Trojan:Win32/Emotet!MTB (Microsoft); Emotet-FOZ!14CA22BA3BA5 (McAfee); HEUR:Trojan-Banker.Win32.Emotet.gen (Kaspersky); Mal/EncPk-APA (Sophos); Trojan.Win32.Generic!BT (Sunbelt)

 Plattform:

Windows

 Risikobewertung (gesamt):
 Schadenspotenzial::
 Verteilungspotenzial::
 reportedInfection:
 Beeinträchtigung der Systemleistung ::
 Trend Micro Lösungen:
Niedrig
Mittel
Hoch
Kritisch

  • Malware-Typ:
    Trojan Spy

  • Zerstrerisch?:
    Nein

  • Verschlsselt?:
     

  • In the wild::
    Ja

  Überblick

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Löscht Dateien, so dass Programme und Anwendungen nicht ordnungsgemäß ausgeführt werden.

  Technische Details

Dateigröße: 640,940 bytes
Dateityp: EXE
Speicherresiden: Ja
Erste Muster erhalten am: 10 Januar 2020

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Fügt die folgenden Prozesse hinzu:

  • {malware file path and name} --5c939618
  • "%Windows%\SysWOW64\groupfill.exe"
  • %Windows%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  • %Windows%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  • %System%\svchost.exe -k LocalServiceAndNoImpersonation
  • %System%\sppsvc.exe
  • "%System Root%\Program Files\Windows Media Player\wmpnetwk.exe"
  • %System%\svchost.exe -k netsvcs
  • %Windows%\SysWOW64\groupfill.exe --846b6c58

(Hinweis: %Windows% ist der Windows Ordner, normalerweise C:\Windows oder C:\WINNT.. %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).. %System Root% ist der Stammordner, normalerweise C:\. Dort befindet sich auch das Betriebssystem.)

Erstellt die folgenden Ordner:

  • %Windows%\ServiceProfiles\NetworkService\AppData\Local\Microsoft

(Hinweis: %Windows% ist der Windows Ordner, normalerweise C:\Windows oder C:\WINNT.)

Autostart-Technik

Registriert sich als Systemdienst, damit sie bei jedem Systemstart automatisch ausgeführt wird, indem sie die folgenden Registrierungseinträge hinzufügt:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\groupfill
ImagePath = "%Windows%\SysWOW64\groupfill.exe"

Andere Systemänderungen

Ändert die folgenden Dateien:

  • %Windows%\Tasks\SCHEDLGU.TXT
  • %Windows%\Prefetch\SEARCHFILTERHOST.EXE-77482212.pf
  • %Windows%\Prefetch\SEARCHPROTOCOLHOST.EXE-0CB8CADE.pf
  • %Windows%\Prefetch\CONHOST.EXE-1F3E9D7E.pf

(Hinweis: %Windows% ist der Windows Ordner, normalerweise C:\Windows oder C:\WINNT.)

Löscht die folgenden Dateien:

  • %Windows%\SysWOW64\markupcube.exe
  • %Windows%\SysWOW64\groupfill.exe:Zone.Identifier
  • {malware file path and name}

(Hinweis: %Windows% ist der Windows Ordner, normalerweise C:\Windows oder C:\WINNT.)

Fügt die folgenden Registrierungsschlüssel hinzu:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
SessionInfo\1\WHCIconStartup

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.3g2\OpenWithProgids\
WMP11.AssocFile.3G2

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.3gp\OpenWithProgids\
WMP11.AssocFile.3GP

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.3gp2\OpenWithProgids\
WMP11.AssocFile.3G2

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.3gpp\OpenWithProgids\
WMP11.AssocFile.3GP

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.AAC\OpenWithProgids\
WMP11.AssocFile.ADTS

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.ADT\OpenWithProgids\
WMP11.AssocFile.ADTS

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.ADTS\OpenWithProgids\
WMP11.AssocFile.ADTS

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.aif\OpenWithProgids\
WMP11.AssocFile.AIFF

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.aifc\OpenWithProgids\
WMP11.AssocFile.AIFF

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.aiff\OpenWithProgids\
WMP11.AssocFile.AIFF

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.asf\OpenWithProgids\
WMP11.AssocFile.ASF

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.asx\OpenWithProgids\
WMP11.AssocFile.ASX

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.au\OpenWithProgids\
WMP11.AssocFile.AU

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.avi\OpenWithProgids\
WMP11.AssocFile.AVI

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.bmp\OpenWithProgids\
Paint.Picture

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.cab\OpenWithProgids\
CABFolder

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.contact\OpenWithProgids\
contact_wab_auto_file

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.css\OpenWithProgids\
CSSfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.csv\OpenWithProgids\
Excel.CSV

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.dib\OpenWithProgids\
Paint.Picture

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.dll\OpenWithProgids\
dllfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.doc\OpenWithProgids\
Word.Document.8

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.docm\OpenWithProgids\
Word.DocumentMacroEnabled.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.docx\OpenWithProgids\
Word.Document.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.dot\OpenWithProgids\
Word.Template.8

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.dotm\OpenWithProgids\
Word.TemplateMacroEnabled.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.dotx\OpenWithProgids\
Word.Template.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.DVR\OpenWithProgids\
MediaCenter.DVR

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.DVR-MS\OpenWithProgids\
MediaCenter.DVR-MS

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.dwfx\OpenWithProgids\
Windows.XPSReachViewer

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.easmx\OpenWithProgids\
Windows.XPSReachViewer

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.edrwx\OpenWithProgids\
Windows.XPSReachViewer

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.emf\OpenWithProgids\
emffile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.eprtx\OpenWithProgids\
Windows.XPSReachViewer

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.exe\OpenWithProgids\
exefile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.fon\OpenWithProgids\
fonfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.gif\OpenWithProgids\
giffile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.htm\OpenWithProgids\
htmlfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.html\OpenWithProgids\
htmlfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.ico\OpenWithProgids\
icofile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.ini\OpenWithProgids\
inifile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.jfif\OpenWithProgids\
pjpegfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.jpe\OpenWithProgids\
jpegfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.jpeg\OpenWithProgids\
jpegfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.jpg\OpenWithProgids\
jpegfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.jtx\OpenWithProgids\
Windows.XPSReachViewer

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.lnk\OpenWithProgids\
lnkfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.m1v\OpenWithProgids\
WMP11.AssocFile.MPEG

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.M2T\OpenWithProgids\
WMP11.AssocFile.M2TS

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.M2TS\OpenWithProgids\
WMP11.AssocFile.M2TS

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.M2V\OpenWithProgids\
WMP11.AssocFile.MPEG

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.m3u\OpenWithProgids\
WMP11.AssocFile.m3u

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.m4a\OpenWithProgids\
WMP11.AssocFile.M4A

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.m4v\OpenWithProgids\
WMP11.AssocFile.MP4

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.mht\OpenWithProgids\
mhtmlfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.mhtml\OpenWithProgids\
mhtmlfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.mid\OpenWithProgids\
WMP11.AssocFile.MIDI

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.midi\OpenWithProgids\
WMP11.AssocFile.MIDI

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.MOD\OpenWithProgids\
WMP11.AssocFile.MPEG

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.mov\OpenWithProgids\
WMP11.AssocFile.MOV

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.mp2\OpenWithProgids\
WMP11.AssocFile.MP3

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.mp2v\OpenWithProgids\
WMP11.AssocFile.MPEG

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.mp3\OpenWithProgids\
WMP11.AssocFile.MP3

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.mp4\OpenWithProgids\
WMP11.AssocFile.MP4

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.mp4v\OpenWithProgids\
WMP11.AssocFile.MP4

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.mpa\OpenWithProgids\
WMP11.AssocFile.MPEG

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.mpe\OpenWithProgids\
WMP11.AssocFile.MPEG

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.mpeg\OpenWithProgids\
WMP11.AssocFile.MPEG

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.mpg\OpenWithProgids\
WMP11.AssocFile.MPEG

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.mpv2\OpenWithProgids\
WMP11.AssocFile.MPEG

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.msg\OpenWithProgids\
Outlook.File.msg

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.MTS\OpenWithProgids\
WMP11.AssocFile.M2TS

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.ocx\OpenWithProgids\
ocxfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.odt\OpenWithProgids\
odtfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.otf\OpenWithProgids\
otffile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.png\OpenWithProgids\
pngfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.pot\OpenWithProgids\
PowerPoint.Template.8

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.potm\OpenWithProgids\
PowerPoint.TemplateMacroEnabled.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.potx\OpenWithProgids\
PowerPoint.Template.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.ppam\OpenWithProgids\
PowerPoint.Addin.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.ppsm\OpenWithProgids\
PowerPoint.SlideShowMacroEnabled.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.ppsx\OpenWithProgids\
PowerPoint.SlideShow.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.ppt\OpenWithProgids\
PowerPoint.Show.8

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.pptm\OpenWithProgids\
PowerPoint.ShowMacroEnabled.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.pptx\OpenWithProgids\
PowerPoint.Show.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.ps1xml\OpenWithProgids\
Microsoft.PowerShellXMLData.1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.rle\OpenWithProgids\
rlefile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.rmi\OpenWithProgids\
WMP11.AssocFile.MIDI

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.rtf\OpenWithProgids\
Word.RTF.8

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.scf\OpenWithProgids\
SHCmdFile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.search-ms\OpenWithProgids\
SearchFolder

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.shtml\OpenWithProgids\
shtmlfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.sldm\OpenWithProgids\
PowerPoint.SlideMacroEnabled.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.sldx\OpenWithProgids\
PowerPoint.Slide.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.snd\OpenWithProgids\
WMP11.AssocFile.AU

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.sys\OpenWithProgids\
sysfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.tif\OpenWithProgids\
TIFImage.Document

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.tiff\OpenWithProgids\
TIFImage.Document

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.TS\OpenWithProgids\
WMP11.AssocFile.TTS

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.ttc\OpenWithProgids\
ttcfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.ttf\OpenWithProgids\
ttffile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.TTS\OpenWithProgids\
WMP11.AssocFile.TTS

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.txt\OpenWithProgids\
txtfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.wav\OpenWithProgids\
WMP11.AssocFile.WAV

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.wax\OpenWithProgids\
WMP11.AssocFile.WAX

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.wdp\OpenWithProgids\
wdpfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.wm\OpenWithProgids\
WMP11.AssocFile.ASF

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.wma\OpenWithProgids\
WMP11.AssocFile.WMA

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.wmf\OpenWithProgids\
wmffile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.wmv\OpenWithProgids\
WMP11.AssocFile.WMV

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.wmx\OpenWithProgids\
WMP11.AssocFile.ASX

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.wpl\OpenWithProgids\
WMP11.AssocFile.WPL

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.WTV\OpenWithProgids\
MediaCenter.WTVFile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.wvx\OpenWithProgids\
WMP11.AssocFile.WVX

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.xlam\OpenWithProgids\
Excel.AddInMacroEnabled

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.xls\OpenWithProgids\
Excel.Sheet.8

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.xlsb\OpenWithProgids\
Excel.SheetBinaryMacroEnabled.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.xlsm\OpenWithProgids\
Excel.SheetMacroEnabled.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.xlsx\OpenWithProgids\
Excel.Sheet.12

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.xlt\OpenWithProgids\
Excel.Template.8

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.xltm\OpenWithProgids\
Excel.TemplateMacroEnabled

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.xltx\OpenWithProgids\
Excel.Template

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.xml\OpenWithProgids\
xmlfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.xps\OpenWithProgids\
Windows.XPSReachViewer

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.xsl\OpenWithProgids\
xslfile

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
FileExts\.zip\OpenWithProgids\
CompressedFolder

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Network\NetCfgLockHolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
ServiceInstances\{GUID}

Fügt die folgenden Registrierungseinträge hinzu:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\IKEEXT
Type = "16"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\AeLookupSvc
Type = "16"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\NetworkList\
Nla\Cache\Intranet
{89BCDCB3-5725-45A2-94AB-2D6B641209B0} = "\x00PV\xbc\x0f"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
cval = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LanmanServer\Shares
Users = "\x00\x00\x00\x00\x00\x00\x00"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
PolicyApplicationState
PolicyState = "0"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Network\NetCfgLockHolder
(Default) = "iphlpsvc.dll"

HKEY_USERS\S-1-5-21-2407829820-1079796033-203259571-500\Software\
Microsoft\Windows\CurrentVersion\
Group Policy\PolicyApplicationState
PolicyState = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
State\Machine\Extension-List\
{{GUID}}
StartTimeLo = "1026249381"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
State\Machine\Extension-List\
{{GUID}}
StartTimeHi = "30757067"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
State\Machine\Extension-List\
{{GUID}}
EndTimeLo = "1609447381"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
State\Machine\Extension-List\
{{GUID}}
EndTimeHi = "30757067"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
State\Machine\Extension-List\
{{GUID}}
Status = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
State\Machine\Extension-List\
{{GUID}}
LoggingStatus = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
History
PolicyOverdue = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
State\S-1-5-21-2407829820-1079796033-203259571-500\Extension-List\
{{GUID}}
StartTimeLo = "1020159381"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
State\S-1-5-21-2407829820-1079796033-203259571-500\Extension-List\
{{GUID}}
StartTimeHi = "30757067"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
State\S-1-5-21-2407829820-1079796033-203259571-500\Extension-List\
{{GUID}}
EndTimeLo = "1633809382"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
State\S-1-5-21-2407829820-1079796033-203259571-500\Extension-List\
{{GUID}}
EndTimeHi = "30757067"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
State\S-1-5-21-2407829820-1079796033-203259571-500\Extension-List\
{{GUID}}
Status = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
State\S-1-5-21-2407829820-1079796033-203259571-500\Extension-List\
{{GUID}}
LoggingStatus = "0"

HKEY_USERS\S-1-5-21-2407829820-1079796033-203259571-500\Software\
Microsoft\Windows\CurrentVersion\
Group Policy\History
PolicyOverdue = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Group Policy\
PolicyApplicationState
PolicyState = "2"

HKEY_USERS\S-1-5-21-2407829820-1079796033-203259571-500\Software\
Microsoft\Windows\CurrentVersion\
Group Policy\PolicyApplicationState
PolicyState = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\groupfill
DisplayName = "groupfill"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\groupfill
Start = "SERVICE_AUTO_START"

Ändert die folgenden Registrierungseinträge:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\Browser
Type = "16"

(Note: The default value data of the said registry entry is 20.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LanmanServer\Parameters
Guid = "\x9e8%\x0f\xd6\xe6TM\x85\x07?)\xfbm\xaag"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LanmanServer\Parameters
Guid = "=\x1bSs\xa6\xe9_K\x8e \x92!\x9f\xf6\xdf\xb1"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LanmanServer\Parameters
Guid = "\xce\x897\x11\xd3\x11[E\xb2v\xd9\x93\x1cU\x8f\x03"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LanmanServer\Parameters
Guid = "\xa3\x99\x8b\x89ncA\x82Y\x93\xe2\xaev\x9b\x8c"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LanmanServer\Parameters
Guid = "r\xec\xb0xB\x1d\xd8I\xbenC\xa6\x15l\xa4e"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LanmanServer\Parameters
Guid = "\xb4\x8a'\x831J\x91K\xb6\xffDbg]\xe9a"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LanmanServer\Parameters
Guid = "\x12Q]T\xe7\x0e\xc9C\x88\xd9\xd3$\xd7b\x0c\xfe"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LanmanServer\Parameters
Guid = "\x82`\xbb\xf1\x06\xb8uL\x8f\x98\x87[4\xd2\x19^"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LanmanServer\Parameters
Guid = "e0\x8b\xbc~-\xd8O\xae\x89\xc5o\xfa\x17\xa1"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LanmanServer\Parameters
Guid = "Z,t\xac\xcfa\xdbM\x9cP\xb2\x8e\xae\xbb\xd7i"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\LanmanServer\Parameters
Guid = "\xf3mO/\x05x\xbdB\xb3yz\xd7\xb5q\x90"

(Note: The default value data of the said registry entry is {random values}.)

Löscht die folgenden Registrierungsschlüssel:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Enum\IDE\CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____\
5&3a794e10&0&1.0.0\CustomPropertyHwIdKey

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Enum\PCIIDE\IDEChannel\
4&c5d1198&0&1\CustomPropertyHwIdKey

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Enum\PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\
4&1F16FEF7&0&00A8\CustomPropertyHwIdKey

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\LanmanServer\Parameters\
Guid

Einschleusungsroutine

Schleust die folgenden Dateien ein:

  • %All Users Profile%\Microsoft\Windows\DRM\drmstore.hds
  • %Windows%\SysWOW64\groupfill.exe
  • %Windows%\Prefetch\CONHOST.EXE-1F3E9D7E.pf
  • %Windows%\Tasks\SCHEDLGU.TXT
  • %Windows%\Prefetch\SEARCHFILTERHOST.EXE-77482212.pf
  • %System Root%\DfsServer
  • %AppDataLocal%\Microsoft\Media Player\CurrentDatabase_372.wmdb
  • %Windows%\Prefetch\SEARCHPROTOCOLHOST.EXE-0CB8CADE.pf
  • %All Users Profile%\Microsoft\Windows\DRM\v3ks.sec

(Hinweis: %Windows% ist der Windows Ordner, normalerweise C:\Windows oder C:\WINNT.. %System Root% ist der Stammordner, normalerweise C:\. Dort befindet sich auch das Betriebssystem.)

Andere Details

It connects to the following possibly malicious URL:

  • http://{BLOCKED}.19.218/7O1t0KOv0K5Ho7IWMp
  • http://{BLOCKED}.19.218/383g56wguu04Mqx
  • http://{BLOCKED}.19.218/pYODQ2RcPrZvUCLh
  • http://{BLOCKED}.19.218/GeDje8plC5QjD5K
  • http://{BLOCKED}.19.218/BhHnp9Gw5HsixJFf7I
  • http://{BLOCKED}.19.218/fHebq12nO4XLti
  • http://{BLOCKED}.19.218/dPJcHxgRgq1Sx
  • http://{BLOCKED}.19.218/iMReQyMtKyaPKGNIIYv
  • http://{BLOCKED}.19.218/yk09UTnw2DS95LnFu
  • http://{BLOCKED}.19.218/Jd3FLIDhEtKB
  • http://{BLOCKED}.19.218/8rpAKmN
  • http://{BLOCKED}.19.218/I3FvBwzF9f1e1
  • http://{BLOCKED}.19.218/UXk6Ap5djESmgXc
  • http://{BLOCKED}.19.218/y69fQ0MEzcin
  • http://{BLOCKED}.19.218/9C7mFrpr4IlwinIKjAW
  • http://{BLOCKED}.19.218/o4SqeMcKM
  • http://{BLOCKED}.19.218/4Yjaufs21Gz2bi
  • http://{BLOCKED}.19.218/FnWk7gyPNK1oVfJ
  • http://{BLOCKED}.19.218/4DFmxjl
  • http://{BLOCKED}.19.218/lgo7frOqtljn

  Lösungen

Mindestversion der Scan Engine: 9.850

Step 1

Für Windows ME und XP Benutzer: Stellen Sie vor einer Suche sicher, dass die Systemwiederherstellung deaktiviert ist, damit der gesamte Computer durchsucht werden kann.

Step 2

Dateien erkennen und deaktivieren, die als TrojanSpy.Win32.EMOTET.THLAOAI entdeckt wurden

[ learnMore ]
  1. Für Windows 98 und ME Benutzer: Der Windows Task-Manager zeigt möglicherweise nicht alle aktiven Prozesse an. Verwenden Sie in diesem Fall einen Prozess-Viewer eines Drittanbieters, vorzugsweise Process Explorer, um die Malware-/Grayware-/Spyware-Datei zu beenden. Dieses Tool können Sie hier.
    2. herunterladen.
  2. Wenn die entdeckte Datei im Windows Task-Manager oder Process Explorer angezeigt wird, aber nicht gelöscht werden kann, starten Sie Ihren Computer im abgesicherten Modus neu. Klicken Sie auf diesen Link, um alle erforderlichen Schritte anzuzeigen.
  3. Wenn die entdeckte Datei nicht im Windows Task-Manager oder im Process Explorer angezeigt wird, fahren Sie mit den nächsten Schritten fort.

Step 3

Diesen Registrierungsschlüssel löschen

[ learnMore ]

Wichtig: Eine nicht ordnungsgemäße Bearbeitung der Windows Registrierung kann zu einer dauerhaften Fehlfunktion des Systems führen. Führen Sie diesen Schritt nur durch, wenn Sie mit der Vorgehensweise vertraut sind oder wenn Sie Ihren Systemadministrator um Unterstützung bitten können. Lesen Sie ansonsten zuerst diesen Microsoft Artikel, bevor Sie die Registrierung Ihres Computers ändern.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
    • WHCIconStartup
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\OpenWithProgids
    • WMP11.AssocFile.3G2
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\OpenWithProgids
    • WMP11.AssocFile.3GP
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\OpenWithProgids
    • WMP11.AssocFile.3G2
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\OpenWithProgids
    • WMP11.AssocFile.3GP
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\OpenWithProgids
    • WMP11.AssocFile.ADTS
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT\OpenWithProgids
    • WMP11.AssocFile.ADTS
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADTS\OpenWithProgids
    • WMP11.AssocFile.ADTS
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithProgids
    • WMP11.AssocFile.AIFF
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithProgids
    • WMP11.AssocFile.AIFF
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithProgids
    • WMP11.AssocFile.AIFF
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\OpenWithProgids
    • WMP11.AssocFile.ASF
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithProgids
    • WMP11.AssocFile.ASX
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithProgids
    • WMP11.AssocFile.AU
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\OpenWithProgids
    • WMP11.AssocFile.AVI
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithProgids
    • Paint.Picture
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cab\OpenWithProgids
    • CABFolder
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.contact\OpenWithProgids
    • contact_wab_auto_file
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.css\OpenWithProgids
    • CSSfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.csv\OpenWithProgids
    • Excel.CSV
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\OpenWithProgids
    • Paint.Picture
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\OpenWithProgids
    • dllfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\OpenWithProgids
    • Word.Document.8
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docm\OpenWithProgids
    • Word.DocumentMacroEnabled.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids
    • Word.Document.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dot\OpenWithProgids
    • Word.Template.8
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dotm\OpenWithProgids
    • Word.TemplateMacroEnabled.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dotx\OpenWithProgids
    • Word.Template.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR\OpenWithProgids
    • MediaCenter.DVR
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithProgids
    • MediaCenter.DVR-MS
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dwfx\OpenWithProgids
    • Windows.XPSReachViewer
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.easmx\OpenWithProgids
    • Windows.XPSReachViewer
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.edrwx\OpenWithProgids
    • Windows.XPSReachViewer
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\OpenWithProgids
    • emffile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eprtx\OpenWithProgids
    • Windows.XPSReachViewer
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids
    • exefile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fon\OpenWithProgids
    • fonfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithProgids
    • giffile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithProgids
    • htmlfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithProgids
    • htmlfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithProgids
    • icofile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ini\OpenWithProgids
    • inifile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\OpenWithProgids
    • pjpegfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\OpenWithProgids
    • jpegfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\OpenWithProgids
    • jpegfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithProgids
    • jpegfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jtx\OpenWithProgids
    • Windows.XPSReachViewer
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk\OpenWithProgids
    • lnkfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\OpenWithProgids
    • WMP11.AssocFile.MPEG
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2T\OpenWithProgids
    • WMP11.AssocFile.M2TS
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2TS\OpenWithProgids
    • WMP11.AssocFile.M2TS
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\OpenWithProgids
    • WMP11.AssocFile.MPEG
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\OpenWithProgids
    • WMP11.AssocFile.m3u
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\OpenWithProgids
    • WMP11.AssocFile.M4A
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\OpenWithProgids
    • WMP11.AssocFile.MP4
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithProgids
    • mhtmlfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithProgids
    • mhtmlfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithProgids
    • WMP11.AssocFile.MIDI
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\OpenWithProgids
    • WMP11.AssocFile.MIDI
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\OpenWithProgids
    • WMP11.AssocFile.MPEG
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\OpenWithProgids
    • WMP11.AssocFile.MOV
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithProgids
    • WMP11.AssocFile.MP3
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\OpenWithProgids
    • WMP11.AssocFile.MPEG
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\OpenWithProgids
    • WMP11.AssocFile.MP3
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\OpenWithProgids
    • WMP11.AssocFile.MP4
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\OpenWithProgids
    • WMP11.AssocFile.MP4
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\OpenWithProgids
    • WMP11.AssocFile.MPEG
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\OpenWithProgids
    • WMP11.AssocFile.MPEG
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\OpenWithProgids
    • WMP11.AssocFile.MPEG
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithProgids
    • WMP11.AssocFile.MPEG
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\OpenWithProgids
    • WMP11.AssocFile.MPEG
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msg\OpenWithProgids
    • Outlook.File.msg
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MTS\OpenWithProgids
    • WMP11.AssocFile.M2TS
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ocx\OpenWithProgids
    • ocxfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.odt\OpenWithProgids
    • odtfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.otf\OpenWithProgids
    • otffile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithProgids
    • pngfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pot\OpenWithProgids
    • PowerPoint.Template.8
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.potm\OpenWithProgids
    • PowerPoint.TemplateMacroEnabled.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.potx\OpenWithProgids
    • PowerPoint.Template.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppam\OpenWithProgids
    • PowerPoint.Addin.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppsm\OpenWithProgids
    • PowerPoint.SlideShowMacroEnabled.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppsx\OpenWithProgids
    • PowerPoint.SlideShow.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppt\OpenWithProgids
    • PowerPoint.Show.8
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pptm\OpenWithProgids
    • PowerPoint.ShowMacroEnabled.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pptx\OpenWithProgids
    • PowerPoint.Show.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ps1xml\OpenWithProgids
    • Microsoft.PowerShellXMLData.1
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\OpenWithProgids
    • rlefile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithProgids
    • WMP11.AssocFile.MIDI
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rtf\OpenWithProgids
    • Word.RTF.8
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scf\OpenWithProgids
    • SHCmdFile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.search-ms\OpenWithProgids
    • SearchFolder
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithProgids
    • shtmlfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sldm\OpenWithProgids
    • PowerPoint.SlideMacroEnabled.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sldx\OpenWithProgids
    • PowerPoint.Slide.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithProgids
    • WMP11.AssocFile.AU
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sys\OpenWithProgids
    • sysfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\OpenWithProgids
    • TIFImage.Document
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\OpenWithProgids
    • TIFImage.Document
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\OpenWithProgids
    • WMP11.AssocFile.TTS
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\OpenWithProgids
    • ttcfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\OpenWithProgids
    • ttffile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS\OpenWithProgids
    • WMP11.AssocFile.TTS
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids
    • txtfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\OpenWithProgids
    • WMP11.AssocFile.WAV
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\OpenWithProgids
    • WMP11.AssocFile.WAX
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp\OpenWithProgids
    • wdpfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\OpenWithProgids
    • WMP11.AssocFile.ASF
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\OpenWithProgids
    • WMP11.AssocFile.WMA
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\OpenWithProgids
    • wmffile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithProgids
    • WMP11.AssocFile.WMV
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\OpenWithProgids
    • WMP11.AssocFile.ASX
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\OpenWithProgids
    • WMP11.AssocFile.WPL
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithProgids
    • MediaCenter.WTVFile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithProgids
    • WMP11.AssocFile.WVX
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlam\OpenWithProgids
    • Excel.AddInMacroEnabled
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xls\OpenWithProgids
    • Excel.Sheet.8
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsb\OpenWithProgids
    • Excel.SheetBinaryMacroEnabled.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids
    • Excel.SheetMacroEnabled.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsx\OpenWithProgids
    • Excel.Sheet.12
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlt\OpenWithProgids
    • Excel.Template.8
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xltm\OpenWithProgids
    • Excel.TemplateMacroEnabled
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xltx\OpenWithProgids
    • Excel.Template
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithProgids
    • xmlfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xps\OpenWithProgids
    • Windows.XPSReachViewer
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xsl\OpenWithProgids
    • xslfile
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithProgids
    • CompressedFolder
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network
    • NetCfgLockHolder
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances
    • {GUID}

Step 4

Diesen Registrierungswert löschen

[ learnMore ]

Wichtig: Eine nicht ordnungsgemäße Bearbeitung der Windows Registrierung kann zu einer dauerhaften Fehlfunktion des Systems führen. Führen Sie diesen Schritt nur durch, wenn Sie mit der Vorgehensweise vertraut sind oder wenn Sie Ihren Systemadministrator um Unterstützung bitten können. Lesen Sie ansonsten zuerst diesen Microsoft Artikel, bevor Sie die Registrierung Ihres Computers ändern.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IKEEXT
    • Type = "16"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AeLookupSvc
    • Type = "16"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet
    • {89BCDCB3-5725-45A2-94AB-2D6B641209B0} = "\x00PV\xbc\x0f"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • cval = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Shares
    • Users = "\x00\x00\x00\x00\x00\x00\x00"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\PolicyApplicationState
    • PolicyState = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NetCfgLockHolder
    • (Default) = "iphlpsvc.dll"
  • In HKEY_USERS\S-1-5-21-2407829820-1079796033-203259571-500\Software\Microsoft\Windows\CurrentVersion\Group Policy\PolicyApplicationState
    • PolicyState = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{{GUID}}
    • StartTimeLo = "1026249381"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{{GUID}}
    • StartTimeHi = "30757067"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{{GUID}}
    • EndTimeLo = "1609447381"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{{GUID}}
    • EndTimeHi = "30757067"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{{GUID}}
    • Status = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{{GUID}}
    • LoggingStatus = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History
    • PolicyOverdue = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-2407829820-1079796033-203259571-500\Extension-List\{{GUID}}
    • StartTimeLo = "1020159381"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-2407829820-1079796033-203259571-500\Extension-List\{{GUID}}
    • StartTimeHi = "30757067"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-2407829820-1079796033-203259571-500\Extension-List\{{GUID}}
    • EndTimeLo = "1633809382"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-2407829820-1079796033-203259571-500\Extension-List\{{GUID}}
    • EndTimeHi = "30757067"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-2407829820-1079796033-203259571-500\Extension-List\{{GUID}}
    • Status = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-2407829820-1079796033-203259571-500\Extension-List\{{GUID}}
    • LoggingStatus = "0"
  • In HKEY_USERS\S-1-5-21-2407829820-1079796033-203259571-500\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
    • PolicyOverdue = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\PolicyApplicationState
    • PolicyState = "2"
  • In HKEY_USERS\S-1-5-21-2407829820-1079796033-203259571-500\Software\Microsoft\Windows\CurrentVersion\Group Policy\PolicyApplicationState
    • PolicyState = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\groupfill
    • DisplayName = "groupfill"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\groupfill
    • Start = "SERVICE_AUTO_START"

Step 5

Diesen geänderten Registrierungswert wiederherstellen

[ learnMore ]

Wichtig: Eine nicht ordnungsgemäße Bearbeitung der Windows Registrierung kann zu einer dauerhaften Fehlfunktion des Systems führen. Führen Sie diesen Schritt nur durch, wenn Sie mit der Vorgehensweise vertraut sind oder wenn Sie Ihren Systemadministrator um Unterstützung bitten können. Lesen Sie ansonsten zuerst diesen Microsoft Artikel, bevor Sie die Registrierung Ihres Computers ändern.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser
    • From: Type = "16"
      To: Type = ""20""
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
    • From: Guid = "\x9e8%\x0f\xd6\xe6TM\x85\x07?)\xfbm\xaag"
      To: Guid = ""{random values}""
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
    • From: Guid = "=\x1bSs\xa6\xe9_K\x8e \x92!\x9f\xf6\xdf\xb1"
      To: Guid = ""{random values}""
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
    • From: Guid = "\xce\x897\x11\xd3\x11[E\xb2v\xd9\x93\x1cU\x8f\x03"
      To: Guid = ""{random values}""
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
    • From: Guid = "\xa3\x99\x8b\x89ncA\x82Y\x93\xe2\xaev\x9b\x8c"
      To: Guid = ""{random values}""
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
    • From: Guid = "r\xec\xb0xB\x1d\xd8I\xbenC\xa6\x15l\xa4e"
      To: Guid = ""{random values}""
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
    • From: Guid = "\xb4\x8a'\x831J\x91K\xb6\xffDbg]\xe9a"
      To: Guid = ""{random values}""
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
    • From: Guid = "\x12Q]T\xe7\x0e\xc9C\x88\xd9\xd3$\xd7b\x0c\xfe"
      To: Guid = ""{random values}""
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
    • From: Guid = "\x82`\xbb\xf1\x06\xb8uL\x8f\x98\x87[4\xd2\x19^"
      To: Guid = ""{random values}""
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
    • From: Guid = "e0\x8b\xbc~-\xd8O\xae\x89\xc5o\xfa\x17\xa1"
      To: Guid = ""{random values}""
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
    • From: Guid = "Z,t\xac\xcfa\xdbM\x9cP\xb2\x8e\xae\xbb\xd7i"
      To: Guid = ""{random values}""
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
    • From: Guid = "\xf3mO/\x05x\xbdB\xb3yz\xd7\xb5q\x90"
      To: Guid = ""{random values}""

Step 6

Diese Dateien suchen und löschen

[ learnMore ]
Möglicherweise sind einige Komponentendateien verborgen. Aktivieren Sie unbedingt das Kontrollkästchen Versteckte Elemente durchsuchen unter "Weitere erweiterte Optionen", um alle verborgenen Dateien und Ordner in den Suchergebnissen zu berücksichtigen.
  • %All Users Profile%\Microsoft\Windows\DRM\drmstore.hds
  • %Windows%\SysWOW64\groupfill.exe
  • %Windows%\Prefetch\CONHOST.EXE-1F3E9D7E.pf
  • %Windows%\Tasks\SCHEDLGU.TXT
  • %Windows%\Prefetch\SEARCHFILTERHOST.EXE-77482212.pf
  • %System Root%\DfsServer
  • %AppDataLocal%\Microsoft\Media Player\CurrentDatabase_372.wmdb
  • %Windows%\Prefetch\SEARCHPROTOCOLHOST.EXE-0CB8CADE.pf
  • %All Users Profile%\Microsoft\Windows\DRM\v3ks.sec

Step 7

Diesen Ordner suchen und löschen

[ learnMore ]
Aktivieren Sie unbedingt das Kontrollkästchen Versteckte Elemente durchsuchen unter Weitere erweiterte Optionen, um alle verborgenen Ordner in den Suchergebnissen zu berücksichtigen.
  • %Windows%\ServiceProfiles\NetworkService\AppData\Local\Microsoft

Step 8

Durchsuchen Sie Ihren Computer mit Ihrem Trend Micro Produkt, und löschen Sie Dateien, die als TrojanSpy.Win32.EMOTET.THLAOAI entdeckt werden. Falls die entdeckten Dateien bereits von Ihrem Trend Micro Produkt gesäubert, gelöscht oder in Quarantäne verschoben wurden, sind keine weiteren Schritte erforderlich. Dateien in Quarantäne können einfach gelöscht werden. Auf dieser Knowledge-Base-Seite finden Sie weitere Informationen.

Step 9

Diese Datei über eine Sicherungskopie wiederherstellen Nur Microsoft basierte Dateien werden wiederhergestellt. Falls diese Malware/Grayware/Spyware auch Dateien aus Programmen gelöscht hat, die nicht von Microsoft stammen, installieren Sie diese Programme auf Ihrem Computer bitte neu.

  • %Windows%\Tasks\SCHEDLGU.TXT
  • %Windows%\Prefetch\SEARCHFILTERHOST.EXE-77482212.pf
  • %Windows%\Prefetch\SEARCHPROTOCOLHOST.EXE-0CB8CADE.pf
  • %Windows%\Prefetch\CONHOST.EXE-1F3E9D7E.pf

Step 10

Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.

  • %Windows%\SysWOW64\markupcube.exe
  • %Windows%\SysWOW64\groupfill.exe:Zone.Identifier
  • {malware file path and name}

Step 11

Restore these deleted registry keys/values from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE\CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____\5&3a794e10&0&1.0.0
    • CustomPropertyHwIdKey
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCIIDE\IDEChannel\4&c5d1198&0&1
    • CustomPropertyHwIdKey
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\4&1F16FEF7&0&00A8
    • CustomPropertyHwIdKey
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanServer\Parameters
    • Guid


Nehmen Sie an unserer Umfrage teil