Computer Security & Viruses/Http://xtoff/


Question
QUESTION: How can I get rid of the above? It comes up first and then I have to push Home to get to my default homepage. I have tried to uncheck the third party under properties of the shortcut but it is still doing it. Can you help me?

Thanks,
Jacki

ANSWER: Hi Jacki

Http://xtoff/ is generally caused by a corruption of your Internet Explorer shortcut.  Go to the icon where you normally open up IE from.  Instead of left-clicking to open, right-click it and select Properties from the list that pops up.  You will then see that IE has an -extoff option.  Remove that.  Close the box and restart IE.  It should work now.  It is also wise at this point to check for spyware, in case this was caused by a browser hijacker.  Follow the procedure below if you need me to check your computer for infection:

Please download TrendMicro HijackThis! from the following link:
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
* Save HJTInstall.exe to your desktop.
* Double-click on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis.
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch HijackThis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log (no attachments) into a follow-up here.

Brian



---------- FOLLOW-UP ----------

QUESTION: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:01 PM, on 2/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Documents and Settings\default\My Documents\Jacki's Folder\iTunesHelper.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\All Users\Desktop\My Briefcase\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0C547B86-675D-3A79-5648-2D3DF951F175} - C:\WINDOWS\sysrh32.dll (file missing)
O2 - BHO: Class - {15D74F8D-4CE5-7E2C-BA97-C8EAB99FD32D} - C:\WINDOWS\system32\mszn32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {55DD572D-AEB7-D516-2293-88F7880EE3B1} - C:\WINDOWS\system32\msau32.dll (file missing)
O2 - BHO: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll (file missing)
O2 - BHO: Class - {81A766F7-5B7F-5B9C-35A8-F8D0FC44EE64} - C:\WINDOWS\system32\winvq.dll (file missing)
O2 - BHO: Class - {9EFBA81C-7713-9293-4846-F819A8EDCEEA} - C:\WINDOWS\mfcyf.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Class - {B32BF9AC-3C15-58D5-A2CD-D066EB196265} - C:\WINDOWS\iedk.dll (file missing)
O2 - BHO: Class - {BC18BA43-C47A-6611-F21E-B318D4B30ACB} - C:\WINDOWS\crqm32.dll (file missing)
O2 - BHO: Class - {C0F0ED5F-8D03-01D1-4011-3F4833C25EBA} - C:\WINDOWS\system32\javapp.dll (file missing)
O2 - BHO: Class - {CC38D1EE-B58B-D78E-9E8E-5F1BF05ABA95} - C:\WINDOWS\system32\atlsm32.dll (file missing)
O2 - BHO: Class - {D1BC0FB9-49D7-E899-A1BF-5E6CDA0B8463} - C:\WINDOWS\system32\winii32.dll (file missing)
O2 - BHO: Class - {D9B54006-2A8F-DF9D-E679-97E6A6B19323} - C:\WINDOWS\addqz32.dll (file missing)
O2 - BHO: Class - {DD77DFD7-7C3A-0843-AD05-5E721178C924} - C:\WINDOWS\system32\sdkxc.dll (file missing)
O2 - BHO: Class - {E72D55D9-D0F9-5060-B321-D4B6575AD029} - C:\WINDOWS\system32\systn.dll (file missing)
O2 - BHO: Class - {EC359119-1A6C-52A9-D03C-E373C5AAC363} - C:\WINDOWS\msha32.dll (file missing)
O2 - BHO: Class - {ECE8EEC7-7623-F474-9350-30AB79D21A19} - C:\WINDOWS\system32\sysmm32.dll (file missing)
O2 - BHO: Class - {EFC5B77D-89C3-A962-9A96-1C6818B08696} - C:\WINDOWS\system32\addly.dll (file missing)
O2 - BHO: Class - {F61EE4EF-175D-788C-572B-3EA8961D324F} - C:\WINDOWS\apion32.dll (file missing)
O2 - BHO: Class - {FF56B561-EE03-788D-F628-1F9CD8262ABA} - C:\WINDOWS\ipuf32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\default\My Documents\Jacki's Folder\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Documents and Settings\All Users\Desktop\My Briefcase\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm080LDUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuwe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8609 bytes


ANSWER: Hi Jacki

Hopefully the fix I suggested worked and you are now able to open up your browsers.  Your log file, however, shows remnants of a bad infection and some active ones as well.  You also need to update your Windows XP to Service Pack 2.  There are a great many security flaws in SP1 that have since been patched in SP2.  Please run Windows Update and install SP2 along with any other updates that are recommended.  After that, please send me an updated HJT log so that we can start the cleanup.

Brian
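
A triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original thread or the expert's own method. It parses each entry's section code and flags registrations whose file is gone, autostart entries that launch from a user profile folder, and services with no vendor name; these three heuristics and all function names are assumptions chosen for illustration, and SAMPLE_LOG is constructed from lines copied out of the log above.

```python
import re

# Constructed sample: seven lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0C547B86-675D-3A79-5648-2D3DF951F175} - C:\WINDOWS\sysrh32.dll (file missing)
O2 - BHO: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\default\My Documents\Jacki's Folder\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
"""

# Entry lines start with a section code (R0, O2, O4, O23, ...) followed by " - ".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_entries(log):
    """Yield (section code, body) for every entry line; headers and process paths are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]

def triage(log):
    """Return (code, reason, body) for entries worth a manual look (heuristics, not verdicts)."""
    findings = []
    for code, body in parse_entries(log):
        low = body.lower()
        if low.endswith("(file missing)"):
            findings.append((code, "orphaned registration", body))
        elif code == "O4" and "\\documents and settings\\" in low:
            findings.append((code, "autostart from user profile", body))
        elif code == "O23" and " - unknown owner - " in low:
            findings.append((code, "service without vendor name", body))
    return findings

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<4}{reason:<30}{body}")
```

A flagged line is a prompt to inspect the file and its registry entry by hand, not proof of infection.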

---------- FOLLOW-UP ----------

QUESTION: Hi Brian,
I have tried what you suggested a few times and I don't know if I'm doing something wrong or what, but it is still doing it.  In fact I tried that before contacting you.  I have right-clicked, went to Properties, went to Advanced, unchecked the only box that said enable third party browser, and tried other things, and nothing is working.  I had to recently reinstall my Windows because I had no cursor in email or internet and my Internet Options was gone, so since Thursday I now have been dealing with this http://xtoff/, although if I click on the house I can go to my homepage of choice, and I have tried to install updates for Windows.  Am I in trouble or can I fix it??

Help!!! Jacki

Answer
Hi Jacki

Well let's see if we can't get some of the malware off, then hopefully you will be able to update.  Please download ComboFix.exe from:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
and run following these instructions:

1. Disconnect from the internet.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, along with all other programs including your browser.
3. Double click on ComboFix.exe & follow the prompts.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

After ComboFix is finished, it will save a log file for you at C:\ComboFix.txt

Now reconnect to the internet and go here:
http://www.eset.com/onlinescan/
Click on this ESET Online Scanner to begin the process.

 * Check the box next to YES, I accept the Terms of Use.
 * Click Start
 * When asked, allow the ActiveX control to be installed.
 * Click Start
 * Check below options:
       o Remove found threats
       o Scan unwanted applications.
 * Click Scan
 * Wait for the scan to finish
 * When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt

Attach this logfile to your next message, along with the ComboFix log and a new HJT log.

Brian


Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.