Interesting Malware (Detected as Win32:Malware-Gen)

I found some malware in today's Malwaretips files.

It's running 3 processes in memory and 1 of them is running as a system process even though it is listed
under the user name in Task Manager; if you want to end it, the system needs to be shut down immediately because it's a system process.
They are automatically restarting.

Virustotal: https://www.virustotal.com/en/file/2025bd891c4c8d0756bf92b99fa84ec5e54d87ec34aa262c65945486aa6a828f/analysis/1399826835/
First submission 7 hours ago.

Malwr: https://malwr.com/analysis/NDJjNTRkOTBhYTAxNGFjMmJlNjAxZjU1YjA0OTQ4Yjc/

I can send you a download link if you want. :slight_smile:

AutoIt, UTF-8, AutoIt, AutoIt, appended, AutoIt, AutoIt detections are rather false positive prone.
A good example of such a FP recently were several of the latest avast! flags on AdwCleaner
with a typical false positive packer detection for files in use when running the script.
Specifically emulator added script for emulator: classic99 3.x.x is found to be responsible for many a false positive since April 14th of 2014.
Upgrading to a newer version of AutoIt and recompiling the scripts may be a solution here.
Earlier similar problems with AutoIt FPs arose in the year 2007.

Download site is on zapto dot org redirecting to htxp://www.noip.com/, a free dynamic DNS service.
playplayplay dot no-ip dot biz on a Minecraft server seems down now, fact for avast! not detecting.
Controversial web rep for a no-ip domain here: https://www.mywot.com/en/scorecard/bknpk.no-ip.biz?utm_source=addon&utm_content=popup

pol

Unlikely that is a FP. New upload to VT:
https://www.virustotal.com/en/file/2025bd891c4c8d0756bf92b99fa84ec5e54d87ec34aa262c65945486aa6a828f/analysis/

Hi Michael,

If it is an AutoIT worm spreading via removable drives, why does avast not detect it as TR/Dropper gen?

Damian

Unsure. I would personally test it. But I don't have an old computer. So I can't see how to safely detect it.

Edit:

This worries me…
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Mountpoints?

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7950-e3d2-11e0-8d7a-806d6172696f}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7952-e3d2-11e0-8d7a-806d6172696f}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7952-e3d2-11e0-8d7a-806d6172696f}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7950-e3d2-11e0-8d7a-806d6172696f}\

Why is it going through looking for .exe exts?

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
HKEY_CLASSES_ROOT\.exe

Why is it connecting to this website? playplayplay.no-ip.b!z (a Minecraft server host website, which now appears to be down?)

http://sitecheck.sucuri.net/results/playplayplay.no-ip.biz

File is still hanging around in a folder on my desktop, submitted a few days ago.
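As an added example (not code from the thread or from the Malwr report), here is a PowerShell triage script that reads the registry locations listed in the post above on a suspect machine, so the sandbox's key list can be compared against what is actually planted there. The key paths are the ones from the report; the value names it looks for (NoDriveTypeAutoRun and other Policies\Explorer values, a shell\...\command under MountPoints2, the .exe class and open command, a per-user FileExts\.exe\UserChoice) are this script's assumptions about what an autorun-style worm would touch, not anything the report itself states.

```powershell
# Added triage script: dump the persistence/policy keys named in the Malwr
# report and flag the values an autorun worm typically plants. Run in a
# normal (non-elevated) shell for the HKCU view of the logged-on user.

$checks = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

foreach ($key in $checks) {
    if (-not (Test-Path $key)) { Write-Output "[-] $key : absent"; continue }
    Write-Output "[*] $key"
    # Skip PowerShell's own PS* metadata properties, print every real value.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Output ("    {0} = {1}" -f $_.Name, $_.Value) }
}

# MountPoints2 holds per-volume shell handlers (one subkey per volume GUID,
# as in the report). A planted shell\AutoRun\command or shell\open\command
# default value is run when the drive is opened from Explorer.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem -Path $mp -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'command' } |
    ForEach-Object {
        $cmd = (Get-ItemProperty -Path $_.PSPath).'(default)'
        Write-Output ("[!] {0} -> {1}" -f $_.Name, $cmd)
    }

# .exe association: HKCR\.exe should resolve to 'exefile' and exefile's open
# command should be "%1" %*; anything else means .exe launches are hijacked.
$exeClass = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' `
                -ErrorAction SilentlyContinue).'(default)'
$openCmd  = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' `
                -ErrorAction SilentlyContinue).'(default)'
Write-Output "[*] HKCR\.exe = $exeClass (expected: exefile)"
Write-Output "[*] exefile open command = $openCmd (expected: `"%1`" %*)"

# A per-user override for .exe is unusual on a clean machine; report it.
$userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
if (Test-Path $userChoice) {
    Write-Output ("[!] per-user .exe UserChoice present: ProgId = {0}" -f
        (Get-ItemProperty -Path $userChoice).ProgId)
}
```

Lines marked `[!]` are the ones worth a second look; a `[-]` for RunOnce simply means nothing is queued for the next logon, which is normal. Run it before and after executing the sample in a VM to get a before/after diff of exactly these keys.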

Hi Michael and Steven Winderlich,

Interesting link here: http://btindex.org/torrent/1688126
See on IP: http://www.urlvoid.com/scan/kinky82.zapto.org/
http://www.avgthreatlabs.com/website-safety-reports/domain/zapto.org/
Also the common multiple dynamic DNS services for Playplayplay.no-ip.biz,
and issues with static IP addresses. See the renowned afraid dot org issues;
when they try that they only make matters worse (avast! blocks sites on afraid dot org).

polonus

Steven, would you send me a DL link?

Will do when I'm back home :slight_smile: I'm on my phone in a train now.

New VT Scan: https://www.virustotal.com/en/file/2025bd891c4c8d0756bf92b99fa84ec5e54d87ec34aa262c65945486aa6a828f/analysis/1399995499/