Browser Hijack (with "Hijack This" log)

Alex

I keep removing the obvious bigwebportal.com files, but
I must be missing a file, because every time I start
up my computer, the hijack is right back.

Can anyone tell me what file I'm not deleting?

Also, can't anyone shut down bigwebportal, because
they seem to be a nuisance to lots and lots of surfers.

Alex

The following is the Hijack This log:

***********************************

Logfile of HijackThis v1.98.2
Scan saved at 14:43:52, on 26-10-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NTS\WANADOO CABLE\APP\ENTERNET.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.bigwebportal.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bigwebportal.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bigwebportal.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigwebportal.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bigwebportal.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bigwebportal.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\WINDOWS\\Desktop\\TEMP\\altavista.htm");
(C:\Program Files\Netscape\Users\joey\prefs.js)
O1 - Hosts: 66.40.21.73 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM
FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\SYSTEM\IEHelper.dll
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\SYSTEM\WINENC32.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} -
http://akamai.downloadv3.com/binaries/LiveService/LiveService_4_EN.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} -
http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) -
http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1021_EN.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} -
http://akamai.downloadv3.com/binaries/LiveService/LiveService_5_EN.cab

***********************************
 
Will Dormann

Alex said:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.bigwebportal.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bigwebportal.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bigwebportal.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigwebportal.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bigwebportal.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bigwebportal.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.40.21.73 auto.search.msn.com
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\SYSTEM\IEHelper.dll
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\SYSTEM\WINENC32.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} -
http://akamai.downloadv3.com/binaries/LiveService/LiveService_4_EN.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} -
http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) -
http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1021_EN.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} -
http://akamai.downloadv3.com/binaries/LiveService/LiveService_5_EN.cab

Kill the above. In Windows safe mode if necessary.

Keep in mind that if you continue using the same software and settings
in the same way, you will probably get infected with the same stuff again.
http://www.quotationspage.com/quote/26032.html

Read through some of the posts on alt.privacy.spyware
You may find suggestions on other software to use, or utilities and
settings that can be used to "lock down" your current software. Use
whichever method suits your needs best.

Here's a page that one of the frequenters over there has compiled that
may help:
http://home.rochester.rr.com/bshagnasty/tips.html

-WD
 
gromit

[snip]
MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

I would *seriously* recommend you upgrade your Internet Explorer to
v6. There are so many security issues with v5 of IE.

[snip]
 
Bart Bailey

[snip]
MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

I would *seriously* recommend you upgrade your Internet Explorer to
v6. There are so many security issues with v5 of IE.

[snip]

Even better "upgrade" would produce an HJT log entry similar to this:
---begin---
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Unable to get Internet Explorer version!
---end---
 
Alex

gromit said:
[snip]
MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

I would *seriously* recommend you upgrade your Internet Explorer to
v6. There are so many security issues with v5 of IE.

I was running version 6, when the computer was infected.
I thought it was a good idea to uninstall version 6, and
Win98 SE replaced it back to version 5.

Alex
 
Alex

Will Dormann said:
Kill the above. In Windows safe mode if necessary.

I have deleted all but the akamai entries. I don't know what they do. All
I heard was that Akamai speeds up your connection?

Thanks for the link, I've downloaded Mozilla and will check it
out later.

Alex
 
Will Dormann

Alex said:
I have deleted all but the akamai entries. I don't know what they do. All
I heard was that Akamai speeds up your connection?

Thanks for the link, I've downloaded Mozilla and will check it
out later.


Actually, I truly meant that you should delete those items.

Quiz time:
Would you trust content from http://yahoo.maliciousdomain.com ?
(Assuming that you trusted Yahoo)

Think about your answer and then ask yourself the same about the O16
items listed above.


-WD
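
The quiz above, worked through as an added example that is not part of the original thread: it parses the O16 (Downloaded Program Files) entries from the log and judges each codebase URL by its registrable domain rather than by its leftmost label. The `TRUSTED` allowlist and the last-two-labels rule are assumptions for illustration; real code should consult the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of registrable domains the user really trusts (illustrative).
TRUSTED = {"akamai.com", "yahoo.com"}

# Two O16 entries copied from the log in this thread; the URL wraps to the next line.
SAMPLE_LOG = """\
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
http://akamai.downloadv3.com/binaries/IA/dtc32_EN.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) -
http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1021_EN.cab
"""

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? -\s*(\S*)$")

def registrable_domain(host):
    """Naive last-two-labels rule (assumption, wrong for suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_o16(log_text):
    """Yield (clsid, codebase_url), rejoining URLs wrapped onto the next line."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = O16_RE.match(line.strip())
        if not m:
            continue
        url = m.group(3)
        if not url and i + 1 < len(lines):
            url = lines[i + 1].strip()
        yield m.group(1), url

def assess(url):
    """Return (registrable_domain, verdict) for a codebase URL."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in TRUSTED:
        return reg, "trusted"
    # A trusted brand used only as a subdomain label says nothing about the owner.
    brands = {d.split(".")[0] for d in TRUSTED}
    if brands & set(host.split(".")[:-2]):
        return reg, "lookalike-subdomain"
    return reg, "untrusted"

def review(log_text):
    """List (clsid, url, registrable_domain, verdict) for every O16 entry."""
    return [(clsid, url, *assess(url)) for clsid, url in parse_o16(log_text)]
```
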
 
Alex

Will Dormann said:
Actually, I truly meant that you should delete those items.

Quiz time:
Would you trust content from http://yahoo.maliciousdomain.com ?
(Assuming that you trusted Yahoo)

Think about your answer and then ask yourself the same about the O16
items listed above.

Whoops, ok. Fair enough. I've already deleted them.

I'm still to install Mozilla, although I do have experience
with the Netscape stuff.

Thanks again.

Alex
 
