External Drive Full of Infections, Missing files, infected objects, Help Neeeded


  • This topic is locked
15 replies to this topic

#1 rogue212

  • Members
  • 31 posts

Posted 12 March 2010 - 09:44 AM

Hi, I feel I should warn everybody that cnet downloads, or www.download.com, is full of infections or may have even been hacked. I downloaded a program from them, as I have always trusted this site, and it contained some serious infections, including a nasty backdoor trojan. I have downloaded the exact same file from www.softpedia.com and it is completely clean.

The infections have been confirmed. I'm now in the process of deleting all my data and cleaning my drive if possible. I had downloaded and used this program from softpedia before and it was always clean; just by chance I was on cnet downloads and decided to download it again, big mistake, and I hope you will be very careful in the future.

Exact program and version file size:

Cnet: 4.76 MB (4,998,707 bytes)
Softpedia: 4.64 MB (4,870,512 bytes)

Cnet have been informed but remain indifferent.


#2 Barilla

  • Members
  • 197 posts
  • Gender:Male

Posted 12 March 2010 - 10:19 AM

Could you provide us with the names of the backdoors/trojans/viruses, please?

#3 I_am_CanadianEh?

  • Members
  • 489 posts
  • Gender:Male

Posted 12 March 2010 - 01:18 PM

rogue212,
Also, give us the name of the program and version you were trying to download on CNET. A link would be helpful.
I'll see if my antivirus or firewall catches anything and submit the file for a sample.

#4 Eric RBA

  • Members
  • 252 posts
  • Gender:Male
  • Location:State College, PA

Posted 12 March 2010 - 01:51 PM

Also, please provide links to verify your statement that CNET has been informed and that they are indifferent, as well as any links you have confirming that they have been hacked or have provided tainted downloads. (Aside from your assessment of the download.)

It is possible that there are two different sized software downloads because of varying versions or release dates.
I would never ask a person to do something that I wouldn't do myself.

#5 Andrew

    Bleepin' Night Watchman

  • Moderator
  • 8,259 posts
  • Gender:Not Telling
  • Location:Right behind you

Posted 13 March 2010 - 01:47 PM

Based on rogue212's other topics, I surmise that the file in question is flv_setup.exe. My own analysis of the file yields nothing malicious (though it comes packaged with an old version of the Yahoo! toolbar installer, which is annoying). The only oddity I found was that CNET appears to send the wrong MIME type for EXE files: they send "application/download", which is not a valid MIME type; they should be sending "application/octet-stream".

#6 rogue212

  • Topic Starter
  • Members
  • 31 posts

Posted 13 March 2010 - 02:35 PM

Sorry for the delay; I have been cleaning my computer and I'm running Linux at the moment.

File Name: FLV Player 2.0.25

Link: http://download.cnet.com/FLV-Player/3000-1....html?tag=mncol

Infections detected by Virscan and VirusTotal (VirusTotal's F-Prot scanner didn't detect W32/BackdoorX.DHLT when last scanned):
W32/BackdoorX.DHLT
Win32.Small.guj
Backdoor/Small.gue

Jotti showed no infections, but the infection has been confirmed and I will post results as soon as I can. I have downloaded this program before from Softpedia, same version etc.

cnet: 4.76 MB (4,998,707 bytes)
softpedia: 4.64 MB (4,870,512 bytes) clean file

As to their indifference, they have constantly failed to reply to my emails informing them of the file; read other reviews on cnet. Yes, this may be me overreacting, but the advice for such infections was that it could infect other files with malicious code. Remember this is a backdoor trojan; the danger level could be low or very high, and I was advised to run a low level format before formatting and re-installing Windows to be sure.

Edited by rogue212, 13 March 2010 - 02:35 PM.
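One practical way to triage a ThreatExpert listing like the one rogue212 pastes in the following post is to parse the flattened rows back into records and ask the questions that matter for a bundled installer: which created files are executable components, which were dropped under %Temp%, and which row is the submitted sample itself (the row whose size, MD5 and SHA-1 equal the header values). The script below is an added example, not code from this thread or from ThreatExpert; the embedded REPORT is a constructed subset of rows copied from the pasted report, kept in the post's two-line layout (path, size and MD5 on one line, SHA-1 on the next, and a leading path-only line for entries that list two files under one hash). The record numbers are the report's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of rows copied from the ThreatExpert listing
# pasted in this thread, in the flattened two-line layout of the post.
REPORT = r"""
Submitted sample:
File MD5: 0x014C88A3AFB657EEBEE8D0C3851936C5
File SHA-1: 0xCC7AF27807223FC5127DF42ED0218BEFA99E23BD
Filesize: 4,998,707 bytes
# Filename(s) File Size File Hash
1 %CommonDesktopDir%\FLV Player.lnk 701 bytes MD5: 0x27AA846061C1EBD87A6CB4B4F5100A45
SHA-1: 0xAFB4AD38DCF8BE4F9C682BD5ACA5DAB6BA077B38
10 %Temp%\mProjector61432136\FlashPlayer.3.1.1k.ocx 2,991,488 bytes MD5: 0x48FDF435B8595604E54125B321924510
SHA-1: 0xE13D25BDAC576E95E9134C3F95F0F8CBE94D6185
13 %Temp%\nsf4.tmp\nsisProcMgr_U.dll 53,248 bytes MD5: 0xC4D19CD1DC5AF2E7D045605F3F27B565
SHA-1: 0x984B531409B257554C2B3077E3FF0768436DEE70
16 %ProgramFiles%\FLV Player\FLVPlayer.exe 1,909,940 bytes MD5: 0x31F6A135DA6FBF556AECB2F27B45D1B2
SHA-1: 0xE12DAA9255AFC0951F795CBBE2BD3C6D79BE4F1B
21 %ProgramFiles%\Yahoo!\Companion\Data\dlg_anstip.html
%ProgramFiles%\Yahoo!\Companion\Data\dlg_anstipg.html 374 bytes MD5: 0x305FCDD79F823736C352FDFC849F6829
SHA-1: 0xEA1D3757E39986F43F924A9CE4F1FDA2A7C3AFAC
74 [file and pathname of the sample #1] 4,998,707 bytes MD5: 0x014C88A3AFB657EEBEE8D0C3851936C5
SHA-1: 0xCC7AF27807223FC5127DF42ED0218BEFA99E23BD
"""

HEX32, HEX40 = r"([0-9A-Fa-f]{32})", r"([0-9A-Fa-f]{40})"
# A file row: optional entry number, path, size, MD5 (SHA-1 follows on its own line).
ROW = re.compile(r"^(?:(\d+)\s+)?(.*?)\s+([\d,]+) bytes\s+MD5:\s*0x" + HEX32 + r"\s*$")
SHA = re.compile(r"^SHA-1:\s*0x" + HEX40 + r"\s*$")
NUM_ONLY = re.compile(r"^(\d+)\s+(\S.*)$")  # first line of a two-path entry
HDR_MD5 = re.compile(r"^File MD5:\s*0x" + HEX32)
HDR_SHA = re.compile(r"^File SHA-1:\s*0x" + HEX40)
HDR_SIZE = re.compile(r"^Filesize:\s*([\d,]+) bytes")

PE_EXTENSIONS = (".exe", ".dll", ".ocx", ".sys", ".scr")


@dataclass
class FileRecord:
    index: int
    paths: List[str]
    size: int
    md5: str
    sha1: Optional[str] = None


def parse_report(text: str) -> Tuple[Dict[str, object], List[FileRecord]]:
    """Parse the submitted-sample header and the created-files rows."""
    header: Dict[str, object] = {}
    records: List[FileRecord] = []
    pending: Optional[Tuple[int, str]] = None  # entry number + first path
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HDR_MD5.match(line):
            header["md5"] = m.group(1).upper()
        elif m := HDR_SHA.match(line):
            header["sha1"] = m.group(1).upper()
        elif m := HDR_SIZE.match(line):
            header["size"] = int(m.group(1).replace(",", ""))
        elif m := SHA.match(line):
            if not records:
                raise ValueError(f"SHA-1 line before any file row: {line}")
            records[-1].sha1 = m.group(1).upper()
        elif m := ROW.match(line):
            num, path, size, md5 = m.groups()
            if num is None:  # second path of a two-path entry
                if pending is None:
                    raise ValueError(f"continuation row without entry: {line}")
                index, paths = pending[0], [pending[1], path]
                pending = None
            else:
                index, paths = int(num), [path]
            records.append(FileRecord(index, paths, int(size.replace(",", "")), md5.upper()))
        elif m := NUM_ONLY.match(line):
            pending = (int(m.group(1)), m.group(2))
        # any other line is a heading or narrative and is ignored
    return header, records


def is_executable(rec: FileRecord) -> bool:
    return any(p.lower().endswith(PE_EXTENSIONS) for p in rec.paths)


def in_temp(rec: FileRecord) -> bool:
    return any(p.startswith("%Temp%") for p in rec.paths)


def matches_sample(rec: FileRecord, header: Dict[str, object]) -> bool:
    """True when a row's size, MD5 and SHA-1 all equal the submitted sample's."""
    return (rec.size == header.get("size") and rec.md5 == header.get("md5")
            and rec.sha1 == header.get("sha1"))


def summarize(text: str) -> Dict[str, object]:
    header, records = parse_report(text)
    return {
        "files": len(records),
        "executables": sorted(r.index for r in records if is_executable(r)),
        "temp_drops": sorted(r.index for r in records if in_temp(r)),
        "sample_matches": sorted(r.index for r in records if matches_sample(r, header)),
        "total_bytes": sum(r.size for r in records),
    }


if __name__ == "__main__":
    for key, value in summarize(REPORT).items():
        print(f"{key}: {value}")
```

Run against the full pasted listing, the same parser separates the FLV Player files from the Yahoo! toolbar components that account for the size difference between the two downloads, and the SHA-1 values give something to compare against a second copy of the installer obtained elsewhere.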


#7 rogue212

  • Topic Starter
  • Members
  • 31 posts

Posted 13 March 2010 - 02:50 PM

Please remember this could be a low threat; none of the top scanners detected it. Could the backdoor trojan be the Yahoo installer? If this is a genuine, serious backdoor trojan which can run malicious code that infects or attaches to other files, would my MP3, media and text files be safe? I hope you can advise me.

ThreatExpert Submission Summary:

Submission details:
Submission received: 12 March 2010, 09:20:40
Processing time: 8 min 1 sec

Submitted sample:
File MD5: 0x014C88A3AFB657EEBEE8D0C3851936C5
File SHA-1: 0xCC7AF27807223FC5127DF42ED0218BEFA99E23BD
Filesize: 4,998,707 bytes

Summary of the findings:

What's been found / Severity Level
Registers a 32-bit in-process server DLL.

Technical Details:

File System Modifications

The following files were created in the system:

# Filename(s) File Size File Hash

1 %CommonDesktopDir%\FLV Player.lnk 701 bytes MD5: 0x27AA846061C1EBD87A6CB4B4F5100A45 SHA-1: 0xAFB4AD38DCF8BE4F9C682BD5ACA5DAB6BA077B38
2 %CommonPrograms%\FLV Player\FLV Player website.lnk 718 bytes MD5: 0xD2186A8543E603A6FEA07851B16E5F2C SHA-1: 0xD7E5197F91BCA770BF9FE24316915C160B4EFD78
3 %CommonPrograms%\FLV Player\FLV Player.lnk 713 bytes MD5: 0x3221D1218F32EFF7BDE2D048D447994B SHA-1: 0x363A70552F18139B993118E3DF10671AE4D4C9CA
4 %CommonPrograms%\FLV Player\Uninstall.lnk 521 bytes MD5: 0xC058925CB3BF1DC45C7278821011AA18 SHA-1: 0xACB76AEA132566CDBE3A4BDC511F46192933651E
5 [pathname with a string SHARE]\FLVPlayerdata.Settings.sol 283 bytes MD5: 0x8C85AB86FC876979AADEAD9B0DC794E9 SHA-1: 0x56ECE154240045668716985EC672720C13C338AB
6 %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol 75 bytes MD5: 0xA6CDC076C738534E45C0D597BE2DD3E5 SHA-1: 0x43CE8F7373E4A99B41F12A5D003D617B21FF031F
7 %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 428 bytes MD5: 0x20DF43CC2D2B53748A504E19AA990B78 SHA-1: 0x735B58C02E4730C9AE9E1D09464B3C8A2DD435E4
8 %Temp%\mProjector61432136\File.3.1.1hj.mfx 12,288 bytes MD5: 0x4FF1AD58DA75F94E6E592633A3906229 SHA-1: 0x534F1EBC1DE3C9632C46FAD664EF27F1EDE7B3F9
9 %Temp%\mProjector61432136\Flash6MovieV2.3.1.1hj.mvx 192,512 bytes MD5: 0xFD5E10A01B41D295CE401BB0E7D518D6 SHA-1: 0x60DBFFDF811F17DA46A245EC07F916473BE4CC64
10 %Temp%\mProjector61432136\FlashPlayer.3.1.1k.ocx 2,991,488 bytes MD5: 0x48FDF435B8595604E54125B321924510 SHA-1: 0xE13D25BDAC576E95E9134C3F95F0F8CBE94D6185
11 %Temp%\mProjector61432136\mPlayer.3.1.1k.dll 126,976 bytes MD5: 0xB806E64B4303D5A85A72589305A25583 SHA-1: 0x1EB9CB63FF9D2A2E486DB3AF4893396633629C83
12 %Temp%\mProjector61432136\System.3.1.1hj.mfx 27,648 bytes MD5: 0x050A2299DA9F3CDD630E625D0EF29DE4 SHA-1: 0x23446EF293AD42566189AE723DB2856C16292006
13 %Temp%\nsf4.tmp\nsisProcMgr_U.dll 53,248 bytes MD5: 0xC4D19CD1DC5AF2E7D045605F3F27B565 SHA-1: 0x984B531409B257554C2B3077E3FF0768436DEE70
14 %Temp%\nsf4.tmp\System.dll 9,728 bytes MD5: 0x9C32A7501C959B4AED7FD64313137ECC SHA-1: 0xF59B561FE96BCC3CE3967EBB8811D8A98A34F134
15 %ProgramFiles%\FLV Player\FLV Player.url 73 bytes MD5: 0x4FE86B28E689A962CDEEAFB8BB7216C5 SHA-1: 0x388A322F9128C575DD07BEF1FE9FCC4EDFBC3D18
16 %ProgramFiles%\FLV Player\FLVPlayer.exe 1,909,940 bytes MD5: 0x31F6A135DA6FBF556AECB2F27B45D1B2 SHA-1: 0xE12DAA9255AFC0951F795CBBE2BD3C6D79BE4F1B
17 %ProgramFiles%\FLV Player\license.txt 14,754 bytes MD5: 0x1A739366A7B325791198044EB440E0EE SHA-1: 0x87A8F81A512F8F04EA7A548C6A098DD3A7E0A1BF
18 %ProgramFiles%\FLV Player\uninst.exe 107,160 bytes MD5: 0xEAC11FD1AA7254714E64EA8D01C22C80 SHA-1: 0xB31AC8211966563E4B9A21C93236A3C6E46F137C
19 %ProgramFiles%\Yahoo!\Common\unyt.exe 104,161 bytes MD5: 0x834B4C572ACCD75E5ACFBF5E952AF0FA SHA-1: 0x22B838F02B39857AF76BE8D80C50622F38D08B59
20 %ProgramFiles%\Yahoo!\Common\unyt_wrap.exe 84,204 bytes MD5: 0x969AE4D624B267793EF045CE84D4A88B SHA-1: 0x3F294B8DEA67DEFFB02B6BAA07FE8678239C55AA
21 %ProgramFiles%\Yahoo!\Companion\Data\dlg_anstip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_anstipg.html 374 bytes MD5: 0x305FCDD79F823736C352FDFC849F6829 SHA-1: 0xEA1D3757E39986F43F924A9CE4F1FDA2A7C3AFAC
22 %ProgramFiles%\Yahoo!\Companion\Data\dlg_as.html 1,741 bytes MD5: 0x27AE97148C928E538082FC4B3E7FB723 SHA-1: 0xC010372F85E40FE706F090C0BA450D7AA4A589E1
23 %ProgramFiles%\Yahoo!\Companion\Data\dlg_atb.html 1,514 bytes MD5: 0x589E8A2F1EC39AE864E4853B5C595B76 SHA-1: 0xD077F4A9FDA1C5934598E06ED35DC1B65F14A651
24 %ProgramFiles%\Yahoo!\Companion\Data\dlg_auttip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_auttipg.html 374 bytes MD5: 0x169E1835E7FD684E17032F984122EFC2 SHA-1: 0x57632B1ABE5FB3E4F7C3B4A15136556EE3235993
25 %ProgramFiles%\Yahoo!\Companion\Data\dlg_bootip.html 374 bytes MD5: 0x9B374F870FFC3BC88E62DB53C16205B1 SHA-1: 0x1586996BBFE1F3AAAE050F06D0A4BD5E21317370
26 %ProgramFiles%\Yahoo!\Companion\Data\dlg_catb.html 2,362 bytes MD5: 0xDF0B2EAEA99B3FEC3BBE9884D5DFE2BF SHA-1: 0xB7A2F5F8F0A310FF3013B6C88C4C09DAF430A8EA
27 %ProgramFiles%\Yahoo!\Companion\Data\dlg_clutip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_clutipg.html 374 bytes MD5: 0x185D41FFAE8A783E4847D1E2D7C851F9 SHA-1: 0x0343527FFB1D129EB27E251B2E9B7ACC6E2EA764
28 %ProgramFiles%\Yahoo!\Companion\Data\dlg_cnf.html 2,524 bytes MD5: 0xDFA8A4D5F662BA95046F128C16BEBBDF SHA-1: 0x5B6CFEDA376143FA4515A694D938D9A93959AE8D
29 %ProgramFiles%\Yahoo!\Companion\Data\dlg_cotb.html 2,327 bytes MD5: 0x3D5A24CCC052ED3BBD0674BA7300FCB9 SHA-1: 0x3B51120AACC6C0218940D8CDF54A9285C7E55962
30 %ProgramFiles%\Yahoo!\Companion\Data\dlg_ctb.html 2,919 bytes MD5: 0x7DEC0C20390685D0224659666B744D98 SHA-1: 0x6A1D08E2FCD8FB066053956CD0803454C69D29CD
31 %ProgramFiles%\Yahoo!\Companion\Data\dlg_fantip.html 377 bytes MD5: 0x1704E178C172F7B5863C559D6C49F35F SHA-1: 0x0B834D268EEAD47529252F00ED7415AE80B74691
32 %ProgramFiles%\Yahoo!\Companion\Data\dlg_fantipg.html 379 bytes MD5: 0x0F4325F42E23A17CFC5C63EA3AA64578 SHA-1: 0x0979532736F59368DEE0BCE33DEDA179874CDEF7
33 %ProgramFiles%\Yahoo!\Companion\Data\dlg_fintip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_fintipg.html 377 bytes MD5: 0x9AA76D70200729F90AC35CBC25AED3F4 SHA-1: 0x0F09B8A09857AD27B667ECC8866A81A31C7E243C
34 %ProgramFiles%\Yahoo!\Companion\Data\dlg_flktip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_flktipg.html 374 bytes MD5: 0x5096C0CBBFFCB2E3F1C5DEF9411B9A30 SHA-1: 0xBBE1C51CDF242BFB23B618BEB53E379F81574765
35 %ProgramFiles%\Yahoo!\Companion\Data\dlg_grptip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_grptipg.html 377 bytes MD5: 0x0C69C6BEBB377EEDBD2A012E34215631 SHA-1: 0x2A6B8F655930FF4DEEB80077A5F190FA42A7ADBC
36 %ProgramFiles%\Yahoo!\Companion\Data\dlg_loctip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_loctipg.html 374 bytes MD5: 0x3F90E0A3E15F67C4E7C5A8186A1023FB SHA-1: 0x40F2B251F9D81366AB0D77C90783CD568E3B5498
37 %ProgramFiles%\Yahoo!\Companion\Data\dlg_logtip.html 377 bytes MD5: 0xD809333FE9E641E9B716079D66B846B3 SHA-1: 0x972044ED77DE37F94D93CD91EF9C550E9179FD40
38 %ProgramFiles%\Yahoo!\Companion\Data\dlg_mailatip.html 379 bytes MD5: 0x795578F31388F59A4F756CF414709B03 SHA-1: 0x713CA93085F7FAFB0EDE21AFD7B1967B0FA83B97
39 %ProgramFiles%\Yahoo!\Companion\Data\dlg_mailtip.html 378 bytes MD5: 0xED44F4353185287D4DF96162E25FBC0A SHA-1: 0xECE7396FB50BFA5EBE5306419DF34B4AE6D1BCE7
40 %ProgramFiles%\Yahoo!\Companion\Data\dlg_map.html 2,093 bytes MD5: 0xD916EAC821E4404CE049FA45017ED826 SHA-1: 0xB73E4DE8CAD6CA0A4A37378F93BB8C3006DF9B47
41 %ProgramFiles%\Yahoo!\Companion\Data\dlg_mlbtip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_mlbtipg.html 377 bytes MD5: 0xD4191FE550973A78C7EC668C7FE6C6EA SHA-1: 0xDED7935EEF822C2896D0F7A97B1A8CC7AAA54145
42 %ProgramFiles%\Yahoo!\Companion\Data\dlg_movtip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_movtipg.html 374 bytes MD5: 0xBEE7973AEECDA288E32D0CEAA396D910 SHA-1: 0xF72462E2564E4DFAC40AE4437EE895B3DC721920
43 %ProgramFiles%\Yahoo!\Companion\Data\dlg_msgratip.html 379 bytes MD5: 0x61C44F2B7792ED0282D7A5FE8BB1DCCA SHA-1: 0x717139C3680A9CFF0A41442A249EE8C842C3380A
44 %ProgramFiles%\Yahoo!\Companion\Data\dlg_msgrtip.html 378 bytes MD5: 0xB1AA92941B5F9C84BEB46272AAD5A545 SHA-1: 0x176896106305D20EA7623BEAFE91F291E4AC1B68
45 %ProgramFiles%\Yahoo!\Companion\Data\dlg_mustip.html 374 bytes MD5: 0x52FCE84185A03B7AF0E44455E15AA010 SHA-1: 0x58C5D8A2690AC4C8964D8ACEC319A649AD66CEA4
46 %ProgramFiles%\Yahoo!\Companion\Data\dlg_mustipg.html 375 bytes MD5: 0x4DBA0B149959D53C43D34FBEA9E8F7A2 SHA-1: 0x11782B87259FF1E41CCE8DDC461C464E646C15DC
47 %ProgramFiles%\Yahoo!\Companion\Data\dlg_nbatip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_nbatipg.html 377 bytes MD5: 0xA5FDDC5D4A68287AAFB2F62B0106AA0B SHA-1: 0x5B55DC37DBE6D5F2B1C6BCBEA7941BE773044D4C
48 %ProgramFiles%\Yahoo!\Companion\Data\dlg_newstip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_newstipg.html 378 bytes MD5: 0x1C87734E815B5442DEC3E32AC1F4DDD3 SHA-1: 0x60C6B127763A788803114623B88AAB867B37B3BF
49 %ProgramFiles%\Yahoo!\Companion\Data\dlg_newtip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_newtipg.html 375 bytes MD5: 0x0A72C141312023F12AC2A6D06B3F0FDD SHA-1: 0x1249C02C242CC5042DC85617E0C551914E50C3B1
50 %ProgramFiles%\Yahoo!\Companion\Data\dlg_nfltip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_nfltipg.html 377 bytes MD5: 0x9A597D15A20CBC6A7B953C69160E8345 SHA-1: 0xDD315EA199D23A34FC49719C4D3011E136657A7D
51 %ProgramFiles%\Yahoo!\Companion\Data\dlg_opt.html 13,235 bytes MD5: 0xC390B0F37094A51F7FA9755C21093EFC SHA-1: 0xD870ED381311160BFF95CEE35E351C0B1A23F16E
52 %ProgramFiles%\Yahoo!\Companion\Data\dlg_pub.html 3,682 bytes MD5: 0xC37B8F5F0BE97E5F94EA825CDD55C656 SHA-1: 0xCEC3494B61BC0E3B30BDAC5BC3257CFF8C137C5F
53 %ProgramFiles%\Yahoo!\Companion\Data\dlg_shotip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_shotipg.html 374 bytes MD5: 0x155617489139227D76033951D6A5B16A SHA-1: 0xBF51BED637A45C32369892DFECACD8CC169926A9
54 %ProgramFiles%\Yahoo!\Companion\Data\dlg_srchtip.html 338 bytes MD5: 0xDEDED03163E0AE51398686AEC08B6CBE SHA-1: 0x2D4B53BDE1ADE49C9F271A56668CC9BA56CF2CFB
55 %ProgramFiles%\Yahoo!\Companion\Data\dlg_tratip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_tratipg.html 374 bytes MD5: 0x5301BB56668988A06FF470E91DDA7525 SHA-1: 0x03DB2F4A7859BB323E45CA6A5F4B7B3C36A4F1BE
56 %ProgramFiles%\Yahoo!\Companion\Data\dlg_upg.html 505 bytes MD5: 0xFC9096C0837DC77B1A68D8B1DBD2C0F9 SHA-1: 0x4141DA7B9B80C14023FC57DE998B259FDEDFFB13
57 %ProgramFiles%\Yahoo!\Companion\Data\dlg_weatip.html
   %ProgramFiles%\Yahoo!\Companion\Data\dlg_weatipg.html 374 bytes MD5: 0x855FDA424FDCCCE659D8BF77F7F94EF1 SHA-1: 0xBDDBE24A9ECAEB2ABDEECDD098BA055EABDF6BAE
58 %ProgramFiles%\Yahoo!\Companion\Data\dlg_wp.html 4,817 bytes MD5: 0xE3155D81042EB08CC983EACE9EA85A71 SHA-1: 0x50A40F28D05F90CA33BB280689E9A06546102CD1
59 %ProgramFiles%\Yahoo!\Companion\Data\dlg_wp2.html 724 bytes MD5: 0xF485F7785515DF9A70F985F1175BEA3D SHA-1: 0xB8647075536A0D60A48765C4528A5132EBD805E9
60 %ProgramFiles%\Yahoo!\Companion\Installs\cpn\inyt.exe 123,944 bytes MD5: 0x3A084AAFB7442A601268C88ADAE64487 SHA-1: 0x46F4E6E87FE40D5E962DC4096DC54FFD439C5347
61 %ProgramFiles%\Yahoo!\Companion\Installs\cpn\inyt.exe.manifest 583 bytes MD5: 0x6C5EE63D8E649B75C991214BBDC5344E SHA-1: 0xE3C5ED3A0B81C10B0CFA1F241EE49B4784DBF5D5
62 %ProgramFiles%\Yahoo!\Companion\Installs\cpn\pubmod.dll 219,376 bytes MD5: 0x43B96ECEAE39133222914160ED16C4E4 SHA-1: 0x0337F6B7B15FB1C638BFFB3A3103B422D90EDCBA
63 %ProgramFiles%\Yahoo!\Companion\Installs\cpn\YCAPlugin.dll 112,368 bytes MD5: 0x3FE1DB89C149406E78FDCA005F09B689 SHA-1: 0x89A7836C5AD01D03D5577C5C03BF93B3BC275F29
64 %ProgramFiles%\Yahoo!\Companion\Installs\cpn\YMERemote.dll 204,016 bytes MD5: 0xC0439467FA3896AE7EFF772B16CBD70D SHA-1: 0x66FBFC47408CCBC0D18CB85D0081F814A4D2F466
65 %ProgramFiles%\Yahoo!\Companion\Installs\cpn\YPUBC.dll 196,096 bytes MD5: 0x92AF662A98BC68CB79D64BD27C99EE8E SHA-1: 0xC8A48EE6242516A90E9270C05314A4BF84458A21
66 %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll 882,416 bytes MD5: 0x6A2E0E49A4F2A9DF3E6293E37E7486BD SHA-1: 0x60BE9A6966A9B229C0A9013EB77A7A6809182DD9
67 %ProgramFiles%\Yahoo!\Companion\Installs\cpn\YTabBar.dll 213,744 bytes MD5: 0xE6CB7B225623C6E23DD6660EC6AE640D SHA-1: 0x8EA8AF036DB21FF371238756C4E46C9038C492D1
68 %ProgramFiles%\Yahoo!\Companion\Installs\cpn\YTAntiSpy.dll 50,680 bytes MD5: 0xBF08B70AFBF0BD7102713B4ECCD07AFC SHA-1: 0x3AEE842E7325A6A53829B3C7995C7C8CAA7CA2BA
69 %ProgramFiles%\Yahoo!\Companion\Installs\cpn\ytbb.exe 156,912 bytes MD5: 0xBCC1DA6FE894E755C47AC2EC2FFC3213 SHA-1: 0xB66B9CB3D897DD6AA0D14355F68A735E22C64615
70 %ProgramFiles%\Yahoo!\Companion\Installs\cpn\YTBM.dll 335,088 bytes MD5: 0x28090B517D6C72729A2F7A575E891670 SHA-1: 0xB5941D4A454B9197FEE3F2964E72B6D844CA0781
71 %ProgramFiles%\Yahoo!\Companion\Installs\cpn\YTMsgr.dll 188,144 bytes MD5: 0x84D2E4B6E068C867906B4BB35A37CAE5 SHA-1: 0x599A1314156AB38AE5ED7186E279817A609FA670
72 %ProgramFiles%\Yahoo!\Companion\Installs\cpn\YTNavAssist.dll 186,608 bytes MD5: 0x4D5EA8FA713123404FD372C59D8E94A3 SHA-1: 0x89701F49C78105900EF6BDEFC11DAEE2A3EF5EBD
73 %ProgramFiles%\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll 160,496 bytes MD5: 0xF64C4241FE5E519F62C47C361DC671D7 SHA-1: 0x165AD669BC3DBDAD4EF02C48B7B335FBBBF14151
74 [file and pathname of the sample #1] 4,998,707 bytes MD5: 0x014C88A3AFB657EEBEE8D0C3851936C5 SHA-1: 0xCC7AF27807223FC5127DF42ED0218BEFA99E23BD
75 %System%\wbem\Performance\WmiApRpl_new.ini 2 bytes MD5: 0xC4103F122D27677C9DB144CAE1394A66 SHA-1: 0x1489F923C4DCA729178B3E3233458550D8DDDF29

Notes:

%CommonDesktopDir% is a variable that refers to the file system directory that contains files and folders that appear on the desktop for all users. A typical path is C:\Documents and Settings\All Users\Desktop (Windows NT/2000/XP).

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%AppData%\Adobe\Flash Player

%AppData%\Macromedia

%Temp%\mProjector61432136

%CommonAppData%\Yahoo! Companion

%CommonAppData%\Yahoo! Companion\Data

%CommonAppData%\Yahoo! Companion\Data\default

%CommonAppData%\Yahoo! Companion\Download

%CommonAppData%\Yahoo! Companion\Icons

%CommonAppData%\Yahoo! Companion\Media

%CommonAppData%\Yahoo! Companion\Modules

%CommonPrograms%\FLV Player

%AppData%\Adobe\Flash Player\AssetCache

%AppData%\Adobe\Flash Player\AssetCache\Y6BZ7L6U

%AppData%\Macromedia\Flash Player

[pathname with a string SHARE]\#SharedObjects

[pathname with a string SHARE]\CG9F7BDX

[pathname with a string SHARE]\localhost

%AppData%\Macromedia\Flash Player\macromedia.com

%AppData%\Macromedia\Flash Player\macromedia.com\support

%AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer

%AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys

%AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local

%AppData%\Yahoo!

%AppData%\Yahoo!\Companion

%AppData%\Yahoo!\Companion\Buttons

%Temp%\nsf4.tmp

%ProgramFiles%\FLV Player

%ProgramFiles%\Yahoo!

%ProgramFiles%\Yahoo!\Common

%ProgramFiles%\Yahoo!\Companion

%ProgramFiles%\Yahoo!\Companion\Data

%ProgramFiles%\Yahoo!\Companion\Installs

%ProgramFiles%\Yahoo!\Companion\Installs\cpn

Notes:

%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.





Memory Modifications

There was a new process created in the system:

Process Name / Process Filename / Main Module Size
ytb_setup.exe %Temp%\nsf4.tmp\ytb_setup.exe 380,928 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YCAPlugin.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YMERemote.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YPUBC.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\yt.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YTabBar.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ytbbroker.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YTBM.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YTMsgr.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YTNavAssist.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YTSingleInstance.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{07CDAAD9-1226-4C6D-B774-C00E7B323484}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1CAE874F-F5C7-4BCC-BA46-9AD26DF35B93}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{35860EFB-1589-4F32-A618-99E847A502B2}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{39DCCEAF-C749-4390-9953-527CF916935C}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{41D7CEE0-D91F-498C-BC88-4A6BEE46C2BC}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{7D831388-D405-4272-9511-A07440AD2927}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9EDCCD11-960D-49AE-B523-C6B5AB7E1345}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EB2BA65E-41F6-4F64-92A6-216CDFFDF577}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EFC0651C-B6D7-49CD-A6E0-B1CE9AB5FE46}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{FFFFE1D1-E40D-49a1-9622-BC59BD1879C3}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\Component Categories

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\409

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\409

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\Control

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\Implemented Categories

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\MiscStatus

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\MiscStatus\1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1147DC83-6208-4dca-8E88-DD45BAAB3043}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1147DC83-6208-4dca-8E88-DD45BAAB3043}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1147DC83-6208-4dca-8E88-DD45BAAB3043}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1147DC83-6208-4dca-8E88-DD45BAAB3043}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}\LocalServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31371420-098D-4C0E-A11E-EBEC2305DD01}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31371420-098D-4C0E-A11E-EBEC2305DD01}\LocalServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31371420-098D-4C0E-A11E-EBEC2305DD01}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31371420-098D-4C0E-A11E-EBEC2305DD01}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31371420-098D-4C0E-A11E-EBEC2305DD01}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31371420-098D-4C0E-A11E-EBEC2305DD01}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\Control

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\MiscStatus

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\MiscStatus\1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\ToolboxBitmap32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A06AA27-D94B-48C2-BB55-9FD0FF2120E3}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A06AA27-D94B-48C2-BB55-9FD0FF2120E3}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A06AA27-D94B-48C2-BB55-9FD0FF2120E3}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A06AA27-D94B-48C2-BB55-9FD0FF2120E3}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A06AA27-D94B-48C2-BB55-9FD0FF2120E3}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A06AA27-D94B-48C2-BB55-9FD0FF2120E3}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46140CE4-76FE-440E-AE88-4C2272BC05C7}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46140CE4-76FE-440E-AE88-4C2272BC05C7}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46140CE4-76FE-440E-AE88-4C2272BC05C7}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46140CE4-76FE-440E-AE88-4C2272BC05C7}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46140CE4-76FE-440E-AE88-4C2272BC05C7}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46140CE4-76FE-440E-AE88-4C2272BC05C7}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\Control

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\MiscStatus

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\MiscStatus\1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\ToolboxBitmap32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EB4349D-4333-442F-ACA4-4C72AF28B6ED}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EB4349D-4333-442F-ACA4-4C72AF28B6ED}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EB4349D-4333-442F-ACA4-4C72AF28B6ED}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EB4349D-4333-442F-ACA4-4C72AF28B6ED}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EB4349D-4333-442F-ACA4-4C72AF28B6ED}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YCAPlugin.DLL]

AppID = "{41D7CEE0-D91F-498C-BC88-4A6BEE46C2BC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YMERemote.DLL]

AppID = "{7D831388-D405-4272-9511-A07440AD2927}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YPUBC.DLL]

AppID = "{FFFFE1D1-E40D-49a1-9622-BC59BD1879C3}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\yt.DLL]

AppID = "{1CAE874F-F5C7-4BCC-BA46-9AD26DF35B93}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YTabBar.DLL]

AppID = "{35860EFB-1589-4F32-A618-99E847A502B2}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ytbbroker.EXE]

AppID = "{EFC0651C-B6D7-49CD-A6E0-B1CE9AB5FE46}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YTBM.DLL]

AppID = "{07CDAAD9-1226-4C6D-B774-C00E7B323484}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YTMsgr.DLL]

AppID = "{9EDCCD11-960D-49AE-B523-C6B5AB7E1345}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YTNavAssist.DLL]

AppID = "{EB2BA65E-41F6-4F64-92A6-216CDFFDF577}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YTSingleInstance.DLL]

AppID = "{39DCCEAF-C749-4390-9953-527CF916935C}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{07CDAAD9-1226-4C6D-B774-C00E7B323484}]

(Default) = "YTBM"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1CAE874F-F5C7-4BCC-BA46-9AD26DF35B93}]

(Default) = "yt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{35860EFB-1589-4F32-A618-99E847A502B2}]

(Default) = "YTabBar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{39DCCEAF-C749-4390-9953-527CF916935C}]

(Default) = "YTSingleInstance"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{41D7CEE0-D91F-498C-BC88-4A6BEE46C2BC}]

(Default) = "YCAPlugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{7D831388-D405-4272-9511-A07440AD2927}]

(Default) = "YMERemote"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9EDCCD11-960D-49AE-B523-C6B5AB7E1345}]

(Default) = "YTMsgr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EB2BA65E-41F6-4F64-92A6-216CDFFDF577}]

(Default) = "YTNavAssist"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EFC0651C-B6D7-49CD-A6E0-B1CE9AB5FE46}]

(Default) = "ytbbroker"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{FFFFE1D1-E40D-49a1-9622-BC59BD1879C3}]

(Default) = "YPUBC"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\409]

(Default) = "Controls that are safely scriptable"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\409]

(Default) = "Controls safely initializable from persistent data"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\MiscStatus\1]

(Default) = "131473"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\VersionIndependentProgID]

(Default) = "yt.YTHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\Version]

(Default) = "6.3.0.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\TypeLib]

(Default) = "{003028C2-EA1C-4676-A316-B5CB50917002}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ProgID]

(Default) = "yt.YTHelper.2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\MiscStatus]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\InprocServer32]

(Default) = "%ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll"

ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

(Default) = "&Yahoo! Toolbar Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1147DC83-6208-4dca-8E88-DD45BAAB3043}\VersionIndependentProgID]

(Default) = "Yahoo.PopupBlockerPlugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1147DC83-6208-4dca-8E88-DD45BAAB3043}\ProgID]

(Default) = "Yahoo.PopupBlockerPlugin.4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1147DC83-6208-4dca-8E88-DD45BAAB3043}\InprocServer32]

(Default) = "%ProgramFiles%\Yahoo!\Companion\Installs\cpn\pubmod.dll"

ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1147DC83-6208-4dca-8E88-DD45BAAB3043}]

(Default) = "PopupBlocker Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}\VersionIndependentProgID]

(Default) = "YPUBC.StringList"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}\TypeLib]

(Default) = "{8A1AB044-787D-4309-8410-709768E484AB}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}\ProgID]

(Default) = "YPUBC.StringList.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}\InprocServer32]

(Default) = "%ProgramFiles%\Yahoo!\Companion\Installs\cpn\YPUBC.dll"

ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}]

(Default) = "StringList Class"

AppID = "{FFFFE1D1-E40D-49a1-9622-BC59BD1879C3}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}\VersionIndependentProgID]

(Default) = "ytbbroker.YTBMessengerAssistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}\TypeLib]

(Default) = "{61A2027D-B837-4080-A925-6E30E10DEF32}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}\ProgID]

(Default) = "ytbbroker.YTBMessengerAssistant.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}\LocalServer32]

(Default) = ""%ProgramFiles%\Yahoo!\Companion\Installs\cpn\ytbb.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}]

(Default) = "YTBMessengerAssistant Class"

AppID = "{EFC0651C-B6D7-49CD-A6E0-B1CE9AB5FE46}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31371420-098D-4C0E-A11E-EBEC2305DD01}\VersionIndependentProgID]

(Default) = "ytbbroker.YTBCustomizerAssistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31371420-098D-4C0E-A11E-EBEC2305DD01}\TypeLib]

(Default) = "{61A2027D-B837-4080-A925-6E30E10DEF32}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31371420-098D-4C0E-A11E-EBEC2305DD01}\ProgID]

(Default) = "ytbbroker.YTBCustomizerAssistant.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31371420-098D-4C0E-A11E-EBEC2305DD01}\LocalServer32]

(Default) = ""%ProgramFiles%\Yahoo!\Companion\Installs\cpn\ytbb.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31371420-098D-4C0E-A11E-EBEC2305DD01}]

(Default) = "YTBCustomizerAssistant Class"

AppID = "{EFC0651C-B6D7-49CD-A6E0-B1CE9AB5FE46}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\MiscStatus\1]

(Default) = "131473"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\VersionIndependentProgID]

(Default) = "YPUBC.PUBHTMLEventHandler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\Version]

(Default) = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\TypeLib]

(Default) = "{8A1AB044-787D-4309-8410-709768E484AB}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\ToolboxBitmap32]

(Default) = "%ProgramFiles%\Yahoo!\Companion\Installs\cpn\YPUBC.dll, 106"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\ProgID]

(Default) = "YPUBC.PUBHTMLEventHandler.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\MiscStatus]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}\InprocServer32]

(Default) = "%ProgramFiles%\Yahoo!\Companion\Installs\cpn\YPUBC.dll"

ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37B8167C-B9A4-4316-94B2-67B64BB2BA7C}]

(Default) = "PUBHTMLEventHandler Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A06AA27-D94B-48C2-BB55-9FD0FF2120E3}\VersionIndependentProgID]

(Default) = "YTNavAssist.NameSpacePP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A06AA27-D94B-48C2-BB55-9FD0FF2120E3}\TypeLib]

(Default) = "{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A06AA27-D94B-48C2-BB55-9FD0FF2120E3}\ProgID]

(Default) = "YTNavAssist.NameSpacePP.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A06AA27-D94B-48C2-BB55-9FD0FF2120E3}\InprocServer32]

(Default) = "%ProgramFiles%\Yahoo!\Companion\Installs\cpn\YTNavAssist.dll"

ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3A06AA27-D94B-48C2-BB55-9FD0FF2120E3}]

(Default) = "YTNavAssist.NameSpacePP Class"

AppID = "{EB2BA65E-41F6-4F64-92A6-216CDFFDF577}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46140CE4-76FE-440E-AE88-4C2272BC05C7}\VersionIndependentProgID]

(Default) = "YTNavAssist.NameSpaceCF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46140CE4-76FE-440E-AE88-4C2272BC05C7}\TypeLib]

(Default) = "{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46140CE4-76FE-440E-AE88-4C2272BC05C7}\ProgID]

(Default) = "YTNavAssist.NameSpaceCF.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46140CE4-76FE-440E-AE88-4C2272BC05C7}\InprocServer32]

(Default) = "%ProgramFiles%\Yahoo!\Companion\Installs\cpn\YTNavAssist.dll"

ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46140CE4-76FE-440E-AE88-4C2272BC05C7}]

(Default) = "YTNavAssist.NameSpaceCF Class"

AppID = "{EB2BA65E-41F6-4F64-92A6-216CDFFDF577}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\MiscStatus\1]

(Default) = "131473"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\VersionIndependentProgID]

(Default) = "YPUBC.BlockerCtrl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\Version]

(Default) = "3.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\TypeLib]

(Default) = "{8A1AB044-787D-4309-8410-709768E484AB}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\ToolboxBitmap32]

(Default) = "%ProgramFiles%\Yahoo!\Companion\Installs\cpn\YPUBC.dll, 102"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\ProgID]

(Default) = "YPUBC.BlockerCtrl.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\MiscStatus]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}\InprocServer32]

(Default) = "%ProgramFiles%\Yahoo!\Companion\Installs\cpn\YPUBC.dll"

ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E40017D-FB6A-4804-BDE4-3BB09F1719C1}]

(Default) = "BlockerCtrl Class"

AppID = "{FFFFE1D1-E40D-49a1-9622-BC59BD1879C3}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EB4349D-4333-442F-ACA4-4C72AF28B6ED}\VersionIndependentProgID]

(Default) = "yt.CacheLoader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EB4349D-4333-442F-ACA4-4C72AF28B6ED}\TypeLib]

(Default) = "{003028C2-EA1C-4676-A316-B5CB50917002}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EB4349D-4333-442F-ACA4-4C72AF28B6ED}\ProgID]

(Default) = "yt.CacheLoader.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EB4349D-4333-442F-ACA4-4C72AF28B6ED}\InprocServer32]

(Default) = "%ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll"

ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EB4349D-4333-442F-ACA4-4C72AF28B6ED}]

(Default) = "CacheLoader Class"

AppID = "{1CAE874F-F5C7-4BCC-BA46-9AD26DF35B93}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}\VersionIndependentProgID]

(Default) = "YTNavAssist.YTNavAssistPlugin"

The following Registry Values were modified:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Search Page =

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]

provider =

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

{0E5CBF21-D15F-11D0-8301-00AA005B4383} =

ITBarLayout =
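The listing above is the sort of registry diff a sandbox report produces for a COM-heavy installer. What matters for triage is not the number of keys but which binaries the CLSIDs resolve to: an InprocServer32 entry is a DLL that gets loaded into every process that instantiates the class (here Internet Explorer, since the helper is registered as a toolbar/BHO), while a LocalServer32 entry launches a separate EXE. The Python below is an added example, not part of the thread or of any tool it mentions: it parses the report's own `[key]` / `name = "value"` layout and collapses the per-subkey entries into one record per CLSID, grouped by server binary. The sample text is a constructed subset of the lines quoted above; the function names are mine.

```python
import re

# Constructed sample: a subset of the registry listing quoted above, kept in
# the report's own "[key]" / "name = value" layout (the ytbb.exe value keeps
# the doubled quotes exactly as the report shows them).
REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ProgID]
(Default) = "yt.YTHelper.2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\InprocServer32]
(Default) = "%ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll"
ThreadingModel = "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
(Default) = "&Yahoo! Toolbar Helper"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1147DC83-6208-4dca-8E88-DD45BAAB3043}\InprocServer32]
(Default) = "%ProgramFiles%\Yahoo!\Companion\Installs\cpn\pubmod.dll"
ThreadingModel = "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1147DC83-6208-4dca-8E88-DD45BAAB3043}]
(Default) = "PopupBlocker Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}\LocalServer32]
(Default) = ""%ProgramFiles%\Yahoo!\Companion\Installs\cpn\ytbb.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E57256D-9F39-4267-AB39-D7813D644C5A}]
(Default) = "YTBMessengerAssistant Class"
AppID = "{EFC0651C-B6D7-49CD-A6E0-B1CE9AB5FE46}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\409]
(Default) = "Controls that are safely scriptable"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Search Page =
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
ITBarLayout =
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches ...\CLSID\{guid} and an optional subkey; "Component Categories"
# keys do not match because the GUID does not follow \CLSID\ directly.
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.+))?$")
SERVER_SUBKEYS = ("InprocServer32", "LocalServer32")


def parse_report(text):
    """Return {key_path: {value_name: value}} from the report's listing."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        keys[current][name.strip()] = value.strip().strip('"')
    return keys


def com_servers(keys):
    """Collapse per-subkey entries into one record per registered CLSID."""
    servers = {}
    for path, vals in keys.items():
        m = CLSID_RE.search(path)
        if not m:
            continue
        clsid, sub = m.groups()
        rec = servers.setdefault(clsid, {"clsid": clsid})
        if sub is None:                       # the CLSID key itself
            rec["name"] = vals.get("(Default)", "")
            if "AppID" in vals:
                rec["appid"] = vals["AppID"]
        elif sub in SERVER_SUBKEYS:            # which binary implements it
            rec["server"] = sub
            rec["binary"] = vals.get("(Default)", "")
            rec["threading"] = vals.get("ThreadingModel", "")
        elif sub in ("ProgID", "VersionIndependentProgID", "TypeLib"):
            rec[sub] = vals.get("(Default)", "")
    return servers


def by_binary(servers):
    """Group CLSIDs by the DLL/EXE that backs them (case-folded path)."""
    out = {}
    for rec in servers.values():
        if "binary" in rec:
            out.setdefault(rec["binary"].lower(), []).append(rec["clsid"])
    return out


def ie_changes(keys):
    """Value names touched under Internet Explorer keys (search/toolbar state)."""
    return {p: sorted(v) for p, v in keys.items() if "\\Internet Explorer\\" in p}


if __name__ == "__main__":
    keys = parse_report(REPORT)
    for binary, clsids in by_binary(com_servers(keys)).items():
        print(binary)
        for c in clsids:
            print("   ", c)
    print("IE values modified:", ie_changes(keys))
```

Grouping by binary is the quick sanity check: if every server path sits under the vendor's own install directory, the report is describing a normal (if intrusive) toolbar install; a CLSID whose server points at a temp directory or a file with no vendor name is what deserves the next look.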

#8 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,259 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:04:13 PM

Posted 13 March 2010 - 04:57 PM

In my further analyses I have determined that there are two files in the CNET download that are not in the Softpedia download: processwork.dll and UserInfo.dll. These files do not seem to be malicious and, in fact, are included in the download available from the developer's website. The file made available from CNET is bit-for-bit identical to the one from the developer's website whereas the one from Softpedia is not.

I don't think either of them is infected. The VirusTotal analysis of the installer shows that 2 out of 41 scanners flag it as infected (and one of them is eSafe, which is crap anyway; the other is TheHacker, with which I haven't much experience). Such a low detection rate means either that it's a false positive (which I think likely) or that it's infected with something so new that most scanners don't detect it yet (possible, but I think it's unlikely).

The file you had analyzed by Threat Expert is precisely the same one that I downloaded from CNET and the developer's website (SHA1SUM CC7AF27807223FC5127DF42ED0218BEFA99E23BD). So, provided that you submitted the file from your hard drive, no alterations have been made to the executable while in transit or subsequently by existing infections on your machine.
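The method in the post above (check the installer's hash against the developer's copy, then look at which files differ between the two mirrors' downloads) is easy to script. The Python below is an added example, not the poster's own code: `verify_download` checks a file against a published checksum, and `hash_tree` / `compare_trees` hash two extracted directory trees and report files that exist in only one tree or differ in content. `build_demo` writes a constructed stand-in for the two downloads (made-up bytes; only the file names processwork.dll and UserInfo.dll come from the post) so the script runs offline.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hex digest of a file, streamed so large installers are not read at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex, algo="sha1"):
    """True if the file matches a published checksum (case-insensitive).
    SHA-1 is what the thread quotes; keep SHA-256 for your own baselines."""
    return file_digest(path, algo) == expected_hex.strip().lower()


def hash_tree(root):
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    tree = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            tree[rel] = file_digest(full)
    return tree


def compare_trees(a, b):
    """What differs between two extracted installer trees (dicts from hash_tree)."""
    common = a.keys() & b.keys()
    return {
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "differing": sorted(p for p in common if a[p] != b[p]),
        "identical": sorted(p for p in common if a[p] == b[p]),
    }


def build_demo():
    """Constructed stand-in for the two extracted downloads. The bytes are made
    up; only the two extra file names come from the post. Returns (dir_a, dir_b)."""
    base = tempfile.mkdtemp(prefix="mirrorcmp-")
    shared = {"setup.exe": b"MZ main program bytes", "readme.txt": b"hello"}
    mirror_a = dict(shared, **{"processwork.dll": b"MZ dll one",
                               "UserInfo.dll": b"MZ dll two"})
    dirs = []
    for label, files in (("mirror_a", mirror_a), ("mirror_b", shared)):
        d = os.path.join(base, label)
        os.makedirs(d)
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        dirs.append(d)
    return tuple(dirs)


def demo_report():
    """Run the comparison on the constructed trees; returns (diff, sha1_ok)."""
    dir_a, dir_b = build_demo()
    diff = compare_trees(hash_tree(dir_a), hash_tree(dir_b))
    setup = os.path.join(dir_a, "setup.exe")
    # In real use the second argument is the checksum the developer publishes
    # (e.g. the SHA-1 quoted in the post); here we check against our own digest.
    ok = verify_download(setup, file_digest(setup, "sha1").upper())
    return diff, ok


if __name__ == "__main__":
    diff, ok = demo_report()
    for key, paths in diff.items():
        print(f"{key:10s} {paths}")
    print("installer checksum matches:", ok)
```

Run it against the real downloads by extracting each installer into its own directory (most NSIS/Inno installers unpack with 7-Zip) and pointing `hash_tree` at the two directories; a mirror that matches the developer's hash byte for byte, as in the post, needs no tree comparison at all.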

#9 Nawtheasta

Nawtheasta

  • Members
  • 403 posts
  • OFFLINE
  •  
  • Location:New England, USA
  • Local time:07:13 PM

Posted 13 March 2010 - 07:51 PM

This is what I love about BP. A member has a question or problem and is responded to with insightful questions designed to determine what is going on. No flaming or condescension. Just polite and helpful responses. It was a pleasure to read this topic. Not just for the answer but the way it was arrived at and was given. Makes one proud to be a member. :thumbsup:
Thanks to all who posted
Best Regards
Nawtheasta

#10 rogue212

rogue212
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 14 March 2010 - 11:47 AM

I agree with the above comments, and I'm sorry for my alarming post, but Virscan was the one that really alarmed me. May I now ask for your advice? If that was a false positive, then I deleted a lot of my data that I can't replace just to be safe. I've learnt my lesson; my story has now turned into a nightmare.

As F-Prot was one of the scanners that picked up the infection on Virscan, which found the original infection discussed, I decided to try the trial version to scan all of my backup drives etc. I found a folder hidden inside a folder inside another folder etc. etc. on one of my external hard drives containing all my important data. This is what it found; please could you give me some advice on the possibility of these infections infecting other files on my drive or drives with malicious code and what to do, thank you.

I have never installed these programs, and I scanned these drives regularly with the best online and free scanners; they were always clean. It's my fault, I know, for sharing my computer. Thank you all for your replies.

F-Prot found:
AnyDVD.exe W32/Backdoor2.DAVN (exact)
SetupAnyDVD6184.exe W32/Backdoor2.AXXB (exact)
FLVDownloader_Install.0xe W32/Backdoor2.BBNJ (exact)
CloneDVD1.3.10.1.exe

Sent them to VirusTotal for scanning, alarming!
VirusTotal Found:

File AnyDVD.exe received on 2010.03.14 14:17:24 (UTC)
Current status: finished
Result: 8/42 (19.05%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.14 Riskware.Hacktool.Keygen.anydvd!IK
AhnLab-V3 5.0.0.2 2010.03.14 -
AntiVir 8.2.1.180 2010.03.12 -
Antiy-AVL 2.0.3.7 2010.03.12 -
Authentium 5.2.0.5 2010.03.13 W32/Backdoor2.DAVN
Avast 4.8.1351.0 2010.03.14 -
Avast5 5.0.332.0 2010.03.14 -
AVG 9.0.0.787 2010.03.14 -
BitDefender 7.2 2010.03.14 -
CAT-QuickHeal 10.00 2010.03.13 Trojan.Agent.irc
ClamAV 0.96.0.0-git 2010.03.14 -
Comodo 4254 2010.03.14 -
DrWeb 5.0.1.12222 2010.03.14 -
eSafe 7.0.17.0 2010.03.14 Win32.TrojanHorse
eTrust-Vet 35.2.7359 2010.03.12 -
F-Prot 4.5.1.85 2010.03.13 W32/Backdoor2.DAVN
F-Secure 9.0.15370.0 2010.03.14 -
Fortinet 4.0.14.0 2010.03.13 -
GData 19 2010.03.14 -
Ikarus T3.1.1.80.0 2010.03.14 not-a-virus.Hacktool.Keygen.anydvd
Jiangmin 13.0.900 2010.03.14 -
K7AntiVirus 7.10.997 2010.03.13 -
Kaspersky 7.0.0.125 2010.03.14 -
McAfee 5919 2010.03.13 -
McAfee+Artemis 5919 2010.03.13 -
McAfee-GW-Edition 6.8.5 2010.03.13 Heuristic.LooksLike.Win32.Suspicious.H
Microsoft 1.5502 2010.03.12 -
NOD32 4943 2010.03.14 -
Norman 6.04.08 2010.03.14 -
nProtect 2009.1.8.0 2010.03.13 -
Panda 10.0.2.2 2010.03.14 -
PCTools 7.0.3.5 2010.03.14 -
Prevx 3.0 2010.03.14 -
Rising 22.38.04.03 2010.03.12 -
Sophos 4.51.0 2010.03.14 -
Sunbelt 5877 2010.03.14 -
Symantec 20091.2.0.41 2010.03.14 -
TheHacker 6.5.2.0.233 2010.03.13 -
TrendMicro 9.120.0.1004 2010.03.14 -
VBA32 3.12.12.2 2010.03.14 -
ViRobot 2010.3.13.2226 2010.03.13 -
VirusBuster 5.0.27.0 2010.03.13 Backdoor.BackDoor.B

Additional information
File size: 175616 bytes
MD5 : 45429bc1d6f7a0218fea7827a8fc0685
SHA1 : 0557ee182b3ce28de2e12f07e0a7c0738366d502


File FLVDownloader_Install.0xe received on 2010.03.14 14:29:29 (UTC)
Current status: finished
Result: 19/42 (45.24%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.14 Backdoor.Win32.Sheldor!IK
AhnLab-V3 5.0.0.2 2010.03.14 -
AntiVir 8.2.1.180 2010.03.12 -
Antiy-AVL 2.0.3.7 2010.03.12 -
Authentium 5.2.0.5 2010.03.13 W32/Backdoor2.BBNJ
Avast 4.8.1351.0 2010.03.14 Win32:Adware-gen
Avast5 5.0.332.0 2010.03.14 Win32:Adware-gen
AVG 9.0.0.787 2010.03.14 -
BitDefender 7.2 2010.03.14 Adware.Generic.45143
CAT-QuickHeal 10.00 2010.03.13 -
ClamAV 0.96.0.0-git 2010.03.14 -
Comodo 4254 2010.03.14 -
DrWeb 5.0.1.12222 2010.03.14 -
eSafe 7.0.17.0 2010.03.14 Win32.Lmir.ac
eTrust-Vet 35.2.7359 2010.03.12 -
F-Prot 4.5.1.85 2010.03.13 W32/Backdoor2.BBNJ
F-Secure 9.0.15370.0 2010.03.14 Trojan.Generic.381620
Fortinet 4.0.14.0 2010.03.13 Adware/AdMoke
GData 19 2010.03.14 Adware.Generic.45143
Ikarus T3.1.1.80.0 2010.03.14 Backdoor.Win32.Sheldor
Jiangmin 13.0.900 2010.03.14 -
K7AntiVirus 7.10.997 2010.03.13 -
Kaspersky 7.0.0.125 2010.03.14 not-a-virus:AdWare.Win32.AdMoke.agg
McAfee 5919 2010.03.13 -
McAfee+Artemis 5919 2010.03.13 Artemis!DADD6DE8CE40
McAfee-GW-Editio 6.8.5 2010.03.13 -
Microsoft 1.5502 2010.03.12 -
NOD32 4943 2010.03.14 probably a variant of Win32/Adware.Agent
Norman 6.04.08 2010.03.14 -
nProtect 2009.1.8.0 2010.03.13 -
Panda 10.0.2.2 2010.03.14 Trj/CI.A
PCTools 7.0.3.5 2010.03.14 -
Rising 22.38.04.03 2010.03.12 -
Sophos 4.51.0 2010.03.14 Mal/Generic-A
Sunbelt 5877 2010.03.14 AdWare.Win32.AdMoke.agg
Symantec 20091.2.0.41 2010.03.14 Reser.Reputation.1
TheHacker 6.5.2.0.233 2010.03.13 -
TrendMicro 9.120.0.1004 2010.03.14 -
VBA32 3.12.12.2 2010.03.14 AdWare.Win32.AdMoke.agg
ViRobot 2010.3.13.2226 2010.03.13 -
VirusBuster 5.0.27.0 2010.03.13 -

Additional information
File size: 4041112 bytes
MD5 : dadd6de8ce408f9f676ddb20913c19f1
SHA1 : 68376b4cf849bc3da8727b5f2ea26bd4067c97c4


File SetupAnyDVD6184.exe received on 2010.03.14 14:42:06 (UTC)
Current status: finished
Result: 30/42 (71.43%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.14 Downloader.QuickBatch!IK
AhnLab-V3 5.0.0.2 2010.03.14 Win32/Xema.worm.132814
AntiVir 8.2.1.180 2010.03.12 TR/Agent.2877454
Antiy-AVL 2.0.3.7 2010.03.12 AdWare/Win32.Shopper.gen
Authentium 5.2.0.5 2010.03.13 W32/Backdoor2.AXXB
Avast 4.8.1351.0 2010.03.14 -
Avast5 5.0.332.0 2010.03.14 -
AVG 9.0.0.787 2010.03.14 -
BitDefender 7.2 2010.03.14 Trojan.Generic.370028
CAT-QuickHeal 10.00 2010.03.13 Trojan.Agent.IRC
ClamAV 0.96.0.0-git 2010.03.14 Trojan.Agent-21076
Comodo 4254 2010.03.14 UnclassifiedMalware
DrWeb 5.0.1.12222 2010.03.14 Trojan.Iahonor
eSafe 7.0.17.0 2010.03.14 -
eTrust-Vet 35.2.7359 2010.03.12 -
F-Prot 4.5.1.85 2010.03.13 W32/Backdoor2.AXXB
F-Secure 9.0.15370.0 2010.03.14 Trojan.Generic.370028
Fortinet 4.0.14.0 2010.03.13 PossibleThreat
GData 19 2010.03.14 Trojan.Generic.370028
Ikarus T3.1.1.80.0 2010.03.14 Downloader.QuickBatch
Jiangmin 13.0.900 2010.03.14 TrojanDropper.Agent.ikl
K7AntiVirus 7.10.997 2010.03.13 not-a-virus:AdWare.Win32.Shopper.z
Kaspersky 7.0.0.125 2010.03.14 -
McAfee 5919 2010.03.13 -
McAfee+Artemis 5919 2010.03.13 Artemis!4E7D8DD949F9
McAfee-GW-Editio 6.8.5 2010.03.13 Trojan.Agent.2877454
Microsoft 1.5502 2010.03.12 -
NOD32 4943 2010.03.14 probably a variant of Win32/Agent
Norman 6.04.08 2010.03.14 W32/Shopper.AI
nProtect 2009.1.8.0 2010.03.13 -
Panda 10.0.2.2 2010.03.14 -
PCTools 7.0.3.5 2010.03.14 Trojan.Dropper.Hoy
Prevx 3.0 2010.03.14 High Risk Worm
Rising 22.38.04.03 2010.03.12 Dropper.Win32.KillAV.b
Sophos 4.51.0 2010.03.14 Mal/Generic-A
Sunbelt 5877 2010.03.14 -
Symantec 20091.0.41 2010.03.14 Trojan Horse
TheHacker 6.5.2.0.233 2010.03.13 Adware/Shopper.z
TrendMicro 9.120.0.1004 2010.03.14 TROJ_DROPPER.HOY
VBA32 3.12.12.2 2010.03.14 Trojan.Iahonor
ViRobot 2010.3.13.2226 2010.03.13 -
VirusBuster 5.0.27.0 2010.03.13 Backdoor.Agent.GROI

Additional information
File size: 2877454 bytes
MD5 : 4e7d8dd949f9b3e2699c7e2b6b63e588
SHA1 : c61c94dd8bdd8b2c38ce93146cbad9425b6a304a


CloneDVD1.3.10.1.exe received on 2010.03.14 14:22:30 (UTC)
Current status: finished
Result: 5/41 (12.20%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.14 -
AhnLab-V3 5.0.0.2 2010.03.14 -
AntiVir 8.2.1.180 2010.03.12 -
Antiy-AVL 2.0.3.7 2010.03.12 -
Authentium 5.2.0.5 2010.03.13 -
Avast 4.8.1351.0 2010.03.14 -
Avast5 5.0.332.0 2010.03.14 -
AVG 9.0.0.787 2010.03.14 -
BitDefender 7.2 2010.03.14 -
CAT-QuickHeal 10.00 2010.03.13 AdWare.CommonName.al (Not a Virus)
ClamAV 0.96.0.0-git 2010.03.14 -
Comodo 4254 2010.03.14 -
DrWeb 5.0.1.12222 2010.03.14 -
eSafe 7.0.17.0 2010.03.14 -
eTrust-Vet 35.2.7359 2010.03.12 -
F-Prot 4.5.1.85 2010.03.13 -
Fortinet 4.0.14.0 2010.03.13 -
GData 19 2010.03.14 -
Ikarus T3.1.1.80.0 2010.03.14 -
Jiangmin 13.0.900 2010.03.14 Adware/Agent.bfw
K7AntiVirus 7.10.997 2010.03.13 -
Kaspersky 7.0.0.125 2010.03.14 -
McAfee 5919 2010.03.13 -
McAfee+Artemis 5919 2010.03.13 -
McAfee-GW-Edition 6.8.5 2010.03.13 -
Microsoft 1.5502 2010.03.12 -
NOD32 4943 2010.03.14 -
Norman 6.04.08 2010.03.14 -
nProtect 2009.1.8.0 2010.03.13 -
Panda 10.0.2.2 2010.03.14 -
PCTools 7.0.3.5 2010.03.14 -
Prevx 3.0 2010.03.14 High Risk Worm
Rising 22.38.04.03 2010.03.12 -
Sophos 4.51.0 2010.03.14 -
Sunbelt 5877 2010.03.14 -
Symantec 20091.2.0.41 2010.03.14 -
TheHacker 6.5.2.0.233 2010.03.13 Adware/CommonName.z
TrendMicro 9.120.0.1004 2010.03.14 -
VBA32 3.12.12.2 2010.03.14 AdWare.Win32.CommonName.bl
ViRobot 2010.3.13.2226 2010.03.13 -
VirusBuster 5.0.27.0 2010.03.13 -

Additional information
File size: 3940232 bytes
MD5 : 3bef8be4317a0f93cb988daa2e23a9e6
SHA1 : f30e0d60e8fe2fc25f4a364ade969025a0d5a495

Edited by rogue212, 14 March 2010 - 01:10 PM.


#11 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,259 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:04:13 PM

Posted 14 March 2010 - 10:06 PM

I would suggest posting a help topic in the Am I Infected? What Do I Do? forum since that's where most of the real experts on the board hang out.

#12 rogue212

rogue212
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 15 March 2010 - 05:32 AM

I'd like to thank you for your help and advice. Just to update you for the last time, and then I will leave you in peace: I've found more stuff on my external drives, mp3 songs etc. F-Prot has scanned them, and lots and lots of my good programs, even Gigabyte display drivers and the ZoneAlarm firewall, are damaged, contain infected objects or are infected. Infections reported include W32/Trojan3.BAT, W32/Backdoor2.DXMC (exact), W32/BackdoorX.BUJG, W32/Backdoor2.DAVN (exact), W32/Backdoor2.BBNJ (exact), W32/Backdoor2.AXXB and W32/Skintrim.1!Generic, but the main one is W32/Backdoor2.DXMC, more false positives.

I know lots of these files were or are clean. I'm now in the process of uploading them again to online scanners for testing; if they are now truly infected then something very nasty is or has been on my computer for some time. This may go back to when I cleaned my nephew's infected computer; we never found out how the infection jumped to my drive, which turned into a new BIOS virus discussion on the AVG forum. If the mp3 files are illegal then these can contain a worm in the tags that carry the song's data or info that spreads; it was supposedly introduced by the recording industry to infect P2P networks, and 95% are said to be infected.

All that hard work and advice to others to protect my computer from infection, oh well, I was the one who trusted a teenager on the web, thanks again.

Edited by rogue212, 15 March 2010 - 11:42 AM.


#13 rogue212

rogue212
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 15 March 2010 - 10:07 AM

After F-Prot found a backdoor trojan, which is now more than likely a false positive, I decided to try the trial version. I found a folder hidden inside a folder inside another folder etc. on one of my external hard drives containing all my important data and scanned it with F-Prot; here's what it found:

F-Prot:
AnyDVD.exe W32/Backdoor2.DAVN (exact)
SetupAnyDVD6184.exe W32/Backdoor2.AXXB (exact)
FLVDownloader_Install.0xe W32/Backdoor2.BBNJ (exact)
CloneDVD1.3.10.1.exe


I sent what I found to be scanned online by VirusTotal; the results were alarming and are shown below (scanners that did not detect anything are not shown). I have never installed any of these programs on my current computer. I decided to do a full scan with F-Prot of my external drives, and what it has found is even more disturbing. F-Prot has scanned them, and lots and lots of my good programs, even Gigabyte display drivers and the ZoneAlarm firewall, are damaged, contain infected objects or are infected. Infections reported include W32/Trojan3.BAT, W32/Backdoor2.DXMC (exact), W32/BackdoorX.BUJG, W32/Backdoor2.DAVN (exact), W32/Backdoor2.BBNJ (exact), W32/Backdoor2.AXXB and W32/Skintrim.1!Generic, but the main one is W32/Backdoor2.DXMC.

I know lots of these files were or are clean. I'm now in the process of uploading them again to online scanners for testing; if they are now truly infected then something very nasty is or has been on my computer for some time. This may go back to when I cleaned my nephew's infected computer (we never found out how the infection jumped to my drive, if anything did, which turned into a new BIOS virus discussion on the AVG forum), or a file sharing program has been used in the past and the downloads stored on my external drive. I've found even more stuff on my external drives too, mp3 songs, programs etc. If the mp3 files are illegal then these can contain a worm in the tags that carry the song's data or info that spreads; it was supposedly introduced by the recording industry to infect P2P networks, and 95% are said to be infected.

All that hard work and advice to others to protect my computer from infection, oh well, I was the one who trusted a teenager on the web. Please could you give me some advice on the possibility of these infections infecting other files on my drive or drives with malicious code and what to do; it's my fault for sharing my computer, I know. Thank you.

Update: about seven infected files in all on my external drives caused the infection results shown.

VirusTotal Found:

........................................
File AnyDVD.exe received on 2010.03.14 14:17:24 (UTC)
Current status: finished
Result: 8/42 (19.05%)

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.03.14 Riskware.Hacktool.Keygen.anydvd!IK
Authentium 5.2.0.5 2010.03.13 W32/Backdoor2.DAVN
CAT-QuickHeal 10.00 2010.03.13 Trojan.Agent.irc
eSafe 7.0.17.0 2010.03.14 Win32.TrojanHorse
F-Prot 4.5.1.85 2010.03.13 W32/Backdoor2.DAVN
Ikarus T3.1.1.80.0 2010.03.14 not-a-virus.Hacktool.Keygen.anydvd
McAfee-GW-Edition 6.8.5 2010.03.13 Heuristic.LooksLike.Win32.Suspicious.H
VirusBuster 5.0.27.0 2010.03.13 Backdoor.BackDoor.B

Additional information
File size: 175616 bytes
MD5 : 45429bc1d6f7a0218fea7827a8fc0685
SHA1 : 0557ee182b3ce28de2e12f07e0a7c0738366d502

........................................
File FLVDownloader_Install.0xe received on 2010.03.14 14:29:29 (UTC)
Current status: finished
Result: 19/42 (45.24%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.14 Backdoor.Win32.Sheldor!IK

Authentium 5.2.0.5 2010.03.13 W32/Backdoor2.BBNJ
Avast 4.8.1351.0 2010.03.14 Win32:Adware-gen
Avast5 5.0.332.0 2010.03.14 Win32:Adware-gen
BitDefender 7.2 2010.03.14 Adware.Generic.45143
eSafe 7.0.17.0 2010.03.14 Win32.Lmir.ac
F-Prot 4.5.1.85 2010.03.13 W32/Backdoor2.BBNJ
F-Secure 9.0.15370.0 2010.03.14 Trojan.Generic.381620
Fortinet 4.0.14.0 2010.03.13 Adware/AdMoke
GData 19 2010.03.14 Adware.Generic.45143
Ikarus T3.1.1.80.0 2010.03.14 Backdoor.Win32.Sheldor
Kaspersky 7.0.0.125 2010.03.14 not-a-virus:AdWare.Win32.AdMoke.agg
McAfee+Artemis 5919 2010.03.13 Artemis!DADD6DE8CE40
McAfee-GW-Editio 6.8.5 2010.03.13 -
Panda 10.0.2.2 2010.03.14 Trj/CI.A
Sophos 4.51.0 2010.03.14 Mal/Generic-A
Sunbelt 5877 2010.03.14 AdWare.Win32.AdMoke.agg
Symantec 20091.2.0.41 2010.03.14 Reser.Reputation.1
VBA32 3.12.12.2 2010.03.14 AdWare.Win32.AdMoke.agg


Additional information
File size: 4041112 bytes
MD5 : dadd6de8ce408f9f676ddb20913c19f1
SHA1 : 68376b4cf849bc3da8727b5f2ea26bd4067c97c4

........................................
File SetupAnyDVD6184.exe received on 2010.03.14 14:42:06 (UTC)
Current status: finished
Result: 30/42 (71.43%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.14 Downloader.QuickBatch!IK
AhnLab-V3 5.0.0.2 2010.03.14 Win32/Xema.worm.132814
AntiVir 8.2.1.180 2010.03.12 TR/Agent.2877454
Antiy-AVL 2.0.3.7 2010.03.12 AdWare/Win32.Shopper.gen
Authentium 5.2.0.5 2010.03.13 W32/Backdoor2.AXXB
BitDefender 7.2 2010.03.14 Trojan.Generic.370028
CAT-QuickHeal 10.00 2010.03.13 Trojan.Agent.IRC
ClamAV 0.96.0.0-git 2010.03.14 Trojan.Agent-21076
Comodo 4254 2010.03.14 UnclassifiedMalware
DrWeb 5.0.1.12222 2010.03.14 Trojan.Iahonor
F-Prot 4.5.1.85 2010.03.13 W32/Backdoor2.AXXB
F-Secure 9.0.15370.0 2010.03.14 Trojan.Generic.370028
Fortinet 4.0.14.0 2010.03.13 PossibleThreat
GData 19 2010.03.14 Trojan.Generic.370028
Ikarus T3.1.1.80.0 2010.03.14 Downloader.QuickBatch
Jiangmin 13.0.900 2010.03.14 TrojanDropper.Agent.ikl
K7AntiVirus 7.10.997 2010.03.13 not-a-virus:AdWare.Win32.Shopper.z
McAfee+Artemis 5919 2010.03.13 Artemis!4E7D8DD949F9
McAfee-GW-Editio 6.8.5 2010.03.13 Trojan.Agent.2877454
NOD32 4943 2010.03.14 probably a variant of Win32/Agent
Norman 6.04.08 2010.03.14 W32/Shopper.AI
PCTools 7.0.3.5 2010.03.14 Trojan.Dropper.Hoy
Prevx 3.0 2010.03.14 High Risk Worm
Rising 22.38.04.03 2010.03.12 Dropper.Win32.KillAV.b
Sophos 4.51.0 2010.03.14 Mal/Generic-A
Symantec 20091.0.41 2010.03.14 Trojan Horse
TheHacker 6.5.2.0.233 2010.03.13 Adware/Shopper.z
TrendMicro 9.120.0.1004 2010.03.14 TROJ_DROPPER.HOY
VBA32 3.12.12.2 2010.03.14 Trojan.Iahonor
VirusBuster 5.0.27.0 2010.03.13 Backdoor.Agent.GROI

Additional information
File size: 2877454 bytes
MD5 : 4e7d8dd949f9b3e2699c7e2b6b63e588
SHA1 : c61c94dd8bdd8b2c38ce93146cbad9425b6a304a

........................................
CloneDVD1.3.10.1.exe received on 2010.03.14 14:22:30 (UTC)
Current status: finished
Result: 5/41 (12.20%)

Antivirus Version Last Update Result
CAT-QuickHeal 10.00 2010.03.13 AdWare.CommonName.al (Not a Virus)
Jiangmin 13.0.900 2010.03.14 Adware/Agent.bfw
Prevx 3.0 2010.03.14 High Risk Worm
TheHacker 6.5.2.0.233 2010.03.13 Adware/CommonName.z
VBA32 3.12.12.2 2010.03.14 AdWare.Win32.CommonName.bl

Additional information
File size: 3940232 bytes
MD5 : 3bef8be4317a0f93cb988daa2e23a9e6
SHA1 : f30e0d60e8fe2fc25f4a364ade969025a0d5a495

Edited by rogue212, 15 March 2010 - 04:23 PM.


#14 rogue212

rogue212
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:13 PM

Posted 15 March 2010 - 10:41 AM

Most of the reported infections are being confirmed by VirusTotal in a big way, about seven in all. ZoneAlarm is probably a false positive, some zip files are empty, F-Prot is reporting infected objects contained, many files can't be scanned, said to be damaged, and a few files won't upload to VirusTotal for some reason. Infections detected by VirusTotal that F-Prot found include the following; please remember that these contain all the different scanners' definitions of seven infected files, so seven infections in all:

AntiVir 8.2.1.180 2010.03.15 PCK/PESpin
Authentium 5.2.0.5 2010.03.15 W32/Heuristic-210!Eldorado, W32/Backdoor2.DXMC
AntiVir 8.2.1.180 2010.03.15 PCK/PESpin
CAT-QuickHeal 10.00 2010.03.15 Trojan.Agent.IRC
ClamAV 0.96.0.0-git 2010.03.15 Trojan.Backdoor-11
Comodo 4272 2010.03.15 UnclassifiedMalware, Heur.Packed.Unknown
eSafe 7.0.17.0 2010.03.14 Win32.Banker
F-Prot 4.5.1.85 2010.03.15 W32/Heuristic-210!Eldorado, W32/Backdoor2.DXMC
Ikarus T3.1.1.80.0 2010.03.15 Backdoor.Rbot
Jiangmin 13.0.900 2010.03.15 Backdoor/Huigezi.2008.tfj
K7AntiVirus 7.10.997 2010.03.13 Trojan.Win32.Malware.1
McAfee-GW-Edition 6.8.5 2010.03.15 Packer.PESpin
PCTools 7.0.3.5 2010.03.15 Packed/PeSpin
Sunbelt 5894 2010.03.15 Trojan.Win32.Packer.PESpinv1.32 (v)
TheHacker 6.5.2.0.233 2010.03.15 W32/Behav-Heuristic-070
VirusBuster 5.0.27.0 2010.03.14 Packed/PeSpin
Sophos 4.51.0 2010.03.15 MadCodeHook
Norman 6.04.08 2010.03.14 W32/Hupigon.JDZS
TrendMicro 9.120.0.1004 2010.03.15 PAK_Generic.001
VirusBuster 5.0.27.0 2010.03.14 Backdoor.Agent.ISZS
CAT-QuickHeal 10.00 2010.03.15 Trojan.Agent.IRC
ClamAV 0.96.0.0-git 2010.03.15 Trojan.Backdoor-11
Comodo 4272 2010.03.15 UnclassifiedMalware
eSafe 7.0.17.0 2010.03.14 Win32.Banker
F-Prot 4.5.1.85 2010.03.15 W32/Heuristic-210!Eldorado
Ikarus T3.1.1.80.0 2010.03.15 Backdoor.Rbot
Jiangmin 13.0.900 2010.03.15 Backdoor/Huigezi.2008.tfj
K7AntiVirus 7.10.997 2010.03.13 Trojan.Win32.Malware.1
McAfee-GW-Edition 6.8.5 2010.03.15 Packer.PESpin
PCTools 7.0.3.5 2010.03.15 Packed/PeSpin
Sunbelt 5894 2010.03.15 Trojan.Win32.Packer.PESpinv1.32 (v)
TheHacker 6.5.2.0.233 2010.03.15 W32/Behav-Heuristic-070
VirusBuster 5.0.27.0 2010.03.14 Packed/PeSpin

Have I lost all the data on my external drives? Is this spreading and infecting more and more files? Could these infections have been sent by a backdoor? What can I do? Please, any advice. In all about ten files contained these infections, two have shown clean by VirusTotal, the others I can't scan due to size or they won't upload, thanks.

Edited by rogue212, 15 March 2010 - 04:35 PM.
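The multi-engine listings pasted in this thread mix three very different kinds of hit: packer signatures (PESpin, "Packed/PeSpin", PAK_Generic), heuristic or behavioural flags, and engines that name an actual family (Backdoor.Rbot, Hupigon, Trojan.Agent.IRC). A packer hit alone says only that the executable is packed; several independent engines agreeing on a named backdoor is the part worth acting on. The script below is an added example, not code from this thread or from BleepingComputer: it parses lines in the "Antivirus Version Last Update Result" layout shown above (the "Additional information", MD5 and SHA1 trailer lines are skipped automatically because they carry no date field), classifies each label, and produces a per-file verdict. The keyword lists, the class names and the consensus threshold of three named-family engines are my assumptions, chosen to fit the labels visible in the posts; the first nine sample lines are copied from post #14 and the last one is constructed.

```python
import re
from collections import Counter

# Sample input in the layout pasted above. Lines 2-10 are copied from post #14;
# the "ExampleAV" line is constructed to exercise the adware/"Not a Virus" case.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AntiVir 8.2.1.180 2010.03.15 PCK/PESpin
Authentium 5.2.0.5 2010.03.15 W32/Heuristic-210!Eldorado, W32/Backdoor2.DXMC
CAT-QuickHeal 10.00 2010.03.15 Trojan.Agent.IRC
ClamAV 0.96.0.0-git 2010.03.15 Trojan.Backdoor-11
Comodo 4272 2010.03.15 UnclassifiedMalware, Heur.Packed.Unknown
Ikarus T3.1.1.80.0 2010.03.15 Backdoor.Rbot
McAfee-GW-Edition 6.8.5 2010.03.15 Packer.PESpin
Sunbelt 5894 2010.03.15 Trojan.Win32.Packer.PESpinv1.32 (v)
TheHacker 6.5.2.0.233 2010.03.15 W32/Behav-Heuristic-070
ExampleAV 1.0 2010.03.15 AdWare.CommonName.al (Not a Virus)
"""

# engine, version, YYYY.MM.DD date, then the result field (may hold several
# comma-separated labels). Header and trailer lines have no date and are skipped.
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$"
)

# Assumed keyword rules, weakest evidence first. A label takes the first class
# whose pattern matches, so a packer signature is still recognised when the
# vendor prefixes it with "Trojan." (Sunbelt's PESpin label above).
CLASS_PATTERNS = [
    ("packer",    re.compile(r"PESpin|Packed|Packer|PCK/|PAK_", re.I)),
    ("heuristic", re.compile(r"Heur|Behav|Unclassified|Generic|Suspicious", re.I)),
    ("pua",       re.compile(r"Adware|Not a Virus|Riskware|PUP", re.I)),
    ("malware",   re.compile(r"Backdoor|Trojan|Worm|Dropper|Banker|Rbot|Hupigon|Huigezi", re.I)),
]
SEVERITY = {"packer": 0, "unknown": 1, "heuristic": 2, "pua": 3, "malware": 4}


def classify_label(label):
    """Map one vendor label to packer / heuristic / pua / malware / unknown."""
    for name, pattern in CLASS_PATTERNS:
        if pattern.search(label):
            return name
    return "unknown"


def parse_report(text):
    """Return [(engine, [labels...]), ...] for every engine line in the text."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank, or "Additional information" lines
        labels = [l.strip() for l in m.group("result").split(",") if l.strip()]
        rows.append((m.group("engine"), labels))
    return rows


def triage(text, named_threshold=3):
    """Count engines by their strongest label class and derive a verdict.

    named_threshold (assumed value) is how many engines must give a
    named-family result before it is treated as consensus rather than a
    single vendor's false positive.
    """
    rows = parse_report(text)
    strongest = Counter()
    named_by = []
    for engine, labels in rows:
        best = max((classify_label(l) for l in labels), key=lambda c: SEVERITY[c])
        strongest[best] += 1
        if best == "malware":
            named_by.append(engine)

    weak_hits = strongest["malware"] + strongest["pua"] + strongest["heuristic"] + strongest["unknown"]
    if strongest["malware"] >= named_threshold:
        verdict = "named malware (consensus)"
    elif weak_hits >= 2:
        verdict = "suspicious (few or weak detections)"
    elif strongest["packer"]:
        verdict = "packed only (no malicious verdict)"
    else:
        verdict = "no detections"

    return {
        "engines": len(rows),
        "by_class": dict(strongest),
        "named_by": named_by,
        "verdict": verdict,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['engines']} engines, by class: {summary['by_class']}")
    print(f"named by: {', '.join(summary['named_by'])}")
    print(f"verdict: {summary['verdict']}")
```

On the sample above the result is four engines naming a family (Authentium, CAT-QuickHeal, ClamAV, Ikarus) against three packer-only hits, which is the pattern that justifies treating the file as hostile rather than merely packed; the same parser fed only the AntiVir and PCTools PESpin lines returns "packed only", the case where re-scanning or a second opinion is warranted before wiping drives.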


#15 rogue212

rogue212
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:06:13 PM

Posted 15 March 2010 - 05:45 PM

Hi, I'm sorry to post again, but all Google attempts at finding out what the .Trash-999 folder is say it's a worm causing it. Does anybody know what this is? It was on all drives and partitions, including external. Most people can't delete it, but mine just deleted. Is this a new feature or update, or part of my ongoing "am I infected" problems? Thank you.

Edited by rogue212, 15 March 2010 - 05:46 PM.
