Default Home page now: http://any-find.com/index.htm

Some pesky (PAIN IN THE #%&$@*) spyware or something has changed my home page to: http://any-find.com/index.htm. I have done several GOOGLE searches looking for ways to remove this bug.  BUT, it keeps coming back.  It seems that my McAfee virus scan will not see it.  Spybot does not see it either.  Does someone have an idea of how to remove this THING, short of doing a reformat?

Logfile of HijackThis v1.98.2
Scan saved at 2:11:54 PM, on 11/13/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Startup Mechanic\StartupMonitor.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://any-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://any-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://any-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://any-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://any-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Provided by Teleport.cc
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [Startup Manager Scanner] C:\Program Files\Startup Mechanic\StartupMonitor.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: winlgn.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4647A57-7FE0-41C9-BFE3-022DF879E999}: NameServer = 209.244.0.3 209.244.0.4




 Thanks.  Richard
rdodson4 Asked:
gripe Commented:

Check out the following thread:

http://computercops.biz/postt82794.html

SheharyaarSaahil Commented:
Hello rdodson4 =)

Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)

And then use msconfig to untick unwanted programs as described here >> http://netsquirrel.com/msconfig/
Then Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Stinger ==> http://vil.nai.com/vil/stinger
========================================================

Turn off ur System Restore before cleaning the system >> http://www.pchell.com/virus/systemrestore.shtml
Then Run all of them one by one in safemode and delete everything they detect.
Then delete the temporary internet files and history of IE
and run Disk Cleanup on ur hard drive to delete those temp and junk files.
Restart back in Normal Mode to check for the problems now ?? :)
rdodson4 (Author) Commented:
I think I ran across that thread when I was doing my GOOGLE searches.  At the time I did not have the time to follow all of the steps lined out.  I did, as you can see, download and run the Hijack program and ran the shredder.  But, that was as far as I got.
ZeropointNRG Commented:
Please print out or copy this page to Notepad and save it to desktop as we will be doing things from safe mode, simply when in safe mode, open it to follow the instructions.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Turn off system restore by right clicking My Computer on the desktop, select system restore tab (top left), put a tick in the "turn off system restore on all drives" and click okay.

Reboot into Safe Mode (hit F8 key until menu shows up). Note*If it looks like it's taking too long to boot into safe mode, just leave it and wait at least 10 minutes before posting back about the problem. Or simply try and do the steps in normal mode.

Make sure to close any open browsers you have. Check and fix the following in HijackThis (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://any-find.com/sp.htm   
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://any-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://any-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://any-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://any-find.com/index.htm
O4 - Global Startup: winlgn.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4647A57-7FE0-41C9-BFE3-022DF879E999}: NameServer = 209.244.0.3 209.244.0.4

NOTE* The file winlgn.exe if found in any places other than these locations should be removed as this is a trojan.

NOT a Pest winlgn.exe startupfolder+\hp digital imaging monitor.lnk
NOT a Pest winlgn.exe startupfolder+\microsoft office.lnk
NOT a Pest winlgn.exe startupfolder+\updates from hp.lnk
NOT a Pest winlgn.exe startupfolder+\desktop.ini

Trojan.Win32.Bizten.gen winlgn.exe startupfolder+\winlgn.exe

located here and anywhere else other than above "NOT A PEST" should be removed.

Then delete the following File

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

Then Empty your temp files from any temp directory.

Then click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS

That will change everything back to defaults. Immediately change your homepage from msn.com, this site loads avenue spyware.

Reset your pc back into normal mode. Then first thing you must do is run a virus checker, check and clean and remove anything you find. Then run your Spyware apps again, clean anything they find. Then reboot again, close down all running apps bottom right, scan with HJT again, post another log to see if it's clean.

Good Luck

PS: To any moderators, these HJT logs can be deleted once everything is fixed, but please don't delete this solution as many others that help others with HJT logs from various places can use this information to identify their or someone else's problem by fixing the files I have checked to be nasty if they find it on someone else's computer.
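Added example, not part of any poster's reply: a short Python triage of the entry types ZeropointNRG singles out above (R0/R1 browser URLs, a bare file in Global Startup, O17 NameServer), listing what to research before ticking anything in HijackThis. The sample log is constructed from lines in this thread plus one made-up .lnk entry, and trusted_hosts / known_dns are hypothetical reviewer-supplied allowlists.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.98 line format seen in this thread.
# The "Microsoft Office.lnk" line is made up to show a normal shortcut entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://any-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://any-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Provided by Teleport.cc
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlgn.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4647A57-7FE0-41C9-BFE3-022DF879E999}: NameServer = 209.244.0.3 209.244.0.4
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

def parse(log):
    """Return (section_code, body) for every R*/O* line; other lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def triage(log, trusted_hosts=frozenset(), known_dns=frozenset()):
    """List entries to research before fixing them in HijackThis.

    trusted_hosts and known_dns are reviewer-supplied allowlists (assumptions,
    empty by default); nothing here decides on its own that an entry is malicious.
    """
    findings = []
    for code, body in parse(log):
        _, sep, value = body.partition(" = ")
        if code in ("R0", "R1") and sep:
            host = urlparse(value).hostname  # None for non-URL values (Window Title)
            if host and host not in trusted_hosts:
                findings.append((code, "IE page/search URL host", host))
        elif code == "O4" and "Startup: " in body and not sep:
            # Startup-folder items are normally "name.lnk = target"; a bare file
            # name means the file itself sits in the Startup folder.
            findings.append((code, "file placed directly in Startup folder",
                             body.split("Startup: ", 1)[1]))
        elif code == "O17" and sep:
            for ip in re.split(r"[ ,]+", value.strip()):
                if ip not in known_dns:
                    findings.append((code, "DNS server to verify", ip))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```
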
mugman21 Commented:
I believe this prog to be the problem.... winlgn.exe also known as Trojan.Win32.Bizten.gen

You're infected.......... The file plaguing you is:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe



Reference link:
http://research.pestpatrol.com/Analyses/2004-08-09_155012.asp

Good Luck,

Mugman
mugman21 Commented:
Oh, now that I read the other comments, zeropoint also mentioned that particular file.... Oops

rdodson4 (Author) Commented:
THANKS, a combination of the Answers seem to have Fixed the problem.  

1: Turn off System Restore
2: Use Task Manager to stop The file winlgn.exe
3: use http://www.hijackthis.de/index.php?langselect=english to select files to fix.
4: Reboot.

THANKS TO ALL.

Question has a verified solution.
