I've collected detection rules for the following Malware:
  • Adware.CouponBar
  • Malware.Fraud.AntimalwareDoctor
  • Malware.Fraud.PCDefender
  • Malware.Fraud.Sysguard
  • Malware.Fraud.VirusProtector
  • Rootkit.Zbot
  • Trojan.FakeAlert.ttam(2)
  • Trojan.FraudPack
  • Trojan.Opachki
  • Trojan.Tracur
  • Trojan.Virtumonde(2)
Category: Trojan
Code:
:: New Malware v72
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2010-02-21}

// For reference, I recommend also looking at the file New Malware #72.log!


// Adware.CouponBar:
// IE toolbar/BHO registered under two CLSIDs; the DLL is dropped in a subfolder of the
// user's local Temp directory (see the logged path below).
BrowserHelperEx:"TTB000000","filename=COUPON*.DLL"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{62960D20-6D0D-1AB4-4BF1-95B0B5B8783A}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{62960D20-6D0D-1AB4-4BF1-95B0B5B8783A}"
// NOTE(review): this value sits under Internet Explorer\Toolbar but is tagged with the
// REG_BHO template -- confirm that is the intended template for a toolbar entry.
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{5BED3930-2E9E-76D8-BACC-80DF2188D455}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5BED3930-2E9E-76D8-BACC-80DF2188D455}"
// C:\Users\cchauntz\AppData\Local\Temp\low\COUPON~1.DLL
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\Temp\*\COUPON*.dll"
// File:"<$FILE_LIBRARY>","C:\Users\cchauntz\AppData\Local\Temp\low\CouponsBar.dll"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\Temp\*\CouponsBar.dll"
Directory:"<$DIR_APPDATA>","<$LOCALAPPDATA>\Temp\*","filename=COUPONsBar.dll"


// Malware.Fraud.AntimalwareDoctor:
// Creates the file Antimalware Doctor.exe under several paths; see also Malware.Fraud.VirusProtector
// Is downloaded onto the machine by other malware
// Detection keys on the fixed Run value name "Antimalware Doctor.exe"; the AutoRun lines
// enumerate the drop locations observed so far (flagifnofile=1 presumably flags the Run
// entry even when the target file is already gone -- confirm against the rule format).
// HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","Antimalware Doctor Inc"
// HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\","Antimalware Doctor"
AutoRun:"Antimalware Doctor.exe","<$DESKTOP>\Antimalware Doctor.exe","flagifnofile=1"
AutoRun:"Antimalware Doctor.exe","<$APPDATA>\Antimalware Doctor.exe","flagifnofile=1"
AutoRun:"Antimalware Doctor.exe","<$LOCALSETTINGS>\Temp\Antimalware Doctor.exe","flagifnofile=1"
AutoRun:"Antimalware Doctor.exe","<$WINDIR>\Antimalware Doctor.exe","flagifnofile=1"
AutoRun:"Antimalware Doctor.exe","<$SYSDIR>\Antimalware Doctor.exe","flagifnofile=1"
AutoRun:"Antimalware Doctor.exe","<$SYSDIR>\drivers\Antimalware Doctor.exe","flagifnofile=1"
AutoRun:"Antimalware Doctor.exe","<$PROGRAMFILES>\Internet Explorer\Antimalware Doctor.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Antimalware Doctor.exe"


// Malware.Fraud.PCDefender:
// Installs under Program Files\Def Group\PC Defender and starts Antispyware.exe through the
// Winlogon UserInit value. The RegyRemove line is presumably meant to strip only that path
// from UserInit rather than delete the value (the legitimate userinit.exe part must stay).
// NOTE(review): the log shows the settings key under HKEY_USERS\.DEFAULT, while the rules
// below cover HKLM and HKCU -- confirm that is sufficient.
// HKEY_USERS\.DEFAULT\Software\Def Group\Antispyware
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\","Def Group"
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","Def Group"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Def Group\PC Defender\Antispyware.exe""
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$PROGRAMFILES>\Def Group\PC Defender\Antispyware.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Def Group\PC Defender\Antispyware.exe"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Def Group\PC Defender\hook.dll"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Def Group\PC Defender\proccheck.exe"
File:"<$FILE_DESKTOPLINK>","<$COMMONDESKTOP>\PC Defender.lnk"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\PC Defender\PC Defender.lnk"
Directory:"<$DIR_PROG>","<$COMMONPROGRAMS>\PC Defender"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Def Group\PC Defender"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Def Group"


// Malware.Fraud.Sysguard:
// Two variants: <random>sftav.exe and <random>sysguard.exe, each in a randomly named folder
// directly under the local application data directory. The Run value names are random too,
// so the AutoRun lines use "*" for the name and wildcards for folder and file prefix, and
// the RegyValue lines list the specific value names seen in the logs.
// NOTE(review): the logged lines do not show the hive; the *sftav values are listed under
// HKLM and the *sysguard values under HKCU -- confirm both hives are correct.
// NOTE(review): these AutoRun lines use flagifnofile=0 while the rest of the file uses 1.
// AutoRun:"athvsdij","F:\Documents and Settings\Wayne\Local Settings\Application Data\xflvfv\sdjlsftav.exe","flagifnofile=1"
// AutoRun:"ffqljqie","c:\documents and settings\travelmate\local settings\application data\wiyosj\nssfsftav.exe","flagifnofile=1"
AutoRun:"*","<$LOCALAPPDATA>\*\*sftav.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","athvsdij"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ffqljqie"
// File:"<$FILE_EXE>","F:\Documents and Settings\Wayne\Local Settings\Application Data\xflvfv\sdjlsftav.exe"
// File:"<$FILE_EXE>","c:\documents and settings\travelmate\local settings\application data\wiyosj\nssfsftav.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\*\*sftav.exe"
Directory:"<$DIR_APPDATA>","<$LOCALAPPDATA>\*","filename=*sftav.exe"

// Second variant: <random>sysguard.exe, same layout.
// AutoRun:"mmwyyymp","C:\Users\bruce\AppData\Local\bkooab\sdbcsysguard.exe","flagifnofile=1"
// AutoRun:"lnabchii","C:\Users\bruce\AppData\Local\uvsmbu\scpwsysguard.exe","flagifnofile=1"
AutoRun:"*","<$LOCALAPPDATA>\*\*sysguard.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","mmwyyymp"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","lnabchii"
// File:"<$FILE_EXE>","C:\Users\bruce\AppData\Local\bkooab\sdbcsysguard.exe"
// File:"<$FILE_EXE>","C:\Users\bruce\AppData\Local\uvsmbu\scpwsysguard.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\*\*sysguard.exe"
Directory:"<$DIR_APPDATA>","<$LOCALAPPDATA>\*","filename=*sysguard.exe"


// Malware.Fraud.VirusProtector:
// Creates randomly named .exe and .dll files under the following paths
// I hope you can still include it based on the name of the autostart entry! :-)
// Because the file names are random, detection keys on the fixed Run value name
// "Virus Protector"; each AutoRun line pairs that name with one drop directory.
AutoRun:"Virus Protector","<$APPDATA>\*.exe","flagifnofile=1"
AutoRun:"Virus Protector","<$APPDATA>\*.dll","flagifnofile=1"
AutoRun:"Virus Protector","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
AutoRun:"Virus Protector","<$LOCALSETTINGS>\Temp\*.dll","flagifnofile=1"
AutoRun:"Virus Protector","<$PROGRAMFILES>\Internet Explorer\*.exe","flagifnofile=1"
AutoRun:"Virus Protector","<$PROGRAMFILES>\Internet Explorer\*.dll","flagifnofile=1"
AutoRun:"Virus Protector","<$WINDIR>\*.exe","flagifnofile=1"
AutoRun:"Virus Protector","<$WINDIR>\*.dll","flagifnofile=1"
AutoRun:"Virus Protector","<$SYSDIR>\*.exe","flagifnofile=1"
AutoRun:"Virus Protector","<$SYSDIR>\*.dll","flagifnofile=1"
AutoRun:"Virus Protector","<$SYSDIR>\drivers\*.exe","flagifnofile=1"
AutoRun:"Virus Protector","<$SYSDIR>\drivers\*.dll","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Virus Protector"


// Rootkit.Zbot:
// Appends mswijv32.exe (in the system directory) to the Winlogon UserInit value. The
// trailing "*" in the RegyRemove pattern presumably covers the trailing comma seen in the
// logged value. The space in "WINDO WS" in the logged value is presumably a paste artifact.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDO WS\system32\mswijv32.exe,"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\mswijv32.exe*"
NTFile:"<$FILE_EXE>","<$SYSDIR>\mswijv32.exe"


// Trojan.FakeAlert.ttam(1):
// See also #69-Trojan.FakeAlert.ttam(1)
// Please check: something similar has already been included twice, see xwr?????.dll and oz?????.dll
// BHO DLL named rshx????.dll (sampled as rshx3232.dll in the system directory).
// NOTE(review): the BHO rule is wildcarded but the File rule covers only the sampled name.
// If it is widened to match the BHO pattern, keep it from matching rshx32.dll, which is a
// legitimate Windows shell extension in the same directory.
BrowserHelperEx:"*","filename=rshx????.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{B7A13163-B539-4489-AA5B-9D9B3E2637A4}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{B7A13163-B539-4489-AA5B-9D9B3E2637A4}"
// C:\WINDOWS\system32\rshx3232.dll
File:"<$FILE_LIBRARY>","<$SYSDIR>\rshx3232.dll"


// Trojan.FakeAlert.ttam(2):
// Occurs together with Malware.Fraud.PaladinAntivirus, please include!
// Run value and executable share the fixed name eventcreatexp.exe in the local Temp folder.
// AutoRun:"eventcreatexp.exe","C:\DOCUME~1\Adam\LOCALS~1\Temp\eventcreatexp.exe","flagifnofile=1"
AutoRun:"eventcreatexp.exe","<$LOCALSETTINGS>\Temp\eventcreatexp.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","eventcreatexp.exe"
// File:"<$FILE_EXE>","C:\DOCUME~1\Adam\LOCALS~1\Temp\eventcreatexp.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\eventcreatexp.exe"


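// Trojan.FraudPack:
// Found under Local Settings and Local AppData
// Found in three different log files
// Fixed Run value name TOY5KNQ8OC pointing at a short, random .exe name in the user's Temp
// folder; the AutoRun lines therefore wildcard the file name, and the File lines list the
// three names actually seen.
// AutoRun:"TOY5KNQ8OC","C:\DOCUME~1\usu01\CONFIG~1\Temp\Qv4.exe","flagifnofile=1"
// AutoRun:"TOY5KNQ8OC","C:\DOCUME~1\Adam\LOCALS~1\Temp\Vwr.exe","flagifnofile=1"
AutoRun:"TOY5KNQ8OC","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
// AutoRun:"TOY5KNQ8OC","C:\Users\Mandelbrot Set\AppData\Local\Temp\Ljd.exe","flagifnofile=1"
AutoRun:"TOY5KNQ8OC","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","TOY5KNQ8OC"
// Fixed: the Qv4.exe rule still carried the absolute, user-specific path from the log
// (CONFIG~1 is that machine's localised Local Settings folder), so it could never match on
// another system; it now uses the same template as the AutoRun line above and the Vwr.exe rule.
// File:"<$FILE_EXE>","C:\DOCUME~1\usu01\CONFIG~1\Temp\Qv4.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\Qv4.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\Vwr.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\Ljd.exe"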


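// Trojan.Opachki:
// Run value "notepad" that loads a DLL through rundll32 (export _IWMPEvents@0). The DLL was
// seen as notepad.dll in the system directory and as ntload.dll directly in the user profile.
// The trailing "*" in the AutoRun paths presumably covers the ",_IWMPEvents@0" suffix of the
// logged command line.
// AutoRun:"notepad","rundll32.exe C:\Windows\system32\notepad.dll,_IWMPEvents@0","flagifnofile=1"
AutoRun:"notepad","<$SYSDIR>\notepad.dll*","flagifnofile=1"
// AutoRun:"notepad","rundll32.exe C:\Users\VERIDI~1\ntload.dll,_IWMPEvents@0","flagifnofile=1"
AutoRun:"notepad","<$PROFILE>\ntload.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","notepad"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","notepad"
// File:"<$FILE_EXE>","rundll32.exe C:\Windows\system32\notepad.dll,_IWMPEvents@0"
File:"<$FILE_LIBRARY>","<$SYSDIR>\notepad.dll"
// File:"<$FILE_EXE>","rundll32.exe C:\Users\VERIDI~1\ntload.dll,_IWMPEvents@0"
// Fixed: the template was mangled as "$PROFILE><", which can never expand; it now uses the
// same PROFILE template as the matching AutoRun line above.
File:"<$FILE_LIBRARY>","<$PROFILE>\ntload.dll"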


// Trojan.Tracur:
// Name as per MBAM
// From an MBAM log file
// Two BHO DLLs (cscdll32.dll under SysWow64, dsauth32.dll in the system directory), followed
// by DLLs registered through AppInit_DLLs; each RegyRemove is paired with the File rule for
// the same DLL. Several of the names look like legitimate Windows DLL names with "32"
// appended (e.g. Faultrep32.dll) -- presumably chosen to blend in.
BrowserHelperEx:"*","filename=cscdll32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0F5FC75F-81EC-402F-B0ED-A70EBC417930}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0F5FC75F-81EC-402F-B0ED-A70EBC417930}"
File:"<$FILE_LIBRARY>","<$WINDIR>\SysWow64\cscdll32.dll"

BrowserHelperEx:"*","filename=dsauth32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{01E7E5F8-63DE-4B78-B0CB-98E78A1BAAD1}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{01E7E5F8-63DE-4B78-B0CB-98E78A1BAAD1}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dsauth32.dll"

// AppInit_DLLs entries (one DLL each, all in the system directory).
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\eqossnap32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\eqossnap32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dmdlgs32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dmdlgs32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\evr32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\evr32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\Faultrep32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\Faultrep32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\qv7r48zdm32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\qv7r48zdm32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\un655tyhhenbet32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\un655tyhhenbet32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\p833x6g32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\p833x6g32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dse4a29mcw7932.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dse4a29mcw7932.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\EAPPGNUI32.DLL"
File:"<$FILE_LIBRARY>","<$SYSDIR>\EAPPGNUI32.DLL"


// Trojan.Virtumonde(1):
// BHO-registered DLLs in the system directory, each with its BHO and CLSID key and a File
// rule. Further down this section: rundll32-hosted Run entries, AppInit_DLLs entries,
// Winlogon Notify packages, ShellServiceObjectDelayLoad and SharedTaskScheduler entries.
BrowserHelperEx:"*","filename=zitajalu.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{a6d4f6b2-bf7f-4ed8-9898-d6b5a83b7227}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{a6d4f6b2-bf7f-4ed8-9898-d6b5a83b7227}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zitajalu.dll"

BrowserHelperEx:"*","filename=rqRklKed.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{2935c200-7e7d-4257-b9d4-ee75baa206c9}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{2935c200-7e7d-4257-b9d4-ee75baa206c9}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rqRklKed.dll"

// The following entry is actually Trojan.Ertfor, but according to Markus you detect Trojan.Ertfor as Trojan.Virtumonde too
BrowserHelperEx:"*","filename=dmdrish71.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A3BA40A2-74F0-42BD-F434-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A3BA40A2-74F0-42BD-F434-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dmdrish71.dll"

// Run values that load a DLL through rundll32 (",a" for DLLs in the system directory,
// ",Startup" for DLLs in the Windows directory, see the logged lines). The value names are
// random, so each AutoRun uses "*" for the name and ends its path pattern in "*" -- presumably
// to cover the export suffix of the logged command line; the RegyValue lines then list the
// specific value names observed, and the File lines the DLL itself.
// AutoRun:"lebadusiw","Rundll32.exe "c:\windows\system32\fuhubuga.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\fuhubuga.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","lebadusiw"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\fuhubuga.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fuhubuga.dll"

// AutoRun:"Kdumemom","rundll32.exe "C:\WINDOWS\ecekivegohe.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\ecekivegohe.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Kdumemom"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\ecekivegohe.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\ecekivegohe.dll"

// AutoRun:"riroviwet",""Rundll32.exe" "c:\windows\system32\kolohage.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\kolohage.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","riroviwet"
// File:"<$FILE_EXE>",""Rundll32.exe" "c:\windows\system32\kolohage.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kolohage.dll"

// AutoRun:"huroserev","Rundll32.exe "c:\windows\system32\vofiposa.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\vofiposa.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","huroserev"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\vofiposa.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vofiposa.dll"

// AutoRun:"Lxogoqaxa","rundll32.exe "C:\WINDOWS\iwugacudeze.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\iwugacudeze.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Lxogoqaxa"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\iwugacudeze.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\iwugacudeze.dll"

// AutoRun:"yakezavon","Rundll32.exe "c:\windows\system32\retosobu.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\retosobu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","yakezavon"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\retosobu.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\retosobu.dll"

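// (Removed: this Kdumemom / ecekivegohe.dll group was an exact, line-for-line duplicate of
// the Kdumemom entry listed earlier in this section, which already covers it.)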

// Further rundll32-hosted Run entries of the same shape as above (random value name, DLL in
// the system or Windows directory, matching File rule).
// AutoRun:"vesemokus","Rundll32.exe "c:\windows\system32\pirabumo.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\pirabumo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","vesemokus"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\pirabumo.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pirabumo.dll"

// AutoRun:"hubavagok","Rundll32.exe "c:\windows\system32\bofofevu.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\bofofevu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","hubavagok"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\bofofevu.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bofofevu.dll"

// AutoRun:"Odolizokizicesoj","rundll32.exe "C:\WINDOWS\aracuhuhoneniqe.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\aracuhuhoneniqe.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Odolizokizicesoj"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\aracuhuhoneniqe.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\aracuhuhoneniqe.dll"

// AutoRun:"Thowec","rundll32.exe "C:\WINDOWS\awanubesidacibi.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\awanubesidacibi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Thowec"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\awanubesidacibi.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\awanubesidacibi.dll"

// AutoRun:"Hwetelehiz","rundll32.exe "C:\WINDOWS\awuqasoqege.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\awuqasoqege.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Hwetelehiz"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\awuqasoqege.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\awuqasoqege.dll"

// AutoRun:"Plepilimelumorun","rundll32.exe "C:\WINDOWS\esomodoruvozeraz.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\esomodoruvozeraz.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Plepilimelumorun"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\esomodoruvozeraz.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\esomodoruvozeraz.dll"

// AppInit_DLLs entries: each RegyRemove presumably strips one DLL from the AppInit_DLLs
// value and is paired with the File rule for that DLL in the system directory.
// NOTE(review): zujiluka, wovahova, bovenage, pufidihu, rikupabe, sazuduwe, tusiheku and
// farigusi are given by bare file name while the other entries carry the SYSDIR template --
// presumably mirroring how the logged AppInit_DLLs value was written; confirm this is intended.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nenikuwe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nenikuwe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","zujiluka.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zujiluka.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\fuhubuga.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fuhubuga.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hiragege.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hiragege.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\puvutabo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\puvutabo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","wovahova.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wovahova.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kolohage.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kolohage.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dirupahu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dirupahu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\gisusuje.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gisusuje.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nipavuyo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nipavuyo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vahoremo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vahoremo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yopopanu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yopopanu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yozezuna.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yozezuna.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\mekohige.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mekohige.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\gibijayu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gibijayu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vebikosi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vebikosi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","bovenage.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bovenage.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nifisofo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nifisofo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nowepeto.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nowepeto.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\rogumike.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rogumike.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\wuleluzu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wuleluzu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\jabohatu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jabohatu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","pufidihu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pufidihu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tadezuzu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tadezuzu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vofiposa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vofiposa.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\mebokero.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mebokero.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\mitihuho.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mitihuho.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","rikupabe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rikupabe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\retosobu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\retosobu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","sazuduwe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sazuduwe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tobuvuzi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tobuvuzi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pirabumo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pirabumo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","tusiheku.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tusiheku.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bofofevu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bofofevu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pojalufa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pojalufa.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","farigusi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\farigusi.dll"

// Winlogon Notify packages: a subkey named after the DLL, with DllName pointing at it; the
// DLL itself lives in the system directory (rqRklKed.dll is also the BHO listed above).
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","ssqpnll","DllName=ssqpnll.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ssqpnll.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","rqRklKed","DllName=rqRklKed.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rqRklKed.dll"

// ShellServiceObjectDelayLoad entries: random value names whose data is "name=CLSID".
// Where the log tied a CLSID to a DLL, the File rule follows the RegyValue line; the other
// entries are registry-only. Two entries (sejayapoh, simibomim) point at the same DLL.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","tabujuyed","tabujuyed={19d72005-0438-4e1a-ac77-810b8e8989b7}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nenikuwe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nufilajev","nufilajev={fa4119bd-e16e-41c7-a05a-eec1c4cff68d}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","sejayapoh","sejayapoh={5fecbd61-c52e-4346-af11-2197a655cd9d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hiragege.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","simibomim","simibomim={fafa74ff-a91c-4413-9aad-bae8c515a451}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hiragege.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","dikokobar","dikokobar={8f0688e4-4ad1-4fc7-b8e7-5cc143acd2de}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","wineyusap","wineyusap={aa1be6c8-65b2-4158-b643-4aca7a7bb641}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","liyelewin","liyelewin={bb25a1b3-9ce1-4085-bbf9-b88d938fbffd}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","gugevapof","gugevapof={92cbe48d-4332-4028-a989-32a6a7ed0833}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nuziwelim","nuziwelim={ef67f6b2-544f-4179-a5f8-5694e35e4210}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","duyotasah","duyotasah={dc876e43-e374-495f-bc27-776d8c211286}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","pihotafon","pihotafon={d2f08e20-0ac0-4c6f-954d-6f5084c80316}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","pokagefas","pokagefas={4bacf2bf-a261-4f5a-ae66-2b16dd03e406}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yihosotaw","yihosotaw={25df5544-085e-4292-8816-113cd65e5a65}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","merojozus","merojozus={cb0e278a-fe0d-417c-96c7-aa8efe491da7}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nifayenuw","nifayenuw={fce51cf9-20ae-4385-90e2-97734b2acf2e}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","punitogeb","punitogeb={e773929c-5bdd-47c9-8116-13caa4afb77d}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","sumebawuk","sumebawuk={978077d0-d50f-4cee-801d-c012dc28c324}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","gagepilos","gagepilos={fbeb4119-9d95-462f-a9ca-6df23e2a6535}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yuhetebir","yuhetebir={3dbd806c-ff73-4564-862d-8dd3254d6867}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","dehoyapez","dehoyapez={c9cf05c9-2493-48e7-8adc-d8863f533597}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","suzugibop","suzugibop={abb4a591-a2a0-40f8-9707-416cbba698ac}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rasinogug","rasinogug={a7336edb-d9c2-45e5-9319-97ecbd7fc227}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","husedirey","husedirey={2a3910b8-1bf7-4532-8016-35784a4924da}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rifuretab","rifuretab={d0518e1b-0687-4d30-aa23-24ad5eb28230}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","givorelid","givorelid={9712188c-8876-4c18-b1ca-3fd4e2d9d405}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","burefuvaw","burefuvaw={3725fbbb-cd3a-49f7-aef3-9647a2d5cc00}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nefojugab","nefojugab={b10884db-5c01-49ca-a51f-4c98d53b5a40}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","dozimowaw","dozimowaw={feff663f-6208-4046-90c8-72de97b6036c}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","dukekumam","dukekumam={3a8e7830-bc59-4e3c-be2f-6aa0f7623443}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","hotefepuf","hotefepuf={9b3d4f5e-4bb7-4f28-98a7-64f637010933}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","horapelok","horapelok={df535990-01d9-4a1a-88a5-b7fcb4c89170}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","jifodevoz","jifodevoz={b544396f-3783-4676-a584-eeef8ac788b5}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vofiposa.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nonufulah","nonufulah={a3d54bb0-5096-4992-a9b8-7f42f76c4221}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tobuvuzi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","bogehotam","bogehotam={31781cd0-bfba-40fc-aa07-e45026c71553}"
File:"<$FILE_LIBRARY>","<$WINDIR>\SysWow64\pirabumo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={31781cd0-bfba-40fc-aa07-e45026c71553}"
File:"<$FILE_LIBRARY>","<$WINDIR>\SysWow64\pirabumo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={a3d54bb0-5096-4992-a9b8-7f42f76c4221}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tobuvuzi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={b544396f-3783-4676-a584-eeef8ac788b5}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vofiposa.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={8f0688e4-4ad1-4fc7-b8e7-5cc143acd2de}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={aa1be6c8-65b2-4158-b643-4aca7a7bb641}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={bb25a1b3-9ce1-4085-bbf9-b88d938fbffd}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={92cbe48d-4332-4028-a989-32a6a7ed0833}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={ef67f6b2-544f-4179-a5f8-5694e35e4210}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={dc876e43-e374-495f-bc27-776d8c211286}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={d2f08e20-0ac0-4c6f-954d-6f5084c80316}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={4bacf2bf-a261-4f5a-ae66-2b16dd03e406}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={25df5544-085e-4292-8816-113cd65e5a65}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={cb0e278a-fe0d-417c-96c7-aa8efe491da7}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={fce51cf9-20ae-4385-90e2-97734b2acf2e}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={e773929c-5bdd-47c9-8116-13caa4afb77d}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={978077d0-d50f-4cee-801d-c012dc28c324}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={fbeb4119-9d95-462f-a9ca-6df23e2a6535}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={3dbd806c-ff73-4564-862d-8dd3254d6867}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={c9cf05c9-2493-48e7-8adc-d8863f533597}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={abb4a591-a2a0-40f8-9707-416cbba698ac}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={a7336edb-d9c2-45e5-9319-97ecbd7fc227}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={2a3910b8-1bf7-4532-8016-35784a4924da}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={d0518e1b-0687-4d30-aa23-24ad5eb28230}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={9712188c-8876-4c18-b1ca-3fd4e2d9d405}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={3725fbbb-cd3a-49f7-aef3-9647a2d5cc00}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={b10884db-5c01-49ca-a51f-4c98d53b5a40}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={feff663f-6208-4046-90c8-72de97b6036c}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={3a8e7830-bc59-4e3c-be2f-6aa0f7623443}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={9b3d4f5e-4bb7-4f28-98a7-64f637010933}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={df535990-01d9-4a1a-88a5-b7fcb4c89170}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","grazable","grazable={fa55d551-9698-48ac-b639-9b00cf1a6ea0}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={19d72005-0438-4e1a-ac77-810b8e8989b7}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nenikuwe.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={fa4119bd-e16e-41c7-a05a-eec1c4cff68d}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={5fecbd61-c52e-4346-af11-2197a655cd9d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hiragege.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={fafa74ff-a91c-4413-9aad-bae8c515a451}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hiragege.dll"

// Bei dem folgenden Eintrag handelt es sich eigentlich um Trojan.Ertfor, aber laut Markus erkennt ihr Trojan.Ertfor auch als Trojan.Virtumonde
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","7whfiudhf8s7f3oifhif7syfdhsof","7whfiudhf8s7f3oifhif7syfdhsof={A3BA40A2-74F0-42BD-F434-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dmdrish71.dll"


// Trojan.Virtumonde(2):
// Taken from two log files (MBAM and DDS); the blank line separates the two sources.
// File-only rules: no registry value is paired with these, so detection rests on the file name alone.
// Review notes:
// - kozotifa.dll appears in both lists; vofiposa.dll is already listed earlier in this file
//   alongside its registry value. Harmless for detection, but worth deduplicating on next revision.
// - Eight-letter random names in <$SYSDIR> are sample-specific; expect new variants to need new entries.
File:"<$FILE_LIBRARY>","<$WINDIR>\kbdpcae.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kupuruzi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nadejafi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kozotifa.dll"

File:"<$FILE_LIBRARY>","<$SYSDIR>\gavedewu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gemewoda.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kozotifa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lejorude.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lutirada.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mebokero.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\meyeyihi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mutupapo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nunupofa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pbfwgmer.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pufidihu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ruvoziyi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\segipusa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sinuvili.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\somorali.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\suzezufu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\valahedo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vofiposa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wawupobe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\welojehi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wiyirive.dll"