
Default Home page now: http://any-find.com/index.htm

Some pesky (PAIN IN THE #%&$@*) spyware or something has changed my home page to: http://any-find.com/index.htm ... I have done several GOOGLE searches looking for ways to remove this bug.  BUT, it keeps coming back.  It seems that my McAfee virus scan will not see it.  Spybot does not see it either.  Does someone have an idea of how to remove this THING, short of doing a reformat?

Logfile of HijackThis v1.98.2
Scan saved at 2:11:54 PM, on 11/13/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Startup Mechanic\StartupMonitor.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://any-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://any-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://any-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://any-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://any-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Provided by Teleport.cc
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [Startup Manager Scanner] C:\Program Files\Startup Mechanic\StartupMonitor.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: winlgn.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4647A57-7FE0-41C9-BFE3-022DF879E999}: NameServer =

 Thanks.  Richard
4 Solutions

Check out the following thread:


Hello rdodson4 =)

Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)

And then use msconfig to untick unwanted programs as described here >> http://netsquirrel.com/msconfig/
Then Download these tools and install them:
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Stinger ==> http://vil.nai.com/vil/stinger

Turn off ur System Restore before cleaning the system >> http://www.pchell.com/virus/systemrestore.shtml
Then Run all of them one by one in safemode and delete everything they detect.
Then delete the temporary internet files and history of IE
and run Disk Cleanup on ur hard drive to delete those temp and junk files.
Restart back in Normal Mode to check for the problems now ?? :)

rdodson4 (Author) commented:
I think I ran across that thread when I was doing my GOOGLE searches.  At the time I did not have the time to follow all of the steps lined out.  I did, as you can see, download and run the Hijack program and ran the shredder.  But, that was as far as I got.

Please print out or copy this page to Notepad and save it to desktop as we will be doing things from safe mode, simply when in safe mode, open it to follow the instructions.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Turn off system restore by right clicking My Computer on the desktop, select system restore tab (top left), put a tick in the "turn off system restore on all drives" and click okay.

Reboot into Safe Mode (hit F8 key until menu shows up). Note*If it looks like it's taking too long to boot into safe mode, just leave it and wait at least 10 minutes before posting back about the problem. Or simply try and do the steps in normal mode.

Make sure to close any open browsers you have. Check and fix the following in HijackThis (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://any-find.com/sp.htm   
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://any-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://any-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://any-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://any-find.com/index.htm
O4 - Global Startup: winlgn.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4647A57-7FE0-41C9-BFE3-022DF879E999}: NameServer =

NOTE* The file winlgn.exe if found in any places other than these locations should be removed as this is a trojan.

NOT a Pest winlgn.exe startupfolder+\hp digital imaging monitor.lnk
NOT a Pest winlgn.exe startupfolder+\microsoft office.lnk
NOT a Pest winlgn.exe startupfolder+\updates from hp.lnk
NOT a Pest winlgn.exe startupfolder+\desktop.ini

Trojan.Win32.Bizten.gen winlgn.exe startupfolder+\winlgn.exe

located here and anywhere else other than above "NOT A PEST" should be removed.

Then delete the following File

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

Then Empty your temp files from any temp directory.

Then click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS

That will change everything back to defaults. Immediately change your homepage from msn.com, this site loads avenue spyware.

Reset your pc back into normal mode. Then first thing you must do is run a virus checker, check and clean and remove anything you find. Then run your Spyware apps again, clean anything they find. Then reboot again, close down all running apps bottom right, scan with HJT again, post another log to see if it's clean.

Good Luck

PS: To any moderators, these HJT logs can be deleted once everything is fixed, but please don't delete this solution as many others that help others with HJT logs from various places can use this information to identify their or someone else's problem by fixing the files I have checked to be nasty if they find it on someone else's computer.
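
The log triage done by hand in the answer above, as an added example that is not part of the original posts: it parses HijackThis-style lines and lists Internet Explorer URL settings that point at a host outside an allow-list, plus bare executables registered in a Startup folder. The `TRUSTED_HOSTS` set, the function name and the heuristics are assumptions for illustration; the sample lines are a subset of the log posted in the question.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the log lines posted in the question.
SAMPLE_LOG = r"""
C:\Program Files\Startup Mechanic\StartupMonitor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://any-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://any-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Provided by Teleport.cc
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - Global Startup: winlgn.exe
"""

# Assumption: hosts the reviewer accepts as IE start/search pages.
TRUSTED_HOSTS = {"www.microsoft.com", "www.google.com"}

R_LINE = re.compile(r"^(R[0-3]) - (HK[A-Z]+\\[^,]+),(.+?) = (.*)$")
STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (.+)$")
PROC_IN_STARTUP = re.compile(
    r"^[A-Za-z]:\\.*\\Start Menu\\Programs\\Startup\\([^\\]+\.exe)$", re.I)

def triage(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return (section, item, reason) tuples for entries worth manual review."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # Executables currently running straight out of a Startup folder.
    running = {m.group(1).lower()
               for m in map(PROC_IN_STARTUP.match, lines) if m}
    findings = []
    for line in lines:
        r = R_LINE.match(line)
        if r:
            section, _key, setting, value = r.groups()
            host = urlparse(value).hostname  # None for non-URL values
            if host and host.lower() not in trusted_hosts:
                findings.append((section, setting, f"untrusted host {host}"))
            continue
        s = STARTUP.match(line)
        # Shortcuts appear as "name.lnk = target"; a bare .exe is unusual.
        if s and s.group(1).lower().endswith(".exe"):
            name = s.group(1)
            state = "running" if name.lower() in running else "not running"
            findings.append(
                ("O4", name, f"bare executable in Startup folder ({state})"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Each finding is a prompt for research, not a verdict; confirm an entry before fixing it in HijackThis, as the posts above advise.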
I believe this prog to be the problem.... winlgn.exe also known as Trojan.Win32.Bizten.gen

You're infected.......... The file plaguing you is:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

Reference link:

Good Luck,

Oh, now that I read the other comments, zeropoint also mentioned that particular file.... Oops

rdodson4 (Author) commented:
THANKS, a combination of the Answers seem to have Fixed the problem.

1: Turn off System Restore
2: Use Task Manager to stop The file winlgn.exe
3: use http://www.hijackthis.de/index.php?langselect=english to select files to fix.
4: Reboot.

