I've collected detection rules for the following malware (the number in parentheses is how many separate rule sections that family has):
  • Adware.Need2Find
  • Adware.SmartShopper
  • Adware.Zango.GamesBar
  • Hijacker.RXToolBar
  • Malware.Unknown
  • Malware.Sysguard
  • Malware.Zbot
  • PUPS.GameVance
  • PUPS.Hotbar
  • PUPS.MyWebSearch
  • Rogue.PersonalAntivirus
  • Rogue.SystemSecurity
  • Rogue.SpywareQuake
  • Rogue.SystemGuard2009
  • Rogue.WiniBlueSoft
  • Rogue.XP Deluxe Protector
  • Spyware.AdRotator
  • Suspicious(15)
  • Trojan.Adclicker
  • Trojan.Agent
  • Trojan.Backdoor.IRCBot
  • Trojan.Backdoor.UltimateDefender
  • Trojan.Banker
  • Trojan.Downloader(5)
  • Trojan.Dursg
  • Trojan.Ertfor
  • Trojan.Iksmas
  • Trojan.IRCBot
  • Trojan.Matcash
  • Trojan.Podnuha.Rootkit
  • Trojan.TDSS.Rootkit(3)
  • Trojan.VBS
  • Trojan.Unknown(13)
  • Trojan.Virtumonde
  • Trojan.Virtumonde.Variant
  • Trojan.WinFixer
  • Virus.Virut
  • Worm.Blackmail
  • Worm.Koobface
Category: Trojan
Code:
:: New Malware v15
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2009-07-10}

// Adware.Need2Find:
// Need2Find toolbar. One CLSID ({4D1C4E81-...}) is registered both as a
// Browser Helper Object and as an Internet Explorer toolbar, so the BHO
// key, the Toolbar value and the CLSID key are all removed, followed by
// the bar DLL and its program directories.
BrowserHelperEx:"Need2Find Bar BHO",
BrowserHelperEx:"Need2Find Bar",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4D1C4E81-A32A-416b-BCDB-33B3EF3617D3}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{4D1C4E81-A32A-416b-BCDB-33B3EF3617D3}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4D1C4E81-A32A-416b-BCDB-33B3EF3617D3}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Need2Find\bar\1.bin\ND2FNBAR.DLL"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Need2Find"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Need2Find\bar"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Need2Find\bar\Cache"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Need2Find\bar\History"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Need2Find\bar\Settings"
// The following keys were observed but are not yet covered by a rule;
// they are left here as leads for a future revision.
//HKEY_CURRENT_USER\Software\Need2Find
//HKEY_LOCAL_MACHINE\Software\Need2Find
//HKEY_CLASSES_ROOT\Need2FindBar.SettingsPlugin
//HKEY_CLASSES_ROOT\Need2FindBar.ToolbarPlugin.1

// Adware.SmartShopper:
// Registration-only entry: the BHO and CLSID keys for {4A7C84E2-...} are
// removed, but no File/Directory rule is present, so the DLL behind the
// BHO is not cleaned by this section.
BrowserHelperEx:"Smart-Shopper",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E}"

// Adware.Zango.GamesBar:
// Two CLSIDs: {CB0D163C-...} is the BHO, {6F282B65-...} is the IE
// toolbar. Each gets its registration key/value plus its CLSID key
// removed; the single DLL and the program directory cover both.
BrowserHelperEx:"GamesBarBHO Class",
BrowserHelperEx:"GamesBar",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{CB0D163C-E9F4-4236-9496-0597E24B23A5}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{CB0D163C-E9F4-4236-9496-0597E24B23A5}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{6F282B65-56BF-4BD1-A8B2-A4449A05863D}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6F282B65-56BF-4BD1-A8B2-A4449A05863D}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\GamesBar\oberontb.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\GamesBar"

// Hijacker.RXToolBar:
// Registered as an IE pluggable MIME filter for text/html (the
// Protocols\Filter\text/html key carries the CLSID), which is how it gets
// to see page content. Both the ProtocolFilter entry and the raw key are
// listed so the filter is removed even if only one form is present.
ProtocolFilter:"text/html","{2AB289AE-4B90-4281-B2AE-1F4BB034B647}"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\Protocols\Filter\","text/html","CLSID={2AB289AE-4B90-4281-B2AE-1F4BB034B647}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\RXToolBar\sfcont.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\RXToolBar"

// Malware.Unknown:
// Per-user Run entry whose value name matches the dropped file name
// (minus the leading underscore); the file lives in the user's Temp
// directory. flagifnofile=1 presumably flags the Run entry even when the
// target file is already gone, so the dangling autorun is still cleaned.
AutoRun:"A00F21C4F65.exe","<$LOCALSETTINGS>\Temp\_A00F21C4F65.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","A00F21C4F65.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\_A00F21C4F65.exe"

// Malware.Sysguard:
// Two different HKCU Run value names ("LowRiskFileTypes" and
// "system tool") have been seen pointing at the same sysguard.exe in the
// Windows directory; both are listed, then the single executable.
AutoRun:"LowRiskFileTypes","<$WINDIR>\sysguard.exe","flagifnofile=1"
AutoRun:"system tool","<$WINDIR>\sysguard.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","LowRiskFileTypes"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","system tool"
File:"<$FILE_EXE>","<$WINDIR>\sysguard.exe"

// Malware.Zbot:
// The malware appends twext.exe to the Winlogon UserInit value (the
// commented sample below shows the observed value, with the legitimate
// Userinit.exe first). RegyRemove is used instead of deleting the value
// so only the twext.exe fragment is stripped and logon keeps working.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\twext.exe"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDO WS\system32\twext.exe, Malware.Zbot"
File:"<$FILE_EXE>","<$SYSDIR>\twext.exe"

// PUPS.GameVance:
// BHO {0ED403E8-...} plus a machine-wide Run entry for gamevance32.exe.
// The EXE, its companion DLL and the program directory are removed.
BrowserHelperEx:"Gamevance",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}"
AutoRun:"Gamevance","<$PROGRAMFILES>\Gamevance\gamevance32.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Gamevance"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Gamevance\gamevance32.exe"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Gamevance\gamevancelib32.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Gamevance"

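// PUPS.Hotbar:
// A single CLSID ({90B8B761-...}) is registered both as a BHO and as an
// IE toolbar, so the BHO key, the Toolbar value and the CLSID key are
// removed. The CLSID key used to be listed twice; the duplicate is gone.
// Note the DLL path contains a build number (10.2.232.0), so other builds
// of Hotbar are not matched by the File/Directory rules here.
BrowserHelperEx:"Hotbar",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Hotbar\bin\10.2.232.0\HostIE.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Hotbar"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Hotbar\bin"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Hotbar\bin\10.2.232.0"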

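// PUPS.MyWebSearch:
// Two CLSIDs: {00A6FAF1-...} is the Search Assistant BHO, {07B18EA9-...}
// is the IE toolbar. Three autorun entries are known: two machine-wide
// (a plugin DLL and the search-scope monitor EXE) and one per-user
// screensaver entry. F3SCRCTR.DLL is tagged <$FILE_LIBRARY> like the
// other DLLs in this section (it was previously tagged as an EXE).
// Directory rules now also cover ...\bar and ...\bar\1.bin, which is
// where every listed file under "bar" actually lives.
BrowserHelperEx:"MyWebSearch Search Assistant BHO",
BrowserHelperEx:"My Web Search",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{00A6FAF1-072E-44cf-8957-5838F569A31D}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{07B18EA9-A523-4961-B6BB-170DE4475CCA}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{07B18EA9-A523-4961-B6BB-170DE4475CCA}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{00A6FAF1-072E-44cf-8957-5838F569A31D}"
AutoRun:"MyWebSearch Plugin","<$PROGRAMFILES>\MyWebSearch\bar\1.bin\M3PLUGIN.DLL","flagifnofile=1"
AutoRun:"My Web Search Bar Search Scope Monitor","<$PROGRAMFILES>\MyWebSearch\bar\1.bin\m3SrchMn.exe","flagifnofile=1"
AutoRun:"PopularScreensaversWallpaper","<$PROGRAMFILES>\MyWebSearch\bar\1.bin\F3SCRCTR.DLL","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","MyWebSearch Plugin"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","My Web Search Bar Search Scope Monitor"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","PopularScreensaversWallpaper"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\MyWebSearch\bar\1.bin\M3PLUGIN.DLL"
File:"<$FILE_EXE>","<$PROGRAMFILES>\MyWebSearch\bar\1.bin\m3SrchMn.exe"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\MyWebSearch\bar\1.bin\MWSBAR.DLL"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\MyWebSearch\bar\1.bin\F3SCRCTR.DLL"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\MyWebSearch"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\MyWebSearch\SrchAstt"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\MyWebSearch\SrchAstt\1.bin"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\MyWebSearch\bar"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\MyWebSearch\bar\1.bin"
// Kept from the earlier revision; no listed file lives directly under
// MyWebSearch\1.bin, so this is likely a leftover of the \bar\1.bin path.
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\MyWebSearch\1.bin"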

// Rogue.PersonalAntivirus:
// BHO registered under the display name "%26Helper" (apparently a
// URL-encoded "&Helper"). The backing DLL sits in the system directory
// under an innocuous name (winexplorer.dll).
BrowserHelperEx:"%26Helper",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{2E59498D-7E44-4452-9044-0973B080B9E8}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{2E59498D-7E44-4452-9044-0973B080B9E8}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\winexplorer.dll"

// Rogue.SystemSecurity:
// Per-user Run entry "kell" launching liser.exe from a "Manson" program
// directory; the EXE and the directory are removed with it.
AutoRun:"kell","<$PROGRAMFILES>\Manson\liser.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","kell"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Manson\liser.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Manson"

// Rogue.SpywareQuake:
// BHO {192c5b4a-...} backed by isaddon.dll in a "perfect codec" folder.
// No BrowserHelperEx display name is listed for this one, so detection
// relies on the CLSID alone. The Directory rule carries
// "filename=isaddon.dll", presumably so the folder is only flagged when
// that DLL is present in it; confirm against the engine's semantics.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{192c5b4a-3efd-40c7-9f99-c472deb8efc0}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{192c5b4a-3efd-40c7-9f99-c472deb8efc0}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\perfect codec\isaddon.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\perfect codec","filename=isaddon.dll"

// Rogue.SystemGuard2009:
// Eleven observed installs, each using an 8-digit number N as the Run
// value name, the folder name under <$COMMONAPPDATA> and the EXE name
// (N\N.exe). The three rule groups below (AutoRun, RegyValue, File +
// Directory) list the same eleven numbers; any new install with a
// different number needs all three entries added.
AutoRun:"10582034","<$COMMONAPPDATA>\10582034\10582034.exe","flagifnofile=1"
AutoRun:"14126564","<$COMMONAPPDATA>\14126564\14126564.exe","flagifnofile=1"
AutoRun:"17080464","<$COMMONAPPDATA>\17080464\17080464.exe","flagifnofile=1"
AutoRun:"10984214","<$COMMONAPPDATA>\10984214\10984214.exe","flagifnofile=1"
AutoRun:"15483904","<$COMMONAPPDATA>\15483904\15483904.exe","flagifnofile=1"
AutoRun:"16826524","<$COMMONAPPDATA>\16826524\16826524.exe","flagifnofile=1"
AutoRun:"17137504","<$COMMONAPPDATA>\17137504\17137504.exe","flagifnofile=1"
AutoRun:"99947336","<$COMMONAPPDATA>\99947336\99947336.exe","flagifnofile=1"
AutoRun:"19937344","<$COMMONAPPDATA>\19937344\19937344.exe","flagifnofile=1"
AutoRun:"15096404","<$COMMONAPPDATA>\15096404\15096404.exe","flagifnofile=1"
AutoRun:"95106396","<$COMMONAPPDATA>\95106396\95106396.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","10582034"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","14126564"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","17080464"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","10984214"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","15483904"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","16826524"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","17137504"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","99947336"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","19937344"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","15096404"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","95106396"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\14126564\14126564.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\17080464\17080464.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\10984214\10984214.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\10582034\10582034.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\15483904\15483904.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\16826524\16826524.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\17137504\17137504.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\99947336\99947336.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\19937344\19937344.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\15096404\15096404.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\95106396\95106396.exe"
Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\14126564"
Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\17080464"
Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\10984214"
Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\10582034"
Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\15483904"
Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\16826524"
Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\17137504"
Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\99947336"
Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\19937344"
Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\15096404"
Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\95106396"

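// Rogue.WiniBlueSoft:
// Two autoruns (per-user setup2.exe in the system directory, machine-wide
// WiniBlueSoft.exe under Program Files), the product's own install tree
// with Start Menu / desktop shortcuts, and a large set of files dropped
// into <$WINDIR> whose names contain fragments like "worm", "virus",
// "backdoor" and "spyware" — presumably the fake "infections" the rogue
// then claims to find. Those are matched by exact name and size.
// Where the same path is listed with several sizes (WiniBlueSoft.lnk,
// WiniBlueSoft.exe) more than one build has been seen.
// Fixed in this revision: the 18111v5rzs940.bin path carried a trailing
// space inside the quotes, so that file could never match.
AutoRun:"setup2.exe","<$SYSDIR>\setup2.exe","flagifnofile=1"
AutoRun:"WiniBlueSoft","<$PROGRAMFILES>\WiniBlueSoft Software\WiniBlueSoft\WiniBlueSoft.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","setup2.exe"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","WiniBlueSoft"
File:"<$FILE_EXE>","<$SYSDIR>\setup2.exe"
File:"<$FILE_LINK>","<$COMMONDESKTOP>\WiniBlueSoft.lnk","filesize=930"
File:"<$FILE_LINK>","<$COMMONDESKTOP>\WiniBlueSoft.lnk","filesize=282624"
File:"<$FILE_LINK>","<$COMMONDESKTOP>\WiniBlueSoft.lnk","filesize=2034818"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\WiniBlueSoft\Homepage.lnk","filesize=1200"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\WiniBlueSoft\Uninstall.lnk","filesize=1847"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\WiniBlueSoft\WiniBlueSoft.lnk","filesize=1868"
File:"<$FILE_WEBPAGE>","<$PROGRAMFILES>\WiniBlueSoft Software\WiniBlueSoft\always_skip.xml"
File:"<$FILE_DATA>","<$PROGRAMFILES>\WiniBlueSoft Software\WiniBlueSoft\data.bin","filesize=854224"
File:"<$FILE_TEXT>","<$PROGRAMFILES>\WiniBlueSoft Software\WiniBlueSoft\License.txt","filesize=2361"
File:"<$FILE_WEBPAGE>","<$PROGRAMFILES>\WiniBlueSoft Software\WiniBlueSoft\main_config.xml"
File:"<$FILE_EXE>","<$PROGRAMFILES>\WiniBlueSoft Software\WiniBlueSoft\uninstall.exe","filesize=121970"
File:"<$FILE_EXE>","<$PROGRAMFILES>\WiniBlueSoft Software\WiniBlueSoft\WiniBlueSoft.exe","filesize=2791936"
File:"<$FILE_EXE>","<$PROGRAMFILES>\WiniBlueSoft Software\WiniBlueSoft\WiniBlueSoft.exe","filesize=1277952"
// Decoy files dropped into the Windows directory (exact name + size).
File:"<$FILE_DATA>","<$WINDIR>\10208n9t-z-virus25c.bin","filesize=6233"
File:"<$FILE_LIBRARY>","<$WINDIR>\10826z9ambot357.dll","filesize=13964"
File:"<$FILE_LIBRARY>","<$WINDIR>\1085spywaze32699.dll","filesize=15715"
File:"<$FILE_DATA>","<$WINDIR>\10909s5y55z.ocx","filesize=8974"
File:"<$FILE_LIBRARY>","<$WINDIR>\1124s9ambot5z1.dll","filesize=8316"
File:"<$FILE_DATA>","<$WINDIR>\11659z9oj72.cpl","filesize=17262"
File:"<$FILE_EXE>","<$WINDIR>\11995wormz5e5.exe","filesize=17369"
File:"<$FILE_DATA>","<$WINDIR>\11z09worm695.cpl","filesize=6739"
File:"<$FILE_DATA>","<$WINDIR>\12770spambo9155z.cpl","filesize=11806"
File:"<$FILE_DATA>","<$WINDIR>\1282zw9rm2d5.bin","filesize=4022"
File:"<$FILE_EXE>","<$WINDIR>\12911not-a-vi5usz07.exe","filesize=2682"
File:"<$FILE_DATA>","<$WINDIR>\12e4bzc9door225.ocx","filesize=5661"
File:"<$FILE_EXE>","<$WINDIR>\13466wor9z55.exe","filesize=8296"
File:"<$FILE_EXE>","<$WINDIR>\139z7no5-a-vir9s80.exe","filesize=4887"
File:"<$FILE_EXE>","<$WINDIR>\14251t9ojz9a.exe","filesize=13404"
File:"<$FILE_EXE>","<$WINDIR>\14z5w9rm5d8.exe","filesize=6451"
File:"<$FILE_DATA>","<$WINDIR>\15176hac5toolzbf9.cpl","filesize=5588"
File:"<$FILE_DATA>","<$WINDIR>\15283hac9too52b1z.cpl","filesize=12999"
File:"<$FILE_EXE>","<$WINDIR>\15343virzs39c.exe","filesize=8085"
File:"<$FILE_DATA>","<$WINDIR>\15559wormz9.cpl","filesize=15452"
File:"<$FILE_DATA>","<$WINDIR>\15651spyz9b.cpl","filesize=12840"
File:"<$FILE_DATA>","<$WINDIR>\15694zorm95d.cpl","filesize=10994"
File:"<$FILE_DATA>","<$WINDIR>\15697viz5s918.cpl","filesize=6567"
File:"<$FILE_EXE>","<$WINDIR>\156za9kdoor975.exe","filesize=10196"
File:"<$FILE_EXE>","<$WINDIR>\15a8sparse2749z.exe","filesize=13126"
File:"<$FILE_DATA>","<$WINDIR>\15ezsparse5995.ocx","filesize=15849"
File:"<$FILE_DATA>","<$WINDIR>\16062spamzot59d.bin","filesize=5264"
File:"<$FILE_EXE>","<$WINDIR>\16245s9z133.exe","filesize=3139"
File:"<$FILE_DATA>","<$WINDIR>\16574hacktool7z99.cpl","filesize=5000"
File:"<$FILE_LIBRARY>","<$WINDIR>\16e8th59az19681.dll","filesize=9023"
File:"<$FILE_DATA>","<$WINDIR>\16z80sp9mbot5a.ocx","filesize=4131"
File:"<$FILE_DATA>","<$WINDIR>\17125hacz5ool2359.ocx","filesize=4244"
File:"<$FILE_DATA>","<$WINDIR>\171549acktool1az.cpl","filesize=17563"
File:"<$FILE_DATA>","<$WINDIR>\18111v5rzs940.bin","filesize=14369"
File:"<$FILE_EXE>","<$WINDIR>\18157v9rzs526.exe","filesize=17916"
File:"<$FILE_LIBRARY>","<$WINDIR>\186995irus5az.dll","filesize=7497"
File:"<$FILE_DATA>","<$WINDIR>\18790not5a-vizus255.ocx","filesize=12098"
File:"<$FILE_EXE>","<$WINDIR>\1879tea51470z.exe","filesize=16746"
File:"<$FILE_EXE>","<$WINDIR>\188cs5arze981.exe","filesize=8248"
File:"<$FILE_DATA>","<$WINDIR>\19225not-azvirus34b9.bin","filesize=3817"
File:"<$FILE_DATA>","<$WINDIR>\19519viru51zb.bin","filesize=17110"
File:"<$FILE_DATA>","<$WINDIR>\19556no5-a-virus2zd.cpl","filesize=15915"
File:"<$FILE_DATA>","<$WINDIR>\1976thze5t9082.ocx","filesize=6579"
File:"<$FILE_EXE>","<$WINDIR>\19835sp92ez.exe","filesize=9282"
File:"<$FILE_DATA>","<$WINDIR>\1997ba5kdozr25.cpl","filesize=8107"
File:"<$FILE_DATA>","<$WINDIR>\1be5tz9eat23475.bin","filesize=17587"
File:"<$FILE_DATA>","<$WINDIR>\1c5ddow9loader245z.cpl","filesize=17941"
File:"<$FILE_DATA>","<$WINDIR>\1d71a5dwzre2889.cpl","filesize=3570"
File:"<$FILE_LIBRARY>","<$WINDIR>\1f69st9a51z27.dll","filesize=8544"
File:"<$FILE_LIBRARY>","<$WINDIR>\1f89b5ckdzor3115.dll","filesize=10545"
File:"<$FILE_DATA>","<$WINDIR>\1fc4s95ware3z4.cpl","filesize=6940"
File:"<$FILE_DATA>","<$WINDIR>\1fe9spywaze1905.bin","filesize=2540"
File:"<$FILE_EXE>","<$WINDIR>\1z118spambot9ce5.exe","filesize=11408"
File:"<$FILE_DATA>","<$WINDIR>\1z1275i9us40c.cpl","filesize=12633"
File:"<$FILE_EXE>","<$WINDIR>\1z878vir5s69c9.exe","filesize=10748"
File:"<$FILE_EXE>","<$WINDIR>\1z8b5ck9oor2298.exe","filesize=10067"
File:"<$FILE_LIBRARY>","<$WINDIR>\1z924vi5us46.dll","filesize=15245"
File:"<$FILE_DATA>","<$WINDIR>\20037ha5kzo9l67f.cpl","filesize=17734"
File:"<$FILE_LIBRARY>","<$WINDIR>\20115zpy2409.dll","filesize=9113"
File:"<$FILE_DATA>","<$WINDIR>\20675not-9zvirus358.cpl","filesize=8444"
File:"<$FILE_LIBRARY>","<$WINDIR>\208adownloadez1995.dll","filesize=6480"
File:"<$FILE_DATA>","<$WINDIR>\20e19zdwar52615.ocx","filesize=14003"
File:"<$FILE_LIBRARY>","<$WINDIR>\20ect5rezt12952.dll","filesize=9828"
File:"<$FILE_EXE>","<$WINDIR>\20z9thr5at28594.exe","filesize=11932"
File:"<$FILE_DATA>","<$WINDIR>\21492not-a-virus59z.cpl","filesize=6690"
File:"<$FILE_EXE>","<$WINDIR>\215559orm7z6.exe","filesize=10538"
File:"<$FILE_DATA>","<$WINDIR>\21947zpy5f95.bin","filesize=15255"
File:"<$FILE_DATA>","<$WINDIR>\21caba5kdzor779.bin","filesize=17340"
File:"<$FILE_DATA>","<$WINDIR>\224939rzj665.cpl","filesize=15069"
File:"<$FILE_DATA>","<$WINDIR>\23085vzrus5c9.ocx","filesize=14550"
File:"<$FILE_EXE>","<$WINDIR>\2322zspamb957be.exe","filesize=7661"
File:"<$FILE_EXE>","<$WINDIR>\2329znot-a-v5rus7b4.exe","filesize=13951"
File:"<$FILE_DATA>","<$WINDIR>\23595spy1z.bin","filesize=11494"
File:"<$FILE_DATA>","<$WINDIR>\2359doznloader1309.ocx","filesize=5324"
File:"<$FILE_DATA>","<$WINDIR>\238fst5al2918z.cpl","filesize=14499"
File:"<$FILE_EXE>","<$WINDIR>\23945aczto9l302.exe","filesize=4606"
File:"<$FILE_EXE>","<$WINDIR>\239z8t9oj5c8.exe","filesize=13642"
File:"<$FILE_DATA>","<$WINDIR>\2435a9dwarz2887.cpl","filesize=14477"
File:"<$FILE_DATA>","<$WINDIR>\2539spywz9e2567.bin","filesize=3117"
File:"<$FILE_LIBRARY>","<$WINDIR>\25593sz953e.dll","filesize=4265"
File:"<$FILE_EXE>","<$WINDIR>\2564bzckdoor23579.exe","filesize=4268"
File:"<$FILE_EXE>","<$WINDIR>\257395ojz46.exe","filesize=14347"
File:"<$FILE_LIBRARY>","<$WINDIR>\2591zs9y5ff.dll","filesize=9512"
File:"<$FILE_DATA>","<$WINDIR>\25z079py75a.bin","filesize=18337"
File:"<$FILE_DATA>","<$WINDIR>\25z59virus212.cpl","filesize=4982"
File:"<$FILE_DATA>","<$WINDIR>\262549zoj4f1.bin","filesize=8795"
File:"<$FILE_DATA>","<$WINDIR>\26911spambzt1105.cpl","filesize=12557"
File:"<$FILE_DATA>","<$WINDIR>\26c5zparse17549.ocx","filesize=5970"
File:"<$FILE_DATA>","<$WINDIR>\26z895pambot407.cpl","filesize=13811"
File:"<$FILE_DATA>","<$WINDIR>\2725backdz9r2123.ocx","filesize=2632"
File:"<$FILE_LIBRARY>","<$WINDIR>\275159r5jz25.dll","filesize=8505"
File:"<$FILE_LIBRARY>","<$WINDIR>\27630not9a5virus5za.dll","filesize=6561"
Directory:"<$DIR_PROG>","<$COMMONPROGRAMS>\WiniBlueSoft"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\WiniBlueSoft Software"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\WiniBlueSoft Software\WiniBlueSoft"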

// Rogue.XP Deluxe Protector:
// BHO {a4dca795-...} using the generic display name "WinInet Class",
// backed by iehostcx32.dll in the system directory.
BrowserHelperEx:"WinInet Class",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{a4dca795-b588-4be0-9463-7ff2864543b1}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{a4dca795-b588-4be0-9463-7ff2864543b1}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iehostcx32.dll"

// Spyware.AdRotator:
// Five "<name> browser enhancer" display names have been seen for the
// same BHO CLSID ({41AC8A05-...}); the DLL name in the system directory
// looks randomly generated, so the File rule only matches this sample.
BrowserHelperEx:"offersfortoday browser enhancer",
BrowserHelperEx:"du-little browser enhancer",
BrowserHelperEx:"bannerstyles browser enhancer",
BrowserHelperEx:"freedomltd browser enhancer",
BrowserHelperEx:"mxlivemedia browser enhancer",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{41AC8A05-EB2B-3426-0F35-6AA016B7E8AE}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{41AC8A05-EB2B-3426-0F35-6AA016B7E8AE}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iwwkmkmdyafg.dll"

// Suspicious(1):
// Unclassified: machine-wide Run entry "narsozluk" plus its EXE and
// program directory. No registry/BHO component.
AutoRun:"narsozluk","<$PROGRAMFILES>\narsozluk\narsozluk.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","narsozluk"
File:"<$FILE_EXE>","<$PROGRAMFILES>\narsozluk\narsozluk.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\narsozluk"

// Suspicious(2):
// Unclassified: machine-wide Run entry "ad-clear" launching
// ad-clearup.exe; EXE and program directory removed with it.
AutoRun:"ad-clear","<$PROGRAMFILES>\ad-clear\ad-clearup.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ad-clear"
File:"<$FILE_EXE>","<$PROGRAMFILES>\ad-clear\ad-clearup.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\ad-clear"

// Suspicious(3):
// AppInit_DLLs injection of a DLL named <random digits>mxx.dll in the
// user's Temp directory. The eight enumerated samples are kept for
// reference but commented out; the two live rules use a *mxx.dll
// wildcard so new digit prefixes are still caught. RegyRemove strips
// only the matching entry from AppInit_DLLs rather than clearing the
// whole value.
//RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$LOCALSETTINGS>\Temp\8705367340mxx.dll"
//RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$LOCALSETTINGS>\Temp\3551189067mxx.dll"
//RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$LOCALSETTINGS>\Temp\284930003059mxx.dll"
//RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$LOCALSETTINGS>\Temp\1423062527mxx.dll"
//RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$LOCALSETTINGS>\Temp\1706843620mxx.dll"
//RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$LOCALSETTINGS>\Temp\846559859342mxx.dll"
//RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$LOCALSETTINGS>\Temp\1064113901258mxx.dll"
//RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$LOCALSETTINGS>\Temp\561253126mxx.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$LOCALSETTINGS>\Temp\*mxx.dll"
//File:"<$FILE_LIBRARY>","<$LOCALSETTINGS>\Temp\8705367340mxx.dll"
//File:"<$FILE_LIBRARY>","<$LOCALSETTINGS>\Temp\3551189067mxx.dll"
//File:"<$FILE_LIBRARY>","<$LOCALSETTINGS>\Temp\284930003059mxx.dll"
//File:"<$FILE_LIBRARY>","<$LOCALSETTINGS>\Temp\1423062527mxx.dll"
//File:"<$FILE_LIBRARY>","<$LOCALSETTINGS>\Temp\1706843620mxx.dll"
//File:"<$FILE_LIBRARY>","<$LOCALSETTINGS>\Temp\846559859342mxx.dll"
//File:"<$FILE_LIBRARY>","<$LOCALSETTINGS>\Temp\1064113901258mxx.dll"
//File:"<$FILE_LIBRARY>","<$LOCALSETTINGS>\Temp\561253126mxx.dll"
File:"<$FILE_LIBRARY>","<$LOCALSETTINGS>\Temp\*mxx.dll"

// Suspicious(4):
// Single AppInit_DLLs entry for cxajsl.dll in the system directory;
// the entry is stripped from the value and the DLL removed.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\cxajsl.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cxajsl.dll"

// Suspicious(5):
// Two per-user Run entries with nonsense names pointing at files with
// non-executable-looking extensions (.j0ce3m6, .7gkdr) under
// <$COMMONAPPDATA>; the files are tagged <$FILE_DATA> accordingly.
AutoRun:"globalsettings","<$COMMONAPPDATA>\Cool tons tons.j0ce3m6","flagifnofile=1"
AutoRun:"memo site kind that","<$COMMONAPPDATA>\error 1 this.7gkdr","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","globalsettings"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","memo site kind that"
File:"<$FILE_DATA>","<$COMMONAPPDATA>\Cool tons tons.j0ce3m6"
File:"<$FILE_DATA>","<$COMMONAPPDATA>\error 1 this.7gkdr"

// Suspicious(6):
// "SearchSettings": one CLSID ({E312764E-...}) registered as a BHO and
// as an IE URL search hook, plus a machine-wide Run entry for
// SearchSettings.exe. The DLL lives in a "kb127" subfolder.
// NOTE(review): under URLSearchHooks the CLSID is normally a value name,
// not a subkey, yet it is listed with RegyKey here while the other
// CLSID-as-value case in this file (IE Toolbar) uses RegyValue —
// confirm the engine's handling before relying on this line.
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\","{E312764E-7706-43F1-8DAB-FCDD2B1E416D}"
BrowserHelperEx:"SearchSettings Class",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{E312764E-7706-43F1-8DAB-FCDD2B1E416D}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{E312764E-7706-43F1-8DAB-FCDD2B1E416D}"
AutoRun:"SearchSettings","<$PROGRAMFILES>\Search Settings\SearchSettings.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","SearchSettings"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Search Settings\SearchSettings.exe"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Search Settings\kb127\SearchSettings.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Search Settings"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Search Settings\kb127"

// Suspicious(7):
// Five Winlogon Notify packages with random 8-character names; each
// subkey's DllName points at a DLL of the same name in the system
// directory. The key and the DLL are paired one-to-one below.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","byXPGVno","DllName=<$SYSDIR>\byXPGVno.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","cbXPfFYR","DllName=<$SYSDIR>\cbXPfFYR.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","hgGyvTMc","DllName=<$SYSDIR>\hgGyvTMc.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","mlJDtRih","DllName=<$SYSDIR>\mlJDtRih.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","wvUmkKbA","DllName=<$SYSDIR>\wvUmkKbA.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\byXPGVno.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cbXPfFYR.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hgGyvTMc.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mlJDtRih.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wvUmkKbA.dll"

// Suspicious(8):
// BHO {B2A8AB16-...} with no known display name (no BrowserHelperEx
// line), backed by pqkcx.dll in the system directory.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{B2A8AB16-388D-3D08-D827-3AE6728559C7}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{B2A8AB16-388D-3D08-D827-3AE6728559C7}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pqkcx.dll"

// Suspicious(9):
// Machine-wide Run entry "ITC" launching itc.exe from the system
// directory.
AutoRun:"ITC","<$SYSDIR>\itc.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ITC"
File:"<$FILE_EXE>","<$SYSDIR>\itc.exe"

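// Suspicious(10):
// Autorun named "Cisco Systems" (borrowed vendor name) launching 1772.exe
// from the system directory. The HijackThis line kept below shows it in
// the per-user Policies\Explorer\Run key, so that value is listed for
// HKCU; the HKLM counterpart is kept as well in case the same value is
// set machine-wide. Both are RegyValue entries, since "Cisco Systems" is
// the value name, not a subkey (the previous RegyKey form without a
// trailing backslash would not have matched a value).
AutoRun:"Cisco Systems","<$SYSDIR>\1772.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Cisco Systems"
File:"<$FILE_EXE>","<$SYSDIR>\1772.exe"
//O4 - HKCU\..\Policies\Explorer\Run: [Cisco Systems] C:\WINDOWS\system32\1772.exe
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","Cisco Systems"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","Cisco Systems"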

// Suspicious(11):
// 27 AppInit_DLLs injection DLLs in the system directory, all with
// random 6-letter names except kijazere.dll. Each name appears once as a
// RegyRemove (strip from AppInit_DLLs) and once as a File rule; keep the
// two lists in sync when adding a sample.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\cablki.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\ymwazv.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\wwqozw.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\chklvr.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\whynme.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\ozyhkl.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\lvvsjl.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vdjmdi.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\xjewlj.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pvqygx.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\xicnhs.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\omhxxv.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\cmxrqj.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\qlylfv.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bjoaeb.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\wmpepn.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\rnhqoj.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tberkr.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nsanpc.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\lraiak.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\uszpgu.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tbiind.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hdwmym.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yrevto.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\mdmfyl.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\xlxhmp.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kijazere.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cablki.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ymwazv.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wwqozw.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\chklvr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\whynme.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ozyhkl.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lvvsjl.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vdjmdi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xjewlj.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pvqygx.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xicnhs.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\omhxxv.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cmxrqj.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qlylfv.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bjoaeb.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wmpepn.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rnhqoj.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tberkr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nsanpc.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lraiak.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\uszpgu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tbiind.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hdwmym.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yrevto.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mdmfyl.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xlxhmp.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kijazere.dll"

// Suspicious(12):
// Dropper posing as the Windows Update client (wuauclt.exe), hidden in a
// RECYCLER sub-folder named like a SID. Windows SIDs always begin with "S-1-"
// (compare the real ones in Trojan.Unknown(10)/(11) below); "S-4-4-05-..." is
// the give-away. Persistence is through the Winlogon UserInit value; the
// original log line is kept here for reference:
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\RECYCLER\S-4-4-05-1159083872-6938103384-801541373-5856\wuauclt.exe,"
// Strip only the malicious path from UserInit; the leading userinit.exe entry
// must survive or interactive logon breaks.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDRIVE>\RECYCLER\S-4-4-05-1159083872-6938103384-801541373-5856\wuauclt.exe"
File:"<$FILE_EXE>","<$SYSDRIVE>\RECYCLER\S-4-4-05-1159083872-6938103384-801541373-5856\wuauclt.exe"
// NOTE(review): the next rule names the RECYCLER root itself, i.e. the Recycle
// Bin of every user on the system drive, not just the malware folder. Confirm
// the engine only acts on it together with the matching sub-folder below.
Directory:"<$DIR_PROG>","<$SYSDRIVE>\RECYCLER"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\RECYCLER\S-4-4-05-1159083872-6938103384-801541373-5856"
// Secondary autostart seen in the log (Startup-folder shortcut):
//O4 - Startup: wuauclt.exe.lnk = C:\RECYCLER\S-4-4-05-1159083872-6938103384-801541373-5856\wuauclt.exe

// Suspicious(13):
// Four randomly named DLLs in the system directory registered through
// AppInit_DLLs (system-wide DLL injection). The RegyRemove rules strip only the
// named path from the value so any legitimate entries in AppInit_DLLs remain.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\zpddcg.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vawsqt.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\ripxcq.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hvqxho.dll"
// One File rule per DLL referenced above, so the payload is removed together
// with its registration.
File:"<$FILE_LIBRARY>","<$SYSDIR>\zpddcg.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vawsqt.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ripxcq.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hvqxho.dll"

// Suspicious(14):
// Executable in <$WINDIR> started via a SharedTaskScheduler sub-key (loaded by
// Explorer). Key and file names are random strings differing only in the
// trailing digit (…ogd80 vs …ogd81).
// NOTE(review): other SharedTaskScheduler entries in this file hold a CLSID;
// "ImagePath=" is unusual here — confirm against the sample's registry export.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","dfgdjhse5rjfmkfsderhkldtd576ogd80","ImagePath=<$WINDIR>\dfgdjhse5rjfmkfsderhkldtd576ogd81.exe"
File:"<$FILE_EXE>","<$WINDIR>\dfgdjhse5rjfmkfsderhkldtd576ogd81.exe"

// Suspicious(15):
// Fake "Dhcp server" entry under SharedTaskScheduler pointing at a RUNDLL32.exe
// copy in <$WINDIR>\DLL. The genuine rundll32.exe lives in <$SYSDIR>; the
// non-standard directory is what makes this detectable without a hash.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","dhcpsrv","ImagePath=<$WINDIR>\DLL\RUNDLL32.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","dhcpsrv","DisplayName=Dhcp server"
File:"<$FILE_EXE>","<$WINDIR>\DLL\RUNDLL32.exe"

// Trojan.Adclicker:
// Run value "Systray" (name borrowed from a legitimate component) launching
// sockins32.dll from either the system directory or <$APPDATA>\sp1.
AutoRun:"Systray","<$SYSDIR>\sockins32.dll"
AutoRun:"Systray","<$APPDATA>\sp1\sockins32.dll"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Systray"
// NOTE(review): the payload is a .dll but is tagged <$FILE_EXE>; elsewhere in
// this file DLLs use <$FILE_LIBRARY>. Confirm whether the tag affects handling.
File:"<$FILE_EXE>","<$SYSDIR>\sockins32.dll"
File:"<$FILE_EXE>","<$APPDATA>\sp1\sockins32.dll"
// The sp1 folder is removed only if it contains the named payload.
Directory:"<$DIR_PROG>","<$APPDATA>\sp1","filename=sockins32.dll"

// Trojan.Agent:
// Two unrelated autostarts grouped under the generic name: a machine-wide
// "WinSys2" Run value and a per-user "DiskChk help" value loading proto.dll
// straight from the profile root. flagifnofile=1 flags the Run value even
// when the target file is already gone (orphaned entry).
AutoRun:"WinSys2","<$SYSDIR>\winsys2.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","WinSys2"
File:"<$FILE_EXE>","<$SYSDIR>\winsys2.exe"
AutoRun:"DiskChk help","<$PROFILE>\proto.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","DiskChk help"
File:"<$FILE_EXE>","<$PROFILE>\proto.dll"

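// Trojan.Backdoor.IRCBot:
// Two per-user Run values whose targets are copies of svchost.exe / lsass.exe
// dropped into the profile root. The genuine binaries live in <$SYSDIR>; a copy
// in <$PROFILE> is the indicator, so no hash is needed.
AutoRun:"Host Process","<$PROFILE>\svchost.exe","flagifnofile=1"
// Fixed: the original path ended in a trailing blank ("lsass.exe "), so the
// AutoRun target did not match the File rule below. Path now identical.
AutoRun:"LSA Shellu","<$PROFILE>\lsass.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Host Process"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","LSA Shellu"
File:"<$FILE_EXE>","<$PROFILE>\svchost.exe"
File:"<$FILE_EXE>","<$PROFILE>\lsass.exe"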

// Trojan.Backdoor.UltimateDefender:
// Winlogon notification package "reset5e" (DLL loaded by winlogon.exe at
// logon, i.e. runs with SYSTEM rights before any user session).
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","reset5e","DllName=<$SYSDIR>\reset5e.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\reset5e.dll"

// Trojan.Banker:
// Banking trojan installed as an Internet Explorer BHO ("Rmn plugin"), which
// lets it read and alter page content inside the browser. Two CLSIDs are
// known; each is removed both from the BHO list and from Classes\CLSID.
BrowserHelperEx:"Rmn plugin",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{d032570a-5f63-4812-a094-87d007c23012}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{d032570a-5f63-4812-a094-87d007c23012}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{47D92EB6-E52C-4cda-92A6-2369963F4913}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{47D92EB6-E52C-4cda-92A6-2369963F4913}"
// Known DLL names used by the variants (no mapping to a specific CLSID here).
File:"<$FILE_LIBRARY>","<$SYSDIR>\iebho.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\siemens32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\skrb32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jetaccss.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jetaccs.dll"

// Trojan.Downloader(1):
// Machine-wide Run value "Run" starting <$WINDIR>\run.exe. Both the value name
// and the file name are deliberately generic.
AutoRun:"Run","<$WINDIR>\run.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Run"
File:"<$FILE_EXE>","<$WINDIR>\run.exe"

// Trojan.Downloader(2):
// Run value "Cognac" pointing at a single-letter executable in a temp folder.
// The letter varies per sample (b.exe, g.exe seen), so the AutoRun rules use a
// one-character wildcard; the File rules still list the names actually seen.
//AutoRun:"Cognac","<$LOCALSETTINGS>\Temp\b.exe","flagifnofile=1"
//AutoRun:"Cognac","<$WINDIR>\TEMP\g.exe","flagifnofile=1"
AutoRun:"Cognac","<$LOCALSETTINGS>\Temp\?.exe","flagifnofile=1"
AutoRun:"Cognac","<$WINDIR>\TEMP\?.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Cognac"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\b.exe"
File:"<$FILE_EXE>","<$WINDIR>\TEMP\g.exe"


// Trojan.Downloader(3) (a.k.a. Trojan.Ertfor):
// BHO-based downloader with two known CLSIDs; one of them is additionally
// registered under SharedTaskScheduler so it loads in Explorer as well as IE.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{D5BF4552-94F1-42BD-F434-3604812C807D}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C5BF49A2-94F3-42BD-F434-3604812C897D}"
// NOTE(review): unlike every other BHO section in this file, no <$REG_CLASSID>
// rule exists for these two CLSIDs, so the Classes\CLSID registration (and its
// InprocServer32 path) would be left behind after removal — verify and add.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","erajhsf8743kjrngjnf","erajhsf8743kjrngjnf={D5BF4552-94F1-42BD-F434-3604812C807D}"
// Randomly named DLLs observed across samples; no per-name CLSID mapping.
File:"<$FILE_LIBRARY>","<$SYSDIR>\rakmdlkd83indfgnbu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bserkj3fjn.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jn3ir7jdfg44yd.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gsdrgfdrrgnd.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\uisaj387dd.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hsari3jndsbfi73.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\eawdh3hbg87dkjn.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gbhaw3ijbdyd.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\uisd33faj387dd.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gyuvgfytre56yftyd.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msfokm33fdnd.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rah3b8ffdnd.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gjm86akm34.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jsd72hf4t.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ksaf83hfd.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jkse73hedfdgf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gks834t.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hs7hjdj37.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jsne87fidgf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gs73gfidgf.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jsdf8j3dgf.dll"

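// Trojan.Downloader(4):
// Downloader that drops copies named after legitimate Windows tools (cmstp,
// logman, spoolsv, mstinit, clipsrv, dllhst3g, comrepl, mstsc) into the user
// profile and starts each one through a Policies\Explorer\Run value with the
// "/waitservice" switch. The HijackThis lines the rules were derived from are
// kept above each pair.
//
// Corrections against those log lines:
//   * The Run entries are registry *values*, so they use RegyValue (with the
//     trailing "\" on the key path) like every other Run rule in this file;
//     RegyKey would look for a sub-key of that name.
//   * Entries the log shows under HKCU are matched in HKEY_CURRENT_USER.
//   * File paths follow the author's own mapping used for CmSTP/Logman:
//     ANWEND~1 = <$APPDATA>, LOCALS~1\APPLIC~1 = <$LOCALAPPDATA>,
//     LOKALE~1\Temp = <$LOCALSETTINGS>\Temp. Spool, MstInit, DllHst, Mstsc and
//     the HKCU Spool entry were pointing at the wrong folder or file name.
//O4 - HKLM\..\Policies\Explorer\Run: [CmSTP] C:\Dokumente und Einstellungen\HappyundCappa\LOCALS~1\APPLIC~1\MICR OS~1\cmstp.exe /waitservice
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","CmSTP"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Microsoft\cmstp.exe"
//O4 - HKLM\..\Policies\Explorer\Run: [Logman] C:\DOKUME~1\HAPPYU~1\ANWEND~1\logman.exe /waitservice
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","Logman"
File:"<$FILE_EXE>","<$APPDATA>\logman.exe"
//O4 - HKLM\..\Policies\Explorer\Run: [Spool] C:\Dokumente und Einstellungen\HappyundCappa\LOCALS~1\APPLIC~1\spoolsv.exe /waitservice
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","Spool"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\spoolsv.exe"
//O4 - HKLM\..\Policies\Explorer\Run: [MstInit] C:\DOKUME~1\HAPPYU~1\ANWEND~1\mstinit.exe /waitservice
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","MstInit"
File:"<$FILE_EXE>","<$APPDATA>\mstinit.exe"
//O4 - HKLM\..\Policies\Explorer\Run: [ClipSrv] C:\Dokumente und Einstellungen\HappyundCappa\LOCALS~1\APPLIC~1\MICR OS~1\clipsrv.exe /waitservice
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","ClipSrv"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Microsoft\clipsrv.exe"
//O4 - HKLM\..\Policies\Explorer\Run: [DllHst] C:\DOKUME~1\HAPPYU~1\LOKALE~1\Temp\dllhst3g.exe /waitservice
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","DllHst"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\dllhst3g.exe"
//O4 - HKCU\..\Policies\Explorer\Run: [ComRepl] C:\DOKUME~1\HAPPYU~1\ANWEND~1\MICROS~1\comrepl.exe /waitservice
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","ComRepl"
File:"<$FILE_EXE>","<$APPDATA>\Microsoft\comrepl.exe"
//O4 - HKCU\..\Policies\Explorer\Run: [DllHst] C:\Dokumente und Einstellungen\HappyundCappa\LOCALS~1\APPLIC~1\MICR OS~1\dllhst3g.exe /waitservice
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","DllHst"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Microsoft\dllhst3g.exe"
//O4 - HKCU\..\Policies\Explorer\Run: [Mstsc] C:\DOKUME~1\HAPPYU~1\ANWEND~1\mstsc.exe /waitservice
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","Mstsc"
File:"<$FILE_EXE>","<$APPDATA>\mstsc.exe"
//O4 - HKCU\..\Policies\Explorer\Run: [Spool] C:\DOKUME~1\HAPPYU~1\LOKALE~1\Temp\spoolsv.exe /waitservice
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","Spool"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\spoolsv.exe"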

// Trojan.Downloader(5):
// Installs itself like a regular application under <$PROGRAMFILES>\Drmupgds and
// starts from the per-user Run key. The folder is removed along with the exe.
AutoRun:"Drmupgds","<$PROGRAMFILES>\Drmupgds\Drmupgds.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Drmupgds"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Drmupgds\Drmupgds.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Drmupgds"

// Trojan.Dursg:
// Per-user Run value "nvd32_r" (mimics an NVIDIA component name) loading
// unobi.dll from the roaming profile.
AutoRun:"nvd32_r","<$APPDATA>\unobi.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","nvd32_r"
// NOTE(review): DLL tagged <$FILE_EXE>; other DLL rules use <$FILE_LIBRARY>.
File:"<$FILE_EXE>","<$APPDATA>\unobi.dll"

// Trojan.Ertfor:
// BHO plus a dropper in a temp folder. The dropper's Run value is sometimes
// unnamed (empty value name) and sometimes the fixed random string
// "hsf7husjnfg98gi498aejhiugjkdg4"; the file name changes per sample.
BrowserHelperEx:"<$SYSDIR>\gsf83iujid.dll",
BrowserHelperEx:"<$SYSDIR>\grffr83hn.dll",
BrowserHelperEx:"<$SYSDIR>\sdjee3inf.dll",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{D76AB2A1-00F3-42BD-F434-00BBC39C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{D76AB2A1-00F3-42BD-F434-00BBC39C8953}"
// Unnamed Run values: match on the target path with any value name ("*");
// flagifnofile=0 so an orphaned entry without the file is not reported.
//AutoRun:"","<$LOCALSETTINGS>\Temp\bwnx4p9d9.exe","flagifnofile=1"
AutoRun:"*","<$LOCALSETTINGS>\Temp\bwnx4p9d9.exe","flagifnofile=0"
//AutoRun:"","<$LOCALSETTINGS>\Temp\fozr092coj.exe","flagifnofile=1"
AutoRun:"*","<$LOCALSETTINGS>\Temp\fozr092coj.exe","flagifnofile=0"
//AutoRun:"","<$WINDIR>\TEMP\r15a9mh05.exe","flagifnofile=1"
AutoRun:"*","<$WINDIR>\TEMP\r15a9mh05.exe","flagifnofile=0"
//AutoRun:"","C:\WINDOWS\TEMP\blqbmapll.exe","flagifnofile=1"
AutoRun:"*","<$WINDIR>\TEMP\blqbmapll.exe","flagifnofile=0"
//AutoRun:"","<$LOCALSETTINGS>\Temp\i6n2v7mmni.exe","flagifnofile=1"
AutoRun:"*","<$LOCALSETTINGS>\Temp\i6n2v7mmni.exe","flagifnofile=0"
// Named Run value: the name is constant, so any *.exe in either temp folder
// under that name is matched. The per-sample lines are kept for reference.
//AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$LOCALSETTINGS>\Temp\bwnx4p9d9.exe","flagifnofile=1"
//AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$LOCALSETTINGS>\Temp\fozr092coj.exe","flagifnofile=1"
//AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$WINDIR>\TEMP\r15a9mh05.exe","flagifnofile=1"
//AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$WINDIR>\TEMP\k8is6aq.exe","flagifnofile=1"
//AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$LOCALSETTINGS>\Temp\n7mdath.exe","flagifnofile=1"
//AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$LOCALSETTINGS>\Temp\i6n2v7mmni.exe","flagifnofile=1"
//AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$WINDIR>\TEMP\blqbmapll.exe","flagifnofile=1"
AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
AutoRun:"hsf7husjnfg98gi498aejhiugjkdg4","<$WINDIR>\TEMP\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","hsf7husjnfg98gi498aejhiugjkdg4"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","rtasgvfu76ew8ndkfno94","rtasgvfu76ew8ndkfno94={D76AB2A1-00F3-42BD-F434-00BBC39C8953}"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\bwnx4p9d9.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\fozr092coj.exe"
File:"<$FILE_EXE>","<$WINDIR>\TEMP\r15a9mh05.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gsf83iujid.dll"
File:"<$FILE_EXE>","<$WINDIR>\TEMP\k8is6aq.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\grffr83hn.dll"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\n7mdath.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sdjee3inf.dll"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\i6n2v7mmni.exe"
File:"<$FILE_EXE>","<$WINDIR>\TEMP\blqbmapll.exe"
// NOTE(review): the same Run value was also seen in the SYSTEM (S-1-5-18) and
// .DEFAULT hives; the rules above only cover HKEY_CURRENT_USER. The ya8bz5.exe
// sample has no File rule — confirm whether the *.exe wildcard handles it.
//O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\ya8bz5.exe (User 'SYSTEM')
//O4 - HKUS\S-1-5-18\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\WINDOWS\TEMP\ya8bz5.exe (User 'SYSTEM')
//O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\ya8bz5.exe (User 'Default user')

// Trojan.Iksmas:
// Machine-wide Run value "brastia" starting brastia.exe from the system dir.
AutoRun:"brastia","<$SYSDIR>\brastia.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","brastia"
File:"<$FILE_EXE>","<$SYSDIR>\brastia.exe"

// Trojan.IRCBot:
// One constant Run value name ("Windows UDP Control Center") with five known
// executable names in <$WINDIR>. The value name is the stable indicator; each
// file name seen so far gets its own AutoRun/File pair.
AutoRun:"Windows UDP Control Center","<$WINDIR>\winudpmgr.exe","flagifnofile=1"
AutoRun:"Windows UDP Control Center","<$WINDIR>\msnmngs.exe","flagifnofile=1"
AutoRun:"Windows UDP Control Center","<$WINDIR>\winrofl32.exe","flagifnofile=1"
AutoRun:"Windows UDP Control Center","<$WINDIR>\winupmgr.exe","flagifnofile=1"
AutoRun:"Windows UDP Control Center","<$WINDIR>\ehSched.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows UDP Control Center"
File:"<$FILE_EXE>","<$WINDIR>\winudpmgr.exe"
File:"<$FILE_EXE>","<$WINDIR>\msnmngs.exe"
File:"<$FILE_EXE>","<$WINDIR>\winrofl32.exe"
File:"<$FILE_EXE>","<$WINDIR>\winupmgr.exe"
File:"<$FILE_EXE>","<$WINDIR>\ehSched.exe"

// Trojan.Matcash:
// Per-user Run value "kernel" starting <$PROGRAMFILES>\kernel\kernel.exe.
// Only the executable is removed; no Directory rule for the folder here.
AutoRun:"kernel","<$PROGRAMFILES>\kernel\kernel.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","kernel"
File:"<$FILE_EXE>","<$PROGRAMFILES>\kernel\kernel.exe"

// Trojan.Podnuha.Rootkit:
// User-mode component registered as a BHO (apcup.dll). Only the BHO part is
// covered here; the rootkit driver itself has no rule in this section.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6DEE9CC1-C7FE-49EF-836A-28900CB68261}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6DEE9CC1-C7FE-49EF-836A-28900CB68261}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\apcup.dll"

// Trojan.TDSS.Rootkit(1):
// From a GMER log file (evidence only — every line below is commented out, so
// this section detects nothing yet). The service "MSIVXserv.sys" and all file
// names share the fixed prefix "MSIVX" followed by a random suffix, so
// wildcard NTFile rules like those in Trojan.TDSS.Rootkit(3) would be the
// natural way to cover this variant; verify on a sample before enabling.
//Service C:\Windows\system32\drivers\MSIVXstrwtxjhcukoqvcpqnpymtqpymmxknnb.sys
//Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
//Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@start 1
//Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@type 1
//Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXstrwtxjhcukoqvcpqnpymtqpymmxknnb.sys
//Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@group file system
//Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules
//Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXstrwtxjhcukoqvcpqnpymtqpymmxknnb.sys
//Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXuqcjydchweecwkqirhnpbrnbxfbcfbvs.dll
//Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXwwtkrhumvuamcvxpewphsmaehjlwgduk.dll
//Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys
//Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@start 1
//Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@type 1
//Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXstrwtxjhcukoqvcpqnpymtqpymmxknnb.sys
//Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@group file system
//Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules
//Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXstrwtxjhcukoqvcpqnpymtqpymmxknnb.sys
//Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXuqcjydchweecwkqirhnpbrnbxfbcfbvs.dll
//Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXwwtkrhumvuamcvxpewphsmaehjlwgduk.dll
//Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys
//Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@start 1
//Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@type 1
//Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXstrwtxjhcukoqvcpqnpymtqpymmxknnb.sys
//Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@group file system
//Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules
//Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXstrwtxjhcukoqvcpqnpymtqpymmxknnb.sys
//Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXuqcjydchweecwkqirhnpbrnbxfbcfbvs.dll
//Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXwwtkrhumvuamcvxpewphsmaehjlwgduk.dll
//Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys
//Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@start 1
//Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@type 1
//Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXstrwtxjhcukoqvcpqnpymtqpymmxknnb.sys
//Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@group file system
//Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys\modules
//Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXstrwtxjhcukoqvcpqnpymtqpymmxknnb.sys
//Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXuqcjydchweecwkqirhnpbrnbxfbcfbvs.dll
//Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXwwtkrhumvuamcvxpewphsmaehjlwgduk.dll

// Trojan.TDSS.Rootkit(2):
// From a RootAlyzer log file (evidence only — every line below is commented
// out, so this section detects nothing yet). All files carry the fixed prefix
// "UAC" plus a random suffix and are reported as hidden / invisible to Win32,
// so any future rules need the NTFile form used in Trojan.TDSS.Rootkit(3).
//File:"Hidden file","C:\WINDOWS\system32\UACalinevrsqoerxyq.dll"
//File:"Hidden file","C:\WINDOWS\system32\UACidbvoilfcpfqhii.dll"
//File:"Hidden file","C:\WINDOWS\system32\uacinit.dll"
//File:"Hidden file","C:\WINDOWS\system32\UACjrlvkpxbrqtmuro.db"
//File:"Hidden file","C:\WINDOWS\system32\UACnkxibirviqqaomp.dat"
//File:"Hidden file","C:\WINDOWS\system32\UACrtjikmnhopupknd.dll"
//File:"Hidden file","C:\WINDOWS\system32\uactmp.db"
//File:"Hidden file","C:\WINDOWS\system32\UACxxrgvvyfwxymehe.dll"
//File:"Hidden file","C:\WINDOWS\system32\UACyykiqwhkdybxbhp.dll"
//File:"Invisible to Win32","C:\WINDOWS\temp\UAC771f.tmp"
//File:"Invisible to Win32","C:\WINDOWS\system32\UACalinevrsqoerxyq.dll"
//File:"Invisible to Win32","C:\WINDOWS\system32\UACidbvoilfcpfqhii.dll"
//File:"Invisible to Win32","C:\WINDOWS\system32\uacinit.dll"
//File:"Invisible to Win32","C:\WINDOWS\system32\UACjrlvkpxbrqtmuro.db"
//File:"Invisible to Win32","C:\WINDOWS\system32\UACnkxibirviqqaomp.dat"
//File:"Invisible to Win32","C:\WINDOWS\system32\UACrtjikmnhopupknd.dll"
//File:"Invisible to Win32","C:\WINDOWS\system32\uactmp.db"
//File:"Invisible to Win32","C:\WINDOWS\system32\UACxxrgvvyfwxymehe.dll"
//File:"Invisible to Win32","C:\WINDOWS\system32\UACyykiqwhkdybxbhp.dll"
//File:"Invisible to Win32","C:\WINDOWS\system32\drivers\UACwvblalbaijpjwqx.sys"
//File:"Invisible to Win32","C:\Documents and Settings\God Len\Local Settings\temp\UAC7231.tmp"
//File:"Invisible to Win32","C:\Documents and Settings\God Len\Local Settings\temp\UACba7c.tmp"

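// Trojan.TDSS.Rootkit(3)-suspicious:
// From a ComboFix log file. All components share the fixed prefix "hjgrui"
// followed by a random suffix, so the rules match on the prefix with a
// wildcard instead of on the per-sample names listed below.
//c:\windows\system32\drivers\hjgruitoeitsfi.sys
//c:\windows\system32\hjgruibdqvihkc.dat
//c:\windows\system32\hjgruicnxwbqku.dll
//c:\windows\system32\hjgruivmeumfjq.dat
//c:\windows\system32\hjgruivnagmiwq.dll
// NTFile rather than File: the rootkit hides these from the Win32 file API, so
// the rules presumably use the native path (see the "Invisible to Win32" lines
// in Rootkit(2)) — confirm against the engine's NTFile semantics.
// The .dat and .dll rules appeared twice in the original; duplicates removed.
NTFile:"<$FILE_SERVICE>","<$SYSDIR>\drivers\hjgrui*.sys"
NTFile:"<$FILE_DATA>","<$SYSDIR>\hjgrui*.dat"
NTFile:"<$FILE_LIBRARY>","<$SYSDIR>\hjgrui*.dll"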

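// Trojan.VBS:
// VBScript run at logon by appending "wscript.exe VirusRemoval.vbs" to the
// Winlogon UserInit value. Original log line kept for reference:
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\VirusRemoval.vbs"
// Strip only the two appended parts from UserInit; the leading userinit.exe
// entry must stay or interactive logon breaks.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\wscript.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\VirusRemoval.vbs"
// Fixed: the original also had a File rule for <$SYSDIR>\wscript.exe. That is
// the legitimate Windows Script Host binary shipped with the OS, not part of
// the malware; flagging or deleting it would damage every scanned system.
// Only the script itself is a removable artefact.
File:"<$FILE_DATA>","<$SYSDIR>\VirusRemoval.vbs"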

// Trojan.Unknown(1):
// Per-user Run value "Windows System Recover!" whose target is any executable
// in either temp folder; the file name changes per sample (install.exe,
// smss.exe.exe, winlogon.exe, spoolsv.exe seen), so the live rules use *.exe
// keyed on the constant value name. Per-sample lines kept for reference.
//AutoRun:"Windows System Recover!","<$LOCALSETTINGS>\Temp\install.exe","flagifnofile=1"
//AutoRun:"Windows System Recover!","<$WINDIR>\TEMP\install.exe","flagifnofile=1"
//AutoRun:"Windows System Recover!","<$LOCALSETTINGS>\Temp\smss.exe.exe","flagifnofile=1"
//AutoRun:"Windows System Recover!","<$WINDIR>\TEMP\smss.exe.exe","flagifnofile=1"
//AutoRun:"Windows System Recover!","<$LOCALSETTINGS>\Temp\winlogon.exe","flagifnofile=1"
//AutoRun:"Windows System Recover!","<$WINDIR>\TEMP\spoolsv.exe","flagifnofile=1"
AutoRun:"Windows System Recover!","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
AutoRun:"Windows System Recover!","<$WINDIR>\TEMP\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows System Recover!"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\install.exe"
File:"<$FILE_EXE>","<$WINDIR>\TEMP\install.exe"
// NOTE(review): the logged name is "smss.exe.exe" (double extension) but the
// File rules say "smss.exe" — one of the two is a typo; verify on the sample.
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\smss.exe"
File:"<$FILE_EXE>","<$WINDIR>\Temp\smss.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\winlogon.exe"
File:"<$FILE_EXE>","<$WINDIR>\TEMP\spoolsv.exe"

// Trojan.Unknown(2):
// Machine-wide Run value "winupdate.exe" (fake Windows Update) in <$SYSDIR>.
AutoRun:"winupdate.exe","<$SYSDIR>\winupdate.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winupdate.exe"
File:"<$FILE_EXE>","<$SYSDIR>\winupdate.exe"

// Trojan.Unknown(3):
// Winsock LSP (layered service provider) bglsp.dll — sits in the TCP/IP stack
// of every socket-using process. Only the Winsock catalog entry is handled;
// the File rule is intentionally left disabled, presumably so the DLL is not
// deleted while still referenced by the catalog (which would break
// networking) — confirm the intended order before re-enabling it.
Winsock:"<bglsp.dll>","0"
// File:"<$FILE_LIBRARY>","c:\windows\system32\bglsp.dll"

// Trojan.Unknown(4):
// Two per-user Run values with random names, each starting an executable of
// the same name from <$LOCALAPPDATA>.
AutoRun:"lqgljotj","<$LOCALAPPDATA>\lqgljotj.exe","flagifnofile=1"
AutoRun:"scoso","<$LOCALAPPDATA>\scoso.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","lqgljotj"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","scoso"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\lqgljotj.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\scoso.exe"

// Trojan.Unknown(5):
// Run value "Win32 Firewall" (seen in both HKCU and HKLM) starting 198.exe from
// the user's temp folder.
AutoRun:"Win32 Firewall","<$LOCALSETTINGS>\Temp\198.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Win32 Firewall"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Win32 Firewall"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\198.exe"

// Trojan.Unknown(6):
// dot3svc32.dll (name mimics the 802.1X service dot3svc) loaded two ways: as a
// Winlogon notification package and via AppInit_DLLs. Both registrations are
// cleared before the file is removed.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","286f18bb638","DllName=<$SYSDIR>\dot3svc32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dot3svc32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dot3svc32.dll"

// Trojan.Unknown(7):
// Per-user Run value with a random name starting csrssc.exe (one letter off
// the system process csrss.exe) from the user's temp folder.
AutoRun:"tezrtsjhfr84iusjfo84f","<$LOCALSETTINGS>\Temp\csrssc.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","tezrtsjhfr84iusjfo84f"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\csrssc.exe"

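// Trojan.Unknown(8):
// Persistence through the legacy "load" / "run" values under
// HKLM\...\CurrentVersion\Windows (Win.ini compatibility autostart). Each
// RegyRemove strips only the named executable from the value; the original
// log lines are kept above each pair.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","load","load=C:\WINDOWS\system32\msywzw.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","load","<$SYSDIR>\msywzw.exe"
File:"<$FILE_EXE>","<$SYSDIR>\msywzw.exe"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","load","load=C:\WINDOWS\system32\mscpe.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","load","<$SYSDIR>\mscpe.exe"
// Fixed: this File rule repeated msywzw.exe (copy-paste), so mscpe.exe was
// never removed even though its "load" entry was.
File:"<$FILE_EXE>","<$SYSDIR>\mscpe.exe"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","run","run=C:\WINDOWS\system32\msgwno.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","run","<$SYSDIR>\msgwno.exe"
File:"<$FILE_EXE>","<$SYSDIR>\msgwno.exe"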

// Trojan.Unknown(9):
// Per-user Run value "nah_Shell" starting nah_tpya.exe from the profile root.
AutoRun:"nah_Shell","<$PROFILE>\nah_tpya.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","nah_Shell"
File:"<$FILE_EXE>","<$PROFILE>\nah_tpya.exe"

// Trojan.Unknown(10):
// Dropper hidden in a RECYCLER sub-folder. Unlike Suspicious(12) the folder
// name here is a syntactically valid S-1-5-21 SID, so the Run value name
// ("12CFG515-K641-55SF-N66P") is the stable indicator instead.
AutoRun:"12CFG515-K641-55SF-N66P","<$SYSDRIVE>\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","12CFG515-K641-55SF-N66P"
File:"<$FILE_EXE>","<$SYSDRIVE>\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe"
// NOTE(review): the next rule names the RECYCLER root, i.e. every user's
// Recycle Bin, not only the malware folder. Confirm the engine only acts on it
// together with the matching sub-folder below.
Directory:"<$DIR_PROG>","<$SYSDRIVE>\RECYCLER"
Directory:"<$DIR_PROG>","<$SYSDRIVE>\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556"

// Trojan.Unknown(11):
//O4 - S-1-5-21-3755911061-1286710541-279945468-500 Startup: fmnupd32.exe (User '?')
//O4 - S-1-5-21-3755911061-1286710541-279945468-500 Startup: zqosys32.exe (User '?')
//O4 - Startup: fmnupd32.exe
//O4 - Startup: zqosys32.exe
//O4 - Startup: ezserver.lnk = C:\ezserver.bat
//O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msuqpyap.exe

// Trojan.Unknown(12):
// Per-user Run value "defender32.exe" (fake Windows Defender) started from the
// user's temp folder.
AutoRun:"defender32.exe","<$LOCALSETTINGS>\Temp\defender32.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","defender32.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\defender32.exe"

// Trojan.Unknown(13):
// Winlogon notification package with a random name (aafbdcbdbadbcb) whose DLL
// carries the same name in <$SYSDIR>.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","aafbdcbdbadbcb","DllName=<$SYSDIR>\aafbdcbdbadbcb.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\aafbdcbdbadbcb.dll"

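// Trojan.Virtumonde:
// Vundo/Virtumonde family: random-named DLLs in <$SYSDIR> registered as BHOs,
// as Run values (often with random value names), as Winlogon notification
// packages and through AppInit_DLLs. Several of the rules below match on the
// file path with any value name ("*") because the value names are random.
//
// Change in this revision: three File rules appeared twice (kofemube.dll,
// nnnmlml.dll, ujrkcaq.dll); the duplicates were removed. No detection was
// added or dropped.
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{50C35313-CCA0-4E63-8080-691F509FB2AF}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{50C35313-CCA0-4E63-8080-691F509FB2AF}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A9B03309-CF90-4397-934B-9FA53AC09D94}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A9B03309-CF90-4397-934B-9FA53AC09D94}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{fbbd5691-58c3-4c48-9b25-b25a02f7f5d0}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{fbbd5691-58c3-4c48-9b25-b25a02f7f5d0}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{846a65ab-bfc7-46c2-95f7-37c65c5624c6}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{846a65ab-bfc7-46c2-95f7-37c65c5624c6}"
// Run values: the per-sample value names are kept as comments; the live rules
// match the DLL path under any name. flagifnofile=0 on the "*" rules avoids
// reporting every orphaned Run value whose file is gone.
//AutoRun:"nelabugome","<$SYSDIR>\ravuhavu.dll","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\ravuhavu.dll","flagifnofile=0"
AutoRun:"net","<$SYSDIR>\net.net","flagifnofile=1"
//AutoRun:"wunopukuji","<$SYSDIR>\jakonehu.dll","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\jakonehu.dll","flagifnofile=0"
//AutoRun:"d0e31147","<$SYSDIR>\zofitemi.dll","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\zofitemi.dll","flagifnofile=0"
//AutoRun:"CPMd3d022db","<$SYSDIR>\kofemube.dll","flagifnofile=1"
// "CPM" prefix is constant, the hex suffix is not.
AutoRun:"CPM*","<$SYSDIR>\kofemube.dll","flagifnofile=1"
//AutoRun:"pukosikato","<$SYSDIR>\jisagade.dll","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\jisagade.dll","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","nelabugome"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","net"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","net"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","wunopukuji"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","d0e31147"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPMd3d022db"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","pukosikato"
// Winlogon notification packages (the "__c00xxxxx.dat" files are DLLs with a
// .dat extension; the key name matches the file name).
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c005F042","DllName=<$SYSDIR>\__c005F042.dat"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","nnnmlml","DllName=<$SYSDIR>\nnnmlml.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","yrzvwyhm","DllName=<$SYSDIR>\ujrkcaq.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c0053106","DllName=<$SYSDIR>\__c0053106.dat"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","jkkjijk","DllName=<$SYSDIR>\jkkjijk.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c00DEDD2","DllName=<$SYSDIR>\__c00DEDD2.dat"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","iasrrsmp","DllName=<$SYSDIR>\iasrrsmp.dll"
// AppInit_DLLs entries: only the named path is stripped from the value.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nawowami.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kofemube.dll"
// Payload files. sstqp.dll, gozomeji.dll and kalahavi.dll have no matching
// registry rule above and are removed on file presence alone.
File:"<$FILE_LIBRARY>","<$SYSDIR>\nawowami.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kofemube.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ravuhavu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nnnmlml.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sstqp.dll"
File:"<$FILE_DATA>","<$SYSDIR>\__c005F042.dat"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ujrkcaq.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gozomeji.dll"
File:"<$FILE_DATA>","<$SYSDIR>\__c0053106.dat"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jkkjijk.dll"
File:"<$FILE_DATA>","<$SYSDIR>\net.net"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jakonehu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zofitemi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jisagade.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kalahavi.dll"
File:"<$FILE_DATA>","<$SYSDIR>\__c00DEDD2.dat"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iasrrsmp.dll"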

// Trojan.Virtumonde.Variant:
// Persistence is a per-user Run value (HKCU ...\CurrentVersion\Run) that points
// at a DLL dropped in the user's Temp folder. The specific value name
// "37c52f9d" kept below as a comment was generalised to "*" on the active
// line, with flagifnofile switched from 1 to 0; the exact meaning of
// flagifnofile is not documented in this file — presumably it controls
// whether the entry is still reported when the referenced file is absent
// (TODO confirm against the engine's documentation).
// NOTE(review): the RegyValue for "37c52f9d" is still active even though the
// matching AutoRun entry is commented out, so that value name is still
// cleaned up by the registry rule alone.
AutoRun:"MSServer","<$LOCALAPPDATA>\Temp\oPiijiiI.dll","flagifnofile=1"
//AutoRun:"37c52f9d","<$LOCALAPPDATA>\Temp\epkqqbpc.dll","flagifnofile=1"
AutoRun:"*","<$LOCALAPPDATA>\Temp\epkqqbpc.dll","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","MSServer"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","37c52f9d"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\Temp\oPiijiiI.dll"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\Temp\epkqqbpc.dll"

// Trojan.WinFixer:
// Both AutoRun entries share the single per-user Run value name "cmds"; the
// two DLL paths are alternative droppers for the same value, so one RegyValue
// rule covers both.
// NOTE(review): these .dll files are classified as <$FILE_EXE>, whereas the
// Trojan.Virtumonde.Variant section classifies its Temp-folder .dll files as
// <$FILE_LIBRARY>. Confirm which category is intended so the two sections are
// consistent.
AutoRun:"cmds","<$LOCALAPPDATA>\Temp\tUlLCVoO.dll","flagifnofile=1"
AutoRun:"cmds","<$LOCALAPPDATA>\Temp\vtsqn.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","cmds"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\tUlLCVoO.dll"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\vtsqn.dll"

// Virus.Virut:
// Two drop locations are covered for the same executable name and Run value
// name "reader_s": a machine-wide variant (file in <$SYSDIR>, value under
// HKLM Run) and a per-user variant (file in <$PROFILE>, value under HKCU Run).
// Each triple below (AutoRun, RegyValue, File) is kept together so the
// persistence entry and the file it launches are removed as a unit.
AutoRun:"reader_s","<$SYSDIR>\reader_s.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","reader_s"
File:"<$FILE_EXE>","<$SYSDIR>\reader_s.exe"
AutoRun:"reader_s","<$PROFILE>\reader_s.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","reader_s"
File:"<$FILE_EXE>","<$PROFILE>\reader_s.exe"

// Worm.Blackmail:
// Machine-wide persistence: HKLM Run value "twunk_32" launching 32_twunk.exe
// from the Windows directory. The value name resembles the legitimate Windows
// helper twunk_32.exe, but the file matched here is the reversed name
// 32_twunk.exe — keep the rule on that exact filename and do not widen it to
// twunk_32.exe itself.
AutoRun:"twunk_32","<$WINDIR>\32_twunk.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","twunk_32"
File:"<$FILE_EXE>","<$WINDIR>\32_twunk.exe"

// Worm.Koobface:
// The commented-out lines are the originally observed filenames; the active
// lines replace the numeric suffix with ? wildcards so that new numbered
// variants are still matched. Note that fbtre?.exe uses a single wildcard
// while the others use two, mirroring the one-digit sample fbtre9.exe.
// Four of the file patterns (kenny, bolivar, fbtre, che) share the HKLM Run
// value name "sysftray2", so a single RegyValue rule removes that value for
// all of them. The File entries at the end mirror the AutoRun entries
// one-for-one.
// NOTE(review): short wildcard names such as ld??.exe or che??.exe in
// <$WINDIR> are broad; check for legitimate files of that shape before
// widening these patterns further.
//AutoRun:"sysldtray","<$WINDIR>\ld12.exe","flagifnofile=1"
AutoRun:"sysldtray","<$WINDIR>\ld??.exe","flagifnofile=1"
//AutoRun:"sysfbtray","<$WINDIR>\freddy49.exe","flagifnofile=1"
AutoRun:"sysfbtray","<$WINDIR>\freddy??.exe","flagifnofile=1"
//AutoRun:"sysmstray","<$WINDIR>\mstre19.exe","flagifnofile=1"
AutoRun:"sysmstray","<$WINDIR>\mstre??.exe","flagifnofile=1"
//AutoRun:"sysftray2","<$WINDIR>\kenny18.exe","flagifnofile=1"
AutoRun:"sysftray2","<$WINDIR>\kenny??.exe","flagifnofile=1"
//AutoRun:"sysftray2","<$WINDIR>\bolivar30.exe","flagifnofile=1"
AutoRun:"sysftray2","<$WINDIR>\bolivar??.exe","flagifnofile=1"
//AutoRun:"sysftray2","<$WINDIR>\fbtre9.exe","flagifnofile=1"
AutoRun:"sysftray2","<$WINDIR>\fbtre?.exe","flagifnofile=1"
//AutoRun:"sysftray2","<$WINDIR>\che08.exe","flagifnofile=1"
AutoRun:"sysftray2","<$WINDIR>\che??.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sysldtray"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sysfbtray"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sysmstray"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sysftray2"
//File:"<$FILE_EXE>","<$WINDIR>\ld12.exe"
File:"<$FILE_EXE>","<$WINDIR>\ld??.exe"
//File:"<$FILE_EXE>","<$WINDIR>\freddy49.exe"
File:"<$FILE_EXE>","<$WINDIR>\freddy??.exe"
//File:"<$FILE_EXE>","<$WINDIR>\mstre19.exe"
File:"<$FILE_EXE>","<$WINDIR>\mstre??.exe"
//File:"<$FILE_EXE>","<$WINDIR>\kenny18.exe"
File:"<$FILE_EXE>","<$WINDIR>\kenny??.exe"
//File:"<$FILE_EXE>","<$WINDIR>\bolivar30.exe"
File:"<$FILE_EXE>","<$WINDIR>\bolivar??.exe"
//File:"<$FILE_EXE>","<$WINDIR>\fbtre9.exe"
File:"<$FILE_EXE>","<$WINDIR>\fbtre?.exe"
//File:"<$FILE_EXE>","<$WINDIR>\che08.exe"
File:"<$FILE_EXE>","<$WINDIR>\che??.exe"