Solved

Internet redirect to download xxxtoolbar opens every ten minutes...

Posted on 2004-09-19
10
1,691 Views
Last Modified: 2010-04-11
Hi everyone,

When I opened up Internet Explorer this morning, I was immediately redirected to an IP address which displayed a Security Warning popup saying:

'Do you want to install and run "You must be 18 or older to access Free Porn with XXXToolbar.  By clicking Yes you are agreeing to the terms and conditions" signed on 7/22/2004 11:18 PM and distributed by

Integrated Search Technologies
 
Publisher authenticity verified by Thawte Code Signing CA

Caution: Integrated Search Technologies asserts that this content is safe.  You should only install/view this content if you trust Integrated Search Technologies to make that assertion.'

From that point on, Internet Explorer has systematically been redirecting me to the same address every ten minutes, at 1:03, 1:13, 1:23, etc.  Even if Internet Explorer is not open at the time, a new browser window will open and attempt to access the website.  Only if the network connection is severed do the attempts stop.

I checked for spyware/viruses using Norton Anti-Virus and found nothing.  I deleted all my cookies, to no avail.  I then downloaded Giant Anti-Spyware, Adaware and Spybot and ran all three.  Although each of them did find and delete some suspicious files, the problem persists.

Can anyone help?
Question by:Wracket
10 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 125 total points
ID: 12096084
Hello Wracket =)

Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://www.spychecker.com/program/hijackthis.html

Then post it at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for you. Fix everything which it asks you to delete :)

And if you still cannot get it working, then post that LOG file here, and we will tell you what is BAD in it and how to remove it :)

!! GOOD LUCK !!
 

Author Comment

by:Wracket
ID: 12096181
Hi Sheharyaar,

I downloaded HijackThis, ran it and saved the log file.  Then I posted it at the site you mentioned.  I couldn't figure out how to fix the problems it listed, but somehow in the meantime the problem seems to have vanished.  It has been over twenty minutes now and the redirect has not appeared.  I don't know if this is the result of running HijackThis as I didn't delete anything, but oh well!  Ours not to reason why, eh?

Thanks for your help!
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12096187
Did you get any Nasty entries on the analysis site?
If YES, then you have to check those Nasty entries in HijackThis and click on Fix Checked in order to delete those bad things :)
 
LVL 12

Expert Comment

by:rossfingal
ID: 12096213
Hi!
After you have HJT fix anything -
reboot your computer.
Run HJT again and see how things look.

Regards!
RF
 

Author Comment

by:Wracket
ID: 12096231
Well, it seemed to solve the problem before I selected them and clicked "Fix Checked", but now I have selected the three nasties (all "AntiVirus.exe", in case you cared) and one suspicious looking "unknown" ("gcasDtServ.exe" , which I found suspect in that I noticed it being active in the Task Manager when the redirect was going on) just to be on the safe side.

I appreciate the quick responses by the way--I would have almost thought it was automated if it weren't for the content!
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12096262
OK, it's good you have got rid of those nasties; now just keep an eye on whether that xxxtoolbar comes back or not. Good luck :)
 

Author Comment

by:Wracket
ID: 12101798
Hello again,

Well, it took a day but a similar thing (this one's even nastier, truth be told!) has come back so I guess I didn't resolve the problem after all.  I'm pretty sure the problem is this AntiVirus.exe from the Google search I ran, but the "fix" option of HijackThis isn't taking care of it (I noticed that even though the link you gave says it is giving the latest version of the program what it actually gave is v1.97.7--do you think that could have something to do with it?).

Here is the log file:

Logfile of HijackThis v1.97.7
Scan saved at 3:07:16 PM, on 9/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\AntiVirus.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Amar Hameed\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.noos.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vaio-online.sony.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks again for the help--I guess I jumped the gun in thinking it was taken care of yesterday. :(
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12103620
Hmmm, mostly these [Microsoft Update] Run entries are added as the result of a trojan infection... not sure if it's the same case with you or not :-?

do this, just fix these three lines,

O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe

and then boot into Safe Mode, run those spyware removal tools along with Stinger >> http://vil.nai.com/vil/stinger
Then check back in Normal mode: is it the same problem?
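The advice above amounts to a triage rule for HijackThis O4 lines: an autorun value whose name borrows an OS/vendor word ("Microsoft Update"), whose target is a bare filename resolved through the search path (the dropped C:\WINDOWS\System32\AntiVirus.exe), and which is repeated across HKLM\Run, HKLM\RunServices and HKCU\Run. The script below is an added example, not part of the thread and not a HijackThis feature: it parses the registry-backed O4 lines from the log posted above (embedded as a constructed sample, with the real entries unchanged) and scores each entry on those three signals. The impersonation word list and the score threshold are assumptions chosen for this log. Note that this only triages the log; as the thread goes on to show, the running process has to be killed before the Run values and the file are removed, or a registry-only "Fix checked" does not stick.

```python
"""Triage HijackThis O4 (autorun) entries for the signals discussed in the thread."""
import re
from collections import Counter
from dataclasses import dataclass

# Matches the registry-backed O4 lines HijackThis prints, e.g.
#   O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
# Global Startup (shortcut) lines deliberately do not match.
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$')

# Assumed list: words malware commonly borrows for its autorun value name.
IMPERSONATION_WORDS = {"microsoft", "windows", "update", "security"}

# Constructed sample: the O4 registry lines from the posted log, verbatim.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe
O4 - Global Startup: PowerPanel.lnk = ?
"""


@dataclass
class Autorun:
    hive: str    # HKLM or HKCU
    key: str     # Run, RunServices, RunOnce, ...
    name: str    # registry value name shown in [brackets]
    target: str  # executable path, with quotes and arguments stripped


def parse_o4(line):
    """Return an Autorun for a registry-backed O4 line, or None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, cmd = m.groups()
    # First .exe in the command line, allowing a quoted path with spaces.
    exe = re.match(r'"?([^"]*?\.exe)', cmd.strip(), re.IGNORECASE)
    target = exe.group(1) if exe else cmd.strip()
    return Autorun(hive, key, name, target)


def triage(log_text, threshold=2):
    """Return the entries that trip at least `threshold` of the three signals."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    per_name = Counter(e.name for e in entries)
    findings = []
    for e in entries:
        reasons = []
        if "\\" not in e.target:
            # No directory: Windows resolves it via the search path, which is
            # how a file dropped into System32 gets picked up.
            reasons.append("bare filename resolved via search path")
        words = set(re.findall(r"[a-z]+", e.name.lower()))
        if words & IMPERSONATION_WORDS:
            reasons.append("value name borrows an OS/vendor word")
        if per_name[e.name] >= 2:
            reasons.append(f"same value name in {per_name[e.name]} autostart locations")
        if len(reasons) >= threshold:
            findings.append({"hive": e.hive, "key": e.key, "name": e.name,
                             "target": e.target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['hive']}\\..\\{f['key']}: [{f['name']}] {f['target']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run as-is it reports exactly the three [Microsoft Update] lines the expert told the poster to fix, each with all three signals, while OEM entries that also use a bare filename (Ati2mdxx.exe) score only one point and stay below the threshold.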
 

Author Comment

by:Wracket
ID: 12103976
I think I got rid of all of the nastiness "by hand", following some instructions I found on the internet as to where to look for the particular files when running "regedit", and so far so good.  The "fix" in HijackThis never seemed to actually get rid of/quarantine these files, but now that they have been deleted (and the task itself killed) it seems to be taken care of (of course I said that last time!).  If it persists I will use the Stinger thing you suggested.

Hopefully this is the end of the story--I appreciate your persistent help!
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12104174
>> Hopefully this is the end of the story

Hmmm, I'm listening, if further help is needed... though not wishing so!! :)