
Thread: New Malware v32


    Default New Malware v32

    I've collected detection rules for the following Malware:
    • Adware.Couponbar
    • Adware.DuDuAccelerator
    • Adware.PopLoader
    • Hijacker.AdwareClick
    • Malware.Ascentive.PerformanceCenter
    • Malware.Fraud.Contraviro
    • Malware.Fraud.SecureWarrior
    • Malware.Fraud.TrustCop
    • Malware.Huntbar
    • Malware.Smitfraud
    • Malware.SuperSearch/EasySearch
    • Malware.Sysguard
    • Malware.Unknown(3)
    • PUPS.MyFreeze.com
    • PUPS.SearchSettings
    • Rootkit.Rustock
    • Rootkit.TDSS
    • Rootkit.Unknown(2)
    • Rootkit.Zbot
    • Spyware.Ultraview
    • Suspicious(2)
    • Trojan.Agent(11)
    • Trojan.Banker
    • Trojan.Unknown(7)
    • Trojan.Virtumonde
    • Worm.Unknown
    Category: Trojan
    Code:
    :: New Malware v32
    // Revision 1
    // {Cat:Trojan}{Cnt:1}
    // {Det:Matt,2009-10-07}
    
    // Adware.Couponbar:
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{62960D20-6D0D-1AB4-4BF1-95B0B5B8783A}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{62960D20-6D0D-1AB4-4BF1-95B0B5B8783A}"
    BrowserHelperEx:"TTB000000","filename=COUPON*.dll"
    // C:\WINDOWS\COUPON~1.DLL
    File:"<$FILE_LIBRARY>","<$WINDIR>\COUPON*.DLL"
    
    // Adware.DuDuAccelerator:
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{00018593-C6BD-46F7-9349-DBA1AA674C90}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{00018593-C6BD-46F7-9349-DBA1AA674C90}"
    BrowserHelperEx:"dddmont Class","filename=*.dll"
    BrowserHelperEx:"DuDu.com","filename=*.dll"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\DuDu\Speed\dddiemon.dll"
    // IEExtension:"%26Detect Video By DuDu"
    // IEExtension:"%26Download All By DuDu"
    // IEExtension:"%26Download By DuDu"
    // IEExtension:"%26Download Selection By DuDu"
    IEExtension:"* By DuDu"
    // RegyKey:"<$REG_IEMENUEXT>",HKEY_CURRENT_USER,"\Software\Microsoft\Internet Explorer\MenuExt\","%26Detect Video By DuDu"
    // RegyKey:"<$REG_IEMENUEXT>",HKEY_CURRENT_USER,"\Software\Microsoft\Internet Explorer\MenuExt\","%26Download All By DuDu"
    // RegyKey:"<$REG_IEMENUEXT>",HKEY_CURRENT_USER,"\Software\Microsoft\Internet Explorer\MenuExt\","%26Download By DuDu"
    // RegyKey:"<$REG_IEMENUEXT>",HKEY_CURRENT_USER,"\Software\Microsoft\Internet Explorer\MenuExt\","%26Download Selection By DuDu"
    RegyKey:"<$REG_IEMENUEXT>",HKEY_CURRENT_USER,"\Software\Microsoft\Internet Explorer\MenuExt\","* By DuDu"
    // File:"<$FILE_LIBRARY>","res://C:\Program Files\DuDu\Speed\dddmext.dll/205"
    // File:"<$FILE_LIBRARY>","res://C:\Program Files\DuDu\Speed\dddmext.dll/203"
    // File:"<$FILE_LIBRARY>","res://C:\Program Files\DuDu\Speed\dddmext.dll/202"
    // File:"<$FILE_LIBRARY>","res://C:\Program Files\DuDu\Speed\dddmext.dll/204"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\DuDu\Speed\dddmext.dll"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\DuDu\Speed"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\DuDu"
    
    // Adware.PopLoader:
    // NOTE(review): the "..." inside the URL on the next three lines looks like a forum display shortening, not part of the real path; as written neither the CodeStoreDB line nor the CODEBASE match can fire. Restore the full URL from the original HJT O16 line (<FULL_CAB_URL>) before shipping.
    // O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://l.yimg.com/jh/games/web_games...ploader_v6.cab
    CodeStoreDB:"http://l.yimg.com/jh/games/web_games...ploader_v6.cab"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Code Store Database\Distribution Units\","{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}","DownloadInformation\CODEBASE=http://l.yimg.com/jh/games/web_games...ploader_v6.cab"
    
    // Adware.SmartShopper:
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E}"
    BrowserHelperEx:"Smart-Shopper","filename=*.dll"
    // IEExtension:"SmartShopper - Compare product prices"
    // IEExtension:"SmartShopper - Compare travel rates"
    IEExtension:"SmartShopper - *"
    // NOTE(review): the two observed Extensions keys have different CLSIDs (...bebf and ...bec0), but the generalized rule below keeps only ...bec0 with a wildcard ButtonText, so the "Compare product prices" entry (...bebf) is not cleaned. Add a second RegyKey for ...bebf, or wildcard the key name if the engine supports it.
    // RegyKey:"<$REG_IEEXTENSION>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Extensions\","{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bebf}","ButtonText=SmartShopper - Compare product prices"
    // RegyKey:"<$REG_IEEXTENSION>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Extensions\","{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bec0}","ButtonText=SmartShopper - Compare travel rates"
    RegyKey:"<$REG_IEEXTENSION>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Extensions\","{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bec0}","ButtonText=SmartShopper - *"
    // C:\Program Files (x86)\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Smart-Shopper\Bin\*\Smrt-Shpr.dll"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Smart-Shopper\Bin\*","filename=Smrt-Shpr.dll"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Smart-Shopper\Bin"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Smart-Shopper"
    
    // Hijacker.AdwareClick:
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{5C13D564-5818-4960-B5B5-B14E3D1492F8}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5C13D564-5818-4960-B5B5-B14E3D1492F8}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{900CA02A-990F-4f0d-8E8E-28A3F82F08D8}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{900CA02A-990F-4f0d-8E8E-28A3F82F08D8}"
    // BrowserHelperEx:"Bho","filename=xlfgwqgk.dll"
    // BrowserHelperEx:"Bho","filename=reqyvyjq.dll"
    BrowserHelperEx:"Bho","filename=*.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\xlfgwqgk.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\reqyvyjq.dll"
    
    // Malware.Ascentive.PerformanceCenter:
    // AutoRun:"Performance Center","C:\Program Files\Ascentive\Performance Center\APCMain.exe -m","flagifnofile=1"
    AutoRun:"Performance Center","<$PROGRAMFILES>\Ascentive\Performance Center\*.exe*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Performance Center"
    // File:"<$FILE_EXE>","C:\Program Files\Ascentive\Performance Center\APCMain.exe -m"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\Ascentive\Performance Center\APCMain.exe"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Ascentive\Performance Center"
    
    // Malware.Fraud.Contraviro:
    // AutoRun:"Contraviro","C:\Program Files\Contraviro\Contraviro.exe","flagifnofile=1"
    AutoRun:"Contraviro","<$PROGRAMFILES>\Contraviro\Contraviro.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Contraviro"
    // File:"<$FILE_EXE>","C:\Program Files\Contraviro\Contraviro.exe"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\Contraviro\Contraviro.exe"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Contraviro"
    // File:"<$FILE_LIBRARY>","c:\program files\contraviro\siglsp.dll"
    Winsock:"<siglsp.dll>","0"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Contraviro\siglsp.dll"
    
    // Malware.Fraud.SecureWarrior:
    // AutoRun:"SecureWarrior","C:\Program Files\SecureWarrior Software\SecureWarrior\SecureWarrior.exe -min","flagifnofile=1"
    AutoRun:"SecureWarrior","<$PROGRAMFILES>\SecureWarrior Software\SecureWarrior\SecureWarrior.exe*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SecureWarrior"
    // File:"<$FILE_EXE>","C:\Program Files\SecureWarrior Software\SecureWarrior\SecureWarrior.exe -min"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\SecureWarrior Software\SecureWarrior\SecureWarrior.exe"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\SecureWarrior Software\SecureWarrior\uninstall.exe"
    File:"<$FILE_DESKTOPLINK>","<$COMMONDESKTOP>\SecureWarrior.lnk"
    File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SecureWarrior\1 TrustCop.lnk"
    File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SecureWarrior\2 Homepage.lnk"
    File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SecureWarrior\3 Uninstall.lnk"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","SecureWarriorSvc","ImagePath=<$PROGRAMFILES>\SecureWarrior Software\SecureWarrior\SecureWarriorSvc.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","SecureWarriorSvc","DisplayName=SecureWarrior Security Service"
    // NOTE(review): the next File line hard-codes "C:\Program Files" whereas the other File lines in this section use <$PROGRAMFILES>; it will miss localized installs and "Program Files (x86)" (see the Adware.SmartShopper log line above).
    File:"<$FILE_EXE>","C:\Program Files\SecureWarrior Software\SecureWarrior\SecureWarriorSvc.exe"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SecureWarrior Software\SecureWarrior"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SecureWarrior Software"
    // HKEY_LOCAL_MACHINE\SOFTWARE\SecureWarrior
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Software\","SecureWarrior"
    // HKEY_CURRENT_USER\Software\SecureWarrior
    RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\","SecureWarrior"
    // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SecureWarrior
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Uninstall\","SecureWarrior"
    // HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREWARRIORSVC
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\CurrentControlSet\Enum\Root\","LEGACY_SECUREWARRIORSVC"
    // HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecureWarriorSvc
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\CurrentControlSet\Services\","SecureWarriorSvc"
    
    // Malware.Fraud.TrustCop:
    // AutoRun:"TrustCop","C:\Program Files\TrustCop Software\TrustCop\TrustCop.exe -min","flagifnofile=1"
    AutoRun:"TrustCop","<$PROGRAMFILES>\TrustCop Software\TrustCop\TrustCop.exe*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","TrustCop"
    // File:"<$FILE_EXE>","C:\Program Files\TrustCop Software\TrustCop\TrustCop.exe -min"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\TrustCop Software\TrustCop\TrustCop.exe"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\TrustCop Software\TrustCop\uninstall.exe"
    // c:\WINDOWS\10134spamb9zb95.dll
    // c:\WINDOWS\1015zpyware2930.dll
    // c:\WINDOWS\10753tzo5931.bin
    // c:\WINDOWS\system32\288995acktool3z1.dll
    // c:\WINDOWS\system32\28935virus54z.ocx
    // c:\WINDOWS\system32\28a6d9wnlzader1957.exe
    File:"<$FILE_DESKTOPLINK>","<$COMMONDESKTOP>\TrustCop.lnk"
    File:"<$FILE_LINK>","<$COMMONPROGRAMS>\TrustCop\1 TrustCop.lnk"
    File:"<$FILE_LINK>","<$COMMONPROGRAMS>\TrustCop\2 Homepage.lnk"
    File:"<$FILE_LINK>","<$COMMONPROGRAMS>\TrustCop\3 Uninstall.lnk"
    Directory:"<$DIR_PROG>","<$COMMONPROGRAMS>\TrustCop"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\TrustCop Software\TrustCop"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\TrustCop Software"
    // HKEY_LOCAL_MACHINE\SOFTWARE\TrustCop
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Software\","TrustCop"
    // HKEY_CURRENT_USER\Software\TrustCop
    RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\","TrustCop"
    // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TrustCop
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Uninstall\","TrustCop"
    
    // Malware.Huntbar:
    // AutoRun:"TBPS","C:\PROGRA~1\Toolbar\TBPS.exe","flagifnofile=1"
    AutoRun:"TBPS","<$PROGRAMFILES>\Toolbar\TBPS.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","TBPS"
    // File:"<$FILE_EXE>","C:\PROGRA~1\Toolbar\TBPS.exe"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\Toolbar\TBPS.exe"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Toolbar","filename=TBPS.exe"
    
    // Malware.Smitfraud:
    // AutoRun:"A00F2120B6.exe","C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F2120B6.exe","flagifnofile=1"
    // AutoRun:"A00F1556A96.exe","C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F1556A96.exe","flagifnofile=1"
    AutoRun:"A00*.exe","<$LOCALSETTINGS>\Temp\_A00*.exe","flagifnofile=1"
    // RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","A00F2120B6.exe"
    // RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","A00F1556A96.exe"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","A00*.exe"
    // File:"<$FILE_EXE>","C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F2120B6.exe"
    // File:"<$FILE_EXE>","C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F1556A96.exe"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\_A00*.exe"
    
    // Malware.SuperSearch/EasySearch(??):
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{B88F0A3B-663C-4342-A7CE-2D6F81032897}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{B88F0A3B-663C-4342-A7CE-2D6F81032897}"
    BrowserHelperEx:"Super-Search - search like an expert","filename=*.dll"
    // C:\PROGRA~1\EASYSE~1\BHO\1SUPER~1.DLL
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\EASYSE*\BHO\*SUPER*.dll"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\EASYSE*\BHO"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\EASYSE*"
    
    // Malware.Sysguard:
    // AutoRun:"system tool","C:\Program Files\filvsk\pekjsysguard.exe","flagifnofile=1"
    AutoRun:"system tool","<$PROGRAMFILES>\*\*sysguard.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","system tool"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","system tool"
    // File:"<$FILE_EXE>","C:\Program Files\filvsk\pekjsysguard.exe"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\*\*sysguard.exe"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\*","filename=*sysguard.exe"
    
    // Malware.Unknown(1):
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{9AEDA548-56E7-4C9F-8FA0-68AF07888013}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{9AEDA548-56E7-4C9F-8FA0-68AF07888013}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{EAC97150-C97D-4221-952B-A33F0D8F64ED}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{EAC97150-C97D-4221-952B-A33F0D8F64ED}"
    // BrowserHelperEx:"ZIEPro Class","filename=asr_fmt.cpl"
    BrowserHelperEx:"ZIEPro Class","filename=*.cpl"
    // BrowserHelperEx:"VAid Class","filename=danim.cpl"
    BrowserHelperEx:"VAid Class","filename=*.cpl"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\asr_fmt.cpl"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\danim.cpl"
    
    // Malware.Unknown(2):
    // NOTE(review): the commented log line below still contains the affected user's account name; the Rootkit.Zbot section masks the profile name with ***, do the same here (the Trojan.Agent(8), Trojan.Agent(11) and Trojan.Unknown(1) log lines have the same issue).
    // AutoRun:"owecw",""c:\users\serhat bilgin\appdata\local\owecw.exe" owecw","flagifnofile=1"
    AutoRun:"owecw","<$LOCALAPPDATA>\owecw.exe*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","owecw"
    // File:"<$FILE_EXE>",""c:\users\serhat bilgin\appdata\local\owecw.exe" owecw"
    File:"<$FILE_EXE>","<$LOCALAPPDATA>\owecw.exe"
    
    // Malware.Unknown(3):
    // RegyRemove:"<$REG_WEBPAGE>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","C:\WINDOWS\TEMP\512657sys.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$WINDIR>\TEMP\*sys.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\TEMP\*sys.dll"
    
    // PUPS.MyFreeze.com:
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\","{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}"
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}"
    BrowserHelperEx:"NetAssistantBHO","filename=NetAssistant.dll"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\My.Freeze.com NetAssistant\NetAssistant.dll"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\My.Freeze.com NetAssistant"
    
    // PUPS.SearchSettings:
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{E312764E-7706-43F1-8DAB-FCDD2B1E416D}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{E312764E-7706-43F1-8DAB-FCDD2B1E416D}"
    RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{B922D405-6D13-4A2B-AE89-08A030DA4402}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{B922D405-6D13-4A2B-AE89-08A030DA4402}"
    BrowserHelperEx:"*","filename=SearchSettings.dll"
    BrowserHelperEx:"pdfforge Toolbar","filename=*.dll"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\pdfforge Toolbar\SearchSettings.dll"
    File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\pdfforge Toolbar\WidgiToolbarIE.dll"
    // AutoRun:"SearchSettings","C:\Program Files\pdfforge Toolbar\SearchSettings.exe","flagifnofile=1"
    AutoRun:"SearchSettings","<$PROGRAMFILES>\pdfforge Toolbar\SearchSettings.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","SearchSettings"
    // File:"<$FILE_EXE>","C:\Program Files\pdfforge Toolbar\SearchSettings.exe"
    File:"<$FILE_EXE>","<$PROGRAMFILES>\pdfforge Toolbar\SearchSettings.exe"
    Directory:"<$DIR_PROG>","<$PROGRAMFILES>\pdfforge Toolbar"
    
    // Rootkit.Rustock:
    // From an MBAM log file
    // NOTE(review): 732889a4.sys is listed twice (first and third NTFile lines); drop one. The driver names look randomly generated, so a fixed name list will probably only catch these exact samples.
    NTFile:"<$FILE_SERVICE>","<$SYSDIR>\drivers\732889a4.sys"
    NTFile:"<$FILE_SERVICE>","<$SYSDIR>\drivers\732889a0.sys"
    NTFile:"<$FILE_SERVICE>","<$SYSDIR>\drivers\732889a4.sys"
    NTFile:"<$FILE_SERVICE>","<$SYSDIR>\drivers\7e0d5626.sys"
    NTFile:"<$FILE_SERVICE>","<$SYSDIR>\drivers\A0155794.sys"
    NTFile:"<$FILE_SERVICE>","<$SYSDIR>\drivers\a9560aa2.sys"
    NTFile:"<$FILE_SERVICE>","<$SYSDIR>\drivers\f1e02e46.sys"
    
    // Rootkit.TDSS:
    // NOTE(review): every line in this section is commented out, so as written it detects nothing; either add NTFile rules for the paths below or drop the section from the rule set.
    // c:\windows\system32\drivers\gasfkyxdkcpdfx.sys
    // c:\windows\system32\gasfkyewqxrmlb.dat
    // c:\windows\system32\gasfkymitlweko.dll
    // c:\windows\system32\gasfkyomcqrssf.dat
    // c:\windows\system32\gasfkytiqobiuf.dll
    // c:\windows\system32\gasfkyxueqerrs.dll
    
    // Rootkit.Unknown(1):
    // According to the user, Spybot could not delete this, hence NTFile now; please double-check
    // NOTE(review): regedit.exe is also the name of a legitimate Windows tool; the NTFile line below removes whatever sits at <$SYSDIR>\regedit.exe, so confirm (hash or signature) that this copy is the malicious one before the rule goes live.
    // AutoRun:"Regedit32","C:\WINDOWS\system32\regedit.exe","flagifnofile=1"
    AutoRun:"Regedit??","<$SYSDIR>\regedit.exe","flagifnofile=1"
    // RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Regedit32"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Regedit??"
    // File:"<$FILE_EXE>","C:\WINDOWS\system32\regedit.exe"
    NTFile:"<$FILE_EXE>","<$SYSDIR>\regedit.exe"
    
    // Rootkit.Unknown(2):
    // From a RootRepeal log file
    // NOTE(review): the ":1"/":2" suffixes are presumably alternate data streams attached to the legitimate win32k.sys; confirm the engine treats "win32k.sys:?" as the stream only and never removes the host file.
    // C:\WINDOWS\win32k.sys:1
    // C:\WINDOWS\win32k.sys:2
    NTFile:"<$FILE_SERVICE>","<$WINDIR>\win32k.sys:?"
    // From a ComboFix log file
    // c:\windows\uxuderekeg.sys
    NTFile:"<$FILE_SERVICE>","<$WINDIR>\uxuderekeg.sys"
    
    // Rootkit.Zbot:
    // NOTE(review): the NTFile line is tagged <$FILE_LIBRARY> although the target is an .exe; executables elsewhere in this file use <$FILE_EXE> (e.g. Rootkit.Unknown(1)). Also confirm that the RegyRemove below strips only the hatgj.exe part of the Userinit value and leaves the legitimate userinit.exe entry intact.
    // RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\Dokum ente und Einstellungen\***\hatgj.exe \s"
    RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$PROFILE>\hatgj.exe*"
    NTFile:"<$FILE_LIBRARY>","<$PROFILE>\hatgj.exe"
    
    // Spyware.Ultraview:
    // RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","shellservice","shellservice={8FB2D6CA-E258-48CF-9DAB-EEFB735E225C}"
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","shellservice","shellservice=*"
    // File:"<$FILE_LIBRARY>","C:\WINDOWS\system32\config\atww\ShellService.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\config\*\ShellService.dll"
    Directory:"<$DIR_PROG>","<$SYSDIR>\config\*","filename=ShellService.dll"
    
    // Suspicious(1):
    // According to Web Of Trust (WOT) all of the following sites, which I found in an HJT logfile, are untrustworthy and contain malware
    // NOTE(review): the three RegyKey paths below start at "\Microsoft\..." whereas every other HKEY_LOCAL_MACHINE rule in this file starts at "\SOFTWARE\..."; the Internet Settings\ZoneMap\Domains key lives under SOFTWARE, so these rules most likely never match. The key names also carry HJT's " (HKLM)" annotation, a trailing space and a doubled space before "\*", none of which are part of the real registry key name.
    // O15 - Trusted Zone: *.antimalwareguard.com
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\","antimalwareguard.com","antimalwareguard.com  \*=dword:1"
    // O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\","antimalwareguard.com (HKLM)","antimalwareguard.com (HKLM)\*=dword:1"
    // O15 - Trusted Zone: *.gomyhit.com (HKLM)
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\","gomyhit.com (HKLM) ","gomyhit.com (HKLM) \*=dword:1"
    
    // Suspicious(2):
    // NOTE(review): all entries below are commented out, so this section is inert; if it is kept as reference only, say so. The hosts entries point security-vendor and update domains at attacker-chosen or sinkhole addresses; "359.63.157.25" is not a valid IPv4 address (first octet > 255) and is probably a transcription error.
    // O1 - Hosts: 82.98.231.89 url.adtrgt.com
    // O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
    // O1 - Hosts: 209.44.111.57 security.microsoft.com
    // O1 - Hosts: 209.44.111.57 inetavirus.c om
    // O1 - Hosts: 209.44.111.57 hxxp://www.inetavirus.c om
    // O1 - Hosts: 91.212.65.127 browser-security.microsoft.com
    // O1 - Hosts: 91.212.65.127 spywareprotector-2009.com
    // O1 - Hosts: 91.212.65.127 www.spywareprotector-2009.com
    // O1 - Hosts: 91.212.65.127 secure.spywareprotector-2009.com
    // O1 - Hosts: 94.232.248.66 antivir-service.microsoft.com
    // O1 - Hosts: 94.232.248.66 antivirussys2009.com
    // O1 - Hosts: 94.232.248.66 www.antivirussys2009.com
    // O1 - Hosts: 69.10.51.38 www.reevoo.com
    // O1 - Hosts: 69.10.51.38 toptenreviews.com
    // O1 - Hosts: 91.212.127.226 windows-shield.microsoft.com
    // O1 - Hosts: 91.212.127.226 windows-shield.com
    // O1 - Hosts: 91.212.127.226 www.windows-shield.com
    // O1 - Hosts: 1.1.1.1 download.bitdefender.com
    // O1 - Hosts: 1.1.1.1 spywareinfo.com
    // O1 - Hosts: 1.1.1.1 www.spywareinfo.com
    // O1 - Hosts: 1.1.1.1 www.paretologic.com
    // O1 - Hosts: 1.1.1.1 paretologic.com
    // O1 - Hosts: 1.1.1.1 services.google.com
    // O1 - Hosts: 1.1.1.1 webroot.com
    // O1 - Hosts: 94.232.248.66 antivaresys.com
    // O1 - Hosts: 94.232.248.66 www.antivaresys.com
    // O1 - Hosts: 359.63.157.25 www.fs2you.com
    // O1 - Hosts: 222.169.230.101 dyn.www.fs2you.com
    // O1 - Hosts: 59.32.232.195 cachefile1.fs2you.com
    // O1 - Hosts: 222.169.230.98 cachefile2.fs2you.com
    // O1 - Hosts: 221.204.246.79 cachefile3.fs2you.com
    // O1 - Hosts: 61.150.85.80 cachefile4.fs2you.com
    // O1 - Hosts: 60.2.139.27 cachefile5.fs2you.com
    // O1 - Hosts: 61.184.189.10 cachefile6.fs2you.com
    // O1 - Hosts: 61.174.62.132 cachefile7.fs2you.com
    // O1 - Hosts: 58.211.75.49 cachefile8.fs2you.com
    // O1 - Hosts: 61.134.84.238 cachefile9.fs2you.com
    // O1 - Hosts: 61.156.40.181 cachefile10.fs2you.com
    // O1 - Hosts: 218.75.151.4 cachefile11.fs2you.com
    // O1 - Hosts: 58.211.75.31 cachefile12.fs2you.com
    // O1 - Hosts: 124.94.101.133 cachefile13.fs2you.com
    // O1 - Hosts: 221.204.246.115 cachefile14.fs2you.com
    // O1 - Hosts: 218.75.151.10 cachefile15.fs2you.com
    // O1 - Hosts: 58.218.209.126 cachefile16.fs2you.com
    // O1 - Hosts: 61.157.152.173 cachefile17.fs2you.com
    // O1 - Hosts: 125.46.41.27 cachefile18.fs2you.com
    // O1 - Hosts: 125.91.11.223 cachefile19.fs2you.com
    // O1 - Hosts: 59.53.48.134 cachefile20.fs2you.com
    // O1 - Hosts: 59.53.48.136 cachefile21.fs2you.com
    // O1 - Hosts: 59.53.48.144 cachefile22.fs2you.com
    // O1 - Hosts: 61.139.106.204 cachefile23.fs2you.com
    // O1 - Hosts: 59.53.48.172 cachefile24.fs2you.com
    // O1 - Hosts: 124.94.101.146 cachefile25.fs2you.com
    // O1 - Hosts: 61.166.111.227 cachefile26.fs2you.com
    // O1 - Hosts: 58.218.179.214 www.fs2you.com
    
    // Trojan.Agent(1):
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{BD389B4D-F612-3AD3-B593-2F487D256161}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{BD389B4D-F612-3AD3-B593-2F487D256161}"
    BrowserHelperEx:"D","filename=xwr*.dll"
    // C:\WINDOWS\system32\xwr26881.dll
    File:"<$FILE_LIBRARY>","<$SYSDIR>\xwr?????.dll"
    
    // Trojan.Agent(2):
    // AutoRun:"PromoReg","C:\WINDOWS\Temp\_ex-08.exe","flagifnofile=1"
    AutoRun:"PromoReg","<$WINDIR>\Temp\*.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","PromoReg"
    // File:"<$FILE_EXE>","C:\WINDOWS\Temp\_ex-08.exe"
    File:"<$FILE_EXE>","<$WINDIR>\Temp\_ex-??.exe"
    
    // Trojan.Agent(3):
    // AutoRun:"cnu","C:\WINDOWS\system32\cnu.exe \u","flagifnofile=1"
    AutoRun:"cnu","<$SYSDIR>\cnu.exe*","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","cnu"
    // File:"<$FILE_EXE>","C:\WINDOWS\system32\cnu.exe \u"
    File:"<$FILE_EXE>","<$SYSDIR>\cnu.exe"
    
    // Trojan.Agent(4):
    // AutoRun:"pp9nvgspv64u","C:\WINDOWS\system32\pp9nvgppv6kt.exe","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\pp9nvgppv6kt.exe","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","pp9nvgspv64u"
    // File:"<$FILE_EXE>","C:\WINDOWS\system32\pp9nvgppv6kt.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\pp9nvgppv6kt.exe"
    
    // Trojan.Agent(5):
    // AutoRun:"jnhvd","C:\WINDOWS\system32\jnhvd.exe \u","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\jnhvd.exe*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","jnhvd"
    // File:"<$FILE_EXE>","C:\WINDOWS\system32\jnhvd.exe \u"
    File:"<$FILE_EXE>","<$SYSDIR>\jnhvd.exe"
    
    // Trojan.Agent(6):
    // AutoRun:"lmk8hoju","C:\WINDOWS\system32\lmk8hoju.exe","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\lmk8hoju.exe","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","lmk8hoju"
    // File:"<$FILE_EXE>","C:\WINDOWS\system32\lmk8hoju.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\lmk8hoju.exe"
    
    // Trojan.Agent(7):
    // The name of the autostart entry is random, the file name is fixed
    // NOTE(review): because the Run value name is random, the RegyValue line below still matches only the one observed name "FH"; any other instance would leave a dangling Run entry after the file is removed. Trojan.Agent(4)-(6) and Trojan.Unknown(1) use the same AutoRun:"*" shape with a literal RegyValue name.
    // AutoRun:"FH","C:\WINDOWS\system32\svchop.exe home ","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\svchop.exe*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","FH"
    // File:"<$FILE_EXE>","C:\WINDOWS\system32\svchop.exe home"
    File:"<$FILE_EXE>","<$SYSDIR>\svchop.exe"
    
    // Trojan.Agent(8):
    // NOTE(review): <$APPDATA>\svcst.exe appears twice as a File rule in this section (under "mserv" and again under "svchost"); keep one. Both AutoRun lines match any .exe in <$APPDATA>, so the Run value name alone carries the detection — worth a second look at the false-positive risk, especially for "svchost".
    // AutoRun:"mserv","C:\Documents and Settings\Tian Chen\Application Data\svcst.exe","flagifnofile=1"
    // AutoRun:"mserv","C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\seres.exe","flagifnofile=1"
    AutoRun:"mserv","<$APPDATA>\*.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","mserv"
    File:"<$FILE_EXE>","<$APPDATA>\svcst.exe"
    File:"<$FILE_EXE>","<$APPDATA>\seres.exe"
    // AutoRun:"svchost","C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\svcst.exe","flagifnofile=1"
    AutoRun:"svchost","<$APPDATA>\*.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","svchost"
    // File:"<$FILE_EXE>","C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\svcst.exe"
    File:"<$FILE_EXE>","<$APPDATA>\svcst.exe"
    
    // Trojan.Agent(9):
    // NOTE(review): the AutoRun line matches any .exe under <$SYSDIR> for a Run value named "Windows", while the File line is specific to window.exe. If the wildcard was only chosen to cope with the quoted path in the log line, "<$SYSDIR>\window.exe*" (the form used in Malware.Fraud.SecureWarrior) would be the narrower match.
    // AutoRun:"Windows",""C:\Windows\System32\window.exe"","flagifnofile=1"
    AutoRun:"Windows","<$SYSDIR>\*.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows"
    // File:"<$FILE_EXE>",""C:\Windows\System32\window.exe""
    File:"<$FILE_EXE>","<$SYSDIR>\window.exe"
    
    // Trojan.Agent(10):
    // AutoRun:"DealAssistant","C:\Dokumente und Einstellungen\User\Anwendungsdaten\DealAssistant\dealassistant.exe","flagifnofile=1"
    AutoRun:"DealAssistant","<$APPDATA>\DealAssistant\dealassistant.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","DealAssistant"
    // File:"<$FILE_EXE>","C:\Dokumente und Einstellungen\User\Anwendungsdaten\DealAssistant\dealassistant.exe"
    File:"<$FILE_EXE>","<$APPDATA>\DealAssistant\dealassistant.exe"
    Directory:"<$DIR_APPDATA>","<$APPDATA>\DealAssistant"
    
    // Trojan.Agent(11):
    // According to SuperAntiSpyware "Trojan.Agent/Gen-SoftWin[Virut]"; masquerades as an Adobe application
    // NOTE(review): <$APPDATA>\Adobe is also used by legitimate Adobe products; confirm that the "filename=mmplayer.exe" qualifier on the Directory line limits removal to the infected case (the same construct guards <$PROGRAMFILES>\Toolbar in Malware.Huntbar).
    // AutoRun:"mmplayer.exe","C:\Dokumente und Einstellungen\bless97\Anwendungsdaten\Adobe\mmplayer.exe","flagifnofile=1"
    AutoRun:"mmplayer.exe","<$APPDATA>\Adobe\mmplayer.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","mmplayer.exe"
    // File:"<$FILE_EXE>","C:\Dokumente und Einstellungen\bless97\Anwendungsdaten\Adobe\mmplayer.exe"
    File:"<$FILE_EXE>","<$APPDATA>\Adobe\mmplayer.exe"
    Directory:"<$DIR_APPDATA>","<$APPDATA>\Adobe","filename=mmplayer.exe"
    
    // Trojan.Banker:
    // The CLSID is random, hence the "eplrr=*" wildcard below
    // RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","eplrr","eplrr={A3F9D024-71A9-4DE2-8BEF-E566D2807802}"
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","eplrr","eplrr=*"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\eplrr.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\eplrr?.dll"
    
    // Trojan.Unknown(1):
    // AutoRun:"Yjafosi8kdf98winmdkmnkmfnwe","C:\DOCUME~1\David\LOCALS~1\Temp\spoolsv.exe","flagifnofile=1"
    AutoRun:"*","<$LOCALSETTINGS>\Temp\spoolsv.exe","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Yjafosi8kdf98winmdkmnkmfnwe"
    // File:"<$FILE_EXE>","C:\DOCUME~1\David\LOCALS~1\Temp\spoolsv.exe"
    File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\spoolsv.exe"
    
    // Trojan.Unknown(2):
    // SharedTaskScheduler entries with a random CLSID (the observed value is kept
    // only as evidence); the live rules match on the value name and accept any CLSID.
    // RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","OLE Module","OLE Module={03B1C4D9-BC71-8916-38AD-9DEA5D213614}"
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","OLE Module","OLE Module=*"
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","OLE Automation Module","OLE Automation Module=*"
    // Component DLLs dropped into the system directory.
    File:"<$FILE_LIBRARY>","<$SYSDIR>\rch.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\brew.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\smp.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\chp.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\msbnk.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\rdrlib.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\wunk32.dll"
    // Driver-style .sys files and data files in the Windows Temp directory. The data
    // file names (body.dat, mailz.dat) hint at a mail/spam component — unverified.
    File:"<$FILE_SERVICE>","<$WINDIR>\Temp\url.sys"
    File:"<$FILE_SERVICE>","<$WINDIR>\Temp\tsk.sys"
    File:"<$FILE_DATA>","<$WINDIR>\Temp\body.dat"
    File:"<$FILE_DATA>","<$WINDIR>\Temp\mailz.dat"
    
    // Trojan.Unknown(3):
    // Service-style entries (ImagePath / DisplayName values) whose names imitate
    // Windows services (Logical Disk Manager, Distributed Transaction Coordinator,
    // MySQL). The misspellings ("Logicle", "Mianags", "Servic") are the malware's own
    // strings and are matched literally — do not "correct" them.
    // NOTE(review): ImagePath and DisplayName are values of a service key under
    // HKLM\SYSTEM\CurrentControlSet\Services\<name>; confirm that a RegyKey match
    // under ...\Explorer\SharedTaskScheduler\ actually hits these entries.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","Logicle Disk Managers","ImagePath=<$WINDIR>\msagent\agentpsh.exe"
    File:"<$FILE_EXE>","<$WINDIR>\msagent\agentpsh.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","Logicle Mianags","ImagePath=<$SYSDIR>\Restore\sframie.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\Restore\sframie.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","DstRser","ImagePath=<$WINDIR>\msagent\agentdpv.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","DstRser","DisplayName=Distributed Transaction Servic"
    File:"<$FILE_EXE>","<$WINDIR>\msagent\agentdpv.exe"
    // NOTE(review): a file named Program.exe in the root of the system drive is also
    // the classic target of an unquoted service path ("C:\Program Files\..." being
    // resolved as C:\Program.exe); the "MySQL" name is consistent with that, but the
    // page does not show the original ImagePath, so treat this as unverified.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","MySQL","ImagePath=<$SYSDRIVE>\Program.exe"
    File:"<$FILE_EXE>","<$SYSDRIVE>\Program.exe"
    
    // Trojan.Unknown(4):
    // Found in a log file; according to several websites all of these are malicious :-)
    // Six service-style entries with seven-letter random names, each with a matching
    // "<name> Service" DisplayName and an executable of the same name in the system
    // directory — the uniform pattern suggests one family with randomised names.
    // NOTE(review): as with Trojan.Unknown(3), ImagePath/DisplayName are service-key
    // values; confirm the SharedTaskScheduler key path is what the engine expects.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","afisicx","ImagePath=<$SYSDIR>\afisicx.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","afisicx","DisplayName=afisicx Service"
    File:"<$FILE_EXE>","<$SYSDIR>\afisicx.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mabidwe","ImagePath=<$SYSDIR>\mabidwe.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mabidwe","DisplayName=mabidwe Service"
    File:"<$FILE_EXE>","<$SYSDIR>\mabidwe.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","noytcyr","ImagePath=<$SYSDIR>\noytcyr.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","noytcyr","DisplayName=noytcyr Service"
    File:"<$FILE_EXE>","<$SYSDIR>\noytcyr.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","roytctm","ImagePath=<$SYSDIR>\roytctm.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","roytctm","DisplayName=roytctm Service"
    File:"<$FILE_EXE>","<$SYSDIR>\roytctm.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","soxpeca","ImagePath=<$SYSDIR>\soxpeca.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","soxpeca","DisplayName=soxpeca Service"
    File:"<$FILE_EXE>","<$SYSDIR>\soxpeca.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","wsldoekd","ImagePath=<$SYSDIR>\wsldoekd.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","wsldoekd","DisplayName=wsldoekd Service"
    File:"<$FILE_EXE>","<$SYSDIR>\wsldoekd.exe"
    
    // Trojan.Unknown(5):
    // Two service-style entries pointing at executables in the user's local Temp
    // directory. The observed lines (Vista-style profile path, user "Jerms") are kept
    // as evidence; the path was generalised to <$LOCALAPPDATA>\Temp.
    // RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","DLLT","ImagePath=C:\Users\Jerms\AppData\Local\Temp\DLLT.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","DLLT","ImagePath=<$LOCALAPPDATA>\Temp\DLLT.exe"
    File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\DLLT.exe"
    // RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","EHGDJMRNZSS","ImagePath=C:\Users\Jerms\AppData\Local\Temp\EHGDJMRNZSS.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","EHGDJMRNZSS","ImagePath=<$LOCALAPPDATA>\Temp\EHGDJMRNZSS.exe"
    File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\EHGDJMRNZSS.exe"
    
    // Trojan.Unknown(6):
    // Masquerades as a Norton product: a service-style entry whose name starts with a
    // dot (".norton2009Reset") and an executable under the shared AppData\Norton folder.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\",".norton2009Reset","ImagePath=<$COMMONAPPDATA>\Norton\Norton2009Reset.exe"
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\",".norton2009Reset","DisplayName=Norton2009 Reset"
    File:"<$FILE_EXE>","<$COMMONAPPDATA>\Norton\Norton2009Reset.exe"
    // NOTE(review): a genuine Norton install may also use a "Norton" folder under the
    // common AppData directory; the filename= qualifier presumably restricts this
    // Directory match to the case where the malicious EXE is present — verify before
    // relying on it, since a false positive here would remove a vendor directory.
    Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\Norton","filename=Norton2009Reset.exe"
    
    // Trojan.Unknown(7):
    // From a ComboFix log file.
    // The dropped copy sits in the profile root, named "<GUID>-svchost.exe"; since the
    // GUID is per-infection the prefix is wildcarded.
    // c:\documents and settings\Michael\{E0BEA186-702D-AEE1-C853-B2F338819BB8}-svchost.exe
    File:"<$FILE_EXE>","<$PROFILE>\*-svchost.exe"
    // Name resembles the Security Center service (wscsvc) with a "32" suffix; no
    // such executable ships with Windows as far as this rule set is concerned.
    // c:\windows\system32\wscsvc32.exe
    File:"<$FILE_EXE>","<$SYSDIR>\wscsvc32.exe"
    
    // Trojan.Virtumonde:
    // From a ComboFix log file.
    // Random eight-letter DLL names in the system directory plus the family's
    // .ini/.ini2 side files; these are matched by exact name (no wildcards).
    File:"<$FILE_LIBRARY>","<$SYSDIR>\paduzebe.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ramegige.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\zazovera.dll"
    File:"<$FILE_CONFIGURATION>","<$SYSDIR>\gxxygekd.ini"
    File:"<$FILE_CONFIGURATION>","<$SYSDIR>\lmWxwyay.ini"
    File:"<$FILE_CONFIGURATION>","<$SYSDIR>\lmWxwyay.ini2"
    File:"<$FILE_CONFIGURATION>","<$SYSDIR>\shaibgvh.ini"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\wingenocx.dll"
    
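    // Browser Helper Objects (BHOs): each entry removes the BHO registration, the
    // matching CLSID registration, the BHO itself and its DLL. Where the DLL name is
    // random the BHO is matched by its display name (filename=*.dll); where the
    // display name is random the BHO is matched by its file name ("*").
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}"
    BrowserHelperEx:"MSEvents Object","filename=*.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\jkkli.dll"
    
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{8f36637d-b930-4685-8a5c-a1f167fdbf6e}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8f36637d-b930-4685-8a5c-a1f167fdbf6e}"
    BrowserHelperEx:"*","filename=zusidebi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\zusidebi.dll"
    
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{9b34da61-19e3-4294-a7f4-25aaee2c8a95}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{9b34da61-19e3-4294-a7f4-25aaee2c8a95}"
    BrowserHelperEx:"*","filename=hizapego.dll"
    // Fixed: this File rule previously pointed at zusidebi.dll (copy/paste from the
    // entry above), so the hizapego.dll file was never removed.
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hizapego.dll"
    
    // This CLSID is also registered as a SharedTaskScheduler entry further below.
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A249BC15-23F2-42AD-F4E4-00AAC39C0004}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A249BC15-23F2-42AD-F4E4-00AAC39C0004}"
    BrowserHelperEx:"*","filename=gjx01r4y21.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\gjx01r4y21.dll"
    
    RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A9672972-83EE-440B-B390-5835B5C7F572}"
    RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A9672972-83EE-440B-B390-5835B5C7F572}"
    BrowserHelperEx:"*","filename=muweb32.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\muweb32.dll"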
    
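    // rundll32-based Run-key autoruns. Each original O4 line is kept (commented) as
    // evidence. The AutoRun path ends in "dll*" so the rundll32 entry-point argument
    // that follows the DLL path (",Startup", ",s", ",a", ",i") still matches.
    // flagifnofile=0 is used where the autorun name is wildcarded ("*"), so the rule
    // presumably fires only when the DLL really exists; where the name is specific
    // the Run value is flagged even if the DLL has already been removed.
    // AutoRun:"Jluposixa","rundll32.exe "C:\WINDOWS\ohovapuz.dll",Startup","flagifnofile=1"
    AutoRun:"*","<$WINDIR>\ohovapuz.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Jluposixa"
    // File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\ohovapuz.dll",Startup"
    File:"<$FILE_LIBRARY>","<$WINDIR>\ohovapuz.dll"
    
    // The log gave a bare "monigula.dll" (no directory); the system directory is
    // assumed here, matching where the other DLLs of this group were found.
    // AutoRun:"gobehabuye","Rundll32.exe "monigula.dll",s","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\monigula.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","gobehabuye"
    // File:"<$FILE_EXE>","Rundll32.exe "monigula.dll",s"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\monigula.dll"
    
    // AutoRun:"fedewapul","Rundll32.exe "c:\windows\system32\kogetagi.dll",a","flagifnofile=1"
    AutoRun:"*","<$SYSDIR>\kogetagi.dll*","flagifnofile=0"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","fedewapul"
    // File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\kogetagi.dll",a"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kogetagi.dll"
    
    // The observed value name was "xml10"; the two trailing characters are treated
    // as variable ("xml??") while the DLL name stays fixed.
    // AutoRun:"xml10","RUNDLL32.EXE C:\WINDOWS\system32\xml_inc.dll,i","flagifnofile=1"
    AutoRun:"xml??","<$SYSDIR>\xml_inc.dll*","flagifnofile=1"
    // RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","xml10"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","xml??"
    // File:"<$FILE_EXE>","RUNDLL32.EXE C:\WINDOWS\system32\xml_inc.dll,i"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\xml_inc.dll"
    
    // "ntuser.dll" dropped into a service-account profile root (next to the genuine
    // ntuser.dat) and loaded via rundll32 with the export _IWMPEvents@0.
    // O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
    // O4 - HKUS\.DEFAULT\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\ntuser.dll,_IWMPEvents@0 (User 'Default user')
    // AutoRun:"calc","rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0","flagifnofile=1"
    // The DLL was seen under both the NetworkService (NETWOR~1) and, per the two log
    // lines above, the LocalService (LOCALS~1) profile; the original rule only
    // covered NETWOR*, so the LOCALS* variant is added.
    AutoRun:"calc","<$PROFILES>\NETWOR*\ntuser.dll*","flagifnofile=1"
    AutoRun:"calc","<$PROFILES>\LOCALS*\ntuser.dll*","flagifnofile=1"
    // NOTE(review): the log shows the value under HKU\S-1-5-18 and HKU\.DEFAULT, not
    // necessarily under the interactive user's hive; confirm HKEY_CURRENT_USER is the
    // right scope for this RegyValue or add HKEY_USERS coverage if the engine allows.
    RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","calc"
    // File:"<$FILE_EXE>","rundll32.exe C:\DOCUME~1\NETWOR~1\ntuser.dll,_IWMPEvents@0"
    File:"<$FILE_LIBRARY>","<$PROFILES>\NETWOR*\ntuser.dll"
    File:"<$FILE_LIBRARY>","<$PROFILES>\LOCALS*\ntuser.dll"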
    
    // AppInit_DLLs entries. AppInit_DLLs is a single value that can list several
    // DLLs, so RegyRemove is used to strip just the named entry rather than deleting
    // the whole value (presumed semantics of RegyRemove — it is not RegyValue).
    // Some entries were observed as a bare file name and some as a full path; each
    // rule matches the form that was seen, and the DLL itself is removed from the
    // system directory in both cases.
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","lrqzhy.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\lrqzhy.dll"
    
    // Observed as 49241xxx.dll in the Windows Temp directory; the numeric prefix is
    // per-infection, so it is wildcarded and only the "xxx.dll" tail is fixed.
    // RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$WINDIR>\temp\49241xxx.dll"
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$WINDIR>\temp\*xxx.dll"
    File:"<$FILE_LIBRARY>","<$WINDIR>\temp\*xxx.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\zekibawi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\zekibawi.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","zayiveva.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\zayiveva.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\sukiyeko.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\sukiyeko.dll"
    
    // kogetagi.dll is also loaded through a rundll32 Run entry (see above).
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kogetagi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kogetagi.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","rijiraza.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\rijiraza.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tunirufa.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tunirufa.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tareyezu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tareyezu.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","papupona.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\papupona.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","wonupago.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\wonupago.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","emovmv.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\emovmv.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\delidubu.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\delidubu.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\mukejowe.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\mukejowe.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\lipewedi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\lipewedi.dll"
    
    // Name imitates a legitimate-looking Windows component with a "32" suffix; it is
    // matched by exact name only, so the genuine DevicePairingProxy.dll is untouched.
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\DevicePairingProxy32.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\DevicePairingProxy32.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","kayufegi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kayufegi.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hunayeko.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hunayeko.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\lodivoyo.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\lodivoyo.dll"
    
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","hupabubi.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hupabubi.dll"
    
    // eapsvc32.dll is additionally registered as a Winlogon Notify DLL (see below).
    RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\eapsvc32.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\eapsvc32.dll"
    
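    // Winlogon Notify packages. Each subkey names a DLL (DllName value) that Winlogon
    // loads; several entries point at ".dat" files, i.e. a DLL registered under a
    // non-.dll extension, which is itself a tell.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c00E4584","DllName=<$SYSDIR>\__c00E4584.dat"
    File:"<$FILE_DATA>","<$SYSDIR>\__c00E4584.dat"
    
    // The log showed only the Windows directory as DllName, with no file name, so
    // there is no File rule for this entry. Fixed: the hard-coded "C:\WINDOWS\" was
    // replaced by <$WINDIR>\ so the match is not tied to a C: installation.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","64c56c89598","DllName=<$WINDIR>\"
    // File:"<$FILE_LIBRARY>","C:\WINDOWS\"
    
    // Subkey name and DLL name differ here; the DLL was observed as a bare file name.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","xbhactnc","DllName=jzjkllk.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\jzjkllk.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","dhcpcab","DllName=<$SYSDIR>\dhcpcab.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\dhcpcab.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c00C9796","DllName=<$SYSDIR>\__c00C9796.dat"
    File:"<$FILE_DATA>","<$SYSDIR>\__c00C9796.dat"
    
    // jkkli.dll is the same DLL as the "MSEvents Object" BHO above.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","jkkli","DllName=<$SYSDIR>\jkkli.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\jkkli.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","opnkkji","DllName=opnkkji.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\opnkkji.dll"
    
    // As above, the log gave only the Windows directory as DllName (fixed to use
    // <$WINDIR>\); the DLL itself was found in the system directory under the
    // lower-cased subkey name.
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","ddcCVOHb","DllName=<$WINDIR>\"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\ddccvohb.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","Love","DllName=<$SYSDIR>\LoveFly.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\LoveFly.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","Fly","DllName=smart.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\smart.dll"
    
    // eapsvc32.dll is also listed in AppInit_DLLs (see above).
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","6c44b700684","DllName=<$SYSDIR>\eapsvc32.dll"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\eapsvc32.dll"
    
    RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c0021B88","DllName=<$SYSDIR>\__c0021B88.dat"
    File:"<$FILE_DATA>","<$SYSDIR>\__c0021B88.dat"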
    
    // ShellServiceObjectDelayLoad (SSODL) entries: a random value name mapped to the
    // CLSID of the malicious COM object. Value name and CLSID are matched together.
    // Most of the DLLs named here are also removed by the AppInit_DLLs rules above;
    // the duplicate File rules keep each SSODL entry self-contained.
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","pobugeser","pobugeser={f1688b16-b0be-459a-9bd3-9157c155aa08}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tunirufa.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","bozenamad","bozenamad={d5bc185e-2c2f-4076-b742-5b8b202c3d68}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tareyezu.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","tosidoyek","tosidoyek={8d3d2b54-7e24-430c-a70e-36730c7986b6}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\sukiyeko.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yelepojek","yelepojek={520843c2-e3b4-4d47-b45b-36b1f4e502cf}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\kogetagi.dll"
    
    // iyc.dll is only referenced here; it has no AppInit_DLLs or BHO counterpart.
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","vWpxNPFhR","vWpxNPFhR={18D91021-B273-BA8B-F085-7D1256028AE2}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\iyc.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","narenozej","narenozej={c8b9ac13-5894-49eb-b867-114f22a08f75}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\hunayeko.dll"
    
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","gefojokub","gefojokub={c6841d3c-d027-48ef-88e5-4a98d4669c8b}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\lodivoyo.dll"
    
    // SharedTaskScheduler entries: value name mapped to a CLSID. The first two CLSIDs
    // are the same objects registered under SSODL above (pobugeser / bozenamad).
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={f1688b16-b0be-459a-9bd3-9157c155aa08}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tunirufa.dll"
    
    // NOTE(review): the value name "jugezatag" is reused here with a second CLSID
    // (bozenamad's in the SSODL section). A single value cannot hold two CLSIDs, so
    // this may be a copy/paste slip; confirm the real value name from the source log.
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={d5bc185e-2c2f-4076-b742-5b8b202c3d68}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\tareyezu.dll"
    
    // Same CLSID as the gjx01r4y21.dll BHO above.
    RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","iukjsf8w3jirojs9f8u3jruhsf78s3jijdif","iukjsf8w3jirojs9f8u3jruhsf78s3jijdif={A249BC15-23F2-42AD-F4E4-00AAC39C0004}"
    File:"<$FILE_LIBRARY>","<$SYSDIR>\gjx01r4y21.dll"
    
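    // Worm.Unknown:
    // The following Windows services do exist, of course, but to my knowledge they do
    // NOT show up as O4 (Run-key) entries; all of these come from ONE log file; I
    // suspect Worm.Rbot.
    // Every entry imitates a Windows component name (Windows Update, spooler, lsass
    // misspelt as "lssas", csrss, rundll32, ...) and runs from the system directory
    // or the Windows Temp directory. Where the AutoRun path is wildcarded (*.exe) the
    // match relies on the specific, non-standard Run value name.
    // The log gave a bare "ssms.exe" with no directory; the system directory is
    // assumed here.
    // AutoRun:"Windows Update","ssms.exe","flagifnofile=1"
    AutoRun:"Windows Update","<$SYSDIR>\ssms.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Update"
    // File:"<$FILE_EXE>","ssms.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\ssms.exe"
    
    // AutoRun:"Spooler SubSystem App","C:\WINDOWS\System32\spoolsvc.exe","flagifnofile=1"
    AutoRun:"Spooler SubSystem App","<$SYSDIR>\*.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Spooler SubSystem App"
    // File:"<$FILE_EXE>","C:\WINDOWS\System32\spoolsvc.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\spoolsvc.exe"
    
    // AutoRun:"Microsoft(R) System Manager","C:\WINDOWS\system32\sysmgr.exe","flagifnofile=1"
    AutoRun:"Microsoft(R) System Manager","<$SYSDIR>\*.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft(R) System Manager"
    // File:"<$FILE_EXE>","C:\WINDOWS\system32\sysmgr.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\sysmgr.exe"
    
    // Fixed: the AutoRun path was left as the literal "C:\WINDOWS\System32\lssas.exe"
    // from the log; it now uses <$SYSDIR> like the File rule and the sibling entries,
    // so installations not on C:\WINDOWS are covered too.
    // AutoRun:"Local Security Authority Service","C:\WINDOWS\System32\lssas.exe","flagifnofile=1"
    AutoRun:"Local Security Authority Service","<$SYSDIR>\lssas.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Local Security Authority Service"
    // File:"<$FILE_EXE>","C:\WINDOWS\System32\lssas.exe"
    File:"<$FILE_EXE>","<$SYSDIR>\lssas.exe"
    
    // AutoRun:"Windows System Update","C:\WINDOWS\TEMP\CSRSS.EXE","flagifnofile=1"
    AutoRun:"Windows System Update","<$WINDIR>\TEMP\*.EXE","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows System Update"
    // File:"<$FILE_EXE>","C:\WINDOWS\TEMP\CSRSS.EXE"
    File:"<$FILE_EXE>","<$WINDIR>\TEMP\CSRSS.EXE"
    
    // AutoRun:"Windows Updater","C:\WINDOWS\TEMP\System.exe","flagifnofile=1"
    AutoRun:"Windows Updater","<$WINDIR>\TEMP\*.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Updater"
    // File:"<$FILE_EXE>","C:\WINDOWS\TEMP\System.exe"
    File:"<$FILE_EXE>","<$WINDIR>\TEMP\System.exe"
    
    // AutoRun:"Language_Shortcut","C:\WINDOWS\TEMP\IEXPLORE.EXE","flagifnofile=1"
    AutoRun:"Language_Shortcut","<$WINDIR>\TEMP\*.EXE","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Language_Shortcut"
    // File:"<$FILE_EXE>","C:\WINDOWS\TEMP\IEXPLORE.EXE"
    File:"<$FILE_EXE>","<$WINDIR>\TEMP\IEXPLORE.EXE"
    
    // AutoRun:"SYSTRAY_UPDATE","C:\WINDOWS\TEMP\systray.exe","flagifnofile=1"
    AutoRun:"SYSTRAY_UPDATE","<$WINDIR>\TEMP\*.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","SYSTRAY_UPDATE"
    // File:"<$FILE_EXE>","C:\WINDOWS\TEMP\systray.exe"
    File:"<$FILE_EXE>","<$WINDIR>\TEMP\systray.exe"
    
    // AutoRun:"RUNDLL32","C:\WINDOWS\TEMP\rundll32.exe","flagifnofile=1"
    AutoRun:"RUNDLL32","<$WINDIR>\TEMP\*.exe","flagifnofile=1"
    RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","RUNDLL32"
    // File:"<$FILE_EXE>","C:\WINDOWS\TEMP\rundll32.exe"
    File:"<$FILE_EXE>","<$WINDIR>\TEMP\rundll32.exe"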
    Last edited by Matt; 2009-10-07 at 17:00.
