Solved

"Security: Cool Web Search" and "about:blank" problem

Posted on 2005-04-30
Last Modified: 2010-04-11
Hello all. It appears my browser has been hijacked. I've tried several remedies, but to no avail. Here's the log file from HijackThis. Please help. Thanks.

---------------------------------------------------------------------------
Logfile of HijackThis v1.99.0
Scan saved at 2:26:23 AM, on 01/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\addln.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\addzd32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Downloads\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {11BFA2A5-3764-8F18-ABD7-E340FEE4F763} - C:\WINDOWS\atlbt32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [addzd32.exe] C:\WINDOWS\addzd32.exe
O4 - HKLM\..\RunOnce: [addln.exe] C:\WINDOWS\addln.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.ca
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ieee.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Question by: jaerob

16 Comments

Author Comment

by:jaerob
ID: 13903519
By the way... here's the link to the analysis file: http://www.hijackthis.de/logfiles/e10922e827c63182b796add017c3e64e.html.
0
 
LVL 17

Expert Comment

by:ccomley
ID: 13903593
Start with this - if it doesn't work, you've got one of the Really Tough Ones, so come back to us again. :)

1) Boot normally.
2) Shut down any programs you're not going to need, including stuff that sits in the system tray (it just minimises the amount of stuff you see in the reports).
3) Use the "Internet" control panel to clear out ALL the temp files of Internet Explorer, including the "all offline content" option (makes scanning MUCH faster).
4) Run Spybot S&D (http://security.kolla.de). Update it to the latest files, immunize, and run a full scan. Fix anything it finds; do NOT at this stage worry about allowing it to run after reboot.
5) Run Lavasoft's AdAware SE Personal. Again, update to the latest files, then run a "full scan". This is where you'll wish you didn't skip step three if you skipped step 3. :-)  Fix anything it finds.

This will fix 95% of the spyware I've found in the wild.

If you still have a baddy, repeat steps 1 and 2 and then re-run HiJackThis, and re-post the log - it'll be quite a bit shorter and easier to find stuff in.
0
 
LVL 8

Expert Comment

by:anil_u
ID: 13903662
Hi, have you had a look at
http://www.experts-exchange.com/Security/Q_21408322.html

Hope I could help
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13903920
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13903925
These entries have been positively identified as malicious programs. In the HijackThis program, place a check mark next to the following entries.

R3 - Default URLSearchHook is missing
(Description: This will fix the search mechanism in IE.)

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
(Description: IExplore.exe in the startup registry key is typically a virus or trojan. Unless you have specifically set your PC to start a new Internet Explorer browser window every time Windows starts, remove this entry.)

This is your saved analysis:

http://www.hijackthis.de/logfiles/04bcad594607db2468e1c4d02664f748.html

Follow the tips there, besides the ones I posted above.

Zee
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13903927

This site will analyse your HJT logs:

http://www.hijackthis.de/index.php?langselect=english

Next time please use it, scroll down to save the analysis and post only the LINK to that saved analysis as I did above.

HJT logs are unwelcome in EE:

http://www.experts-exchange.com/Q_21149514.html

Zee
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13903930

And be aware there is a more recent version of HJT:

http://www.majorgeeks.com/download3155.html

Download and run it for the next scans.

Zee
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13903967
Hi!

Your HijackThis log from this question shows a different version of "About:Blank"
than the one in this question:
http://www.experts-exchange.com/Security/Q_21408322.html

One of the telltale lines in this question is this:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vtpuu.dll/sp.html#14044

In this question - http://www.experts-exchange.com/Security/Q_21408322.html
One of the lines is this:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)

Here's a removal procedure for the version of "About:Blank" you have showing in this question:
http://www.pchell.com/support/onlythebest.shtml
Make sure you go through this procedure carefully -
Do Not skip any steps!
(You may have to do this several times)
The "bad" Service showing in your log, is this one:
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ieee.exe (file missing)

This utility (The Hoster) will reset your "hosts" file to the default:
Please download the Hoster from here:
http://members.aol.com/toadbee/hoster.zip
Unzip it to the desktop and run it.
Click "Restore original HOSTS" and OK any prompts.
You may have to reimmunize with Spybot, SpywareBlaster, and/or IE-SPYADs, etc. after doing this.
Please restart your computer.

And, as noted by Tolomir in your other question:
a new version of "AboutBuster" is available - see here -
http://www.besttechie.net/forums/index.php?showtopic=1488

Good luck!
RF
0
 

Author Comment

by:jaerob
ID: 13904777
Ok guys, first let me apologize for posting two questions for the same problem. (http://www.experts-exchange.com/Security/Q_21408322.html) I didn't intend to confuse the issue more. I thought I was unclear in the first post and was unable to delete the question. (How do I do that anyway?) I'm a bit confused with all the advice I've received so I need to just start over from square one.  (please bear with me) I'll stick close to my machine and be more responsive this time so I can keep track.

Here's the latest:
I've tried CWShredder and it identified the problem as: CWS.HomeSearch but was unable to fix it.
SpyBot S&D removed some lesser threats, but not the primary one. --> ("about:blank" in the IE address bar and a Quick Web Search form with a fake IE logo)

AdAware SE Personal also removed some lesser threats, but not the primary one.

I downloaded the latest version of HiJackThis, ran a scan, removed all the "nasty" threats, but the primary issue returned.

Here's the URL to my latest HijackThis analysis file:
http://www.hijackthis.de/logfiles/7bb3a8bae29602e19f5f638830ef93a5.html

What should I do next?

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13906273
So you've turned off system restore... right? And you've attempted to use Ad-aware and other anti-spyware programs after turning off system restore.

To have the question deleted/refunded, place a question here and state your intentions (refund/delete): http://www.experts-exchange.com/Community_Support/
-rich
0
 
LVL 12

Expert Comment

by:kneH
ID: 13908259
>>What should I do next?

Still shows nasties.

Executables that are unfamiliar to me (does not mean they are nasty... you evaluate!):
- C:\WINDOWS\System32\CTsvcCDA.exe
- C:\WINDOWS\system32\pctspk.exe
- C:\WINDOWS\crhr.exe
- C:\WINDOWS\addzd32.exe

And they are in your startup list too.


Bottom two seem bad to me, seeing as your system should not have to run any executable from the c:\windows dir except for explorer.
0
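To make the "telltale lines" rossfingal points at and kneH's rule about binaries run straight out of C:\WINDOWS mechanical, here is an added triage script (my own code, not from this thread or from HijackThis) that applies those rules to HijackThis entry lines: anything loaded directly from C:\WINDOWS, an IE search/start page redirected to a res:// resource, a missing URLSearchHook, an unnamed BHO, iexplore.exe as a Run entry, and a service whose binary is missing. The sample entries are copied from the log posted above; the rule names and the explorer.exe allowlist are my assumptions.

```python
import re

# Constructed sample: a subset of entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vtpuu.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {11BFA2A5-3764-8F18-ABD7-E340FEE4F763} - C:\WINDOWS\atlbt32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [addzd32.exe] C:\WINDOWS\addzd32.exe
O4 - HKLM\..\RunOnce: [addln.exe] C:\WINDOWS\addln.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\ieee.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# A binary sitting directly in C:\WINDOWS (not in a subfolder): the one trait shared by
# vtpuu.dll, atlbt32.dll, addzd32.exe, addln.exe and ieee.exe in the posted log.
WINROOT_BIN = re.compile(r'C:\\WINDOWS\\([^\\\s"/]+\.(?:exe|dll|ocx))', re.I)
KNOWN_WINROOT = {"explorer.exe"}  # assumed allowlist: the one binary legitimately run from there

def parse_line(line):
    """Split 'O4 - rest' into (section, rest); None for headers, process lists and blanks."""
    m = re.match(r'^([RFNO]\d+) - (.*)$', line.strip())
    return (m.group(1), m.group(2)) if m else None

def flag_entry(section, rest):
    """Return the reasons an entry matches the hijack pattern discussed in the thread, or []."""
    reasons = []
    m = WINROOT_BIN.search(rest)
    if m and m.group(1).lower() not in KNOWN_WINROOT:
        reasons.append("binary directly in C:\\WINDOWS: " + m.group(1))
    if section.startswith("R") and "res://" in rest.lower():
        reasons.append("IE search/start page redirected to a res:// resource")
    if section == "R3" and "URLSearchHook is missing" in rest:
        reasons.append("default URLSearchHook removed")
    if section == "O2" and "(no name)" in rest:
        reasons.append("BHO with no name")
    if section == "O4" and re.search(r'\[iexplore\.exe\]', rest, re.I):
        reasons.append("iexplore.exe registered as a Run entry")
    if section == "O23" and "(file missing)" in rest:
        reasons.append("service whose binary is missing")
    return reasons

def triage(log_text):
    """Map each suspicious entry line to the list of reasons it was flagged."""
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            reasons = flag_entry(*parsed)
            if reasons:
                findings[line.strip()] = reasons
    return findings

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry, "\n    ->", "; ".join(why))
```

Entries such as the Default_Page_URL = about:blank line are deliberately not flagged on their own, since about:blank is also a legitimate default; the res:// and C:\WINDOWS lines are what distinguish the hijack.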
 
LVL 12

Expert Comment

by:rossfingal
ID: 13908443
Hi!

If you have restarted your computer, since you posted your last HijackThis log from above -
run HijackThis and post a LINK to a new log file here.

If you Have Not restarted since you posted an HJT log - let me Know.
Do not restart until you're asked to do so.

RF
0
 

Author Comment

by:jaerob
ID: 13908701
Hi guys. Just wanted to thank all of you for your diligent assistance. As it turns out, Adware Away solved my problem. Their tech support e-mailed me today after I sent a custom log file to them yesterday. The reason it didn't work for me the first time I used it was because I was using the fix for the wrong variant. My machine was infected with Variant 5 of the about:blank hijacker. Their program killed it with one click and one reboot. Since I initially confused things by posting twice for the same issue, I will request this question be closed since I awarded blue_zee the points for the solution on my other post. Thanks so much and God bless you all.    :)
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13908767

;-)

Great!

Thanks.

Zee
0
 
LVL 12

Expert Comment

by:kneH
ID: 13918353
>>I will request this question be closed since I awarded blue_zee the points for the solution on my other post.
0
 
LVL 5

Accepted Solution

by: Netminder (earned 0 total points)
ID: 13956751
Closed, 500 points refunded.
Netminder
Site Admin
0
