Platform:

Windows 2000, Windows XP, Windows Server 2003

  • Grayware type:
    Worm

  • Destructive:
    No

  • Encrypted:
     

  • In the Wild:
    Yes

  Overview

Deletes files, preventing programs and applications from running properly.

  Technical details

File size: 41,656 bytes
File type: EXE
Memory resident: Yes
Initial samples received date: 26 November 2013

Autostart Technique

Registers itself as a system service so that it runs automatically at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\vds2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\VMAuthd Service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\VMnet DHCP

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\VMwareNATService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\vmount3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Installer information

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\lanmanworkstation2

Other System Modifications

Deletes the following files:

  • %System%\drivers\HookHelp.sys
  • %System%\drivers\HookSys.sys
  • %System%\drivers\RsNTGdi.sys
  • %System%\drivers\HookCont.sys
  • %System%\drivers\safeboxkrnl.sys
  • %System%\drivers\360AntiARP.sys
  • %System%\drivers\ProtoDrv.sys
  • %System%\drivers\easdrv.sys
  • %System%\drivers\eamon.sys
  • %System%\drivers\epfwtdir.sys
  • %User Profile%\Cookies\wilbert@atdmt[2].txt
  • %User Profile%\Cookies\wilbert@bing[2].txt
  • %User Profile%\Cookies\wilbert@c.atdmt[2].txt
  • %User Profile%\Cookies\wilbert@c.msn[2].txt
  • %User Profile%\Cookies\wilbert@doubleclick[1].txt
  • %User Profile%\Cookies\wilbert@microsoft[1].txt
  • %User Profile%\Cookies\wilbert@msnportal.112.2o7[1].txt
  • %User Profile%\Cookies\wilbert@msn[2].txt
  • %User Profile%\Cookies\wilbert@scorecardresearch[2].txt
  • %User Profile%\Cookies\wilbert@www.bing[2].txt
  • %User Profile%\Cookies\wilbert@www.msn[1].txt

Deletes the following folders:

  • %System Root%\AUTOEXEC.EXE
  • %System Root%\AutoRun.inf

(Note: %System Root% is the root folder, usually C:\. It is also where the operating system is located.)

Adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe

Adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
DependOnService = "Virtual Disk Service"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
Description = "Provides software volume and hardware volume management service."

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
DisplayName = "vds2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
ImagePath = "%Windows%\ctfmon.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
Type = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
DependOnService = "VMware Authorization Service"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
Description = "{random characters}"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
DisplayName = "VMAuthd Service"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
ImagePath = "%Windows%\inetinfo.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
Type = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
DependOnService = "VMware DHCP Service"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
Description = "DHCP service for virtual networks"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
DisplayName = "VMnet DHCP"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
ImagePath = "%Windows%\winlogon.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
Type = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
DependOnService = "VMware NAT Service"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
Description = "Network address translation for virtual networks"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
DisplayName = "VMwareNATService"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
ImagePath = "%System%\TIMPlatform.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
Type = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vmount3
DependOnService = "VMware Virtual Mount Manager Extended"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vmount3
DisplayName = "vmount3"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vmount3
ImagePath = "%Windows%\inf\realplayer.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vmount3
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vmount3
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vmount3
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vmount3
Type = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
DependOnService = "VMware Virtual Mount Manager Extended"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
Description = "{random characters}"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
DisplayName = "Installer information"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
ImagePath = "%Program Files%\INTERN~1\iedws.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
Type = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
DependOnService = "Workstation"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
Description = "Creates and maintains client network connections to remote servers. "

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
DisplayName = "lanmanworkstation2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
ImagePath = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
Type = "2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
DEBUGGER = "%Windows%\inf\realplayer.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
DEBUGGER = "%Windows%\ctfmon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
DEBUGGER = "%System%\TIMPlatform.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
DEBUGGER = "%Windows%\inetinfo.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
DEBUGGER = "%System%\TIMPlatform.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
DEBUGGER = "%Windows%\winlogon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
DEBUGGER = "%Windows%\winlogon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
DEBUGGER = "%Windows%\ctfmon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
DEBUGGER = "%System%\TIMPlatform.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
DEBUGGER = "%Windows%\ctfmon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
DEBUGGER = "%Windows%\inetinfo.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
DEBUGGER = "%Windows%\inetinfo.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
DEBUGGER = "%Windows%\inf\realplayer.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
DEBUGGER = "%System%\TIMPlatform.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
DEBUGGER = "%Windows%\winlogon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
DEBUGGER = "%Windows%\inf\realplayer.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
DEBUGGER = "%Windows%\ctfmon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
DEBUGGER = "%Windows%\inetinfo.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
DEBUGGER = "%Windows%\winlogon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
DEBUGGER = "%Windows%\inf\realplayer.exe"

Modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = "3"

(Note: The default value data of the said registry entry is 1.)

Deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network\
{4D36E967-E325-11CE-BFC1-08002BE10318}

Dropping Routine

Drops the following files:

  • %Windows%\ctfmon.exe
  • %Windows%\inetinfo.exe
  • %Windows%\winlogon.exe
  • %System%\TIMPlatform.exe
  • %Windows%\inf\realplayer.exe
  • %Program Files%\INTERN~1\iedws.exe
  • %Program Files%\INTERN~1\SIGNUP\iedws.exe
  • A:\AUTOEXEC.EXE
  • A:\AutoRun.inf
  • %System Root%\AUTOEXEC.EXE
  • %System Root%\AutoRun.inf

(Note: %Windows% is the Windows folder, usually C:\Windows or C:\WINNT. %System% is the Windows system folder, usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003. %Program Files% is the default Program Files folder, usually C:\Program Files. %System Root% is the root folder, usually C:\. It is also where the operating system is located.)

  Solution

Minimum scan engine: 9.300

Step 1

For Windows ME and XP users: Before scanning, make sure System Restore is disabled so that the entire computer can be scanned.

Step 2

Restart in Safe Mode

Step 3

Delete this registry key

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Perform this step only if you are familiar with the procedure or can ask your system administrator for assistance. Otherwise, read this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • vds2
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • VMAuthd Service
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • VMnet DHCP
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • VMwareNATService
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • vmount3
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • Installer information
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • lanmanworkstation2
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • RavMonD.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • 360rpt.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • 360Safe.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • 360tray.exe

Step 4

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Perform this step only if you are familiar with the procedure or can ask your system administrator for assistance. Otherwise, read this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
    • DependOnService = "Virtual Disk Service"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
    • Description = "Provides software volume and hardware volume management service."
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
    • DisplayName = "vds2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
    • ImagePath = "%Windows%\ctfmon.exe"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
    • ObjectName = "LocalSystem"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
    • ErrorControl = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
    • Start = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
    • Type = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
    • DependOnService = "VMware Authorization Service"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
    • Description = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
    • DisplayName = "VMAuthd Service"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
    • ImagePath = "%Windows%\inetinfo.exe"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
    • ObjectName = "LocalSystem"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
    • ErrorControl = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
    • Start = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
    • Type = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
    • DependOnService = "VMware DHCP Service"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
    • Description = "DHCP service for virtual networks"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
    • DisplayName = "VMnet DHCP"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
    • ImagePath = "%Windows%\winlogon.exe"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
    • ObjectName = "LocalSystem"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
    • ErrorControl = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
    • Start = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
    • Type = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
    • DependOnService = "VMware NAT Service"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
    • Description = "Network address translation for virtual networks"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
    • DisplayName = "VMwareNATService"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
    • ImagePath = "%System%\TIMPlatform.exe"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
    • ObjectName = "LocalSystem"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
    • ErrorControl = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
    • Start = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
    • Type = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmount3
    • DependOnService = "VMware Virtual Mount Manager Extended"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmount3
    • DisplayName = "vmount3"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmount3
    • ImagePath = "%Windows%\inf\realplayer.exe"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmount3
    • ObjectName = "LocalSystem"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmount3
    • ErrorControl = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmount3
    • Start = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmount3
    • Type = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
    • DependOnService = "VMware Virtual Mount Manager Extended"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
    • Description = "{random characters}"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
    • DisplayName = "Installer information"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
    • ImagePath = "%Program Files%\INTERN~1\iedws.exe"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
    • ObjectName = "LocalSystem"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
    • ErrorControl = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
    • Start = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
    • Type = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
    • DependOnService = "Workstation"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
    • Description = "Creates and maintains client network connections to remote servers. "
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
    • DisplayName = "lanmanworkstation2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
    • ImagePath = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
    • ObjectName = "LocalSystem"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
    • ErrorControl = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
    • Start = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
    • Type = "2"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
    • DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
    • DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
    • DEBUGGER = "%Windows%\inf\realplayer.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
    • DEBUGGER = "%Windows%\ctfmon.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
    • DEBUGGER = "%System%\TIMPlatform.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
    • DEBUGGER = "%Windows%\inetinfo.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
    • DEBUGGER = "%System%\TIMPlatform.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
    • DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
    • DEBUGGER = "%Windows%\winlogon.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
    • DEBUGGER = "%Windows%\winlogon.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
    • DEBUGGER = "%Windows%\ctfmon.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
    • DEBUGGER = "%System%\TIMPlatform.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
    • DEBUGGER = "%Windows%\ctfmon.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
    • DEBUGGER = "%Windows%\inetinfo.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
    • DEBUGGER = "%Windows%\inetinfo.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
    • DEBUGGER = "%Windows%\inf\realplayer.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
    • DEBUGGER = "%System%\TIMPlatform.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
    • DEBUGGER = "%Windows%\winlogon.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
    • DEBUGGER = "%Windows%\inf\realplayer.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
    • DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
    • DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
    • DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
    • DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
    • DEBUGGER = "%Windows%\ctfmon.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
    • DEBUGGER = "%Windows%\inetinfo.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
    • DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
    • DEBUGGER = "%Windows%\winlogon.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
    • DEBUGGER = "%Windows%\inf\realplayer.exe"

Step 5

Restore this modified registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Perform this step only if you are familiar with the procedure or can ask your system administrator for assistance. Otherwise, read this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    • From: CheckedValue = "3"
      To: CheckedValue = "1"

Step 6

Search for and delete these files

Some component files may be hidden. Be sure to select the Search hidden files and folders checkbox under "More advanced options" to include all hidden files and folders in the search results.
  • %Windows%\ctfmon.exe
  • %Windows%\inetinfo.exe
  • %Windows%\winlogon.exe
  • %System%\TIMPlatform.exe
  • %Windows%\inf\realplayer.exe
  • %Program Files%\INTERN~1\iedws.exe
  • %Program Files%\INTERN~1\SIGNUP\iedws.exe
  • A:\AUTOEXEC.EXE
  • A:\AutoRun.inf
  • %System Root%\AUTOEXEC.EXE
  • %System Root%\AutoRun.inf

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_AUTORUN.BKR. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further steps are required. Quarantined files can simply be deleted. Refer to this Knowledge Base page for more information.

