MD5: eeb46809b2b8feb8026a627897251225
SHA1: 688174e615d2b8d7a6d554e15c8a89b907e6fe85
SHA256: 6876e3a746e33cebe37a5f71aadb44c35151f066b0aa19658f9e8e118e7719f6
SSDeep: 98304:KWk o0jsDCPZV5uJLTi14WCQ2bLhIpQYxsUyQ81GffopV:Kj jjsDGZVeLTinCQ2FtUyQaIgT
Size: 4932608 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

taskkill.exe:932
taskkill.exe:1812
%original file name%.exe:1164
WScript.exe:1884
net1.exe:544
RUNDLL32.EXE:1984
net.exe:592
runonce.exe:1012
IEMonitor.exe:1988
svchost_.exe:488
IDMan.exe:516
grpconv.exe:1312

The Trojan injects its code into the following process(es):

%original file name%.exe:368
rundll32.exe:1008

Mutexes

The following mutexes were created/opened:

ZonesCounterMutex
ZonesCacheCounterMutex
ZonesLockedCacheCounterMutex
ShimCacheMutex
DC_MUTEX-LC5FSFK

File activity

The process %original file name%.exe:1164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\WinDbg\windbg.exe (37269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\svchost_.exe (15769255 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Z0KvOr (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Z0KvOr.vbs (618 bytes)

The process RUNDLL32.EXE:1984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\inf\oem11.PNF (7349 bytes)
%System%\drivers\SET4.tmp (601 bytes)
%WinDir%\inf\oem11.inf (2 bytes)
%WinDir%\setupapi.log (4760 bytes)

The Trojan deletes the following file(s):

%System%\drivers\SET4.tmp (0 bytes)

The process svchost_.exe:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\IDM Registered.bat (600 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\IDM Registered.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)

The process IDMan.exe:516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components2\idmhelper.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\defextmap.dat (2 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components\iIDMMzCC.xpt (569 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components2\idmmzcc.dll (2696 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components\iIDMHelper5.xpt (2 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components9\idmmzcc.dll (1256 bytes)
%Program Files%\Internet Download Manager\idmcchandler2.dll (1425 bytes)
%Program Files%\Internet Download Manager\idmcchandler2_64.dll (2321 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\META-INF\zigbert.rsa (196 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components2\iIDMMzCC.xpt (569 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\chrome\idmmzcc.jar (196 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\install.rdf (2 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components2\idmcchandler2.dll (20504 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\META-INF\zigbert.sf (2 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components2\iIDMHelper.xpt (331 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components\idmhelper5.js (776 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\Scheduler\s_1.dt (304 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\chrome.manifest (1 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components2\idmmzcc64.dll (1928 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components9\idmmzcc64.dll (1928 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components2\idmcchandler2_64.dll (28400 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components\idmmzcc.dll (2696 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\install.js (696 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\META-INF\manifest.mf (2 bytes)
%Documents and Settings%\%current user%\Application Data\IDM\urlexclist.dat (2 bytes)

Registry activity

The process taskkill.exe:932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 DA AE 16 4F 40 A4 45 4F 41 EB 50 12 88 F3 AA"

The process taskkill.exe:1812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA F5 8A DD 5C CA 7C A5 E6 C7 76 D8 FD 65 C7 87"

The process %original file name%.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 12 B6 7D FC 99 F6 C0 07 45 78 1D 1E 25 BF BE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"svchost_.exe" = "www.Brain9G.tk"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F F7 8F FD 13 73 A5 D4 5E 0D CC 80 6F 35 BF 62"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process WScript.exe:1884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 73 D0 CE 38 03 93 83 B9 A3 7F 7F F0 6A 98 7F"

The process net1.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB DA BD 8C F7 58 07 4A 6F D1 9C 07 63 B4 88 DB"

The process RUNDLL32.EXE:1984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 D8 6C 7C 24 C3 40 26 07 86 AE AB 1C 43 C8 F6"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem11.inf" = "1"

"INF/oem11.PNF" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"

The process net.exe:592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 69 64 C3 A6 AA D0 14 20 37 62 39 11 77 1E 60"

The process rundll32.exe:1008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 47 D7 65 BD A2 08 EA 85 9A BE BD 75 C3 F8 5C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process runonce.exe:1012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 C4 43 33 46 35 92 8D 48 55 63 AC 55 5D 33 1B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"grpconv.exe" = "Windows Progman Group Converter"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"

The process IEMonitor.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A E2 87 1A DF E3 48 EB D6 0C B8 03 59 29 C6 11"

The process svchost_.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 D9 80 5D 0F 41 91 D0 A3 18 FD 18 17 EF A1 4E"

The process IDMan.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\DownloadManager]
"TipFilePos" = "160"

[HKCR\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32]
"(Default)" = "%Program Files%\Internet Download Manager\downlWithIDM.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer]
"DownloadUI" = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"

[HKCU\Software\DownloadManager]
"TipTimeStamp" = "Sun Jun 14 16:40:04 2015"

[HKCR\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib]
"(Default)" = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"

[HKCR\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\VersionIndependentProgID]
"(Default)" = "DownlWithIDM.IDMDwnlMgr"

[HKCR\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}]
"(Default)" = "LinkProcessor Class"

[HKLM\SOFTWARE\Internet Download Manager]
"AdvIntDriverEnabled2" = "1"

[HKCU\Software\DownloadManager\IDMBI\Firefox]
"int" = "1"

[HKCR\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\MiscStatus\1]
"(Default)" = "131473"

[HKCU\Software\DownloadManager]
"radxcnt" = "32"

[HKCR\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\TypeLib]
"(Default)" = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"

[HKCR\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}]
"(Default)" = "IV2LinkProcessor"

[HKCR\Idmfsa.IDMEFSAgent.1]
"(Default)" = "IDMEFSAgent Class"

[HKCU\Software\DownloadManager\IDMBI\NETSCP]
"int" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}]
"Policy" = "3"

[HKCR\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0]
"(Default)" = "downlWithIDM 1.0 Type Library"

[HKCR\DownlWithIDM.VLinkProcessor\CurVer]
"(Default)" = "DownlWithIDM.VLinkProcessor.1"

[HKCR\IDMGetAll.IDMAllLinksProcessor.1]
"(Default)" = "IDMAllLinksProcessor Class"

[HKCU\Software\DownloadManager]
"AppDataIDMFolder" = "%Documents and Settings%\%current user%\Application Data\IDM\"

[HKCU\Software\DownloadManager\IDMBI\NETSCP]
"Name" = "Netscape 6 and later"

[HKCR\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
"(Default)" = "IDM integration (IDMIEHlprObj Class)"

[HKCR\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Internet Download Manager"

[HKCR\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\VersionIndependentProgID]
"(Default)" = "DownlWithIDM.V2LinkProcessor"

[HKCR\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\DownloadManager\menuExt]
"ffdownl10FLVa_str" = "Download FLV videos with IDM from 10 last requested"

[HKCR\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}]
"(Default)" = "IIDMEFSAgent3"

[HKCR\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\TypeLib]
"(Default)" = "{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}"

[HKCR\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\DownlWithIDM.VLinkProcessor\CLSID]
"(Default)" = "{CDD67718-A430-4AB9-A939-83D9074B0038}"

[HKCR\DownlWithIDM.V2LinkProcessor]
"(Default)" = "V2LinkProcessor Class"

[HKCR\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32]
"(Default)" = "%Program Files%\Internet Download Manager\IDMIECC.dll"

[HKCR\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ProgID]
"(Default)" = "IDMIECC.IDMIEHlprObj.1"

[HKCR\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\TypeLib]
"Version" = "1.0"

[HKCR\IDMIECC.IDMIEHlprObj]
"(Default)" = "IDMIEHlprObj Class"

[HKCR\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM]
"(Default)" = "%Program Files%\Internet Download Manager\IEGetAll.htm"

[HKCR\DownlWithIDM.LinkProcessor.1\CLSID]
"(Default)" = "{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}"

[HKCU\Software\DownloadManager\menuExt]
"ffdownl10FLV_str" = "Choose from 10 last requested FLV videos"

[HKCR\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
"(Default)" = "IDM Shell Extension"

[HKCR\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\ProgID]
"(Default)" = "IDMGetAll.IDMAllLinksProcessor.1"

[HKCR\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib]
"(Default)" = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"

[HKCU\Software\DownloadManager\menuExt]
"ffdownl1_str" = "Download with IDM"

[HKCR\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\VersionIndependentProgID]
"(Default)" = "IDMIECC.IDMHelperLinksStorage"

[HKCR\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\DownloadManager\IDMBI\Safari]
"int" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"net.exe" = "Net Command"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}]
"AppPath" = "%Program Files%\Internet Download Manager"

[HKCR\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}]
"(Default)" = "IIDMEFSAgent2"

[HKCR\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Internet Download Manager\"

[HKCU\Software\DownloadManager]
"LargeButtons" = "0"

[HKCR\IDMIECC.IDMHelperLinksStorage.1]
"(Default)" = "IDMHelperLinksStorage Class"

[HKLM\SOFTWARE\Google\Chrome\Extensions\jeaohhlajejodfjadcponpnjgkiikocn]
"Version" = "6.19.1"

[HKCU\Software\DownloadManager]
"EnableDriver" = "1"

[HKCR\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}]
"Model" = "164"

[HKCR\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\InprocServer32]
"(Default)" = "%Program Files%\Internet Download Manager\idmfsa.dll"

[HKCR\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32]
"(Default)" = "%Program Files%\Internet Download Manager\downlWithIDM.dll"

[HKCR\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\TypeLib]
"(Default)" = "{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}"

[HKCR\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}]
"(Default)" = "IVLinkProcessor"

[HKCR\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\DownloadManager\IDMBI\OPERA]
"Name" = "Opera"

[HKCR\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\NumMethods]
"(Default)" = "13"

[HKCR\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}]
"(Default)" = "ICIDMLinkTransmitter2"

[HKCR\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\TypeLib]
"(Default)" = "{37294E01-DB54-43AF-9D50-93FF7267DF5D}"

[HKCR\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}]
"(Default)" = "IDMHelperLinksStorage Class"

[HKCR\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}]
"(Default)" = "VLinkProcessor Class"

[HKCU\Software\DownloadManager]
"isSSW_OK" = "0"

[HKCU\Software\DownloadManager\IDMBI\chrome]
"Name" = "Google Chrome"

[HKCR\DownlWithIDM.IDMDwnlMgr]
"(Default)" = "IDMDwnlMgr Class"

[HKCR\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\DownlWithIDM.VLinkProcessor.1\CLSID]
"(Default)" = "{CDD67718-A430-4AB9-A939-83D9074B0038}"

[HKCU\Software\DownloadManager]
"ToolbarStyle" = "@Brain9G"

[HKCR\DownlWithIDM.V2LinkProcessor\CLSID]
"(Default)" = "{4764030F-2733-45B9-AE62-3D1F4F6F2861}"

[HKCR\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib]
"(Default)" = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0]
"(Default)" = "idmfsa 1.0 Type Library"

[HKCU\Software\DownloadManager\menuExt]
"iedownl1_str" = "Download with IDM"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}]
"Policy" = "3"

[HKCR\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}]
"(Default)" = "IIDMAllLinksProcessor"

[HKCR\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}]
"(Default)" = "IDMDwnlMgr Class"

[HKCR\Interface\{98D060EC-53AF-4F61-8180-43C507C9FF94}]
"(Default)" = "IIDMIEHlprObj"

[HKCR\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\TypeLib]
"(Default)" = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"

[HKCR\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\TypeLib]
"(Default)" = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"

[HKCR\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\DownlWithIDM.LinkProcessor\CLSID]
"(Default)" = "{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}"

[HKCR\DownlWithIDM.LinkProcessor\CurVer]
"(Default)" = "DownlWithIDM.LinkProcessor.1"

[HKCU\Software\DownloadManager]
"LastCheck" = "06/14/15"

[HKCU\Software\DownloadManager\menuExt]
"ffdownlppFLV_str" = "Download FLV video with IDM"

[HKCR\IDMIECC.IDMIEHlprObj\CLSID]
"(Default)" = "{0055C089-8582-441B-A0BF-17B458C2A3A8}"

[HKCR\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\TypeLib]
"(Default)" = "{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}"

[HKCR\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}]
"(Default)" = "IDMAllLinksProcessor Class"

[HKCR\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\TypeLib]
"(Default)" = "{ECF21EAB-3AA8-4355-82BE-F777990001DD}"

[HKCR\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\InprocServer32]
"(Default)" = "%Program Files%\Internet Download Manager\downlWithIDM.dll"

[HKCR\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Internet Download Manager\"

[HKCR\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}]
"(Default)" = "IDMEFSAgent Class"

[HKCR\IDMan.CIDMLinkTransmitter\CLSID]
"(Default)" = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"

[HKCR\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\DownloadManager\IDMBI\OPERA]
"int" = "1"

[HKCR\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\DownloadManager\IDMBI\IEXPLORE]
"int" = "1"

[HKCU\Software\DownloadManager\menuExt]
"iedownlAll_str" = "Download all links with IDM"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}]
"AppName" = "IDMan.exe"

[HKCR\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{5518B636-6884-48CA-A9A7-1CFD3F3BA916}\1.0\0\win32]
"(Default)" = "%Program Files%\Internet Download Manager\idmfsa.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 0F B2 26 41 2F 65 14 48 91 3E 8C DB 46 61 5C"

[HKCR\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0]
"(Default)" = "IDMan 1.0 Type Library"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download FLV video content with IDM]
"(Default)" = "%Program Files%\Internet Download Manager\IEGetVL.htm"

[HKCR\DownlWithIDM.IDMDwnlMgr.1\CLSID]
"(Default)" = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\IDMIECC.IDMHelperLinksStorage]
"(Default)" = "IDMHelperLinksStorage Class"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM]
"(Default)" = "%Program Files%\Internet Download Manager\IEExt.htm"

[HKCR\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Internet Download Manager\"

[HKCR\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\TypeLib]
"Version" = "1.0"

[HKCU\Software\DownloadManager\ConfigTime]
"(Default)" = "1434289222"

[HKCR\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32]
"(Default)" = "%Program Files%\Internet Download Manager\IDMan.exe"

[HKCR\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\DownlWithIDM.IDMDwnlMgr\CLSID]
"(Default)" = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"

[HKCR\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\TypeLib]
"(Default)" = "{37294E01-DB54-43AF-9D50-93FF7267DF5D}"

[HKCR\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}]
"AppID" = "{0F947660-8606-420A-BAC6-51B84DD22A47}"

[HKCU\Software\DownloadManager]
"TempPath" = "%Documents and Settings%\%current user%\Application Data\IDM\"

[HKCR\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}]
"LocalizedString" = "@%Program Files%\Internet Download Manager\idmfsa.dll,-100"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download FLV video content with IDM]
"Contexts" = "243"

[HKCR\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32]
"(Default)" = "%Program Files%\Internet Download Manager\IDMShellExt.dll"

[HKCR\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}\ProgID]
"(Default)" = "DownlWithIDM.IDMDwnlMgr.1"

[HKCR\Idmfsa.IDMEFSAgent\CurVer]
"(Default)" = "Idmfsa.IDMEFSAgent.1"

[HKCR\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Internet Download Manager"

[HKCR\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}]
"(Default)" = "ICIDMLinkTransmitter"

[HKCR\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\TypeLib]
"(Default)" = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"

[HKCR\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\TypeLib]
"(Default)" = "{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}"

[HKCR\Interface\{33AEF752-FB86-4787-9ED1-6010528F5FA3}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\ProgID]
"(Default)" = "IDMIECC.IDMHelperLinksStorage.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\DownlWithIDM.VLinkProcessor.1]
"(Default)" = "VLinkProcessor Class"

[HKCR\IDMIECC.IDMIEHlprObj\CurVer]
"(Default)" = "IDMIECC.IDMIEHlprObj.1"

[HKCR\IDMGetAll.IDMAllLinksProcessor\CurVer]
"(Default)" = "IDMGetAll.IDMAllLinksProcessor.1"

[HKCR\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ToolboxBitmap32]
"(Default)" = "%Program Files%\Internet Download Manager\downlWithIDM.dll, 101"

[HKCR\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\0\win32]
"(Default)" = "%Program Files%\Internet Download Manager\IDMIECC.dll"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM]
"Contexts" = "243"

[HKCR\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib]
"Version" = "1.0"

[HKCU\Software\DownloadManager\IDMBI\IEXPLORE]
"Name" = "Internet Explorer"

[HKCR\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\ProgID]
"(Default)" = "DownlWithIDM.VLinkProcessor.1"

[HKCR\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}]
"(Default)" = "IDM Elevated FS Assistant"

[HKCR\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\ProgID]
"(Default)" = "DownlWithIDM.V2LinkProcessor.1"

[HKCU\Software\DownloadManager]
"lastintres" = "1"

[HKCR\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\TypeLib]
"(Default)" = "{5518B636-6884-48CA-A9A7-1CFD3F3BA916}"

[HKCU\Software\DownloadManager\IDMBI\Mozilla]
"int" = "1"

[HKCR\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32]
"(Default)" = "%Program Files%\Internet Download Manager\IDMGetAll.dll"

[HKCR\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{ECF21EAB-3AA8-4355-82BE-F777990001DD}\1.0\0\win32]
"(Default)" = "%Program Files%\Internet Download Manager\IDManTypeInfo.tlb"

[HKCR\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\InProcServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{CDC95B92-E27C-4745-A8C5-64A52A78855D}" = "IDM Shell Extension"

[HKLM\SOFTWARE\Google\Chrome\Extensions\jeaohhlajejodfjadcponpnjgkiikocn]
"Path" = "%Program Files%\Internet Download Manager\IDMGCExt.crx"

[HKCR\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\DownlWithIDM.V2LinkProcessor\CurVer]
"(Default)" = "DownlWithIDM.V2LinkProcessor.1"

[HKCU\Software\DownloadManager\menuExt]
"iedownlFLV_str" = "Download FLV video content with IDM"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download FLV videos with IDM from 10 last requested]
"Contexts" = "243"

[HKCR\IDMIECC.IDMIEHlprObj.1\CLSID]
"(Default)" = "{0055C089-8582-441B-A0BF-17B458C2A3A8}"

[HKCR\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}]
"(Default)" = "IDMan.CIDMLinkTransmitter"

[HKCR\IDMGetAll.IDMAllLinksProcessor\CLSID]
"(Default)" = "{5312C54E-A385-46B7-B200-ABAF81B03935}"

[HKCR\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\TypeLib]
"(Default)" = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"

[HKCR\Interface\{4BD46AAE-C51F-4BF7-8BC0-2E86E33D1873}\TypeLib]
"(Default)" = "{ECF21EAB-3AA8-4355-82BE-F777990001DD}"

[HKCR\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32]
"(Default)" = "%Program Files%\Internet Download Manager\downlWithIDM.dll"

[HKCR\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0\0\win32]
"(Default)" = "%Program Files%\Internet Download Manager\IDMGetAll.dll"

[HKCR\Interface\{94D09862-1875-4FC9-B434-91CF25C840A1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}]
"(Default)" = "IIDMHelperLinksStorage"

[HKCR\IDMIECC.IDMHelperLinksStorage\CurVer]
"(Default)" = "IDMIECC.IDMHelperLinksStorage.1"

[HKCR\DownlWithIDM.VLinkProcessor]
"(Default)" = "VLinkProcessor Class"

[HKCR\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\DownloadManager]
"idmvers" = "v6.19 Full"

[HKCR\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\DownloadManager\menuExt]
"ffdownlFLV_str" = "Download last requested FLV video"

[HKCR\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}]
"Policy" = "3"

[HKCR\DownlWithIDM.V2LinkProcessor.1]
"(Default)" = "V2LinkProcessor Class"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}]
"AppPath" = "%Program Files%\Internet Download Manager"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\NumMethods]
"(Default)" = "12"

[HKCR\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}]
"(Default)" = "PSFactoryBuffer"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}]
"AppPath" = "%Program Files%\Internet Download Manager"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\IDM Shell Extension]
"(Default)" = "{CDC95B92-E27C-4745-A8C5-64A52A78855D}"

[HKCR\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\ProxyStubClsid32]
"(Default)" = "{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}"

[HKCU\Software\DownloadManager\IDMBI\Mozilla]
"Name" = "Mozilla"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM]
"Contexts" = "243"

[HKCR\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\VersionIndependentProgID]
"(Default)" = "DownlWithIDM.LinkProcessor"

[HKCR\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\InprocServer32]
"(Default)" = "%Program Files%\Internet Download Manager\IDMIECC.dll"

[HKCR\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid32]
"(Default)" = "{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}"

[HKCR\DownlWithIDM.IDMDwnlMgr.1]
"(Default)" = "IDMDwnlMgr Class"

[HKCR\Idmfsa.IDMEFSAgent]
"(Default)" = "IDMEFSAgent Class"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download FLV videos with IDM from 10 last requested]
"(Default)" = "%Program Files%\Internet Download Manager\IEGetVL2.htm"

[HKCU\Software\Microsoft\Internet Explorer]
"DownloadUI" = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"

[HKCR\CLSID\{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\DownlWithIDM.LinkProcessor.1]
"(Default)" = "LinkProcessor Class"

[HKCR\Interface\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\DownloadManager\IDMBI\Safari]
"Name" = "Apple Safari"

[HKCR\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{3BDFC55C-ED33-43BB-9A77-57C2AF4B56EF}\1.0]
"(Default)" = "IDMIECC 1.0 Type Library"

[HKCR\Interface\{BC69364C-34D7-4225-B16F-8595C743C775}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{C7798BD6-34AF-4925-B01C-450C9EAD2DD9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\DownloadManager]
"trayIcon" = "1"

[HKCR\AppID\{0F947660-8606-420A-BAC6-51B84DD22A47}]
"DllSurrogate" = ""

[HKCR\DownlWithIDM.V2LinkProcessor.1\CLSID]
"(Default)" = "{4764030F-2733-45B9-AE62-3D1F4F6F2861}"

[HKCU\Software\DownloadManager\menuExt]
"iedownl10FLV_str" = "Download FLV videos with IDM from 10 last requested"

[HKCR\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}]
"(Default)" = "IIDMEFSAgent"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\DownloadManager\IDMBI\Firefox]
"Name" = "Mozilla firefox"

[HKCU\Software\DownloadManager\menuExt]
"ffdownlAll_str" = "Download all links with IDM"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}]
"AppName" = "IEMonitor.exe"

[HKCU\Software\DownloadManager]
"CommonAppDataIDMFolder" = "%Documents and Settings%\All Users\Application Data\IDM\"

[HKCR\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\VersionIndependentProgID]
"(Default)" = "Idmfsa.IDMEFSAgent"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\CLSID\{CDD67718-A430-4AB9-A939-83D9074B0038}\VersionIndependentProgID]
"(Default)" = "DownlWithIDM.VLinkProcessor"

[HKCR\CLSID\{5312C54E-A385-46B7-B200-ABAF81B03935}\VersionIndependentProgID]
"(Default)" = "IDMGetAll.IDMAllLinksProcessor"

[HKCR\IDMIECC.IDMIEHlprObj.1]
"(Default)" = "IDMIEHlprObj Class"

[HKCR\IDMGetAll.IDMAllLinksProcessor]
"(Default)" = "IDMAllLinksProcessor Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\TypeLib]
"(Default)" = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"

[HKCR\Interface\{356E6235-B055-46D9-8B32-BDC2266C9DAB}]
"(Default)" = "ILinkProcessor"

[HKCR\IDMGetAll.IDMAllLinksProcessor.1\CLSID]
"(Default)" = "{5312C54E-A385-46B7-B200-ABAF81B03935}"

[HKCU\Software\DownloadManager]
"ExePath" = "%Program Files%\Internet Download Manager\IDMan.exe"

[HKCU\Software\DownloadManager\menuExt]
"ffdownlFLVa_str" = "Download last requested FLV video with IDM"

[HKCR\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\IDMIECC.IDMHelperLinksStorage.1\CLSID]
"(Default)" = "{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"

[HKCR\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}]
"(Default)" = "V2LinkProcessor Class"

[HKCR\Interface\{6EDC7F8E-EB3D-4F9A-B693-216F07C94D74}\ProxyStubClsid32]
"(Default)" = "{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}"

[HKCR\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\ProgID]
"(Default)" = "Idmfsa.IDMEFSAgent.1"

[HKCR\CLSID\{6B9EB066-DA1F-4C0A-AC62-01AC892EF175}\InProcServer32]
"(Default)" = "%Program Files%\Internet Download Manager\idmfsa.dll"

[HKCU\Software\DownloadManager]
"mzcc_vers" = "61901"

[HKCU\Software\DownloadManager\Queue]
"Queue" = ""

[HKCR\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}]
"Therad" = "1"

[HKCR\Interface\{A87AB5DD-211B-4284-8CBD-B92F77A5DE14}\NumMethods]
"(Default)" = "14"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}]
"AppName" = "IDMan.exe"

[HKCR\DownlWithIDM.IDMDwnlMgr\CurVer]
"(Default)" = "DownlWithIDM.IDMDwnlMgr.1"

[HKCR\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}\ProgID]
"(Default)" = "DownlWithIDM.LinkProcessor.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCR\CLSID\{4764030F-2733-45B9-AE62-3D1F4F6F2861}\TypeLib]
"(Default)" = "{6A89524B-E1B6-4D71-972A-8FD53F240936}"

[HKCR\Idmfsa.IDMEFSAgent\CLSID]
"(Default)" = "{0F947660-8606-420A-BAC6-51B84DD22A47}"

[HKCU\Software\DownloadManager]
"LocalPathW" = "43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00"

[HKCR\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\VersionIndependentProgID]
"(Default)" = "IDMIECC.IDMIEHlprObj"

[HKCR\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Mozilla\SeaMonkey\Extensions]
"[email protected]" = "%Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5"

[HKCR\DownlWithIDM.LinkProcessor]
"(Default)" = "LinkProcessor Class"

[HKCR\TypeLib\{37294E01-DB54-43AF-9D50-93FF7267DF5D}\1.0]
"(Default)" = "IDMGetAll 1.0 Type Library"

[HKCR\IDMIECC.IDMHelperLinksStorage\CLSID]
"(Default)" = "{436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D}"

[HKCR\TypeLib\{6A89524B-E1B6-4D71-972A-8FD53F240936}\1.0\0\win32]
"(Default)" = "%Program Files%\Internet Download Manager\downlWithIDM.dll"

[HKCR\CLSID\{0F947660-8606-420A-BAC6-51B84DD22A47}\Elevation]
"Enabled" = "1"

[HKCU\Software\DownloadManager\IDMBI\chrome]
"int" = "1"

[HKCR\Interface\{72B7361C-3568-4392-BCCD-D912CD5C1169}\TypeLib]
"Version" = "1.0"

[HKCR\Idmfsa.IDMEFSAgent.1\CLSID]
"(Default)" = "{0F947660-8606-420A-BAC6-51B84DD22A47}"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\IDMTDI]
"Start" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Idman" = "%Program Files%\Internet Download Manager\IDMan.exe /onboot"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
"NoExplorer" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
"(Default)" = "IDM Helper"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCR\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}]
"AppID"

[HKCU\Software\DownloadManager]
"ToolbarStyle"

The process grpconv.exe:1312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 2E F0 2E F4 67 24 33 C9 3C CE 26 03 E1 C3 F7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\GrpConv]
"Log" = "Init Application."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\MSProgramGroup\Shell\Open\Command]
"(Default)" = "%System%\grpconv.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCR\MSProgramGroup]
"(Default)" = "Microsoft Program Group"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\.grp]
"(Default)" = "MSProgramGroup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\DRIVERS\idmtdi.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "%System%\DRIVERS\idmtdi.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://brain9g.tk/
hxxp://domain.dot.tk/p/?d=BRAIN9G.TK&i=37.57.16.189&c=380&ro=0&ref=unknown&_=1434289203197	146.148.5.39
hxxp://freedomains4all.tk/?&_=1434289204	184.73.243.112
hxxp://www-google-analytics.l.google.com/ga.js
hxxp://freedomains4all.tk/images/606.gif	184.73.243.112
hxxp://www-google-analytics.l.google.com/r/__utm.gif?utmwv=5.6.4&utms=1&utmn=2046874803&utmhn=freedomains4all.tk&utmcs=utf-8&utmsr=1916x902&utmvp=1896x749&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmhid=856105775&utmr=-&utmp=/?&_=1434289204&utmht=1434289214229&utmac=UA-23441223-1&utmcc=__utma=176390642.1848436454.1434289213.1434289213.1434289213.1;+__utmz=176390642.1434289213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=2100074900&utmredir=1&utmu=qAAAAAAAAAAAAAAAAAAAAAAE~
hxxp://www.brain9g.tk/	195.20.40.136
hxxp://www.google-analytics.com/ga.js	216.58.209.206
hxxp://www.google-analytics.com/r/__utm.gif?utmwv=5.6.4&utms=1&utmn=2046874803&utmhn=freedomains4all.tk&utmcs=utf-8&utmsr=1916x902&utmvp=1896x749&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmhid=856105775&utmr=-&utmp=/?&_=1434289204&utmht=1434289214229&utmac=UA-23441223-1&utmcc=__utma=176390642.1848436454.1434289213.1434289213.1434289213.1;+__utmz=176390642.1434289213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=2100074900&utmredir=1&utmu=qAAAAAAAAAAAAAAAAAAAAAAE~	216.58.209.206
kkamla.no-ip.biz	204.95.99.66

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CURRENT_EVENTS DNS Query to a .tk domain - Likely Hostile
ET CURRENT_EVENTS HTTP Request to a *.tk domain

Traffic

GET /?&_=1434289204 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: freedomains4all.tk

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 14 Jun 2015 13:40:04 GMT

Server: Apache/2.2.9 (Fedora)

Last-Modified: Sun, 22 May 2011 02:03:24 GMT

ETag: "b4ab2-3fb-4a3d3c2889300"

Accept-Ranges: bytes

Content-Length: 1019

Connection: close

Content-Type: text/html; charset=UTF-8
<HTML>.<head><meta http-equiv="X-UA-Compatible" content
="IE=7">.<script type="text/javascript">..  var _gaq = _gaq |
| [];.  _gaq.push(['_setAccount', 'UA-23441223-1']);.  _gaq.push(['_tr
ackPageview']);..  (function() {.    var ga = document.createElement('
script'); ga.type = 'text/javascript'; ga.async = true;.    ga.src = (
'https:' == document.location.protocol ? 'hXXps://ssl' : 'hXXp://www')
   '.google-analytics.com/ga.js';.    var s = document.getElementsByTa
gName('script')[0]; s.parentNode.insertBefore(ga, s);.  })();..</sc
ript>.</HEAD>.<BODY BGCOLOR=WHITE>.<P><BR>&
lt;P><BR><P><BR><P><BR>.<CENTER>
;.<font size=5 face=arial>.<a href="hXXp://my.dot.tk/cgi-bin/
amb/landing.dottk?nr=385890::9512965::1::16" target="_new">Free dom
ain? Get yours today! Click here...</a><P><BR>.<t
able border=1 cellspacing=0 cellpadding=0>.<tr>.<td>.&l
t;a href="hXXp://my.dot.tk/cgi-bin/amb/landing.dottk?nr=385890::951296
5::1::16" target="_new"> <img src="/images/606.gif" border="0" /
></a>.</td></tr>.</table>.</CENTER>.&
lt;/BODY>.</HTML>...

GET /p/?d=BRAIN9G.TK&i=37.57.16.189&c=380&ro=0&ref=unknown&_=1434289203197 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: domain.dot.tk

Connection: Keep-Alive

HTTP/1.0 301 Moved Permanently

Date: Sun, 14 Jun 2015 13:40:04 GMT

Server: Apache/1.3.41 (Unix) mod_perl/1.30

Location: hXXp://freedomains4all.tk/?&_=1434289204

Content-Type: text/html; charset=ISO-8859-1

Content-Length: 0

Connection: close

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.brain9g.tk

Connection: Keep-Alive

HTTP/1.0 203 Non-Authoritative Information

Date: Sun, 14 Jun 2015 13:40:03 GMT

Server: nginx/1.6.2

Cache-Control: no-cache

Content-Type: text/html;charset=UTF-8

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Pragma: no-cache

X-Server: 3302a3ed9692

Set-Cookie: JSESSIONID=5C13CF28145977EE4A55C217A99E26F9; Path=/; HttpOnly

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 354

Connection: close
[email protected]...[..c4.......J.[.S*1.w[.&x0^.l. 3.;....4.
[email protected].(1...0.......".l&...1w.[)7.2"1.XY.k.B!....g..).".....r.u/..kN
og7.O..;..J:.....].....t4.t...#.Z......P.bt1......'.ia..........w$.l..
Q..9q.....*F.......?`...&..........WI.u....K.g..n.c....'..H..].3...".q
Z.. ..B.u.p....J5.........L-K....Z.B.\fB......}.......~%k..NM.|..'...F
~.....

GET /images/606.gif HTTP/1.1

Accept: */*

Referer: hXXp://freedomains4all.tk/?&_=1434289204

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: freedomains4all.tk

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 14 Jun 2015 13:40:04 GMT

Server: Apache/2.2.9 (Fedora)

Last-Modified: Wed, 13 May 2009 10:33:01 GMT

ETag: "c831b-e3a1-469c8bc567140"

Accept-Ranges: bytes

Content-Length: 58273

Connection: close

Content-Type: image/gif
GIF89a..<.............)...T/...S..gJ(R.&.....r......n..CCB..q......
..........oJE....l.kX........nM.)...)../.................,30...M.....)
.....X/.....r.......!.....D........'u...ux.VL.,......s.k...zzz........
0.........v.g#..e.S...j.E..PW.F.....................^.5.i.o.(.lE[..w.3
j.O...... .[K..L.........../.....aba~.fe.B..y6.....!Ya.....v...I.y.wb[
x.oO?.ug..................7......S:.....AP...{..'%W.>o..3#.4..;y#s.
J...3...R99..1.0u.X........_.V..Q7...Ou?c....@<..`..$..<.!...5."
...k..........o9;8Ihr...heT......9.....*Y.7.......|...f......x.9......
.HQSXI.t3........Z9PhsugQr........Sk.O............hwfZ.;.7........7M..
..[[email protected][...ukum.[...1.................9..
......9..;...........=..............1..1.......................@......
.....:...._............!..NETSCAPE2.0.....!...d...,......<......M.'
......*4.0a...#B....D../j.............I...YX..%...b..)..M)Hp".....B7..
......G.(U..A..P.M.:.jU..Ph......`.22G....h..].....&...2W..pw...w..9f.
...L.......V...bq. {!A...g.H`~&h....*$q.dC.......A..'.G....Z.g..xI..^&
lt;[email protected]~<.s...?...y....[..}..........9..'K.\.r...3.H.?.f.
.<...:....J%.TSQ=5.U.b.UW_y.....5.#h.1.Zl..V\N.5W]{...b$.h......e.\
..f.t...UTQ..n8.......k.=!..#<qK..`..(.....P>)\x.%W.qW...x.i....
..%.T~I.x.Yi.Dj.i.4...^{0...|..d.OH..'...%TQG.x..NEu UV). ..R0V.f.u...
..W:.~xW^{.5"...z"c..B.f.mF.-.@...........&...uR@'E2..f-...7.x.,...Y.t
..G].hB;...^ .u...-..j[-C...'{*...Lw..'~|....A.e..L%.(..f....BH...X...
.jjB.r..i.z.j....(.....Yg.Vp..<.........Lt....V!.e%...o........
<<< skipped >>>

GET /ga.js HTTP/1.1

Accept: */*

Referer: hXXp://freedomains4all.tk/?&_=1434289204

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 14 Jun 2015 13:31:22 GMT

Expires: Sun, 14 Jun 2015 15:31:22 GMT

Last-Modified: Wed, 27 May 2015 21:02:55 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 16075

Age: 523

Cache-Control: public, max-age=7200

Alternate-Protocol: 80:quic,p=0
...........}.W........_/.>.!aj..f....--....Y.!MHB.0....o..-'.......
{K..y.....d.Wig.....r.H.P.. ............"..a?..;..P2...C.R.&..e....o.e
x"...e.....[..C.K...G:....de...d.F.,..|.=..Fn..9..//5$X...Co..=..'z2..
.`0..%[email protected]...#.^a.......Kh.'.C.....I.]......tp..:.sO...x..
.8...t0<....\b;=. .z.e>.1..#.v.j......<q...#[email protected]...}H1.C..
.R.5...z..XWb.2.t.......B.....[(i.....P...x.....9.nM...."...^.....c.. 
R......t...Z..q.hl......;.c.....9.@g_.(..n.hO....|......t`.|.)H..Z....
.l..f .j......J...%._.KN......Tf..g.^.b....r.I..z...UK.\^^.m....}..DA/
.......g.A........0.........".c0.....$~I....D#......{...}.=..j...m....
@.....k.?$....J..Q......}.g......~...6.l<]..x...d?.\...w.3].._.X@..
|....}.C..$0.|.53...Q.8.....i.0=Vr.h.........<.a>.....4.:...ttg.
.....f....'.T.`=..........a...oB...Q.q......3N5 ..<....R....4......
....K..I.i#..C..$#i....`Ja..:..z.*...O...?..41.!.w}......T............
.........y..pE^r..n....A..............q..`.i>;........ .).......m..
P61I.jK.nG..Vj......9.....2....Tv. ^. ........OZ....U.9399].).,.p..\..
\YW..j3..H%...........e.c.....[[email protected].=...R...
.]....xz.`.<..7........r1..87.....7.iL}u..Yu;T. X..d.GT L Uy.....q}
......./...=. ..<#u%..4h...mZJ......p.m...,,<..4.,o$..E.a&.-qy9Z
^6i-,@...".6.7.......-f;.`..f.2...?./.S<[email protected].%.|.
.:.J5.Vy...........%5....... ..g.*..v..".......K..e0....H.....n..6a...
q..I..8..:.q1`......Z*'[email protected]... X.1.....
.B.km._.Uzr..2.D..2..n..}8.wu.O....38..}5.c.`.. ....`...MC.....#A[
<<< skipped >>>

GET /r/__utm.gif?utmwv=5.6.4&utms=1&utmn=2046874803&utmhn=freedomains4all.tk&utmcs=utf-8&utmsr=1916x902&utmvp=1896x749&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmhid=856105775&utmr=-&utmp=/?&_=1434289204&utmht=1434289214229&utmac=UA-23441223-1&utmcc=__utma=176390642.1848436454.1434289213.1434289213.1434289213.1;+__utmz=176390642.1434289213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=2100074900&utmredir=1&utmu=qAAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1

Accept: */*

Referer: hXXp://freedomains4all.tk/?&_=1434289204

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Sun, 14 Jun 2015 13:40:06 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35

Alternate-Protocol: 80:quic,p=0
GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-All
ow-Origin: *..Date: Sun, 14 Jun 2015 13:40..

The Trojan connects to the servers at the folowing location(s):

.text

`.itext

`.data

.idata

.rdata

@.reloc

B.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

%s_%d

EInvalidGraphicOperation

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

%s, ClassID: %s

%s, ProgID: "%s"

ole32.dll

USER32.DLL

uxtheme.dll

DWMAPI.DLL

clWebSnow

clWebFloralWhite

clWebLavenderBlush

clWebOldLace

clWebIvory

clWebCornSilk

clWebBeige

clWebAntiqueWhite

clWebWheat

clWebAliceBlue

clWebGhostWhite

clWebLavender

clWebSeashell

clWebLightYellow

clWebPapayaWhip

clWebNavajoWhite

clWebMoccasin

clWebBurlywood

clWebAzure

clWebMintcream

clWebHoneydew

clWebLinen

clWebLemonChiffon

clWebBlanchedAlmond

clWebBisque

clWebPeachPuff

clWebTan

clWebYellow

clWebDarkOrange

clWebRed

clWebDarkRed

clWebMaroon

clWebIndianRed

clWebSalmon

clWebCoral

clWebGold

clWebTomato

clWebCrimson

clWebBrown

clWebChocolate

clWebSandyBrown

clWebLightSalmon

clWebLightCoral

clWebOrange

clWebOrangeRed

clWebFirebrick

clWebSaddleBrown

clWebSienna

clWebPeru

clWebDarkSalmon

clWebRosyBrown

clWebPaleGoldenrod

clWebLightGoldenrodYellow

clWebOlive

clWebForestGreen

clWebGreenYellow

clWebChartreuse

clWebLightGreen

clWebAquamarine

clWebSeaGreen

clWebGoldenRod

clWebKhaki

clWebOliveDrab

clWebGreen

clWebYellowGreen

clWebLawnGreen

clWebPaleGreen

clWebMediumAquamarine

clWebMediumSeaGreen

clWebDarkGoldenRod

clWebDarkKhaki

clWebDarkOliveGreen

clWebDarkgreen

clWebLimeGreen

clWebLime

clWebSpringGreen

clWebMediumSpringGreen

clWebDarkSeaGreen

clWebLightSeaGreen

clWebPaleTurquoise

clWebLightCyan

clWebLightBlue

clWebLightSkyBlue

clWebCornFlowerBlue

clWebDarkBlue

clWebIndigo

clWebMediumTurquoise

clWebTurquoise

clWebCyan

clWebPowderBlue

clWebSkyBlue

clWebRoyalBlue

clWebMediumBlue

clWebMidnightBlue

clWebDarkTurquoise

clWebCadetBlue

clWebDarkCyan

clWebTeal

clWebDeepskyBlue

clWebDodgerBlue

clWebBlue

clWebNavy

clWebDarkViolet

clWebDarkOrchid

clWebMagenta

clWebDarkMagenta

clWebMediumVioletRed

clWebPaleVioletRed

clWebBlueViolet

clWebMediumOrchid

clWebMediumPurple

clWebPurple

clWebDeepPink

clWebLightPink

clWebViolet

clWebOrchid

clWebPlum

clWebThistle

clWebHotPink

clWebPink

clWebLightSteelBlue

clWebMediumSlateBlue

clWebLightSlateGray

clWebWhite

clWebLightgrey

clWebGray

clWebSteelBlue

clWebSlateBlue

clWebSlateGray

clWebWhiteSmoke

clWebSilver

clWebDimGray

clWebMistyRose

clWebDarkSlateBlue

clWebDarkSlategray

clWebGainsboro

clWebDarkGray

clWebBlack

comctl32.dll

AutoHotkeysd-C

AutoHotkeys

\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

OnKeyDownL

OnKeyPress

OnKeyUpH

GlassFrame.Bottom

GlassFrame.Enabled

GlassFrame.Left

GlassFrame.Right

GlassFrame.SheetOfGlass

GlassFrame.Top

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

Uh.ID

User32.dll

TKeyEvent

TKeyPressEvent

HelpKeyword nA

crSQLWait

%s (%s)

imm32.dll

TSocketPort

%d.%d.%d.%d

0.0.0.0

PSAPI.dll

TDCWebCam

127.0.0.1

BuildImportTable: can't load library:

BuildImportTable: ReallocMemory failed

BuildImportTable: GetProcAddress failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: exported symbol not found

1.2.3

127.0.0.1:1604

#KCMDDC51#-

5.3.0

cmd.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

hkey

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

*.torrent

\Internet Explorer\iexplore.exe

explorer.exe

wlanapi.dll

80211_SHARED_KEY

user32.dll

TUploadFTP

notepad.exe

KEYNAME

%ShortCut#

RELATEDCMD

ping 127.0.0.1 -n 4 > NUL && "

DRKey

CRKey

DelMSKey

InstallHKEY

ActiveOnlineKeylogger

UnActiveOnlineKeylogger

KeylogOn

ActiveOfflineKeylogger

UnActiveOfflineKeylogger

ActiveOnlineKeyStrokes

UnActiveOnlineKeyStrokes

OpenWebPage

tmpprint.txt

URLUpdate

MSGBOX

#BOT#VisitUrl

#BOT#OpenUrl

HTTP://

hXXp://

BTRESULTOpen URL|

Command successfully executed!|

#BOT#URLUpdate

BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|

BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|

#BOT#URLDownload

GetActivePorts

out.txt

tmp.txt

DDOSHTTPFLOOD

DDOSUDPFLOOD

%IPPORTSCAN

SAPI.SpVoice

WEBCAMLIVE

WEBCAMSTOP

PASSWORD

FTPFILEUPLOAD

URLDOWNLOADTOFILE

UPLOADEXEC

UPANDEXEC

FTPPORT

FTPPASS

FTPUSER

FTPHOST

FTPROOT

FTPUPLOADK

FTPSIZE

BTRESULTUDP Flood|UDP Flood task finished!|

PortScanAdd

BTRESULTVisit URL|finished to visit

BTERRORVisit URL|An exception occured in the thread|

POST /index.php/1.0

BTRESULTHTTP Flood|Http Flood task finished!|

Mozilla

BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|

BTERRORDownload File| Error on downloading file check if you type the correct url...|

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

ERR|Cannot listen to port, try another one..|

TCaptureWebcam

taskmgr.exe

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

DC3_FEXEC

Windows NT 4.0

Windows 2000

Windows XP

Windows Server 2003

Windows Vista

Windows 7

Windows 95

Windows 98

Windows Me

S-%u-

FAKEMSG

MSGICON

MSGTITLE

MSGCORE

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

%Documents and Settings%\%current user%\Application Data\dclogs\2015-06-14-1.dc

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetKeyboardType

keybd_event

VkKeyScanA

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjects

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutNameA

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

ExitWindowsEx

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

gdi32.dll

SetViewportOrgEx

version.dll

WinExec

PeekNamedPipe

GetWindowsDirectoryA

GetProcessHeap

GetCPInfo

CreatePipe

RegQueryInfoKeyA

RegOpenKeyA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCreateKeyA

wsock32.dll

shell32.dll

ShellExecuteExA

ShellExecuteA

SHFileOperationA

URLMON.DLL

URLDownloadToFileA

wininet.dll

InternetOpenUrlA

HttpQueryInfoA

FtpPutFileA

winmm.dll

netapi32.dll

gdiplus.dll

GdiplusShutdown

msacm32.dll

ntdll.dll

WS2_32.DLL

SHFolder.dll

SHELL32.DLL

AVICAP32.DLL

1!1,1=1|1

6 6$6(6,606

=!=$=)=-=1=

01m1

0 0$0(0,0004080<0@0

<!=$=)=-=4=

;"<?<_<|<

; ;$;(;,;0;4;8;<;@;

7 8$888<8

= =$=(=,=0=4=8=

UntKeylogger

KWindows

UntActivePorts

UntControlKey

UntCaptureWebcam

UntWebCam

UrlMon

(UntUploadFTPThread

UntFTP

_UntUDPFlood

YUntScanPorts

0UntPasswordAndData

XUntHTTPFlood

UntCPU

66006666

No help found for %s#No context-sensitive help installed

No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s

Invalid clipboard format Clipboard does not support Icons

Cannot open clipboard/Menu '%s' is already being used by another form

- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

Unsupported clipboard format

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to create key %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

No argument for format '%s'"Variant method calls not supported

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time

'%s' is not a valid GUID value

I/O error %d

1, 0, 0, 1

MSRSAAP.EXE

4, 0, 0, 0

%original file name%.exe_368_rwx_00400000_000B2000:

.text

`.itext

`.data

.idata

.rdata

@.reloc

B.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

%s_%d

EInvalidGraphicOperation

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

%s, ClassID: %s

%s, ProgID: "%s"

ole32.dll

USER32.DLL

uxtheme.dll

DWMAPI.DLL

clWebSnow

clWebFloralWhite

clWebLavenderBlush

clWebOldLace

clWebIvory

clWebCornSilk

clWebBeige

clWebAntiqueWhite

clWebWheat

clWebAliceBlue

clWebGhostWhite

clWebLavender

clWebSeashell

clWebLightYellow

clWebPapayaWhip

clWebNavajoWhite

clWebMoccasin

clWebBurlywood

clWebAzure

clWebMintcream

clWebHoneydew

clWebLinen

clWebLemonChiffon

clWebBlanchedAlmond

clWebBisque

clWebPeachPuff

clWebTan

clWebYellow

clWebDarkOrange

clWebRed

clWebDarkRed

clWebMaroon

clWebIndianRed

clWebSalmon

clWebCoral

clWebGold

clWebTomato

clWebCrimson

clWebBrown

clWebChocolate

clWebSandyBrown

clWebLightSalmon

clWebLightCoral

clWebOrange

clWebOrangeRed

clWebFirebrick

clWebSaddleBrown

clWebSienna

clWebPeru

clWebDarkSalmon

clWebRosyBrown

clWebPaleGoldenrod

clWebLightGoldenrodYellow

clWebOlive

clWebForestGreen

clWebGreenYellow

clWebChartreuse

clWebLightGreen

clWebAquamarine

clWebSeaGreen

clWebGoldenRod

clWebKhaki

clWebOliveDrab

clWebGreen

clWebYellowGreen

clWebLawnGreen

clWebPaleGreen

clWebMediumAquamarine

clWebMediumSeaGreen

clWebDarkGoldenRod

clWebDarkKhaki

clWebDarkOliveGreen

clWebDarkgreen

clWebLimeGreen

clWebLime

clWebSpringGreen

clWebMediumSpringGreen

clWebDarkSeaGreen

clWebLightSeaGreen

clWebPaleTurquoise

clWebLightCyan

clWebLightBlue

clWebLightSkyBlue

clWebCornFlowerBlue

clWebDarkBlue

clWebIndigo

clWebMediumTurquoise

clWebTurquoise

clWebCyan

clWebPowderBlue

clWebSkyBlue

clWebRoyalBlue

clWebMediumBlue

clWebMidnightBlue

clWebDarkTurquoise

clWebCadetBlue

clWebDarkCyan

clWebTeal

clWebDeepskyBlue

clWebDodgerBlue

clWebBlue

clWebNavy

clWebDarkViolet

clWebDarkOrchid

clWebMagenta

clWebDarkMagenta

clWebMediumVioletRed

clWebPaleVioletRed

clWebBlueViolet

clWebMediumOrchid

clWebMediumPurple

clWebPurple

clWebDeepPink

clWebLightPink

clWebViolet

clWebOrchid

clWebPlum

clWebThistle

clWebHotPink

clWebPink

clWebLightSteelBlue

clWebMediumSlateBlue

clWebLightSlateGray

clWebWhite

clWebLightgrey

clWebGray

clWebSteelBlue

clWebSlateBlue

clWebSlateGray

clWebWhiteSmoke

clWebSilver

clWebDimGray

clWebMistyRose

clWebDarkSlateBlue

clWebDarkSlategray

clWebGainsboro

clWebDarkGray

clWebBlack

comctl32.dll

AutoHotkeysd-C

AutoHotkeys

\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

OnKeyDownL

OnKeyPress

OnKeyUpH

GlassFrame.Bottom

GlassFrame.Enabled

GlassFrame.Left

GlassFrame.Right

GlassFrame.SheetOfGlass

GlassFrame.Top

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

Uh.ID

User32.dll

TKeyEvent

TKeyPressEvent

HelpKeyword nA

crSQLWait

%s (%s)

imm32.dll

TSocketPort

%d.%d.%d.%d

0.0.0.0

PSAPI.dll

TDCWebCam

127.0.0.1

BuildImportTable: can't load library:

BuildImportTable: ReallocMemory failed

BuildImportTable: GetProcAddress failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: exported symbol not found

1.2.3

127.0.0.1:1604

#KCMDDC51#-

5.3.0

cmd.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

hkey

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

*.torrent

\Internet Explorer\iexplore.exe

explorer.exe

wlanapi.dll

80211_SHARED_KEY

user32.dll

TUploadFTP

notepad.exe

KEYNAME

%ShortCut#

RELATEDCMD

ping 127.0.0.1 -n 4 > NUL && "

DRKey

CRKey

DelMSKey

InstallHKEY

ActiveOnlineKeylogger

UnActiveOnlineKeylogger

KeylogOn

ActiveOfflineKeylogger

UnActiveOfflineKeylogger

ActiveOnlineKeyStrokes

UnActiveOnlineKeyStrokes

OpenWebPage

tmpprint.txt

URLUpdate

MSGBOX

#BOT#VisitUrl

#BOT#OpenUrl

HTTP://

hXXp://

BTRESULTOpen URL|

Command successfully executed!|

#BOT#URLUpdate

BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|

BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|

#BOT#URLDownload

GetActivePorts

out.txt

tmp.txt

DDOSHTTPFLOOD

DDOSUDPFLOOD

%IPPORTSCAN

SAPI.SpVoice

WEBCAMLIVE

WEBCAMSTOP

PASSWORD

FTPFILEUPLOAD

URLDOWNLOADTOFILE

UPLOADEXEC

UPANDEXEC

FTPPORT

FTPPASS

FTPUSER

FTPHOST

FTPROOT

FTPUPLOADK

FTPSIZE

BTRESULTUDP Flood|UDP Flood task finished!|

PortScanAdd

BTRESULTVisit URL|finished to visit

BTERRORVisit URL|An exception occured in the thread|

POST /index.php/1.0

BTRESULTHTTP Flood|Http Flood task finished!|

Mozilla

BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|

BTERRORDownload File| Error on downloading file check if you type the correct url...|

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

ERR|Cannot listen to port, try another one..|

TCaptureWebcam

taskmgr.exe

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

DC3_FEXEC

Windows NT 4.0

Windows 2000

Windows XP

Windows Server 2003

Windows Vista

Windows 7

Windows 95

Windows 98

Windows Me

S-%u-

FAKEMSG

MSGICON

MSGTITLE

MSGCORE

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

%Documents and Settings%\%current user%\Application Data\dclogs\2015-06-14-1.dc

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetKeyboardType

keybd_event

VkKeyScanA

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjects

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutNameA

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

ExitWindowsEx

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

gdi32.dll

SetViewportOrgEx

version.dll

WinExec

PeekNamedPipe

GetWindowsDirectoryA

GetProcessHeap

GetCPInfo

CreatePipe

RegQueryInfoKeyA

RegOpenKeyA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCreateKeyA

wsock32.dll

shell32.dll

ShellExecuteExA

ShellExecuteA

SHFileOperationA

URLMON.DLL

URLDownloadToFileA

wininet.dll

InternetOpenUrlA

HttpQueryInfoA

FtpPutFileA

winmm.dll

netapi32.dll

gdiplus.dll

GdiplusShutdown

msacm32.dll

ntdll.dll

WS2_32.DLL

SHFolder.dll

SHELL32.DLL

AVICAP32.DLL

1!1,1=1|1

6 6$6(6,606

=!=$=)=-=1=

01m1

0 0$0(0,0004080<0@0

<!=$=)=-=4=

;"<?<_<|<

; ;$;(;,;0;4;8;<;@;

7 8$888<8

= =$=(=,=0=4=8=

UntKeylogger

KWindows

UntActivePorts

UntControlKey

UntCaptureWebcam

UntWebCam

UrlMon

(UntUploadFTPThread

UntFTP

_UntUDPFlood

YUntScanPorts

0UntPasswordAndData

XUntHTTPFlood

UntCPU

66006666

No help found for %s#No context-sensitive help installed

No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s

Invalid clipboard format Clipboard does not support Icons

Cannot open clipboard/Menu '%s' is already being used by another form

- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

Unsupported clipboard format

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to create key %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

No argument for format '%s'"Variant method calls not supported

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time

'%s' is not a valid GUID value

I/O error %d

1, 0, 0, 1

MSRSAAP.EXE

4, 0, 0, 0

rundll32.exe_1008:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

iexplore.exe_1928:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

IDMan.exe_516:

.text

`.rdata

@.data

.rsrc

UxSSh

SSSh4

QSSSh(

QPSSh(

L$4PQSSh

FxSSh

t%Fj"V

RPSSh

T$TQRSSh

QRSSh

PQSSh

QRSShp

RPSSh\

RPSShD

PQSSh4

SSSh|

PQSShH

T$dQRSSh8

QRSShx

QRSShl

D$8RPSSh

PQSShT

T$LQRSSh

SSSSSh

jCSSSSh

PSSShD6i

u.hX9i

SSSSh

PVSSh

QRSShP;i

SSSShD;i

SSSSh4

SShdGi

tdSSh

PWSSh

T$DQRSSh

T$\QRSSh

T$HQRSSh

L$HPQSSh

PQSSh85i

PSSSh

RSSSh

RVSSh

QPSSh

L$TPQSSh

D$<RPSSh

D$,RPSShXsi

PQSShp

!"#$%&'()* ,-./01234

t~9.tz

QSSh4;i

T$0QRSSh

RPSShh~j

PQSShX~j

QRSShD~j

RPSSh0~j

PQSShx~j

QRSSh$~j

FtPh

tCPWh

>"u.Fj"V

QRSSh`

PQSSh tj

T$4QRSSh

L$HPQSSh86i

D$HRPSShp

QRSSh(

u$SShe

commctrl_DragListMsg

COMCTL32.DLL

CCmdTarget

GDI32.DLL

%*.*f

windows

CNotSupportedException

MSWHEEL_ROLLMSG

KERNEL32.DLL

ole32.dll

__MSVCRT_HEAP_SELECT

user32.dll

WSOCK32.dll

GetWindowsDirectoryA

GetProcessHeap

GetWindowsDirectoryW

GetCPInfo

PeekNamedPipe

KERNEL32.dll

ExitWindowsEx

MsgWaitForMultipleObjects

EnumWindows

GetKeyState

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

GetAsyncKeyState

USER32.dll

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GDI32.dll

comdlg32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

RegEnumKeyA

RegQueryInfoKeyA

RegDeleteKeyA

RegEnumKeyExA

RegNotifyChangeKeyValue

RegFlushKey

RegCreateKeyExW

RegLoadKeyA

RegRestoreKeyA

RegSaveKeyA

ADVAPI32.dll

ShellExecuteA

ShellExecuteExW

ShellExecuteExA

FindExecutableW

ShellExecuteW

SHFileOperationA

SHFileOperationW

SHELL32.dll

COMCTL32.dll

oledlg.dll

OLEPRO32.DLL

OLEAUT32.dll

InternetCombineUrlA

InternetCrackUrlA

InternetCanonicalizeUrlA

GetUrlCacheEntryInfoW

InternetCanonicalizeUrlW

WININET.dll

hXXps://secure.

hXXp://VVV.

%s&lng=%s

.internetdownloadmanager.com/

AboutD.htm

.xn--

PTF://

hXXps://

hXXp://

hXXp://%s

Unknown error during CAddUrlDlg::CAddUrlDlg()

Unknown error during CAddUrlDlg::OnInitDialog()

UnkErr in AddUrl 299

Unknown error during CAddUrlDlg::OnClose()

Unknown error during CAddUrlDlg::OnVerify()

Unknown error during CAddUrlDlg::OnCancel()

https

Unknown error during CAddUrlDlg::OnEditchangeUrl()

FtpPasword

FtpEncPassword

FtpUserName

UseFtpProxy

FtpPort

FtpProxy

HttpPasword

HttpEncPassword

HttpUserName

UseHttpProxy

HttpPort

HttpProxy

HttpsPasword

HttpsEncPassword

HttpsUserName

UseHttpsProxy

HttpsPort

HttpsProxy

http=

https=

Software\Microsoft\Windows\CurrentVersion\Internet Settings

%%0Ý

%s %s

fceb7191-46c6-4fb2-bc5f-a10317cd4b1a

fc21ec12-91cc-4546-8ce9-0fea34ce5ad9

f1b17826-2437-4a4d-a9d0-97ee5c76c164

db47a145-d5cc-424d-885d-7a305ebc25b0

d177c6d9-1454-476c-bcc3-1195d036d6e0

cf2d8c1d-bb0e-4cdc-9e97-3cc6da9f48c7

cb6498f3-91f5-4e72-bdd3-35e5a6dc6d5f

851aba31-d661-4825-a37f-5bd0faeb4d88

80993b9b-0cd0-4b2d-864c-88151c635fe5

77e27bc6-988a-4b45-bdf1-85a8928f86ea

6528e7db-f86d-4398-a3df-abf0e7b70aa2

64a72197-bda2-449e-ba78-8e0335442661

205801ea-84b1-4085-b818-b1c6fb567bd7

179619ba-deeb-4436-abaf-82eeaf2f3816

144323b7-20c3-4b5f-b2a5-1cd0d6996dbc

02c1811b-6b25-416a-aca8-dc671d68056d

00645ccd-b777-44a2-9b36-1fb3f423b559

Cannot open regkey in CBrInt constr

Cannot open(/create) registry subkey during CBrowsersIntegration::Save().

Mozilla

Google Chrome

chrome

Opera

OPERA

Mozilla firefox

Firefox

fceb7191-46c6-4fb2-bc5f-000000000000

webHancer

New.net

rpcrt4.dll

%s%s%s

%s\%s

sporder.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%s%sGoogle\Chrome\User Data\Default\Extensions

Software\Mozilla\Firefox\Extensions

Software\Mozilla

Software\Mozilla\Waterfox

Software\Mozilla\Aurora

Software\Mozilla\Mozilla Firefox

manifest.json

SOFTWARE\Google\Chrome\Extensions

SOFTWARE\Google\Chrome\Extensions\%s

Software\Google\Chrome

Software\Google\Chrome\Extensions

Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}

Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}

Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}

"%s" "%s"

isExtensionSupported

MozillaFirebird

Mozilla Firebird

seamonkey

SeaMonkey

mozilla

firefox

Mozilla Firefox

{7D11E719-FF90-479C-B0D7-96EB43EE55D7}

%sIDMGrHlp.exe

%sUninstall.exe

Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

hXXp://VVV.internetdownloadmanager.com/register/new_faq/enableBFE.html

\\.\IDMTDI

New.net Startup

Software\Microsoft\Windows\CurrentVersion\Run

StEnableBFEMsg

net.exe

\\.\IDMWFP

1.2.0.13

kltdi.sys

https\

http\

{0055C089-8582-441B-A0BF-17B458C2A3A8}

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Software\Opera Software

IntegrateOpera

Unknown error during CBrowsersIntegrator::GetMozillaInstallDir()

SOFTWARE\mozilla.org\Mozilla

IntegrateMozilla

MozillaFirebird.exe

%sPlugins\

Mozilla.exe

SOFTWARE\FullCircle\TalkBack\%s

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

%s%s\chrome.manifest

%s%s\chrome\idmmzcc.jar

%s%s\components2\iIDMMzCC.xpt

%s%s\components\iIDMMzCC.xpt

%s%s\components9\idmmzcc64.dll

%s%s\components9\idmmzcc.dll

%s%s\components2\idmcchandler2_64.dll

%s%s\components2\idmcchandler2.dll

%s%s\components2\idmmzcc64.dll

%s%s\components2\idmmzcc.dll

%s%s\components\idmmzcc.dll

%s\drivers\idmwfp.sys

%s\drivers\idmtdi.sys

\WinInit.Ini

PendingFileRenameOperations

PSAPI.DLL

%stmp_test.html

%s\Main

%sOpera.exe

%s\flock.exe

SOFTWARE\Mozilla\SeaMonkey

SOFTWARE\Mozilla\Netscape Navigator

Software\mozilla.org\Mozilla Firefox

\StringFileInfo\xx\%s

\StringFileInfo\xx\FileVersion

idmcchandler2_64.dll

idmcchandler2.dll

%s%s\%s

%sNP_IDM%d.dll

</em:updateURL>

<em:updateURL>

%s%s\install.rdf

%sidmmzcc03

%sidmmzcc02

%sidmmzcc01

%sidmmzcc3

%sidmmzcc2

%sidmmzcc

Software\Mozilla\SeaMonkey

Software\Mozilla\SeaMonkey\Extensions

Software\Mozilla\Firefox

Cannot create regkey in CBrIntr:SaveBIA, s2

Cannot create regkey in CBrIntr:SaveBIA

SOFTWARE\Microsoft\Windows\CurrentVersion

%s (*.exe)|*.exe||

%s executable file (%s.exe)|%s.exe||

%scnlurllist.dat

%s*%s

%s://*.%s%s

%sdefextmap.dat

%surlexclist.dat

%s (5)

VVV.internetdownloadmanager.com

testing.html

%s (%d)

idmbrbtn.dll

.youtube.com

secure%s

www%s

.com/fillregform.html?d=

.com/autoreg.html?d=

%s?v=%s

idmupdt2.exe

idmupdt.exe

%s?%s

update.cgi

CURRENT_USER\%s

Software\Classes\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}

Update.htm

application/vnd.lumberjack.manifest

image/x-windows-bmp

application/x-winexe

%sGrabber\

%stemplate%s.dat

%stemplate*.dat

%sToolbar\%s

%sToolbar\*.tbi

Connect.dll

%s%ld

hXXp://VVV.internetdownloadmanager.com/support/firefox_integration.html

hXXp://VVV.internetdownloadmanager.com/support/firefox8_integration.html

hXXp://VVV.internetdownloadmanager.com/register/new_faq/chrome_extension2.html

%d%sd %s

%d %s

%s (*.*)

chrome.exe

Firefox/

firefox.exe

%s\Downloads\%s

%s%s%s%s

bShTipWEBMPlayer

.webm

%s. %s.

WEBM

hXXp://VVV.internetdownloadmanager.com/flv_player.html

CompleteDlg.htm

hXXp://www%s/uptateidm.cgi?v=%s

hXXps://secure%s/subscription.html?v=%s

hXXp://www%s/contact_us.html?v=%s

6.19.1

02/05/14

%sidmvs.dll

RegCreateKeyEx() failed during OpenGlobalIDMRegKey(), errCode = %ld

%s%sIDM

%s%sIDM\%s

Internet Download Manager detected that its registry keys had been damaged since the last run. It's possible that you run a flaky spyware remover program which corrupted system registry. Internet Download Manager will try to restore all damaged data, but some data may remain corrupted.

hXXp://VVV.internetdownloadmanager.com/support/damaged_keys.html

Internet Download Manager detected that its registry keys had been damaged since the last run. It's possible that you run a flaky spyware remover program like Spyhunter which corrupted system registry. Internet Download Manager will try to restore all damaged data, but some data may remain corrupted.

%Program Files%\Spyhunter

SHCopyKeyA

shlwapi.dll

%s\settings.bak

%s%sDMCache\%s

%s%sDMCache

SpecialKeys

Passwords

%s%sDownloads\

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\

LastFileCmdLine

LastDirCmdLine

LastUrlCmdLine

Unknown error during CDownloaderApp::InitInstance(), downloaderDlg.DoModal()

IDMShellExt.dll

%sIDMShellExt.dll

%sIDMIntegrator64.exe

/s "%sdownlWithIDM64.dll"

/s "%sIDMGetAll64.dll"

/s "%sIDMIECC64.dll"

%sIDMShellExt64.dll

CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}\InProcServer32

/s "%sIDMShellExt64.dll"

idmfsa.dll

downlWithIDM.dll

IDMIECC.dll

IDMGetAll.dll

RichEd32.Dll

Software\Classes\CLSID\{84797876-C678-1780-A556-0CD06786780F}

FtpPasive

MonitorUrlClipboard

%s /onboot

%s Full

%s Trial

3GP 7Z AAC ACE AIF ARJ ASF AVI BIN BZ2 EXE GZ GZIP IMG ISO LZH M4A M4V MKV MOV MP3 MP4 MPA MPE MPEG MPG MSI MSU OGG OGV PDF PLJ PPS PPT QT R0* R1* RA RAR RM RMVB SEA SIT SITX TAR TIF TIFF WAV WMA WMV Z ZIP

SOFTWARE\Classes\AppID\%s

AppID\%s

CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}

{AC746233-E9D3-49CD-862F-068F7B7CCCA4}

IDMan.CIDMLinkTransmitter

Kernel32.DLL

IDMan.exe

VDMDBG.DLL

DownloaderCmdLine::ParseParam(LPCTSTR lpszParam, BOOL bFlag, BOOL bLast)

rbmsg

Invalid URL

%sLanguages\%s

lang0xx.txt

lng0x%x.txt

Unknown error during SetIconsOnUrlListProc()

comctl32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

%sMediumILStart.exe

ecom.cimetz.com

siteseal.thawte.com

CDownloaderDlg::CreateColumnInUrlList(): inserted index != sent parameter

506938841

.testingext

URL::set_fileName(): Not enough memory!

URL::set_Referer(): Not enough memory!

URL::set_serverPath(): Not enough memory!

URL::set_serverName(): Not enough memory!

URL::set_Cookie(): Not enough memory!

"%%s" /ch %ld /w %I64d

DntShMsgOnCNTOOHtml4

%d%sd%%

%s %s/%s

%s/%s

ProcessOnNewUrl()

Unknown error during CDownloaderDlg::ProcessOnNewUrl()

/fillregform.html?d=

shell32.dll OpenAs_RunDLL %s

Unknown error during CDownloaderDlg::OnKeydownUrllist()

Unknown error during CDownloaderDlg::OnItemchangedUrllist()

Unknown error during CDownloaderDlg::OnColumnclickUrlList()

index.html

hXXp://VVV.internetdownloadmanager.com/support/damaged_keys2.html

Internet Download Manager found out that you had Spyhunter software installed. This is a low quality spyware remover that mixes registry keys, and may screw up installations of spyware clean products. For example, Spyhunter misidentifies one of IDM registry keys as SideSearch, and deletes it. It doesn't affect IDM work in any way, nor its installation, but may damage IDM downloads. We tried to contact creators of Spyhunter, but couldn

bshexmsg

MIME\Database\Content Type\%s

.gzip

.test

tmp1%s

tmp1.%s

Unkerr in maindlg:GetStrUrl

ExportListToFile()

Unknown error during CDownloaderDlg::ExportListToFile()

%s (*.ef2)|*.ef2||

%s (*.txt)|*.txt|%s (*.*)|*.*||

ImportListFromFile()

Unknown error during CDownloaderDlg::ImportListFromFile()

%s (*.ef2; *.ief)|*.ef2;*.ief||

OnCommandLineUrl()

Unknown error during CDownloaderDlg::OnCommandLineUrl()

ProcessOnNewUrl2()

Unknown error during CDownloaderDlg::ProcessOnNewUrl2()

explorer.exe

/n,/select,"%s"

\SpyHunter.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EE5B8E34-973C-4FBE-AC83-99F064009FC7}

%Program Files%\SpyHunter\SpyHunter.exe

hXXp://VVV.internetdownloadmanager.com/support/toolbar2.html

%sgrprdb

%s*.%s

%s%sIDMGrHlp.exe

name=%s

IDM_queues.htm

SourceURL:

updatevm.txt

%s\Scheduler\q_%s.dt

Operation {new char[...]} returned 0 during CDownloadQueue constructor.

Cannot open(/create) registry queue subkey.

%s\Scheduler

%s\Scheduler\s_%s.dt

%s%s:%d/%s

%s%s/%s

Unknown error during CSessionsArray::GetIndexIfUrlInArray()

Unkerr in CDPrgDlg SetURL

Unkerr in CDwnlPrDlg, OnCmd, wP=%ld

%s/%s %s

%s ( %d%sd %% )

%s (%s)

%d%sd %s

Software\DownloadManager\IDMBI\Firefox\DwnlPanel

CEditMozillaMenutab

Advapi32.dll

*.update.microsoft.com download.windowsupdate.com siteseal.thawte.com ecom.cimetz.com *.voice2page.com

Options.htm

http-equiv

%s://%s%s%s

%d; URL=%s

update_dq.txt?v=%s

update608.txt

%s:%ld

jsproxy.dll

SocksPass

SocksPort

%d %d:%d:%d %d

default.htm

VVV.sharingmatrix.com

sharingmatrix.com

VVV.filesonic.

hXXp://api.filesonic.com/%s

link?method=getDownloadLink&ids=%s&u=%s&redirect=true

api.filesonic.com

%s-%s

Right_click_IE.htm

Cannot open(/create) registry GetAllDlgLS subkey.

%s, Time: %.15s.%hu %s

GrbFsDlg::OnAddF:RegCrKey failed, err=%ld

%sproject%s.gsd

%sGrabber\Projects\

%s*.gsd

\\.\%s:

%s[%s]%s

\\.\PhysicalDrive%d

avi mpg mpe mpeg asf wmv mov qt rm mp4 flv m4v webm ogv ogg

Cannot open(/create) registry subkey during CIDMFoldersTree constructor.

Cannot open(/create) registry subkey during CIDMFoldersTree::Save().

Cannot open(/create) registry key during CIDMFoldersTree::Save().

Cannot open(/create) registry key during CIDMFoldersTree::DeleteItem().

Cannot open(/create) registry key during CIDMFoldersTree::SetVisiblity().

Cannot open(/create) registry key during CIDMFoldersTree::CheckQAU().

Cannot open(/create) registry key during CIDMFoldersTree::DeleteQAU().

HHCtrl.ocx

idman.chm

tutor.chm

grabber.chm

scheduler.chm

Cannot open(/create) registry listsettings subkey.

Cannot open(/create) registry key during CIDMMainDlgTree::OnEditItem().

%sproxy.pac

EncPassword

Software\DownloadManager\ProxyPac\%s

VERSION.dll

Gr GetWW:CrTh2 failed, err %ld

Gr GetWW:CrTh failed, err %ld

Gr AsyncMsgHandler:CrWnd failed, err %ld

Gr AsyncMsgHandler:RegCl failed, err %ld

Unk err in AsyncWndProc, uMsg=%ld, wParam=%ld, lParam=%ld

%sempty.html

%s %s error %ld

%s_%s%s

Unk err in Gr CrTmpF

%s_%s.pdb

logoutUrl=

manualLoginUrl=

useManualLogin=

password=

login=

isSPC=%d

tmpFolder=%s

manualLoginUrl=%s

useManualLogin=%d

logoutUrl=%s

denyLogout=%d

password=%s

login=%s

useAuthorization=%d

startingPage=%s

template=%s

version=%d

%smanuallogin.html

"%%s" /a 1 /w %I64d /i 2000000000 /%s "%%s" /ct "%s" /u "%s"

"%%s" /a 1 /w %I64d /i 2000000000 /%s "%%s" /ct "%s" /u "%s" /cp "%s" /lb "%s" /ok "%s" /cb "%s"

Gr SetPID:RegCrKey failed, err=%ld

excFP=%s

useExcFP=%d

incFP=%s

useIncFP=%d

excSP=%s

useExcSP=%d

incSP=%s

useIncSP=%d

maxSzU=%d

maxSzA=%d

useMaxSz=%d

minSzU=%d

minSzA=%d

useMinSz=%d

overwrEx=%d

replHtmlLnk=%d

usesubf=%d

wsaveto=%s

category=%d

saveMode=%d

useIEC=%d

useDescr=%d

autoAdd=%d

goTSF=%d

prJava=%d

dnp=%d

dntAddMrrs=%d

dwnlAO=%d

igPp=%d

allSOMD=%d

nLevelOS=%d

nLevel=%d

wholeSite=%d

nDATSTF=%d

nEATSTF=%d

SHDeleteKeyA

Shlwapi.dll

%sproject%s_%s.igp

%sproject%s.igp

"%%s" /a 2 /w %I64d /fl %ld /i %ld /%s "%%s" /ct "%s" /u "%s"

%s%sa%s\

wininet.dll

%sChList

%ld %ld %ld %d %d %d p%s

%s_fda.pdb

%ld %ld %ld %d %d %d

%s*f*

%s%s%s\

action.html

filters.html

wheretosearch.html

saveto.html

starting.html

hXXp://VVV.internetdownloadmanager.com/welcome2.html?%s%s

hXXp://VVV.internetdownloadmanager.com/welcome.html?%s%s

hXXp://VVV.internetdownloadmanager.com/?%s%s

%sbuy1.html?%s%s

%sbuy_idm.html?%s%s

mailto:?subject=Internet Download Manager - very cool application!!!&body=download from hXXp://VVV.internetdownloadmanager.com

download from 

Internet Download Manager - very cool application!!!

hXXp://www%s/welcome2.html?%s

hXXp://www%s/welcome.html?%s

hXXp://www%s/?%s

%sbuy1.html?%s

%sbuy_idm.html?%s

hXXps://secure%s/

mailto:[email protected]?subject=IDM_%s

IDM's temporary directory for storing file parts during download is located on drive "%s", this drive has %s file system. The files larger than %d GBytes cannot be written on this file system.

The size of "%s" file is %.1f GBytes.

The drive "%s" where you want to save this file has %s file system. The files larger than %d GBytes cannot be written on this file system.

1. Please RESTART Google Chrome and press on Chrome menu (arrow 1 on the image)

5. If you use incognito mode in Chrome, you need to enable "Allow in incognito" checkbox (arrow 5 on the image).

IDM extension has been successfully installed into (or updated in) Google Chrome browser.

You must enable "IDM Integration module" extension in Google Chrome settings if you want IDM to work with Chrome properly

This version of IDM does not support this type of downloading. Try to update IDM to the latest version.

If automatically updating your Kaspersky product does not help, please contact Kaspersky support to get an update for the "kltdi" driver.

You need to restart the Chrome to apply changes

In order to update a part of IDM extension for Firefox please close Firefox (or SeaMonkey) and then press "Retry" button

IDM cannot check for updates because an important system file is damaged on your computer. Repair this file?

Your browser may not open IDM website because an important system file is damaged on your computer. Repair this file?

IDM cannot engage Advanced Browser Integration because "Base Filtering Engine" Windows service is missing. This could happen because of your system being damaged by a computer malware.

Click OK to open a web page with recovery instructions.

IDM cannot engage Advanced Browser Integration because "Base Filtering Engine" Windows service is not running. Please right-click the Computer icon, select "Manage", navigate to "Services and Applications -> Services", then find "Base Filtering Engine" in the list and right-click on it to open Properties. Change Startup type to "Automatic", click "Start" and confirm changes.

Click OK to visit a web page for additional information.

Cannot connect to the socks server %s

Socks server cannot connect to %s

Import links to IDM

It's possible that you need to change VPN connection that is set in IDM options, or turn off "Use Windows Dial Up / VPN Networking" checkbox in IDM options -> "Dial Up / VPN" tab

IDM cannot download this protected stream for legal reasons. The download of such streams is not supported because IDM may not bypass the technological measures which are made for the protection of audio, video and data content.

These settings are unavailable when "%s" is turned on

%s is a product key of Internet Download Manager.

Please press "%s" button to buy IDM.

What is the "%s"?

1. You do not have Administrator rights or you did not allow IDM helper program to execute as Administrator.

IDM has intercepted this file from web media player because of the disabled download panel for the respective file type in IDM Options.

If you want IDM to refrain from intercepting such files please go to the "General" tab in IDM Options, click "Edit..." button for download panels in browsers and turn on "Don't capture downloads from web-players automatically" checkbox in the pop-up window.

Internet Download Manager will install a new network driver, which significantly improves integration with web players and changes old integration with several browsers like Chrome or Opera. If you encounter any problems with your browser, please open IDM options and turn off "Use advanced browser integration" checkbox on General tab. It will turn off the new driver.

IDM shows a download panel instead of capturing downloads in web players when %s integration is working correctly.

You have an obsolete %s browser integration, or %s integration is not installed. Would you like to read how to fix it?

Sometimes when you click on a link, your browser requests other files AT THE SAME TIME like Java scripts, web pages, pictures, etc. When you press and hold down a special key, IDM intercepts these files, and the browser may not request the necessary file because it will not run a Javascript, which has been intercepted by IDM erroneously. If you want to intercept and download only the necessary files with IDM, please turn on the option below:

IDM executable is on desktop

You have placed IDM's executable file on the desktop. IDM cannot work correctly without its other files, please move IDMan.exe back to programs, and create a shortcut to IDM on Desktop instead. To create a shortcut, open IDM folder in Programs, right click on IDMan.exe file and use "Send To -> Desktop (create shortcut)" popup menu item.

Would you like to know how to download files from %s site with IDM?

%s video has been downloaded

IDM found out that you computer might not have a player that would play %s videos. You will need to install any %s player.

Would you like to read about a %s player?

It will install a new network driver, which significantly improves integration with web players and changes old integration with several browsers like Chrome or Opera. If you encounter any problems when connecting to the Internet, for example, a system freezing, or crashes, etc., please open IDM options and turn off "Use advanced browser integration" checkbox on General tab. It will turn off the new driver.

IDM will download a web-page instead of a file.

(Currently this feature works for Internet Explorer, IE based browsers, Firefox and Mozilla-based browsers)

For web-players

You have entered a space after the password. If the space was entered by mistake, would you like IDM to delete the space?

You have entered a space before the password. If the space was entered by mistake, would you like IDM to delete the space?

Cannot find any web address in the clipboard!

Several URLs found in clipboard. Do you want to download them?

If you don't want to download anything please close "%s" dialog using "Cancel" button.

Checking address: %s

The web site sent a web page instead of a file when IDM requested this file second time. Probably this site uses temporary links and does not allow requesting the same address twice.

Downloading owner web page to refresh link address

IDM will open a web page in your browser where it captured this download. Please start the download of the same file from your browser again, and IDM will try to capture a new address or new session data to resume this download

Note: If you uncheck a file type on the list above and if the file type is in the list on "Options->File Types" tab, downloads of this file type are captured by IDM automatically and won't be played in the web-player. If you want to prevent it, check the box below:

Download this %s

A CRC error occurred while downloading. That means that you had some problem with your hard disk. You should scan your disk for errors by using "Error-checking" on disk properties->tools Windows dialog.

Firefox and other Mozilla based

The data transfer has been interrupted and the server does not support "resume". It's only possible to download this file from the beginning.

"IDM CC" extension for Mozilla based browsers has changed in this version of IDM. You will need to reinstall the extension to use new features. Do you want to install the new "IDM CC" extension for browsers which have an old "IDM CC" extension?

"IDM CC" extension for Mozilla based browsers has changed in this version of IDM. You will need to reinstall the extension to use new features. Do you want to reinstall the extension for %s %s browser?

Stop %s

Start %s

Do you really want to delete %s?

The browser made the first request of "%s" file and then when IDM tried to request the same file again, the site sent a web page to IDM instead of the download.

To take over this download you can set a special key in "IDM Options->General->Keys...". Press and hold this key while clicking on download link/button so that IDM could take over the download before the first browser request. Note that "Ins" key should work for most browsers.

The requested file looks like html web page.

You'll need to provide administrator permissions to perform this operation

This feature is not available for Windows Vista, but it should be implemented soon. Please check for IDM updates.

Drag this icon to start the drag and drop operation for the downloaded file.

Netscape 7.xx and 6.xx

Please confirm the installation of idmmzcc.xpi extension from Tonec Inc. on corresponding browser dialog and restart the browser after the installation.

IDM detected that %s %s browser had been also installed on your computer.

Cannot install plugins for %s %s browser!

%s %s browser will be opened now to install the extension for integration with IDM.

Cannot install idmmzcc.xpi browser extension!

IDM has detected that %s %s browser is default browser on your computer.

IDM has been successfully integrated into Mozilla Firefox.

You need to restart the Firefox browser to apply changes

Cannot install idmmzcc.xpi browser extension for Mozilla Firefox!

Please locate the browser executable file on the next dialog.

Plugins for %s browser have been removed.

Plugins for %s %s browser have been installed.

Plugins for %s browser have been installed.

IDM cannot find %s browser on your computer. Please locate the browser executable file on the next dialog.

Note: Opera and OLD Mozilla based browsers can be integrated with IDM using plugins. This integration type does not support server exceptions list to prevent downloading with IDM. Also when you change file types list you need to restart these browsers to reload plugins.

Note: Opera and OLD Mozilla based browsers can be integrated with IDM using plugins. This integration type does not support special keys to prevent or force downloading with IDM from these browsers. If you want to prevent or force downloading with IDM by pressing special keys, you should use "Advanced browser integration".

Rebooting in %d seconds

Automatically put in "%s" category the following file types:

Remember this path for "%s" category

Downloaded %s (%I64d Bytes)

Restore all download windows

t be deleted. The grabber will parse all web pages on the site again, and it may take a while.

The Java-script will not be processed for the web pages which have been already explored/processed. If you want to process Java-script for these pages you will need to press "Update all" toolbar button on the Grabber Action dialog.

The scheduled grabber project could not be started at %d:d because the project settings were being edited at this time.

The scheduled grabber project could not be started at %d:d because the project was running at this time.

Cannot start downloading the manual login page. Please check the URL syntax.

Downloading the manual login page

There is not enough free space on drive %s to open the grabber project. Please free some space and try again.

There is not enough free space on drive %s to process the grabber project. Please free some space and try again.

There is no asterisk wildcard in URL to create a download file list!

Press the OK button when login process completes

IDM Site Grabber. Step %d --- %s

Cannot open the file "%s"

Do you want to delete the "%s" grabber project?

The project with "%s" name already exists. Please select another name.

Manual login page

Please enter manual login page or uncheck the corresponding checkbox

Please enter login and password or uncheck the "Use Authorization" checkbox

Web content

If these events did not occur, please send %s file (if it exists) to Internet Download Manager support department for analysis.

When trying to resume the download, Internet Download Manager got a response from the server that it doesn't support resuming the download.

The whole web site

All files of the web site except web pages and images

All Video files of the web site

All Pictures of the web site

The filter with "%s" name already exists. Please choose another name.

When Advanced Browser Integration is turned on, IDM can catch those downloads which were impossible to catch before in IDM, or in any other download manager. Also when using the integration, IDM can be integrated into any browsers and Internet applications to take over your FTP/HTTP downloads.

We have created a configuration report that you can send us. Please send us the following information to help us to fix this problem in future versions of IDM. This data is of technical kind. We don't collect your personal information, and we will treat this report as confidential and anonymous.

You have turned off advanced browser integration. If you found a problem with advanced browser integration, we would like to fix the problem for you. In order to fix the problem, we need to collect and analyze some technical information about your computer configuration and installed Internet applications. IDM will collect and show you this information on the next stage before sending it to our support department.

IDM has detected that you are using Windows DialUp networking to connect your modem to the Internet. Would you like to use these settings in IDM?

IDM cannot find %d file(s) that are necessary for browser and system integration. Would you like to download them?

The key(s) to prevent downloading should not be contained in the key(s) to force downloading.

Please choose others keys.

"%s" data transmission protocol is not supported by IDM at this time. Or it might be a spelling error, therefore please check the spelling, and try again.

The name to save the file was "%s", but the server sent the following file type "%s", and the file should be saved as "%s". Would you like to save the file with the name matched the file type received from the server?

Password

%d sec

%d min %d sec

%ld hour(s) %d min

IDM Export Files

From %d:d to %d:d you downloaded %ld MB. All IDM downloads have been stopped at %d:d because you had exceeded your download limits set in IDM Scheduler (or 'Options->Connections')!

All stopped downloads will be resumed automatically at d:d. If you want to resume downloads immediately, change settings in Download Limits and press on Resume.

From %d:d to %d:d you downloaded %ld MB. All IDM downloads will be stopped because you have exceeded your download limits set in in IDM Scheduler (or 'Options->Connections')!

%s, total %ld files

MPEG: Res. %dx%d, %.1f samp per sec, %d bits per samp

WAV: %d samp per sec, %d bits per samp, Length: %s

AVI: Res. %dx%d, %d samp per sec, Length %s

Cannot create folder %s, error code = %ld

Warning: This computer program is protected by copyright laws and international treaties. Unauthorized reproduction or distribution of this program, or any portion of it, may result in severe civil and criminal penalties, and will be prosecuted to the maximum extent possible under law.

Add URL

Please enter login name.

The file with this URL already exists in your list and waits for download to complete. Do you want to resume file?

The file with this URL has been already downloaded by Internet Download Manager. Do you want to download it again?

Invalid URL entered. Please correct.

User names and passwords for servers/sites

Logins

Sites Logins

Change folder for "%s" category on last selected

Default download directory for "%s" category

Would you like to place all old downloads with "%s" file types to this category? The files won't be moved on the hard drive, but will be associated with this category.

The folder "%s" doesn't exist.

Do you really want to delete "%s" category from IDM categories list?

You have %d days left to use Internet Download Manager. Do you want to register your copy of IDM now?

An error occured while loading security dll. Cannot create https connectin.

An error occured while creating security connection to %s.

Cannot find HHCtrl.ocx to display help file!

File %s download complete.

This m3u file contains one or more web links to mp3 files. Would you like to add these mp3 files to your download list?

This m3u file contains a web link to one mp3 file. Would you like to download this mp3 file?

The name to save the file was "%s%s", but the server sent the following name "%s". Would you like to save the file with the file name that was received from the server?

Cannot download this file, maybe this ftp server doesn't support download resume. Would you like to add the same file and download it from the beginning?

An unknown error occured while executing the operation!

The file doesn't have any web links

The file is not a valid IDM export file or the file is corrupted

Import to IDM

The %s file has been moved.

The downloaded file looks like html web page.

If this download was taken over from your browser automatically when you clicked on a link, try to hold Alt key when clicking on the link to let IE open the page.

QuickUpdate for IDM from VVV.internetdownloadmanager.com. Receiving new files...

Cannot download this file. Invalid http server reply.

File %s - downloaded %s (%I64d Bytes). The file may not have been downloaded completely, because the file size is unknown.

File saved as %s

There is no disk space left on drive '%s'.

The size of %s is %I64d bytes.

There is no disk space left on drive '%s' to store downloaded file parts.

Probably the server does not support command pipelining.

Restarting at the beginning because local file has been erased. Restarting from arbitrary position is not supported in this case.

PORT OK

Sending PORT command...

The server does not support PASV.

Password OK

Password failed

Sending password...

Cannot find the end of string in ftp server reply.

Server sent new location and the file name %s has changed to %s.

The size of file %s has not been found in server reply

Cannot open data connection because ftp server does not support PASV command and checkbox 'Use FTP in PASV mode' in Options->Proxy/Firewall is turned on.

PORT command failed.

Cannot send PORT command.

Cannot open ftp data socket

Error occurred while receiving ftp server reply: Invalid reply format

Error occurred while receiving ftp server reply.

Ftp server doesn't allow connections.

Cannot find this file on ftp server.

Cannot login to ftp server.

Fatal read error occurred while joining downloaded parts into one file

Fatal write error occurred while joining downloaded parts into one file

Virtual memory allocation error while joining downloaded parts into one file

Cannot get the size of next part while joining downloaded parts into one file

Cannot open local file for writing while joining downloaded parts into one file

An unknown error occurred while joining downloaded parts into one file

An unknown error occurred while appending files or joining downloaded parts into one file

Cannot connect to proxy server %s:%ld

Cannot connect to %s:%ld

Cannot find proxy server %s

Cannot find server %s

The size of "%s" file is %I64d bytes.

There is no disk space left on drive "%s"' where you want to save this file.

A socket operation encountered a dead network. This could indicate a serious failure of the network system (i.e. the protocol stack that the WinSock DLL runs over), the network interface, or the local network itself.

A socket operation was attempted to an unreachable network. This usually means the local software knows no route to reach the remote host.

A socket operation failed because the destination host was down. A socket operation encountered a dead host. Networking activity on the local host has not been initiated.

Proxy authorization is required for this proxy server. You can change proxy username and password in "Options/Proxy"

Authorization is required for this site/path. You can set login information for this download by selecting properties item in a right click context menu. Or add login information to "Options/Sites passwords" to use these login/password every time you are downloading files from this site.

You have changed the "site/path field." The login information for this new site/path already exists in your password list.

The login information hasn't been changed. You may want to edit the existing one.

The login information for this site/path already exists in your password list.

The new login information hasn't been added. You may want to edit the existing one.

Change username and password of this download to "anonymous" ?

Apply these username and password to this download?

Are you sure you want to delete login information for this site?

Password field has not been filled!

Password verification failed! Please try again.

Cannot rename downloaded file from temp folder (%s) to %s. The file has been saved in temp folder.

mailto:?subject=%s&body=%s% hXXp://VVV.internetdownloadmanager.com

mailto:[email protected]?subject=IDM_%s&body=%s

mailto:[email protected]

%sLanguages\idm_*.lng

%sLanguages\inst_*.lng

%ld %s

hXXp://cache*-music*.myspacecdn.com/*/std_*.mp3?bandid=*&songid=*&token=*

hXXp://*.*/*.swf*

hXXp://lads.myspace.com/*.swf?*

%s://%s

youtube.com

location.href

window.navigate

window.open

\winhlp32.exe

Software\DownloadManager\MCN\%s

Software\DownloadManager\MCN\%s%s

scheduler.htm

https:/

http:/

MozillaWindowClass

AutoConfigURL

0.0.0.

127.0.0.

\StringFileInfo\xx\ProductName

drwebwcl

*.exe

COptSitesPasswords

%s (*.wav)|*.wav||

Software\DownloadManager\Passwords\

Software\DownloadManager\Passwords

VVV.filesonic.tw

*.filesonic.tw

filesonic.tw

VVV.filesonic.jp

*.filesonic.jp

filesonic.jp

*.sharingmatrix.com

VVV.filesonic.com

*.filesonic.com

filesonic.com

VVV.fileserve.com

*.fileserve.com

fileserve.com

VVV.hotfile.com

*.hotfile.com

hotfile.com

VVV.mediafire.com

*.mediafire.com

mediafire.com

.megaupload.com

VVV.megaupload.com

*.megaupload.com

megaupload.com

.rapidshare.com

ssl.rapidshare.com

VVV.rapidshare.com

*.rapidshare.com

rapidshare.com

URL::set_password: Not enough memory!

URL::set_userName: Not enough memory!

%s. %s

%d %%

%d%sd%% %s

%s (%I64d %s)

Properties.htm

CAllControlsSheet

%sScheduler\

%sq_*.dt

%d %s

%s.%s%s%s

RegistrationD.htm

%sprojects.dat

%sprojects2.dat

%sfoldresHistory.txt

%s (*.*)|*.*||

scheduler.html

%s{%s}

Software\Classes\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}

%s\%s{%s}

E8CF4E59-B7A3-41F2-86C7-82B03334F22A

9C9D53D4-A978-43FC-93E2-1C21B529E6D7

hXXp://VVV.internetdownloadmanager.com/support/updateblocked.html

add_exception28.html

url=%s

webpage=%s

dll=%s

firstCT=%s

secondCT=%s

ref=%s

user_agent=%s

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

%d:%d build %d %d-bit

%d:%d build %d

Windows 3.1

Windows 95

Windows 98

Windows NT

Windows version:

Configuration report:

Unk err --- GetRegistrySubkeys

Cannot open key for reading.

Unk err --- SaveAllSubkeys

Cannot read information about subkey's.

Unk err --- SaveKeyValuesEx

Unk err --- SaveKeyValues

Cannot read information about this key.

send_adv_int_rep2.html

mail=%s

winmm.dll

bUseControlKey

bUseAltKey

ShiftP

UseKeyToForce

UseKeyToPrevent

settings.html

%s >>

%s <<

*.html,*.htm,*.js,*.css,*.gif,*.jpg,*.jpeg,*.jpe,*.bmp,*.png,*.tif

%s,*.js,*.css,*.gif,*.jpg,*.jpeg,*.jpe,*.bmp,*.png,*.swf

*.zip,*.rar,*.tar,*.gz,*.tgz

*.pdf

*.mp3,*.wma,*.waw

*.mpg,*.mp4,*.mpeg,*.avi,*mov,*qt,*.wmv

*.gif,*.jpg,*.jpeg,*.jpe,*.bmp,*.png,*.tif

%s ( %s )

*.%s %s

%s_tvlda.pdb

nlevels.html

prJava.html

StImmMsg

*.uploaded.to

VVV.uploading.com

*.easy-share.com

zshare.net

uploaded.to

uploading.com

sendspace.com

filefactory.com

depositfiles.com

Software\DownloadManager\DwnlSelPanel\%s

Shell32.dll

%stips.txt

Unknown error during CUrlExporter::CUrlExporter()

CreateFile error %ld during CUrlExporter::CUrlExporter()

Unknown error during CUrlExporter::WriteInELFFile()

Unknown error during CUrlExporter::ReadFromIEFFile()

Unknown error during CUrlExporter::ReadFromTextFile()

Err1 in SetSmUrl

UrlUnescapeA

3GP 7Z AAC ACE AIF ARJ ASF AVI BIN BZ2 DOC DOCX EXE FLV GZ GZIP IMG ISO LZH M4A M4V MKV MOV MP3 MP4 MPA MPE MPEG MPG MSI MSU OGG OGV PDF PLJ PPS PPT QT R0* R1* RA RAR RM RMVB SEA SIT SITX TAR TIF TIFF WAV WEBM WMA WMV Z ZIP

Unknown error during CUrlHistory::CUrlHistory()

UrlHistory

Unknown error during CUrlHistory::~CUrlHistory()

Unknown error during CUrlHistory::OnAddUrl()

Unk err in CUrlHistory2::CUrlHistory2

UxTheme.dll

dwmapi.dll

%s %s

Deleting temp file %s

Could not delete temp file %s

%ld,%f

%sSeg%%ld-Frag%%ld

first listitem id = %d, startpos = %I64d, file %s, endpos = %I64d

Error opening file %s, errcode = %ld.

Updating record with num %s: set ID %d, startPos %I64d, nextID %d

Error reading registry, errCode = %d.

Adding record to registry with ID %d, startPos %I64d, nextID %d

%s.tmp

Unknown error during ChunksList::JoinFile()

Updating record with ID 0, set nextID %d

Deleting record %s from registry

Size of %s is %I64d

Error during GetFileSize(), errcode = %d.

Skip first bytes via temp file %s.

Step5, can not rename temp file %s to %s, errno = %ld

%s_tmp

Rename temp file %s to %s.

Can not rename temp file %s to %s, errno = %ld

Can not create folder %s, error = %ld

Can not rename temp file %s to %s, error = %ld

Rename2 temp file %s to %s.

Delete old file %s

Assembling all downloaded portions into one file...

Fatal Read Error %d

Fatal Write Error %d

VirtualAlloc/malloc failed, error %d

Values counter in the registry subkey = %d

Cannot find registry subkeys counter.

Set curID %d, curPos %I64d

No keyframe found

Adding record with ID %d, startPos %I64d, nextID %d

error!!! No keyframe found(0)

this file %s, size %I64d

Read record num. %s from registry: ID = %d, startPos = %I64d, nextID = %d

Error reading registry, errCode = %d. End rebuilding.

Err 1231, f=%s, e=%ld.

Loading duration from registry: %f sec

error in chlist, id=%d, next=%d, starttime=%ld, ts=%ld

Chunk order violation error, cInf.ID %d, startPos %I64d

Error opening file %s.

next file %s, size %I64d

Error reading first chunk, errcode = %d.

new listitem id=%d, startpos=%I64d, file %ls,

error reading registry %d

Error opening file %s to get size, errcode = %ld.

insert from reg, ID = %d

Error closing file %s

Error reading saved last part, errcode = %d.

Adding record %s to registry with ID %d, startPos %I64d, nextID %d

Add alternative connection (%d) for connection %d

Error during deleting record with num %s, errcode = %ld

Apply alternative for connection %d

Getting file size error during check alternative for record %d, errcode = %ld

Opening file error during check alternative for record %d, errcode = %ld

Unknown error during ChunksListItem::JoinWithNext().

Deleting record with num %s

C%d:%s

Error during call to %s, err = %d

/%s%s

Dnsapi.dll

Error code = %d

Sock ver = %d, reply = %d

Error code = %ld, socks ret code = %d

%s %s

Select failed, err code = %d, socket = %d

Select error code = %d, socket = %d

Checking connect, socket = %d

File write error! Received %d bytes, wrote %d bytes, errCode = %ld

Error code = %d, socket = %d

sqlite3_free

sqlite3_exec

sqlite3_close

sqlite3_open

%sidmindex.dll

%s%sGoogle\Chrome\User Data\Default\cookies

%s%sMozilla\Firefox\Profiles\%s\cookies.sqlite

%s%sMozilla\Firefox\Profiles\*

SELECT name, value, path, %s like '%%%s'

host_key, secure FROM cookies WHERE host_key

host_key

d:d:d

ddd d:d:d GMT

dddddd

Unknown error during FTPConnection::FTPConnection() constructor.

Unknown error during FTPConnection::set_sequence_cpbl().

Unknown error during FTPConnection::try_set_pasv_cpbl().

Unknown error during FTPConnection::GetReply().

Unknown error during FTPConnection::Disconnect().

Unknown error during FTPConnection::SendQuit().

Unknown error during FTPConnection::TryConnect().

Unknown error during FTPConnection::CloseDataConnection().

Unknown error during FTPConnection::CheckConnectReply().

Initial response from FTP server:

Unknown error during FTPConnection::SendUser().

USER %s%s

%s@%s%s

Unknown error during FTPConnection::SendPassword().

send() PASS

PASS %s%s

send() proxy PASS

Unknown error during FTPConnection::CheckUserReply().

Unknown error during FTPConnection::CheckPasswordReply().

Reply on password:

recv() PASS

Unknown error during FTPConnection::SendPasv().

PASV%s

Unknown error during FTPConnection::ProcessPasvReply().

%u,%u,%u,%u,%u,%u

Unknown error during FTPConnection::BindSocket().

Unknown error during FTPConnection::Accept().

Unknown error during FTPConnection::SendPort().

send() PORT

PORT %d,%d,%d,%d,%d,%d

Unknown error during FTPConnection::CheckPortReply().

Reply on PORT:

recv() PORT

Unknown error during FTPConnection::SendCWD().

CWD %s%s

Unknown error during FTPConnection::CheckCWDReply().

Unknown error during FTPConnection::CheckOthersReplies().

Unknown error during FTPConnection::SendType().

TYPE %s%s

Unknown error during FTPConnection::CheckTypeReply().

Unknown error during FTPConnection::SendRest().

REST %I64d%s

Unknown error during FTPConnection::CheckRestReply().

Unknown error during FTPConnection::SendRetr().

RETR %s%s%s

Unknown error during FTPConnection::SendNoop().

Unknown error during FTPConnection::CheckRetrReply().

Unknown error during FTPConnection::FindSizeInRetrReply().

%I64d%s

Unknown error during FTPConnection::SendSize().

SIZE %s%s%s

Unknown error during FTPConnection::SendListFile().

LIST %s%s%s

Unknown error during FTPConnection::CheckListReply().

Unknown error during FTPConnection::CheckTransferEndReply().

Unknown error during FTPConnection::CheckSizeReply().

Unknown error during FTPConnection::OpenDataConnection().

ftp server doesn't support PASV

Unknown error during FTPConnection::StartRetr().

Unknown error during FTPConnection::RecvListData().

time %s, sizetype %d, size %I64d, name %s, namelen %d, flagtryretr %d

UNk err FTPCn2597

Unknown error during FTPConnection::GetFileSize().

Unknown error during FTPConnection::ProcessReply().

Unknown error during FTPConnection::ProcessReplyQueue().

Unknown error during FTPConnection::RollBack().

Unknown error during FTPConnection::Restart().

Unknown error during FTPConnection::OnSendError().

Unknown error during FTPConnection::StartGetChunk().

Unknown error during FTPConnection::ProcessWaitConn().

Unknown error during FTPConnection::ProcessWaitReply().

Unknown error during FTPConnection::SendInAddition().

Unkerr in FTPC2980

Unknown error during FTPConnection::ProcessPasvOK().

Unknown error during FTPConnection::InsInChunksList().

Unknown error during FTPConnection::SendTestSequences().

TYPE I%sNOOP%s

CWD %s%sTYPE I%s

Unknown error during FTPConnection::ProcessWaitTestSequ().

Unknown error during FTPConnection::ProcessWaitSecSeqReply().

Unknown error during FTPConnection::AuditForRestart().

Unknown error during FTPConnection::SetCompleted().

next %d

Sendig QUIT for connection %d...

The file chunk of connection %d is reassigned to connection %d.

conn. %d dowload completed

time %I64d, status %d,

Unknown error during FTPConnection::HandleStatus().

Error during FTPConnection::OnNewLastModified()

Unk err in FTPC::SMDTM().

MDTM %s%s%s

Unk err in FTPC::CMDTMR

Unknown error in FTPSession constructor.

Unknown error in FTPSession destructor.

Unknown error during FTPSession::InitSession().

Unknown error during FTPSession::set_sequence_cpbl_ok().

Unknown error during FTPSession::set_rest_cpbl().

Unknown error during FTPSession::set_pasv_cpbl().

Unknown error during FTPSession::CreateOptionalConnections().

Unknown error during FTPSession::getFile()

User : %s, password : xxx

%s %s Time: %.19s.%hu %.4s (%ld sec)

Url: PTF://

Windows %d.%d

Unknown error during FTPSession::ReceiveData()

Unknown error during FTPSession::set_fds()

Probably the server does not support command sequences.

Unkerr in FTPSss:AlQt

Unkerr in FTPSss:SndAlCnInf

Unknown error during FTPSession::TryStartNewOptionalConnections()

Cannot download this file, maybe this ftp server doesn't support download resume. Would you like to download the file from the beginning?

1.1.4

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /hXXp://VVV.internetdownloadmanager.com/support/data_corruption.html

nShMsgCrData

Unknown error in HTTPConnection constructor.

Unknown error in HTTPConnection destructor.

conn. %d dowload complete

Unknown error during HTTPConnection::Disconnect().

Error during HTTPConnection::SetBasicAuthStr()

Authorization: Basic %s

%s:%s

Error during HTTPConnection::GetNextReplyLine()

Error during HTTPConnection::GetReplyIntoStorage()

Error during HTTPConnection::GetRetrRangeReply()

.dailymotion.com

emusic.com

Error during HTTPConnection::setNewLocation()

.html

/* Old URL: %s%s */

rapidshare.de

Err in HTTPC::AFR

Error during HTTPConnection::ProcessState()

UNk err HTTPCn2597

Error during HTTPConnection::GetInfo()

.googlevideo.com

%s.mnft

.dmcdn.net

sciencedirect.com

Error during HTTPConnection::GetState()

Error during HTTPConnection::SendGet()

%I64d-%I64d, %s

%s %s HTTP/1.1

User-Agent: %s

Host: %s%s

Accept: %s

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

Accept-Charset: %s

Origin: %s

Accept-Language: %s

Cookie2: %s

Content-Type: %s

Content-Length: %d

application/x-www-form-urlencoded

If-Modified-Since: %s

Referer: %s

Authorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", %sresponse="%s"%s

, opaque="%s"

qop=%s, nc=%s, cnonce="%s",

Unknown error during HTTPConnection::HttpsProxyConnect()

CONNECT %s:%ld HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)

Proxy-Authorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", %sresponse="%s"%s

Error during HTTPConnection::RecvAllHeaders()

Error during HTTPConnection::SkipAllHeaders()

Error during HTTPConnection::SkipAllHeaders2()

Error during HTTPConnection::RecvState()

HHTTP/

HTTP/

Error during HTTPConnection::ProcessHeader()

policyref="hXXp://p3p.yahoo.com/w3c/

windows-125

HTTPS

Server: MediaFire-HTTP-lrbd

Server: BestHop 2.4.4

Unkerr HTTPC:OnCnt

Error during HTTPConnection::HandleStatus()

.mail.yahoo.com/

Unkerr HTTPC 5571

UnkErr in HTTPC6234

No memory, s httpc6172

No memory, s httpc6154

Ieframe.dll

Error during HTTPConnection::Set_szURL()

Error during HTTPConnection::OnNewLastModified()

Error during HTTPConnection::ProcessSetCookieHeader()

Not enough memory in cookieURL = new char[...]

Unknown error during HTTPConnection::Restart().

Error %d during HTTPConnection::MNSP(), step1.

Error %d during HTTPConnection::MNSP(), step2.

Unkerr in HTTP:RestartOnNLM

Unknown error in HTTPSession constructor.

Unknown error in HTTPSession destructor.

Unknown error during HTTPSession::InitSession().

Unknown error during HTTPSession::getFile()

The server does not support transfer restarts.

User : %s, password :xxx

password=***

register.cgi

HTTPSess err 960

Try original url

Unknown error during HTTPSession::ReceiveData()

Unknown error during HTTPSession::set_fds()

Unknown error during HTTPSession::AuditForRestart()

Unknown error during HTTPSession::SendAllConnInfo()

Unknown error during HTTPSession::TryStartNewOptionalConnections()

Cannot download this file, maybe this server doesn't support download resume. Would you like to download the file from the beginning?

hXXps://secure.internetdownloadmanager.com/buy.html

hXXps://secure.internetdownloadmanager.com/buy1.html

hXXp://VVV.internetdownloadmanager.com/

hXXp://VVV.internetdownloadmanager.com/welcome.html

hXXp://VVV.internetdownloadmanager.com/welcome2.html

Software\Classes\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}

sending %x command, res = %ld

send mms cmd

NSPlayer/9.0.0.2980; {%s}; Host: %s

954afa31-d601-4525-ae7f-57d44aeb4d34

\\%d.%d.%d.%d\%s\%ld

recv %x command

Recv cmd failed, error = %ld

Recv cmd failed, connection closed by server.

errCode 0x%x

err code = 0x%x

xxxx-xx-xx-xx-xxxxxx

75B22636-668E-11CF-A6D9-00AA0062CE6C

14E6A5CB-C672-4332-8399-A96952065B5A

5FBF03B5-A92E-11CF-8EE3-00C00C205365

75B22633-668E-11CF-A6D9-00AA0062CE6C

BC19EFC0-5B4D-11CF-A8FD-00805F5C442B

B7DC0791-A9B7-11CF-8EE6-00C00C205365

8CABDCA1-A947-11CF-8EE4-00C00C205365

75B22630-668E-11CF-A6D9-00AA0062CE6C

Packets number %ld, packet length %ld, media length %I64d, streams count %d, file size %I64d

%s, %s%s%s, Length: %s

Connection %d, downloaded %I64d.

Unk err in MMSCn::HndlSt, time %I64d, status %d

%s Time: %.19s.%hu %.4s (%ld sec)

%I64d-%I64d, %s%s

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

Content-Type: application/x-www-form-urlencoded

Proxy-Authorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", %sresponse="%s"%s%s

, charset=utf-8, hashed-dirs="service-name,channel-binding", service-name="%s", channel-binding="%s"

Unknown error during ProxyConnection::Set_szURL()

Not enough memory during szURL = new char[...]

Proxy-Authorization: Basic %s

Unkerr in RTMPConn, 12, time %I64d, status %d

OneKeyFrameBack failed, Erase outfile

Recieved ID: %s

POST /fcs/ident2 HTTP/1.1

Host: %s

POST /open/1 HTTP/1.1

POST /%s/%s/%ld HTTP/1.1

Version: %d.%d.%d.%d

recv handshake, type = X

SendPacket failed! Header type: 0xx

pageUrl

tcUrl

swfUrl

Key frame doesn't match! (c3)

Key frame doesn't match! (c2)

Key frame doesn't match!

The file chunk %d is reassigned to connection %d.

Join with next, deleting record with num %s

error 2099, id=%d, next=%d, starttime=%ld, ts=%ld

Delete temp file %s

cmpkfcount > MAX_CMP_KEYFRAMES, set NO_REST

Sending ping, type=0xx

Unknown packet type received: 0xx

Report: received

Sending play, stime=%f, file=%s

NetConnection.Connect.InvalidApp

NetStream.Play.UnpublishNotify

NetConnection.Connect.Rejected

NetStream.Play.StreamNotFound

NetStream.Play.Stop

NetStream.Play.Failed

NetStream.Failed

onStatus: %s

Server sent result for %s

Server invoking %s

Duration = %f

Duration dont match! New duration = %f

OneKeyFrameBack

Join all (1).

Cannot find Winsock v%d.%d or later!

Ss::InfMsg err

Unknown error during Session::CheckFormat(), ctc.Check(...)

%a, %d %b %Y %H:%M:%S GMT

hXXp://VVV.internetdownloadmanager.com/register/new_faq/How_to_configure_Firewalls_for_IDM.html

downlResult = %ldsetting new login

Unknown error during SessionManager::SetURL()

Unknown error during SessionManager::SetLogin()

%s://%s%s%s%s

simtel.net

Unknown error during SessionManager::LoadUrlFromReg()

URL::set_lastResult(): Not enough memory!

[email protected]

Port

Can not delete subkey %s from registry, error code = %ld

Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

UrlUnescapeW

%s.%s

%s_%s.%s

%s_default.html

%s%s%s.%s

.docx

.mpeg

easy-share.com

googlevideo.com

%s&signature=%s

&url=

\u0026url=

url_encoded_fmt_stream_map

%s...

Downloading owner web page

googlevideo.com/api_video_info?

googlevideo.com/get_video_info?

youtube.com/api_video_info?

youtube.com/get_video_info?

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)

Mozilla/4.0 (compatible; MSIE 7.0; Windows 98)

Unknown error in URL destructor

%s?lng=%s

hXXp://VVV.internetdownloadmanager.com/support/shsdownload.html

hXXp://VVV.internetdownloadmanager.com/articles/flv_downloading.html

hXXp://VVV.internetdownloadmanager.com/support/filesonic_dwnl.html

hXXp://VVV.internetdownloadmanager.com/support/rsdownload.html

showHTDlFsnMsg

showHTDlShSMsg

4shared.com

.filesonic.

showHTDlYtMsg

showHTDlRSMsg

%ld%s

URL::set_localPath(): Not enough memory!

Folder %s was created.

Unknown error during URL::SaveToReg()

capabilities=%f&audioCodecs=%f&videoCodecs=%f&videoFunction=%f&duration=%I64d%s%s

&tcUrl=%s

&userArgs=%s

Unknown error during URL::set_LastModified()

URL::set_LastModified(): Not enough memory!

Unknown error during URL::DeleteFileChunks()

Error read registry, errCode = %d. End rebuilding.

Unknown error during URL::LoadLocalNamesFromReg()

URL::set_localFileName(): Not enough memory!

URL::set_description(): Not enough memory!

%s\idmftype.dll

idmcheckedtype/%s

Urlmon.dll

%s%s%s.html

%s %s|*.%s|%s (*.*)|*.*||

Error %ld opening registry key in URL::OpenDMRegSubKey()

EM = 0x%x, 0x%x,

DM = 0x%x, 0x%x.

Error 0x%x reading security interface.

Error 0x%x reading InitSecurityInterface entry point.

Error 0x%x loading %s.

secur32.dll

security.dll

schannel.dll,

Error %ld opening Key during CheckRegSecurityProvider()

schannel.dll

Unk err in URL::set_MDTM()

.MPEG

Unknown error during CFormatParsing::%s

new operator error %ld in CFormatParsing::FillZipFormatStruct()

Joint Stereo

d %s %d d:d

CertFreeCertificateContext

Error 0x%x returned by AcquireCredentialsHandle

Error 0x%x returned by CertFindCertificateInStore

CertFindCertificateInStore

Error 0x%x returned by CertOpenSystemStore

CertOpenSystemStoreA

Error %d sending data to server (1)

%d bytes of handshake data sent

Error %d returned by InitializeSecurityContext (1)

Error 0x%x returned by InitializeSecurityContext (2)

%d bytes of app data was bundled with handshake data

Error %d sending data to server (2)

Error %d reading data from server

Key exchange strength: %d

Key exchange: KEA

Key exchange: 0x%x

Key exchange: DH Ephemeral

Key exchange: RSA

Hash strength: %d

Hash: 0x%x

Cipher strength: %d

Cipher: 0x%x

Protocol: 0x%x

Error 0x%x querying connection info

Error 0x%x finding cert chain

**** Error 0x%x returned by AcquireCredentialsHandle

certificate chain found

CertFindChainInStore

1.3.6.1.5.5.7.3.2

Error 0x%x querying issuer list info

Error during HTTPConnection::SendHTTPSGet()

%d bytes of request sent

Error %d sending data to server (3)

Error 0x%x returned by EncryptMessage

Header: %d, Trailer: %d, MaxMessage: %d

Error 0x%x reading SECPKG_ATTR_STREAM_SIZES

Error during HTTPConnection::RecvHTTPSData()

**** Error 0x%x returned by DecryptMessage

%d bytes of handshake data received

%c%c%c%c%c%c%c%c%c%c

%s.cdb2

%s.pdb

%s_ssi.pdb

%s_szi.pdb

%s_di.pdb

%s_sfti.pdb

%s_lni2.pdb

%s_lni.pdb

%s_dni.pdb

%s_ui.pdb

%s_mi.pdb

.?AVCCmdTarget@@

.PAVCException@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCUserException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCResourceException@@

.PAVCArchiveException@@

.?AVCToolCmdUI@@

.PAVCOleException@@

.PAVCOleDispatchException@@

.PAVCMemoryException@@

.PAVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCFileException@@

zcÁ

%Program Files%\Internet Download Manager\IDMan.exe

Ku.sL

z%X8>

 ].vh

'%7u%g

^.ovs

^.ovs[cX:

w'R.siZ

2:3:3:/:/\/\/

2:3:3:3:3

Rn-N)N)N)N)M)M)-%-%-%,%,%uN

.ZduB

keYb

6.vFo)

ZL%FV

{.wGZ

o{-{,{,w,w,w,w,w,w-w-w-w.wNwNwNwNwN{N{N{N{o{o{q{

{/{,{,{,{,{,{,w,w,w.wPw

.)7)7(3'/

2*;*;*7)7

2 ; ; ;*7

p{N{M{-{-{-{,{,{,{-w-w-w.wNwNwNw

w.wGZ

O{-{,w,w,w,w,w,w,w-w-w-w.wNwNwNwNwN{N{N{n{n{o{q{

{.{,{,w,w,w,w,w,w,w.wPw

uN-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%-%uN

"?'?#?#?

7_3_/_ _'?#

;=;=;=;^7

"?'?'?'?#?#

&? ?'?'?#

.GNGnGMCK;(3

{.KoKoKnGL?)7

R.siZ

N.siZ

-%-)-)-%

;;;7;7;7;7;7:7:7:3:3

.ZW9W9W8W8W9[9_Z_

6>;_7?7?3? ?'

tcp D

?=?=;=;^;

._/_/_/?/? 

3_3?3?/? ? 

{4Fp)o%uF

7\3\3\ \'<

;?;?7?/? 

-xB}ouF\#o

)QO(b

.lffn]XX

L/%XN3'4S7)

& #!!!!&

version="1.0.0.0"

name="Tonec.IDM.IDMan"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="asInvoker"/>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">

</asmv3:windowsSettings>

'()* ,-./

0123456789

idmmbc.dll

nIDMGCExt.crx

IEMonitor.exe

idmmzcc.xpi

Uninstall.exe

iRUNDLL32.EXE

SETUPAPI.DLL,InstallHinfSection DefaultUninstall 128 %s

SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 %s

idmtdi.inf

idmtdi32.sys

NPIDMan2.dll

NPIDMan1.dll

lidmbrbtn64.dll

IDMShellExt64.dll

IDMNetMon64.dll

IDMNetMon.dll

IEGetAll.htm

IEExt.htm

IDManTypeInfo.tlb

idmmkb.dll

IDMIECC64.dll

lhttp

iseamonkey.exe

orca.exe

MozillaFireBird.exe

NETSCP.exe

Flock.exe

navigator.exe

NETSCAPE.exe

OPERA.exe

Firefox.exe

iexplore.exe

PathToExe

~idmcchandler2_64.dll

defexclist.txt

g.exe

idmvs.dll

regsvr32.exe

index.htm

IDMGrHlp.exe

rundll32.exe

downlWithIDM64.dll

IDMGetAll64.dll

%s%s%s_%ld%s

Elevation:Administrator!new:%s

temp.htm

GlobalErrors.log

s%sGlobalErrors.log

mgrabber.chm

%s%lda%ld\

%s%s%s\default_user\

%s%s%s\%s\

idmpldr.ini

IEGetVL2.htm

IEGetVL.htm

dnlbtmn.txt

%s%sSounds\%s

%sSounds\%s

%s%sSounds\

%sSounds\

sts_list.dat

tips.txt

UrlHistory.txt

UrlHistory2.txt

%s%s_%ld.log

manuallogin.html

default.html

%s%ld\

%s%s_%ld\

:?!#&*-<>\$%@

"'/[]^|~

a%Program Files%\Internet Download Manager\GlobalErrors.log

E&xport

To IDM export &file

&Import

&From IDM export file

C&ustomize URL List...

&Contact IDM Support

hXXp://VVV.internetdownloadmanager.com

Support Team:

internetdownloadmanager.com/contact_us.html

The web page from which this file was obtained:

Login

Automatically start downloading of URLs placed to clipboard

Customize keys to prevent or force downloading with IDM

Keys...

Use FTP in &PASV mode

Site login

Note: Type the path only if you have different login names for different server directories.

Use Windows Dial Up / VPN Networking

Password:

Save password

IDM drop target. Drop web-links for downloading here

Export download list

Export download queue

Export selected files

Export all files

Hide images located on this web page

Using special keys

Use the following key(s) to prevent downloading with IDM for any links:

Use the following key(s) to force downloading with IDM for any links:

Note: Sometimes after you click on a download link, a web page will load telling that the download starts in X seconds. In this case you will need to uncheck the following option to force downloading with IDM.

Check for left mouse button clicked on a link along with the special key(s) pressed to force downloading the link

While holding down a special key DO NOT take over the downloads

which are web-pages, pictures, scripts and etc.

Internet Download Manager Problem Report

We have created a configuration report that you can send us.

Press Advanced button to enable manual login or to disable a logout page

Enter login and password manually at the following web page:

Please note that a web server may reject requests if you set a large number of files to explore (download) at the same time.

At this step you should specify what web pages to explore to find the required files. At the next step, you will be able to set file types, location, and other filters.

Ignore popup windows

Explore web pages within the following paths/domains only:

Don't explore web pages within the following paths/domains:

Web pages processed

Type your user name and password.

Save this password in IDM password list

It's possible to add a group of sequential file names like img001.jpg, img002.jpg, etc., img100.jpg to IDM download queue. Use the asterisk wildcard for the file name pattern.

For example: hXXp://VVV.internetdownloadmanager.com/pictures/img*.jpg

Report for IDM developers

You can send a report to IDM developers about the downloads that were taken over by mistake to make a workaround for this site in the future versions of IDM

The referrer URL from which the download was taken over by mistake:

Note: Internet servers may break connection when the speed is too limited! Thus it's not recommened to use Speed Limiter to download from servers that do not support "resume" feature.

IDM can show its Download panel on a web-player in a browser when IDM detects a multimedia request from the web-player

Don't capture downloads from web-players automatically

IDM can show Download panel on a web-page when you select a text that contains download links.

FileUrl

Use &HTTP Proxy

Use HTTP&S Proxy

Use &FTP Proxy

Google Chrome Integration

EMake an attempt to find HTTP proxy in Internet Explorer configuration

:Use FTP protocol in passive mode (needed behind firewalls)

>Check for available updates on VVV.internetdownloadmanager.com

'Register IDM with your registration key

Contact IDM support team

Stop all downloads%Remove selected file(s) from the list(Remove all completed files from the listDBrowsers/System integration, File types, Proxy, Passwords and others

Opening Port

Port Opened

Change Password Requested

Password Expired

All Files (*.*)

No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.

Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.

Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.

#Unable to load mail system support.

Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.

Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.

Disk full while accessing %1..An attempt was made to access %1 past its end.

No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.

6, 19, 1, 2

1999 - 2014

IEMonitor.exe_1988:

.text

`.rdata

@.data

.rsrc

QSSSh

QPSSh

CCmdTarget

commctrl_DragListMsg

COMCTL32.DLL

%*.*f

CNotSupportedException

MSWHEEL_ROLLMSG

ole32.dll

__MSVCRT_HEAP_SELECT

user32.dll

GetCPInfo

KERNEL32.dll

GetKeyboardState

GetKeyState

SetWindowsHookExA

CreateDialogIndirectParamA

UnhookWindowsHookEx

USER32.dll

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GDI32.dll

comdlg32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

SHELL32.dll

COMCTL32.dll

oledlg.dll

OLEPRO32.DLL

OLEAUT32.dll

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

%s%s%s

GlobalErrors.log

%s, Time: %.15s.%hu %s

idmmkb.dll

%s\idmmkb.dll

{0055C089-8582-441B-A0BF-17B458C2A3A8}

Software\Microsoft\Windows\CurrentVersion\Ext\Settings

Windows Internet Explorer

iexplore.exe

ShiftP

UseKeyToPrevent

UseKeyToForce

SpecialKeys

hXXps://

PTF://

hXXp://

This application is secure, safe, and signed with our certificate from Microsoft.

The window of this application should not be visible and it's possible that you have a program that switches the display of hidden windows.

.?AVCCmdTarget@@

.PAVCException@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCUserException@@

.PAVCOleException@@

.PAVCObject@@

.PAVCOleDispatchException@@

.PAVCSimpleException@@

.PAVCResourceException@@

.PAVCArchiveException@@

.PAVCMemoryException@@

.PAVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCFileException@@

zcÁ

windows

KERNEL32.DLL

%Program Files%\Internet Download Manager\GlobalErrors.log

%Program Files%\Internet Download Manager\IEMonitor.exe

version="1.0.0.0"

name="Tonec.IDM.IEMonitor"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="asInvoker"/>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

JPAwmsgw

h%s\idmmkb.dll

6, 18, 7, 1

1999 - 2013

IEMonitor.EXE

All Files (*.*)

No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.

Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.

Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.

Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.

Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.

Disk full while accessing %1..An attempt was made to access %1 past its end.

No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.

#Unable to load mail system support.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   taskkill.exe:932
   taskkill.exe:1812
   %original file name%.exe:1164
   WScript.exe:1884
   net1.exe:544
   RUNDLL32.EXE:1984
   net.exe:592
   runonce.exe:1012
   IEMonitor.exe:1988
   svchost_.exe:488
   IDMan.exe:516
   grpconv.exe:1312

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Application Data\WinDbg\windbg.exe (37269 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\svchost_.exe (15769255 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Z0KvOr (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Z0KvOr.vbs (618 bytes)
   %WinDir%\inf\oem11.PNF (7349 bytes)
   %System%\drivers\SET4.tmp (601 bytes)
   %WinDir%\inf\oem11.inf (2 bytes)
   %WinDir%\setupapi.log (4760 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\IDM Registered.bat (600 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components2\idmhelper.js (1 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\defextmap.dat (2 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components\iIDMMzCC.xpt (569 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components2\idmmzcc.dll (2696 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components\iIDMHelper5.xpt (2 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components9\idmmzcc.dll (1256 bytes)
   %Program Files%\Internet Download Manager\idmcchandler2.dll (1425 bytes)
   %Program Files%\Internet Download Manager\idmcchandler2_64.dll (2321 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\META-INF\zigbert.rsa (196 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components2\iIDMMzCC.xpt (569 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\chrome\idmmzcc.jar (196 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\install.rdf (2 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components2\idmcchandler2.dll (20504 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\META-INF\zigbert.sf (2 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components2\iIDMHelper.xpt (331 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components\idmhelper5.js (776 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\Scheduler\s_1.dt (304 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\chrome.manifest (1 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components2\idmmzcc64.dll (1928 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components9\idmmzcc64.dll (1928 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components2\idmcchandler2_64.dll (28400 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\components\idmmzcc.dll (2696 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\install.js (696 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\idmmzcc5\META-INF\manifest.mf (2 bytes)
   %Documents and Settings%\%current user%\Application Data\IDM\urlexclist.dat (2 bytes)

5. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   "GrpConv" = "grpconv -o"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Idman" = "%Program Files%\Internet Download Manager\IDMan.exe /onboot"

6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.