xxxpower.net cant get rid of it

Discussion in 'privacy problems' started by aassddff, May 4, 2003.

Thread Status:
Not open for further replies.
  1. aassddff

    aassddff Registered Member

    Joined:
    Mar 30, 2003
    Posts:
    2
Hi, I have a problem: there is a porn site on my address bar :mad: xxxpower.net. I used Spybot and Ad-Aware, both deleted temp files and cookies, cleaned the history, went to regedit >> typed address and deleted it from there, but it seems like I can't get rid of it. Any idea please? It drives me crazy :eek: Thanks. Here is my HijackThis result and startup list, thanks.
    :mad:

    StartupList report, 5/4/2003, 8:18:25 PM
    StartupList version: 1.52
    Started from : C:\UNZIPPED\STARTUPLIST1521[1]\STARTUPLIST.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\STARTUPLIST1521[1]\STARTUPLIST.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    TaskMonitor = c:\windows\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    Alogserv = c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    McAfee Guardian = "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    LoadQM = loadqm.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    McAfeeVirusScanService = c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 4/5/2003, 19:55:28)

    [Rename]
    NUL=C:\WINDOWS\SYSTEM\RSAENH.DLL
    C:\WINDOWS\SYSTEM\RSAENH.DLL=C:\WINDOWS\SYSTEM\SET52F4.TMP
    C:\WINDOWS\SYSTEM\IEPEERS.DLL=C:\WINDOWS\SYSTEM\IEPEERS.RCX
    C:\WINDOWS\SYSTEM\RSASIG.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\RSASIG.DLL
    C:\WINDOWS\SYSTEM\XENROLL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\XENROLL.DLL
    C:\WINDOWS\SYSTEM\MSCAT32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSCAT32.DLL
    C:\WINDOWS\SYSTEM\MSSIP32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSSIP32.DLL
    C:\WINDOWS\SYSTEM\MSSIGN32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSSIGN32.DLL
    C:\WINDOWS\SYSTEM\CRYPTUI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\CRYPTUI.DLL
    C:\WINDOWS\SYSTEM\CRYPTEXT.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\CRYPTEXT.DLL
    C:\WINDOWS\SYSTEM\DIGEST.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\DIGEST.DLL
    C:\WINDOWS\SYSTEM\MSXMLA.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXMLA.DLL
    C:\WINDOWS\SYSTEM\MSXMLR.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXMLR.DLL
    C:\WINDOWS\SYSTEM\MSXML.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXML.DLL
    C:\WINDOWS\SYSTEM\MSXML3R.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXML3R.DLL
    C:\WINDOWS\SYSTEM\MSTIME.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSTIME.DLL
    C:\WINDOWS\SYSTEM\MMUTILSE.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MMUTILSE.DLL
    C:\WINDOWS\SYSTEM\PLUGIN.OCX=C:\WINDOWS\SYSTEM\IE4SETUP\PLUGIN.OCX
    C:\WINDOWS\SYSTEM\MSRATING.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSRATING.DLL
    C:\WINDOWS\SYSTEM\HLINK.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\HLINK.DLL
    C:\WINDOWS\SYSTEM\PROCTEXE.OCX=C:\WINDOWS\SYSTEM\IE4SETUP\PROCTEXE.OCX
    C:\WINDOWS\SYSTEM\URL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\URL.DLL
    C:\WINDOWS\SYSTEM\IMAGEHLP.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\IMAGEHLP.DLL
    C:\PROGRA~1\INTERN~1\IEXPLORE.EXE=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6245.TMP
    C:\WINDOWS\SYSTEM\INETCPL.CPL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6246.TMP
    C:\WINDOWS\SYSTEM\INETCPLC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6247.TMP
    C:\WINDOWS\SYSTEM\MSHTML.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6248.TMP
    C:\WINDOWS\SYSTEM\MSHTML.TLB=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6280.TMP
    C:\WINDOWS\SYSTEM\MSHTMLED.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6282.TMP
    C:\WINDOWS\SYSTEM\SHDOCVW.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6283.TMP
    C:\WINDOWS\SYSTEM\SHDOCLC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6284.TMP
    C:\WINDOWS\SYSTEM\URLMON.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6285.TMP
    C:\WINDOWS\SYSTEM\JSCRIPT.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6286.TMP
    C:\WINDOWS\SYSTEM\WININET.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6295.TMP
    C:\WINDOWS\SYSTEM\SHLWAPI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62D0.TMP
    C:\WINDOWS\SYSTEM\ACTXPRXY.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62E0.TMP
    C:\WINDOWS\SYSTEM\DISPEX.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62E1.TMP
    C:\WINDOWS\SYSTEM\IMGUTIL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62E2.TMP
    C:\WINDOWS\SYSTEM\BROWSEUI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62F3.TMP
    C:\WINDOWS\SYSTEM\BROWSELC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62F5.TMP
    C:\WINDOWS\SYSTEM\SHDOC401.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62F6.TMP
    C:\WINDOWS\SYSTEM\SHD401LC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6300.TMP
    C:\WINDOWS\SYSTEM\DXTRANS.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6305.TMP
    C:\WINDOWS\SYSTEM\DXTMSFT.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6306.TMP
    C:\WINDOWS\SYSTEM\MSLS31.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6335.TMP
    NUL=C:\WINDOWS\SHELLI~1
    NUL=C:\WINDOWS\SYSTEM\WEBCHECK.DLL
    C:\WINDOWS\SYSTEM\WEBCHECK.DLL=C:\WINDOWS\SYSTEM\SET7061.TMP
    NUL=C:\WINDOWS\SYSTEM\MSIDLE.DLL
    C:\WINDOWS\SYSTEM\MSIDLE.DLL=C:\WINDOWS\SYSTEM\SET7062.TMP
    c:\windows\SYSTEM\dispex.dll=c:\windows\SYSTEM\dispex.001
    c:\windows\SYSTEM\jscript.dll=c:\windows\SYSTEM\jscript.001

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET PATH=C:\CPQS\SAVEREST;C:\CPQS\TOOLS;%PATH%;C:\PROGRA~1\BORLAND\CBUILDER\BIN

    IF EXIST C:\APPL.ZIP\*.* IF EXIST C:\WINDOWS\SMARTDRV.EXE C:\WINDOWS\SMARTDRV.EXE
    IF EXIST C:\CPQS\SAVEREST\QRSETUP.* CALL C:\CPQS\SAVEREST\QRSETUP /MFG C: D: E: F:
    CALL c:\hibernat\hibchk.bat
    c:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\bootscan.exe c:\
    IF ERRORLEVEL 1 PAUSE

    --------------------------------------------------


    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Disk Cleanup.job
    Error Lookup.job
    Disk Defragmenter.job
    DriveSpace.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://active.macromedia.com/flash4/cabs/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 7,633 bytes
    Report generated in 0.228 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    hijack this result:

    Logfile of HijackThis v1.94.0
    Scan saved at 8:20:06 PM, on 5/4/2003
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O8 - Extra context menu item: Send Image to Photo Library - file://C:\Program Files\Intel\Createshare\program\MGI\Temp\MGI00000.html
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab

    thanx again aassddff
    :eek:
     
  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi aassddff!

    Try out this tool here once (BHODemon):

    http://www.definitivesolutions.com/bhodemon.htm

    Could help you in your special case! ;)

    Best regards!

    Patrice
     
  3. aassddff,

    I think your best shot is to follow Tony's instructions he gave you here: http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi?s=3eb65bd46b9affff;act=ST;f=32;t=3021;hl=new

    Patrice,

    I don't see any BHO's (O2 entries). Do you have any reason to assume that HijackThis 1.94 misses these?
     
  4. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Metallica!

    I'm not that familiar with Hijack This, so I can't answer you this question. But I'm sure others will be able to give a correct answer about that issue.

    But what I know is, that most people don't know, that they have Browser Helper Objects installed. It's happening quite fast... For example Adobe Acrobat Reader installs one -certainly a good one. But there are plenty others which will spy on you. ;)

    For those who are unfamiliar with BHO's:
    A Browser Helper Object, or BHO, is just a small program that runs automatically every time you start your Internet browser. Usually, a BHO is installed on your system by another software program. For example, Go!Zilla, the downloading utility, installs a BHO created by Radiate (formerly Aureate Media); this BHO tracks which advertisements you see as you surf the Web.

    Regards!

    Patrice
     
  5. Metallica

    Metallica Guest

    I'm sorry. I misunderstood you, I guess. HijackThis shows all BHO's like this, for example: O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
    That is why I called them O2 entries. There aren't any in aassddff's log, that's why I asked. Sorry for the misunderstanding. On this site: http://www.spywareinfoforum.com/bhos/ you can find most of the BHO's known to mankind and check if they are legit or compromising your privacy.
     
  6. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Metallica!

    Where did you find that in aassddff's post?!? Thanks for letting me know, that the BHO's are shown in Hijack This, as I said I'm unfamiliar with that application.

    Regards,

    Patrice
     
  7. Metallica

    Metallica Guest

    Patrice,

    Like I said, there aren't any BHO's in aassddff's log, that's why I wondered about you recommending BHODemon.
    The AdShield BHO comes from one of my old logs. I save those to compare them from time to time. ;)
     
  8. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Ah... sorry! I should have read your post more carefully... :oops: I wasn't aware that HijackThis shows the BHO's as well. I thought aassddff just shows some interesting parts from the log.

    Regards,

    Patrice
     
  9. Metallica

    Metallica Guest

    No prob. The funny thing is there isn't much of interest in aassddff's log except maybe a lot of extra buttons in IE (the O9 entries). I would love to know where his problem comes from, but no response here or on net-integration so far.
     
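As an added example (not code from this thread or from HijackThis itself): a Python triage script that groups HijackThis 1.9x log lines by section, lists any O2 BHO entries in the form Metallica describes, and pulls out the hosts that O16 ActiveX controls were fetched from. The sample log is constructed from lines quoted in this thread; the function names are assumptions of this example.

```python
import re
from collections import defaultdict
# Constructed sample: lines quoted in this thread (aassddff's log plus the
# AdShield O2 line Metallica pasted), not a real log from a single machine.
SAMPLE_LOG = r"""Logfile of HijackThis v1.94.0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
"""
# Section prefix of a HijackThis 1.9x line: "R0 - ...", "O2 - ...", "O16 - ..."
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
# O2 - BHO: <name> - {CLSID} - <dll path>
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O16 - DPF: {CLSID} (<name>) - <codebase URL>
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*?)\) - (?P<url>\S+)$")

def parse_hjt(text):
    """Group log lines by section code; header lines that do not match are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sections[m.group("sec")].append(m.group("rest"))
    return sections

def list_bhos(sections):
    """(name, clsid, path) per O2 entry; an empty list means no BHO is registered."""
    found = []
    for rest in sections.get("O2", []):
        m = BHO_RE.match(rest)
        if m:
            found.append((m.group("name"), m.group("clsid"), m.group("path")))
    return found

def dpf_hosts(sections):
    """Hosts that O16 ActiveX controls were downloaded from, lower-cased."""
    hosts = []
    for rest in sections.get("O16", []):
        m = DPF_RE.match(rest)
        if m:
            hosts.append(re.sub(r"^https?://", "", m.group("url")).split("/")[0].lower())
    return hosts

def lines_mentioning(text, domain):
    """Log lines that reference a domain (e.g. the address-bar entry being chased)."""
    return [l for l in text.splitlines() if domain.lower() in l.lower()]
```

Run against aassddff's full log above, `list_bhos` returns an empty list, which is the absence of O2 entries Metallica points out.
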
  10. aassddff

    aassddff Registered Member

    Joined:
    Mar 30, 2003
    Posts:
    2
    :D Hi people, it has been a long day at work, couldn't get online. Good news: I solved the problem using a DOS-level clean-up. Thanks for the help anyway.
    For information, I got help from http://forums.techguy.org/t131906/s.html
    Thanks a lot again :D
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,282
    Location:
    New England
    Ah, so that's what it was. :D There wasn't a BHO or another piece of code inserted in your IE, you just had a stuck history item in your drop down address list.

    I've had those. When it's happened to me it was usually because it was a corrupt address (perhaps I clicked on a link in a forum and someone had a typo in it so it was actually corrupt and IE could handle it). IE was unable to clear it with the Clear History option. I eventually found that it was stuck in the History Index.dat file (which, as you said, can be cleared by deleting the various index.dat and tif entries).

    Similar circumstances noted here:

    https://www.wilderssecurity.com/showthread.php?t=7670

    Glad you have it fixed!
     
  12. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    So, everyone, is it possible that xxxpowernet or whatever found a way to purposely make that happen?

    A new exploit, if you will? Pete
     
  13. Metallica

    Metallica Guest

    You're using XP, right? Could you try this:
    Copy the bold below into Notepad, save it as TypedURL.reg, double-click it, and click OK at the prompt asking if you want to add it to the registry.
    After that open a new IE window and click the little arrow at the end of the address bar.

    Windows Registry Editor Version 5.00

    [HKEY_USERS\S-1-5-21-972563451-933833872-989089457-1000\Software\Microsoft\Internet Explorer\TypedURLs]
    "url1"="http://www.wilderssecurity.com/showthread.php?t=8994;start=11"


    Using a program the prompt can easily be avoided. Not sure if it will work because of the user ID, but I'm sure a program could read the correct one without problems. A BHO could write back that entry every time you launch a new IE window.
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Except for the "Windows Registry Editor Version 5.00" part? Pete
     
  15. Metallica

    Metallica Guest

    Everything in bold spy1. But I think this part: S-1-5-21-972563451-933833872-989089457-1000 ruins it, because that should be a different one for you. Oh well, I think you get the idea. ;)
     