PPFScan.exe has frozen at "Suche nach versteckten Datein in audiodg.exe" (searching for hidden files in audiodg.exe). 30 minutes with no response, no hard-disk activity light, no cursor! I'll try again tomorrow! Chrome seems to work, but everything has been reset; all settings, e.g. the Google account, are gone!
-
You killed that yourself by running the wrong thing.
Reinstall Chrome once more:
-
Could be, but it was still there as a browser; I only had to re-enter the account settings! What worries me is the scanner: why didn't it continue? A scan like that always takes a little while!
-
That doesn't worry me. At that point the scanner is examining the memory of running processes. In exceptional cases this can lead to problems like that.
Try again tomorrow.
I would still reinstall Chrome once more. There could be problems that you don't even see yet.
-
Good morning AHT, I followed your advice and reinstalled Chrome. Had bad luck with the scan again, at the same spot: the red dot stops blinking, no cursor, no hard-disk activity. Try again, or do you have any advice?
-
Wait a moment.
I'll adapt the script and get back to you shortly.
-
We'll try it like this:
- Start PPFScan.exe.
- When the program asks, let it start the 64-bit version of the scanner.
- Paste the following text into the text input field above the "Script ausführen" (run script) button (what is in the box, without the word "Quellcode" and the line numbers). Make sure that the entire content of the box is displayed to you:
Code
TIME->
CREATE_FOLDER->C:\PPFS_T
CREATE_FOLDER->C:\PPF_Scan1
SET_OPTIONS->112
SET_ENV_VAR->PPF_PlaySound>1
REGISTRY_READ->HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings ->Enabled
SET_ENV_VAR_FROM_REGISTRY->PPFS_ScriptingHost
IF->%PPFS_ScriptingHost%$=0
SET_ENV_VAR->PPF_PlaySound>0
END_IF->
REGISTRY_READ->HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings ->Enabled
SET_ENV_VAR_FROM_REGISTRY->PPFS_ScriptingHost
IF->%PPFS_ScriptingHost%$=0
SET_ENV_VAR->PPF_PlaySound>0
END_IF->
CREATE_BATCH_FILE->C:\PPFS_T\Speak.vbs
WRITE_BATCH->Dim EnglishText, GermanText, VoiceName
WRITE_BATCH->EnglishText = "Information from PPF-Scan. "
WRITE_BATCH->EnglishText = EnglishText + "PPF-Scan wants to load files from the internet! "
WRITE_BATCH->EnglishText = EnglishText + "Please don't turn off the internet connection! "
WRITE_BATCH->GermanText = "Information vom PPFScanner! "
WRITE_BATCH->GermanText = GermanText + "Der PPFScanner wird nun Dateien aus dem Internet herunterladen! "
WRITE_BATCH->GermanText = GermanText + "Bitte unterbrechen sie die Internetverbindung nicht, bis der Vorgang abgeschlossen ist! "
WRITE_BATCH->Set SAPI = CreateObject("SAPI.SpVoice")
WRITE_BATCH->Set SAPI.voice = SAPI.getvoices.item(0)
WRITE_BATCH->VoiceName = SAPI.GetVoices.item(0).GetDescription
WRITE_BATCH->VoiceName = ucase(VoiceName)
WRITE_BATCH->IF instr(1, VoiceName, "GERMAN", 0) > 0 Then
WRITE_BATCH-> SAPI.Speak GermanText
WRITE_BATCH->ElseIF instr(1, VoiceName, "DEUTSCH", 0) > 0 Then
WRITE_BATCH-> SAPI.Speak GermanText
WRITE_BATCH->ElseIF instr(1, VoiceName, "ENGLISH", 0) > 0 Then
WRITE_BATCH-> SAPI.Speak EnglishText
WRITE_BATCH->ElseIF instr(1, VoiceName, "ENGLISCH", 0) > 0 Then
WRITE_BATCH-> SAPI.Speak EnglishText
WRITE_BATCH->End If
IF->%PPF_PlaySound%=1
START_SHELL->%SystemRoot%\system32\cmd.exe
EXECUTE_IN_SHELL->WSCRIPT.EXE C:\PPFS_T\Speak.vbs //B
CLOSE_SHELL->
SLEEP->5000
END_IF->
DOWNLOAD->http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.zip>C:\PPFS_T\TDSSK.ZIP
UNZIP->C:\PPFS_T\TDSSK.ZIP>C:\PPFS_T
CREATE_BATCH_FILE->C:\PPFS_T\TDSSSTART.BAT
WRITE_BATCH->C:\PPFS_T\TDSSKILLER.exe -l C:\PPF_Scan1\TDSSKILL.TXT -accepteula -tdlfs -sigcheck -qsus -silent
OPEN->C:\PPFS_T\TDSSSTART.BAT
SLEEP->5000
WAIT_FOR_TERMINATE->TDSSKILLER.exe
ON_64BIT->
DOWNLOAD->http://files.trendmicro.com/products/rootkitbuster/x64/RootkitBusterV5.0-1203x64.exe>C:\PPFS_T\RootkitBuster.exe
END_ON->
ON_32BIT->
DOWNLOAD->http://files.trendmicro.com/products/rootkitbuster/x86/RootkitBusterV5.0-1203.exe>C:\PPFS_T\RootkitBuster.exe
END_ON->
CREATE_BATCH_FILE->C:\PPFS_T\RBust.bat
WRITE_BATCH->C:\PPFS_T\RootkitBuster.exe /s /a
OPEN->C:\PPFS_T\RBust.bat
SLEEP->15000
TIME->
SET_ENV_VAR->PPF_PlaySound>1
REGISTRY_READ->HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings ->Enabled
SET_ENV_VAR_FROM_REGISTRY->PPFS_ScriptingHost
REGISTRY_READ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ->CurrentVersion
SET_ENV_VAR_FROM_REGISTRY->PPFS_WINVER
REM->Which antivirus scanner is running?
REM->Avast?
PROCESS_ID_TO_ENV_VAR->AvastSvc.exe>PPFS_AvastExists
REM->MSE?
PROCESS_ID_TO_ENV_VAR->MsMpeng.exe>PPFS_MSEExists
IF->%PPFS_MSEExists%>0
IF->%PPFS_WINVER%>=6.2
SET_ENV_VAR->PPFS_WindowsDefender>1
SET_ENV_VAR->PPFS_MSEExists>0
END_IF->
END_IF->
IF->%PPFS_ScriptingHost%$=0
SET_ENV_VAR->PPF_PlaySound>0
END_IF->
REGISTRY_READ->HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings ->Enabled
SET_ENV_VAR_FROM_REGISTRY->PPFS_ScriptingHost
IF->%PPFS_ScriptingHost%$=0
SET_ENV_VAR->PPF_PlaySound>0
END_IF->
CREATE_FOLDER->C:\PPFS_T
CREATE_BATCH_FILE->C:\PPFS_T\Speak.vbs
WRITE_BATCH->Dim EnglishText, GermanText, VoiceName
WRITE_BATCH->EnglishText = "Information from PPF-Scan. "
WRITE_BATCH->EnglishText = EnglishText + "PPF-Scan is executing an extended scan. This can last for over two hours!"
WRITE_BATCH->GermanText = "Information vom PPFScanner! "
WRITE_BATCH->GermanText = GermanText + "Der PPFScanner wird nun einen erweiterten Scan ausführen. "
WRITE_BATCH->GermanText = GermanText + "Der gesamte Vorgang kann unter Umständen länger als zwei Stunden dauern! "
WRITE_BATCH->Set SAPI = CreateObject("SAPI.SpVoice")
WRITE_BATCH->Set SAPI.voice = SAPI.getvoices.item(0)
WRITE_BATCH->VoiceName = SAPI.GetVoices.item(0).GetDescription
WRITE_BATCH->VoiceName = ucase(VoiceName)
WRITE_BATCH->IF instr(1, VoiceName, "GERMAN", 0) > 0 Then
WRITE_BATCH-> SAPI.Speak GermanText
WRITE_BATCH->ElseIF instr(1, VoiceName, "DEUTSCH", 0) > 0 Then
WRITE_BATCH-> SAPI.Speak GermanText
WRITE_BATCH->ElseIF instr(1, VoiceName, "ENGLISH", 0) > 0 Then
WRITE_BATCH-> SAPI.Speak EnglishText
WRITE_BATCH->ElseIF instr(1, VoiceName, "ENGLISCH", 0) > 0 Then
WRITE_BATCH-> SAPI.Speak EnglishText
WRITE_BATCH->End If
IF->%PPF_PlaySound%=1
START_SHELL->%SystemRoot%\system32\cmd.exe
EXECUTE_IN_SHELL->WSCRIPT.EXE C:\PPFS_T\Speak.vbs //B
CLOSE_SHELL->
END_IF->
REM->Create the folder for scan files!
CREATE_FOLDER->C:\PPF_Scan1
REM->List warnings only!
SET_OPTIONS->204
REM->Close the scanner when the script finishes!
SET_OPTIONS->112
REM->Do not follow symbolic links!
SET_OPTIONS->218
REM->Read command lines!
SET_OPTIONS->214
REM->List all files!
SET_OPTIONS->-205
REM->List registry keys of any date!
SET_OPTIONS->-206
REM->Also list inactive services!
SET_OPTIONS->-207
REM->List resource info!
SET_OPTIONS->217
REM->Do not list anything signed by Microsoft!
SET_OPTIONS->208,209,210,212,213,215
REM->Hide firewall rules without a file!
SET_OPTIONS->211
REM->Enable all scans!
SET_OPTIONS->34,102
SET_OPTIONS->2,3,4,5,6,7,8,9,10
SET_OPTIONS->11,12,13,14,15,16,17,18
SET_OPTIONS->19,20,21,22,-23,24,25,26
SET_OPTIONS->27,28,29,30,31,32,33,35
SET_OPTIONS->36,37,38,39,40,41,42,43
REM->Run the scans in scan-list view!
SCANLIST->
LOAD_SCRIPT->%ProgDir%BrowserExtensions.sca
SET_HEADLINE->* Enhanced Autostart Keys *#* Erweiterte Autostartschlüssel *
REM->List autostart keys under Policies\Explorer\Run!
REGISTRY_ENUM->HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
REGISTRY_ENUM->HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
SET_HEADLINE->* StartupApproved Key *#* StartupApproved Schlüssel *
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved ->
REGISTRY_SEARCH->HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved ->
SET_HEADLINE->HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts#HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts
REGISTRY_SEARCH_STRING->HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts ->
SET_HEADLINE->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts#HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts
REGISTRY_SEARCH_STRING->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts ->
SET_HEADLINE->HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts#HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts
REGISTRY_SEARCH_STRING->HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts ->
SET_HEADLINE->HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts#HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts
REGISTRY_SEARCH_STRING->HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts ->
SET_HEADLINE->* Subsystem *#* Subsystem *
REGISTRY_ENUM->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
SET_HEADLINE->* Known DLLs *#* Bekannte DLLs *
REGISTRY_ENUM->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
SET_HEADLINE->* Applications started with cmd.exe *#* Zusammen mit CMD.EXE gestartete Anwendungen *
REM->List applications started together with CMD.EXE!
REGISTRY_READ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ->Autorun
REGISTRY_READ->HKEY_CURRENT_USER\SOFTWARE\Microsoft\Command Processor ->Autorun
ON_64BIT->
REGISTRY_READ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor ->Autorun
REGISTRY_READ->HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Command Processor ->Autorun
END_ON->
REM->Read the command-line interpreter!
SET_HEADLINE->* Commandline Interpreter *#* Kommandozeileninterpreter *
REGISTRY_READ->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment ->ComSpec
SET_HEADLINE->* Shell in SafeBoot Mode *#* Shell im abgesicherten Modus *
REM->Shell in safe mode!
REGISTRY_READ->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->AlternateShell
SET_HEADLINE->* IE add-ons HKLM and HKCU *#* IE Add-Ons HKLM und HKCU *
REGISTRY_ENUM_DEPENDANT_KEY->HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\Settings ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\Inprocserver32 ->
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\Settings ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT% ->
ON_64BIT->
SET_HEADLINE->* Global 32bit IE add-ons *#* Globale 32Bit IE Add-Ons *
REGISTRY_ENUM_DEPENDANT_KEY->HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Settings ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\Inprocserver32 ->
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Settings ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT% ->
END_ON->
REGISTRY_ENUM_DEPENDANT_KEY->HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\Inprocserver32 ->
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%
ON_64BIT->
REGISTRY_ENUM_DEPENDANT_KEY->HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Settings ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\Inprocserver32 ->
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Settings ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT% ->
END_ON->
SET_HEADLINE->* IE extensions HKCU and HKLM *#* IE Erweiterungen HKCU und HKLM *
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Approved Extensions ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Approved Extensions ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
ON_64BIT->
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Internet Explorer\Approved Extensions ->HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Classes\%DEPENDANT%\InprocServer32 ->
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Approved Extensions ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\%DEPENDANT%\InprocServer32 ->
END_ON->
REGISTRY_ENUM_DEPENDANT_VALUE_RETURN->HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Extensions ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
REGISTRY_ENUM_DEPENDANT_VALUE_RETURN->HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
ON_64BIT->
REGISTRY_ENUM_DEPENDANT_VALUE_RETURN->HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions ->HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Classes\%DEPENDANT%\InprocServer32 ->
REGISTRY_ENUM_DEPENDANT_VALUE_RETURN->HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Extensions ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\%DEPENDANT%\InprocServer32 ->
END_ON->
SET_HEADLINE->* IE Explorer Bars HKCU and HKLM *#* IE Explorer Bars HKCU und HKLM *
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
ON_64BIT->
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars ->HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Classes\%DEPENDANT%\InprocServer32 ->
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\%DEPENDANT%\InprocServer32 ->
END_ON->
SET_HEADLINE->* IE Toolbars HKCU and HKLM *#* IE Toolbars HKCU und HKLM *
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
ON_64BIT->
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar ->HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Classes\%DEPENDANT%\InprocServer32 ->
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\%DEPENDANT%\InprocServer32 ->
END_ON->
SET_HEADLINE->* URL-Searchhooks HKCU and HKLM *#* URL-Searchhooks HKCU und HKLM *
REM->List URL search hooks under HKLM!
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
REM->List URL search hooks under HKCU!
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
ON_64BIT->
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\%DEPENDANT%\InprocServer32 ->
END_ON->
SET_HEADLINE->* HKLM IE Searchscopes *#* HKLM IE Suchanbieter *
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\%DEPENDANT% ->URL
ON_64BIT->
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\%DEPENDANT% ->URL
END_ON->
SET_HEADLINE->* HKLM IE Default Searchscope *#* HKLM IE Standardsuchanbieter *
REGISTRY_ENUM_DEPENDANT_KEYVALUE_S->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer ->DefaultScope ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\%DEPENDANT% ->URL
ON_64BIT->
REGISTRY_ENUM_DEPENDANT_KEYVALUE_S->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer ->DefaultScope ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\%DEPENDANT% ->URL
END_ON->
SET_HEADLINE->* HKCU IE Searchscopes *#* HKCU IE Suchanbieter *
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes ->HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\%DEPENDANT% ->URL
ON_64BIT->
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes ->HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\%DEPENDANT% ->URL
END_ON->
SET_HEADLINE->* HKCU IE Default Searchscope *#* HKCU IE Standardsuchanbieter *
REGISTRY_ENUM_DEPENDANT_KEYVALUE_S->HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer ->DefaultScope ->HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\%DEPENDANT% ->URL
ON_64BIT->
REGISTRY_ENUM_DEPENDANT_KEYVALUE_S->HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer ->DefaultScope ->HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\%DEPENDANT% ->URL
END_ON->
SET_HEADLINE->NameServer and Networkcards#NameServer und Netzwerkkarten
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards ->
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces ->NameServer
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces ->NameServer
SET_HEADLINE-> Installed ActiveX Controls # Installierte ActiveX Controls
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\%DEPENDANT%\DownloadInformation ->CODEBASE
SET_HEADLINE-> Installed 32Bit ActiveX Controls # Installierte 32Bit ActiveX Controls
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\%DEPENDANT%\DownloadInformation ->CODEBASE
SET_HEADLINE-> Used ActiveX Controls # ActiveX Controls in Nutzung
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage ->
SET_HEADLINE-> Used 32Bit ActiveX Controls # 32Bit ActiveX Controls in Nutzung
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ModuleUsage ->
REM->List the IE proxy settings!
SET_HEADLINE->* Proxysetting *#* Proxyeinstellungen *
REGISTRY_SEARCH->HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ->Proxy
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings ->Proxy
ON_64BIT->
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings ->Proxy
END_ON->
REGISTRY_READ->HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ->AutoConfigURL
REGISTRY_READ->HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings ->AutoConfigURL
ON_64BIT->
REGISTRY_READ->HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings ->AutoConfigURL
END_ON->
REGISTRY_ENUM->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies
IF->%PPFS_WINVER%>=6.3
SET_HEADLINE->* Edge Settings *#* Einstellungen von Edge *
REGISTRY_READ->HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main ->HomeButtonPage
SET_HEADLINE->Edge Extensions#Edge Erweiterungen
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Extensions ->HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscm_baction\%DEPENDANT%\default_title ->value
SET_REGISTRY_FOLDER_SEARCH_STRING->*
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Extensions ->HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\Config\%DEPENDANT% ->Path
SET_HEADLINE->Edge Extension Files#Erweiterungsdateien von Edge
SET_OPTIONS->-205
REGISTRY_TO_FILELIST->DIVIDED
SET_OPTIONS->205
SET_REGISTRY_FOLDER_SEARCH_STRING->
END_IF->
REM->Browser policies
SET_HEADLINE->Browser Policies#Browser Policies
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google ->
SET_HEADLINE->Browser Policies#Browser Policies
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer ->
SET_HEADLINE->Browser Policies#Browser Policies
REGISTRY_SEARCH->HKEY_CURRENT_USER\SOFTWARE\Policies\Google ->
SET_HEADLINE->Browser Policies#Browser Policies
REGISTRY_SEARCH->HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer ->
REM->List Firefox extensions and plugins in the registry
SET_HEADLINE->HKCU FireFox Extensions in Registry#HKCU FireFox Erweiterungen in der Registry
REGISTRY_SEARCH->HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions ->
SET_HEADLINE->HKLM FireFox Extensions in Registry#HKLM FireFox Erweiterungen in der Registry
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions ->
ON_64BIT->
SET_HEADLINE->32Bit HKLM FireFox Extensions in Registry#32Bit HKLM FireFox Erweiterungen in der Registry
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions ->
END_ON->
SET_HEADLINE->HKCU Mozilla Plugins in Registry#HKCU Mozilla Plugins in der Registry
REGISTRY_SEARCH->HKEY_CURRENT_USER\Software\MozillaPlugins ->
SET_HEADLINE->HKCU Mozilla Plugins in Registry#HKCU Mozilla Plugins in der Registry
REGISTRY_TO_FILELIST->
SET_HEADLINE->HKLM Mozilla Plugins in Registry#HKLM Mozilla Plugins in der Registry
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\Software\MozillaPlugins ->
SET_HEADLINE->HKLM Mozilla Plugins in Registry#HKLM Mozilla Plugins in der Registry
REGISTRY_TO_FILELIST->
ON_64BIT->
SET_HEADLINE->32Bit HKLM Mozilla Plugins in Registry#32Bit HKLM Mozilla Plugins in der Registry
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins ->
SET_HEADLINE->32Bit HKLM Mozilla Plugins in Registry#32Bit HKLM Mozilla Plugins in der Registry
REGISTRY_TO_FILELIST->
END_ON->
REM->List Chrome extensions in the registry
SET_HEADLINE->HKCU CHROME Extensions in Registry#HKCU CHROME Erweiterungen in der Registry
REGISTRY_SEARCH->HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions ->
SET_HEADLINE->HKLM CHROME Extensions in Registry#HKLM CHROME Erweiterungen in der Registry
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions ->
ON_64BIT->
SET_HEADLINE->32Bit HKLM CHROME Extensions in Registry#32Bit HKLM CHROME Erweiterungen in der Registry
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions ->
END_ON->
REM->List Firefox preference files
SET_HEADLINE->FireFox USER.JS Files#FireFox USER.JS Dateien
LIST_CONTENT_OF_FILES->user.js ->%SYSTEMDRIVE%\
REM->List telephony providers
SET_HEADLINE->* Telephony Providers *#* DSL-Telephonie*
REGISTRY_ENUM->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers
ON_64BIT->
REGISTRY_ENUM->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Telephony\Providers
END_ON->
REM->List modules loaded through SharedTaskScheduler!
SET_HEADLINE->* Modules loaded through SharedTaskScheduler *#* Durch SharedTaskScheduler geladene Module *
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
REM->MD5 test of the system directories
SET_HEADLINE->* MD5-Test of Systemfolder *#* MD5-Test der Systemordner *
MD5->%SYSTEMROOT%\System32\*.*
MD5->%SYSTEMROOT%\System32\Drivers\*.*
ON_64BIT->
MD5->%SYSTEMROOT%\SysWOW64\*.*
MD5->%SYSTEMROOT%\SysWOW64\Drivers\*.*
END_ON->
MD5->%SYSTEMROOT%\Explorer.exe
REM->Read the event logs of System, Application, antivirus scanners and Windows Defender
SET_HEADLINE->System events#Wichtige Systemereignisse
READ_EVENTS->System,,100,3,1,1
SET_HEADLINE->Application events#Wichtige Meldungen von Anwendungen
READ_EVENTS->Application,,100,3,1,
IF->%PPFS_MSEExists%>0
SET_HEADLINE->Events of Microsoft Security Essentials#Wichtige Meldungen von Microsoft Security Essentials
READ_EVENTS->System,Microsoft Antimalware,50,3,1,1
END_IF->
SET_HEADLINE->Events of the WindowsDefender#Wichtige Meldungen des WindowsDefenders
READ_EVENTS->System,WinDefend,50,3,1,1
SET_HEADLINE->AntiVir Messages#Meldungen von AntiVir
READ_EVENTS->Application,Avira AntiVir,500,3,1,1
READ_EVENTS->Application,Avira Antivirus,500,3,1,1
SET_HEADLINE->Avast Messages#Meldungen von Avast
READ_EVENTS->Antivirus,avast!,500,3,1,1
REM->List ADS
EXCLUDE_SEARCH_ADS->
EXCLUDE_SEARCH_ADS->:Zone.Identifier>26
EXCLUDE_SEARCH_ADS->:Zone.Identifier>29
EXCLUDE_SEARCH_ADS->*>0
SET_HEADLINE->* Alternate Data Streams *#* Alternate Data Streams *
SEARCH_ADS->%SYSTEMDRIVE%\
REM->Read the paths of known applications!
SET_HEADLINE->* Known Applications *#* Bekannte Anwendungen *
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications ->HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\%DEPENDANT%\shell\open\command ->
REM->Read the file associations!
SET_HEADLINE->* File Extensions *#* Dateiverknüpfungen *
REM->.bat
REGISTRY_READ->HKEY_CLASSES_ROOT\batfile\shell\open\command ->
REM->.cmd
REGISTRY_READ->HKEY_CLASSES_ROOT\cmdfile\shell\open\command ->
REM->.com
REGISTRY_READ->HKEY_CLASSES_ROOT\comfile\shell\open\command ->
REM->.exe
REGISTRY_READ->HKEY_CLASSES_ROOT\exefile\shell\open\command ->
REM->.pif
REGISTRY_READ->HKEY_CLASSES_ROOT\piffile\shell\open\command ->
REM->.reg
REGISTRY_READ->HKEY_CLASSES_ROOT\regfile\shell\open\command ->
REGISTRY_READ->HKEY_CLASSES_ROOT\regfile\shell\Merge\command ->
REM->.scr
REGISTRY_READ->HKEY_CLASSES_ROOT\scrfile\shell\open\command ->
REGISTRY_READ->HKEY_CLASSES_ROOT\scrfile\shell\config\command ->
REGISTRY_READ->HKEY_CLASSES_ROOT\scrfile\shell\install\command ->
REM->.txt
REGISTRY_READ->HKEY_CLASSES_ROOT\txtfile\shell\edit\command ->
REM->unknown
REGISTRY_READ->HKEY_CLASSES_ROOT\Unknown\shell\openas\command ->
REM->Directory
REGISTRY_READ->HKEY_CLASSES_ROOT\Directory\shell\find\command ->
REM->Folder
REGISTRY_READ->HKEY_CLASSES_ROOT\Folder\shell\find\command ->
REGISTRY_READ->HKEY_CLASSES_ROOT\Folder\shell\explore\command ->
REGISTRY_READ->HKEY_CLASSES_ROOT\Folder\shell\open\command ->
REM->Drive
REGISTRY_READ->HKEY_CLASSES_ROOT\Drive\shell\find\command ->
REGISTRY_READ->HKEY_CLASSES_ROOT\Drive\shell\explore\command ->
REGISTRY_READ->HKEY_CLASSES_ROOT\Drive\shell\open\command ->
REM->EXE
REGISTRY_SEARCH->HKEY_CLASSES_ROOT\.exe ->
REGISTRY_SEARCH->HKEY_CLASSES_ROOT\exefile ->
REM->Read the PPFScanner threads!
SET_HEADLINE->* Threads of PPFScanner *#* Threads des PPFScanners *
THREADS_BY_FILENAME->%PROGNAME%
REM->Read the browser threads!
SET_HEADLINE->* Threads of internetbrowsers *#* Threads der Internetbrowsers *
THREADS_BY_NAME->chrome.exe
THREADS_BY_NAME->firefox.exe
THREADS_BY_NAME->opera.exe
THREADS_BY_NAME->iexplore.exe
REM->Search for hidden modules in internet browsers
SET_HEADLINE->* Hidden modules in internetbrowsers *#* Versteckte Module in Internetbrowsern *
HIDDEN_MODULES->chrome.exe
HIDDEN_MODULES->firefox.exe
HIDDEN_MODULES->opera.exe
REM->Search for folders, expanding environment variables where present!
SET_HEADLINE->* Suspicious Folders *#* Verdächtige Ordner *
SEARCH_FOLDERS->%*% ->
SET_HEADLINE->* Desktop Wallpaper *#* Desktop Wallpaper *
REGISTRY_READ->HKEY_CURRENT_USER\Control Panel\Desktop ->WallPaper
SET_HEADLINE->* SVCHOST Extensions *#* SVCHOST Erweiterungen *
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services ->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%DEPENDANT%\Parameters ->extension
SET_HEADLINE->* SVCHOST Extensions *#* SVCHOST Erweiterungen *
REGISTRY_TO_FILELIST->
SET_HEADLINE->* NetworkProvider *#* NetworkProvider *
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services ->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%DEPENDANT%\NetworkProvider ->ProviderPath
SET_HEADLINE->* NetworkProvider *#* NetworkProvider *
REGISTRY_TO_FILELIST->
SET_HEADLINE->* Printer Monitors *#* Drucker Monitore *
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors ->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\%DEPENDANT% ->Driver
SET_HEADLINE->* Printer Monitors *#* Drucker Monitore *
REGISTRY_TO_FILELIST->
SET_HEADLINE->* BootExecute Value *#* BootExecute Wert *
REGISTRY_READ->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager ->BootExecute
SET_HEADLINE->* Terminal Server Startups *#* Terminal Server Autostarts *
REGISTRY_READ->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd ->StartupPrograms
SET_HEADLINE->* Screensaver *#* Screensaver *
REGISTRY_READ->HKEY_CURRENT_USER\Control Panel\Desktop ->SCRNSAVE.EXE
SET_CURRENT_DIRECTORY->%SystemRoot%\System32
SET_HEADLINE->VmApplet Registryvalue#VmApplet Registrywert
REGISTRY_READ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->VmApplet
ON_64BIT->
SET_HEADLINE->32Bit VmApplet Registryvalue#32Bit VmApplet Registrywert
REGISTRY_READ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon ->VmApplet
END_ON->
SET_HEADLINE->SetupExecute Registryvalue#SetupExecute Registrywert
REGISTRY_READ->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager ->SetupExecute
SET_HEADLINE->Windows NT Access Provider#Windows NT Access Provider
REGISTRY_READ->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider ->ProviderPath
SET_HEADLINE->RDP-Tcp#RDP-Tcp
REGISTRY_READ->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp ->InitialProgram
SET_HEADLINE->IconServiceLib Registryvalue#IconServiceLib Registrywert
REGISTRY_READ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows ->IconServiceLib
ON_64BIT->
SET_HEADLINE->32Bit IconServiceLib Registryvalue#32Bit IconServiceLib Registrywert
REGISTRY_READ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows ->IconServiceLib
END_ON->
SET_HEADLINE->GP-Extensions#GP-Erweiterungen
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\%DEPENDANT% ->DllName
SET_HEADLINE->GP-Extensions#GP-Erweiterungen
REGISTRY_TO_FILELIST->
ON_64BIT->
SET_HEADLINE->32Bit GP-Extensions#32Bit GP-Erweiterungen
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\%DEPENDANT% ->DllName
SET_HEADLINE->32Bit GP-Extensions#32Bit GP-Erweiterungen
REGISTRY_TO_FILELIST->
END_ON->
SET_HEADLINE->ShellServiceObjects AutoStarts#ShellServiceObjects AutoStarteinträge
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\%DEPENDANT% ->AutoStart
SET_HEADLINE->ShellServiceObjects AutoStarts#ShellServiceObjects AutoStarteinträge
REGISTRY_TO_FILELIST->
ON_64BIT->
SET_HEADLINE->32Bit ShellServiceObjects AutoStarts#32Bit ShellServiceObjects AutoStarteinträge
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\%DEPENDANT% ->AutoStart
SET_HEADLINE->32Bit ShellServiceObjects AutoStarts#32Bit ShellServiceObjects AutoStarteinträge
REGISTRY_TO_FILELIST->
END_ON->
SET_HEADLINE->Debugger#Debugger
REGISTRY_READ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug ->Debugger
ON_64BIT->
SET_HEADLINE->32Bit Debugger#32Bit Debugger
REGISTRY_READ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug ->Debugger
END_ON->
SET_HEADLINE->* ShellExecuteHooks *#* ShellExecuteHooks *
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
SET_HEADLINE->* ShellExecuteHooks *#* ShellExecuteHooks *
REGISTRY_TO_FILELIST->
SET_HEADLINE->* Global Shell Extensions *#* Globale Shellerweiterungen *
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
SET_HEADLINE->* Global Shell Extensions *#* Globale Shellerweiterungen *
REGISTRY_TO_FILELIST->
SET_HEADLINE->* Local Shell Extensions *#* Lokale Shellerweiterungen *
REGISTRY_ENUM_DEPENDANT_VALUE->HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
SET_HEADLINE->* Local Shell Extensions *#* Lokale Shellerweiterungen *
REGISTRY_TO_FILELIST->
SET_HEADLINE->* Overlay Handlers *#* Overlay Handler *
REGISTRY_ENUM_DEPENDANT_KEYVALUE->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers -> ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
SET_HEADLINE->* Overlay Handlers *#* Overlay Handler *
REGISTRY_TO_FILELIST->
SET_HEADLINE->* Uninstall List *#* Uninstall Liste *
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall ->HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%DEPENDANT% ->DisplayName
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%DEPENDANT% ->DisplayName
ON_64BIT->
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall ->HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\%DEPENDANT% ->DisplayName
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\%DEPENDANT% ->DisplayName
END_ON->
SET_HEADLINE->DoubleAgent Scan#DoubleAgent Scan
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options ->HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%DEPENDANT% ->VerifierDlls
SET_HEADLINE->DoubleAgent Scan#DoubleAgent Scan
REGISTRY_TO_FILELIST->
ON_64BIT->
SET_HEADLINE->32Bit DoubleAgent Scan#32Bit DoubleAgent Scan
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options ->HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%DEPENDANT% ->VerifierDlls
SET_HEADLINE->32Bit DoubleAgent Scan#32Bit DoubleAgent Scan
REGISTRY_TO_FILELIST->
END_ON->
SET_HEADLINE->* Safe Boot *#* Im abgesicherten Modus zu ladende Treiber *
REGISTRY_SEARCH->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
SET_OPTIONS->-221
SET_HEADLINE->* LocalServer32 *#* LocalServer32 *
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_CLASSES_ROOT\CLSID ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\LocalServer32 ->
SET_HEADLINE->* Unsigned Localserver32 Objects *#* Unsignierte Localserver32 Objekte *
REGISTRY_TO_FILELIST->
ON_64BIT->
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_CLASSES_ROOT\CLSID ->HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\CLSID\%DEPENDANT%\LocalServer32 ->
REGISTRY_TO_FILELIST->
END_ON->
CHECK_PRIVILEGE->SeDebugPrivilege
CHECK_PRIVILEGE->SeBackupPrivilege
CHECK_PRIVILEGE->SeRestorePrivilege
SET_OPTIONS->-221
SET_HEADLINE->* COM Objects *#* COM Objekte *
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_CLASSES_ROOT\CLSID ->HKEY_CLASSES_ROOT\CLSID\%DEPENDANT%\InprocServer32 ->
SET_HEADLINE->* Unsigned COM Objects *#* Unsignierte COM Objekte *
REGISTRY_TO_FILELIST->
ON_64BIT->
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_CLASSES_ROOT\CLSID ->HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\CLSID\%DEPENDANT%\InprocServer32 ->
REGISTRY_TO_FILELIST->
REGISTRY_ENUM_DEPENDANT_KEY_S->HKEY_CLASSES_ROOT\CLSID ->HKEY_CURRENT_USER\Software\Wow6432Node\Classes\CLSID\%DEPENDANT%\InprocServer32 ->
REGISTRY_TO_FILELIST->
END_ON->
SET_OPTIONS->221
SET_HEADLINE->* Executables in Userfolders *#* Ausführbare Dateien in Userordnern *
CREATE_BATCH_FILE->%PROGDIR%1.Sca
WRITE_BATCH->LIST_DEPENDANT_FILES->*.exe WRITE_BATCH->->%Reg_AllUserProfiles% WRITE_BATCH->-> WRITE_BATCH->LIST_DEPENDANT_FILES->*.com WRITE_BATCH->->%Reg_AllUserProfiles% WRITE_BATCH->-> WRITE_BATCH->LIST_DEPENDANT_FILES->*.bat WRITE_BATCH->->%Reg_AllUserProfiles% WRITE_BATCH->-> WRITE_BATCH->LIST_DEPENDANT_FILES->*.vbs WRITE_BATCH->->%Reg_AllUserProfiles% WRITE_BATCH->-> WRITE_BATCH->LIST_DEPENDANT_FILES->*.vba WRITE_BATCH->->%Reg_AllUserProfiles% WRITE_BATCH->-> LOAD_SCRIPT->%PROGDIR%1.Sca FILE_EXISTS_TO_ENV_VAR->%Systemroot%\System32\WindowsPowerShell\v1.0\powershell.exe>PPFS_PSEXISTS IF->%PPFS_PSEXISTS%=1 CREATE_FOLDER->C:\PPFS_T CREATE_BATCH_FILE->C:\PPFS_T\T1.ps1 WRITE_BATCH->"********************************************" > C:\PPF_Scan1\CodeIntegrity.txt WRITE_BATCH->"** Codeintegrity **" >> C:\PPF_Scan1\CodeIntegrity.txt WRITE_BATCH->"********************************************" >> C:\PPF_Scan1\CodeIntegrity.txt WRITE_BATCH->Get-WinEvent -logname "Microsoft-Windows-CodeIntegrity/Operational" -MaxEvents 100 | ?{$_.Level -eq 2 -or $_.Level -eq 3} | format-list >> C:\PPF_Scan1\CodeIntegrity.txt IF->%PPFS_WindowsDefender%>0 IF->%PPFS_WindowsDefender%>0 WRITE_BATCH->Set-Content -Path 'C:\PPF_Scan1\WDEf.txt' -Value '************************************************' WRITE_BATCH->Add-Content -Path 'C:\PPF_Scan1\WDEf.txt' -Value '* Windows Defender Detections *' WRITE_BATCH->Add-Content -Path 'C:\PPF_Scan1\WDEf.txt' -Value '************************************************' WRITE_BATCH->Get-MpThreatDetection | Out-File -FilePath 'C:\PPF_Scan1\WDEf.txt' -Encoding "ASCII" -Append WRITE_BATCH->Add-Content -Path 'C:\PPF_Scan1\WDEf.txt' -Value '' WRITE_BATCH->Add-Content -Path 'C:\PPF_Scan1\WDEf.txt' -Value '___________________________' WRITE_BATCH->Get-MpThreat | ForEach { Get-MpThreatCatalog -ThreatID $_.ThreatID } | Out-File -FilePath 'C:\PPF_Scan1\WDEf.txt' -Encoding "ASCII" -Append WRITE_BATCH->Add-Content -Path 'C:\PPF_Scan1\WDEf.txt' -Value '' 
WRITE_BATCH->Add-Content -Path 'C:\PPF_Scan1\WDEf.txt' -Value '************************************************' WRITE_BATCH->Add-Content -Path 'C:\PPF_Scan1\WDEf.txt' -Value '* Windows Defender Offlinscan Detections *' WRITE_BATCH->Add-Content -Path 'C:\PPF_Scan1\WDEf.txt' -Value '************************************************' WRITE_BATCH->$Path = $env:SystemRoot + '\Microsoft Antimalware\Support' + '\MPLOG*.log' WRITE_BATCH->Get-Content -Path $Path | Out-File -FilePath 'C:\PPF_Scan1\WDEf.txt' -Encoding "ASCII" -Append END_IF-> END_IF-> END_IF-> IF->%PPFS_PSEXISTS%=1 IF->%PPFS_WINVER%>=6.2 WRITE_BATCH->Set-Content -Path 'C:\PPF_Scan1\Apps.txt' -Value '**********************************************' WRITE_BATCH->Add-Content -Path 'C:\PPF_Scan1\Apps.txt' -Value '* Global Apps *' WRITE_BATCH->Add-Content -Path 'C:\PPF_Scan1\Apps.txt' -Value '**********************************************' WRITE_BATCH->GET-AppXPackage -AllUsers | format-list | Out-File -FilePath 'C:\PPF_Scan1\Apps.txt' -Encoding "ASCII" -Append WRITE_BATCH->Add-Content -Path 'C:\PPF_Scan1\Apps.txt' -Value '**********************************************' WRITE_BATCH->Add-Content -Path 'C:\PPF_Scan1\Apps.txt' -Value '* Apps Current User *' WRITE_BATCH->Add-Content -Path 'C:\PPF_Scan1\Apps.txt' -Value '**********************************************' WRITE_BATCH->GET-AppXPackage | format-list | Out-File -FilePath 'C:\PPF_Scan1\Apps.txt' -Encoding "ASCII" -Append SET_HEADLINE->Installed Apps#Installierte Apps REGISTRY_ENUM_SPECIAL_KEY->HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages -> ->Path SET_HEADLINE->Files of installed Apps#Dateien von installierten Apps SET_REGISTRY_FOLDER_SEARCH_STRING->* SET_OPTIONS->-205,-213 REGISTRY_TO_FILELIST->DIVIDED SET_OPTIONS->205,213 SET_REGISTRY_FOLDER_SEARCH_STRING-> END_IF-> END_IF-> IF->%PPFS_PSEXISTS%=1 START_SHELL->%Systemroot%\System32\WindowsPowerShell\v1.0\powershell.exe,-noprofile 
-executionpolicy bypass -file C:\PPFS_T\T1.ps1 END_IF-> SET_OPTIONS->-221 SET_HEADLINE->* ZAccess Search *#* ZAccess Suche * SEARCH_FILES->*.@ ->%SYSTEMROOT% SEARCH_FILES->@* ->%SYSTEMROOT% SEARCH_FOLDERS->U ->%SYSTEMROOT% SEARCH_FILES->*.@ ->%USERPROFILE% SEARCH_FILES->@* ->%USERPROFILE% SEARCH_FOLDERS->U ->%USERPROFILE% SEARCH_FILES->n ->%SystemDrive%\ SET_OPTIONS->221 SET_HEADLINE->LNK and URL files#Verknüpfungen EXCLUDE_SEARCH_FOLDER->Recent EXCLUDE_SEARCH_FOLDER->%SYSTEMROOT% SEARCH_LNK_FILES->*.lnk ->%SYSTEMDRIVE%\ SEARCH_LNK_FILES->*.url ->%SYSTEMDRIVE%\ EXCLUDE_SEARCH_FOLDER-> EXCLUDE_SEARCH_FOLDER->%SYSTEMROOT%\winsxs EXCLUDE_SEARCH_FOLDER->%SYSTEMROOT%\assembly SET_HEADLINE->Unsigned known executables#Unsignierte bekannte EXE-Dateien SEARCH_UNSIGNED_DOUBLES->*.exe ->%SYSTEMROOT% ->%SYSTEMDRIVE%\ SEARCH_UNSIGNED_DOUBLES->*.exe ->%SYSTEMROOT%\System32 ->%SYSTEMDRIVE%\ EXCLUDE_SEARCH_FOLDER->%SYSTEMROOT% SET_HEADLINE->Unsigned known modules#Unsignierte bekannte DLLs SEARCH_UNSIGNED_DOUBLES->*.dll ->%SYSTEMROOT% ->%SYSTEMDRIVE%\ SEARCH_UNSIGNED_DOUBLES->*.dll ->%SYSTEMROOT%\System32 ->%SYSTEMDRIVE%\ EXCLUDE_SEARCH_FOLDER-> COPY_FILES_IN_SUBFOLDERS->%APPDATA%\Mozilla\Firefox\Profiles\%DEPENDANT%\prefs.js>C:\PPF_Scan1\Firefox_prefs_%DEPENDANT%.txt COPY_FILES_IN_SUBFOLDERS->%APPDATA%\Opera\%DEPENDANT%\operaprefs.ini>C:\PPF_Scan1\%DEPENDANT%_prefs.txt COPY_FILES_IN_SUBFOLDERS->%APPDATA%\Opera Software\%DEPENDANT%\Preferences>C:\PPF_Scan1\%DEPENDANT%_prefs.txt CREATE_BATCH_FILE->%PROGDIR%OPERA.Sca WRITE_BATCH->COPY_FILES_IN_SUBFOLDERS->%Reg_Local_AppData%\Google\Chrome\User Data\%DEPENDANT%\Preferences>C:\PPF_Scan1\Google_Preferences_%DEPENDANT%.txt WRITE_BATCH->COPY_FILES_IN_SUBFOLDERS->%Reg_Local_AppData%\Google\Chrome\User Data\%DEPENDANT%\Secure Preferences>C:\PPF_Scan1\Google_Secure_Preferences_%DEPENDANT%.txt LOAD_SCRIPT->%PROGDIR%OPERA.Sca CREATE_FOLDER->C:\PPFS_T CREATE_BATCH_FILE->C:\PPFS_T\diskp.dat WRITE_BATCH->lis dis WRITE_BATCH->lis vol 
WRITE_BATCH->select disk 0 WRITE_BATCH->list partition CREATE_BATCH_FILE->C:\PPFS_T\diskp.bat WRITE_BATCH->diskpart /S C:\PPFS_T\diskp.dat > C:\PPF_SCAN1\Disks.txt WRITE_BATCH->schtasks /Query /V /fo list >> C:\PPF_SCAN1\Tasks.txt CREATE_BATCH_FILE->C:\PPF_SCAN1\Tasks.txt WRITE_BATCH->************************************************************** WRITE_BATCH->* Tasks * WRITE_BATCH->************************************************************** OPEN->C:\PPFS_T\diskp.bat SET_OPTIONS->205 EXCLUDE_SEARCH_FOLDER->%SYSTEMROOT%\WINSXS SET_HEADLINE->Gadget Settings#Gadget Einstellungen LIST_INI_CONTENT_OF_FILES->settings.ini ->%USERPROFILE%\AppData\Local\Microsoft\Windows Sidebar SET_HEADLINE->autoexec.bat files#Autoexec.bat Dateien LIST_CONTENT_OF_FILES->autoexec.bat ->%SYSTEMDRIVE%\ SET_HEADLINE->autoexec.nt files#Autoexec.nt Dateien LIST_CONTENT_OF_FILES->autoexec.nt ->%SYSTEMDRIVE%\ SET_HEADLINE->config.sys files#Config.sys Dateien LIST_CONTENT_OF_FILES->config.sys ->%SYSTEMDRIVE%\ SET_HEADLINE->config.nt files#Config.nt Dateien LIST_CONTENT_OF_FILES->config.nt ->%SYSTEMDRIVE%\ SET_HEADLINE->Winstart.bat files#Winstart.bat Dateien LIST_CONTENT_OF_FILES->Winstart.bat ->%SYSTEMDRIVE%\ EXCLUDE_SEARCH_FOLDER-> FILE_EXISTS_TO_ENV_VAR->%Systemroot%\System32\WindowsPowerShell\v1.0\powershell.exe>PPFS_PSEXISTS IF->%PPFS_PSEXISTS%=1 SLEEP->5000 CLOSE_SHELL-> END_IF-> FILE_EXISTS_TO_ENV_VAR->%Systemroot%\System32\WindowsPowerShell\v1.0\powershell.exe>PPFS_EXISTS IF->%PPFS_EXISTS%=1 IF->%PPFS_WINVER%>=6.0 CREATE_BATCH_FILE->C:\PPFS_T\T1.ps1 WRITE_BATCH-># by chentiangemalc WRITE_BATCH-># http://chentiangemalc.wordpress.com WRITE_BATCH-># Define our C# functions to extract info from Windows Security Center (WSC) via Windows API so we can call from PowerShell WRITE_BATCH->$wscDefinition = @" WRITE_BATCH-> // WSC_SECURITY_PROVIDER as defined in Wscapi.h or http://msdn.microsoft.com/en-us/library/bb432509(v=vs.85).aspx WRITE_BATCH->[Flags] WRITE_BATCH-> public enum 
WSC_SECURITY_PROVIDER : int WRITE_BATCH-> { WRITE_BATCH-> WSC_SECURITY_PROVIDER_FIREWALL = 1,// The aggregation of all firewalls for this computer. WRITE_BATCH-> WSC_SECURITY_PROVIDER_AUTOUPDATE_SETTINGS = 2, // The automatic update settings for this computer. WRITE_BATCH-> WSC_SECURITY_PROVIDER_ANTIVIRUS = 4,// The aggregation of all antivirus products for this computer. WRITE_BATCH-> WSC_SECURITY_PROVIDER_ANTISPYWARE = 8,// The aggregation of all anti-spyware products for this computer. WRITE_BATCH-> WSC_SECURITY_PROVIDER_INTERNET_SETTINGS = 16, // The settings that restrict the access of web sites in each of the Internet zones for this computer. WRITE_BATCH-> WSC_SECURITY_PROVIDER_USER_ACCOUNT_CONTROL = 32, // The User Account Control (UAC) settings for this computer. WRITE_BATCH-> WSC_SECURITY_PROVIDER_SERVICE = 64,// The running state of the WSC service on this computer. WRITE_BATCH-> WSC_SECURITY_PROVIDER_NONE = 0,// None of the items that WSC monitors. WRITE_BATCH-> WRITE_BATCH->// All of the items that the WSC monitors. WRITE_BATCH-> WSC_SECURITY_PROVIDER_ALL = WSC_SECURITY_PROVIDER_FIREWALL | WSC_SECURITY_PROVIDER_AUTOUPDATE_SETTINGS | WSC_SECURITY_PROVIDER_ANTIVIRUS | WRITE_BATCH-> WSC_SECURITY_PROVIDER_ANTISPYWARE | WSC_SECURITY_PROVIDER_INTERNET_SETTINGS | WSC_SECURITY_PROVIDER_USER_ACCOUNT_CONTROL | WRITE_BATCH-> WSC_SECURITY_PROVIDER_SERVICE | WSC_SECURITY_PROVIDER_NONE WRITE_BATCH-> } WRITE_BATCH-> WRITE_BATCH-> [Flags] WRITE_BATCH-> public enum WSC_SECURITY_PROVIDER_HEALTH : int WRITE_BATCH-> { WRITE_BATCH-> WSC_SECURITY_PROVIDER_HEALTH_GOOD, // The status of the security provider category is good and does not need user attention. WRITE_BATCH-> WSC_SECURITY_PROVIDER_HEALTH_NOTMONITORED, // The status of the security provider category is not monitored by WSC. WRITE_BATCH-> WSC_SECURITY_PROVIDER_HEALTH_POOR, // The status of the security provider category is poor and the computer may be at risk. 
WRITE_BATCH-> WSC_SECURITY_PROVIDER_HEALTH_SNOOZE, // The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer. WRITE_BATCH-> WSC_SECURITY_PROVIDER_HEALTH_UNKNOWN WRITE_BATCH-> } WRITE_BATCH-> WRITE_BATCH->// as defined in http://msdn.microsoft.com/en-us/library/bb432506(v=vs.85).aspx WRITE_BATCH-> [DllImport("wscapi.dll")] WRITE_BATCH-> private static extern int WscGetSecurityProviderHealth(int inValue, ref int outValue); WRITE_BATCH-> WRITE_BATCH->// code to call our interop function and return the relevant result based on what input value we provide WRITE_BATCH-> public static WSC_SECURITY_PROVIDER_HEALTH GetSecurityProviderHealth(WSC_SECURITY_PROVIDER inputValue) WRITE_BATCH-> { WRITE_BATCH-> int inValue = (int)inputValue; WRITE_BATCH-> int outValue = -1; WRITE_BATCH-> WRITE_BATCH-> int result = WscGetSecurityProviderHealth(inValue, ref outValue); WRITE_BATCH-> WRITE_BATCH-> foreach (WSC_SECURITY_PROVIDER_HEALTH wsph in Enum.GetValues(typeof(WSC_SECURITY_PROVIDER_HEALTH))) WRITE_BATCH-> if ((int)wsph == outValue) return wsph; WRITE_BATCH-> WRITE_BATCH-> return WSC_SECURITY_PROVIDER_HEALTH.WSC_SECURITY_PROVIDER_HEALTH_UNKNOWN; WRITE_BATCH-> } WRITE_BATCH->"@ WRITE_BATCH-> WRITE_BATCH->$wscType=Add-Type -memberDefinition $wscDefinition -name "wscType" -UsingNamespace "System.Reflection","System.Diagnostics" -PassThru WRITE_BATCH->"" > C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"##############################################################################################" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"## Security Center ##" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"##############################################################################################" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"Firewall: " + $wscType[0]::GetSecurityProviderHealth($wscType[1]::WSC_SECURITY_PROVIDER_FIREWALL) >> C:\PPF_Scan1\SecCenter.txt 
WRITE_BATCH->"Auto-Update: " + $wscType[0]::GetSecurityProviderHealth($wscType[1]::WSC_SECURITY_PROVIDER_AUTOUPDATE_SETTINGS) >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"Anti-Virus: " + $wscType[0]::GetSecurityProviderHealth($wscType[1]::WSC_SECURITY_PROVIDER_ANTIVIRUS) >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"Anti-Spyware: " + $wscType[0]::GetSecurityProviderHealth($wscType[1]::WSC_SECURITY_PROVIDER_ANTISPYWARE) >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"Internet Settings: " + $wscType[0]::GetSecurityProviderHealth($wscType[1]::WSC_SECURITY_PROVIDER_INTERNET_SETTINGS) >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"User Account Control: " + $wscType[0]::GetSecurityProviderHealth($wscType[1]::WSC_SECURITY_PROVIDER_USER_ACCOUNT_CONTROL) >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"WSC Service: " + $wscType[0]::GetSecurityProviderHealth($wscType[1]::WSC_SECURITY_PROVIDER_SERVICE) >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH-># some examples of checking the "health" status... WRITE_BATCH->if ($wscType[0]::GetSecurityProviderHealth($wscType[1]::WSC_SECURITY_PROVIDER_FIREWALL) -eq $wscType[2]::WSC_SECURITY_PROVIDER_HEALTH_POOR) WRITE_BATCH->{ WRITE_BATCH-> "Your firewall settings are lame." >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->} WRITE_BATCH-> WRITE_BATCH->if ($wscType[0]::GetSecurityProviderHealth($wscType[1]::WSC_SECURITY_PROVIDER_USER_ACCOUNT_CONTROL) -eq $wscType[2]::WSC_SECURITY_PROVIDER_HEALTH_POOR) WRITE_BATCH->{ WRITE_BATCH-> "Don't tell me you switched off UAC. oh dear." >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->} WRITE_BATCH-> WRITE_BATCH->if ($wscType[0]::GetSecurityProviderHealth($wscType[1]::WSC_SECURITY_PROVIDER_ANTIVIRUS) -eq $wscType[2]::WSC_SECURITY_PROVIDER_HEALTH_GOOD) WRITE_BATCH->{ WRITE_BATCH-> "At least you have anti-virus running and up-to-date." 
>> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->} WRITE_BATCH->"____________________________________" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"**********************" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"* AntiVirus *" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"**********************" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->Get-WmiObject -Namespace ROOT\Securitycenter2 -Class "AntiVirusProduct" | select displayName,instanceGuid,pathToSignedProductExe,pathToSignedReportingExe,productState >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"____________________________________" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"**********************" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"* Firewall *" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"**********************" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->Get-WmiObject -Namespace ROOT\Securitycenter2 -Class "FirewallProduct" | select displayName,instanceGuid,pathToSignedProductExe,pathToSignedReportingExe,productState >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"____________________________________" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"**********************" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"* AntiSpyware *" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"**********************" >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->Get-WmiObject -Namespace ROOT\Securitycenter2 -Class "AntiSpywareProduct" | select displayName,instanceGuid,pathToSignedProductExe,pathToSignedReportingExe,productState >> C:\PPF_Scan1\SecCenter.txt WRITE_BATCH->"____________________________________" >> C:\PPF_Scan1\SecCenter.txt START_SHELL->%Systemroot%\System32\WindowsPowerShell\v1.0\powershell.exe,-noprofile -executionpolicy bypass -file "C:\PPFS_T\T1.ps1" SLEEP->40000 CLOSE_SHELL-> END_IF-> END_IF-> IF->%PPFS_AvastExists%>0 REM->AVAST gefunden! 
START_SHELL->%SystemRoot%\system32\cmd.exe EXECUTE_IN_SHELL->XCOPY "%Reg_CommonAPPDATA%\AVAST Software\Avast\report\*.*" C:\PPF_Scan1\*.* /Y EXECUTE_IN_SHELL->XCOPY "%Reg_CommonAPPDATA%\AVAST Software\Avast\log\Avast-Browser-Cleanup.log" C:\PPF_Scan1\*.* /Y CLOSE_SHELL-> END_IF-> SET_OPTIONS->-205 TIME-> WAIT_FOR_TERMINATE->RootkitBuster.exe COPY_FILES->C:\PPFS_T\log\*.txt>C:\PPF_Scan1 COPY_FILES->C:\PPFS_T\log\*.log>C:\PPF_Scan1 COPY_FILES->C:\PPFS_T\TMRBLog\*.txt>C:\PPF_Scan1 COPY_FILES->C:\PPFS_T\TMRBLog\*.log>C:\PPF_Scan1 TIME-> COPY_SCANFILES->C:\PPF_Scan1 OPEN->C:\PPF_Scan1 END->
- Then click the Run Script button and confirm the message box that appears with Yes.
- Wait until the scanner closes itself.
- If a message appears, do not let the script abort!
- There will then be several text files in the folder C:\PPF_Scan1. Please upload all the files you find there at http://workupload.com/ and post the download links here in the forum.
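The script above reads a long list of registry autostart and hook locations (Winlogon values, AeDebug, GPExtensions, ShellServiceObjects, ShellExecuteHooks, the IFEO VerifierDlls "DoubleAgent" check) and then lists which of the referenced binaries are unsigned. The following PowerShell is an added example, not part of the PPFScan script or of the post, that does the same for a subset of those locations with built-in cmdlets only, so the reasoning behind the scanner's output can be checked by hand on a 64-bit Windows: each entry is resolved to a file, its Authenticode signature is checked with Get-AuthenticodeSignature, and everything that is not "Valid" is written to a CSV. The IFEO Debugger value and the fallback to the Wow6432Node CLSID view are additions beyond what the script reads; the output path under %TEMP% is an assumption. It is read-only and needs no elevation.

```powershell
# Added example (not the PPFScan script and not from the forum post): enumerate a subset of the
# persistence locations the script reads and report whether each referenced binary is signed.
# Read-only; changes nothing. Assumes the registry layout the PPFScan script above uses.

$results = New-Object System.Collections.Generic.List[object]

function Get-FirstPathToken {
    # Reduce a command line / DLL reference to the executable path: expands %VAR% strings,
    # honours quoted paths, and drops trailing arguments such as "-k netsvcs".
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $s = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        if ($end -gt 1) { return $s.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($s, '^(.+?\.(exe|dll|cpl|scr|sys))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $s
}

function Add-Check {
    param([string]$Category, [string]$Source, [string]$Raw)
    $path = Get-FirstPathToken $Raw
    if (-not $path) { return }
    # Bare file names (e.g. "ntdll.dll") are resolved via System32, as the loader does for these entries
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot "System32\$path" }
    $exists = Test-Path -LiteralPath $path
    $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString() } else { 'FileMissing' }
    $results.Add([pscustomobject]@{ Category = $Category; Source = $Source; Path = $path; Signature = $sig })
}

function Resolve-InprocServer {
    # CLSID -> DLL: 64-bit view first, then the WOW64 view (what the script's ON_64BIT blocks do by hand)
    param([string]$Clsid)
    foreach ($root in @('Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')) {
        $v = (Get-ItemProperty -Path "$root\$Clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($v) { return $v }
    }
    return $null
}

# 1. Single-value locations, native and WOW64 view where the script reads both
$single = @(
    @{ Cat = 'Winlogon VmApplet';          Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';             Val = 'VmApplet' },
    @{ Cat = 'Winlogon VmApplet (32-bit)'; Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'; Val = 'VmApplet' },
    @{ Cat = 'AeDebug Debugger';           Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug';              Val = 'Debugger' },
    @{ Cat = 'AeDebug Debugger (32-bit)';  Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug';  Val = 'Debugger' },
    @{ Cat = 'IconServiceLib';             Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';              Val = 'IconServiceLib' },
    @{ Cat = 'Screensaver';                Key = 'HKCU:\Control Panel\Desktop';                                             Val = 'SCRNSAVE.EXE' },
    @{ Cat = 'RDP-Tcp InitialProgram';     Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Val = 'InitialProgram' }
)
foreach ($e in $single) {
    $v = (Get-ItemProperty -Path $e.Key -Name $e.Val -ErrorAction SilentlyContinue).($e.Val)
    if ($v) { Add-Check $e.Cat "$($e.Key)\$($e.Val)" $v }
}

# 2. One value per subkey: GPExtensions DllName, IFEO VerifierDlls (DoubleAgent) and IFEO Debugger
foreach ($view in @('', 'Wow6432Node\')) {
    $gp = "HKLM:\SOFTWARE\${view}Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions"
    Get-ChildItem -Path $gp -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName
        if ($dll) { Add-Check 'GP extension' $_.PSChildName $dll }
    }
    $ifeo = "HKLM:\SOFTWARE\${view}Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.VerifierDlls) { Add-Check 'IFEO VerifierDlls (DoubleAgent)' $_.PSChildName ([string]$p.VerifierDlls) }
        if ($p.Debugger)     { Add-Check 'IFEO Debugger' $_.PSChildName ([string]$p.Debugger) }
    }
}

# 3. CLSID lists resolved through InprocServer32: ShellExecuteHooks (value names) and ShellServiceObjects (subkeys)
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$hooks = Get-ItemProperty -Path "$explorer\ShellExecuteHooks" -ErrorAction SilentlyContinue
if ($hooks) {
    $hooks.PSObject.Properties | Where-Object { $_.Name -like '{*}' } | ForEach-Object {
        $srv = Resolve-InprocServer $_.Name
        if ($srv) { Add-Check 'ShellExecuteHook' $_.Name $srv }
    }
}
Get-ChildItem -Path "$explorer\ShellServiceObjects" -ErrorAction SilentlyContinue | ForEach-Object {
    $srv = Resolve-InprocServer $_.PSChildName
    if ($srv) { Add-Check 'ShellServiceObject' $_.PSChildName $srv }
}

# Anything other than Valid deserves a look: NotSigned, HashMismatch, or a path that no longer exists
$results | Sort-Object Signature, Category | Format-Table -AutoSize
$results | Where-Object { $_.Signature -ne 'Valid' } |
    Export-Csv -Path "$env:TEMP\autostart_unsigned.csv" -NoTypeInformation   # assumed output location
```

A "FileMissing" row is as interesting as "NotSigned": a dangling DLL reference in GPExtensions or ShellServiceObjects is what a removed infection often leaves behind, and the scanner's file lists show the same thing as an empty entry.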
-
Hello AHT, after your adjustment the scan ran through: http://workupload.com/archive/eEEnLVw . I had also tried it again in the meantime, unfortunately without success!! During one of the attempts Windows pushed an update! All with the virus scanner disabled!
-
Too bad, manual work is needed now:
- Download TDSSKiller from here and run it (the guard of the virus scanner may need to be disabled):
- After the start a window End User Licence Agreement appears. Click Accept at the bottom there.
- At KSN Statement, also click Accept.
- If a reboot is requested, let it happen.
- The following window should then appear.
[Image: https://abload.de/img/12bs0f.jpg]
- Click on the small link Change Parameter there.
- Set the options there like this:
[Image: https://abload.de/img/1i5s43.jpg]
- Finally, also tick the box Loaded modules.
- If a reboot is requested:
- Let the reboot happen (click Reboot now).
- If everything worked, TDSSKiller will start itself after the reboot.
- Click Change Parameters again.
- Then tick all the boxes in the dialog that appears!
- Click the OK button.
- Click Start Scan.
- Wait until the scan is finished and the results are displayed.
- Do not close TDSSKiller; take a screenshot of the window that then appears.
- Upload the screenshot at http://abload.de/ and post it here in the forum (copy the direct link for forums and paste it here).
- You will then receive instructions from me on exactly how to set up the scanner to delete the rootkit.
-
Please tell me "how do you take a screenshot"? The scanner has finished!?
-
Open Paint.
Click the program you want a screenshot of (it must be active and in the foreground).
Press the Ctrl, Alt and Print keys at the same time.
Then choose Paste in Paint.
Then save the image. -
Oh crap, I don't have a program "Paint" and I can't find a "Print" key either! I have never done this before, never!! I am a computer toddler after all!
-
At the bottom of the scanner it says "Continue"; should I click that??
-
No, definitely not. Wait a moment; we will do it differently.
-
Do this:
- Do not close TDSSKiller!
- Start PPFScan.exe.
- When the program asks, let the 64-bit version of the scanner start.
- Paste the following text into the text entry field above the Run Script button (what is in the box, without the word Quellcode and the line numbers). Make sure that the entire contents of the box are displayed to you:
CREATE_FOLDER->C:\PPFS_Screenshots
MINIMIZE->
SLEEP->30000
COPY_SCREEN->C:\PPFS_Screenshots\Screen1.bmp
OPEN->C:\PPFS_Screenshots
END->
- Then click the Run Script button and confirm the message box that appears with Yes.
- The PPFScanner will minimize itself; make sure that TDSSKiller is then in the foreground and visible. If it is not visible, bring it to the foreground immediately.
- Wait one minute; a folder with a screenshot will then open: C:\PPFS_Screenshots\Screen1.bmp
- Then upload that file.
-
I found Paint and pasted the screen. I am desperate, "abload" now looks completely different. I can't get any further, please excuse me!
-
If need be, you can also upload the image at Workupload and paste the link here.
That works too. -
Sweat is running down my forehead, I hope it works like this: https://workupload.com/file/qGjCYtu
-
Unfortunately I only see your internet browser in the screenshot.
You should bring TDSSKiller to the foreground and leave it there until the screenshot has been taken.
With the script from here, the PPFscanner waits about a minute before it takes the screenshot. It does that so you can make the TDSSKiller window visible. I need to know exactly what TDSSKiller is showing right now, hence the screenshot. You will then have to set what it should delete, and I don't want you to delete something you will still need afterwards for the computer to work.
-
I hope it is better now: https://workupload.com/file/GvS33pQ