I've collected detection rules for the following malware (a number in parentheses is how many separately numbered rule sets for that name are included in the code below):
  • Adware.SkyMediaPack
  • Malware.Lop
  • PUPS.BestShoppingTipsProgramm
  • PUPS.PandoBar
  • Rootkit.Zbot
  • Spyware.FakeAntivirUpdate
  • Spyware.Spynet(2)
  • Trojan.Agent(5)
  • Trojan.Ambler
  • Trojan.FakeAlert.ttam(2)
  • Trojan.Fraudpack
  • Trojan.Virtumonde(2)
Category: Trojan
Code:
:: New Malware v98
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matt,2010-04-05}
// Community-submitted detection/removal include for Spybot S&D (the submitter's notes below refer to Spybot by name);
// "{Cat:Test}" marks it as not yet reviewed. Every rule in this file keys on a file path, directory, registry key/value,
// autostart entry or BHO CLSID; no rule carries a hash, size or signature constraint, so a match only means "an artefact
// with this name exists at this location". Review for false positives before shipping - several rules remove registry
// values and files on sight. Placeholders such as <$SYSDIR>, <$APPDATA>, <$LOCALAPPDATA>, <$COMMONAPPDATA> are expanded
// per machine by the scanner; the commented-out lines preceding many rules are the raw log entries they were derived from.


// Adware.SkyMediaPack:
// Browser Helper Object "ShowBarObj Class" (MinBHO.dll) installed under "Save Tube Video Company\SaveTubeVideo".
// Submitter: I sent you some rules for this a while ago!
// Submitter: Markus, a few weeks ago you said you still had to look at this... so what is the verdict? Malicious or not??
// http://www.systemlookup.com/CLSID/61417-MinBHO_dll.html  (apparently a new path name here, since the CLSID is the same)
// NOTE(review): the classification of this BHO was still an open question when submitted (see above). The rules delete
// both the BHO registration and the CLSID class key, so a wrong call removes a working IE extension - confirm before shipping.
BrowserHelperEx:"ShowBarObj Class","filename=MinBHO.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{2863E737-DD3F-4280-9AF8-E9E79C16F312}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{2863E737-DD3F-4280-9AF8-E9E79C16F312}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Save Tube Video Company\SaveTubeVideo\MinBHO.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Save Tube Video Company\SaveTubeVideo"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Save Tube Video Company"


// Malware.Lop:
// Found here: http://www.trojaner-board.de/84553-logfile-hijackthis-check.html
// Lop drops a file with a random word-salad name and a random extension (".ay2u83", ".cj1g48" in the raw entries below)
// into the common application-data folder and registers it under an equally random Run value name.
// Submitter: please optimise ALL the Lop rules I submitted so that the autostart entry has a wildcard both BEFORE and AFTER
// the path (because of the two "" quotes around the path in the autostart entry).
// Submitter: otherwise Spybot might not find anything (exactly as with FakeAdobeUpdater); what do you think, Markus??
// Submitter: could you please change that? :-)
// The leading "*" below tolerates the quote character in front of the path and the trailing ".*" the random extension;
// the File rules use the same ".*" so the dropped file is found whatever extension it was given on that machine.
// AutoRun:"BlueFlaw",""C:\ProgramData\STOP DEBUG DEBUG.ay2u83"","flagifnofile=1"
AutoRun:"BlueFlaw","*<$COMMONAPPDATA>\STOP DEBUG DEBUG.*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","BlueFlaw"
// File:"<$FILE_EXE>",""C:\ProgramData\STOP DEBUG DEBUG.ay2u83""
File:"<$FILE_DATA>","<$COMMONAPPDATA>\STOP DEBUG DEBUG.*"
// AutoRun:"Base road long save",""C:\ProgramData\htm bat amen.cj1g48"","flagifnofile=1"
AutoRun:"Base road long save","*<$COMMONAPPDATA>\htm bat amen.*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Base road long save"
// File:"<$FILE_EXE>",""C:\ProgramData\htm bat amen.cj1g48""
File:"<$FILE_DATA>","<$COMMONAPPDATA>\htm bat amen.*"


// PUPS.BestShoppingTipsProgramm:
// Browser Helper Object "BestShoppingTipsProgram" installed under its own Program Files folder.
// See also: http://www.systemlookup.com/CLSID/63040-BestShoppingTipsProgram_dll.html
BrowserHelperEx:"BestShoppingTipsProgram","filename=BestShoppingTipsProgram.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4E3A97D3-9F15-4067-D0F9-241CC9CC9541}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4E3A97D3-9F15-4067-D0F9-241CC9CC9541}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\BestShoppingTipsProgram\BestShoppingTipsProgram.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\BestShoppingTipsProgram"


// PUPS.PandoBar:
// http://www.systemlookup.com/CLSID/34190-P4SRCHAS_DLL.html
// "Pando Search Assistant" BHO. The DLL name carries a version digit (P4SRCHAS.DLL in the reference) and sits in a
// "<digit>.bin" subfolder; the single-character "?" wildcards below cover other digits in both places.
BrowserHelperEx:"Pando Search Assistant BHO","filename=P?SRCHAS.DLL"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{06663b56-0d73-4f9f-bcc5-4aa941470afd}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{06663b56-0d73-4f9f-bcc5-4aa941470afd}"
// NOTE(review): the File rule still hard-codes "P4SRCHAS.DLL" while the BHO rule uses "P?SRCHAS.DLL" - a different digit
// would be flagged as a BHO but the file itself left behind. Consider the same "?" here if the format allows it in File rules.
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\pandobar\srchastt\?.bin\P4SRCHAS.DLL"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\pandobar\srchastt\?.bin"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\pandobar\srchastt"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\pandobar"


// Rootkit.Zbot:
// Zbot (ZeuS) persists by appending "sdra64.exe" to the Winlogon UserInit value, after the legitimate userinit.exe.
// Submitter: new path under APPDATA?
// Raw value as seen on the infected machine (the legitimate first component must survive the cleanup):
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\Dokumente und Einstellungen\Squall_F\Anwendungsdaten\sdra64.exe,C:\WINDOWS\system32\sdra64.exe,"
// RegyRemove strips only the matching component from UserInit instead of deleting the whole value; the trailing "*" is
// presumably there to swallow the comma separator that follows each entry - confirm against the RegyRemove semantics.
// Never replace this with a RegyValue delete: an empty UserInit locks users out of the desktop at next logon.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$APPDATA>\sdra64.exe*"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\sdra64.exe*"
// NTFile rather than File - presumably the low-level file access needed because the rootkit component hides the file
// from normal directory listings (this section is the only one in the file that uses it); confirm.
NTFile:"<$FILE_EXE>","<$APPDATA>\sdra64.exe"
NTFile:"<$FILE_EXE>","<$SYSDIR>\sdra64.exe"


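// Spyware.FakeAntivirUpdate:
// Masquerades as an Avira "Antivir Update" autostart entry pointing at an Avira.exe in the user's roaming profile.
// Submitter: on my machine AntiVir does not create a folder under AppData / Roaming!
// Fix: <$APPDATA> already expands to the roaming profile folder (elsewhere in this file
// "...\Anwendungsdaten\sdra64.exe" becomes "<$APPDATA>\sdra64.exe", and "AppData\Local\Temp" becomes "<$LOCALAPPDATA>\Temp"
// with no extra component). The submitted "<$APPDATA>\Roaming\..." would have expanded to "...\AppData\Roaming\Roaming\..."
// and never matched, so the redundant "Roaming" component is dropped from the three rules below.
// AutoRun:"Antivir Update","C:\Users\Kerem\AppData\Roaming\Antivir\Avira.exe","flagifnofile=1"
AutoRun:"Antivir Update","<$APPDATA>\Antivir\Avira.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Antivir Update"
// File:"<$FILE_EXE>","C:\Users\Kerem\AppData\Roaming\Antivir\Avira.exe"
File:"<$FILE_EXE>","<$APPDATA>\Antivir\Avira.exe"
// The directory is only removed when it holds the dropped Avira.exe, so a genuine Avira folder (if one ever appears
// here) is not touched.
Directory:"<$DIR_APPDATA>","<$APPDATA>\Antivir","filename=Avira.exe"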


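// Spyware.Spynet(1):
// Spynet RAT dropped as "firefox-upd.exe" in a fake "System32" folder inside the user's roaming profile, registered
// under Run values literally named "HKLM" and "HKCU".
// Submitter: as far as I know there is no "System32" folder under AppData / Roaming.
// Fix: <$APPDATA> already expands to the roaming profile folder (see how "...\Anwendungsdaten\" and "AppData\Local\"
// are mapped to <$APPDATA> and <$LOCALAPPDATA> elsewhere in this file), so "<$APPDATA>\Roaming\System32" would have
// expanded to "...\AppData\Roaming\Roaming\System32" and never matched. The redundant "Roaming" component is dropped.
// AutoRun:"HKLM","C:\Users\Tom\AppData\Roaming\System32\firefox-upd.exe","flagifnofile=1"
AutoRun:"HKLM","<$APPDATA>\System32\firefox-upd.exe","flagifnofile=1"
// AutoRun:"HKCU","C:\Users\Tom\AppData\Roaming\System32\firefox-upd.exe","flagifnofile=1"
AutoRun:"HKCU","<$APPDATA>\System32\firefox-upd.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
// File:"<$FILE_EXE>","C:\Users\Tom\AppData\Roaming\System32\firefox-upd.exe"
File:"<$FILE_EXE>","<$APPDATA>\System32\firefox-upd.exe"
// A "System32" folder in the roaming profile is not a Windows location; it is only removed when it holds the dropper.
Directory:"<$DIR_APPDATA>","<$APPDATA>\System32","filename=firefox-upd.exe"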


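// Spyware.Spynet(2):
// Source (HijackThis log):
// O4 - HKLM\..\Policies\Explorer\Run: [Policies] c:\windows\system32\winlog\Winlogon.exe
// O4 - HKCU\..\Policies\Explorer\Run: [Policies] c:\windows\system32\winlog\Winlogon.exe
// The dropped file borrows the name of the Windows logon process but lives in a "winlog" subfolder of the system
// directory; the non-standard folder is what the rules key on. HijackThis abbreviates
// \Software\Microsoft\Windows\CurrentVersion as "\..\", so the entries above sit under Policies\Explorer\Run.
AutoRun:"Policies","<$SYSDIR>\winlog\Winlogon.exe","flagifnofile=1"
// Added: the log shows the "Policies" value under Policies\Explorer\Run, not the plain Run key, so that value is covered
// here the same way the AutoRun/RegyValue pairs below cover the "HKLM"/"HKCU" names.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","Policies"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","Policies"
// AutoRun:"HKLM","c:\windows\system32\winlog\Winlogon.exe","flagifnofile=1"
AutoRun:"HKLM","<$SYSDIR>\winlog\Winlogon.exe","flagifnofile=1"
// AutoRun:"HKCU","c:\windows\system32\winlog\Winlogon.exe","flagifnofile=1"
AutoRun:"HKCU","<$SYSDIR>\winlog\Winlogon.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
// File:"<$FILE_EXE>","c:\windows\system32\winlog\Winlogon.exe"
File:"<$FILE_EXE>","<$SYSDIR>\winlog\Winlogon.exe"
// Only removed when it holds the fake Winlogon.exe.
Directory:"<$DIR_PROG>","<$SYSDIR>\winlog","filename=Winlogon.exe"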


// Trojan.Agent(1):
// "access.exe" in the user's My Documents folder, started from a machine-wide Run value named "Bar".
// AutoRun:"Bar","C:\Documents and Settings\Owner\My Documents\access.exe","flagifnofile=1"
AutoRun:"Bar","<$PERSONAL>\access.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Bar"
// File:"<$FILE_EXE>","C:\Documents and Settings\Owner\My Documents\access.exe"
File:"<$FILE_EXE>","<$PERSONAL>\access.exe"


// Trojan.Agent(2):
// "wuaucldt.exe" (name apparently chosen to resemble the Windows Update client) registered under a Run value "syncman";
// three drop locations have been observed, so each is covered by its own AutoRun and File rule.
AutoRun:"syncman","<$SYSDIR>\wuaucldt.exe","flagifnofile=1"
AutoRun:"syncman","<$PROFILE>\wuaucldt.exe","flagifnofile=1"
AutoRun:"syncman","<$SYSDIR>\config\systemprofile\wuaucldt.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","syncman"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","syncman"
File:"<$FILE_EXE>","<$SYSDIR>\wuaucldt.exe"
File:"<$FILE_EXE>","<$PROFILE>\wuaucldt.exe"
File:"<$FILE_EXE>","<$SYSDIR>\config\systemprofile\wuaucldt.exe"


// Trojan.Agent(3):
// Submitter: the autostart name is fixed (see Google).
// Submitter: do you already have this one?
// The executable name is random (sw0240.exe in the sample) but the Run value name is constant, so the rule anchors on
// the value name and accepts any *.exe in the local Temp folder.
// AutoRun:"hf8wefhuaihf8ewfydiujhfdsfdf","C:\Users\Admin\AppData\Local\Temp\sw0240.exe","flagifnofile=1"
AutoRun:"hf8wefhuaihf8ewfydiujhfdsfdf","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","hf8wefhuaihf8ewfydiujhfdsfdf"
// Deliberately no File rule: a "<$LOCALAPPDATA>\Temp\*.exe" file pattern on its own would delete every executable in Temp.
// Keep it that way unless a fixed file name is confirmed.
// File:"<$FILE_EXE>","C:\Users\Admin\AppData\Local\Temp\sw0240.exe"


// Trojan.Agent(4):
// Fake "Network Connections" entry in Explorer's SharedTaskScheduler pointing at a services.exe under <$WINDIR>\system.
// <$WINDIR>\system is not the system32 directory (<$SYSDIR>) the real services.exe lives in; the odd location is the indicator,
// and both the ImagePath and DisplayName data are required for the key to match.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","Network","ImagePath=<$WINDIR>\system\services.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","Network","DisplayName=Network Connections"
File:"<$FILE_EXE>","<$WINDIR>\system\services.exe"


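// Trojan.Agent(5):
// Submitter: I already sent you similar rules some time ago, but you did not want to include them... what about it now?
// Source (HijackThis log):
// O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\fbpt.tmp\svchost.exe (User 'SYSTEM')
// O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\fbpt.tmp\svchost.exe (User 'Default user')
// A file named like the service host, run out of a random *.tmp folder below <$WINDIR>\Temp from the SYSTEM/.DEFAULT
// hives; the location is the indicator (a legitimate svchost.exe lives in <$SYSDIR>).
// Fix: the log shows "svchost.exe"; the submitted pattern had a doubled extension ("svchost.exe.exe") and would never match.
AutoRun:"cbssreg","<$WINDIR>\Temp\*\svchost.exe","flagifnofile=1"
// Submitter: call me crazy, but this should work:
// (wildcard over the random temp folder name, restricted to folders that contain the one file name)
Directory:"<$DIR_PROG>","<$WINDIR>\Temp\*","filename=svchost.exe"
// Companion Winlogon Notify DLL dropped under the shared Documents folder.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","cbssreg","DllName=<$COMMONDOCUMENTS>\Settings\cbss.dll"
File:"<$FILE_LIBRARY>","<$COMMONDOCUMENTS>\Settings\cbss.dll"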


// Trojan.Ambler:
// BHO registered under the generic display name "Internet Explorer Plugin" with its DLL dropped straight into <$SYSDIR>.
BrowserHelperEx:"Internet Explorer Plugin","filename=nsfwj2.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{F4F5B58A-D3A6-4F85-B3EF-5642E8937E6F}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{F4F5B58A-D3A6-4F85-B3EF-5642E8937E6F}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nsfwj2.dll"


// Trojan.FakeAlert.ttam(1):
// Hijacks the Winlogon Shell value: a rundll32 call loading "syce.xto" is appended after the legitimate Explorer.exe.
// Raw value as observed:
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe rundll32.exe syce.xto nqxwp"
// RegyRemove keeps Explorer.exe and strips only the matching tail. NOTE(review): if RegyRemove removes exactly the matched
// substring, "syce.xto *" leaves "Explorer.exe rundll32.exe " behind - harmless but untidy; "rundll32.exe syce.xto *"
// would restore the clean value. Confirm against the RegyRemove matching semantics before changing it.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","syce.xto *"
// The DLL carries a non-.dll extension; it is matched as a data file in <$SYSDIR>.
File:"<$FILE_DATA>","<$SYSDIR>\syce.xto"


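// Trojan.FakeAlert.ttam(2):
// Submitter: another one of those odd entries... do you have files for it yet?
// Run value that loads fontmsrDirect.dll via "rundll32.exe <path>, DllInit" from the local application-data folder.
// The trailing "*" on the AutoRun path tolerates the closing quote and the ", DllInit" argument that follow the DLL path.
// Fix: the AutoRun line was indented by one space; every other rule in this file starts in column 0 and it is not known
// whether the parser tolerates leading whitespace, so the space is removed.
// AutoRun:"fontmsrDirect","rundll32.exe "C:\Dokumente und Einstellungen\Eveline\Lokale Einstellungen\Anwendungsdaten\fontmsrDirect\fontmsrDirect.dll", DllInit","flagifnofile=1"
AutoRun:"fontmsrDirect","<$LOCALAPPDATA>\fontmsrDirect\fontmsrDirect.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","fontmsrDirect"
// File:"<$FILE_EXE>","rundll32.exe "C:\Dokumente und Einstellungen\Eveline\Lokale Einstellungen\Anwendungsdaten\fontmsrDirect\fontmsrDirect.dll", DllInit"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\fontmsrDirect\fontmsrDirect.dll"
Directory:"<$DIR_PROG>","<$LOCALAPPDATA>\fontmsrDirect"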


// Trojan.Fraudpack:
// Submitter: do you already have this path for sshnas21.dll as well?
// Run value "Canaveral" loading sshnas21.dll from the local Temp folder via "rundll32.exe <path>,BackupReadW";
// the trailing "*" on the AutoRun path tolerates the ",BackupReadW" export argument.
// AutoRun:"Canaveral","rundll32.exe C:\Users\name\AppData\Local\Temp\sshnas21.dll,BackupReadW","flagifnofile=1"
AutoRun:"Canaveral","<$LOCALAPPDATA>\Temp\sshnas21.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Canaveral"
// File:"<$FILE_EXE>","rundll32.exe C:\Users\name\AppData\Local\Temp\sshnas21.dll,BackupReadW"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\Temp\sshnas21.dll"


// Trojan.Virtumonde(1):
// Virtumonde (Vundo) variants. This first group covers its BHO registrations: the BHO display name is random, so the
// BrowserHelperEx rules match on the DLL file name only ("*" as the name). Note that the CLSID {A9BA40A1-...} is reused
// by three different DLL names (spw67.dll, j1tw5l6.dll, j87lnrfdc.dll) - the same registration with a regenerated file name.
BrowserHelperEx:"*","filename=cscui32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{01995D1F-69A8-4246-BA05-4ED87914C616}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{01995D1F-69A8-4246-BA05-4ED87914C616}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cscui32.dll"

BrowserHelperEx:"*","filename=spw67.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\spw67.dll"

BrowserHelperEx:"*","filename=j1tw5l6.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\j1tw5l6.dll"

// This variant installs under the common application-data folder instead of <$SYSDIR>.
BrowserHelperEx:"*","filename=wofarola.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{cd432ac5-80f7-4615-89c1-d9aac32a3e73}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{cd432ac5-80f7-4615-89c1-d9aac32a3e73}"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\wofarola\wofarola.dll"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\wofarola"

BrowserHelperEx:"*","filename=jkkIXrqQ.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{261B1094-5C74-4536-897E-1EF26C8A798E}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{261B1094-5C74-4536-897E-1EF26C8A798E}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jkkIXrqQ.dll"

BrowserHelperEx:"*","filename=xmquorkj.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{2A1BDCB9-275D-4604-A5F5-F5E1A30C787f}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{2A1BDCB9-275D-4604-A5F5-F5E1A30C787f}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xmquorkj.dll"

BrowserHelperEx:"*","filename=yipubeno.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{7c2cefde-eb66-40e6-b4b6-ec9e2132676f}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{7c2cefde-eb66-40e6-b4b6-ec9e2132676f}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yipubeno.dll"

BrowserHelperEx:"*","filename=efcASlKE.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{742BB184-CDD6-440B-82F8-1009C64A61C0}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{742BB184-CDD6-440B-82F8-1009C64A61C0}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\efcASlKE.dll"

BrowserHelperEx:"*","filename=j87lnrfdc.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\j87lnrfdc.dll"

BrowserHelperEx:"*","filename=datolepi.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{1879b3a8-bbcc-4c38-8c1e-7e669086f9d7}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{1879b3a8-bbcc-4c38-8c1e-7e669086f9d7}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\datolepi.dll"

// Trojan.Virtumonde(1), rundll32 autostarts:
// Each variant registers a Run value with a random name that launches its DLL through rundll32.exe (export "w", "s", "a",
// "Startup" or "DllRegisterServer"). The value name is random, so the AutoRun rules match on "*" and on the DLL path
// instead; the trailing "*" after ".dll" tolerates the closing quote and the ",<export>" argument. Several raw entries
// name the DLL without a path (e.g. "buvujano.dll"); those are mapped to <$SYSDIR>, where rundll32 would resolve them and
// where the matching File rule looks.
// Unlike the other sections, these AutoRun rules use "flagifnofile=0": with a wildcard value name a dangling Run entry whose
// DLL is already gone is not reported - presumably to avoid flagging leftovers from earlier cleanups; the RegyValue rules
// still remove the known value names. Confirm this was intentional before changing it.
// AutoRun:"rmosnq","RUNDLL32.EXE C:\WINDOWS\system32\msyblkya.dll,w","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\msyblkya.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","rmosnq"
// File:"<$FILE_EXE>","RUNDLL32.EXE C:\WINDOWS\system32\msyblkya.dll,w"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msyblkya.dll"

// AutoRun:"uxvefl","RUNDLL32.EXE C:\WINDOWS\system32\mssapsmr.dll,w","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\mssapsmr.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","uxvefl"
// File:"<$FILE_EXE>","RUNDLL32.EXE C:\WINDOWS\system32\mssapsmr.dll,w"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mssapsmr.dll"

// AutoRun:"hahokesulu","Rundll32.exe "buvujano.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\buvujano.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","hahokesulu"
// File:"<$FILE_EXE>","Rundll32.exe "buvujano.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\buvujano.dll"

// AutoRun:"peyofefab","Rundll32.exe "c:\windows\system32\jizejaho.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\jizejaho.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","peyofefab"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\jizejaho.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jizejaho.dll"

// AutoRun:"jkkiiisys","rundll32.exe "tussro.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\tussro.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","jkkiiisys"
// File:"<$FILE_EXE>","rundll32.exe "tussro.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tussro.dll"

// AutoRun:"sstsqrdrv","rundll32.exe "rqpppq.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\rqpppq.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sstsqrdrv"
// File:"<$FILE_EXE>","rundll32.exe "rqpppq.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rqpppq.dll"

// Variant installed under the common application-data folder rather than <$SYSDIR>.
// AutoRun:"jelikezowa","Rundll32.exe "C:\ProgramData\doyadaju\doyadaju.dll",s","flagifnofile=1"
AutoRun:"*","<$COMMONAPPDATA>\doyadaju\doyadaju.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","jelikezowa"
// File:"<$FILE_EXE>","Rundll32.exe "C:\ProgramData\doyadaju\doyadaju.dll",s"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\doyadaju\doyadaju.dll"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\doyadaju"

// AutoRun:"kilosazil","Rundll32.exe "c:\windows\system32\muvakiha.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\muvakiha.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","kilosazil"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\muvakiha.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

// Variants dropped directly into <$WINDIR> rather than the system directory.
// AutoRun:"Gsibohicekiqaq","rundll32.exe "C:\WINDOWS\ohigomukedom.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\ohigomukedom.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Gsibohicekiqaq"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\ohigomukedom.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\ohigomukedom.dll"

// AutoRun:"gohiteloje","Rundll32.exe "weyibadu.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\weyibadu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","gohiteloje"
// File:"<$FILE_EXE>","Rundll32.exe "weyibadu.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\weyibadu.dll"

// AutoRun:"sipinewun","Rundll32.exe "c:\windows\system32\zekazide.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\zekazide.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sipinewun"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\zekazide.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zekazide.dll"

// AutoRun:"Ttimoj","rundll32.exe "C:\WINDOWS\ivoranawifu.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\ivoranawifu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Ttimoj"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\ivoranawifu.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\ivoranawifu.dll"

// Variant running out of the Windows Temp folder.
// AutoRun:"fzwkht","RUNDLL32.EXE C:\Windows\TEMP\msuqddft.dll,w","flagifnofile=1"
AutoRun:"*","<$WINDIR>\TEMP\msuqddft.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","fzwkht"
// File:"<$FILE_EXE>","RUNDLL32.EXE C:\Windows\TEMP\msuqddft.dll,w"
File:"<$FILE_LIBRARY>","<$WINDIR>\TEMP\msuqddft.dll"

// Same rqpppq.dll as above, but registered under the per-user Run key with a different value name; the AutoRun and
// File rules duplicate the earlier ones and only the HKEY_CURRENT_USER RegyValue adds coverage.
// AutoRun:"iifghidrv","rundll32.exe "rqpppq.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\rqpppq.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","iifghidrv"
// File:"<$FILE_EXE>","rundll32.exe "rqpppq.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rqpppq.dll"

// Trojan.Virtumonde(1), AppInit_DLLs injection:
// These variants add their DLL to the AppInit_DLLs value, which gets the DLL loaded into every process that links
// user32.dll. RegyRemove strips only the named entry rather than deleting the value - presumably so that any other
// (legitimate) entries in AppInit_DLLs survive; confirm against the RegyRemove semantics. Entries written without a path
// (ririzaki.dll, humirabi.dll, colkpz.dll, ririwoba.dll) are matched as bare names and their files looked for in <$SYSDIR>.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\crtdll32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\crtdll32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","ririzaki.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ririzaki.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\jizejaho.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jizejaho.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\muvakiha.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$COMMONAPPDATA>\yuzizowa\yuzizowa.dll"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\yuzizowa\yuzizowa.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$COMMONAPPDATA>\hetuvigu\hetuvigu.dll"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\hetuvigu\hetuvigu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hhsetup32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hhsetup32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dsuiext32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dsuiext32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","humirabi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\humirabi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\zekazide.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zekazide.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","colkpz.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\colkpz.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","ririwoba.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ririwoba.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bemevoyu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bemevoyu.dll"

// Trojan.Virtumonde(1), Winlogon Notify packages:
// A Notify subkey makes winlogon.exe load the named DLL at logon. Each RegyKey rule requires the DllName data to match,
// so a Notify key with the same random name but a different DLL is not removed. Two entries give the DLL name without a
// path (cbXQkllL.dll, khfEWNgH.dll); their File rules look in <$SYSDIR>. One variant hides its DLL behind a ".dat" extension.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","a8077ccd741","DllName=<$SYSDIR>\crtdll32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\crtdll32.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c0011804","DllName=<$SYSDIR>\__c0011804.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c0011804.dat"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","cbXQkllL","DllName=cbXQkllL.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cbXQkllL.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","e48be5b7649","DllName=<$SYSDIR>\dsuiext32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dsuiext32.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","khfEWNgH","DllName=khfEWNgH.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\khfEWNgH.dll"

// Trojan.Virtumonde(1), ShellServiceObjectDelayLoad:
// Each value here holds a CLSID that Explorer instantiates at startup. The value names are random and most of them point
// at the same DLL (muvakiha.dll): one dropped file, re-registered under a fresh name on each machine. Each RegyValue rule
// requires the exact name=CLSID data, and the CLSIDs here also appear in the SharedTaskScheduler group further down.
// The paired File rule for the CLSID's DLL is repeated per value so that each rule stands on its own.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","bimufehuk","bimufehuk={af9d9d63-6686-4777-bc6d-5f5db5f2c6b4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jizejaho.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","demopotek","demopotek={427f837e-381f-4473-b8e8-99689517076e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","wuholajet","wuholajet={8c1cf909-f030-48ec-9000-5ca3a4e97598}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","harerenuj","harerenuj={8e98e45b-1038-4d1b-8a45-b45deb463e73}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","sedoyulaj","sedoyulaj={9b10e253-633b-4dc4-8ba4-9ea14e478045}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yanafesel","yanafesel={b001dea7-0f4d-4f4f-af6e-028a84cf5025}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","wotepodib","wotepodib={63c8af00-3fed-442f-ade1-47b672cc0379}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","notahomib","notahomib={ae356f42-9481-4f0d-8a76-e8b7d3cb047f}"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\hetuvigu\hetuvigu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","guwiwozum","guwiwozum={b967a594-68f0-4f50-b88a-8a140a03163b}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","wuwedenir","wuwedenir={53be29aa-fe85-41f2-ac8e-a3ccf92996f7}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","musozanep","musozanep={ef093dc2-b309-4cf5-8f97-2c0539a5e661}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zekazide.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","gotufefij","gotufefij={dda0baf4-ab9a-4b54-a330-63ed062f4c3a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kamenewi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","hatoleboy","hatoleboy={70a54e7f-0131-4266-a6a8-30633686552f}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bemevoyu.dll"

// Trojan.Virtumonde(1), SharedTaskScheduler:
// Second Explorer load point for the same CLSIDs as the ShellServiceObjectDelayLoad group. The same random value name
// recurs with different CLSID data (kupuhivus, tokatiluy, jugezatag, mujuzedij each appear several times); because every
// RegyValue rule carries the full name=CLSID data these are distinct matches, not duplicates.
// NOTE(review): the last three RegyValue lines (hasiufhiusdfjdhfudd={A9BA40A1-...}) are byte-identical and only the paired
// File rule differs; harmless, but one registry rule plus three File rules would say the same thing.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={dda0baf4-ab9a-4b54-a330-63ed062f4c3a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kamenewi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={70a54e7f-0131-4266-a6a8-30633686552f}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bemevoyu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={ef093dc2-b309-4cf5-8f97-2c0539a5e661}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zekazide.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={427f837e-381f-4473-b8e8-99689517076e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={8c1cf909-f030-48ec-9000-5ca3a4e97598}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={8e98e45b-1038-4d1b-8a45-b45deb463e73}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={9b10e253-633b-4dc4-8ba4-9ea14e478045}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={b001dea7-0f4d-4f4f-af6e-028a84cf5025}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={63c8af00-3fed-442f-ade1-47b672cc0379}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={ae356f42-9481-4f0d-8a76-e8b7d3cb047f}"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\hetuvigu\hetuvigu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={b967a594-68f0-4f50-b88a-8a140a03163b}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={53be29aa-fe85-41f2-ac8e-a3ccf92996f7}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muvakiha.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={af9d9d63-6686-4777-bc6d-5f5db5f2c6b4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jizejaho.dll"

// The {A9BA40A1-...} CLSID is the one shared by the spw67 / j1tw5l6 / j87lnrfdc BHO registrations above.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","hasiufhiusdfjdhfudd","hasiufhiusdfjdhfudd={A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\spw67.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","hasiufhiusdfjdhfudd","hasiufhiusdfjdhfudd={A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\j1tw5l6.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","hasiufhiusdfjdhfudd","hasiufhiusdfjdhfudd={A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\j87lnrfdc.dll"


// Trojan.Virtumonde(2):
// From a ComboFix log file.
// File-only rules with no registry load point: these DLL names were seen in the log but the registry entry that loads them
// was not captured. buvujano.dll, jizejaho.dll and ririzaki.dll are already covered with their load points in the
// Virtumonde(1) section above, so only the other five names add coverage here. Because these match on name and location
// alone (random eight-letter names in <$SYSDIR>), keep them under review for collisions with legitimately named files.
File:"<$FILE_LIBRARY>","<$SYSDIR>\buvujano.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fidofega.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jizejaho.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kuyubuza.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mupapupe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\puzojowo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ririzaki.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\weholapa.dll"