xxxpower.net cant get rid of it

Discussion in 'privacy problems' started by aassddff, May 4, 2003.

Thread Status:
Not open for further replies.
  1. aassddff

    aassddff Registered Member

    Joined:
    Mar 30, 2003
    Posts:
    2
    Hi, I have a problem: there is a porn site on my address bar :mad: xxxpower.net. I used Spybot and Ad-aware, both deleted temp files and cookies, cleaned the history, went to regedit >> typed address and deleted it from there, but it seems like I can't get rid of it. Any idea please? It drives me crazy :eek: thanx. Here is my HijackThis result and startup list, thanx
    :mad:

    StartupList report, 5/4/2003, 8:18:25 PM
    StartupList version: 1.52
    Started from : C:\UNZIPPED\STARTUPLIST1521[1]\STARTUPLIST.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\STARTUPLIST1521[1]\STARTUPLIST.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    TaskMonitor = c:\windows\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    Alogserv = c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    McAfee Guardian = "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    LoadQM = loadqm.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    McAfeeVirusScanService = c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 4/5/2003, 19:55:28)

    [Rename]
    NUL=C:\WINDOWS\SYSTEM\RSAENH.DLL
    C:\WINDOWS\SYSTEM\RSAENH.DLL=C:\WINDOWS\SYSTEM\SET52F4.TMP
    C:\WINDOWS\SYSTEM\IEPEERS.DLL=C:\WINDOWS\SYSTEM\IEPEERS.RCX
    C:\WINDOWS\SYSTEM\RSASIG.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\RSASIG.DLL
    C:\WINDOWS\SYSTEM\XENROLL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\XENROLL.DLL
    C:\WINDOWS\SYSTEM\MSCAT32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSCAT32.DLL
    C:\WINDOWS\SYSTEM\MSSIP32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSSIP32.DLL
    C:\WINDOWS\SYSTEM\MSSIGN32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSSIGN32.DLL
    C:\WINDOWS\SYSTEM\CRYPTUI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\CRYPTUI.DLL
    C:\WINDOWS\SYSTEM\CRYPTEXT.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\CRYPTEXT.DLL
    C:\WINDOWS\SYSTEM\DIGEST.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\DIGEST.DLL
    C:\WINDOWS\SYSTEM\MSXMLA.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXMLA.DLL
    C:\WINDOWS\SYSTEM\MSXMLR.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXMLR.DLL
    C:\WINDOWS\SYSTEM\MSXML.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXML.DLL
    C:\WINDOWS\SYSTEM\MSXML3R.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSXML3R.DLL
    C:\WINDOWS\SYSTEM\MSTIME.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSTIME.DLL
    C:\WINDOWS\SYSTEM\MMUTILSE.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MMUTILSE.DLL
    C:\WINDOWS\SYSTEM\PLUGIN.OCX=C:\WINDOWS\SYSTEM\IE4SETUP\PLUGIN.OCX
    C:\WINDOWS\SYSTEM\MSRATING.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSRATING.DLL
    C:\WINDOWS\SYSTEM\HLINK.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\HLINK.DLL
    C:\WINDOWS\SYSTEM\PROCTEXE.OCX=C:\WINDOWS\SYSTEM\IE4SETUP\PROCTEXE.OCX
    C:\WINDOWS\SYSTEM\URL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\URL.DLL
    C:\WINDOWS\SYSTEM\IMAGEHLP.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\IMAGEHLP.DLL
    C:\PROGRA~1\INTERN~1\IEXPLORE.EXE=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6245.TMP
    C:\WINDOWS\SYSTEM\INETCPL.CPL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6246.TMP
    C:\WINDOWS\SYSTEM\INETCPLC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6247.TMP
    C:\WINDOWS\SYSTEM\MSHTML.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6248.TMP
    C:\WINDOWS\SYSTEM\MSHTML.TLB=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6280.TMP
    C:\WINDOWS\SYSTEM\MSHTMLED.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6282.TMP
    C:\WINDOWS\SYSTEM\SHDOCVW.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6283.TMP
    C:\WINDOWS\SYSTEM\SHDOCLC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6284.TMP
    C:\WINDOWS\SYSTEM\URLMON.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6285.TMP
    C:\WINDOWS\SYSTEM\JSCRIPT.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6286.TMP
    C:\WINDOWS\SYSTEM\WININET.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6295.TMP
    C:\WINDOWS\SYSTEM\SHLWAPI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62D0.TMP
    C:\WINDOWS\SYSTEM\ACTXPRXY.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62E0.TMP
    C:\WINDOWS\SYSTEM\DISPEX.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62E1.TMP
    C:\WINDOWS\SYSTEM\IMGUTIL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62E2.TMP
    C:\WINDOWS\SYSTEM\BROWSEUI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62F3.TMP
    C:\WINDOWS\SYSTEM\BROWSELC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62F5.TMP
    C:\WINDOWS\SYSTEM\SHDOC401.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM62F6.TMP
    C:\WINDOWS\SYSTEM\SHD401LC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6300.TMP
    C:\WINDOWS\SYSTEM\DXTRANS.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6305.TMP
    C:\WINDOWS\SYSTEM\DXTMSFT.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6306.TMP
    C:\WINDOWS\SYSTEM\MSLS31.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM6335.TMP
    NUL=C:\WINDOWS\SHELLI~1
    NUL=C:\WINDOWS\SYSTEM\WEBCHECK.DLL
    C:\WINDOWS\SYSTEM\WEBCHECK.DLL=C:\WINDOWS\SYSTEM\SET7061.TMP
    NUL=C:\WINDOWS\SYSTEM\MSIDLE.DLL
    C:\WINDOWS\SYSTEM\MSIDLE.DLL=C:\WINDOWS\SYSTEM\SET7062.TMP
    c:\windows\SYSTEM\dispex.dll=c:\windows\SYSTEM\dispex.001
    c:\windows\SYSTEM\jscript.dll=c:\windows\SYSTEM\jscript.001

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET PATH=C:\CPQS\SAVEREST;C:\CPQS\TOOLS;%PATH%;C:\PROGRA~1\BORLAND\CBUILDER\BIN

    IF EXIST C:\APPL.ZIP\*.* IF EXIST C:\WINDOWS\SMARTDRV.EXE C:\WINDOWS\SMARTDRV.EXE
    IF EXIST C:\CPQS\SAVEREST\QRSETUP.* CALL C:\CPQS\SAVEREST\QRSETUP /MFG C: D: E: F:
    CALL c:\hibernat\hibchk.bat
    c:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\bootscan.exe c:\
    IF ERRORLEVEL 1 PAUSE

    --------------------------------------------------


    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Disk Cleanup.job
    Error Lookup.job
    Disk Defragmenter.job
    DriveSpace.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://active.macromedia.com/flash4/cabs/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 7,633 bytes
    Report generated in 0.228 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    hijack this result:

    Logfile of HijackThis v1.94.0
    Scan saved at 8:20:06 PM, on 5/4/2003
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O8 - Extra context menu item: Send Image to Photo Library - file://C:\Program Files\Intel\Createshare\program\MGI\Temp\MGI00000.html
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab

    thanx again aassddff
    :eek:
     
  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi aassddff!

    Try out this tool here once (BHODemon):

    http://www.definitivesolutions.com/bhodemon.htm

    Could help you in your special case! ;)

    Best regards!

    Patrice
     
  3. aassddff,

    I think your best shot is to follow Tony's instructions he gave you here: http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi?s=3eb65bd46b9affff;act=ST;f=32;t=3021;hl=new

    Patrice,

    I don't see any BHO's (O2 entries). Do you have any reason to assume that HijackThis 1.94 misses these?
     
  4. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Metallica!

    I'm not that familiar with Hijack This, so I can't answer you this question. But I'm sure others will be able to give a correct answer about that issue.

    But what I know is, that most people don't know, that they have Browser Helper Objects installed. It's happening quite fast... For example Adobe Acrobat Reader installs one -certainly a good one. But there are plenty others which will spy on you. ;)

    For those who are unfamiliar with BHO's:
    A Browser Helper Object, or BHO, is just a small program that runs automatically every time you start your Internet browser. Usually, a BHO is installed on your system by another software program. For example, Go!Zilla, the downloading utility, installs a BHO created by Radiate (formerly Aureate Media); this BHO tracks which advertisements you see as you surf the Web.

    Regards!

    Patrice
     
  5. Metallica

    Metallica Guest

    I'm sorry. I misunderstood you, I guess. HijackThis shows all BHO's like this for example: O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
    That is why I called them O2 entries. There aren't any in aassddff's log, that's why I asked. Sorry for the misunderstanding. On this site: http://www.spywareinfoforum.com/bhos/ you can find most of the BHO's known to mankind and check if they are legit or compromising your privacy.
     
  6. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Metallica!

    Where did you find that in aassddff's post?!? Thanks for letting me know, that the BHO's are shown in Hijack This, as I said I'm unfamiliar with that application.

    Regards,

    Patrice
     
  7. Metallica

    Metallica Guest

    Patrice,

    Like I said there aren't any BHO's in aassddff's log, that's why I wondered about you recommending BHODemon.
    The AdShield BHO comes from one of my old logs. I save those to compare them from time to time. ;)
     
  8. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Ah... sorry! I should have read your post more carefully... :oops: I wasn't aware that HijackThis shows the BHO's as well. I thought aassddff just shows some interesting parts from the log.

    Regards,

    Patrice
     
  9. Metallica

    Metallica Guest

    No prob. The funny thing is there isn't much of interest in aassddff's log except maybe a lot of extra buttons in IE (the O9 entries). I would love to know where his problem comes from, but no response here or on net-integration so far.
     
  10. aassddff

    aassddff Registered Member

    Joined:
    Mar 30, 2003
    Posts:
    2
    :D Hi people, it has been a long day at work, couldn't get online. Good news: I solved the problem using a DOS-level clean up. Thanx for the help anyways.
    For information, I got help from http://forums.techguy.org/t131906/s.html
    thanx a lot again :D
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Ah, so that's what it was. :D There wasn't a BHO or another piece of code inserted in your IE, you just had a stuck history item in your drop down address list.

    I've had those. When it's happened to me it was usually because it was a corrupt address (perhaps I clicked on a link in a forum and someone had a typo in it so it was actually corrupt and IE could handle it). IE was unable to clear it with the Clear History option. I eventually found that it was stuck in the History Index.dat file (which, as you said, can be cleared by deleting the various index.dat and tif entries).

    Similar circumstances noted here:

    https://www.wilderssecurity.com/showthread.php?t=7670

    Glad you have it fixed!
     
  12. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    So, everyone, is it possible that xxxpowernet or whatever found a way to purposely make that happen?

    A new exploit, if you will? Pete
     
  13. Metallica

    Metallica Guest

    You're using XP, right? Could you try this:
    Copy the bold below into Notepad, save it as TypedURL.reg, double-click it, click OK at the prompt asking if you want to add it to the registry.
    After that open a new IE window and click the little arrow at the end of the address bar.

    Windows Registry Editor Version 5.00

    [HKEY_USERS\S-1-5-21-972563451-933833872-989089457-1000\Software\Microsoft\Internet Explorer\TypedURLs]
    "url1"="http://www.wilderssecurity.com/showthread.php?t=8994;start=11"


    Using a program the prompt can easily be avoided. Not sure if it will work because of the user ID, but I'm sure a program could read the correct one without problems. A BHO could write back that entry every time you launch a new IE window.
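
Added example (mine, not code from anyone in this thread): a PowerShell audit script for the two IE persistence points discussed above, the TypedURLs key behind the address-bar drop-down (post 13) and the BHO registrations that HijackThis prints as O2 lines (posts 4 and 5). It lists every TypedURLs value and flags the ones matching a pattern, and resolves each registered BHO CLSID to its DLL and Authenticode signature status. The pattern 'xxxpower' (the domain from the original post), the -Remove switch and all variable names are my own choices; it assumes a modern Windows host with PowerShell and an elevated session, not the Win98 machine in the original log.

```powershell
# Added example (not from the thread): audit the two IE persistence points the
# thread discusses, stuck TypedURLs entries and registered Browser Helper Objects.
# Assumptions: elevated PowerShell on a Windows host; -Pattern defaults to the
# domain named in the thread, adjust it for your own case. Pass -Remove to delete
# matching TypedURLs values; BHOs are only reported, never removed.
param(
    [string]$Pattern = 'xxxpower',
    [switch]$Remove
)

# --- 1. TypedURLs: the values the address-bar drop-down list is built from ---
$typedPath = 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs'
if (Test-Path $typedPath) {
    $key = Get-Item $typedPath
    foreach ($name in $key.GetValueNames()) {
        $url  = $key.GetValue($name)
        $flag = if ($url -match $Pattern) { 'SUSPECT' } else { 'ok' }
        "[{0}] {1} = {2}" -f $flag, $name, $url
        if ($Remove -and $url -match $Pattern) {
            Remove-ItemProperty -Path $typedPath -Name $name
            "    removed $name"
        }
    }
} else {
    "No TypedURLs key under HKCU"
}

# --- 2. BHOs: the same registrations HijackThis reports as O2 lines ---
# Each subkey name is a CLSID; the DLL that gets loaded into every IE window is
# found by resolving that CLSID under HKCR\CLSID\{...}\InProcServer32.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($clsidKey in Get-ChildItem $root) {
        $clsid    = $clsidKey.PSChildName
        $clsidReg = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $inproc   = "$clsidReg\InProcServer32"

        $name = if (Test-Path $clsidReg) { (Get-ItemProperty $clsidReg).'(default)' }
        if (-not $name) { $name = '(no name)' }

        $dll = if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' }
        if (-not $dll) { $dll = '(no InProcServer32)' }

        # An unsigned DLL, or one that no longer exists on disk, is worth a closer look.
        $signed = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'file missing' }

        "O2 - BHO: {0} - {1} - {2} [signature: {3}]" -f $name, $clsid, $dll, $signed
    }
}
```

Run it once without -Remove to see what is registered before deleting anything; a BHO whose DLL is unsigned, missing, or sitting in a temp or download directory is the kind of entry to look up in the BHO list Metallica linked. As LowWaterMark's post notes, an address that survives Clear History can be stuck in the history index.dat rather than in TypedURLs, and this script does not touch index.dat.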
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Except for the "Windows Registry Editor Version 5.00" part? Pete
     
  15. Metallica

    Metallica Guest

    Everything in bold spy1. But I think this part: S-1-5-21-972563451-933833872-989089457-1000 ruins it, because that should be a different one for you. Oh well, I think you get the idea. ;)
     