Trojan - nie mam pewności czy na 100% go delete


(Xlogginx) #1

Cześć

Ściągnąłem trojana przez przypadek.Niby go usunąłem z kosza,ale nie mam pewności czy z kompa.Proszę o pomoc.

Logi:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:24:12, on 2008-11-20

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal


Running processes:

H:\Windows\system32\Dwm.exe

H:\Windows\system32\taskeng.exe

H:\Windows\Explorer.EXE

H:\Program Files\Alwil Software\Avast4\ashDisp.exe

H:\Program Files\Windows Media Player\wmpnscfg.exe

H:\Windows\system32\wbem\unsecapp.exe

H:\Program Files\Internet Explorer\iexplore.exe

H:\Program Files\IDM Computer Solutions\UltraEdit\Uedit32.exe

H:\Program Files\foobar2000\foobar2000.exe

H:\Windows\system32\igfxsrvc.exe

H:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [OutpostMonitor] H:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice

O4 - HKLM\..\Run: [OutpostFeedBack] "H:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup

O4 - HKLM\..\Run: [avast!] H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - H:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - H:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - AppInit_DLLs: h:\progra~1\agnitum\outpos~1\wl_hook.dll

O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - H:\Windows\System32\DreamScene.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\PROGRAMY\A-SQUARED FREE\a2service.exe

O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - H:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - H:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - H:\Windows\system32\nvvsvc.exe

O23 - Service: O&O Defrag - O&O Software GmbH - H:\Windows\system32\oodag.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - H:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe


--

End of file - 4499 bytes

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/

Operating System: Windows Vista

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE H:\Windows\system32\NvCpl.dll,NvStartup" [MS]

"OutpostMonitor" = "H:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice" [null data]

"OutpostFeedBack" = ""H:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup" [null data]

"avast!" = "H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Groove GFS Browser Helper"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{00020d75-0000-0000-c000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "H:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "H:\Program Files\WinRAR\rarext.dll" [null data]

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"

  -> {HKLM...CLSID} = "Groove GFS Browser Helper"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"

  -> {HKLM...CLSID} = "Groove Folder Synchronization"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"

  -> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"

  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"

  -> {HKLM...CLSID} = "Groove XML Icon Handler"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Outlook File Icon Extension"

                   \InProcServer32\(Default) = "H:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]

"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

  -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

                   \InProcServer32\(Default) = "H:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

                   \InProcServer32\(Default) = "H:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

                   \InProcServer32\(Default) = "H:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"

  -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"

                   \InProcServer32\(Default) = "H:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "H:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "H:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "H:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "H:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "H:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

<> "{E31004D1-A431-41B8-826F-E902F9D95C81}" = "Windows DreamScene"

  -> {HKLM...CLSID} = "Windows DreamScene"

                   \InProcServer32\(Default) = "H:\Windows\System32\DreamScene.dll" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"

  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\

<> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]


HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

                   \InProcServer32\(Default) = "H:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]


HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "H:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]


HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "H:\Program Files\Agnitum\Outpost Firewall Pro\op_shell.dll" [null data]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "H:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"

  -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"

                   \InProcServer32\(Default) = "H:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "H:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]


HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "H:\Program Files\Agnitum\Outpost Firewall Pro\op_shell.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "H:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]


HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"

  -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"

                   \InProcServer32\(Default) = "H:\Program Files\Agnitum\Outpost Firewall Pro\op_shell.dll" [null data]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "H:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "H:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]


HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]



Default executables:

--------------------


<> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}


"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{User Configuration|Administrative Templates|System|

Prevent access to registry editing tools}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\


"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}


"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Behavior Of The Elevation Prompt For Standard Users}


"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Detect Application Installations And Prompt For Elevation}


"EnableLUA" = (REG_DWORD) dword:0x00000000

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Run All Administrators In Admin Approval Mode}


"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Only elevate UIAccess applications that are installed in secure locations}


"EnableVirtualization" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Virtualize file and registry write failures to per-user locations}


"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Switch to the secure desktop when prompting for elevation}


"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}


"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Admin Approval Mode for the Built-in Administrator Account}


"EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}


"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "H:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows Photo Gallery\Tapeta z Galerii fotografii systemu Windows.jpg"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "H:\Users\Uzer\AppData\Roaming\Microsoft\Windows Photo Gallery\Tapeta z Galerii fotografii systemu Windows.jpg"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "H:\Windows\system32\Aurora.scr" [MS]



Windows Portable Device AutoPlay Handlers

-----------------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\


MPCPlayCDAudioOnArrival\

"Provider" = "Media Player Classic"

"InvokeProgID" = "MediaPlayerClassic.Autorun"

"InvokeVerb" = "PlayCDAudio"

HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = ""H:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd" ["Gabest"]


MPCPlayDVDMovieOnArrival\

"Provider" = "Media Player Classic"

"InvokeProgID" = "MediaPlayerClassic.Autorun"

"InvokeVerb" = "PlayDVDMovie"

HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = ""H:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd" ["Gabest"]


MPCPlayMusicFilesOnArrival\

"Provider" = "Media Player Classic"

"InvokeProgID" = "MediaPlayerClassic.Autorun"

"InvokeVerb" = "PlayMusicFiles"

HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = ""H:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]


MPCPlayVideoFilesOnArrival\

"Provider" = "Media Player Classic"

"InvokeProgID" = "MediaPlayerClassic.Autorun"

"InvokeVerb" = "PlayVideoFiles"

HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = ""H:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]


NeroAutoPlay2AudioToNeroDigital\

"Provider" = "Nero Burning ROM"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "PlayCDAudioOnArrival_AudioToNeroDigital"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_AudioToNeroDigital\command\(Default) = "H:\Program Files\Ahead\nero\nero.exe /Dialog:SaveTracksND /Drive:%L" ["Ahead Software AG"]


NeroAutoPlay2CDAudio\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "H:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" ["Ahead Software AG"]


NeroAutoPlay2CopyCD\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "PlayCDAudioOnArrival_CopyCD"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "H:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" ["Ahead Software AG"]


NeroAutoPlay2DataDisc\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "HandleCDBurningOnArrival_DataDisc"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "H:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" ["Ahead Software AG"]


NeroAutoPlay2LaunchNeroStartSmart\

"Provider" = "Nero StartSmart"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "H:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" ["Ahead Software AG"]


NeroAutoPlay2RipCD\

"Provider" = "Nero Burning ROM"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "PlayCDAudioOnArrival_RipCD"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_RipCD\command\(Default) = "H:\Program Files\Ahead\nero\nero.exe /Dialog:SaveTracks /Drive:%L" ["Ahead Software AG"]


NeroAutoPlay7AudioToNeroDigital\

"Provider" = "Nero Burning ROM"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "H:\Program Files\Nero\Nero 7\Core\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]


NeroAutoPlay7CDAudio\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "H:\Program Files\Nero\Nero 7\Core\nero.exe -w /New:AudioCD" ["Nero AG"]


NeroAutoPlay7CopyCD\

"Provider" = "Nero Burning ROM"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "H:\Program Files\Nero\Nero 7\Core\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]


NeroAutoPlay7DataDisc\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "DataDisc_HandleCDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\DataDisc_HandleCDBurningOnArrival\command\(Default) = "H:\Program Files\Nero\Nero 7\Core\nero.exe -w /New:ISODisc" ["Nero AG"]


NeroAutoPlay7LaunchNeroStartSmart\

"Provider" = "Nero StartSmart"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "LaunchNeroStartSmart_HandleCDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\LaunchNeroStartSmart_HandleCDBurningOnArrival\command\(Default) = "H:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]


NeroAutoPlay7PlayAudioCD\

"Provider" = "Nero ShowTime"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "H:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]


NeroAutoPlay7PlayDVD\

"Provider" = "Nero ShowTime"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "H:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]


NeroAutoPlay7RipCD\

"Provider" = "Nero Burning ROM"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "RipCD_PlayCDAudioOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "H:\Program Files\Nero\Nero 7\Core\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]


NeroAutoPlay7TranscodeVideo\

"Provider" = "Nero Recode"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "H:\Program Files\Nero\Nero 7\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]


NeroAutoPlay7VideoCapture\

"Provider" = "Nero Vision"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = ""H:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe" /New:VideoCapture"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

  -> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"

                   \LocalServer32\(Default) = "H:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]


NeroAutoPlay7ViewPhotos\

"Provider" = "Nero PhotoSnap Viewer"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "H:\Program Files\Nero\Nero 7\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]


WIA_{20C6FE67-3BCA-4907-B95C-78C8C84F8CAA}\

"Provider" = "Microsoft Office Word"

"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"

"InitCmdLine" = "/WiaCmd;H:\Program Files\Microsoft Office\Office12\WINWORD.EXE /IMG_WIA;"

  -> {HKLM...CLSID} = "WPDShextAutoplay"

                   \LocalServer32\(Default) = "H:\Windows\system32\WPDShextAutoplay.exe" [MS]


WIA_{304E4BE8-344C-4DFB-A791-C0552C373FDD}\

"Provider" = "Photoshop"

"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"

"InitCmdLine" = "/WiaCmd;G:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe /StiDevice:%1 /StiEvent:%2;"

  -> {HKLM...CLSID} = "WPDShextAutoplay"

                   \LocalServer32\(Default) = "H:\Windows\system32\WPDShextAutoplay.exe" [MS]



Startup items in "Uzer" & "All Users" startup folders:

------------------------------------------------------


WARNING! "Uzer" startup folder not found!



Non-disabled Scheduled Tasks:

-----------------------------


H:\Windows\System32\Tasks

"{51328906-CDCB-4963-ABFC-FD820ECC1A6D}" -> launches: "H:\Windows\system32\pcalua.exe -a "H:\Users\Uzer\Desktop\deamon Dark Warez\Setup\DTPro4100218Advanced.exe" -d "H:\Users\Uzer\Desktop\deamon Dark Warez\Setup"" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client

"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"

  -> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"

                   \InProcServer32\(Default) = "H:\Windows\system32\msdrm.dll" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth

"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient

"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"

  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"

                   \InProcServer32\(Default) = "H:\Windows\system32\dimsjob.dll" [MS]

"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"

  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"

                   \InProcServer32\(Default) = "H:\Windows\system32\dimsjob.dll" [MS]

"UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"

  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"

                   \InProcServer32\(Default) = "H:\Windows\system32\dimsjob.dll" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program

"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]

"OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\Defrag

"ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c -i" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic

"Microsoft-Windows-DiskDiagnosticDataCollector" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\Media Center

"ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]

"mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0) -gc" [MS]

"OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]

"OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery" [MS]

"UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\MobilePC

"HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"

  -> {HKLM...CLSID} = "HotStart User Agent"

                   \InProcServer32\(Default) = "H:\Windows\System32\HotStartUserAgent.dll" [MS]

"TMM" -> launches: "{35EF4182-F900-4632-B072-8639E4478A61}"

  -> {HKLM...CLSID} = "Transient Multi-Monitor Manager"

                   \InProcServer32\(Default) = "H:\Windows\System32\TMM.dll" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\MUI

"LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\Multimedia

"SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"

  -> {HKLM...CLSID} = "Microsoft PlaySoundService Class"

                   \InProcServer32\(Default) = "H:\Windows\System32\PlaySndSrv.dll" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection

"NAPStatus UI" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}"

  -> {HKLM...CLSID} = "Nap ITask Handler Implementation"

                   \InProcServer32\(Default) = "H:\Windows\System32\QAgent.dll" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\PLA\System

"ConvertLogEntries" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\RAC

"RACAgent" -> (HIDDEN!) launches: "%windir%\system32\RacAgent.exe" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance

"RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\Shell

"CrawlStartPages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2}"

  -> {HKLM...CLSID} = "CrawlStartPages Task Handler"

                   \InProcServer32\(Default) = "H:\Windows\System32\srchadmin.dll" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\SideShow

"GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"

  -> {HKLM...CLSID} = "GadgetsManager Class"

                   \InProcServer32\(Default) = "H:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore

"SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\Tcpip

"IpAddressConflict1" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]

"IpAddressConflict2" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework

"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"

  -> {HKLM...CLSID} = "MsCtfMonitor task handler"

                   \InProcServer32\(Default) = "H:\Windows\system32\MsCtfMonitor.dll" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\UPnP

"UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\WDI

"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"

  -> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"

                   \InProcServer32\(Default) = "H:\Windows\System32\wdi.dll" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting

"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]


H:\Windows\System32\Tasks\Microsoft\Windows\Wired

"GatherWiredInfo" -> launches: "%windir%\system32\gatherWiredInfo.vbs" [null data]


H:\Windows\System32\Tasks\Microsoft\Windows\Wireless

"GatherWirelessInfo" -> launches: "%windir%\system32\gatherWirelessInfo.vbs" [null data]


H:\Windows\System32\Tasks\Microsoft\Windows Defender

"MP Scheduled Scan" -> (HIDDEN!) launches: "h:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]

000000000005\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000006\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]


Transport Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 18



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{F2CF5485-4E02-4F68-819C-B92DE9277049}"

  -> {HKLM...CLSID} = "&Links"

                   \InProcServer32\(Default) = "H:\Windows\system32\ieframe.dll" [MS]


Explorer Bars


HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\


HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]


HKLM\SOFTWARE\Classes\CLSID\{A1A7E22D-1587-4230-8F16-081C68D21448}\(Default) = "Ustawienia"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "H:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll" [null data]


HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "H:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{2670000A-7350-4F3C-8081-5663EE0C6C49}\

"ButtonText" = "Wyślij do programu OneNote"

"MenuText" = "Wyślij &do programu OneNote"

"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"

  -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"

                   \InProcServer32\(Default) = "H:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


a-squared Free Service, a2free, ""D:\PROGRAMY\A-SQUARED FREE\a2service.exe"" ["Emsi Software GmbH"]

Agnitum Client Security Service, acssrv, "H:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe" [null data]

avast! Antivirus, avast! Antivirus, ""H:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]

avast! iAVS4 Control Service, aswUpdSv, ""H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]

avast! Mail Scanner, avast! Mail Scanner, ""H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""H:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

NVIDIA Display Driver Service, nvsvc, "H:\Windows\system32\nvvsvc.exe" ["NVIDIA Corporation"]

O&O Defrag, O&O Defrag, "H:\Windows\system32\oodag.exe" ["O&O Software GmbH"]

Routing i dostęp zdalny, RemoteAccess, "H:\Windows\system32\svchost.exe -k netsvcs" {"H:\Windows\System32\mprdim.dll" [MS]}

StarWind AE Service, StarWindServiceAE, "H:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe" ["Rocket Division Software"]

Usługa Protokół SSTP, SstpSvc, "H:\Windows\system32\svchost.exe -k LocalService" {"H:\Windows\system32\sstpsvc.dll" [MS]}

Usługa udostępniania portów Net.Tcp, NetTcpPortSharing, ""H:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"" [MS]

Windows Driver Foundation — User-mode Driver Framework, wudfsvc, "H:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"H:\Windows\System32\WUDFSvc.dll" [MS]}

Windows Image Acquisition (WIA), stisvc, "H:\Windows\system32\svchost.exe -k imgsvc" {"H:\Windows\System32\wiaservc.dll" [MS]}



---------- (launch time: 2008-11-20 14:25:02)

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 65 seconds.

---------- (total run time: 107 seconds)

(Gutek) #2

Zmiana zasad wklejania logów na forum - viewtopic.php?f=16&t=253052

W HJT nic nie widać