>9</key>. <value>359</value>. </li>. <li>. <key>10</key>. <value>undef</value>. </li>. <li>. <key>11</key>. <value>937811</value>. </li>. <li>. <key>14</key>. <value>tru
<<< skipped >>>
GET /update/wt/ie/coupons/update.xml?cnid=937811 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: update.mybrowserbar.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Thu, 05 Feb 2015 10:05:05 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
177..<?xml version='1.0' encoding='UTF-8'?>.<cpupdate>. <libid>{40C6AC97-5316-4D22-BA61-3BF0D585FB22}</libid>. <url>hXXp://update.mybrowserbar.com/update/wt/ie/coupons/coupons_1.6.zip</url>. <ver>1.6</ver>. <setupurl>hXXp://update.mybrowserbar.com/update/wt/ie/coupons/BrowserExtensionsSetup.exe</setupurl>. <setupver>2.6</setupver>. <gc>1</gc>..</cpupdate>...0..
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.yandex.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:05:03 GMT
Content-Type: image/x-icon
Last-Modified: Wed, 04 Feb 2015 14:33:16 GMT
ETag: "54d22dac-47e"
Accept-Ranges: bytes
Content-Length: 1150
<<< skipped >>>
GET /kits/EasyBundlingDLL/937811/so.xml?kt=ytd&rsv=3 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.mybrowserbar.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:03:54 GMT
Server: Apache
Vary: Host
Keep-Alive: timeout=30, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
bd80..<?xml version="1.0" encoding="UTF-8"?>.<so>..<rsv>3</rsv>. ....<o>....<n>sgbe</n>....<nos>&tov=20&sbe=0&sds=0&shp=0</nos>....<rk />....<c>....<![CDATA[..<!DOCTYPE html>..<html>...<head>....<meta http-equiv="MSThemeCompatible" content="yes" />....<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">....<script>.....window.onerror = function() { return true; }.....function regularLinkClick() {......window.event.returnValue = false;......external.OpenLink(window.event.srcElement.href);.....}.....var strTOV = '20';.....var setupURL = 'hXXp://download.mybrowserbar.com/kits/sds/SearchProtectionStub.exe';.....var cmdBE = " /runbe /iebf=15 /ffbf=15 /noeh";.....var cmdDS = " /dsie /dsff /dsgc /register /seprotect";.....var cmdHP = " /hp /wait /ntp_ie";.....var ehURL = "hXXp://download.mybrowserbar.com/kits/hlp/exthelper.exe";.....var ehCmd = "";.....function UpdateCommandLine().....{......var cmdLineParams = "";......var statsParams = "";......if (document.getElementById("express").checked) {.......statsParams = "&sbe=1&sds=1&shp=1";.......cmdLineParams = cmdLineParams + cmdBE;.......cmdLineParams = cmdLineParams + cmdDS;.......cmdLineParams = cmdLineParams + cmdHP;.......ehCmd = "/ot ytdsanth";......}......else {.......statsParams = (document.getElementById("cbBE").checked ? "&sbe=1" : "&sbe=2");.......statsParams = statsParams + (document.getElementById("cbDS").checked ? "&sds
<<< skipped >>>
GET /images/pixel.gif?isn=E0BCB5085EA24F7699566D8CEBD03DB5&ver=2.6&cnid=937811&ct=bekit&event=uninstall HTTP/1.0
Host: VVV.mybrowserbar.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:08:06 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 1093
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: image/gif
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=442940, public, no-transform, must-revalidate
Last-Modified: Tue, 3 Feb 2015 13:06:37 GMT
Expires: Tue, 10 Feb 2015 13:06:37 GMT
Date: Thu, 05 Feb 2015 10:09:13 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=485119, public, no-transform, must-revalidate
Last-Modified: Wed, 4 Feb 2015 00:53:58 GMT
Expires: Wed, 11 Feb 2015 00:53:58 GMT
Date: Thu, 05 Feb 2015 10:09:13 GMT
Connection: keep-alive
<<< skipped >>>
GET /kits/sds/update.xml HTTP/1.1
User-Agent: SDS
Host: update.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
HTTP/1.1 301 Moved Permanently
Server: nginx/0.7.65
Date: Thu, 05 Feb 2015 10:04:58 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: hXXp://VVV.mybrowserbar.com/kits/sds/update.xml
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/0.7.65</center>..</body>..</html>..
GET /kits/hlp/exthelper.exe HTTP/1.1
Host: download.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:28 GMT
Server: Apache
Last-Modified: Mon, 02 Feb 2015 15:52:02 GMT
Accept-Ranges: bytes
Content-Length: 488416
Content-Type: application/x-msdos-program
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?45d861ae400f132c HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT
If-None-Match: "0b2464b1797cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
ETag: "0b2464b1797cf1:0"
Cache-Control: max-age=86400
Date: Thu, 05 Feb 2015 10:05:03 GMT
Connection: keep-alive
GET /thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.6-1ubuntu1.8
Content-Encoding: gzip
<<< skipped >>>
GET /js/main.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: application/x-javascript
Content-Length: 1272
Last-Modified: Fri, 08 Nov 2013 13:22:51 GMT
Connection: keep-alive
Accept-Ranges: bytes
$(document).ready(function() {. //setting os..$(".os-redirect").click(function(){...setCookie('user_os', $(this).attr("os"), 1,'/');..});....$(".dropdown img.flag").addClass("flagvisibility");.. $(".dropdown dt a").click(function() {. $(".dropdown dd div").toggle();. });. . $(".dropdown dd ul li a").click(function() {. var text = $(this).html();. $(".dropdown dt a span").html(text);. $(".dropdown dd div").hide();... });. . $(document).bind('click', function(e) {. var $clicked = $(e.target);. if (! $clicked.parents().hasClass("dropdown")). $(".dropdown dd div").hide();. });...//setting locale...$(".langselector, #language-bar a").click(function(){...setCookie('ytd_locale', $(this).attr("hreflang"), 1,'/');..});....change_auto_renew();.});..function setCookie(c_name,value,exdays, path).{..var exdate=new Date();..exdate.setDate(exdate.getDate() + exdays);..var c_value=escape(value) + ((exdays==null) ? "" : "; expires=" + exdate.toUTCString()) + ((path) ? "; path=" + path : "") ;..document.cookie=c_name + "=" + c_value;..}.function change_auto_renew() {. $("input[name=src]").each(function() {. $(this).val($(this).val() == 0 ? 1 : 0 );. });.}....
GET /styles.css HTTP/1.1
Accept: text/css
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: text/css
Content-Length: 17587
Last-Modified: Thu, 27 Nov 2014 15:47:33 GMT
Connection: keep-alive
Accept-Ranges: bytes
/* hXXp://meyerweb.com/eric/tools/css/reset/ . v2.0 | 20110126. License: none (public domain).*/..html, body, div, span, applet, object, iframe,.h1, h2, h3, h4, h5, h6, p, blockquote, pre,.a, abbr, acronym, address, big, cite, code,.del, dfn, em, img, ins, kbd, q, s, samp,.small, strike, strong, sub, sup, tt, var,.b, u, i, center,.dl, dt, dd, ol, ul, li,.fieldset, form, label, legend,.table, caption, tbody, tfoot, thead, tr, th, td,.article, aside, canvas, details, embed, .figure, figcaption, footer, header, hgroup, .menu, nav, output, ruby, section, summary,.time, mark, audio, video {..margin: 0;..padding: 0;..border: 0;..font-size: 100%;..font: inherit;..font-size:13px;..line-height:18px;..vertical-align: baseline;..font-family:Tahoma, Arial, Helvetica, sans-serifl.}./* HTML5 display-role reset for older browsers */.article, aside, details, figcaption, figure, .footer, header, hgroup, menu, nav, section {..display: block;.}.body {..line-height: 1;.}.ol, ul {..list-style: none;.}.blockquote, q {..quotes: none;.}.blockquote:before, blockquote:after,.q:before, q:after {..content: '';..content: none;.}.table {..border-collapse: collapse;..border-spacing: 0;.}..clearfix:after {..content: ".";..display: block;..clear: both;..visibility: hidden;..line-height: 0;..height: 0;.}. ..clearfix {..display: inline-block;.}. .html[xmlns] .clearfix {..display: block;.}. .* html .clearfix {..height: 1%;.}.a:link, a:visited, a:hover, a:active {color:#2c4b00; text-decoration:underline;}.h1 {font-size:24px; margin-bottom:8px;
<<< skipped >>>
GET /images/header-bg-repeat.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: image/jpeg
Content-Length: 1497
Last-Modified: Fri, 05 Oct 2012 14:07:53 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
GET /images/upgrade-pro-btn.png HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=135583929.141684822.1423130703.1423130703.1423130703.1; __utmb=135583929.1.10.1423130703; __utmc=135583929; __utmz=135583929.1423130703.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:02 GMT
Content-Type: image/png
Content-Length: 13813
Last-Modified: Thu, 24 Oct 2013 10:30:42 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
POST /cgi/api.cgi/937811/CCF69B272FE54EE58735A380676F1DE4/vrst/20 HTTP/1.1
User-Agent: WidgiToolbar-198-937811
Host: api.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 469
Content-Type: application/x-www-form-urlencoded
<drq><auth><ccv>198</ccv><cnid>937811</cnid><isn>CCF69B272FE54EE58735A380676F1DE4</isn><ct>20</ct><dlid>1033</dlid><lngid>1033</lngid><wv>6.1</wv><brw><ie>10.0.9200.16521</ie><ff>29.0.1</ff><gc>39.0.2171.95</gc><dbrw>Internet Explorer</dbrw></brw></auth>
<vrst><isn>CCF69B272FE54EE58735A380676F1DE4</isn><cnid>937811</cnid><code_ver>198</code_ver><type>uninstall</type><ct>20</ct><src>12</src><cid>c0322acd5e5d42f0b163c591ee6ff5b9</cid><cmdline></cmdline></vrst></drq>
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:07:51 GMT
Server: Apache
Pragma: no-cache
Cache-control: no-cache
Transfer-Encoding: chunked
Content-Type: text/html
Expires: Thu, 05 Feb 2015 10:07:51 GMT
2b..<drp><auth>. <scv>198</scv>.</auth>.</drp>..0..
GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnpGo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.omniroot.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/ocsp-response
Date: Thu, 05 Feb 2015 10:05:03 GMT
Last-Modified: Thu, 29 Jan 2015 15:18:40 GMT
Server: ECS (frf/87D3)
X-Cache: HIT
Content-Length: 1406
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=591067, public, no-transform, must-revalidate
Last-Modified: Thu, 5 Feb 2015 06:19:11 GMT
Expires: Thu, 12 Feb 2015 06:19:11 GMT
Date: Thu, 05 Feb 2015 10:09:18 GMT
Connection: keep-alive
<<< skipped >>>
GET /images/pixel.gif?src=stub&kt=ytd&event=run&exit=0 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.ytddownloader.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.6-1ubuntu1.8
10..File not found....0..
GET /url/shares.json?url=http://VVV.ytddownloader.com/&callback=_ate.cbs.sc_httpwwwytddownloadercom0 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: api-public.addthis.com
DNT: 1
Connection: Keep-Alive
Cookie: uid=54d3404fe20ab507; uvc=1|5; uit=1
HTTP/1.1 200 OK
Cache-Control: no-cache, no-transform, must-revalidate, s-maxage=3600
Last-Modified: Thu, 05 Feb 2015 09:12:51 GMT
Content-Type: application/json
Content-Encoding: gzip
Via: 1.1 varnish
Content-Length: 76
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:02 GMT
Via: 1.1 varnish
Age: 3131
Connection: keep-alive
X-Served-By: cache-ams4126-AMS
X-Cache: HIT
X-Cache-Hits: 29
X-Timer: S1423130702.921343565,VS0,VE0
GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.omniroot.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/ocsp-response
Date: Thu, 05 Feb 2015 10:06:06 GMT
Last-Modified: Thu, 29 Jan 2015 15:18:48 GMT
Server: ECS (frf/8799)
X-Cache: HIT
Content-Length: 1406
<<< skipped >>>
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT
If-None-Match: "a2f3ff97eeecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT
Accept-Ranges: bytes
ETag: "88c4768d3f2ad01:0"
Server: Microsoft-IIS/8.0
VTag: 791450244700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=798
Date: Thu, 05 Feb 2015 10:05:34 GMT
Connection: keep-alive
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT
If-None-Match: "3e1c83923e1cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT
Accept-Ranges: bytes
ETag: "d2e35dc7e31cd01:0"
Server: Microsoft-IIS/8.0
VTag: 27948442200000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Thu, 05 Feb 2015 10:05:34 GMT
Connection: keep-alive
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT
If-None-Match: "58cddbea90dfcf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT
Accept-Ranges: bytes
ETag: "9a9a44d511bd01:0"
Server: Microsoft-IIS/8.0
VTag: 279252244600000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Thu, 05 Feb 2015 10:05:34 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.msocsp.com
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:06:06 GMT
Content-Type: application/ocsp-response
Content-Length: 1757
Connection: keep-alive
Set-Cookie: __cfduid=df754fea60b97687e095e41842ddd612e1423130766; expires=Fri, 05-Feb-16 10:06:06 GMT; path=/; domain=.msocsp.com; HttpOnly
Last-Modified: Mon, 02 Feb 2015 23:13:04 GMT
Expires: Fri, 06 Feb 2015 23:13:04 GMT
ETag: "32dc2dc5ade4e5867c219925d83ebab0609e8b04"
Cache-Control: max-age=345599,public,no-transform,must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 1b3e4b1d5ecf0cad-AMS
<<< skipped >>>
GET /ajax/libs/jquery/1.9.1/jquery.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: ajax.googleapis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Fri, 08 Feb 2013 15:35:10 GMT
Date: Wed, 04 Feb 2015 07:00:55 GMT
Expires: Thu, 04 Feb 2016 07:00:55 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 32819
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 97446
Alternate-Protocol: 80:quic,p=0.02
<<< skipped >>>
GET /kits/sds/SearchProtectionSetup.exe HTTP/1.1
User-Agent: SDS
Host: webupdate.mybrowserbar.com
Accept: */*
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Thu, 05 Feb 2015 10:04:58 GMT
Content-Type: application/octet-stream
Content-Length: 1558376
Last-Modified: Mon, 19 Jan 2015 14:12:15 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
GET /static/r07/plugins/counter015.css HTTP/1.1
Accept: text/css
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 05 Aug 2014 12:38:26 GMT
Content-Encoding: gzip
Cache-Control: public, no-check, max-age=86313600
Content-Type: text/css
Content-Length: 2690
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:02 GMT
Via: 1.1 varnish
Age: 15157266
Connection: keep-alive
X-Host: s7.addthis.com
X-Served-By: cache-fra1233-FRA
X-Cache: HIT
X-Cache-Hits: 13052002
X-Timer: S1423130702.450722,VS0,VE0
Vary: Host,Accept-Encoding
<<< skipped >>>
GET /gc/silent2.html?ot=ytdsanth&cnid=937811&kt=ytd&ext[]=cekonfccladjgbdhpgobceahgjdcdbod&ext[]=jloeihbcjbkgigodmcacomgfihpiaiip&ts=1423130670 HTTP/1.1
Host: VVV.mybrowserbar.com
Connection: keep-alive
Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:31 GMT
Server: Apache
Vary: Host
Last-Modified: Mon, 12 Jan 2015 12:49:37 GMT
Accept-Ranges: bytes
Content-Length: 2543
Keep-Alive: timeout=30, max=100
Connection: Keep-Alive
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd" />.<html>.<head>. <meta name="google" value="notranslate" />. <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />. <meta http-equiv="Pragma" content="no-cache" />. <meta http-equiv="Expires" content="0" />. <title>Extensions Installation</title>..<link rel="chrome-webstore-item" href="hXXps://chrome.google.com/webstore/detail/pfndaklgolladniicklehhancnlgocpp">..<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>.<script>. (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){. (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),. m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m). })(window,document,'script','//VVV.google-analytics.com/analytics.js','ga');. . ga('create', 'UA-49853190-2', 'mybrowserbar.com');..</script>.</head>..<body>.<div id="extensions">.....<button href="#" id="close">close offer</button>..</div>...<script language="javascript">.$( document ).ready(function() {..var extensions = getURLParam('ext[]');..if (extensions !== null) {. for (var i=extensions.length-1; i>=0; i--) {. var e = extensions[i];. var item_html = $.parseHTML('<div id="offer_' e '" class="offer" ><div class="a
<<< skipped >>>
GET /favicon.ico HTTP/1.1
Host: VVV.mybrowserbar.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: _ga=GA1.2.1138944218.1423130672
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:32 GMT
Server: Apache
Vary: Host,User-Agent
Last-Modified: Wed, 21 Oct 2009 21:42:22 GMT
Accept-Ranges: bytes
Content-Length: 9062
Cache-Control: max-age=604800
Expires: Thu, 12 Feb 2015 10:04:32 GMT
Keep-Alive: timeout=30, max=99
Connection: Keep-Alive
Content-Type: image/x-icon
<<< skipped >>>
GET /images/pixel.gif?isn=d78a223d20363802cfbd313af6e664df&ver=1.2&cnid=937811&ct=shagc&event=install HTTP/1.1
Host: VVV.mybrowserbar.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: _ga=GA1.2.1138944218.1423130672
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:49 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 1093
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=30, max=98
Connection: Keep-Alive
Content-Type: image/gif
GET /cgi/coupons.cgi/d78a223d20363802cfbd313af6e664df/937811/1.2/shagc?rsv=2 HTTP/1.1
Host: VVV.mybrowserbar.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: _ga=GA1.2.1138944218.1423130672
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:49 GMT
Server: Apache
Vary: Host
Keep-Alive: timeout=30, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
12c..<?xml version="1.0" encoding="UTF-8"?>.<cp>. <rsv>2</rsv>. <insecure>. <url>hXXp://i.sgbfjs.info/sgbf/javascript.js?hid=40&channel=GC</url>. </insecure>. <secure>. <url>hXXps://i_sgbfjs_info.tlscdn.com/sgbf/javascript.js?hid=40&channel=GC</url> . </secure>.</cp>...0..
GET /images/pixel.gif?isn=9d357cad646259e5aec21e92440c2512&ver=1.5&cnid=937811&ct=nthgc&event=install HTTP/1.1
Host: VVV.mybrowserbar.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: _ga=GA1.2.1138944218.1423130672
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:50 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 1093
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=30, max=96
Connection: Keep-Alive
Content-Type: image/gif
<<< skipped >>>
Map
The Malware connects to the servers at the following location(s):
Strings from Dumps
ytd.exe_1492:
.text
`.rdata
@.data
.rsrc
@.reloc
kernel32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
()$^.* ?[]|\-{},:=!
RegDeleteKeyExW
invalid _N_type: %d
RTMP_ParseURL
%s://%.*s:%d/%.*s
d:\Autobuild\CleanSVN\ytd\branches\Win\YTD_4.8.9\Application3.0\Release\YouTubeDownloader.pdb
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
InternetCrackUrlW
WININET.dll
UxTheme.dll
WS2_32.dll
IPHLPAPI.DLL
GdiplusShutdown
GdipSetPenLineJoin
gdiplus.dll
PSAPI.DLL
libvlc_video_set_key_input
CreatePipe
CreateNamedPipeW
ConnectNamedPipe
DisconnectNamedPipe
WaitNamedPipeW
SetNamedPipeHandleState
GetProcessHeap
KERNEL32.dll
GetKeyState
SetWindowsHookExW
UnhookWindowsHookEx
CreateDialogIndirectParamW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
MSIMG32.dll
GetCPInfo
GetConsoleOutputCP
libvlc.dll
.?AV?$_IDispEventLocator@$00$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$00VBrowserEvents@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventImpl@$00VBrowserEvents@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B$1?LIBID_SHDocVw@@3U3@B$00$00VCComTypeInfoHolder@ATL@@@ATL@@
.?AV?$CWinDataExchange@VRequestLoginDlg@@@WTL@@
.?AV?$CDialogImpl@VRequestLoginDlg@@VCWindow@ATL@@@ATL@@
.?AVRequestLoginDlg@@
.?AUIWebNotifier@@
.?AV?$CWinDataExchange@VWebBrowserDlg@@@WTL@@
.?AV?$CAxDialogImpl@VWebBrowserDlg@@VCWindow@ATL@@@ATL@@
.?AVWebBrowserDlg@@
mscoree.dll
KERNEL32.DLL
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
Global\{861C592B-5428-471f-8082-A5FFB5B93894}
Advapi32.dll
hXXp://ffmpeg.org/
hXXp://VVV.gnu.org/licenses/lgpl.html
hXXp://VVV.ytddownloader.com/src/ffmpeg-20130206.zip
hXXp://lame.sourceforge.net/
hXXp://VVV.gnu.org/licenses/old-licenses/lgpl-2.0.html
hXXp://VVV.ytddownloader.com/src/lame-3.99.5.zip
hXXp://opencore-amr.sourceforge.net/
hXXp://VVV.apache.org/licenses/LICENSE-2.0
hXXp://VVV.ytddownloader.com/src/opencore-amr-0.1.3.zip
hXXp://rtmpdump.mplayerhq.hu/librtmp.3.html
hXXp://VVV.ytddownloader.com/src/librtmp-2.3.zip
hXXp://VVV.openssl.org/
hXXp://VVV.ytddownloader.com/src/openssl-1.0.0d.zip
hXXp://VVV.openssl.org/source/license.html
hXXp://VVV.ytddownloader.com/
hXXps://VVV.videolan.org/
hXXp://VVV.gnu.org/licenses/lgpl-2.1.html
hXXp://VVV.ytddownloader.com/src/vlc-2.1.0-20130926.zip
dlg.about.lbl.version
dlg.about.title
dlg.about.btn.ok
dlg.about.lbl.gpls
dlg.about.lbl.copy
OnKeyUpFromEdit VK_ESCAPE
OnKeyUpFromEdit VK_RETURN
OnKeyUpFromEdit VK_A VK_CONTROL
grid.column.name.video
grid.column.name.progress
grid.column.name.speed
grid.column.name.status
grid.column.name.eta
grid.column.name.filesize
dlg.download.lbl.esttimeh
%1m %2s
dlg.download.lbl.esttimem
dlg.download.lbl.esttimes
dlg.download.lbl.speedmb
dlg.download.lbl.speedkb
grid.item.filesizemb
grid.item.state.queued
grid.item.state.downloading
grid.item.state.converting
grid.item.state.canceled
grid.item.state.paused
grid.item.state.retry
grid.item.state.completed
grid.item.state.failed
OnKeyUp VK_A VK_CONTROL
OnKeyUp VK_F2
=%%
comctl32.dll
shell32.dll
dlg.checkupd.lbl.speed
dlg.checkupd.lbl.eta
ytd_installer.exe
dlg.checkupd.lbl.anewer
dlg.checkupd.lbl.clickon
dlg.checkupd.lbl.alternatively
dlg.checkupd.lbl.whatsnew
dlg.checkupd.title
dlg.checkupd.btn.installnow
dlg.checkupd.btn.remind
dlg.checkupd.lbl.dwnldstatus.completed
dlg.ckeckupd.msgbx.runningitems
dlg.checkupd.lbl.dwnldstatus.started
dlg.checkupd.btn.tryagain
dlg.checkupd.lbl.dwnldstatus.failed
dlg.checkupd.lbl.dwnldstatus.failed.inst
hXXp://VVV.youtubedownloadersite.com/help.html
ffmpeg -i %1 -strict -2 -vf scale=420:-1 -r 14 -b:v 50k -ar 44100 -ab 56k -ac 1 %2.mp4
dlg.manconv.title
dlg.manconv.lbl.input.file
dlg.manconv.lbl.vid.size
dlg.manconv.lbl.vid.frame
dlg.manconv.lbl.vid.rate
dlg.manconv.lbl.aud.sample
dlg.manconv.lbl.aud.rate
dlg.manconv.lbl.aud.chanel
dlg.manconv.lbl.output.file
dlg.manconv.lbl.improve.qlty
dlg.manconv.lbl.warn.cell
dlg.btn.ok
dlg.btn.cancel
dlg.btn.help
uxtheme.dll
https
testname .com.bat.exe.dll
SelfTestSitesUrls.txt
Site is not supported
tab.name.download
tab.name.convert
tab.name.activity
tab.name.play
dlg.main.btn.help
dlg.main.btn.upgrade
dlg.main.lbl.link.menu
menu.item.help.faq
menu.item.help.sup.sites
menu.item.help.checkupdates
menu.item.help.about
menu.item.help.registration
menu.item.help.transfer
menu.item.help.license.txt
menu.item.help.privacy.txt
menu.item.help.language
hXXp://VVV.ytddownloader.com/faq.html
hXXp://VVV.ytddownloader.com/video_sites.html
hXXp://VVV.youtubedownloadersite.com/license_agreement.txt
hXXp://VVV.youtubedownloadersite.com/privacy_policy.txt
hXXps://VVV.facebook.com/sharer/sharer.php?app_id=113869198637480&sdk=joey&u=http://ytddownloader.com/&ref=plugin
Got a click with ID=%s
hXXp://VVV.ytddownloader.com/contact_us.html
hXXp://VVV.facebook.com/YTDYouTubeDownloaderConverter
hXXp://VVV.youtubedownloadersite.com/review-submission.html
Added %d languages toi the interface.
dlg.checkupd.msgbx.runningitems
dwNextAutoupdate=%d dwCrtTime=%d
csComm.CheckForUpdate() returned=%d
config.GetNextCheckAutoUpdate() returned=%d
DisplayCheckForUpdatesMsg
msg.manual.check.updscript
msg.manual.check.upd
TransferYourLicense
transferlic.firstmsg
PipeMessage
addurl
OnTransferLicenseMsg
Your license key was reset. You can now use key %1% on another computer.
transferlic.secondmsg
OnRegistrationMsg
register.success
dlg.register.error.invalid
hXXp://VVV.youtubedownloadersite.com/reset_license.html
dlg.register.error.inuse
dlg.register.link.help
dlg.register.error.again
dlg.register.error.free
dlg.register.error.buy
dlg.register.error.title
hXXp://VVV.youtubedownloadersite.com/premium.html?ft=0
dlg.register.error.commerr
OnBrowserLogin
Please login
dlg.about.lbl.licensekey
dlg.register.lbl.expiration
dlg.register.invalid.lic
dlg.register.lbl.please
dlg.register.syslink
dlg.register.btn.cancel
dlg.register.btn.register
dlg.register.title
YouTube Login
dlg.login.title.yt
dlg.login.lbl.yt
Facebook Login
dlg.login.title.fb
dlg.login.lbl.fb
dlg.login.lbl.username
dlg.login.lbl.pwd
tab.activity.btn.play.tooltip
tab.activity.btn.pause.tooltip
tab.activity.btn.stop.tooltip
tab.activity.btn.clear.tooltip
tab.activity.btn.browse.tooltip
tab.activity.btn.pro
grid.menu.item.playytd
grid.menu.item.play
grid.menu.item.delete
grid.menu.item.deletefile
grid.menu.item.stop
grid.menu.item.pause
grid.menu.item.rename
grid.menu.item.open
explorer.exe
grid.menu.item.msgbox
user32.dll
tab.convert.url.gopro
dlg.main.combo.convrt.ipad
dlg.main.combo.convrt.ipod
dlg.main.combo.convrt.iphone
dlg.main.combo.convrt.psp
dlg.main.combo.convrt.cell
Windows Media Video (V.7 WMV)
dlg.main.combo.convrt.wmv
dlg.main.combo.convrt.xvid
dlg.main.combo.convrt.mpeg
dlg.main.combo.convrt.manual
dlg.main.combo.convrtquality.high
dlg.main.combo.convrtquality.opt
dlg.main.combo.convrtquality.med
dlg.main.combo.convrtquality.low
dlg.main.combo.convrtquality.same
dlg.main.btn.convert
dlg.main.lbl.edit.slct.file
dlg.main.lbl.combo.convert.to
dlg.main.tab.convrt.cut
dlg.main.tab.convrt.start
dlg.main.tab.convrt.end
dlg.main.tab.convrt.advanced
dlg.main.tab.convrt.videovol
dlg.main.tab.convrt.replace
dlg.main.tab.convrt.sameasdwnld
dlg.main.tab.convrt.quality
dlg.main.lbl.saveto
dlg.main.check.del.orgconv.file
dlg.main.lbl.gopro
00:00:00
tab.convert.msg.invalid.cut.time
msg.select.file
msg.notexist.download.dir
Failed to CreateFullPathFolder(%s)
grid.item.name.default
tab.convert.dlg.open
All Video Files (*.flv;*.mp4;*.mov;*.avi;*.vmw;*.m4v;*.3gp)
*.flv;*.mp4;*.mov;*.avi;*.vmw;*.m4v;*.3gp
All Files (*.*)
Avi Files (*.avi)
*.avi
Flv Files (*.flv)
*.flv
Mov Files (*.mov)
*.mov
Mp4 Files (*.mp4)
*.mp4
Wmv Files (*.wmv)
*.wmv
msg.choose.convert.dir
For multiple URLs go PRO!
dlg.main.btn.browse
dlg.main.btn.download
dlg.main.btn.paste
dlg.main.lbl.edit.url2.dwnld
dlg.main.lbl.dwnl.qlty
dlg.main.check.autoconvert.to
dlg.main.combo.dwnl.best
dlg.main.combo.dwnl.fullhd
dlg.main.combo.dwnl.hd
dlg.main.combo.dwnl.standard
dlg.main.combo.dwnl.mediumflv
dlg.main.combo.dwnl.mediummp4
dlg.main.combo.dwnl.low
dlg.main.combo.dwnl.verylow
Enter video URL!
msg.err.enter.url
Please check a list of streaming sites here: hXXp://VVV.ytddownloader.com/video_sites.html.
msg.err.unsuport.site
msg.download.playlist
One or more URLs are full channels. The videos in the channel will be downloaded one at a time. Depending on the size of the videos, this could take a long time.
msg.download.channel
msg.choose.download.dir
hXXp://
hXXps://
Failed to Open(HKEY_CURRENT_USER, %s)
tab.play.combo.view.mru.dirs
tab.play.files.list
tab.play.choose.dir
player.btn.play
player.btn.previous
player.btn.next
player.btn.fullscreen
player.btn.mute
player.btn.closefullscreen
Visit our website
player.btn.logo
m_lastAction=%s oldMediaState=%s mediaState=%s, m_bPlayBtnState=%d, m_bFullScreen=%d, m_ulDurationMs=%d, m_nTrackerPos=%d, m_bMute=%d, m_nVolumePos=%d.
m_vlcEngine.PlayFile(m_strFileToPlay=%s) m_ulDurationMs=%d).
Going to play file=%s.
Going to resume play file and after play file=%s.
TogglePlayPause to m_bPlayBtnState=%d.
*.mp3
*.fid
.tmp.
OnKeyUpFromEdit
player.btn.unmute
player.btn.pause
OnKeyDownFromPlayer
Shell.Explorer
(%d).
grid.item.state.failCodes.threading
grid.item.state.failCodes.rtmperror
grid.item.state.failCodes.sizeerror
grid.item.state.failCodes.ioerror
grid.item.state.failCodes.httpcode
grid.item.state.failCodes.invalidurl
grid.item.state.failCodes.servererror
grid.item.state.failCodes.noconection
grid.item.state.failCodes.unknown
4.8.9
Lang\res%1.ini
Software\{DAF8B7E5-449D-4180-8281-10E536E597F2}\
c:\TempForSelfTest
scripts.yds
scripts%d.yds
savedItems.ysi
ext = %s
append = %s
outputTempFile = %s : outputFile = %s
GetCmdLine
CmdLine = %s
Returned %s
Returned size.cx=%d, size.cy=%d
Returned original size cx=%d, cy=%d
Returned size cx=%d, cy=%d
Returning %s
-vf scale=%d:-1
-q:v %d
-ar %d
-ac %d
-vol %d
SetOutputFile(%s)
SetTempFilename(%s)
Will call SuspendThread(%d)
Failed to WriteFile(q). err=%d.
quit for ffmpeg.exe process manual=%d bFail=%d.
TerminateProcess(%d)
Failed to PreparePipes().
PreparePipes
Failed to CreatePipe(StdOut). err=%d.
Failed to SetHandleInformation() err=%d.
Failed to CreatePipe(StdIn). err=%d.
Exiting with m_hStdOutRead=%d, m_hStdOutWrite=%d, m_hStdInRead=%d, m_hStdInWrite=%d
Failed to CreateProcess(%s).
Success, CreateProcess(%s)
\manual.bat "
Failed to GetExitCodeProcess(%d) with err=%d
Failed to WaitForSingleObject(%d) on ffmpeg.exe handle. It may crashed!
Failed to FileUtils::DeleteFile(%s)
Failure, file %s do not exists
Failed to RenameTempToFinalName() from %s to %s
Failed to ::DeleteFile(%s)
Will try to ResumeThread(%d).
Failed to ResumeThread(%d).
Failure, you shouldn't call this since status is %d and m_processInfo.hThread=%d
Start WaitForSingleObject on ffmpeg.exe process handle.
Start looping on ffmpeg.exe process console output.
%s %d Stop detected. m_hStdOutRead=%d m_bAppClosing=%d m_bStop=%d.
%s %d Failed to ReadFile(m_hStdOutRead=%d). m_bStop=%d m_bAppClosing=%d
%s %d ReadFile(m_hStdOutRead=%d) returned zero bytes. m_bStop=%d m_bAppClosing=%d
%s %d Output of ::ReadFile(from std out) is: %s
Try to set max progress using: %s
Current time=%s
Success m_bStop=%d.
advapi32.dll
Primeport
GetSync(strRequestURL=%s, parResponse=%d) returned %d
strRequestURL=%s, strFilePath=%s, bStop=%d
GetSync(strRequestURL=%s, bStop=%d) returned %d
strRequestURL=%s, bStop=%d, parResponse=%d, bSaveToFile=%d
Status code: %s
Received header: %s
Received header: %s
Send header: %s
Send header: %s
IsHTTPStatusOK
IsHTTPStatusOK
IsHTTPStatusRedirect
IsHTTPStatusRedirect
Failed to InternetSetOption(NULL, INTERNET_OPTION_MAX_CONNS_PER_SERVER, 64) last error = %d
Failed to InternetSetOption(NULL, INTERNET_OPTION_MAX_CONNS_PER_SERVER, 64) last error = %d
Failed to InternetSetOption(NULL, INTERNET_OPTION_MAX_CONNS_PER_1_0_SERVER, 64) last error = %d
Failed to InternetSetOption(NULL, INTERNET_OPTION_MAX_CONNS_PER_1_0_SERVER, 64) last error = %d
Failed to InternetSetOption(NULL, INTERNET_OPTION_CONNECT_RETRIES, 4) last error = %d
Failed to InternetSetOption(NULL, INTERNET_OPTION_CONNECT_RETRIES, 4) last error = %d
GetLastError() = %d
GetLastError() = %d
HTTP/1.1
HTTP/1.1
::HttpOpenRequest() did worked.
::HttpOpenRequest() did worked.
SerializeHeader = %s
SerializeHeader = %s
::HttpSendRequest(GET) returned=%d.
::HttpSendRequest(GET) returned=%d.
::HttpSendRequest(POST) returned=%d. Posted data=%s
::HttpSendRequest(POST) returned=%d. Posted data=%s
strRequestURL=%s, bStop=%d, pINotifier=%d, pStatisticsNotify=%d, bSaveToFile=%d
strRequestURL=%s, bStop=%d, pINotifier=%d, pStatisticsNotify=%d, bSaveToFile=%d
strRequestURL=%s, strVerb=%s, bAutoRedirect=%d
strRequestURL=%s, strVerb=%s, bAutoRedirect=%d
this->InternetOpen(bStop=%d) returned error=%s
this->InternetOpen(bStop=%d) returned error=%s
this->SendRequest(strRequestURL=%s, strVerb=%s, bStop=%d) returned hInternetGETRequest=%x and error=%s
this->SendRequest(strRequestURL=%s, strVerb=%s, bStop=%d) returned hInternetGETRequest=%x and error=%s
this->IsHTTPStatusOK(hInternetGETRequest=%x) returned false
this->IsHTTPStatusOK(hInternetGETRequest=%x) returned false
strRequestURL=%s
strRequestURL=%s
this->InternetOpen(bStop=%d) returned err=%s;
this->InternetOpen(bStop=%d) returned err=%s;
this->AddSendHeaderValue(%s, %s))
this->AddSendHeaderValue(%s, %s))
AddSendHeaderValue(HTTP_RANGE, %s))
AddSendHeaderValue(HTTP_RANGE, %s))
this->SendRequest(strRequestURL, %s, %d) returned err=%s;
this->SendRequest(strRequestURL, %s, %d) returned err=%s;
GetStatusCode = %s
GetStatusCode = %s
Using ranges. strContentLength = %s ulRespStart=%lld, ulRespEnd=%lld
Using ranges. strContentLength = %s ulRespStart=%lld, ulRespEnd=%lld
GetStartEndFromHeaders(strRange=%s, ulRespStart=%lld, ulRespEnd=%lld) but we asked for %lld -> %lld
GetStartEndFromHeaders(strRange=%s, ulRespStart=%lld, ulRespEnd=%lld) but we asked for %lld -> %lld
Not using ranges. strContentLength = %s
Not using ranges. strContentLength = %s
InternetReadFileEx Failed last error = %d. ulTotalBytesToRead=%lld ulFileOffset=%lld ulStartOffset=%lld
InternetReadFileEx Failed last error = %d. ulTotalBytesToRead=%lld ulFileOffset=%lld ulStartOffset=%lld
youtube.com
youtube.com
hXXp://VVV.youtube.com/watch?
hXXp://VVV.youtube.com/watch?
hXXps://VVV.youtube.com/watch?
hXXps://VVV.youtube.com/watch?
hXXp://VVV.youtube.com/watch_popup?
hXXp://VVV.youtube.com/watch_popup?
hXXps://VVV.youtube.com/watch_popup?
hXXps://VVV.youtube.com/watch_popup?
hXXp://VVV.youtube.com/embed/
hXXp://VVV.youtube.com/embed/
hXXps://VVV.youtube.com/embed/
hXXps://VVV.youtube.com/embed/
hXXp://VVV.youtube.com/watch?v=
hXXp://VVV.youtube.com/watch?v=
m_status=%s
m_status=%s
OldStatus=%s Status=%s Url=%s
OldStatus=%s Status=%s Url=%s
Wrong state %s for Run().
Wrong state %s for Run().
New state %d ? Should treat it.
New state %d ? Should treat it.
SubItems count=%d, Url=%s
SubItems count=%d, Url=%s
Sub item seems to be finished already, pMultiSubItem=%x m_ulStart=%lld is NOT LESS then m_ulEnd=%lld
Sub item seems to be finished already, pMultiSubItem=%x m_ulStart=%lld is NOT LESS then m_ulEnd=%lld
Failed to create AsyncDownload thread pSubItem=%x
Failed to create AsyncDownload thread pSubItem=%x
IsRunning()=%d spSubItem->AsyncResume()=%d pSubItem->m_hThread=%x
IsRunning()=%d spSubItem->AsyncResume()=%d pSubItem->m_hThread=%x
Sub item seems to be invalid or finished already pSubItem=%x
Sub item seems to be invalid or finished already pSubItem=%x
Yes master, oldState=%s and current state=%s
Yes master, oldState=%s and current state=%s
Failed to m_parser.Run() Url=%s
Failed to m_parser.Run() Url=%s
Failed to m_fileOutput.Create() Url=%s fileName=%s
Failed to m_fileOutput.Create() Url=%s fileName=%s
Failed to CrackUrl(VidUrl) Url=%s VidUrl=%s
Failed to CrackUrl(VidUrl) Url=%s VidUrl=%s
IsMultistream=%d OldStatus=%s Status=%s Url=%s
IsMultistream=%d OldStatus=%s Status=%s Url=%s
Failed to RunOneStreamThread(VidUrl) Url=%s VidUrl=%s
Failed to RunOneStreamThread(VidUrl) Url=%s VidUrl=%s
Failed to RunMultiStreamThreads(VidUrl) Url=%s VidUrl=%s
Failed to RunMultiStreamThreads(VidUrl) Url=%s VidUrl=%s
Failed to RTMP RunOneStreamThread(VidUrl) Url=%s VidUrl=%s
Failed to RTMP RunOneStreamThread(VidUrl) Url=%s VidUrl=%s
Failed to m_parser.Run() for Url=%s and err=%d. Will put it for retry.
Failed to m_parser.Run() for Url=%s and err=%d. Will put it for retry.
Closed %x thread at iteration=%d
Closed %x thread at iteration=%d
It's only directory so new temp file name generated to be %s.
It's only directory so new temp file name generated to be %s.
Failed to create temp file %s with hResult=%x lastError=%d
Failed to create temp file %s with hResult=%x lastError=%d
Succeeded to create/open temp file %s CREATE_ALWAYS=%d
Succeeded to create/open temp file %s CREATE_ALWAYS=%d
Failed to m_fileOutput.SetSize(pItem->m_ulFileSize=%lld)
Failed to m_fileOutput.SetSize(pItem->m_ulFileSize=%lld)
StartSubItemThread() Url=%s ulStart=%lld ulEnd=%lld
StartSubItemThread() Url=%s ulStart=%lld ulEnd=%lld
Failed to AddDownloadSubItem(of subItemType=%d) Url=%s
Failed to AddDownloadSubItem(of subItemType=%d) Url=%s
CreateThread(AsyncDownload) of subItemType=%d Url=%s
CreateThread(AsyncDownload) of subItemType=%d Url=%s
Failed to CreateThread(AsyncDonwload) Url=%s
Failed to CreateThread(AsyncDonwload) Url=%s
Url=%s err=%d
Url=%s err=%d
Failed to Run() subItem=%d.
Failed to Run() subItem=%d.
iteration=%d
iteration=%d
dwRuningSubItems=%d
dwRuningSubItems=%d
ERR_DNET_PARSING_INVALID_URL
ERR_DNET_PARSING_INVALID_URL
ERR_DNET_PARSING_HTTP_STATUS_NOK
ERR_DNET_PARSING_HTTP_STATUS_NOK
ERR_DLD_INVALID_URL
ERR_DLD_INVALID_URL
ERR_DNET_DLD_INVALID_URL
ERR_DNET_DLD_INVALID_URL
ERR_DNET_DLD_HTTP_STATUS_NOK
ERR_DNET_DLD_HTTP_STATUS_NOK
pSubItem->m_type=%d Old status=%s status=%s m_bSubItemStop=%d error=%s
pSubItem->m_type=%d Old status=%s status=%s m_bSubItemStop=%d error=%s
Multi stream sub item finished with error=%s HTTPstatus=%s.
Multi stream sub item finished with error=%s HTTPstatus=%s.
Failed with netw error=%d and HTTP status=%s.
Failed with netw error=%d and HTTP status=%s.
Exiting with result=%s.
Exiting with result=%s.
Net err=%s and HTTP status=%s m_ulStart=%lld m_ulEnd=%lld.
Net err=%s and HTTP status=%s m_ulStart=%lld m_ulEnd=%lld.
Exiting with result=%s m_ulStart=%lld, m_ulEnd=%lld, m_ulCurrentOffset=%lld.
Exiting with result=%s m_ulStart=%lld, m_ulEnd=%lld, m_ulCurrentOffset=%lld.
m_ulStart=%lld m_ulEnd=%lld m_hThread=%x.
m_ulStart=%lld m_ulEnd=%lld m_hThread=%x.
Finished DownloadToFile with error=%s.
Finished DownloadToFile with error=%s.
Rename tempFileName=%s TO fileName=%s
Rename tempFileName=%s TO fileName=%s
oldStatus=%s status=%s networkError=%s HTTPstatus=%s failedError=%s. Url=%s
oldStatus=%s status=%s networkError=%s HTTPstatus=%s failedError=%s. Url=%s
Post the item complete message to main dialog. Url=%s
Post the item complete message to main dialog. Url=%s
Try to delete the outputFile=%s fileExist=%d.
Try to delete the outputFile=%s fileExist=%d.
(%s).
(%s).
Found error nb=%s HTTPstatus=%s downloading Url=%s
Found error nb=%s HTTPstatus=%s downloading Url=%s
%s_part_d
%s_part_d
Running multi part for URL=%s
Running multi part for URL=%s
Page does not contain searched info. URL=%s
Page does not contain searched info. URL=%s
Failed to create new DownloadItem(%s).
Failed to create new DownloadItem(%s).
status = %s oldStatus = %s nb of downloads items =%d URL=%s
status = %s oldStatus = %s nb of downloads items =%d URL=%s
Failed to pMainItem->ParseParts(), failCode is=%d and HTTPstatus is=%s, customError=%s
Failed to pMainItem->ParseParts(), failCode is=%d and HTTPstatus is=%s, customError=%s
Failure, pMainItem->m_lstDownloads.GetCount() is zero.
Failure, pMainItem->m_lstDownloads.GetCount() is zero.
Failed to download video Url=%s, err =%d
Failed to download video Url=%s, err =%d
WaitForSingleObject failed, dwError = %d
WaitForSingleObject failed, dwError = %d
Ended waiting for %d
Ended waiting for %d
WriteTextToFile %s
WriteTextToFile %s
Entering to Pause current item = %x, URL=%s, m_status=%s
Entering to Pause current item = %x, URL=%s, m_status=%s
Paused current item = %x, URL=%s
Paused current item = %x, URL=%s
Will Stop Url=%s with m_pCurrentItem=%d m_lstDownloads.GetCount=%d m_status became %s
Will Stop Url=%s with m_pCurrentItem=%d m_lstDownloads.GetCount=%d m_status became %s
strEntireFileName=%s strPartsListFile=%s
strEntireFileName=%s strPartsListFile=%s
\ffmpeg.exe
\ffmpeg.exe
cmd /c
cmd /c
lang.name
lang.name
lang.id
lang.id
\Lang\*.ini
\Lang\*.ini
%s-%s.log
%s-%s.log
%H:%M:%S
%H:%M:%S
0xX~0xX~%s~%s~%s::%s()~
0xX~0xX~%s~%s~%s::%s()~
IDispatch error #%d
IDispatch error #%d
bRet=%d for FileUtils::RenameFile(%s, %s)
bRet=%d for FileUtils::RenameFile(%s, %s)
Failed to open .flv file
Failed to open .flv file
Failed to write .flv file
Failed to write .flv file
Failed to open file %s
Failed to open file %s
Failed to read from file %s
Failed to read from file %s
Failed to write %s file
Failed to write %s file
"%s" -f concat -i "%s" -c copy "%s"
"%s" -f concat -i "%s" -c copy "%s"
bRet=%d for SysUtils::ExecuteCommand(%s, INFINITE)
bRet=%d for SysUtils::ExecuteCommand(%s, INFINITE)
"%s" -i "%s" -i "%s" -vcodec copy -acodec copy "%s"
"%s" -i "%s" -i "%s" -vcodec copy -acodec copy "%s"
\\.\pipe\p{861C592B-5428-471f-8082-A5FFB5B93894}
\\.\pipe\p{861C592B-5428-471f-8082-A5FFB5B93894}
ERR_CRACK_URL_FAILED
ERR_CRACK_URL_FAILED
ERR_HTTP_STATUS_NOK
ERR_HTTP_STATUS_NOK
All files (*.*)
All files (*.*)
cmd /c icacls "%s" /grant BUILTINUsers:(F) /t /c
cmd /c icacls "%s" /grant BUILTINUsers:(F) /t /c
%d;
%d;
%d;
%d;
u00%x
u00%x
Initiating StopAllActivity() for %d items.
Initiating StopAllActivity() for %d items.
Next item=0x%x
Next item=0x%x
Remove from grid item=%x
Remove from grid item=%x
Stopping item=%x removed from grid
Stopping item=%x removed from grid
Just removed from active list item=%x
Just removed from active list item=%x
pNextQueued->Run(0x%x)
pNextQueued->Run(0x%x)
hXXp://VVV.youtubedownloadersite.com/api/rcsvc.php?kt=[regKT]
hXXp://VVV.youtubedownloadersite.com/api/rcsvc.php?kt=[regKT]
Windows
Windows
12F8B979-DFB5-4551-82CC-7A8D9254DE78
12F8B979-DFB5-4551-82CC-7A8D9254DE78
*.log
*.log
Failed to Init m_parser! Missing scripts0.yds??
Failed to Init m_parser! Missing scripts0.yds??
Failed to Load saved items from file %s.
Failed to Load saved items from file %s.
Will try to create item for %s
Will try to create item for %s
Failed to create new download item for %s!
Failed to create new download item for %s!
Failed to create new convert item for %s!
Failed to create new convert item for %s!
Output conversion directory does not exist %s.
Output conversion directory does not exist %s.
Nonexistent conversion input fileName %s.
Nonexistent conversion input fileName %s.
FilterUnsupportedSites
FilterUnsupportedSites
Empty URLs list.
Empty URLs list.
Localized resource file %s does not exist.
Localized resource file %s does not exist.
Failed to m_parser.Init.
Failed to m_parser.Init.
hXXp://VVV.youtubedownloadersite.com/premium.html?lngid=%1<=%2&isn=%3&av=%4&ft=%5
hXXp://VVV.youtubedownloadersite.com/premium.html?lngid=%1<=%2&isn=%3&av=%4&ft=%5
Successfully read the strFileName=%s
Successfully read the strFileName=%s
Wrong format of file! line=%s
Wrong format of file! line=%s
Successfully read the line=%s
Successfully read the line=%s
FileUtils::WriteTextToFile() failed with err=%d
FileUtils::WriteTextToFile() failed with err=%d
Second FileUtils::WriteTextToFile() failed with err=%d
Second FileUtils::WriteTextToFile() failed with err=%d
Successfully saved items into strFileName=%s
Successfully saved items into strFileName=%s
Failed, m_appCfg.GetNormalScriptPath()
Failed, m_appCfg.GetNormalScriptPath()
Failed to LoadScripts(%s)
Failed to LoadScripts(%s)
VIDURL
VIDURL
REQUESTLOGINWEB
REQUESTLOGINWEB
REQUESTLOGIN
REQUESTLOGIN
RTMP_SWFURL
RTMP_SWFURL
RTMP_PAGEURL
RTMP_PAGEURL
login
login
Empty keyword or var name found
Empty keyword or var name found
ISURLALIVE
ISURLALIVE
URLDCD
URLDCD
URLENC
URLENC
SiteParser::ExecuteStatement() Failed, exception caught.
SiteParser::ExecuteStatement() Failed, exception caught.
ExecVidUrl
ExecVidUrl
Wrong VIDURL statement, var name empty.
Wrong VIDURL statement, var name empty.
VIDURL=%s
VIDURL=%s
GETTITLE=%s
GETTITLE=%s
VIDNAME=%s
VIDNAME=%s
ExecIsURLAlive
ExecIsURLAlive
strURL=%s
strURL=%s
ISURLALIVE=FALSE err=%d
ISURLALIVE=FALSE err=%d
ISURLALIVE=TRUE
ISURLALIVE=TRUE
LENGTH(%s)=%s
LENGTH(%s)=%s
REVERSE(%s)=%s
REVERSE(%s)=%s
RUNJS(%s)=%s
RUNJS(%s)=%s
SetUserAgent(%s)
SetUserAgent(%s)
Failure, net.GetSync() return error=%s
Failure, net.GetSync() return error=%s
SUBSTR=%s
SUBSTR=%s
ADDSTR=%s
ADDSTR=%s
GetHtml=%s
GetHtml=%s
net.GetSync(%s) return error=%d
net.GetSync(%s) return error=%d
GETHTML2=%s
GETHTML2=%s
ExecUrlEncode
ExecUrlEncode
Wrong URLENC statement
Wrong URLENC statement
URLENCODE=%s
URLENCODE=%s
ExecUrlDecode
ExecUrlDecode
Wrong URLDCD statement
Wrong URLDCD statement
URLDCD=%s
URLDCD=%s
JSDCD=%s
JSDCD=%s
JSUDCD=%s
JSUDCD=%s
REPLACE=%s
REPLACE=%s
POST(%s, %s, %s)=%s
POST(%s, %s, %s)=%s
BINPOST(%s, %s, %s)=%s
BINPOST(%s, %s, %s)=%s
net.GetSync() return %s %d
net.GetSync() return %s %d
HEX=%s
HEX=%s
STRFROMARR=%s
STRFROMARR=%s
FINDSTR=%s
FINDSTR=%s
HTMLDECODE=%s
HTMLDECODE=%s
Using UserAgent=%s
Using UserAgent=%s
Failure, net.GetCookie() return error=%d
Failure, net.GetCookie() return error=%d
GETCOOKIE=%s
GETCOOKIE=%s
Failure, net.SetCookie() return error=%d
Failure, net.SetCookie() return error=%d
SETCOOKIE succeeded for site=%s cookieName=%s cookieVal=%s.
SETCOOKIE succeeded for site=%s cookieName=%s cookieVal=%s.
GETYOUTUBEQ=%s
GETYOUTUBEQ=%s
GetFormatYoutube found %s
GetFormatYoutube found %s
IF %s=%s %s %s=%s THEN
IF %s=%s %s %s=%s THEN
ExecRequestLoginWeb
ExecRequestLoginWeb
Wrong REQUESTLOGINWEB statement
Wrong REQUESTLOGINWEB statement
BrowserLoginClosed
BrowserLoginClosed
Failed to CreateEvent(BrowserLoginClosed)
Failed to CreateEvent(BrowserLoginClosed)
REQUESTLOGINWEB for %s executed successfully.
REQUESTLOGINWEB for %s executed successfully.
ExecRequestLogin
ExecRequestLogin
Wrong REQUESTLOGIN statement
Wrong REQUESTLOGIN statement
ERRMSG
ERRMSG
ERRMSGID
ERRMSGID
facebook.com
facebook.com
LoginToYoutube
LoginToYoutube
youtubelogin
youtubelogin
youtubelogin script missing from scripts.txt
youtubelogin script missing from scripts.txt
LoginToYoutube executed. Exit code is %s
LoginToYoutube executed. Exit code is %s
LoginToFacebook
LoginToFacebook
facebooklogin
facebooklogin
facebooklogin script missing from scripts.txt
facebooklogin script missing from scripts.txt
LoginToFacebook executed. Exit code is %s
LoginToFacebook executed. Exit code is %s
GOTO found MARK: %s at index =%d
GOTO found MARK: %s at index =%d
GOTO invalid MARK: %s
GOTO invalid MARK: %s
ORGURL
ORGURL
ExecMD5
ExecMD5
MD5=%s
MD5=%s
DATEDIFF=%s
DATEDIFF=%s
ExecRTMP_SetPlayPath
ExecRTMP_SetPlayPath
RTMP_PLAYPATH=%s
RTMP_PLAYPATH=%s
ExecRTMP_SetSwfUrl
ExecRTMP_SetSwfUrl
Wrong RTMP_SWFURL statement.
Wrong RTMP_SWFURL statement.
RTMP_SWFURL=%s
RTMP_SWFURL=%s
ExecRTMP_SetPageUrl
ExecRTMP_SetPageUrl
Wrong RTMP_PAGEURL statement.
Wrong RTMP_PAGEURL statement.
RTMP_PAGEURL=%s
RTMP_PAGEURL=%s
GETREDIRECT = %s
GETREDIRECT = %s
DEC2HEX=%s
DEC2HEX=%s
INCREMENT=%s
INCREMENT=%s
GETFRAGS=%s
GETFRAGS=%s
GETFILEID = %s
GETFILEID = %s
GENSID = %s
GENSID = %s
GETPART = %s
GETPART = %s
FORMATFILEID = %s
FORMATFILEID = %s
Failed with err=%d to net.GetHeader(%s)
Failed with err=%d to net.GetHeader(%s)
Failed GetRecvHeaderValue(HTTP_CONTENT_TYPE)
Failed GetRecvHeaderValue(HTTP_CONTENT_TYPE)
Found extension be a %s.
Found extension be a %s.
Failed to GetHeaders with netw err code = %d.
Failed to GetHeaders with netw err code = %d.
Failed to GetRecvHeaderValue HTTP_CONTENT_LENGTH with netw err code = %d.
Failed to GetRecvHeaderValue HTTP_CONTENT_LENGTH with netw err code = %d.
Failed with ERANGE to _wtoi64(%s) = %d.
Failed with ERANGE to _wtoi64(%s) = %d.
Initial title=%s
Initial title=%s
Set sanitized title=%s
Set sanitized title=%s
Found ErrorFromScript=%s and NetworkError=%s
Found ErrorFromScript=%s and NetworkError=%s
PLAYLISTIDS = %s
PLAYLISTIDS = %s
Reset VIDURL, VIDNAME, EMPTY, ERRMSG, USERAGENT, ORGURL=%s
Reset VIDURL, VIDNAME, EMPTY, ERRMSG, USERAGENT, ORGURL=%s
Just SetEvent(%d)
Just SetEvent(%d)
librtmp.dll
librtmp.dll
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe
Your license is already in use on a different computer.hXXp://VVV.youtubedownloadersite.com/reset_license.html
Your license is already in use on a different computer.hXXp://VVV.youtubedownloadersite.com/reset_license.html
Password:
Password:
Alternatively, visit hXXp://VVV.youtubedownloadersite.com to download the most recent version.
Alternatively, visit hXXp://VVV.youtubedownloadersite.com to download the most recent version.
%2.xxx= Output file (.xxx the format to convert!)
%2.xxx= Output file (.xxx the format to convert!)
Enter the URL of the video you want to download (e.g. hXXp://youtube.com/watch?v=f5Jz8...)
Enter the URL of the video you want to download (e.g. hXXp://youtube.com/watch?v=f5Jz8...)
Paste URL
Paste URL
D:\My Documents
D:\My Documents
00:00:00 / 00:00:00
00:00:00 / 00:00:00
00:00:00/00:00:00
00:00:00/00:00:00
4, 8, 9, 6
4, 8, 9, 6
ytd.exe
ytd.exe