Default Home page now:

Posted on 2004-11-13
Last Modified: 2010-04-11
Some pesky (PAIN IN THE #%&$@*) spyware or something has changed my home page to: have done several GOOGLE searches looking for ways to remove this bug.  BUT, it keeps coming back.  It seems that my McAfee virus scan will not see it.  Spybot does not see it either.  Does someone have an idea of how to remove this THING, short of doing a reformat?

Logfile of HijackThis v1.98.2
Scan saved at 2:11:54 PM, on 11/13/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Startup Mechanic\StartupMonitor.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Provided by
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\\agent\mcagent.exe
O4 - HKLM\..\Run: [Startup Manager Scanner] C:\Program Files\Startup Mechanic\StartupMonitor.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\\agent\McUpdate.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: winlgn.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} ( Operating System Class) -,0,0,81/
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -,0,0,19/
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4647A57-7FE0-41C9-BFE3-022DF879E999}: NameServer =

 Thanks.  Richard
Question by:rdodson4
    LVL 13

    Assisted Solution


    Check out the following thread:

    LVL 65

    Accepted Solution

    Hello rdodson4 =)

    Post that log at this site >>
    and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
    To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

    HJT Log Tutorial >>

    CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)

    And then use msconfig to untick unwanted programs as described here >>
    Then Download these tools and install them:
    AdAware ==>
    SpyBot  ==>
    CoolWebShredder ==>
    Stinger ==>

    Turn off ur System Restore before cleaning the system >>
    Then Run all of them one by one in safemode and delete everything they detect.
    Then delete the temporary internet files and history of IE
    and run Disk Cleanup on ur hard drive to delete those temp and junk files.
    Restart back in Normal Mode to check for the problems now ?? :)

    Author Comment

    I think I ran across that thread when I was doing my GOOGLE searches.  At the time I did not have the time to follow all of the steps lined out.  I did, as you can see, download and run the Hijack program and ran the shredder.  But, that was as far as I got.
    LVL 3

    Assisted Solution

    Please print out or copy this page to Notepad and save it to desktop as we will be doing things from safe mode, simply when in safe mode, open it to follow the instructions.

    Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

    Turn off system restore by right clicking My Computer on the desktop, select system restore tab (top left), put a tick in the "turn off system restore on all drives" and click okay.

    Reboot into Safe Mode (hit F8 key until menu shows up). Note*If it looks like it's taking too long to boot into safe mode, just leave it and wait at least 10 minutes before posting back about the problem. Or simply try and do the steps in normal mode.

    Make sure to close any open browsers you have. Check and fix the following in HijackThis (make sure not to miss any):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =  
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    O4 - Global Startup: winlgn.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F4647A57-7FE0-41C9-BFE3-022DF879E999}: NameServer =

    NOTE* The file winlgn.exe if found in any places other than these locations should be removed as this is a trojan.

    NOT a Pest winlgn.exe startupfolder+\hp digital imaging monitor.lnk
    NOT a Pest winlgn.exe startupfolder+\microsoft office.lnk
    NOT a Pest winlgn.exe startupfolder+\updates from hp.lnk
    NOT a Pest winlgn.exe startupfolder+\desktop.ini

    Trojan.Win32.Bizten.gen winlgn.exe startupfolder+\winlgn.exe

    located here and anywhere else other than above "NOT A PEST" should be removed.

    Then delete the following File

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

    Then Empty your temp files from any temp directory.

    Then click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS

    That will change everything back to defaults. Immediately change your homepage from, this site loads avenue spyware.

    Reset your pc back into normal mode. Then first thing you must do is run a virus checker, check and clean and remove anything you find. Then run your Spyware apps again, clean anything they find. Then reboot again, close down all running apps bottom right, scan with HJT again, post another log to see if it's clean.

    Good Luck

    PS: To any moderators, these HJT logs can be deleted once everything is fixed, but please don't delete this solution as many others that help others with HJT logs from various places can use this information to identify their or someone else's problem by fixing the files I have checked to be nasty if they find it on someone else's computer.
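
An added example, not part of the original thread and not HijackThis's own code: a small Python parser for the log format posted in the question. It lists the entry types the answers singled out (R0/R1, O4 startup-folder items, O17) and notes whether a startup item also appears under "Running processes". The function names and the choice of which codes to list are assumptions made for illustration.

```python
import re

# Excerpt of the log posted in the question (values after "=" are absent on the page).
SAMPLE_LOG = r"""Running processes:
C:\Program Files\Startup Mechanic\StartupMonitor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: winlgn.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4647A57-7FE0-41C9-BFE3-022DF879E999}: NameServer =
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # e.g. "O4 - Global Startup: x"
STARTUP = re.compile(r"^(?:Global )?Startup: (.+)$")  # startup-folder O4 items only

def parse_hjt(text):
    """Split a log into running-process paths and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def review_list(text):
    """Entries to research before fixing, plus whether a startup item is running."""
    processes, entries = parse_hjt(text)
    running = {p.rsplit("\\", 1)[-1].lower(): p for p in processes}
    out = []
    for code, detail in entries:
        m = STARTUP.match(detail)
        if code == "O4" and m:
            name = m.group(1).split(" = ")[0].strip()
            # If the item is also running, stop the process before removing the file.
            out.append((code, name, running.get(name.lower())))
        elif code in ("R0", "R1", "O17"):
            out.append((code, detail, None))
    return out

if __name__ == "__main__":
    for row in review_list(SAMPLE_LOG):
        print(row)
```

A non-empty third field means the startup item is currently loaded, which matches the order the asker reports at the end of the thread: stop the process, then fix the entries.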
    LVL 8

    Assisted Solution

    I believe this prog to be the problem.... winlgn.exe also known as Trojan.Win32.Bizten.gen

    You're infected.......... The file plaguing you is:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

    Reference link:

    Good Luck,

    LVL 8

    Expert Comment

    Oh, now that I read the other comments, zeropoint also mentioned that particular file.... Oops


    Author Comment

    THANKS, a combination of the Answers seems to have Fixed the problem.  

    1: Turn off System Restore  2: Use Task Manager to stop The file winlgn.exe
    3: use to select files to fix.  4: Reboot.

