Trojaner-Board

JS/Agent.480412 (https://www.trojaner-board.de/135635-js-agent-480412-a.html)

Keith 30.05.2013 14:08

thanks, and here is the logfile

Code:

SystemLook 30.07.11 by jpshortstuff
Log created at 14:59 on 30/05/2013 by Stoffi
Administrator - Elevation successful

========== regfind ==========

Searching for "rundll32.exe"
[HKEY_CURRENT_USER\Software\GNU\ffdshow]
"whitelist"="3wPlayer.exe;ACDSee10.exe;ACDSee11.exe;ACDSee5.exe;ACDSee6.exe;ACDSee7.exe;ACDSee8.exe;ACDSee8Pro.exe;ACDSee9.exe;ACDSeePro2.exe;ACDSeePro25.exe;acdseepro3.exe;Acer Crystal Eye webcam.exe;aegisub.exe;afreecaplayer.exe;afreecastudio.exe;AfterFX.exe;aim6.exe;aircamwin.exe;ALLPlayer.exe;allradio.exe;AlltoaviV4.exe;ALShow.exe;ALSong.exe;AltDVB.exe;amcap.exe;amf_slv.exe;amvtransform.exe;Apollo DivX to DVD Creator.exe;Apollo3GPVideoConverter.exe;Ares.exe;AsfTools.exe;ass_help3r.exe;ASUSDVD.exe;Audition.exe;AutoGK.exe;autorun.exe;avant.exe;AVerTV.exe;Avi2Dvd.exe;avi2mpg.exe;avicodec.exe;avipreview.exe;aviutl.exe;avs2avi.exe;Badak.exe;BearShare.exe;BePipe.exe;bestplayer.exe;bestplayer1.0.exe;bestpl~1.exe;BitComet.exe;BlazeDVD.exe;BoonPlayer.exe;bplay.exe;bsplay.exe;bsplayer.exe;BTVD3DShell.exe;Camfrog Video Chat.exe;CamRecorder.exe;CamtasiaStudio.exe;carom.exe;CEC_MAIN.exe;christv.exe;chrome.exe;cinemaplayer.exe;CinergyDVR.exe;CodecInstaller.exe;ConvertXtoDvd.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\rundll32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}]
@="rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Application.Manifest\shell\open\command]
@="rundll32.exe dfshim.dll,ShOpenVerbApplication %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Application.Reference\shell\open\command]
@="rundll32.exe dfshim.dll,ShOpenVerbShortcut %1|%2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\print\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bootstrap.vsto.1\shell\open\command]
@="rundll32.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll",InstallVstoSolution %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CATFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCAT %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CERFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddCER %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CERFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCER %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CertificateStoreFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenSTR %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
@=""%SystemRoot%\System32\rundll32.exe" "%ProgramFiles%\Windows Photo Viewer\PhotoAcq.dll",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
"ServerExecutable"="%SystemRoot%\System32\rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\Open\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN /disablediagnostics"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3eef301f-b596-4c0b-bd92-013beafce793}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40419485-C444-4567-851A-2DD7BFA1684D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\telephon.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\intl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C8EEC18-8D75-41B2-A177-8831D59D2D50}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\RunAs\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {722b3793-5367-4446-b6bb-db89b05c1f24}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{725BE8F7-668E-4C7B-8F90-46BDB0936430}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl,@1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78CB147A-98EA-4AA6-B0DF-C8681F69341C}\Shell\Open\Command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\infocardcpl.cpl,ManageCardSpace_RunDll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80F3F1D5-FECA-45F3-BC32-752C152E456E}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\tabletpc.cpl @1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87D66A43-7B11-4A28-9811-C86EE395ACF7}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\srchadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9a97f12a-6b73-4dc4-b3c1-e9244c03adac}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9a97f12a-6b73-4dc4-b3c1-e9244c03adac}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0275511-0E86-4ECA-97C2-ECD8F1221D08}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\irprops.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\Shell\Open\Command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\inetcpl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D17D1D6D-CC3F-4815-8FE3-607E7D5D10B3}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\Speech\SpeechUX\sapi.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2E7934B-DCE5-43C4-9576-7FE4F75E7480}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\timedate.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e3a4e5ca-55b2-4a06-b1ab-8fbecc7bca4b}\LocalServer32]
@="rundll32.exe /sta {fcc2867c-69ea-4d85-8058-7c214e611c97}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\mmsys.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F82DF8F7-8B9F-442E-A48C-818EA735FF9B}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\tabletpc.cpl @0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fb479c02-9ec4-4fed-8599-debe037452cb}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {fb479c02-9ec4-4fed-8599-debe037452cb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cplfile\shell\runas\command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CRLFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddCRL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CRLFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCRL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DeviceDisplayObject\InterfaceClass\{0850302A-B344-4fda-9BE9-90576B8D46F0}\Shell\Bluetooth\command]
@="rundll32.exe shell32.dll,Control_RunDLL bthprops.cpl,,1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DeviceDisplayObject\InterfaceClass\{70FFD812-4C7F-4C7D-926A-637B7DD852AF}\Shell\DeviceInstall\command]
@="rundll32.exe newdev.dll,DeviceInternetSettingUi 2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\giffile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\printto\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\icofile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.HTM\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.HTM\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.SVG\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.SVG\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.URL\Shell\Open\Command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.URL\Shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.URL\Shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.XHT\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintXHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.XHT\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintXHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\Open\Command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpegfile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.InformationCard\Shell\open\command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\infocardcpl.cpl,ImportInformationCard_RunDll  %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.WindowsCardSpaceBackup\Shell\open\command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\infocardcpl.cpl,ImportInformationCard_RunDll  %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSDASC\shell\open\command]
@="Rundll32.exe "%CommonProgramFiles%\System\OLE DB\oledb32.dll",OpenDSLFile %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSSppPackageFile\shell\open\command]
@="rundll32.exe sppcc.dll, OpenPackage %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\msstylesfile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Appearance /Action:OpenMSTheme /file:"%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-wifialliance-org:device:WFADevice:1\shell\Configure\command]
@=""%SystemRoot%\System32\rundll32.exe" wcnwiz.dll,RunWcnWizardForDevice /c /u %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\opensearchresult\shell\print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\P7RFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddP7R %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\P7RFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenP7R %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\P7SFile\shell\open\command]
@="%SystemRoot%\system32\\rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Paint.Picture\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PFXFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddPFX %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Bitmap\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.JFIF\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Jpeg\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Png\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Tiff\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Wdp\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pjpegfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pjpegfile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pngfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pngfile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\prffile\shell\Open\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\msrating.dll",ClickedOnPRF %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ratfile\Shell\Open\Command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\msrating.dll",ClickedOnRAT %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RDB.AutoPlayHandler\shell\properties\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\sysmain.dll,RDBMgmtLaunchProperties %L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rlogin\shell\open\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\url.dll",TelnetProtocolHandler %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SavedDsQuery\Shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\dsquery.dll,OpenSavedDsQuery %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command]
@="rundll32.exe desk.cpl,InstallScreenSaver %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command]
@=""C:\Windows\system32\rundll32.exe" C:\Windows\system32\scrobj.dll,GenerateTypeLib %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Shell.CDBurn\Shell\Prepare\Command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,PrepareDiscForBurnRunDll %L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SPCFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddSPC %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SPCFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\STLFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddCTL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\STLFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCTL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.vsto\shell\open\command]
@="rundll32.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll",InstallVstoSolution %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shell\print\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet\shell\open\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\url.dll",TelnetProtocolHandler %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\themefile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\themepackfile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TIFImage.Document\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TIFImage.Document\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tn3270\shell\open\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\url.dll",TelnetProtocolHandler %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\opendlg\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WCN.AutoPlayHandler\shell\open\command]
@="%systemroot%\system32\rundll32.exe %systemroot%\system32\wzcdlg.dll,ImportFlashProfile %L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wcxfile\shell\Open\Command]
@="rundll32.exe xwizards.dll,RunWizard /u {7940acf8-60ba-4213-a7c3-f3b400ee266d} /z%1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wdpfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wdpfile\shell\print\command]
@="rundll32.exe %SystemRoot%\system32\shimgvw.dll,ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wdpfile\shell\printto\command]
@="rundll32.exe %SystemRoot%\system32\shimgvw.dll,ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
@=""%SystemRoot%\System32\rundll32.exe" "%ProgramFiles%\Windows Photo Viewer\PhotoAcq.dll",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
"ServerExecutable"="%SystemRoot%\System32\rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\Open\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN /disablediagnostics"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3eef301f-b596-4c0b-bd92-013beafce793}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40419485-C444-4567-851A-2DD7BFA1684D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\telephon.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\intl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C8EEC18-8D75-41B2-A177-8831D59D2D50}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\RunAs\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {722b3793-5367-4446-b6bb-db89b05c1f24}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{725BE8F7-668E-4C7B-8F90-46BDB0936430}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl,@1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78CB147A-98EA-4AA6-B0DF-C8681F69341C}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\infocardcpl.cpl,ManageCardSpace_RunDll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87D66A43-7B11-4A28-9811-C86EE395ACF7}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\srchadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9a97f12a-6b73-4dc4-b3c1-e9244c03adac}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9a97f12a-6b73-4dc4-b3c1-e9244c03adac}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0275511-0E86-4ECA-97C2-ECD8F1221D08}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\irprops.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\shell32.dll,Control_RunDLL C:\Windows\SysWOW64\inetcpl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D17D1D6D-CC3F-4815-8FE3-607E7D5D10B3}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\Speech\SpeechUX\sapi.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7934B-DCE5-43C4-9576-7FE4F75E7480}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\timedate.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a4e5ca-55b2-4a06-b1ab-8fbecc7bca4b}\LocalServer32]
@="rundll32.exe /sta {fcc2867c-69ea-4d85-8058-7c214e611c97}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\mmsys.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fb479c02-9ec4-4fed-8599-debe037452cb}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {fb479c02-9ec4-4fed-8599-debe037452cb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\rundll32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}]
@="rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\printto\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"StubPath"=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
"StubPath"="C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Resolvers]
"SystemBinariesList"="win32k.sys:winlogon.exe:EXPLORER.EXE:CSRSS.Exe:dwm.exe:logon.scr:logonui.exe:lsass.exe:lsm.exe:ntkrpamp.exe:ntoskrnl.exe:RUNDLL32.EXE:services.exe:sppsvc.exe:smss.exe:spoolsv.exe:svchost.exe:taskeng.exe:WinInit.exe:WISPTIS.EXE:dllhost.exe:dllhst3g.exe:cscript.exe:mmc.exe:msiexec.exe:upnpcont.exe:wscript.exe:WUDFHost.exe:dfsvc.exe:dfsvc.exe:fdbs.exe:ntfsbs.exe:memdiag.exe:NETFXSBS10.exe:applaunch.exe:aspnet_compiler.exe:aspnet_regbrowsers.exe:aspnet_regiis.exe:aspnet_regsql.exe:aspnet_state.exe:aspnet_wp.exe:caspol.exe:csc.exe:CVTRES.EXE:dfsvc.exe:dw20.exe:IEExec.exe:ilasm.exe:InstallUtil.exe:jsc.exe:MSBuild.exe:mscorsvw.exe:ngen.exe:RegAsm.exe::RegSvcs.exe:vbc.exe:TrustedInstaller.exe:Aurora.scr:AutoChk.Exe:AUTOFMT.EXE:CHKDSK.EXE:CHKNTFS.EXE:consent.exe:PnPUnattend.exe:PnPutil.exe:RacAgent.exe:fsquirt.exe:Uninst.exe:updateWmc.exe:wmdc.exe:wmdsync.exe:mofcomp.exe:ScrCons.exe:smi2smir.exe:unse
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation]
"KillList"="%1;explorer.exe;dvdplay.exe;msohtmed.exe;quikview.exe;rundll.exe;rundll32.exe;taskman.exe;bck32api.dll;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation]
"HostApps"="RUNDLL32.EXE;MSHTA.EXE;DLLHOST.EXE;APPLAUNCH.EXE;HH.EXE;WINHLP32.EXE;MMC.EXE;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\0\{27dfca82-8593-46e4-98d8-23eb83452f65}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewEmail %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\1\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\2\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\3\{9d4b9c0a-7b4e-4c0d-926e-a536d781cff6}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnEdit %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\6\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\7\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\0\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\1\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\2\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\3\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Download Assistant"="C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"StubPath"=""C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
"StubPath"="C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FileAssociation]
"KillList"="%1;explorer.exe;dvdplay.exe;msohtmed.exe;quikview.exe;rundll.exe;rundll32.exe;taskman.exe;bck32api.dll;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FileAssociation]
"HostApps"="RUNDLL32.EXE;MSHTA.EXE;DLLHOST.EXE;APPLAUNCH.EXE;HH.EXE;WINHLP32.EXE;MMC.EXE;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\0\{27dfca82-8593-46e4-98d8-23eb83452f65}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewEmail %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\1\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\2\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\3\{9d4b9c0a-7b4e-4c0d-926e-a536d781cff6}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnEdit %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\6\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\7\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\0\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\1\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\2\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\3\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
@=""%SystemRoot%\System32\rundll32.exe" "%ProgramFiles%\Windows Photo Viewer\PhotoAcq.dll",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
"ServerExecutable"="%SystemRoot%\System32\rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\Open\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN /disablediagnostics"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3eef301f-b596-4c0b-bd92-013beafce793}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{40419485-C444-4567-851A-2DD7BFA1684D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\telephon.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\intl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6C8EEC18-8D75-41B2-A177-8831D59D2D50}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\RunAs\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {722b3793-5367-4446-b6bb-db89b05c1f24}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{725BE8F7-668E-4C7B-8F90-46BDB0936430}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl,@1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{78CB147A-98EA-4AA6-B0DF-C8681F69341C}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\infocardcpl.cpl,ManageCardSpace_RunDll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{87D66A43-7B11-4A28-9811-C86EE395ACF7}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\srchadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{9a97f12a-6b73-4dc4-b3c1-e9244c03adac}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9a97f12a-6b73-4dc4-b3c1-e9244c03adac}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{A0275511-0E86-4ECA-97C2-ECD8F1221D08}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\irprops.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\shell32.dll,Control_RunDLL C:\Windows\SysWOW64\inetcpl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{D17D1D6D-CC3F-4815-8FE3-607E7D5D10B3}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\Speech\SpeechUX\sapi.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{E2E7934B-DCE5-43C4-9576-7FE4F75E7480}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\timedate.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{e3a4e5ca-55b2-4a06-b1ab-8fbecc7bca4b}\LocalServer32]
@="rundll32.exe /sta {fcc2867c-69ea-4d85-8058-7c214e611c97}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\mmsys.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fb479c02-9ec4-4fed-8599-debe037452cb}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {fb479c02-9ec4-4fed-8599-debe037452cb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\rundll32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}]
@="rundll32.exe"
[HKEY_USERS\S-1-5-21-3288425262-2259600600-3156803109-1000\Software\GNU\ffdshow]
"whitelist"="3wPlayer.exe;ACDSee10.exe;ACDSee11.exe;ACDSee5.exe;ACDSee6.exe;ACDSee7.exe;ACDSee8.exe;ACDSee8Pro.exe;ACDSee9.exe;ACDSeePro2.exe;ACDSeePro25.exe;acdseepro3.exe;Acer Crystal Eye webcam.exe;aegisub.exe;afreecaplayer.exe;afreecastudio.exe;AfterFX.exe;aim6.exe;aircamwin.exe;ALLPlayer.exe;allradio.exe;AlltoaviV4.exe;ALShow.exe;ALSong.exe;AltDVB.exe;amcap.exe;amf_slv.exe;amvtransform.exe;Apollo DivX to DVD Creator.exe;Apollo3GPVideoConverter.exe;Ares.exe;AsfTools.exe;ass_help3r.exe;ASUSDVD.exe;Audition.exe;AutoGK.exe;autorun.exe;avant.exe;AVerTV.exe;Avi2Dvd.exe;avi2mpg.exe;avicodec.exe;avipreview.exe;aviutl.exe;avs2avi.exe;Badak.exe;BearShare.exe;BePipe.exe;bestplayer.exe;bestplayer1.0.exe;bestpl~1.exe;BitComet.exe;BlazeDVD.exe;BoonPlayer.exe;bplay.exe;bsplay.exe;bsplayer.exe;BTVD3DShell.exe;Camfrog Video Chat.exe;CamRecorder.exe;CamtasiaStudio.exe;carom.exe;CEC_MAIN.exe;christv.exe;chrome.exe;cinemaplayer.exe;CinergyDVR.

Searching for "rundll*"
No data found.

-= EOF =-

the answer is gone again...

Code:

SystemLook 30.07.11 by jpshortstuff
Log created at 14:59 on 30/05/2013 by Stoffi
Administrator - Elevation successful

========== regfind ==========

Searching for "rundll32.exe"
[HKEY_CURRENT_USER\Software\GNU\ffdshow]
"whitelist"="3wPlayer.exe;ACDSee10.exe;ACDSee11.exe;ACDSee5.exe;ACDSee6.exe;ACDSee7.exe;ACDSee8.exe;ACDSee8Pro.exe;ACDSee9.exe;ACDSeePro2.exe;ACDSeePro25.exe;acdseepro3.exe;Acer Crystal Eye webcam.exe;aegisub.exe;afreecaplayer.exe;afreecastudio.exe;AfterFX.exe;aim6.exe;aircamwin.exe;ALLPlayer.exe;allradio.exe;AlltoaviV4.exe;ALShow.exe;ALSong.exe;AltDVB.exe;amcap.exe;amf_slv.exe;amvtransform.exe;Apollo DivX to DVD Creator.exe;Apollo3GPVideoConverter.exe;Ares.exe;AsfTools.exe;ass_help3r.exe;ASUSDVD.exe;Audition.exe;AutoGK.exe;autorun.exe;avant.exe;AVerTV.exe;Avi2Dvd.exe;avi2mpg.exe;avicodec.exe;avipreview.exe;aviutl.exe;avs2avi.exe;Badak.exe;BearShare.exe;BePipe.exe;bestplayer.exe;bestplayer1.0.exe;bestpl~1.exe;BitComet.exe;BlazeDVD.exe;BoonPlayer.exe;bplay.exe;bsplay.exe;bsplayer.exe;BTVD3DShell.exe;Camfrog Video Chat.exe;CamRecorder.exe;CamtasiaStudio.exe;carom.exe;CEC_MAIN.exe;christv.exe;chrome.exe;cinemaplayer.exe;CinergyDVR.exe;CodecInstaller.exe;ConvertXtoDvd.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\rundll32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}]
@="rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Application.Manifest\shell\open\command]
@="rundll32.exe dfshim.dll,ShOpenVerbApplication %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Application.Reference\shell\open\command]
@="rundll32.exe dfshim.dll,ShOpenVerbShortcut %1|%2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\print\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bootstrap.vsto.1\shell\open\command]
@="rundll32.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll",InstallVstoSolution %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CATFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCAT %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CERFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddCER %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CERFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCER %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CertificateStoreFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenSTR %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
@=""%SystemRoot%\System32\rundll32.exe" "%ProgramFiles%\Windows Photo Viewer\PhotoAcq.dll",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
"ServerExecutable"="%SystemRoot%\System32\rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\Open\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN /disablediagnostics"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3eef301f-b596-4c0b-bd92-013beafce793}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40419485-C444-4567-851A-2DD7BFA1684D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\telephon.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\intl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C8EEC18-8D75-41B2-A177-8831D59D2D50}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\RunAs\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {722b3793-5367-4446-b6bb-db89b05c1f24}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{725BE8F7-668E-4C7B-8F90-46BDB0936430}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl,@1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78CB147A-98EA-4AA6-B0DF-C8681F69341C}\Shell\Open\Command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\infocardcpl.cpl,ManageCardSpace_RunDll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80F3F1D5-FECA-45F3-BC32-752C152E456E}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\tabletpc.cpl @1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87D66A43-7B11-4A28-9811-C86EE395ACF7}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\srchadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9a97f12a-6b73-4dc4-b3c1-e9244c03adac}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9a97f12a-6b73-4dc4-b3c1-e9244c03adac}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0275511-0E86-4ECA-97C2-ECD8F1221D08}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\irprops.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\Shell\Open\Command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\inetcpl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D17D1D6D-CC3F-4815-8FE3-607E7D5D10B3}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\Speech\SpeechUX\sapi.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2E7934B-DCE5-43C4-9576-7FE4F75E7480}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\timedate.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e3a4e5ca-55b2-4a06-b1ab-8fbecc7bca4b}\LocalServer32]
@="rundll32.exe /sta {fcc2867c-69ea-4d85-8058-7c214e611c97}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\mmsys.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F82DF8F7-8B9F-442E-A48C-818EA735FF9B}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\tabletpc.cpl @0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fb479c02-9ec4-4fed-8599-debe037452cb}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {fb479c02-9ec4-4fed-8599-debe037452cb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cplfile\shell\runas\command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CRLFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddCRL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CRLFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCRL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DeviceDisplayObject\InterfaceClass\{0850302A-B344-4fda-9BE9-90576B8D46F0}\Shell\Bluetooth\command]
@="rundll32.exe shell32.dll,Control_RunDLL bthprops.cpl,,1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DeviceDisplayObject\InterfaceClass\{70FFD812-4C7F-4C7D-926A-637B7DD852AF}\Shell\DeviceInstall\command]
@="rundll32.exe newdev.dll,DeviceInternetSettingUi 2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\giffile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\printto\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\icofile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.HTM\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.HTM\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.SVG\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.SVG\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.URL\Shell\Open\Command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.URL\Shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.URL\Shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.XHT\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintXHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE.AssocFile.XHT\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintXHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\Open\Command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\print\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\printto\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\jpegfile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.InformationCard\Shell\open\command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\infocardcpl.cpl,ImportInformationCard_RunDll  %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.WindowsCardSpaceBackup\Shell\open\command]
@="C:\Windows\System32\rundll32.exe C:\Windows\System32\infocardcpl.cpl,ImportInformationCard_RunDll  %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSDASC\shell\open\command]
@="Rundll32.exe "%CommonProgramFiles%\System\OLE DB\oledb32.dll",OpenDSLFile %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSSppPackageFile\shell\open\command]
@="rundll32.exe sppcc.dll, OpenPackage %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\msstylesfile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Appearance /Action:OpenMSTheme /file:"%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-wifialliance-org:device:WFADevice:1\shell\Configure\command]
@=""%SystemRoot%\System32\rundll32.exe" wcnwiz.dll,RunWcnWizardForDevice /c /u %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\opensearchresult\shell\print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\P7RFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddP7R %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\P7RFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenP7R %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\P7SFile\shell\open\command]
@="%SystemRoot%\system32\\rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Paint.Picture\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PFXFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddPFX %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Bitmap\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.JFIF\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Jpeg\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Png\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Tiff\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Wdp\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pjpegfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pjpegfile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pngfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\pngfile\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\prffile\shell\Open\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\msrating.dll",ClickedOnPRF %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ratfile\Shell\Open\Command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\msrating.dll",ClickedOnRAT %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RDB.AutoPlayHandler\shell\properties\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\sysmain.dll,RDBMgmtLaunchProperties %L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rlogin\shell\open\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\url.dll",TelnetProtocolHandler %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SavedDsQuery\Shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\dsquery.dll,OpenSavedDsQuery %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command]
@="rundll32.exe desk.cpl,InstallScreenSaver %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command]
@=""C:\Windows\system32\rundll32.exe" C:\Windows\system32\scrobj.dll,GenerateTypeLib %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Shell.CDBurn\Shell\Prepare\Command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,PrepareDiscForBurnRunDll %L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SPCFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddSPC %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SPCFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\STLFile\shell\add\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtAddCTL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\STLFile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe cryptext.dll,CryptExtOpenCTL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.vsto\shell\open\command]
@="rundll32.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee.dll",InstallVstoSolution %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shell\print\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet\shell\open\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\url.dll",TelnetProtocolHandler %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\themefile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\themepackfile\shell\open\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TIFImage.Document\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TIFImage.Document\shell\printto\command]
@=""%SystemRoot%\System32\rundll32.exe" "%SystemRoot%\System32\shimgvw.dll",ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tn3270\shell\open\command]
@=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\url.dll",TelnetProtocolHandler %l"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\opendlg\command]
@="%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WCN.AutoPlayHandler\shell\open\command]
@="%systemroot%\system32\rundll32.exe %systemroot%\system32\wzcdlg.dll,ImportFlashProfile %L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wcxfile\shell\Open\Command]
@="rundll32.exe xwizards.dll,RunWizard /u {7940acf8-60ba-4213-a7c3-f3b400ee266d} /z%1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wdpfile\shell\open\command]
@="%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wdpfile\shell\print\command]
@="rundll32.exe %SystemRoot%\system32\shimgvw.dll,ImageView_Fullscreen %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wdpfile\shell\printto\command]
@="rundll32.exe %SystemRoot%\system32\shimgvw.dll,ImageView_PrintTo /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
@=""%SystemRoot%\System32\rundll32.exe" "%ProgramFiles%\Windows Photo Viewer\PhotoAcq.dll",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
"ServerExecutable"="%SystemRoot%\System32\rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\Open\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN /disablediagnostics"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3eef301f-b596-4c0b-bd92-013beafce793}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40419485-C444-4567-851A-2DD7BFA1684D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\telephon.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\intl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6C8EEC18-8D75-41B2-A177-8831D59D2D50}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\RunAs\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {722b3793-5367-4446-b6bb-db89b05c1f24}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{725BE8F7-668E-4C7B-8F90-46BDB0936430}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl,@1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{78CB147A-98EA-4AA6-B0DF-C8681F69341C}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\infocardcpl.cpl,ManageCardSpace_RunDll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87D66A43-7B11-4A28-9811-C86EE395ACF7}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\srchadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9a97f12a-6b73-4dc4-b3c1-e9244c03adac}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9a97f12a-6b73-4dc4-b3c1-e9244c03adac}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0275511-0E86-4ECA-97C2-ECD8F1221D08}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\irprops.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\shell32.dll,Control_RunDLL C:\Windows\SysWOW64\inetcpl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D17D1D6D-CC3F-4815-8FE3-607E7D5D10B3}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\Speech\SpeechUX\sapi.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7934B-DCE5-43C4-9576-7FE4F75E7480}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\timedate.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a4e5ca-55b2-4a06-b1ab-8fbecc7bca4b}\LocalServer32]
@="rundll32.exe /sta {fcc2867c-69ea-4d85-8058-7c214e611c97}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\mmsys.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fb479c02-9ec4-4fed-8599-debe037452cb}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {fb479c02-9ec4-4fed-8599-debe037452cb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\rundll32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}]
@="rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\printto\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"StubPath"=""C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
"StubPath"="C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Resolvers]
"SystemBinariesList"="win32k.sys:winlogon.exe:EXPLORER.EXE:CSRSS.Exe:dwm.exe:logon.scr:logonui.exe:lsass.exe:lsm.exe:ntkrpamp.exe:ntoskrnl.exe:RUNDLL32.EXE:services.exe:sppsvc.exe:smss.exe:spoolsv.exe:svchost.exe:taskeng.exe:WinInit.exe:WISPTIS.EXE:dllhost.exe:dllhst3g.exe:cscript.exe:mmc.exe:msiexec.exe:upnpcont.exe:wscript.exe:WUDFHost.exe:dfsvc.exe:dfsvc.exe:fdbs.exe:ntfsbs.exe:memdiag.exe:NETFXSBS10.exe:applaunch.exe:aspnet_compiler.exe:aspnet_regbrowsers.exe:aspnet_regiis.exe:aspnet_regsql.exe:aspnet_state.exe:aspnet_wp.exe:caspol.exe:csc.exe:CVTRES.EXE:dfsvc.exe:dw20.exe:IEExec.exe:ilasm.exe:InstallUtil.exe:jsc.exe:MSBuild.exe:mscorsvw.exe:ngen.exe:RegAsm.exe::RegSvcs.exe:vbc.exe:TrustedInstaller.exe:Aurora.scr:AutoChk.Exe:AUTOFMT.EXE:CHKDSK.EXE:CHKNTFS.EXE:consent.exe:PnPUnattend.exe:PnPutil.exe:RacAgent.exe:fsquirt.exe:Uninst.exe:updateWmc.exe:wmdc.exe:wmdsync.exe:mofcomp.exe:ScrCons.exe:smi2smir.exe:unse
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation]
"KillList"="%1;explorer.exe;dvdplay.exe;msohtmed.exe;quikview.exe;rundll.exe;rundll32.exe;taskman.exe;bck32api.dll;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation]
"HostApps"="RUNDLL32.EXE;MSHTA.EXE;DLLHOST.EXE;APPLAUNCH.EXE;HH.EXE;WINHLP32.EXE;MMC.EXE;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\0\{27dfca82-8593-46e4-98d8-23eb83452f65}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewEmail %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\1\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\2\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\3\{9d4b9c0a-7b4e-4c0d-926e-a536d781cff6}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnEdit %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\6\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\7\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\0\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\1\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\2\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\3\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Download Assistant"="C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"StubPath"=""C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
"StubPath"="C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared\HTML\Default Editor\shell\Print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Shared\HTML\Old Default Editor\shell\Print\command]
@="rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FileAssociation]
"KillList"="%1;explorer.exe;dvdplay.exe;msohtmed.exe;quikview.exe;rundll.exe;rundll32.exe;taskman.exe;bck32api.dll;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FileAssociation]
"HostApps"="RUNDLL32.EXE;MSHTA.EXE;DLLHOST.EXE;APPLAUNCH.EXE;HH.EXE;WINHLP32.EXE;MMC.EXE;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\0\{27dfca82-8593-46e4-98d8-23eb83452f65}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewEmail %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\1\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\2\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\3\{9d4b9c0a-7b4e-4c0d-926e-a536d781cff6}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnEdit %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\6\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksItemsSelected\7\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\0\{5099caf3-7ab4-4c18-ab35-3f3e664638e4}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewContact %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\1\{da8c976e-ec82-48ad-8ae4-38872e958dc5}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnNewGroup %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\2\{0b51213d-c59c-4b59-bc10-f27d0b330294}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnImport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderTypes\{de2b70ec-9bf7-4a93-bd3d-243f7881d492}\TasksNoItemsSelected\3\{165095b1-322d-47b1-bc9f-2a9234c1c4cb}\shell\InvokeTask\command]
@="rundll32.exe "%CommonProgramFiles(x86)%\System\wab32.dll",ShellUICommand_OnExport"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
@=""%SystemRoot%\System32\rundll32.exe" "%ProgramFiles%\Windows Photo Viewer\PhotoAcq.dll",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
"ServerExecutable"="%SystemRoot%\System32\rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\Open\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command]
@="rundll32.exe %SystemRoot%\system32\van.dll,RunVAN /disablediagnostics"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3eef301f-b596-4c0b-bd92-013beafce793}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{40419485-C444-4567-851A-2DD7BFA1684D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\telephon.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\intl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6C8EEC18-8D75-41B2-A177-8831D59D2D50}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\RunAs\Command]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,Options_RunDLL 0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {722b3793-5367-4446-b6bb-db89b05c1f24}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{725BE8F7-668E-4C7B-8F90-46BDB0936430}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\main.cpl,@1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{78CB147A-98EA-4AA6-B0DF-C8681F69341C}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\infocardcpl.cpl,ManageCardSpace_RunDll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{87D66A43-7B11-4A28-9811-C86EE395ACF7}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\srchadmin.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{9a97f12a-6b73-4dc4-b3c1-e9244c03adac}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9a97f12a-6b73-4dc4-b3c1-e9244c03adac}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{A0275511-0E86-4ECA-97C2-ECD8F1221D08}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\irprops.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\Shell\Open\Command]
@="C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\shell32.dll,Control_RunDLL C:\Windows\SysWOW64\inetcpl.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{D17D1D6D-CC3F-4815-8FE3-607E7D5D10B3}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\Speech\SpeechUX\sapi.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{E2E7934B-DCE5-43C4-9576-7FE4F75E7480}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\timedate.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{e3a4e5ca-55b2-4a06-b1ab-8fbecc7bca4b}\LocalServer32]
@="rundll32.exe /sta {fcc2867c-69ea-4d85-8058-7c214e611c97}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{F2DDFC82-8F12-4CDD-B7DC-D4FE1425AA4D}\Shell\Open\Command]
@="%SystemRoot%\System32\rundll32.exe %SystemRoot%\System32\shell32.dll,Control_RunDLL %SystemRoot%\System32\mmsys.cpl"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fb479c02-9ec4-4fed-8599-debe037452cb}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {fb479c02-9ec4-4fed-8599-debe037452cb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}\LocalServer32]
@="%SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\rundll32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}]
@="rundll32.exe"
[HKEY_USERS\S-1-5-21-3288425262-2259600600-3156803109-1000\Software\GNU\ffdshow]
"whitelist"="3wPlayer.exe;ACDSee10.exe;ACDSee11.exe;ACDSee5.exe;ACDSee6.exe;ACDSee7.exe;ACDSee8.exe;ACDSee8Pro.exe;ACDSee9.exe;ACDSeePro2.exe;ACDSeePro25.exe;acdseepro3.exe;Acer Crystal Eye webcam.exe;aegisub.exe;afreecaplayer.exe;afreecastudio.exe;AfterFX.exe;aim6.exe;aircamwin.exe;ALLPlayer.exe;allradio.exe;AlltoaviV4.exe;ALShow.exe;ALSong.exe;AltDVB.exe;amcap.exe;amf_slv.exe;amvtransform.exe;Apollo DivX to DVD Creator.exe;Apollo3GPVideoConverter.exe;Ares.exe;AsfTools.exe;ass_help3r.exe;ASUSDVD.exe;Audition.exe;AutoGK.exe;autorun.exe;avant.exe;AVerTV.exe;Avi2Dvd.exe;avi2mpg.exe;avicodec.exe;avipreview.exe;aviutl.exe;avs2avi.exe;Badak.exe;BearShare.exe;BePipe.exe;bestplayer.exe;bestplayer1.0.exe;bestpl~1.exe;BitComet.exe;BlazeDVD.exe;BoonPlayer.exe;bplay.exe;bsplay.exe;bsplayer.exe;BTVD3DShell.exe;Camfrog Video Chat.exe;CamRecorder.exe;CamtasiaStudio.exe;carom.exe;CEC_MAIN.exe;christv.exe;chrome.exe;cinemaplayer.exe;CinergyDVR.

Searching for "rundll*"
No data found.

-= EOF =-


schrauber 30.05.2013 14:32

Ok, one more, we'll find the bugger yet :)

:regfind
c:\programdata\6zrje6z.dat

Keith 30.05.2013 14:35

the bugger must have hidden itself really well...

Code:

SystemLook 30.07.11 by jpshortstuff
Log created at 15:34 on 30/05/2013 by Stoffi
Administrator - Elevation successful

========== regfind ==========

Searching for "c:\programdata\6zrje6z.dat"
No data found.

-= EOF =-


schrauber 30.05.2013 14:36

:filefind
*.ink

but not on my watch :)

Keith 30.05.2013 16:43

unfortunately nothing found

Code:

SystemLook 30.07.11 by jpshortstuff
Log created at 15:38 on 30/05/2013 by Stoffi
Administrator - Elevation successful

========== filefind ==========

Searching for "*.ink"
No files found.

-= EOF =-

regards

schrauber 30.05.2013 17:08

Please download Combofix again and run it.

Keith 30.05.2013 18:14

I've now used the ComboFix that you recommended to me first!
here is the logfile:

Code:

ComboFix 13-05-30.02 - Stoffi 30.05.2013  18:51:29.1.4 - x64
Microsoft Windows 7 Home Premium  6.1.7601.1.1252.43.1031.18.7934.6569 [GMT 2:00]
ausgeführt von:: c:\users\Stoffi\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Im Speicher befindliches AV aktiv.
.
.
.
(((((((((((((((((((((((  Dateien erstellt von 2013-04-28 bis 2013-05-30  ))))))))))))))))))))))))))))))
.
.
2013-05-30 16:55 . 2013-05-30 16:55        --------        d-----w-        c:\users\Default\AppData\Local\temp
2013-05-30 11:00 . 2013-05-30 11:00        --------        d-----w-        C:\_OTL
2013-05-29 15:43 . 2013-05-13 06:37        9460464        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{8835E69E-B14C-43BE-B0B4-6A14FF40E242}\mpengine.dll
2013-05-29 15:33 . 2013-05-29 22:21        --------        d-----w-        c:\windows\ERUNT
2013-05-29 15:27 . 2013-05-29 15:27        97        ----a-w-        c:\windows\DeleteOnReboot.bat
2013-05-17 01:03 . 2013-05-05 21:36        17818624        ----a-w-        c:\windows\system32\mshtml.dll
2013-05-17 01:03 . 2013-05-05 21:16        2382848        ----a-w-        c:\windows\system32\mshtml.tlb
2013-05-17 01:03 . 2013-05-05 19:12        2382848        ----a-w-        c:\windows\SysWow64\mshtml.tlb
2013-05-16 15:48 . 2013-04-10 06:01        265064        ----a-w-        c:\windows\system32\drivers\dxgmms1.sys
2013-05-16 15:48 . 2013-04-10 06:01        983400        ----a-w-        c:\windows\system32\drivers\dxgkrnl.sys
2013-05-16 15:48 . 2011-02-03 11:25        144384        ----a-w-        c:\windows\system32\cdd.dll
2013-05-16 15:48 . 2013-02-27 05:52        14172672        ----a-w-        c:\windows\system32\shell32.dll
2013-05-16 15:48 . 2013-02-27 05:48        1930752        ----a-w-        c:\windows\system32\authui.dll
2013-05-16 15:48 . 2013-02-27 05:52        197120        ----a-w-        c:\windows\system32\shdocvw.dll
2013-05-16 15:48 . 2013-02-27 06:02        111448        ----a-w-        c:\windows\system32\consent.exe
2013-05-16 15:48 . 2013-02-27 05:47        70144        ----a-w-        c:\windows\system32\appinfo.dll
2013-05-16 15:48 . 2013-02-27 04:49        1796096        ----a-w-        c:\windows\SysWow64\authui.dll
2013-05-16 15:48 . 2013-03-19 05:53        48640        ----a-w-        c:\windows\system32\wwanprotdim.dll
2013-05-16 15:48 . 2013-03-19 05:53        230400        ----a-w-        c:\windows\system32\wwansvc.dll
2013-05-16 15:47 . 2013-04-10 03:30        3153920        ----a-w-        c:\windows\system32\win32k.sys
2013-05-07 18:44 . 2013-05-07 18:43        83160        ----a-w-        c:\windows\system32\drivers\avnetflt.sys
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-17 01:08 . 2011-09-14 06:44        75016696        ----a-w-        c:\windows\system32\MRT.exe
2013-05-14 20:11 . 2012-05-01 08:56        692104        ----a-w-        c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-14 20:11 . 2011-09-08 10:55        71048        ----a-w-        c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-02 00:06 . 2010-11-21 03:27        278800        ------w-        c:\windows\system32\MpSigStub.exe
2013-04-21 18:08 . 2013-04-21 18:08        163504        ----a-w-        c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10144.bin
2013-04-13 05:49 . 2013-05-16 15:48        135168        ----a-w-        c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-16 15:48        308736        ----a-w-        c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-16 15:48        350208        ----a-w-        c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-16 15:48        111104        ----a-w-        c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-16 15:48        474624        ----a-w-        c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-16 15:48        2176512        ----a-w-        c:\windows\apppatch\AcGenral.dll
2013-04-12 14:45 . 2013-04-23 19:44        1656680        ----a-w-        c:\windows\system32\drivers\ntfs.sys
2013-03-27 22:47 . 2013-03-27 22:47        28600        ----a-w-        c:\windows\system32\drivers\avkmgr.sys
2013-03-27 22:47 . 2013-03-27 22:47        130016        ----a-w-        c:\windows\system32\drivers\avipbb.sys
2013-03-27 22:47 . 2013-03-27 22:47        100712        ----a-w-        c:\windows\system32\drivers\avgntflt.sys
2013-03-19 06:04 . 2013-04-11 19:37        5550424        ----a-w-        c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-11 19:37        43520        ----a-w-        c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-11 19:37        3968856        ----a-w-        c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-11 19:37        3913560        ----a-w-        c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-11 19:37        6656        ----a-w-        c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-11 19:37        112640        ----a-w-        c:\windows\system32\smss.exe
2013-03-18 19:41 . 2012-09-06 10:40        861088        ----a-w-        c:\windows\SysWow64\npdeployJava1.dll
2013-03-18 19:41 . 2011-11-03 16:52        782240        ----a-w-        c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-29 98304]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2011-04-06 3031664]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-05-07 345312]
.
c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
msconfig.lnk - c:\windows\System32\rundll32.exe [2009-7-14 45568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableSecureUIAPath"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages        REG_MULTI_SZ          kerberos msv1_0 schannel wdigest tspkg pku2u wsauth
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-05-11 99384]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2012-05-11 203320]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-12-13 54784]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-11 1255736]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2013-03-27 28600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-31 202752]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2013-03-27 86752]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe [2011-03-29 27760]
S2 wsnm;VMware View Client;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2011-02-18 494192]
S2 wsnm_usbctrl;VMware View-USB-Steuerung;c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [2011-02-18 1120368]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-03-29 2157680]
S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\Drivers\vmwvusb.sys [2011-02-18 47664]
.
.
Inhalt des "geplante Tasks" Ordners
.
2013-05-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 20:11]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 17:59]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 17:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-03 1580368]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.at/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: An OneNote s&enden - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Nach Microsoft &Excel exportieren - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xcel exportieren - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.186.211.21 195.34.133.21
FF - ProfilePath - c:\users\Stoffi\AppData\Roaming\Mozilla\Firefox\Profiles\o4b2azmr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.at
FF - prefs.js: network.proxy.type - 0
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-!{64ead72b-ffd4-4e01-aa3a-4c71665d73e4} - (no file)
Toolbar-!{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
AddRemove-HappyFoto - Bestellassistent - c:\windows\system32\javaws.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2013-05-30  18:58:09
ComboFix-quarantined-files.txt  2013-05-30 16:58
.
Vor Suchlauf: 9 Verzeichnis(se), 586.038.480.896 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 585.609.682.944 Bytes frei
.
- - End Of File - - A8C853D85F2BE725DBC604895CDA239A

thx

schrauber 30.05.2013 19:14

Hi,

ComboFix script
WARNING for those READING ALONG:
The following ComboFix script was created exclusively for this user in this situation.
Never run it on other computers; it can permanently damage other systems!

  • Delete the existing ComboFix.exe from your desktop and download the program again from the following download mirror: Link
  • Save it to the desktop again (not anywhere else, this is important)!
  • Press the Windows + R keys --> type notepad --> OK
  • Now copy the text from the following code box completely into the empty text document.
    Code:

    Files::
    c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk

  • Save this as CFScript.txt on your desktop.
  • Important: Temporarily disable your antivirus software, as it can interfere with ComboFix's work.
    Don't forget to turn it back on afterwards!
  • Close all running programs so that ComboFix can work unhindered.
  • Drag CFScript.txt onto ComboFix.exe as shown in this picture:
  • Do nothing on the computer, do not move the mouse over the ComboFix window or click into it. This can cause ComboFix to hang.
  • When ComboFix is finished it will create a log: C:\ComboFix.txt
    Please post it here as a reply (in CODE tags using the # button of the editor).

Note:
Suspect:: and Collect::
If the script contains these directives, files are to be sent in for analysis. A message box will appear after ComboFix finishes. Click OK and follow the prompts/instructions to upload the files. Be sure to let me know whether the upload worked!


Keith 30.05.2013 19:56

so, and here is the file
(Avira was off, it is on again now)

Code:

ComboFix 13-05-30.02 - Stoffi 30.05.2013  20:25:11.3.4 - x64
Microsoft Windows 7 Home Premium  6.1.7601.1.1252.43.1031.18.7934.6563 [GMT 2:00]
ausgeführt von:: c:\users\Stoffi\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\Stoffi\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((  Dateien erstellt von 2013-04-28 bis 2013-05-30  ))))))))))))))))))))))))))))))
.
.
2013-05-30 18:28 . 2013-05-30 18:28        --------        d-----w-        c:\users\Default\AppData\Local\temp
2013-05-30 11:00 . 2013-05-30 11:00        --------        d-----w-        C:\_OTL
2013-05-29 15:43 . 2013-05-13 06:37        9460464        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{8835E69E-B14C-43BE-B0B4-6A14FF40E242}\mpengine.dll
2013-05-29 15:33 . 2013-05-29 22:21        --------        d-----w-        c:\windows\ERUNT
2013-05-29 15:27 . 2013-05-29 15:27        97        ----a-w-        c:\windows\DeleteOnReboot.bat
2013-05-17 01:03 . 2013-05-05 21:36        17818624        ----a-w-        c:\windows\system32\mshtml.dll
2013-05-17 01:03 . 2013-05-05 21:16        2382848        ----a-w-        c:\windows\system32\mshtml.tlb
2013-05-17 01:03 . 2013-05-05 19:12        2382848        ----a-w-        c:\windows\SysWow64\mshtml.tlb
2013-05-16 15:48 . 2013-04-10 06:01        265064        ----a-w-        c:\windows\system32\drivers\dxgmms1.sys
2013-05-16 15:48 . 2013-04-10 06:01        983400        ----a-w-        c:\windows\system32\drivers\dxgkrnl.sys
2013-05-16 15:48 . 2011-02-03 11:25        144384        ----a-w-        c:\windows\system32\cdd.dll
2013-05-16 15:48 . 2013-02-27 05:52        14172672        ----a-w-        c:\windows\system32\shell32.dll
2013-05-16 15:48 . 2013-02-27 05:48        1930752        ----a-w-        c:\windows\system32\authui.dll
2013-05-16 15:48 . 2013-02-27 05:52        197120        ----a-w-        c:\windows\system32\shdocvw.dll
2013-05-16 15:48 . 2013-02-27 06:02        111448        ----a-w-        c:\windows\system32\consent.exe
2013-05-16 15:48 . 2013-02-27 05:47        70144        ----a-w-        c:\windows\system32\appinfo.dll
2013-05-16 15:48 . 2013-02-27 04:49        1796096        ----a-w-        c:\windows\SysWow64\authui.dll
2013-05-16 15:48 . 2013-03-19 05:53        48640        ----a-w-        c:\windows\system32\wwanprotdim.dll
2013-05-16 15:48 . 2013-03-19 05:53        230400        ----a-w-        c:\windows\system32\wwansvc.dll
2013-05-16 15:47 . 2013-04-10 03:30        3153920        ----a-w-        c:\windows\system32\win32k.sys
2013-05-07 18:44 . 2013-05-07 18:43        83160        ----a-w-        c:\windows\system32\drivers\avnetflt.sys
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-17 01:08 . 2011-09-14 06:44        75016696        ----a-w-        c:\windows\system32\MRT.exe
2013-05-14 20:11 . 2012-05-01 08:56        692104        ----a-w-        c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-14 20:11 . 2011-09-08 10:55        71048        ----a-w-        c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-02 00:06 . 2010-11-21 03:27        278800        ------w-        c:\windows\system32\MpSigStub.exe
2013-04-21 18:08 . 2013-04-21 18:08        163504        ----a-w-        c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10144.bin
2013-04-13 05:49 . 2013-05-16 15:48        135168        ----a-w-        c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-16 15:48        308736        ----a-w-        c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-16 15:48        350208        ----a-w-        c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-16 15:48        111104        ----a-w-        c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-16 15:48        474624        ----a-w-        c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-16 15:48        2176512        ----a-w-        c:\windows\apppatch\AcGenral.dll
2013-04-12 14:45 . 2013-04-23 19:44        1656680        ----a-w-        c:\windows\system32\drivers\ntfs.sys
2013-03-27 22:47 . 2013-03-27 22:47        28600        ----a-w-        c:\windows\system32\drivers\avkmgr.sys
2013-03-27 22:47 . 2013-03-27 22:47        130016        ----a-w-        c:\windows\system32\drivers\avipbb.sys
2013-03-27 22:47 . 2013-03-27 22:47        100712        ----a-w-        c:\windows\system32\drivers\avgntflt.sys
2013-03-19 06:04 . 2013-04-11 19:37        5550424        ----a-w-        c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-11 19:37        43520        ----a-w-        c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-11 19:37        3968856        ----a-w-        c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-11 19:37        3913560        ----a-w-        c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-11 19:37        6656        ----a-w-        c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-11 19:37        112640        ----a-w-        c:\windows\system32\smss.exe
2013-03-18 19:41 . 2012-09-06 10:40        861088        ----a-w-        c:\windows\SysWow64\npdeployJava1.dll
2013-03-18 19:41 . 2011-11-03 16:52        782240        ----a-w-        c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-29 98304]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2011-04-06 3031664]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-05-07 345312]
.
c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
msconfig.lnk - c:\windows\System32\rundll32.exe [2009-7-14 45568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableSecureUIAPath"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages        REG_MULTI_SZ          kerberos msv1_0 schannel wdigest tspkg pku2u wsauth
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-05-11 99384]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2012-05-11 203320]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-12-13 54784]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-11 1255736]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2013-03-27 28600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-31 202752]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2013-03-27 86752]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe [2011-03-29 27760]
S2 wsnm;VMware View Client;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2011-02-18 494192]
S2 wsnm_usbctrl;VMware View-USB-Steuerung;c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [2011-02-18 1120368]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-03-29 2157680]
S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\Drivers\vmwvusb.sys [2011-02-18 47664]
.
.
Inhalt des "geplante Tasks" Ordners
.
2013-05-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 20:11]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 17:59]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 17:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-03 1580368]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.at/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: An OneNote s&enden - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Nach Microsoft &Excel exportieren - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xcel exportieren - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.186.211.21 195.34.133.21
FF - ProfilePath - c:\users\Stoffi\AppData\Roaming\Mozilla\Firefox\Profiles\o4b2azmr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.at
FF - prefs.js: network.proxy.type - 0
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-!{64ead72b-ffd4-4e01-aa3a-4c71665d73e4} - (no file)
Toolbar-!{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2013-05-30  20:30:03
ComboFix-quarantined-files.txt  2013-05-30 18:30
ComboFix2.txt  2013-05-30 17:51
ComboFix3.txt  2013-05-30 16:58
.
Vor Suchlauf: 10 Verzeichnis(se), 585.674.555.392 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 585.377.230.848 Bytes frei
.
- - End Of File - - EC7884C3F714B1A33C7738A1D98B96DD

thx

PS: are we getting close to the end?

schrauber 30.05.2013 20:00

Does the message still appear?

Keith 30.05.2013 20:01

oh right, then I'll do a restart right away!

schrauber 30.05.2013 20:02

Go ahead :)

Keith 30.05.2013 20:07

yes, unfortunately it still appears :(

what is the status of my PC now?
I don't really understand the log files.
do I still have something nasty on board?

thx

PS: and REALLY, thanks!!! not just as a figure of speech, I find it admirable
how you take on my problem and sacrifice so much time!

schrauber 30.05.2013 21:48

Hi,

ok, the last one was my fault, a small error in the script, so once more :)

ComboFix script
WARNING for those READING ALONG:
The following ComboFix script was created exclusively for this user in this situation.
Never run it on other computers; it can permanently damage other systems!

  • Delete the existing ComboFix.exe from your desktop and download the program again from the following download mirror: Link
  • Save it to the desktop again (not anywhere else, this is important)!
  • Press the Windows + R keys --> type notepad --> OK
  • Now copy the text from the following code box completely into the empty text document.
    Code:

    File::
    c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk

  • Save this as CFScript.txt on your desktop.
  • Important: Temporarily disable your antivirus software, as it can interfere with ComboFix's work.
    Don't forget to turn it back on afterwards!
  • Close all running programs so that ComboFix can work unhindered.
  • Drag CFScript.txt onto ComboFix.exe as shown in this picture:
  • Do nothing on the computer, do not move the mouse over the ComboFix window or click into it. This can cause ComboFix to hang.
  • When ComboFix is finished it will create a log: C:\ComboFix.txt
    Please post it here as a reply (in CODE tags using the # button of the editor).

Note:
Suspect:: and Collect::
If the script contains these directives, files are to be sent in for analysis. A message box will appear after ComboFix finishes. Click OK and follow the prompts/instructions to upload the files. Be sure to let me know whether the upload worked!
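The two scripts in this thread differ only in the directive header ("Files::" versus "File::"), and the logs show the consequence: the run with the misspelt header prints no "FILE ::" block and leaves the Startup-folder shortcut (msconfig.lnk, target rundll32.exe) in place, while the corrected run echoes the path under "FILE ::" and lists it under "Weitere Löschungen". The following Python is an added example for this thread, not ComboFix code and not the helper's script: it checks a CFScript for directive headers ComboFix would not recognise, parses the autostart block of a ComboFix log, flags Startup entries whose target is a launcher binary such as rundll32.exe, and confirms from the log whether a requested deletion actually happened. The log excerpts embedded in it are constructed from the logs posted above and abbreviated; the directive list beyond the ones this thread uses is recalled from ComboFix's documentation and is an assumption to verify against the version in use.

```python
"""CFScript/ComboFix-log triage helpers (added example, not ComboFix code)."""
import re
from typing import Dict, List

# Directives used in this thread (File::, Suspect::, Collect::) plus common ones
# recalled from ComboFix's documentation (assumption: verify for your version).
KNOWN_DIRECTIVES = {"File::", "Folder::", "Registry::", "Driver::",
                    "KillAll::", "Suspect::", "Collect::"}
# Legitimate Windows binaries routinely abused as launchers; a Startup shortcut
# targeting one of these carries its real payload in the shortcut arguments.
LAUNCHER_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                     "cscript.exe", "powershell.exe", "cmd.exe"}

BANNER = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]+)"\s*\[(?P<meta>[^\]]*)\]$')
LNK_ENTRY = re.compile(r"^(?P<name>\S+\.lnk) - (?P<target>.+?)\s*\[(?P<meta>[^\]]*)\]$")

STARTUP_LNK = (r"c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\msconfig.lnk")

# Constructed, abbreviated excerpt of the second log: the misspelt directive was
# ignored and the shortcut is still listed as an autostart entry.
LOG_IGNORED = r"""
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-05-07 345312]
.
c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
msconfig.lnk - c:\windows\System32\rundll32.exe [2009-7-14 45568]
"""
# Constructed, abbreviated excerpt of the third log: File:: honoured, file deleted.
LOG_APPLIED = r"""
FILE ::
"c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk"
.
((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
"""

def validate_cfscript(script: str) -> List[str]:
    """Report directive headers ComboFix would not recognise and so ignore."""
    problems = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if line.endswith("::") and line not in KNOWN_DIRECTIVES:
            problems.append(f"line {lineno}: unknown directive {line!r}")
    return problems

def split_sections(log: str) -> Dict[str, List[str]]:
    """Group lines under their '((( title )))' banners; the 'FILE ::' echo of a
    honoured File:: directive becomes a section of its own."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in log.splitlines():
        line = raw.strip()
        banner = BANNER.match(line)
        if banner or line == "FILE ::":
            current = banner.group("title") if banner else "FILE"
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections

def parse_autostart(lines: List[str]) -> List[Dict[str, str]]:
    """A registry key or Startup folder path sets the 'location' of the
    entries listed beneath it; each entry keeps name, target and file stamp."""
    entries, location = [], ""
    for line in lines:
        key = REG_KEY.match(line)
        if key:
            location = key.group("key")
        elif line.endswith("\\"):
            location = line
        else:
            match = REG_VALUE.match(line) or LNK_ENTRY.match(line)
            if match:
                entries.append({"location": location, **match.groupdict()})
    return entries

def flag_suspicious(entries: List[Dict[str, str]]) -> List[str]:
    """Flag entries whose target binary is a known launcher."""
    hits = []
    for entry in entries:
        exe = entry["target"].rsplit("\\", 1)[-1].lower()
        if exe in LAUNCHER_BINARIES:
            hits.append(f"{entry['name']} in {entry['location']} -> {exe}")
    return hits

def script_applied(log: str, requested: List[str]) -> Dict[str, bool]:
    """True per path only if ComboFix echoed it under 'FILE ::' and then listed
    it under 'Weitere Löschungen'; False means the script changed nothing."""
    sections = split_sections(log)
    echoed = {p.strip('"').lower() for p in sections.get("FILE", [])}
    deleted = {p.lower() for p in sections.get("Weitere Löschungen", [])}
    return {p: p.lower() in echoed and p.lower() in deleted for p in requested}

if __name__ == "__main__":
    print(validate_cfscript("Files::\n" + STARTUP_LNK))
    autostart = split_sections(LOG_IGNORED)["Autostartpunkte der Registrierung"]
    print(flag_suspicious(parse_autostart(autostart)))
    print(script_applied(LOG_IGNORED, [STARTUP_LNK]), script_applied(LOG_APPLIED, [STARTUP_LNK]))
```

The log line for a Startup shortcut shows only the shortcut's target binary, not its arguments. With rundll32.exe as the target, the real payload is the DLL and export named in the shortcut's arguments, so on a live system the next step before deleting such a .lnk is to resolve it (for example with the WScript.Shell CreateShortcut COM object) and record its Arguments property, otherwise the dropped DLL stays behind with no record of where it lives.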


Keith 30.05.2013 22:18

EUREKA
the beast is obviously dead!
this time nothing popped up!!!

here is the log

Code:

ComboFix 13-05-30.02 - Stoffi 30.05.2013  23:07:07.4.4 - x64
Microsoft Windows 7 Home Premium  6.1.7601.1.1252.43.1031.18.7934.6507 [GMT 2:00]
ausgeführt von:: c:\users\Stoffi\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\Stoffi\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk"
.
.
((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Stoffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
.
.
(((((((((((((((((((((((  Dateien erstellt von 2013-04-28 bis 2013-05-30  ))))))))))))))))))))))))))))))
.
.
2013-05-30 21:12 . 2013-05-30 21:12        --------        d-----w-        c:\users\Default\AppData\Local\temp
2013-05-30 11:00 . 2013-05-30 11:00        --------        d-----w-        C:\_OTL
2013-05-29 15:43 . 2013-05-13 06:37        9460464        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{8835E69E-B14C-43BE-B0B4-6A14FF40E242}\mpengine.dll
2013-05-29 15:33 . 2013-05-29 22:21        --------        d-----w-        c:\windows\ERUNT
2013-05-29 15:27 . 2013-05-29 15:27        97        ----a-w-        c:\windows\DeleteOnReboot.bat
2013-05-17 01:03 . 2013-05-05 21:36        17818624        ----a-w-        c:\windows\system32\mshtml.dll
2013-05-17 01:03 . 2013-05-05 21:16        2382848        ----a-w-        c:\windows\system32\mshtml.tlb
2013-05-17 01:03 . 2013-05-05 19:12        2382848        ----a-w-        c:\windows\SysWow64\mshtml.tlb
2013-05-16 15:48 . 2013-04-10 06:01        265064        ----a-w-        c:\windows\system32\drivers\dxgmms1.sys
2013-05-16 15:48 . 2013-04-10 06:01        983400        ----a-w-        c:\windows\system32\drivers\dxgkrnl.sys
2013-05-16 15:48 . 2011-02-03 11:25        144384        ----a-w-        c:\windows\system32\cdd.dll
2013-05-16 15:48 . 2013-02-27 05:52        14172672        ----a-w-        c:\windows\system32\shell32.dll
2013-05-16 15:48 . 2013-02-27 05:48        1930752        ----a-w-        c:\windows\system32\authui.dll
2013-05-16 15:48 . 2013-02-27 05:52        197120        ----a-w-        c:\windows\system32\shdocvw.dll
2013-05-16 15:48 . 2013-02-27 06:02        111448        ----a-w-        c:\windows\system32\consent.exe
2013-05-16 15:48 . 2013-02-27 05:47        70144        ----a-w-        c:\windows\system32\appinfo.dll
2013-05-16 15:48 . 2013-02-27 04:49        1796096        ----a-w-        c:\windows\SysWow64\authui.dll
2013-05-16 15:48 . 2013-03-19 05:53        48640        ----a-w-        c:\windows\system32\wwanprotdim.dll
2013-05-16 15:48 . 2013-03-19 05:53        230400        ----a-w-        c:\windows\system32\wwansvc.dll
2013-05-16 15:47 . 2013-04-10 03:30        3153920        ----a-w-        c:\windows\system32\win32k.sys
2013-05-07 18:44 . 2013-05-07 18:43        83160        ----a-w-        c:\windows\system32\drivers\avnetflt.sys
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M report  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-17 01:08 . 2011-09-14 06:44        75016696        ----a-w-        c:\windows\system32\MRT.exe
2013-05-14 20:11 . 2012-05-01 08:56        692104        ----a-w-        c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-14 20:11 . 2011-09-08 10:55        71048        ----a-w-        c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-02 00:06 . 2010-11-21 03:27        278800        ------w-        c:\windows\system32\MpSigStub.exe
2013-04-21 18:08 . 2013-04-21 18:08        163504        ----a-w-        c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10144.bin
2013-04-13 05:49 . 2013-05-16 15:48        135168        ----a-w-        c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-16 15:48        308736        ----a-w-        c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-16 15:48        350208        ----a-w-        c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-16 15:48        111104        ----a-w-        c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-16 15:48        474624        ----a-w-        c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-16 15:48        2176512        ----a-w-        c:\windows\apppatch\AcGenral.dll
2013-04-12 14:45 . 2013-04-23 19:44        1656680        ----a-w-        c:\windows\system32\drivers\ntfs.sys
2013-03-27 22:47 . 2013-03-27 22:47        28600        ----a-w-        c:\windows\system32\drivers\avkmgr.sys
2013-03-27 22:47 . 2013-03-27 22:47        130016        ----a-w-        c:\windows\system32\drivers\avipbb.sys
2013-03-27 22:47 . 2013-03-27 22:47        100712        ----a-w-        c:\windows\system32\drivers\avgntflt.sys
2013-03-19 06:04 . 2013-04-11 19:37        5550424        ----a-w-        c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-11 19:37        43520        ----a-w-        c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-11 19:37        3968856        ----a-w-        c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-11 19:37        3913560        ----a-w-        c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-11 19:37        6656        ----a-w-        c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-11 19:37        112640        ----a-w-        c:\windows\system32\smss.exe
2013-03-18 19:41 . 2012-09-06 10:40        861088        ----a-w-        c:\windows\SysWow64\npdeployJava1.dll
2013-03-18 19:41 . 2011-11-03 16:52        782240        ----a-w-        c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((  Registry autostart points  ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-29 98304]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2011-04-06 3031664]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-05-07 345312]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableSecureUIAPath"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages        REG_MULTI_SZ          kerberos msv1_0 schannel wdigest tspkg pku2u wsauth
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-05-11 99384]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2012-05-11 203320]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-12-13 54784]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-11 1255736]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2013-03-27 28600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-31 202752]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2013-03-27 86752]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe [2011-03-29 27760]
S2 wsnm;VMware View Client;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2011-02-18 494192]
S2 wsnm_usbctrl;VMware View-USB-Steuerung;c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [2011-02-18 1120368]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-03-29 2157680]
S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\Drivers\vmwvusb.sys [2011-02-18 47664]
.
.
Contents of the "Scheduled Tasks" folder
.
2013-05-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 20:11]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 17:59]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-18 17:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-03 1580368]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Additional scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.at/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: An OneNote s&enden - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Nach Microsoft &Excel exportieren - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xcel exportieren - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.186.211.21 195.34.133.21
FF - ProfilePath - c:\users\Stoffi\AppData\Roaming\Mozilla\Firefox\Profiles\o4b2azmr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.at
FF - prefs.js: network.proxy.type - 0
.
- - - - Removed orphaned registry entries - - - -
.
Toolbar-!{64ead72b-ffd4-4e01-aa3a-4c71665d73e4} - (no file)
Toolbar-!{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
--------------------- Locked registry keys ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-05-30  23:14:14
ComboFix-quarantined-files.txt  2013-05-30 21:14
ComboFix2.txt  2013-05-30 18:30
ComboFix3.txt  2013-05-30 17:51
ComboFix4.txt  2013-05-30 16:58
.
Before scan: 10 directory(ies), 585,416,458,240 bytes free
After scan: 11 directory(ies), 585,377,452,032 bytes free
.
- - End Of File - - 6AED0909324644C2DE000F2023F86736

I hope that was it now
I'm going to sleep now and wish you a good night too!

Best regards
keith
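
The log above is raw ComboFix output; the entries under "Registry autostart points" and the R*/S* service lines are the persistence locations a helper reads first, and the checks are mechanical: where does each autostart executable live, is the Winlogon Userinit chain still just userinit.exe, and is AppInit_DLLs injection switched on. The following parser applies those three checks to that section of a log. It is an added example, not code from ComboFix or from anyone in this thread. The sample input is a constructed excerpt in ComboFix's format: the first entries mirror lines from the posted log, while the "Updater" line is invented purely to exercise the warning rule and does not appear in the log above.

```python
"""Parse the autostart section of a ComboFix log and apply simple triage rules.

Added example, not part of ComboFix or of the forum post. It reads the
REGEDIT4-style "[key]" / "name"="value" [date size] lines and the
R*/S* service lines exactly as ComboFix prints them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in ComboFix's format. The first entries mirror the
# posted log; the "Updater" line is invented to exercise the warning rule
# and does NOT appear in the posted log.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-29 98304]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-05-07 345312]
"Updater"="c:\users\example\AppData\Roaming\updater.exe" [2013-05-29 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S2 wsnm;VMware View Client;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2011-02-18 494192]
"""


@dataclass
class Entry:
    kind: str                    # "value" (registry) or "service"
    location: str                # registry key, or service start type such as R2 / S3
    name: str
    value: str                   # executable path, string data, or dword as text
    date: Optional[str] = None   # file timestamp ComboFix prints after the path
    size: Optional[int] = None   # file size in bytes


@dataclass
class Finding:
    severity: str                # "warn" or "info"
    entry: Entry
    reason: str


KEY_RE = re.compile(r'^\[(.+)\]$')
PATH_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
STR_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
DWORD_VALUE_RE = re.compile(r'^"([^"]+)"=\s*(\d+) \(0x[0-9A-Fa-f]+\)$')
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.+?) \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')

# Directories a standard user can write to; an autostart pointing there is
# the classic sign of a dropped payload rather than an installed product.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")
KNOWN_USERINIT = ("userinit.exe", "c:\\windows\\system32\\userinit.exe")


def parse_autostarts(log_text: str) -> List[Entry]:
    """Turn the autostart section into Entry records; unrelated lines are skipped."""
    entries: List[Entry] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, path, date, size = m.groups()
            entries.append(Entry("service", start, name, path, date, int(size)))
            continue
        m = PATH_VALUE_RE.match(line)
        if m:
            name, path, date, size = m.groups()
            entries.append(Entry("value", current_key, name, path, date, int(size)))
            continue
        m = DWORD_VALUE_RE.match(line) or STR_VALUE_RE.match(line)
        if m:
            entries.append(Entry("value", current_key, m.group(1), m.group(2)))
    return entries


def analyse(log_text: str) -> List[Finding]:
    """Apply the three triage rules to every parsed entry."""
    findings: List[Finding] = []
    for e in parse_autostarts(log_text):
        low = e.value.lower()
        if e.kind == "service" or e.date is not None:
            # Rule 1: where does the autostart executable live?
            if any(marker in low for marker in USER_WRITABLE):
                findings.append(Finding("warn", e, "autostart from user-writable path"))
            elif not low.startswith(("c:\\windows\\", "c:\\program files")):
                findings.append(Finding("info", e, "autostart outside Windows/Program Files"))
        # Rule 2: anything appended to Userinit runs at every logon.
        if e.name.lower() == "userinit" and low.rstrip(",") not in KNOWN_USERINIT:
            findings.append(Finding("warn", e, "Userinit chain modified"))
        # Rule 3: LoadAppInit_DLLs=1 makes the AppInit_DLLs list load into every process using user32.dll.
        if e.name.lower() == "loadappinit_dlls" and e.value == "1":
            findings.append(Finding("info", e, "AppInit_DLLs injection enabled; read the AppInit_DLLs value next"))
    return findings


def report(log_text: str) -> List[str]:
    """One line per finding, warnings first."""
    order = {"warn": 0, "info": 1}
    findings = sorted(analyse(log_text), key=lambda f: order[f.severity])
    return [f"[{f.severity}] {f.entry.location} :: {f.entry.name} = {f.entry.value}  ({f.reason})"
            for f in findings]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it on the full "Registry autostart points" block of a log and the warnings are the entries to look up first. LoadAppInit_DLLs=1 on its own is reported only as info because some legitimate installers set it; what decides the matter is the AppInit_DLLs value under the same key, which is why the finding tells you to read that next.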

Dear schrauber

I have now run Avira over it once more and it found nothing

please also tell me whether anything stood out to you in the last log.

many, many thanks

keith


Copyright ©2000-2025, Trojaner-Board