SearchProtectToolbar_pcap_14e6e6fb83
SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 14e6e6fb83be47d5a41447c2e8584403
SHA1: 0d78275abd35c5435e1bd7596ee7aea36b899581
SHA256: 8113aa2634cd7f9a9fe4728728294f8ad9c537c5611575c9e0cf671d04f775ff
SSDeep: 1536:VQpQ5EP0ijnRTXJz68gkW RoeGd8yNkM/Dk22MpCOw78dfxkF:VQIURTXJz7Ozd8yNka7pCOjdKF
Size: 104760 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: GreenTree Applications SRL
Created at: 2009-12-06 00:50:46
Analyzed on: Windows7Ada SP1 64-bit
Summary:
Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
SP.EXE:1680
%original file name%.exe:4048
BrowserExtensionsSetupUAC.exe:1848
YTDSetup.exe:1508
~spD451.tmp:2164
BEHelper.exe:1440
SearchProtectionStub.exe:1560
Au_.exe:3976
Au_.exe:3828
~spE38E.tmp:3172
uninstall.exe:1712
uninstall.exe:4024
exthelper.exe:676
The Malware injects its code into the following process(es):
ytd.exe:1492
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process SP.EXE:1680 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal (9778 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4C62WHO\favicon[1].ico (1150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (324 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\yandex_ff.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{38754113-2264-4057-B454-CF19832D9F10}.ico (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data (4388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\searchplugins\yandex.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\yandex_ie.xml (496 bytes)
The process %original file name%.exe:4048 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\inetca.dll (804 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC35.tmp (2290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\YTDSetup.exe (715970 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CZBXF8H\YTDSetup[1].exe (671764 bytes)
The process BrowserExtensionsSetupUAC.exe:1848 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}\chrome\content (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7} (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AC.tmp (12592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}\chrome\content (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\NSISCouponsPlugin.dll (18372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C} (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC} (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}\chrome\content (4 bytes)
The process YTDSetup.exe:1508 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\LICENSE (1 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Uninstall.exe (8318 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1050.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1049.ini (784 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\YTD Video Downloader.lnk (2 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll (3616 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1036.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\UserInfo.dll (8 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\librtmp.dll (60186 bytes)
C:\Users\Public\Desktop\YTD Video Downloader.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\SearchProtectionStub.exe (1828 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\System.dll (23 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll (19096 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\Web site.url (55 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1053.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1034.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1035.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1048.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1059.ini (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2074.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\exthelper.exe (1826 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EE.tmp (733038 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1031.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1055.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2070.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\FFMPEG.EXE (395158 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1043.ini (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NV3AJTKT\so[1].xml (7285 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2052.ini (12 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll (2392 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll (326900 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll (69435 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\scripts.yds (6360 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1030.ini (13 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\Uninstall.lnk (2 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1025.ini (15 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\manual.bat (57 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1038.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1044.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1040.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1032.ini (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1045.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1029.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv3 (7 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv2 (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1051.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res9999.ini (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISPluginW.dll (15982 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1061.ini (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\getCountry (2 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1060.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1052.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISHelper.dll (8801 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.Apachev2 (11 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe (51136 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1026.ini (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1033.ini (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\modern-header.bmp (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\nsDialogs.dll (21 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll (1552 bytes)
The process ~spD451.tmp:2164 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\SP.exe (33796 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\Uninstall.exe (15904 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF1A.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spE38E.tmp (1940 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF1A.tmp\SP.dll (33090 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF19.tmp (84143 bytes)
The process ytd.exe:1492 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\ProgramData\YTD Video Downloader\scripts0.yds (673 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\plugins.dat.1492 (1444 bytes)
C:\ProgramData\YTD Video Downloader\scripts0.20150129 (22548 bytes)
The process BEHelper.exe:1440 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\config.json (965 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome.manifest (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\redirects.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\savingsslider.xul (606 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\icon.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\icon.png (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\main.js (394 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\main.js (134 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\newtab.xul (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\saebay.js (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\spigot.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NV3AJTKT\update[1].xml (375 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\ebay.xul (569 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\main.js (374 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\spigot.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\prefs.txt (171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\spigot.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\main.xul (681 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome.manifest (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome.manifest (125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\prefs.txt (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\config.json (1235 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\icon.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\savingsslider.js (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\ebay.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\config.json (213 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\startpage.js (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\prefs.txt (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\install.rdf (1 bytes)
The process SearchProtectionStub.exe:1560 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskD3C4.tmp\SP.dll (33090 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spD451.tmp (1162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuD3B3.tmp (28806 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskD3C4.tmp\System.dll (23 bytes)
The process Au_.exe:3976 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57A.tmp (17495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\ping (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\BrowserExtensionsSetupUAC.exe (16750 bytes)
The process Au_.exe:3828 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw7A8D.tmp (27289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq7ABC.tmp\SP.dll (33090 bytes)
The process ~spE38E.tmp:3172 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Button.exe (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF7.tmp (64389 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\saebay.xpi (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\NSISCouponsPlugin.dll (18372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Uninstall.exe (17637 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\coupons.xpi (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons64.dll (13368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Button64.exe (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\ButtonWrap64.dll (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\ping (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\ButtonWrap.dll (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\BEHelper.exe (19640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\startpage.xpi (8 bytes)
The process uninstall.exe:1712 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb79C2.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe (3589 bytes)
The process uninstall.exe:4024 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsqB4ED.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe (3922 bytes)
The process exthelper.exe:676 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4C62WHO\extconfig[1].xml (3777 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scr68B1.tmp (15 bytes)
Registry activity
The process SP.EXE:1680 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{38754113-2264-4057-B454-CF19832D9F10}]
"FaviconURL" = "http://www.yandex.com/favicon.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{38754113-2264-4057-B454-CF19832D9F10}]
"DisplayName" = "ïýôõúÑÂ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "D6 EC 6C 28 2B 41 D0 01"
[HKCU\Software\AppDataLow\Software\Search Protection]
"ping_ts" = "1423130703"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKCU\Software\AppDataLow\Software\Search Protection]
"GCFailed" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "12 6D 3E 37 2B 41 D0 01"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{38754113-2264-4057-B454-CF19832D9F10}]
"URL" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{38754113-2264-4057-B454-CF19832D9F10}"
[HKCU\Software\Microsoft\Internet Explorer\User Preferences]
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977" = "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0"
[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"NewTabPageShow" = "1"
[HKCU\Software\Microsoft\Internet Explorer\ContinuousBrowsing]
"Enabled" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.yandex.ru/?clid=1782898"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"ShowSearchSuggestionsInAddressGlobal" = "1"
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{38754113-2264-4057-B454-CF19832D9F10}]
"OSDFileURL" = "file:///C:/Users/adm/AppData/Local/Temp/yandex_ie.xml"
"FaviconPath" = "C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{38754113-2264-4057-B454-CF19832D9F10}.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
"WpadDecision" = "0"
[HKCU\Software\AppDataLow\Software\Search Protection]
"FFFailed" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "12 6D 3E 37 2B 41 D0 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process %original file name%.exe:4048 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "55 81 2D 0C 2B 41 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "55 81 2D 0C 2B 41 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "55 81 2D 0C 2B 41 D0 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process BrowserExtensionsSetupUAC.exe:1848 makes changes in the system registry.
The Malware deletes the following registry key(s):
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{90E4CD0C-426F-4207-805B-7885AB32D43F}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CAE9BEC8-4723-4347-AFC6-25EE3326BA5B}]
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories]
The process YTDSetup.exe:1508 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"DisplayName" = "YTD Video Downloader 4.8.9"
"Publisher" = "GreenTree Applications SRL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Wow6432Node\{DAF8B7E5-449D-4180-8281-10E536E597F2}]
"(Default)" = "4.8.9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "55 81 2D 0C 2B 41 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"VersionMajor" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF" = "01 00 00 00 00 00 00 00 C2 9F 86 34 2B 41 D0 01"
[HKCU\Software\GreenTree Applications\YTD]
"ISN" = "F7DBCDBD737B449098794B4547AA6F06"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "AF C3 23 0E 2B 41 D0 01"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"DisplayVersion" = "4.8.9"
[HKLM\SOFTWARE\Wow6432Node\{DAF8B7E5-449D-4180-8281-10E536E597F2}]
"it" = "20150205120417"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"URLInfoAbout" = "http://www.ytddownloader.com"
"InstallDir" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\"
"VersionMinor" = "8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"MainApp" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe"
[HKCU\Software\GreenTree Applications\YTD]
"Language" = "1033"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\GreenTree Applications\YTD]
"(Default)" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"DisplayIcon" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe,0"
"UninstallString" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\uninstall.exe"
[HKCU\Software\GreenTree Applications\YTD]
"kitType" = "ytd"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"InstallLocation" = "%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "AF C3 23 0E 2B 41 D0 01"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}]
"NoModify" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process ~spD451.tmp:2164 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"VersionMajor" = "1"
[HKCU\Software\AppDataLow\Software\Search Protection]
"CCV" = "198"
"WS_FF_AB" = "http://yandex.ru/yandsearch?clid=1782899&text="
"WS_GC_IB" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"
"HP_IE" = "http://www.yandex.ru/?clid=1782898"
"WS_FF_IB" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"
"ISN" = "CCF69B272FE54EE58735A380676F1DE4"
"ChannelID" = "937811"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"NoRepair" = "1"
[HKCU\Software\AppDataLow\Software\Search Protection]
"HP_GC" = "http://www.yandex.ru/?clid=1782898"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\uninstall.exe"
[HKCU\Software\AppDataLow\Software\Search Protection]
"sdsprotection" = "1"
"InhibitGC" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"NoModify" = "1"
[HKCU\Software\AppDataLow\Software\Search Protection]
"app_ver" = "10.8.0.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"DisplayName" = "Search Protection"
[HKCU\Software\AppDataLow\Software\Search Protection]
"FCV" = "198"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"URLInfoAbout" = "http://www.spigot.com"
"VersionMinor" = "0"
"Publisher" = "Spigot, Inc."
[HKCU\Software\AppDataLow\Software\Search Protection]
"SPID" = "359"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"DisplayVersion" = "10.8.0.1"
[HKCU\Software\AppDataLow\Software\Search Protection]
"WS_IE_IB" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"InstallDir" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\"
"InstallLocation" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\"
[HKCU\Software\AppDataLow\Software\Search Protection]
"HP_FF" = "http://www.yandex.ru/?clid=1782898"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\SP.EXE,0"
[HKCU\Software\AppDataLow\Software\Search Protection]
"937811" = "1"
"WS_IE_AB" = "http://yandex.ru/yandsearch?clid=1782899&text={searchTerms}"
To run automatically each time Windows is booted, the Malware adds the following value, which points to its file, to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Search Protection" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\SP.EXE /autostart"
The Malware deletes the following value(s) in system registry:
The Malware disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SearchProtection"
The process ytd.exe:1492 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "AF C3 23 0E 2B 41 D0 01"
[HKCU\Software\{DAF8B7E5-449D-4180-8281-10E536E597F2}]
"lv" = "1423130669"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "40 F6 E5 22 2B 41 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\GreenTree Applications\YTD]
"NextCheckAutoUpdate" = "1423134269"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\{DAF8B7E5-449D-4180-8281-10E536E597F2}]
"CheckInterval" = "3600"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
"WpadDecision" = "0"
[HKCU\Software\GreenTree Applications\YTD]
"ConvertDirectory" = "C:\Users\"%CurrentUserName%"\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "40 F6 E5 22 2B 41 D0 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process BEHelper.exe:1440 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "CA BC 38 36 2B 41 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{54FBE89E-C878-46bb-A064-AB327EE26EBC}" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{62DD0A97-FDD4-421b-94A5-D1A9434450C7}" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4A 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{CA8C84C6-3918-41b1-BE77-049B2BDD887C}" = ""
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{f894a29a-f065-40c3-bb19-da6057778493}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{58d2a791-6199-482f-a9aa-9b725ec61362}"
"[email protected]"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{32da2f20-827d-40aa-a3b4-2fc4a294352e}"
"[email protected]"
"{46eddf51-a4f6-4476-8d6c-31c5187b2a2f}"
The process Au_.exe:3976 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Malware deletes the following registry key(s):
[HKCU\Software\AppDataLow\Software\Browser Extensions]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
The Malware disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Extensions"
"Slick Savings"
The process Au_.exe:3828 makes changes in the system registry.
The Malware deletes the following registry key(s):
[HKCU\Software\AppDataLow\Software\Search Protection]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
The Malware deletes the following value(s) in system registry:
The Malware disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"
The process ~spE38E.tmp:3172 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"InstallLocation" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"AppName" = "Button.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"(Default)" = "Browser Extensions"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"VersionMinor" = "4"
"URLInfoAbout" = "http://www.spigot.com"
"NoRepair" = "1"
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"DisplayName" = "Browser Extensions"
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"
[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"cnid" = "937811"
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{CA8C84C6-3918-41b1-BE77-049B2BDD887C}" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\saebay.xpi|1|{cnid : 937811, cnid_overwrite : true}|[email protected]|{f894a29a-f065-40c3-bb19-da6057778493}"
[HKCU\Software\AppDataLow\Software\Browser Extensions]
"cnid" = "937811"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CAE9BEC8-4723-4347-AFC6-25EE3326BA5B}]
"Policy" = "3"
[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"iedns" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"AppName" = "Button64.exe"
"Policy" = "3"
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\BEHelper.exe,0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"NoExplorer" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"
[HKCU\Software\AppDataLow\Software\Browser Extensions]
"SS_Ver" = "2.6"
[HKCU\Software\Microsoft\Internet Explorer\Approved Extensions]
"{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}" = "51 66 7A 6C 4C 1D 3B 1B 5B C4 BA 28 E3 9E A9 03"
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"(Default)" = "Browser Extensions"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{90E4CD0C-426F-4207-805B-7885AB32D43F}]
"Policy" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"VersionMajor" = "1"
[HKCR\Wow6432Node\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{90E4CD0C-426F-4207-805B-7885AB32D43F}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"NoModify" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"(Default)" = "Browser Extensions"
[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"iecp" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CAE9BEC8-4723-4347-AFC6-25EE3326BA5B}]
"AppName" = "BEHelper.exe"
[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"ieeb" = "1"
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{54FBE89E-C878-46bb-A064-AB327EE26EBC}" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\coupons.xpi|1|{cnid : 937811, cnid_overwrite : true}|[email protected]|{46eddf51-a4f6-4476-8d6c-31c5187b2a2f}"
[HKCU\Software\AppDataLow\Software\Browser Extensions]
"ISN" = "E0BCB5085EA24F7699566D8CEBD03DB5"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"Publisher" = "Spigot, Inc."
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CAE9BEC8-4723-4347-AFC6-25EE3326BA5B}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"DisplayVersion" = "2.6"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"Policy" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\uninstall.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"AppName" = "Button64.exe"
[HKCU\Software\AppDataLow\Software\Browser Extensions]
"(Default)" = ""
[HKCU\Software\AppDataLow\Software\Browser Extensions\iexplorer]
"ISN" = "E0BCB5085EA24F7699566D8CEBD03DB5"
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons64.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"AppName" = "Button.exe"
[HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}\Implemented Categories]
"(Default)" = ""
[HKCU\Software\AppDataLow\Software\Browser Extensions\firefox]
"{62DD0A97-FDD4-421b-94A5-D1A9434450C7}" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\startpage.xpi|1|{dns : true, ntp :true, cnid : 937811, cnid_overwrite : true, dummy : true}|{58d2a791-6199-482f-a9aa-9b725ec61362}|{32da2f20-827d-40aa-a3b4-2fc4a294352e}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{90E4CD0C-426F-4207-805B-7885AB32D43F}]
"AppName" = "BEHelper.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1672163f-8651-4c0d-9c05-4ba941123972}]
"Policy" = "3"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61db39d5-034c-45c0-8bb2-daf857edcf3b}]
"Policy" = "3"
[HKCU\Software\AppDataLow\Software\Browser Extensions]
"Src" = "install"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}]
"NoExplorer" = "1"
"(Default)" = "Browser Extensions"
To run automatically each time Windows is booted, the Malware adds the following value, which points to its file, to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Extensions" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\BEHelper.exe"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Internet Explorer\Approved Extensions]
"{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}"
The process uninstall.exe:1712 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISPluginW.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe,"
The process uninstall.exe:4024 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\7711c0f3\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISPluginW.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe,"
The process exthelper.exe:676 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "AF C3 23 0E 2B 41 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "75 6B 7C 23 2B 41 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "75 6B 7C 23 2B 41 D0 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| 39d11c773b46d3084ef4aac1f9863146 | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\FFMPEG.EXE |
| c1d1a3e711f0943527b3fc6f3c1b1f85 | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Uninstall.exe |
| 921b64a7dace4c93161b942b80b6b41b | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\librtmp.dll |
| ded3aa6b7920334e6b334eaed3db96c5 | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll |
| 3c07164ceba1068ee3eff672d8e11eb6 | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll |
| ab0a22194181d6d6ff01123dc9a376ce | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll |
| 91074f5c7288c67eaed2c2c657e373d3 | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll |
| 43f19a5d4d42e3cd6514348ba5fbdd96 | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll |
| a3297b187aba1024501007bce77eeec4 | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll |
| 04a21f5ee0a9c27ca5e5dae050f3d275 | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll |
| d4f826e68b616cccc1de1e5ef07738b8 | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll |
| 46672363f47a25d69a5324045f4e8d63 | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll |
| 4088b4e4ea76db97544c76ef7f2af08c | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll |
| 416108272cc56d4036d5796fbb1b8f3c | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll |
| 350983ab596397b2d2703d658baeea8c | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll |
| 6d9fa70a05698e9b6aa1c6074def16e8 | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll |
| 3dee8d41db28133b3d00bfdf0fd16eaf | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll |
| ccc67f588880568bfd46c4b8140f41aa | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll |
| 520e9ab3b16bb164542ce6305036d98b | c:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe |
| aacddb459301cfe5498d9d862aac02d3 | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CZBXF8H\YTDSetup[1].exe |
| 1afbce9051d9a627097f04951b2765db | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISPluginW.dll |
| 5d2940775446f6dd29e25ce192aec206 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\exthelper.exe |
| 4f65a008acd242966d7e6ef4944e6fe0 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| fbb01457a61a080a2b42b77cf34f286c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spD451.tmp |
| be546e15ca59c448dc5e1346605d401f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spE38E.tmp |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: GreenTree Applications SRL
Product Name: YTD Video Downloader
Product Version: 4.8.6.3
Legal Copyright: (c) 2014 GreenTree Applications SRL. All rights reserved.
Legal Trademarks:
Original Filename: YTDStub.exe
Internal Name: YTDStubInstaller
File Version: 4.8.6.3
File Description: YTD Video Downloader stub
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
| .rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
| .data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
| .ndata | 147456 | 45056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 192512 | 48912 | 49152 | 4.76321 | 571b2c67eb88f22b898e779f7a691ef9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
GET /images/pixel.gif?ct=ebd2&ies=3&eo=sgbe&cnid=937811&kt=ytd&isn=6D55661F1F404E278EE9A5E3F94B5F4B&tov=20&sbe=1&sds=1&shp=1 HTTP/1.1
Host: VVV.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:05:00 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 1093
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: image/gif
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?77e52b9fc60a860d HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 12 Sep 2014 18:47:05 GMT
If-None-Match: "805a83f2b9cecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 23 Jan 2015 02:29:11 GMT
Accept-Ranges: bytes
ETag: "803565fb436d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 57591
Date: Thu, 05 Feb 2015 10:05:34 GMT
Connection: keep-alive
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 28 Jan 2015 06:05:55 GMT
Accept-Ranges: bytes
ETag: "75565c7ac03ad01:0"
Server: Microsoft-IIS/8.0
VTag: 791666644800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Thu, 05 Feb 2015 10:09:17 GMT
Connection: keep-alive
GET /update/wt/ie/coupons/update.xml?src=stub&cnid=937811 HTTP/1.1
User-Agent: SDS
Host: update.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Thu, 05 Feb 2015 10:05:02 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
177
<?xml version='1.0' encoding='UTF-8'?>
<cpupdate>
<libid>{40C6AC97-5316-4D22-BA61-3BF0D585FB22}</libid>
<url>hXXp://update.mybrowserbar.com/update/wt/ie/coupons/coupons_1.6.zip</url>
<ver>1.6</ver>
<setupurl>hXXp://update.mybrowserbar.com/update/wt/ie/coupons/BrowserExtensionsSetup.exe</setupurl>
<setupver>2.6</setupver>
<gc>1</gc>
</cpupdate>
0
GET /images/ytd-logo.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: image/png
Content-Length: 34724
Last-Modified: Fri, 05 Oct 2012 14:07:53 GMT
Connection: keep-alive
Accept-Ranges: bytes
GET /images/header-bg.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: image/jpeg
Content-Length: 123553
Last-Modified: Thu, 10 Oct 2013 14:08:34 GMT
Connection: keep-alive
Accept-Ranges: bytes
GET /images/top-header-bg.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=135583929.141684822.1423130703.1423130703.1423130703.1; __utmb=135583929.1.10.1423130703; __utmc=135583929; __utmz=135583929.1423130703.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:02 GMT
Content-Type: image/jpeg
Content-Length: 2458
Last-Modified: Fri, 05 Oct 2012 14:07:53 GMT
Connection: keep-alive
Accept-Ranges: bytes
GET /static/r07/menu171.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 22 Jan 2015 11:14:57 GMT
Content-Encoding: gzip
Cache-Control: public, no-check, max-age=86313600
Content-Type: text/javascript
Content-Length: 20323
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:02 GMT
Via: 1.1 varnish
Age: 1205260
Connection: keep-alive
X-Host: s7.addthis.com
X-Served-By: cache-fra1229-FRA
X-Cache: HIT
X-Cache-Hits: 785230
X-Timer: S1423130702.429801,VS0,VE0
Vary: Accept-Encoding
GET /ga.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.google-analytics.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 08:36:27 GMT
Expires: Thu, 05 Feb 2015 10:36:27 GMT
Last-Modified: Fri, 16 Jan 2015 00:55:08 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 16151
Age: 5314
Alternate-Protocol: 80:quic,p=0.02
Cache-Control: public, max-age=7200
<<< skipped >>>
GET /r/__utm.gif?utmwv=5.6.2&utms=1&utmn=1243149095&utmhn=VVV.ytddownloader.com&utmcs=windows-1252&utmsr=1683x901&utmvp=1683x804&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=YTD Video Converter&utmhid=380816574&utmr=-&utmp=/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0&utmht=1423130702591&utmac=UA-25210420-2&utmcc=__utma=135583929.141684822.1423130703.1423130703.1423130703.1;+__utmz=135583929.1423130703.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=2102772812&utmredir=1&utmu=qAAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.google-analytics.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Thu, 05 Feb 2015 10:05:02 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
Alternate-Protocol: 80:quic,p=0.02
GET /b?c1=7&c2=2000001&c3=1&rn=1hz14wz&c7=http://VVV.ytddownloader.com/thankyou.html&c8=YTD Video Converter&cv=1.7 HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://s7.addthis.com/static/r07/sh186.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: b.scorecardresearch.com
DNT: 1
Connection: Keep-Alive
Cookie: UID=120c9bfd-194.221.64.106-1384780341; UIDR=1384780341
HTTP/1.1 204 No Content
Content-Length: 0
Date: Thu, 05 Feb 2015 10:05:02 GMT
Connection: keep-alive
Set-Cookie: UID=120c9bfd-194.221.64.106-1384780341; expires=Wed, 25-Jan-2017 10:05:02 GMT; path=/; domain=.scorecardresearch.com
Set-Cookie: UIDR=1423130702; expires=Wed, 25-Jan-2017 10:05:02 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
GET /getcountry.html HTTP/1.0
Host: VVV.youtubedownloadersite.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Feb 2015 10:03:53 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2
Connection: close
UA
POST /api/rcsvc.php?kt=ytd HTTP/1.1
Accept-Encoding: gzip,deflate
User-Agent: Primeport
Host: VVV.youtubedownloadersite.com
Content-Length: 544
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Feb 2015 10:04:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET /scripts/win/scripts-20150129.yds HTTP/1.1
Accept-Encoding: gzip,deflate
User-Agent: Primeport
Host: VVV.youtubedownloadersite.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Feb 2015 10:04:28 GMT
Content-Type: application/octet-stream
Content-Length: 175248
Last-Modified: Fri, 30 Jan 2015 14:41:23 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
GET /cgi/extconfig.cgi?cnid=937811&ver=2.3&rsv=3.2&kt=ytd&ot=ytdsanth&bver=39.0.2171.95&dbrw=Internet Explorer&cid=c0322acd5e5d42f0b163c591ee6ff5b9 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.mybrowserbar.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:30 GMT
Server: Apache
Vary: Host
Keep-Alive: timeout=30, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
56e5
<?xml version="1.0"?>
<extensions>
  <rsv>3.2</rsv>
  <silent>true</silent>
  <usepopup>true</usepopup>
  <wait>true</wait>
  <height>390</height>
  <width>500</width>
  <buttontext>Install from Chrome Web Store</buttontext>
  <confirmbuttontext>Add</confirmbuttontext>
  <captionwndtext>Add to Chrome</captionwndtext>
  <screen><![CDATA[
<<< skipped >>>
POST /images/pixel.gif?kt=ytd&ot=ytdsanth&cnid=937811&sil=1&cid=c0322acd5e5d42f0b163c591ee6ff5b9&cekonfccladjgbdhpgobceahgjdcdbod=1&jloeihbcjbkgigodmcacomgfihpiaiip=1 HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml
User-Agent: WidgiToolbar
Host: VVV.mybrowserbar.com
Content-Length: 1408
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:55 GMT
Server: Apache
Vary: Host
Cache-Control: max-age=604800
Expires: Thu, 12 Feb 2015 10:04:55 GMT
Content-Length: 0
Keep-Alive: timeout=30, max=99
Connection: Keep-Alive
Content-Type: image/gif
GET /analytics.js HTTP/1.1
Host: VVV.google-analytics.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Referer: hXXp://VVV.mybrowserbar.com/gc/silent2.html?ot=ytdsanth&cnid=937811&kt=ytd&ext[]=cekonfccladjgbdhpgobceahgjdcdbod&ext[]=jloeihbcjbkgigodmcacomgfihpiaiip&ts=1423130670
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 08:22:16 GMT
Expires: Thu, 05 Feb 2015 10:22:16 GMT
Last-Modified: Fri, 16 Jan 2015 00:55:08 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 11479
Age: 6136
Alternate-Protocol: 80:quic,p=0.02
Cache-Control: public, max-age=7200
<<< skipped >>>
GET /live/red_lojson/300lo.json?6iew35&colc=1423130703205&si=54d3404edc48256c&uid=54d3404fe20ab507&pub=ytdcs&rev=15.1&jsl=33&ln=en&pc=men&vpc=&dp=VVV.ytddownloader.com&fp=thankyou.html&aa=0&of=0&uf=1&nt=cs;5,ce;5,dc;319,dclee;319,dcles;319,di;316,dl;311,dle;5,dls;5,fs;5,lee;u,les;319,ns;0,rs;310,rspe;314,rsps;311,scs;u&pd=0&irt=0&ct=1&tct=0&abt=0&lt=347&cdn=0&lnlc=US&whcs=1&tl=c=347,m=356,i=402,xm=733,xp=736&pi=1&&rb=0&gen=1000&gen=100&callback=_ate.track.hsr&uvs=54d3404eae96086b000&chr=windows-1252&md=0&vcl=0 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://s7.addthis.com/static/r07/sh186.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: m.addthis.com
DNT: 1
Connection: Keep-Alive
Cookie: uid=54d3404fe20ab507; uvc=1|5; uit=1
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:05:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Set-Cookie: di2=NJAMOF.UYM;Path=/;Domain=.addthis.com;Expires=Sat, 04-Feb-2017 10:05:03 GMT
Set-Cookie: bt=;Path=/;Domain=.addthis.com;Expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: dt=X;Path=/;Domain=.addthis.com;Expires=Sat, 07-Mar-2015 10:05:03 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Content-Type: application/javascript;charset=UTF-8
Content-Encoding: gzip
Connection: close
GET /images/pixel.gif?action=install&point=finish&cid=cb821f7c3eeccf6c312c56e821a0e91a&isn=F7DBCDBD737B449098794B4547AA6F06&kt=ytd HTTP/1.0
Host: VVV.youtubedownloadersite.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: text/html; charset=utf-8
Connection: close
GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.omniroot.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/ocsp-response
Date: Thu, 05 Feb 2015 10:06:06 GMT
Last-Modified: Thu, 29 Jan 2015 15:18:48 GMT
Server: ECS (frf/8799)
X-Cache: HIT
Content-Length: 1406
<<< skipped >>>
GET /js/250/addthis_widget.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 22 Jan 2015 19:52:12 GMT
ETag: "310041b-29c1-50d4302104bff"
Content-Encoding: gzip
Content-Type: text/javascript
Content-Length: 4161
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:01 GMT
Via: 1.1 varnish
Age: 571
Connection: keep-alive
X-Referer-Domain: hXXp://VVV.ytddownloader.com
X-Host: s7.addthis.com
X-Served-By: cache-fra1240-FRA
X-Cache: HIT
X-Cache-Hits: 34087
X-Timer: S1423130701.810289,VS0,VE0
Vary: Accept-Encoding
<<< skipped >>>
GET /static/r07/core181.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 22 Jan 2015 19:51:58 GMT
Content-Encoding: gzip
Cache-Control: public, no-check, max-age=86313600
Content-Type: text/javascript
Content-Length: 75057
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:01 GMT
Via: 1.1 varnish
Age: 1174324
Connection: keep-alive
X-Host: s7.addthis.com
X-Served-By: cache-fra1240-FRA
X-Cache: HIT
X-Cache-Hits: 63641282
X-Timer: S1423130701.982167,VS0,VE0
Vary: Accept-Encoding
<<< skipped >>>
GET /static/r07/widget/css/widget010.old.css HTTP/1.1
Accept: text/css
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 22 Jan 2015 11:14:15 GMT
Content-Encoding: gzip
Cache-Control: public, no-check, max-age=86313600
Content-Type: text/css
Content-Length: 16960
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:02 GMT
Via: 1.1 varnish
Age: 1205337
Connection: keep-alive
X-Host: s7.addthis.com
X-Served-By: cache-fra1240-FRA
X-Cache: HIT
X-Cache-Hits: 64094798
X-Timer: S1423130702.331959,VS0,VE0
Vary: Accept-Encoding
<<< skipped >>>
GET /static/r07/sh186.html HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 22 Jan 2015 11:14:02 GMT
Content-Encoding: gzip
Cache-Control: public, no-check, max-age=86313600
P3P: CP="NON ADM OUR DEV IND COM STA"
Content-Type: text/html; charset=UTF-8
Content-Length: 22035
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:02 GMT
Via: 1.1 varnish
Age: 1205337
Connection: keep-alive
X-Host: s7.addthis.com
X-Served-By: cache-fra1240-FRA
X-Cache: HIT
X-Cache-Hits: 65415257
X-Timer: S1423130702.391832,VS0,VE0
Vary: Accept-Encoding
<<< skipped >>>
GET /static/r07/widget/img/widget010.old.32.top.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
Cookie: uid=54d3404fe20ab507; uvc=1|5; uit=1
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 22 Jan 2015 11:15:10 GMT
Cache-Control: public, no-check, max-age=86313600
Content-Type: image/png
Content-Length: 4769
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:02 GMT
Via: 1.1 varnish
Age: 1205210
Connection: keep-alive
X-Host: s7.addthis.com
X-Served-By: cache-fra1240-FRA
X-Cache: HIT
X-Cache-Hits: 15406581
X-Timer: S1423130702.766587,VS0,VE0
<<< skipped >>>
GET /kits/ytd/YTDSetup.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: download.ytddownloader.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:03:51 GMT
Content-Type: application/octet-stream
Content-Length: 11127472
Last-Modified: Wed, 14 Jan 2015 15:21:11 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
GET /MFUwUzBRME8wTTAJBgUrDgMCGgUABBS856ddZAq5lE7vDJmoUDW1u98SMAQU3WyAfLq1MhelhEFA8NIEZhMvqZACFGozgiJkrf5JafrJHx/pwJ6+De+O HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: vassg141.ocsp.omniroot.com
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 1765
Last-Modified: Thu, 05 Feb 2015 10:00:43 GMT
ETag: "8e644f2ffdb4851fac4f1eaf5eac8ffd9b9f390d"
Cache-Control: public, no-transform, must-revalidate, max-age=339752
Expires: Mon, 09 Feb 2015 08:27:36 GMT
Date: Thu, 05 Feb 2015 10:05:04 GMT
Connection: keep-alive
<<< skipped >>>
GET /kits/sds/update.xml HTTP/1.1
User-Agent: SDS
Host: VVV.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:58 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
b9
<?xml version='1.0' encoding='UTF-8'?>
<SearchProtection>
 <updatecheck path='hXXp://webupdate.mybrowserbar.com/kits/sds/SearchProtectionSetup.exe' ccv='198' />
 </SearchProtection>
0
GET /connect/xd_arbiter/DU1Ia251o0y.js?version=41 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: static.ak.facebook.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Content-Encoding: gzip
X-FB-Debug: zGxUGTr28XP7LnfwC2GGF OIn6bjOuos9aNngxqem9Pi37XxlKarvu0z350i8DLG2VlRRxBUVhfLuq5OHNeTcA==
Vary: Accept-Encoding
Content-Length: 9955
Cache-Control: public, max-age=30775202
Expires: Wed, 27 Jan 2016 14:45:04 GMT
Date: Thu, 05 Feb 2015 10:05:02 GMT
Connection: keep-alive
<<< skipped >>>
GET /update/wt/ie/coupons/BrowserExtensionsSetup.exe HTTP/1.1
User-Agent: SDS
Host: update.mybrowserbar.com
Accept: */*
<<< skipped >>>
GET /ajax/libs/jquery/1.9.1/jquery.min.js HTTP/1.1
Host: ajax.googleapis.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
X-Client-Data: CIS2yQEIpLbJAQiptskBCMG2yQEInobKAQjxiMoB
Referer: hXXp://VVV.mybrowserbar.com/gc/silent2.html?ot=ytdsanth&cnid=937811&kt=ytd&ext[]=cekonfccladjgbdhpgobceahgjdcdbod&ext[]=jloeihbcjbkgigodmcacomgfihpiaiip&ts=1423130670
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Fri, 08 Feb 2013 15:35:10 GMT
Date: Wed, 04 Feb 2015 11:37:07 GMT
Expires: Thu, 04 Feb 2016 11:37:07 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 32819
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 80844
Alternate-Protocol: 80:quic,p=0.02
<<< skipped >>>
GET /kits/sds/SearchProtectionStub.exe HTTP/1.1
Host: download.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:56 GMT
Server: Apache
Last-Modified: Mon, 19 Jan 2015 14:12:15 GMT
Accept-Ranges: bytes
Content-Length: 532232
Content-Type: application/x-msdos-program
<<< skipped >>>
GET /live/t00/mu.gif?a=sc&r=1&err=1 HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: m.addthisedge.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 204 No Content
Date: Thu, 05 Feb 2015 10:05:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Connection: close
GET /cgi/nta/config.cgi/9d357cad646259e5aec21e92440c2512/937811/1.5/nthgc HTTP/1.1
Host: VVV.mybrowserbar.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: _ga=GA1.2.1138944218.1423130672
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:50 GMT
Server: Apache
Vary: Host
Keep-Alive: timeout=30, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
ce
<?xml version="1.0" encoding="UTF-8"?>
<dea>
 <url>hXXps://search.yahoo.com/search?fr=spigot-nt-gc&ei=utf-8&ilc=12&type=937811&p={searchTerms}</url>
 <vulcun_offer>0</vulcun_offer>
</dea>
0
GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.msocsp.com
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:06:06 GMT
Content-Type: application/ocsp-response
Content-Length: 1757
Connection: keep-alive
Set-Cookie: __cfduid=daa641d14fedb9c0747aed2e3ae47fdce1423130766; expires=Fri, 05-Feb-16 10:06:06 GMT; path=/; domain=.msocsp.com; HttpOnly
Last-Modified: Mon, 02 Feb 2015 23:13:04 GMT
Expires: Fri, 06 Feb 2015 23:13:04 GMT
ETag: "32dc2dc5ade4e5867c219925d83ebab0609e8b04"
Cache-Control: max-age=345599,public,no-transform,must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 1b3e4b1d1a680bff-AMS
<<< skipped >>>
GET /en_US/all.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: connect.facebook.net
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
ETag: "e7a53c95dea3821e936847030459760f"
Content-Type: application/x-javascript; charset=utf-8
Timing-Allow-Origin: *
Vary: Accept-Encoding
Content-Encoding: gzip
Content-MD5: OwvuCluN9SXnDHn1UJMFUA==
X-FB-Debug: U5mvkYE3qNXtolM8JJLDfrzyq1VZrnmJHuKfvIo0V4MhGfXMfIIfgOr2ifF8QS9gRdHcm/2 DMPXFyFDBmEH5A==
Content-Length: 52552
Cache-Control: public, max-age=1200
Expires: Thu, 05 Feb 2015 10:25:02 GMT
Date: Thu, 05 Feb 2015 10:05:02 GMT
Connection: keep-alive
<<< skipped >>>
POST /cgi/api.cgi/937811/CCF69B272FE54EE58735A380676F1DE4/vrst/20 HTTP/1.1
User-Agent: WidgiToolbar-198-937811
Host: api.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 623
Content-Type: application/x-www-form-urlencoded
<drq><auth><ccv>198</ccv><cnid>937811</cnid><isn>CCF69B272FE54EE58735A380676F1DE4</isn><ct>20</ct><dlid>1033</dlid><lngid>1033</lngid><wv>6.1</wv><brw><ie>10.0.9200.16521</ie><ff>29.0.1</ff><gc>39.0.2171.95</gc><dbrw>Internet Explorer</dbrw></brw></auth>
<vrst><isn>CCF69B272FE54EE58735A380676F1DE4</isn><cnid>937811</cnid><code_ver>198</code_ver><type>install</type><ct>20</ct><src>12</src><cid>c0322acd5e5d42f0b163c591ee6ff5b9</cid><cmdline>"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spD451.tmp" /fpd /cnid 937811 /runbe /iebf=15 /ffbf=15 /noeh /dsie /dsff /dsgc /register /seprotect /hp /wait /ntp_ie /S</cmdline></vrst></drq>
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:05:01 GMT
Server: Apache
Pragma: no-cache
Cache-control: no-cache
Transfer-Encoding: chunked
Content-Type: text/html
Expires: Thu, 05 Feb 2015 10:05:01 GMT
2b
<drp><auth>
 <scv>198</scv>
</auth>
</drp>
0
GET /images/pixel.gif?action=install&point=start&cid=cb821f7c3eeccf6c312c56e821a0e91a&isn=F7DBCDBD737B449098794B4547AA6F06&kt=ytd HTTP/1.0
Host: VVV.youtubedownloadersite.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Feb 2015 10:03:53 GMT
Content-Type: text/html; charset=utf-8
Connection: close
GET /cgi-bin/CRL/2018/cdp.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.public-trust.com
HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 04 Feb 2015 20:30:01 GMT
ETag: "200c0-420-50e490d42fd35"
Accept-Ranges: bytes
Content-Type: application/x-pkcs7-crl
Connection: Keep-Alive
Date: Thu, 05 Feb 2015 10:06:43 GMT
Content-Length: 1056
<<< skipped >>>
GET /static/r07/plugins/counter020.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 05 Aug 2014 18:10:35 GMT
Content-Encoding: gzip
Cache-Control: public, no-check, max-age=86313600
Content-Type: text/javascript
Content-Length: 3552
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:02 GMT
Via: 1.1 varnish
Age: 15058791
Connection: keep-alive
X-Host: s7.addthis.com
X-Served-By: cache-fra1243-FRA
X-Cache: HIT
X-Cache-Hits: 11063027
X-Timer: S1423130702.450932,VS0,VE0
Vary: Host,Accept-Encoding
<<< skipped >>>
GET /images/pixel.gif?isn=E0BCB5085EA24F7699566D8CEBD03DB5&ver=2.6&cnid=937811&ct=bekit&event=install HTTP/1.0
Host: VVV.mybrowserbar.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:05:05 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 1093
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: image/gif
POST /cgi/api.cgi/937811/CCF69B272FE54EE58735A380676F1DE4/vloc/20 HTTP/1.1
User-Agent: WidgiToolbar-198-937811
Host: api.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 486
Content-Type: application/x-www-form-urlencoded
<drq><auth><ccv>198</ccv><fcv>198</fcv><cnid>937811</cnid><tbcnid></tbcnid><isn>CCF69B272FE54EE58735A380676F1DE4</isn><ct>20</ct><dlid>1033</dlid><lngid>1033</lngid><wv>6.1</wv><brw><ie>10.0.9200.16521</ie><ff>29.0.1</ff><gc>39.0.2171.95</gc><dbrw>Internet Explorer</dbrw></brw></auth>
<vloc><type>install</type><key>1</key><key>3</key><key>2</key><key>4</key><key>5</key><key>6</key><key>7</key><key>8</key><key>9</key><key>10</key><key>11</key><key>14</key><key>15</key></vloc></drq>
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:05:01 GMT
Server: Apache
Pragma: no-cache
Cache-control: no-cache
Transfer-Encoding: chunked
Content-Type: text/html
Expires: Thu, 05 Feb 2015 10:05:01 GMT
453
<drp><auth>
 <scv>198</scv>
</auth>
<vloc>
 <li>
  <key>1</key>
  <value>hXXp://yandex.ru/yandsearch?clid=1782899&text={searchTerms}</value>
 </li>
 <li>
  <key>3</key>
  <value>hXXp://yandex.ru/yandsearch?clid=1782899&text={searchTerms}</value>
 </li>
 <li>
  <key>2</key>
  <value>hXXp://yandex.ru/yandsearch?clid=1782899&text={searchTerms}</value>
 </li>
 <li>
  <key>4</key>
  <value>hXXp://yandex.ru/yandsearch?clid=1782899&text=</value>
 </li>
 <li>
  <key>5</key>
  <value>hXXp://yandex.ru/yandsearch?clid=1782899&text={searchTerms}</value>
 </li>
 <li>
  <key>6</key>
  <value>hXXp://VVV.yandex.ru/?clid=1782898</value>
 </li>
 <li>
  <key>7</key>
  <value>hXXp://VVV.yandex.ru/?clid=1782898</value>
 </li>
 <li>
  <key>8</key>
  <value>hXXp://VVV.yandex.ru/?clid=1782898</value>
 </li>
 <li>
  <key>9</key>
  <value>359</value>
 </li>
 <li>
  <key>10</key>
  <value>undef</value>
 </li>
 <li>
  <key>11</key>
  <value>937811</value>
 </li>
 <li>
  <key>14</key>
  <value>tru<<< skipped >>>
GET /update/wt/ie/coupons/update.xml?cnid=937811 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: update.mybrowserbar.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Thu, 05 Feb 2015 10:05:05 GMT
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
177
<?xml version='1.0' encoding='UTF-8'?>
<cpupdate>
 <libid>{40C6AC97-5316-4D22-BA61-3BF0D585FB22}</libid>
 <url>hXXp://update.mybrowserbar.com/update/wt/ie/coupons/coupons_1.6.zip</url>
 <ver>1.6</ver>
 <setupurl>hXXp://update.mybrowserbar.com/update/wt/ie/coupons/BrowserExtensionsSetup.exe</setupurl>
 <setupver>2.6</setupver>
 <gc>1</gc>
</cpupdate>
0
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.yandex.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:05:03 GMT
Content-Type: image/x-icon
Last-Modified: Wed, 04 Feb 2015 14:33:16 GMT
ETag: "54d22dac-47e"
Accept-Ranges: bytes
Content-Length: 1150
<<< skipped >>>
GET /kits/EasyBundlingDLL/937811/so.xml?kt=ytd&rsv=3 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Host: VVV.mybrowserbar.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:03:54 GMT
Server: Apache
Vary: Host
Keep-Alive: timeout=30, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
bd80
<?xml version="1.0" encoding="UTF-8"?>
<so>
<rsv>3</rsv>
  <o>
  <n>sgbe</n>
  <nos>&tov=20&sbe=0&sds=0&shp=0</nos>
  <rk/>
  <c>
  <![CDATA[
<!DOCTYPE html>
<html>
 <head>
  <meta http-equiv="MSThemeCompatible" content="yes" />
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  <script>
   window.onerror = function() { return true; }
   function regularLinkClick() {
    window.event.returnValue = false;
    external.OpenLink(window.event.srcElement.href);
   }
   var strTOV = '20';
   var setupURL = 'hXXp://download.mybrowserbar.com/kits/sds/SearchProtectionStub.exe';
   var cmdBE = " /runbe /iebf=15 /ffbf=15 /noeh";
   var cmdDS = " /dsie /dsff /dsgc /register /seprotect";
   var cmdHP = " /hp /wait /ntp_ie";
   var ehURL = "hXXp://download.mybrowserbar.com/kits/hlp/exthelper.exe";
   var ehCmd = "";
   function UpdateCommandLine()
   {
    var cmdLineParams = "";
    var statsParams = "";
    if (document.getElementById("express").checked) {
     statsParams = "&sbe=1&sds=1&shp=1";
     cmdLineParams = cmdLineParams + cmdBE;
     cmdLineParams = cmdLineParams + cmdDS;
     cmdLineParams = cmdLineParams + cmdHP;
     ehCmd = "/ot ytdsanth";
    }
    else {
     statsParams = (document.getElementById("cbBE").checked ? "&sbe=1" : "&sbe=2");
     statsParams = statsParams + (document.getElementById("cbDS").checked ? "&sds<<< skipped >>>
GET /images/pixel.gif?isn=E0BCB5085EA24F7699566D8CEBD03DB5&ver=2.6&cnid=937811&ct=bekit&event=uninstall HTTP/1.0
Host: VVV.mybrowserbar.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:08:06 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 1093
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: image/gif
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=442940, public, no-transform, must-revalidate
Last-Modified: Tue, 3 Feb 2015 13:06:37 GMT
Expires: Tue, 10 Feb 2015 13:06:37 GMT
Date: Thu, 05 Feb 2015 10:09:13 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=485119, public, no-transform, must-revalidate
Last-Modified: Wed, 4 Feb 2015 00:53:58 GMT
Expires: Wed, 11 Feb 2015 00:53:58 GMT
Date: Thu, 05 Feb 2015 10:09:13 GMT
Connection: keep-alive
<<< skipped >>>
GET /kits/sds/update.xml HTTP/1.1
User-Agent: SDS
Host: update.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
HTTP/1.1 301 Moved Permanently
Server: nginx/0.7.65
Date: Thu, 05 Feb 2015 10:04:58 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: hXXp://VVV.mybrowserbar.com/kits/sds/update.xml

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/0.7.65</center>
</body>
</html>
GET /kits/hlp/exthelper.exe HTTP/1.1
Host: download.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:28 GMT
Server: Apache
Last-Modified: Mon, 02 Feb 2015 15:52:02 GMT
Accept-Ranges: bytes
Content-Length: 488416
Content-Type: application/x-msdos-program
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?45d861ae400f132c HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT
If-None-Match: "0b2464b1797cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
ETag: "0b2464b1797cf1:0"
Cache-Control: max-age=86400
Date: Thu, 05 Feb 2015 10:05:03 GMT
Connection: keep-alive
GET /thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.6-1ubuntu1.8
Content-Encoding: gzip
<<< skipped >>>
GET /js/main.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: application/x-javascript
Content-Length: 1272
Last-Modified: Fri, 08 Nov 2013 13:22:51 GMT
Connection: keep-alive
Accept-Ranges: bytes

$(document).ready(function() {
    //setting os
    $(".os-redirect").click(function(){
        setCookie('user_os', $(this).attr("os"), 1,'/');
    });

    $(".dropdown img.flag").addClass("flagvisibility");

    $(".dropdown dt a").click(function() {
        $(".dropdown dd div").toggle();
    });

    $(".dropdown dd ul li a").click(function() {
        var text = $(this).html();
        $(".dropdown dt a span").html(text);
        $(".dropdown dd div").hide();
    });

    $(document).bind('click', function(e) {
        var $clicked = $(e.target);
        if (! $clicked.parents().hasClass("dropdown"))
            $(".dropdown dd div").hide();
    });

    //setting locale
    $(".langselector, #language-bar a").click(function(){
        setCookie('ytd_locale', $(this).attr("hreflang"), 1,'/');
    });

    change_auto_renew();
});

function setCookie(c_name,value,exdays, path)
{
    var exdate=new Date();
    exdate.setDate(exdate.getDate() + exdays);
    var c_value=escape(value) + ((exdays==null) ? "" : "; expires=" + exdate.toUTCString()) + ((path) ? "; path=" + path : "") ;
    document.cookie=c_name + "=" + c_value;
}
function change_auto_renew() {
    $("input[name=src]").each(function() {
        $(this).val($(this).val() == 0 ? 1 : 0);
    });
}
GET /styles.css HTTP/1.1
Accept: text/css
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: text/css
Content-Length: 17587
Last-Modified: Thu, 27 Nov 2014 15:47:33 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
GET /images/header-bg-repeat.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: image/jpeg
Content-Length: 1497
Last-Modified: Fri, 05 Oct 2012 14:07:53 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
GET /images/upgrade-pro-btn.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: VVV.ytddownloader.com
DNT: 1
Connection: Keep-Alive
Cookie: __utma=135583929.141684822.1423130703.1423130703.1423130703.1; __utmb=135583929.1.10.1423130703; __utmc=135583929; __utmz=135583929.1423130703.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:02 GMT
Content-Type: image/png
Content-Length: 13813
Last-Modified: Thu, 24 Oct 2013 10:30:42 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
POST /cgi/api.cgi/937811/CCF69B272FE54EE58735A380676F1DE4/vrst/20 HTTP/1.1
User-Agent: WidgiToolbar-198-937811
Host: api.mybrowserbar.com
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 469
Content-Type: application/x-www-form-urlencoded
<drq><auth><ccv>198</ccv><cnid>937811</cnid><isn>CCF69B272FE54EE58735A380676F1DE4</isn><ct>20</ct><dlid>1033</dlid><lngid>1033</lngid><wv>6.1</wv><brw><ie>10.0.9200.16521</ie><ff>29.0.1</ff><gc>39.0.2171.95</gc><dbrw>Internet Explorer</dbrw></brw></auth>
<vrst><isn>CCF69B272FE54EE58735A380676F1DE4</isn><cnid>937811</cnid><code_ver>198</code_ver><type>uninstall</type><ct>20</ct><src>12</src><cid>c0322acd5e5d42f0b163c591ee6ff5b9</cid><cmdline></cmdline></vrst></drq>
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:07:51 GMT
Server: Apache
Pragma: no-cache
Cache-control: no-cache
Transfer-Encoding: chunked
Content-Type: text/html
Expires: Thu, 05 Feb 2015 10:07:51 GMT

2b
<drp><auth>
 <scv>198</scv>
</auth>
</drp>
0
GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnpGo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.omniroot.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/ocsp-response
Date: Thu, 05 Feb 2015 10:05:03 GMT
Last-Modified: Thu, 29 Jan 2015 15:18:40 GMT
Server: ECS (frf/87D3)
X-Cache: HIT
Content-Length: 1406
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=591067, public, no-transform, must-revalidate
Last-Modified: Thu, 5 Feb 2015 06:19:11 GMT
Expires: Thu, 12 Feb 2015 06:19:11 GMT
Date: Thu, 05 Feb 2015 10:09:18 GMT
Connection: keep-alive
<<< skipped >>>
GET /images/pixel.gif?src=stub&kt=ytd&event=run&exit=0 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.ytddownloader.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Server: nginx/1.2.1
Date: Thu, 05 Feb 2015 10:05:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.6-1ubuntu1.8

10
File not found.
0
GET /url/shares.json?url=http://VVV.ytddownloader.com/&callback=_ate.cbs.sc_httpwwwytddownloadercom0 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: api-public.addthis.com
DNT: 1
Connection: Keep-Alive
Cookie: uid=54d3404fe20ab507; uvc=1|5; uit=1
HTTP/1.1 200 OK
Cache-Control: no-cache, no-transform, must-revalidate, s-maxage=3600
Last-Modified: Thu, 05 Feb 2015 09:12:51 GMT
Content-Type: application/json
Content-Encoding: gzip
Via: 1.1 varnish
Content-Length: 76
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:02 GMT
Via: 1.1 varnish
Age: 3131
Connection: keep-alive
X-Served-By: cache-ams4126-AMS
X-Cache: HIT
X-Cache-Hits: 29
X-Timer: S1423130702.921343565,VS0,VE0
GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.omniroot.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/ocsp-response
Date: Thu, 05 Feb 2015 10:06:06 GMT
Last-Modified: Thu, 29 Jan 2015 15:18:48 GMT
Server: ECS (frf/8799)
X-Cache: HIT
Content-Length: 1406
<<< skipped >>>
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT
If-None-Match: "a2f3ff97eeecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT
Accept-Ranges: bytes
ETag: "88c4768d3f2ad01:0"
Server: Microsoft-IIS/8.0
VTag: 791450244700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=798
Date: Thu, 05 Feb 2015 10:05:34 GMT
Connection: keep-alive
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT
If-None-Match: "3e1c83923e1cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT
Accept-Ranges: bytes
ETag: "d2e35dc7e31cd01:0"
Server: Microsoft-IIS/8.0
VTag: 27948442200000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Thu, 05 Feb 2015 10:05:34 GMT
Connection: keep-alive
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT
If-None-Match: "58cddbea90dfcf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT
Accept-Ranges: bytes
ETag: "9a9a44d511bd01:0"
Server: Microsoft-IIS/8.0
VTag: 279252244600000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Thu, 05 Feb 2015 10:05:34 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.msocsp.com
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:06:06 GMT
Content-Type: application/ocsp-response
Content-Length: 1757
Connection: keep-alive
Set-Cookie: __cfduid=df754fea60b97687e095e41842ddd612e1423130766; expires=Fri, 05-Feb-16 10:06:06 GMT; path=/; domain=.msocsp.com; HttpOnly
Last-Modified: Mon, 02 Feb 2015 23:13:04 GMT
Expires: Fri, 06 Feb 2015 23:13:04 GMT
ETag: "32dc2dc5ade4e5867c219925d83ebab0609e8b04"
Cache-Control: max-age=345599,public,no-transform,must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 1b3e4b1d5ecf0cad-AMS
<<< skipped >>>
GET /ajax/libs/jquery/1.9.1/jquery.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: ajax.googleapis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Fri, 08 Feb 2013 15:35:10 GMT
Date: Wed, 04 Feb 2015 07:00:55 GMT
Expires: Thu, 04 Feb 2016 07:00:55 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 32819
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 97446
Alternate-Protocol: 80:quic,p=0.02
<<< skipped >>>
GET /kits/sds/SearchProtectionSetup.exe HTTP/1.1
User-Agent: SDS
Host: webupdate.mybrowserbar.com
Accept: */*
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Thu, 05 Feb 2015 10:04:58 GMT
Content-Type: application/octet-stream
Content-Length: 1558376
Last-Modified: Mon, 19 Jan 2015 14:12:15 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< skipped >>>
GET /static/r07/plugins/counter015.css HTTP/1.1
Accept: text/css
Referer: hXXp://VVV.ytddownloader.com/thankyou.html?isn=F7DBCDBD737B449098794B4547AA6F06&lang=1033&cid=cb821f7c3eeccf6c312c56e821a0e91a&oldVer=&newVer=4.8.9&kt=ytd&pv=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: s7.addthis.com
DNT: 1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 05 Aug 2014 12:38:26 GMT
Content-Encoding: gzip
Cache-Control: public, no-check, max-age=86313600
Content-Type: text/css
Content-Length: 2690
Accept-Ranges: bytes
Date: Thu, 05 Feb 2015 10:05:02 GMT
Via: 1.1 varnish
Age: 15157266
Connection: keep-alive
X-Host: s7.addthis.com
X-Served-By: cache-fra1233-FRA
X-Cache: HIT
X-Cache-Hits: 13052002
X-Timer: S1423130702.450722,VS0,VE0
Vary: Host,Accept-Encoding
<<< skipped >>>
GET /gc/silent2.html?ot=ytdsanth&cnid=937811&kt=ytd&ext[]=cekonfccladjgbdhpgobceahgjdcdbod&ext[]=jloeihbcjbkgigodmcacomgfihpiaiip&ts=1423130670 HTTP/1.1
Host: VVV.mybrowserbar.com
Connection: keep-alive
Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:31 GMT
Server: Apache
Vary: Host
Last-Modified: Mon, 12 Jan 2015 12:49:37 GMT
Accept-Ranges: bytes
Content-Length: 2543
Keep-Alive: timeout=30, max=100
Connection: Keep-Alive
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd" />
<html>
<head>
    <meta name="google" value="notranslate" />
    <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
    <meta http-equiv="Pragma" content="no-cache" />
    <meta http-equiv="Expires" content="0" />
    <title>Extensions Installation</title>
<link rel="chrome-webstore-item" href="hXXps://chrome.google.com/webstore/detail/pfndaklgolladniicklehhancnlgocpp">
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','//VVV.google-analytics.com/analytics.js','ga');
  ga('create', 'UA-49853190-2', 'mybrowserbar.com');
</script>
</head>
<body>
<div id="extensions">
<button href="#" id="close">close offer</button>
</div>
<script language="javascript">
$( document ).ready(function() {
var extensions = getURLParam('ext[]');
if (extensions !== null) {
    for (var i=extensions.length-1; i>=0; i--) {
        var e = extensions[i];
        var item_html = $.parseHTML('<div id="offer_' e '" class="offer" ><div class="a
<<< skipped >>>
GET /favicon.ico HTTP/1.1
Host: VVV.mybrowserbar.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: _ga=GA1.2.1138944218.1423130672
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:32 GMT
Server: Apache
Vary: Host,User-Agent
Last-Modified: Wed, 21 Oct 2009 21:42:22 GMT
Accept-Ranges: bytes
Content-Length: 9062
Cache-Control: max-age=604800
Expires: Thu, 12 Feb 2015 10:04:32 GMT
Keep-Alive: timeout=30, max=99
Connection: Keep-Alive
Content-Type: image/x-icon
<<< skipped >>>
GET /images/pixel.gif?isn=d78a223d20363802cfbd313af6e664df&ver=1.2&cnid=937811&ct=shagc&event=install HTTP/1.1
Host: VVV.mybrowserbar.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: _ga=GA1.2.1138944218.1423130672
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:49 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 1093
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=30, max=98
Connection: Keep-Alive
Content-Type: image/gif
GET /cgi/coupons.cgi/d78a223d20363802cfbd313af6e664df/937811/1.2/shagc?rsv=2 HTTP/1.1
Host: VVV.mybrowserbar.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: _ga=GA1.2.1138944218.1423130672
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:49 GMT
Server: Apache
Vary: Host
Keep-Alive: timeout=30, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
12c
<?xml version="1.0" encoding="UTF-8"?>
<cp>
 <rsv>2</rsv>
 <insecure>
  <url>hXXp://i.sgbfjs.info/sgbf/javascript.js?hid=40&amp;channel=GC</url>
 </insecure>
 <secure>
  <url>hXXps://i_sgbfjs_info.tlscdn.com/sgbf/javascript.js?hid=40&amp;channel=GC</url>
 </secure>
</cp>
0
GET /images/pixel.gif?isn=9d357cad646259e5aec21e92440c2512&ver=1.5&cnid=937811&ct=nthgc&event=install HTTP/1.1
Host: VVV.mybrowserbar.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: _ga=GA1.2.1138944218.1423130672
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 10:04:50 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 1093
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=30, max=96
Connection: Keep-Alive
Content-Type: image/gif
<<< skipped >>>
The Malware connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
kernel32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
()$^.* ?[]|\-{},:=!RegDeleteKeyExW
invalid _N_type: %d
RTMP_ParseURL
%s://%.*s:%d/%.*s
d:\Autobuild\CleanSVN\ytd\branches\Win\YTD_4.8.9\Application3.0\Release\YouTubeDownloader.pdb
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
InternetCrackUrlW
WININET.dll
UxTheme.dll
WS2_32.dll
IPHLPAPI.DLL
GdiplusShutdown
GdipSetPenLineJoin
gdiplus.dll
PSAPI.DLL
libvlc_video_set_key_input
CreatePipe
CreateNamedPipeW
ConnectNamedPipe
DisconnectNamedPipe
WaitNamedPipeW
SetNamedPipeHandleState
GetProcessHeap
KERNEL32.dll
GetKeyState
SetWindowsHookExW
UnhookWindowsHookEx
CreateDialogIndirectParamW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
MSIMG32.dll
GetCPInfo
GetConsoleOutputCP
libvlc.dll
.?AV?$_IDispEventLocator@$00$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$00VBrowserEvents@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventImpl@$00VBrowserEvents@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B$1?LIBID_SHDocVw@@3U3@B$00$00VCComTypeInfoHolder@ATL@@@ATL@@
.?AV?$CWinDataExchange@VRequestLoginDlg@@@WTL@@
.?AV?$CDialogImpl@VRequestLoginDlg@@VCWindow@ATL@@@ATL@@
.?AVRequestLoginDlg@@
.?AUIWebNotifier@@
.?AV?$CWinDataExchange@VWebBrowserDlg@@@WTL@@
.?AV?$CAxDialogImpl@VWebBrowserDlg@@VCWindow@ATL@@@ATL@@
.?AVWebBrowserDlg@@
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
mscoree.dll
KERNEL32.DLL
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
Global\{861C592B-5428-471f-8082-A5FFB5B93894}Advapi32.dll
hXXp://ffmpeg.org/
hXXp://VVV.gnu.org/licenses/lgpl.html
hXXp://VVV.ytddownloader.com/src/ffmpeg-20130206.zip
hXXp://lame.sourceforge.net/
hXXp://VVV.gnu.org/licenses/old-licenses/lgpl-2.0.html
hXXp://VVV.ytddownloader.com/src/lame-3.99.5.zip
hXXp://opencore-amr.sourceforge.net/
hXXp://VVV.apache.org/licenses/LICENSE-2.0
hXXp://VVV.ytddownloader.com/src/opencore-amr-0.1.3.zip
hXXp://rtmpdump.mplayerhq.hu/librtmp.3.html
hXXp://VVV.ytddownloader.com/src/librtmp-2.3.zip
hXXp://VVV.openssl.org/
hXXp://VVV.ytddownloader.com/src/openssl-1.0.0d.zip
hXXp://VVV.openssl.org/source/license.html
hXXp://VVV.ytddownloader.com/
hXXps://VVV.videolan.org/
hXXp://VVV.gnu.org/licenses/lgpl-2.1.html
hXXp://VVV.ytddownloader.com/src/vlc-2.1.0-20130926.zip
dlg.about.lbl.version
dlg.about.title
dlg.about.btn.ok
dlg.about.lbl.gpls
<a ID="15">hXXp://VVV.ytddownloader.com/</a>
dlg.about.lbl.copy
OnKeyUpFromEdit VK_ESCAPE
OnKeyUpFromEdit VK_RETURN
OnKeyUpFromEdit VK_A VK_CONTROL
grid.column.name.video
grid.column.name.progress
grid.column.name.speed
grid.column.name.status
grid.column.name.eta
grid.column.name.filesize
dlg.download.lbl.esttimeh
%1m %2s
dlg.download.lbl.esttimem
dlg.download.lbl.esttimes
dlg.download.lbl.speedmb
dlg.download.lbl.speedkb
grid.item.filesizemb
grid.item.state.queued
grid.item.state.downloading
grid.item.state.converting
grid.item.state.canceled
grid.item.state.paused
grid.item.state.retry
grid.item.state.completed
grid.item.state.failed
OnKeyUp VK_A VK_CONTROL
OnKeyUp VK_F2
=%%
comctl32.dll
shell32.dll
dlg.checkupd.lbl.speed
dlg.checkupd.lbl.eta
ytd_installer.exe
dlg.checkupd.lbl.anewer
dlg.checkupd.lbl.clickon
dlg.checkupd.lbl.alternatively
dlg.checkupd.lbl.whatsnew
dlg.checkupd.title
dlg.checkupd.btn.installnow
dlg.checkupd.btn.remind
dlg.checkupd.lbl.dwnldstatus.completed
dlg.ckeckupd.msgbx.runningitems
dlg.checkupd.lbl.dwnldstatus.started
dlg.checkupd.btn.tryagain
dlg.checkupd.lbl.dwnldstatus.failed
dlg.checkupd.lbl.dwnldstatus.failed.inst
hXXp://VVV.youtubedownloadersite.com/help.html
ffmpeg -i %1 -strict -2 -vf scale=420:-1 -r 14 -b:v 50k -ar 44100 -ab 56k -ac 1 %2.mp4
dlg.manconv.title
dlg.manconv.lbl.input.file
dlg.manconv.lbl.vid.size
dlg.manconv.lbl.vid.frame
dlg.manconv.lbl.vid.rate
dlg.manconv.lbl.aud.sample
dlg.manconv.lbl.aud.rate
dlg.manconv.lbl.aud.chanel
dlg.manconv.lbl.output.file
dlg.manconv.lbl.improve.qlty
dlg.manconv.lbl.warn.cell
dlg.btn.ok
dlg.btn.cancel
dlg.btn.help
uxtheme.dll
https
testname .com.bat.exe.dll
SelfTestSitesUrls.txt
Site is not supported
tab.name.download
tab.name.convert
tab.name.activity
tab.name.play
dlg.main.btn.help
dlg.main.btn.upgrade
dlg.main.lbl.link.menu
menu.item.help.faq
menu.item.help.sup.sites
menu.item.help.checkupdates
menu.item.help.about
menu.item.help.registration
menu.item.help.transfer
menu.item.help.license.txt
menu.item.help.privacy.txt
menu.item.help.language
hXXp://VVV.ytddownloader.com/faq.html
hXXp://VVV.ytddownloader.com/video_sites.html
hXXp://VVV.youtubedownloadersite.com/license_agreement.txt
hXXp://VVV.youtubedownloadersite.com/privacy_policy.txt
hXXps://VVV.facebook.com/sharer/sharer.php?app_id=113869198637480&sdk=joey&u=http://ytddownloader.com/&ref=plugin
Got a click with ID=%s
hXXp://VVV.ytddownloader.com/contact_us.html
hXXp://VVV.facebook.com/YTDYouTubeDownloaderConverter
hXXp://VVV.youtubedownloadersite.com/review-submission.html
Added %d languages toi the interface.
dlg.checkupd.msgbx.runningitems
dwNextAutoupdate=%d dwCrtTime=%d
csComm.CheckForUpdate() returned=%d
config.GetNextCheckAutoUpdate() returned=%d
DisplayCheckForUpdatesMsg
msg.manual.check.updscript
msg.manual.check.upd
TransferYourLicense
transferlic.firstmsg
PipeMessage
addurl
OnTransferLicenseMsg
Your license key was reset. You can now use key %1% on another computer.
transferlic.secondmsg
OnRegistrationMsg
register.success
dlg.register.error.invalid
hXXp://VVV.youtubedownloadersite.com/reset_license.html
dlg.register.error.inuse
dlg.register.link.help
dlg.register.error.again
dlg.register.error.free
dlg.register.error.buy
dlg.register.error.title
hXXp://VVV.youtubedownloadersite.com/premium.html?ft=0
dlg.register.error.commerr
OnBrowserLogin
Please login
dlg.about.lbl.licensekey
dlg.register.lbl.expiration
dlg.register.invalid.lic
dlg.register.lbl.please
dlg.register.syslink
dlg.register.btn.cancel
dlg.register.btn.register
dlg.register.title
YouTube Login
dlg.login.title.yt
dlg.login.lbl.yt
Facebook Login
dlg.login.title.fb
dlg.login.lbl.fb
dlg.login.lbl.username
dlg.login.lbl.pwd
tab.activity.btn.play.tooltip
tab.activity.btn.pause.tooltip
tab.activity.btn.stop.tooltip
tab.activity.btn.clear.tooltip
tab.activity.btn.browse.tooltip
tab.activity.btn.pro
grid.menu.item.playytd
grid.menu.item.play
grid.menu.item.delete
grid.menu.item.deletefile
grid.menu.item.stop
grid.menu.item.pause
grid.menu.item.rename
grid.menu.item.open
explorer.exe
grid.menu.item.msgbox
user32.dll
tab.convert.url.gopro
dlg.main.combo.convrt.ipad
dlg.main.combo.convrt.ipod
dlg.main.combo.convrt.iphone
dlg.main.combo.convrt.psp
dlg.main.combo.convrt.cell
Windows Media Video (V.7 WMV)
dlg.main.combo.convrt.wmv
dlg.main.combo.convrt.xvid
dlg.main.combo.convrt.mpeg
dlg.main.combo.convrt.manual
dlg.main.combo.convrtquality.high
dlg.main.combo.convrtquality.opt
dlg.main.combo.convrtquality.med
dlg.main.combo.convrtquality.low
dlg.main.combo.convrtquality.same
dlg.main.btn.convert
dlg.main.lbl.edit.slct.file
dlg.main.lbl.combo.convert.to
dlg.main.tab.convrt.cut
dlg.main.tab.convrt.start
dlg.main.tab.convrt.end
dlg.main.tab.convrt.advanced
dlg.main.tab.convrt.videovol
dlg.main.tab.convrt.replace
dlg.main.tab.convrt.sameasdwnld
dlg.main.tab.convrt.quality
dlg.main.lbl.saveto
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
SP.EXE:1680
%original file name%.exe:4048
BrowserExtensionsSetupUAC.exe:1848
YTDSetup.exe:1508
~spD451.tmp:2164
BEHelper.exe:1440
SearchProtectionStub.exe:1560
Au_.exe:3976
Au_.exe:3828
~spE38E.tmp:3172
uninstall.exe:1712
uninstall.exe:4024
exthelper.exe:676
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal (9778 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4C62WHO\favicon[1].ico (1150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (324 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\yandex_ff.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{38754113-2264-4057-B454-CF19832D9F10}.ico (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\prefs.js (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\searchplugins\yandex.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\yandex_ie.xml (496 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\inetca.dll (804 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC35.tmp (2290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\YTDSetup.exe (715970 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskCC36.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CZBXF8H\YTDSetup[1].exe (671764 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}\chrome\content (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AC.tmp (12592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}\chrome\content (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\NSISCouponsPlugin.dll (18372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7AD.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC} (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}\chrome\content (4 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\LICENSE (1 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Uninstall.exe (8318 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1050.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1049.ini (784 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\YTD Video Downloader.lnk (2 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll (3616 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1036.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\UserInfo.dll (8 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\librtmp.dll (60186 bytes)
C:\Users\Public\Desktop\YTD Video Downloader.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\SearchProtectionStub.exe (1828 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\System.dll (23 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll (19096 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\Web site.url (55 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1053.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1034.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1035.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1048.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1059.ini (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2074.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{9FDDFC18-F82F-43C9-9E27-411CD7019F0F}\exthelper.exe (1826 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EE.tmp (733038 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1031.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1055.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2070.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\FFMPEG.EXE (395158 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1043.ini (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NV3AJTKT\so[1].xml (7285 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2052.ini (12 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll (2392 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll (326900 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll (69435 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\scripts.yds (6360 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1030.ini (13 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader\Uninstall.lnk (2 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1025.ini (15 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\manual.bat (57 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1038.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1044.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1040.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1032.ini (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1045.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1029.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv3 (7 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv2 (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1051.ini (14 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res9999.ini (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISPluginW.dll (15982 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1061.ini (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\getCountry (2 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1060.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1052.ini (13 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISHelper.dll (8801 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\COPYING.Apachev2 (11 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe (51136 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1026.ini (784 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1033.ini (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\modern-header.bmp (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszD6EF.tmp\nsDialogs.dll (21 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll (1552 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\SP.exe (33796 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\Uninstall.exe (15904 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF1A.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spE38E.tmp (1940 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF1A.tmp\SP.dll (33090 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsaDF19.tmp (84143 bytes)
C:\ProgramData\YTD Video Downloader\scripts0.yds (673 bytes)
%Program Files% (x86)\GreenTree Applications\YTD Video Downloader\plugins\plugins.dat.1492 (1444 bytes)
C:\ProgramData\YTD Video Downloader\scripts0.20150129 (22548 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\config.json (965 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome.manifest (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\redirects.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\savingsslider.xul (606 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\icon.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\icon.png (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\main.js (394 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\main.js (134 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\newtab.xul (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\saebay.js (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\spigot.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NV3AJTKT\update[1].xml (375 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\ebay.xul (569 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\main.js (374 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\spigot.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\prefs.txt (171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\spigot.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\main.xul (681 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome.manifest (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome.manifest (125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\prefs.txt (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\config.json (1235 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\icon.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\savingsslider.js (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\ebay.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\chrome\content\config.json (213 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{62DD0A97-FDD4-421b-94A5-D1A9434450C7}_tmp\chrome\content\startpage.js (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{54FBE89E-C878-46bb-A064-AB327EE26EBC}_tmp\chrome\content\prefs.txt (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{CA8C84C6-3918-41b1-BE77-049B2BDD887C}_tmp\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskD3C4.tmp\SP.dll (33090 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~spD451.tmp (1162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsuD3B3.tmp (28806 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskD3C4.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57A.tmp (17495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\ping (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB57B.tmp\BrowserExtensionsSetupUAC.exe (16750 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw7A8D.tmp (27289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq7ABC.tmp\SP.dll (33090 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Button.exe (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF7.tmp (64389 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\saebay.xpi (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\NSISCouponsPlugin.dll (18372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons.dll (12088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Uninstall.exe (17637 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\coupons.xpi (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Coupons64.dll (13368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\Button64.exe (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\ButtonWrap64.dll (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\ping (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\ButtonWrap.dll (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nskEDF8.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\BEHelper.exe (19640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\startpage.xpi (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb79C2.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~nsu.tmp\Au_.exe (3589 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsqB4ED.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R4C62WHO\extconfig[1].xml (3777 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scr68B1.tmp (15 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Search Protection" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Search Protection\SP.EXE /autostart"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Browser Extensions" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\BrowserExtensions\BEHelper.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.