Me too on about:blank

Discussion in 'adware, spyware & hijack cleaning' started by wbsak03, May 11, 2004.

Thread Status:
Not open for further replies.
  1. wbsak03

    wbsak03 Registered Member

    Joined:
    May 11, 2004
    Posts:
    6
    I ran SpyBot S&D a couple of days ago; it found a few more things than the adaware I ran before that. I am experiencing the about:blank browser hijack. It looks like that is the only spyware left on my system. I was even duped into paying for some spyware removal s/w that found some other stuff and then asked me to pay before it would clean. That didn't do it, live and learn. As a stopgap measure I installed and am running SpyWareGuard to keep the browser from being hijacked. However, it doesn't do this silently, so the annoyance level has increased until I searched around and found you guys! My log follows; as you caution, I defer to your wisdom before blasting anything on my system. Thank you.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:51:23 PM, on 5/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
    C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Enigma Software Group\SpyHunter\MemScanner.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\System32\taskmgr.exe
    C:\Documents and Settings\All Users\Documents\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS07
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\boko.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\boko.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\boko.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.8/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {E9EEDCB4-9EEE-4860-B258-B8EE51EABF2C} - C:\WINNT\System32\boko.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [MemScanner] C:\Program Files\Enigma Software Group\SpyHunter\MemScanner.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/camp/clickbank/SWNInstaller.exe
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
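
Added example, not part of the original thread and not code from HijackThis: the script below parses HijackThis `R` and `O2` lines and reports any DLL that is both the target of a `res://` search or start-page setting and loaded as a Browser Helper Object, which is the pattern boko.dll shows in the log above. The function name `triage`, the regular expressions and the sample string (lines copied from that log) are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input assembled for this example from lines of the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS07
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\boko.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\boko.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\boko.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.8/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {E9EEDCB4-9EEE-4860-B258-B8EE51EABF2C} - C:\WINNT\System32\boko.dll
"""

# "R0 - <registry key,value name> = <data>" (R3 lines without " =" are skipped)
R_ENTRY = re.compile(r"^R[0-3] - (?P<key>.+?) = ?(?P<value>.*)$")
# DLL path embedded in a res:// URL, e.g. res://C:\dir\x.dll/page.html
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)
# "O2 - BHO: <name> - {CLSID} - <path>"
BHO_ENTRY = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)


def triage(log_text):
    """Return one finding per DLL that IE settings point into via res://."""
    res_refs = defaultdict(list)  # dll path (lowercase) -> settings pointing at it
    bhos = defaultdict(list)      # dll path (lowercase) -> [(clsid, name), ...]
    for line in log_text.splitlines():
        line = line.strip()
        m = R_ENTRY.match(line)
        if m:
            dll = RES_DLL.search(m.group("value"))
            if dll:
                res_refs[dll.group(1).lower()].append(m.group("key"))
            continue
        m = BHO_ENTRY.match(line)
        if m:
            bhos[m.group("path").lower()].append((m.group("clsid"), m.group("name")))

    findings = []
    for dll, keys in res_refs.items():
        loaded_as = bhos.get(dll, [])
        findings.append({
            "dll": dll,
            "hijacked_settings": keys,
            "bho_clsids": [clsid for clsid, _ in loaded_as],
            # "(no name)" alone is weak evidence (the Adobe helper is unnamed too);
            # the useful signal is the same DLL appearing in both roles.
            "unnamed_bho": any(name == "(no name)" for _, name in loaded_as),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["dll"], len(f["hijacked_settings"]), f["bho_clsids"], f["unnamed_bho"])
```
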
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  3. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Things have somewhat changed now, there is no longer a log.txt but two new created text files, which provide all necessary info in one step.

    After you've unzipped to a folder of choice (where the txt files will be stored also) run the FindAll.bat inside and copypaste the contents of :

    output.txt

    windows.txt

    Thnx

    Cheers,
     
  4. wbsak03

    wbsak03 Registered Member

    Joined:
    May 11, 2004
    Posts:
    6
    As you requested, output.txt and windows.txt from FindAll (now that I look, windows.txt has mostly non printable stuff, but I included it anyway)

    --===**'FIND-ALL' VERSION 3, 5/11**===--


    Wed May 12 13:23:38 2004 -- Results:
    *System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "" (7426:6746) - FS:NTFS clusters:4k
    Total: 40 015 953 920 [37G] - Free: 33 658 847 232 [31G]


    Locked or 'Suspect' file(s) found...


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
    @="SpywareGuard Download Protection"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E9EEDCB4-9EEE-4860-B258-B8EE51EABF2C}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{CF166B43-50D7-4B72-A6B7-19D01803CC9C}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{CF166B43-50D7-4B72-A6B7-19D01803CC9C}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    application/octet-stream
    {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
    C:\WINNT\System32\mscoree.dll

    application/x-complus
    {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
    C:\WINNT\System32\mscoree.dll

    application/x-msdownload
    {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
    C:\WINNT\System32\mscoree.dll

    Class Install Handler
    {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}
    C:\WINNT\system32\urlmon.dll

    deflate
    {8f6b0360-b80d-11d0-a9b3-006097942311}
    C:\WINNT\system32\urlmon.dll

    gzip
    {8f6b0360-b80d-11d0-a9b3-006097942311}
    C:\WINNT\system32\urlmon.dll

    lzdhtml
    {8f6b0360-b80d-11d0-a9b3-006097942311}
    C:\WINNT\system32\urlmon.dll

    text/html
    {CF166B43-50D7-4B72-A6B7-19D01803CC9C}
    C:\WINNT\System32\boko.dll

    text/plain
    {CF166B43-50D7-4B72-A6B7-19D01803CC9C}
    C:\WINNT\System32\boko.dll

    text/webviewhtml
    {733AC4CB-F1A4-11d0-B951-00A0C90312E1}
    %SystemRoot%\system32\SHELL32.dll

    {0AD77229-1EFD-4C75-9A48-DE8BB478FF41} C:\WINNT\System32\boko.dll
    {6B600F14-0A8A-4593-8041-EAB9B4C17C62} C:\WINNT\System32\boko.dll
    {8B00563E-CF69-4F71-9171-6BD00D012620} C:\WINNT\System32\boko.dll
    {B127A41F-C626-407D-8EE1-CBF95603E8ED} C:\WINNT\System32\boko.dll
    {CF166B43-50D7-4B72-A6B7-19D01803CC9C} C:\WINNT\System32\boko.dll
    {DD82C171-3EB8-4C6A-A16F-0B97B32A9C3C} C:\WINNT\System32\boko.dll
    {DF852CD6-535A-4887-BC88-CA1BBD6B865C} C:\WINNT\System32\boko.dll
    {DF9A1DA0-23C0-101B-B02E-FDFDFDFDFDFD} C:\WINNT\System32\boko.dll
    {E9EEDCB4-9EEE-4860-B258-B8EE51EABF2C} C:\WINNT\System32\boko.dll
    {0AD77229-1EFD-4C75-9A48-DE8BB478FF41} C:\WINNT\System32\boko.dll
    {6B600F14-0A8A-4593-8041-EAB9B4C17C62} C:\WINNT\System32\boko.dll
    {8B00563E-CF69-4F71-9171-6BD00D012620} C:\WINNT\System32\boko.dll
    {B127A41F-C626-407D-8EE1-CBF95603E8ED} C:\WINNT\System32\boko.dll
    {CF166B43-50D7-4B72-A6B7-19D01803CC9C} C:\WINNT\System32\boko.dll
    {DD82C171-3EB8-4C6A-A16F-0B97B32A9C3C} C:\WINNT\System32\boko.dll
    {DF852CD6-535A-4887-BC88-CA1BBD6B865C} C:\WINNT\System32\boko.dll
    {DF9A1DA0-23C0-101B-B02E-FDFDFDFDFDFD} C:\WINNT\System32\boko.dll
    {E9EEDCB4-9EEE-4860-B258-B8EE51EABF2C} C:\WINNT\System32\boko.dll
    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    

    regf       Pugf hbin  ¨ÿÿÿnk, D} °ŒÃ ÿÿÿÿ ÿÿÿÿÿÿÿÿ ° x ÿÿÿÿ 0  s o  Windows ÿÿÿsk x x  Ô  „¸ È   ¤       !  €  !  ?          ?               Øÿÿÿvk  €   fùAppInit_DLLsÖæG h Ðÿÿÿvk  È   ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  x ðÿÿÿ9 0  ë=tÀÐÿÿÿvk  €'   zGDIProcessHandleQuota"þàÿÿÿvk  8   °ºSpooler2ðÿÿÿy e s
    Ñ_å h ˜ è  ` àÿÿÿvk  €   5swapdiskÐÿÿÿvk  Ø   . TransmissionRetryTimeoutàÿÿÿh ˜ è  ` € Ð Ðÿÿÿvk  €'   % USERProcessHandleQuota
     
  5. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Thnx!

    Grrr the hidden dll (which is responsible for re-infection) is not visible yet :(

    We need to identify that one before we can proceed.

    Try this method (you will need the program later anyway) :

    Download reglite :

    http://www.resplendence.com/reglite

    Open it

    Browse to (by doubleclicking on the folders) :

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

    -Rename the Folder Windows
    to NotWindows highlighted as a purple folder
    in the left hand pane of reglite.

    - then doubleclick "AppInit_DLLs" and tell us if it shows a dll (in the value box)

    If it does, note it down and paste it here please.

    Then rename notwindows back to windows and restart PC

    Thnx

    Cheers,
     
  6. wbsak03

    wbsak03 Registered Member

    Joined:
    May 11, 2004
    Posts:
    6
    I renamed the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows and dblclicked AppInit_DLLs, the value for this key is blank. That is Key= ....\NotWindows, Value name AppInit_DLLs, Type REG_SZ, Size 1, Type no. 00000001, Value has no characters in it.

    I haven't done anything else, no fix attempt in HiJackThis, No CWShredder. Awaiting your next command. Thanks.
     
  7. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Ok thnx,

    Still no luck :(

    I hope this proggy will show it.

    Download and run this program :

    StartDreck

    DoubleClick: 'StartDreck.exe'
    Hit: config
    hit: Unmark all
    Check these boxes only:
    Registry->run keys
    System/drivers> Running processes
    hit >ok.

    Post the contents of the log here please

    Thnx

    Cheers,
     
  8. wbsak03

    wbsak03 Registered Member

    Joined:
    May 11, 2004
    Posts:
    6
    StartDreck output, Thanks.

    StartDreck (build 2.1.5 public BETA) - 2004-05-13 @ 06:50:38
    Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)

    »Registry
    »Run Keys
    »Current User
    »Run
    *MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
    »RunOnce
    »Default User
    »Run
    »RunOnce
    »Local Machine
    »Run
    *IgfxTray=C:\WINNT\System32\igfxtray.exe
    *HotKeysCmds=C:\WINNT\System32\hkcmd.exe
    *Gateway Ink Monitor="C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
    *VetTray=C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    *QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
    *SpyHunter=C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    *MemScanner=C:\Program Files\Enigma Software Group\SpyHunter\MemScanner.exe
    *Installed=1
    *NoChange=1
    *Installed=1
    *Installed=1
    »RunOnce
    »RunServices
    »RunServicesOnce
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    *00000000=<unkown>
    *00000004=<unkown>
    *00000248=\SystemRoot\System32\smss.exe
    *00000288=<unkown>
    *000002A0=\??\C:\WINNT\system32\winlogon.exe
    *000002CC=C:\WINNT\system32\services.exe
    *000002D8=C:\WINNT\system32\lsass.exe
    *00000378=C:\WINNT\system32\svchost.exe
    *000003EC=C:\WINNT\System32\svchost.exe
    *00000480=<unkown>
    *0000049C=<unkown>
    *000005C0=C:\WINNT\Explorer.EXE
    *000005E4=C:\WINNT\system32\spoolsv.exe
    *000006C8=C:\WINNT\System32\hkcmd.exe
    *000006D0=C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
    *000006D8=C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    *000006FC=C:\Program Files\QuickTime\qttask.exe
    *000007B0=C:\Program Files\Enigma Software Group\SpyHunter\MemScanner.exe
    *000007C4=<unkown>
    *00000098=C:\WINNT\system32\ZoneLabs\vsmon.exe
    *000000C4=C:\Program Files\Messenger\msmsgs.exe
    *000001A8=C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    *000001C8=C:\Program Files\SpywareGuard\sgmain.exe
    *00000268=C:\Program Files\SpywareGuard\sgbhp.exe
    *00000464=C:\Program Files\Outlook Express\msimn.exe
    *000006EC=C:\Program Files\Internet Explorer\IEXPLORE.EXE
    *00000BCC=C:\Program Files\Internet Explorer\IEXPLORE.EXE
    *00000100=C:\Documents and Settings\All Users\Documents\StartDreck\startdreck\StartDreck.exe
    »Application specific
     
  9. wbsak03

    wbsak03 Registered Member

    Joined:
    May 11, 2004
    Posts:
    6
    Have you guys given up on me? Unzy, we have the same birthday, April 27, there's got to be some karma there. What gives?
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    We haven't given up, but we can't see the blasted file that is causing the reinstallation and the damage in your computer yet,

    we will find something that will show it so hang on a while longer please
     
  11. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Indeed Derek, well said :)

    wbsak03, someone (freeatlast) noticed that this must be a different variant, yours is not in the system32 folder but in the windows folders.

    We can try to nuke it using another method.

    First redownload this tool (updated, should say 3.1) :

    http://www10.brinkster.com/expl0iter/freeatlast/Find-All.zip

    Run it again (findall.bat)

    Copypaste both output.txt and windows.txt here (yes it looks funny but copypaste anyway, as there might be some readable lines in it, although in your case I hope it looks clean)

    After doing so we can try removing via safe mode or other programs (CopyLock, KillBox...)

    Hoping to hear from you soon

    Same birthday? yea there's gotta be some karma in that :cool:

    Cheers,
     
  12. wbsak03

    wbsak03 Registered Member

    Joined:
    May 11, 2004
    Posts:
    6
    This is an incredibly insidious hijacker, thank you for all your help. Here is the Find-All output:

    --===**'FIND-ALL' VERSION 3.1, 5/13**===--


    Sat May 15 10:36:17 2004 -- Results:
    *System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "" (7426:6746) - FS:NTFS clusters:4k
    Total: 40 015 953 920 [37G] - Free: 33 530 781 696 [31G]


    Locked or 'Suspect' file(s) found...


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
    @="SpywareGuard Download Protection"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E9EEDCB4-9EEE-4860-B258-B8EE51EABF2C}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
    "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
    "CLSID"="{CF166B43-50D7-4B72-A6B7-19D01803CC9C}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
    "CLSID"="{CF166B43-50D7-4B72-A6B7-19D01803CC9C}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Full access ATHOME\Owner
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM
    Full access ATHOME\Owner


    
    regf       Pugf hbin  ¨ÿÿÿnk, °qæy“8Ä ÿÿÿÿ ÿÿÿÿÿÿÿÿ ð x ÿÿÿÿ 0  yTim Windows Ðþÿÿsk x x    „Ü ø   È       !  €  !  ?          ?       $ ?    <` ®{Î-©¾8Äë      <` ®{Î-©¾8Äë   <` ®{Î-©¾8Ä Øÿÿÿvk  €   y AppInit_DLLs'  ¨ Ðÿÿÿvk     v DeviceNotSelectedTimeoutðÿÿÿ1 5  x ðÿÿÿ9 0 HandleÐÿÿÿvk  €'   GDIProcessHandleQuotak àÿÿÿvk  x   dlSpooler ðÿÿÿy e s ë=tÀ ¨ Ø ( X * àÿÿÿvk  €   y swapdiskÐÿÿÿvk     utTransmissionRetryTimeoutàÿÿÿ¨ Ø ( X * À  Ðÿÿÿvk  €'   USERProcessHandleQuota À
     