

Internet redirect to download xxxtoolbar opens every ten minutes...

Posted on 2004-09-19
Medium Priority
Last Modified: 2010-04-11
Hi everyone,

When I opened up Internet Explorer this morning, I was immediately redirected to IP address which displayed a Security Warning popup saying:

'Do you want to install and run "You must be 18 or older to access Free Porn with XXXToolbar.  By clicking Yes you are agreeing to the terms and conditions" signed on 7/22/2004 11:18 PM and distributed by

Integrated Search Technologies
Publisher authenticity verified by Thawte Code Signing CA

Caution: Integrated Search Technologies asserts that this content is safe.  You should only install/view this content if you trust Integrated Search Technologies to make that assertion.'

From that point on, Internet Explorer has systematically been redirecting me to the same address every ten minutes, at 1:03, 1:13, 1:23, etc.  Even if Internet Explorer is not open at the time, a new browser window will open and attempt to access the website.  Only if the network connection is severed do the attempts stop.

I checked for spyware/viruses using Norton Anti-Virus and found nothing.  I deleted all my cookies, to no avail.  I then downloaded Giant Anti-Spyware, Adaware and Spybot and ran all three.  Although each of them did find and delete some suspicious files, the problem persists.

Can anyone help?
Question by:Wracket
LVL 65

Accepted Solution

SheharyaarSaahil earned 500 total points
ID: 12096084
Hello Wracket =)

Download HijackThis v1.98.2 from here, run it and Save the LOG file:

Then Post it at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix everything which it asks u to delete :)

and if still u cannot get it working, then Post here that LOG file, and we will tell u that what is BAD in it and how to remove them :)


Author Comment

ID: 12096181
Hi Sheharyaar,

I downloaded HijackThis, ran it and saved the log file.  Then I posted it at the site you mentioned.  I couldn't figure out how to fix the problems it listed, but somehow in the meantime the problem seems to have vanished.  It has been over twenty minutes now and the redirect has not appeared.  I don't know if this is the result of running HijackThis as I didn't delete anything, but oh well!  Ours not to reason why, eh?

Thanks for your help!
LVL 65

Expert Comment

ID: 12096187
Did u get any Nasty entries in the analyse site ??
if YES then u had to check those Nasty entries in hijackthis and had to click on Fix Checked in order to delete those bad things :)
LVL 12

Expert Comment

ID: 12096213
After you have HJT fix anything -
reboot your computer.
Run HJT again and see how things look.


Author Comment

ID: 12096231
Well, it seemed to solve the problem before I selected them and clicked "Fix Checked", but now I have selected the three nasties (all "AntiVirus.exe", in case you cared) and one suspicious looking "unknown" ("gcasDtServ.exe" , which I found suspect in that I noticed it being active in the Task Manager when the redirect was going on) just to be on the safe side.

I appreciate the quick responses by the way--I would have almost thought it was automated if it weren't for the content!
LVL 65

Expert Comment

ID: 12096262
ok its good u have got rid of those nasties, now just keep an eye if that xxxtoolbar comes again or not, good luck :)

Author Comment

ID: 12101798
Hello again,

Well, it took a day but a similar thing (this one's even nastier, truth be told!) has come back so I guess I didn't resolve the problem after all.  I'm pretty sure the problem is this AntiVirus.exe from the Google search I ran, but the "fix" option of HijackThis isn't taking care of it (I noticed that even though the link you gave says it is giving the latest version of the program what it actually gave is v1.97.7--do you think that could have something to do with it?).

Here is the log file:

Logfile of HijackThis v1.97.7
Scan saved at 3:07:16 PM, on 9/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Amar Hameed\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.noos.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vaio-online.sony.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks again for the help--I guess I jumped the gun in thinking it was taken care of yesterday. :(
LVL 65

Expert Comment

ID: 12103620
hmmmmmmm mostly this [Microsoft Update] run entries are added in the result of a trojan infection.... not sure if same case with u or not :-?

do this, just fix these three lines,

O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe

and then boot into safe mode, run those spyware removal tools along with Stinger >> http://vil.nai.com/vil/stinger
check back in Normal mode, if same problem ??
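
The triage applied to the log above can be reproduced mechanically. The following is an added example, not part of the original thread and not HijackThis's own logic: it parses the O4 autostart lines copied from the posted log and flags any name/command pair that is registered under two or more autostart keys while pointing at a bare filename with no directory. The function names and the two-key threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# O4 lines copied from the HijackThis log posted in this thread (subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe
O4 - Global Startup: PowerPanel.lnk = ?
"""

# Registry-based O4 line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_REG = re.compile(r"^O4 - (HK[A-Z]+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")

def parse_o4(log):
    """Return (key, name, command) tuples for registry autostart entries."""
    entries = []
    for line in log.splitlines():
        m = O4_REG.match(line.strip())
        if m:  # startup-folder lines ("Global Startup") are skipped
            entries.append((m.group(1), m.group(2), m.group(3).strip()))
    return entries

def executable(command):
    """Program part of a Run command, without quotes or arguments."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.I)
    return m.group(1) if m else command

def suspicious_autoruns(entries, min_keys=2):
    """Flag name/command pairs present in several keys with no directory."""
    keys = defaultdict(set)
    for key, name, command in entries:
        keys[(name, command)].add(key)
    return {pair: sorted(k) for pair, k in keys.items()
            if len(k) >= min_keys and "\\" not in executable(pair[1])}

if __name__ == "__main__":
    for (name, cmd), where in suspicious_autoruns(parse_o4(SAMPLE_LOG)).items():
        print(f"[{name}] {cmd} registered in: {', '.join(where)}")
```

Single-key entries with bare filenames, such as the ATI and mouse-driver lines, are not flagged; an entry the heuristic does flag still needs checking against what is actually on disk before anything is deleted.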

Author Comment

ID: 12103976
I think I got rid of all of the nastiness "by hand", following some instructions I found on the internet as to where to look for the particular files in running "regedit", and so far so good.  The "fix" in HijackThis never seemed to actually get rid of/quarantine these files, but now that they have been deleted (and the task itself killed) it seems to be taken care of (of course I said that last time!), but if it persists I will use the Stinger thing you suggested.

Hopefully this is the end of the story--I appreciate your persistent help!
LVL 65

Expert Comment

ID: 12104174
>> Hopefully this is the end of the story

hmmmmm im listening,,,, if further help will be needed,,,, though not wishing so !!  :)
