Adware.Win32.Zoremov.A
Windows
Malware type:
Adware
Destructive?:
No
Encrypted?:
In the wild:
Yes
Overview
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes files, preventing programs and applications from running properly.
Technical Details
Arrival Details
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
Adds the following processes:
- %User Temp%\IXP001.TMP\kernel.exe
- %Application Data%\AppDirectory\PDFLeader\PDFLeaderapp.exe "%Application Data%\AppDirectory\PDFLeader\params.txt"
- schtasks.exe /create /SC DAILY /TN Update_Zoremov /TR "\"%Application Data%\AppRun\AppRun.exe\" -updatesched
- "%System%\ie4uinit.exe" -show
- ie4uinit.exe -show
- %System%\svchost.exe -k LocalServiceAndNoImpersonation
- %System%\sppsvc.exe
- "%System Root%\Program Files\Windows Media Player\wmpnetwk.exe"
- %System%\svchost.exe -k WerSvcGroup
(Note: %User Temp% is the current user's Temp folder, usually C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Temp on Windows 2000 (32-bit), XP and Server 2003 (32-bit), and C:\Users\{Benutzername}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit) and 10 (64-bit). %Application Data% is the current user's Application Data folder, usually C:\Windows\Profile\{Benutzername}\Anwendungsdaten on Windows 98 and ME, C:\WINNT\Profile\{Benutzername}\Anwendungsdaten on Windows NT, C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Anwendungsdaten on Windows 2000 (32-bit), XP and Server 2003 (32-bit), and C:\Users\{Benutzername}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit) and 10 (64-bit). %System% is the Windows system folder, usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows 2000 (32-bit), XP, Server 2003 (32-bit), Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit) and 10 (64-bit). %System Root% is the root folder, usually C:\, which is also where the operating system is located.)
Creates the following folders:
- %Application Data%\AppDirectory\PDFLeader
- %Application Data%\AppDirectory
- %Application Data%\AppRun
Autostart Technique
Adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
wextract_cleanup0 = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%User Temp%\IXP001.TMP\""
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
AppRun = "%Application Data%\AppRun\AppRun.exe -updatestartup"
Other System Modifications
Modifies the following files:
- %Start Menu%\Programs\Internet Explorer.lnk
- %Application Data%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
- %Start Menu%\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
(Note: %Start Menu% is the current user's Start Menu folder, usually C:\Windows\Profile\{Benutzername}\Startmenü on Windows 98 and ME, C:\WINNT\Profile\{Benutzername}\Startmenü on Windows NT, C:\Windows\Startmenü or C:\Dokumente und Einstellungen\{Benutzername}\Startmenü on Windows 2000 (32-bit), XP and Server 2003 (32-bit), and C:\Users\{Benutzername}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit) and 10 (64-bit).)
Deletes the following files:
- %Windows%\Tasks\Update_Zoremov.job
(Note: %Windows% is the Windows folder, usually C:\Windows or C:\WINNT.)
Deletes the following folders:
- %User Temp%\IXP001.TMP
Adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
DisplayName = "PDFLeader"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
ApplicationVersion = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
Publisher = "Zoremov"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
DisplayIcon = "%Application Data%\AppRun\AppRun.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
DisplayVersion = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
InstallDate = "20200115"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
UninstallString = "%Application Data%\AppRun\AppRun.exe -uninstall"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Zoremov
EstimatedSize = "437"
HKEY_CURRENT_USER\Software\Apprun
Installed = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Capabilities
Hidden = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http
FriendlyTypeName = "@%System%\ieframe.dll,-903"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https
FriendlyTypeName = "@%System%\ieframe.dll,-904"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp
FriendlyTypeName = "@%System%\ieframe.dll,-905"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InternetShortcut
FriendlyTypeName = "@%System%\ieframe.dll,-10046"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Microsoft.Website
(Default) = "Pinned Site Shortcut"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Microsoft.Website
EditFlags = "131074"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Microsoft.Website
FriendlyTypeName = "@%System%\ieframe.dll,-53504"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Microsoft.Website\DefaultIcon
(Default) = "%SystemRoot%\system32\ieframe.dll,-211"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile
FriendlyTypeName = "@%System%\ieframe.dll,-912"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile
FriendlyTypeName = "@%System%\ieframe.dll,-913"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile
FriendlyTypeName = "@%System%\ieframe.dll,-914"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\DefaultIcon
(Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-17"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile
FriendlyTypeName = "@%System%\ieframe.dll,-915"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\DefaultIcon
(Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-17"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.htm\OpenWithProgIds
htmlfile = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.html\OpenWithProgIds
htmlfile = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.partial
(Default) = "IE.AssocFile.PARTIAL"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.partial\OpenWithProgIds
IE.AssocFile.PARTIAL = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.svg
(Default) = "svgfile"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.svg
Content Type = "image/svg+xml"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.svg\OpenWithProgIds
svgfile = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xhtml
(Default) = "xhtmlfile"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xhtml
Content Type = "application/xhtml+xml"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xhtml\OpenWithProgIds
xhtmlfile = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xht
(Default) = "xhtmlfile"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xht
Content Type = "application/xhtml+xml"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xht\OpenWithProgIds
xhtmlfile = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\shell
(Default) = "open"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\shell\open
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\shell\open\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\shell
(Default) = "open"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\shell\open
CommandId = "IE.Protocol"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\shell\open\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\shell
(Default) = "open"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\shell\open
CommandId = "IE.Protocol"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\shell\open\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open
MUIVerb = "@%System%\ieframe.dll,-5732"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew
MUIVerb = "@%System%\ieframe.dll,-5731"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew
CommandId = "IE.Protocol"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mht\OpenWithProgIds
mhtmlfile = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mhtml\OpenWithProgIds
mhtmlfile = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\open
MUIVerb = "@%System%\ieframe.dll,-5732"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\open
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\open\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew
MUIVerb = "@%System%\ieframe.dll,-5731"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell
(Default) = "opennew"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open
(Default) = "Open in S&ame Window"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open
MUIVerb = "@%System%\ieframe.dll,-5732"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\print\
command
(Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\printto\
command
(Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1 %2 %3 %4"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew
(Default) = "&Open"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew
MUIVerb = "@%System%\ieframe.dll,-5731"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell
(Default) = "opennew"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open
(Default) = "Open in S&ame Window"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open
MUIVerb = "@%System%\ieframe.dll,-5732"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\print\
command
(Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\printto\
command
(Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1 %2 %3 %4"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew
(Default) = "&Open"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew
MUIVerb = "@%System%\ieframe.dll,-5731"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew\
command
DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.website
(Default) = "Microsoft.Website"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.website\OpenWithProgIds
Microsoft.Website = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Microsoft.Website\Shell
(Default) = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Microsoft.Website\Shell\Open
(Default) = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.URL\OpenWithProgIds
InternetShortcut = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Applications\iexplore.exe\shell\
open
CommandId = "IE.File"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter = "41"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
telnet
FriendlyTypeName = "@%System%\ieframe.dll,-907"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
rlogin
FriendlyTypeName = "@%System%\ieframe.dll,-908"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
tn3270
FriendlyTypeName = "@%System%\ieframe.dll,-909"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mailto
FriendlyTypeName = "@%System%\ieframe.dll,-910"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter = "42"
Modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
IsInstalled = "1"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\
StartMenuInternet\IEXPLORE.EXE\InstallInfo
IconsVisible = "1"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Setup\
OC Manager\Subcomponents
IEAccess = "1"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http
(Default) = "URL:HyperText Transfer Protocol"
(Note: The default value data of the said registry entry is URL:HyperText Transfer Protocol.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http
EditFlags = "2"
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http
URL Protocol = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\DefaultIcon
(Default) = "%SystemRoot%\system32\url.dll,0"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https
(Default) = "URL:HyperText Transfer Protocol with Privacy"
(Note: The default value data of the said registry entry is URL:HyperText Transfer Protocol with Privacy.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https
EditFlags = "2"
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https
URL Protocol = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\DefaultIcon
(Default) = "%SystemRoot%\system32\url.dll,0"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp
(Default) = "URL:File Transfer Protocol"
(Note: The default value data of the said registry entry is URL:File Transfer Protocol.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp
EditFlags = "2"
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp
URL Protocol = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\DefaultIcon
(Default) = "%SystemRoot%\system32\url.dll,0"
(Note: The default value data of the said registry entry is %Windows%\system32\msieftp.dll,0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InternetShortcut
(Default) = "Internet Shortcut"
(Note: The default value data of the said registry entry is Internet Shortcut.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InternetShortcut
EditFlags = "2"
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InternetShortcut\DefaultIcon
(Default) = "%SystemRoot%\system32\url.dll,5"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\DefaultIcon
(Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-17"
(Note: The default value data of the said registry entry is "%1".)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\DefaultIcon
(Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-32554"
(Note: The default value data of the said registry entry is "%1".)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.htm
(Default) = "htmlfile"
(Note: The default value data of the said registry entry is htmlfile.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.htm
Content Type = "text/html"
(Note: The default value data of the said registry entry is text/html.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.html
(Default) = "htmlfile"
(Note: The default value data of the said registry entry is htmlfile.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.html
Content Type = "text/html"
(Note: The default value data of the said registry entry is text/html.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\shell\open\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" -nohome.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\shell\open\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" -nohome.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\shell\open\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" %1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell
(Default) = "opennew"
(Note: The default value data of the said registry entry is opennew.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open
(Default) = "Open in S&ame Window"
(Note: The default value data of the said registry entry is Open in S&ame Window.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" -nohome.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\Print\
command
(Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1"
(Note: The default value data of the said registry entry is "%Program Files%\Microsoft Office\OFFICE11\msohtmed.exe" /p %1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\printto\
command
(Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1 %2 %3 %4"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell
(Default) = "opennew"
(Note: The default value data of the said registry entry is opennew.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew
(Default) = "&Open"
(Note: The default value data of the said registry entry is &Open.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" %1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mht
(Default) = "mhtmlfile"
(Note: The default value data of the said registry entry is mhtmlfile.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mht
Content Type = "message/rfc822"
(Note: The default value data of the said registry entry is message/rfc822.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mhtml
(Default) = "mhtmlfile"
(Note: The default value data of the said registry entry is mhtmlfile.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mhtml
Content Type = "message/rfc822"
(Note: The default value data of the said registry entry is message/rfc822.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\open
(Default) = "Open in S&ame Window"
(Note: The default value data of the said registry entry is Open in S&ame Window.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\open\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" -nohome.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew
(Default) = "&Open"
(Note: The default value data of the said registry entry is &Open.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew\
command
(Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" %1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.URL
(Default) = "InternetShortcut"
(Note: The default value data of the said registry entry is InternetShortcut.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
Attributes = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
Locale = "*"
(Note: The default value data of the said registry entry is en.)
HKEY_CURRENT_USER\Software\Microsoft\
Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
Version = "11,0,9600,0"
(Note: The default value data of the said registry entry is 6,0,2900,2180.)
Deletes the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce\
wextract_cleanup0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
RemoveAccess\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\URL Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\shell\open\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\shell\open\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
http\shell\open\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\URL Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\shell\open\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\shell\open\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
https\shell\open\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\URL Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\shell\open\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\shell\open\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ftp\shell\open\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew\
(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\opennew\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew\
(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\shell\opennew\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew\
(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\opennew\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew\
(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\opennew\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
htmlfile\shell\open\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.htm\OpenWithProgIds\htmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.html\OpenWithProgIds\htmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
mhtmlfile\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mht\OpenWithProgIds\mhtmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.mhtml\OpenWithProgIds\mhtmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
svgfile\shell\open\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.svg\OpenWithProgIds\svgfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open\
CommandId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open\
command\DelegateExecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
xhtmlfile\shell\open\
command\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xht\OpenWithProgIds\xhtmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.xhtml\OpenWithProgIds\xhtmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.partial\OpenWithProgIds\IE.AssocFile.PARTIAL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.website\OpenWithProgIds\Microsoft.Website
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.URL\OpenWithProgIds\InternetShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
ShellExecuteHooks\{FBF23B40-E3F0-101B-8488-00AA003E56F8}
Dropping Routine
Drops the following files:
- %AppDataLocal%\GDIPFONTCACHEV1.DAT
- %Application Data%\AppRun\api-ms-win-core-processthreads-l1-1-1.dll
- %AppDataLocal%\Microsoft\Media Player\CurrentDatabase_372.wmdb
- %Application Data%\AppRun\api-ms-win-core-localization-l1-2-0.dll
- %User Temp%\u1bc.4
- %Application Data%\AppRun\api-ms-win-crt-string-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-core-file-l2-1-0.dll
- %Application Data%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
- %Application Data%\AppRun\api-ms-win-crt-math-l1-1-0.dll
- %User Temp%\u1bc.1
- %Application Data%\AppRun\api-ms-win-crt-runtime-l1-1-0.dll
- %Application Data%\AppRun\mfc140u.dll
- %Application Data%\AppRun\api-ms-win-crt-time-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-crt-filesystem-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-core-file-l1-2-0.dll
- %All Users Profile%\Microsoft\Windows\DRM\v3ks.sec
- %AppDataLocal%\Microsoft\Internet Explorer\MSIMGSIZ.DAT
- %Application Data%\AppRun\vcruntime140.dll
- %Application Data%\AppDirectory\PDFLeader\PDFLeader.ico
- %Application Data%\AppRun\ucrtbase.dll
- %Application Data%\AppRun\api-ms-win-core-timezone-l1-1-0.dll
- %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\3UYAQU1F\service.tst.pdfleaderapp[1].xml
- %Application Data%\AppRun\libcurl.dll
- %Start Menu%\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
- %Application Data%\AppRun\api-ms-win-crt-utility-l1-1-0.dll
- %Application Data%\AppRun\AppRun.exe
- %Application Data%\AppRun\api-ms-win-crt-stdio-l1-1-0.dll
- %Application Data%\AppDirectory\PDFLeader\SharpCompress.dll
- %Application Data%\AppDirectory\PDFLeader\params.txt
- %Application Data%\AppRun\api-ms-win-crt-locale-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-core-synch-l1-2-0.dll
- %All Users Profile%\Microsoft\Windows\DRM\drmstore.hds
- %Application Data%\AppRun\api-ms-win-crt-convert-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-crt-multibyte-l1-1-0.dll
- %User Temp%\u1bc.3
- %Application Data%\AppRun\api-ms-win-crt-heap-l1-1-0.dll
- %User Temp%\u1bc.0
- %Application Data%\AppDirectory\PDFLeader\PDFLeaderapp.exe.config
- %Application Data%\AppRun\msvcp140.dll
- %Application Data%\AppRun\api-ms-win-crt-environment-l1-1-0.dll
- %Desktop%\PDFLeader.lnk
- %User Temp%\u1bc.2
- %Application Data%\AppDirectory\PDFLeader\PDFLeaderapp.exe
(Note: %Desktop% is the current user's Desktop folder, usually C:\Windows\Profile\{Benutzername}\Desktop on Windows 98 and ME, C:\WINNT\Profile\{Benutzername}\Desktop on Windows NT, C:\Dokumente und Einstellungen\{Benutzername}\Desktop on Windows 2000 (32-bit), XP and Server 2003 (32-bit), and C:\Users\{Benutzername}\Desktop on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit) and 10 (64-bit).)
Solutions
Step 1
For Windows ME and XP users: Before scanning, make sure that System Restore is disabled so that the entire computer can be scanned.
Step 2
Restart in Safe Mode
Step 3
Identify and terminate files detected as Adware.Win32.Zoremov.A
- For Windows 98 and ME users: Windows Task Manager may not display all running processes. In this case, use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You can download this tool here.
- If the detected file is displayed in Windows Task Manager or Process Explorer but cannot be deleted, restart your computer in Safe Mode. Click this link to view all the required steps.
- If the detected file is not displayed in Windows Task Manager or Process Explorer, continue with the next steps.
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Perform this step only if you are familiar with the procedure or can ask your system administrator for assistance. Otherwise, read this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- wextract_cleanup0 = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%User Temp%\IXP001.TMP\""
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- AppRun = "%Application Data%\AppRun\AppRun.exe -updatestartup"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- DisplayName = "PDFLeader"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- ApplicationVersion = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- Publisher = "Zoremov"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- DisplayIcon = "%Application Data%\AppRun\AppRun.exe"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- DisplayVersion = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- InstallDate = "20200115"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- UninstallString = "%Application Data%\AppRun\AppRun.exe -uninstall"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Zoremov
- EstimatedSize = "437"
- In HKEY_CURRENT_USER\Software\Apprun
- Installed = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities
- Hidden = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http
- FriendlyTypeName = "@%System%\ieframe.dll,-903"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https
- FriendlyTypeName = "@%System%\ieframe.dll,-904"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp
- FriendlyTypeName = "@%System%\ieframe.dll,-905"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut
- FriendlyTypeName = "@%System%\ieframe.dll,-10046"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.Website
- (Default) = "Pinned Site Shortcut"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.Website
- EditFlags = "131074"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.Website
- FriendlyTypeName = "@%System%\ieframe.dll,-53504"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.Website\DefaultIcon
- (Default) = "%SystemRoot%\system32\ieframe.dll,-211"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile
- FriendlyTypeName = "@%System%\ieframe.dll,-912"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile
- FriendlyTypeName = "@%System%\ieframe.dll,-913"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile
- FriendlyTypeName = "@%System%\ieframe.dll,-914"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\DefaultIcon
- (Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-17"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile
- FriendlyTypeName = "@%System%\ieframe.dll,-915"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\DefaultIcon
- (Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-17"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds
- htmlfile = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds
- htmlfile = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.partial
- (Default) = "IE.AssocFile.PARTIAL"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.partial\OpenWithProgIds
- IE.AssocFile.PARTIAL = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.svg
- (Default) = "svgfile"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.svg
- Content Type = "image/svg+xml"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds
- svgfile = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml
- (Default) = "xhtmlfile"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml
- Content Type = "application/xhtml+xml"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds
- xhtmlfile = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht
- (Default) = "xhtmlfile"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht
- Content Type = "application/xhtml+xml"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds
- xhtmlfile = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell
- (Default) = "open"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell
- (Default) = "open"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open
- CommandId = "IE.Protocol"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell
- (Default) = "open"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open
- CommandId = "IE.Protocol"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open
- MUIVerb = "@%System%\ieframe.dll,-5732"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew
- MUIVerb = "@%System%\ieframe.dll,-5731"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew
- CommandId = "IE.Protocol"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds
- mhtmlfile = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds
- mhtmlfile = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open
- MUIVerb = "@%System%\ieframe.dll,-5732"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew
- MUIVerb = "@%System%\ieframe.dll,-5731"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell
- (Default) = "opennew"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open
- (Default) = "Open in S&ame Window"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open
- MUIVerb = "@%System%\ieframe.dll,-5732"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open\command
- (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\print\command
- (Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command
- (Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1 %2 %3 %4"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew
- (Default) = "&Open"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew
- MUIVerb = "@%System%\ieframe.dll,-5731"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\command
- (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell
- (Default) = "opennew"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open
- (Default) = "Open in S&ame Window"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open
- MUIVerb = "@%System%\ieframe.dll,-5732"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command
- (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\print\command
- (Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\printto\command
- (Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1 %2 %3 %4"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew
- (Default) = "&Open"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew
- MUIVerb = "@%System%\ieframe.dll,-5731"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\command
- (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\command
- DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.website
- (Default) = "Microsoft.Website"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.website\OpenWithProgIds
- Microsoft.Website = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.Website\Shell
- (Default) = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.Website\Shell\Open
- (Default) = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.URL\OpenWithProgIds
- InternetShortcut = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open
- CommandId = "IE.File"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
- GlobalAssocChangedCounter = "41"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet
- FriendlyTypeName = "@%System%\ieframe.dll,-907"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rlogin
- FriendlyTypeName = "@%System%\ieframe.dll,-908"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tn3270
- FriendlyTypeName = "@%System%\ieframe.dll,-909"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mailto
- FriendlyTypeName = "@%System%\ieframe.dll,-910"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
- GlobalAssocChangedCounter = "42"
Step 5
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to permanent system malfunction. Perform this step only if you are familiar with the procedure or can ask your system administrator for assistance. Otherwise, read this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
- From: IsInstalled = "1"
To: IsInstalled = ""1""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\InstallInfo
- From: IconsVisible = "1"
To: IconsVisible = ""1""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents
- From: IEAccess = "1"
To: IEAccess = ""1""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http
- From: (Default) = "URL:HyperText Transfer Protocol"
To: (Default) = ""URL:HyperText Transfer Protocol""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http
- From: EditFlags = "2"
To: EditFlags = ""2""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http
- URL Protocol = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\DefaultIcon
- From: (Default) = "%SystemRoot%\system32\url.dll,0"
To: (Default) = ""{random values}""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https
- From: (Default) = "URL:HyperText Transfer Protocol with Privacy"
To: (Default) = ""URL:HyperText Transfer Protocol with Privacy""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https
- From: EditFlags = "2"
To: EditFlags = ""2""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https
- URL Protocol = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\DefaultIcon
- From: (Default) = "%SystemRoot%\system32\url.dll,0"
To: (Default) = ""{random values}""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp
- From: (Default) = "URL:File Transfer Protocol"
To: (Default) = ""URL:File Transfer Protocol""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp
- From: EditFlags = "2"
To: EditFlags = ""2""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp
- URL Protocol = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\DefaultIcon
- From: (Default) = "%SystemRoot%\system32\url.dll,0"
To: (Default) = ""%Windows%\system32\msieftp.dll,0""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut
- From: (Default) = "Internet Shortcut"
To: (Default) = ""Internet Shortcut""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut
- From: EditFlags = "2"
To: EditFlags = ""2""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\DefaultIcon
- From: (Default) = "%SystemRoot%\system32\url.dll,5"
To: (Default) = ""{random values}""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon
- From: (Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-17"
To: (Default) = """%1"""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon
- From: (Default) = "%Program Files%\Internet Explorer\IEXPLORE.EXE,-32554"
To: (Default) = """%1"""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm
- From: (Default) = "htmlfile"
To: (Default) = ""htmlfile""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm
- From: Content Type = "text/html"
To: Content Type = ""text/html""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html
- From: (Default) = "htmlfile"
To: (Default) = ""htmlfile""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html
- From: Content Type = "text/html"
To: Content Type = ""text/html""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
To: (Default) = """%Program Files%\Internet Explorer\iexplore.exe" -nohome""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\command
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
To: (Default) = """%Program Files%\Internet Explorer\iexplore.exe" -nohome""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
To: (Default) = """%Program Files%\Internet Explorer\iexplore.exe" %1""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell
- From: (Default) = "opennew"
To: (Default) = ""opennew""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open
- From: (Default) = "Open in S&ame Window"
To: (Default) = ""Open in S&ame Window""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
To: (Default) = """%Program Files%\Internet Explorer\iexplore.exe" -nohome""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
- From: (Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1"
To: (Default) = """%Program Files%\Microsoft Office\OFFICE11\msohtmed.exe" /p %1""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\printto\command
- From: (Default) = "%System%\rundll32.exe %System%\mshtml.dll,PrintHTML %1 %2 %3 %4"
To: (Default) = ""{random values}""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell
- From: (Default) = "opennew"
To: (Default) = ""opennew""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew
- From: (Default) = "&Open"
To: (Default) = ""&Open""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew\command
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
To: (Default) = """%Program Files%\Internet Explorer\iexplore.exe" %1""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mht
- From: (Default) = "mhtmlfile"
To: (Default) = ""mhtmlfile""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mht
- From: Content Type = "message/rfc822"
To: Content Type = ""message/rfc822""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mhtml
- From: (Default) = "mhtmlfile"
To: (Default) = ""mhtmlfile""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mhtml
- From: Content Type = "message/rfc822"
To: Content Type = ""message/rfc822""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open
- From: (Default) = "Open in S&ame Window"
To: (Default) = ""Open in S&ame Window""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
To: (Default) = """%Program Files%\Internet Explorer\iexplore.exe" -nohome""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew
- From: (Default) = "&Open"
To: (Default) = ""&Open""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\command
- From: (Default) = "%System Root%\Program Files\Internet Explorer\IEXPLORE.EXE %1"
To: (Default) = """%Program Files%\Internet Explorer\iexplore.exe" %1""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.URL
- From: (Default) = "InternetShortcut"
To: (Default) = ""InternetShortcut""
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
- Attributes = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
- From: Locale = "*"
To: Locale = ""en""
- In HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
- From: Version = "11,0,9600,0"
To: Version = ""6,0,2900,2180""
Step 6
Search for and delete these files
- %AppDataLocal%\GDIPFONTCACHEV1.DAT
- %Application Data%\AppRun\api-ms-win-core-processthreads-l1-1-1.dll
- %AppDataLocal%\Microsoft\Media Player\CurrentDatabase_372.wmdb
- %Application Data%\AppRun\api-ms-win-core-localization-l1-2-0.dll
- %User Temp%\u1bc.4
- %Application Data%\AppRun\api-ms-win-crt-string-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-core-file-l2-1-0.dll
- %Application Data%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
- %Application Data%\AppRun\api-ms-win-crt-math-l1-1-0.dll
- %User Temp%\u1bc.1
- %Application Data%\AppRun\api-ms-win-crt-runtime-l1-1-0.dll
- %Application Data%\AppRun\mfc140u.dll
- %Application Data%\AppRun\api-ms-win-crt-time-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-crt-filesystem-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-core-file-l1-2-0.dll
- %All Users Profile%\Microsoft\Windows\DRM\v3ks.sec
- %AppDataLocal%\Microsoft\Internet Explorer\MSIMGSIZ.DAT
- %Application Data%\AppRun\vcruntime140.dll
- %Application Data%\AppDirectory\PDFLeader\PDFLeader.ico
- %Application Data%\AppRun\ucrtbase.dll
- %Application Data%\AppRun\api-ms-win-core-timezone-l1-1-0.dll
- %AppDataLocal%\Microsoft\Internet Explorer\DOMStore\3UYAQU1F\service.tst.pdfleaderapp[1].xml
- %Application Data%\AppRun\libcurl.dll
- %Start Menu%\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
- %Application Data%\AppRun\api-ms-win-crt-utility-l1-1-0.dll
- %Application Data%\AppRun\AppRun.exe
- %Application Data%\AppRun\api-ms-win-crt-stdio-l1-1-0.dll
- %Application Data%\AppDirectory\PDFLeader\SharpCompress.dll
- %Application Data%\AppDirectory\PDFLeader\params.txt
- %Application Data%\AppRun\api-ms-win-crt-locale-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-core-synch-l1-2-0.dll
- %All Users Profile%\Microsoft\Windows\DRM\drmstore.hds
- %Application Data%\AppRun\api-ms-win-crt-convert-l1-1-0.dll
- %Application Data%\AppRun\api-ms-win-crt-multibyte-l1-1-0.dll
- %User Temp%\u1bc.3
- %Application Data%\AppRun\api-ms-win-crt-heap-l1-1-0.dll
- %User Temp%\u1bc.0
- %Application Data%\AppDirectory\PDFLeader\PDFLeaderapp.exe.config
- %Application Data%\AppRun\msvcp140.dll
- %Application Data%\AppRun\api-ms-win-crt-environment-l1-1-0.dll
- %Desktop%\PDFLeader.lnk
- %User Temp%\u1bc.2
- %Application Data%\AppDirectory\PDFLeader\PDFLeaderapp.exe
Step 7
Search for and delete these folders
- %Application Data%\AppDirectory\PDFLeader
- %Application Data%\AppDirectory
- %Application Data%\AppRun
Step 8
Restart in normal mode and scan your computer with your Trend Micro product for files detected as Adware.Win32.Zoremov.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further steps are required. Quarantined files can simply be deleted. See this Knowledge Base page for more information.
Step 9
Restore these files from backup. Only Microsoft-related files will be restored. If this malware/grayware/spyware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer.
- %Start Menu%\Programs\Internet Explorer.lnk
- %Application Data%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
- %Start Menu%\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
Step 10
Restore this file from backup. Only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer.
- %Windows%\Tasks\Update_Zoremov.job
Step 11
Restore these deleted registry keys/values from backup
Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- wextract_cleanup0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RemoveAccess
- iexplore.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http
- URL Protocol
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\DefaultIcon
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https
- URL Protocol
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\DefaultIcon
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\https\shell\open\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp
- URL Protocol
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\DefaultIcon
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds
- htmlfile
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds
- htmlfile
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds
- mhtmlfile
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds
- mhtmlfile
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\DefaultIcon
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\svgfile\shell\open\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds
- svgfile
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open
- CommandId
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command
- DelegateExecute
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command
- (Default)
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds
- xhtmlfile
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds
- xhtmlfile
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.partial\OpenWithProgIds
- IE.AssocFile.PARTIAL
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.website\OpenWithProgIds
- Microsoft.Website
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.URL\OpenWithProgIds
- InternetShortcut
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
- {FBF23B40-E3F0-101B-8488-00AA003E56F8}