Win32trojano-1728

Dla specjalistów Bezpieczeństwo
#21

Ja nie wiem czy jestem aż taka głupia, ale to nadal nie działa. Naprawdę robię wszystko zgodnie ze wskazówkami ale to się nie chce zrobić.

(backup) nadal powraca a wpisy 09 nie chcą się usunąć.

Przesyłam ten log

Pozdr. :oops:

[“Silent Runners.vbs”, revision 41, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“IgfxTray” = “C:\WINDOWS\System32\igfxtray.exe” [“Intel Corporation”]

“HotKeysCmds” = “C:\WINDOWS\System32\hkcmd.exe” [“Intel Corporation”]

“SynTPLpr” = “C:\Program Files\Synaptics\SynTP\SynTPLpr.exe” [“Synaptics, Inc.”]

“SynTPEnh” = “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [“Synaptics, Inc.”]

“InCD” = “C:\Program Files\ahead\InCD\InCD.exe” [“Copyright © ahead software gmbh and its licensors”]

“NeroCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

“avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = “AcroIEHlprObj Class” [from CLSID]

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx” [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

“{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

“{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

“{E0D79307-84BE-11CE-9641-444553540000}” = “WinZip”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

“{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Unbind”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL” [MS]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS]

“{472083B0-C522-11CF-8763-00608CC02F24}” = “avast”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! igfxcui\DLLName = “igfxsrvc.dll” [“Intel Corporation”]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

Active Desktop and Wallpaper:

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\WINDOWS\HotbarWP.bmp”

Enabled Screen Saver:

HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS]

Startup items in “kasia” & “All Users” startup folders:

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

Explorer Bars

Dormant Explorer Bars in “View, Explorer Bar” menu

HKLM\Software\Classes\CLSID{2178C864-B8BC-41AE-A1FB-EB6A32F87EB1}\ = “ShopperReports – Price Comparison”

Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32(Default) = “C:\Program Files\ShopperReports\Bin\1.0.8.0\ShprRprt.dll” [file not found]

HKLM\Software\Classes\CLSID{66B90ADB-0BE3-40AE-8680-84A6F0577CA0}\ = “Web Assistant”

Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32(Default) = “C:\Program Files\HbTools\Bin\4.7.1.0\HbtHostIE.dll” [file not found]

HKLM\Software\Classes\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\ = “Hotbar Information Window”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\Program Files\HbTools\Bin\4.7.1.0\HbtHostIE.dll” [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{946B3E9E-E21A-49C8-9F63-900533FAFE14}\

“ButtonText” = “ShopperReports - Compare travel rates”

“CLSIDExtension” = “{454b4812-e572-4703-a1bb-63490809eac0}”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\ShopperReports\Bin\1.0.8.0\ShprRprt.dll” [file not found]

{E77EDA01-3C56-4A96-8D08-02B42891C169}\

“ButtonText” = “ShopperReports - Compare product prices”

“CLSIDExtension” = “{580a1f3f-89b4-433b-bbdb-b97aeb13f3fc}”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\ShopperReports\Bin\1.0.8.0\ShprRprt.dll” [file not found]

All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):

avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data]

avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data]

avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”]

avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”]

Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\System32\wbem\wmiapsrv.exe” [MS]

SmartLinkService, SLService, “slserv.exe” [" "]

Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”]

Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Monitor języka PJL\Driver = “PJLMON.DLL” [MS]

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 155 seconds.

  • The search for all Registry CLSIDs containing dormant Explorer Bars

took 19 seconds.

---------- (total run time: 225 seconds)]

i chyba się nie wkleiło…

#22

Spróbój jeszcze raz, był błąd:

Proszę otwierać Notatnik i wkleić:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG

Użyj Pocket Killbox. Zaznaczasz opcję Delete on Reboot i w polu Full Path of File to Delete wklejasz ścieżki

C:\WINDOWS\HotbarWP.bmp i naciskasz X czerwony. Program poprosi o reset kompa … czyli resetujesz.

Przejście do trybu awaryjnego Windows i uruchomienie pliku FIX.REG.

#23

Wiesz ja już nie mam siły do tego cały czas to samo…

Wklejam loga, ale tam chyba nic się nie zmieniło.

Czy jak zostanie tak jak jest to coś sie stanie?

Można sobie to podarować?

[“Silent Runners.vbs”, revision 41, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“IgfxTray” = “C:\WINDOWS\System32\igfxtray.exe” [“Intel Corporation”]

“HotKeysCmds” = “C:\WINDOWS\System32\hkcmd.exe” [“Intel Corporation”]

“SynTPLpr” = “C:\Program Files\Synaptics\SynTP\SynTPLpr.exe” [“Synaptics, Inc.”]

“SynTPEnh” = “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [“Synaptics, Inc.”]

“InCD” = “C:\Program Files\ahead\InCD\InCD.exe” [“Copyright © ahead software gmbh and its licensors”]

“NeroCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

“avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = “AcroIEHlprObj Class” [from CLSID]

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx” [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {CLSID}\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {CLSID}\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

“{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

“{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

“{E0D79307-84BE-11CE-9641-444553540000}” = “WinZip”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

“{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Unbind”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL” [MS]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS]

“{472083B0-C522-11CF-8763-00608CC02F24}” = “avast”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! igfxcui\DLLName = “igfxsrvc.dll” [“Intel Corporation”]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

-> {CLSID}\InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

Active Desktop and Wallpaper:

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\WINDOWS\HotbarWP.bmp”

Enabled Screen Saver:

HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS]

Startup items in “kasia” & “All Users” startup folders:

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

Explorer Bars

Dormant Explorer Bars in “View, Explorer Bar” menu

HKLM\Software\Classes\CLSID{2178C864-B8BC-41AE-A1FB-EB6A32F87EB1}\ = “ShopperReports – Price Comparison”

Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32(Default) = “C:\Program Files\ShopperReports\Bin\1.0.8.0\ShprRprt.dll” [file not found]

HKLM\Software\Classes\CLSID{66B90ADB-0BE3-40AE-8680-84A6F0577CA0}\ = “Web Assistant”

Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32(Default) = “C:\Program Files\HbTools\Bin\4.7.1.0\HbtHostIE.dll” [file not found]

HKLM\Software\Classes\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\ = “Hotbar Information Window”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\Program Files\HbTools\Bin\4.7.1.0\HbtHostIE.dll” [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{946B3E9E-E21A-49C8-9F63-900533FAFE14}\

“ButtonText” = “ShopperReports - Compare travel rates”

“CLSIDExtension” = “{454b4812-e572-4703-a1bb-63490809eac0}”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\ShopperReports\Bin\1.0.8.0\ShprRprt.dll” [file not found]

{E77EDA01-3C56-4A96-8D08-02B42891C169}\

“ButtonText” = “ShopperReports - Compare product prices”

“CLSIDExtension” = “{580a1f3f-89b4-433b-bbdb-b97aeb13f3fc}”

-> {CLSID}\InProcServer32(Default) = “C:\Program Files\ShopperReports\Bin\1.0.8.0\ShprRprt.dll” [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):

avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data]

avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data]

avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”]

avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”]

SmartLinkService, SLService, “slserv.exe” [" "]

Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Monitor języka PJL\Driver = “PJLMON.DLL” [MS]

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 106 seconds.

  • The search for all Registry CLSIDs containing dormant Explorer Bars

took 22 seconds.

---------- (total run time: 185 seconds)]

Pozdrawiam :frowning:

#24

Radykalne posunięcie i zakładam iż funkcja Przywracania systemu jest WYŁĄCZNA. Start do trybu awaryjngo z linią komend i:

RD /S /Q “C:\Program Files\ShopperReports”

RD /S /Q “C:\Program Files\HbTools”

Jak stworzyłaś FIX.REG. w trybie awaryjnym klikałaś 2 razy?

#25

Tak, funkcja przywracania systemu jest wyłączona.

Co do ShooperReports i HbTools to fizycznie nie mam ich w Program Files, kiedy szukam następuje otwarcie strony www która nie może się otworzyć ale to chyba normalne w trybie awaryjnym.

Co do klikania, tak a potem jeszcze więcej i…

jest jakiś dziwny komunikat, że to nie może tak być bo to wewnętrzne itp…

Przepraszam, że tak głowę zawracam ale sama sobie nie poradzę.

Pozdrawiam

Kasia :frowning:

#26

Ok poradziłem się Picasso, ponieważ nie miałem pomysłu:

Więc 2 sposoby:

  1. AWARYJNY.

  2. Start >>> Uruchom >>> cmd >>> zostawić okno otworzone na wierzchu

  3. Alt+Ctr+Del i zabić explorer.exe

  4. W linii komend cmd wpisać:

RD /S /Q C:\PROGRA~1\SHOPPE~1

RD /S /Q C:\PROGRA~1\HBTOOLS

DEL C:\WINDOWS\HotbarWP.bmp

Jeśli komendy dadzą “Odmowę dostępu” to jest definitywnie problem uprawnień i należy nadać sobie prawa jak opisane w przyklejonym Windows

  1. W Menedżerku zadań: Nowe Zadanie >>> C:\WINDOWS\regedit i skasować zespół kluczy:

HKEY_LOCAL_MACHINE\Software\Classes\CLSID{2178C864-B8BC-41AE-A1FB-EB6A32F87EB1}

HKEY_LOCAL_MACHINE\Software\Classes\CLSID{66B90ADB-0BE3-40AE-8680-84A6F0577CA0}

HKEY_LOCAL_MACHINE\Software\Classes\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions{946B3E9E-E21A-49C8-9F63-900533FAFE14}

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions{E77EDA01-3C56-4A96-8D08-02B42891C169}

A zapewne będzie konieczne przed kasacją przyznanie sobie uprawnień do tych kluczy.

A w kluczu:

HKEY_CURRENT_USER\Control Panel\Desktop

Podwójny klik na wartość Wallpaper i usunąć ścieżkę C:\WINDOWS\HotbarWP.bmp