Internet redirect to download xxxtoolbar opens every ten minutes...

Posted on 2004-09-19
Last Modified: 2010-04-11
Hi everyone,

When I opened up Internet Explorer this morning, I was immediately redirected to IP address which displayed a Security Warning popup saying:

'Do you want to install and run "You must be 18 or older to access Free Porn with XXXToolbar.  By clicking Yes you are agreeing to the terms and conditions" signed on 7/22/2004 11:18 PM and distributed by

Integrated Search Technologies
Publisher authenticity verified by Thawte Code Signing CA

Caution: Integrated Search Technologies asserts that this content is safe.  You should only install/view this content if you trust Integrated Search Technologies to make that assertion.'

From that point on, Internet Explorer has systematically been redirecting me to the same address every ten minutes, at 1:03, 1:13, 1:23, etc.  Even if Internet Explorer is not open at the time, a new browser window will open and attempt to access the website.  Only if the network connection is severed do the attempts stop.

I checked for spyware/viruses using Norton Anti-Virus and found nothing.  I deleted all my cookies, to no avail.  I then downloaded Giant Anti-Spyware, Adaware and Spybot and ran all three.  Although each of them did find and delete some suspicious files, the problem persists.

Can anyone help?
Question by:Wracket
LVL 65

Accepted Solution

SheharyaarSaahil earned 125 total points
ID: 12096084
Hello Wracket =)

Download HijackThis v1.98.2 from here, run it and Save the LOG file:

Then Post it at this site >>
and it will automatically analyse it for u,,, Fix everything which it asks u to delete :)

and if still u cannot get it working, then Post here that LOG file, and we will tell u that what is BAD in it and how to remove them :)


Author Comment

ID: 12096181
Hi Sheharyaar,

I downloaded HijackThis, ran it and saved the log file.  Then I posted it at the site you mentioned.  I couldn't figure out how to fix the problems it listed, but somehow in the meantime the problem seems to have vanished.  It has been over twenty minutes now and the redirect has not appeared.  I don't know if this is the result of running HijackThis as I didn't delete anything, but oh well!  Ours not to reason why, eh?

Thanks for your help!
LVL 65

Expert Comment

ID: 12096187
Did u get any Nasty entries in the analyse site ??
if YES then u had to check those Nasty entries in hijackthis and had to click on Fix Checked in order to delete those bad things :)
LVL 12

Expert Comment

ID: 12096213
After you have HJT fix anything -
reboot your computer.
Run HJT again and see how things look.


Author Comment

ID: 12096231
Well, it seemed to solve the problem before I selected them and clicked "Fix Checked", but now I have selected the three nasties (all "AntiVirus.exe", in case you cared) and one suspicious looking "unknown" ("gcasDtServ.exe" , which I found suspect in that I noticed it being active in the Task Manager when the redirect was going on) just to be on the safe side.

I appreciate the quick responses by the way--I would have almost thought it was automated if it weren't for the content!
LVL 65

Expert Comment

ID: 12096262
ok it's good u have got rid of those nasties, now just keep an eye if that xxxtoolbar comes again or not, good luck :)

Author Comment

ID: 12101798
Hello again,

Well, it took a day but a similar thing (this one's even nastier, truth be told!) has come back so I guess I didn't resolve the problem after all.  I'm pretty sure the problem is this AntiVirus.exe from the Google search I ran, but the "fix" option of HijackThis isn't taking care of it (I noticed that even though the link you gave says it is giving the latest version of the program what it actually gave is v1.97.7--do you think that could have something to do with it?).

Here is the log file:

Logfile of HijackThis v1.97.7
Scan saved at 3:07:16 PM, on 9/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Amar Hameed\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

Thanks again for the help--I guess I jumped the gun in thinking it was taken care of yesterday. :(
LVL 65

Expert Comment

ID: 12103620
hmmmmmmm mostly these [Microsoft Update] run entries are added as the result of a trojan infection.... not sure if same case with u or not :-?

do this, just fix these three lines,

O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe

and then boot into safe mode, run those spyware removal tools along with Stinger >>
check back in Normal mode, if same problem ??
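
Added example (not part of the original thread, and not HijackThis code): a small triage script over the O4 autorun lines of the log posted above. It flags a value name whose command has no absolute path and is registered under more than one autorun key, which is the pattern the three [Microsoft Update] lines show. The function names and the two-signal heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict

# O4 (autorun) lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe
O4 - Global Startup: PowerPanel.lnk = ?
"""

# "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_REG = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# Command starts with a drive path, a UNC path or an environment variable.
ABSOLUTE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\|%)')


def parse_o4(log):
    """Return (hive, key, value_name, command) for each registry-backed O4 line."""
    matches = (O4_REG.match(line.strip()) for line in log.splitlines())
    return [m.groups() for m in matches if m]  # startup-folder lines are skipped


def triage(entries):
    """Flag name/command pairs that are pathless AND set in several autorun keys."""
    locations = defaultdict(set)
    for hive, key, name, command in entries:
        locations[(name, command)].add(f"{hive}\\{key}")
    findings = []
    for (name, command), keys in locations.items():
        # A pathless command alone also matches other entries in this log
        # (Ati2mdxx.exe, ICO.EXE), so both signals are required.
        if len(keys) > 1 and not ABSOLUTE.match(command):
            findings.append({"name": name, "command": command, "keys": sorted(keys)})
    return findings


if __name__ == "__main__":
    for f in triage(parse_o4(SAMPLE_LOG)):
        print(f"REVIEW [{f['name']}] {f['command']} <- {', '.join(f['keys'])}")
```

A flagged entry is a prompt to locate the file and check it, not a verdict; the value name shown in the log is whatever the writer of the registry value chose.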

Author Comment

ID: 12103976
I think I got rid of all of the nastiness "by hand", following some instructions I found on the internet as to where to look for the particular files in running "regedit", and so far so good.  The "fix" in HijackThis never seemed to actually get rid of/quarantine these files, but now that they have been deleted (and the task itself killed) it seems to be taken care of (of course I said that last time!), but if it persists I will use the Stinger thing you suggested.

Hopefully this is the end of the story--I appreciate your persistent help!
LVL 65

Expert Comment

ID: 12104174
>> Hopefully this is the end of the story

hmmmmm I'm listening,,,, if further help will be needed,,,, though not wishing so !!  :)
