Okay, I understand now.
One issue with our write-ups...well, more of an issue with the threats themselves...is that it's not always possible to update them to contain all the latest information.
Spybot is an *excellent* example of this. Spybot writes file names and registry keys that are completely random but legitimate-looking...that is, it's always going to write to HKLM\Software\Microsoft\Windows\CurrentVersion\Run, but *what* it writes there could fill a small book. When I say legitimate-looking, I mean seeing things like lsass.exe, svchost.exe and the like...just loading from incorrect locations. Since the variables that virus writers can pull from are limitless...at some point we, as a company, go "okay, we can't possibly list all the different names we've seen for filenames for this threat". As such, the writeups should be followed, but if files don't match (but we're alerting on them), the writeup should be treated as a guideline.
If, for example, the writeup says that lssass.exe (note the extra S there) is loaded from HKLM\Software\...\Run and I don't see it, but I DO see cssrs.exe (should be csrss.exe) loading in Run, and that's the file we're alerting on, that's the entry I'll go after. It's not perfect, sure, but short of publishing every possible file and registry permutation, it's what we've got.
As far as where it came from, it's quite possible that it could have been a "drive by" infection, or an infection of a legitimate website itself. I've personally seen very simple webpages for a local city celebration get hit with a java injection which, in turn, tries to pull malware down. The site itself is perfectly innocent; it just comes down to the admin(s) in charge of the server not having patched IIS and, as such, java injections happened on most (if not all) sites hosted there. The old axiom of "avoid the seedier places on the internet", while still helpful, sadly isn't as true anymore. However, in your specific case, it's just speculation on my part.
I see your submission in our backend, and some files are already identified as "new threat", which typically means we're already in the process of building rapid release definitions, and three files are flagged for hand-detection by an engineer, so hopefully soon we'll have full defs created to detect and remove this.
In the meantime, you might want to open a case with Support (if you haven't already) and request the load point diagnostic utility to help ferret out any suspicious or unexpected loading points. Many of the times I've found new threats on customer machines have been after running load point and finding files that didn't seem quite right, or were quite obviously incorrect.
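The triage described in the reply above, as a small Python script: walk the Run-key entries and flag the two patterns the post calls out, a real system binary's name (lsass.exe, svchost.exe, csrss.exe) loading from somewhere other than its normal directory, and a near-miss spelling such as lssass.exe or cssrs.exe. This is an added example, not part of the original post and not the vendor's load point utility. The SYSTEM_BINARIES table with its expected directories, the one-edit lookalike threshold and the sample Run entries are all constructed for illustration; on a Windows host the script reads the live HKLM and HKCU Run keys, elsewhere it runs against the embedded sample.

```python
"""Triage Run-key load points for impostor system-binary names (added example)."""
import re

# Assumption for illustration: names that malware likes to borrow, and the
# directory each one is normally loaded from (lower-case for comparison).
SYSTEM_BINARIES = {
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample Run entries (value name, command line) standing in for
# what a real HKLM/HKCU ...\CurrentVersion\Run key might contain.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("lsass", r"C:\Windows\lsass.exe"),                                   # real name, wrong directory
    ("csrss", r"C:\Windows\System32\cssrs.exe"),                          # transposed letters
    ("Windows Update", r'"C:\Users\bob\AppData\Roaming\lssass.exe" -s'), # extra letter, user profile
    ("OneDrive", r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


def image_path(command):
    """Pull the executable path out of a Run value (quoted or not, with arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: the path is the shortest prefix ending in .exe before whitespace/end.
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert/delete/substitute plus adjacent swap,
    so both 'lssass' (extra letter) and 'cssrs' (swapped letters) are one edit away."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage_run_entries(entries):
    """Return (value name, image path, reason) for every suspicious entry."""
    findings = []
    for value_name, command in entries:
        path = image_path(command)
        directory, _, basename = path.lower().rpartition("\\")
        if basename in SYSTEM_BINARIES:
            if directory != SYSTEM_BINARIES[basename]:
                findings.append((value_name, path,
                                 "system binary name loading from unexpected directory"))
            continue
        for real in SYSTEM_BINARIES:
            if edit_distance(basename, real) == 1:
                findings.append((value_name, path, f"lookalike of {real}"))
                break
    return findings


def collect_run_entries():
    """Read the HKLM and HKCU Run keys on Windows; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:  # no more values
                        break
                    entries.append((name, str(value)))
                    i += 1
        except OSError:  # key absent or not readable
            continue
    return entries


if __name__ == "__main__":
    for name, path, reason in triage_run_entries(collect_run_entries() or SAMPLE_RUN_ENTRIES):
        print(f"[!] {name}: {path}  ({reason})")
```

On the constructed sample the script flags the lsass.exe copy in C:\Windows, the cssrs.exe entry as a lookalike of csrss.exe, and the lssass.exe entry in the user's profile as a lookalike of lsass.exe, while leaving SecurityHealthSystray.exe and OneDrive.exe alone. The one-edit threshold is deliberately tight; loosening it catches more spellings at the cost of false hits on legitimately similar names, which is the same trade-off the writeups face.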