Can Anyone Help Me?

Discussion in 'adware, spyware & hijack cleaning' started by sarsons, Apr 16, 2004.

Thread Status:
Not open for further replies.
  1. sarsons

    sarsons Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    9
    Hello

    Here is my SG log:


    --------------------------------------------------------------------------------
    BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
    On 06:25:36 04/16/2004 a browser page change was detected.
    Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
    Value Name: Search Page
    Old Value: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    New Value: c:\searchpage.html
    User Action Taken: RESTORE OLD VALUE

    --------------------------------------------------------------------------------
    BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
    On 06:25:37 04/16/2004 a browser page change was detected.
    Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
    Value Name: Default_Page_URL
    Old Value: <none>
    New Value: c:\searchpage.html
    User Action Taken: RESTORE OLD VALUE

    --------------------------------------------------------------------------------
    BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
    On 06:25:39 04/16/2004 a browser page change was detected.
    Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
    Value Name: Start Page
    Old Value: http://trafficg.com/hps.php?member=sarsons
    New Value: c:\searchpage.html
    User Action Taken: RESTORE OLD VALUE

    --------------------------------------------------------------------------------
    BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
    On 06:25:40 04/16/2004 a browser page change was detected.
    Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
    Value Name: Search Bar
    Old Value: <none>
    New Value: c:\searchpage.html
    User Action Taken: RESTORE OLD VALUE

    --------------------------------------------------------------------------------
    BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
    On 06:25:41 04/16/2004 a browser page change was detected.
    Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
    Value Name: Default_Search_URL
    Old Value: <none>
    New Value: c:\searchpage.html
    User Action Taken: RESTORE OLD VALUE

    --------------------------------------------------------------------------------
    BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
    On 06:25:42 04/16/2004 a browser page change was detected.
    Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
    Value Name: Search Page
    Old Value: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    New Value: c:\searchpage.html
    User Action Taken: RESTORE OLD VALUE

    --------------------------------------------------------------------------------
    BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
    On 06:25:43 04/16/2004 a browser page change was detected.
    Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
    Value Name: Start Page
    Old Value: http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    New Value: c:\searchpage.html
    User Action Taken: RESTORE OLD VALUE

    --------------------------------------------------------------------------------
    BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
    On 06:25:45 04/16/2004 a browser page change was detected.
    Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
    Value Name: Default_Search_URL
    Old Value: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    New Value: c:\searchpage.html
    User Action Taken: RESTORE OLD VALUE

    -------------------------

    Every 1 minute I am forced to change settings back to my old one.

    This has been going on since yesterday and is making the use of my pc impossible, as every 60 seconds I have to "go back", and stop what I am doing.

    (I have had to stop typing this 3 times now!!!!)

    What changes do I need to make to my system to stop these changes from trying to be forced please?

    I hope someone can help me.

    Andy
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    go to https://www.wilderssecurity.com/showthread.php?t=12516 and download 'Hijack This!'.
    make sure it is placed into it's own folder, not a temporary folder. Then doubleclick the Hijackthis.exe.
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. sarsons

    sarsons Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    9
    Thanks - here is the hijackthis log.

    Logfile of HijackThis v1.97.7
    Scan saved at 07:01:09, on 16/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\soundman.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\AOL 8.0\waol.exe
    C:\Program Files\AOL 8.0\shellmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://trafficg.com/hps.php?member=sarsons
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timesupport.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [SupaStatus] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [lslt] C:\WINDOWS\System32\lslt\jpmakiop.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: TickerBar.lnk = C:\Program Files\Tickerbar\TickerBar.exe
    O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O13 - DefaultPrefix: c:\searchpage.html?page=
    O13 - WWW Prefix: c:\searchpage.html?page=
    O13 - Home Prefix: c:\searchpage.html?page=
    O13 - Mosaic Prefix: c:\searchpage.html?page=
    O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com
    O15 - Trusted Zone: http://*.clicking4gold.com
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38001.4248148148
    O17 - HKLM\System\CCS\Services\Tcpip\..\{91F46C65-09E4-4515-9037-DDB4B77F1ECA}: NameServer = 195.93.33.134

    ----
    Its the c:\searchpage stuff that the SG keeps alerting me to - in the end - just to help with userbility, I cancelled the messages and most settings changed to reflect the c:\searchpage.html (which is not on my hard drive - at least I don't think it is - its not in that location anyway).

    So with all the changes to c:\searchpage, the only thing that i keep getting prompted to change is my startpage now.

    Thanks for your help.

    Andy
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    please find this file and zip it & send to me please C:\WINDOWS\System32\lslt\jpmakiop.exe
    submit@thespykiller.co.uk

    First download CWshredder from https://www.wilderssecurity.com/showthread.php?t=14086 then

    Boot into safe mode & Run it
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.

    Now as CWS installs via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    then reboot & post a new log please
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  6. sarsons

    sarsons Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    9
    Thanks again, but...

    I am puzzled.

    I boot into safe mode, ok.
    I run CWS

    but I do not like the sound of what you typed after that about no user participation.

    I do not want to shove even more things on my pc which are harder to control than what I have now.

    I am a novice in these things, and am very wary of messing with something at a level that I cannot understand, and would sooner reformat my hard ddrive and start again, as i understand that :)

    When I have scanned everything using CWS, you ask me to go to a website and download all critical updates, but I can't do that in safe mode - I cannot connect to the internet while there.

    I am just too nervous to do this at the moment, so would reformatting my hard drive and reinstalling the startup disk I got with this machine sort out the problem on my pc please? If so I will thank you, and do that.

    Andy

    ps I don't have a zipper on my pc either and it would take hours to download one, which is another reason for asking this.

    Thanks
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    xp has inbuilt zipping facility

    right click the file and select send to compressed folder, that copies the file and puts in in a zip file in the same folder it exists in

    so in this case please right click the C:\WINDOWS\System32\lslt\ folder select send to compressed folder and acopy of that folder will be made in zip format
    that will be placed inside the system32 folder, so then make a new email adreesed to the address I gave you earlier and then press insert attachment, and navigate through the folders to the new lslt zip file and press attach

    then send it to me


    You do all the updates after rebooting normaly when cwshredder has run and cleaned up hopefully.

    I am not saying that using CWShredder will put anything on the computer with no user participation
    That is HOW you were infected in the first place and even though a complete reformat will cure this problem It is like using a sledgehammer to crack a nut. It doesn't stop the underlying reason you were infected and will leave you open to many more hijacks until you have spent ages reinstalling all antivirus software etc and all windows updates

    Please post back with any more queries or worries
     
  8. sarsons

    sarsons Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    9
    I don't have this file on my pc - I have tried find, and have the option to show all hidden files and folders set as well.

    Andy
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    if you have run cwshredder and rebooted please post a new hijackthis log
     
  10. sarsons

    sarsons Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    9
    Hi Derek

    I have run CWS and was asked during it if this file was a random name: c:\windows\tcpip32.exe

    I said no. I think it has something to do with internet connections or something.

    Anyway, when complete it said that the system was completely clean.

    here is the new log
    --
    Logfile of HijackThis v1.97.7
    Scan saved at 09:21:53, on 16/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\soundman.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://trafficg.com/hps.php?member=sarsons
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timesupport.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [SupaStatus] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [lslt] C:\WINDOWS\System32\lslt\jpmakiop.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: TickerBar.lnk = C:\Program Files\Tickerbar\TickerBar.exe
    O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O13 - DefaultPrefix: c:\searchpage.html?page=
    O13 - WWW Prefix: c:\searchpage.html?page=
    O13 - Home Prefix: c:\searchpage.html?page=
    O13 - Mosaic Prefix: c:\searchpage.html?page=
    O14 - IERESET.INF: START_PAGE_URL=http://www.timesupport.com
    O15 - Trusted Zone: http://*.clicking4gold.com
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38001.4248148148

    --

    I don't know if its relevant but I keep getting the error message box popping up every now and again saying "Internet Explorer cannot find the file "SHDocVwCtl.WebBrowser"

    thanks

    Andy
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html

    O4 - HKLM\..\Run: [SupaStatus] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe

    O4 - HKCU\..\Run: [lslt] C:\WINDOWS\System32\lslt\jpmakiop.exe

    O13 - DefaultPrefix: c:\searchpage.html?page=
    O13 - WWW Prefix: c:\searchpage.html?page=
    O13 - Home Prefix: c:\searchpage.html?page=
    O13 - Mosaic Prefix: c:\searchpage.html?page=


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    then using windows explorer navigate to & if they still exist

    Delete these files

    c:\searchpage.html


    and Delete these folders

    C:\WINDOWS\System32\lslt\

    then
    Reboot normally & see if the hijack has gone
     
  12. sarsons

    sarsons Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    9
    Well, having done this, I have not been prompted again about changes so far, so all would appear to be sorted.

    Many thanks for all your time and help, and sorry for panicking so much :p

    Andy
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    That's fine

    any problems come back, we are always here
     
Thread Status:
Not open for further replies.