For most of 2012, I've been using the freeware "YTD Video Downloader" for downloading videos off of YouTube. Today I wanted to save a video from YouTube, opened the program, and it prompted me for an update. The changelog showed some bug fixes and feature additions, so I went ahead and allowed the update.
Big mistake.
YTD Video Downloader proceeded to dump malware on the system.
WinPatrol caught and blocked the attempts to add new startup programs to the computer, as well as change all my browser home pages. It tried to alter IE, Firefox and Chrome homepage and search default settings. The search was to be changed to some sort of Yahoo affiliate-looking link.
The following crap was added:
- An "Application Updater" Windows service, with files located at C:\Program Files (x86)\Common Files\Application Updater\
- The "YTD Toolbar" from Spigot, located at C:\Program Files (x86)\Spigot\
- Several dozen registry entries.
How to Remove:
Step 1 -- Stop Processes / Unlocker:
The "SearchSettings.exe" process was terminated with the Task Manager (part of Windows; right-click on taskbar to get to it).
I then used Unlocker to nuke/halt the Spigot folder. Unlocker is a tool that allows deletion of files considered "active" by Windows, by severing said connections. Get Unlocker from the official site:
http://www.emptyloop.com/unlocker
Next I stopped the Application Updater service (right-click on My Computer, go to Manage; new window pops up, go to services, search for the Application Updater), and nuked its folder.
Both folders were then deleted in Windows, and the recycle bin emptied.
Step 2 -- Registry Clean-Up / CCleaner:
This left a pile of garbage in the registry. I first used CCleaner to remove most of it. Then I ran regedit.exe (Registry Editor; Start > Run > regedit.exe) and searched for the following terms: (1) "applicationupdater", (2) "spigot", and (3) "searchsettings". I deleted dedicated trees, and removed individual entries barfed into other trees (like browser settings).
RegEdit.exe comes with Windows.
Get CCleaner from the official site:
http://www.filehippo.com/download_ccleaner
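The two steps above can be turned into a quick read-only audit, so you can confirm whether a machine still carries the leftovers before or after cleaning by hand. The script below is an added example, not something from the original post or from the YTD/Spigot software; it assumes the process name (SearchSettings.exe), service name ("Application Updater"), folder paths and registry search terms exactly as listed in the post, and it only reports findings, leaving removal to the manual steps.

```powershell
# Added audit script (not from the original post). Read-only: it lists the
# YTD/Spigot leftovers described above but deletes nothing.
# Run from an elevated PowerShell prompt (enumerating HKLM needs admin rights).

$Terms   = @('applicationupdater', 'spigot', 'searchsettings')   # terms from the post
$Folders = @(                                                      # folders from the post
    "${env:ProgramFiles(x86)}\Common Files\Application Updater",
    "${env:ProgramFiles(x86)}\Spigot"
)
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Is the SearchSettings.exe process still running?
if (Get-Process -Name 'SearchSettings' -ErrorAction SilentlyContinue) {
    $Findings.Add('Process running: SearchSettings.exe')
}

# 2. Is the "Application Updater" service still registered? Report its binary path too.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -imatch 'Application ?Updater' -or $_.DisplayName -imatch 'Application ?Updater' } |
    ForEach-Object { $Findings.Add("Service present: $($_.Name) [$($_.State)] binary: $($_.PathName)") }

# 3. Are the install folders still on disk?
foreach ($f in $Folders) {
    if (Test-Path -LiteralPath $f) { $Findings.Add("Folder present: $f") }
}

# 4. Registry: any key name, value name or value data containing one of the terms.
#    Same three terms the post searched for in regedit, applied to the hives where
#    software, services and per-user browser settings live.
$Hives   = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services', 'HKCU:\SOFTWARE')
$Pattern = ($Terms | ForEach-Object { [regex]::Escape($_) }) -join '|'
$PsNoteProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($hive in $Hives) {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -imatch $Pattern) {
            $Findings.Add("Registry key: $($key.Name)")
        }
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($p in $props.PSObject.Properties) {
                if ($PsNoteProps -contains $p.Name) { continue }   # skip PowerShell's own metadata
                if ("$($p.Name) $($p.Value)" -imatch $Pattern) {
                    $Findings.Add("Registry value: $($key.Name)\$($p.Name) = $($p.Value)")
                }
            }
        }
    }
}

if ($Findings.Count -eq 0) {
    'No YTD/Spigot leftovers found.'
} else {
    $Findings | Sort-Object -Unique
}
```

The registry walk over HKLM:\SOFTWARE takes a minute or two on a typical machine. Review every hit before deleting anything: a value under a browser's settings key that merely mentions one of the terms (the hijacked search default, for instance) should be restored to a sane value rather than have its whole key removed.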
My Official Opinion on YTD Video Downloader:
This is a malicious piece of crap written by assholes. It's about as useful as hitting my laptop with a sledge hammer.
While KeepVid.com has grown more annoying over time (by using pure Java), at least it doesn't inject a computer with malware.
What's truly irritating is how the Spigot / ApplicationUpdater / YTD Toolbar garbage was wrapped into a payload bomb inside the YTD Video Downloader installer. It was silent, hidden, and had no option to avoid installation. The ApplicationUpdater.exe service was there to allow continued passive installs/updates of who-knows-what. They managed to leverage social engineering to bypass Windows 7 UAC safeguards, by tricking the user into updating a program that previously lacked junk.