"Security: Cool Web Search" and "about:blank" problem

Posted on 2005-04-30
Last Modified: 2010-04-11
Hello all. It appears my browser has been hijacked. I've tried several remedies, but to no avail. Here's the log file from HijackThis. Please help. Thanks.

Logfile of HijackThis v1.99.0
Scan saved at 2:26:23 AM, on 01/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Downloads\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {11BFA2A5-3764-8F18-ABD7-E340FEE4F763} - C:\WINDOWS\atlbt32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [addzd32.exe] C:\WINDOWS\addzd32.exe
O4 - HKLM\..\RunOnce: [addln.exe] C:\WINDOWS\addln.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ieee.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Question by: jaerob

    Author Comment

    By the way... here's the link to the analysis file:
    LVL 16

    Expert Comment

    Start with this - if it doesn't work, you've got one of the Really Tough Ones, so come back to us again. :)

    1) Boot normally.
    2) Shut down any programs you're not going to need, including stuff that sits in the system tray (it just minimises the amount of stuff you see in the reports)
    3) Use the "Internet" control panel to clear out ALL the temp files of Internet Explorer including the "all offline content" option (makes scanning MUCH faster).
    4) Run SpybotS&D (http:// Update it to the latest files, immunize, and run a full scan. Fix anything it finds, do NOT at this stage worry about allowing it to run after reboot.
    5) Run Lavasoft's AdAware SE Personal. Again, update to latest files, then run a "full scan". This is where you'll wish you didn't skip step three if you skipped step 3. :-)  Fix anything it finds.

    This will fix 95% of the spyware I've found in the wild.

    If you still have a baddy, repeat steps 1 and 2 and then re-run HiJackThis, and re-post the log - it'll be quite a bit shorter and easier to find stuff in.
    LVL 8

    Expert Comment

    Hi, have you had a look at

    Hope I could help
    LVL 27

    Expert Comment

    LVL 29

    Expert Comment

    These entries have been positively identified as malicious programs. In the HijackThis program, place a check mark next to the following entries.

    R3 - Default URLSearchHook is missing
    (Description: This will fix the search mechanism in IE.)

    O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
    (Description: IExplore.exe in the startup registry key is typically a virus or trojan. Unless you have specifically set your PC to start a new Internet Explorer browser window every time Windows starts, remove this entry.)

    This is your saved analysis:

    Follow the tips there, besides the ones I posted above.

    LVL 29

    Expert Comment


    This site will analyse your HJT logs:

    Next time please use it, scroll down to save the analysis and post only the LINK to that saved analysis as I did above.

    HJT logs are unwelcome in EE:

    LVL 29

    Expert Comment


    And be aware there is a more recent version of HJT:

    Download and run it for the next scans.

    LVL 12

    Expert Comment


    Your HijackThis log from this question shows a different version of "About:Blank"
    than the one in this question:

    One of the telltale lines in this question is this:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vtpuu.dll/sp.html#14044

    In this question -
    One of the lines is this:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)

    Here's a removal procedure for the version of "About:Blank" you have showing in this question:
    Make sure you go through this procedure carefully -
    Do Not skip any steps!
    (You may have to do this several times)
    The "bad" Service showing in your log, is this one:
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ieee.exe (file missing)

    This utility (The Hoster) will reset your "hosts" file to the default:
    Please download the Hoster from here:
    Unzip it to the desktop and run it.
    Click "Restore original HOSTS" and OK any prompts.
    You may have to reimmunize with Spybot, SpywareBlaster,
    and/or IE-SPYADs, etc. after doing this.
    Please restart your computer

    And, as noted by Tolomir in your other question:
    a new version of "AboutBuster" is available - see here -

    Good luck!

    Author Comment

    Ok guys, first let me apologize for posting two questions for the same problem. (I didn't intend to confuse the issue more.) I thought I was unclear in the first post and was unable to delete the question. (How do I do that anyway?) I'm a bit confused with all the advice I've received so I need to just start over from square one. (Please bear with me.) I'll stick close to my machine and be more responsive this time so I can keep track.

    Here's the latest:
    I've tried CWShredder and it identified the problem as: CWS.HomeSearch but was unable to fix it.
    SpyBot S&D removed some lesser threats, but not the primary one. --> ("about:blank" in the IE address bar and a Quick Web Search form with a fake IE logo)

    AdAware SE Personal also removed some lesser threats, but not the primary one.

    I downloaded the latest version of HiJackThis, ran a scan, removed all the "nasty" threats, but the primary issue returned.

    Here's the URL to my latest HijackThis analysis file:

    What should I do next?

    LVL 38

    Expert Comment

    by:Rich Rumble
    So you've turned off system restore... right? And you've attempted to use Ad-aware and other anti-spyware programs after turning off system restore.

    To have the question deleted/refunded, place a question here and state your intentions (refund/delete):
    LVL 12

    Expert Comment

    >>What should I do next?

    Still shows nasties

    Executables that are unfamiliar to me (does not mean they are nasty... you evaluate!)
    - C:\WINDOWS\System32\CTsvcCDA.exe
    - C:\WINDOWS\system32\pctspk.exe
    - C:\WINDOWS\crhr.exe
    - C:\WINDOWS\addzd32.exe

    And they are in your startup list too.

    Bottom two seem bad to me seeing your system should not have to run any executable from the c:\windows dir except for explorer.
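The rules of thumb the experts apply in this thread (a search setting served from a DLL via res://, an executable autostarted straight out of C:\WINDOWS, iexplore.exe in a Run key, a service whose binary is missing) can be written down as a triage script. The following is an added example for readers, not code from the thread, from HijackThis or from any of the tools named above; the sample lines are copied from the log in the question, and the heuristics only mark lines for review, exactly as the expert says: you evaluate.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not part of the original thread or of HijackThis itself.
Encodes the reviewers' rules of thumb: res:// search settings pointing at a
DLL (the CWS about:blank pattern), O4 Run entries that start a program
sitting directly in C:\\WINDOWS or that start iexplore.exe at logon, O23
services whose binary is missing, and unnamed BHOs loaded from C:\\WINDOWS.
Sample lines below are copied from the log posted in the question.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

WINDIR = r"c:\windows"  # assumption: default XP install path, compared case-insensitively


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "R1", "O4", "O23"
    reason: str   # why the line deserves a second look
    line: str     # the original log line


# "R1 - HKCU\...\Main,Search Bar = res://C:\WINDOWS\vtpuu.dll/sp.html#14044"
R_LINE = re.compile(r"^(R[0-3]) - (.*?) = (.*)$")
# "O4 - HKLM\..\Run: [name] command line"
O4_LINE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")
# "O23 - Service: name - company - path"
O23_LINE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
# "O2 - BHO: name - {CLSID} - path"
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def _executable(command: str) -> str:
    """Return the program path of an O4 command: the quoted path, or the
    unquoted text up to the first .exe/.dll/.com/.bat extension."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|dll|com|bat))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def _in_windir_root(path: str) -> bool:
    """True when the file sits directly in C:\\WINDOWS, not in a subfolder
    such as System32 (where many legitimate binaries live)."""
    p = path.strip().lower()
    if not p.startswith(WINDIR + "\\"):
        return False
    rest = p[len(WINDIR) + 1:]
    return rest != "" and "\\" not in rest


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one HJT line; None means nothing to flag."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        value = m.group(3).lower()
        if value.startswith("res://") and ".dll" in value:
            return Finding(m.group(1), "IE search/start page served from a DLL via res:// (CWS about:blank pattern)", line)
        return None
    m = O4_LINE.match(line)
    if m:
        exe = _executable(m.group(3))
        name = exe.rsplit("\\", 1)[-1].lower()
        if name == "iexplore.exe":
            return Finding("O4", "Internet Explorer started from a Run key", line)
        if _in_windir_root(exe) and name != "explorer.exe":
            return Finding("O4", "program autostarted directly from the Windows directory", line)
        return None
    m = O23_LINE.match(line)
    if m:
        company, path = m.group(2).strip().lower(), m.group(3)
        if "(file missing)" in path.lower():
            return Finding("O23", "service binary is missing", line)
        if company == "unknown" and _in_windir_root(path):
            return Finding("O23", "service with unknown publisher running from the Windows directory", line)
        return None
    m = O2_LINE.match(line)
    if m and m.group(1).strip().lower() == "(no name)" and _in_windir_root(m.group(3)):
        return Finding("O2", "unnamed BHO loaded from the Windows directory", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits, in order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample: lines copied from the log posted in the question.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {11BFA2A5-3764-8F18-ABD7-E340FEE4F763} - C:\WINDOWS\atlbt32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [addzd32.exe] C:\WINDOWS\addzd32.exe
O4 - HKLM\..\RunOnce: [addln.exe] C:\WINDOWS\addln.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ieee.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the script flags the vtpuu.dll search setting, the unnamed atlbt32.dll BHO, the iexplore.exe, addzd32.exe and addln.exe Run entries and the missing ieee.exe service, while leaving NeroCheck (System32 subfolder), ccApp (Program Files) and the ATI service (System32) alone. The System32 exemption is deliberate: the expert's point is about binaries dropped into the Windows directory itself, and flagging everything under C:\WINDOWS would bury the signal in noise.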
    LVL 12

    Expert Comment


    If you have restarted your computer, since you posted your last HijackThis log from above -
    run HijackThis and post a LINK to a new log file here.

    If you Have Not restarted since you posted an HJT log - let me Know.
    Do not restart until you're asked to do so.


    Author Comment

    Hi guys. Just wanted to thank all of you for your diligent assistance. As it turns out, Adware Away solved my problem. Their tech support e-mailed me today after I sent a custom log file to them yesterday. The reason it didn't work for me the first time I used it was because I was using the fix for the wrong variant. My machine was infected with Variant 5 of the about:blank hijacker. Their program killed it with one click and one reboot. Since I initially confused things by posting twice for the same issue, I will request this question be closed since I awarded blue_zee the points for the solution on my other post. Thanks so much and God bless you all.    :)
    LVL 29

    Expert Comment





    LVL 12

    Expert Comment

    >>I will request this question be closed since I awarded blue_zee the points for the solution on my other post.
    LVL 5

    Accepted Solution

    Closed, 500 points refunded.
    Site Admin
