This is a quick translation, made with the Yahoo engine, of the page at the link...
Manipulation
The Manipulation is a free, manual procedure that we developed in order:
to decontaminate a Windows PC hit by a boot attack (an attack that installs itself in the Windows startup phase, generally of the hijacker type)
to install a set of free preventive tools and fixes so that it does not happen again
to stop endlessly repeating the same answers to every Internet user in distress on every forum
You are encouraged to share this address - the MANIPULATION at http://66.196.80.202/babelfish/trans...Fla_manip.html
Do not copy this page, which changes very quickly; link to it instead.
Stages of the Manipulation
Preliminary precaution: fake security utilities
Preliminary precaution: corrupted Windows components
The SFC command
Preliminary precautions: Internet Explorer, Outlook and Windows Media Player
Empty the Internet Explorer cache
Erase the history of visited links
Disable ActiveX controls
Disable iFrames
Disable illicit retrieval of the clipboard contents
Preliminary precaution: traces
Preliminary precaution: Windows Explorer
Show hidden files and folders in Windows Explorer
Stage 1 - Deal with the CWS.SmartKiller case
Stage 2 - Run the machine through the antivirus
With your antivirus
With an online antivirus
Stage 3 - Install, configure and use SpyBot Search & Destroy
SSD_01 - Download SpyBot Search & Destroy
SSD_02 - Launch SpyBot Search & Destroy
SSD_03 - Initial loading of SpyBot Search & Destroy
SSD_04 - TeaTimer - the real-time resident module of SpyBot Search & Destroy
SSD_05 - Choosing the language of SpyBot Search & Destroy
SSD_06 - Choosing the behavior of SpyBot Search & Destroy
SSD_07 - Updates of SpyBot Search & Destroy
SSD_08 - Immunizing Internet Explorer with SpyBot Search & Destroy
SSD_09 - SDHelper, the blocker of SpyBot Search & Destroy
SSD_10 - Revealing the tools of SpyBot Search & Destroy
SSD_11 - Checking that ActiveX controls are harmless with SpyBot Search & Destroy
SSD_12 - Checking that BHOs are harmless with SpyBot Search & Destroy
SSD_13 - Installing a hosts file with SpyBot Search & Destroy
SSD_14 - Checking the integrity of the Winsock LSPs with SpyBot Search & Destroy
SSD_15 - IE settings - IE Tweaks with SpyBot Search & Destroy
SSD_16 - Opt-Out in SpyBot Search & Destroy
SSD_17 - Selecting all the modules of SpyBot Search & Destroy
SSD_18 - Preserving some cookies with SpyBot Search & Destroy
SSD_19 - Launching the removal scan with SpyBot Search & Destroy
SSD_20 - Analyzing the scan produced by SpyBot Search & Destroy
Stage 4 - The case of the CoolWebSearch gang
Stage 5 - Deal with the hijacker problem
Stage 6 - Deal with the problems of the Microsoft Java virtual machine
Stage 7 - Apply all the security patches
Stage 8 - Windows privacy settings with XP-Antispy
Stage 9 - Windows privacy settings with Safe XP
Stage 10 - Monitor the startup list
Stage 11 - optional - disabling the toolbars, without eradication
Stage 12 - DLLs of the AppInit_DLLs key
Stage 13 - Clean the restore points
Understanding the security issues raised by restore points
Enable - Disable - Re-enable the restore points in Win XP
Enable - Disable - Re-enable the restore points in Win Me
Epilogue - Firewall, antivirus and anti-spam
Still have a problem?
Producing a HiJackThis log
Complementary preventive measures (almost mandatory)
Recap for helpers and for victims of hijacks and boot attacks
--------------------------------------------------------------------------------
Manipulation
Preliminary precaution: fake security utilities
Danger, attention: a great many so-called security utilities are Trojan horses carrying parasites. Perhaps you installed one of them in all good faith. Assiste.com invites you to check, on this list of fake security utilities, that you are not using one of the very many so-called anti-spyware, anti-adware or antivirus tools which are trojans carrying one or more parasites in order to install them on your disks.
Preliminary precaution: corrupted Windows components
If Windows reports a corrupted component, or if you systematically get an error message when using a Windows component (and to make sure and reassure yourself), run the SFC command in “command prompt” mode. Your Windows CD-ROM must be inserted in a CD-ROM drive.
SFC: the Windows file inspector (System File Checker)
It checks the protected system files and replaces files of an incorrect version with the correct Microsoft versions. It requires the original Windows CD-ROM if certain healthy components are not present on your hard drive in the protected Windows area (the DLL cache folder) where the healthy versions are stored.
The use to be made of it here is simply to open a command prompt window
Start > All Programs > Accessories > Command Prompt
Type sfc /scannow (mind the space character between sfc and /scannow).
Press the “Enter” key and simply wait for the end of the analysis. A progress bar shows you how far the work has got.
[Figure: command prompt window and the command to type.]
[Figure: progress bar showing the state of the work.] This work can last from 5 to 10 minutes and slows down other work considerably.
SFC sometimes needs to find an original of a component on your Windows CD-ROM.
Preliminary precautions: Internet Explorer, Outlook and Windows Media Player
Do you use Internet Explorer? The best solution is never to use Internet Explorer again and to prefer, by far, Mozilla Firefox. Install Firefox and enjoy browsing that is much more user-friendly, reliable, fully respectful of Internet standards, faster, up to date, without the dangers of BHOs, without the catastrophes of ActiveX, with a browser whose source code is public (open source), supported by all the players of the Internet, multi-platform, open to third-party plugins, secured, etc… Most of the boot attacks of which you are a victim, and which are the reason you are here, in “the Manipulation”, right now, come from the use of Internet Explorer.
In any case, if you have used Internet Explorer, empty the cache and the temporary files. Disable ActiveX, iFrames, paste operations…
Launch Internet Explorer (this can be done offline) and do the following:
IE > Tools > Options > “General” tab
Empty the Internet Explorer cache.
Click on “Delete files” and check the box “Delete all offline content”
Erase the history of visited links.
Click on “Clear history”
Disable ActiveX controls.
Internet Explorer > Tools > Internet Options > Security tab > Disable ActiveX controls - the procedure is shown in images on this page.
Disable iFrames.
Internet Explorer > Tools > Internet Options > Security tab > Internet > Custom level > Disable “Launching programs and files in an IFRAME” - the procedure is shown in images on this page.
Disable illicit retrieval of the clipboard contents
Internet Explorer > Tools > Internet Options > Security tab > Internet > Custom level > Disable “Allow paste operations via script” (or select “Prompt”, which lets you “trace” those that try to make use of it).
Is your mail program Outlook (or Outlook Express)? The way it works as an infernal couple with Internet Explorer makes your system vulnerable. It is useless to try to configure it to harden it. Replace it with Thunderbird, the mail tool of the Mozilla foundation, developed in the same spirit as Firefox. Thunderbird is a recent open-source application, whose code programmers all over the world have been able to scrutinize and improve day by day, unlike Outlook, which is a proprietary product, old, not very user-friendly and made up of successive layers of fixes for its security holes, then fixes for the fixes, etc… Read the article “Thunderbird” on Arobase.org.
Do you use Windows Media Player, installed by force by Microsoft in every Windows, as your media file player? It is one of Microsoft's super spies, intended ultimately to hem you in (profiling, digital rights management (DRM) used as a means of bringing users into line, etc…), and which, through vulnerabilities and with the ASF format, allows remote code execution. Start by denying it any access to the Net by blocking it in your firewall (see further down if you do not have a firewall yet). Then replace it with an alternative such as WinAmp, or the free product, available in French, VideoLAN (VLC media player), or MPC - Media Player Classic, also under a public licence.
Preliminary precaution: traces
Before moving on to the analysis of your system, its decontamination and then its hardening, start by cleaning it of all the useless and temporary files and of the traces of activity liable to be exploited by profilers, etc… which are lying around more or less everywhere and some of which, precisely, contain parasites. For a complete and automatic cleaning, including if you use browsers other than Internet Explorer, install and use a general-purpose cleaner now: CCleaner (CrapCleaner). In particular, it is likely to conveniently destroy temporary files containing viruses and other parasites.
To empty your DNS cache:
Start > Run > ipconfig /flushdns
Preliminary precaution: Windows Explorer
You will have to look for files and folders in your directories. By default, a stubborn Windows setting hides a good part of the files and folders when you use Windows Explorer. So as not to risk missing an object you are looking for:
Windows Explorer
Show hidden files and folders in Windows Explorer:
Start > All Programs > Accessories > Windows Explorer > Tools > Folder Options > View
Under Hidden files and folders, select “Show hidden files and folders”.
“Hide extensions for known file types” must NOT be checked
“Hide protected operating system files” must NOT be checked
Click on “Apply to All Folders” and click through the Windows warning message.
Click on “Apply”
OK
Close the window
This setting must be kept permanently.
Stage 1 - Deal with the CWS.Smartkiller case
Make sure there is no parasite known as CWS.Smartkiller, which blocks the use of many security programs and blocks access to several security sites. It is a variant (CoolWWWSearch.SmartKiller (v1 and v2) - January 2004) of the CoolWebSearch family of parasites which automatically closes several anti-spyware and anti-trojan tools each time you open them and which even closes your browser windows when you go to the sites of these anti-spyware and anti-trojan tools. If this is your case:
Download and first run miniremoval_coolwebsearch_smartkiller (http://www.safer-networking.org/files/delcwssk.zip) by Patrick Kolla (the author of SpyBot Search and Destroy, which is also targeted by this parasite). If the official site is inaccessible, a copy is available here.
Size: 51.2 KB (52 461 bytes)
MD5 - c7ad54938c7c0b19492628e7cead01e5
SHA1 - 7e99a586ed7d41b26c75a5cc993c8b67ff7f738f
It is a very small zipped program (the .zip is called delcwssk.zip and the utility to run, once decompressed, is called “miniremoval_coolwebsearch_smartkiller.exe”; Patrick Kolla! why make it simple when one can make it complicated!!!). It runs directly - there is no installation phase.
If “miniremoval_coolwebsearch_smartkiller.exe” tells you “CoolWWWSearch.SmartKiller (v1/v2) has not been found on your system”, all is well; otherwise, it destroys it.
Stage 2 - Run the machine through the antivirus and the anti-trojan
Make sure there are no (more) known viruses.
If you have an antivirus installed (free or commercial)
Update its signature database
Scan and disinfect.
Restart the computer
If you do not have an antivirus installed,
you can, as you choose:
use an online antivirus (free)
For more safety, you can use a browser other than Internet Explorer (install and use Mozilla Firefox) with Java installed (in that case you will use Trend's online antivirus, which is written in Java); otherwise you will unfortunately have to use Internet Explorer with ActiveX controls enabled.
Run one or more online antiviruses.
Restart the computer
use a free antivirus: you can install Antivir and configure it as follows: http://speedweb1.free.fr/frames2.php?page=tuto5
Make sure there are no (more) known non-viral parasites (trojans, etc…).
In all cases, use the Ewido anti-spyware.
If you have an anti-trojan installed (free or commercial)
Update its signature database
Scan and disinfect.
Restart the computer
If you do not have an anti-trojan installed,
you can use online anti-trojans (free)
For more safety, you can use a browser other than Internet Explorer (install and use Mozilla Firefox) with Java installed (in that case you will use the online anti-trojan of PC Flank - Trojans Test); otherwise you will unfortunately have to use Internet Explorer with ActiveX controls enabled.
Run one or more online anti-trojans.
Restart the computer
you must install and use Ewido anti-spyware (a commercial tool which is fully functional for 30 days) and analyze your whole system with it.
Stage 3 - Install, configure and use SpyBot Search & Destroy
In this stage, we start looking for the parasites and eliminating them (curative phase). We could bring in several specialized utilities to find and eliminate several forms of parasites. Let us stay simple and economical in this standard manipulation by using a free “all in one” utility which, even if it does not go as far as the others in each field, covers them all (or almost).
At the same time, this utility provides preventive protection, a phase which almost all commercial utilities ignore, so that the corrected problem does not recur.
If you insist on using the best tools, there are very specialized commercial utilities in each field and the major tool, by far the best, which covers them all, PestPatrol, which you can buy online and use immediately.
If one stays with free tools, this stage is vast and involves using SpyBot Search & Destroy with a digression, for each function covered by SpyBot, towards each alternative that is also free and more powerful. The following are thus used in this stage:
SpyBot Search and Destroy
SpywareBlaster
SpywareGuard
LSPs Fix
Follow the directions for use of SpyBot Search and Destroy on this page.
You can now exit SpyBot Search & Destroy
Stage 4 - The case of the CoolWebSearch gang
Deal specifically with the CoolWebSearch case. It is a vast family of hijackers which have in common that they exploit the ByteCodeVerifier security hole of the Microsoft Java virtual machine. Some CoolWebSearch affiliates use another security hole, JS.Exception.Exploit, against which Microsoft has published a patch. A little further down, we will recommend that you change Java virtual machine for more stability and reliability. There is no point in correcting the problem here if the cause of the problem is not eradicated.
CoolWebSearch, general case
Download CWShredder, which does not require installation
Close all your instances of Internet Explorer
Close all your instances of Windows Explorer
Close all your instances of Notepad
Close all your instances of MediaPlayer
Launch CWShredder
Start by updating it by clicking on the “Check for update” button
Click on the “Fix” button and wait 1 to 2 minutes.
Click on the “Exit” button
CoolWebSearch, particular case: Realyellowpage (CWS.Realyellowpage)
If your Internet Explorer starts on the CoolWebSearch sites real-yellow-page.com, drxcount.biz, list2004.com or linklist.cc (but there may be others unknown to date), carry out the Realyellowpage (CWS.Realyellowpage) eradication procedure.
Stage 5 - Deal with the hijacker problem
A “hijack” is a usurpation (of your browser's start page setting, of your browser settings, blocks and/or redirections embedded in your hosts file, etc…). You have to deal with the hijackers, which modify the settings so that when your browser launches you are directed to a site of their choosing instead of yours. Everything has been said about hijackers and anti-hijackers, so see these pages:
Hijackers, to know what we are talking about
Anti-hijackers, to fix the problem and protect yourself
If you use Internet Explorer and it prevents you from going to certain security sites, it is possible that modifications were made to the trusted zones and the restricted zones of Internet Explorer. Use DelDomains.
Stage 6 - Deal with the problem of the Microsoft Java virtual machine
Replace the Microsoft Java virtual machine with that of the creator of Java, Sun. That one, at least, by force of circumstance respects the Java standard.
Since Service Pack 1a (SP1a) for Internet Explorer and Windows, published on February 3, 2003, Microsoft has withdrawn its Java Virtual Machine (JVM), no longer supports it (no more maintenance or updates) and recommends using Sun's. Moreover, the lawsuit lost by Microsoft leaves it no alternative. If you installed “Service Pack 1a - SP1a” you no longer have a Microsoft Java virtual machine. You need to install the Sun JVM (Java Virtual Machine) and:
either destroy Microsoft's, which is buggy and does not conform to the standard
or keep Microsoft's but force Internet Explorer to use Sun's (why? because Microsoft implemented exotic functions, outside all standards, which certain webmasters unfortunately hastened to use).
Apply the procedure explained on this page
Sun JVM versus Microsoft JVM
There you will find the following information
Installing the Sun JVM
Uninstalling the Microsoft JVM
Option to use the 2 JVMs alternately
Parameters for monitoring the execution of Java
Stage 7 - Apply all the security patches
Go to the Microsoft site, Windows Update, and apply all patches and fixes (at least all “critical updates” and all “service packs”). You must go there with Internet Explorer and with ActiveX controls enabled.
Attention - if your machine is currently compromised (infected), do not install SP2. Wait until you have decontaminated your machine before doing so.
Microsoft Windows Update
Microsoft BSA
As soon as you have finished with Microsoft, disable ActiveX in the Internet Explorer security settings (and iFrames as well).
Stage 8 - Windows privacy settings with XP-Antispy
On returning from Windows Update, check certain Windows privacy settings.
Run the XP-Antispy utility
Follow the advice given on the page of this utility. Strictly follow the links given on that page (there are counterfeits of XP-Antispy carrying parasites, including backdoors)
Stage 9 - Windows privacy settings with Safe XP
Complete the work of XP-Antispy with a utility of a comparable nature that supplements it.
Safe XP
Follow the advice given on the page of this utility.
Stage 10 - Monitor the startup list
SpyBot's TeaTimer (see the beginning of stage 3) lets you monitor your startup list. If you chose not to install SpyBot's TeaTimer module, then install RegistryProt, a tiny utility which will alert you as soon as anything is attempted at any one of the locations of this list, and they are numerous. SpyBot's TeaTimer is more powerful than RegistryProt.
RegistryProt
Install it; that is all.
Stage 11 - Disabling the toolbars, without eradication (optional stage)
For users of Internet Explorer version 6 and later under Windows 98/SE/Me/NT4/2000/XP/Server 2003 who want to avoid the problem of hijacking of their browser's start page and/or prevent more or less dubious toolbars and additional search bars from being displayed, apply the procedure for disabling third-party toolbars and browser helper objects described in Microsoft Knowledge Base article 298931 (http://support.microsoft.com/default...d=kb;fr;298931).
Close all instances of Internet Explorer, click Start, point to Settings, then click Control Panel.
Double-click Internet Options.
Click the Advanced tab.
Under Browsing, clear the check box “Enable third-party browser extensions (requires restart)”.
Restart Internet Explorer.
These steps change the data of the string value “Enable Browser Extensions” to “No” in the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Let us be clear: this procedure only disables the toolbars and browser helper objects previously installed by parties other than Microsoft. This procedure does not eradicate these malicious objects. They remain on your machine. This procedure does not prevent the installation of new malware, which will simply be disabled but which can still install itself.
Stage 12 - DLLs of the AppInit_DLLs key
A key that is very rarely compromised, but nightmarish if it is. See, if need be, AppInit_DLLs and the cleaning procedure.
Stage 13 - Clean the restore points
If, at the end of the Manipulation, your computer, decontaminated and hardened, seems to work correctly, it is time to clean the restore points. On the systems which have them (XP Pro, XP Home and Me),
disable the system restore points in order to eliminate the copies of parasites stored in areas inaccessible to antivirus tools, anti-trojan tools, etc…
Re-enable the restore points in order to create a new, uncontaminated restore point.
About restore points
Understanding the security issues raised by restore points
http://assiste.com/p/comment/activer..._desactivation
Enable - Disable - Re-enable the restore points in Windows XP (Home and Pro)
http://assiste.com/p/comment/activer...tion.php#winxp
Enable - Disable - Re-enable the restore points in Windows Me (Windows Millennium Edition)
http://assiste.com/p/comment/activer...tion.php#winme
END OF THE MANIPULATION
--------------------------------------------------------------------------------
Epilogue - Firewall, antivirus and anti-spam
There: with the above you will feel more confident, provided you have
a firewall (a real one, not the Windows XP toy - there are good free ones such as Personal Firewall (by Kerio))
an antivirus (a real one, real-time, not an online gadget - there are free ones)
an anti-spam tool to filter your mail - there are good free ones, such as SpamPal.
Still have a problem?
If there remains a problem which this general-purpose manipulation did not solve, I suggest that you:
Produce a HiJackThis log
Post your question in the HiJackThis forum, starting by copying the log produced by HiJackThis into it.
Complementary preventive measures (almost mandatory)
Please apply the following recommendations, which complement the phases of the Manipulation that already introduced preventive layers:
As far as possible, especially in a company or professional environment, switch to Mozilla.
Run XP-Antispy
Run Safe-XP
Run Zeb Protect
Thank you for having read this far
Cordially
Pierre
Assiste.com
Help me
--------------------------------------------------------------------------------
Recap for helpers and for victims of hijacks and boot attacks
Advice to budding helpers:
Help others only if you know what you are talking about and have good reflexes.
It stands to reason that reinstalling Internet Explorer serves strictly no purpose.
It goes without saying, but it goes better when said, that the first things to look at in a HiJackThis log are:
The version of Windows used
The update level of this version - without up-to-date patches, it is useless to help somebody, it is like pissing in a violin. In 2 hours they are back on the forums with the same problem (and others).
The version of Internet Explorer used
The update level of this version - same remark as above
The version of HiJackThis used - if it is not the very latest, immediately ask the person you are helping to redo a log with the latest up-to-date version of HJT
Immediately check, in the first part of the HiJackThis log, that an antivirus and a firewall are installed; otherwise it is useless to continue a cleaning that is lost in advance.
Proposing a reformat is an insult and a proof of incompetence. It is the opposite of help.
Most of this procedure must be carried out while the person you are helping has administrator privileges, is in safe mode and has the restore points disabled. Do not forget these basic instructions.
An answer of the kind “Google is your friend” (implying “sort it out yourself and search”) could be punished by exclusion from the forums. Of course, whoever calls for help must first be their own “helper” but, once they have arrived here, it is our duty of assistance to answer them. They arrived here because they searched. The helpers' weariness at always repeating the same things does not justify losing one's temper.
Avoid cookie-cutter answers, stupid and empty, which risk getting your knuckles rapped, of the kind “Run an antivirus”, “Install an anti-popup”, “Restore your start page with the Internet Explorer options”, “Try HiJackThis”, etc…
Manipulation
Manipulation - curative and preventive anti-malware procedure
http://assiste.com/manip.html
Prohibited utilities
Fake security utilities and suspect sites
If you find one of these utilities in a visitor's log, ask them to uninstall it and to redo their log.
Advanced tricks
HijackThis: create a shortcut to launch HiJackThis and add the switch /ihatewhitelists at the end. The log is much more extensive.
Finding out whether a domain is hostile - groups R0 and R1 of an HJT log and everywhere else
List of CoolWebSearch domains
http://www.spywareinfo.com/~merijn/junk/cws_domains.txt
Alteration or hidden creation of Hosts - group O1 of an HJT log
The 4 types of O1 lines take the form:
O1 - Hosts: 216.177.73.139 ieautosearch (any request to go to the site ieautosearch is redirected to the machine 216.177.73.139 which hosts the usurping site w__.igetnet.com/). Dozens of lines of this kind can appear.
O1 - Hosts: 127.0.0.1 www.spywareinfo.com (any request to go to the www.spywareinfo.com site, a computer security site, is blocked: the malware protects itself and prevents you from finding the solution). Dozens of lines of this kind can appear.
O1 - Hosts file is located at C:\Windows\Help\hosts (it is a fake hosts file - it must be destroyed and the line “fixed”)
O1 - Hosts: 1123694712 auto.search.msn.com (the IP address is masked in a decimal encoding. Use the debug mode of CWShredder to convert it). Explanations are on the page “Decoding a base-10 IP to IPv4”.
Checking the legitimacy of a BHO or a toolbar (by its CLSID) - groups O2 and O3 of an HJT log
TonyK's BHO & Toolbar List
http://www.computercops.biz/CLSID.html
http://www.allsecpros.com/toolbarlist.txt
http://www.cjwdavis.co.uk/SpywareBlaster/bholist.txt
Checking the legitimacy, uselessness or hostility of a process - group O4 of an HJT log
[start] AnswersThatWork.com List Task < - +++
[Start] Extracted the Liutilities database < - +++
[start] AZpcHelp
[start] Microsoft DLLs dataBase
[start] Greatis
[start] John Mayer
[start] Microsoft Knowledge dataBase - the KB
[start] PacMan Startup List < - +++
[start] PestPatrol spins information < - +++
[start] PestPatrol quick
[start] S. Prevost
[start] Windows Startup
[Start] Mirror of PacMan List
[Start] Absolute Startup
Legitimate or malicious LSPs - group O10 of an HJT log
http://www.castlecops.com/LSPs.html
How to restore the Winsock LSPs
http://assiste.com/p/comment/restaurer_winsock_lsp.php
Toolbox (WHOIS, NsLookUp, TraceRoute, environment variables, Ping, proxy test) - group O17 of an HJT log
http://www.all-nettools.com/toolbox
Hostile style sheets - group O19 of an HJT log
These lines, for example, are hostile
O19 - User style sheet: c:\WINDOWS\Java\my.css
O19 - User style sheet: c:\windows\my.css
O19 - User style sheet: C:\WINDOWS\Web\oslogo.bmp
Tools of analysis and eradication
HiJackThis [with tutorial]
CWShredder
SpywareBlaster
SpywareGuard
SpyBot Search & Destroy [with tutorial]
AD-aware [with tutorial]
PestPatrol [with tutorial]
Commercial antiviruses
Free antiviruses
Anti-spywares
Anti-trojans commercial
Anti-trojans free
Mozilla
miniremoval_coolwebsearch_smartkiller
LSPs Fix
Process Viewer by ShadowWar. For finding DLLs hidden in the new forms of CWS-type hijack - a small how-to by the author at http://www.teamcti.com/pview/prcview.htm helps
Start.Chm fix by ShadowWar. Primarily against the latest start.chm variant of CWS
Registrar Lite
StartDreck: log of the processes, the “run” keys and the services
Win98Fix: various small tools against the CoolWebSearch AboutBlank attack
Tool against a file that cannot be deleted
The Kill Box
Launch The KillBox and, in the text field, enter the full path to the file to be destroyed.
Click on “Delete”.
If that does not work, use the “Delete on reboot” function, then reboot and let it run at restart.
You may have to go into the properties of the file, “Security” tab (see Windows XP and the “Security” tab), add yourself as a user and give yourself “full control”.
Tools against the “res://” and “sp.html” variants
About:Buster
About:Buster (by RubbeR DuckY) is the answer against the res:// variant of About:Blank. About:Buster is of no use against the other hijack variants, only against the variant of the form
res://<random>.dll/<random>.html#<random>
and, with a little luck, against the form known as sp.html
res://<random>.dll/sp.html
<random> meaning, since the question has been asked several times, “a random name, changing all the time and generated on the fly” - in other words, anything.
Directions for use of About:Buster
Download About:Buster
Unzip it and put a shortcut on your desktop.
Close all Internet Explorer instances, all windows and all programs.
Empty all the caches of your browsers (with SpyBot Search & Destroy for example).
Make a HiJackThis log and fix all DLLs of the O4 group which have random names, as well as the BHO(s) of a comparable nature. All known DLLs and BHOs (legitimate or not) are mentioned on the Web - if you search for a DLL or BHO name and get no result, it is hostile and to be fixed. Fixing the hijacked R0 and R1 lines is not useful for the moment, but you can do it.
Restart in safe mode (it must be safe mode).
Double-click About:Buster.
OK
Start
OK
A scan is carried out (wait a few seconds).
Save the log of this scan in any .txt file so that you can find it if you need to consult a helper on a forum.
Run a second scan, to see.
If you get a “Removing Error” message, it is a file that cannot be destroyed. In that case see “Tool against a file that cannot be deleted” just above.
Restart in normal mode.
Launch HiJackThis and post your log in this forum.
Another tool, Hsremove.exe, against the res:// and sp.html variants (for Windows 2000 and XP)
Another tool, SpHjfix.exe, against the res:// and sp.html variants. In English. The 2 sites publishing this utility are in German but it is completely unnecessary to read them to use this tool. They are http://www.trojaner-info.de and http://www.rokop-security.de.
Execution error with certain utilities - Visual Basic runtime
Several of the utilities above are written in Visual Basic. You must have the Visual Basic interpreter (the “runtime”).
http://www.microsoft.com/downloads/
Download and install.
Missing file MSCOMCTL.OCX
Missing files
Tools to assist the helpers
HiJackThis Hot Keys
Tutorials
How to start in safe mode
Restore points
How to disable the restore points under Windows XP
How to disable the restore points under Windows Me
What is a BHO
Trojan horses
Hosts
Uninstalling an ActiveX control, and anti-ActiveX
Disabling iFrames
ActiveX controls
The startup list
CoolWebSearch and its hijackers
Online tools
Online antivirus
Penetration tests
Online anti-spyware and anti-trojan tools
Decoding tools
Kind regards... copied from elsewhere
But I was warned that it breaks into the machine and tampers with your files...
Please check and verify
Thank you
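The four kinds of O1 - Hosts lines listed in the HijackThis notes above (plain redirect, blocked security site, relocated hosts file, address hidden in base-10) can be triaged mechanically, including the decimal-to-IPv4 conversion the text delegates to CWShredder's debug mode. The following Python is an added example, not part of the original post and not code from HijackThis or CWShredder; the sample log is constructed from the lines quoted above, and the default hosts paths and the set of security-site names are assumptions.

```python
import ipaddress
import re

# Constructed sample: the four O1 line shapes quoted in the article, plus one
# harmless localhost entry for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: 216.177.73.139 ieautosearch
O1 - Hosts: 127.0.0.1 www.spywareinfo.com
O1 - Hosts file is located at C:\Windows\Help\hosts
O1 - Hosts: 1123694712 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
"""

# Assumption: usual hosts file locations on Windows 9x/Me and NT/2000/XP.
DEFAULT_HOSTS = {
    r"c:\windows\hosts",
    r"c:\windows\system32\drivers\etc\hosts",
    r"c:\winnt\system32\drivers\etc\hosts",
}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
# Assumption: names the analyst treats as security sites. Only
# www.spywareinfo.com comes from the article; extend the set as needed.
SECURITY_SITES = {"www.spywareinfo.com"}

ENTRY_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", re.I)
MOVED_RE = re.compile(r"^O1 - Hosts(?: file)? is located at:?\s*(.+)$", re.I)


def decode_address(token):
    """Return (IPv4Address, was_encoded) for a dotted or base-10 address."""
    if token.isdigit():
        value = int(token)
        if value > 0xFFFFFFFF:
            raise ValueError("not a 32-bit address: " + token)
        # A bare integer is the 32-bit address written in base 10.
        return ipaddress.IPv4Address(value), True
    return ipaddress.IPv4Address(token), False


def classify_o1(line):
    """Classify one O1 line; returns (verdict, detail), or None if not O1."""
    line = line.strip()
    moved = MOVED_RE.match(line)
    if moved:
        path = moved.group(1).strip()
        if path.lower() in DEFAULT_HOSTS:
            return ("default-location", path)
        return ("relocated-hosts-file", path)
    entry = ENTRY_RE.match(line)
    if not entry:
        return None
    token, name = entry.group(1), entry.group(2).lower()
    try:
        addr, encoded = decode_address(token)
    except ValueError:
        return ("unparsable-address", token)
    if encoded:
        # Nobody writes a hosts entry in base 10 by accident.
        return ("obfuscated-redirect", "%s -> %s" % (name, addr))
    if addr.is_loopback or addr == ipaddress.IPv4Address("0.0.0.0"):
        if name in LOOPBACK_NAMES:
            return ("benign", name)
        if name in SECURITY_SITES:
            return ("blocked-security-site", name)
        # Protective hosts files block advertising hosts the same way,
        # so an unknown blocked name is left for the analyst to review.
        return ("blocked-name", name)
    return ("redirect", "%s -> %s" % (name, addr))


def triage(log_text):
    """Return every O1 finding in the log that is not plainly benign."""
    findings = []
    for line in log_text.splitlines():
        verdict = classify_o1(line)
        if verdict and verdict[0] != "benign":
            findings.append(verdict)
    return findings


if __name__ == "__main__":
    for verdict, detail in triage(SAMPLE_LOG):
        print("%-22s %s" % (verdict, detail))
```

A `blocked-name` verdict is not proof of hostility, since the hosts file installed in stage SSD_13 blocks unwanted sites through the same loopback entries; only the site name tells the two apart.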