####################################################
#[mode] virus_mode: kill,scan; 
#       backup_mode: open,close;
#       ui_mode: quiet,gui;
#[share] configures the share service
#[special] means special virus detection and cleanup, like drivelife
#[wmi] means delete the WMI class or instance which matches the path
#[ipsec] means delete the IP Security policy which matches the name
#[advfirewall] means delete the advfirewall policy which matches the name
#[service] means delete the virus service and stop its service process
#[dll] means kill the process which calls this dll
#[process] means kill the process which matches the path
#[reg] means delete the registry entry which matches the path
#[schtask] means delete the scheduled task which matches the name
#[dir] means delete the directory which matches the path
#[file] means delete the file which matches the path
#[user] means delete the virus system user
#don't delete the above content
#details  http://www.lz520520.cn:88                                                            
####################################################


[mode]
# virus_mode: kill or scan (values listed in the file header).
# NOTE(review): presumably kill applies the delete/stop actions in the sections below and scan only reports — confirm.
virus_mode=kill
# backup_mode: open or close.
# NOTE(review): with close set, presumably nothing is backed up before removal, so kill-mode actions could not be rolled back — confirm.
backup_mode=close
# ui_mode: quiet or gui.
ui_mode=gui
# NOTE(review): thread and timeout are not described in the file header; the unit of timeout is unknown — confirm.
thread=10
timeout=10

[share]
# Share-service settings (per the file header). All four switches below are off in this configuration.
share_mode=off
# NOTE(review): deny445 presumably toggles blocking of TCP 445 (SMB) — confirm.
deny445=off
getsysinfo=off
upload=off
# NOTE(review): ip, user and pass are kept in plain text, so anyone who can read this file or a
# distributed copy of it obtains the share credentials. Use a dedicated low-privilege account,
# restrict read access to the file, and rotate the password once a copy has left the host.
ip=192.168.111.133
user=lz520520
pass=sangfor123
# Both paths start and end with a backslash; presumably relative to the share root — confirm.
share_svc_host_dir=\printer\
virus_dir=\clearvirus\

[special]
# Names of special-case detect-and-clear routines (per the file header), one per line.
# NOTE(review): what the wannamine4.0 routine does is not visible in this file — confirm against the tool.
wannamine4.0

[wmi]
# WMI objects to delete. Each entry is tagged (instance) or (class), followed by namespace:object.
# The three root\Subscription instances are the parts of one WMI event subscription: the
# filter-to-consumer binding, the event filter, and the command-line consumer it triggers.
# All three have to go for the subscription to stop firing.
# NOTE(review): the % signs in the __Path value look like wildcards — confirm how the tool matches them.
#powershell
(instance)root\Subscription:__FilterToConsumerBinding.__Path="%Windows Events Consumer%"
(instance)root\Subscription:__EventFilter.name="Windows Events Filter"
(instance)root\Subscription:CommandLineEventConsumer.name="Windows Events Consumer"
(class)root\default:System_Anti_Virus_Core


[ipsec]
# IP Security policy names to delete, one per line.
# NOTE(review): matching is by name only, so a legitimate policy with the same name would also be removed;
# whether the match is exact or partial is not visible here — confirm.
#powershell
netbc

[service]
# Service names to delete, with the service process stopped (per the file header), one per line.
# Each name here also has a Services key listed under [reg]; tpmagentservice, wmassrv and
# snmpstorsrv additionally have a same-named DLL listed under [dll] and [file].
tpmagentservice
wmassrv
snmpstorsrv
mssecsvc2.0
mssecsvc2.1

[dll]
# DLL paths; the process that calls a listed DLL is killed (per the file header).
# The same five paths are listed under [file] for deletion.
# NOTE(review): entries are paths only, with no hash or signature shown, so a match is by location alone.
# If a listed DLL is loaded by a host process shared with other services, killing that process
# would presumably stop those services too — confirm how the tool selects the process.
#wannamine1.0
C:\windows\system32\tpmagentservice.dll
#wannamine2.0
C:\windows\system32\wmassrv.dll
C:\windows\system32\HalPluginsServices.dll
C:\windows\system32\EnrollCertXaml.dll
#wannamine3.0
c:\windows\system32\snmpstorsrv.dll


[process]
# Image paths of processes to kill, grouped by malware family in the comments below.
# Several entries reuse Windows binary names (svchost.exe, spoolsv.exe) in non-standard
# directories; the full path is what separates them from the genuine binaries.
# NOTE(review): the two ...\microsoft\svchost.exe lines under wannamine1.0 and wannamine2.0 end with
# trailing spaces; confirm the parser trims them, otherwise those paths will not match.
#wannacry
C:\windows\mssecsvc.exe
C:\windows\mssecsvr.exe
#wannamine1.0
C:\windows\system32\WUDHostServices.exe
C:\windows\SecureBootThemes\spoolsv.exe
C:\windows\SecureBootThemes\microsoft\spoolsv.exe
C:\windows\SecureBootThemes\microsoft\svchost.exe 
#wannamine2.0
C:\windows\SpeechsTracing\microsoft\spoolsv.exe
C:\windows\SpeechsTracing\microsoft\svchost.exe   
C:\windows\SpeechsTracing\spoolsv.exe
#wannamine3.0
C:\Windows\AppDiagnostics\svchost.exe
C:\Windows\AppDiagnostics\spoolsv.exe
C:\Windows\System32\TrustedHostex.exe
#wannamine4.0
C:\Windows\System32\dllhostex.exe
C:\Windows\SysWOW64\dllhostex.exe
C:\Windows\NetworkDistribution\svchost.exe
C:\Windows\NetworkDistribution\spoolsv.exe
# The two paths below are the stock Windows PowerShell binaries, so every running PowerShell
# process is terminated, including legitimate admin sessions and scheduled scripts.
# They are not listed under [file], so the binaries themselves are not deleted.
#powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

[reg]
# Registry paths to delete. Every entry is a key under
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, and each key name matches a name under [service].
# NOTE(review): presumably the whole key and its subkeys are removed — confirm; with backup_mode=close
# there may be no copy to restore from.
#wannacry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssecsvc2.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssecsvc2.1
#wannamine1.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tpmagentservice
#wannamine2.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wmassrv
#wannamine3.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\snmpstorsrv

[schtask]
# Scheduled task names to delete, one per line; a name may contain spaces.
# NOTE(review): matching is by task name only; whether a task folder path is considered is not visible here — confirm.
#powershell
System Log Security Check
WindowsLogTasks


[dir]
# Directories to delete. These are the parent directories of the non-standard
# spoolsv.exe / svchost.exe paths listed under [process].
# NOTE(review): presumably deletion is recursive and runs after the processes are killed — confirm.
#wannamine1.0
C:\windows\SecureBootThemes
#wannamine2.0
C:\windows\SpeechsTracing
#wannamine3.0
C:\Windows\AppDiagnostics
#wannamine4.0
C:\Windows\NetworkDistribution

[file]
# Individual files to delete, grouped by malware family in the comments below.
# Covers the executables listed under [process] that sit directly in C:\windows, System32 or
# SysWOW64, the DLLs listed under [dll], and some additional files.
# NOTE(review): entries are paths only, with no hash or signature shown, so whatever file sits at
# a listed path is removed; with backup_mode=close there may be no copy kept for later analysis.
#wannacry
C:\windows\mssecsvc.exe
C:\windows\mssecsvr.exe
C:\windows\tasksche.exe
C:\windows\qeriuwjhrf
#wannamine1.0
C:\windows\system32\tpmagentservice.dll
C:\windows\system32\WUDHostServices.exe
C:\windows\system32\MsraReportDataCache32.tlb
#wannamine2.0
C:\windows\system32\wmassrv.dll
C:\windows\system32\HalPluginsServices.dll
C:\windows\system32\EnrollCertXaml.dll
#wannamine3.0
C:\windows\system32\MarsTraceDiagnostics.xml
c:\windows\system32\snmpstorsrv.dll
C:\Windows\System32\TrustedHostex.exe
#wannamine4.0
C:\Windows\System32\dllhostex.exe
C:\Windows\SysWOW64\dllhostex.exe

[user]
# System user accounts to delete (per the file header). No entries are listed in this configuration.
