:: New Malware v31
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2009-10-01}
// Adware.RecipeFeeder:
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{732e5459-a239-4e08-a411-2c6ccf313f1d}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{732e5459-a239-4e08-a411-2c6ccf313f1d}"
BrowserHelperEx:"Bewiki_IE_Extension","filename=adxloader.dll"
IEExtension:"Recipe Feeder"
RegyKey:"<$REG_IEEXTENSION>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Extensions\","{14528701-EB26-4DDD-BDF3-5B3A3BF85CA5}","ButtonText=Recipe Feeder"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Recipe Feeder\Recipe Feeder Explorer Bar\adxloader.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Recipe Feeder\Recipe Feeder Explorer Bar"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Recipe Feeder"
// Adware.Zango.Seekmo:
// AutoRun:"SeekmoOE","C:\Program Files\Seekmo\bin\10.3.85.0\OEAddOn.exe","flagifnofile=1"
// AutoRun:"SeekmoSA",""C:\Program Files\Seekmo\bin\10.3.85.0\SeekmoSA.exe"","flagifnofile=1"
AutoRun:"Seekmo??","<$PROGRAMFILES>\Seekmo\bin\*\*.exe","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","SeekmoOE"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","SeekmoSA"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Seekmo??"
// File:"<$FILE_EXE>","C:\Program Files\Seekmo\bin\10.3.85.0\OEAddOn.exe"
// File:"<$FILE_EXE>",""C:\Program Files\Seekmo\bin\10.3.85.0\SeekmoSA.exe""
File:"<$FILE_EXE>","<$PROGRAMFILES>\Seekmo\bin\*\??AddOn.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Seekmo\bin\*\Seekmo??.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Seekmo\bin\*","filename=Seekmo??.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Seekmo\bin"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Seekmo"
// Malware.Fraud.AlphaAntivirus:
// O4 - HKLM\..\Run: [AlphaAV] C:\Program Files\AlphaAV\AlphaAV.exe
// C:\Program Files\AlphaAV
// C:\Program Files\AlphaAV\AlphaAV.exe
// C:\WINDOWS\system32\msnaoladdon.dll
// %UserProfile%\Desktop\Alpha Antivirus.lnk
// C:\WINDOWS\system32\NetFilter.exe
// C:\WINDOWS\system32\ndisapi.dll
// C:\WINDOWS\system32\drivers\NDISRD.sys
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "AlphaAV"
// HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Alpha Antivirus"
// HKEY_LOCAL_MACHINE\Software\Alpha Antivirus
// HKEY_CURRENT_USER\Software\Alpha Antivirus
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alpha Antivirus
AutoRun:"AlphaAV","<$PROGRAMFILES>\AlphaAV\AlphaAV.exe","flagifnofile=1"
AutoRun:"Alpha Antivirus","<$PROGRAMFILES>\AlphaAV\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","AlphaAV"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Alpha Antivirus"
File:"<$FILE_EXE>","<$PROGRAMFILES>\AlphaAV\AlphaAV.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msnaoladdon.dll"
File:"<$FILE_EXE>","<$SYSDIR>\NetFilter.exe"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ndisapi.dll"
File:"<$FILE_SERVICE>","<$SYSDIR>\drivers\NDISRD.sys"
File:"<$FILE_DESKTOPLINK>","<$DESKTOP>\Alpha Antivirus.lnk"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\AlphaAV"
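RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Software\","Alpha Antivirus"
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\","Alpha Antivirus"
// Uninstall entry: the evidence listed above places it under HKLM\...\Windows\CurrentVersion\Uninstall;
// the rule previously pointed at HKCU and omitted the "Windows\" path component, so it could never match.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Uninstall\","Alpha Antivirus"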
// Malware.Fraud.Antivirus2009:
// AutoRun:"04732247219170634720728826934164","C:\Program Files\Antivirus 2009\av2009.exe","flagifnofile=1"
AutoRun:"*","<$PROGRAMFILES>\Antivirus 2009\av2009.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","04732247219170634720728826934164"
// File:"<$FILE_EXE>","C:\Program Files\Antivirus 2009\av2009.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Antivirus 2009\av2009.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Antivirus 2009"
// Malware.Fraud.AntivirusPro2010:
// AutoRun:"Antivirus Pro 2010",""C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide","flagifnofile=1"
AutoRun:"Antivirus Pro 2010","<$PROGRAMFILES>\AntivirusPro_2010\AntivirusPro_2010.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Antivirus Pro 2010"
// File:"<$FILE_EXE>",""C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide"
File:"<$FILE_EXE>","<$PROGRAMFILES>\AntivirusPro_2010\AntivirusPro_2010.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\AntivirusPro_2010"
// Malware.Fraud.HomePersonalAntivirus:
// O4 - HKCU\..\Run: [HomeAV] %UserProfile%\Desktop\Home Personal Antivirus\homeav.exe
// %UserProfile%\Desktop\Home Personal Antivirus.LNK
// %UserProfile%\Desktop\Home Personal Antivirus
// %UserProfile%\Desktop\Home Personal Antivirus\BtCoreIf64.dll
// %UserProfile%\Desktop\Home Personal Antivirus\homeav.exe
// %UserProfile%\Desktop\Home Personal Antivirus\Microsoft.VC80.CRT.manifest
// %UserProfile%\Desktop\Home Personal Antivirus\msvcm80.dll
// %UserProfile%\Desktop\Home Personal Antivirus\msvcp80.dll
// %UserProfile%\Desktop\Home Personal Antivirus\msvcr80.dll
// %UserProfile%\Desktop\Home Personal Antivirus\null_antivirus.dll
// %UserProfile%\Desktop\Home Personal Antivirus\pthreadVC2.dll
// %UserProfile%\Desktop\Home Personal Antivirus\unistall.exe
// %UserProfile%\Desktop\Home Personal Antivirus\vdb
// %UserProfile%\Desktop\Home Personal Antivirus\vdb\daily.zvd
// %UserProfile%\Start Menu\Home Personal Antivirus.LNK
// HKEY_CURRENT_USER\Software\Home Personal Antivirus
// HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Home Personal Antivirus
// HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "HomeAV"
// Malware.Fraud.SecureFighter:
// O4 - HKCU\..\Run: [jwh2.tmp] C:\WINDOWS\system32\jwh2.tmp
// O4 - HKCU\..\Run: [SecureFighter] C:\Program Files\SecureFighter Software\SecureFighter\SecureFighter.exe -min
// O23 - Service: SecureFighter Security Service (SecureFighterSvc) - Unknown owner - C:\Program Files\SecureFighter Software\SecureFighter\SecureFighterSvc.exe (file missing)
// c:\Documents and Settings\All Users\Desktop\SecureFighter.lnk
// c:\Documents and Settings\All Users\Start Menu\Programs\SecureFighter
// c:\Documents and Settings\All Users\Start Menu\Programs\SecureFighter\1 SecureFighter.lnk
// c:\Documents and Settings\All Users\Start Menu\Programs\SecureFighter\2 Homepage.lnk
// c:\Documents and Settings\All Users\Start Menu\Programs\SecureFighter\3 Uninstall.lnk
// %Temp%\jwh2.tmp
// c:\Program Files\SecureFighter Software
// c:\Program Files\SecureFighter Software\SecureFighter
// c:\Program Files\SecureFighter Software\SecureFighter\SecureFighter.exe
// c:\Program Files\SecureFighter Software\SecureFighter\uninstall.exe
// c:\WINDOWS\10093noz-5-virus2cd.exe
// c:\WINDOWS\10593wormz045.ocx
// c:\WINDOWS\1118zhack5o9l33d.dll
// c:\WINDOWS\system32\27599virus2bz.exe
// c:\WINDOWS\system32\277fvir16z95.ocx
// c:\WINDOWS\system32\279715acztool512.bin
// HKEY_CURRENT_USER\Software\SecureFighter
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SecureFighter
// HKEY_LOCAL_MACHINE\SOFTWARE\SecureFighter
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREFIGHTERSVC
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecureFighterSvc
// HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "jwh2.tmp"
// HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SecureFighter"
// Malware.Fraud.SecureVeteran:
// O4 - HKCU\..\Run: [SecureVeteran] C:\Program Files\SecureVeteran Software\SecureVeteran\SecureVeteran.exe -min
// O4 - HKCU\..\Run: [ucw2.tmp] C:\WINDOWS\system32\ucw2.tmp
// O23 - Service: SecureVeteran Security Service (SecureVeteranSvc) - Unknown owner - C:\Program Files\SecureVeteran Software\SecureVeteran\SecureVeteranSvc.exe (file missing)
// c:\Program Files\SecureVeteran Software
// c:\Program Files\SecureVeteran Software\SecureVeteran
// c:\Program Files\SecureVeteran Software\SecureVeteran\SecureVeteran.exe
// c:\Program Files\SecureVeteran Software\SecureVeteran\uninstall.exe
// c:\Documents and Settings\All Users\Desktop\SecureVeteran.lnk
// c:\Documents and Settings\All Users\Start Menu\Programs\SecureVeteran
// c:\Documents and Settings\All Users\Start Menu\Programs\SecureVeteran\1 SecureVeteran.lnk
// c:\Documents and Settings\All Users\Start Menu\Programs\SecureVeteran\2 Homepage.lnk
// c:\Documents and Settings\All Users\Start Menu\Programs\SecureVeteran\3 Uninstall.lnk
// %Temp%\ucw2.tmp
// c:\WINDOWS\1049zha5k9ool76a.dll
// c:\WINDOWS\111089ot-a-v5ruz7f2.exe
// c:\WINDOWS\111539zoj627.bin
// c:\WINDOWS\11607spy359z.exe
// c:\WINDOWS\system32\1f9fdownzo5der1271.dll
// c:\WINDOWS\system32\1z0fs9yware21825.cpl
// c:\WINDOWS\system32\1z5245pambot52d9.dll
// HKEY_CURRENT_USER\Software\SecureVeteran
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SecureVeteran
// HKEY_LOCAL_MACHINE\SOFTWARE\SecureVeteran
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECUREVETERANSVC
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecureVeteranSvc
// AutoRun:"SecureVeteran","C:\Program Files\SecureVeteran Software\SecureVeteran\SecureVeteran.exe -min","flagifnofile=1"
AutoRun:"SecureVeteran","<$PROGRAMFILES>\SecureVeteran Software\SecureVeteran\SecureVeteran.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SecureVeteran"
File:"<$FILE_EXE>","<$PROGRAMFILES>\SecureVeteran Software\SecureVeteran\SecureVeteran.exe"
// AutoRun:"ucw2.tmp","C:\WINDOWS\system32\ucw2.tmp","flagifnofile=1"
AutoRun:"*.tmp","<$SYSDIR>\*.tmp","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ucw2.tmp"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ucw?.tmp"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\ucw2.tmp"
File:"<$FILE_TEMP>","<$SYSDIR>\ucw?.tmp"
File:"<$FILE_TEMP>","<$WINDIR>\Temp\ucw?.tmp"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","SecureVeteranSvc","ImagePath=<$PROGRAMFILES>\SecureVeteran Software\SecureVeteran\SecureVeteranSvc.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","SecureVeteranSvc","DisplayName=SecureVeteran Security Service"
File:"<$FILE_SERVICE>","<$PROGRAMFILES>\SecureVeteran Software\SecureVeteran\SecureVeteranSvc.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\SecureVeteran Software\SecureVeteran\uninstall.exe"
File:"<$FILE_DESKTOPLINK>","<$COMMONDESKTOP>\SecureVeteran.lnk"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SecureVeteran\1 SecureVeteran.lnk"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SecureVeteran\2 Homepage.lnk"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SecureVeteran\3 Uninstall.lnk"
Directory:"<$DIR_PROG>","<$COMMONPROGRAMS>\SecureVeteran"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SecureVeteran Software\SecureVeteran"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SecureVeteran Software"
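RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Software\","SecureVeteran"
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\","SecureVeteran"
// Uninstall entry: path corrected to include "Windows\", matching the evidence listed above
// (the previous path "\Software\Microsoft\CurrentVersion\Uninstall\" does not exist).
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Uninstall\","SecureVeteran"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\CurrentControlSet\Enum\Root\","LEGACY_SECUREVETERANSVC"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\CurrentControlSet\Services\","SecureVeteranSvc"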
// Malware.Fraud.SecuritySoldier:
// O4 - HKCU\..\Run: [SecuritySoldier] C:\Program Files\SecuritySoldier Software\SecuritySoldier\SecuritySoldier.exe -min
// O4 - HKCU\..\Run: [xsj2.tmp] C:\WINDOWS\system32\xsj2.tmp
// O23 - Service: SecuritySoldier Security Service (SecuritySoldierSvc) - Unknown owner - C:\Program Files\SecuritySoldier Software\SecuritySoldier\SecuritySoldierSvc.exe (file missing)
// c:\Program Files\SecuritySoldier Software
// c:\Program Files\SecuritySoldier Software\SecuritySoldier
// c:\Program Files\SecuritySoldier Software\SecuritySoldier\SecuritySoldier.exe
// c:\Program Files\SecuritySoldier Software\SecuritySoldier\uninstall.exe
// c:\Documents and Settings\All Users\Desktop\SecuritySoldier.lnk
// c:\Documents and Settings\All Users\Start Menu\Programs\SecuritySoldier
// c:\Documents and Settings\All Users\Start Menu\Programs\SecuritySoldier\1 SecuritySoldier.lnk
// c:\Documents and Settings\All Users\Start Menu\Programs\SecuritySoldier\2 Homepage.lnk
// c:\Documents and Settings\All Users\Start Menu\Programs\SecuritySoldier\3 Uninstall.lnk
// %Temp%\xsj2.tmp
// c:\WINDOWS\1055zv5rus2999.bin
// c:\WINDOWS\1115zt9al2717.ocx
// c:\WINDOWS\115299acktozl19d.ocx
// c:\WINDOWS\system32\155615otza-virus394.ocx
// c:\WINDOWS\system32\15606wzrm5a95.dll
// c:\WINDOWS\system32\15845tz9j17f.bin
// HKEY_CURRENT_USER\Software\SecuritySoldier
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SecuritySoldier
// HKEY_LOCAL_MACHINE\SOFTWARE\SecuritySoldier
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECURITYSOLDIERSVC
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuritySoldierSvc
// HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SecuritySoldier"
// HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "xsj2.tmp"
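AutoRun:"SecuritySoldier","<$PROGRAMFILES>\SecuritySoldier Software\SecuritySoldier\SecuritySoldier.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SecuritySoldier"
// File name corrected: the evidence above lists SecuritySoldier.exe, not SecuritySoldier.exe.exe
File:"<$FILE_EXE>","<$PROGRAMFILES>\SecuritySoldier Software\SecuritySoldier\SecuritySoldier.exe"
AutoRun:"*.tmp","<$SYSDIR>\*.tmp","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","xsj?.tmp"
File:"<$FILE_TEMP>","<$SYSDIR>\xsj?.tmp"
File:"<$FILE_TEMP>","<$WINDIR>\Temp\xsj?.tmp"
// O23 - Service: SecuritySoldier Security Service (SecuritySoldierSvc) - Unknown owner - C:\Program Files\SecuritySoldier Software\SecuritySoldier\SecuritySoldierSvc.exe (file missing)
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","SecuritySoldierSvc","ImagePath=<$PROGRAMFILES>\SecuritySoldier Software\SecuritySoldier\SecuritySoldierSvc.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","SecuritySoldierSvc","DisplayName=SecuritySoldier Security Service"
// Service binary tagged <$FILE_SERVICE> for consistency with the SecureVeteran rules (same O23 service pattern)
File:"<$FILE_SERVICE>","<$PROGRAMFILES>\SecuritySoldier Software\SecuritySoldier\SecuritySoldierSvc.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\SecuritySoldier Software\SecuritySoldier\uninstall.exe"
File:"<$FILE_DESKTOPLINK>","<$COMMONDESKTOP>\SecuritySoldier.lnk"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SecuritySoldier\1 SecuritySoldier.lnk"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SecuritySoldier\2 Homepage.lnk"
File:"<$FILE_LINK>","<$COMMONPROGRAMS>\SecuritySoldier\3 Uninstall.lnk"
Directory:"<$DIR_PROG>","<$COMMONPROGRAMS>\SecuritySoldier"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SecuritySoldier Software\SecuritySoldier"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SecuritySoldier Software"
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\","SecuritySoldier"
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\","SecuritySoldier"
// Hive name corrected: "LOCAL_MACHINE" is not a valid hive identifier; the rules below use HKEY_LOCAL_MACHINE
// like every other HKLM rule in this file (the evidence above lists these keys under HKEY_LOCAL_MACHINE)
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\Software\","SecuritySoldier"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\CurrentControlSet\Enum\Root\","LEGACY_SECURITYSOLDIERSVC"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\CurrentControlSet\Services\","SecuritySoldierSvc"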
// Malware.Fraud.SecurityTool:
// This rogue, like SystemGuard2009, uses random folder and file names (consisting only of digits, I suspect).
// I hope you can make something of this; my means are unfortunately too limited :-)
// AutoRun:"4946550101","%UserProfile%\Application Data\4946550101\4946550101.exe","flagifnofile=1"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","4946550101"
// File:"<$FILE_EXE>","%UserProfile%\Application Data\4946550101\4946550101.exe"
// AutoRun:"Install","%UserProfile%\Application Data\4946550101\4946550101.bat","flagifnofile=1"
AutoRun:"Install","<$APPDATA>\*\*.bat","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Install"
// File:"<$FILE_EXE>","%UserProfile%\Application Data\4946550101\4946550101.bat"
// File:"<$FILE_DATA>","<$APPDATA>\*\*.bat"
// %UserProfile%\Application Data\4946550101
// %UserProfile%\Application Data\4946550101\4946550101.bat
// %UserProfile%\Application Data\4946550101\4946550101.cfg
// %UserProfile%\Application Data\4946550101\4946550101.exe
File:"<$FILE_DESKTOPLINK>","<$DESKTOP>\Security Tool.lnk"
File:"<$FILE_LINK>","<$PROGRAMS>\Security Tool.lnk"
// HKEY_CURRENT_USER\Software\Security Tool
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\Software\Security Tool\","SystemCopSvc"
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "4946550101"
// Malware.Fraud.SpywareGuard2008:
// AutoRun:"spywareguard","C:\Program Files\Spyware Guard 2008\spywareguard.exe","flagifnofile=1"
AutoRun:"spywareguard","<$PROGRAMFILES>\Spyware Guard 2008\spywareguard.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","spywareguard"
// File:"<$FILE_EXE>","C:\Program Files\Spyware Guard 2008\spywareguard.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Spyware Guard 2008\spywareguard.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Spyware Guard 2008"
// Malware.Fraud.SystemErrorFixer:
// AutoRun:"SystemErrorFixer","C:\Program Files\SystemErrorFixer\SysRep.exe","flagifnofile=1"
AutoRun:"SystemErrorFixer","<$PROGRAMFILES>\SystemErrorFixer\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","SystemErrorFixer"
File:"<$FILE_EXE>","<$PROGRAMFILES>\SystemErrorFixer\SysRep.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SystemErrorFixer"
// Malware.Fraud.TotalSecurity:
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}"
BrowserHelperEx:"%26IE Help","filename=iehelpmod.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iehelpmod.dll"
// Malware.Fraud.WindowsPCDefender:
// AutoRun:"Windows PC Defender",""C:\Documents and Settings\All Users\Application Data\7fea017\WP7fea.exe" /s /d","flagifnofile=1"
// AutoRun:"Windows PC Defender",""C:\ProgramData\409ffa4\WP409f.exe" /s /d","flagifnofile=1"
AutoRun:"Windows PC Defender","<$COMMONAPPDATA>\*\*.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows PC Defender"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows PC Defender"
// File:"<$FILE_EXE>",""C:\Documents and Settings\All Users\Application Data\7fea017\WP7fea.exe" /s /d"
// File:"<$FILE_EXE>",""C:\ProgramData\409ffa4\WP409f.exe" /s /d"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\*\WP*.exe"
Directory:"<$DIR_PROG>","<$COMMONAPPDATA>\*","filename=WP*.exe"
// Malware.Fraud.WindowsPolicePro:
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","AntipPolice_","ImagePath=<$WINDIR>\svchast.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","AntipPolice_","DisplayName=AntiPol"
File:"<$FILE_EXE>","<$WINDIR>\svchast.exe"
// Malware.Infostealer.Gamepass:
// AutoRun:"cdoosoft","C:\DOCUME~1\myla\LOCALS~1\Temp\herss.exe","flagifnofile=1"
AutoRun:"cdoosoft","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","cdoosoft"
// File:"<$FILE_EXE>","C:\DOCUME~1\myla\LOCALS~1\Temp\herss.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\herss.exe"
// AutoRun:"dorfgwe","C:\DOCUME~1\user\LOCALS~1\Temp\uret463.exe","flagifnofile=1"
AutoRun:"dorfgwe","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","dorfgwe"
// File:"<$FILE_EXE>","C:\DOCUME~1\user\LOCALS~1\Temp\uret463.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\uret???.exe"
// Malware.LOP:
// AutoRun:"Part browse safe hold","C:\Documents and Settings\All Users\Application Data\Audio 4 part browse\Idle Eq.exe","flagifnofile=1"
AutoRun:"Part browse safe hold","<$COMMONAPPDATA>\*\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Part browse safe hold"
// File:"<$FILE_EXE>","C:\Documents and Settings\All Users\Application Data\Audio 4 part browse\Idle Eq.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\Audio 4 part browse\Idle Eq.exe"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\Audio 4 part browse"
// AutoRun:"freeelse","C:\DOCUME~1\Mark\APPLIC~1\JOYLON~1\user less.exe","flagifnofile=1"
AutoRun:"freeelse","<$APPDATA>\*\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","freeelse"
// File:"<$FILE_EXE>","C:\DOCUME~1\Mark\APPLIC~1\JOYLON~1\user less.exe"
File:"<$FILE_EXE>","<$APPDATA>\JOYLON*\user less.exe"
Directory:"<$DIR_APPDATA>","<$APPDATA>\JOYLON*"
// Malware.Mirar:
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{44B27724-D579-42BC-8F68-76EEC6ADAB96}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{44B27724-D579-42BC-8F68-76EEC6ADAB96}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{FDD312BA-F684-4A1A-9AB9-494D7B8A9F89}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{FDD312BA-F684-4A1A-9AB9-494D7B8A9F89}"
// BrowserHelperEx:"Mirar","filename=winla77.dll"
BrowserHelperEx:"Mirar","filename=*.dll"
// File:"<$FILE_LIBRARY>","C:\WINDOWS\system32\winla77.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\winla??.dll"
// Malware.PurityScan:
// The name of the autorun entry is fixed (only the file path varies)
// AutoRun:"Sen","C:\Program Files\bama\tlii.exe","flagifnofile=1"
AutoRun:"Sen","<$PROGRAMFILES>\*\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Sen"
// File:"<$FILE_EXE>","C:\Program Files\bama\tlii.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\*\tlii.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\*","filename=tlii.exe"
// Malware.Virut:
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","NetLogin","ImagePath=<$WINDIR>\svchost.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","NetLogin","DisplayName=Net Login"
File:"<$FILE_EXE>","<$WINDIR>\svchost.exe"
// PUPS.ALOT.Toolbar:
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}"
BrowserHelperEx:"ALOT Toolbar","filename=alot.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\alot\bin\alot.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\alot\bin"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\alot"
// PUPS.Conduit/EffectiveBrand.Free_Ride_Games:
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\","{f92a9fe4-2850-4198-b9d5-279880e49b16}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{f92a9fe4-2850-4198-b9d5-279880e49b16}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{f92a9fe4-2850-4198-b9d5-279880e49b16}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{f92a9fe4-2850-4198-b9d5-279880e49b16}"
BrowserHelperEx:"Free Ride Games Toolbar","filename=tbFree.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Free_Ride_Games\tbFree.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Free_Ride_Games"
// PUPS.Conduit/EffectiveBrand.P2P_Energy:
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\","{2bae58c2-79f9-45d1-a286-81f911301c3a}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{2bae58c2-79f9-45d1-a286-81f911301c3a}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{2bae58c2-79f9-45d1-a286-81f911301c3a}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{2bae58c2-79f9-45d1-a286-81f911301c3a}"
BrowserHelperEx:"P2P Energy Toolbar","filename=tbP2P_.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\P2P_Energy\tbP2P_.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\P2P_Energy"
// PUPS.FastBrowserSearchToolbar:
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\","{91C18ED5-5E1C-4AE5-A148-A861DE8C8E16}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{F0626A63-410B-45E2-99A1-3F2475B2D695}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{F0626A63-410B-45E2-99A1-3F2475B2D695}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{1BB22D38-A411-4B13-A746-C2A4F4EC7344}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{1BB22D38-A411-4B13-A746-C2A4F4EC7344}"
BrowserHelperEx:"Search Assistant","filename=BHO.dll"
BrowserHelperEx:"Fast Browser Search Toolbar","filename=FBStoolbar.dll"
// AutoRun:"FBSSA","<$PROGRAMFILES>\SGPSA\ie3sh.exe","flagifnofile=1"
AutoRun:"FBSSA","<$PROGRAMFILES>\SGPSA\ie?sh.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","FBSSA"
// File:"<$FILE_EXE>","<$PROGRAMFILES>\SGPSA\ie3sh.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\SGPSA\ie?sh.exe"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\SGPSA\BHO.dll"
// File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\SGPSA\mtwb3sh.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\SGPSA\mtwb?sh.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Fast Browser Search\IE\FBStoolbar.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\SGPSA"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Fast Browser Search\IE"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Fast Browser Search"
// PUPS.GameVance:
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{7370F91F-6994-4595-9949-601FA2261C8D}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{7370F91F-6994-4595-9949-601FA2261C8D}"
// BrowserHelperEx:"Gamevance","filename=gamevancelib32.dll"
BrowserHelperEx:"Gamevance","filename=gamevancelib??.dll"
BrowserHelperEx:"Gamevance Text","filename=gvtl.dll"
// File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Gamevance\gamevancelib32.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Gamevance\gamevancelib??.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Gamevance\gvtl.dll"
// AutoRun:"Gamevance","C:\Program Files\Gamevance\gamevance32.exe","flagifnofile=1"
AutoRun:"Gamevance","<$PROGRAMFILES>\Gamevance\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Gamevance"
// File:"<$FILE_EXE>","C:\Program Files\Gamevance\gamevance32.exe"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Gamevance\gamevance??.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Gamevance"
// PUPS.MyWebSearch:
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\","{4D25F926-B9FE-4682-BF72-8AB8210D6D75}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\MyWaySA\SrchAsDe\deSrcAs.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\MyWaySA\SrchAsDe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\MyWaySA"
// Spyware.AdRotator:
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{D3BB1FCC-83D0-B92C-DE59-148DFB474BFB}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{D3BB1FCC-83D0-B92C-DE59-148DFB474BFB}"
// BrowserHelperEx:"precisead search enhancer","filename=inamknggbo.dll"
BrowserHelperEx:"precisead search enhancer","filename=*.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\inamknggbo.dll"
// Suspicious(1):
// AutoRun:"","C:\WINDOWS\system32\drivers\BPP Budget","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\drivers\BPP Budget","flagifnofile=0"
// RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\",""
// File:"<$FILE_EXE>","C:\WINDOWS\system32\drivers\BPP Budget"
File:"<$FILE_DATA>","<$SYSDIR>\drivers\BPP Budget"
// Suspicious(2):
// O1 - Hosts: 74.206.175.177 nexon.net
// O1 - Hosts: 74.206.175.177 www.nexon.net
// O1 - Hosts: 74.206.175.177 maplestory.nexon.net
// O1 - Hosts: 74.206.175.177 maplestory.com
// O1 - Hosts: 74.206.175.177 www.maplestory.com
// O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
// O1 - Hosts: 206.53.61.77 google.ae
// O1 - Hosts: 206.53.61.77 google.as
// O1 - Hosts: 206.53.61.77 google.at
// O1 - Hosts: 206.53.61.77 google.az
// O1 - Hosts: 206.53.61.77 google.ba
// O1 - Hosts: 206.53.61.77 google.be
// O1 - Hosts: 206.53.61.77 google.bg
// O1 - Hosts: 206.53.61.77 google.bs
// O1 - Hosts: 206.53.61.77 google.ca
// O1 - Hosts: 206.53.61.77 google.cd
// O1 - Hosts: 206.53.61.77 google.com.gh
// O1 - Hosts: 206.53.61.77 google.com.gi
// O1 - Hosts: 206.53.61.77 google.com.hk
// O1 - Hosts: 206.53.61.77 google.com.jm
// O1 - Hosts: 206.53.61.77 google.com.ly
// O1 - Hosts: 206.53.61.77 google.com.mx
// O1 - Hosts: 206.53.61.77 google.com.my
// O1 - Hosts: 206.53.61.77 google.com.na
// O1 - Hosts: 206.53.61.77 google.com.nf
// O1 - Hosts: 206.53.61.77 google.com.ng
// O1 - Hosts: 206.53.61.77 google.ch
// O1 - Hosts: 206.53.61.77 google.com.np
// O1 - Hosts: 206.53.61.77 google.com.om
// O1 - Hosts: 206.53.61.77 google.com.pa
// O1 - Hosts: 206.53.61.77 google.com.pr
// O1 - Hosts: 206.53.61.77 google.com.qa
// O1 - Hosts: 206.53.61.77 google.com.sg
// O1 - Hosts: 206.53.61.77 google.com.tj
// O1 - Hosts: 206.53.61.77 google.com.tr
// O1 - Hosts: 206.53.61.77 google.com.tw
// O1 - Hosts: 206.53.61.77 google.com.ua
// O1 - Hosts: 206.53.61.77 google.dj
// O1 - Hosts: 206.53.61.77 google.com.vc
// O1 - Hosts: 206.53.61.77 google.it.ao
// O1 - Hosts: 206.53.61.77 google.de
// O1 - Hosts: 206.53.61.77 google.dk
// O1 - Hosts: 206.53.61.77 google.dm
// O1 - Hosts: 206.53.61.77 google.dz
// O1 - Hosts: 206.53.61.77 google.ee
// O1 - Hosts: 206.53.61.77 google.fi
// O1 - Hosts: 206.53.61.77 google.fm
// O1 - Hosts: 206.53.61.77 google.fr
// O1 - Hosts: 206.53.61.77 google.ge
// O1 - Hosts: 206.53.61.77 google.gg
// O1 - Hosts: 206.53.61.77 google.gm
// O1 - Hosts: 206.53.61.77 google.gr
// O1 - Hosts: 206.53.61.77 google.gy
// O1 - Hosts: 206.53.61.77 google.ht
// O1 - Hosts: 206.53.61.77 google.ie
// O1 - Hosts: 206.53.61.77 google.im
// O1 - Hosts: 206.53.61.77 google.in
// O1 - Hosts: 206.53.61.77 google.it
// O1 - Hosts: 206.53.61.77 google.ki
// O1 - Hosts: 206.53.61.77 google.kz
// O1 - Hosts: 206.53.61.77 google.la
// O1 - Hosts: 206.53.61.77 google.li
// O1 - Hosts: 206.53.61.77 google.lk
// O1 - Hosts: 206.53.61.77 google.lv
// O1 - Hosts: 206.53.61.77 google.ma
// O1 - Hosts: 206.53.61.77 google.md
// O1 - Hosts: 206.53.61.77 google.ms
// O1 - Hosts: 206.53.61.77 google.mu
// O1 - Hosts: 206.53.61.77 google.mv
// O1 - Hosts: 206.53.61.77 google.mw
// O1 - Hosts: 206.53.61.77 google.nl
// O1 - Hosts: 206.53.61.77 google.no
// O1 - Hosts: 206.53.61.77 google.nr
// O1 - Hosts: 206.53.61.77 google.nu
// O1 - Hosts: 206.53.61.77 google.pl
// O1 - Hosts: 206.53.61.77 google.pn
// O1 - Hosts: 206.53.61.77 google.pt
// O1 - Hosts: 206.53.61.77 google.ro
// O1 - Hosts: 206.53.61.77 google.ru
// O1 - Hosts: 206.53.61.77 google.rw
// O1 - Hosts: 206.53.61.77 google.sc
// O1 - Hosts: 206.53.61.77 google.se
// O1 - Hosts: 206.53.61.77 google.sh
// O1 - Hosts: 206.53.61.77 google.si
// O1 - Hosts: 206.53.61.77 google.sm
// O1 - Hosts: 206.53.61.77 google.sn
// O1 - Hosts: 206.53.61.77 google.st
// O1 - Hosts: 206.53.61.77 google.tl
// O1 - Hosts: 206.53.61.77 google.tm
// O1 - Hosts: 206.53.61.77 google.tt
// O1 - Hosts: 206.53.61.77 google.us
// O1 - Hosts: 206.53.61.77 google.vg
// O1 - Hosts: 206.53.61.77 google.vu
// O1 - Hosts: 206.53.61.77 google.ws
// O1 - Hosts: 206.53.61.77 google.co.bw
// O1 - Hosts: 206.53.61.77 google.co.ck
// O1 - Hosts: 206.53.61.77 google.co.id
// O1 - Hosts: 206.53.61.77 google.co.il
// O1 - Hosts: 206.53.61.77 google.co.in
// O1 - Hosts: 206.53.61.77 google.co.jp
// O1 - Hosts: 206.53.61.77 google.co.ke
// O1 - Hosts: 206.53.61.77 google.co.kr
// O1 - Hosts: 206.53.61.77 google.co.ls
// O1 - Hosts: 206.53.61.77 google.co.ma
// O1 - Hosts: 206.53.61.77 google.co.mz
// O1 - Hosts: 206.53.61.77 google.co.nz
// O1 - Hosts: 206.53.61.77 google.co.th
// O1 - Hosts: 74.125.45.100 4-open-davinci.com
// O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
// O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
// O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
// O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
// O1 - Hosts: 74.125.45.100 secure-plus-payments.com
// O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
// O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
// O1 - Hosts: 74.125.45.100 www.getavplusnow.com
// O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
// O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
// O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
// Trojan.Agent(1):
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{BD389B4D-F612-3AD3-B593-2F487D256161}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{BD389B4D-F612-3AD3-B593-2F487D256161}"
// BrowserHelperEx:"D","filename=xwr26881.dll"
BrowserHelperEx:"D","filename=xwr?????.dll"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\xwr26881.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xwr?????.dll"
// Trojan.Agent(2):
AutoRun:"winupdate.exe","<$SYSDIR>\winupdate.exe","flagifnofile=1"
// AutoRun:"rs32net","C:\WINDOWS\System32\rs32net.exe","flagifnofile=1"
AutoRun:"rs??net","<$SYSDIR>\rs??net.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","winupdate.exe"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","rs32net"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","rs??net"
// RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","rs32net"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","rs??net"
File:"<$FILE_EXE>","<$SYSDIR>\winupdate.exe"
// File:"<$FILE_EXE>","C:\WINDOWS\System32\rs32net.exe"
File:"<$FILE_EXE>","<$SYSDIR>\rs??net.exe"
// Trojan.Agent(3):
// AutoRun:"MeuPrograma","C:\Documents and Settings\Elise Carper\iexplore.exe","flagifnofile=1"
AutoRun:"MeuPrograma","<$PROFILE>\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","MeuPrograma"
// File:"<$FILE_EXE>","C:\Documents and Settings\Elise Carper\iexplore.exe"
File:"<$FILE_EXE>","<$PROFILE>\iexplore.exe"
// Trojan.Agent(4):
// AutoRun:"svchost","C:\Users\Eric\AppData\Local\Temp\y.exy","flagifnofile=1"
AutoRun:"svchost","<$LOCALAPPDATA>\Temp\*.*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","svchost"
// File:"<$FILE_EXE>","C:\Users\Eric\AppData\Local\Temp\y.exy"
File:"<$FILE_DATA>","<$LOCALAPPDATA>\Temp\?.ex?"
// Trojan.Agent(5):
// AutoRun:"Microsoft Windows logon process","C:\Users\ingunn\AppData\Roaming\Microsoft\Windows\winlogon.exe","flagifnofile=1"
AutoRun:"Microsoft Windows logon process","<$APPDATA>\Microsoft\Windows\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Windows logon process"
// File:"<$FILE_EXE>","C:\Users\ingunn\AppData\Roaming\Microsoft\Windows\winlogon.exe"
File:"<$FILE_EXE>","<$APPDATA>\Microsoft\Windows\winlogon.exe"
// Trojan.Agent(6):
// AutoRun:"Cerberus","C:\Users\kevin\AppData\Roaming\Cerberus\svhost.exe","flagifnofile=1"
AutoRun:"Cerberus","<$APPDATA>\Cerberus\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Cerberus"
// File:"<$FILE_EXE>","C:\Users\kevin\AppData\Roaming\Cerberus\svhost.exe"
File:"<$FILE_EXE>","<$APPDATA>\Cerberus\*.exe"
Directory:"<$DIR_APPDATA>","<$APPDATA>\Cerberus"
// Trojan.Agent(7):
// AutoRun:"ter8m","RUNDLL32.EXE C:\Users\Brady\AppData\Local\Temp\msxm192z.dll,w","flagifnofile=1"
AutoRun:"ter?m","<$LOCALAPPDATA>\Temp\*.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ter8m"
// File:"<$FILE_EXE>","RUNDLL32.EXE C:\Users\Brady\AppData\Local\Temp\msxm192z.dll,w"
// NOTE(review): the AutoRun entry above wildcards the value name as "ter?m", but the RegyValue entry keeps the literal "ter8m"; a variant with another digit would have its DLL caught while its Run value is left behind. Align the RegyValue name with the AutoRun name, as the "rs??net" pair further up does.
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\Temp\msxm???z.dll"
// Trojan.Agent(8):
// AutoRun:"ieupdate",""C:\WINDOWS\system32\explorer32.exe","flagifnofile=1"
AutoRun:"ieupdate","<$SYSDIR>\explorer??.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ieupdate"
// File:"<$FILE_EXE>",""C:\WINDOWS\system32\explorer32.exe"
File:"<$FILE_EXE>","<$SYSDIR>\explorer??.exe"
// AutoRun:"Windows Service","C:\Documents and Settings\Owner\service.exe","flagifnofile=1"
AutoRun:"Windows Service","<$PROFILE>\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Service"
// File:"<$FILE_EXE>","C:\Documents and Settings\Owner\service.exe"
File:"<$FILE_EXE>","<$PROFILE>\service.exe"
// Trojan.Agent(9):
// AutoRun:"LSA Shellu","C:\Users\bby\lsass.exe","flagifnofile=1"
AutoRun:"LSA Shellu","<$PROFILE>\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","LSA Shellu"
// File:"<$FILE_EXE>","C:\Users\bby\lsass.exe" ; Verdacht auf Rootkiteigenschaften
NTFile:"<$FILE_EXE>","<$PROFILE>\lsass.exe"
// Trojan.Agent(10):
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","sofatnet","ImagePath=<$SYSDIR>\sofatnet.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","sofatnet","DisplayName=sofatnet Service"
File:"<$FILE_EXE>","<$SYSDIR>\sofatnet.exe"
// Aus einem Logfile von MBAM:
// HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sofatnet
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\ControlSet001\Services\","sofatnet"
// HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sofatnet
// NOTE(review): only the control sets that appeared in this one log (001 and 003) are listed; on another machine the same service key may also persist under ControlSet002.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\ControlSet003\Services\","sofatnet"
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sofatnet
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SYSTEM\CurrentControlSet\Services\","sofatnet"
// Folgende beiden Dateien wurden ebenfalls von MBAM gelöscht:
// File:"<$FILE_EXE>","<$SYSDIR>\wiwow64.exe"
File:"<$FILE_EXE>","<$SYSDIR>\wiwow??.exe"
File:"<$FILE_EXE>","<$SYSDIR>\wmdtc.exe"
// Trojan.Agent(11):
// NOTE(review): "BITS" is also the name of the legitimate Background Intelligent Transfer Service. The two entries below must keep their ImagePath constraint and never be reduced to a name-only match; the image under <$WINDIR>\help (the genuine rundll32.exe lives in <$SYSDIR>) is the distinguishing indicator.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","BITS","ImagePath=<$WINDIR>\help\rundll32.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","BITS","DisplayName=Background Intelligent Transfer Service"
File:"<$FILE_EXE>","<$WINDIR>\help\rundll32.exe"
// Trojan.Autorun:
// AutoRun:"windll","C:\WINDOWS\system32\windotnetsrv.exe","flagifnofile=1"
AutoRun:"windll","<$SYSDIR>\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","windll"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\windotnetsrv.exe"
File:"<$FILE_EXE>","<$SYSDIR>\windotnetsrv.exe"
// Trojan.Clicker:
// RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","Net_Login","ImagePath=C:\WINDOWS\svchust.exe"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","Net_Login","ImagePath=<$WINDIR>\svchust.exe"
File:"<$FILE_EXE>","<$WINDIR>\svchust.exe"
// Trojan.IRC.Backdoor:
// AutoRun:"SVCHOST.EXE","C:\WINDOWS\system32\drivers\svchost.exe","flagifnofile=1"
AutoRun:"SVCHOST.EXE","<$SYSDIR>\drivers\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SVCHOST.EXE"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\drivers\svchost.exe"
File:"<$FILE_EXE>","<$SYSDIR>\drivers\svchost.exe"
// Trojan.Matcash:
// AutoRun:"gadcom",""C:\Documents and Settings\Owner\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310","flagifnofile=1"
AutoRun:"gadcom","<$APPDATA>\gadcom\gadcom.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","gadcom"
// File:"<$FILE_EXE>",""C:\Documents and Settings\Owner\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310"
File:"<$FILE_EXE>","<$APPDATA>\gadcom\gadcom.exe"
Directory:"<$DIR_APPDATA>","<$APPDATA>\gadcom"
// Trojan.Pigax:
// AutoRun:"Internet Connection Wizard Setup Tool","C:\Program Files\Internet Explorer\Connection Wizard\icwsetup.exe","flagifnofile=1"
AutoRun:"Internet Connection Wizard Setup Tool","<$PROGRAMFILES>\Internet Explorer\Connection Wizard\icwsetup.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Internet Connection Wizard Setup Tool"
File:"<$FILE_EXE>","<$PROGRAMFILES>\Internet Explorer\Connection Wizard\icwsetup.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\temp\icwsetup.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\microsoft\shortcuts\icwsetup.exe"
// Trojan.Unknown(1):
// Natürlich könnte man hier sagen, dass alles zufällig und daher nicht zu gebrauchen ist, aber:
// Ich bezweifle, dass es eine gute Datei mit nur EINEM Buchstaben als O4 Eintrag unter SYSDIR gibt ;-)
// AutoRun:"17309","C:\WINDOWS\system32\E.tmp.exe","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\?.tmp.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","17309"
// File:"<$FILE_EXE>","C:\WINDOWS\system32\E.tmp.exe"
File:"<$FILE_EXE>","<$SYSDIR>\?.tmp.exe"
// Trojan.Unknown(2):
// AutoRun:"PopRock","C:\Users\Wendy\AppData\Local\Temp\b.exe","flagifnofile=1"
AutoRun:"PopRock","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","PopRock"
// File:"<$FILE_EXE>","C:\Users\Wendy\AppData\Local\Temp\b.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\?.exe"
// Trojan.Virtumonde.Reloaded:
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{1E260CDB-9D1A-44C0-9FD7-CE5D5C251311}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{1E260CDB-9D1A-44C0-9FD7-CE5D5C251311}"
BrowserHelperEx:"*","filename=rqRJBtuu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rqRJBtuu.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0FF89104-98D4-441F-A45E-FCC49A07AD49}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0FF89104-98D4-441F-A45E-FCC49A07AD49}"
BrowserHelperEx:"*","filename=xkwqkokd.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xkwqkokd.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{9C3CC3BA-DC4B-43B1-BAEF-B2B15C8DA9FD}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{9C3CC3BA-DC4B-43B1-BAEF-B2B15C8DA9FD}"
BrowserHelperEx:"*","filename=dpwsockr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dpwsockr.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{1a6f9dec-da71-4d34-829e-c090119145fe}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{1a6f9dec-da71-4d34-829e-c090119145fe}"
BrowserHelperEx:"*","filename=vuyohasu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vuyohasu.dll"
// AutoRun:"calc","rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0","flagifnofile=1"
AutoRun:"calc","<$SYSDIR>\calc.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","calc"
// File:"<$FILE_EXE>","rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0"
File:"<$FILE_LIBRARY>","<$SYSDIR>\calc.dll"
// AutoRun:"tamuwiden","Rundll32.exe "c:\windows\system32\mifolole.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\mifolole.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","tamuwiden"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\mifolole.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mifolole.dll"
// AutoRun:"puyotahiv","Rundll32.exe "c:\windows\system32\husenafe.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\husenafe.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","puyotahiv"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\husenafe.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\husenafe.dll"
// AutoRun:"jsf8uiw3jnjgffght","C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogin.exe","flagifnofile=1"
AutoRun:"*","<$LOCALSETTINGS>\Temp\winlogin.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","jsf8uiw3jnjgffght"
// File:"<$FILE_EXE>","C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogin.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\winlogin.exe"
// AutoRun:"Kqehacoyus","rundll32.exe "C:\WINDOWS\Tbocifa.dll",e","flagifnofile=1"
AutoRun:"*","<$WINDIR>\Tbocifa.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Kqehacoyus"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\Tbocifa.dll",e"
File:"<$FILE_LIBRARY>","<$WINDIR>\Tbocifa.dll"
// AutoRun:"jsg8jfgfdfhfhf","C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogun.exe","flagifnofile=1"
AutoRun:"*","<$LOCALSETTINGS>\Temp\winlogun.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","jsg8jfgfdfhfhf"
// File:"<$FILE_EXE>","C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogun.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\winlogun.exe"
// AutoRun:"Yvunoyaraqesaciw","rundll32.exe "C:\WINDOWS\ewimeqaguvi.dll",e","flagifnofile=1"
AutoRun:"*","<$WINDIR>\ewimeqaguvi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Yvunoyaraqesaciw"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\ewimeqaguvi.dll",e"
File:"<$FILE_LIBRARY>","<$WINDIR>\ewimeqaguvi.dll"
// AutoRun:"f419baca","rundll32.exe "C:\WINDOWS\system32\rbiiewau.dll",b","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\rbiiewau.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","f419baca"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\system32\rbiiewau.dll",b"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rbiiewau.dll"
// AutoRun:"e84c69b7","rundll32.exe "C:\Users\bby\AppData\Local\Temp\fxtkupfu.dll",b","flagifnofile=1"
AutoRun:"*","<$LOCALAPPDATA>\Temp\fxtkupfu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","e84c69b7"
// File:"<$FILE_EXE>","rundll32.exe "C:\Users\bby\AppData\Local\Temp\fxtkupfu.dll",b"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\Temp\fxtkupfu.dll"
// AutoRun:"cmds","rundll32.exe C:\Users\bby\AppData\Local\Temp\jkKbXRjI.dll,c","flagifnofile=1"
AutoRun:"*","<$LOCALAPPDATA>\Temp\jkKbXRjI.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","cmds"
// File:"<$FILE_EXE>","rundll32.exe C:\Users\bby\AppData\Local\Temp\jkKbXRjI.dll,c"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\Temp\jkKbXRjI.dll"
// AutoRun:"ronuduzof","Rundll32.exe "c:\progra~2\sikasiso\sikasiso.dll",a","flagifnofile=1"
AutoRun:"*","<$PROGRAMFILES>\sikasiso\sikasiso.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ronuduzof"
// File:"<$FILE_EXE>","Rundll32.exe "c:\progra~2\sikasiso\sikasiso.dll",a"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\sikasiso\sikasiso.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\sikasiso"
// AutoRun:"bazepihike","Rundll32.exe "C:\ProgramData\rurileka\rurileka.dll",s","flagifnofile=1"
AutoRun:"*","<$COMMONAPPDATA>\rurileka\rurileka.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","bazepihike"
// File:"<$FILE_EXE>","Rundll32.exe "C:\ProgramData\rurileka\rurileka.dll",s"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\rurileka\rurileka.dll"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\rurileka"
// AutoRun:"jsf8uiw3jnjgffght","C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogin.exe","flagifnofile=1"
AutoRun:"*","<$LOCALSETTINGS>\Temp\winlogin.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","jsf8uiw3jnjgffght"
// File:"<$FILE_EXE>","C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogin.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\winlogin.exe"
// AutoRun:"jsg8jfgfdfhfhf","C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogun.exe","flagifnofile=1"
AutoRun:"*","<$LOCALSETTINGS>\Temp\winlogun.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","jsg8jfgfdfhfhf"
// File:"<$FILE_EXE>","C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogun.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\winlogun.exe"
// AutoRun:"Jnskdfmf9eldfd","C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe","flagifnofile=1"
AutoRun:"*","<$LOCALSETTINGS>\Temp\csrssc.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Jnskdfmf9eldfd"
// File:"<$FILE_EXE>","C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\csrssc.exe"
// AutoRun:"tezrtsjhfr84iusjfo84f","C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe","flagifnofile=1"
AutoRun:"*","<$LOCALSETTINGS>\Temp\csrssc.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","tezrtsjhfr84iusjfo84f"
// File:"<$FILE_EXE>","C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\csrssc.exe"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\fagunake.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fagunake.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pozowaha.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pozowaha.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","binosino.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\binosino.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pisiluvu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pisiluvu.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\ludiwemi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ludiwemi.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hekeyapi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hekeyapi.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\sosalibu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sosalibu.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\stclientq.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\stclientq.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","modubuzo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\modubuzo.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","tuttkn.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tuttkn.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","veyglt.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\veyglt.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","phylnz.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\phylnz.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","pohuzowo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pohuzowo.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","bozoyipo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bozoyipo.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","ws\system32\"
// File:"<$FILE_LIBRARY>","ws\system32\"
// NOTE(review): the AppInit_DLLs values "ws\system32\" (entry above) and "<$SYSDIR>\" (a few entries below) are path fragments from a truncated log, not DLL names. A RegyRemove on a bare directory prefix can strip that prefix from a legitimate AppInit_DLLs entry; replace these two with the full DLL name once it is known, or drop them.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pojevejo"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pojevejo"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kegohato.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kegohato.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\fedeyipu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fedeyipu.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kejowigi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kejowigi.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\husenafe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\husenafe.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","gizisuyo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gizisuyo.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kebilaku.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kebilaku.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\watekaho.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\watekaho.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\AuthFWGP32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\AuthFWGP32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\delidubu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\delidubu.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\mukejowe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mukejowe.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\mifolole.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mifolole.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\igfxress32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\igfxress32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\btosif_notes32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\btosif_notes32.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","yiwuhuyu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yiwuhuyu.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\zigomobo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zigomobo.dll"
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\expsrv32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\expsrv32.dll"
// RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","78e43426598","DllName=<$SYSDIR>\igfxress32.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","*","DllName=<$SYSDIR>\igfxress32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\igfxress32.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","acpiz","DllName=acpiz.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\acpiz.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","niguwcos","DllName=<$SYSDIR>\dpwsockr.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dpwsockr.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c00C9796","DllName=<$SYSDIR>\__c00C9796.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c00C9796.dat"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c006CDF7","DllName=<$SYSDIR>\__c006CDF7.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c006CDF7.dat"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","hgGvvWnm","DllName=hgGvvWnm.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hgGvvWnm.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","dhcpcab","DllName=<$SYSDIR>\dhcpcab.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dhcpcab.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","hgGvwxvW","DllName=<$SYSDIR>\hgGvwxvW.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hgGvwxvW.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","94f79166669","DllName=<$SYSDIR>\expsrv32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\expsrv32.dll"
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","__c004A665","DllName=<$SYSDIR>\__c004A665.dat"
File:"<$FILE_LIBRARY>","<$SYSDIR>\__c004A665.dat"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","baduzejuw","baduzejuw={70198266-b0d1-485a-9c8d-f708789a09b0}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","baduzejuw","baduzejuw=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fagunake.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","punuhamuy","punuhamuy={1993a85d-f71b-40d0-918e-beb8bd7b78a8}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","punuhamuy","punuhamuy=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pozowaha.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","repesazad","repesazad={24550c7b-b78e-413a-a7c2-a000b238f80b}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","repesazad","repesazad=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pisiluvu.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","OSDriver","OSDriver={11F715A0-1EB3-47EF-91A8-629610A94C6F}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","OSDriver","OSDriver=*"
// File:"<$FILE_LIBRARY>","C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft\Media Index\Drivers\lan.dll"
// NOTE(review): the logged path is under the "All Users" profile, while the generalised entry below uses <$PROFILE>. Confirm that <$PROFILE> is also expanded for the All Users profile; otherwise neither lan.dll nor qzyhpzugfx.dll further down is ever matched.
File:"<$FILE_LIBRARY>","<$PROFILE>\Microsoft Private Data\Microsoft\Media Index\Drivers\lan.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","SystemLoading","SystemLoading={E2AB0207-5910-442F-B7EC-E115D5AE1503}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","SystemLoading","SystemLoading=*"
File:"<$FILE_LIBRARY>","<$PROFILE>\Microsoft Private Data\Microsoft\Media Index\Drivers\qzyhpzugfx.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","ruritebuj","ruritebuj={9c07199c-f969-407f-a436-e7412b9569bc}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","ruritebuj","ruritebuj=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mifolole.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","kunuzoham","kunuzoham={559740e7-3bd6-46ad-80ac-d25905e83786}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","kunuzoham","kunuzoham=*"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rapihajik","rapihajik={a5d17031-e1d6-4e92-beb6-8bc16e417047}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rapihajik","rapihajik=*"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","dizowitam","dizowitam={a0b12cea-8c46-48d7-a614-b1a47a430a1c}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","dizowitam","dizowitam=*"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rogewewah","rogewewah={14a0aac9-1c1b-4aa4-85bc-de8bf3712dd5}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rogewewah","rogewewah=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kejowigi.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rakahoyot","rakahoyot={0e095911-81e5-4912-a819-a98397ced7dc}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rakahoyot","rakahoyot=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\husenafe.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yedanaled","yedanaled={9f3d69c9-af9a-472f-9c2c-2f32a7e45348}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yedanaled","yedanaled=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zigomobo.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={70198266-b0d1-485a-9c8d-f708789a09b0}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fagunake.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={1993a85d-f71b-40d0-918e-beb8bd7b78a8}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pozowaha.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={24550c7b-b78e-413a-a7c2-a000b238f80b}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pisiluvu.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={9c07199c-f969-407f-a436-e7412b9569bc}"
// (same value name "kupuhivus" as above with a different CLSID; the wildcard rule that follows is identical to the kupuhivus=* rule already listed — the repeated tokatiluy=* and mujuzedij=* rules further down are likewise duplicates and could be collapsed)
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mifolole.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={559740e7-3bd6-46ad-80ac-d25905e83786}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus=*"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={a5d17031-e1d6-4e92-beb6-8bc16e417047}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy=*"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={a0b12cea-8c46-48d7-a614-b1a47a430a1c}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor=*"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={14a0aac9-1c1b-4aa4-85bc-de8bf3712dd5}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kejowigi.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={0e095911-81e5-4912-a819-a98397ced7dc}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\husenafe.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={9f3d69c9-af9a-472f-9c2c-2f32a7e45348}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zigomobo.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jgzfkj9w38rksndfi7r4","jgzfkj9w38rksndfi7r4={C5BF49A2-94F3-42BD-F434-3604812C8955}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jgzfkj9w38rksndfi7r4","jgzfkj9w38rksndfi7r4=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rwhbfb873unjdfdg.dll"
// RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","hjse7fw3jnefi7wejfndd","hjse7fw3jnefi7wejfndd={C5AF42A3-94F3-42BD-F634-3604832C897D}"
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","hjse7fw3jnefi7wejfndd","hjse7fw3jnefi7wejfndd=*"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gseb37dkjgfgf.dll"
// Trojan.Zbot:
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=userinit.exe,password_viewer.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","password_viewer.exe"
NTFile:"<$FILE_EXE>","<$WINDIR>\password_viewer.exe"
// AutoRun:"userinit","C:\Users\Eric\AppData\Roaming\sdra64.exe","flagifnofile=1"
AutoRun:"userinit","<$APPDATA>\sdra??.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","userinit"
// File:"<$FILE_EXE>","C:\Users\Eric\AppData\Roaming\sdra64.exe"
NTFile:"<$FILE_EXE>","<$APPDATA>\sdra??.exe"
// Ferner habe ich in einem ComboFix Logfile gesehen, dass Zbot selbst mehrere Kopien anlegt, damit es nicht komplett gelöscht werden kann
// Sobald z.B. die Datei sdra64.exe von Spybot gelöscht wird, wird sie von einer der Kopien wiederhergestellt
// Diese weiteren Zbot Dateien lauten dann z.B. sdra64(7).exe oder sdra64(10).exe, daher habe ich noch folgende Regeln erstellt (alle mir bekannten Pfade von Zbot):
NTFile:"<$FILE_EXE>","<$APPDATA>\sdra64(?).exe"
NTFile:"<$FILE_EXE>","<$APPDATA>\sdra64(??).exe"
NTFile:"<$FILE_EXE>","<$WINDIR>\sdra64(?).exe"
NTFile:"<$FILE_EXE>","<$WINDIR>\sdra64(??).exe"
NTFile:"<$FILE_EXE>","<$PROFILE>\sdra64(?).exe"
NTFile:"<$FILE_EXE>","<$PROFILE>\sdra64(??).exe"
NTFile:"<$FILE_EXE>","<$SYSDIR>\sdra64(?).exe"
NTFile:"<$FILE_EXE>","<$SYSDIR>\sdra64(??).exe"
// Trojan.Zlob.Media-Codec:
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{B499D34E-58EF-4927-AB9F-7AF52B2C4C82}"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}"
BrowserHelperEx:"*","filename=isfmdl.dll"
BrowserHelperEx:"IE Custom Tools","filename=ictmdl.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Video Add-on\isfmdl.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Video Add-on\ictmdl.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Video Add-on"
// Worm.Koobface:
// Die eine oder andere Regel dürfte neu sein
// AutoRun:"sysldtray","C:\windows\ld14.exe","flagifnofile=1"
AutoRun:"sysldtray","<$WINDIR>\ld??.exe","flagifnofile=1"
// AutoRun:"sysfbtray","C:\windows\freddy66.exe","flagifnofile=1"
AutoRun:"sysfbtray","<$WINDIR>\freddy??.exe","flagifnofile=1"
// AutoRun:"pp","C:\windows\pp11.exe","flagifnofile=1"
AutoRun:"pp","<$WINDIR>\pp??.exe","flagifnofile=1"
// AutoRun:"Sysmstray","C:\windows\mstre21.exe ","flagifnofile=1"
// AutoRun:"Sysmstray","C:\windows\mstre22.exe","flagifnofile=1"
// (trailing space inside the path, copied from the first log line above, removed — a pattern ending in "exe " would never match the file)
AutoRun:"Sysmstray","<$WINDIR>\mstre??.exe","flagifnofile=1"
// AutoRun:"sYsbEraY2","C:\windows\sber17.exe","flagifnofile=1"
AutoRun:"sYsbEraY2","<$WINDIR>\sber??.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sysldtray"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sysfbtray"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","pp"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Sysmstray"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sYsbEraY2"
// File:"<$FILE_EXE>","C:\windows\ld14.exe"
File:"<$FILE_EXE>","<$WINDIR>\ld??.exe"
// File:"<$FILE_EXE>","C:\windows\freddy66.exe"
File:"<$FILE_EXE>","<$WINDIR>\freddy??.exe"
// File:"<$FILE_EXE>","C:\windows\pp11.exe"
File:"<$FILE_EXE>","<$WINDIR>\pp??.exe"
// File:"<$FILE_EXE>","C:\windows\mstre21.exe"
// File:"<$FILE_EXE>","C:\windows\mstre22.exe"
File:"<$FILE_EXE>","<$WINDIR>\mstre??.exe"
// File:"<$FILE_EXE>","C:\windows\sber17.exe"
File:"<$FILE_EXE>","<$WINDIR>\sber??.exe"