I've collected detection rules for the following malware:
  • PUPS.FastBrowserSearchAssistent
  • Spyware.AdRotator
  • Spyware.Spynet
  • Trojan.Agent(8)
  • Trojan.BHO.ttam
  • Trojan.FakeAlert.ttam(5)
  • Trojan.Fraudpack
  • Trojan.SdBot
  • Trojan.Virtumonde
Category: Trojan
Code:
:: New Malware v109
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2010-05-13}


// PUPS.FastBrowserSearchAssistent:
// Everything taken from a single log file.
// I'm not sure whether you already have the "sgpsa" folder... it looks new to me... what do you think?
// Three components: two BHOs ("BrowserHelper Class", "Search Assistant") installed under <$PROGRAMFILES>\sgpsa,
// and the "Fast Browser Search Toolbar" under <$PROGRAMFILES>\fast browser search\ie. Each BrowserHelperEx line
// is followed by its CLSID registration (Browser Helper Objects, or Internet Explorer\Toolbar for the toolbar,
// plus Classes\CLSID), then the DLL and its directory.
BrowserHelperEx:"BrowserHelper Class","filename=SearchAssistant.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6}"
BrowserHelperEx:"Search Assistant","filename=BHO.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{f0626a63-410b-45e2-99a1-3f2475b2d695}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{f0626a63-410b-45e2-99a1-3f2475b2d695}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\sgpsa\SearchAssistant.dll"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\sgpsa\BHO.dll"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\sgpsa"
// The toolbar registers under Internet Explorer\Toolbar (a value, not a BHO key), hence RegyValue here.
BrowserHelperEx:"Fast Browser Search Toolbar","filename=FBStoolbar.dll"
RegyValue:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Internet Explorer\Toolbar\","{1bb22d38-a411-4b13-a746-c2a4f4ec7344}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{1bb22d38-a411-4b13-a746-c2a4f4ec7344}"
File:"<$FILE_LIBRARY>","<$PROGRAMFILES>\fast browser search\ie\FBStoolbar.dll"
// Child directory listed before its parent — presumably processed in this order; confirm the engine requires it.
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\fast browser search\ie"
Directory:"<$DIR_PROG>","<$PROGRAMFILES>\fast browser search"


// Spyware.AdRotator:
// Five BHO variants with fixed display names but DLL names that look generated (a-1Okel_eElF.dll, jjcdgvthnc.dll, ...),
// hence "filename=*.dll" on each BrowserHelperEx line. The CLSID on the two RegyKey lines and the File line
// carry the concrete identification for each variant.
// NOTE(review): "filename=*.dll" on its own matches any DLL; the BHO name and CLSID are what keep each entry
// specific — verify the engine combines these fields before relying on the wildcard.
BrowserHelperEx:"flvdome","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{21df98d1-0a38-9d1c-50b4-70123d23fcd3}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{21df98d1-0a38-9d1c-50b4-70123d23fcd3}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\a-1Okel_eElF.dll"

BrowserHelperEx:"hotrevenue browser enhancer","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{1377c0b8-9661-6467-57ea-abe65b8eb8f2}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{1377c0b8-9661-6467-57ea-abe65b8eb8f2}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jjcdgvthnc.dll"

BrowserHelperEx:"adHlpr Object","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4b4e01cd-699d-46b1-9fca-d8b4a9cad794}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4b4e01cd-699d-46b1-9fca-d8b4a9cad794}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\usrdiemp.dll"

// This CLSID was copied in upper case from the log; the others are lower case. Registry CLSID lookups are
// normally case-insensitive, but keep it as observed unless the engine is known to compare case-sensitively.
BrowserHelperEx:"profitizeme browser enhancer","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{1EC03A7F-E70F-1FD0-25D2-CECCD73887AD}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{1EC03A7F-E70F-1FD0-25D2-CECCD73887AD}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\aiyzqdsggobm.dll"

BrowserHelperEx:"profitmuse","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{76136ae2-b79c-5d2e-8da4-4f49ba602c0b}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{76136ae2-b79c-5d2e-8da4-4f49ba602c0b}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\fb6b4224.dll"


// Spyware.Spynet:
// A copy of lsass.exe in an "install" subfolder of the system directory. The genuine lsass.exe lives directly
// in the system directory, so the subfolder path itself is the indicator — the name alone is not.
// Run value names seen: "Policies", "HKLM" and "HKCU" (the AutoRun lines). Only "HKLM" and "HKCU" get a
// RegyValue counterpart below.
// NOTE(review): the "Policies" value has no RegyValue line — confirm the AutoRun entry alone is enough to
// remove it, or add the matching value under the key where it was observed.
AutoRun:"Policies","<$SYSDIR>\install\lsass.exe","flagifnofile=1"
AutoRun:"HKLM","<$SYSDIR>\install\lsass.exe","flagifnofile=1"
AutoRun:"HKCU","<$SYSDIR>\install\lsass.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","HKCU"
File:"<$FILE_EXE>","<$SYSDIR>\install\lsass.exe"
// "filename=lsass.exe" presumably restricts the Directory hit to an install folder that actually holds the
// dropped file — confirm, since "<$SYSDIR>\install" is a generic name.
Directory:"<$DIR_PROG>","<$SYSDIR>\install","filename=lsass.exe"


// Trojan.Agent(1):
// Creates various F2 and O4 entries (HijackThis section labels: Winlogon Shell/UserInit and Run keys)!!!
// Please include it if you don't have this Trojan yet!
// I thought the Microsoft winlogon file is found under SYSDIR and not under WINDIR or WINDIR\system!?? Or am I mistaken? :-)
// Review note: you are right — the genuine winlogon.exe resides in the system directory (<$SYSDIR>). A
// winlogon.exe under <$WINDIR> or <$WINDIR>\System is not the Microsoft binary, so the File lines below are
// safe as written; just never extend them to <$SYSDIR>\winlogon.exe.
// The commented RegyValue/AutoRun lines are the raw log entries. Each RegyRemove line that follows appears to
// strip only the injected fragment from the Shell/UserInit value (leaving Explorer.exe / userinit.exe in
// place) rather than deleting the whole value — confirm this is how RegyRemove behaves before shipping.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe C:\WINDOWS\winlogon.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","<$WINDIR>\winlogon.exe"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe "C:\Documents and Settings\Administrator\Application Data\lsass.exe""
// Trailing "*" covers the closing quote that surrounds the path in the log.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","<$APPDATA>\lsass.exe*"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\Windows\system32\userinit.exe,C:\Windows\System\winlogon.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$WINDIR>\System\winlogon.exe"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=c:\documents and settings\robert porter\application data\zdrvj.exe"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$APPDATA>\zdrvj.exe"
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe scvhost.exe"
// "scvhost.exe" — note the transposed letters imitating svchost.exe; the log gives no directory, the File line
// below assumes <$SYSDIR> (where a bare name in the Shell value would be resolved from) — verify against a sample.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","scvhost.exe"
File:"<$FILE_EXE>","<$WINDIR>\winlogon.exe"
// AutoRun:"MSWUpdate",""C:\Documents and Settings\Administrator\Application Data\lsass.exe"","flagifnofile=1"
// Leading and trailing "*" absorb the quotes around the path seen in the log line above.
AutoRun:"MSWUpdate","*<$APPDATA>\lsass.exe*","flagifnofile=1"
File:"<$FILE_EXE>","<$APPDATA>\lsass.exe"
AutoRun:"Windows","<$WINDIR>\System\winlogon.exe","flagifnofile=1"
AutoRun:"winlogon","<$WINDIR>\System\winlogon.exe","flagifnofile=1"
File:"<$FILE_EXE>","<$WINDIR>\System\winlogon.exe"
File:"<$FILE_EXE>","<$APPDATA>\zdrvj.exe"
File:"<$FILE_EXE>","<$SYSDIR>\scvhost.exe"


// Trojan.Agent(2):
// Batch-file payload (win32sys.cmd) in its own folder under the system directory, started from an HKLM Run
// value named "Win32sys". The File line uses <$FILE_DATA> rather than <$FILE_EXE> because it is a script.
AutoRun:"Win32sys","<$SYSDIR>\win32sys\win32sys.cmd","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Win32sys"
File:"<$FILE_DATA>","<$SYSDIR>\win32sys\win32sys.cmd"
Directory:"<$DIR_PROG>","<$SYSDIR>\win32sys","filename=win32sys.cmd"


// Trojan.Agent(3):
// Four variants, each an executable dropped directly in the user profile root (<$PROFILE>) and started from an
// HKLM Run value whose name imitates a Windows update/service component. The file names winvsn.exe, winsvn.exe
// and winsvcn.exe differ by a single letter — keep all three; they are not typos of one another.
AutoRun:"Windows Service Manager","<$PROFILE>\winvsn.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Service Manager"
File:"<$FILE_EXE>","<$PROFILE>\winvsn.exe"

AutoRun:"Windows Update Services","<$PROFILE>\winsvn.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Update Services"
File:"<$FILE_EXE>","<$PROFILE>\winsvn.exe"

AutoRun:"WinUpdMngr","<$PROFILE>\dlll.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","WinUpdMngr"
File:"<$FILE_EXE>","<$PROFILE>\dlll.exe"

AutoRun:"WindowsUpdateManager","<$PROFILE>\winsvcn.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","WindowsUpdateManager"
File:"<$FILE_EXE>","<$PROFILE>\winsvcn.exe"


// Trojan.Agent(4):
// StartService.exe in a randomly named folder under the local AppData directory; the Run value name carries the
// same random suffix ("StartServiceCCTMSTMK" in the log), so both are generalized with wildcards.
// NOTE(review): the AutoRun and File/Directory lines are generalized ("StartService*", "<$LOCALAPPDATA>\*"), but
// the RegyValue line still names the literal "StartServiceCCTMSTMK" from this one log. On a machine with a
// different suffix the Run value would be left behind — use a wildcard there too if RegyValue supports it.
// AutoRun:"StartServiceCCTMSTMK","C:\Users\Acer\AppData\Local\CCTMSTMK\StartService.exe","flagifnofile=1"
AutoRun:"StartService*","<$LOCALAPPDATA>\*\StartService.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","StartServiceCCTMSTMK"
// File:"<$FILE_EXE>","C:\Users\Acer\AppData\Local\CCTMSTMK\StartService.exe"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\*\StartService.exe"
// "filename=StartService.exe" should keep the wildcard directory match from touching unrelated folders under
// Local AppData — confirm the engine only flags a directory that contains that file.
Directory:"<$DIR_APPDATA>","<$LOCALAPPDATA>\*","filename=StartService.exe"


// Trojan.Agent(5)
// Alias Trojan.prankster.ttam ;-)
// Two droppers under the roaming AppData folder: Kernel32.exe (Run value "1") and winlog<4 digits>.exe under
// the Microsoft subfolder (Run value "winlog1234.exe").
// NOTE(review): the AutoRun and File lines use wildcards ("?" / "winlog????.exe") but the RegyValue lines keep
// the literal names "1" and "winlog1234.exe" from this log; other samples with a different digit block would
// keep their Run value. Also, "?" as the AutoRun name matches any single-character value name — the path is
// what makes it specific, so do not loosen the path further.
// AutoRun:"1","C:\Documents and Settings\Administrator\Application Data\Kernel32.exe","flagifnofile=1"
AutoRun:"?","<$APPDATA>\Kernel32.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","1"
// File:"<$FILE_EXE>","C:\Documents and Settings\Administrator\Application Data\Kernel32.exe"
File:"<$FILE_EXE>","<$APPDATA>\Kernel32.exe"
// AutoRun:"winlog1234.exe","C:\Documents and Settings\Administrator\Application Data\Microsoft\winlog1234.exe","flagifnofile=1"
AutoRun:"winlog????.exe","<$APPDATA>\Microsoft\winlog????.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","winlog1234.exe"
// File:"<$FILE_EXE>","C:\Documents and Settings\Administrator\Application Data\Microsoft\winlog1234.exe"
File:"<$FILE_EXE>","<$APPDATA>\Microsoft\winlog????.exe"


// Trojan.Agent(6):
// Two executables in a "SYS" folder inside the user's My Documents (<$PERSONAL>), started from HKCU Run values
// "AARC" and "Update". The commented lines are the raw log paths the placeholders were derived from.
// NOTE(review): "Update" is a generic Run value name; the <$PERSONAL>\SYS\winupdate.exe path is what keeps the
// rule specific — do not generalize that path.
// AutoRun:"AARC","C:\Documents and Settings\Administrator\My Documents\SYS\vprwsuals.exe","flagifnofile=1"
AutoRun:"AARC","<$PERSONAL>\SYS\vprwsuals.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","AARC"
// File:"<$FILE_EXE>","C:\Documents and Settings\Administrator\My Documents\SYS\vprwsuals.exe"
File:"<$FILE_EXE>","<$PERSONAL>\SYS\vprwsuals.exe"
// AutoRun:"Update","C:\Documents and Settings\Administrator\My Documents\SYS\winupdate.exe","flagifnofile=1"
AutoRun:"Update","<$PERSONAL>\SYS\winupdate.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Update"
// File:"<$FILE_EXE>","C:\Documents and Settings\Administrator\My Documents\SYS\winupdate.exe"
File:"<$FILE_EXE>","<$PERSONAL>\SYS\winupdate.exe"
// Directory removal is gated on winupdate.exe being present; vprwsuals.exe alone would not trigger it.
Directory:"<$DIR_PROG>","<$PERSONAL>\SYS","filename=winupdate.exe"


// Trojan.Agent(7):
// Updater.exe dropped into the system directory, started from an HKCU Run value named "Windows Update".
// NOTE(review): the value name is generic; the <$SYSDIR>\Updater.exe path is what keeps this specific. Keep the
// File line and do not widen the AutoRun path.
AutoRun:"Windows Update","<$SYSDIR>\Updater.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Update"
File:"<$FILE_EXE>","<$SYSDIR>\Updater.exe"


// Trojan.Agent(8):
// Log shows the entry under HKLM\..\Policies\Explorer\Run, value "MicrosoftCorp", pointing at nvdis.exe in the
// user's Temp folder.
// NOTE(review): the AutoRun path "<$LOCALAPPDATA>\Temp\*.exe" matches any executable in Temp; only the value
// name "MicrosoftCorp" narrows it. The File line keeps the observed name nvdis.exe. Unlike the other sections
// there is no RegyValue line for the Policies\Explorer\Run value — confirm the AutoRun line alone removes it.
// O4 - HKLM\..\Policies\Explorer\Run: [MicrosoftCorp] C:\Users\Acer\AppData\Local\Temp\nvdis.exe
AutoRun:"MicrosoftCorp","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\nvdis.exe"


// Trojan.BHO.ttam:
// Single BHO "getsn32.msiesn" backed by getsn32.dll in the system directory; identified by its CLSID under
// Browser Helper Objects and Classes\CLSID.
BrowserHelperEx:"getsn32.msiesn","filename=getsn32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{a55ca42c-bf8a-4491-9073-6e32fc4e6250}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{a55ca42c-bf8a-4491-9073-6e32fc4e6250}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\getsn32.dll"


// Trojan.FakeAlert.ttam(1):
// Please look up samples in the database first and then add it ;-)
// Winlogon Shell value extended with "rundll32.exe thxr.wgo nwfdtx". The RegyRemove line strips the
// "thxr.wgo <6 chars>" part (the "??????" stands in for the six-letter export name, "nwfdtx" in the log),
// leaving rundll32.exe/Explorer.exe alone — confirm RegyRemove removes only the matched fragment.
// The file is matched on name plus a size band (18000-22000 bytes) rather than an exact size.
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","Shell=Explorer.exe rundll32.exe thxr.wgo nwfdtx"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","Shell","thxr.wgo ??????"
File:"<$FILE_DATA>","<$SYSDIR>\thxr.wgo","filesize>=18000,filesize<=22000"


// Trojan.FakeAlert.ttam(2):
// BHO registered with the one-letter name "D"; the DLL is bt<5 chars>.dll in the system directory.
BrowserHelperEx:"D","filename=bt?????.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{4cb84d69-81f9-38a4-9afc-a33cb3da9335}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{4cb84d69-81f9-38a4-9afc-a33cb3da9335}"
// I found a file size in the same DDS log file and tried to build it in here; what do you think of my attempt? :-)
// The observed size (229376 bytes) is kept as a comment; the live line uses a band of 215000-245000 bytes
// (roughly +/-15 KB) so that slightly repacked variants still match without the wildcard name alone deciding.
// File:"<$FILE_LIBRARY>","<$SYSDIR>\bt44917.dll","filesize=229376"
File:"<$FILE_LIBRARY>","<$SYSDIR>\bt?????.dll","filesize>=215000,filesize<=245000"


// Trojan.FakeAlert.ttam(3):
// A really nasty one :-(
// The log reported wtfdll.exe with no directory and Run value names that look random ("{F272FED5-...}",
// "omgwtf1"), so the AutoRun name is "*" and the path is tried under both <$SYSDIR> and <$WINDIR>.
// These two lines use flagifnofile=0 while the rest of the file uses 1 — presumably so a "*" name only
// reports when the file really exists, keeping unrelated Run values from being flagged; confirm the semantics.
// The RegyValue/File lines for those random names are kept commented as a record only.
// AutoRun:"{F272FED5-AE54-6F82-BB97-C42F67785C65}","\wtfdll.exe","flagifnofile=1"
// AutoRun:"omgwtf1","\wtfdll.exe","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\wtfdll.exe","flagifnofile=0"
AutoRun:"*","<$WINDIR>\wtfdll.exe","flagifnofile=0"
// RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","{F272FED5-AE54-6F82-BB97-C42F67785C65}"
// RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","omgwtf1"
// File:"<$FILE_EXE>","\wtfdll.exe"
// File:"<$FILE_EXE>","\wtfdll.exe"
// "Roaming:Zomg.exe" — the colon means the payload is stored as an NTFS alternate data stream named Zomg.exe
// attached to the folder itself, not as a regular file. Whether the File handler can see/remove a stream
// should be verified; a plain directory listing will not show it.
// NOTE(review): if <$APPDATA> already expands to the roaming Application Data folder (as the XP-style mapping
// used elsewhere in this file suggests), the extra "\Roaming" component here and on the systemlibrary lines
// would never match on Vista/7 — verify the variable's expansion.
// AutoRun:"Zomglawlz","<$APPDATA>\Roaming:Zomg.exe","flagifnofile=1"
AutoRun:"Zomg*","<$APPDATA>\Roaming:Zomg.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Zomglawlz"
File:"<$FILE_EXE>","<$APPDATA>\Roaming:Zomg.exe"
AutoRun:"systemlibrary","<$APPDATA>\Roaming\systemlibrary.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","systemlibrary"
File:"<$FILE_EXE>","<$APPDATA>\Roaming\systemlibrary.exe"


// Trojan.FakeAlert.ttam(4):
// I know there are legitimate entries named "MSConfig" too, but the whole thing under PROFILE?? I can't imagine that... or what do you think?
// Review note: the legitimate "MSConfig" Run value points at the system's msconfig.exe, not at an executable in
// the profile root, so restricting the path to <$PROFILE> is what avoids that false positive. Even so,
// "<$PROFILE>\*.exe*" matches any .exe (with optional arguments) directly in the profile folder; flagifnofile=0
// presumably limits the hit to files that exist. The RegyValue line is deliberately left commented because the
// value name alone would also hit the legitimate entry.
// AutoRun:"MSConfig","c:\documents and settings\robert porter\ratlwh.exe \u","flagifnofile=1"
AutoRun:"MSConfig","<$PROFILE>\*.exe*","flagifnofile=0"
// RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","MSConfig"
// File:"<$FILE_EXE>","c:\documents and settings\robert porter\ratlwh.exe \u"
File:"<$FILE_EXE>","<$PROFILE>\ratlwh.exe"


// Trojan.FakeAlert.ttam(5):
// O4 - Startup: wwwzuc32.exe
// Plus an excerpt from an MBAM log file:
// Infected files:
// C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wwwzuc32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
// Only a File line: the executable sits in the user's Startup folder (<$STARTUP>), so there is no Run value to remove.
File:"<$FILE_EXE>","<$STARTUP>\wwwzuc32.exe"


// Trojan.Fraudpack:
// Do you already have the registry entries as well?
// Settings keys HKCU\SOFTWARE\M5T8QL3YW3 and HKCU\SOFTWARE\XML, a Run value "M5T8QL3YW3" whose target is
// tried in four temp/Windows locations, and two scheduled-task .job files.
// NOTE(review): "XML" is a generic key name under HKCU\SOFTWARE; check it against clean systems before
// shipping, since removing a key with that name could hit unrelated software. The M5T8QL3YW3 key and the
// two task GUIDs are the specific indicators.
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","M5T8QL3YW3"
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","XML"
// "*.exe" in each path: the dropped file name varies, the Run value name is what identifies it.
AutoRun:"M5T8QL3YW3","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
AutoRun:"M5T8QL3YW3","<$LOCALSETTINGS>\Temp\*.exe","flagifnofile=1"
AutoRun:"M5T8QL3YW3","<$WINDIR>\temp\*.exe","flagifnofile=1"
AutoRun:"M5T8QL3YW3","<$WINDIR>\*.exe","flagifnofile=1"
File:"<$FILE_DATA>","<$WINDIR>\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job"
File:"<$FILE_DATA>","<$WINDIR>\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job"


// Trojan.SdBot:
// Not entirely sure about the two asterisks ;-)
// Review note: the asterisks are right — the log line shows the path wrapped in quotes, so "*<$PROFILE>\javar.jar*"
// tolerates the surrounding quote characters (the same trick is used for the MSWUpdate entry earlier in this file).
// The payload is a .jar, hence <$FILE_DATA> instead of <$FILE_EXE> on the live File line.
// AutoRun:"Windows Runtime",""C:\Users\Martin Stosic\javar.jar"","flagifnofile=1"
AutoRun:"Windows Runtime","*<$PROFILE>\javar.jar*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows Runtime"
// File:"<$FILE_EXE>",""C:\Users\Martin Stosic\javar.jar""
File:"<$FILE_DATA>","<$PROFILE>\javar.jar"


// Trojan.Virtumonde:
// Four persistence mechanisms are covered below: BHOs (any display name, fixed DLL), rundll32-launched Run
// values, AppInit_DLLs injection, and Winlogon\Notify packages.
// BHOs: the display name is "*" because it varies; the DLL name and CLSID identify the hit.
BrowserHelperEx:"*","filename=wigudozi.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{058ea4fb-f4e4-4850-85b1-2bf0aa62750f}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{058ea4fb-f4e4-4850-85b1-2bf0aa62750f}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wigudozi.dll"

// "d3dx9_3432.dll" imitates the DirectX runtime naming scheme; the CLSID is copied as observed (mixed case at the end).
BrowserHelperEx:"*","filename=d3dx9_3432.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0128C368-38CF-4991-97B9-A6EC21718D9e}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0128C368-38CF-4991-97B9-A6EC21718D9e}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\d3dx9_3432.dll"

// Run values launching a DLL through rundll32: the value names are random, so AutoRun uses "*" and matches on
// the DLL path (trailing "*" absorbs the export argument, e.g. ",b"). flagifnofile=0 presumably limits the "*"
// match to DLLs that actually exist — confirm. The RegyValue line still names the observed value so the
// registry entry is removed too; the File line changes <$FILE_EXE> to <$FILE_LIBRARY> because the payload is a DLL.
// AutoRun:"7498f5a7","rundll32.exe "c:\windows\system32\thvfuccy.dll",b","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\thvfuccy.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","7498f5a7"
// File:"<$FILE_EXE>","rundll32.exe "c:\windows\system32\thvfuccy.dll",b"
File:"<$FILE_LIBRARY>","<$SYSDIR>\thvfuccy.dll"

// The log gives only a bare DLL name; <$SYSDIR> is assumed since rundll32 resolves bare names from the
// system path — verify against a sample.
// AutoRun:"bywurpsys","rundll32.exe "rqpqop.dll",DllRegisterServer","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\rqpqop.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","bywurpsys"
// File:"<$FILE_EXE>","rundll32.exe "rqpqop.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\rqpqop.dll"

// AutoRun:"rqonnodrv","rundll32.exe "efdbcc.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\efdbcc.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","rqonnodrv"
// File:"<$FILE_EXE>","rundll32.exe "efdbcc.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\efdbcc.dll"

// NOTE(review): if <$APPDATA> already expands to the roaming Application Data folder (as the XP-style mapping
// used elsewhere in this file suggests), "<$APPDATA>\Roaming\msftedith.dll" doubles the folder and will not
// match on Vista/7 — verify the variable's expansion; "<$APPDATA>\msftedith.dll" may be the intended form.
// AutoRun:"nrsoyu","rundll32 "C:\Users\Mo\AppData\Roaming\msftedith.dll",JHGXIPT","flagifnofile=1"
AutoRun:"*","<$APPDATA>\Roaming\msftedith.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","nrsoyu"
// File:"<$FILE_EXE>","rundll32 "C:\Users\Mo\AppData\Roaming\msftedith.dll",JHGXIPT"
File:"<$FILE_LIBRARY>","<$APPDATA>\Roaming\msftedith.dll"

// AppInit_DLLs: every process that loads user32 also loads the listed DLLs, so the RegyRemove lines strip just
// the one entry from the value instead of clearing it (other, legitimate entries must survive) — confirm
// RegyRemove behaves that way. Some entries carry a full path and some a bare name; each matches how it
// was observed in the value, so keep them as written.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\wmfhotfix.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\wmfhotfix.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","cjqphk.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cjqphk.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\devobj32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\devobj32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\mlljiff.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mlljiff.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","mehoheru.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\mehoheru.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","cproyg.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cproyg.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pefeveli.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pefeveli.dll"

// cryptdlg32.dll is used twice: once via AppInit_DLLs and once via a Winlogon\Notify package, so its File line
// appears twice below. Harmless, but a single File line would do if the engine tolerates it.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\cryptdlg32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cryptdlg32.dll"

// Winlogon\Notify packages: the key is matched on its name plus the DllName value it carries (one with a full
// path, two with bare names, as observed).
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","c0597a88909","DllName=<$SYSDIR>\cryptdlg32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\cryptdlg32.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","winugy32","DllName=winugy32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\winugy32.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","winpij32","DllName=winpij32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\winpij32.dll"