Code:
:: New Malware v21
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2009-08-11}
// Malware.Unknown(1):
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\XXX\meqsq.exe \s"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$PROFILE>\meqsq.exe*"
File:"<$FILE_EXE>","<$PROFILE>\meqsq.exe"
// Malware.Unknown(2):
//AutoRun:"vxbik","<$SYSDIR>\vxbik.exe \u","flagifnofile=1"
AutoRun:"vxbik","<$SYSDIR>\vxbik.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","vxbik"
File:"<$FILE_EXE>","<$SYSDIR>\vxbik.exe"
// Malware.Unknown(3):
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","ydUtoDHdepMTG","ydUtoDHdepMTG={94977F5A-3E3D-D5F0-5C01-2BD493E1C27F}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fq.dll"
// Malware.Unknown(4):
//Aus einem logfile von MBAM:
File:"<$FILE_EXE>","<$PROFILE>\a1y5v96t9.exe"
File:"<$FILE_EXE>","<$PROFILE>\a2v3v8y3e5a4.exe"
File:"<$FILE_EXE>","<$PROFILE>\u2v8q67n2.exe"
File:"<$FILE_EXE>","<$PROFILE>\w5c5i37c3.exe"
File:"<$FILE_EXE>","<$PROFILE>\w6m7n89n5.exe"
File:"<$FILE_EXE>","<$PROFILE>\i4m9n2s2o9p5.exe"
File:"<$FILE_EXE>","<$PROFILE>\c6b5o8n6u6f4.exe"
File:"<$FILE_EXE>","<$PROFILE>\f7x2v8a9y5c3.exe"
File:"<$FILE_EXE>","<$PROFILE>\h8n6v7u4k2d3.exe"
File:"<$FILE_EXE>","<$PROFILE>\r2l6c6o6m3v7.exe"
File:"<$FILE_EXE>","<$PROFILE>\r6r7d5f5l1y6.exe"
File:"<$FILE_EXE>","<$PROFILE>\u2b4p3a4x9t9.exe"
File:"<$FILE_EXE>","<$PROFILE>\u3b5r1o1n5i8.exe"
File:"<$FILE_EXE>","<$PROFILE>\u4b5h5n2x4m8.exe"
File:"<$FILE_EXE>","<$PROFILE>\u8c9f8m8v1w6.exe"
File:"<$FILE_EXE>","<$PROFILE>\v8w5p7g1q7e4.exe"
// PUPS.GameVance:
BrowserHelperEx:"Gamevance Text",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{BEAC7DC8-E106-4C6A-931E-5A42E7362883}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{BEAC7DC8-E106-4C6A-931E-5A42E7362883}"
BrowserHelperEx:"*","filename=gamevancelib32.dll"
BrowserHelperEx:"*","filename=gvtl.dll"
//AutoRun:"Gamevance","<$PROGRAMFILES>\Gamevance\gamevance32.exe a","flagifnofile=1"
AutoRun:"Gamevance","<$PROGRAMFILES>\Gamevance\gamevance??.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Gamevance"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Gamevance\gamevance32.exe"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Gamevance\gamevancelib32.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Gamevance\gvtl.dll"
// PUPS.MyWebSearch:
//Aus einem logfile von MBAM:
//HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca}
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\","{07b18ea9-a523-4961-b6bb-170de4475cca}"
//HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca}
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\","{07b18eab-a523-4961-b6bb-170de4475cca}"
//HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a}
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\","{25560540-9571-4d7b-9389-0f166788785a}"
//HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8}
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\","{3dc201fb-e9c9-499c-a11f-23c360d7c3f8}"
//HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df}
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\","{9ff05104-b030-46fc-94b8-81276e4e27df}"
//HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d}
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\","{00a6faf1-072e-44cf-8957-5838f569a31d}"
// Rogue.SystemGuard2009:
//AutoRun:"11525624","C:\Documents and Settings\All Users\Application Data\11525624\11525624.exe","flagifnofile=1"
AutoRun:"11525624","<$COMMONAPPDATA>\11525624\11525624.exe","flagifnofile=1"
//AutoRun:"14008434","C:\Documents and Settings\All Users\Application Data\14008434\14008434.exe","flagifnofile=1"
AutoRun:"14008434","<$COMMONAPPDATA>\14008434\14008434.exe","flagifnofile=1"
//AutoRun:"13263544","C:\ProgramData\13263544\13263544.exe","flagifnofile=1"
AutoRun:"13263544","<$COMMONAPPDATA>\13263544\13263544.exe","flagifnofile=1"
//AutoRun:"13147344","C:\Documents and Settings\All Users\Application Data\13147344\13147344.exe","flagifnofile=1"
AutoRun:"13147344","<$COMMONAPPDATA>\13147344\13147344.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","11525624"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","14008434"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","13263544"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","13147344"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\11525624\11525624.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\14008434\14008434.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\13263544\13263544.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\13147344\13147344.exe"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\11525624"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\14008434"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\13263544"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\13147344"
// Rogue.WiniBlueSoft:
File:"<$FILE_DATA>","<$WINDIR>\10357zro91ef.cpl"
File:"<$FILE_DATA>","<$WINDIR>\1054thie92z58.cpl"
File:"<$FILE_LIBRARY>","<$WINDIR>\11401s5az9ot59b.dll"
File:"<$FILE_DATA>","<$WINDIR>\11598spamboz5e6.cpl"
File:"<$FILE_LIBRARY>","<$WINDIR>\11649n5t-a-vzr9s62.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\12226v9rzs17e5.dll"
File:"<$FILE_DATA>","<$WINDIR>\1253ad59aze2.ocx"
File:"<$FILE_LIBRARY>","<$WINDIR>\1267z9iru590.dll"
File:"<$FILE_DATA>","<$WINDIR>\13409not-a-v5rus113z.ocx"
File:"<$FILE_DATA>","<$WINDIR>\1354zviru9155.ocx"
File:"<$FILE_LIBRARY>","<$WINDIR>\1355nzt-9-virus1f3.dll"
File:"<$FILE_DATA>","<$WINDIR>\1359zhief1191.bin"
File:"<$FILE_DATA>","<$WINDIR>\137045ot-9-virzs6d3.ocx"
File:"<$FILE_LIBRARY>","<$WINDIR>\13927hzckt59l59.dll"
File:"<$FILE_DATA>","<$WINDIR>\1395zi5us7fa.cpl"
File:"<$FILE_DATA>","<$WINDIR>\13z5ha9ktool2d7.ocx"
File:"<$FILE_LIBRARY>","<$WINDIR>\14061z9cktool502.dll"
File:"<$FILE_DATA>","<$WINDIR>\140aspzwa5e2969.cpl"
File:"<$FILE_LIBRARY>","<$WINDIR>\1445znot-a-virus759.dll"
File:"<$FILE_EXE>","<$WINDIR>\14484wo5m1z9.exe"
File:"<$FILE_DATA>","<$WINDIR>\14958zirus39b.ocx"
File:"<$FILE_DATA>","<$WINDIR>\1496zw9rm250.bin"
File:"<$FILE_DATA>","<$WINDIR>\14z66wo5m5b09.cpl"
File:"<$FILE_DATA>","<$WINDIR>\15175n9t-a-vir5s2z.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\15222v9ru53ebz.dll"
File:"<$FILE_DATA>","<$WINDIR>\153cs9eaz2682.ocx"
File:"<$FILE_DATA>","<$WINDIR>\1559addwarz9791.bin"
File:"<$FILE_DATA>","<$WINDIR>\15b99ownlozder229.ocx"
File:"<$FILE_DATA>","<$WINDIR>\15d4addwaz979.bin"
File:"<$FILE_DATA>","<$WINDIR>\15z799pyc3.bin"
File:"<$FILE_EXE>","<$WINDIR>\160fspy5are9z8.exe"
File:"<$FILE_DATA>","<$WINDIR>\16158z9t-a-virus1cb.ocx"
File:"<$FILE_EXE>","<$WINDIR>\16520not-a-59ruz522.exe"
File:"<$FILE_DATA>","<$WINDIR>\1672zspa5b9t21a.ocx"
File:"<$FILE_DATA>","<$WINDIR>\170z8vi5us7c9.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\1723t5rezt19958.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\17251w9rm4bbz.dll"
File:"<$FILE_DATA>","<$WINDIR>\17599hacktool752z.cpl"
File:"<$FILE_DATA>","<$WINDIR>\1795troj5z5.ocx"
File:"<$FILE_DATA>","<$WINDIR>\17d3t5rezt29697.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\1800spa9bot545z.dll"
File:"<$FILE_DATA>","<$WINDIR>\18232woz9455.ocx"
File:"<$FILE_DATA>","<$WINDIR>\18390wormz835.bin"
File:"<$FILE_EXE>","<$WINDIR>\187995zrm5f8.exe"
File:"<$FILE_EXE>","<$WINDIR>\18863za95tool86.exe"
File:"<$FILE_DATA>","<$WINDIR>\18945zirus635.bin"
File:"<$FILE_EXE>","<$WINDIR>\19045spazbot12e.exe"
File:"<$FILE_EXE>","<$WINDIR>\190zvir1075.exe"
File:"<$FILE_DATA>","<$WINDIR>\19131tro591z.ocx"
File:"<$FILE_DATA>","<$WINDIR>\19143hazktool5849.bin"
File:"<$FILE_DATA>","<$WINDIR>\19275szyc99.cpl"
File:"<$FILE_DATA>","<$WINDIR>\195backdzor9435.cpl"
File:"<$FILE_EXE>","<$WINDIR>\19725spamb5tz5.exe"
File:"<$FILE_DATA>","<$WINDIR>\198b5hrzat27564.ocx"
File:"<$FILE_DATA>","<$WINDIR>\1997zp5ec.cpl"
File:"<$FILE_LIBRARY>","<$WINDIR>\1a99do5nloaderz853.dll"
File:"<$FILE_DATA>","<$WINDIR>\1b39addwarz2485.bin"
File:"<$FILE_EXE>","<$WINDIR>\1e785teaz2309.exe"
File:"<$FILE_DATA>","<$WINDIR>\1ed5baczd9or399.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\1z34959ambot4d6.dll"
File:"<$FILE_EXE>","<$WINDIR>\1z5not-a9virus15.exe"
File:"<$FILE_EXE>","<$WINDIR>\1z9435ackt9olbf.exe"
File:"<$FILE_EXE>","<$WINDIR>\1z951worm759.exe"
File:"<$FILE_EXE>","<$WINDIR>\1z9799o5-a-virus200.exe"
File:"<$FILE_DATA>","<$WINDIR>\1zd9s9arse5000.bin"
File:"<$FILE_DATA>","<$WINDIR>\1zf1st5al1995.bin"
File:"<$FILE_DATA>","<$WINDIR>\2029spywar51408z.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\202bs5zwar9391.dll"
File:"<$FILE_DATA>","<$WINDIR>\20afaddwa95678z.cpl"
File:"<$FILE_EXE>","<$WINDIR>\20z9thie524359.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\21290zpy759.dll"
File:"<$FILE_DATA>","<$WINDIR>\21375ownlzader26209.ocx"
File:"<$FILE_DATA>","<$WINDIR>\215ddo95loazer98.cpl"
File:"<$FILE_DATA>","<$WINDIR>\2185s9ywa5ez289.bin"
File:"<$FILE_DATA>","<$WINDIR>\21z24troj5f79.cpl"
File:"<$FILE_DATA>","<$WINDIR>\2325thre5t3z998.ocx"
File:"<$FILE_LIBRARY>","<$WINDIR>\2388zo9m4c85.dll"
File:"<$FILE_DATA>","<$WINDIR>\23985ownloade97z.cpl"
File:"<$FILE_DATA>","<$WINDIR>\23999ha5ktool1z2.ocx"
File:"<$FILE_DATA>","<$WINDIR>\24563zot-a-v5rus296.bin"
File:"<$FILE_DATA>","<$WINDIR>\25118h9ckzool55c.ocx"
File:"<$FILE_LIBRARY>","<$WINDIR>\25154hacz9ool1ef.dll"
File:"<$FILE_DATA>","<$WINDIR>\2515a9dwarz1389.cpl"
File:"<$FILE_DATA>","<$WINDIR>\2544backzoor2912.ocx"
File:"<$FILE_EXE>","<$WINDIR>\25601s9amzot7f1.exe"
File:"<$FILE_DATA>","<$WINDIR>\25656trojz595.exe"
File:"<$FILE_DATA>","<$WINDIR>\2569zspy1055.cpl"
File:"<$FILE_DATA>","<$WINDIR>\2575tr9j5bz.cpl"
File:"<$FILE_DATA>","<$WINDIR>\25835nzt-a-v9rus69a.bin"
File:"<$FILE_DATA>","<$WINDIR>\258579pz55.bin"
File:"<$FILE_EXE>","<$WINDIR>\25951spzmbot719.exe"
File:"<$FILE_EXE>","<$WINDIR>\2596addwarz581.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\25b4s9azse5858.dll"
File:"<$FILE_DATA>","<$WINDIR>\25z4a5dware1895.bin"
File:"<$FILE_EXE>","<$WINDIR>\25zbbackdoor199.exe"
File:"<$FILE_DATA>","<$WINDIR>\26084virus695z.ocx"
File:"<$FILE_LIBRARY>","<$WINDIR>\26470zack5oo9fb.dll"
File:"<$FILE_DATA>","<$WINDIR>\27d2vir9z65.cpl"
File:"<$FILE_EXE>","<$WINDIR>\28511spy9cz5.exe"
File:"<$FILE_DATA>","<$WINDIR>\28678spa5bot9z7.cpl"
File:"<$FILE_DATA>","<$WINDIR>\2880not-a-vi5u95bz.cpl"
File:"<$FILE_EXE>","<$WINDIR>\29017worz593.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\29055zorm1a8.dll"
File:"<$FILE_EXE>","<$WINDIR>\291thre59z642.exe"
File:"<$FILE_EXE>","<$WINDIR>\2982s5ar9e234z.exe"
File:"<$FILE_DATA>","<$WINDIR>\2983zspy569.cpl"
File:"<$FILE_DATA>","<$WINDIR>\29e7threa52505z.bin"
File:"<$FILE_DATA>","<$WINDIR>\29z9hac5tool184.cpl"
File:"<$FILE_LIBRARY>","<$WINDIR>\2a11steal91z5.dll"
File:"<$FILE_DATA>","<$WINDIR>\2b9cs9arsz3155.ocx"
File:"<$FILE_DATA>","<$WINDIR>\2c59a9dza5e780.bin"
File:"<$FILE_EXE>","<$WINDIR>\2c79spzwar91825.exe"
File:"<$FILE_DATA>","<$WINDIR>\2d95backdoor1310z.ocx"
File:"<$FILE_EXE>","<$WINDIR>\2dc1addwaze23959.exe"
File:"<$FILE_DATA>","<$WINDIR>\2eazsp9r5e319.ocx"
File:"<$FILE_EXE>","<$WINDIR>\2f7fzddw5re2209.exe"
File:"<$FILE_EXE>","<$WINDIR>\2z295ief765.exe"
File:"<$FILE_EXE>","<$WINDIR>\2z39spywar51993.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\2z40t9re5t20565.dll"
File:"<$FILE_DATA>","<$WINDIR>\2z830not-a-virus951.cpl"
File:"<$FILE_DATA>","<$WINDIR>\30bfs9z5l2823.bin"
File:"<$FILE_DATA>","<$WINDIR>\30z79vi5us267.ocx"
File:"<$FILE_DATA>","<$WINDIR>\3158zspamb9te5.bin"
File:"<$FILE_EXE>","<$WINDIR>\31870zpam95t230.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\31934spz9bot5ab.dll"
File:"<$FILE_EXE>","<$WINDIR>\32201zot-a-v9ru533d.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\32420zot-a-vi9us456.dll"
File:"<$FILE_DATA>","<$WINDIR>\3490add9zr5366.cpl"
File:"<$FILE_LIBRARY>","<$WINDIR>\35098spy6z0.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\353sp965z.dll"
File:"<$FILE_DATA>","<$WINDIR>\3547virz99.cpl"
File:"<$FILE_DATA>","<$WINDIR>\355fbackdoor2z09.bin"
File:"<$FILE_DATA>","<$WINDIR>\359zv9r3035.bin"
File:"<$FILE_DATA>","<$WINDIR>\3679stea516z9.cpl"
File:"<$FILE_DATA>","<$WINDIR>\3732h5zkt9ol325.ocx"
File:"<$FILE_DATA>","<$WINDIR>\39223zorm465.bin"
File:"<$FILE_EXE>","<$WINDIR>\3929s5eal248z.exe"
File:"<$FILE_DATA>","<$WINDIR>\39505acztool562.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\39cezpyw9re1259.dll"
File:"<$FILE_DATA>","<$WINDIR>\3a88s95alz15.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\3aa4addzare5095.dll"
File:"<$FILE_DATA>","<$WINDIR>\3aa5zhreat19647.cpl"
File:"<$FILE_DATA>","<$WINDIR>\3addbac5doo9z29.bin"
File:"<$FILE_DATA>","<$WINDIR>\3ae6zac5d9or855.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\3bee5pars93z63.dll"
File:"<$FILE_DATA>","<$WINDIR>\3c9badzware5629.cpl"
File:"<$FILE_DATA>","<$WINDIR>\3cazsteal2957.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\3f10steal905z5.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\3f5btzie91502.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\3fz7addware5968.dll"
File:"<$FILE_DATA>","<$WINDIR>\3z709irus6ec5.ocx"
File:"<$FILE_DATA>","<$WINDIR>\40fb59ief256z.ocx"
File:"<$FILE_LIBRARY>","<$WINDIR>\41e4spars915z4.dll"
File:"<$FILE_DATA>","<$WINDIR>\4399tr9z565.ocx"
File:"<$FILE_DATA>","<$WINDIR>\44db9ck5oor12z5.cpl"
File:"<$FILE_DATA>","<$WINDIR>\4527addwarez0669.ocx"
File:"<$FILE_DATA>","<$WINDIR>\453thr9atz37235.ocx"
File:"<$FILE_DATA>","<$WINDIR>\4551spyza5e1895.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\4570virus1z9.dll"
File:"<$FILE_EXE>","<$WINDIR>\4599zirus675.exe"
File:"<$FILE_DATA>","<$WINDIR>\459backdoor2z44.bin"
File:"<$FILE_EXE>","<$WINDIR>\45aeaddw5r9177z.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\45c5vir9z80.dll"
File:"<$FILE_DATA>","<$WINDIR>\45fbackdo5z1994.ocx"
File:"<$FILE_DATA>","<$WINDIR>\45z9spyw5re86.ocx"
File:"<$FILE_DATA>","<$WINDIR>\476edow9zoa5er1554.ocx"
File:"<$FILE_DATA>","<$WINDIR>\481s5ars91265z.bin"
File:"<$FILE_DATA>","<$WINDIR>\4875szea59697.bin"
File:"<$FILE_DATA>","<$WINDIR>\4881not-a9viru55za.cpl"
File:"<$FILE_EXE>","<$WINDIR>\48acthreaz92915.exe"
File:"<$FILE_DATA>","<$WINDIR>\48f9zackd9o5329.bin"
File:"<$FILE_EXE>","<$WINDIR>\4994thie95738z.exe"
File:"<$FILE_DATA>","<$WINDIR>\4b61zpa9se19225.ocx"
File:"<$FILE_DATA>","<$WINDIR>\4bb5spyware27z89.cpl"
File:"<$FILE_DATA>","<$WINDIR>\4bz15ownloade91551.ocx"
File:"<$FILE_DATA>","<$WINDIR>\4c06dzwnl5a9er119.ocx"
File:"<$FILE_DATA>","<$WINDIR>\4c645ack9oor3z92.ocx"
File:"<$FILE_DATA>","<$WINDIR>\4d7aza9kdoor1465.exe"
File:"<$FILE_DATA>","<$WINDIR>\4dcfsparsz51219.bin"
File:"<$FILE_DATA>","<$WINDIR>\4dzdadd9are509.cpl"
File:"<$FILE_LIBRARY>","<$WINDIR>\50f3vir1z709.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\51279worm7z9.dll"
File:"<$FILE_DATA>","<$WINDIR>\51460z9ambotaf.bin"
File:"<$FILE_DATA>","<$WINDIR>\51bed5wnzoade91561.ocx"
File:"<$FILE_LIBRARY>","<$WINDIR>\51f3addw5r9181z.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\52227hacktool169z.dll"
File:"<$FILE_EXE>","<$WINDIR>\5223zsp91fa.exe"
File:"<$FILE_DATA>","<$WINDIR>\52z1stea96735.ocx"
File:"<$FILE_LIBRARY>","<$WINDIR>\53304vir9z608.dll"
File:"<$FILE_DATA>","<$WINDIR>\53507wo9m363z.cpl"
File:"<$FILE_DATA>","<$WINDIR>\53955pyz8c.ocx"
File:"<$FILE_DATA>","<$WINDIR>\54201vizu9135.bin"
File:"<$FILE_DATA>","<$WINDIR>\5426zte5l9339.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\54349ackdoor1z50.dll"
File:"<$FILE_DATA>","<$WINDIR>\54533spy19z.bin"
File:"<$FILE_EXE>","<$WINDIR>\5458downloa9er555z.exe"
File:"<$FILE_DATA>","<$WINDIR>\54759pywarz2146.bin"
File:"<$FILE_DATA>","<$WINDIR>\549zvi9958.ocx"
File:"<$FILE_DATA>","<$WINDIR>\54ab9ckdo5r166z.cpl"
File:"<$FILE_LIBRARY>","<$WINDIR>\54be5zief27059.dll"
File:"<$FILE_EXE>","<$WINDIR>\54fzpa9se2955.exe"
File:"<$FILE_DATA>","<$WINDIR>\54z2s9yware770.cpl"
File:"<$FILE_LIBRARY>","<$WINDIR>\55225pzmbot391.dll"
File:"<$FILE_EXE>","<$WINDIR>\559fspazse2192.exe"
File:"<$FILE_DATA>","<$WINDIR>\55eavir1z069.ocx"
File:"<$FILE_DATA>","<$WINDIR>\5631spzrse3095.bin"
File:"<$FILE_DATA>","<$WINDIR>\5650thzef2957.ocx"
File:"<$FILE_DATA>","<$WINDIR>\5692vir9916z.bin"
File:"<$FILE_EXE>","<$WINDIR>\56aa9iz25075.exe"
File:"<$FILE_DATA>","<$WINDIR>\5739downz9ader2276.bin"
File:"<$FILE_DATA>","<$WINDIR>\5778backdzor9975.ocx"
File:"<$FILE_DATA>","<$WINDIR>\57ee5hreat9z730.ocx"
File:"<$FILE_DATA>","<$WINDIR>\58474not-9-virzs74d.bin"
File:"<$FILE_EXE>","<$WINDIR>\58e4thre9t273z3.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\5929sz59se300.dll"
File:"<$FILE_DATA>","<$WINDIR>\594z59ormd5.bin"
File:"<$FILE_DATA>","<$WINDIR>\5955h5cktooz19f.ocx"
File:"<$FILE_DATA>","<$WINDIR>\595daddzare3247.bin"
File:"<$FILE_EXE>","<$WINDIR>\59659wormz4f.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\599eazdware1597.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\59z16spy497.dll"
File:"<$FILE_DATA>","<$WINDIR>\5a15vir916z.ocx"
File:"<$FILE_EXE>","<$WINDIR>\5b79threaz23858.exe"
File:"<$FILE_EXE>","<$WINDIR>\5b95vzr154.exe"
File:"<$FILE_DATA>","<$WINDIR>\5b9zbackd5or470.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\5d72vir909z.dll"
File:"<$FILE_DATA>","<$WINDIR>\5f90backdoo935z8.ocx"
File:"<$FILE_DATA>","<$WINDIR>\5z04back9oo51819.cpl"
File:"<$FILE_LIBRARY>","<$WINDIR>\5z7ca9dware19955.dll"
File:"<$FILE_DATA>","<$WINDIR>\5za6t9reat8352.ocx"
File:"<$FILE_EXE>","<$WINDIR>\5za9vir2954.exe"
File:"<$FILE_DATA>","<$WINDIR>\6052viruzb9.bin"
File:"<$FILE_DATA>","<$WINDIR>\60azt95ef2379.cpl"
File:"<$FILE_DATA>","<$WINDIR>\6159sparsz2597.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\620thre9tz5589.dll"
File:"<$FILE_DATA>","<$WINDIR>\63abdo9nlozder2105.bin"
File:"<$FILE_DATA>","<$WINDIR>\63beviz99765.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\655czt9al1487.dll"
File:"<$FILE_DATA>","<$WINDIR>\656zsp9rse2790.ocx"
File:"<$FILE_DATA>","<$WINDIR>\65b5st5al994z.cpl"
File:"<$FILE_DATA>","<$WINDIR>\65z8vir26559.ocx"
File:"<$FILE_DATA>","<$WINDIR>\65za5ddware789.cpl"
File:"<$FILE_EXE>","<$WINDIR>\66279ddwaze855.exe"
File:"<$FILE_DATA>","<$WINDIR>\6799thrzat55393.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\6995backdoor6z5.dll"
File:"<$FILE_EXE>","<$WINDIR>\6a5dthrezt96045.exe"
File:"<$FILE_DATA>","<$WINDIR>\6b5espywzre23169.cpl"
File:"<$FILE_DATA>","<$WINDIR>\6b96za9kdoor16895.bin"
File:"<$FILE_DATA>","<$WINDIR>\6c19s5yware1596z.ocx"
File:"<$FILE_DATA>","<$WINDIR>\6d72a9dware15z3.ocx"
File:"<$FILE_DATA>","<$WINDIR>\6z55vi9us12f.bin"
File:"<$FILE_DATA>","<$WINDIR>\70d6downzoa9er5815.bin"
File:"<$FILE_EXE>","<$WINDIR>\71c09ir5267z.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\727zv591683.dll"
File:"<$FILE_DATA>","<$WINDIR>\7491spywz5e674.cpl"
File:"<$FILE_LIBRARY>","<$WINDIR>\74f6zparse9435.dll"
File:"<$FILE_EXE>","<$WINDIR>\7525zparse2496.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\7529thzef2615.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\7597downloader20z89.dll"
File:"<$FILE_DATA>","<$WINDIR>\75f6s9yzare1075.cpl"
File:"<$FILE_DATA>","<$WINDIR>\7844hackz9ol7925.cpl"
File:"<$FILE_DATA>","<$WINDIR>\786ath5eat39332z.cpl"
File:"<$FILE_DATA>","<$WINDIR>\7895s5arze2150.ocx"
File:"<$FILE_EXE>","<$WINDIR>\793zviru559.exe"
File:"<$FILE_DATA>","<$WINDIR>\7a38zp9rse29795.cpl"
File:"<$FILE_EXE>","<$WINDIR>\7a8fadd95re6z3.exe"
File:"<$FILE_DATA>","<$WINDIR>\7bbcspyzare11935.cpl"
File:"<$FILE_DATA>","<$WINDIR>\7bc1spy9are2975z.cpl"
File:"<$FILE_EXE>","<$WINDIR>\7c12z5eal796.exe"
File:"<$FILE_DATA>","<$WINDIR>\7c84s5y9are252z.cpl"
File:"<$FILE_LIBRARY>","<$WINDIR>\7e38downloazer9597.dll"
File:"<$FILE_DATA>","<$WINDIR>\7f9495wnloadzr1862.ocx"
File:"<$FILE_DATA>","<$WINDIR>\819zvir5sce.cpl"
File:"<$FILE_LIBRARY>","<$WINDIR>\84s9ars52z16.dll"
File:"<$FILE_DATA>","<$WINDIR>\8529hackt95z2cc.ocx"
File:"<$FILE_DATA>","<$WINDIR>\857spars91028z.cpl"
File:"<$FILE_DATA>","<$WINDIR>\862spar5e31z9.ocx"
File:"<$FILE_DATA>","<$WINDIR>\8790notz9-virus785.cpl"
File:"<$FILE_EXE>","<$WINDIR>\8855z9cktool20c.exe"
File:"<$FILE_DATA>","<$WINDIR>\8d5th5z9t9437.ocx"
File:"<$FILE_DATA>","<$WINDIR>\9123not-a-vzru5152.ocx"
File:"<$FILE_LIBRARY>","<$WINDIR>\9219n59-a-virzsa2.dll"
File:"<$FILE_EXE>","<$WINDIR>\9222sp579z.exe"
File:"<$FILE_DATA>","<$WINDIR>\946459y553z.bin"
File:"<$FILE_EXE>","<$WINDIR>\9465hackto5l92z.exe"
File:"<$FILE_DATA>","<$WINDIR>\956dst5az532.bin"
File:"<$FILE_DATA>","<$WINDIR>\95755tealz55.bin"
File:"<$FILE_EXE>","<$WINDIR>\958zsp5mbot30e.exe"
File:"<$FILE_DATA>","<$WINDIR>\959sparse1z83.bin"
File:"<$FILE_EXE>","<$WINDIR>\97276hacktoo51d4z.exe"
File:"<$FILE_DATA>","<$WINDIR>\97espy5a9ez66.bin"
File:"<$FILE_DATA>","<$WINDIR>\988fdownloader5205z.bin"
File:"<$FILE_DATA>","<$WINDIR>\991bac5doorz456.ocx"
File:"<$FILE_EXE>","<$WINDIR>\99463h5zktool53f.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\995virz933.dll"
File:"<$FILE_DATA>","<$WINDIR>\996t5oz408.cpl"
File:"<$FILE_EXE>","<$WINDIR>\99959vzrus15.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\9b02spa5sez01.dll"
File:"<$FILE_DATA>","<$WINDIR>\9b82addware58z.ocx"
File:"<$FILE_DATA>","<$WINDIR>\9b8bvir3155z.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\9c0spyzare26685.dll"
File:"<$FILE_DATA>","<$WINDIR>\9dfzhreat158219.ocx"
File:"<$FILE_LIBRARY>","<$WINDIR>\9evzr5009.dll"
File:"<$FILE_DATA>","<$WINDIR>\9z185or915d.ocx"
File:"<$FILE_EXE>","<$WINDIR>\9z95not-a-virus2fd.exe"
File:"<$FILE_DATA>","<$WINDIR>\9zeaspyw5re746.ocx"
File:"<$FILE_LIBRARY>","<$WINDIR>\a059pars5804z.dll"
File:"<$FILE_DATA>","<$WINDIR>\a57spywaze1955.bin"
File:"<$FILE_DATA>","<$WINDIR>\b79zteal5359.ocx"
File:"<$FILE_EXE>","<$WINDIR>\d3a9hie5z53.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\d51stezl969.dll"
File:"<$FILE_LIBRARY>","<$WINDIR>\e63spy95ze2659.dll"
File:"<$FILE_EXE>","<$WINDIR>\e815zarse11559.exe"
File:"<$FILE_EXE>","<$WINDIR>\ed9s5eal176z.exe"
File:"<$FILE_EXE>","<$WINDIR>\fdavz9553.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\1004noz-a-virus45b9.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\10145n9t-a-zirus2aa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\10316not-9-viruz6845.dll"
File:"<$FILE_DATA>","<$SYSDIR>\10583w9rmza25.bin"
File:"<$FILE_EXE>","<$SYSDIR>\1063zte953197.exe"
File:"<$FILE_DATA>","<$SYSDIR>\107535irusz489.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\10942z9rus1165.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\11809not-a-v5zusb9.ocx"
File:"<$FILE_LIBRARY>","<$SYSDIR>\1190spywaz5495.dll"
File:"<$FILE_DATA>","<$SYSDIR>\11z2vir9256.bin"
File:"<$FILE_DATA>","<$SYSDIR>\120z1s9y58a5.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\12583hazktool1569.bin"
File:"<$FILE_EXE>","<$SYSDIR>\12751no5-a-9izus4f5.exe"
File:"<$FILE_EXE>","<$SYSDIR>\12895tzoj645.exe"
File:"<$FILE_DATA>","<$SYSDIR>\1295zir9128.bin"
File:"<$FILE_DATA>","<$SYSDIR>\12996szambo516e.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\12z955ot-9-virus366.cpl"
File:"<$FILE_EXE>","<$SYSDIR>\1306zhacktoo95cc.exe"
File:"<$FILE_DATA>","<$SYSDIR>\13337hac59oolz5e.bin"
File:"<$FILE_DATA>","<$SYSDIR>\13435sp9z6.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\13595spz46f.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\136549py7ez.bin"
File:"<$FILE_LIBRARY>","<$SYSDIR>\13679virzs511.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\138899orm5a5z.dll"
File:"<$FILE_EXE>","<$SYSDIR>\13z11spy759.exe"
File:"<$FILE_DATA>","<$SYSDIR>\14099sp9mb5tze6.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\14145not-azvirus9f3.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\14594spy1z.ocx"
File:"<$FILE_EXE>","<$SYSDIR>\14667s5yzf9.exe"
File:"<$FILE_EXE>","<$SYSDIR>\15094s5zmbo9317.exe"
File:"<$FILE_DATA>","<$SYSDIR>\1516virz5559.ocx"
File:"<$FILE_EXE>","<$SYSDIR>\15508s9ambot5z6.exe"
File:"<$FILE_DATA>","<$SYSDIR>\15847spambot39z.cpl"
File:"<$FILE_LIBRARY>","<$SYSDIR>\15999zroj62c.dll"
File:"<$FILE_DATA>","<$SYSDIR>\16247n5t-a9zirus45d.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\1652spamb9t16fz.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\16587not9azvirus35b5.ocx"
File:"<$FILE_EXE>","<$SYSDIR>\1685895rusz40.exe"
File:"<$FILE_EXE>","<$SYSDIR>\17135vir9s45z.exe"
File:"<$FILE_DATA>","<$SYSDIR>\1721tzief2539.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\175da9dwz5e1031.bin"
File:"<$FILE_DATA>","<$SYSDIR>\176799pzmbot145.ocx"
File:"<$FILE_EXE>","<$SYSDIR>\17849zir5s593.exe"
File:"<$FILE_EXE>","<$SYSDIR>\17995zirus5bd.exe"
File:"<$FILE_DATA>","<$SYSDIR>\179z5py4fc.bin"
File:"<$FILE_EXE>","<$SYSDIR>\188b95zware3244.exe"
File:"<$FILE_DATA>","<$SYSDIR>\18907wzrm145.bin"
File:"<$FILE_DATA>","<$SYSDIR>\18919sp9252z.ocx"
File:"<$FILE_LIBRARY>","<$SYSDIR>\1919zpy6da5.dll"
File:"<$FILE_DATA>","<$SYSDIR>\19327spzmbot5cc.bin"
File:"<$FILE_DATA>","<$SYSDIR>\19478spambot7z5.bin"
File:"<$FILE_EXE>","<$SYSDIR>\1978thre5t1198z.exe"
File:"<$FILE_DATA>","<$SYSDIR>\1985z5py4a9.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\19897w9r529bz.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\19920zpa5bot285.ocx"
File:"<$FILE_LIBRARY>","<$SYSDIR>\19e0thizf158.dll"
File:"<$FILE_EXE>","<$SYSDIR>\19z25spy9d.exe"
File:"<$FILE_DATA>","<$SYSDIR>\19z54worm56d.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\1a38szyw5re964.bin"
File:"<$FILE_EXE>","<$SYSDIR>\1abdthre59z0606.exe"
File:"<$FILE_EXE>","<$SYSDIR>\1be1zt59l294.exe"
File:"<$FILE_EXE>","<$SYSDIR>\1c2ddownlo9der2z5.exe"
File:"<$FILE_DATA>","<$SYSDIR>\1c40bzckdo5r2963.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\1ca4thr5at19z67.bin"
File:"<$FILE_DATA>","<$SYSDIR>\1e4c5hi9f634z.bin"
File:"<$FILE_DATA>","<$SYSDIR>\1z2f5ac9door657.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\1z31spy569.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\1z369sp54309.cpl"
File:"<$FILE_LIBRARY>","<$SYSDIR>\1z75ba5kd9or751.dll"
File:"<$FILE_DATA>","<$SYSDIR>\1z9dthrea925414.bin"
File:"<$FILE_LIBRARY>","<$SYSDIR>\1zacbackdoo52389.dll"
File:"<$FILE_DATA>","<$SYSDIR>\1zd25pyware6299.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\202dthrea910945z.cpl"
File:"<$FILE_LIBRARY>","<$SYSDIR>\21259spy2d5z.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\21366s5a9boz33e.dll"
File:"<$FILE_DATA>","<$SYSDIR>\21545v9rus36z.cpl"
File:"<$FILE_EXE>","<$SYSDIR>\2158sp9rze837.exe"
File:"<$FILE_DATA>","<$SYSDIR>\21z905iru965a.ocx"
File:"<$FILE_EXE>","<$SYSDIR>\225evir194z.exe"
File:"<$FILE_EXE>","<$SYSDIR>\225fazdware22479.exe"
File:"<$FILE_DATA>","<$SYSDIR>\231359o5z685.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\23305ha9ktoolz4.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\2331h5cztool4bd9.cpl"
File:"<$FILE_LIBRARY>","<$SYSDIR>\2390zha5ktool5be.dll"
File:"<$FILE_DATA>","<$SYSDIR>\239fthie51269z.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\23f2bac5do9r26z0.cpl"
File:"<$FILE_EXE>","<$SYSDIR>\240z8not9a-5irus6b5.exe"
File:"<$FILE_DATA>","<$SYSDIR>\24499not5azvirus4d9.ocx"
File:"<$FILE_EXE>","<$SYSDIR>\24809virus50z.exe"
File:"<$FILE_EXE>","<$SYSDIR>\24952zroj261.exe"
File:"<$FILE_DATA>","<$SYSDIR>\24z75hac5tool1c9.bin"
File:"<$FILE_EXE>","<$SYSDIR>\25129ddwzre2557.exe"
File:"<$FILE_DATA>","<$SYSDIR>\255z8tro9315.bin"
File:"<$FILE_DATA>","<$SYSDIR>\258235acktool579z.bin"
File:"<$FILE_DATA>","<$SYSDIR>\25840not-a-9iruzda.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\258z09pambot1255.bin"
File:"<$FILE_EXE>","<$SYSDIR>\2595spzware2859.exe"
File:"<$FILE_DATA>","<$SYSDIR>\25dz9ackdoor3151.cpl"
File:"<$FILE_EXE>","<$SYSDIR>\25e4threaz295999.exe"
File:"<$FILE_DATA>","<$SYSDIR>\25f25t9az1182.cpl"
File:"<$FILE_EXE>","<$SYSDIR>\26589tro54z5.exe"
File:"<$FILE_DATA>","<$SYSDIR>\265ebackd9orz384.bin"
File:"<$FILE_EXE>","<$SYSDIR>\26755orz73f9.exe"
File:"<$FILE_DATA>","<$SYSDIR>\27258vzru59dd.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\2761zs9552f.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\277295rzj769.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\2775zwo9m649.bin"
File:"<$FILE_EXE>","<$SYSDIR>\2805steal963z.exe"
File:"<$FILE_DATA>","<$SYSDIR>\2811downloader596z9.bin"
File:"<$FILE_DATA>","<$SYSDIR>\28595v9rus7z5.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\287225or91e6z.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\2889th5ef1z30.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\28a9spywzr5973.bin"
File:"<$FILE_DATA>","<$SYSDIR>\291z7s5y4d5.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\29436vir5z422.bin"
File:"<$FILE_DATA>","<$SYSDIR>\295389ackzool654.dll"
File:"<$FILE_DATA>","<$SYSDIR>\295faddwarz2635.cpl"
File:"<$FILE_LIBRARY>","<$SYSDIR>\29z8sparse1595.dll"
File:"<$FILE_EXE>","<$SYSDIR>\2bb5z5e9l20.exe"
File:"<$FILE_EXE>","<$SYSDIR>\2bf5ackd9oz2173.exe"
File:"<$FILE_DATA>","<$SYSDIR>\2bfz9hreat31592.ocx"
File:"<$FILE_EXE>","<$SYSDIR>\2ca79hizf518.exe"
File:"<$FILE_EXE>","<$SYSDIR>\2d2e59dware249z.exe"
File:"<$FILE_DATA>","<$SYSDIR>\2f9a5zwnloader816.cpl"
File:"<$FILE_EXE>","<$SYSDIR>\2faastea91z59.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\2z536n9t-a-vir5s34f.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\2z554not-a9virus2d.dll"
File:"<$FILE_EXE>","<$SYSDIR>\2z6335orm3259.exe"
File:"<$FILE_EXE>","<$SYSDIR>\3015addwarz1595.exe"
File:"<$FILE_DATA>","<$SYSDIR>\30215s9zmbot2ac.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\302955ot-a-vizus521.bin"
File:"<$FILE_DATA>","<$SYSDIR>\30471hzck9ool569.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\30557not-z-virus1a99.bin"
File:"<$FILE_DATA>","<$SYSDIR>\3086959rmzf.bin"
File:"<$FILE_DATA>","<$SYSDIR>\30895zo593d6.ocx"
File:"<$FILE_EXE>","<$SYSDIR>\30905worm1b6z.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\31255not-9-v5rzs440.dll"
File:"<$FILE_DATA>","<$SYSDIR>\313z9sp9159.ocx"
File:"<$FILE_LIBRARY>","<$SYSDIR>\31629hacktooz15f.dll"
File:"<$FILE_EXE>","<$SYSDIR>\31649s9am5ot6cz.exe"
File:"<$FILE_DATA>","<$SYSDIR>\317065pam9otze2.bin"
File:"<$FILE_LIBRARY>","<$SYSDIR>\32228ha9ktoolzd5.dll"
File:"<$FILE_EXE>","<$SYSDIR>\32451not-a-virus695z.exe"
File:"<$FILE_EXE>","<$SYSDIR>\32766wor95zf.exe"
File:"<$FILE_DATA>","<$SYSDIR>\3358noz-a5viru9502.cpl"
File:"<$FILE_LIBRARY>","<$SYSDIR>\339ca5dwarez808.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\3423zi9us579.dll"
File:"<$FILE_DATA>","<$SYSDIR>\344et5r9zt26296.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\3497vi5243z.cpl"
File:"<$FILE_LIBRARY>","<$SYSDIR>\34b9t5reatz2829.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\3589back9oor5z5.dll"
File:"<$FILE_DATA>","<$SYSDIR>\35aspzrse595.ocx"
File:"<$FILE_EXE>","<$SYSDIR>\3623zac5door19.exe"
File:"<$FILE_DATA>","<$SYSDIR>\3630s9ywar5z014.cpl"
File:"<$FILE_LIBRARY>","<$SYSDIR>\36e25d9warez008.dll"
File:"<$FILE_DATA>","<$SYSDIR>\3756bazkdoor996.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\3799s5arsez15.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\37cc9teal8z15.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\3967th5zat176349.cpl"
File:"<$FILE_LIBRARY>","<$SYSDIR>\3991threaz11589.dll"
File:"<$FILE_DATA>","<$SYSDIR>\399cs5ywarez327.cpl"
File:"<$FILE_EXE>","<$SYSDIR>\39b7threatz8534.exe"
File:"<$FILE_EXE>","<$SYSDIR>\39zethief1854.exe"
File:"<$FILE_DATA>","<$SYSDIR>\3c8ezpywar524969.bin"
File:"<$FILE_LIBRARY>","<$SYSDIR>\40fdspywa5e93z9.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\410notza-v5rus995.dll"
File:"<$FILE_DATA>","<$SYSDIR>\419bbackd5or1347z.bin"
File:"<$FILE_DATA>","<$SYSDIR>\41cfbackdoo5z928.ocx"
File:"<$FILE_EXE>","<$SYSDIR>\435b5hief2z49.exe"
File:"<$FILE_DATA>","<$SYSDIR>\43f9thi592515z.bin"
File:"<$FILE_DATA>","<$SYSDIR>\4455v9z521.cpl"
File:"<$FILE_LIBRARY>","<$SYSDIR>\4523worm5zd9.dll"
File:"<$FILE_DATA>","<$SYSDIR>\459cthiez1232.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\45b6tzrea925849.ocx"
File:"<$FILE_DATA>","<$SYSDIR>\45bviz1199.cpl"
File:"<$FILE_DATA>","<$SYSDIR>\4659th5zat12952.ocx"
File:"<$FILE_LIBRARY>","<$SYSDIR>\477cbazkd95r1650.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\47a3szarse5969.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\47e1downlozd95482.dll"
File:"<$FILE_DATA>","<$WINDIR>\z0025acktool590.ocx"
File:"<$FILE_DATA>","<$WINDIR>\z014t5ief491.ocx"
File:"<$FILE_LIBRARY>","<$WINDIR>\z05dbackdoor2892.dll"
File:"<$FILE_EXE>","<$WINDIR>\z1484worm5b69.exe"
File:"<$FILE_DATA>","<$WINDIR>\z169ack5oor2854.bin"
File:"<$FILE_DATA>","<$WINDIR>\z19ethrea917045.bin"
File:"<$FILE_DATA>","<$WINDIR>\z2169hack5ool326.bin"
File:"<$FILE_DATA>","<$WINDIR>\z2438not-a-9i5us7a5.ocx"
File:"<$FILE_DATA>","<$WINDIR>\z2718spam95t244.bin"
File:"<$FILE_EXE>","<$WINDIR>\z515th9ef1697.exe"
File:"<$FILE_DATA>","<$WINDIR>\z518vir190.cpl"
File:"<$FILE_DATA>","<$WINDIR>\z5489virus359.cpl"
File:"<$FILE_DATA>","<$WINDIR>\z558threat19755.cpl"
File:"<$FILE_DATA>","<$WINDIR>\z5930hacktool19a.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\z5959spy1d.dll"
File:"<$FILE_DATA>","<$WINDIR>\z5997not-a-v9rus154.ocx"
File:"<$FILE_EXE>","<$WINDIR>\z612ba5kdoor2194.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\z6362virus3985.dll"
File:"<$FILE_EXE>","<$WINDIR>\z6552vi9us49d.exe"
File:"<$FILE_DATA>","<$WINDIR>\z7859virus64d9.bin"
File:"<$FILE_DATA>","<$WINDIR>\z796spamb5t535.bin"
File:"<$FILE_DATA>","<$WINDIR>\z855wormac9.cpl"
File:"<$FILE_EXE>","<$WINDIR>\z891d5wnload9r2382.exe"
File:"<$FILE_DATA>","<$WINDIR>\z8a4spar5e9914.bin"
File:"<$FILE_DATA>","<$WINDIR>\z8th5ef994.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\z9188spy985.dll"
File:"<$FILE_EXE>","<$WINDIR>\z921s5eal1642.exe"
File:"<$FILE_EXE>","<$WINDIR>\z9504virus2cd.exe"
File:"<$FILE_DATA>","<$WINDIR>\z96235pambot54a.cpl"
File:"<$FILE_EXE>","<$WINDIR>\z966addw59e526.exe"
File:"<$FILE_DATA>","<$WINDIR>\z979virus55e.ocx"
File:"<$FILE_DATA>","<$WINDIR>\z9b55teal1461.bin"
File:"<$FILE_LIBRARY>","<$WINDIR>\z9e4backdoor529.dll"
File:"<$FILE_DATA>","<$WINDIR>\zbdcdo9nloade5143.bin"
File:"<$FILE_DATA>","<$WINDIR>\zbf0backdoor13945.cpl"
File:"<$FILE_EXE>","<$WINDIR>\zc21backd5or9264.exe"
File:"<$FILE_EXE>","<$WINDIR>\zce3th59f1201.exe"
File:"<$FILE_LIBRARY>","<$WINDIR>\ze55backdoor1619.dll"
// Suspicious(1):
//Könnte auch ein legaler Eintrag von Microsoft sein
//AutoRun:"MSConfig","C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto","flagifnofile=1"
AutoRun:"MSConfig","<$WINDIR>\PCHealth\HelpCtr\Binaries\MSConfig.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","MSConfig"
//File:"<$FILE_EXE>","C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto"
File:"<$FILE_EXE>","<$WINDIR>\PCHealth\HelpCtr\Binaries\MSConfig.exe"
// Suspicious(2):
//Beim ersten Eintrag ist das Lehrzeichen vor dem eigentlichen Namen WinStart beabsichtigt
AutoRun:" WinStart","<$WINDIR>\Connection Wizard\Status\services.exe","flagifnofile=1"
AutoRun:"_WinStart","<$WINDIR>\Connection Wizard\Status\services.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\"," WinStart"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","_WinStart"
File:"<$FILE_EXE>","<$WINDIR>\Connection Wizard\Status\services.exe"
// Suspicious(3):
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dmsynth32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\fnqwdg.dll"
//RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs",",C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\32822kou.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs",",<$PROFILE>\CONFIGURATION\Temp\32822kou.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dmsynth32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fnqwdg.dll"
//File:"<$FILE_LIBRARY>",",C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\32822kou.dll"
File:"<$FILE_LIBRARY>",",<$PROFILE>\CONFIGURATION\Temp\32822kou.dll"
// Trojan.Autorun:
//AutoRun:"ggmsdcia","rundll32.exe "C:\Users\XXX\AppData\Roaming\ggmsdcia.dll",autorun","flagifnofile=1"
AutoRun:"ggmsdcia","<$APPDATA>\ggmsdcia.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ggmsdcia"
//File:"<$FILE_EXE>","rundll32.exe "C:\Users\XXX\AppData\Roaming\ggmsdcia.dll",autorun"
File:"<$FILE_LIBRARY>","<$APPDATA>\ggmsdcia.dll"
// Trojan.Downloader:
//O4 - Startup: rncsys32.exe
//Pfad: %Documents and Settings%\%USER%\Start Menu\Programs\Startup\
File:"<$FILE_EXE>","<$STARTUP>\rncsys32.exe"
// Trojan.Ertfor:
BrowserHelperEx:"<$SYSDIR>\ghaf8jkdfd.dll",
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A36D2A01-00F3-42BD-F434-00BBC39C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A36D2A01-00F3-42BD-F434-00BBC39C8953}"
BrowserHelperEx:"*","filename=ghaf8jkdfd.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kjhsf87fhjdsfn93rjkndfdf","kjhsf87fhjdsfn93rjkndfdf={A36D2A01-00F3-42BD-F434-00BBC39C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ghaf8jkdfd.dll"
// Trojan.FakeAlert:
//Dateiname zufällig
//AutoRun:"mswindows restore service","C:\DOCUME~1\XXX\LOCALS~1\Temp\vs7xj.exe","flagifnofile=1"
AutoRun:"mswindows restore service","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","mswindows restore service"
//File:"<$FILE_EXE>","C:\DOCUME~1\XXX\LOCALS~1\Temp\vs7xj.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\vs7xj.exe"
//Folgende Dateien fanden sich zusätzlich noch so im logfile:
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\system.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\njce96ic1s.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\login.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\mdm.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\csrss.exe"
// Trojan.SisieD:
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","systemie","systemie={A9B00672-970E-4A98-8128-732145B5C5B5}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\systemie.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sysie.dll"
File:"<$FILE_DATA>","<$SYSDIR>\syfs.dat"
File:"<$FILE_DATA>","<$SYSDIR>\systemie.dat"
File:"<$FILE_DATA>","<$SYSDIR>\sief.dat"
// Trojan.Unknown(1):
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=userinit.exe,I:\WINDOWS\Downloaded Program Files\SVCHOST.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$WINDIR>\Downloaded Program Files\SVCHOST.exe"
File:"<$FILE_EXE>","<$WINDIR>\Downloaded Program Files\SVCHOST.exe"
// Trojan.Unknown(2):
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","load","load=C:\WINDOWS\system32\msbwvg.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","load","<$SYSDIR>\msbwvg.exe"
File:"<$FILE_EXE>","<$SYSDIR>\msbwvg.exe"
// Trojan.Unknown(3):
AutoRun:"Security Gateway","<$SYSDIR>\mslsgw.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Security Gateway"
File:"<$FILE_EXE>","<$SYSDIR>\mslsgw.exe"
// Trojan.Unknown(4):
//AutoRun:"74BE16","<$SYSDIR>\ACF7EF\74BE16.EXE","flagifnofile=1"
AutoRun:"74BE16","<$SYSDIR>\*\74BE16.EXE","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","74BE16"
//File:"<$FILE_EXE>","<$SYSDIR>\ACF7EF\74BE16.EXE"
File:"<$FILE_EXE>","<$SYSDIR>\*\74BE16.EXE"
//Directory:"<$DIR_PROG>","<$SYSDIR>\ACF7EF"
Directory:"<$DIR_PROG>","<$SYSDIR>\*","filename=74B16.EXE"
// Trojan.Unknown(5):
//AutoRun:"way math bike enc","C:\Documents and Settings\All Users\Application Data\cast dale way math\Window Close.exe","flagifnofile=1"
//AutoRun:"way math bike enc","<$COMMONAPPDATA>\cast dale way math\Window Close.exe","flagifnofile=1"
AutoRun:"way math bike enc","<$COMMONAPPDATA>\*\Window Close.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","way math bike enc"
//File:"<$FILE_EXE>","C:\Documents and Settings\All Users\Application Data\cast dale way math\Window Close.exe"
//File:"<$FILE_EXE>","<$COMMONAPPDATA>\cast dale way math\Window Close.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\*\Window Close.exe"
//Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\cast dale way math"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\*","""filename=Window Close.exe"""
// Trojan.Unknown(6):
//AutoRun:"MSxmlHpr","RUNDLL32.EXE C:\WINDOWS\system32\msxm192z.dll,w","flagifnofile=1"
AutoRun:"MSxmlHpr","<$SYSDIR>\msxm192z.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","MSxmlHpr"
//File:"<$FILE_EXE>","RUNDLL32.EXE C:\WINDOWS\system32\msxm192z.dll,w"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msxm192z.dll"
// Trojan.Unknown(7):
//AutoRun:"windows_update.exe","C:\Users\XXX\AppData\Local\Temp\windows_update.exe","flagifnofile=1"
AutoRun:"windows_update.exe","<$LOCALAPPDATA>\Temp\windows_update.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","windows_update.exe"
//File:"<$FILE_EXE>","C:\Users\XXX\AppData\Local\Temp\windows_update.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\windows_update.exe"
// Trojan.Unknown(8):
AutoRun:"gb9iengh.exe","<$SYSDIR>\gb9iengh.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","gb9iengh.exe"
File:"<$FILE_EXE>","<$SYSDIR>\gb9iengh.exe"
// Trojan.Unknown(9):
//AutoRun:"svchost","C:\Users\XXX\AppData\Roaming\svchost.exe","flagifnofile=1"
AutoRun:"svchost","<$LOCALAPPDATA>\svchost.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","svchost"
//File:"<$FILE_EXE>","C:\Users\XXX\AppData\Roaming\svchost.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\svchost.exe"
// Trojan.Unknown(10):
//Die erste CLSID ist zufällig, mit stets dem gleichen Dateinamen xwreg32.dll
ProtocolFilter:"text/html","{49cc33f9-0b04-4bcc-9cae-f1453685d2e8}"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\Protocols\Filter\","text/html","CLSID={49cc33f9-0b04-4bcc-9cae-f1453685d2e8}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xwreg32.dll"
ProtocolFilter:"text/html","{46133d5a-8845-42b8-9257-1c93eaf39415}"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\Protocols\Filter\","text/html","CLSID={46133d5a-8845-42b8-9257-1c93eaf39415}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mst123.dll"
// Trojan.Virtumonde:
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{6b1c77c7-2355-4da4-b753-ba81cae4dd74}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6b1c77c7-2355-4da4-b753-ba81cae4dd74}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{c817a3ae-f46c-4978-8187-cfe965e09184}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{c817a3ae-f46c-4978-8187-cfe965e09184}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{68fd73d5-4f34-4bd9-9817-7864bbbd10af}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{68fd73d5-4f34-4bd9-9817-7864bbbd10af}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{64C07D5B-D7A4-4F9A-8132-4E73C152ABE7}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{64C07D5B-D7A4-4F9A-8132-4E73C152ABE7}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{956A32E7-C27B-4EA7-9621-C595BC383E5A}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{956A32E7-C27B-4EA7-9621-C595BC383E5A}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0FAF4891-E95D-4C03-A388-A14C5C305759}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0FAF4891-E95D-4C03-A388-A14C5C305759}"
//AutoRun:"lomafawipi","Rundll32.exe "C:\WINDOWS\System32\nefuwipi.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\nefuwipi.dll*","flagifnofile=0"
//AutoRun:"CPM6f778433","Rundll32.exe "c:\windows\system32\podabahu.dll",a","flagifnofile=1"
AutoRun:"CPM*","<$SYSDIR>\podabahu.dll*","flagifnofile=1"
//AutoRun:"yujugorowu","Rundll32.exe "C:\WINDOWS\system32\geveyefi.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\geveyefi.dll*","flagifnofile=0"
//Hat mir OpenSBI nicht übernommen:
//O4 - HKUS\S-1-5-19\..\Run: [jijuzozebe] Rundll32.exe "C:\WINDOWS\system32\midamuhi.dll",s (User 'LOCAL SERVICE')
//O4 - HKUS\S-1-5-20\..\Run: [jijuzozebe] Rundll32.exe "C:\WINDOWS\system32\midamuhi.dll",s (User 'NETWORK SERVICE')
AutoRun:"*","<$SYSDIR>\midamuhi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","jijuzozebe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\midamuhi.dll"
//O4 - HKUS\S-1-5-19\..\Run: [lomafawipi] Rundll32.exe "C:\WINDOWS\System32\nefuwipi.dll",s (User 'LOCAL SERVICE')
//O4 - HKUS\S-1-5-20\..\Run: [lomafawipi] Rundll32.exe "C:\WINDOWS\System32\nefuwipi.dll",s (User 'NETWORK SERVICE')
AutoRun:"*","<$SYSDIR>\nefuwipi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","lomafawipi"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nefuwipi.dll"
//O4 - HKUS\S-1-5-19\..\Run: [yujugorowu] Rundll32.exe "C:\WINDOWS\system32\geveyefi.dll",s (User 'LOCAL SERVICE')
//O4 - HKUS\S-1-5-20\..\Run: [yujugorowu] Rundll32.exe "C:\WINDOWS\system32\geveyefi.dll",s (User 'NETWORK SERVICE')
AutoRun:"*","<$SYSDIR>\geveyefi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","yujugorowu"
File:"<$FILE_LIBRARY>","<$SYSDIR>\geveyefi.dll"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","CPM6f778433"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","yujugorowu"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\d3dim70032.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\rurimita.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pitorewe.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\wifokuvi.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","inomhs.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","rvesfr.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","skxauz.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","wrxbze.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","vwwxei.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","khrxna.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","oyfmsd.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\jopuwive.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","sggupe.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","ulvhrp.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\cryptsvc32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yinuyoni.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\podabahu.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","yvxpzs.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","fccayaa","DllName=fccayaa.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","jkhhh","DllName=<$SYSDIR>\jkhhh.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","yayvVPFw","DllName=yayvVPFw.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","144e20b4651","DllName=<$SYSDIR>\d3dim70032.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","4ce715c2651","DllName=<$SYSDIR>\BROSNMP32.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c00260E4","DllName=<$SYSDIR>\__c00260E4.dat"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","mfntfy","DllName=<$SYSDIR>\mfntfy.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","avldr","DllName=<$SYSDIR>\avldr.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","khfGabBt","DllName=<$WINDIR>\"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","sstqr","DllName=<$SYSDIR>\sstqr.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","xxyxxus","DllName=xxyxxus.dll"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","SSODL","SSODL={EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nefuwipi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\podabahu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\geveyefi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dajidomu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nademiso.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yebokafe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nidccwwb.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sstqr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wvUkiFUO.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\d3dim70032.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rurimita.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pitorewe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wifokuvi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\inomhs.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rvesfr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\skxauz.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wrxbze.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vwwxei.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\khrxna.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\oyfmsd.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jopuwive.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sggupe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ulvhrp.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cryptsvc32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yinuyoni.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\podabahu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yvxpzs.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fccayaa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jkhhh.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yayvVPFw.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\d3dim70032.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\BROSNMP32.dll"
File:"<$FILE_DATA>","<$SYSDIR>\__c00260E4.dat"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mfntfy.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\avldr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sstqr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xxyxxus.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wifokuvi.dll"
//Aus einem logfile von ComboFix:
File:"<$FILE_DATA>","<$SYSDIR>\__c001CACF.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c001E440.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c005AA24.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c00E824E.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c00F3C60.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c00FBFA.dat"
//Aus einem logfile von ComboFix:
File:"<$FILE_LIBRARY>","<$SYSDIR>\foraduli.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yeweyefa.dll.tmp"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yugutoyi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iAlmcoin.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\leheziti.dll"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\abefetah.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\abiwakem.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\adawojej.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\afesifav.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\alogowuw.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\alowotak.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\anuperep.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\anuzubog.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\apirakuw.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\avepufit.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\bcxkhpae.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\bxgpccnr.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\byoojvqh.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\cadrcyiy.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\dtehadem.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ebihabom.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ebojobod.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\eheduheg.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ekafewut.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\elejugas.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\eluoupbx.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\emilipus.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\enupubil.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\epudusuz.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\evefapum.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\evipajeh.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\fmqbjiks.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\fqipmghl.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\gfswaose.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ghdwwptg.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\gndkffgr.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\gxyiivlc.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ibekeyup.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ifitejul.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ingvfrhi.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\itewafar.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ixpdnjnm.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\iyawunij.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\iyuhikop.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\jpsnopfg.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\juixssab.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\kfobcccj.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\kgjgjywn.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\lfoyjcpc.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ljgibgiy.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\mmrrbkdp.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\mrmxsqfo.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\nqgkcgsr.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ocmywuwm.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ogoruweh.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ohigedis.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\oiomthhy.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\pbnmpynm.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\sahlaeev.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\salocidu.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\teyobdrl.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ufobobel.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ujubipip.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\uziyezok.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\vqggfjpt.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\vxuohsxx.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\vyfemkxv.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\wqvqllwl.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\yehwvgnc.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ymstvrok.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\eybtncyl.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ubilofam.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\afuvulay.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\igujajow.ini"
// Worm.Alcra:
AutoRun:"msupdate","msupdate.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","msupdate"
File:"<$FILE_EXE>","<$PROGRAMFILES>\MsUpdate\msupdate.exe"
// Worm.Koobface:
//Die ersten 12 Zahlen sind wieder identisch mit den bisherigen
//Aus einem Logfile von ComboFix:
File:"<$FILE_DATA>","<$WINDIR>\010112010146115110.dat"
File:"<$FILE_DATA>","<$WINDIR>\010112010146118114.dat"
File:"<$FILE_DATA>","<$WINDIR>\0101120101465452.dat"
File:"<$FILE_DATA>","<$WINDIR>\0101120101465749.dat"
New Malware v21
Reply With Quote