hijacked homepage (about:blank)

[cdjones]

My home page has been hijacked on my HP Pavillion notebook. I am running Win XP home using IE 6. Norton notified me right away of the infection but could not clean it. I then started getting pop-ups telling me I had been infected. Then noticed my home page had been changed to a search page (about:blank). I have run spy-bot and Nortons AV which detect anything. Ad-aware detects several CWS registry values which I then clean. I have also used CWS using the "FIX" fuction and clean the one file it finds. My system however keeps getting re-infected on boot-up. So now I think I have an .exe file that I don't know about. I have run hijack this and posted a log below. Can someone please look to see if anything is out of the ordinary. Thanks in advance!


file://C:\DOCUME~2\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~2\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8019A8A9-BA0B-485C-B261-71BD27C439B2} - C:\WINDOWS\System32\pilpaea.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\DOWNLO~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D589976F-6249-46CF-B383-32FABD733CB9} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Ahst] C:\Documents and Settings\Owner\Application Data\iebs.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Downloads\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Downloads\FlashGet\jc_link.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4...0367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7863.8995833333
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -

 

[cdjones]

I have now noticed that notepad is no more! What can go wrong next? Can someone tell me where notepad went? Thanks to all who respond! Below is the full hijack log:

Logfile of HijackThis v1.97.7
Scan saved at 11:26:43 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\Windows\system32\HpSrvUI.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~2\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~2\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~2\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~2\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~2\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~2\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8019A8A9-BA0B-485C-B261-71BD27C439B2} - C:\WINDOWS\System32\pilpaea.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\DOWNLO~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D589976F-6249-46CF-B383-32FABD733CB9} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Ahst] C:\Documents and Settings\Owner\Application Data\iebs.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Downloads\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Downloads\FlashGet\jc_link.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4...0367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7863.8995833333
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

 

[shadowfaX]

You should probably take a look at these entries that were found in the hijackthis! log...

file://C:\DOCUME~2\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~2\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8019A8A9-BA0B-485C-B261-71BD27C439B2} - C:\WINDOWS\System32\pilpaea.dll
O2 - BHO: (no name) - {D589976F-6249-46CF-B383-32FABD733CB9} - (no file)
O4 - HKCU\..\Run: [Ahst] C:\Documents and Settings\Owner\Application Data\iebs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

I don't know what the pilpaea.dll, iebs.exe, or NPDocBox.dll are, but the rest can probably be deleted. My guess for the pilpaea.dll is that it may be spyware-related, which might explain why your system is still getting reinfected.

As for the missing notepad.exe... What exactly do you mean notepad is missing? Take a look in your c:\windows and c:\windows\system32 and see if notepad.exe exists. Then look at the properties of it and see if it's from "Microsoft Corporation".

If it's not there, you may have to redownload it (it's about 65 KB) or get it from your original Windows CD.

I'm not sure if it also has to do with some weird registry problem...? I know some spyware can nuke Notepad, but I'm not exactly sure *how* they do it.

 

[Lord Evermore]

Use google. Found the same problem on a coworkers machine. A dll file (pilpaea.dll) is loaded that replaces the "blank.htm" file that IE uses for the about:blank page with a search page (sp.html) and causes popups which seem to occur whenever a link is clicked. Of course the popups are "warnings" that you have spyware and want you to click to get a program to "remove" it.

It's very hard to get rid of this. You have to locate all the registry entries referring to the DLL and the sp.html page, including all the CLSIDs. Then you have to boot in safe mode to delete all of those as well as the DLL. What makes it fun is that you may or may not get ALL the instances of the file or references, or it may be installed as more than one filename (the dll file name is random), and while it may appear to be gone when you start using IE again for awhile, it'll suddenly reappear.

You can use Spybot to more easily isolate the CLSID needed. It is a browser helper object, BHO. HijackThis is showing you all the BHOs and other items but doesn't really tell you if it's something you want. Spybot tells you whether a BHO is considered "safe", like Flashget's button and BHO, or if it's unknown. Unfortunately Spybot and Adaware don't seem able to recognize this particular program that replaces the blank page, so they don't even attempt to clean it out. Just trying to remove the BHO using Spybot doesn't permanently remove it.

 

[cdjones]

We'll this is getting interesting, but not in a good way! When I delete the suspicious files in the hijack log the virus backs up the files on my desktop. Ex. 3 files deleted, 3 files backed-up. As for my notepad.exe file, it has been re-named as note.pad.exe.bak. So its there in the Windows and System32 folders but just re-named. So I assume the virus has knocked it out. After I clean the computer (once and for all) can I just re-name the file without the .bak extension. Will that fix it? On the hijack log is there a strange exe. file, maybe a system.32 file that keeps me from cleaning this thing. Thanks to all who have responded! Any further help will be greatly appreciated!

 

[mechBgon]

In the future, I suggest not having antivirus software try to clean infected stuff. Silently delete upon detection, period. Throw the first punch, and make it a TKO. :evil:

What I'd try next is updating your AV software, deleting all System Restore files and disabling System Restore, rebooting into Safe Mode and trying an exhaustive antivirus scan with the software set to kill on sight, no questions asked. If that doesn't work, I know one sure way of getting rid of it... and so do you. Windows Setup.

With the proliferation of this stuff, I've gone to the trouble of using "best practices" at home myself, running with a Restricted User account so I couldn't install spyware if I wanted to. You might want to consider making all users of the computer their own Restricted User accounts, including yourself.

 

[naruto1988]

no notepad. reminds me of my friend's comp. he said that notepad and paint disappeared, then one day his comp died and refused to boot. i'm gonna go tinker with it, but probably will end up reformatting it.

 

[cdjones]

I was finally able to rid my computer of the dreaded cws.searchx using this method. http://www.wilderssecurity.com/showthread.php?t=26534 I followed Buckshots instructions in his post. And it worked!!!!! Spywareblaster is back up and so far so good! Turns out my little nasty was in here: C:\Windows\system32\resje.dll! Evil!!!! Pure Evil!!!! I downloaded reglite and navigated the registry to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs.
I double clicked on AppInit and this showed up in the values field: C:\Windows\system32\resje.dll! Renamed Windows to "notwindows", deleted the file and then ran ad-aware and CWS Shedder and let it find the files. I deleted all! Then downloaded killbox, pasted the path as per the instructions from Buckshot and had it delete the virus on re-boot.

 

[cdjones]

I did a search for notepad.exe and found notepad.exe.bak in C:\windows and C:\windows\system32. I renamed the file in system32 to notepad.exe and notepad is now back and seems to be working fine!

 

[NikPreviousAcct]

Okay, what's wrong with Adaware, Spybot Search & Destroy, a virus scanner, and HijackThis ??

 

[amdskip]

Will cwshredder fix this for you?

 

[nanaki333]

nope. it comes right back. you can use spybot, adaware, cwshredder. it'll get rid of it, but always comes back.

 

[Trey22]

I'm in the process of hunting down the person(s) responsible for this damn hijack and will be posting pics of their castration done with an old rusty spoon, yes a spoon!... it hurts more.

I was suprised at the fact that all the anti-spyware programs could not permanently delete this hijack. The worst part of it is, is that new variants are coming out which are harder to erradicate.

 

[amdskip]

If you can get rid of it using spyware programs, you need to manually go in and clean out your computer also.