I've collected detection rules for the following malware (note: the four Rootkit.Unknown entries below are GMER log excerpts only — no rules have been written for them yet):
  • Malware.IQManager
  • Malware.Lop
  • PUPS.GameVance.PlaySushi
  • Rootkit.Unknown(4)
  • Security.Microsoft.Windows.RedirectedHosts
  • Spyware.AdRotator
  • Spyware.Marketscore.RelevantKnowledge.PermissionResearch
  • Spyware.Spynet
  • Trojan.Agent(7)
  • Trojan.Autorun
  • Trojan.Downloader
  • Trojan.FakeAlert.ttam(2)
  • Trojan.Fraudpack
  • Trojan.Rbot(2)
  • Trojan.Virtumonde(3)
Category: Trojan
Code:
:: New Malware v100
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matt,2010-04-14}
// Reviewer notes on the conventions used in the rules below (inferred from how they are written; confirm against
// the signature-format reference):
// - Path placeholders such as <$SYSDIR>, <$WINDIR>, <$APPDATA>, <$LOCALSETTINGS>, <$PROGRAMFILES> replace the
//   hard-coded per-machine paths seen in the commented-out raw log lines, so a rule is not tied to one user or drive.
// - "flagifnofile=1" appears to flag the autostart entry even if the referenced file is missing; "flagifnofile=0"
//   only when the file exists, and is what keeps the AutoRun:"*" wildcard rules from over-matching.
// - Where the observed raw value was kept as a "// ..." line above a rule, it is the evidence the generalised rule
//   was derived from.


// Malware.IQManager:
// See: http://www.bleepingcomputer.com/virus-removal/remove-i-q-manager
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\","IQManager"
// Persistence: the sample registers itself as the per-user logon shell (HKCU Winlogon\Shell) as well as via a Run
// value. The HKCU Shell value overrides the machine-wide one, so removing it should let logon fall back to the
// default shell — do not reuse this RegyRemove for the HKLM Shell value without restoring explorer.exe there.
RegyRemove:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","<$APPDATA>\IQManager\iqmanager.exe"
// Observed raw Run value (hard-coded profile path, "silent" argument):
// AutoRun:"iqmanager.exe","%UserProfile%\Application Data\IQManager\iqmanager.exe silent","flagifnofile=1"
// The trailing "*" tolerates the "silent" argument; <$APPDATA> replaces the per-user path.
AutoRun:"iqmanager.exe","<$APPDATA>\IQManager\iqmanager.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","iqmanager.exe"
File:"<$FILE_EXE>","<$APPDATA>\IQManager\iqmanager.exe"
File:"<$FILE_DESKTOPLINK>","<$DESKTOP>\I-Q Manager.lnk"
File:"<$FILE_CONFIGURATION>","<$APPDATA>\IQManager\settings.ini"
File:"<$FILE_EXE>","<$APPDATA>\IQManager\uninstall.exe"
File:"<$FILE_PICTURE>","<$APPDATA>\IQManager\wallpaper.jpg"
File:"<$FILE_DATA>","<$APPDATA>\IQManager\languages\Czech.lng"
File:"<$FILE_DATA>","<$APPDATA>\IQManager\languages\Danish.lng"
File:"<$FILE_DATA>","<$APPDATA>\IQManager\languages\Dutch.lng"
File:"<$FILE_DATA>","<$APPDATA>\IQManager\languages\English.lng"
File:"<$FILE_DATA>","<$APPDATA>\IQManager\languages\French.lng"
File:"<$FILE_DATA>","<$APPDATA>\IQManager\languages\German.lng"
File:"<$FILE_DATA>","<$APPDATA>\IQManager\languages\Italian.lng"
File:"<$FILE_DATA>","<$APPDATA>\IQManager\languages\Portuguese.lng"
File:"<$FILE_DATA>","<$APPDATA>\IQManager\languages\Slovak.lng"
File:"<$FILE_DATA>","<$APPDATA>\IQManager\languages\Spanish.lng"
File:"<$FILE_DATA>","<$APPDATA>\IQManager\languages\template.lng"
// Directories are listed deepest-first so the parent is removed last.
Directory:"<$DIR_APPDATA>","<$APPDATA>\IQManager\torrents"
Directory:"<$DIR_APPDATA>","<$APPDATA>\IQManager\languages"
Directory:"<$DIR_APPDATA>","<$APPDATA>\IQManager"


// Malware.Lop:
// Found here: http://www.bleepingcomputer.com/forums/topic309374.html
// Observed raw Run value (the command is quoted because the path contains spaces):
// AutoRun:"CITY LOUD LOCKS EQ",""C:\ProgramData\dead that beep.cdonv"","flagifnofile=1"
// The leading "?" presumably stands in for the opening quote character of the command and ".*" for the unusual
// extension (.cdonv) — verify both against the signature reference. NOTE(review): the value name and file name
// look generated; if they vary per infection, this rule will only ever hit this one sample.
AutoRun:"CITY LOUD LOCKS EQ","?<$COMMONAPPDATA>\dead that beep.*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","CITY LOUD LOCKS EQ"
// File:"<$FILE_EXE>",""C:\ProgramData\dead that beep.cdonv""
// Typed as data rather than executable because the extension is not .exe; it is still the file the Run value launches.
File:"<$FILE_DATA>","<$COMMONAPPDATA>\dead that beep.*"


// PUPS.GameVance.PlaySushi:
// Not entirely sure whether you already have the registry entries. :-)
// IE toolbar button "Go PlaySushi!" registered under Internet Explorer\Extensions; the CLSID is pinned in the
// RegyKey line so the button text is not the only anchor.
IEExtension:"Go PlaySushi!"
RegyKey:"<$REG_IEEXTENSION>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Extensions\","{EBD24BD3-E272-4FA3-A8BA-C5D709757CAB}","ButtonText=Go PlaySushi!"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\PlaySushi\PSText.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\PlaySushi"


// Rootkit.Unknown(1):
// From a GMER log file (log excerpt only — no detection rules written for this entry):
// A hidden, random-named service hosted in svchost.exe via the netsvcs group, with ServiceDll jktbyy.dll in
// system32. The ServiceDll path is the only on-disk indicator shown here and is what a rule would have to pin.
// ---- Services - GMER 1.0.15 ----
// Service C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] pzgabykgn  <-- ROOTKIT !!!
// Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] gkkpcpld <-- ROOTKIT !!!
// ---- Registry - GMER 1.0.15 ----
// Reg HKLM\SYSTEM\CurrentControlSet\Services\gkkpcpld@DisplayName Helper Update
// Reg HKLM\SYSTEM\CurrentControlSet\Services\gkkpcpld@Type 32
// Reg HKLM\SYSTEM\CurrentControlSet\Services\gkkpcpld@Start 2
// Reg HKLM\SYSTEM\CurrentControlSet\Services\gkkpcpld@ErrorControl 0
// Reg HKLM\SYSTEM\CurrentControlSet\Services\gkkpcpld@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
// Reg HKLM\SYSTEM\CurrentControlSet\Services\gkkpcpld@ObjectName LocalSystem
// Reg HKLM\SYSTEM\CurrentControlSet\Services\gkkpcpld@Description Monitors system security settings and configurations.
// Reg HKLM\SYSTEM\CurrentControlSet\Services\gkkpcpld\Parameters
// Reg HKLM\SYSTEM\CurrentControlSet\Services\gkkpcpld\Parameters@ServiceDll C:\WINDOWS\system32\jktbyy.dll
// Reg HKLM\SYSTEM\ControlSet003\Services\gkkpcpld@DisplayName Helper Update
// Reg HKLM\SYSTEM\ControlSet003\Services\gkkpcpld@Type 32
// Reg HKLM\SYSTEM\ControlSet003\Services\gkkpcpld@Start 2
// Reg HKLM\SYSTEM\ControlSet003\Services\gkkpcpld@ErrorControl 0
// Reg HKLM\SYSTEM\ControlSet003\Services\gkkpcpld@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
// Reg HKLM\SYSTEM\ControlSet003\Services\gkkpcpld@ObjectName LocalSystem
// Reg HKLM\SYSTEM\ControlSet003\Services\gkkpcpld@Description Monitors system security settings and configurations.
// Reg HKLM\SYSTEM\ControlSet003\Services\gkkpcpld\Parameters (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet003\Services\gkkpcpld\Parameters@ServiceDll C:\WINDOWS\system32\jktbyy.dll


// Rootkit.Unknown(2):
// From a GMER log file (log excerpt only — no detection rules written for this entry):
// Boot-start driver "aicvzp" (Type 1, Start 0, group "Boot Bus Extender") with no ImagePath in the excerpt, so
// nothing on disk is identified yet. The other "hidden" service listed, "Steam Client Service", appears to be the
// Steam client's own service and should not be taken as an indicator.
// ---- Services - GMER 1.0.15 ----
// Service (*** hidden *** ) [BOOT] aicvzp <-- ROOTKIT !!!
// Service C:\Program (*** hidden *** ) [MANUAL] Steam Client Service <-- ROOTKIT !!!
// ---- Registry - GMER 1.0.15 ----
// Reg HKLM\SYSTEM\CurrentControlSet\Services\aicvzp@Type 1
// Reg HKLM\SYSTEM\CurrentControlSet\Services\aicvzp@Start 0
// Reg HKLM\SYSTEM\CurrentControlSet\Services\aicvzp@ErrorControl 0
// Reg HKLM\SYSTEM\CurrentControlSet\Services\aicvzp@Group Boot Bus Extender
// Reg HKLM\SYSTEM\ControlSet002\Services\aicvzp@Type 1
// Reg HKLM\SYSTEM\ControlSet002\Services\aicvzp@Start 0
// Reg HKLM\SYSTEM\ControlSet002\Services\aicvzp@ErrorControl 0
// Reg HKLM\SYSTEM\ControlSet002\Services\aicvzp@Group Boot Bus Extender


// Rootkit.Unknown(3):
// From a GMER log file (log excerpt only — no detection rules written for this entry):
// CAUTION — likely a false positive: these are the sptd\Cfg keys and the p0 value points at the DAEMON Tools Lite
// install directory. SPTD is the disc-emulation driver shipped with DAEMON Tools, and GMER routinely lists its
// hidden keys; do not derive a rule from this without a second, independent indicator.
// ---- Registry - GMER 1.0.15 ----
// Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
// Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
// Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
// Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
// Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
// Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
// Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
// Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC8 0xE4 0xD4 0x56 ...
// Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
// Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
// Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x1E 0xFD 0xE3 0xB8 ...
// Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
// Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x34 0x00 0x1E 0x0C ...
// Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
// Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
// Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
// Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC8 0xE4 0xD4 0x56 ...
// Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
// Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x1E 0xFD 0xE3 0xB8 ...
// Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x34 0x00 0x1E 0x0C ...


// Rootkit.Unknown(4):
// From a GMER log file (log excerpt only — no detection rules written for this entry):
// NOTE(review): every CLSID below has InprocServer32 defaulting to the system OLE32.DLL plus one binary value whose
// name is a 32-hex-digit hash. GMER reports this pattern very frequently on otherwise clean systems; on its own it
// is not evidence of a rootkit and no rule should be written from it without a file or service indicator.
// ---- Registry - GMER 1.0.15 ----
// Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
// Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System (remainder of this log line was lost in the copy)
// Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
// Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel                    Apartment
// Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
// Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b  0xC8 0x28 0x51 0xAF ...
// Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
// Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel                    Apartment
// Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
// Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b  0x46 0x47 0x15 0xB0 ...
// Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
// Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel                    Apartment
// Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
// Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016  0xFF 0x7C 0x85 0xE0 ...
// Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
// Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel                    Apartment
// Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
// Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48  0x3E 0x1E 0x9E 0xE0 ...
// Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
// Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel                    Apartment
// Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
// Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472  0xE9 0x02 0x6C 0xFA ...
// Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
// Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel                    Apartment
// Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
// Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d  0xDF 0x20 0x58 0x62 ...
// Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
// Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel                    Apartment
// Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
// Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b  0x31 0x77 0xE1 0xBA ...
// Reg             HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@c!s!\22!i!y!`!c!i!{!f!t!e!t!i!s!m!               19583823
// Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
// Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel                    Apartment
// Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
// Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d  0x01 0x3A 0x48 0xFC ...
// Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
// Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel                    Apartment
// Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
// Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3  0xB2 0x46 0x9A 0xE2 ...
// Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
// Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel                    Apartment
// Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
// Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b  0xB1 0xCD 0x45 0x5A ...
// Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
// Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel                    Apartment
// Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
// Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6  0xE3 0x0E 0x66 0xD5 ...
// Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
// Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel                    Apartment
// Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
// Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2  0x6C 0x43 0x2D 0x1E ...


// Security.Microsoft.Windows.RedirectedHosts:
// O1 - Hosts: 89.149.210.50 www.google.com
// O1 - Hosts: 89.149.210.50 www.google.de
// O1 - Hosts: 89.149.210.50 www.google.fr
// O1 - Hosts: 89.149.210.50 www.google.co.uk
// O1 - Hosts: 89.149.210.50 www.google.com.br
// O1 - Hosts: 89.149.210.50 www.google.it
// O1 - Hosts: 89.149.210.50 www.google.es
// O1 - Hosts: 89.149.210.50 www.google.co.jp
// O1 - Hosts: 89.149.210.50 www.google.com.mx
// O1 - Hosts: 89.149.210.50 www.google.ca
// O1 - Hosts: 89.149.210.50 www.google.com.au
// O1 - Hosts: 89.149.210.50 www.google.nl
// O1 - Hosts: 89.149.210.50 www.google.co.za
// O1 - Hosts: 89.149.210.50 www.google.be
// O1 - Hosts: 89.149.210.50 www.google.gr
// O1 - Hosts: 89.149.210.50 www.google.at
// O1 - Hosts: 89.149.210.50 www.google.se
// O1 - Hosts: 89.149.210.50 www.google.ch
// O1 - Hosts: 89.149.210.50 www.google.pt
// O1 - Hosts: 89.149.210.50 www.google.dk
// O1 - Hosts: 89.149.210.50 www.google.fi
// O1 - Hosts: 89.149.210.50 www.google.ie
// O1 - Hosts: 89.149.210.50 www.google.no
// O1 - Hosts: 89.149.210.50 search.yahoo.com
// O1 - Hosts: 89.149.210.50 us.search.yahoo.com
// O1 - Hosts: 89.149.210.50 uk.search.yahoo.com
// All observed entries point at one IP, and the rules below pin that IP. Keep it pinned: an unpinned "*.google.*"
// would also flag legitimate user or ad-blocking hosts entries for the same names. "*.google.*.*" covers the
// two-label country TLDs (co.uk, com.br, co.jp, ...). NOTE(review): only hosts-file redirects are covered, not
// DNS-level ones, and a variant using a different redirect IP needs its own HostRedirect lines.
HostRedirect:"*.google.*","89.149.210.50"
HostRedirect:"*.google.*.*","89.149.210.50"
HostRedirect:"search.yahoo.*","89.149.210.50"
HostRedirect:"*.search.yahoo.*","89.149.210.50"


// Spyware.AdRotator:
// Each variant is a Browser Helper Object: the BHO registration and the matching CLSID key are pinned by GUID,
// and the DLL (random-looking name in <$SYSDIR>) is removed. "filename=*.dll" on the BHO line accepts any DLL
// name for that BHO display name.
BrowserHelperEx:"profitizeme browser enhancer","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4643C2EB-D9F7-7B72-2A61-2C850D4CF651}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4643C2EB-D9F7-7B72-2A61-2C850D4CF651}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fvqdiedkevex.dll"

BrowserHelperEx:"profitmuse","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{e63e925d-fe8e-ad0b-3f0b-c7bab5b6bb0b}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{e63e925d-fe8e-ad0b-3f0b-c7bab5b6bb0b}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\93db323b.dll"

BrowserHelperEx:"dymanet","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{27fbdb22-cfbe-0c14-4b71-fbe4675cb3c5}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{27fbdb22-cfbe-0c14-4b71-fbe4675cb3c5}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\60b42d83-0085-da68-5e16-127a7a05520f.dll"

BrowserHelperEx:"hotrevenue browser enhancer","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{30D91E0D-84A1-EC98-EBBF-2BDEBB0EF671}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{30D91E0D-84A1-EC98-EBBF-2BDEBB0EF671}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bkemvwvaonpopwnr.dll"

// The trailing " *" on the next two display names tolerates a version suffix after the name.
BrowserHelperEx:"ezLife browser enhancer *","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{44194A02-6E19-44E5-9223-4E93ECDA1D33}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{44194A02-6E19-44E5-9223-4E93ECDA1D33}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zzvijxla.dll"

BrowserHelperEx:"SmartAds browser enhancer *","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{DDEF99A7-DFD2-479F-AB4D-1D20E32501C5}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{DDEF99A7-DFD2-479F-AB4D-1D20E32501C5}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ferpfzhx.dll"

// Re-registration on every boot: a Run value (random-looking name) invokes regsvr32 /s on the BHO DLL, which is
// how the BHO comes back after its registry keys alone are deleted — the DLL must be removed as well.
// AutoRun:"iqxlpxrtlnyosvne","C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\fvqdiedkevex.dll"","flagifnofile=1"
// Any value name is accepted ("*") since the name looks generated; the match is on the DLL path inside the command
// line, and flagifnofile=0 restricts the wildcard to the case where the DLL actually exists.
AutoRun:"*","<$SYSDIR>\fvqdiedkevex.dll*","flagifnofile=0"
// NOTE(review): this RegyValue still pins the one observed value name and will miss other infections; the AutoRun
// line above is the one that generalises.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","iqxlpxrtlnyosvne"
// File:"<$FILE_EXE>","C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\fvqdiedkevex.dll""
// (Duplicate of the File rule in the profitizeme group above; harmless.)
File:"<$FILE_LIBRARY>","<$SYSDIR>\fvqdiedkevex.dll"

// AutoRun:"dskevslspenaeozpo","C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\bkemvwvaonpopwnr.dll"","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\bkemvwvaonpopwnr.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","dskevslspenaeozpo"
// File:"<$FILE_EXE>","C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\bkemvwvaonpopwnr.dll""
// (Duplicate of the File rule in the hotrevenue group above; harmless.)
File:"<$FILE_LIBRARY>","<$SYSDIR>\bkemvwvaonpopwnr.dll"


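// Spyware.Marketscore.RelevantKnowledge.PermissionResearch:
// Winlogon\Notify registration: prls.dll is registered as a logon notification DLL, so it needs no Run value to be
// loaded. The DllName is matched on the hard-coded path because that is what the registry value actually contains.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","PermissionResearch","DllName=c:\program files\permissionresearch\prls.dll"
// Fixed: the original used "<PROGRAMFiLES>" (no "$", mixed case), which is not the placeholder used elsewhere in
// this file (<$PROGRAMFILES>, see the PlaySushi rules) and would most likely never expand — leaving the DLL and
// its directory on disk after the registry key was cleaned.
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\permissionresearch\prls.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\permissionresearch"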


// Spyware.Spynet:
// O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\Windows\system32\muii\dtsr.exe
// O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\Windows\system32\muii\dtsr.exe
// The log shows the loader under the Policies\Explorer\Run keys (value name "Policies") in both hives.
AutoRun:"Policies","<$SYSDIR>\muii\dtsr.exe","flagifnofile=1"
// AutoRun:"HKLM","C:\Windows\system32\muii\dtsr.exe","flagifnofile=1"
AutoRun:"HKLM","<$SYSDIR>\muii\dtsr.exe","flagifnofile=1"
// AutoRun:"HKCU","C:\Windows\system32\muii\dtsr.exe","flagifnofile=1"
AutoRun:"HKCU","<$SYSDIR>\muii\dtsr.exe","flagifnofile=1"
// NOTE(review): the two RegyValue lines only clean the ordinary Run keys (values "HKLM"/"HKCU"); there is no
// RegyValue for the "Policies" value under ...\CurrentVersion\Policies\Explorer\Run\ shown in the O4 lines above.
// If the AutoRun rule does not remove that value itself, add one per hive, e.g.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","Policies"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
File:"<$FILE_EXE>","<$SYSDIR>\muii\dtsr.exe"
// "filename=dtsr.exe" presumably restricts the directory removal to the case where the payload is inside it.
Directory:"<$DIR_PROG>","<$SYSDIR>\muii","filename=dtsr.exe"


// Trojan.Agent(1):
// See: http://www.threatexpert.com/files/VIE41.exe.html
// The last two characters ("41") are random!
// AutoRun:"\VIE41.exe","C:\Windows\System32\VIE41.exe","flagifnofile=1"
// The Run value name is the bare file name with a leading backslash, exactly as observed; "??" covers the two
// random characters in both the value name and the path.
AutoRun:"\VIE??.exe","<$SYSDIR>\VIE??.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","\VIE??.exe"
// File:"<$FILE_EXE>","C:\Windows\System32\VIE41.exe"
// NOTE(review): inconsistent with the comment above — this File rule still pins "41", so every other variant
// leaves its executable behind. Use "<$SYSDIR>\VIE??.exe" if File: rules accept "?" (other File: rules in this
// file only use "*"; confirm against the signature reference).
File:"<$FILE_EXE>","<$SYSDIR>\VIE41.exe"


// Trojan.Agent(2):
// "explorar.exe" in <$WINDIR>\config is a look-alike of explorer.exe; the genuine shell binary lives in
// <$WINDIR> itself, so this path cannot collide with a legitimate file.
AutoRun:"svctt","<$WINDIR>\config\explorar.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","svctt"
File:"<$FILE_EXE>","<$WINDIR>\config\explorar.exe"


// Trojan.Agent(3):
// File name is stable (the Run value name is not).
// AutoRun:"ewrgetuj","C:\DOCUME~1\mding\LOCALS~1\Temp\geurge.exe","flagifnofile=1"
// Any value name is accepted ("*") because "ewrgetuj" appears to be generated; flagifnofile=0 keeps the wildcard
// from flagging unless geurge.exe is actually present. The per-user 8.3 path is replaced by <$LOCALSETTINGS>.
AutoRun:"*","<$LOCALSETTINGS>\Temp\geurge.exe","flagifnofile=0"
// NOTE(review): this still pins the one observed value name and will miss other infections; the AutoRun line
// above is the one that generalises.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ewrgetuj"
// File:"<$FILE_EXE>","C:\DOCUME~1\mding\LOCALS~1\Temp\geurge.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\geurge.exe"


// Trojan.Agent(4):
// Submitted before, but it was rejected :-/
// http://www.threatexpert.com/report.aspx?md5=062edb027adecf8f7b6f36ab083b54a8
// Anchored on the fixed value name "nonep"; the launched file is a .tmp in <$WINDIR>\TEMP, so a wildcard is used
// for the file part — safe only because the value name is pinned.
AutoRun:"nonep","<$WINDIR>\TEMP\*.tmp","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","nonep"
// NOTE(review): "36.tmp" is the name from a single sample and is unlikely to be constant, so this File rule will
// only hit that sample (which may be one reason the submission was rejected). Consider dropping it and relying on
// flagifnofile=1 on the AutoRun rule.
File:"<$FILE_TEMP>","<$WINDIR>\TEMP\36.tmp"


// Trojan.Agent(5):
// See: http://www.systemlookup.com/Startup/21069-rndll_exe.html
// "Firevall Administrating" (sic) and rndll.exe are look-alikes of legitimate names (firewall / rundll32.exe);
// the value name is spelled exactly as observed, misspelling included.
AutoRun:"Firevall Administrating","<$SYSDIR>\rndll.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Firevall Administrating"
File:"<$FILE_EXE>","<$SYSDIR>\rndll.exe"


// Trojan.Agent(6):
// Unfortunately I don't know whether the autostart name is random or fixed :-(
// If it turns out to be random, switch to AutoRun:"*" with flagifnofile=0 as done for Trojan.Agent(3) in this file,
// since the file path <$SYSDIR>\Stronger7\server.exe is the stable part.
AutoRun:"Stronger7","<$SYSDIR>\Stronger7\server.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Stronger7"
File:"<$FILE_EXE>","<$SYSDIR>\Stronger7\server.exe"
Directory:"<$DIR_PROG>","<$SYSDIR>\Stronger7","filename=server.exe"


// Trojan.Agent(7):
// Do you already have these two variants? The autostart name is fixed in each case!
// Both variants: an HKCU Run value with a fixed keyboard-mash name launching an .exe from <$WINDIR>\TEMP. The
// executable name varies, so the rules anchor on the value name and use "*.exe" for the file.
AutoRun:"ygua8e7yhuiesfha876yfauy8fe","<$WINDIR>\TEMP\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","ygua8e7yhuiesfha876yfauy8fe"
// File:"<$FILE_EXE>","<$WINDIR>\TEMP\f80dkxez3.exe"
// (No File rule for the first variant: f80dkxez3.exe looks generated.)
AutoRun:"asg984jgkfmgasi8ug98jgkfgfb","<$WINDIR>\TEMP\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","asg984jgkfmgasi8ug98jgkfgfb"
// The second variant was seen as "lsass.exe" — a look-alike of the real lsass.exe, which lives in <$SYSDIR>, so
// matching the copy in TEMP cannot hit the genuine file.
File:"<$FILE_EXE>","<$WINDIR>\TEMP\lsass.exe"


// Trojan.Autorun:
// AutoRun:"UserLogon","c:\documents and settings\user\winlogon.exe","flagifnofile=1"
// "winlogon.exe" in the profile root is a look-alike; the genuine winlogon.exe is in <$SYSDIR>, so this rule
// cannot hit it. <$PROFILE> replaces the hard-coded per-user path from the observed value.
AutoRun:"UserLogon","<$PROFILE>\winlogon.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","UserLogon"
// File:"<$FILE_EXE>","c:\documents and settings\user\winlogon.exe"
File:"<$FILE_EXE>","<$PROFILE>\winlogon.exe"


// Trojan.Downloader:
// Name per Sophos
// See also: http://www.bleepingcomputer.com/startups/Somefox-23744.html
// AutoRun:"Somefox","C:\DOCUME~1\T5A5E~1.CAR\LOCALS~1\Temp\setup1059.exe","flagifnofile=1"
// Anchored on the fixed value name "Somefox"; the launched file name (setup1059.exe) looks generated, so "*.exe"
// is used and no File rule is emitted — the executable is only caught through the Run value (flagifnofile=1).
AutoRun:"Somefox","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Somefox"
// File:"<$FILE_EXE>","C:\DOCUME~1\T5A5E~1.CAR\LOCALS~1\Temp\setup1059.exe"


// Trojan.FakeAlert.ttam(1):
// Winlogon\Notify registration (a logon notification DLL, so no Run value is needed). DllName is given without a
// path in the observed value; the File rule looks for it in <$SYSDIR>.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","gport_","DllName=gport_.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gport_.dll"


// Trojan.FakeAlert.ttam(2):
// ShellServiceObjectDelayLoad entry: the value name looks generated, the data is the CLSID of the object to load.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rKkOAiuwhbIjwm","rKkOAiuwhbIjwm={2026C7B3-8A8C-6D19-BB41-36D659A966AB}"
// NOTE(review): the CLSID {2026C7B3-8A8C-6D19-BB41-36D659A966AB} named in the value data presumably has its own
// HKLM\SOFTWARE\Classes\CLSID key pointing at uvb.dll; the BHO rules in this file clean that with
// RegyKey:"<$REG_CLASSID>",... — consider adding the same here once confirmed against a sample.
File:"<$FILE_LIBRARY>","<$SYSDIR>\uvb.dll"


// Trojan.Fraudpack:
// AutoRun:"WEK9EMDHI9","C:\WINDOWS\Gcysua.exe","flagifnofile=1"
// Anchored on the fixed value name; the executable is generalised to "*.exe" directly in <$WINDIR> — safe only
// because the value name is pinned.
AutoRun:"WEK9EMDHI9","<$WINDIR>\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WEK9EMDHI9"
// File:"<$FILE_EXE>","C:\WINDOWS\Gcysua.exe"
// NOTE(review): "Gcysua.exe" looks generated; this File rule will only hit the observed sample.
File:"<$FILE_EXE>","<$WINDIR>\Gcysua.exe"


// Trojan.Rbot(1):
// O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\host\svchost.exe
// O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\host\svchost.exe
// svchost.exe in <$WINDIR>\host is a look-alike; the genuine svchost.exe lives in <$SYSDIR>, so this path is safe
// to match.
AutoRun:"Policies","<$WINDIR>\host\svchost.exe","flagifnofile=1"
// Second persistence point: a Run value named "Windows Update".
AutoRun:"Windows Update","<$WINDIR>\host\svchost.exe","flagifnofile=1"
// NOTE(review): only the "Windows Update" Run value is cleaned; there is no RegyValue for the "Policies" value under
// ...\CurrentVersion\Policies\Explorer\Run\ (both hives) shown in the O4 lines. If the AutoRun rule does not
// remove it itself, add one per hive, e.g.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\","Policies"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Update"
File:"<$FILE_EXE>","<$WINDIR>\host\svchost.exe"


// Trojan.Rbot(2):
// "Windows Security" is a lure name; the value is cleaned from both the HKLM and HKCU Run keys.
AutoRun:"Windows Security","<$WINDIR>\wlcom.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Security"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Security"
File:"<$FILE_EXE>","<$WINDIR>\wlcom.exe"


// Trojan.Virtumonde(1):
// BHO variants: the display name is not relied on ("*"); each entry is pinned by the DLL file name and the CLSID,
// and the random-looking DLL in <$SYSDIR> is removed with it.
BrowserHelperEx:"*","filename=rudujeru.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{d469b3a7-3577-4d76-8b00-45e4a5d69cdb}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{d469b3a7-3577-4d76-8b00-45e4a5d69cdb}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rudujeru.dll"

BrowserHelperEx:"*","filename=yivibubu.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{a7a6b3a6-96ab-47e2-99b9-c2ccd1c85e93}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{a7a6b3a6-96ab-47e2-99b9-c2ccd1c85e93}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yivibubu.dll"

BrowserHelperEx:"*","filename=mmcox.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mmcox.dll"

BrowserHelperEx:"*","filename=piwogome.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{e936adcc-d055-4ac7-84d9-1fc2f07a4a44}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{e936adcc-d055-4ac7-84d9-1fc2f07a4a44}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\piwogome.dll"

BrowserHelperEx:"*","filename=melepoju.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{d4119301-7ac7-42fe-aa80-4d340fcd08c8}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{d4119301-7ac7-42fe-aa80-4d340fcd08c8}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\melepoju.dll"

BrowserHelperEx:"*","filename=welumiva.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{f26e7235-3018-4471-8904-d09960c8719e}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{f26e7235-3018-4471-8904-d09960c8719e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\welumiva.dll"

BrowserHelperEx:"*","filename=fimahafu.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{036d6a92-7b48-4e06-a62f-c3401eb016a3}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{036d6a92-7b48-4e06-a62f-c3401eb016a3}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fimahafu.dll"

BrowserHelperEx:"*","filename=yavaneyu.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{b3ceef7d-3e97-4bc4-b6cb-f2e7d380bf1e}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{b3ceef7d-3e97-4bc4-b6cb-f2e7d380bf1e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yavaneyu.dll"

// Run-value loaders for the same family. The observed raw values (kept as "// AutoRun:" lines) launch the DLL
// through a host process with an export name after the path (",s", ",a", ",DllRegisterServer", ",Startup"); the
// generalised rules match any value name ("*", since the names look generated) on the DLL path, the trailing "*"
// tolerates the export argument, and flagifnofile=0 limits the wildcard to DLLs that actually exist.
// AutoRun:"jivubowipu","<$SYSDIR>\safedeyo.dll",s","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\safedeyo.dll*","flagifnofile=0"
// NOTE(review): the RegyValue lines in this group still pin the single observed value name; the AutoRun:"*" line
// above is what generalises.
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","jivubowipu"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\safedeyo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\safedeyo.dll"

// AutoRun:"pihunevuv","<$SYSDIR>\yurizoye.dll",a","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\yurizoye.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","pihunevuv"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\yurizoye.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yurizoye.dll"

// AutoRun:"vekiderilu","<$SYSDIR>\kevupavo.dll",s","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\kevupavo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","vekiderilu"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\kevupavo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kevupavo.dll"

// The raw value below carried a mangled path ("<$SYSDIR>\e:\windows\system32\..."); the rule uses the real
// location in <$SYSDIR>.
// AutoRun:"mewelujuz","<$SYSDIR>\e:\windows\system32\lasefoye.dll",a","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\lasefoye.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","mewelujuz"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\e:\windows\system32\lasefoye.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lasefoye.dll"

// This variant lives directly in <$WINDIR>, not <$SYSDIR> (the raw value shows C:\WINDOWS\efibabuyu.dll).
// AutoRun:"Eloforeqonofa","<$SYSDIR>\C:\WINDOWS\efibabuyu.dll",Startup","flagifnofile=0"
AutoRun:"*","<$WINDIR>\efibabuyu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Eloforeqonofa"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\C:\WINDOWS\efibabuyu.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\efibabuyu.dll"

// AutoRun:"effecasys","<$SYSDIR>\mlkjjg.dll",DllRegisterServer","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\mlkjjg.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","effecasys"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\mlkjjg.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mlkjjg.dll"

// AutoRun:"nnkhiidrv","<$SYSDIR>\jkjhfg.dll",s","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\jkjhfg.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","nnkhiidrv"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\jkjhfg.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jkjhfg.dll"

// Same DLL (mlkjjg.dll) as the "effecasys" group above, seen under a second value name; the AutoRun and File
// lines are therefore duplicates of that group and only the RegyValue adds anything. Harmless, but could be
// collapsed.
// AutoRun:"tuvtutsys","<$SYSDIR>\mlkjjg.dll",DllRegisterServer","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\mlkjjg.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","tuvtutsys"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\mlkjjg.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mlkjjg.dll"

// AutoRun:"wojofukiw","<$SYSDIR>\zufasewa.dll",a","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\zufasewa.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","wojofukiw"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\zufasewa.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zufasewa.dll"

// AutoRun:"lusurofofa","<$SYSDIR>\tatunulo.dll",s","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\tatunulo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","lusurofofa"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\tatunulo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tatunulo.dll"

// Another <$WINDIR> (not <$SYSDIR>) variant, as the raw value shows C:\WINDOWS\igevecazuculene.dll.
// AutoRun:"Npamerisubacaxoz","<$SYSDIR>\C:\WINDOWS\igevecazuculene.dll",Startup","flagifnofile=0"
AutoRun:"*","<$WINDIR>\igevecazuculene.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Npamerisubacaxoz"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\C:\WINDOWS\igevecazuculene.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\igevecazuculene.dll"

// AutoRun:"awwtrpdrv","<$SYSDIR>\ssrqrp.dll",s","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\ssrqrp.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","awwtrpdrv"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\ssrqrp.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ssrqrp.dll"

// AutoRun:"wvvvttsys","<$SYSDIR>\cbywxy.dll",DllRegisterServer","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\cbywxy.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","wvvvttsys"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\cbywxy.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cbywxy.dll"

// AutoRun:"Mwavuhijuc","<$SYSDIR>\C:\WINDOWS\ivabaliko.dll",Startup","flagifnofile=0"
AutoRun:"*","<$WINDIR>\ivabaliko.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Mwavuhijuc"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\C:\WINDOWS\ivabaliko.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\ivabaliko.dll"

// AutoRun:"dagugosaze","<$SYSDIR>\darejaju.dll",s","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\darejaju.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","dagugosaze"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\darejaju.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\darejaju.dll"

// AutoRun:"kulenotul","<$SYSDIR>\vajozesi.dll",a","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\vajozesi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","kulenotul"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\vajozesi.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vajozesi.dll"

// AutoRun:"Rmunevigulu","<$SYSDIR>\c:\windows\ijetetab.dll",Startup","flagifnofile=0"
AutoRun:"*","<$WINDIR>\ijetetab.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Rmunevigulu"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\c:\windows\ijetetab.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\ijetetab.dll"

// AutoRun:"jkkkjkdrv","<$SYSDIR>\opmlli.dll",s","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\opmlli.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","jkkkjkdrv"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\opmlli.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\opmlli.dll"

// AutoRun:"nnkjgesys","<$SYSDIR>\vtrsrp.dll",DllRegisterServer","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\vtrsrp.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","nnkjgesys"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\vtrsrp.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vtrsrp.dll"

// AutoRun:"misamikafi","<$SYSDIR>\dehaseha.dll",s","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\dehaseha.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","misamikafi"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\dehaseha.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dehaseha.dll"

// AutoRun:"nizedudiy","<$SYSDIR>\dofozeha.dll",a","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\dofozeha.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","nizedudiy"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\dofozeha.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dofozeha.dll"

// AutoRun:"kajadevaga","<$SYSDIR>\jejuvoto.dll",s","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\jejuvoto.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","kajadevaga"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\jejuvoto.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jejuvoto.dll"

// AutoRun:"Rgoqemowem","<$SYSDIR>\c:\windows\oletejedab.dll",Startup","flagifnofile=0"
AutoRun:"*","<$WINDIR>\oletejedab.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Rgoqemowem"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\c:\windows\oletejedab.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\oletejedab.dll"

// AutoRun:"vigahumidu","<$SYSDIR>\jevodode.dll",s","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\jevodode.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","vigahumidu"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\jevodode.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jevodode.dll"

// AutoRun:"lalopakep","<$SYSDIR>\wiwijadu.dll",a","flagifnofile=0"
AutoRun:"*","<$SYSDIR>\wiwijadu.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","lalopakep"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\wiwijadu.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wiwijadu.dll"

// AutoRun:"Axivacuqepiconi","<$SYSDIR>\C:\WINDOWS\iyoviker.dll",Startup","flagifnofile=0"
AutoRun:"*","<$WINDIR>\iyoviker.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Axivacuqepiconi"
// File:"<$FILE_LIBRARY>","<$SYSDIR>\C:\WINDOWS\iyoviker.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\iyoviker.dll"

// AutoRun:"vpmeah","RUNDLL32.EXE C:\Users\Matt\AppData\Local\Temp\mslwaukm.dll,w","flagifnofile=0"
AutoRun:"*","<$LOCALAPPDATA>\Temp\mslwaukm.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","vpmeah"
// File:"<$FILE_LIBRARY>","RUNDLL32.EXE C:\Users\Matt\AppData\Local\Temp\mslwaukm.dll,w"
File:"<$FILE_LIBRARY>","<$LOCALAPPDATA>\Temp\mslwaukm.dll"

// AppInit_DLLs. Each RegyRemove names one entry to strip from the AppInit_DLLs
// value (the value is a list, so the whole value is not deleted — presumed
// engine semantics, confirm). The data string is given exactly as it was
// logged, which is why some entries are bare file names (gijeluhe.dll,
// pasagami.dll, robenala.dll, jujujoju.dll, suzejuta.dll, masutora.dll,
// nojoredu.dll, womaduzo.dll) and others carry <$SYSDIR>\; keep that spelling
// per entry, a bare name and a full-path entry are different strings. The File
// line always uses <$SYSDIR>. lasefoye.dll, zufasewa.dll, vajozesi.dll,
// dofozeha.dll and wiwijadu.dll are also covered by the Run-key groups above;
// the repeated File lines are harmless.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\__c00993A8.dat"
File:"<$FILE_DATA>","<$SYSDIR>\__c00993A8.dat"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","gijeluhe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gijeluhe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\lasefoye.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lasefoye.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kbdsock.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kbdsock.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","pasagami.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pasagami.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\wulemake.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wulemake.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yahiviti.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yahiviti.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","robenala.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\robenala.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\leyoluzu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\leyoluzu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\zufasewa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zufasewa.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\mahozege.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mahozege.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","jujujoju.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jujujoju.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\muhemive.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muhemive.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\bejizayo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bejizayo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\sisubolu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sisubolu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\wafiguvu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wafiguvu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\vajozesi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vajozesi.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","suzejuta.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\suzejuta.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","masutora.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\masutora.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","nojoredu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nojoredu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dofozeha.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dofozeha.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","womaduzo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\womaduzo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\wiwijadu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wiwijadu.dll"

// ShellServiceObjectDelayLoad. Each value is "name={CLSID}" and the rule gives
// both the value name and the full data string, so a value is only matched when
// name and CLSID agree. The File line that follows names the DLL found behind
// that CLSID; several CLSIDs resolve to the same DLL (zufasewa.dll ×4,
// leyoluzu.dll ×2, wiwijadu.dll ×2). fipuzomub, mevohuneh and rekowaliz have no
// File line — presumably the backing DLL was not identified in the source logs
// (TODO confirm); the same three CLSIDs recur without a File line in the
// SharedTaskScheduler block below.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","fabojabev","fabojabev={713b6d15-ff76-4305-a07b-f637e5972dd0}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hafedeku.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","takesekaw","takesekaw={5336d834-6361-4577-aa08-2ac7cfc12881}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yosofomo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","zadiresed","zadiresed={06342a59-bf6e-49df-9672-de8d934c02cb}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fehitiya.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","sigazelah","sigazelah={d7d8230e-afe9-4e96-8792-9faf61abe8cd}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yurizoye.dll"

// No DLL identified for this CLSID; registry value only.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","fipuzomub","fipuzomub={a882ea35-4c77-4c3e-adab-ae0f5577d636}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","hiyebigan","hiyebigan={bd98a08a-79cd-4983-be85-35244c7b2f3a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yahiviti.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","hezigekih","hezigekih={93b0ad2a-6135-4f0d-bbf7-4adf29ae4434}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zufasewa.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yopejahig","yopejahig={e0113be3-a4f4-497a-93c9-386912a733ab}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zufasewa.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","turazurug","turazurug={e5e62ebf-d0cb-41d8-a583-c07f6d4567d5}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zufasewa.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","vadihituy","vadihituy={7d15f3b5-76a1-4484-8f7c-608de8e4c812}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\leyoluzu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","jigafevot","jigafevot={5ef36b34-5947-4a7b-83e9-7052937d1212}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\leyoluzu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","bebogohaz","bebogohaz={f36071d0-886e-4bd8-80d8-214337773dd7}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zufasewa.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","wewahuret","wewahuret={16d8b9d0-7055-4474-9341-8fd1311eccd2}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muhemive.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nayovopah","nayovopah={5613c517-d3b9-447d-b19a-8fe8c361a793}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sisubolu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","yonumopad","yonumopad={3b9a5ee6-918d-46a6-91db-0126d9cab232}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wafiguvu.dll"

// No DLL identified for these two CLSIDs; registry values only.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","mevohuneh","mevohuneh={86db6e06-8b41-4fb4-9d37-1e9a198df52d}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rekowaliz","rekowaliz={86f1fb73-8f03-4d5b-9ef1-7de806b43d0b}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","musufowiy","musufowiy={7ae2cd7b-d272-4e06-8d77-c2f5f1ce7b66}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wiwijadu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","towivurig","towivurig={d6f99ed7-8fb7-4db5-98e0-21de9394643c}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wiwijadu.dll"

// Explorer\SharedTaskScheduler. Same name={CLSID} scheme as the
// ShellServiceObjectDelayLoad block above, and most CLSIDs are the same ones
// seen there (paired with the same DLLs). Value names repeat across entries
// (mujuzedij, jugezatag, tokatiluy, gahurihor, kupuhivus) with different CLSID
// data; because each rule carries the full data string, every line is a
// distinct match rather than a duplicate. Entries without a File line
// (mujuzedij={86db6e06…}, mujuzedij={86f1fb73…}, gahurihor={a882ea35…}) are
// the three CLSIDs that also lack a DLL in the SSODL block. The three entries at
// the end (CLSIDs A9BA40A1…, 4e3d5337…, acac0310…) appear only here.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={7ae2cd7b-d272-4e06-8d77-c2f5f1ce7b66}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wiwijadu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={d6f99ed7-8fb7-4db5-98e0-21de9394643c}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wiwijadu.dll"

// No DLL identified for the next two CLSIDs; registry values only.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={86db6e06-8b41-4fb4-9d37-1e9a198df52d}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={86f1fb73-8f03-4d5b-9ef1-7de806b43d0b}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={16d8b9d0-7055-4474-9341-8fd1311eccd2}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\muhemive.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={5613c517-d3b9-447d-b19a-8fe8c361a793}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sisubolu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={3b9a5ee6-918d-46a6-91db-0126d9cab232}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wafiguvu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={bd98a08a-79cd-4983-be85-35244c7b2f3a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yahiviti.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={93b0ad2a-6135-4f0d-bbf7-4adf29ae4434}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zufasewa.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={e0113be3-a4f4-497a-93c9-386912a733ab}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zufasewa.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={e5e62ebf-d0cb-41d8-a583-c07f6d4567d5}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zufasewa.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={7d15f3b5-76a1-4484-8f7c-608de8e4c812}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\leyoluzu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={5ef36b34-5947-4a7b-83e9-7052937d1212}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\leyoluzu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={f36071d0-886e-4bd8-80d8-214337773dd7}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zufasewa.dll"

// No DLL identified for this CLSID; registry value only.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={a882ea35-4c77-4c3e-adab-ae0f5577d636}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={713b6d15-ff76-4305-a07b-f637e5972dd0}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hafedeku.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={5336d834-6361-4577-aa08-2ac7cfc12881}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yosofomo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={06342a59-bf6e-49df-9672-de8d934c02cb}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fehitiya.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={d7d8230e-afe9-4e96-8792-9faf61abe8cd}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yurizoye.dll"

// Different naming pattern from the rest of the block (long value name,
// upper-case CLSID, DLL name not in the eight-letter style) — possibly from a
// different sample; TODO confirm it belongs in this detection.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","hasiufhiusdfjdhfudd","hasiufhiusdfjdhfudd={A9BA40A1-74F1-52BD-F431-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mmcox.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={4e3d5337-a277-49a4-b11c-a74cc02c4ebe}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lasefoye.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={acac0310-15c1-4deb-824d-c1cd947faa07}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dofozeha.dll"


// Trojan.Virtumonde(2):
// From four different DDS log files. File-only entries: no autostart is listed
// for these, so they are matched by path alone. Several names (leyoluzu,
// mahozege, zufasewa, vajozesi, dofozeha, jejuvoto) are already covered by
// earlier sections; the repeats are harmless.
File:"<$FILE_LIBRARY>","<$SYSDIR>\duwobede.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fagunufa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\galazere.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\giruwili.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hokibewi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\homesubu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kekuzevi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kiganopo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\leyoluzu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mahozege.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\neheseme.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\piwogome.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tunesega.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wuwijaba.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zufasewa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zukidudu.dll"

File:"<$FILE_LIBRARY>","<$SYSDIR>\fokitape.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gubebusi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\herifolu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\melepoju.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mowukiwe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sugefeso.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vajozesi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wupijabe.dll"

// NOTE(review): the log excerpt kept below lists 24 scheduled-task files
// (At1945.job … At1968.job, all created within the same second) next to
// juyobosu.exe, but no File: rule covers them in this section — TODO confirm
// whether they belong to this detection and should get rules of their own.
File:"<$FILE_EXE>","<$SYSDIR>\juyobosu.exe"
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1968.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1967.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1966.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1965.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1964.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1963.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1962.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1961.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1960.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1959.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1958.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1957.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1956.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1955.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1954.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1953.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1952.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1951.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1950.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1949.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1948.job
// [2010/04/13 17:27:02 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1947.job
// [2010/04/13 17:27:01 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1946.job
// [2010/04/13 17:27:01 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\At1945.job

File:"<$FILE_LIBRARY>","<$SYSDIR>\bobebeji.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dofozeha.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jejuvoto.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\moruzagi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tehayela.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yavaneyu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yopareza.dll"


// Trojan.Virtumonde(3):
// From an ESET Online Scanner log file. Configuration files only (no autostart
// or registry entry is listed for them), matched by path in <$SYSDIR>.
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\dclfeqbb.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ddnsfjaa.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ikvbqtei.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\LnXGPpVw.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\tnrppbkq.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\vkqtnrvn.ini"
File:"<$FILE_CONFIGURATION>","<$SYSDIR>\ymcwsnuu.ini"