foxhall
new user
Reg'd: Tue
Posts: 3
|
|
Hi, I keep getting an annoying box appear on start up which I cannot close. It says winlgn.exe - no disk. Please insert into drive. Is this the Win Min virus I have heard about?
Also when I go into the internet, my homepage keeps coming up with esearch. I have tried changing the homepage and rebooting, but the change does not work.
Any help would be greatly appreciated.
Logfile of HijackThis v1.98.0
Scan saved at 08:45:07, on 28/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\system32\internat.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ash\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.esearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.esearch.cc/s.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch.cc/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.esearch.cc/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINNT\win32app.dll
O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINNT\msopt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlgn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\winnt\system32\setup1.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll
Edited by foxhall on 28/07/2004 08:49 (server time).
|
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28603
Loc: belfast
|
|
first thing to do is BOOT UP IN SAFE MODE
then go to C:\WINNT and delete msopt.dll and win32app.dll
then boot up normally.
Close all windows, rerun HJT, put a tick beside these and click FIX CHECKED
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.esearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.esearch.cc/s.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch.cc/s.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esearch.cc/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch.cc/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.esearch.cc/
O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINNT\win32app.dll
O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINNT\msopt.dll
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlgn.exe
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\winnt\system32\setup1.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll
then use ctrl+alt+del to bring up task manager and find winlgn.exe, click on it and "end process". Then go to C:\Documents and Settings\All Users\Start Menu\Programs\Startup and delete winlgn.exe
then go to c:\winnt\system32 and delete setup1.exe
reboot and post a fresh log.
AVG ANTIVIRUS..AVG email scanner..SYGATE FIREWALL..ADAWARE..SPYWAREBLASTER..HIJACK THIS..WINDOWS UPDATE..COOLWEBSHREDDER.. SPYWARE GUARD..WINZIP.. DISKEEPERLITE BARNEYS PLACE
Sic biscuitus disintegratum
|
foxhall
new user
Reg'd: Tue
Posts: 3
|
|
Hi Bricat.
I deleted files msopt.dll and win32app.dll and rebooted. I ran HJT and fix checked all the files mentioned (no problem so far, even for a novice like me). I brought up task manager and clicked on winlgn.exe. Message appeared saying "operation could not be completed, Access denied". I could not then delete it from startup due to the file still being open.
Below is a copy of my current log.
Any further suggestions?
Thanks
Logfile of HijackThis v1.98.0
Scan saved at 13:41:58, on 28/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\system32\internat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Documents and Settings\Ash\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: winlgn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28603
Loc: belfast
|
|
BOOT UP IN SAFE MODE then delete that file.
|
foxhall
new user
Reg'd: Tue
Posts: 3
|
|
All working fine.
Many thanks for your help.
|
bricat
HijackThis Helper
Reg'd: Wed
Posts: 28603
Loc: belfast
|
|
glad you're sorted, I strongly recommend you install the following to protect your p.c. in the future:
Spywareblaster & Spywareguard & IE/Spyad
You don't have to do anything with these programmes apart from update them once a week, they will do the work for you. If you try to download something which contains known spyware, Spywareguard will notify you immediately so you can cancel the download
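The "post a fresh log" check in this thread, as an added example that is not part of the original posts: it compares the entries ticked for fixing against a fresh HijackThis log and lists which ones survived, plus any running process whose file is named in the fix list. The sample data is abbreviated from the two logs above; the function names are this example's own.

```python
import re

# HijackThis section codes that start every entry: R0-R3, F0-F3, N1-N4, O1-O99.
CODE = r"(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - "
ENTRY_SPLIT = re.compile(r"\s+(?=" + CODE + ")")

def parse_entries(text):
    """Split a log into entries, whether one per line or run together."""
    chunks = ENTRY_SPLIT.split(text.strip())
    return [" ".join(c.split()) for c in chunks if re.match(CODE, c)]

def running_processes(text):
    """Return the paths under 'Running processes:' (paths may contain spaces)."""
    m = re.search(r"Running processes:(.*?)(?=\s+" + CODE + r"|\Z)", text, re.S)
    if not m:
        return []
    # A new path starts at each drive letter such as C:\
    return [p for p in re.split(r"\s+(?=[A-Za-z]:\\)", m.group(1).strip()) if p]

def still_present(fix_list, fresh_log):
    """Entries that were ticked for fixing but appear again in the fresh log."""
    fresh = {e.lower() for e in parse_entries(fresh_log)}
    return [e for e in parse_entries(fix_list) if e.lower() in fresh]

def still_running(fix_list, fresh_log):
    """Running processes whose file name is named in an entry ticked for fixing."""
    fixed = " ".join(parse_entries(fix_list)).lower()
    return [p for p in running_processes(fresh_log)
            if p.rsplit("\\", 1)[-1].lower() in fixed]

# Sample data abbreviated from the thread: part of the fix list, and part of
# the second log in the run-together form in which such logs are often pasted.
FIX_LIST = r"""
O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINNT\win32app.dll
O4 - Global Startup: winlgn.exe
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\winnt\system32\setup1.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll
"""
FRESH_LOG = r"""Running processes: C:\WINNT\System32\smss.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKCU\..\Run: [internat.exe] internat.exe O4 - Global Startup: winlgn.exe O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll"""

if __name__ == "__main__":
    for entry in still_present(FIX_LIST, FRESH_LOG):
        print("still in log:", entry)
    for path in still_running(FIX_LIST, FRESH_LOG):
        print("still running:", path)
```

On the sample it reports the winlgn.exe startup entry and the icoo protocol entry as still present, and winlgn.exe as still running.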