xxxpower.net cant get rid of it

hi i have a problem there is a porn site on my address bar xxxpower.net i used spybot adaware both deleted temp files and cookies cleaned the history went to regedit >>typed address and deleted from there but seems like cant get rid of it any idea please it drives me crazy thanx here is my hijack result and start up list thanx


StartupList report, 5/4/2003, 8:18:25 PM
StartupList version: 1.52
Started from : C:\UNZIPPED\STARTUPLIST1521[1]\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\STARTUPLIST1521[1]\STARTUPLIST.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Alogserv = c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
McAfee Guardian = "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
LoadQM = loadqm.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
McAfeeVirusScanService = c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 4/5/2003, 19:55:2

[Rename]
NUL=C:\WINDOWS\SYSTEM\RSAENH.DLL
C:\WINDOWS\SYSTEM\RSAENH.DLL=C:\WINDOWS\SYSTEM\SET52F4.TMP
C:\WINDOWS\SYSTEM\IEPEERS.DLL=C:\WINDOWS\SYSTEM\IEPEERS.RCX
C:\WINDOWS\SYSTEM\RSASIG.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\RSASIG.DLL
C:\WINDOWS\SYSTEM\XENROLL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\XENROLL.DLL
C:\WINDOWS\SYSTEM\MSCAT32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSCAT32.DLL
C:\WINDOWS\SYSTEM\MSSIP32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSSIP32.DLL
C:\WINDOWS\SYSTEM\MSSIGN32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSSIGN32.DLL
C:\WINDOWS\SYSTEM\CRYPTUI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\CRYPTUI.DLL
C:\WINDOWS\SYSTEM\CRYPTEXT.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\CRYPTEXT.DLL
C:\WINDOWS\SYSTEM\DIGEST.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\DIGEST.DLL
C:\WINDOWS\SYSTEM\MSXMLA.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXMLA.DLL
C:\WINDOWS\SYSTEM\MSXMLR.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXMLR.DLL
C:\WINDOWS\SYSTEM\MSXML.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXML.DLL
C:\WINDOWS\SYSTEM\MSXML3R.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXML3R.DLL
C:\WINDOWS\SYSTEM\MSTIME.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSTIME.DLL
C:\WINDOWS\SYSTEM\MMUTILSE.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MMUTILSE.DLL
C:\WINDOWS\SYSTEM\PLUGIN.OCX=C:\WINDOWS\SYSTEM\IE4SETUP\PLUGIN.OCX
C:\WINDOWS\SYSTEM\MSRATING.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSRATING.DLL
C:\WINDOWS\SYSTEM\HLINK.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\HLINK.DLL
C:\WINDOWS\SYSTEM\PROCTEXE.OCX=C:\WINDOWS\SYSTEM\IE4SETUP\PROCTEXE.OCX
C:\WINDOWS\SYSTEM\URL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\URL.DLL
C:\WINDOWS\SYSTEM\IMAGEHLP.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\IMAGEHLP.DLL
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6245.TMP
C:\WINDOWS\SYSTEM\INETCPL.CPL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6246.TMP
C:\WINDOWS\SYSTEM\INETCPLC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6247.TMP
C:\WINDOWS\SYSTEM\MSHTML.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6248.TMP
C:\WINDOWS\SYSTEM\MSHTML.TLB=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6280.TMP
C:\WINDOWS\SYSTEM\MSHTMLED.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6282.TMP
C:\WINDOWS\SYSTEM\SHDOCVW.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6283.TMP
C:\WINDOWS\SYSTEM\SHDOCLC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6284.TMP
C:\WINDOWS\SYSTEM\URLMON.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6285.TMP
C:\WINDOWS\SYSTEM\JSCRIPT.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6286.TMP
C:\WINDOWS\SYSTEM\WININET.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6295.TMP
C:\WINDOWS\SYSTEM\SHLWAPI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62D0.TMP
C:\WINDOWS\SYSTEM\ACTXPRXY.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62E0.TMP
C:\WINDOWS\SYSTEM\DISPEX.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62E1.TMP
C:\WINDOWS\SYSTEM\IMGUTIL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62E2.TMP
C:\WINDOWS\SYSTEM\BROWSEUI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62F3.TMP
C:\WINDOWS\SYSTEM\BROWSELC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62F5.TMP
C:\WINDOWS\SYSTEM\SHDOC401.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62F6.TMP
C:\WINDOWS\SYSTEM\SHD401LC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6300.TMP
C:\WINDOWS\SYSTEM\DXTRANS.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6305.TMP
C:\WINDOWS\SYSTEM\DXTMSFT.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6306.TMP
C:\WINDOWS\SYSTEM\MSLS31.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6335.TMP
NUL=C:\WINDOWS\SHELLI~1
NUL=C:\WINDOWS\SYSTEM\WEBCHECK.DLL
C:\WINDOWS\SYSTEM\WEBCHECK.DLL=C:\WINDOWS\SYSTEM\SET7061.TMP
NUL=C:\WINDOWS\SYSTEM\MSIDLE.DLL
C:\WINDOWS\SYSTEM\MSIDLE.DLL=C:\WINDOWS\SYSTEM\SET7062.TMP
c:\windows\SYSTEM\dispex.dll=c:\windows\SYSTEM\dispex.001
c:\windows\SYSTEM\jscript.dll=c:\windows\SYSTEM\jscript.001

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET PATH=C:\CPQS\SAVEREST;C:\CPQS\TOOLS;%PATH%;C:\PROGRA~1\BORLAND\CBUILDER\BIN

IF EXIST C:\APPL.ZIP\*.* IF EXIST C:\WINDOWS\SMARTDRV.EXE C:\WINDOWS\SMARTDRV.EXE
IF EXIST C:\CPQS\SAVEREST\QRSETUP.* CALL C:\CPQS\SAVEREST\QRSETUP /MFG C: D: E: F:
CALL c:\hibernat\hibchk.bat
c:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\bootscan.exe c:\
IF ERRORLEVEL 1 PAUSE

--------------------------------------------------


Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Disk Cleanup.job
Error Lookup.job
Disk Defragmenter.job
DriveSpace.job

--------------------------------------------------

Enumerating Download Program Files:

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://active.macromedia.com/flash4/cabs/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 7,633 bytes
Report generated in 0.228 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


hijack this result:

Logfile of HijackThis v1.94.0
Scan saved at 8:20:06 PM, on 5/4/2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Program Files\Intel\Createshare\program\MGI\Temp\MGI00000.html
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab

thanx again aassddff

 

Hi aassddff!

Try out this tool here once (BHODemon):

http://www.definitivesolutions.com/bhodemon.htm

Could help you in your special case!

Best regards!

Patrice

 

aassddff,

I think your best shot is to follow Tony's instructions he gave you here: http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi?s=3eb65bd46b9affff;act=ST;f=32;t=3021;hl=new

Patrice,

I don't see any BHO's (O2 entries). Do you have any reasopn to assume that HijackThis 1.94 misses these?

 

Hi Metallica!

I'm not that familiar with Hijack This, so I can't answer you this question. But I'm sure others will be able to give a correct answer about that issue.

But what I know is, that most people don't know, that they have Browser Helper Objects installed. It's happening quite fast... For example Adobe Acrobat Reader installs one -certainly a good one. But there are plenty others which will spy on you.

For those who are unfamiliar with BHO's:
A Browser Helper Object, or BHO, is just a small program that runs automatically every time you start your Internet browser. Usually, a BHO is installed on your system by another software program. For example, Go!Zilla, the downloading utility, installs a BHO created by Radiate (formerly Aureate Media); this BHO tracks which advertisements you see as you surf the Web.

Regards!

Patrice

 

I´m sorry. I misunderstood you, I guess. HijackThis shows all BHO´s like this for example: O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
That is why I called them O2 entries. There aren´t any in aassddff´s log, that´s why I asked. Sorry for the misunderstanding. On this site: http://www.spywareinfoforum.com/bhos/ you can find most of the BHO´s known to mankind and check if they are legit or compromising your privacy.

 

Hi Metallica!

Where did you find that in aassddff's post?!? Thanks for letting me know, that the BHO's are shown in Hijack This, as I said I'm unfamiliar with that application.

Regards,

Patrice

 

Patrice,

Like I said there aren´t any BHO´s in aassddff´s log, that´s why I wondered about you recommending BHODemon.
The AdShield BHO comes from one of my old logs. I save those to compare them from time to time.

 

Ah... sorry! I should have read your post more carefully... I wasn't aware that HijackThis shows the BHO's as well. I thought aassddff just shows some interesting parts from the log.

Regards,

Patrice

 

No prob. The funny thing is there isn´t much of interest in aassddff´s log except maybe a lot of extra buttons in IE (the O9 entries). I would love to know where his problem comes from, but no response here or on net-integration so far.

 

hi people it has been a long day at work couldnt get online good news i solved the problem using dos level clean up thanx for help anyways
for information i got help from http://forums.techguy.org/t131906/s.html
thanx a lot again

 

So. everyone, is it possible that xxxpowernet or whatever found a way to purposely make that happen?

A new exploit, if you will? Pete

 

You're using XP, right? Could you try this:
Copy the bold below into notepad, save it as TypedURL.reg, doubleclick it, click OK at the prompt asking if you want to add it to the registry.
After that open a new IE window and click the little arrow at the end of the address bar.

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-972563451-933833872-989089457-1000\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.wilderssecurity.com/showthread.php?t=8994;start=11"

Using a program the prompt can easily be avoided. Not sure if it will work because of the user ID, but I'm sure a program could read the correct one without problems. A BHO could write back that entry every time you launch a new IE window.

 

Except for the "Windows Registry Editor Version 5.00" part? Pete

 

Everything in bold spy1. But I think this part: S-1-5-21-972563451-933833872-989089457-1000 ruins it, because that should be a different one for you. Oh well, I think you get the idea.