I've collected detection rules for the following malware:
  • Adware.BaiduBar
  • Adware.WurldMedia
  • Keylogger.EBlaster
  • Malware.Fraud.Antivirus
  • Malware.Fraud.Unknown
  • Malware.Lop
  • PUPS.MyWebSearch
  • Rootkit.Zbot
  • Spyware.AdRotator
  • Spyware.Spynet
  • Trojan.Agent(4)
  • Trojan.Avalanec
  • Trojan.Banker
  • Trojan.DelfInject(2)
  • Trojan.FakeAlert.ttam(5)
  • Trojan.Virtumonde(2)
  • Worm.Autoit
Category: Trojan
Code:
:: New Malware v104
// Revision 1
// {Cat:Test}{Cnt:1}
// {Det:Matt,2010-04-24}
// Submission header for the detection entries below. Each family section starts
// with a "// Name:" comment; commented-out rule lines inside a section are the raw
// log paths (or HijackThis O4 lines) that the active, placeholder-based entries
// were generalised from.
// NOTE(review): the Cnt field above reads 1, but this file holds well over twenty
// family sections -- confirm what that field is meant to count.


// Adware.BaiduBar:
// Do you already have all of these?
// Two DLLs under <$PROGRAMFILES>\Baidu: AddressBar.dll (registered as a BHO) and
// BaiduBarX.dll (registered as a BHO and as an IE toolbar). Each registration is
// paired with its CLSID key; the Directory entries list the two subfolders first
// and the parent Baidu folder last.
BrowserHelperEx:"SearchHook Class","filename=AddressBar.dll"
BrowserHelperEx:"Baidu Toolbar BHO","filename=BaiduBarX.dll"
BrowserHelperEx:"Baidu Toolbar","filename=BaiduBarX.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{00000000-0593-4356-9CF7-1D8C2B3343C0}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{00000000-0593-4356-9CF7-1D8C2B3343C0}"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{77FEF28E-EB96-44FF-B511-3185DEA48697}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{77FEF28E-EB96-44FF-B511-3185DEA48697}"
// Toolbar registration (a value under Internet Explorer\Toolbar, not a BHO key).
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{B580CF65-E151-49C3-B73F-70B13FCA8E86}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{B580CF65-E151-49C3-B73F-70B13FCA8E86}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Baidu\AddressBar\AddressBar.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\Baidu\Toolbar\BaiduBarX.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Baidu\Toolbar"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Baidu\AddressBar"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\Baidu"


// Adware.WurldMedia:
// See also: http://www.systemlookup.com/CLSID/54006-dll_random_char.html
// The BHO entry matches on the class name only ("filename=*.dll"), because the DLL
// name appears to be random (the linked page's title says as much). The File entry
// therefore only covers the one name seen in the log (assjwug.dll); other
// infections will likely need their own File line.
BrowserHelperEx:"TChkBHO Class","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{EF3FA1F1-05F2-4639-92A2-2351228BFB1B}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{EF3FA1F1-05F2-4639-92A2-2351228BFB1B}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\assjwug.dll"


// Keylogger.EBlaster:
// Single BHO (msnwinnet.dll in the system directory) with its BHO and CLSID keys.
BrowserHelperEx:"VPN-OEM Extension","filename=msnwinnet.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{89044184-F260-4FDD-8FAB-2662814846E5}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{89044184-F260-4FDD-8FAB-2662814846E5}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msnwinnet.dll"


// Malware.Fraud.Antivirus:
// Rogue "Antivirus" started from the HKLM Run key; the executable and its program
// folder (<$PROGRAMFILES>\VAV) are listed as well.
AutoRun:"Antivirus","<$PROGRAMFILES>\VAV\vav.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Antivirus"
File:"<$FILE_EXE>","<$PROGRAMFILES>\VAV\vav.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\VAV"


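// Malware.Fraud.Unknown:
// All from one log file; unfortunately I don't know which rogue it belongs to or how
// it could be optimised so that you adopt it, so I have not worked on it any further.
// Raw log paths, kept for reference as elsewhere in this file:
// AutoRun:"newupdate1142C.exe","C:\Documents and Settings\Pati\Application Data\2ACC8B85B13D816DF30BF01E3136BA85\newupdate1142C.exe","flagifnofile=1"
// File:"<$FILE_EXE>","C:\Documents and Settings\Pati\Application Data\2ACC8B85B13D816DF30BF01E3136BA85\newupdate1142C.exe"
// The per-user "Application Data" folder is written as <$APPDATA>, the same way the
// Trojan.Agent(2) entry below was generalised. The hex folder name is taken verbatim
// from the log and may be specific to that one infection -- confirm before relying
// on it (a wildcard may be needed if the rule format allows one in a folder name).
AutoRun:"newupdate1142C.exe","<$APPDATA>\2ACC8B85B13D816DF30BF01E3136BA85\newupdate1142C.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","newupdate1142C.exe"
File:"<$FILE_EXE>","<$APPDATA>\2ACC8B85B13D816DF30BF01E3136BA85\newupdate1142C.exe"

// Second Run value from the same log: same folder, but the value name and file name
// carry a space before ".exe". The original submission repeated this entry three
// times verbatim; the copies were collapsed to one.
AutoRun:"newupdate1142c .exe","<$APPDATA>\2acc8b85b13d816df30bf01e3136ba85\newupdate1142c .exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","newupdate1142c .exe"
File:"<$FILE_EXE>","<$APPDATA>\2acc8b85b13d816df30bf01e3136ba85\newupdate1142c .exe"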


// Malware.Lop:
// Both found in the same log file
// First entry: HKLM Run value pointing into the all-users application data folder
// (<$COMMONAPPDATA>), with its executable and folder.
// AutoRun:"comp view eggs idol","C:\Documents and Settings\All Users\Application Data\loud bike comp view\Rect Mode.exe","flagifnofile=1"
AutoRun:"comp view eggs idol","<$COMMONAPPDATA>\loud bike comp view\Rect Mode.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","comp view eggs idol"
// File:"<$FILE_EXE>","C:\Documents and Settings\All Users\Application Data\loud bike comp view\Rect Mode.exe"
File:"<$FILE_EXE>","<$COMMONAPPDATA>\loud bike comp view\Rect Mode.exe"
Directory:"<$DIR_COMMON_APPDATA>","<$COMMONAPPDATA>\loud bike comp view"

// Second entry: HKCU Run value in the per-user application data folder; the log
// showed the 8.3 short form (DOCUME~1\Mel\APPLIC~1), generalised to <$APPDATA>.
// AutoRun:"funk chic","C:\DOCUME~1\Mel\APPLIC~1\proctest\bitswaitstyle.exe","flagifnofile=1"
AutoRun:"funk chic","<$APPDATA>\proctest\bitswaitstyle.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","funk chic"
// File:"<$FILE_EXE>","C:\DOCUME~1\Mel\APPLIC~1\proctest\bitswaitstyle.exe"
File:"<$FILE_EXE>","<$APPDATA>\proctest\bitswaitstyle.exe"
Directory:"<$DIR_APPDATA>","<$APPDATA>\proctest"


// PUPS.MyWebSearch:
// IE context-menu extension plus its MenuExt key, and the toolbar page it points at.
// NOTE(review): "%26" is the URL-encoding of "&", so the MenuExt key is probably
// named "&Search" on disk -- confirm whether the rule engine decodes the name or
// whether it must be written literally.
IEExtension:"%26Search"
RegyKey:"<$REG_IEMENUEXT>",HKEY_CURRENT_USER,"\Software\Microsoft\Internet Explorer\MenuExt\","%26Search"
// NOTE(review): the File entry below carries a URL rather than a local path; the
// original value was truncated in the log ("toolbar...tml"), hence the trailing "*".
// File:"<$FILE_LIBRARY>","http://edits.mywebsearch.com/toolbar...tml?p=ZUman000"
File:"<$FILE_WEBPAGE>","http://edits.mywebsearch.com/toolbar*"


// Rootkit.Zbot:
// The Winlogon UserInit value had the malware appended after the legitimate
// userinit.exe (see the log line below). RegyRemove is used instead of RegyValue so
// that only the "<$PROFILE>\bqfb.exe *" part is stripped and userinit.exe stays.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\marc\bqfb.exe \s"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$PROFILE>\bqfb.exe *"
// NTFile rather than File here; presumably needed because the file is rootkit-
// protected while Windows is running -- confirm against the rule-format docs.
NTFile:"<$FILE_EXE>","<$PROFILE>\bqfb.exe"


// Spyware.AdRotator:
// Two BHOs with random DLL names in the system directory, so the BrowserHelperEx
// entries match on the displayed name ("ezLife browser enhancer *" / "everyflv")
// and accept any DLL; the File entries cover the names seen in the logs.
BrowserHelperEx:"ezLife browser enhancer *","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4DED0D91-9EC7-4705-B8B6-80EF3942F33F}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4DED0D91-9EC7-4705-B8B6-80EF3942F33F}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mqvcwzno.dll"

BrowserHelperEx:"everyflv","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4b1cdd12-dd36-7265-5cc0-22781201652e}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4b1cdd12-dd36-7265-5cc0-22781201652e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\-Z86pY_.dll"


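// Spyware.Spynet:
// Not sure any more whether you already know this path or not!?
// O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\Windows\install\server.exe
// O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\Windows\install\server.exe
// NOTE(review): the O4 lines above report the autostart under ...\Policies\Explorer\Run
// with the value name "Policies", while the RegyValue entries below target
// ...\CurrentVersion\Run with value names "HKLM"/"HKCU" -- confirm key and value
// name against the log before shipping, otherwise the registry part will not match.
// The original submission listed the HKLM AutoRun line twice; one copy was dropped.
// AutoRun:"HKLM","C:\Windows\install\server.exe","flagifnofile=1"
AutoRun:"HKLM","<$WINDIR>\install\server.exe","flagifnofile=1"
// AutoRun:"HKCU","C:\Windows\install\server.exe","flagifnofile=1"
AutoRun:"HKCU","<$WINDIR>\install\server.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
File:"<$FILE_EXE>","<$WINDIR>\install\server.exe"
Directory:"<$DIR_PROG>","<$WINDIR>\install","filename=server.exe"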


// Trojan.Agent(1):
// HKLM Run value "WinSys2" launching startup.exe from the system directory.
AutoRun:"WinSys2","<$SYSDIR>\startup.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","WinSys2"
File:"<$FILE_EXE>","<$SYSDIR>\startup.exe"


// Trojan.Agent(2):
// O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Corp] C:\Documents and Settings\Owner\Application Data\svchosts.exe
// NOTE(review): the O4 line reports ...\Policies\Explorer\Run, but both RegyValue
// entries below target ...\CurrentVersion\Run -- confirm which key the value lives
// in. The HKCU line has no corresponding O4 entry in the log shown here.
// AutoRun:"Microsoft Corp","C:\Documents and Settings\Owner\Application Data\svchosts.exe","flagifnofile=1"
AutoRun:"Microsoft Corp","<$APPDATA>\svchosts.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Corp"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Corp"
// File:"<$FILE_EXE>","C:\Documents and Settings\Owner\Application Data\svchosts.exe"
File:"<$FILE_EXE>","<$APPDATA>\svchosts.exe"


// Trojan.Agent(3):
// HKCU Run value launching forcedos64.exe from the user's Temp folder.
AutoRun:"forcedos64.exe","<$LOCALSETTINGS>\Temp\forcedos64.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","forcedos64.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\forcedos64.exe"


// Trojan.Agent(4):
// The executable name in the log ("gx1x88g .exe") looks random, so the AutoRun
// entry matches any *.exe in the Temp folder, anchored by the fixed value name
// "hsf87sdhfush87fsufhuie3fddf". No File entry is active for the same reason.
// AutoRun:"hsf87sdhfush87fsufhuie3fddf","c:\docume~1\pati\locals~1\temp\gx1x88g .exe","flagifnofile=1"
AutoRun:"hsf87sdhfush87fsufhuie3fddf","<$LOCALSETTINGS>\temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","hsf87sdhfush87fsufhuie3fddf"
// File:"<$FILE_EXE>","c:\docume~1\pati\locals~1\temp\gx1x88g .exe"


// Trojan.Avalanec:
// Name per Symantec
// HKLM Run value "Microsoft Startup Manager" launching sysservice.exe from the
// system directory.
AutoRun:"Microsoft Startup Manager","<$SYSDIR>\sysservice.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft Startup Manager"
File:"<$FILE_EXE>","<$SYSDIR>\sysservice.exe"


// Trojan.Banker:
// BHO matched by file name only (display name "*"), with its BHO and CLSID keys.
BrowserHelperEx:"*","filename=iebho13.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{D032570A-5F63-4812-A094-87D007C23012}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{D032570A-5F63-4812-A094-87D007C23012}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iebho13.dll"


// Trojan.DelfInject(1):
// Two HKLM Run values from a German-locale log ("Dokumente und Einstellungen\...\
// Anwendungsdaten" = the per-user Application Data folder), generalised to <$APPDATA>.
// AutoRun:"Windows Update Manager","C:\Dokumente und Einstellungen\Rechner.COMPUTER-287298\Anwendungsdaten\winvcsn.exe","flagifnofile=1"
AutoRun:"Windows Update Manager","<$APPDATA>\winvcsn.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Update Manager"
// File:"<$FILE_EXE>","C:\Dokumente und Einstellungen\Rechner.COMPUTER-287298\Anwendungsdaten\winvcsn.exe"
File:"<$FILE_EXE>","<$APPDATA>\winvcsn.exe"

// AutoRun:"Windows Control Manager","C:\Dokumente und Einstellungen\Rechner.COMPUTER-287298\Anwendungsdaten\winvsn.exe","flagifnofile=1"
AutoRun:"Windows Control Manager","<$APPDATA>\winvsn.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Control Manager"
// File:"<$FILE_EXE>","C:\Dokumente und Einstellungen\Rechner.COMPUTER-287298\Anwendungsdaten\winvsn.exe"
File:"<$FILE_EXE>","<$APPDATA>\winvsn.exe"


// Trojan.DelfInject(2):
// All from a single log file!
// Unlike DelfInject(1), these four HKCU Run values point at the profile root
// (<$PROFILE>) rather than the application data folder, and the value names differ.
AutoRun:"Windows Update Manager","<$PROFILE>\winvcsn.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Update Manager"
File:"<$FILE_EXE>","<$PROFILE>\winvcsn.exe"

AutoRun:"WinUpdSrvc","<$PROFILE>\winvns.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","WinUpdSrvc"
File:"<$FILE_EXE>","<$PROFILE>\winvns.exe"

AutoRun:"Windows Service Manager","<$PROFILE>\winvsn.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Service Manager"
File:"<$FILE_EXE>","<$PROFILE>\winvsn.exe"

AutoRun:"Windows Update Services","<$PROFILE>\winsvn.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Update Services"
File:"<$FILE_EXE>","<$PROFILE>\winsvn.exe"


// Trojan.FakeAlert.ttam(1):
// Please look up the associated file in your database and add it! :-)
// The Winlogon Shell value was extended from "Explorer.exe" to also run
// "rundll32.exe bnis.mxo yfklng" (see the log line below); RegyRemove strips the
// malware part so the shell itself is kept.
// NOTE(review): the remove pattern "bnis.mxo *" does not cover the preceding
// "rundll32.exe" token, so that word may be left behind in the Shell value --
// confirm how RegyRemove matches, or widen the pattern to "rundll32.exe bnis.mxo *".
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe rundll32.exe bnis.mxo yfklng"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","bnis.mxo *"
File:"<$FILE_DATA>","<$SYSDIR>\bnis.mxo"


// Trojan.FakeAlert.ttam(2):
// HKLM Run value "RHTDCPL" that loads a DLL via rundll32. The AutoRun pattern
// treats the four-character prefix before "_AMDCap.dll" as variable ("????").
// NOTE(review): the File entry below is fixed to the one name from the log
// (szsh_AMDCap.dll); if the prefix really varies, the file will not be found on
// other machines -- consider the same "????_AMDCap.dll" pattern there, if the
// File directive accepts wildcards.
// AutoRun:"RHTDCPL","rundll32 C:\WINDOWS\system32\szsh_AMDCap.dll,w","flagifnofile=1"
AutoRun:"RHTDCPL","<$SYSDIR>\????_AMDCap.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","RHTDCPL"
// File:"<$FILE_EXE>","rundll32 C:\WINDOWS\system32\szsh_AMDCap.dll,w"
File:"<$FILE_LIBRARY>","<$SYSDIR>\szsh_AMDCap.dll"


// Trojan.FakeAlert.ttam(3):
// File name is fixed
// The Run value name ("8885") looks random, so the AutoRun entry matches any value
// name ("*") and relies on the fixed path instead; flagifnofile=0 because a stale
// value pointing at a missing file should not be flagged on its own.
// AutoRun:"8885","C:\DOCUME~1\marc\LOCALS~1\Temp\isfwff.exe","flagifnofile=1"
AutoRun:"*","<$LOCALSETTINGS>\Temp\isfwff.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","8885"
// File:"<$FILE_EXE>","C:\DOCUME~1\marc\LOCALS~1\Temp\isfwff.exe"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\isfwff.exe"


// Trojan.FakeAlert.ttam(4):
// File name is fixed
// Same sample seen under two random value names, one in HKLM and one in HKCU
// (see the log lines below), on a Vista-style profile (AppData\Local -> <$LOCALAPPDATA>).
// AutoRun:"8tVHDP4m8","C:\Users\Xafa\AppData\Local\Temp\eGddE.exe","flagifnofile=1"
// AutoRun:"bAJuc8","C:\Users\Xafa\AppData\Local\Temp\eGddE.exe","flagifnofile=1"
AutoRun:"*","<$LOCALAPPDATA>\Temp\eGddE.exe","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","8tVHDP4m8"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","bAJuc8"
// File:"<$FILE_EXE>","C:\Users\Xafa\AppData\Local\Temp\eGddE.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\eGddE.exe"


// Trojan.FakeAlert.ttam(5):
// From two different log files. The autostart name is fixed!
// Value name "mcexecwin" is constant; the DLL name differs between the two logs,
// so the AutoRun entry matches any *.dll in the Temp folder and no File entry is
// active (the two commented File lines are the raw rundll32 command lines).
// AutoRun:"mcexecwin","rundll32.exe c:\docume~1\user\locals~1\temp\g73cwsjw.dll, RestoreWindows","flagifnofile=1"
// AutoRun:"mcexecwin","rundll32.exe C:\DOCUME~1\Pati\LOCALS~1\Temp\s95p0.dll, RestoreWindows","flagifnofile=1"
AutoRun:"mcexecwin","<$LOCALSETTINGS>\Temp\*.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","mcexecwin"
// File:"<$FILE_EXE>","rundll32.exe c:\docume~1\user\locals~1\temp\g73cwsjw.dll, RestoreWindows"
// File:"<$FILE_EXE>","rundll32.exe C:\DOCUME~1\Pati\LOCALS~1\Temp\s95p0.dll, RestoreWindows"


// Trojan.Virtumonde(1):
// Collected from several logs. Grouped below by load point: BHOs, rundll32 Run
// values, AppInit_DLLs, Winlogon Notify, ShellServiceObjectDelayLoad and
// SharedTaskScheduler. Every registry entry is paired with the DLL it loads.
//
// --- BHOs (matched by file name; display name "*") ---
// NOTE(review): CLSID {A2BA40A0-74F1-52BD-F411-00B15A2C8953} is shared by three
// different DLL names (il0sk8d4f.dll, xi3z27.dll, f9gm9qw.dll), so its BHO/CLSID
// keys are listed three times; harmless, but they could be consolidated.
BrowserHelperEx:"*","filename=il0sk8d4f.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\il0sk8d4f.dll"

BrowserHelperEx:"*","filename=hs78344kjkfd.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{C5BF49A2-94F3-42BD-F434-3604812C8955}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{C5BF49A2-94F3-42BD-F434-3604812C8955}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hs78344kjkfd.dll"

BrowserHelperEx:"*","filename=xi3z27.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{a2ba40a0-74f1-52bd-f411-00b15a2c8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{a2ba40a0-74f1-52bd-f411-00b15a2c8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xi3z27.dll"

BrowserHelperEx:"*","filename=f9gm9qw.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\f9gm9qw.dll"

BrowserHelperEx:"*","filename=kokemabo.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{d5368152-7422-4480-add3-788dc5870f1f}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{d5368152-7422-4480-add3-788dc5870f1f}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kokemabo.dll"

BrowserHelperEx:"*","filename=fdeploy32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{03D9C0B4-DAD3-411F-9DD4-EC13E0AEFBFe}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{03D9C0B4-DAD3-411F-9DD4-EC13E0AEFBFe}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fdeploy32.dll"

BrowserHelperEx:"*","filename=dbnetlib32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0145366D-3D0B-40CB-B31E-13BF10846A3a}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0145366D-3D0B-40CB-B31E-13BF10846A3a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dbnetlib32.dll"

BrowserHelperEx:"*","filename=mhekab.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0b179ffb-30a6-4414-bfea-48b03af3429e}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0b179ffb-30a6-4414-bfea-48b03af3429e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mhekab.dll"

BrowserHelperEx:"*","filename=tizijehe.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{ac59c2ca-ee0c-497b-b249-685ffb3c1671}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{ac59c2ca-ee0c-497b-b249-685ffb3c1671}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tizijehe.dll"

BrowserHelperEx:"*","filename=voranizi.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{587c59df-8f60-42f4-aaa5-cc9917f7913e}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{587c59df-8f60-42f4-aaa5-cc9917f7913e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\voranizi.dll"

BrowserHelperEx:"*","filename=zenonabi.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{afd3ecab-cdce-4699-8a19-1d370e835132}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{afd3ecab-cdce-4699-8a19-1d370e835132}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zenonabi.dll"

// --- Run values that load a DLL through rundll32 ---
// The value names are random, so each AutoRun matches any value name ("*") on the
// fixed DLL path with flagifnofile=0; the RegyValue line still names the value seen
// in the log. Commented lines are the raw rundll32 command lines.
// AutoRun:"parepedomi","Rundll32.exe "mayopupo.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\mayopupo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","parepedomi"
// File:"<$FILE_EXE>","Rundll32.exe "mayopupo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mayopupo.dll"

// AutoRun:"jowoludop","Rundll32.exe "c:\windows\system32\yeruwuma.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\yeruwuma.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","jowoludop"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\yeruwuma.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yeruwuma.dll"

// AutoRun:"Ysicojeruqa","rundll32.exe "C:\WINDOWS\avavebaxitivume.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\avavebaxitivume.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Ysicojeruqa"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\avavebaxitivume.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\avavebaxitivume.dll"

// AutoRun:"sivohaselo","Rundll32.exe "hewurogo.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\hewurogo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sivohaselo"
// File:"<$FILE_EXE>","Rundll32.exe "hewurogo.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hewurogo.dll"

// AutoRun:"Kboqucocali","rundll32.exe "C:\WINDOWS\Kragus.dll",e","flagifnofile=1"
AutoRun:"*","<$WINDIR>\Kragus.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Kboqucocali"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\Kragus.dll",e"
File:"<$FILE_LIBRARY>","<$WINDIR>\Kragus.dll"

// AutoRun:"biyasuvazi","Rundll32.exe "fizevisi.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\fizevisi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","biyasuvazi"
// File:"<$FILE_EXE>","Rundll32.exe "fizevisi.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fizevisi.dll"

// AutoRun:"Akigefameteq","rundll32.exe "c:\windows\uwosufol.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\uwosufol.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Akigefameteq"
// File:"<$FILE_EXE>","rundll32.exe "c:\windows\uwosufol.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\uwosufol.dll"

// AutoRun:"sezopozere","Rundll32.exe "lefikazi.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\lefikazi.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","sezopozere"
// File:"<$FILE_EXE>","Rundll32.exe "lefikazi.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lefikazi.dll"

// AutoRun:"kojejijan","Rundll32.exe "c:\windows\system32\newuwiyo.dll",a","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\newuwiyo.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","kojejijan"
// File:"<$FILE_EXE>","Rundll32.exe "c:\windows\system32\newuwiyo.dll",a"
File:"<$FILE_LIBRARY>","<$SYSDIR>\newuwiyo.dll"

// NOTE(review): the next two lines use "<$APPDATA>\Roaming\...". Elsewhere in this
// file the Vista path "AppData\Local" is written as <$LOCALAPPDATA> (see
// Trojan.FakeAlert.ttam(4)), which suggests <$APPDATA> already expands to
// "AppData\Roaming"; if so, the extra "\Roaming" segment here is doubled and the
// entries will never match. Confirm the placeholder expansion before shipping.
// AutoRun:"Fuyekgbjlh","rundll32 "C:\Users\Mazlan\AppData\Roaming\iscsiwmi1.dll",Xesod","flagifnofile=1"
AutoRun:"*","<$APPDATA>\Roaming\iscsiwmi1.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Fuyekgbjlh"
// File:"<$FILE_EXE>","rundll32 "C:\Users\Mazlan\AppData\Roaming\iscsiwmi1.dll",Xesod"
File:"<$FILE_LIBRARY>","<$APPDATA>\Roaming\iscsiwmi1.dll"

// AutoRun:"Owutinasuleja","rundll32.exe "C:\WINDOWS\senthx.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\senthx.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Owutinasuleja"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\senthx.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\senthx.dll"

// AutoRun:"Ggosa","rundll32.exe "C:\WINDOWS\diops2.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\diops2.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Ggosa"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\diops2.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\diops2.dll"

// --- AppInit_DLLs ---
// RegyRemove strips just the named DLL from the AppInit_DLLs list rather than
// clearing the whole value. Some entries give a bare file name and some a full
// <$SYSDIR> path; presumably each mirrors how the value was written in that log,
// since the remove string has to match the stored text -- verify per entry.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","moyomego.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\moyomego.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","sxedib.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sxedib.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","fztago.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fztago.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","mhekab.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mhekab.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","pimodage.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pimodage.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","baliwefu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\baliwefu.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yeruwuma.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yeruwuma.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","wunufuzo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wunufuzo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\nisimose.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nisimose.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\tuvumuge.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tuvumuge.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\yekitima.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yekitima.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\kehitulo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kehitulo.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","mivimoru.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mivimoru.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\ganizoni.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ganizoni.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\newuwiyo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\newuwiyo.dll"

// --- Winlogon Notify packages ---
// Each subkey under Winlogon\Notify is matched together with its DllName value.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","4881f00e851","DllName=<$SYSDIR>\es32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\es32.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","winctrl32","DllName=<$SYSDIR>\WinCtrl32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\WinCtrl32.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","fccbYrSJ","DllName=<$SYSDIR>\fccbYrSJ.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fccbYrSJ.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","iifcAQKa","DllName=<$SYSDIR>\iifcAQKa.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iifcAQKa.dll"

// --- ShellServiceObjectDelayLoad (SSODL) ---
// Value name plus the CLSID it holds; the File line is the DLL behind that CLSID as
// seen in the log. The same DLL (e.g. vifowane.dll, newuwiyo.dll) shows up under
// several value names / CLSIDs, presumably from different infections.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","rakiwidet","rakiwidet={b265dcde-409e-4bcb-bda2-751e831a0b9b}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bedutagi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","kapigeyus","kapigeyus={36e8a2ea-dfef-42ee-b1cf-82b14d62212a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\harizepu.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","zufodovuv","zufodovuv={1c5b2131-9df1-4f37-bf14-43ce7057ed35}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yeruwuma.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","zukunuhir","zukunuhir={0a57f8a8-d023-43de-8c9e-78aacf842901}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\garowori.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","hinodepar","hinodepar={f13451f9-e060-4d3c-af28-4602857b4cd0}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rifediga.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","halazinod","halazinod={d0ccbcaa-66ed-4927-8ec2-6e866d62f700}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sikizela.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nopiyezul","nopiyezul={f5adae30-6793-4390-9015-ff1fbf9f373e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yekitima.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","lehiroyak","lehiroyak={01de8c85-5256-415f-97f5-05d491978411}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ganizoni.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","pavigonof","pavigonof={aaf3f3a2-1a15-45d1-8077-1408ed4b36a3}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vifowane.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","mijerozah","mijerozah={03e4d231-08ce-4b78-8372-45880c14190e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vifowane.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","nivemajoz","nivemajoz={792cea2c-3c5a-4a57-b88a-386986a8a81d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vifowane.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","novizuwim","novizuwim={9d28ab78-49e6-46f7-ae77-6bd79d9ce47a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vifowane.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","zavutoton","zavutoton={b14a2460-0873-4cfc-a5a8-a050d20c645a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vifowane.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","lahiheboh","lahiheboh={ae61f786-08f5-4681-95f9-d3682da6ef95}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\newuwiyo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","bokayoton","bokayoton={5b931993-6a27-4a92-9fe9-07ffdd88b3d6}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\newuwiyo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","bohofolak","bohofolak={c3348b2f-30c8-468b-b3b3-7df09634f9f2}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\newuwiyo.dll"

// --- SharedTaskScheduler ---
// Same layout as the SSODL block. The CLSIDs repeat those listed under SSODL above
// (the malware registers one object in both places), while the value names
// (tokatiluy, gahurihor, jugezatag, kupuhivus) recur with different CLSIDs --
// presumably collected from several logs; each pair is kept as seen.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={f13451f9-e060-4d3c-af28-4602857b4cd0}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rifediga.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={d0ccbcaa-66ed-4927-8ec2-6e866d62f700}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\sikizela.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={f5adae30-6793-4390-9015-ff1fbf9f373e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yekitima.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={01de8c85-5256-415f-97f5-05d491978411}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\ganizoni.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={aaf3f3a2-1a15-45d1-8077-1408ed4b36a3}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vifowane.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={03e4d231-08ce-4b78-8372-45880c14190e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vifowane.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","gahurihor","gahurihor={792cea2c-3c5a-4a57-b88a-386986a8a81d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vifowane.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={9d28ab78-49e6-46f7-ae77-6bd79d9ce47a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vifowane.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={b14a2460-0873-4cfc-a5a8-a050d20c645a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vifowane.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={ae61f786-08f5-4681-95f9-d3682da6ef95}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\newuwiyo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={5b931993-6a27-4a92-9fe9-07ffdd88b3d6}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\newuwiyo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={c3348b2f-30c8-468b-b3b3-7df09634f9f2}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\newuwiyo.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={0a57f8a8-d023-43de-8c9e-78aacf842901}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\garowori.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kupuhivus","kupuhivus={1c5b2131-9df1-4f37-bf14-43ce7057ed35}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yeruwuma.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={b265dcde-409e-4bcb-bda2-751e831a0b9b}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bedutagi.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","tokatiluy","tokatiluy={36e8a2ea-dfef-42ee-b1cf-82b14d62212a}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\harizepu.dll"

// The last three reuse the BHO CLSIDs from the top of this section.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","kjsfi8sjefiuoshiefyhiusdhfdf","kjsfi8sjefiuoshiefyhiusdhfdf={A2BA40A0-74F1-52BD-F411-00B15A2C8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\il0sk8d4f.dll"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jgzfkj9w38rksndfi7r4","jgzfkj9w38rksndfi7r4={C5BF49A2-94F3-42BD-F434-3604812C8955}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hs78344kjkfd.dll"

// Here the value name itself is the DLL path, as it appeared in the log.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","<$SYSDIR>\xi3z27.dll","<$SYSDIR>\xi3z27.dll={a2ba40a0-74f1-52bd-f411-00b15a2c8953}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\xi3z27.dll"


// Trojan.Virtumonde(2):
// From a DDS log file
// File-only entries (no registry load point was available from that log): a set of
// randomly named DLLs plus one executable, all in the system directory. Some names
// (kehitulo.dll, lefikazi.dll, mivimoru.dll, newuwiyo.dll) also appear with their
// load points under Trojan.Virtumonde(1).
File:"<$FILE_LIBRARY>","<$SYSDIR>\bahabona.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bonopefo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dowuvedo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\genetoda.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\gigivada.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\huyahife.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\kehitulo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\lefikazi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mivimoru.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nagomone.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\newuwiyo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\nijetiyi.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pakiguwu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\susalade.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\tesusatu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\yetuheke.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\zurihiga.dll"
File:"<$FILE_EXE>","<$SYSDIR>\kelewaba.exe"


// Worm.Autoit:
// See also: http://www.systemlookup.com/Startup/3693-FlashGuard_exe.html
// Not sure whether the AutoRun needs an asterisk at the front and at the back. What do you think?
// The Run value in the log is a quoted path followed by an argument
// ("C:\Programme\FlashGuard\FlashGuard.exe" -run). The leading "*" is meant to
// absorb the opening quote and the trailing "*" the closing quote plus " -run";
// whether that is how the AutoRun wildcard behaves is exactly the open question
// above -- confirm against the rule-format docs.
// AutoRun:"FlashGuard",""C:\Programme\FlashGuard\FlashGuard.exe" -run","flagifnofile=1"
AutoRun:"FlashGuard","*<$PROGRAMFILES>\FlashGuard\FlashGuard.exe*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","FlashGuard"
// File:"<$FILE_EXE>",""C:\Programme\FlashGuard\FlashGuard.exe" -run"
File:"<$FILE_EXE>","<$PROGRAMFILES>\FlashGuard\FlashGuard.exe"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\FlashGuard"