Look And Discover Hi Jack Help Needed. [Resolved]

Hi To All,
I'm new here and don't know much about Software, Viruses, PCs etc.
I've just started using Comodo Free Internet Security on the advice of our IT Techie at work. I was previously using Avast on a friend's recommendation.
Anyway my prob is:
I have an ASUS laptop I bought in November 08 running Vista, using IE.
From the time I used it on the internet I have been stuck with the 'LookAndDiscover' homepage.
When I change the default homepage setting it reverts back to the Look&Discover when the PC is restarted.
I've done a few virus scans but they come up clean.
I've read a few forums with solutions for XP but they sound quite complicated & aren't for Vista.
One says the prob resides in the WinSched… I dunno what's hiding in my shed??
Can Anyone Help??
Thanks
Ian

Yes you found the problem, look in your running processes for winsched.exe and disable it as follows:

Go to Defense+ in CIS, look for this in the active process list then right click the file and choose terminate and block.

If you then change your home page and restart your computer it should have solved the problem.

Download and run Malwarebytes Antimalware and post the scan result here.

Welcome to the Forum, Super FX.
This is indeed an adware program from Wind Updates that needs to be removed.

Thanks for the help & quick response.
I looked for the file in the active processes list as suggested but couldn't find it. (Would it be different from XP to Vista ??)
I'm not sure if I did the right thing but I downloaded Malwarebytes as suggested and ran a scan anyway.
It found the corrupt files but was not successful in removing all of them.
This is the 1st scan result:

Malwarebytes’ Anti-Malware 1.36
Database version: 1945
Windows 6.0.6001 Service Pack 1

16/04/2009 19:03:45
mbam-log-2009-04-16 (19-03-17).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 237500
Time elapsed: 2 hour(s), 12 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page\Start Page (Hijack.Homepage) → Bad: (http://lookanddiscover.com/) Good: (http://www.google.com/) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) → Bad: (http://lookanddiscover.com/) Good: (http://www.google.com/) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) → Bad: (0) Good: (1) → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

After this I selected to remove files, changed the homepage and restarted the machine.
I ran another scan:
16/04/2009 21:16:38
mbam-log-2009-04-16 (21-16-33).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 237953
Time elapsed: 39 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) → Bad: (http://lookanddiscover.com/) Good: (http://www.google.com/) → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

After restarting again I still have the same Look&Discover home page.
What should I do to sort this registry item ??
Also the 2nd scan was much quicker than the 1st even though they were both full scans.
Could it have not run right ??
Thanks

You could search your computer for winsched.exe to see if it is there; you may need to enable showing hidden files. It could keep putting the home page back when you start the computer.

The MBAM database could do with updating, but I doubt it would make a difference.

Sometimes Superantispyware can remove bits that MBAM fails, so worth a try.

It is always a good thing to let multiple scanners run in case of an infection. I would like to add A Squared Free; beware of false positives with this scanner.

You may find winsched.exe in
C:\programdata\microsoft\windows\startmenu\programs\startup

If not it is possible it is there under another name, so could you let us know what is in there?

Can you post a Hijack This log?

G'day, Thanks for all the Help !!
I've found Winsched in the following location:
Startup(C:)ProgramData\Microsoft\Windows\StartMenu\Programs
Is this what I'm looking for ??
It has like an 'A' with a small 3 in the top rh corner, like a cubed sign logo.
I'm not sure how to copy everything from the Program File so you can see it.
I s'pose a screen shot would be good but I dunno how to do that either !! ??

Thanks Again

OK you can delete the file and if you scan again with Malwarebytes I think you will find it has gone and so has the browser hijack.

Edit: A quick scan should be enough.

I've deleted the Winsched file and run another scan.
The Look and Discover page has now finally gone and doesn't return as before !!
Although the Malwarebytes program found the file & reported it as deleted, it actually wasn't and needed to be deleted from the registry; as it was residing in the Windows startup files it would hijack the homepage every time IE was restarted.
I think that's sorta right anyway.
Thanks Very Much for your assistance.
I hope this may help some others who have been Hijacked by L&D !!
I'm also very happy with the free !! Comodo Security suite.
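
The manual checks from this thread (the two Internet Explorer Start Page registry values from the Malwarebytes logs, and the contents of the Startup folders) gathered into one read-only PowerShell audit. This is an added example, not part of the original posts; `$ExpectedHome` and the output column names are assumptions, the per-user Startup folder is checked in addition to the all-users one named above, and it needs PowerShell 3.0 or later.

```powershell
# Added example: read-only audit of the places this thread checked by hand.
# $ExpectedHome is an assumption; set it to the homepage you actually chose.
param([string]$ExpectedHome = 'http://www.google.com/')

# 1. The Internet Explorer "Start Page" value in both hives flagged by the scans.
$findings = @(foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\SOFTWARE\Microsoft\Internet Explorer\Main"
    $val = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    [pscustomobject]@{
        Check  = 'IE start page'
        Item   = "$key\Start Page"
        Value  = $val
        Review = [bool]($val -and $val -ne $ExpectedHome)
    }
})

# 2. Everything in the all-users and per-user Startup folders, hidden files
#    included, since the launcher may sit there under another name.
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
$findings += @(Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne 'desktop.ini' } |
    ForEach-Object {
        [pscustomobject]@{
            Check  = 'Startup folder'
            Item   = $_.FullName
            Value  = $_.LastWriteTime
            Review = $true   # nothing here is trusted until you recognise it
        }
    })

# The script only reads; it changes no registry value and deletes no file.
$findings | Format-Table -AutoSize -Wrap
```

A start page that differs from `$ExpectedHome` again after a reboot, together with an unrecognised Startup entry, is the pattern this thread ran into: the scanner resets the value and the startup item rewrites it.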

Great, Thanks James for the great help

Xan