Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung
JS/Agent.480412

JS/Agent.480412


Plagegeister aller Art und deren Bekämpfung: JS/Agent.480412

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Seite 3 von 4 12 3 4
Alt 30.05.2013, 14:08   #31
Keith
 
JS/Agent.480412 - Standard

JS/Agent.480412


danke, und hier ist das logfile

Code:
ATTFilter
SystemLook 30.07.11 by jpshortstuff
Log created at 14:59 on 30/05/2013 by Stoffi
Administrator - Elevation successful

========== regfind ==========

Searching for "rundll32.exe"
[HKEY_CURRENT_USER\Software\GNU\ffdshow]
"whitelist"="3wPlayer.exe;ACDSee10.exe;ACDSee11.exe;ACDSee5.exe;ACDSee6.exe;ACDSee7.exe;ACDSee8.exe;ACDSee8Pro.exe;ACDSee9.exe;ACDSeePro2.exe;ACDSeePro25.exe;acdseepro3.exe;Acer Crystal Eye webcam.exe;aegisub.exe;afreecaplayer.exe;afreecastudio.exe;AfterFX.exe;aim6.exe;aircamwin.exe;ALLPlayer.exe;allradio.exe;AlltoaviV4.exe;ALShow.exe;ALSong.exe;AltDVB.exe;amcap.exe;amf_slv.exe;amvtransform.exe;Apollo DivX to DVD Creator.exe;Apollo3GPVideoConverter.exe;Ares.exe;AsfTools.exe;ass_help3r.exe;ASUSDVD.exe;Audition.exe;AutoGK.exe;autorun.exe;avant.exe;AVerTV.exe;Avi2Dvd.exe;avi2mpg.exe;avicodec.exe;avipreview.exe;aviutl.exe;avs2avi.exe;Badak.exe;BearShare.exe;BePipe.exe;bestplayer.exe;bestplayer1.0.exe;bestpl~1.exe;BitComet.exe;BlazeDVD.exe;BoonPlayer.exe;bplay.exe;bsplay.exe;bsplayer.exe;BTVD3DShell.exe;Camfrog Video Chat.exe;CamRecorder.exe;CamtasiaStudio.exe;carom.exe;CEC_MAIN.exe;christv.exe;chrome.exe;cinemaplayer.exe;CinergyDVR.exe;CodecInstaller.exe;ConvertXtoDvd.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\rundll32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}]
@="rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Application.Manifest\shell\open\command]
@="rundll32.exe dfshim.dll,ShOpenVerbApplication %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Application.Reference\shell\open\command]
@="rundll32.exe dfshim.dll,ShOpenVerbShortcut %1|%2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\print\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bootstrap.vsto.1\shell\open\command]
@="rundll32.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll",InstallVstoSolution %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CATFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCAT %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CERFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddCER %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CERFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCER %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CertificateStoreFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenSTR %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
@=""%SystemRoot%\System32\rundll32.exe" "%ProgramFiles%\Windows Photo Viewer\PhotoAcq.dll",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
"ServerExecutable"="%SystemRoot%\System32\rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\Open\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN /disablediagnostics"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3eef301f-b596-4c0b-bd92-013beafce793}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40419485-C444-4567-851A-2DD7BFA1684D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\telephon.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\intl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C8EEC18-8D75-41B2-A177-8831D59D2D50}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\RunAs\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {722b3793-5367-4446-b6bb-db89b05c1f24}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{725BE8F7-668E-4C7B-8F90-46BDB0936430}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl,@1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78CB147A-98EA-4AA6-B0DF-C8681F69341C}\Shell\Open\Command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\infocardcpl.cpl,ManageCardSpace_RunDll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80F3F1D5-FECA-45F3-BC32-752C152E456E}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\tabletpc.cpl @1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87D66A43-7B11-4A28-9811-C86EE395ACF7}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\srchadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9a97f12a-6b73-4dc4-b3c1-e9244c03adac}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9a97f12a-6b73-4dc4-b3c1-e9244c03adac}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0275511-0E86-4ECA-97C2-ECD8F1221D08}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\irprops.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\Shell\Open\Command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\inetcpl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D17D1D6D-CC3F-4815-8FE3-607E7D5D10B3}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\Speech\SpeechUX\sapi.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2E7934B-DCE5-43C4-9576-7FE4F75E7480}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\timedate.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e3a4e5ca-55b2-4a06-b1ab-8fbecc7bca4b}\LocalServer32]
@="rundll32.exe /sta {fcc2867c-69ea-4d85-8058-7c214e611c97}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\mmsys.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F82DF8F7-8B9F-442E-A48C-818EA735FF9B}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\tabletpc.cpl @0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fb479c02-9ec4-4fed-8599-debe037452cb}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {fb479c02-9ec4-4fed-8599-debe037452cb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cplfile\shell\runas\command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CRLFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddCRL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CRLFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCRL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DeviceDisplayObject\InterfaceClass\{0850302A-B344-4fda-9BE9-90576B8D46F0}\Shell\Bluetooth\command]
@="rundll32.exe shell32.dll,Control_RunDLL bthprops.cpl,,1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DeviceDisplayObject\InterfaceClass\{70FFD812-4C7F-4C7D-926A-637B7DD852AF}\Shell\DeviceInstall\command]
@="rundll32.exe newdev.dll,DeviceInternetSettingUi 2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\giffile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\printto\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\icofile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.HTM\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.HTM\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.SVG\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.SVG\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.URL\Shell\Open\Command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.URL\Shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.URL\Shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.XHT\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintXHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.XHT\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintXHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\Open\Command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpegfile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.InformationCard\Shell\open\command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\infocardcpl.cpl,ImportInformationCard_RunDll  %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.WindowsCardSpaceBackup\Shell\open\command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\infocardcpl.cpl,ImportInformationCard_RunDll  %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSDASC\shell\open\command]
@="Rundll32.exe "%CommonProgramFiles%\System\OLE DB\oledb32.dll",OpenDSLFile %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSSppPackageFile\shell\open\command]
@="rundll32.exe sppcc.dll, OpenPackage %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\msstylesfile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Appearance /Action:OpenMSTheme /file:"%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-wifialliance-org:device:WFADevice:1\shell\Configure\command]
@=""%SystemRoot%\System32\rundll32.exe" wcnwiz.dll,RunWcnWizardForDevice /c /u %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\opensearchresult\shell\print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\P7RFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddP7R %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\P7RFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenP7R %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\P7SFile\shell\open\command]
@="%SystemRoot%\system32\\rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Paint.Picture\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PFXFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddPFX %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Bitmap\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.JFIF\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Jpeg\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Png\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Tiff\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Wdp\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pjpegfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pjpegfile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pngfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pngfile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\prffile\shell\Open\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\msrating.dll",ClickedOnPRF %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ratfile\Shell\Open\Command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\msrating.dll",ClickedOnRAT %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RDB.AutoPlayHandler\shell\properties\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\sysmain.dll,RDBMgmtLaunchProperties %L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rlogin\shell\open\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\url.dll",TelnetProtocolHandler %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SavedDsQuery\Shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\dsquery.dll,OpenSavedDsQuery %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command]
@="rundll32.exe desk.cpl,InstallScreenSaver %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command]
@=""C:\Windows\system32\rundll32.exe" C:\Windows\system32\scrobj.dll,GenerateTypeLib %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Shell.CDBurn\Shell\Prepare\Command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,PrepareDiscForBurnRunDll %L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SPCFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddSPC %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SPCFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\STLFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddCTL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\STLFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCTL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.vsto\shell\open\command]
@="rundll32.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll",InstallVstoSolution %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shell\print\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet\shell\open\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\url.dll",TelnetProtocolHandler %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\themefile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\themepackfile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TIFImage.Document\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TIFImage.Document\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tn3270\shell\open\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\url.dll",TelnetProtocolHandler %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\opendlg\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WCN.AutoPlayHandler\shell\open\command]
@="%systemroot%\system32\rundll32.exe %systemroot%\system32\wzcdlg.dll,ImportFlashProfile %L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wcxfile\shell\Open\Command]
@="rundll32.exe xwizards.dll,RunWizard /u {7940acf8-60ba-4213-a7c3-f3b400ee266d} /z%1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wdpfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wdpfile\shell\print\command]
@="rundll32.exe %SystemRoot%\system32\shimgvw.dll,ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wdpfile\shell\printto\command]
@="rundll32.exe %SystemRoot%\system32\shimgvw.dll,ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
@=""%SystemRoot%\System32\rundll32.exe" "%ProgramFiles%\Windows Photo Viewer\PhotoAcq.dll",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
"ServerExecutable"="%SystemRoot%\System32\rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\Open\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN /disablediagnostics"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3eef301f-b596-4c0b-bd92-013beafce793}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40419485-C444-4567-851A-2DD7BFA1684D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\telephon.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\intl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C8EEC18-8D75-41B2-A177-8831D59D2D50}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\RunAs\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {722b3793-5367-4446-b6bb-db89b05c1f24}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{725BE8F7-668E-4C7B-8F90-46BDB0936430}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl,@1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78CB147A-98EA-4AA6-B0DF-C8681F69341C}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\infocardcpl.cpl,ManageCardSpace_RunDll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87D66A43-7B11-4A28-9811-C86EE395ACF7}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\srchadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9a97f12a-6b73-4dc4-b3c1-e9244c03adac}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9a97f12a-6b73-4dc4-b3c1-e9244c03adac}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0275511-0E86-4ECA-97C2-ECD8F1221D08}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\irprops.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\shell32.dll,Control_RunDLL C:\Windows\SysWOW64\inetcpl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D17D1D6D-CC3F-4815-8FE3-607E7D5D10B3}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\Speech\SpeechUX\sapi.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7934B-DCE5-43C4-9576-7FE4F75E7480}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\timedate.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a4e5ca-55b2-4a06-b1ab-8fbecc7bca4b}\LocalServer32]
@="rundll32.exe /sta {fcc2867c-69ea-4d85-8058-7c214e611c97}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\mmsys.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fb479c02-9ec4-4fed-8599-debe037452cb}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {fb479c02-9ec4-4fed-8599-debe037452cb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\rundll32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}]
@="rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\printto\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"StubPath"=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
"StubPath"="C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Resolvers]
"SystemBinariesList"="win32k.sys:winlogon.exe:EXPLORER.EXE:CSRSS.Exe:dwm.exe:logon.scr:logonui.exe:lsass.exe:lsm.exe:ntkrpamp.exe:ntoskrnl.exe:RUNDLL32.EXE:services.exe:sppsvc.exe:smss.exe:spoolsv.exe:svchost.exe:taskeng.exe:WinInit.exe:WISPTIS.EXE:dllhost.exe:dllhst3g.exe:cscript.exe:mmc.exe:msiexec.exe:upnpcont.exe:wscript.exe:WUDFHost.exe:dfsvc.exe:dfsvc.exe:fdbs.exe:ntfsbs.exe:memdiag.exe:NETFXSBS10.exe:applaunch.exe:aspnet_compiler.exe:aspnet_regbrowsers.exe:aspnet_regiis.exe:aspnet_regsql.exe:aspnet_state.exe:aspnet_wp.exe:caspol.exe:csc.exe:CVTRES.EXE:dfsvc.exe:dw20.exe:IEExec.exe:ilasm.exe:InstallUtil.exe:jsc.exe:MSBuild.exe:mscorsvw.exe:ngen.exe:RegAsm.exe::RegSvcs.exe:vbc.exe:TrustedInstaller.exe:Aurora.scr:AutoChk.Exe:AUTOFMT.EXE:CHKDSK.EXE:CHKNTFS.EXE:consent.exe:PnPUnattend.exe:PnPutil.exe:RacAgent.exe:fsquirt.exe:Uninst.exe:updateWmc.exe:wmdc.exe:wmdsync.exe:mofcomp.exe:ScrCons.exe:smi2smir.exe:unse
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation]
"KillList"="%1;explorer.exe;dvdplay.exe;msohtmed.exe;quikview.exe;rundll.exe;rundll32.exe;taskman.exe;bck32api.dll;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation]
"HostApps"="RUNDLL32.EXE;MSHTA.EXE;DLLHOST.EXE;APPLAUNCH.EXE;HH.EXE;WINHLP32.EXE;MMC.EXE;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\0\{27dfca82-8593-46e4-98d8-23eb83452f65}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewEmail %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\1\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\2\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\3\{9d4b9c0a-7b4e-4c0d-926e-a536d781cff6}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnEdit %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\6\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\7\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\0\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\1\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\2\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\3\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Download Assistant"="C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"StubPath"=""C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
"StubPath"="C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FileAssociation]
"KillList"="%1;explorer.exe;dvdplay.exe;msohtmed.exe;quikview.exe;rundll.exe;rundll32.exe;taskman.exe;bck32api.dll;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FileAssociation]
"HostApps"="RUNDLL32.EXE;MSHTA.EXE;DLLHOST.EXE;APPLAUNCH.EXE;HH.EXE;WINHLP32.EXE;MMC.EXE;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\0\{27dfca82-8593-46e4-98d8-23eb83452f65}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewEmail %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\1\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\2\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\3\{9d4b9c0a-7b4e-4c0d-926e-a536d781cff6}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnEdit %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\6\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\7\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\0\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\1\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\2\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\3\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
@=""%SystemRoot%\System32\rundll32.exe" "%ProgramFiles%\Windows Photo Viewer\PhotoAcq.dll",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
"ServerExecutable"="%SystemRoot%\System32\rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\Open\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN /disablediagnostics"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3eef301f-b596-4c0b-bd92-013beafce793}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{40419485-C444-4567-851A-2DD7BFA1684D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\telephon.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\intl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6C8EEC18-8D75-41B2-A177-8831D59D2D50}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\RunAs\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {722b3793-5367-4446-b6bb-db89b05c1f24}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{725BE8F7-668E-4C7B-8F90-46BDB0936430}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl,@1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{78CB147A-98EA-4AA6-B0DF-C8681F69341C}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\infocardcpl.cpl,ManageCardSpace_RunDll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{87D66A43-7B11-4A28-9811-C86EE395ACF7}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\srchadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{9a97f12a-6b73-4dc4-b3c1-e9244c03adac}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9a97f12a-6b73-4dc4-b3c1-e9244c03adac}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{A0275511-0E86-4ECA-97C2-ECD8F1221D08}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\irprops.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\shell32.dll,Control_RunDLL C:\Windows\SysWOW64\inetcpl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{D17D1D6D-CC3F-4815-8FE3-607E7D5D10B3}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\Speech\SpeechUX\sapi.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{E2E7934B-DCE5-43C4-9576-7FE4F75E7480}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\timedate.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{e3a4e5ca-55b2-4a06-b1ab-8fbecc7bca4b}\LocalServer32]
@="rundll32.exe /sta {fcc2867c-69ea-4d85-8058-7c214e611c97}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\mmsys.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fb479c02-9ec4-4fed-8599-debe037452cb}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {fb479c02-9ec4-4fed-8599-debe037452cb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\rundll32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}]
@="rundll32.exe"
[HKEY_USERS\S-1-5-21-3288425262-2259600600-3156803109-1000\Software\GNU\ffdshow]
"whitelist"="3wPlayer.exe;ACDSee10.exe;ACDSee11.exe;ACDSee5.exe;ACDSee6.exe;ACDSee7.exe;ACDSee8.exe;ACDSee8Pro.exe;ACDSee9.exe;ACDSeePro2.exe;ACDSeePro25.exe;acdseepro3.exe;Acer Crystal Eye webcam.exe;aegisub.exe;afreecaplayer.exe;afreecastudio.exe;AfterFX.exe;aim6.exe;aircamwin.exe;ALLPlayer.exe;allradio.exe;AlltoaviV4.exe;ALShow.exe;ALSong.exe;AltDVB.exe;amcap.exe;amf_slv.exe;amvtransform.exe;Apollo DivX to DVD Creator.exe;Apollo3GPVideoConverter.exe;Ares.exe;AsfTools.exe;ass_help3r.exe;ASUSDVD.exe;Audition.exe;AutoGK.exe;autorun.exe;avant.exe;AVerTV.exe;Avi2Dvd.exe;avi2mpg.exe;avicodec.exe;avipreview.exe;aviutl.exe;avs2avi.exe;Badak.exe;BearShare.exe;BePipe.exe;bestplayer.exe;bestplayer1.0.exe;bestpl~1.exe;BitComet.exe;BlazeDVD.exe;BoonPlayer.exe;bplay.exe;bsplay.exe;bsplayer.exe;BTVD3DShell.exe;Camfrog Video Chat.exe;CamRecorder.exe;CamtasiaStudio.exe;carom.exe;CEC_MAIN.exe;christv.exe;chrome.exe;cinemaplayer.exe;CinergyDVR.

Searching for "rundll*"
No data found.

-= EOF =-
die antwort ist schon wieder weg...

Code:
ATTFilter
SystemLook 30.07.11 by jpshortstuff
Log created at 14:59 on 30/05/2013 by Stoffi
Administrator - Elevation successful

========== regfind ==========

Searching for "rundll32.exe"
[HKEY_CURRENT_USER\Software\GNU\ffdshow]
"whitelist"="3wPlayer.exe;ACDSee10.exe;ACDSee11.exe;ACDSee5.exe;ACDSee6.exe;ACDSee7.exe;ACDSee8.exe;ACDSee8Pro.exe;ACDSee9.exe;ACDSeePro2.exe;ACDSeePro25.exe;acdseepro3.exe;Acer Crystal Eye webcam.exe;aegisub.exe;afreecaplayer.exe;afreecastudio.exe;AfterFX.exe;aim6.exe;aircamwin.exe;ALLPlayer.exe;allradio.exe;AlltoaviV4.exe;ALShow.exe;ALSong.exe;AltDVB.exe;amcap.exe;amf_slv.exe;amvtransform.exe;Apollo DivX to DVD Creator.exe;Apollo3GPVideoConverter.exe;Ares.exe;AsfTools.exe;ass_help3r.exe;ASUSDVD.exe;Audition.exe;AutoGK.exe;autorun.exe;avant.exe;AVerTV.exe;Avi2Dvd.exe;avi2mpg.exe;avicodec.exe;avipreview.exe;aviutl.exe;avs2avi.exe;Badak.exe;BearShare.exe;BePipe.exe;bestplayer.exe;bestplayer1.0.exe;bestpl~1.exe;BitComet.exe;BlazeDVD.exe;BoonPlayer.exe;bplay.exe;bsplay.exe;bsplayer.exe;BTVD3DShell.exe;Camfrog Video Chat.exe;CamRecorder.exe;CamtasiaStudio.exe;carom.exe;CEC_MAIN.exe;christv.exe;chrome.exe;cinemaplayer.exe;CinergyDVR.exe;CodecInstaller.exe;ConvertXtoDvd.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\rundll32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}]
@="rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Application.Manifest\shell\open\command]
@="rundll32.exe dfshim.dll,ShOpenVerbApplication %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Application.Reference\shell\open\command]
@="rundll32.exe dfshim.dll,ShOpenVerbShortcut %1|%2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\print\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bootstrap.vsto.1\shell\open\command]
@="rundll32.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll",InstallVstoSolution %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CATFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCAT %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CERFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddCER %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CERFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCER %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CertificateStoreFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenSTR %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
@=""%SystemRoot%\System32\rundll32.exe" "%ProgramFiles%\Windows Photo Viewer\PhotoAcq.dll",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
"ServerExecutable"="%SystemRoot%\System32\rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\Open\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN /disablediagnostics"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3eef301f-b596-4c0b-bd92-013beafce793}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40419485-C444-4567-851A-2DD7BFA1684D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\telephon.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\intl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C8EEC18-8D75-41B2-A177-8831D59D2D50}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\RunAs\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {722b3793-5367-4446-b6bb-db89b05c1f24}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{725BE8F7-668E-4C7B-8F90-46BDB0936430}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl,@1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78CB147A-98EA-4AA6-B0DF-C8681F69341C}\Shell\Open\Command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\infocardcpl.cpl,ManageCardSpace_RunDll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80F3F1D5-FECA-45F3-BC32-752C152E456E}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\tabletpc.cpl @1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87D66A43-7B11-4A28-9811-C86EE395ACF7}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\srchadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9a97f12a-6b73-4dc4-b3c1-e9244c03adac}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9a97f12a-6b73-4dc4-b3c1-e9244c03adac}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0275511-0E86-4ECA-97C2-ECD8F1221D08}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\irprops.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\Shell\Open\Command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\inetcpl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D17D1D6D-CC3F-4815-8FE3-607E7D5D10B3}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\Speech\SpeechUX\sapi.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2E7934B-DCE5-43C4-9576-7FE4F75E7480}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\timedate.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e3a4e5ca-55b2-4a06-b1ab-8fbecc7bca4b}\LocalServer32]
@="rundll32.exe /sta {fcc2867c-69ea-4d85-8058-7c214e611c97}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\mmsys.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F82DF8F7-8B9F-442E-A48C-818EA735FF9B}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\tabletpc.cpl @0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fb479c02-9ec4-4fed-8599-debe037452cb}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {fb479c02-9ec4-4fed-8599-debe037452cb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cplfile\shell\runas\command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CRLFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddCRL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CRLFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCRL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DeviceDisplayObject\InterfaceClass\{0850302A-B344-4fda-9BE9-90576B8D46F0}\Shell\Bluetooth\command]
@="rundll32.exe shell32.dll,Control_RunDLL bthprops.cpl,,1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DeviceDisplayObject\InterfaceClass\{70FFD812-4C7F-4C7D-926A-637B7DD852AF}\Shell\DeviceInstall\command]
@="rundll32.exe newdev.dll,DeviceInternetSettingUi 2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\giffile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\printto\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\icofile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.HTM\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.HTM\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.SVG\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.SVG\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.URL\Shell\Open\Command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.URL\Shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.URL\Shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.XHT\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintXHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.XHT\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintXHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\Open\Command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpegfile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.InformationCard\Shell\open\command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\infocardcpl.cpl,ImportInformationCard_RunDll  %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.WindowsCardSpaceBackup\Shell\open\command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\infocardcpl.cpl,ImportInformationCard_RunDll  %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSDASC\shell\open\command]
@="Rundll32.exe "%CommonProgramFiles%\System\OLE DB\oledb32.dll",OpenDSLFile %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSSppPackageFile\shell\open\command]
@="rundll32.exe sppcc.dll, OpenPackage %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\msstylesfile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Appearance /Action:OpenMSTheme /file:"%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-wifialliance-org:device:WFADevice:1\shell\Configure\command]
@=""%SystemRoot%\System32\rundll32.exe" wcnwiz.dll,RunWcnWizardForDevice /c /u %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\opensearchresult\shell\print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\P7RFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddP7R %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\P7RFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenP7R %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\P7SFile\shell\open\command]
@="%SystemRoot%\system32\\rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Paint.Picture\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PFXFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddPFX %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Bitmap\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.JFIF\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Jpeg\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Png\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Tiff\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Wdp\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pjpegfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pjpegfile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pngfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pngfile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\prffile\shell\Open\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\msrating.dll",ClickedOnPRF %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ratfile\Shell\Open\Command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\msrating.dll",ClickedOnRAT %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RDB.AutoPlayHandler\shell\properties\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\sysmain.dll,RDBMgmtLaunchProperties %L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rlogin\shell\open\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\url.dll",TelnetProtocolHandler %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SavedDsQuery\Shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\dsquery.dll,OpenSavedDsQuery %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command]
@="rundll32.exe desk.cpl,InstallScreenSaver %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command]
@=""C:\Windows\system32\rundll32.exe" C:\Windows\system32\scrobj.dll,GenerateTypeLib %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Shell.CDBurn\Shell\Prepare\Command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,PrepareDiscForBurnRunDll %L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SPCFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddSPC %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SPCFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\STLFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddCTL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\STLFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCTL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.vsto\shell\open\command]
@="rundll32.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll",InstallVstoSolution %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shell\print\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet\shell\open\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\url.dll",TelnetProtocolHandler %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\themefile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\themepackfile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TIFImage.Document\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TIFImage.Document\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tn3270\shell\open\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\url.dll",TelnetProtocolHandler %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\opendlg\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WCN.AutoPlayHandler\shell\open\command]
@="%systemroot%\system32\rundll32.exe %systemroot%\system32\wzcdlg.dll,ImportFlashProfile %L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wcxfile\shell\Open\Command]
@="rundll32.exe xwizards.dll,RunWizard /u {7940acf8-60ba-4213-a7c3-f3b400ee266d} /z%1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wdpfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wdpfile\shell\print\command]
@="rundll32.exe %SystemRoot%\system32\shimgvw.dll,ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wdpfile\shell\printto\command]
@="rundll32.exe %SystemRoot%\system32\shimgvw.dll,ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
@=""%SystemRoot%\System32\rundll32.exe" "%ProgramFiles%\Windows Photo Viewer\PhotoAcq.dll",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
"ServerExecutable"="%SystemRoot%\System32\rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\Open\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN /disablediagnostics"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3eef301f-b596-4c0b-bd92-013beafce793}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40419485-C444-4567-851A-2DD7BFA1684D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\telephon.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\intl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C8EEC18-8D75-41B2-A177-8831D59D2D50}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\RunAs\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {722b3793-5367-4446-b6bb-db89b05c1f24}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{725BE8F7-668E-4C7B-8F90-46BDB0936430}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl,@1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78CB147A-98EA-4AA6-B0DF-C8681F69341C}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\infocardcpl.cpl,ManageCardSpace_RunDll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87D66A43-7B11-4A28-9811-C86EE395ACF7}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\srchadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9a97f12a-6b73-4dc4-b3c1-e9244c03adac}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9a97f12a-6b73-4dc4-b3c1-e9244c03adac}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0275511-0E86-4ECA-97C2-ECD8F1221D08}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\irprops.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\shell32.dll,Control_RunDLL C:\Windows\SysWOW64\inetcpl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D17D1D6D-CC3F-4815-8FE3-607E7D5D10B3}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\Speech\SpeechUX\sapi.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7934B-DCE5-43C4-9576-7FE4F75E7480}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\timedate.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a4e5ca-55b2-4a06-b1ab-8fbecc7bca4b}\LocalServer32]
@="rundll32.exe /sta {fcc2867c-69ea-4d85-8058-7c214e611c97}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\mmsys.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fb479c02-9ec4-4fed-8599-debe037452cb}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {fb479c02-9ec4-4fed-8599-debe037452cb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\rundll32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}]
@="rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\printto\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"StubPath"=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
"StubPath"="C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Resolvers]
"SystemBinariesList"="win32k.sys:winlogon.exe:EXPLORER.EXE:CSRSS.Exe:dwm.exe:logon.scr:logonui.exe:lsass.exe:lsm.exe:ntkrpamp.exe:ntoskrnl.exe:RUNDLL32.EXE:services.exe:sppsvc.exe:smss.exe:spoolsv.exe:svchost.exe:taskeng.exe:WinInit.exe:WISPTIS.EXE:dllhost.exe:dllhst3g.exe:cscript.exe:mmc.exe:msiexec.exe:upnpcont.exe:wscript.exe:WUDFHost.exe:dfsvc.exe:dfsvc.exe:fdbs.exe:ntfsbs.exe:memdiag.exe:NETFXSBS10.exe:applaunch.exe:aspnet_compiler.exe:aspnet_regbrowsers.exe:aspnet_regiis.exe:aspnet_regsql.exe:aspnet_state.exe:aspnet_wp.exe:caspol.exe:csc.exe:CVTRES.EXE:dfsvc.exe:dw20.exe:IEExec.exe:ilasm.exe:InstallUtil.exe:jsc.exe:MSBuild.exe:mscorsvw.exe:ngen.exe:RegAsm.exe::RegSvcs.exe:vbc.exe:TrustedInstaller.exe:Aurora.scr:AutoChk.Exe:AUTOFMT.EXE:CHKDSK.EXE:CHKNTFS.EXE:consent.exe:PnPUnattend.exe:PnPutil.exe:RacAgent.exe:fsquirt.exe:Uninst.exe:updateWmc.exe:wmdc.exe:wmdsync.exe:mofcomp.exe:ScrCons.exe:smi2smir.exe:unse
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation]
"KillList"="%1;explorer.exe;dvdplay.exe;msohtmed.exe;quikview.exe;rundll.exe;rundll32.exe;taskman.exe;bck32api.dll;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation]
"HostApps"="RUNDLL32.EXE;MSHTA.EXE;DLLHOST.EXE;APPLAUNCH.EXE;HH.EXE;WINHLP32.EXE;MMC.EXE;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\0\{27dfca82-8593-46e4-98d8-23eb83452f65}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewEmail %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\1\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\2\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\3\{9d4b9c0a-7b4e-4c0d-926e-a536d781cff6}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnEdit %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\6\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\7\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\0\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\1\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\2\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\3\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Download Assistant"="C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"StubPath"=""C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
"StubPath"="C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FileAssociation]
"KillList"="%1;explorer.exe;dvdplay.exe;msohtmed.exe;quikview.exe;rundll.exe;rundll32.exe;taskman.exe;bck32api.dll;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FileAssociation]
"HostApps"="RUNDLL32.EXE;MSHTA.EXE;DLLHOST.EXE;APPLAUNCH.EXE;HH.EXE;WINHLP32.EXE;MMC.EXE;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\0\{27dfca82-8593-46e4-98d8-23eb83452f65}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewEmail %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\1\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\2\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\3\{9d4b9c0a-7b4e-4c0d-926e-a536d781cff6}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnEdit %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\6\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\7\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\0\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\1\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\2\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\3\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
@=""%SystemRoot%\System32\rundll32.exe" "%ProgramFiles%\Windows Photo Viewer\PhotoAcq.dll",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
"ServerExecutable"="%SystemRoot%\System32\rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\Open\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN /disablediagnostics"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3eef301f-b596-4c0b-bd92-013beafce793}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{40419485-C444-4567-851A-2DD7BFA1684D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\telephon.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\intl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6C8EEC18-8D75-41B2-A177-8831D59D2D50}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\RunAs\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {722b3793-5367-4446-b6bb-db89b05c1f24}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{725BE8F7-668E-4C7B-8F90-46BDB0936430}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl,@1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{78CB147A-98EA-4AA6-B0DF-C8681F69341C}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\infocardcpl.cpl,ManageCardSpace_RunDll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{87D66A43-7B11-4A28-9811-C86EE395ACF7}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\srchadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{9a97f12a-6b73-4dc4-b3c1-e9244c03adac}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9a97f12a-6b73-4dc4-b3c1-e9244c03adac}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{A0275511-0E86-4ECA-97C2-ECD8F1221D08}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\irprops.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\shell32.dll,Control_RunDLL C:\Windows\SysWOW64\inetcpl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{D17D1D6D-CC3F-4815-8FE3-607E7D5D10B3}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\Speech\SpeechUX\sapi.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{E2E7934B-DCE5-43C4-9576-7FE4F75E7480}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\timedate.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{e3a4e5ca-55b2-4a06-b1ab-8fbecc7bca4b}\LocalServer32]
@="rundll32.exe /sta {fcc2867c-69ea-4d85-8058-7c214e611c97}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\mmsys.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fb479c02-9ec4-4fed-8599-debe037452cb}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {fb479c02-9ec4-4fed-8599-debe037452cb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\rundll32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}]
@="rundll32.exe"
[HKEY_USERS\S-1-5-21-3288425262-2259600600-3156803109-1000\Software\GNU\ffdshow]
"whitelist"="3wPlayer.exe;ACDSee10.exe;ACDSee11.exe;ACDSee5.exe;ACDSee6.exe;ACDSee7.exe;ACDSee8.exe;ACDSee8Pro.exe;ACDSee9.exe;ACDSeePro2.exe;ACDSeePro25.exe;acdseepro3.exe;Acer Crystal Eye webcam.exe;aegisub.exe;afreecaplayer.exe;afreecastudio.exe;AfterFX.exe;aim6.exe;aircamwin.exe;ALLPlayer.exe;allradio.exe;AlltoaviV4.exe;ALShow.exe;ALSong.exe;AltDVB.exe;amcap.exe;amf_slv.exe;amvtransform.exe;Apollo DivX to DVD Creator.exe;Apollo3GPVideoConverter.exe;Ares.exe;AsfTools.exe;ass_help3r.exe;ASUSDVD.exe;Audition.exe;AutoGK.exe;autorun.exe;avant.exe;AVerTV.exe;Avi2Dvd.exe;avi2mpg.exe;avicodec.exe;avipreview.exe;aviutl.exe;avs2avi.exe;Badak.exe;BearShare.exe;BePipe.exe;bestplayer.exe;bestplayer1.0.exe;bestpl~1.exe;BitComet.exe;BlazeDVD.exe;BoonPlayer.exe;bplay.exe;bsplay.exe;bsplayer.exe;BTVD3DShell.exe;Camfrog Video Chat.exe;CamRecorder.exe;CamtasiaStudio.exe;carom.exe;CEC_MAIN.exe;christv.exe;chrome.exe;cinemaplayer.exe;CinergyDVR.

Searching for "rundll*"
No data found.

-= EOF =-

Alt 30.05.2013, 14:32   #32
schrauber
/// the machine
/// TB-Ausbilder
 
JS/Agent.480412 - Standard

JS/Agent.480412


Ok, noch eine, die Sau finden wir noch

:regfind
c:\programdata\6zrje6z.dat
__________________

__________________
Alt 30.05.2013, 14:35   #33
Keith
 
JS/Agent.480412 - Standard

JS/Agent.480412


die sau dürfte sich wirklich gut versteckt haben...

Code:
ATTFilter
SystemLook 30.07.11 by jpshortstuff
Log created at 15:34 on 30/05/2013 by Stoffi
Administrator - Elevation successful

========== regfind ==========

Searching for "c:\programdata\6zrje6z.dat"
No data found.

-= EOF =-
__________________
Alt 30.05.2013, 14:36   #34
schrauber
/// the machine
/// TB-Ausbilder
 
JS/Agent.480412 - Standard

JS/Agent.480412


:filefind
*.ink

aber nicht mit mir
__________________
gruß,
schrauber

Proud Member of UNITE and ASAP since 2009

Spenden
Anleitungen und Hilfestellungen
Trojaner-Board Facebook-Seite

Keine Hilfestellung via PM!

Alt 30.05.2013, 16:43   #35
Keith
 
JS/Agent.480412 - Standard

JS/Agent.480412


leider nichts gefunden

Code:
ATTFilter
SystemLook 30.07.11 by jpshortstuff
Log created at 15:38 on 30/05/2013 by Stoffi
Administrator - Elevation successful

========== filefind ==========

Searching for "*.ink"
No files found.

-= EOF =-
lg


Alt 30.05.2013, 17:08   #36
schrauber
/// the machine
/// TB-Ausbilder
 
JS/Agent.480412 - Standard

JS/Agent.480412


Downloade bitte nochmal Combofix und lass es laufen.
__________________
--> JS/Agent.480412

Alt 30.05.2013, 18:14   #37
Keith
 
JS/Agent.480412 - Standard

JS/Agent.480412


ich hab jetzt den combofix genommen den du mir als erstes empfohlen hast!
hier ist das logfile:

Code:
ATTFilter
ComboFix 13-05-30.02 - Stoffi 30.05.2013  18:51:29.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.43.1031.18.7934.6569 [GMT 2:00]
ausgeführt von:: c:\users\Stoffi\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Im Speicher befindliches AV aktiv.
.
.
.
(((((((((((((((((((((((   Dateien erstellt von 2013-04-28 bis 2013-05-30  ))))))))))))))))))))))))))))))
.
.
2013-05-30 16:55 . 2013-05-30 16:55	--------	d-----w-	c:\users\Default\AppData\Local\temp
2013-05-30 11:00 . 2013-05-30 11:00	--------	d-----w-	C:\_OTL
2013-05-29 15:43 . 2013-05-13 06:37	9460464	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{8835E69E-B14C-43BE-B0B4-6A14FF40E242}\mpengine.dll
2013-05-29 15:33 . 2013-05-29 22:21	--------	d-----w-	c:\windows\ERUNT
2013-05-29 15:27 . 2013-05-29 15:27	97	----a-w-	c:\windows\DeleteOnReboot.bat
2013-05-17 01:03 . 2013-05-05 21:36	17818624	----a-w-	c:\windows\system32\mshtml.dll
2013-05-17 01:03 . 2013-05-05 21:16	2382848	----a-w-	c:\windows\system32\mshtml.tlb
2013-05-17 01:03 . 2013-05-05 19:12	2382848	----a-w-	c:\windows\SysWow64\mshtml.tlb
2013-05-16 15:48 . 2013-04-10 06:01	265064	----a-w-	c:\windows\system32\drivers\dxgmms1.sys
2013-05-16 15:48 . 2013-04-10 06:01	983400	----a-w-	c:\windows\system32\drivers\dxgkrnl.sys
2013-05-16 15:48 . 2011-02-03 11:25	144384	----a-w-	c:\windows\system32\cdd.dll
2013-05-16 15:48 . 2013-02-27 05:52	14172672	----a-w-	c:\windows\system32\shell32.dll
2013-05-16 15:48 . 2013-02-27 05:48	1930752	----a-w-	c:\windows\system32\authui.dll
2013-05-16 15:48 . 2013-02-27 05:52	197120	----a-w-	c:\windows\system32\shdocvw.dll
2013-05-16 15:48 . 2013-02-27 06:02	111448	----a-w-	c:\windows\system32\consent.exe
2013-05-16 15:48 . 2013-02-27 05:47	70144	----a-w-	c:\windows\system32\appinfo.dll
2013-05-16 15:48 . 2013-02-27 04:49	1796096	----a-w-	c:\windows\SysWow64\authui.dll
2013-05-16 15:48 . 2013-03-19 05:53	48640	----a-w-	c:\windows\system32\wwanprotdim.dll
2013-05-16 15:48 . 2013-03-19 05:53	230400	----a-w-	c:\windows\system32\wwansvc.dll
2013-05-16 15:47 . 2013-04-10 03:30	3153920	----a-w-	c:\windows\system32\win32k.sys
2013-05-07 18:44 . 2013-05-07 18:43	83160	----a-w-	c:\windows\system32\drivers\avnetflt.sys
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-17 01:08 . 2011-09-14 06:44	75016696	----a-w-	c:\windows\system32\MRT.exe
2013-05-14 20:11 . 2012-05-01 08:56	692104	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-14 20:11 . 2011-09-08 10:55	71048	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-02 00:06 . 2010-11-21 03:27	278800	------w-	c:\windows\system32\MpSigStub.exe
2013-04-21 18:08 . 2013-04-21 18:08	163504	----a-w-	c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10144.bin
2013-04-13 05:49 . 2013-05-16 15:48	135168	----a-w-	c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-16 15:48	308736	----a-w-	c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-16 15:48	350208	----a-w-	c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-16 15:48	111104	----a-w-	c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-16 15:48	474624	----a-w-	c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-16 15:48	2176512	----a-w-	c:\windows\apppatch\AcGenral.dll
2013-04-12 14:45 . 2013-04-23 19:44	1656680	----a-w-	c:\windows\system32\drivers\ntfs.sys
2013-03-27 22:47 . 2013-03-27 22:47	28600	----a-w-	c:\windows\system32\drivers\avkmgr.sys
2013-03-27 22:47 . 2013-03-27 22:47	130016	----a-w-	c:\windows\system32\drivers\avipbb.sys
2013-03-27 22:47 . 2013-03-27 22:47	100712	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2013-03-19 06:04 . 2013-04-11 19:37	5550424	----a-w-	c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-11 19:37	43520	----a-w-	c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-11 19:37	3968856	----a-w-	c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-11 19:37	3913560	----a-w-	c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-11 19:37	6656	----a-w-	c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-11 19:37	112640	----a-w-	c:\windows\system32\smss.exe
2013-03-18 19:41 . 2012-09-06 10:40	861088	----a-w-	c:\windows\SysWow64\npdeployJava1.dll
2013-03-18 19:41 . 2011-11-03 16:52	782240	----a-w-	c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-29 98304]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2011-04-06 3031664]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-05-07 345312]
.
c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
msconfig.lnk - c:\windows\System32\rundll32.exe [2009-7-14 45568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableSecureUIAPath"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u wsauth
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-05-11 99384]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2012-05-11 203320]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-12-13 54784]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-11 1255736]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2013-03-27 28600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-31 202752]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2013-03-27 86752]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe [2011-03-29 27760]
S2 wsnm;VMware View Client;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2011-02-18 494192]
S2 wsnm_usbctrl;VMware View-USB-Steuerung;c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [2011-02-18 1120368]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-03-29 2157680]
S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\Drivers\vmwvusb.sys [2011-02-18 47664]
.
.
Inhalt des "geplante Tasks" Ordners
.
2013-05-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 20:11]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 17:59]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 17:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-03 1580368]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.at/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: An OneNote s&enden - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Nach Microsoft &Excel exportieren - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xcel exportieren - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.186.211.21 195.34.133.21
FF - ProfilePath - c:\users\Stoffi\AppData\Roaming\Mozilla\Firefox\Profiles\o4b2azmr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.at
FF - prefs.js: network.proxy.type - 0
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-!{64ead72b-ffd4-4e01-aa3a-4c71665d73e4} - (no file)
Toolbar-!{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
AddRemove-HappyFoto - Bestellassistent - c:\windows\system32\javaws.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2013-05-30  18:58:09
ComboFix-quarantined-files.txt  2013-05-30 16:58
.
Vor Suchlauf: 9 Verzeichnis(se), 586.038.480.896 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 585.609.682.944 Bytes frei
.
- - End Of File - - A8C853D85F2BE725DBC604895CDA239A
thx

Alt 30.05.2013, 19:14   #38
schrauber
/// the machine
/// TB-Ausbilder
 
JS/Agent.480412 - Standard

JS/Agent.480412


Hi,

Combofix-Skript
WARNUNG für die MITLESER:
Folgendes ComboFix Skript ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!

  • Lösche die vorhandene Combofix.exe von deinem Desktop und lade das Programm von folgenden Download-Spiegel neu herunter: Link
  • Speichere es erneut auf dem Desktop (nicht woanders hin, das ist wichtig)!
  • Drücke die Windows + R Taste --> notepad (hinein schreiben) --> OK
  • Kopiere nun den Text aus der folgenden Codebox komplett in das leere Textdokument.
    Code:
    ATTFilter
    Files::
c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
  • Speichere dies als CFScript.txt auf deinem Desktop.
  • Wichtig: Stelle deine Anti Viren Software temporär ab. Dies kann ComboFix nämlich bei der Arbeit behindern.
    Danach wieder anstellen nicht vergessen!
  • Schließe alle laufenden Programme damit ComboFix ungehindert arbeiten kann.
  • Ziehe CFScript.txt in die ComboFix.exe wie in diesem Bild:
  • Mache nichts am Computer, bewege nicht die Maus über das ComboFix-Fenster oder klicke in dieses hinein. Dies kann dazu führen, dass ComboFix sich aufhängt.
  • Wenn ComboFix fertig ist wird es ein Log erstellen: C:\ComboFix.txt
    Bitte füge es hier als Antwort (in CODE-Tags mit dem #-Button des Editors) ein.

Hinweis:
Suspect:: und Collect::
Falls im Skript diese Anweisungen enthalten sind, sollen Dateien zur Analyse eingeschickt werden. Es erscheint eine Message-Box, nachdem Combofix fertig ist. Klicke OK und folge den Aufforderungen/Anweisungen, um die Dateien hochzuladen. Teile mir unbedingt mit, ob der Upload geklappt hat!

__________________
gruß,
schrauber

Proud Member of UNITE and ASAP since 2009

Spenden
Anleitungen und Hilfestellungen
Trojaner-Board Facebook-Seite

Keine Hilfestellung via PM!

Alt 30.05.2013, 19:56   #39
Keith
 
JS/Agent.480412 - Standard

JS/Agent.480412


so und da ist das file
(avira war aus, ist jetzt wieder an)

Code:
ATTFilter
ComboFix 13-05-30.02 - Stoffi 30.05.2013  20:25:11.3.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.43.1031.18.7934.6563 [GMT 2:00]
ausgeführt von:: c:\users\Stoffi\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\Stoffi\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((   Dateien erstellt von 2013-04-28 bis 2013-05-30  ))))))))))))))))))))))))))))))
.
.
2013-05-30 18:28 . 2013-05-30 18:28	--------	d-----w-	c:\users\Default\AppData\Local\temp
2013-05-30 11:00 . 2013-05-30 11:00	--------	d-----w-	C:\_OTL
2013-05-29 15:43 . 2013-05-13 06:37	9460464	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{8835E69E-B14C-43BE-B0B4-6A14FF40E242}\mpengine.dll
2013-05-29 15:33 . 2013-05-29 22:21	--------	d-----w-	c:\windows\ERUNT
2013-05-29 15:27 . 2013-05-29 15:27	97	----a-w-	c:\windows\DeleteOnReboot.bat
2013-05-17 01:03 . 2013-05-05 21:36	17818624	----a-w-	c:\windows\system32\mshtml.dll
2013-05-17 01:03 . 2013-05-05 21:16	2382848	----a-w-	c:\windows\system32\mshtml.tlb
2013-05-17 01:03 . 2013-05-05 19:12	2382848	----a-w-	c:\windows\SysWow64\mshtml.tlb
2013-05-16 15:48 . 2013-04-10 06:01	265064	----a-w-	c:\windows\system32\drivers\dxgmms1.sys
2013-05-16 15:48 . 2013-04-10 06:01	983400	----a-w-	c:\windows\system32\drivers\dxgkrnl.sys
2013-05-16 15:48 . 2011-02-03 11:25	144384	----a-w-	c:\windows\system32\cdd.dll
2013-05-16 15:48 . 2013-02-27 05:52	14172672	----a-w-	c:\windows\system32\shell32.dll
2013-05-16 15:48 . 2013-02-27 05:48	1930752	----a-w-	c:\windows\system32\authui.dll
2013-05-16 15:48 . 2013-02-27 05:52	197120	----a-w-	c:\windows\system32\shdocvw.dll
2013-05-16 15:48 . 2013-02-27 06:02	111448	----a-w-	c:\windows\system32\consent.exe
2013-05-16 15:48 . 2013-02-27 05:47	70144	----a-w-	c:\windows\system32\appinfo.dll
2013-05-16 15:48 . 2013-02-27 04:49	1796096	----a-w-	c:\windows\SysWow64\authui.dll
2013-05-16 15:48 . 2013-03-19 05:53	48640	----a-w-	c:\windows\system32\wwanprotdim.dll
2013-05-16 15:48 . 2013-03-19 05:53	230400	----a-w-	c:\windows\system32\wwansvc.dll
2013-05-16 15:47 . 2013-04-10 03:30	3153920	----a-w-	c:\windows\system32\win32k.sys
2013-05-07 18:44 . 2013-05-07 18:43	83160	----a-w-	c:\windows\system32\drivers\avnetflt.sys
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-17 01:08 . 2011-09-14 06:44	75016696	----a-w-	c:\windows\system32\MRT.exe
2013-05-14 20:11 . 2012-05-01 08:56	692104	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-14 20:11 . 2011-09-08 10:55	71048	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-02 00:06 . 2010-11-21 03:27	278800	------w-	c:\windows\system32\MpSigStub.exe
2013-04-21 18:08 . 2013-04-21 18:08	163504	----a-w-	c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10144.bin
2013-04-13 05:49 . 2013-05-16 15:48	135168	----a-w-	c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-16 15:48	308736	----a-w-	c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-16 15:48	350208	----a-w-	c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-16 15:48	111104	----a-w-	c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-16 15:48	474624	----a-w-	c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-16 15:48	2176512	----a-w-	c:\windows\apppatch\AcGenral.dll
2013-04-12 14:45 . 2013-04-23 19:44	1656680	----a-w-	c:\windows\system32\drivers\ntfs.sys
2013-03-27 22:47 . 2013-03-27 22:47	28600	----a-w-	c:\windows\system32\drivers\avkmgr.sys
2013-03-27 22:47 . 2013-03-27 22:47	130016	----a-w-	c:\windows\system32\drivers\avipbb.sys
2013-03-27 22:47 . 2013-03-27 22:47	100712	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2013-03-19 06:04 . 2013-04-11 19:37	5550424	----a-w-	c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-11 19:37	43520	----a-w-	c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-11 19:37	3968856	----a-w-	c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-11 19:37	3913560	----a-w-	c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-11 19:37	6656	----a-w-	c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-11 19:37	112640	----a-w-	c:\windows\system32\smss.exe
2013-03-18 19:41 . 2012-09-06 10:40	861088	----a-w-	c:\windows\SysWow64\npdeployJava1.dll
2013-03-18 19:41 . 2011-11-03 16:52	782240	----a-w-	c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-29 98304]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2011-04-06 3031664]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-05-07 345312]
.
c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
msconfig.lnk - c:\windows\System32\rundll32.exe [2009-7-14 45568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableSecureUIAPath"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u wsauth
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-05-11 99384]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2012-05-11 203320]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-12-13 54784]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-11 1255736]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2013-03-27 28600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-31 202752]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2013-03-27 86752]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe [2011-03-29 27760]
S2 wsnm;VMware View Client;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2011-02-18 494192]
S2 wsnm_usbctrl;VMware View-USB-Steuerung;c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [2011-02-18 1120368]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-03-29 2157680]
S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\Drivers\vmwvusb.sys [2011-02-18 47664]
.
.
Inhalt des "geplante Tasks" Ordners
.
2013-05-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 20:11]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 17:59]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 17:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-03 1580368]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.at/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: An OneNote s&enden - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Nach Microsoft &Excel exportieren - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xcel exportieren - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.186.211.21 195.34.133.21
FF - ProfilePath - c:\users\Stoffi\AppData\Roaming\Mozilla\Firefox\Profiles\o4b2azmr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.at
FF - prefs.js: network.proxy.type - 0
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-!{64ead72b-ffd4-4e01-aa3a-4c71665d73e4} - (no file)
Toolbar-!{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2013-05-30  20:30:03
ComboFix-quarantined-files.txt  2013-05-30 18:30
ComboFix2.txt  2013-05-30 17:51
ComboFix3.txt  2013-05-30 16:58
.
Vor Suchlauf: 10 Verzeichnis(se), 585.674.555.392 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 585.377.230.848 Bytes frei
.
- - End Of File - - EC7884C3F714B1A33C7738A1D98B96DD
thx

PS. nähern wir uns einem ende?

Alt 30.05.2013, 20:00   #40
schrauber
/// the machine
/// TB-Ausbilder
 
JS/Agent.480412 - Standard

JS/Agent.480412


Kommt die Meldung noch?
__________________
gruß,
schrauber

Proud Member of UNITE and ASAP since 2009

Spenden
Anleitungen und Hilfestellungen
Trojaner-Board Facebook-Seite

Keine Hilfestellung via PM!

Alt 30.05.2013, 20:01   #41
Keith
 
JS/Agent.480412 - Standard

JS/Agent.480412


ach ja, da mach ich doch gleich einen neustart!

Alt 30.05.2013, 20:02   #42
schrauber
/// the machine
/// TB-Ausbilder
 
JS/Agent.480412 - Standard

JS/Agent.480412


Mach mal
__________________
gruß,
schrauber

Proud Member of UNITE and ASAP since 2009

Spenden
Anleitungen und Hilfestellungen
Trojaner-Board Facebook-Seite

Keine Hilfestellung via PM!

Alt 30.05.2013, 20:07   #43
Keith
 
JS/Agent.480412 - Standard

JS/Agent.480412


ja leider kommt das immer noch

wie ist den jetzt so der status meines pcs?
ich blicke ja bei den logfiles nicht wirklich durch.
habe ich noch böses an bord?

thx

PS: also WIRKLICH thanx!!! nicht nur so als floskel, ich finde das bewundernswert
wie du dich meines problems annimmst und soviel zeit opferst!

Alt 30.05.2013, 21:48   #44
schrauber
/// the machine
/// TB-Ausbilder
 
JS/Agent.480412 - Standard

JS/Agent.480412


Hi,

ok der letze ging auf meine Kappe, kleiner Fehler im Script, also nochmal

Combofix-Skript
WARNUNG für die MITLESER:
Folgendes ComboFix Skript ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!

  • Lösche die vorhandene Combofix.exe von deinem Desktop und lade das Programm von folgenden Download-Spiegel neu herunter: Link
  • Speichere es erneut auf dem Desktop (nicht woanders hin, das ist wichtig)!
  • Drücke die Windows + R Taste --> notepad (hinein schreiben) --> OK
  • Kopiere nun den Text aus der folgenden Codebox komplett in das leere Textdokument.
    Code:
    ATTFilter
    File::
c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
  • Speichere dies als CFScript.txt auf deinem Desktop.
  • Wichtig: Stelle deine Anti Viren Software temporär ab. Dies kann ComboFix nämlich bei der Arbeit behindern.
    Danach wieder anstellen nicht vergessen!
  • Schließe alle laufenden Programme damit ComboFix ungehindert arbeiten kann.
  • Ziehe CFScript.txt in die ComboFix.exe wie in diesem Bild:
  • Mache nichts am Computer, bewege nicht die Maus über das ComboFix-Fenster oder klicke in dieses hinein. Dies kann dazu führen, dass ComboFix sich aufhängt.
  • Wenn ComboFix fertig ist wird es ein Log erstellen: C:\ComboFix.txt
    Bitte füge es hier als Antwort (in CODE-Tags mit dem #-Button des Editors) ein.

Hinweis:
Suspect:: und Collect::
Falls im Skript diese Anweisungen enthalten sind, sollen Dateien zur Analyse eingeschickt werden. Es erscheint eine Message-Box, nachdem Combofix fertig ist. Klicke OK und folge den Aufforderungen/Anweisungen, um die Dateien hochzuladen. Teile mir unbedingt mit, ob der Upload geklappt hat!

__________________
gruß,
schrauber

Proud Member of UNITE and ASAP since 2009

Spenden
Anleitungen und Hilfestellungen
Trojaner-Board Facebook-Seite

Keine Hilfestellung via PM!

Alt 30.05.2013, 22:18   #45
Keith
 
JS/Agent.480412 - Standard

JS/Agent.480412


HEUREKA
die sau ist offensichtlich tot!
diesmal ist nichts aufgepoppt!!!

hier das log

Code:
ATTFilter
ComboFix 13-05-30.02 - Stoffi 30.05.2013  23:07:07.4.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.43.1031.18.7934.6507 [GMT 2:00]
ausgeführt von:: c:\users\Stoffi\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\Stoffi\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk"
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
.
.
(((((((((((((((((((((((   Dateien erstellt von 2013-04-28 bis 2013-05-30  ))))))))))))))))))))))))))))))
.
.
2013-05-30 21:12 . 2013-05-30 21:12	--------	d-----w-	c:\users\Default\AppData\Local\temp
2013-05-30 11:00 . 2013-05-30 11:00	--------	d-----w-	C:\_OTL
2013-05-29 15:43 . 2013-05-13 06:37	9460464	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{8835E69E-B14C-43BE-B0B4-6A14FF40E242}\mpengine.dll
2013-05-29 15:33 . 2013-05-29 22:21	--------	d-----w-	c:\windows\ERUNT
2013-05-29 15:27 . 2013-05-29 15:27	97	----a-w-	c:\windows\DeleteOnReboot.bat
2013-05-17 01:03 . 2013-05-05 21:36	17818624	----a-w-	c:\windows\system32\mshtml.dll
2013-05-17 01:03 . 2013-05-05 21:16	2382848	----a-w-	c:\windows\system32\mshtml.tlb
2013-05-17 01:03 . 2013-05-05 19:12	2382848	----a-w-	c:\windows\SysWow64\mshtml.tlb
2013-05-16 15:48 . 2013-04-10 06:01	265064	----a-w-	c:\windows\system32\drivers\dxgmms1.sys
2013-05-16 15:48 . 2013-04-10 06:01	983400	----a-w-	c:\windows\system32\drivers\dxgkrnl.sys
2013-05-16 15:48 . 2011-02-03 11:25	144384	----a-w-	c:\windows\system32\cdd.dll
2013-05-16 15:48 . 2013-02-27 05:52	14172672	----a-w-	c:\windows\system32\shell32.dll
2013-05-16 15:48 . 2013-02-27 05:48	1930752	----a-w-	c:\windows\system32\authui.dll
2013-05-16 15:48 . 2013-02-27 05:52	197120	----a-w-	c:\windows\system32\shdocvw.dll
2013-05-16 15:48 . 2013-02-27 06:02	111448	----a-w-	c:\windows\system32\consent.exe
2013-05-16 15:48 . 2013-02-27 05:47	70144	----a-w-	c:\windows\system32\appinfo.dll
2013-05-16 15:48 . 2013-02-27 04:49	1796096	----a-w-	c:\windows\SysWow64\authui.dll
2013-05-16 15:48 . 2013-03-19 05:53	48640	----a-w-	c:\windows\system32\wwanprotdim.dll
2013-05-16 15:48 . 2013-03-19 05:53	230400	----a-w-	c:\windows\system32\wwansvc.dll
2013-05-16 15:47 . 2013-04-10 03:30	3153920	----a-w-	c:\windows\system32\win32k.sys
2013-05-07 18:44 . 2013-05-07 18:43	83160	----a-w-	c:\windows\system32\drivers\avnetflt.sys
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-17 01:08 . 2011-09-14 06:44	75016696	----a-w-	c:\windows\system32\MRT.exe
2013-05-14 20:11 . 2012-05-01 08:56	692104	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-14 20:11 . 2011-09-08 10:55	71048	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-02 00:06 . 2010-11-21 03:27	278800	------w-	c:\windows\system32\MpSigStub.exe
2013-04-21 18:08 . 2013-04-21 18:08	163504	----a-w-	c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10144.bin
2013-04-13 05:49 . 2013-05-16 15:48	135168	----a-w-	c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-16 15:48	308736	----a-w-	c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-16 15:48	350208	----a-w-	c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-16 15:48	111104	----a-w-	c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-16 15:48	474624	----a-w-	c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-16 15:48	2176512	----a-w-	c:\windows\apppatch\AcGenral.dll
2013-04-12 14:45 . 2013-04-23 19:44	1656680	----a-w-	c:\windows\system32\drivers\ntfs.sys
2013-03-27 22:47 . 2013-03-27 22:47	28600	----a-w-	c:\windows\system32\drivers\avkmgr.sys
2013-03-27 22:47 . 2013-03-27 22:47	130016	----a-w-	c:\windows\system32\drivers\avipbb.sys
2013-03-27 22:47 . 2013-03-27 22:47	100712	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2013-03-19 06:04 . 2013-04-11 19:37	5550424	----a-w-	c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-11 19:37	43520	----a-w-	c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-11 19:37	3968856	----a-w-	c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-11 19:37	3913560	----a-w-	c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-11 19:37	6656	----a-w-	c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-11 19:37	112640	----a-w-	c:\windows\system32\smss.exe
2013-03-18 19:41 . 2012-09-06 10:40	861088	----a-w-	c:\windows\SysWow64\npdeployJava1.dll
2013-03-18 19:41 . 2011-11-03 16:52	782240	----a-w-	c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-29 98304]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2011-04-06 3031664]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-05-07 345312]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableSecureUIAPath"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u wsauth
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-05-11 99384]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2012-05-11 203320]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-12-13 54784]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-11 1255736]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2013-03-27 28600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-31 202752]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2013-03-27 86752]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe [2011-03-29 27760]
S2 wsnm;VMware View Client;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2011-02-18 494192]
S2 wsnm_usbctrl;VMware View-USB-Steuerung;c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [2011-02-18 1120368]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-03-29 2157680]
S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\Drivers\vmwvusb.sys [2011-02-18 47664]
.
.
Inhalt des "geplante Tasks" Ordners
.
2013-05-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 20:11]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 17:59]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 17:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-03 1580368]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.at/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: An OneNote s&enden - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Nach Microsoft &Excel exportieren - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xcel exportieren - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.186.211.21 195.34.133.21
FF - ProfilePath - c:\users\Stoffi\AppData\Roaming\Mozilla\Firefox\Profiles\o4b2azmr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.at
FF - prefs.js: network.proxy.type - 0
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-!{64ead72b-ffd4-4e01-aa3a-4c71665d73e4} - (no file)
Toolbar-!{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2013-05-30  23:14:14
ComboFix-quarantined-files.txt  2013-05-30 21:14
ComboFix2.txt  2013-05-30 18:30
ComboFix3.txt  2013-05-30 17:51
ComboFix4.txt  2013-05-30 16:58
.
Vor Suchlauf: 10 Verzeichnis(se), 585.416.458.240 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 585.377.452.032 Bytes frei
.
- - End Of File - - 6AED0909324644C2DE000F2023F86736
ich hoffe das wars jetzt
ich gehe jetzt schlafen und wünsche auch dir eine gute nacht!

LG
keith

lieber schrauber

habe jetzt noch einmal avira drüberlaufen lassen und der hat nichts gefunden

bitte sag mir noch ob dir beinm letzzten log etwas aufgefallen ist.

vielen vielen dank

keith

Antwort
Seite 3 von 4 12 3 4

Themen zu JS/Agent.480412
abgesicherte, abgesicherten, abgesicherten modus, avira, compu, computer, forum, funktionier, funktioniert, java/exploit.cve-2013-2423.au, js/agent.480412, modus, win32/reveton.m, win32/reveton.r, zugriff


« "System Care AV" Trojaner | System Care Antivirus eingefangen, erstellt sich immer selbst neu »


Ähnliche Themen: JS/Agent.480412


  1. Trojaner JS/Agent.480412 entfernen
    Plagegeister aller Art und deren Bekämpfung - 26.11.2013 (11)
  2. Sefnit-HU, Agent-ASEB, Agent-ARQX von Avast gefunden...
    Plagegeister aller Art und deren Bekämpfung - 20.11.2013 (23)
  3. GVU Win7 64 Bit JS Agent 480412
    Log-Analyse und Auswertung - 21.06.2013 (20)
  4. Polizei-Virus (JS/Agent.480412) und Trash.Gen
    Log-Analyse und Auswertung - 06.06.2013 (24)
  5. Laptop mit Windows Vista (32bit) infiziert mit JS/Agent.480412 (BKA-Trojaner)
    Plagegeister aller Art und deren Bekämpfung - 23.05.2013 (12)
  6. Hallo bin Liebe TB User. Habe Probleme mit Trojan.script.480412 & Java Agent DOA [TRJ] sowie andere
    Plagegeister aller Art und deren Bekämpfung - 09.05.2013 (3)
  7. Antivir findet ADWARE/Agent.Gaba.peg und TR/Agent.370144
    Log-Analyse und Auswertung - 09.07.2012 (5)
  8. TR/Agent.379392.F, TR/Drop.Agent.dil, TR/Crypt.ZPACK.Gen2 bei AntiVir gefunden
    Plagegeister aller Art und deren Bekämpfung - 25.12.2011 (43)
  9. mehrere Trojaner gefunden: Spy.Agent.OGS, Spy.Banker.Gen2, Graftor.9201.6, Agent.237568.6
    Log-Analyse und Auswertung - 20.12.2011 (23)
  10. pc friert ein- malware (TR/Spy.Zbot, TR/Agent.282624.k , BDS.Hupigon, JS/Agent.30510, )
    Plagegeister aller Art und deren Bekämpfung - 07.03.2011 (3)
  11. Trojanische Pferde (3) mit AVIRA gefunden: TR/Agent.ccg TR/Dropper.Gen TR/Agent.98816.14.B
    Plagegeister aller Art und deren Bekämpfung - 27.10.2010 (21)
  12. offenes system? TR/Agent.bfpp HTML/Ydergda.B TR/Riner.ZK TR/Riern.H.7 JAVA/Agent.BH
    Plagegeister aller Art und deren Bekämpfung - 18.10.2010 (1)
  13. TR/Dldr.MSIL.Agent.ON - TR/Agent.204800.BH - noch mehr?
    Plagegeister aller Art und deren Bekämpfung - 09.07.2010 (29)
  14. Verseuchter Rechner mit TR/Click.Agent.AC, TR/Dlder.Mediket.A, ADSPY/Agent.L usw.
    Plagegeister aller Art und deren Bekämpfung - 08.07.2010 (23)
  15. Trojanerr Epidemie- Agent.AN260, 261, 262, Agent.dyur, Bubnix.S
    Plagegeister aller Art und deren Bekämpfung - 20.05.2010 (25)
  16. BDS/Agent.rfw ; BDS/Agent.rfv ; TR/Agent.wyn ; TR/Dldr.FraudLoad.vbxt
    Log-Analyse und Auswertung - 13.10.2009 (1)
  17. 3 Trojaner: Agent NBU / Agent.BI und WinShow.NAL - kriegs nicht gelöscht :(
    Log-Analyse und Auswertung - 20.03.2005 (1)
Anleitungen und Tipps

- Für alle Hilfesuchenden! Was beachten?

- Anleitung: MyStartSearch.com entfernen

- Anleitung: WebSearches löschen

- Hilfe: iStartSurf entfernen – so gehts!

- Anleitung: Omiga Plus richtig entfernen

- Browser Viren entfernen


Zum Thema JS/Agent.480412 - danke, und hier ist das logfile Code: Alles auswählen Aufklappen ATTFilter SystemLook 30.07.11 by jpshortstuff Log created at 14:59 on 30/05/2013 by Stoffi Administrator - Elevation successful ========== regfind ========== - JS/Agent.480412...
Archiv
Du betrachtest: JS/Agent.480412 auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129