
This article was translated from English into German by Yourhighness. The German translation is available here: http://www.mytidbits.de/hijackthis.html



DOWNLOAD HIJACKTHIS:

HijackThis download link


Quick start: download HijackThis and unzip it into a folder of its own.
-> Click 'None of the above, just start the program' -> Scan -> Save log; the log opens in the editor.
Now select the COMPLETE log (right-click -> Select All -> Copy) and paste it into your thread in the forum (right-click -> Paste).

Contents



1. Warning

2. Introduction

3. How to use HijackThis + download

4. How to restore accidentally deleted entries

5. How to create an autostart list

6. How the Process Manager is used

7. How the hosts file manager is used

8. How you can use the delete on restart tool

9. How you can use ADS Spy

10. How you can use the Uninstall Manager

11. How to interpret the listing of the scan

12. R0, R1, R2, R3 sections

13. F0, F1, F2, F3 sections

14. N1, N2, N3, N4 sections

15. O1 section

16. O2 section

17. O3 section

18. O4 section

19. O5 section

20. O6 section

21. O7 section

22. O8 section

23. O9 section

24. O10 section

25. O11 section

26. O12 section

27. O13 section

28. O14 section

29. O15 section

30. O16 section

31. O17 section

32. O18 section

33. O19 section

34. O20 section

35. O21 section

36. O22 section

37. O23 section

38. O24 section

39. Conclusion
 





to 1: Warning



HijackThis should only be used if your browser or computer still has problems after running Spybot or other spyware / hijacker removers. HijackThis is a program for advanced users and therefore requires thorough knowledge of Windows and of operating systems in general. If you delete listed items without knowing what they are, you can cause other problems, such as a broken internet connection or an operating system that no longer starts. Therefore you should try all other options before using HijackThis. Bear in mind that HijackThis only removes the entry that loads a file, not the file itself: if you let HijackThis remove items before another program has checked your system, the hijacker / spyware files remain on your computer, and because the references to them are gone, later removal tools may no longer find them.

If you do not have the necessary knowledge, you should NOT fix any entries with HijackThis without first consulting an expert about the use of this program. If you have already run Spybot and Ad-Aware and still have problems, continue with this tutorial and post the log file in our forum. Please include details of your problem in your post. We will then tell you which entries to fix.


to 2: Introduction



HijackThis is a utility that lists certain settings on your computer. It scans your registry and various other files for entries similar to those that spyware or hijacker programs leave behind. Interpreting these results can be tricky, since many legitimate programs install themselves in the same way hijackers do.

Hence you have to be very careful when working with HijackThis. I cannot stress enough how important it is to follow the warning above.

There are various interpretations of HijackThis logs on the internet right now. Here the individual sections are explained in a way a layperson can understand.

These instructions go into the use of HijackThis and the individual sections in detail and explain what each section means. There is no reason why you should not understand what the other people are doing when they look through your log and tell you what to fix with this program.

With that sorted out, let's move on to the guide on how to use HijackThis. The screenshots open in a new window when clicked; a pop-up blocker may prevent that.


to 3: How to use HijackThis



The first step is to download HijackThis. The program is not installed, so you need to remember where you saved it to be able to use it again later.

You can download HijackThis (v1.99.0) here:

Download link

Create a folder in which you want to keep HijackThis. It is important that HijackThis has its own folder, because that folder is used for backups. If you run it straight out of a ZIP archive or from a temporary folder, no backups are created.

Once you have downloaded the file, use Windows Explorer to navigate to the folder you chose and double-click the HijackThis.exe icon. When you start HijackThis for the first time, you see a screen similar to the following:

HijackThis start screen on initial startup

We suggest you tick 'Don't show this frame again when I start HijackThis', as most of the instructions you will be given do not refer to this screen. After ticking the box, click the 'None of the above, just start the program' button, marked by the red box in the graphic above. You are then taken to the main screen of HijackThis, shown in Figure 1 below.


Figure 1. HijackThis launch screen


Click the 'Config' button, marked by the blue box in Figure 1, and make sure your settings match those in Figure 2 below. The options that should be selected are marked by the red box.

When you have made these settings, click 'Back' and continue with the guide.


Figure 2. HijackThis configuration options


To search your computer for possible hijackers, click the 'Scan' button, marked by the red box in Figure 1. You are then shown a list of the entries the program found, as illustrated in Figure 3.

At this point you have a list of entries found by HijackThis. If what you see looks confusing and intimidating, click the 'Save log' button, marked by the red box, and save the log file somewhere on your computer where you can find it again easily.


Figure 3. Scan results


After you click 'Save log', the editor normally opens automatically with the log, and you can copy the content into the forum.

Option 1:

Drag the mouse over the text until everything is selected -> right-click -> Copy -> click into your forum post -> right-click -> Paste

Option 2: Click 'Edit' and then 'Select All'; all of the text is now highlighted. Click 'Edit' and then 'Copy', which puts all of the text on the clipboard.

  1. Go to the forum and compose a new message
  2. Give the message the title: 'HijackThis Log: Please help me check it'
  3. Right-click in the message window and choose 'Paste'. The copied text now appears in the message window.
  4. Click 'Submit'.


Figure 4. Info on selected item

If you want information about an individual entry, click the entry and then 'Info on selected item'. This brings up a screen similar to Figure 4.


Figure 5. Selecting an entry to remove it

When you have finished looking at the information on the various entries and feel you know enough to continue (or are following the advice of the helpers in the forum), go down the list and tick the checkbox in front of every entry you want to remove, as shown in Figure 5.

Note: Fixing an entry does not delete the file it points to. It only removes the reference that loads the file at system start or in the browser, which takes effect after a restart (compare Start -> Run -> msconfig).

The point of this is that once the entry has been removed, the file itself can be deleted (manually or with a virus scanner) or the program uninstalled.

At the end of this document we have added some basic information to help you interpret the entries in these log files. This information is by no means enough for every decision, but it should help you judge what is legitimate and what is not.

As soon as you have ticked all the entries you want to remove, click the 'Fix checked' button, marked by the blue box in Figure 5. HijackThis then asks you to confirm that you want to remove the entries. Click 'Yes' or 'No', whichever you decide.

After the fix, restart the PC. The fixed entries should no longer appear in a new HijackThis log.

to 4: How to restore accidentally deleted entries



Figure 6. Backups / restoring an entry that was accidentally removed

HijackThis has a backup and restore function in case you accidentally remove a legitimate entry. If you have configured HijackThis as described in this guide, you can restore entries you fixed earlier. If you run HijackThis from a temporary directory, the restore will not work.

When the option 'Make backups before fixing' is ticked, HijackThis backs up every fixed entry in a directory called 'backups', located in the same directory in which HijackThis itself resides.

If you start HijackThis, click 'Config' and then the 'Backups' button, you see a screen similar to Figure 6. It lists the entries fixed earlier and offers to restore them. As soon as you have restored an entry and scan again, the entry appears in the scan list again.

When you have restored what you need, you can close the program.


to 5: How to create an autostart list


Figure 7. Creating an autostart list

Every now and then, when you post your log in the forum and ask for help, the helpers may ask you for an autostart list of all programs. HijackThis has a built-in utility for this.

To create it, start HijackThis, go to the configuration options ('Config', marked by the blue box in Figure 7) and then click 'Misc Tools' (top centre).

Now click the 'Generate StartupList log' button, marked by the red box in Figure 7. As soon as you click it, the program opens the editor with the list.

Select everything (Ctrl + A), copy it (Ctrl + C or right-click -> Copy), paste it into your forum post (Ctrl + V or right-click -> Paste) and click 'Submit'.

Hopefully, either with your own knowledge or with the help of others, your computer has now been cleaned up. If you want to learn more about the meaning of the individual sections and their details, continue with this guide.


to 6: How the Process Manager is used



HijackThis has an integrated process manager that can be used to terminate programs and to see which DLL files are loaded in a process. To use the Process Manager, click the 'Config' button and then the 'Misc Tools' button. You now see a screen with the button 'Open process manager'. Clicking it opens a new screen similar to Figure 8.



Figure 8. HijackThis Process Manager


This window lists all processes running on your system. You can click on an individual process to select it and then click 'End task', marked by the red box in Figure 8. 'End task' attempts to terminate the selected process.

If you want to kill several processes at once, hold down the Ctrl key on your keyboard and select the processes to be terminated by clicking on them. As long as you hold Ctrl down, you can select multiple processes. Once you have selected all the processes you want, click 'End task'.

If you want to see which DLL files are loaded in a selected process, tick the 'Show DLLs' box, marked by the blue box in the figure above. This splits the process screen into two sections: the upper one lists the running processes as before, and when you click on a process, the lower section shows the DLL files loaded by that particular process.

To leave the Process Manager, click the 'Back' button twice to return to the main menu.


to 7: How the hosts file manager is used



HijackThis also has a simple hosts file manager. With it you can view your hosts file, delete individual lines from it, or switch lines on and off. Click 'Config' and then 'Misc Tools'. You now see a screen with the button 'Open hosts file manager'. Clicking it opens a screen similar to Figure 9.



Figure 9: Hosts file manager

This window lists the contents of the hosts file. To delete a line from your hosts file, click on the line, as illustrated by the blue box in Figure 9; this selects the line of text. You can then either delete it with the 'Delete line(s)' button, or switch the line on or off with the 'Toggle line(s)' button. You can select several lines at once by holding down the Shift or Ctrl key while clicking, or by dragging the mouse over the lines you want to change.

If you delete lines, they are removed from the hosts file. If you toggle a line off, HijackThis puts a '#' in front of it. This comments the line out so that Windows ignores it. If you are not sure what to do, it is always safer to toggle a line off, so that the '#' character appears in front of it, than to delete it.

To leave the hosts file manager, click 'Back' twice to return to the main screen.


to 8: How you can use the delete on restart tool



Sometimes you come across files that stubbornly resist being deleted the conventional way. In version 1.98.2, HijackThis introduced a method by which Windows deletes the file at the next restart, before the file has a chance to load. To use it, follow these steps:

  1. Start HijackThis

  2. Click 'Config'

  3. Click 'Misc Tools'

  4. Click the button 'Delete a file on reboot'

  5. A new window opens and asks which file you want to delete on restart. Navigate to the file, click on it once and then click 'Open'.

  6. You are now asked whether you want to restart the computer to delete the file. Click 'Yes' if you want to restart now; otherwise click 'No' and restart your computer later to delete the file.




to 9: How you can use ADS Spy



There is a particular infection, called Home Search Assistant or CWS_NS3, that sometimes hides its files in Alternate Data Streams (ADS) of NTFS files. Such files cannot be seen or deleted with normal methods. ADS Spy was designed to find and delete them. If you want to learn more about ADS and the Home Search Assistant, you can read the following articles:

Windows Alternate Data Streams Tutorial

Home Search Assistant Analysis



to 10: How you can use the Uninstall Manager



The Uninstall Manager lets you manage the entries in your Add/Remove Programs list ('Software' in the Control Panel). When you remove malware from your system, it often leaves orphaned entries behind in that list. Many users understandably prefer a clean list and have trouble removing these stale entries. With the Uninstall Manager you can delete such entries from the uninstall list.

To use the Uninstall Manager, follow these steps:
 

  1. Start HijackThis


  2. click on Config


  3. click on Misc tools


  4. click on Open Uninstall Manager


  5. You will now be presented with an image similar to the one below





Figure 12: HijackThis Uninstall Manager

To delete an entry, simply click the entry you want to delete and then click 'Delete this entry'. If you want to change the program this entry is linked to, click 'Edit uninstall command' and enter the path of the program that should be run when the entry is double-clicked in the Add/Remove Programs list. This last function should only be used if you know what you are doing.

If someone asks you to post the list for analysis, click 'Save list...' and choose the directory in which to save the list as a file. When you click 'Save', Notepad opens in a new window with the contents of the saved file. Then just copy the content from Notepad and paste it into a reply in the thread you started.

to 11: How to interpret the listing of the scan



The next section serves as an aid for checking the HijackThis scan results. If you are still unsure how to proceed, or if you want us to help you check the scan result, simply post your log file in our Online and PC security forum.

Each line of the HijackThis scan begins with a section name. Below is a list of the section names and their meaning. It comes from the tutorial by HijackThis' creator Merijn. You can click on the section names to go directly there.


Section name     Description
R0, R1, R2, R3   Internet Explorer start / search page URLs
F0, F1, F2, F3   Autostart programs from .ini files
N1, N2, N3, N4   Netscape / Mozilla home / search page URLs
O1               Hosts file redirects
O2               Browser Helper Objects
O3               Internet Explorer toolbars
O4               Autostart programs from the registry and startup folders
O5               IE options icon not visible in the Control Panel
O6               IE options access restricted by administrator
O7               Regedit access restricted by administrator
O8               Extra entries in the IE right-click menu
O9               Extra buttons on the main IE toolbar, or extra entries in the IE 'Tools' menu
O10              Winsock hijackers
O11              Extra group in the IE 'Advanced Options' window
O12              IE plugins
O13              IE DefaultPrefix hijack
O14              'Reset Web Settings' hijack
O15              Unwanted sites in the Trusted Zone
O16              ActiveX objects (also known as Downloaded Program Files)
O17              Lop.com / domain hijackers
O18              Extra protocols and protocol hijackers
O19              User style sheet hijack
O20              AppInit_DLLs registry value autorun
O21              ShellServiceObjectDelayLoad
O22              SharedTaskScheduler
O23              Windows XP / NT / 2000 services


It is important to mention that certain sections have an internal whitelist, so HijackThis does not show known legitimate files. To switch the whitelist off, start HijackThis from Start -> Run with the switch: hijackthis.exe /ihatewhitelists

We will try to keep the explanations of the individual sections as simple as possible. We will also explain which registry keys and / or files the individual sections use, and give advice on what to do with the individual entries.

to 12: R0, R1, R2, R3 sections



This section refers to the Internet Explorer start page, home page, search pages and URL search hooks.

R0 is for the Internet Explorer start page and the Search Assistant.

R1 is for Internet Explorer's search functions and other characteristics.

R2 is not used at the moment.

R3 is for a URL search hook. A URL search hook is used when you enter an address in the browser's address bar without a protocol such as http:// or ftp://.

If you enter such an address, the browser first tries to work out the correct protocol itself. If that fails, the browser uses the UrlSearchHook listed in the R3 section to find the address you entered.


Some registry keys:
  HKLM\Software\Microsoft\Internet Explorer\Main,Start Page
  HKCU\Software\Microsoft\Internet Explorer\Main: Start Page
  HKLM\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
  HKLM\Software\Microsoft\Internet Explorer\Main: Search Page
  HKCU\Software\Microsoft\Internet Explorer\Main: Search Page
  HKCU\Software\Microsoft\Internet Explorer\SearchURL: (Default)
  HKCU\Software\Microsoft\Internet Explorer\Main: Window Title
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: ProxyOverride
  HKCU\Software\Microsoft\Internet Connection Wizard: ShellNext
  HKCU\Software\Microsoft\Internet Explorer\Main: Search Bar
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
  HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
  HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
  HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant


Example listing: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/


A common question is what it means when the word 'unknown' appears in front of one of these entries. In the case of spyware it means that the spyware or hijacker has hidden the entry it created, for example by storing the value in a form HijackThis cannot read, such as a hexadecimal (binary) registry value. This is just another way of hiding its presence and is what makes it so hard to remove.

If you do not recognise the website an R0 or R1 entry points to and want to change it, you can safely fix it with HijackThis. The fix does no harm to Internet Explorer. If you are not sure about the website, just visit it. If the page has a conspicuous number of pop-ups and links, you can almost always fix the entry with HijackThis. Note that if an R0 / R1 entry points to a file and you fix the entry with HijackThis, HijackThis does not delete the file. You then have to do that manually.

There are certain R3 entries that end in an underscore (_). An example of such an entry looks like this:

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

Note the CLSID, the number between the { }: it sometimes carries an _ at the end, and such entries are sometimes hard to remove with HijackThis. To fix this, you have to delete the registry value by hand under the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

Under this key, delete the value named after the offending CLSID (including the trailing _). Leave the value CFBFAE00-17A6-11D0-99CB-00C04FD64497 itself alone, as it is the valid default.

In general, you should do some research on Google about the UrlSearchHook software before letting HijackThis fix the entry. If you know the software, you can of course fix it with HijackThis right away.

to 13: F0, F1, F2, F3 sections



This section is about programs that are loaded from system.ini, win.ini and other .ini files, or from the corresponding places in the registry.

F0 corresponds to the Shell= line in system.ini. Under Windows 9x and ME, the Shell= line in system.ini determines which program is loaded as the 'shell', the user interface of the operating system. The shell is the program that loads your desktop and handles window management and user interaction.

Any program listed after Shell= starts with Windows and acts as the default user interface.

There were a few programs that counted as valid shell replacements, but they are no longer used. Windows 95, 98 and ME all use Explorer.exe as their default shell; Windows 3.x used Progman.exe. It is also possible to list further programs on the same Shell= line, which are then started with Windows, for example Shell=explorer.exe badprogram.exe. This line starts both programs with Windows.

F1 corresponds to the Run= or Load= line in win.ini. All programs listed after run= or load= are loaded when Windows starts. The run= line was mostly used under Windows 3.1, 95 and 98 and was kept for backward compatibility with older programs. Most modern programs no longer use this .ini setting, so if you do not use older programs, you can rightly be suspicious of entries here. The load= line was used to load hardware drivers.

F2 and F3 entries correspond to the same settings as F0 and F1, but stored in the registry under Windows NT, 2000 and XP. These Windows versions generally do not use the system.ini and win.ini files. For backward compatibility they instead use a function called IniFileMapping.

IniFileMapping maps the contents of an .ini file into the registry, one registry value per .ini line, under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping. When a program tries to read its settings from an .ini file, Windows first looks for a matching entry under this key; if one is found, the settings are taken from the registry location it points to instead. You recognise such entries in the log by the prefix REG: followed by the .ini file the mapping refers to.

Another frequently seen F2 entry is the UserInit entry. It corresponds to the registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, which exists under Windows NT, 2000, XP and 2003. This value determines which programs start directly after the user logs on. Its default is C:\windows\system32\userinit.exe. Userinit.exe is the program that loads your user profile, fonts, colours and so on for your user name. Further programs can be added to this value so that they start as well; they only have to be separated by commas.

E.g.: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = C:\windows\system32\userinit.exe,c:\windows\badprogram.exe

This starts both programs, and this value is a place Trojans, hijackers and spyware often use to get themselves started.

Registry keys:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping

Files used:

c:\windows\system.ini

c:\windows\win.ini


Example listing: F0 - system.ini: Shell=Explorer.exe Something.exe


Example listing: F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe


Example listing: F2 - REG:system.ini: Shell=explorer.exe beta.exe


If you find an entry like F0 - system.ini: Shell=Explorer.exe something.exe, you should definitely fix it. In general these entries can be fixed, but you should always research them on Google first or check the pages listed below.

For F1 entries, search Google to see whether they are legitimate. You can also use the pages listed below to look the entries up.

If you find UserInit=userinit.exe, with or without nddeagnt.exe, in the F2 entries, as in the example above, leave it as it is. UserInit=userinit.exe (note: no comma) is also fine and should be left alone.

If another program appears next to userinit.exe, the entry could be a Trojan horse or other malware. The same goes for F2 Shell= entries: explorer.exe on its own is fine; anything else, as in the example listing above, could be a Trojan horse or other malware. In general you can fix these entries, but research them on Google or consult the pages below first.

Please note that when HijackThis fixes these entries, it does not delete the associated files. You have to remove those files manually.
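The rules given above for the R entries (section 12) and the F entries (this section) can be turned into a small triage script. The following Python is an added example, not code from HijackThis or from this tutorial: it splits each R/F line of a log, applies the rules the two sections state (the default URLSearchHook CLSID is left alone, an R3 CLSID with a trailing _ has to be removed by hand, R0/R1 pages are for you to look at, a Shell= line may only contain explorer.exe and a UserInit= line only userinit.exe plus nddeagnt.exe) and returns a verdict per line. The verdict names, the allowlists (compared by file name only) and the sample log, assembled from the example listings on this page, are the example's own assumptions; it is a first filter, not a replacement for researching an unknown program.

```python
"""Triage of the R0-R3 and F0-F3 lines of a HijackThis log.

Added example, not part of HijackThis or of the tutorial. The allowlists
and verdict names below are this example's own assumptions, taken from
the rules the R and F sections state.
"""
import re
from dataclasses import dataclass

# Default Windows URLSearchHook; the page says to leave this CLSID alone.
DEFAULT_URLSEARCHHOOK_CLSID = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
# Programs the page accepts on the Userinit= and Shell= lines (assumption:
# compared by file name only, so the path does not matter).
ALLOWED_USERINIT = {"userinit", "userinit.exe", "nddeagnt.exe"}
ALLOWED_SHELL = {"explorer.exe"}

ENTRY_RE = re.compile(r"^([RFNO]\d+)\s*-\s*(.*)$")
CLSID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}(_?)")
INI_RE = re.compile(r"^(?:REG:)?\s*(\w+\.ini):\s*(\w+)\s*=\s*(.*)$", re.I)


@dataclass
class Finding:
    section: str
    entry: str
    verdict: str   # "ok", "review" or "fix"
    reason: str


def _basename(program):
    """'C:\\windows\\system32\\userinit.exe' -> 'userinit.exe'."""
    return program.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_r(section, rest):
    """Apply the R0/R1/R3 rules to the text after 'Rn - '."""
    if section == "R3":
        m = CLSID_RE.search(rest)
        if m is None:
            return Finding(section, rest, "review", "URLSearchHook without a CLSID")
        clsid, trailing = m.group(0).rstrip("_").upper(), m.group(1) == "_"
        if trailing:
            return Finding(section, rest, "fix",
                           "CLSID ends in '_': delete the value by hand under "
                           "HKCU\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks")
        if clsid == DEFAULT_URLSEARCHHOOK_CLSID:
            return Finding(section, rest, "ok", "default Windows URLSearchHook, leave it")
        return Finding(section, rest, "review", "third-party URLSearchHook, research the CLSID first")
    # R0/R1/R2: 'key = value'; the value is a URL or a local file.
    value = rest.split("=", 1)[1].strip() if "=" in rest else ""
    if value.lower().startswith(("http://", "https://")):
        return Finding(section, rest, "review", "visit the page; fix the entry if you did not set it")
    if value:
        return Finding(section, rest, "review", "points to a local file; fixing does not delete the file")
    return Finding(section, rest, "ok", "empty value")


def triage_f(section, rest):
    """Apply the Shell= / UserInit= rules to the text after 'Fn - '."""
    m = INI_RE.match(rest)
    if m is None:
        return Finding(section, rest, "review", "unrecognised F entry")
    ini, key, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
    if key == "shell":
        # Shell= separates extra programs with whitespace.
        programs = [_basename(p) for p in value.split()]
        extra = [p for p in programs if p not in ALLOWED_SHELL]
    elif key == "userinit":
        # Userinit separates extra programs with commas (a trailing comma is fine).
        programs = [_basename(p) for p in value.split(",") if p.strip()]
        extra = [p for p in programs if p not in ALLOWED_USERINIT]
    else:
        # run= / load= in win.ini (F1/F3): legacy mechanism, research each program.
        return Finding(section, rest, "review", f"{ini} {key}= is rarely used by modern software")
    if extra:
        return Finding(section, rest, "fix", f"{key}= loads extra program(s): {', '.join(extra)}")
    return Finding(section, rest, "ok", f"{key}= only contains {', '.join(programs)}")


def triage_log(text):
    """Return one Finding per R/F line of a HijackThis log; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.group(1), m.group(2)
        if section.startswith("R"):
            findings.append(triage_r(section, rest))
        elif section.startswith("F"):
            findings.append(triage_f(section, rest))
    return findings


# Constructed sample log, assembled from the example listings on this page.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F0 - system.ini: Shell=Explorer.exe Something.exe
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
F2 - REG:system.ini: Shell=explorer.exe beta.exe
F2 - REG:system.ini: UserInit=C:\windows\system32\userinit.exe,c:\windows\badprogram.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.section}  {f.reason}")
```

Run against the sample log, the script marks the Google start page for review, the underscore-suffixed R3 hook and the three Shell= / UserInit= lines with extra programs as 'fix', and the plain UserInit=userinit,nddeagnt.exe line as 'ok'. The Shell= split on whitespace means a program path containing spaces would be reported as two names; on a real log, check the raw line before acting.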

Pages you can use for research:

Bleeping Computer Startup Database


Answers that work

Greatis Startup Application Database

Pacman's Startup Programs List

Pacman's Startup Lists for Offline Reading

Kephyr File Database

Wintasks Process Library

to 14: N1, N2, N3, N4 sections



These sections are for the start pages and default search pages of the Netscape and Mozilla browsers.

These entries are in the prefs.js files in various places under C:\Documents and Settings\YourUserName\Application Data. Netscape 4's entries are stored in the prefs.js file in the program path, which is always drive letter:\Program Files\Netscape\Users\default\prefs.js.

N1 corresponds to Netscape 4's home page and default search page
N2 corresponds to Netscape 6's home page and default search page
N3 corresponds to Netscape 7's home page and default search page
N4 corresponds to Mozilla's home page and default search page

Files used: prefs.js

Since most spyware and hijacker programs target Internet Explorer, Netscape and Mozilla are mostly safe. So if you find websites listed here that you did not set yourself, you can remove them with HijackThis. There is, however, one well-known site that does this to Netscape and Mozilla too, namely Lop.com, which is discussed under O17.

to 15: O1 section



This section corresponds to hosts file redirects.

The hosts file contains mappings of host names to IP addresses. E.g.: if I put 127.0.0.1 www.google.com in my hosts file and you then try to reach www.google.com, Windows checks the hosts file, finds the entry and resolves the name to the IP address 127.0.0.1 instead of the correct address.

A hosts file redirect means that a hijacker has modified your hosts file to redirect a particular website to another one. So if someone added an entry like 127.0.0.1 www.google.com and you tried to reach www.google.com, you would be sent to the IP address 127.0.0.1 instead, which is your own computer.


Example listing: O1 - Hosts: 192.168.1.1 www.google.com


The hosts file is a plain text file that can be edited with any text editor. By default it is located at the following path for each operating system, unless you have chosen to store it elsewhere.


Operating system   Location
Windows 3.1        C:\WINDOWS\HOSTS
Windows 95         C:\WINDOWS\HOSTS
Windows 98         C:\WINDOWS\HOSTS
Windows ME         C:\WINDOWS\HOSTS
Windows XP         C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
Windows NT         C:\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS
Windows 2000       C:\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS
Windows 2003       C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS


The location of the hosts file can be changed by modifying the following registry value under Windows NT / 2000 / XP:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DatabasePath

If you find an entry like the one above and it is not there for a reason you know of, you can remove it without any problem.

If the log shows that your hosts file is at C:\Windows\Help\hosts, you have been infected with CoolWebSearch. If the hosts file is not in the default location for your operating system (see the table above), you should fix this entry with HijackThis, as there is a high probability of infection.

You can also download the HostsXpert program, which can restore the default hosts file for you. To do this, download and run the program; when it opens, click 'Restore Original Hosts' and then close the program.
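As an added example (not code from HijackThis or from this tutorial), the following Python does what this O1 section and the hosts file manager in section 7 describe: it parses a hosts file, reports every active mapping that is not a plain localhost entry in the O1 format, comments lines out or back in with '#' the way 'Toggle line(s)' does, deletes lines like 'Delete line(s)', and compares the hosts file location with the default from the table above. The sample hosts file is constructed; the set of names treated as harmless and the verdict strings are this example's own assumptions.

```python
"""Hosts file checks in the spirit of the O1 section and HijackThis'
hosts file manager (section 7). Added example, not code from HijackThis
or from this tutorial. LOCAL_NAMES and the verdict strings are this
example's own assumptions; the default paths come from the table above.
"""
import ipaddress

# Default hosts file location per operating system (table in the O1 section).
DEFAULT_HOSTS_PATHS = {
    "Windows 3.1": r"C:\WINDOWS\HOSTS",
    "Windows 95": r"C:\WINDOWS\HOSTS",
    "Windows 98": r"C:\WINDOWS\HOSTS",
    "Windows ME": r"C:\WINDOWS\HOSTS",
    "Windows NT": r"C:\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS",
    "Windows 2000": r"C:\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS",
    "Windows XP": r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS",
    "Windows 2003": r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS",
}
# Names that belong in a clean hosts file (assumption); every other active
# mapping is reported the way an O1 line would be.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, commented, ip, [hostnames]) for every mapping line.

    Lines starting with '#' are parsed too, but flagged as commented, so a
    toggled-off redirect is still visible to the caller."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        commented = line.startswith("#")
        body = line.lstrip("#").split("#", 1)[0].strip()   # drop trailing comment
        parts = body.split()
        if len(parts) < 2:
            continue                                       # blank, comment, malformed
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                       # not a mapping line
        yield no, commented, str(ip), [h.lower() for h in parts[1:]]


def o1_entries(text):
    """Active redirects that a HijackThis O1 scan would report, as (line_no, text)."""
    out = []
    for no, commented, ip, names in parse_hosts(text):
        if commented:
            continue
        for name in names:
            if name not in LOCAL_NAMES:
                out.append((no, f"O1 - Hosts: {ip} {name}"))
    return out


def toggle_lines(text, line_nos):
    """Comment the given 1-based lines out with '#', or back in, like 'Toggle line(s)'."""
    lines = text.splitlines()
    for no in line_nos:
        s = lines[no - 1]
        lines[no - 1] = s[1:].lstrip() if s.startswith("#") else "# " + s
    return "\n".join(lines) + "\n"


def delete_lines(text, line_nos):
    """Remove the given 1-based lines, like 'Delete line(s)'."""
    drop = set(line_nos)
    return "\n".join(l for i, l in enumerate(text.splitlines(), 1) if i not in drop) + "\n"


def hosts_path_verdict(os_name, path):
    """Compare the hosts file path (taken from the DatabasePath value) with the OS default."""
    norm = path.replace("/", "\\").upper()
    if norm.endswith(r"\WINDOWS\HELP\HOSTS"):
        return "infected: C:\\Windows\\Help\\hosts is the CoolWebSearch location"
    default = DEFAULT_HOSTS_PATHS.get(os_name)
    if default is None:
        return "unknown OS: compare by hand"
    if norm == default.upper():
        return "default location"
    return "non-default location: likely hijacked, fix the entry with HijackThis"


# Constructed sample hosts file with one harmless entry, one toggled-off
# line and two active redirects (the second blocks antivirus updates).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# 127.0.0.1     www.example.org     # toggled off earlier
192.168.1.1     www.google.com
127.0.0.1       www.symantec.com liveupdate.symantec.com   # blocks AV updates
"""

if __name__ == "__main__":
    for no, entry in o1_entries(SAMPLE_HOSTS):
        print(f"line {no}: {entry}")
    print(hosts_path_verdict("Windows XP", r"C:\Windows\Help\hosts"))
```

On the sample file the scan reports three O1 lines (the Google redirect and the two Symantec names), toggling lines 4 and 5 off makes them disappear from the scan while keeping them in the file for later inspection, and the path check classifies C:\Windows\Help\hosts as the CoolWebSearch location. Toggling is the safer first step, exactly as section 7 recommends, because the original line survives under the '#'.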

ad 16: O2 section



This section corresponds to the Browser Helper Objects.

Browser helper objects are plugins that extend the functionality of your browser. These can be used by spyware and hijack programs, but also by legitimate programs such as Google Toolbar and Adobe Acrobat Reader. Before deciding to remove any of these entries, it is important to do some research as there can be legitimate entries in between.

Registry key: HKLM \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects
 

Example listing: O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C: \ Program Files \ Norton Antivirus \ NavShExt.dll


There is an excellent list of known CLSIDs associated with Browser Helper Objects (BHOs) and toolbars. This was created by Tony Klein CLSID List. If you want to use the list, use the CLSID (the number between the {}. The CLSID in the list correspond to the registry entries that contain information about the BHOs ​​or toolbars.

If you repair entries of this type with HijackThis, HijackThis will attempt to delete the listed offending file. Sometimes the file is still in use even when Internet Explorer is closed. If the file still exists after the repair, it is recommended to restart the computer in Safe Mode and remove the file there.

to 17: O3 section



This section corresponds to the Internet Explorer toolbars.

These are the toolbars below the navigation bar and the menu bar of Internet Explorer.

Registry key: HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
 

Example listing: O3 - Toolbar: Norton Antivirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Antivirus\NavShExt.dll


There is an excellent list of known CLSIDs associated with Browser Helper Objects (BHOs) and toolbars, created by Tony Klein: the CLSID List. To use the list, search it for the CLSID (the number between the braces {}). The CLSIDs in the list correspond to the registry entries that contain information about the BHOs or toolbars.

If you repair entries of this type, HijackThis will not delete the malicious files listed. It is therefore recommended to switch to Safe Mode and delete the malicious files there.
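The O2 and O3 sections share one workflow: pull the CLSID out of the log line and look it up before deciding anything. The following added example (not code from the tutorial or from HijackThis) parses both line types and looks the CLSID up in a small reference table. That table is a constructed stand-in seeded only with the two example listings from these sections; it is not Tony Klein's list, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# A CLSID is a GUID in braces: 8-4-4-4-12 hex digits.
CLSID_RE = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# O2 (BHO) and O3 (Toolbar) lines share the layout shown in the example listings:
#   O2 - BHO: <name> - {CLSID} - <path to DLL>
#   O3 - Toolbar: <name> - {CLSID} - <path to DLL>
LINE_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>" + CLSID_RE + r") - (?P<path>.+)$"
)


@dataclass
class BrowserExtension:
    section: str
    kind: str
    name: str
    clsid: str
    path: str


# Constructed stand-in for a CLSID reference list (NOT Tony Klein's list).
# The entries mirror the two example listings in the text.
KNOWN_CLSIDS = {
    "{BDF3E430-B101-42AD-A544-FADC6B084872}": ("legitimate", "Norton AntiVirus helper (NavShExt.dll)"),
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}": ("legitimate", "Norton AntiVirus toolbar (NavShExt.dll)"),
}

# Constructed log excerpt: the two example listings plus an unknown toolbar and a non-O2/O3 line.
SAMPLE_LOG = [
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Antivirus\NavShExt.dll",
    r"O3 - Toolbar: Norton Antivirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Antivirus\NavShExt.dll",
    r"O3 - Toolbar: Example Bar - {12345678-1234-1234-1234-123456789ABC} - C:\Program Files\Example\bar.dll",
    r"O4 - HKLM\..\Run: [Example] C:\Program Files\Example\app.exe",
]


def parse_line(line):
    """Parse one O2/O3 line; return a BrowserExtension, or None for other sections."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return BrowserExtension(m["section"], m["kind"], m["name"], m["clsid"].upper(), m["path"])


def lookup(clsid):
    """Look the CLSID up in the reference list; anything unknown needs research first."""
    return KNOWN_CLSIDS.get(clsid.upper(), ("unknown", "not in list: research before removing"))


def triage(log_lines):
    """Return (extension, verdict, detail) for every O2/O3 line in a log."""
    results = []
    for line in log_lines:
        ext = parse_line(line)
        if ext is not None:
            verdict, detail = lookup(ext.clsid)
            results.append((ext, verdict, detail))
    return results


if __name__ == "__main__":
    for ext, verdict, detail in triage(SAMPLE_LOG):
        print(f"{ext.section} {ext.kind:7} {ext.clsid} {verdict:10} {detail} [{ext.path}]")
```

The CLSID is upper-cased before the lookup so that a log written with lower-case hex digits still matches; the DLL path is kept alongside because, as the text notes, the file may have to be removed by hand in Safe Mode.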

to 18: O4 section



This section corresponds to certain keys in the registry, as well as autostart folders, which are used to start a program automatically when Windows starts up. The registry keys listed here apply to Windows XP, NT and 2000. If they are also valid for other operating systems, please let me know.

If an O4 entry looks like a registry key, it refers to one of the keys in the registry key table below.

Startup: These entries refer to the programs that start when you log in through an entry in the user startup group.

Global Startup: These entries relate to programs that are located in the Global Startup folder and that start when you log in.

Startup registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Note: HKLM stands for HKEY_LOCAL_MACHINE and HKCU stands for HKEY_CURRENT_USER.

A complete list of startup locations and what each one does can be found here: Windows Program Automatic Startup Locations.
 

Data directories used:
Startup: c:\documents and settings\USERNAME\start menu\programs\startup
Global: c:\documents and settings\All Users\start menu\programs\startup


Example listing: O4 - HKLM\..\Run:


If you repair entries of this type, HijackThis will not delete the malicious files listed. It is therefore recommended to switch to Safe Mode and delete the malicious files there.

The global startup and startup entries work differently. HijackThis will delete the shortcuts found in these entries, but not the file referenced by the shortcut. If an actual executable file resides in the Global Startup or Startup folders, then the malicious file WILL be deleted.

Although many legitimate programs start this way, an entry may look like it belongs there and still be a malicious program.

You should consult the following pages for O4 entries:
Bleeping Computer Startup Database
Answers that work
Greatis Startup Application Database
Pacman's Startup Programs List
Pacman's Startup Lists for Offline Reading
Kephyr File Database
Wintasks Process Library
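To make the distinction between the three kinds of O4 entry concrete (registry key, shortcut in a startup folder, real file in a startup folder) and what a HijackThis repair removes in each case, here is an added example. It is not code from the tutorial or from HijackThis. It assumes that registry entries are logged as `O4 - HKLM\..\Run: [ValueName] command` (generalising the abbreviation in the example listing to every key in the table) and that folder entries are logged as `O4 - Startup: item.lnk = target` or `O4 - Global Startup: ...`; the sample lines, names and paths are constructed.

```python
import re

# Registry keys from the table in this section.
STARTUP_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
]

# Startup folders from this section.
STARTUP_FOLDERS = {
    "Startup": r"c:\documents and settings\USERNAME\start menu\programs\startup",
    "Global Startup": r"c:\documents and settings\All Users\start menu\programs\startup",
}


def abbreviate(full_key):
    """Shorten a key the way the example listing does (HKLM\\..\\Run): everything
    up to and including 'CurrentVersion\\' becomes '..'. Assumed to hold for
    every key in the table."""
    hive, rest = full_key.split("\\", 1)
    tail = rest.split("CurrentVersion\\", 1)[1]
    return f"{hive}\\..\\{tail}"


ABBREV_TO_FULL = {abbreviate(k): k for k in STARTUP_KEYS}

# Assumed line layouts:
#   O4 - HKLM\..\Run: [ValueName] command line
#   O4 - Startup: item.lnk = C:\path\target.exe      (likewise 'Global Startup')
REG_RE = re.compile(r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
FOLDER_RE = re.compile(r"^O4 - (?P<folder>Global Startup|Startup): (?P<item>[^=]+?)(?: = (?P<target>.+))?$")


def parse_o4(line):
    """Return where the entry lives and what a HijackThis repair would remove, or None."""
    line = line.strip()
    m = REG_RE.match(line)
    if m:
        return {
            "location": ABBREV_TO_FULL.get(m["key"], m["key"]),
            "name": m["name"],
            "command": m["cmd"],
            # Registry entries: only the value goes; the file stays (delete it in Safe Mode).
            "fix_effect": "registry value removed; program file stays on disk",
        }
    m = FOLDER_RE.match(line)
    if m:
        item = m["item"].strip()
        is_shortcut = item.lower().endswith(".lnk")
        return {
            "location": STARTUP_FOLDERS[m["folder"]],
            "name": item,
            "command": m["target"],
            # A shortcut is removed but its target stays; a real file in the folder is deleted.
            "fix_effect": ("shortcut removed; target file stays on disk" if is_shortcut
                           else "file in startup folder deleted"),
        }
    return None


if __name__ == "__main__":
    # Constructed sample lines (value names, file names and paths are made up).
    for sample in [
        r"O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe /background",
        r"O4 - HKCU\..\Policies\Explorer\Run: [sys] C:\Documents and Settings\USERNAME\sys.exe",
        r"O4 - Global Startup: Example Launcher.lnk = C:\Program Files\Example\launcher.exe",
        r"O4 - Startup: dropped.exe",
    ]:
        print(parse_o4(sample))
```

Expanding the abbreviated key back to the full path is what lets you tell a per-user Run value from a machine-wide Policies\Explorer\Run value, which matters when deciding whose profile the entry will affect.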

to 19: O5 section



This section corresponds to Control Panel items, such as Internet Options, being hidden from view.

It is possible to hide a Control Panel item by adding an entry to the file control.ini. Under Windows XP, at least, this file is located at C:\Windows\control.ini. From this file you can control which Control Panel items should not be displayed.
 

Files used:
control.ini


Example listing: O5 - control.ini: inetcpl.cpl = no


If you find a line like this, it could be a sign that some software is making it difficult for you to change your settings. Unless this entry is there for a specific reason, for example because an administrator has set this policy or Spybot S&D has set a restriction here, let HijackThis repair it.

to 20: O6 section



This section corresponds to an administrative restriction on changing the options or the start page in Internet Explorer, imposed by changing certain settings in the registry.
 

Registry key:
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
Example listing: O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions


These options should only appear if your administrator set them on purpose, or if you enabled the home page and options lock settings in the Immunize section of Spybot S&D.

to 21: O7 section



This section corresponds to running Regedit being prohibited by changing an entry in the registry.
 

Registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Example listing: O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System: DisableRegedit=1


Please note that administrators in offices block this on purpose. Repairing these entries with HijackThis could therefore be a violation of company policy. If you are the administrator and this restriction has been enabled, then repair the entry with HijackThis.
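Sections O5, O6 and O7 all describe the same decision: a restriction is left alone only if it was set deliberately (by an administrator or by Spybot S&D's immunization), otherwise it is repaired. The following added example (not code from the tutorial or from HijackThis) parses the three example listings and applies that rule against a set of restrictions known to be intentional. The line layouts are assumed from the example listings in these sections, and the sample log is constructed from them; `inetcpl.cpl` is the Internet Options item.

```python
import re

# Assumed line layouts, based on the example listings in sections O5 to O7:
#   O5 - control.ini: inetcpl.cpl = no
#   O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
#   O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System: DisableRegedit=1
O5_RE = re.compile(r"^O5 - control\.ini: (?P<applet>[^=\s]+)\s*=\s*(?P<value>\S+)$")
O6_RE = re.compile(r"^O6 - (?P<key>HK(?:LM|CU)\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions)\b.*$")
O7_RE = re.compile(r"^O7 - (?P<key>HK(?:LM|CU)\\[^:]+\\Policies\\System): (?P<value>\w+)\s*=\s*(?P<data>\S+)$")

# Control Panel file name to the item it represents (inetcpl.cpl is Internet Options).
APPLETS = {"inetcpl.cpl": "Internet Options"}

# Constructed log excerpt made from the example listings.
SAMPLE_LOG = [
    "O5 - control.ini: inetcpl.cpl = no",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System: DisableRegedit=1",
]


def parse_restriction(line):
    """Turn an O5/O6/O7 line into (identifier, description), or None for other lines."""
    line = line.strip()
    m = O5_RE.match(line)
    if m:
        applet = m["applet"].lower()
        shown = APPLETS.get(applet, applet)
        hidden = m["value"].lower() == "no"
        return (f"control.ini:{applet}", f"{shown} {'hidden' if hidden else 'shown'} via control.ini")
    m = O6_RE.match(line)
    if m:
        return ("IE Restrictions", f"Internet Explorer options/home page locked under {m['key']}")
    m = O7_RE.match(line)
    if m:
        active = m["data"] != "0"
        return (m["value"], f"{m['value']}={m['data']} under {m['key']} ({'active' if active else 'inactive'})")
    return None


def triage_restrictions(log_lines, intended):
    """Apply the rule from the text: leave a restriction alone only when it is in
    `intended` (set on purpose by an administrator or by Spybot S&D); every other
    restriction is a candidate for repair."""
    findings = []
    for line in log_lines:
        parsed = parse_restriction(line)
        if parsed is None:
            continue
        ident, description = parsed
        findings.append({
            "id": ident,
            "description": description,
            "action": "leave" if ident in intended else "fix",
        })
    return findings


if __name__ == "__main__":
    # Assume only the Regedit lock is a deliberate company policy on this machine.
    for f in triage_restrictions(SAMPLE_LOG, intended={"DisableRegedit"}):
        print(f"{f['action']:5} {f['id']:25} {f['description']}")
```

The `intended` set is the part you have to fill in from knowledge of the machine; the script cannot tell a policy set by an administrator from one set by a hijacker, which is exactly why the text tells you to check before repairing.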

to 22: O8 section



This section corresponds to the extra elements in the context menu of Internet Explorer.

This means that you can view these options by right-clicking on the website you are currently visiting.
 

Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt


Example listing: O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html


The listing of these items shows you what will appear in the menu when you right-click and which program will be used when you actually click on one of these menu items. Certain entries, like Browser Pal, should always be removed. The rest should be researched with Google. A legitimate example of such an entry is the Google Toolbar.

If you repair entries of this type, HijackThis will not delete the malicious files listed. It is therefore recommended to switch to Safe Mode and delete the malicious files there.

to 23: O9 section

This section corresponds to the buttons in the Internet Explorer toolbar, or the elements under Internet Explorer Extras Menu (which are not installed by default).

Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions
Example listing: O9 - Extra Button: AIM (HKLM)


If you do not need these buttons or elements in the menu, or if you identify them as malware, you can delete the entries without hesitation.

If you repair entries of this type, HijackThis will not delete the malicious files listed. It is therefore recommended to switch to Safe Mode and delete the malicious files there.

to 24: O10 section



This section corresponds to Winsock hijackers, also known as LSPs (Layered Service Providers).

LSPs are a method of hooking software into the Winsock 2 implementation on your computer. Since LSPs are chained to one another, data passes through each LSP in turn whenever Winsock is used. Spyware and hijackers can use this to see all traffic that passes between your computer and the Internet.

You should be particularly careful when deleting these entries, as failing to repair the resulting gap in the LSP chain properly can result in loss of Internet connectivity.
 

Example listing: O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing


Many virus scanners scan for viruses, Trojans, etc. at the Winsock level. The problem is that many of them do not re-chain the LSPs in the correct order after the offending entries have been deleted. This can cause HijackThis to generate a warning similar to the example above even though the Internet connection still works. You should therefore seek help from an experienced person if you want to repair these entries. You should also use LSPFix to repair these entries; see the link below.

Spybot can generally fix these items, but you need to make sure you have the latest version as the older versions had problems.

You should use LSPFix to fix these entries as it was designed to do this.
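To show why a missing provider breaks the chain and why a repair has to re-chain rather than just delete, here is an added example that models the Winsock catalog in a deliberately simplified way: providers are catalog entries with an id and a DLL, and the protocol chain is an ordered list of ids. This is not code from the tutorial, from HijackThis or from LSPFix, and it does not touch the real Winsock catalog; the catalog contents are constructed (the missing DLL name is the one from the example listing, `example_av_lsp.dll` is made up).

```python
from dataclasses import dataclass


@dataclass
class Provider:
    catalog_id: int   # id of the Winsock catalog entry
    name: str
    dll: str          # provider DLL that must exist on disk


# Constructed catalog: a base provider, a layered provider whose DLL is gone
# from disk (the file named in the O10 example above), and a made-up antivirus
# layer. The chain lists catalog ids from the outermost layer inwards.
PROVIDERS = [
    Provider(1, "Base TCP/IP provider", "mswsock.dll"),
    Provider(2, "Leftover layered provider", "spsublsp.dll"),
    Provider(3, "Constructed AV layer", "example_av_lsp.dll"),
]
CHAIN = [3, 2, 1]
FILES_ON_DISK = ["mswsock.dll", "example_av_lsp.dll"]   # spsublsp.dll is missing


def chain_problems(providers, chain, files_on_disk):
    """Explain why a chain would break Internet access: an id that no longer has
    a catalog entry, or an entry whose DLL cannot be loaded. The second case is
    the condition behind the 'LSP provider ... missing' warning."""
    by_id = {p.catalog_id: p for p in providers}
    on_disk = {f.lower() for f in files_on_disk}
    problems = []
    for cid in chain:
        provider = by_id.get(cid)
        if provider is None:
            problems.append(f"chain references deleted catalog entry {cid}")
        elif provider.dll.lower() not in on_disk:
            problems.append(f"LSP provider '{provider.dll}' missing")
    return problems


def rebuild_chain(providers, chain, files_on_disk):
    """Drop the broken links while preserving the order of the remaining
    providers. Deleting an entry without doing this is the mistake the text
    warns about: the chain then points at something that is not there."""
    by_id = {p.catalog_id: p for p in providers}
    on_disk = {f.lower() for f in files_on_disk}
    return [cid for cid in chain
            if cid in by_id and by_id[cid].dll.lower() in on_disk]


if __name__ == "__main__":
    print("problems:", chain_problems(PROVIDERS, CHAIN, FILES_ON_DISK))
    fixed = rebuild_chain(PROVIDERS, CHAIN, FILES_ON_DISK)
    print("rebuilt chain:", fixed, "problems now:", chain_problems(PROVIDERS, fixed, FILES_ON_DISK))
```

The point of `rebuild_chain` is that the surviving providers keep their relative order; a real repair tool such as LSPFix has to achieve the same on the actual catalog, which is why the text recommends it over removing entries by hand.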

to 25: O11 section



This section corresponds to a non-standard options group added to the Advanced tab under Internet Options in Internet Explorer.

If you open Internet Options in Internet Explorer, you will see an Advanced tab. It is possible to add an entry under the registry key below so that a new options group appears there.

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions
 

Example listing: O11 - Options group:


According to Merijn, the author of HijackThis, there is only one known hijacker that uses this, namely CommonName. If you see CommonName in this listing, you can safely remove it. However, if there is a different entry, you should do some research with Google first.

to 26: O12 section