PC Review



Browser Hijack (with "Hijack This" log)

 
 
Alex
 
      26th Oct 2004
I keep removing the obvious bigwebportal.com files, but
I must be missing a file, because every time I start
up my computer, the hijack is right back.

Can anyone tell me what file I'm not deleting?

Also, can't anyone shut down bigwebportal, because
they seem to be a nuisance to lots and lots of surfers.

Alex

The following is the Hijack This log:

***********************************

Logfile of HijackThis v1.98.2
Scan saved at 14:43:52, on 26-10-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NTS\WANADOO CABLE\APP\ENTERNET.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.bigwebportal.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bigwebportal.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bigwebportal.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigwebportal.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bigwebportal.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bigwebportal.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\WINDOWS\\Desktop\\TEMP\\altavista.htm"); (C:\Program Files\Netscape\Users\joey\prefs.js)
O1 - Hosts: 66.40.21.73 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\SYSTEM\IEHelper.dll
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\SYSTEM\WINENC32.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binarie...rvice_4_EN.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binarie...TH_1021_EN.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downloadv3.com/binarie...rvice_5_EN.cab

***********************************


 
 
 
 
 
Will Dormann
 
      26th Oct 2004
Alex wrote:

> R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.bigwebportal.com
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bigwebportal.com
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bigwebportal.com
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigwebportal.com
> R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bigwebportal.com
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bigwebportal.com
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
> R3 - Default URLSearchHook is missing
> O1 - Hosts: 66.40.21.73 auto.search.msn.com
> O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\SYSTEM\IEHelper.dll
> O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\SYSTEM\WINENC32.DLL
> O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
> O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
> C:\WINDOWS\web\related.htm
> O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
> http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
> O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} -
> http://akamai.downloadv3.com/binarie...rvice_4_EN.cab
> O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} -
> http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
> O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) -
> http://akamai.downloadv3.com/binarie...TH_1021_EN.cab
> O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} -
> http://akamai.downloadv3.com/binarie...rvice_5_EN.cab


Kill the above. In Windows safe mode if necessary.

Keep in mind that if you continue using the same software and settings
in the same way, you will probably get infected with the same stuff again.
http://www.quotationspage.com/quote/26032.html

Read through some of the posts on alt.privacy.spyware
You may find suggestions on other software to use, or utilities and
settings that can be used to "lock down" your current software. Use
whichever method suits your needs best.

Here's a page that one of the frequenters over there has compiled that
may help:
http://home.rochester.rr.com/bshagnasty/tips.html

-WD

 
 
gromit
 
      27th Oct 2004
On Tue, 26 Oct 2004 15:03:22 +0200, in alt.comp.anti-virus
"Alex" <(E-Mail Removed)> posted:

[snip]

>MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)


I would *seriously* recommend you upgrade your Internet Explorer to
v6. There are so many security issues with v5 of IE.

[snip]


--
Phil
To reply delete "NOTHANKS"
 
 
Bart Bailey
 
      27th Oct 2004
In Message-ID:<(E-Mail Removed)> posted on
Wed, 27 Oct 2004 13:18:56 +0800, gromit wrote: Begin

>On Tue, 26 Oct 2004 15:03:22 +0200, in alt.comp.anti-virus
>"Alex" <(E-Mail Removed)> posted:
>
>[snip]
>
>>MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

>
>I would *seriously* recommend you upgrade your Internet Explorer to
>v6. There are so many security issues with v5 of IE.
>
>[snip]


Even better "upgrade" would produce an HJT log entry similar to this:
---begin---
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Unable to get Internet Explorer version!
---end---

--

Bart
 
 
Alex
 
      27th Oct 2004

"gromit" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Tue, 26 Oct 2004 15:03:22 +0200, in alt.comp.anti-virus
> "Alex" <(E-Mail Removed)> posted:
>
> [snip]
>
> >MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

>
> I would *seriously* recommend you upgrade your Internet Explorer to
> v6. There are so many security issues with v5 of IE.


I was running version 6, when the computer was infected.
I thought it was a good idea to uninstall version 6, and
Win98 SE replaced it back to version 5.

Alex



 
 
Alex
 
      27th Oct 2004

"Will Dormann" <(E-Mail Removed)> wrote in message
news:xdCdnUpU5Os1TuPcRVn-(E-Mail Removed)...
> Alex wrote:
>
> > R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.bigwebportal.com
> > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bigwebportal.com
> > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bigwebportal.com
> > R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigwebportal.com
> > R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bigwebportal.com
> > R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bigwebportal.com
> > R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
> > R3 - Default URLSearchHook is missing
> > O1 - Hosts: 66.40.21.73 auto.search.msn.com
> > O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\SYSTEM\IEHelper.dll
> > O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\SYSTEM\WINENC32.DLL
> > O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
> > O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
> > C:\WINDOWS\web\related.htm
> > O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
> > http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
> > O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} -
> > http://akamai.downloadv3.com/binarie...rvice_4_EN.cab
> > O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} -
> > http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
> > O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) -
> > http://akamai.downloadv3.com/binarie...TH_1021_EN.cab
> > O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} -
> > http://akamai.downloadv3.com/binarie...rvice_5_EN.cab

>
> Kill the above. In Windows safe mode if necessary.


I have deleted all but the akamai entries. I don't know what they do. All
I heard was that Akamai speeds up your connection?

Thanks for the link, I've downloaded Mozilla and will check it
out later.

Alex




> Keep in mind that if you continue using the same software and settings
> in the same way, you will probably get infected with the same stuff again.
> http://www.quotationspage.com/quote/26032.html
>
> Read through some of the posts on alt.privacy.spyware
> You may find suggestions on other software to use, or utilities and
> settings that can be used to "lock down" your current software. Use
> whichever method suits your needs best.
>
> Here's a page that one of the frequenters over there has compiled that
> may help:
> http://home.rochester.rr.com/bshagnasty/tips.html
>
> -WD
>



 
 
Will Dormann
 
      27th Oct 2004
Alex wrote:
> "Will Dormann" <(E-Mail Removed)> wrote in message
>>>O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
>>>http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
>>>O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} -
>>>http://akamai.downloadv3.com/binarie...rvice_4_EN.cab
>>>O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} -
>>>http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
>>>O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) -
>>>http://akamai.downloadv3.com/binarie...TH_1021_EN.cab
>>>O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} -
>>>http://akamai.downloadv3.com/binarie...rvice_5_EN.cab

>>
>>Kill the above. In Windows safe mode if necessary.

>
>
> I have deleted all but the akamai entries. I don't know what they do. All
> I heard was that Akamai speeds up your connection?
>
> Thanks for the link, I've downloaded Mozilla and will check it
> out later.



Actually, I truly meant that you should delete those items.

Quiz time:
Would you trust content from http://yahoo.maliciousdomain.com ?
(Assuming that you trusted Yahoo)

Think about your answer and then ask yourself the same about the O16
items listed above.


-WD
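
Added example, not part of the original thread: the quiz above comes down to reading a hostname from the right, because the leftmost label is chosen by whoever owns the domain to its right. This sketch rejoins the wrapped HijackThis entries from the log in this thread and reports, for each entry that names a remote host, which domain actually controls it; the function names are chosen here, and the two-label rule is a stated simplification.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: entries copied from the log in this thread, keeping the
# line wrapping that splits each O16 entry in two.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigwebportal.com
O1 - Hosts: 66.40.21.73 auto.search.msn.com
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} -
http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # "R0 - ...", "O16 - ..."

def unwrap(text):
    """Rejoin wrapped entries: a line without an 'Xn - ' prefix continues the previous one."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if ENTRY.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line
    return entries

def controlling_domain(host):
    """Last two labels of the hostname. Assumption: good enough for .com names;
    a real tool should consult the Public Suffix List (e.g. for .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def review(text):
    """Return (code, hostname, detail) per entry that names a remote host.
    detail is the controlling domain, or for O1 the IP the Hosts file forces."""
    findings = []
    for entry in unwrap(text):
        code, body = ENTRY.match(entry).groups()
        if code == "O1":
            ip, name = body.split(":", 1)[1].split()[:2]
            findings.append((code, name, ip))
            continue
        url = re.search(r"https?://\S+", body)
        if url:
            host = urlsplit(url.group()).hostname
            findings.append((code, host, controlling_domain(host)))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="  ")
```

For the O16 entries the third column reads `downloadv3.com`, not Akamai; the O1 row shows a Microsoft search hostname pinned to an address set in the local Hosts file.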
 
 
Alex
 
      28th Oct 2004
"Will Dormann" <(E-Mail Removed)> wrote in message
news:s7udnXTX-KvKvB3cRVn-(E-Mail Removed)...
> Alex wrote:
> > "Will Dormann" <(E-Mail Removed)> wrote in message
> >>>O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
> >>>http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
> >>>O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} -
> >>>http://akamai.downloadv3.com/binarie...rvice_4_EN.cab
> >>>O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} -
> >>>http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
> >>>O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) -
> >>>http://akamai.downloadv3.com/binarie...TH_1021_EN.cab
> >>>O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} -
> >>>http://akamai.downloadv3.com/binarie...rvice_5_EN.cab
> >>
> >>Kill the above. In Windows safe mode if necessary.

> >
> >
> > I have deleted all but the akamai entries. I don't know what they do. All
> > I heard was that Akamai speeds up your connection?
> >
> > Thanks for the link, I've downloaded Mozilla and will check it
> > out later.

>
>
> Actually, I truly meant that you should delete those items.
>
> Quiz time:
> Would you trust content from http://yahoo.maliciousdomain.com ?
> (Assuming that you trusted Yahoo)
>
> Think about your answer and then ask yourself the same about the O16
> items listed above.


Whoops, ok. Fair enough. I've already deleted them.

I'm still to install Mozilla, although I do have experience
with the Netscape stuff.

Thanks again.

Alex


 