
www.910sp.com has been set as my homepage


DPlank

IS-IT--Management
May 30, 2003
1,903
GB
..and I can't get rid of it.

Trend Micro indicated I had an infected svchost.exe in c:\winnt, but can't seem to clean it. Neither is it even detected by the PCGuard system Virgin provided me.

This file appears to be relatively important to the workings of the PC from what I can tell, so I don't want to delete it either...

Trend Micro claimed it was a generic backdoor (low threat), but IE's starting up by itself... Luckily I've got Firefox to post this query with...

Anyone suggest how I can deal with this?


Cheers,
Dave

"Yes, I'll stop finding bugs in the software - as soon as you stop writing bugs into the software." <-- Me

For all your testing needs: Forum1393
 
Download AVG Anti-Spyware from the link below and set it to delete anything it finds.


Now download CCleaner from the link below (if you have Nero, uncheck the box for it under Programs).

(download the latest version at the top right, in the green)

Download this free registry cleaner:



Now to run the other programs: first open up and run CCleaner, and let it remove all the temp garbage from the computer.

Next open up avg anti spyware and run a full system scan with it.

Once done with that, run the registry cleaner. Now run HijackThis and post the logfile on here. Do not attempt to fix anything in HijackThis, as not everything it shows is bad.


There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Thanks for your help so far Jason. Here's the HijackThis logfile:

Code:
Logfile of HijackThis v1.99.1
Scan saved at 23:15:43, on 21/09/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\PDesk\PDesk.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\internat.exe
C:\program files\bittorrent\bittorrent.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\OldFiles\AV\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.910sp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadband.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = QQ·ÇÖ÷Á÷
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINNT\system32\BHOManager.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\program files\bittorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127065387390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164968765640
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://xscanner.malwarealarm.com/a/install1459.cab
O16 - DPF: {BF02518B-B049-4E3C-AE09-A6A8FDB148EB} - http://gromozon.com/729421d8/sm/10002/1/xp/FreeAccess.ocx
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.67 85.255.112.140
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.67 85.255.112.140
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.67 85.255.112.140
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)
O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DaterSpooler - Unknown owner - C:\Program.exe (file missing)
O23 - Service: DCOMLoduoher  (DDOM DechLunuocCOMD) - Unknown owner - C:\WINNT\system32\log2.txt
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

The other items you suggested have helped as well; several items have been cleared out that my current setup had missed.

Thanks

Cheers,
Dave

"Yes, I'll stop finding bugs in the software - as soon as you stop writing bugs into the software." <-- Me

For all your testing needs: Forum1393
 
Check these and click "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = QQ·ÇÖ÷Á÷

O8 - Extra context menu item: &Search -
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
O16 - DPF: {BF02518B-B049-4E3C-AE09-A6A8FDB148EB} -
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.67 85.255.112.140

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.67 85.255.112.140

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.67 85.255.112.140


These ones here I'm not sure about, but they look suspicious:

O23 - Service: DaterSpooler - Unknown owner - C:\Program.exe (file missing)

O23 - Service: DCOMLoduoher (DDOM DechLunuocCOMD) - Unknown owner - C:\WINNT\system32\log2.txt

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
OK - done that :)

Seems to have cleared up the issue with IE starting on the wrong page, however the Home button now takes me to "about:blank" instead of my expected page.

Also the option to change it in Internet Options has been disabled. Do you know where in the registry (I'm assuming it's in the registry) I can re-enable this?

Thanks again!

Cheers,
Dave

"Yes, I'll stop finding bugs in the software - as soon as you stop writing bugs into the software." <-- Me

For all your testing needs: Forum1393
 
Go to the following locations in the registry.
HKEY_LOCAL_MACHINE, Software, Microsoft, Internet Explorer, then click on Main where it's highlighted.

Change the keys as you wish

The other location is

HKEY_CURRENT_USER, Software, Microsoft, Internet Explorer, then click on Main where it's highlighted.

Change keys as you wish.


There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
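As an added example (not from the thread, and not part of HijackThis itself), a short Python triage that applies the same checks Jason made on the posted log: O8/O16 entries whose URL is off a trusted-host list, O17 NameServer entries that are not the resolvers the PC was set up with, and O23 services with an unknown owner whose image is missing or not an executable. It also flags the O6 line, since that policies key is what greys out the Home page setting in Internet Options. The trusted-host list and the 192.0.2.53 resolver are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127065387390
O16 - DPF: {BF02518B-B049-4E3C-AE09-A6A8FDB148EB} - http://gromozon.com/729421d8/sm/10002/1/xp/FreeAccess.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.67 85.255.112.140
O23 - Service: DaterSpooler - Unknown owner - C:\Program.exe (file missing)
O23 - Service: DCOMLoduoher  (DDOM DechLunuocCOMD) - Unknown owner - C:\WINNT\system32\log2.txt
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
"""

# Assumed allowlists, not from the thread: hosts trusted to serve ActiveX/menu
# URLs (O8/O16) and the resolvers this PC should use (RFC 5737 placeholder).
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "yimg.com", "ewido.net")
TRUSTED_DNS = {"192.0.2.53"}
URL_RE = re.compile(r"https?://\S+")

def host_trusted(url):
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS)

def triage(log, trusted_dns=TRUSTED_DNS):
    """Return (section, reason, line) for every entry worth 'Fix checked'."""
    hits = []
    for line in log.strip().splitlines():
        sec = line.split(" - ", 1)[0]
        url = URL_RE.search(line)
        if sec == "O6":
            # Policy key present: this is what greys out the Home page box in Internet Options
            hits.append((sec, "IE Control Panel policy restricts Internet Options", line))
        elif sec in ("O8", "O16") and url and not host_trusted(url.group()):
            hits.append((sec, "URL points at an untrusted host", line))
        elif sec == "O17" and "NameServer = " in line:
            servers = set(line.split("NameServer = ", 1)[1].split())
            if not servers <= trusted_dns:  # resolvers the machine was not configured with
                hits.append((sec, "DNS resolvers changed to " + " ".join(sorted(servers)), line))
        elif sec == "O23" and "Unknown owner" in line:
            image = line.rsplit(" - ", 1)[1]
            if "(file missing)" in image or not image.lower().endswith(".exe"):
                hits.append((sec, "unattributed service with missing or non-exe image", line))
    return hits

if __name__ == "__main__":
    for sec, why, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {why}\n    {line}")
```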
 
I'd run another scan here just to be sure everything is clean and gone. It is Trend Micro's HouseCall online scanner. Run it just to see if it picks up anything.


It will ask you to install things; just verify it's from Trend Micro or HouseCall.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Also thanks for the star :)

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 