I've collected detection rules for the following Malware:
  • Rootkit.TDSS
  • Rootkit.Zbot
  • Spyware.AdRotator
  • Trojan.Agent(9)
  • Trojan.FakeAlert.ttam(2)
  • Trojan.Fraudpack
  • Trojan.Virtumonde
Category: Trojan
Code:
:: New Malware v110
// Revision 1
// {Cat:Trojan}{Cnt:1}
// {Det:Matt,2010-05-16}
// Submitted detection/removal rules awaiting review. The syntax used below (AutoRun:, RegyValue:,
// RegyKey:, RegyRemove:, File:, Directory:, BrowserHelperEx:, NTFile: with <$...> path variables)
// looks like the Spybot S&D include (.sbi) format — confirm against the target engine before merging.
// Lines beginning with // are the submitter's remarks and the raw log lines (GMER, DDS, HijackThis)
// each rule was derived from; they are kept as evidence for the reviewer only.


// Rootkit.TDSS:
// Please check whether you already have all of these entries! Thanks :-)
// From a GMER log file
// NOTE(review): this section is evidence only — no rule lines were derived from it yet. Candidates
// visible in the log: the hidden service/driver \WINDOWS\PRAGMA*\PRAGMAd.sys and its PRAGMAc.dll
// module, the PRAGMA* directories themselves, the hidden system32\dll.dll injected into user
// processes, and the PRAGMA*.tmp / pragma*.dll droppings in Temp. The suffix after "PRAGMA" differs
// per infection (cpxuetqxdm, ibpxusptio, mtixtbdrbc, oibcjxvnmx, qipjqvrtcc in this single log), so
// any rule needs the wildcard path form already used elsewhere in this file (e.g.
// Directory:"<$DIR_PROG>","<$WINDIR>\PRAGMA*" — verify the engine accepts a wildcard there).
// NOTE(review): the BTHPORT\Parameters\Keys entries are Bluetooth link keys, and the
// Installer\UserData\...\Usage@AiO_Device value belongs to the HP imaging software also present in
// the process list; GMER lists them presumably because they are access-restricted, not because they
// are malicious — do not turn them into detections.
// NOTE(review): the files are marked "*** hidden ***" by the rootkit driver; a plain file rule may
// only see them once the driver is no longer running, so the service entry presumably has to go first.
// The victim's account name in the Temp paths below has been replaced with <user>.
// ---- Modules - GMER 1.0.15 ----
// Module \systemroot\PRAGMAcpxuetqxdm\PRAGMAd.sys (*** hidden *** ) A97EB000-A980E000 (143360 bytes)
// ---- Processes - GMER 1.0.15 ----
// Library D:\WINDOWS\system32\dll.dll (*** hidden *** ) @ D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe [2460] 0x10000000
// Library D:\WINDOWS\system32\dll.dll (*** hidden *** ) @ D:\WINDOWS\system32\wuauclt.exe [2796] 0x10000000
// ---- Services - GMER 1.0.15 ----
// Service D:\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAd.sys (*** hidden *** ) [SYSTEM] PRAGMAcpxuetqxdm <-- ROOTKIT !!!
// ---- Registry - GMER 1.0.15 ----
// Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000a3a5901ef (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000a3a5901ef@000d3c409b29 0x0C 0x6E 0xAC 0x9A ...
// Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000a3a5901ef (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000a3a5901ef@000d3c409b29 0x0C 0x6E 0xAC 0x9A ...
// Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAoibcjxvnmx (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAoibcjxvnmx@start 1
// Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAoibcjxvnmx@type 1
// Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAoibcjxvnmx@imagepath \systemroot\PRAGMAoibcjxvnmx\PRAGMAd.sys
// Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAoibcjxvnmx\modules (not active ControlSet)
// Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAoibcjxvnmx\modules@PRAGMAd \systemroot\PRAGMAoibcjxvnmx\PRAGMAd.sys
// Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAoibcjxvnmx\modules@PRAGMAc \systemroot\PRAGMAoibcjxvnmx\PRAGMAc.dll
// Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a5901ef
// Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a5901ef@000d3c409b29 0x0C 0x6E 0xAC 0x9A ...
// Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAcpxuetqxdm
// Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAcpxuetqxdm@start 1
// Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAcpxuetqxdm@type 1
// Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAcpxuetqxdm@imagepath \systemroot\PRAGMAcpxuetqxdm\PRAGMAd.sys
// Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAcpxuetqxdm\modules
// Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAcpxuetqxdm\modules@PRAGMAd \systemroot\PRAGMAcpxuetqxdm\PRAGMAd.sys
// Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAcpxuetqxdm\modules@PRAGMAc \systemroot\PRAGMAcpxuetqxdm\PRAGMAc.dll
// Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\352DFC58EA831BD4CA7B0F4F7C1999D0\Usage@AiO_Device 1018105800
// ---- Files - GMER 1.0.15 ----
// File D:\Documents and Settings\<user>\Local Settings\Temp\PRAGMA5d73.tmp 67072 bytes executable
// File D:\Documents and Settings\<user>\Local Settings\Temp\PRAGMA609f.tmp 343040 bytes executable
// File D:\Documents and Settings\<user>\Local Settings\Temp\PRAGMA6f89.tmp 90624 bytes executable
// File D:\Documents and Settings\<user>\Local Settings\Temp\PRAGMA87de.tmp 90624 bytes executable
// File D:\Documents and Settings\<user>\Local Settings\Temp\PRAGMAa01e.tmp 67072 bytes executable
// File D:\Documents and Settings\<user>\Local Settings\Temp\PRAGMAb35d.tmp 343040 bytes executable
// File D:\Documents and Settings\<user>\Local Settings\Temp\PRAGMAe2a.tmp 90624 bytes executable
// File D:\Documents and Settings\<user>\Local Settings\Temp\PRAGMAf72c.tmp 67072 bytes executable
// File D:\Documents and Settings\<user>\Local Settings\Temp\PRAGMAf865.tmp 343040 bytes executable
// File D:\Documents and Settings\<user>\Local Settings\Temp\pragmamainqt.dll 10274 bytes
// File D:\Documents and Settings\<user>\Local Settings\Temp\pragmapdconf.ini 35 bytes
// File D:\WINDOWS\Temp\PRAGMA1ee3.tmp 142 bytes
// File D:\WINDOWS\Temp\PRAGMA75a3.tmp 142 bytes
// File D:\WINDOWS\Temp\PRAGMA8bb7.tmp 142 bytes
// File D:\WINDOWS\PRAGMAcpxuetqxdm 0 bytes
// File D:\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAc.dll 31232 bytes executable
// File D:\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAcfg.ini 93 bytes
// File D:\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAd.sys 46080 bytes executable <-- ROOTKIT !!!
// File D:\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAsrcr.dat 146 bytes
// File D:\WINDOWS\PRAGMAibpxusptio 0 bytes
// File D:\WINDOWS\PRAGMAibpxusptio\PRAGMAc.dll 31232 bytes executable
// File D:\WINDOWS\PRAGMAibpxusptio\PRAGMAcfg.ini 93 bytes
// File D:\WINDOWS\PRAGMAibpxusptio\PRAGMAd.sys 46080 bytes executable
// File D:\WINDOWS\PRAGMAibpxusptio\PRAGMAsrcr.dat 146 bytes
// File D:\WINDOWS\PRAGMAmtixtbdrbc 0 bytes
// File D:\WINDOWS\PRAGMAoibcjxvnmx 0 bytes
// File D:\WINDOWS\PRAGMAoibcjxvnmx\PRAGMAc.dll 31232 bytes executable
// File D:\WINDOWS\PRAGMAoibcjxvnmx\PRAGMAcfg.ini 93 bytes
// File D:\WINDOWS\PRAGMAoibcjxvnmx\PRAGMAd.sys 46080 bytes executable
// File D:\WINDOWS\PRAGMAoibcjxvnmx\PRAGMAsrcr.dat 146 bytes
// File D:\WINDOWS\PRAGMAqipjqvrtcc 0 bytes
// File D:\WINDOWS\PRAGMAqipjqvrtcc\pragmabbr.dll 57344 bytes executable
// File D:\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAc.dll 31232 bytes executable
// File D:\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAcfg.ini 93 bytes
// File D:\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAd.sys 46080 bytes executable
// File D:\WINDOWS\PRAGMAqipjqvrtcc\pragmaserf.dll 57344 bytes executable
// File D:\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAsrcr.dat 146 bytes


// Rootkit.Zbot:
// Zbot appends its own executable to the Winlogon UserInit value; the logged value (Vista/7 system)
// was:
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\config\systemprofile\AppData\Roaming\sdra64.exe,C:\Users\Human\AppData\Roaming\sdra64.exe,"
// The RegyRemove lines presumably strip only the appended fragment (including its trailing comma) so
// that the legitimate userinit.exe part of the value survives — confirm that is the engine's semantics.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\config\systemprofile\AppData\Roaming\sdra64.exe,"
// NOTE(review): "<$APPDATA>\Roaming\sdra64.exe" probably doubles the Roaming component. Elsewhere in
// this file <$APPDATA> stands in for "...\Application Data" (XP), i.e. "...\AppData\Roaming" on
// Vista+ (see the FakeAlert.ttam(1) mapping below), so the expected form is "<$APPDATA>\sdra64.exe"
// here and in the matching NTFile rule. Verify the variable's expansion before merging.
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$APPDATA>\Roaming\sdra64.exe,"
// Do you already have the following variant too?
// RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra73.exe,"
RegyRemove:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\","UserInit","<$SYSDIR>\sdra73.exe,"
// The dropped executables for both variants (NTFile rather than File — presumably chosen because the
// sample hides or locks the file; the difference between the two rule types is not visible here).
NTFile:"<$FILE_EXE>","<$SYSDIR>\config\systemprofile\AppData\Roaming\sdra64.exe"
NTFile:"<$FILE_EXE>","<$APPDATA>\Roaming\sdra64.exe"
NTFile:"<$FILE_EXE>","<$SYSDIR>\sdra73.exe"


// Spyware.AdRotator:
// Browser Helper Object registered under the name "flvdome" (any DLL file name accepted), its BHO
// registration and COM class entries under HKLM, and the DLL itself in the system directory.
BrowserHelperEx:"flvdome","filename=*.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{ec302626-9795-32d4-9991-c9cf2956df1d}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{ec302626-9795-32d4-9991-c9cf2956df1d}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\_x_EN-_-Sv2K.dll"


// Trojan.Agent(1):
// HKLM Run entry "Windows System Guard" launching egun.exe from the user's application-data folder,
// plus the executable itself.
AutoRun:"Windows System Guard","<$APPDATA>\egun.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Windows System Guard"
File:"<$FILE_EXE>","<$APPDATA>\egun.exe"


// Trojan.Agent(2):
// I don't know of any legitimate Microsoft entry with this name... Is it malicious?
// NOTE(review): no Microsoft component I am aware of registers a Run entry called "Microsoft XMP" or
// "Microsoft FAV", and neither drops a loose executable directly into the Windows directory; the
// File rules on the two executables are the safer anchor should the entry names turn out to vary.
// Original log lines (c:\windows\ mapped to <$WINDIR>):
// AutoRun:"Microsoft XMP","c:\windows\adsxmp.exe","flagifnofile=1"
AutoRun:"Microsoft XMP","<$WINDIR>\adsxmp.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft XMP"
File:"<$FILE_EXE>","<$WINDIR>\adsxmp.exe"
// AutoRun:"Microsoft FAV","c:\windows\fav.exe","flagifnofile=1"
AutoRun:"Microsoft FAV","<$WINDIR>\fav.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft FAV"
File:"<$FILE_EXE>","<$WINDIR>\fav.exe"


// Trojan.Agent(3):
// "wuaucldt.exe" is a look-alike of the legitimate Windows Update client wuauclt.exe (seen in the
// GMER process list above) — the extra "d" is the tell. Two placements are covered: machine-wide
// (HKLM Run + system directory) and per-user (HKCU Run + profile root).
AutoRun:"syncman","<$SYSDIR>\wuaucldt.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","syncman"
File:"<$FILE_EXE>","<$SYSDIR>\wuaucldt.exe"

AutoRun:"syncman","<$PROFILE>\wuaucldt.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","syncman"
File:"<$FILE_EXE>","<$PROFILE>\wuaucldt.exe"


// Trojan.Agent(4):
// A fake "windows" sub-directory inside system32 holding a rogue taskmgr.exe, started under three
// different entry names. DDS log lines:
// uExplorerRun: [WinOSPolicies] c:\windows\system32\windows\taskmgr.exe
// mExplorerRun: [WinOSPolicies] c:\windows\system32\windows\taskmgr.exe
// NOTE(review): if uExplorerRun / mExplorerRun denote the HKCU / HKLM ...\Policies\Explorer\Run keys
// (as in DDS logs), no RegyValue rule below covers them — only the ...\CurrentVersion\Run keys are
// listed, and "WinOSPolicies" has no RegyValue line at all. Confirm whether the AutoRun line alone
// cleans that location, otherwise add the matching RegyValue entries.
AutoRun:"WinOSPolicies","<$SYSDIR>\windows\taskmgr.exe","flagifnofile=1"
// NOTE(review): the two names below contain the ® character (U+00AE); the rule file must be saved in
// the encoding the engine expects, or these value names will never match.
AutoRun:"Microsoft®Windows®Defender","<$SYSDIR>\windows\taskmgr.exe","flagifnofile=1"
AutoRun:"Microsoft®Windows®OperatingSystem","<$SYSDIR>\windows\taskmgr.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft®Windows®Defender"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Microsoft®Windows®OperatingSystem"
File:"<$FILE_EXE>","<$SYSDIR>\windows\taskmgr.exe"
// The Directory rule removes the bogus system32\windows folder once it is identified by the file it
// holds; the real Task Manager lives in system32 itself and is not touched by these paths.
Directory:"<$DIR_PROG>","<$SYSDIR>\windows","filename=taskmgr.exe"


// Trojan.Agent(5):
// Two HKCU Run entries whose names imitate security products ("dso32", "nod32"), each launching an
// executable from the user's local temp folder.
// NOTE(review): "temp" vs "Temp" differs between the two groups; harmless on a case-insensitive file
// system, but keep one spelling unless the engine's matching is case-sensitive.
AutoRun:"dso32","<$LOCALSETTINGS>\temp\dsoqq.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","dso32"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\temp\dsoqq.exe"

AutoRun:"nod32","<$LOCALSETTINGS>\Temp\nodqq.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","nod32"
File:"<$FILE_EXE>","<$LOCALSETTINGS>\Temp\nodqq.exe"


// Trojan.Agent(6):
// Observed sample used a single-letter file name (a.exe) in the local Temp folder:
// AutoRun:"NeoChronos","<$LOCALAPPDATA>\Temp\a.exe","flagifnofile=1"
// NOTE(review): the AutoRun pattern was widened to "*.exe" (any name) but the File rule below only
// matches "?.exe" (exactly one character). Either both should use the same wildcard, or the
// narrower "?.exe" is intended for the file to avoid flagging every executable in Temp — state which.
AutoRun:"NeoChronos","<$LOCALAPPDATA>\Temp\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","NeoChronos"
File:"<$FILE_EXE>","<$LOCALAPPDATA>\Temp\?.exe"


// Trojan.Agent(7):
// Original log line; the AutoRun was generalised to any .exe in the Windows directory while the File
// rule still pins msa.exe — the entry name "Minisoft" is what keeps the wildcard from over-matching.
// AutoRun:"Minisoft","c:\windows\msa.exe","flagifnofile=1"
AutoRun:"Minisoft","<$WINDIR>\*.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Minisoft"
File:"<$FILE_EXE>","<$WINDIR>\msa.exe"
// rundll32-launched DLL; the AutoRun pattern matches on the DLL path inside the command line.
// AutoRun:"SSHNAS","rundll32.exe c:\windows\system32\sshnas.dll,DllWork","flagifnofile=1"
AutoRun:"SSHNAS","<$SYSDIR>\sshnas.dll*","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","SSHNAS"
// NOTE(review): sshnas.dll is a library but is declared with <$FILE_EXE>; every other DLL in this
// file (e.g. the Virtumonde rundll32 entries) uses <$FILE_LIBRARY>. Align unless the difference is
// intentional.
File:"<$FILE_EXE>","<$SYSDIR>\sshnas.dll"


// Trojan.Agent(8):
// Winlogon notification package "cbssreg" pointing at a DLL under the user's documents folder
// (a location no legitimate Winlogon notify DLL would use), plus the DLL itself.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","cbssreg","DllName=<$PERSONAL>\Settings\cbss.dll"
File:"<$FILE_LIBRARY>","<$PERSONAL>\Settings\cbss.dll"


// Trojan.Agent(9):
// Executables dropped into Startup folders; no registry component. HijackThis O4 lines:
// O4 - S-1-5-18 Startup: ulilak.exe (User 'SYSTEM')
// O4 - .DEFAULT Startup: ulilak.exe (User 'Default user')
// O4 - .DEFAULT User Startup: ulilak.exe (User 'Default user')
// NOTE(review): the log places the files in the SYSTEM and Default User startup folders, not the
// logged-on user's; whether <$STARTUP> is expanded for every profile or only the current one is not
// visible here — verify, or the rule may never find these copies.
File:"<$FILE_EXE>","<$STARTUP>\ulilak.exe"
// O4 - S-1-5-18 Startup: monmzb32.exe (User 'SYSTEM')
// O4 - .DEFAULT Startup: monmzb32.exe (User 'Default user')
// O4 - Startup: monmzb32.exe
File:"<$FILE_EXE>","<$STARTUP>\monmzb32.exe"


// Trojan.FakeAlert.ttam(1):
// Logged entry: a GUID-named HKCU Run value starting yrree.exe from a random sub-folder of
// Application Data. Both the entry name and the folder vary, so the AutoRun matches any entry name
// ("*") by the file path, with a wildcard for the folder; flagifnofile=0 here, unlike the fixed-name
// entries above.
// AutoRun:"{C690F5D4-1E20-668A-96CC-2A90E689948B}",""C:\Documents and Settings\Rav\Application Data\Exbi\yrree.exe"","flagifnofile=1"
AutoRun:"*","<$APPDATA>\*\yrree.exe","flagifnofile=0"
// The RegyValue still names the one GUID seen in this sample; if the GUID is per-infection this line
// only helps for that machine, the AutoRun above is the generic part.
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","{C690F5D4-1E20-668A-96CC-2A90E689948B}"
// File:"<$FILE_EXE>",""C:\Documents and Settings\Rav\Application Data\Exbi\yrree.exe""
File:"<$FILE_EXE>","<$APPDATA>\*\yrree.exe"


// Trojan.FakeAlert.ttam(2):
// The name of the autostart entry and the file name are fixed!! Please see here: http://www.systemlookup.com/Startup/22314-gotnewupdate000_exe.html
// Please include this !!
// Only the (hex-named) folder under Application Data varies, hence the "*" in the path. Logged entry:
// AutoRun:"gotnewupdate000.exe","C:\Dokumente und Einstellungen\m.M-T91HYABQ3K144\Anwendungsdaten\BA369B90791B9B9838D2930FF3E0E505\gotnewupdate000.exe","flagifnofile=1"
AutoRun:"gotnewupdate000.exe","<$APPDATA>\*\gotnewupdate000.exe","flagifnofile=1"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","gotnewupdate000.exe"
File:"<$FILE_EXE>","<$APPDATA>\*\gotnewupdate000.exe"
// Removes the random-named container folder, identified by the executable it holds; the filename=
// condition is what stops this from matching every sub-folder of <$APPDATA>.
Directory:"<$DIR_APPDATA>","<$APPDATA>\*","filename=gotnewupdate000.exe"


// Trojan.Fraudpack:
// Do you already have the registry entry too?
// NOTE(review): "QZAIB7KITK" looks like a per-infection random string; if so, these two lines only
// catch this one sample. There is no File rule for the executable, and the AutoRun path
// "<$WINDIR>\*.exe" is too broad to pair with a "*" entry name, so a stable anchor (file name, size
// or another artefact from the log) is still needed before this can be generalised.
RegyKey:"<$REG_SETTINGS>",HKEY_CURRENT_USER,"\SOFTWARE\","QZAIB7KITK"
AutoRun:"QZAIB7KITK","<$WINDIR>\*.exe","flagifnofile=1"


// Trojan.Virtumonde:
// --- Browser Helper Objects: matched by DLL file name (any BHO name), then the BHO registration,
// the COM class and the DLL itself are removed.
BrowserHelperEx:"*","filename=dnsapi32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{13C4F831-5195-4B13-85F6-D3980A4B2623}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{13C4F831-5195-4B13-85F6-D3980A4B2623}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dnsapi32.dll"

BrowserHelperEx:"*","filename=opnmnoo.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"
File:"<$FILE_LIBRARY>","<$SYSDIR>\opnmnoo.dll"

// This variant keeps its DLL under the common application-data folder rather than system32.
BrowserHelperEx:"*","filename=dmband32.dll"
RegyKey:"<$REG_BHO>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\","{0CC7FCA7-0000-4055-98C1-9DE28ABD7A17}"
RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{0CC7FCA7-0000-4055-98C1-9DE28ABD7A17}"
File:"<$FILE_LIBRARY>","<$COMMONAPPDATA>\dmband32.dll"

// --- rundll32-launched Run entries. The entry names are random, so the AutoRun uses "*" and matches
// on the DLL path in the command line (trailing "*" for the export argument); flagifnofile=0 on all
// of them. The logged command line precedes each group.
// AutoRun:"ssrrsqsys","rundll32.exe "jkjklj.dll",DllRegisterServer","flagifnofile=1"
// NOTE(review): this command line (and the vtttro.dll one below) names the DLL without any path;
// whether the "<$SYSDIR>\" prefix in the AutoRun pattern still matches depends on how the engine
// normalises rundll32 arguments — verify on a test entry. The groups from msszbmuf.dll onward have a
// full path in the log and are not affected.
AutoRun:"*","<$SYSDIR>\jkjklj.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ssrrsqsys"
// File:"<$FILE_EXE>","rundll32.exe "jkjklj.dll",DllRegisterServer"
File:"<$FILE_LIBRARY>","<$SYSDIR>\jkjklj.dll"

// AutoRun:"tuvstrdrv","rundll32.exe "vtttro.dll",s","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\vtttro.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","tuvstrdrv"
// File:"<$FILE_EXE>","rundll32.exe "vtttro.dll",s"
File:"<$FILE_LIBRARY>","<$SYSDIR>\vtttro.dll"
// Also found the following entry in the same DDS log file:
// 2010-05-12 18:33:54 91136 ---ha-w- c:\windows\system32\vtttro.bak
// Backup copy of the DLL (hidden+archive attributes in the log); matched as data with a size window
// around the logged 91136 bytes so that minor variants are still caught.
File:"<$FILE_DATA>","<$SYSDIR>\vtttro.bak","filesize>=80000,filesize<=102000"

// AutoRun:"ydfydv","RUNDLL32.EXE C:\WINDOWS\system32\msszbmuf.dll,w","flagifnofile=1"
AutoRun:"*","<$SYSDIR>\msszbmuf.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","ydfydv"
// File:"<$FILE_EXE>","RUNDLL32.EXE C:\WINDOWS\system32\msszbmuf.dll,w"
File:"<$FILE_LIBRARY>","<$SYSDIR>\msszbmuf.dll"

// AutoRun:"Eyobekawepazuc","rundll32.exe "C:\WINDOWS\ogefeworitulus.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\ogefeworitulus.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_LOCAL_MACHINE,"\Software\Microsoft\Windows\CurrentVersion\Run\","Eyobekawepazuc"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\ogefeworitulus.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\ogefeworitulus.dll"

// AutoRun:"Iyatot","rundll32.exe "C:\WINDOWS\iceWPCKI.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\iceWPCKI.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Iyatot"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\iceWPCKI.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\iceWPCKI.dll"

// AutoRun:"Htoxuyasezaxijoy","rundll32.exe "C:\WINDOWS\kbdiner.dll",Startup","flagifnofile=1"
AutoRun:"*","<$WINDIR>\kbdiner.dll*","flagifnofile=0"
RegyValue:"<$REG_AUTORUN>",HKEY_CURRENT_USER,"\Software\Microsoft\Windows\CurrentVersion\Run\","Htoxuyasezaxijoy"
// File:"<$FILE_EXE>","rundll32.exe "C:\WINDOWS\kbdiner.dll",Startup"
File:"<$FILE_LIBRARY>","<$WINDIR>\kbdiner.dll"

// --- AppInit_DLLs loaders. AppInit_DLLs is a single shared value that may legitimately list other
// DLLs, so RegyRemove (presumably: strip just this entry from the value) is used instead of deleting
// the value — confirm that is the engine's semantics.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\CvoAPI32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\CvoAPI32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\hogayapu.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\hogayapu.dll"

// NOTE(review): "biyupufe.dll" is given without the <$SYSDIR>\ prefix, unlike its siblings. If the
// string has to match the registry value verbatim this only works when the value really holds the
// bare name — check the source log; otherwise add the prefix.
RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","biyupufe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\biyupufe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\DDACLSys32.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\DDACLSys32.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\pitorewe.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\pitorewe.dll"

RegyRemove:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\","AppInit_DLLs","<$SYSDIR>\dinput832.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dinput832.dll"

// --- Winlogon notification packages (DllName is resolved relative to system32 when bare).
// NOTE(review): the File rule for dinput832.dll below repeats the one in the AppInit_DLLs group, and
// the opnmnoo.dll one repeats the BHO group's; harmless if the engine de-duplicates, otherwise each
// file is reported twice — keeping one copy per file is cleaner.
RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","c487bb58909","DllName=<$SYSDIR>\dinput832.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\dinput832.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","iodgzmem","DllName=iodgzmem.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\iodgzmem.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","opnmnoo","DllName=opnmnoo.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\opnmnoo.dll"

RegyKey:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\","evc","DllName=EvcLogon.dll"
File:"<$FILE_LIBRARY>","<$SYSDIR>\EvcLogon.dll"

// --- ShellServiceObjectDelayLoad / SharedTaskScheduler entries. The same two CLSIDs are registered
// under both keys (voluwedag/jugezatag share {3cf68e15-...}, zelovulon/mujuzedij share {be37bcda-...}).
// NOTE(review): these lines remove only the load-point values. Neither the CLSID keys nor the DLL
// they point to are covered, so the component itself would be left on disk and re-registrable. Add
// the class entries in the form used for the BHOs above, e.g.
// RegyKey:"<$REG_CLASSID>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Classes\CLSID\","{3cf68e15-5f23-49ec-91f4-0a1f7986dcc6}"
// and the same for {be37bcda-7d3c-4a1d-aa8f-70a4e808aecf}, plus a File rule once the InprocServer32
// DLL path is known from the log.
RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","voluwedag","voluwedag={3cf68e15-5f23-49ec-91f4-0a1f7986dcc6}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\","zelovulon","zelovulon={be37bcda-7d3c-4a1d-aa8f-70a4e808aecf}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","jugezatag","jugezatag={3cf68e15-5f23-49ec-91f4-0a1f7986dcc6}"

RegyValue:"<$REG_SETTINGS>",HKEY_LOCAL_MACHINE,"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\","mujuzedij","mujuzedij={be37bcda-7d3c-4a1d-aa8f-70a4e808aecf}"