Trojan.Win32.Swrort.3_7c98d6fcf8

by malwarelabrobot on September 8th, 2017 in Malware Descriptions.

not-a-virus:HEUR:AdWare.Win32.Shopper.gen (Kaspersky), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 7c98d6fcf82adc7b0cf14ca04d128655
SHA1: a54d61c89da4dc287a6ae07a4ce44a70ad67ee5a
SHA256: 17469887aea577e0e94d5b7120b8358b46e6bac3a18a8fa7bc2703e692b98321
SSDeep: 12288:ErTih8Cte2g5xnXqXi 5DaWdlta5yFbiAXT9NPjmC5W1CzdeCHpVwOudwlO517lv:ErTihW55qT35XTHh5WAsCJVwOWB
Size: 785328 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Goobzo
Created at: 2015-09-09 12:51:10
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3684
setup.exe:308
YTDownloaderFull.exe:3528

The Trojan injects its code into the following process(es):

YTDownloader.exe:1804

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\YTDownloaderFull.exe (7944 bytes)

The process setup.exe:308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\YTDownloader\rtmpdump.exe (19592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\nsProcess.dll (12 bytes)
%Program Files%\YTDownloader\YTDownloader.exe (64981 bytes)
%Program Files%\YTDownloader\DownloadAPI.dll (70495 bytes)
%Program Files%\YTDownloader\Unelevate.exe (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\YTDownloader\YTDownloader.lnk (1 bytes)
%Program Files%\YTDownloader\BrowserHelper.exe (16424 bytes)
%Program Files%\YTDownloader\YTD-icon-128x128.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\AccDownload.dll (9573 bytes)
%Program Files%\YTDownloader\BrowserHelperSrv.exe (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\nsExec.dll (14 bytes)
%Program Files%\YTDownloader\Updater.exe (25824 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp (4 bytes)
%Program Files%\YTDownloader\download_ani.gif (9 bytes)
%Program Files%\YTDownloader\DownloadHelper.exe (13584 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\nsA152.tmp (14 bytes)
%Program Files%\YTDownloader\AniGIF.ocx (6532 bytes)
%Program Files%\YTDownloader\ssleay32.dll (7192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp (270426 bytes)
%Program Files%\YTDownloader\convert_aniBW.gif (7 bytes)
C:\Users\"%CurrentUserName%"\Desktop\YTDownloader.lnk (1 bytes)
%Program Files%\YTDownloader\sbmntr.sys (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\ns9C81.tmp (14 bytes)
%Program Files%\YTDownloader\libeay32.dll (33455 bytes)
%Program Files%\YTDownloader\YTDUninstall.exe (20624 bytes)
%Program Files%\YTDownloader\Download_completed.ico (1 bytes)
%Program Files%\YTDownloader\convert_ani.gif (784 bytes)
%Program Files%\YTDownloader\converter.exe (68799 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\AccDownload.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy3F70.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\ns9C81.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\nsA152.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F82.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\nsProcess.dll (0 bytes)

The process YTDownloaderFull.exe:3528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd39C6.tmp (175480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi39E6.tmp\D1958.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi39E6.tmp\setup.exe (1824812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi39E6.tmp\NK.lky (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi39E6.tmp\setup1.exe (164931 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi39E6.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi39E6.tmp\NK.lky (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi39E6.tmp\D1958.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi39E6.tmp\setup1.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn39B5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi39E6.tmp\setup.exe (0 bytes)

Registry activity

The process %original file name%.exe:3684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\7c98d6fcf82adc7b0cf14ca04d128655_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\7c98d6fcf82adc7b0cf14ca04d128655_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\7c98d6fcf82adc7b0cf14ca04d128655_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\7c98d6fcf82adc7b0cf14ca04d128655_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\7c98d6fcf82adc7b0cf14ca04d128655_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\7c98d6fcf82adc7b0cf14ca04d128655_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\7c98d6fcf82adc7b0cf14ca04d128655_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\YTDownloader]
"reportLevel" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process setup.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\Verb\0]
"(Default)" = "&Properties,0,2"

[HKCR\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}]
"(Default)" = "AniGIFPpg2 Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCR\CLSID\{6DC82D15-92F2-11D1-A255-00A0C932C7DF}]
"(Default)" = "AniGIFPpg Class"

[HKCR\Interface\{82351440-9094-11D1-A24B-00A0C932C7DF}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\YTDownloader\Video Converter]
"ExeLocation" = "%Program Files%\YTDownloader\Converter.exe"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\TypeLib]
"(Default)" = "{82351433-9094-11D1-A24B-00A0C932C7DF}"

[HKCR\AniGIFPpg.AniGIFPpg]
"(Default)" = "AniGIFPpg Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YTDownloader]
"Publisher" = "YTDownloader"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\ToolboxBitmap32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx, 1"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCR\AniGIFCtrl.AniGIF\CLSID]
"(Default)" = "{82351441-9094-11D1-A24B-00A0C932C7DF}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCR\AniGIFPpg.AniGIFPpg\CurVer]
"(Default)" = "AniGIFPpg.AniGIFPpg.1"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}]
"(Default)" = "IAniGIFEvents"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"EnableFileTracing" = "0"

[HKCR\AniGIFPpg2.AniGIFPpg2.1\CLSID]
"(Default)" = "{61AB12E1-A5FF-11D1-B2E9-444553540000}"

[HKCR\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}\InprocServer32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YTDownloader]
"DisplayName" = "YTDownloader"

[HKCR\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}\1.5\FLAGS]
"(Default)" = "2"

[HKCU\Software\YTDownloader]
"Version" = "1.0.11487.1257"

[HKCR\AniGIFCtrl.AniGIF\CurVer]
"(Default)" = "AniGIFCtrl.AniGIF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YTDownloader]
"DisplayIcon" = "%Program Files%\YTDownloader\YTDownloader.exe"

[HKCR\AniGIFPpg2.AniGIFPpg2\CurVer]
"(Default)" = "AniGIFPpg2.AniGIFPpg2.1"

[HKCR\Interface\{82351440-9094-11D1-A24B-00A0C932C7DF}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}\TypeLib]
"Version" = "1.5"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"EnableFileTracing" = "0"

[HKCR\AniGIFCtrl.AniGIF]
"(Default)" = "Animation GIF Control"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\ProgID]
"(Default)" = "AniGIFCtrl.AniGIF"

[HKLM\SOFTWARE\YTDownloader]
"ExeLocation" = "%Program Files%\YTDownloader\YTDownloader.exe"

[HKCR\AniGIFPpg.AniGIFPpg.1]
"(Default)" = "AniGIFPpg Class"

[HKCR\Interface\{82351440-9094-11D1-A24B-00A0C932C7DF}\TypeLib]
"Version" = "1.5"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\YTDownloader\Video Converter]
"FFUseConverter" = "1"

[HKCR\Interface\{82351440-9094-11D1-A24B-00A0C932C7DF}]
"(Default)" = "IAniGIF"

[HKCR\AniGIFPpg2.AniGIFPpg2.1]
"(Default)" = "AniGIFPpg2 Class"

[HKCR\AniGIFPpg2.AniGIFPpg2]
"(Default)" = "AniGIFPpg2 Class"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\Version]
"(Default)" = "1.5"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\Verb]
"(Default)" = ""

[HKCR\AniGIFPpg.AniGIFPpg.1\CLSID]
"(Default)" = "{6DC82D15-92F2-11D1-A255-00A0C932C7DF}"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"MaxFileSize" = "1048576"

[HKCR\Interface\{82351440-9094-11D1-A24B-00A0C932C7DF}\TypeLib]
"(Default)" = "{82351433-9094-11D1-A24B-00A0C932C7DF}"

[HKCR\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}\1.5\0\win32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}\1.5]
"(Default)" = "Animation GIF Control"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YTDownloader]
"UninstallString" = "%Program Files%\YTDownloader\YTDUninstall.exe"

[HKCR\CLSID\{6DC82D15-92F2-11D1-A255-00A0C932C7DF}\InprocServer32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx"

[HKCR\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{5252AC41-94BB-11D1-B2E7-444553540000}\TypeLib]
"(Default)" = "{82351433-9094-11D1-A24B-00A0C932C7DF}"

[HKLM\SOFTWARE\YTDownloader]
"Version" = "1.0.11487.1257"

[HKCR\AniGIFCtrl.AniGIF\Insertable]
"(Default)" = ""

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\MiscStatus\1]
"(Default)" = "131473"

[HKLM\SOFTWARE\YTDownloader\Video Converter]
"Install" = "%Program Files%\YTDownloader\"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\InprocServer32]
"(Default)" = "%Program Files%\YTDownloader\AniGIF.ocx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\YTDownloader.exe]
"(Default)" = "%Program Files%\YTDownloader\YTDownloader.exe"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCR\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}\1.5\HELPDIR]
"(Default)" = "%Program Files%\YTDownloader\"

[HKCR\CLSID\{6DC82D15-92F2-11D1-A255-00A0C932C7DF}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations]
"Application" = "http://www.fileextensionpro.com/redir.aspx?s=&LangID=x&Ext=%s"

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}]
"(Default)" = "Animation GIF Control"

To run automatically each time Windows boots, the Trojan registers the dropped YTDownloader.exe (launched with a /boot switch) under the machine-wide autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YTDownloader" = "%Program Files%\YTDownloader\YTDownloader.exe /boot"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The same autorun entry is also written under the per-user key, so the program starts even if the machine-wide entry is removed:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"YTDownloader" = "%Program Files%\YTDownloader\YTDownloader.exe /boot"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}\Programmable]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"MaxConnectionsPerServer"
"MaxConnectionsPer1_0Server"

The process YTDownloader.exe:1804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\YTDownloader_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\YTDownloader_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\YTDownloader_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\YTDownloader_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\YTDownloader_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\YTDownloader_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\YTDownloader]
"UserId" = "{917E57BE-05D7-4713-9FFB-40B6E0D7E2AE}"

[HKLM\SOFTWARE\YTDownloader]
"UserId" = "{917E57BE-05D7-4713-9FFB-40B6E0D7E2AE}"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
45960b40c1ecb75ed5549a80049879e1 c:\Program Files\YTDownloader\AniGIF.ocx
a9da87f00c3390d4f00669e46e2429c8 c:\Program Files\YTDownloader\BrowserHelper.exe
83695911b80e6e5581d8c9f4e419f376 c:\Program Files\YTDownloader\BrowserHelperSrv.exe
5aec094599505c3ffb7772e0ca3234ba c:\Program Files\YTDownloader\DownloadAPI.dll
38196303cecd23bb143c5f8ba1e0a510 c:\Program Files\YTDownloader\DownloadHelper.exe
4962936d469c67b90b217af431351730 c:\Program Files\YTDownloader\Unelevate.exe
302cd0029cebba0bdc484d3092430df1 c:\Program Files\YTDownloader\Updater.exe
d388c8a9189a1e91e6ef4bc3efd4912c c:\Program Files\YTDownloader\YTDUninstall.exe
61df076fbd664b5110e04a65ffb5f6a0 c:\Program Files\YTDownloader\YTDownloader.exe
2f0e26c05c4613467bc86db5d964fd60 c:\Program Files\YTDownloader\converter.exe
fbb160d9fc7ba584b627e0267d0b8043 c:\Program Files\YTDownloader\libeay32.dll
e519f2bf8d35627aa8c712aa636f52ff c:\Program Files\YTDownloader\rtmpdump.exe
5fe739650cde689f1e9b32ef6795b1af c:\Program Files\YTDownloader\sbmntr.sys
c0ca162d62aedd6e7d179ed6bc6c102e c:\Program Files\YTDownloader\ssleay32.dll
aab45f6b1fefd7b8e4019b94fa302588 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\YTDownloaderFull.exe
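
A hash table like this one only becomes useful once it is swept against a host. The following Python, added as an example and not part of the report, embeds the fifteen MD5s above, walks a directory tree, hashes every file and reports exact matches. A name-only fallback catches other builds under the vendor-specific file names while ignoring libeay32.dll, ssleay32.dll and rtmpdump.exe, which ship with plenty of legitimate software (that distinction is mine; the report does not make it). `self_check()` builds a throwaway tree of constructed files so the logic can be exercised offline without the real dropper.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# MD5 -> file name, copied from the "Dropped PE files" table of this report.
DROPPED_MD5: Dict[str, str] = {
    "45960b40c1ecb75ed5549a80049879e1": "AniGIF.ocx",
    "a9da87f00c3390d4f00669e46e2429c8": "BrowserHelper.exe",
    "83695911b80e6e5581d8c9f4e419f376": "BrowserHelperSrv.exe",
    "5aec094599505c3ffb7772e0ca3234ba": "DownloadAPI.dll",
    "38196303cecd23bb143c5f8ba1e0a510": "DownloadHelper.exe",
    "4962936d469c67b90b217af431351730": "Unelevate.exe",
    "302cd0029cebba0bdc484d3092430df1": "Updater.exe",
    "d388c8a9189a1e91e6ef4bc3efd4912c": "YTDUninstall.exe",
    "61df076fbd664b5110e04a65ffb5f6a0": "YTDownloader.exe",
    "2f0e26c05c4613467bc86db5d964fd60": "converter.exe",
    "fbb160d9fc7ba584b627e0267d0b8043": "libeay32.dll",
    "e519f2bf8d35627aa8c712aa636f52ff": "rtmpdump.exe",
    "5fe739650cde689f1e9b32ef6795b1af": "sbmntr.sys",
    "c0ca162d62aedd6e7d179ed6bc6c102e": "ssleay32.dll",
    "aab45f6b1fefd7b8e4019b94fa302588": "YTDownloaderFull.exe",
}

# Names that also ship with unrelated, legitimate software (OpenSSL 1.0.x
# builds, rtmpdump); a name match alone means nothing for these (my choice).
GENERIC_NAMES = {"libeay32.dll", "ssleay32.dll", "rtmpdump.exe"}


def md5_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through MD5; the table only gives MD5s, so that is what we match."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, iocs: Dict[str, str] = DROPPED_MD5) -> List[Tuple[Path, str, str]]:
    """Walk root and return (path, md5, verdict) for files worth a look.

    verdict is "hash:<name>" for an exact MD5 match, or "name-only:<name>" when a
    vendor-specific dropped-file name is present but the content differs (another
    build of the same installer, for instance)."""
    by_name = {n.lower(): n for n in iocs.values() if n.lower() not in GENERIC_NAMES}
    hits: List[Tuple[Path, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            try:
                digest = md5_of(p)
            except OSError:
                continue                       # unreadable or locked; skip, do not abort the sweep
            if digest in iocs:
                hits.append((p, digest, "hash:" + iocs[digest]))
            elif fn.lower() in by_name:
                hits.append((p, digest, "name-only:" + by_name[fn.lower()]))
    return sorted(hits)


def self_check() -> Dict[str, str]:
    """Sweep a throwaway tree of constructed files (stand-ins, not the real binaries)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "YTDownloader"
        app.mkdir()
        (app / "YTDownloader.exe").write_bytes(b"constructed stand-in, not the real binary")
        (app / "libeay32.dll").write_bytes(b"some unrelated OpenSSL build")
        (root / "notes.txt").write_bytes(b"benign")
        known = app / "sample.bin"
        known.write_bytes(b"constructed content whose hash we add to the IOC set")
        iocs = dict(DROPPED_MD5)
        iocs[md5_of(known)] = "sample.bin"     # constructed IOC so a hash match is exercised
        return {p.name: verdict for p, _d, verdict in sweep(root, iocs)}


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = sweep(target) if target else self_check()
    for item in (results.items() if isinstance(results, dict) else results):
        print(item)
```

MD5 is adequate for matching against a published list of known-bad hashes; it is not something to rely on for proving two files are identical, since collisions can be manufactured.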

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Goobzo
Product Name: Update Helper
Product Version: 1.5.3.0
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename: Updater.exe
Internal Name: Update
File Version: 1.5.3.0
File Description: Update Helper
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 610208 610304 4.61367 6ba9e074e9f1bac0208a8010e0539207
.rdata 614400 115768 116224 3.48046 3b99fc3b2765aa98d629f6c8fb1e8bae
.data 733184 24196 14336 3.74458 a008a98cae9873adfbf78fb579f9a13b
.rsrc 757760 2184 2560 2.67368 dc8999b079f5f4b0696aa6ec1d5c8422
.reloc 761856 34144 34304 3.6775 d8ba1891de804a3a75d3ccf420be3164

Dropped from:

fc40ca97e64d78f07b6a60c1304d65f8

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://update.ytdownloader.com/app/ping.ashx?e=uWabAt9SLcwTrK0LVdqauJLcBbfhsmGLt8f6YpiR28KEoj1Hf41tK9UB7N1/dopR4/1PTRcRe1o6k/zG4/KaHPafMqLUN3IhbfW9VjeXxBEUN4frQ/ABXA9OLpJMWKahk5m8qYrfVm1wcFbgUgv1E 5boyoTSWwNZSTm1xpgiFze9CcugtalIVpHdEz0Mk2X1Q0e6On2u6kOsDausEcS3ZEuYlD sFQOhIBQZbpcgIVPoxRj1Q1ZxSp4FnRpqgmbF5/WuV5CeXLcGWC21 u SlMsQmbEzCFoQYgKl1irrp6qML sT3o5oI5LnYU2fNyCIBd6G6Lj3qp3qPv/BEEOxGiq9ZfonCR6SXzkILEkgEKyczeXkBPJBRGcN/8uFnBYAS7DCm3ZJZcL8f90vVndUiKnjA3VjM3ihvgKRp5oGHOpC0G23fc1No4lTgLMHWFWV9cMKRkfHEM= 173.239.4.61
hxxp://update.ytdownloader.com/app/ping.ashx?e=uWabAt9SLcwTrK0LVdqauJLcBbfhsmGLt8f6YpiR28KEoj1Hf41tK9UB7N1/dopRG/Al4/pZIr 4WJhSbp07gzefCERsBpwniQS3BXSStT/MTAqYXcsGs2EnULbML00 ZXMmIbEekVGevOK6wBcgcrdTS QN6DtRihgHXxAiMJF2wBEcVJfGgB8t5 ZQePd2gchuB2gXiOazYE0r5EMq0Ub2k6Rn898YXCSgtUXqN5/aaUzToxOfi31ptgDQhqgieKL4L3TUdGfmh5G7kLgKqVXo80RT67Oh9qn20QlhWbZNeX wsqjFQBJD/Bkn ke2glPurx50GwPdLLQIH9SPpYL1pAEDgcGT 173.239.4.61
hxxp://update.ytdownloader.com/app/update.ashx?e=bomaaVKFzzKKFhIQxyAV1L8QnNp2TOEX/lkWt/gDpiG DhTlnFvuucWWO/N93rK8fr3WO5HNaj8eL Zli5wIvhaVGVJXw5w/pHtajDWk/vRWD8ZMll5GtoJT7q8edBsDaT6xCuVmQs741GCXDdXxCLxAT zXWLGq4VTmYx8DZjC0lOvcR7gfC/FdN9WWwaSeK1j3w9deqP24Zzvdic mNTsvB25MJtnS1urDxSq54gsguw6AdSyUuWDP1Q9noTpb49/gr4wffBtv1 Ci1G29pToiCggX1yUsfyq4/ZGycBEbmv/pnYX9cGGQDIfmkn5t3adYf6/C6XLBUwwno/zg JqekafmOwVZErXsffANTJ0Rjm Z0U1BNVsjP3eeiJ23iE3zqvKYJ3Mt9/zylZhbvMqxPs2jGlFdWWSVrCbg957jAN8ZnYmIrEIJAXijZgMf3HFtW4Go5g9xq7C8VN3hCpeKXSZhpc65 BHF5/bwk7jata/4PVE2gx1xCi3KK9GD52YcLOvG0/89jd3JJeiPXRxENS1VZNTo1PAMqKt0aAy/46DjOJsUvwdM0XkvL1yD52Bw4sODaV6tNSbGVWVlXhFZFXjhGOUMPzRmDXJmG6r6h8tpssK0zL/acJzGS9zb73E7kQSOziykFIuS8MnPDnMk nfJ9W88HTmb4b5fDvreqqglDAkZM6i9TPj/S7HZDc odCF6zaaJZeIjxuW2jgJMyxDxKJRCjLDBzqFsWPq1on5/VelMUCsyxuCxGqB0SOBG174fnHBwSl3NNXcqsjVef5Hfuj4uwOsz T8G9VJbiscymGCCEj8YRLsWnTybb/b6MAHq abkJjA3M9GrWoi4CbviGpiaICclgyp9xbgHR0akpg9ih3il18UVgZ/4DixNIhGqHUZl5HkCXHQX9HSsZZSnKJK43MofuUp8LxsJ9DFx uSPHoh85Wxu4FS8fv34SRNgcMyslJiqTAo4oFB38evHKGV89YhRHE4Soq646206VYTSOqJsmwoIXQeKWV70/O0nw8DogoWXzcy NoT8/HaSz1UblWnoNRpEGEL/E48y75iDc4YI/Pw8mDx5KsMDLSDxy2V0LY5CYrKaDBZEQMhRyjX9/rmow/6GPSqumwNQviEegGD27yrhfXB3kMxmPdud7XvvKKT14qLwjQXy0iZW1evOYnQOkmVyOhZT2tl11Z6Huy1swkAeJaYe1VsZXcFT32XzAIhej8ma54nC8W48TzR H6XpkgIwy88NLxxNRYQk32Zk4nEEX W61gOmCYihkBghR6JZOQLXNcNLQwlcDO6bezy18JsH/dqOf7jX7VWjoIWtJn19Il/oa85keGGQyLXXuIh/K5mMeKva61eZUY6659DjBek9GxR3xh6 VI9jYTkUBQpj 9R14mOp/cWkbqrYsFQG1fc26HcQG/iPVfBxeBckNXfkPs6gWhuP4ObrKRlYlcVyqHycfVToLZmUs1 /7CZ7qfrq1xepi4TVpZvhQ9rtq/ Ycu0gC1HSQ2C4F8PhDx8UlIF8kd2669ZF5CP1JlXf3G7RoRtpq0uqI9fSRGOt8604A935UR9Lz6ZOXe AO ACmf0IPjmWAy19aB2X1XiJpZww/fLrQEwh2yu9d8YevlSPY2E5FAUKY/vUdeJjqf3FpG6qkR 7ldUKjCoO fHzVWMFlu6c5ningZnbQCaRBlGp0zG0C7zY2LLTN8jamE4Y6mdQQIub4GEppmRY/WQXmfT0ntko0LS ZfSI4XvAgZuhzaTiSlB0sT5wlh0v6kk6qD5JDBTSUgmmOKGCbTgoP4fW6g== 173.239.4.61
hxxp://update.ytdownloader.com/app/ping.ashx?e=PcwT4QFtuPBwlKCj/kNh8wEPd33Ih39DyALzVp7rKpiovKrJ6qtuegS9t7ffDJccPjcs2gIowYW9vtnuQzJjo7v gNlTZPLGRzJziH5lBM4BAdwQ1yKBDcNwQmNwUXc7X0N oCDOEtFsjCUEZrFvp 2f8Q/A/I79pHtajDWk/vQKKjfrZ2eSSfSf2ucODaNtqUAbGGvfJFAE0GS/Hv zAhNr/7NOxPxigaNFuZRdZi3t4hLzIVcBgHFybDnbGUeVCTRcfbRiirLQhR3BAMcc9VH jSHEs2FsOADY2n9wz3R YSZxKTixN/QPHab7QXjtoXNw24za1vDnXbllNTpz6jerzZDlLGlwY3nqHn ZhMMxDoAIuanBxQI7ctFNLW92Fd9fuzXpLdNDTQi6CSAu7qxmtvEEwHJNxnQulyoVwwi28tXx61VC0g== 173.239.4.61
hxxp://update.ytdownloader.com/YTDownloaderFull.exe 173.239.4.61
hxxp://update.ytdownloader.com/app/ping.ashx?e=uWabAt9SLcwTrK0LVdqauL/VfVI1qEUQt8f6YpiR28KEoj1Hf41tK9UB7N1/dopRNTd3boYFIE0poKdVBJcK5jefCERsBpwniQS3BXSStT/MTAqYXcsGs2EnULbML00 ZXMmIbEekVGevOK6wBcgcrdTS QN6DtRihgHXxAiMJF2wBEcVJfGgN3qWyCGQkRt42GcT2kyHhmHGadbc1EpELNgTSvkQyrRRvaTpGfz3xhcJKC1Reo3n9ppTNOjE5 LfWm2ANCGqCJ4ovgvdNR0Z aHkbuQuAqpVejzRFPrs6H2qfbRCWFZtk15f7CyqMVAEkP8GSf6R7aCU 6vHnQbA90stAgf1I l411SbT/D7EE= 173.239.4.61
hxxp://update.ytdownloader.com/app/ping.ashx?e=uWabAt9SLcwTrK0LVdqauL/VfVI1qEUQt8f6YpiR28KEoj1Hf41tK9UB7N1/dopRsTYjOfuwTAAX/MmeuSondkcyc4h ZQTOAQHcENcigQ3DcEJjcFF3O19DfqAgzhLRbIwlBGaxb6ftn/EPwPyO/aR7Wow1pP70Cio362dnkkn0n9rnDg2jbe 9VJJjkQcKmvlnhjQNszqDHcw45SBFT8arOw fBjunC9qJdgMYj/E4ANjaf3DPdH5hJnEpOLE39A8dpvtBeO2hc3DbjNrW8OdduWU1OnPqN6vNkOUsaXBjeeoef5mEwzEOgAi5qcHFAjty0U0tb3YV31 7Nekt00NNCLoJIC7urGa28QTAck3GdC6XKhXDCDWlHfti0A 5 173.239.4.61
hxxp://update.ytdownloader.com/app/ping.ashx?e=uWabAt9SLcyLutl4VCcCLFBRJZQVJiGv62ls PLHCLDWOjC3d3hkbI9De26f9ELUpgVoFCgz5ZZX3lHubJ0Q8a07WUVYdq j9p8yotQ3ciFt9b1WN5fEERQ3h tD8AFcD04ukkxYpqGTmbypit9WbXBwVuBSC/UT7lujKhNJbA1lJObXGmCIXN70Jy6C1qUh7A8pUA3H1w5mz9ifLJdbDI5LnYU2fNyCIBd6G6Lj3qp3qPv/BEEOxGiq9ZfonCR6SXzkILEkgEKyczeXkBPJBRGcN/8uFnBYAS7DCm3ZJZcL8f90vVndUiKnjA3VjM3ihvgKRp5oGHOpC0G23fc1No4lTgLMHWFW9aeQ7YV6qSM= 173.239.4.61
hxxp://update.ytdownloader.com/app/ping.ashx?e=uWabAt9SLcyLutl4VCcCLFBRJZQVJiGv62ls PLHCLDWOjC3d3hkbI9De26f9ELUpgVoFCgz5ZakRR0NmOWSSGzp09NV5Uew g/TtAsLfyTZQL9t9YgCBKqKdVJBDVsTrItcru6Xqdk9dQ13rwldQMUeCHoSUv8tVfZE 95fq8T1z0rHhxHXffGpxKFmyo8pI8uy5hQfAyoQzzyiyCZyuzgA2Np/cM90fmEmcSk4sTf0Dx2m 0F47aFzcNuM2tbw5125ZTU6c o3q82Q5SxpcGN56h5/mYTDMQ6ACLmpwcUCO3LRTS1vdhXfX7s16S3TQ00IugkgLu6sZrbxBMByTcZ0LpcqFcMIMVYMavccMu8= 173.239.4.61
hxxp://update.ytdownloader.com/app/ping.ashx?e=/9ZmISdorEvWY Ckj/WrE1BRJZQVJiGv62ls PLHCLDWOjC3d3hkbI9De26f9ELUpgVoFCgz5ZbgrjOMelDSCVNtH1XxiKIkVTlTA7N8SCd9rpVF7L2m5voso8xPlhHGo8OVPqrD/WYe/4numrnDPh sxoD Tp5MfVtYtk1gemcwnrXaCMfcjA2tuNUGF3YjMHXY79YlLV0vxmnClI94KPjUYJcN1fEIvEBP7NdYsarhVOZjHwNmMLSU69xHuB8L8V031ZbBpJ4rWPfD116o/bhnO92Jz6Y1Oy8Hbkwm2dLW6sPFKrniCyC7DoB1LJS5nh5C3sZ1/Q12G7aPUl zhAl9dhb6NWpiOZAfBvo6lPI= 173.239.4.61
hxxp://update.ytdownloader.com/app/ping.ashx?e=s5Ydxb c7o0DbDSBvTK 4GVldGVU1DeGOggt0NtNk2v 0xA4l2Ql5bmJ/HmhTo4Isg/Aur4E6JrDYKNP8CGhRNYStPcJR5aWMhyMxI MPZHAmdz00NVJVKRIYiu/lfQHnBG7 e1KHHMTnkRVtfdXuK4k0Xfyfd30h0z7tvF4NSjxhpLaH/shdzAFlFSWijiph5urJNpRUkJmpsQ0TKQTsSWW8S0jOxDXhjZ3jwf MfnewapHV13X4Mn2VfFO6zvwTOwNUCYnvS2Afm8Fd59xcOgp01/jAfMw/ XSTVPWeftvnzx8CC5qGoRSXsMIkLBxCE/ILliC70rkUM6KgUJf8X9u7vlnEcP2BS16 bk0lSA= 173.239.4.61
hxxp://update.ytdownloader.com/app/ping.ashx?action=S_INSTALL&usid=732923889-1296844034-1208581001&aff=&rnd=&v=1.0.11487.1257&url=&title=&pingtext=Files& protocol=&size=0&ref=&browser= 173.239.4.61
hxxp://download.goobzo.com/YTDownloaderFull.exe 173.239.4.61
hxxp://www.ytdownloader.com/app/ping.ashx?action=S_INSTALL&usid=732923889-1296844034-1208581001&aff=&rnd=&v=1.0.11487.1257&url=&title=&pingtext=Files& protocol=&size=0&ref=&browser= 173.239.4.61
rep.ytdownloader.com 173.239.4.66


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
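
The only IDS hit is the generic ET POLICY rule, which fires on any executable fetched over HTTP. The hostnames, the two IPs and the `YTD 1.5.3.1216` token appended to the MSIE user-agent in the traffic dump give a far more specific signal. The following Python, added as an example and not part of the report, applies those indicators to a constructed tab-separated proxy log: the log lines are made up for the example (three reuse URLs and user-agents from this page, two are benign fillers), and the "weak" grading for an otherwise unknown host that receives a 0-byte 200 on a `/app/ping.ashx` path is my own heuristic, drawn from the beacon pattern visible in the dump.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Hosts and IPs from the "URLs" table of this report.
IOC_HOSTS = {
    "update.ytdownloader.com",
    "www.ytdownloader.com",
    "rep.ytdownloader.com",
    "download.goobzo.com",
}
IOC_IPS = {"173.239.4.61", "173.239.4.66"}

# The YTDownloaderFull.exe download in the traffic dump carried
# "YTD 1.5.3.1216" appended to an MSIE 9 user-agent; match the product
# token with any version so other builds are caught too.
YTD_UA_RE = re.compile(r"\bYTD \d+(?:\.\d+)+\b")

# Every ping.ashx request in the dump got a 0-byte HTTP 200; update.ashx is
# on the same handler path (its response is cut off in the dump). On its own
# this shape is only a weak signal.
BEACON_PATH_RE = re.compile(r"^/app/(?:ping|update)\.ashx$")

# Constructed proxy log (tab-separated: time, client, method, url, status,
# bytes, user-agent). The first three lines reuse URLs and user-agents from
# this report (the e= blob is truncated); the last two are fillers.
SAMPLE_LOG = "\n".join([
    "2017-09-07T07:20:25Z\t10.0.0.15\tGET\thttp://update.ytdownloader.com/app/ping.ashx?e=uWabAt9SLcwTrK0LVdqauJLcBbfhsmGLt8f6YpiR28KEoj1Hf41tK9UB7N1\t200\t0\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)",
    "2017-09-07T07:20:26Z\t10.0.0.15\tGET\thttp://download.goobzo.com/YTDownloaderFull.exe\t200\t5106377\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1 YTD 1.5.3.1216)",
    "2017-09-07T07:20:40Z\t10.0.0.15\tGET\thttp://173.239.4.61/app/ping.ashx?action=S_INSTALL&v=1.0.11487.1257\t200\t0\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)",
    "2017-09-07T07:21:02Z\t10.0.0.22\tGET\thttp://www.example.org/index.html\t200\t4512\tMozilla/5.0 (Windows NT 6.1; rv:55.0) Gecko/20100101 Firefox/55.0",
    "2017-09-07T07:21:09Z\t10.0.0.22\tGET\thttp://cdn.example.net/app/ping.ashx?x=1\t200\t0\tMozilla/5.0 (Windows NT 6.1; rv:55.0) Gecko/20100101 Firefox/55.0",
])

STRONG = {"ioc-host", "ioc-ip", "ytd-user-agent"}


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return {"url", "host", "level", "reasons"} for a suspicious line, else None."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None                      # malformed; a real pipeline would count these
    _ts, _client, _method, url, status, size, ua = fields
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons: List[str] = []
    if host in IOC_HOSTS:
        reasons.append("ioc-host")
    if host in IOC_IPS:
        reasons.append("ioc-ip")
    if YTD_UA_RE.search(ua):
        reasons.append("ytd-user-agent")
    if BEACON_PATH_RE.match(parts.path) and status == "200" and size == "0":
        reasons.append("empty-200-beacon")
    if not reasons:
        return None
    level = "match" if STRONG & set(reasons) else "weak"
    return {"url": url, "host": host, "level": level, "reasons": reasons}


def scan(log_text: str) -> List[Dict[str, object]]:
    """Classify every line of a log and keep the suspicious ones in order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['level']:5} {','.join(hit['reasons']):32} {hit['url']}")
```

Keying on the user-agent token catches the installer even after the hosting domains change, while the host and IP sets are the cheap exact matches; the beacon-shape heuristic is there to surface candidates for review, not to alert on its own.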

Traffic

GET /app/ping.ashx?e=uWabAt9SLcwTrK0LVdqauJLcBbfhsmGLt8f6YpiR28KEoj1Hf41tK9UB7N1/dopR4/1PTRcRe1o6k/zG4/KaHPafMqLUN3IhbfW9VjeXxBEUN4frQ/ABXA9OLpJMWKahk5m8qYrfVm1wcFbgUgv1E 5boyoTSWwNZSTm1xpgiFze9CcugtalIVpHdEz0Mk2X1Q0e6On2u6kOsDausEcS3ZEuYlD sFQOhIBQZbpcgIVPoxRj1Q1ZxSp4FnRpqgmbF5/WuV5CeXLcGWC21 u SlMsQmbEzCFoQYgKl1irrp6qML sT3o5oI5LnYU2fNyCIBd6G6Lj3qp3qPv/BEEOxGiq9ZfonCR6SXzkILEkgEKyczeXkBPJBRGcN/8uFnBYAS7DCm3ZJZcL8f90vVndUiKnjA3VjM3ihvgKRp5oGHOpC0G23fc1No4lTgLMHWFWV9cMKRkfHEM= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: update.ytdownloader.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Sep 2017 07:20:25 GMT



GET /app/ping.ashx?e=PcwT4QFtuPBwlKCj/kNh8wEPd33Ih39DyALzVp7rKpiovKrJ6qtuegS9t7ffDJccPjcs2gIowYW9vtnuQzJjo7v gNlTZPLGRzJziH5lBM4BAdwQ1yKBDcNwQmNwUXc7X0N oCDOEtFsjCUEZrFvp 2f8Q/A/I79pHtajDWk/vQKKjfrZ2eSSfSf2ucODaNtqUAbGGvfJFAE0GS/Hv zAhNr/7NOxPxigaNFuZRdZi3t4hLzIVcBgHFybDnbGUeVCTRcfbRiirLQhR3BAMcc9VH jSHEs2FsOADY2n9wz3R YSZxKTixN/QPHab7QXjtoXNw24za1vDnXbllNTpz6jerzZDlLGlwY3nqHn ZhMMxDoAIuanBxQI7ctFNLW92Fd9fuzXpLdNDTQi6CSAu7qxmtvEEwHJNxnQulyoVwwi28tXx61VC0g== HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: update.ytdownloader.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Sep 2017 07:20:26 GMT



GET /app/ping.ashx?e=uWabAt9SLcwTrK0LVdqauL/VfVI1qEUQt8f6YpiR28KEoj1Hf41tK9UB7N1/dopRsTYjOfuwTAAX/MmeuSondkcyc4h ZQTOAQHcENcigQ3DcEJjcFF3O19DfqAgzhLRbIwlBGaxb6ftn/EPwPyO/aR7Wow1pP70Cio362dnkkn0n9rnDg2jbe 9VJJjkQcKmvlnhjQNszqDHcw45SBFT8arOw fBjunC9qJdgMYj/E4ANjaf3DPdH5hJnEpOLE39A8dpvtBeO2hc3DbjNrW8OdduWU1OnPqN6vNkOUsaXBjeeoef5mEwzEOgAi5qcHFAjty0U0tb3YV31 7Nekt00NNCLoJIC7urGa28QTAck3GdC6XKhXDCDWlHfti0A 5 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: update.ytdownloader.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Sep 2017 07:20:26 GMT



GET /app/ping.ashx?e=uWabAt9SLcyLutl4VCcCLFBRJZQVJiGv62ls PLHCLDWOjC3d3hkbI9De26f9ELUpgVoFCgz5ZakRR0NmOWSSGzp09NV5Uew g/TtAsLfyTZQL9t9YgCBKqKdVJBDVsTrItcru6Xqdk9dQ13rwldQMUeCHoSUv8tVfZE 95fq8T1z0rHhxHXffGpxKFmyo8pI8uy5hQfAyoQzzyiyCZyuzgA2Np/cM90fmEmcSk4sTf0Dx2m 0F47aFzcNuM2tbw5125ZTU6c o3q82Q5SxpcGN56h5/mYTDMQ6ACLmpwcUCO3LRTS1vdhXfX7s16S3TQ00IugkgLu6sZrbxBMByTcZ0LpcqFcMIMVYMavccMu8= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: update.ytdownloader.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Sep 2017 07:20:38 GMT



GET /app/ping.ashx?e=s5Ydxb c7o0DbDSBvTK 4GVldGVU1DeGOggt0NtNk2v 0xA4l2Ql5bmJ/HmhTo4Isg/Aur4E6JrDYKNP8CGhRNYStPcJR5aWMhyMxI MPZHAmdz00NVJVKRIYiu/lfQHnBG7 e1KHHMTnkRVtfdXuK4k0Xfyfd30h0z7tvF4NSjxhpLaH/shdzAFlFSWijiph5urJNpRUkJmpsQ0TKQTsSWW8S0jOxDXhjZ3jwf MfnewapHV13X4Mn2VfFO6zvwTOwNUCYnvS2Afm8Fd59xcOgp01/jAfMw/ XSTVPWeftvnzx8CC5qGoRSXsMIkLBxCE/ILliC70rkUM6KgUJf8X9u7vlnEcP2BS16 bk0lSA= HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: update.ytdownloader.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Sep 2017 07:20:39 GMT


GET /YTDownloaderFull.exe HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1 YTD 1.5.3.1216)
Host: download.goobzo.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/octet-stream
Last-Modified: Thu, 24 Dec 2015 07:02:02 GMT
Accept-Ranges: bytes
ETag: "f68fcafd183ed11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 07 Sep 2017 07:20:26 GMT
Content-Length: 5106377
[binary response body: an MZ/PE executable ("This program cannot be run in DOS mode"); the section names visible in the dump are .text, .rdata, .data, .ndata and .rsrc, the .ndata section being the one NSIS installers carry, which matches the nsExec.dll, nsProcess.dll and System.dll plugins unpacked into the ns*.tmp directories above]

<<< skipped >>>

GET /app/ping.ashx?e=uWabAt9SLcwTrK0LVdqauJLcBbfhsmGLt8f6YpiR28KEoj1Hf41tK9UB7N1/dopRG/Al4/pZIr 4WJhSbp07gzefCERsBpwniQS3BXSStT/MTAqYXcsGs2EnULbML00 ZXMmIbEekVGevOK6wBcgcrdTS QN6DtRihgHXxAiMJF2wBEcVJfGgB8t5 ZQePd2gchuB2gXiOazYE0r5EMq0Ub2k6Rn898YXCSgtUXqN5/aaUzToxOfi31ptgDQhqgieKL4L3TUdGfmh5G7kLgKqVXo80RT67Oh9qn20QlhWbZNeX wsqjFQBJD/Bkn ke2glPurx50GwPdLLQIH9SPpYL1pAEDgcGT HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: update.ytdownloader.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Sep 2017 07:20:25 GMT
....



GET /app/update.ashx?e=bomaaVKFzzKKFhIQxyAV1L8QnNp2TOEX/lkWt/gDpiG DhTlnFvuucWWO/N93rK8fr3WO5HNaj8eL Zli5wIvhaVGVJXw5w/pHtajDWk/vRWD8ZMll5GtoJT7q8edBsDaT6xCuVmQs741GCXDdXxCLxAT zXWLGq4VTmYx8DZjC0lOvcR7gfC/FdN9WWwaSeK1j3w9deqP24Zzvdic mNTsvB25MJtnS1urDxSq54gsguw6AdSyUuWDP1Q9noTpb49/gr4wffBtv1 Ci1G29pToiCggX1yUsfyq4/ZGycBEbmv/pnYX9cGGQDIfmkn5t3adYf6/C6XLBUwwno/zg JqekafmOwVZErXsffANTJ0Rjm Z0U1BNVsjP3eeiJ23iE3zqvKYJ3Mt9/zylZhbvMqxPs2jGlFdWWSVrCbg957jAN8ZnYmIrEIJAXijZgMf3HFtW4Go5g9xq7C8VN3hCpeKXSZhpc65 BHF5/bwk7jata/4PVE2gx1xCi3KK9GD52YcLOvG0/89jd3JJeiPXRxENS1VZNTo1PAMqKt0aAy/46DjOJsUvwdM0XkvL1yD52Bw4sODaV6tNSbGVWVlXhFZFXjhGOUMPzRmDXJmG6r6h8tpssK0zL/acJzGS9zb73E7kQSOziykFIuS8MnPDnMk nfJ9W88HTmb4b5fDvreqqglDAkZM6i9TPj/S7HZDc odCF6zaaJZeIjxuW2jgJMyxDxKJRCjLDBzqFsWPq1on5/VelMUCsyxuCxGqB0SOBG174fnHBwSl3NNXcqsjVef5Hfuj4uwOsz T8G9VJbiscymGCCEj8YRLsWnTybb/b6MAHq abkJjA3M9GrWoi4CbviGpiaICclgyp9xbgHR0akpg9ih3il18UVgZ/4DixNIhGqHUZl5HkCXHQX9HSsZZSnKJK43MofuUp8LxsJ9DFx uSPHoh85Wxu4FS8fv34SRNgcMyslJiqTAo4oFB38evHKGV89YhRHE4Soq646206VYTSOqJsmwoIXQeKWV70/O0nw8DogoWXzcy NoT8/HaSz1UblWnoNRpEGEL/E48y75iDc4YI/Pw8mDx5KsMDLSDxy2V0LY5CYrKaDBZEQMhRyjX9/rmow/6GPSqumwNQviEegGD27yrhfXB3kMxmPdud7XvvKKT14qLwjQXy0iZW1evOYnQOkmVyOhZT2tl11Z6Huy1swkAeJaYe1VsZXcFT32XzAIhej8ma54nC8W48TzR H6XpkgIwy88NLxxNRYQk32Zk4nEEX W61gOmCYihkBghR6JZOQLXNcNLQwlcDO6bezy18JsH/dqOf7jX7VWjoIWtJn19Il/oa85keGGQyLXXuIh/K5mMeKva61eZUY6659DjBek9GxR3xh6 VI9jYTkUBQpj 9R14mOp/cWkbqrYsFQG1fc26HcQG/iPVfBxeBckNXfkPs6gWhuP4ObrKRlYlcVyqHycfVToLZmUs1 /7CZ7qfrq1xepi4TVpZvhQ9rtq/ Yc
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 344
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Sep 2017 07:20:25 GMT
C.\.S...6....Cn.....~.....5. ..,....$1@.......,.Zi.3.......l\.U....}Ps
..{I."#.b.{I."#.b.{I."#.b..?lk... .|...{(.2.)..."0.C...*1/M...R ..?qj.
.(...L......^B..\.^.K.)V.Q.;{I."#.b.{I."#.b.{I."#.b.AJ#..d..X....S.3..
.)...zL....Q......z....Xt.x,p.{I."#.b.{I."#.b.{I."#.b...S._y.Y.5..#...
aJnP...i...!J. .......nm{I."#.b.{I."#.b..l..!.jW......Z!.0.\./..HTTP/1
.1 200 OK..Cache-Control: private..Content-Length: 344..Content-Type:
text/html..Server: Microsoft-IIS/7.5..X-AspNet-Version: 4.0.30319..X-P
owered-By: ASP.NET..Date: Thu, 07 Sep 2017 07:20:25 GMT..C.\.S...6....
Cn.....~.....5. ..,....$1@.......,.Zi.3.......l\.U....}Ps..{I."#.b.{I.
"#.b.{I."#.b..?lk... .|...{(.2.)..."0.C...*1/M...R ..?qj..(...L......^
B..\.^.K.)V.Q.;{I."#.b.{I."#.b.{I."#.b.AJ#..d..X....S.3...)...zL....Q.
.....z....Xt.x,p.{I."#.b.{I."#.b.{I."#.b...S._y.Y.5..#...aJnP...i...!J
. .......nm{I."#.b.{I."#.b..l..!.jW......Z!.0.\./..
....



GET /app/ping.ashx?e=uWabAt9SLcwTrK0LVdqauL/VfVI1qEUQt8f6YpiR28KEoj1Hf41tK9UB7N1/dopRNTd3boYFIE0poKdVBJcK5jefCERsBpwniQS3BXSStT/MTAqYXcsGs2EnULbML00 ZXMmIbEekVGevOK6wBcgcrdTS QN6DtRihgHXxAiMJF2wBEcVJfGgN3qWyCGQkRt42GcT2kyHhmHGadbc1EpELNgTSvkQyrRRvaTpGfz3xhcJKC1Reo3n9ppTNOjE5 LfWm2ANCGqCJ4ovgvdNR0Z aHkbuQuAqpVejzRFPrs6H2qfbRCWFZtk15f7CyqMVAEkP8GSf6R7aCU 6vHnQbA90stAgf1I l411SbT/D7EE= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: update.ytdownloader.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Sep 2017 07:20:26 GMT
HTTP/1.1 200 OK..Cache-Control: private..Content-Length: 0..Server: Mi
crosoft-IIS/7.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..D
ate: Thu, 07 Sep 2017 07:20:26 GMT..
....



GET /app/ping.ashx?e=uWabAt9SLcyLutl4VCcCLFBRJZQVJiGv62ls PLHCLDWOjC3d3hkbI9De26f9ELUpgVoFCgz5ZZX3lHubJ0Q8a07WUVYdq j9p8yotQ3ciFt9b1WN5fEERQ3h tD8AFcD04ukkxYpqGTmbypit9WbXBwVuBSC/UT7lujKhNJbA1lJObXGmCIXN70Jy6C1qUh7A8pUA3H1w5mz9ifLJdbDI5LnYU2fNyCIBd6G6Lj3qp3qPv/BEEOxGiq9ZfonCR6SXzkILEkgEKyczeXkBPJBRGcN/8uFnBYAS7DCm3ZJZcL8f90vVndUiKnjA3VjM3ihvgKRp5oGHOpC0G23fc1No4lTgLMHWFW9aeQ7YV6qSM= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: update.ytdownloader.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Sep 2017 07:20:38 GMT
....



GET /app/ping.ashx?e=/9ZmISdorEvWY Ckj/WrE1BRJZQVJiGv62ls PLHCLDWOjC3d3hkbI9De26f9ELUpgVoFCgz5ZbgrjOMelDSCVNtH1XxiKIkVTlTA7N8SCd9rpVF7L2m5voso8xPlhHGo8OVPqrD/WYe/4numrnDPh sxoD Tp5MfVtYtk1gemcwnrXaCMfcjA2tuNUGF3YjMHXY79YlLV0vxmnClI94KPjUYJcN1fEIvEBP7NdYsarhVOZjHwNmMLSU69xHuB8L8V031ZbBpJ4rWPfD116o/bhnO92Jz6Y1Oy8Hbkwm2dLW6sPFKrniCyC7DoB1LJS5nh5C3sZ1/Q12G7aPUl zhAl9dhb6NWpiOZAfBvo6lPI= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: update.ytdownloader.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Sep 2017 07:20:38 GMT
HTTP/1.1 200 OK..Cache-Control: private..Content-Length: 0..Server: Mi
crosoft-IIS/7.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..D
ate: Thu, 07 Sep 2017 07:20:38 GMT..


GET /app/ping.ashx?action=S_INSTALL&usid=732923889-1296844034-1208581001&aff=&rnd=&v=1.0.11487.1257&url=&title=&pingtext=Files& protocol=&size=0&ref=&browser= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: VVV.ytdownloader.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 07 Sep 2017 07:20:41 GMT
HTTP/1.1 200 OK..Cache-Control: private..Content-Length: 0..Server: Mi
crosoft-IIS/7.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..D
ate: Thu, 07 Sep 2017 07:20:41 GMT..


The Trojan connects to the servers at the following location(s):

SearchProtocolHost.exe_1604:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_2036:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610

BROWSE~2.EXE_1980:

.text
`.rdata
@.data
.rsrc
@.reloc
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
operator
GetProcessWindowStation
Process token open Error: %u
C:\Builds\Build_YTDownloader\Client\WFP\BrowserHelperSrv\2013_with_xp\BrowserHelperSrv.pdb
KERNEL32.dll
USER32.dll
ADVAPI32.dll
GetProcessHeap
GetCPInfo
zcÁ
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
4 5 52585>5
01S1|3
*mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
kernel32.dll
USER32.DLL
BrowserHelper.exe
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Run
e:%d s:%d
\BrowserHelper.exe
C:\PROGRA~1\YTDOWN~1\BROWSE~2.EXE

BrowserHelper.exe_3004:

.text
`.rdata
@.data
.rsrc
@.reloc
j.Yf;
_tcPVj@
.PjRW
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
Higher: %x
Lower: %x
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
operator
GetProcessWindowStation
C:\Builds\Build_YTDownloader\Client\WFP\BrowserHelper\2013_with_xp\BrowserHelper.pdb
WinExec
KERNEL32.dll
SetWindowsHookExW
UnhookWindowsHookEx
USER32.dll
RegCloseKey
RegCreateKeyExW
RegEnumKeyA
RegOpenKeyExA
RegDeleteKeyW
RegEnumKeyW
RegNotifyChangeKeyValue
RegOpenKeyW
RegOpenKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW
HttpSendRequestExW
HttpEndRequestW
HttpQueryInfoW
WININET.dll
VERSION.dll
PSAPI.DLL
GetCPInfo
GetProcessHeap
j9.Wj9?Wj
zcÁ
.?AVCHttp@@
C:\PROGRA~1\YTDOWN~1\BrowserHelper.exe
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
6 6=6]6}6
?&?5?[?|?
8™9D9W9d9m9
8 8$8(8,80848
:(:4:@:`:|:
1 1$1,10141
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: multipart/form-data; boundary=%s
HTTP/1.1
XXX
Content-Disposition: form-data; name="%s"
HTTP/1.0
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Windows 95
Windows 98
Windows Me
Windows NT
Windows 2000
Windows XP
Windows 2003 Server
Windows Vista
Windows 7
Windows CE
%sLow\%s\
%s\%s\%s\
%C:\Users\Public\Documents\%s\%s\
%s\Application Data\%s\%s\
ConfigDB.dll
config.xml
<d/d/%d d:d:d::d 0x%X>
[SbTracer::ReadConfiguration] Trace Level: %d
[SbTracer::ReadConfiguration] Trace Destination: %d
[SbTracer::ReadConfiguration] Trace Backup: %d
[SbTracer::ReadConfiguration] Trace Time Limit: %d
[SbTracer::ReadConfiguration] Trace Time Stamp: %d
[SbTracer::ReadConfiguration] Trace Max Size: %d
[SbTracer::FormatFilePath] ___Error - GetModuleFileName: %s
[SbTracer::FormatFilePath] ___Warning - No Log folder: %s
[SbTracer::FormatFilePath] ___Error - RecursiveCreateDirectory: %s
[SbTracer::FormatFilePath] Log Path: %s
[SbTracer::RecursiveCreateDirectory] ___Error - Directory: %s
[SbTracer::RecursiveCreateDirectory] ___Error - CreateDirectory: %s
[SbTracer::RecursiveCreateDirectory] Directory: %s
[SbTracer::OpenTraceFile] ___Error: %d, File: %s
[SbTracer::WriteTraceLine] !!! OVERFLOW or FORMAT ERROR !!! - (%d) %s
[SbTracer::OpenTraceFile] Done %s
[SbTracer::BackupTraceFile] %s
[SbTracer::RegisterOnConfigurationChange] ___Error: %d, RegOpenKeyEx
[SbTracer::RegisterOnConfigurationChange] ___Error: %d, RegNotifyChangeKeyValue
\StringFileInfo\x\%s
kernel32.dll
WININET.DLL
user32.dll
[CIEDownloadAcceleratorEngine::CallDAP] ___Error CreateProcess: %s, Parameters: %s. LE: %d
[CUtils::GetDAPExeLocation] Name: %s
[CUtils::GetDAPExeLocation] ___Error read DAP location from %s
PipeName
[CUtils::GetDAPPipeName] Name: %s
[CUtils::GetDAPPipeName] ___Error read DAP Pipe Name from %s
[CUtils::GetDAPWindowName] Name: %s
[CUtils::GetDAPWindowName] ___Error read DAP Window Name from %s
%d.%d.%d.%d
"%s" "%s"
d/d/%d d:d:d::d
"%s" %s
[CUtils::GoToURL] ___Error WinExec url = %s, defBrowser = %s, err = %d
&exe%d=%s&ver%d=%s&arr%d=%s
&ver=%s&InstDate=%s&userid=%s&usid=%s&aff=%s&date=%s%&ch=%s&ch_pin=%s&ff=%s&ff_pin=%s&ie=%s&ie_pin=%s&in=%s&in_pin=%s&def=%s&ie2=%s&global=%s&num=%d
hXXp://hcfq9zfs.vmgoxp64.netdna-cdn.com/b.ashx?
%d-d-d
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
0.0.0.0
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Internet.exe
%Program Files%\Internet Explorer\IEXPLORE.EXE
http\shell\open\command
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
Mozilla Firefox
Google Chrome
Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\*.lnk
explorer.exe
BrowserHelper.txt
BrowserHelperBk.txt
Chrome
Mozilla
iexplore.exe
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
%s?e=%s
zvl=%s&
1.8.1.0
Updater.exe

taskeng.exe_1872:

.text
`.data
.rsrc
@.reloc
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-Debug-L1-1-0.dll
API-MS-Win-Core-ErrorHandling-L1-1-0.dll
API-MS-Win-Core-File-L1-1-0.dll
API-MS-Win-Core-Handle-L1-1-0.dll
API-MS-Win-Core-Heap-L1-1-0.dll
API-MS-Win-Core-Interlocked-L1-1-0.dll
API-MS-Win-Core-LibraryLoader-L1-1-0.dll
API-MS-Win-Core-Misc-L1-1-0.dll
API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-Profile-L1-1-0.dll
API-MS-Win-Core-Synch-L1-1-0.dll
API-MS-Win-Core-SysInfo-L1-1-0.dll
API-MS-Win-Core-ThreadPool-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
KERNEL32.dll
d:\w7rtm\admin\wmi\jobs\server\session\session\main.cpp
Session::ChannelMsgReceived
d:\w7rtm\admin\wmi\jobs\server\session\session\session.cpp
d:\w7rtm\admin\wmi\jobs\server\session\session\clientchannel2.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\task.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\comhandlerbase.cpp
StopJobMsg
StartJobMsg
ClientPipeName
Invalid parameter passed to C runtime function.
d:\w7rtm\admin\wmi\jobs\common\xml\taskxmlreader.cpp
TaskScheduler.log
j%Xf;
d:\w7rtm\admin\wmi\jobs\server\engine\action.cpp
API-MS-WIN-Service-Management-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
SspiCli.dll
XmlLite.dll
MPR.dll
RegOpenKeyTransactedW
RegCloseKey
RegOpenKeyExW
RegNotifyChangeKeyValue
RegCreateKeyExW
FindExecutableW
MsgWaitForMultipleObjects
EnumThreadWindows
EnumWindows
GetProcessWindowStation
_wcmdln
_amsg_exit
GetProcessHeap
SetProcessShutdownParameters
TaskEng.pdb
version="5.1.0.0"
name="Microsoft.Windows.WMI.TaskScheduler.TaskEng"
<requestedExecutionLevel
8 8$8(878
3=4Z4w4
=!=(=0=4=?=>>
5 5U5_5
5b6u6
-131J1X1o1}1
=$=<=\=|=
Password
hXXp://schemas.microsoft.com/windows/2004/02/mit/task
2ieframe.dll
%SystemRoot%\SYSTEM32\cmd.exe
%SystemRoot%\System32\Tasks
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake
WindowSeconds
InitializeCmdlineProcessing()
pCrimson provider registration failed for taskeng, hr=0x%x
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
InteractiveTokenOrPassword
%d.%d
%s, (%d)
hXXp://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout
hXXp://schemas.microsoft.com/cdo/configuration/smtpauthenticate
hXXp://schemas.microsoft.com/cdo/configuration/sendusing
hXXp://schemas.microsoft.com/cdo/configuration/smtpserver
201ef99a-7fa0-444c-9399-19ba84f12a1a
C:\Windows\SYSTEM32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
taskeng.exe
Windows
Operating System
6.1.7601.17514

YTDownloader.exe_1804:

.text
`.rdata
@.data
.idata
.rsrc
@.reloc
SSShx
WSSh8
SPSSh0
WSShd
SSShX
.tMHtJH
F><.tN<[tJ<\tF<*tB<|t><^t:<$t6
FTPQ
tL<%u@
;NTu^SSh
xSSSh
FTPjKS
FtPj;S
C.PjRV
SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
1.3.6.1.4.1.311.2.1.12
1.2.840.113549.1.9.5
1.2.840.113549.1.9.6
CRtmpParser::GetFieldDataString
CRtmpParser::GetFieldDataNumber
NetStream.Play.Reset
NetStream.Unpause.Notify
NetStream.Pause.Notify
NetStream.Seek.Notify
NetStream.Play.Stop
NetStream.Play.Failed
NetStream.Failed
()$^.* ?[]|\-{},:=!
video/WebM
"url_encoded_fmt_stream_map": "(.*?)"
rtmpe%3Dyes
url_encoded_fmt_stream_map=
%s, string reference, index: %d, not supported, ignoring!
%s - AMF3 unknown/unsupported datatype 0xx, @%p
AMF3_DATE reference: %d, not supported!
Property: <%s%s>
timestamp: %.2f, UTC offset: %d
INVALID TYPE 0xx
Property: <%sSTRICT_ARRAY>
Property: <%sECMA_ARRAY>
Property: <%sOBJECT>
AMF_Encode - failed to encode property in index %d
%s, invalid type. %d
%s, failed to decode AMF3 property!
Member: %s
Class name: %s, externalizable: %d, dynamic: %d, classMembers: %d
Class reference: %d
Object reference, index: %d
%s: Empty buffer/no buffer pointer!
%s - unknown datatype 0xx, @%p
AMF_TYPED_OBJECT not supported!
AMF_REFERENCE not supported!
%s: Name size out of range: namesize (%d) > len (%d) - 2
%s: Not enough data for decoding with name, less than 4 bytes!
HTTP/1
%s, Setting socket timeout to %ds failed!
%s, No SSL/TLS support
HTTP_get
If-Modified-Since: %s
GET %s HTTP/1.0
User-Agent: %s
Host: %s
Mozilla/5.0
%s, d %s %d d:d:d GMT
size: x
date: %s
ctim: %s
url: %.*s
%s: couldn't open %s for writing, errno %d (%s)
%s: couldn't contact swfurl %s (HTTP error %d)
%s: swfurl %s not found
%s: connection lost while downloading swfurl %s
1.1.4
%s%s\.swfinfo
%s: %s
hXXp://
[[IMPORT]]
No application or playpath in URL!
Invalid port number!
No hostname in URL!
Parsed protocol: %d
RTMP URL: No :// in url!
NetConnection.confStream
NetStream.Publish.Start
NetStream.Play.UnpublishNotify
NetStream.Play.PublishNotify
NetStream.Play.Complete
NetStream.Play.Start
NetConnection.Connect.InvalidApp
NetStream.Play.StreamNotFound
NetStream.Authenticate.UsherToken
Publisher password
pubPasswd
Key for SecureToken response
Justin.tv authentication token
URL to player SWF file
swfUrl
URL of played media's web page
pageUrl
URL to played stream
tcUrl
DH public key does not fulfill y^q mod p = 1
DH public key must be at most p-2
DH public key must be at least 2
RC4 In Key:
RC4 Out Key:
%s: Couldn't calculate correct DH offset (got %d), exiting!
%s: Couldn't calculate correct digest offset (got %d), exiting
%s: Couldn't calculate DH offset (got %d), exiting!
%s: Couldn't calculate digest offset (got %d), exiting!
RTMP PACKET: packet type: 0xx. channel: 0xx. info 1: %d info 2: %d. Body size: %u. body: 0xx
Connecting via SOCKS proxy: %s:%d
SWFSize : %u
live : %s
StopTime : %d msec
StartTime : %d msec
flashVer : %s
NetStream.Authenticate.UsherToken : %s
subscribepath : %s
auth : %s
pageUrl : %s
swfUrl : %s
tcUrl : %s
Playpath : %s
Port : %d
Protocol : %s
s %-7s %s
Unknown option %s
%s://%.*s:%d/%.*s
Problem accessing the DNS. (addr: %s)
%s, error
%s, Authentication failed: unknown auth mode: %s
%s, Authentication failed
%s, new app: %.*s tcUrl: %.*s playpath: %s
&nonce=%s&cnonce=%s&nc=%s&response=%s
%s, md5(%s:%s:%s:%s:%s:%s) =>
%s, md5(%s:/%.*s) =>
%s, md5(%s:%s:%s) =>
%s, pubToken1: %s
?%s&user=%s
%s, Authentication failed: no such user
%s, Authentication failed: wrong password
%s, pubToken2: %s
&challenge=%s&response=%s&opaque=%s
%s, b64(md5_2) = %s
%s, b64(%d) = %s
%s, b64(md5_1) = %s
%s, md5(%s%s%s) =>
%s, par:"%s" = val:"%s"
%s, need to set pubUser & pubPasswd for publisher auth
%s, wrong pubUser & pubPasswd for publisher auth
%-22.*s%s
%s, error decoding meta data packet
%s, received: chunk size change to %d
%s: server BW = %d
%s: client BW = %d %d
%s, recv returned %d. GetSockError(): %d (%s)
POST /%s%s/%d HTTP/1.1
Host: %.*s:%d
Content-length: %d
HTTP/1.1 200
%s, RTMP send error %d (%d bytes)
%s: fd=%d, size=%d
Invoking %s
sanity failed!! trying to send header of type: 0xx.
%s, failed to allocate packet
FCSubscribe: %s
UsherToken: %s
%s, %d, pauseTime=%d
%s, seekTime=%d, stopTime=%d, sending play: %s
sending ctrl. type: 0xx
%s: Ignoring SWFVerification request, use --swfVfy!
%s: SWFVerification Type %d request not supported! Patches welcome...
%s, SWFVerification ping received:
%s, Stream Begin %d
%s, Stream EOF %d
%s, Stream Dry %d
%s, Stream IsRecorded %d
%s, Ping %d
%s, Stream BufferEmpty %d
%s, Stream BufferReady %d
%s, Stream xx %d
%s, received ctrl. type: %d, len: %d
%s, RTMP socket closed by peer
%s, No valid HTTP response found
%s, failed to read RTMP packet body. len: %u
%s, failed to read extended timestamp
%s, failed to read RTMP packet header. type: %x
%s, m_nChannel: %0x
%s, failed to read RTMP packet header 3nd byte
%s, failed to read RTMP packet header 2nd byte
%s, failed to read RTMP packet header
%s: fd=%d
%s: client signature does not match!
%s: Handshaking finished....
%s: Genuine Adobe Flash Media Server
%s: Server not genuine Adobe!
%s: Signature calculated:
%s: Digest key:
%s: Server sent signature:
%s: Wait, did the server just refuse signed authentication?
%s: Client signature calculated:
%s: Calculated digest key from secure key and server digest:
%s: Secret key:
%s: Wrong secret key position!
%s: Server DH public key offset: %d
%s: FMS Version : %d.%d.%d.%d
%s: Server Uptime : %d
%s: Type mismatch: client sent %d, server answered %d
%s: Type Answer : X
%s: Initial client digest:
%s: Client digest offset: %d
%s: Couldn't write public key!
%s: Couldn't generate Diffie-Hellmann public key!
%s: DH pubkey position: %d
%s: Couldn't initialize Diffie-Hellmann!
%s: Client type: X
%s: Genuine Adobe Flash Player
%s: Client not genuine Adobe!
%s: Client sent signature:
%s: 2nd handshake:
%s: Sending handshake response:
%s: Server signature calculated:
%s: Client DH public key offset: %d
%s: Player Version: %d.%d.%d.%d
%s: Client Uptime : %d
%s: Initial server digest:
%s: Server digest offset: %d
%s: Unknown version x
%s: Type Requested : X
%s, RTMP connect failed.
%s, handshaked
%s, handshake failed.
%s, ... connected, handshaking
%s, Could not connect for handshake
%s, no SSL/TLS support
%s, SOCKS returned error code %d
%s, failed to create socket. Error: %d
%s, SOCKS negotiation failed.
%s ... SOCKS negotiation
%s, failed to connect socket. %d (%s)
Closing connection: %s
%s, onStatus: %s
trying to connect with redirected url
%s, error description: %s
%s, received error for method call <%s>
%s, received result id %f without matching request
%s, received result for method call <%s>
%s, server invoking <%s>
%s, error decoding invoke packet
%s, Sanity failed. no string method in invoke packet
%s, flex shared object, size %u bytes, not supported, ignoring
%s, flex message, size %u bytes, not fully supported
%s, received: notify %u bytes
%s, shared object, not supported, ignoring
%s, received: invoke %u bytes
%s, unknown packet type received: 0xx
%s, flex stream send, size %u bytes, not supported, ignoring
%s, received: bytes read report
Wrong data size (%u), stream corrupted, aborting!
Couldn't find the seeked keyframe in this chunk!
First packet does not contain keyframe, all timestamps are smaller than the keyframe timestamp; probably the resume seek failed?
FLV Stream: Keyframe doesn't match!
Found keyframe with resume-keyframe timestamp!
Checked keyframe successfully!
ignoring too small audio packet: size: %d
ignoring too small video packet: size: %d
Got Play.Complete or Play.Stop from server. Assuming stream is complete
%s: Failed to close listening socket, error %d
Caught signal: %d, cleaning up, just a second...
-c, --cert cert RTMPS cert
-k, --key key RTMPS key
-p, --port port Overrides the port in the rtmp url
%s, _beginthread failed with %d
Unknown command '%c', ignoring
-o %s
-j "%s"
-p "%s"
-W "%s"
-f "%s"
-a "%s"
-r "%s"
%s, client invoking <%s>
%s, received packet type X, size %u bytes
%s: accept failed
%s: processed request
%s: accepted connection from %s
%s, listen failed
%s, TCP bind failed for port number: %d
%s, couldn't create socket
chrome.exe iexplore.exe firefox.exe Safari.exe WebKit2WebProcess.exe opera.exe
._-$,;~()
.mpeg
video/webm
.webm
.xslt
.json
audio/x-mpegurl
.torrent
.jpeg
.shtml
.shtm
.html
url_rewrite_patterns
ssl_certificate
listening_ports
index.html,index.htm,index.cgi,index.shtml,index.php,index.lp
**.shtml$|**.shtm$
mydomain.com
**.cgi$|**.pl$|**.php$
SSL_CTX_use_certificate_chain_file
SSL_CTX_set_default_passwd_cb
SSL_CTX_use_certificate_file
SSL_CTX_use_PrivateKey_file
%s %s:
[0lu] [error] [client %s]
%.*s%s
%d-%3s-%d %d:%d:%d
%*3s, %d %3s %d %d:%d:%d
%d %3s %d %d:%d:%d
%d/%3s/%d %d:%d:%d
%[^:]:%[^:]:%s
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest qop="auth", realm="%s", nonce="%lu"
%s:%s:%s
%s.tmp
<tr><td><a href="%s%s%s">%s%s</a></td><td> %s</td><td>  %s</td></tr>
%d-%b-%Y %H:%M
**.htpasswd$
%s%c%s
%a, %d %b %Y %H:%M:%S GMT
HTTP/
%s: CGI env buffer truncated for [%s]
HTTP_%s=%s
REMOTE_USER=%s
PERLLIB=%s
SystemDrive=%s
SYSTEMROOT=%s
COMSPEC=%s
PATH_INFO=%s
PATH=%s
CONTENT_LENGTH=%s
QUERY_STRING=%s
CONTENT_TYPE=%s
HTTPS=%s
PATH_TRANSLATED=%s
SCRIPT_FILENAME=%s
SCRIPT_NAME=%.*s%s
REQUEST_URI=%s
REMOTE_PORT=%d
REMOTE_ADDR=%s
REQUEST_METHOD=%s
SERVER_PORT=%d
SERVER_PROTOCOL=HTTP/1.1
DOCUMENT_ROOT=%s
SERVER_ROOT=%s
SERVER_NAME=%s
Cannot SSI #exec: [%s]: %s
Bad SSI #exec: [%s]
HTTP/1.1 200 OK
<d:response><d:href>%s</d:href><d:propstat><d:prop><d:resourcetype>%s</d:resourcetype><d:getcontentlength>%I64d</d:getcontentlength><d:getlastmodified>%s</d:getlastmodified></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
HTTP/1.1 207 Multi-Status
%d.%d.%d.%d%n
%d.%d.%d.%d/%d%n
%lf%c
%s/%s
boundary=™s
HTTP/1.1 302 Found
Location: hXXps://%s:%d%s
24[^:]
%d.%d.%d.%d:%d%n
Cannot add SSL socket, is -ssl_certificate option set?
%s: %.*s: invalid port spec. Expecting list of: %s
[IP_ADDRESS:]PORT[s|p]
%s: cannot bind to %.*s: %s
set_ports_option
%s - %s [%s] "%s %s HTTP/%s" %d %I64d
%d/%b/%Y:%H:%M:%S %z
%s: subnet must be [ |-]x.x.x.x[/x]
Cannot open %s: %s
calloc(): %s
connect(%s:%d): %s
socket(): %s
gethostbyname(%s): %s
%s: %s is not allowed to connect
HTTP/1.1 %d %s
Content-Length: %d
Connection: %s
Error %d: %s
%s: CreateProcess(%s): %ld
%s%s%s\%s
%.*s%c%s
.htpasswd
fopen(%s): %s
%s: cannot open %s: %s
<tr><td><a href="%s%s">%s</a></td><td> %s</td><td>  %s</td></tr>
<html><head><title>Index of %s</title><style>th {text-align: left;}</style></head><body><h1>Index of %s</h1><pre><table cellpadding="0"><tr><th><a href="?n%c">Name</a></th><th><a href="?d%c">Modified</a></th><th><a href="?s%c">Size</a></th></tr><tr><td colspan="3"><hr></td></tr>
Error: opendir(%s): %s
Date: %s
Last-Modified: %s
Etag: %s
HTTP/1.1 100 Continue
Cannot create CGI pipe: %s
fopen: %s
CGI program sent malformed or too big (>%u bytes) HTTP headers: [%.*s]
Cannot spawn CGI process [%s]: %s
put_dir(%s): %s
HTTP/1.1 %d OK
Bad SSI #include: [%s]
Cannot open SSI #include: [%s]: fopen(%s): %s
%s: SSI tag is too large
%s: unknown SSI command: "%s"
SSI #include level is too deep (%s)
Method %s is not implemented
HTTP/1.1 301 Moved Permanently
Location: %s/
remove(%s): %s
Bad HTTP version
Bad HTTP version: [%s]
Invalid URI: [%s]
%s: option value cannot be NULL
Invalid option: %s
warning: %s: duplicate option
Hello from mongoose! Remote port: %d
HttpSendRequestW failed with error code
HttpOpenRequestW failed with error code
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
Visual C   CRT: Not enough memory to complete call to strerror.
cmd.exe
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
C:\BUILDS\Build_YTDownloader\Client\WFP\exe\RemoteRelease\YTDownloader.pdb
.?AVCHttp@@
<>"#{}|\^~[]`' ?&
.?AVCRtmpe@@
.?AV?$IBaseInterface@VIKeysBank@@@@
.?AVIKeysBank@@
.?AV?$CBaseInterface@VCKeysBank@@VIKeysBank@@@@
.?AVCKeysBank@@
.?AVCRtmpDataProperty@@
.?AVCRtmpPacket@@
.?AVCRtmpParser@@
.?AVChromeBrowserWindow@@
.?AVFirefoxBrowserWindow@@
.?AVOperaBrowserWindow@@
HTTP://
.?AVHttpParser@@
.?AVCHttpDownload@@
zcÁ
WinExec
CreatePipe
KERNEL32.dll
MsgWaitForMultipleObjectsEx
EnumChildWindows
USER32.dll
GDI32.dll
RegCloseKey
RegCreateKeyExW
RegEnumKeyA
RegOpenKeyExA
RegOpenKeyExW
RegDeleteKeyW
RegOpenKeyW
RegEnumKeyW
RegNotifyChangeKeyValue
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteExW
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
LIBEAY32.dll
HttpEndRequestW
HttpQueryInfoW
HttpSendRequestW
HttpSendRequestExW
HttpAddRequestHeadersW
HttpOpenRequestW
WININET.dll
VERSION.dll
CertGetNameStringW
CertFreeCertificateContext
CryptMsgClose
CertCloseStore
CertFindCertificateInStore
CryptMsgGetParam
CRYPT32.dll
PSAPI.DLL
IsValidURL
urlmon.dll
GdiplusShutdown
gdiplus.dll
GetCPInfo
GetProcessHeap
nnn%XXX
pppaSSS
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
HTTP/1.0
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
HTTP/1.1
Content-Disposition: form-data; name="%s"
XXX
Content-Type: multipart/form-data; boundary=%s
Windows CE
Windows 7
Windows Vista
Windows 2003 Server
Windows XP
Windows 2000
Windows NT
Windows Me
Windows 98
Windows 95
%sLow\%s\
%C:\Users\Public\Documents\%s\%s\
%s\%s\%s\
%s\Application Data\%s\%s\
[CEventsThread::SetTimeoutResolution] From: %d -> To: %d
[CEventsThread::WaitForMultipleEvents] Released on Signaled: %d ms
[CEventsThread::WaitForMultipleEvents] Released on Timeout: %d ms
[CEventsThread::WaitForMultipleEvents] ___Error MsgWaitForMultipleObjectsEx. LE: %d
[CEventsThread::WaitForMultipleEvents] TID=%X
[CEventsThread::CreateNamedEvent] OpenEvent. LE: %d
[CEventsThread::CreateNamedEvent] ___Error OpenEvent: LE: %d
[CEventsThread::CreateNamedEvent] ___Error CreateEvent. LE: %d. Try OpenEvent...
[CEventsThread::Start - Leave] TID=%X
[CEventsThread::Start] ___Error - Failed to create thread: %X
[CEventsThread::Stop - Leave] TID=%X
[CEventsThread::Stop - Enter] TID=%X
[CEventsThread::CallProcessTimeoutRoutines] ___Error Invalid Event Entry: %d, Timeout: %d
[CEventsThread::AlertEvent] ___Error SetEvent failed: %d
[CEventsThread::AlertEvent] ___Error Invalid Event Entry: %d
[CEventsThread::AlertEvent] ___Error Not found Event: %d
[CEventsThread::SetGlobalEvent] ___Error Invalid Event Entry: %d
[CEventsThread::SetGlobalEvent] ___Error Not found Event: %d
[CEventsThread::SetGlobalEvent] Event: %d
[CEventsThread::ResetEvent] ___Error ResetEvent failed: %d
[CEventsThread::ResetEvent] ___Error Invalid Event Entry: %d
[CEventsThread::ResetEvent] ___Error Not found Event: %d
[CEventsThread::ResetEvent] Event: %d
[CEventsThread::CallProcessEventRoutines] ___Error Invalid Event Entry: %d
[CEventsThread::CallProcessEventRoutines] ___Error Invalid Event Index: %d
[CEventsThread::WaitEvent] TID=%X
[CEventsThread::RemoveEvent] ___Error CloseHandle failed: %d
[CEventsThread::RemoveEvent] ___Error Invalid Event Entry: %d
[CEventsThread::RemoveEvent] ___Error Not found Event: %d
[CEventsThread::RemoveEvent] Event: %d
[CEventsThread::Cleanup] ___Error CloseHandle(0x%p) failed: %d
[CEventsThread::Cleanup] Closing Handle: %d
[CEventsThread::Work] TID=%X - Exit !!!
[CEventsThread::Work] WAIT_ABANDONED - %d
[CEventsThread::Work] TID=%X
[CEventsThread::AddEvent] ___Warning event handle already exists %d
[CEventsThread::AddEvent] ___Error invalid event handle %d
ConfigDB.dll
config.xml
%%X
<d/d/%d d:d:d::d 0x%X>
[SbTracer::RegisterOnConfigurationChange] ___Error: %d, RegNotifyChangeKeyValue
[SbTracer::RegisterOnConfigurationChange] ___Error: %d, RegOpenKeyEx
[SbTracer::RecursiveCreateDirectory] Directory: %s
[SbTracer::RecursiveCreateDirectory] ___Error - CreateDirectory: %s
[SbTracer::RecursiveCreateDirectory] ___Error - Directory: %s
[SbTracer::FormatFilePath] Log Path: %s
[SbTracer::FormatFilePath] ___Error - RecursiveCreateDirectory: %s
[SbTracer::FormatFilePath] ___Warning - No Log folder: %s
[SbTracer::FormatFilePath] ___Error - GetModuleFileName: %s
\StringFileInfo\x\%s
[SbTracer::ReadConfiguration] Trace Max Size: %d
[SbTracer::ReadConfiguration] Trace Time Stamp: %d
[SbTracer::ReadConfiguration] Trace Time Limit: %d
[SbTracer::ReadConfiguration] Trace Backup: %d
[SbTracer::ReadConfiguration] Trace Destination: %d
[SbTracer::ReadConfiguration] Trace Level: %d
[SbTracer::BackupTraceFile] %s
[SbTracer::OpenTraceFile] Done %s
[SbTracer::OpenTraceFile] ___Error: %d, File: %s
[SbTracer::WriteTraceLine] !!! OVERFLOW or FORMAT ERROR !!! - (%d) %s
CertGetNameString failed.
CryptDecodeObject failed with %x
CertFindCertificateInStore failed with %x
MoreInfo Link : %s
Publisher Link : %s
Program Name : %s
CryptMsgGetParam failed with %x
CryptQueryObject failed with %x
user32.dll
WININET.DLL
kernel32.dll
d/d/%d d:d:d::d
%d.%d.%d.%d
[CUtils::GoToURL] ___Error WinExec url = %s, defBrowser = %s, err = %d
"%s" "%s"
"%s" %s
[CUtils::GetDAPExeLocation] ___Error read DAP location from %s
[CUtils::GetDAPExeLocation] Name: %s
[CUtils::GetDAPPipeName] ___Error read DAP Pipe Name from %s
[CUtils::GetDAPPipeName] Name: %s
PipeName
[CUtils::GetDAPWindowName] ___Error read DAP Window Name from %s
[CUtils::GetDAPWindowName] Name: %s
[CIEDownloadAcceleratorEngine::CallDAP] ___Error CreateProcess: %s, Parameters: %s. LE: %d
[CClientRtmpe::HandShake] ___Error DiffieHellman - GetPublicKey
[CClientRtmpe::HandShake] ___Error Keys Bank was unable to generate a pubic key
[CClientRtmpe::operator =] Key Out: %p
[CClientRtmpe::operator =] Key In:
[CClientRtmpe::operator =]
[CClientRtmpe::OnHandshake] Step 3 - update the keystreams
[CClientRtmpe::OnHandshake] ___Error Step 3 - ___Error ComputeSharedSecretKey
[CClientRtmpe::OnHandshake] Step 3 - ComputeSharedSecretKey
[CClientRtmpe::OnHandshake] Step 2 - Client version: %x
[CClientRtmpe::OnHandshake] Step 2 - Client up time: %d
[CClientRtmpe::OnHandshake] Step 2 - Protocol: %d
[CKeysBank::Work] Exit...
[CKeysBank::Work] Enter...
[CKeysBank::Start]
[CKeysBank::Stop]
[CKeysBank::GetPublicKey] Remove Key, Total: %d
[CKeysBank::GenerateKey] Add Key, Total: %d
[CKeysBank::GenerateKey] ___Error DiffieHellman.GenerateKey
[CKeysBank::GenerateKey] ___Error DiffieHellman.Init
[CRtmpe::operator =] Key Out: %p
[CRtmpe::operator =] Key In:
[CRtmpe::operator =]
[CRtmpe::Initialize] Cache Writer: %p
[CRtmpe::ParseHeader] Protocol - RTMPE
[CRtmpe::ParseHeader] Protocol - RTMP
[CRtmpe::ParseHeader]
[CRtmpe::ParseData] Got all %d/%d bytes
[CRtmpe::ParseData] ___Warning - wait for all packet data to arraive (%d/%d)
[CRtmpe::ParseData]
[CRtmpe::Encrypt] Encryped %d bytes, Key: %p
[CRtmpe::Decrypt] Decrypted %d bytes, Key: %p
[CRtmpe::ParseBuffer] Analyze Next Packet...
[CRtmpe::HandShake] Step 1: Complete
[CRtmpe::HandShake] ___Error Step 1: Writing client signature to server
[CRtmpe::HandShake] ___Error Step 1: DiffieHellman - GetPublicKey
[CRtmpe::HandShake] ___Error Keys Bank was unable to generate a pubic key
[CRtmpe::HandShake] Step 1: Start...
[CRtmpe::UpdateBuffer] Analyzed %d/%d bytes
[CRtmpe::UpdateBuffer] Handshake already completed
[CRtmpe::UpdateBuffer] Analyzing %d bytes...
[CRtmpStream::OnHandShake] ___Error - Unknown step
[CRtmpe::OnHandshake] Step 3 - Complete
[CRtmpe::OnHandshake] Step 3 - update the keystreams
[CRtmpe::OnHandshake] Step 3 - InitRC4Encryption
[CRtmpe::OnHandshake] ___Error Step 3: m_DiffieHellman - ComputeSharedSecretKey
[CRtmpe::OnHandshake] Step 3 - ComputeSharedSecretKey
[CRtmpe::OnHandshake] ___Error Step 3: Writing client response
[CRtmpe::OnHandshake] Step 3: Start...
[CRtmpe::OnHandshake] ___Error Step 2: *** Server response validation ***
[CRtmpe::OnHandshake] ___Warning - server version
[CRtmpe::OnHandshake] ___Error Step 2: Reading server response
[CRtmpe::OnHandshake] ___Error Step 2: *** Server signature validation ***
[CRtmpe::OnHandshake] Step 2 - Server version: %x
[CRtmpe::OnHandshake] Step 2 - Server up time: %d
[CRtmpe::OnHandshake] ___Error Step 2: Reading server signature
[CRtmpe::OnHandshake] Step 2 - Protocol: %d
[CRtmpe::OnHandshake] Step 2: Start...
[CRtmpPacket::Reset]
[CRtmpPacket::DumpHeader] Info Field: %d
[CRtmpPacket::DumpHeader] Packet Type: %d
[CRtmpPacket::DumpHeader] Packet Length: %d
[CRtmpPacket::DumpHeader] Absolute Time: %d
[CRtmpPacket::DumpHeader] Time: %d
[CRtmpPacket::DumpHeader] Channel: %d
[CRtmpPacket::DumpHeader] Header Type: %d
[CRtmpPacket::DumpHeader] Header Size: %d
[CRtmpPacket::DumpHeader] Header Byte: 0x%.02X
[CRtmpPacket::ParseHandshakeHeader] ___Error - Header already parsed
[CRtmpPacket::ParseFlvHeader] Absolute Time: %d
[CRtmpPacket::ParseFlvHeader] Packet Length: %d
[CRtmpPacket::ParseFlvHeader] Packet Type: %d
[CRtmpPacket::ParseFlvHeader] Channel: %d
[CRtmpPacket::ParseFlvHeader] Header Type: %d
[CRtmpPacket::ParseFlvHeader] Header Size: %d
[CRtmpPacket::ParseFlvHeader] ___Warning - %d/%d header bytes
[CRtmpPacket::ParseFlvHeader] ___Error - No bytes to analyze
[CRtmpPacket::ParseFlvHeader] ___Error - Header already parsed
[CRtmpPacket::AppendData] Appended: %d (Total: %d/%d)
[CRtmpPacket::AppendData] ___Error - out of memory
[CRtmpPacket::AppendData] ___Warning - no bytes to append
[CRtmpPacket::Allocate] Allocated %d (Total: %d)
[CRtmpPacket::ParseHeader] ___Error - Channel: %d > 9
[CRtmpPacket::ParseHeader] Extended Time: %d
[CRtmpPacket::ParseHeader] Info Field: %d
[CRtmpPacket::ParseHeader] ___Warning - Packet Length: %d > 1M
[CRtmpPacket::ParseHeader] Packet Type: %d
[CRtmpPacket::ParseHeader] Packet Size: %d
[CRtmpPacket::ParseHeader] Time: %d
[CRtmpPacket::ParseHeader] Channel: %d
[CRtmpPacket::ParseHeader] Header Type: %d
[CRtmpPacket::ParseHeader] Header Size: %d
[CRtmpPacket::ParseHeader] Header Byte: 0x%.02X
[CRtmpPacket::ParseHeader] ___Warning - %d/%d header bytes
[CRtmpPacket::ParseHeader] ___Error - No bytes to analyze
[CRtmpPacket::ParseHeader] ___Error - Header already parsed
[CRtmpParser::Stop]
[CRtmpParser::ProcessData] ___Error - Unknown Packet Type: %d, Offset: %d
[CRtmpParser::ProcessData] Analyze Data: %d bytes
[CRtmpParser::ProcessData] ___Warning - Packet not ready for Data Processing
[CRtmpParser::OnHandshake] Step 4: Complete
[CRtmpParser::OnHandshake] Step 3: Complete
[CRtmpParser::OnHandshake] Step 2 - Server version: %d.%d.%d.%d
[CRtmpParser::OnHandshake] Step 2 - Server up time: %d
[CRtmpParser::OnHandshake] Step 1 - Client version: %d.%d.%d.%d
[CRtmpParser::OnHandshake] Step 1 - Client up time: %d
[CRtmpParser::OnHandshake] Protocol State: %d
[CRtmpParser::OnAudio]
[CRtmpParser::OnVideo]
[CRtmpParser::OnFLV]
[CRtmpParser::OnData]
[CRtmpParser::SetTimeStartPosition] Time: %d
[CRtmpParser::SetTimeEndPosition] Time: %d
[CRtmpParser::Close]
[CRtmpParser::OnError]
[CRtmpParser::SetAbsoluteTime] Client Absolute Time: %d (Max: %d)
[CRtmpParser::SetAbsoluteTime] Server Absolute Time: %d (Max: %d)
[CRtmpParser::Sync - %p]
[CRtmpParser::ParseFlvHeader]
[CRtmpParser::ParseData] Accumulated all %d/%d bytes
[CRtmpParser::ParseData] Chunk not ready
[CRtmpParser::ParseData] Going to append %d bytes
[CRtmpParser::ParseData] Got all %d/%d bytes
[CRtmpParser::ParseData] ___Warning - wait for all packet data to arraive (%d/%d)
[CRtmpParser::ParseData] ___Warning no data
[CRtmpParser::ParseData]
[CRtmpParser::ParseDataType] ___Error - Unknown Data Type: %d, Offset: %d
[CRtmpParser::ParseDataType] Date %f %d (Offset: %d)
[CRtmpParser::ParseDataType] Static Array %d (Offset: %d)
[CRtmpParser::ParseDataType] EOF Object (Offset: %d)
[CRtmpParser::ParseDataType] ECMA Array %d (Offset: %d)
[CRtmpParser::ParseDataType] Object (Offset: %d)
[CRtmpParser::OnChangeChunkSize] %d -> %d
[CRtmpParser::OnChangeChunkSize]
[CRtmpParser::OnReadBytes] Bytes read: %d
[CRtmpParser::OnReadBytes]
[CRtmpParser::OnMetadata]
[CRtmpParser::Reset - %p]
[CRtmpParser::ReadObject] ___Error %s - %d (Offset: %d) - Unknown Data Type
[CRtmpParser::ReadObject] EOF Object (Offset: %d)
[CRtmpParser::ReadObject] %s - Long String: %s (Offset: %d)
[CRtmpParser::ReadObject] %s - Date: %g (Offset: %d)
[CRtmpParser::ReadObject] %s - Static Array: %d (Offset: %d)
[CRtmpParser::ReadObject] %s - ECMA Array: %d (Offset: %d)
[CRtmpParser::ReadObject] %s - NULL (Offset: %d)
[CRtmpParser::ReadObject] %s - Object (Offset: %d)
[CRtmpParser::ReadObject] %s - String: %s (Offset: %d)
[CRtmpParser::ReadObject] %s - Boolean: %s (Offset: %d)
[CRtmpParser::ReadObject] %s - Numeric: %g (Offset: %d)
[CRtmpParser::ParseHandshakeHeader] Protocol - RTMPE
[CRtmpParser::ParseHandshakeHeader] Protocol - RTMP
[CRtmpParser::ParseHandshakeHeader]
[CRtmpParser::ParseHeader] Absolute Time: %d
[CRtmpParser::ParseHeader] New Time: %d
[CRtmpParser::ParseHeader] New Absolute Time: %d
[CRtmpParser::ParseHeader] _Prev Packet - Info Field: %d
[CRtmpParser::ParseHeader] _Prev Packet - Buffer Bytes: %d
[CRtmpParser::ParseHeader] _Prev Packet - Buffer Length: %d
[CRtmpParser::ParseHeader] _Prev Packet - Buffer: %p
[CRtmpParser::ParseHeader] _Prev Packet - Packet Type: %d
[CRtmpParser::ParseHeader] _Prev Packet - Packet Size: %d
[CRtmpParser::ParseHeader] _Prev Packet - Absolute Time: %d
[CRtmpParser::ParseHeader] _Prev Packet - Time: %d
[CRtmpParser::ParseHeader] _Prev Packet - Original Header Size: %d
[CRtmpParser::ParseHeader]
[CRtmpParser::UpdateBufferFromServer] Analyzed no bytes
[CRtmpParser::UpdateBufferFromServer] Analyzed %d/%d, Write: %d, Discard: %d
[CRtmpParser::UpdateBufferFromServer] Analyze Next Buffer... (Left: %d)
[CRtmpParser::UpdateBufferFromServer] Decrypt %d/%d bytes
[CRtmpParser::UpdateBufferFromServer] *** Data file Ended at Absolute Time: %d ***
[CRtmpParser::UpdateBufferFromServer] *** Data file Started at Absolute Time: %d ***
[CRtmpParser::UpdateBufferFromServer] Parser was stopped - discard the rest of the data!
[CRtmpParser::UpdateBufferFromServer] Decrypt %d bytes
[CRtmpParser::UpdateBufferFromServer] Parser was stopped - discard all data!
[CRtmpParser::UpdateBufferFromServer] Analyzing %d bytes...
[CRtmpParser::UpdateBufferFromClient] Analyzed %d/%d, Write: %d, Discard: %d
[CRtmpParser::UpdateBufferFromClient] Encrypt %d bytes
[CRtmpParser::UpdateBufferFromClient] Decrypt %d/%d bytes
[CRtmpParser::ParseBuffer] Analyze Next Packet... (Left: %d)
[CRtmpParser::UpdateBufferFromClient] Decrypt %d bytes
[CRtmpParser::UpdateBufferFromClient] ___Warning - Wait for the server handshake to complete...
[CRtmpParser::UpdateBufferFromClient] Analyzed no bytes
[CRtmpParser::UpdateBufferFromClient] Analyzing %d bytes...
[CRtmpParser::operator = %p] <= %p
[CRtmpParser::ParseFlvBuffer] Analyze Next FLV Buffer...
[CRtmpParser::AddDownloadFlowCommand] Method: %s -> Command: %s, Param: %d
[CRtmpParser::OnPing] SWFVerification
[CRtmpParser::OnPing] Time: %d
[CRtmpParser::OnPing] -- Unknown %d --
[CRtmpParser::OnPing] Stream buffer ready %d
[CRtmpParser::OnPing] Pause time: %d
[CRtmpParser::OnPing] Stream buffer empty %d
[CRtmpParser::OnPing] Pong %d
[CRtmpParser::OnPing] Stream is recorded %d
[CRtmpParser::OnPing] Ping %d
[CRtmpParser::OnPing] Stream dry %d
[CRtmpParser::OnPing] Stream EOF %d
[CRtmpParser::OnPing] Stream begin %d
[CRtmpParser::OnPing] Type: %d
[CRtmpParser::OnPing]
[CRtmpParser::OnServerBW] Server Bandwidth: %d
[CRtmpParser::OnServerBW]
[CRtmpParser::OnClientBW] Client Bandwidth: %d
[CRtmpParser::OnClientBW]
[CRtmpParser::OnInvoke] ___Error - Unknown Invokde method: %s
[CRtmpParser::OnInvoke] setBandwidthLimit( %g, %g )
[CRtmpParser::OnInvoke] getStats
[CRtmpParser::OnInvoke] secureTokenResponse: Token = %s
[CRtmpParser::OnInvoke] closeStream: StreamID = %g
[CRtmpParser::OnInvoke] deleteStream: StreamID = %g
[CRtmpParser::OnInvoke] releaseStream: PlayPath = %s
[CRtmpParser::OnInvoke] startStream: PlayPath = %s
[CRtmpParser::OnInvoke] createStream: StreamID = %g
[CRtmpParser::OnInvoke] %s( '%s', '%s', '%s' )
[CRtmpParser::OnInvoke] %s( '%s', '%s' )
[CRtmpParser::OnInvoke] seek( '%d' )
[CRtmpParser::OnInvoke] %s( '%d', '%g' )
[CRtmpParser::OnInvoke] %s( '%s' ), PacketInfo: %d
[CRtmpParser::OnInvoke] onStatus - code: %s, level: %s
[CRtmpParser::OnInvoke] _error - code: %s, level: %s
[CRtmpParser::OnInvoke] %s( '%s' )
[CRtmpParser::OnInvoke] _result createStream: StreamID = %g
[CRtmpParser::OnInvoke] _result connect - AMF3
[CRtmpParser::OnInvoke] _result connect: %s
[CRtmpParser::OnInvoke] _result for Method: %s
[CRtmpParser::OnInvoke] Method: %s
[CRtmpParser::OnInvoke]
Download Helper SendMsgToBtn, url: %s
Could not find converter registry key, %ws
Could not create process, error %x, proc %ws
RegContentType%d
RegRawData%d
RegProtocol%d
RegAgent%d
RegCookie%d
1.0.1.0
RegFileName%d
RegUrl
RegURL%d
%ws_%d.log
- Mozilla Firefox
- Windows Internet Explorer
opera
firefox
chrome
OPERA
opera.exe
safari.exe
firefox.exe
iexplore.exe
chrome.exe
explorer.exe
Google Chrome
Chrome_WidgetWin_1
Firefox
FirefoxBrowserWindow Found browser window, 0x%x
FirefoxBrowserWindow Found button window, 0x%x
IE9BrowserWindow Found browser window, 0x%x
IE9BrowserWindow Found button window, 0x%x
OperaBrowserWindow Found browser window, 0x%x
OperaBrowserWindow Found button window, 0x%x
Opera
SafariBrowserWindow Found browser window, 0x%x
SafariBrowserWindow Found button window, 0x%x
hXXp://VVV.youtube.com/watch?v=
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.79 Safari/537.1
YTParser url not valid %ws
SBMonitor.log
Error no signature found at %s
GetVideoUrlAndSizeFromWatchPage Could not extract url_encoded_fmt_stream_map params.
GetVideoUrlAndSizeFromWatchPage
YTParser could not find valid url, not downloading
hXXp://VVV.youtube.com/get_video_info?video_id=
GetVideoUrlAndSizeFromVideoInfo
Failed processing urls from watch page.
reportLevel
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
(build %d)
Windows 2000
Windows XP
Web Edition
Windows Server 2003,
Windows XP Professional x64 Edition
Windows Home Server
Windows Storage Server 2003
Windows Server 2003 R2,
Web Server Edition
Windows Server 2008 R2
Windows 8
Windows 7
Windows Server 2008
Windows Vista
{X-hX-hX-XX-XXXXXX}
sbmntr.sys
Converter.exe
DownloadHelper.exe
HELPEREXELOCATION
YTDownloader.exe
MONITOREXELOCATION
hXXp://VVV.ytdownloader.com/feedback/
Driver - %ws: %x
\\.\SBMonitor
net.exe
Driver installed, NOT loaded: %s
Driver installed, loaded from %s
Software\Opera Software\
%programFiles%\Opera\opera.exe
Apple Application Support\WebKit2WebProcess.exe
Safari.exe
%programFiles%\Safari\Safari.exe
%programFiles%\Mozilla Firefox\firefox.exe
IEXPLORE.EXE
%programFiles%\Internet Explorer\iexplore.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
%LOCALAPPDATA%\Google\Chrome\Application\chrome.exe
converter.exe
webm
[CMonitor::AddAppIdToDriver]___Error: Could not add App Ids (%x).
Same as one of buttons PID %d
Same as our PID %d
[CMonitor::EnableMonitoring]___Error: Could not enable monitoring device (%x).
___Error: Could not open device (%u).
-pid %d -size %s -sizeBytes %I64d -type %s -url %s -cookie %s -referer %s -host %s -useragent %s -resolution %s -protocol http
CMonitor::BuildParams Already created similar url, %ws
CMonitor::BuildParams Button exists for similar url, %ws
youtube.com
-pid %d -size %I64d -sizeBytes %I64d -type %s -url %s -cookie %s -referer %s -host %s -ads %s -useragent %s -protocol http
-pid %d -rawdata %s -protocol rtmp -duration %s -resolution %s
Fwpuclnt.dll
https
Not application/octet-stream video and the size is bigger than %d, %d
Not application/octet-stream video and the size is smaller than %d
Not FLV video and the size is smaller than %d
vid2.ak.dmcdn.net
CHttpMonitor::SameYoutubeVideo Same params page id = %s, itag = %s
CHttpMonitor::SameYoutubeVideo DASH same params page id = %s, itag = %s
CHttpMonitor::SameYoutubeVideo Same watch page %s
HTTP_Version_String
[HttpParser::ParseLine] ___Error: The field separator was not found in the line:
VVV.google.com
Global\{9DA0BEED-7248-450a-B27C-C0409BDC377D}
YTD-icon-128x128.png
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
%saction=%s&userid=%s&usid=%s&aff=%s&v=%s&url=%s&title=%s&pingtext=%s&protocol=%s&size=%I64d&ref=%s&browser=%s
hXXp://rep.ytdownloader.com/app/ping.ashx?
%s%s%s
[RtmpDownloader::CreateProcessStdoutPipe] ___Error SetHandleInformation: %d
[RtmpDownloader::CreateProcessStdoutPipe] ___Error CreatePipe: %d
[RtmpDownloader::CreateProcessStdoutPipe] ___Error StdOut CloseHandle: %d
rtmpdump.exe
[RtmpDownloader::ReadFromPipe] --- Download Ends ---
[RtmpDownloader::ReadFromPipe] --- Download Begins ---
[RtmpDownloader::RunCommandLine] ___Error CreateProcess: %s. LE: %d
Error : failed to run FFmpeg - %d
[RtmpDownloader::RunCommandLine] ___Error CreateProcessStdoutPipe
Failed to run update (%x).
Trying to execute an update.
CUpdater::parseUpdateXML Set report level to %ws
REPORT
CMDLINE
%sid=%d_r=%lld_err=%d
%suserid=%s&aff=%s&v=%s
hXXp://VVV.ytdownloader.com/app/update.ashx?
mscoree.dll
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
WUSER32.DLL
<>"#%{}|\^~[]`' ?&
%Program Files%\YTDownloader\YTDownloader.exe
1.0.3.9


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3684
    setup.exe:308
    YTDownloaderFull.exe:3528

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\YTDownloaderFull.exe (7944 bytes)
    %Program Files%\YTDownloader\rtmpdump.exe (19592 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\nsProcess.dll (12 bytes)
    %Program Files%\YTDownloader\YTDownloader.exe (64981 bytes)
    %Program Files%\YTDownloader\DownloadAPI.dll (70495 bytes)
    %Program Files%\YTDownloader\Unelevate.exe (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\YTDownloader\YTDownloader.lnk (1 bytes)
    %Program Files%\YTDownloader\BrowserHelper.exe (16424 bytes)
    %Program Files%\YTDownloader\YTD-icon-128x128.png (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\AccDownload.dll (9573 bytes)
    %Program Files%\YTDownloader\BrowserHelperSrv.exe (3616 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\nsExec.dll (14 bytes)
    %Program Files%\YTDownloader\Updater.exe (25824 bytes)
    %Program Files%\YTDownloader\download_ani.gif (9 bytes)
    %Program Files%\YTDownloader\DownloadHelper.exe (13584 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\nsA152.tmp (14 bytes)
    %Program Files%\YTDownloader\AniGIF.ocx (6532 bytes)
    %Program Files%\YTDownloader\ssleay32.dll (7192 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp (270426 bytes)
    %Program Files%\YTDownloader\convert_aniBW.gif (7 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\YTDownloader.lnk (1 bytes)
    %Program Files%\YTDownloader\sbmntr.sys (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F81.tmp\ns9C81.tmp (14 bytes)
    %Program Files%\YTDownloader\libeay32.dll (33455 bytes)
    %Program Files%\YTDownloader\YTDUninstall.exe (20624 bytes)
    %Program Files%\YTDownloader\Download_completed.ico (1 bytes)
    %Program Files%\YTDownloader\convert_ani.gif (784 bytes)
    %Program Files%\YTDownloader\converter.exe (68799 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd39C6.tmp (175480 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi39E6.tmp\D1958.dll (30 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi39E6.tmp\setup.exe (1824812 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi39E6.tmp\NK.lky (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi39E6.tmp\setup1.exe (164931 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "YTDownloader" = "%Program Files%\YTDownloader\YTDownloader.exe /boot"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "YTDownloader" = "%Program Files%\YTDownloader\YTDownloader.exe /boot"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
