
Internet redirect to download xxxtoolbar opens every ten minutes...

Hi everyone,

When I opened up Internet Explorer this morning, I was immediately redirected to IP address which displayed a Security Warning popup saying:

'Do you want to install and run "You must be 18 or older to access Free Porn with XXXToolbar.  By clicking Yes you are agreeing to the terms and conditions" signed on 7/22/2004 11:18 PM and distributed by

Integrated Search Technologies
Publisher authenticity verified by Thawte Code Signing CA

Caution: Integrated Search Technologies asserts that this content is safe.  You should only install/view this content if you trust Integrated Search Technologies to make that assertion.'

From that point on, Internet Explorer has systematically been redirecting me to the same address every ten minutes, at 1:03, 1:13, 1:23, etc.  Even if Internet Explorer is not open at the time, a new browser window will open and attempt to access the website.  Only if the network connection is severed do the attempts stop.

I checked for spyware/viruses using Norton Anti-Virus and found nothing.  I deleted all my cookies, to no avail.  I then downloaded Giant Anti-Spyware, Adaware and Spybot and ran all three.  Although each of them did find and delete some suspicious files, the problem persists.

Can anyone help?
Hello Wracket =)

Download HijackThis v1.98.2 from here, run it and Save the LOG file:

Then Post it at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix everything which it asks u to delete :)

and if still u cannot get it working, then Post here that LOG file, and we will tell u that what is BAD in it and how to remove them :)

WracketAuthor Commented:
Hi Sheharyaar,

I downloaded HijackThis, ran it and saved the log file.  Then I posted it at the site you mentioned.  I couldn't figure out how to fix the problems it listed, but somehow in the meantime the problem seems to have vanished.  It has been over twenty minutes now and the redirect has not appeared.  I don't know if this is the result of running HijackThis as I didn't delete anything, but oh well!  Ours not to reason why, eh?

Thanks for your help!
Did u get any Nasty entries in the analyse site ??
if YES then u had to check those Nasty entries in hijackthis and had to click on Fix Checked in order to delete those bad things :)
After you have HJT fix anything -
reboot your computer.
Run HJT again and see how things look.

WracketAuthor Commented:
Well, it seemed to solve the problem before I selected them and clicked "Fix Checked", but now I have selected the three nasties (all "AntiVirus.exe", in case you cared) and one suspicious looking "unknown" ("gcasDtServ.exe" , which I found suspect in that I noticed it being active in the Task Manager when the redirect was going on) just to be on the safe side.

I appreciate the quick responses by the way--I would have almost thought it was automated if it weren't for the content!
ok its good u have got rid of those nasties, now just keep an eye if that xxxtoolbar comes again or not, good luck :)
WracketAuthor Commented:
Hello again,

Well, it took a day but a similar thing (this one's even nastier, truth be told!) has come back so I guess I didn't resolve the problem after all.  I'm pretty sure the problem is this AntiVirus.exe from the Google search I ran, but the "fix" option of HijackThis isn't taking care of it (I noticed that even though the link you gave says it is giving the latest version of the program what it actually gave is v1.97.7--do you think that could have something to do with it?).

Here is the log file:

Logfile of HijackThis v1.97.7
Scan saved at 3:07:16 PM, on 9/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Amar Hameed\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.noos.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vaio-online.sony.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks again for the help--I guess I jumped the gun in thinking it was taken care of yesterday. :(
hmmmmmmm mostly this [Microsoft Update] run entries are added in the result of a trojan infection.... not sure if same case with u or not :-?

do this, just fix these three lines,

O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe

and then boot into safe mode, run those spyware removal tools along with Stinger >> http://vil.nai.com/vil/stinger
check back in Normal mode, if same problem ??
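
The three lines singled out in the answer above share one value name and one command across three autorun keys. The following is an added example (not part of the thread and not HijackThis code) that finds that pattern in O4 lines copied from the log posted above; the heuristic itself, and the function names, are assumptions made for illustration, and a bare file name alone is not conclusive since ATIModeChange and the mouse daemon also lack a path.

```python
import re
from collections import defaultdict

# O4 autorun lines copied from the HijackThis log posted in this thread (subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe
O4 - Global Startup: PowerPanel.lnk = ?
"""

# Shape of a registry autorun line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_o4(log_text):
    """Yield (location, value_name, command) for each registry autorun line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:  # Startup-folder lines ("Global Startup") have another shape; skipped
            hive, key, name, command = m.groups()
            yield f"{hive}\\{key}", name, command.strip()

def has_no_path(command):
    """True when the executable is a bare file name with no directory part."""
    exe = command.split('"')[1] if command.startswith('"') else command.split()[0]
    return "\\" not in exe and "/" not in exe

def repeated_autoruns(log_text):
    """Return {(value_name, command): [locations]} for entries set in 2+ keys."""
    seen = defaultdict(list)
    for location, name, command in parse_o4(log_text):
        seen[(name.lower(), command.lower())].append(location)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (name, command), locations in repeated_autoruns(SAMPLE_LOG).items():
        note = "no path" if has_no_path(command) else "full path"
        print(f"[{name}] {command} ({note}): " + ", ".join(locations))
```

On the sample lines only the [Microsoft Update] entry is reported, registered under three locations.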
WracketAuthor Commented:
I think I got rid of all of the nastiness "by hand", following some instructions I found on the internet as to where to look for the particular files in running "regedit", and so far so good.  The "fix" in HijackThis never seemed to actually get rid of/quarantine these files, but now that they have been deleted (and the task itself killed) it seems to be taken care of (of course I said that last time!), but if it persists I will use the Stinger thing you suggested.

Hopefully this is the end of the story--I appreciate your persistent help!
>> Hopefully this is the end of the story

hmmmmm im listening,,,, if further help will be needed,,,, though not wishing so !!  :)