Solved

Internet redirect to download xxxtoolbar opens every ten minutes...

Posted on 2004-09-19
10
1,681 Views
Last Modified: 2010-04-11
Hi everyone,

When I opened up Internet Explorer this morning, I was immediately redirected to IP address which displayed a Security Warning popup saying:

'Do you want to install and run "You must be 18 or older to access Free Porn with XXXToolbar.  By clicking Yes you are agreeing to the terms and conditions" signed on 7/22/2004 11:18 PM and distributed by

Integrated Search Technologies
 
Publisher authenticity verified by Thawte Code Signing CA

Caution: Integrated Search Technologies asserts that this content is safe.  You should only install/view this content if you trust Integrated Search Technologies to make that assertion.'

From that point on, Internet Explorer has systematically been redirecting me to the same address every ten minutes, at 1:03, 1:13, 1:23, etc.  Even if Internet Explorer is not open at the time, a new browser window will open and attempt to access the website.  Only if the network connection is severed do the attempts stop.

I checked for spyware/viruses using Norton Anti-Virus and found nothing.  I deleted all my cookies, to no avail.  I then downloaded Giant Anti-Spyware, Adaware and Spybot and ran all three.  Although each of them did find and delete some suspicious files, the problem persists.

Can anyone help?
0
Question by:Wracket
10 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 125 total points
Hello Wracket =)

Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://www.spychecker.com/program/hijackthis.html

Then Post it at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix everything which it asks u to delete :)

and if still u cannot get it working, then Post here that LOG file, and we will tell u that what is BAD in it and how to remove them :)

!! GOOD LUCK !!
0
 

Author Comment

by:Wracket
Hi Sheharyaar,

I downloaded HijackThis, ran it and saved the log file.  Then I posted it at the site you mentioned.  I couldn't figure out how to fix the problems it listed, but somehow in the meantime the problem seems to have vanished.  It has been over twenty minutes now and the redirect has not appeared.  I don't know if this is the result of running HijackThis as I didn't delete anything, but oh well!  Ours not to reason why, eh?

Thanks for your help!
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Did u get any Nasty entries in the analyse site ??
if YES then u had to check those Nasty entries in hijackthis and had to click on Fix Checked in order to delete those bad things :)
0
 
LVL 12

Expert Comment

by:rossfingal
Hi!
After you have HJT fix anything -
reboot your computer.
Run HJT again and see how things look.

Regards!
RF
0
 

Author Comment

by:Wracket
Well, it seemed to solve the problem before I selected them and clicked "Fix Checked", but now I have selected the three nasties (all "AntiVirus.exe", in case you cared) and one suspicious looking "unknown" ("gcasDtServ.exe" , which I found suspect in that I noticed it being active in the Task Manager when the redirect was going on) just to be on the safe side.

I appreciate the quick responses by the way--I would have almost thought it was automated if it weren't for the content!
0

 
LVL 65

Expert Comment

by:SheharyaarSaahil
ok its good u have got rid of those nasties, now just keep an eye if that xxxtoolbar comes again or not, good luck :)
0
 

Author Comment

by:Wracket
Hello again,

Well, it took a day but a similar thing (this one's even nastier, truth be told!) has come back so I guess I didn't resolve the problem after all.  I'm pretty sure the problem is this AntiVirus.exe from the Google search I ran, but the "fix" option of HijackThis isn't taking care of it (I noticed that even though the link you gave says it is giving the latest version of the program what it actually gave is v1.97.7--do you think that could have something to do with it?).

Here is the log file:

Logfile of HijackThis v1.97.7
Scan saved at 3:07:16 PM, on 9/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\AntiVirus.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Amar Hameed\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.noos.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vaio-online.sony.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks again for the help--I guess I jumped the gun in thinking it was taken care of yesterday. :(
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
hmmmmmmm mostly this [Microsoft Update] run entries are added in the result of a trojan infection.... not sure if same case with u or not :-?

do this, just fix these three lines,

O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe

and then boot into safe mode, run those spyware removal tools along with Stinger >> http://vil.nai.com/vil/stinger
check back in Normal mode, if same problem ??
0
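As an added example, not part of any post in this thread: a small triage script that parses the O4 (autorun) lines of a HijackThis log and flags the pattern discussed above, using lines copied from the log posted earlier. The two heuristics (same entry under several autorun keys; an OS-vendor value name on a bare filename) are assumptions made for illustration, not HijackThis's own logic.

```python
import re
from collections import defaultdict

# O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe
O4 - Global Startup: PowerPanel.lnk = ?
"""

# Matches registry autoruns only, e.g. "O4 - HKLM\..\Run: [Name] command".
O4_RE = re.compile(
    r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def parse_o4(log_text):
    """Return (key, value_name, command) for each registry autorun line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m["key"], m["name"], m["cmd"].strip()))
    return entries

def executable(cmd):
    """First token of the command; honours a quoted path with spaces."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def flag_autoruns(log_text):
    """Map (value_name, command) -> list of reasons it deserves a closer look."""
    keys_by_entry = defaultdict(set)
    for key, name, cmd in parse_o4(log_text):
        keys_by_entry[(name, cmd)].add(key)
    findings = {}
    for (name, cmd), keys in keys_by_entry.items():
        reasons = []
        if len(keys) >= 2:  # redundant persistence across several keys
            reasons.append("registered under %d autorun keys" % len(keys))
        bare = "\\" not in executable(cmd)  # no directory: found via search path
        if bare and re.search(r"microsoft|windows", name, re.I):
            reasons.append("OS-vendor name on a bare filename")
        if reasons:
            findings[(name, cmd)] = reasons
    return findings

if __name__ == "__main__":
    for entry, reasons in flag_autoruns(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(reasons))
```

A flagged entry is a lead for manual inspection of the file and the registry values, not a verdict; legitimate bare-filename entries such as `Ati2mdxx.exe` pass because neither heuristic fires on them.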
 

Author Comment

by:Wracket
I think I got rid of all of the nastiness "by hand", following some instructions I found on the internet as to where to look for the particular files in running "regedit", and so far so good.  The "fix" in HijackThis never seemed to actually get rid of/quarantine these files, but now that they have been deleted (and the task itself killed) it seems to be taken care of (of course I said that last time!), but if it persists I will use the Stinger thing you suggested.

Hopefully this is the end of the story--I appreciate your persistent help!
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
>> Hopefully this is the end of the story

hmmmmm im listening,,,, if further help will be needed,,,, though not wishing so !!  :)
0
