IE Start Page - sp.html

[rafmir 0]

Hi guys. I´ve been trying to change my Start Page (IE) but it always show me the same site (a search engine - sp.html). I known this is a spyware or adware, so I got the programs Spy & Robot, Reglite.exe and HijackThis v1.96.0 to solve the problem.

 

This is my log file generated from HijackThis:

 

Logfile of HijackThis v1.96.0

 

Scan saved at 08:00:11, on 30/7/2004

 

Platform: Windows XP SP1 (WinNT 5.01.2600)

 

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

 

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

 

C:\WINDOWS\system32\winlogon.exe

 

C:\WINDOWS\system32\services.exe

 

C:\WINDOWS\system32\lsass.exe

 

C:\WINDOWS\system32\svchost.exe

 

C:\WINDOWS\System32\svchost.exe

 

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe

 

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe

 

C:\WINDOWS\system32\spoolsv.exe

 

C:\WINDOWS\Explorer.EXE

 

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe

 

C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe

 

C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe

 

C:\ARQUIV~1\ARQUIV~1\PCSuite\DATALA~1\DATALA~1.EXE

 

C:\ARQUIV~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

 

C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe

 

C:\Arquivos de programas\PV-CX881PL+\TVRMVCR.EXE

 

C:\ARQUIV~1\ARQUIV~1\PCSuite\Services\SERVIC~1.EXE

 

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

 

C:\WINDOWS\system32\CTsvcCDA.EXE

 

C:\ARQUIV~1\NORTON~1\NORTON~4\GHOSTS~2.EXE

 

C:\ARQUIV~1\Iomega\System32\AppServices.exe

 

C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\navapsvc.exe

 

C:\ARQUIV~1\NORTON~1\NORTON~2\NPROTECT.EXE

 

C:\WINDOWS\System32\nvsvc32.exe

 

C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe

 

C:\ARQUIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE

 

C:\WINDOWS\System32\MsPMSPSv.exe

 

C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe

 

C:\Arquivos de programas\Arquivos comuns\Symantec Shared\NMain.exe

 

C:\HIJACK\HijackThis.exe

 

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\RAFAEL~1.MIR\CONFIG~1\Temp\sp.html

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\RAFAEL~1.MIR\CONFIG~1\Temp\sp.html

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\RAFAEL~1.MIR\CONFIG~1\Temp\sp.html

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\RAFAEL~1.MIR\CONFIG~1\Temp\sp.html

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\RAFAEL~1.MIR\CONFIG~1\Temp\sp.html

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\RAFAEL~1.MIR\CONFIG~1\Temp\sp.html

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll

 

O2 - BHO: (no name) - {87AB7CA2-855D-473A-BB23-48F41BFB420C} - C:\WINDOWS\System32\gld.dll

 

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

 

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll

 

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

 

O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

 

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll

 

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

 

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

 

O4 - HKLM\..\Run: [Jet Detection] "C:\Arquivos de programas\Creative\SBLive\PROGRAM\ADGJDet.exe"

 

O4 - HKLM\..\Run: [CTStartup] C:\Arquivos de programas\Creative\Splash Screen\CTEaxSpl.EXE /run

 

O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"

 

O4 - HKLM\..\Run: [ADUserMon] C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe

 

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe

 

O4 - HKLM\..\Run: [Deskup] C:\Arquivos de programas\Iomega\DriveIcons\deskup.exe /IMGSTART

 

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

 

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

 

O4 - HKLM\..\Run: [DataLayer] C:\ARQUIV~1\ARQUIV~1\PCSuite\DATALA~1\DATALA~1.EXE

 

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\ARQUIV~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

 

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

 

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

 

O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe

 

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe

 

O4 - Global Startup: Remote Controller.lnk = C:\Arquivos de programas\PV-CX881PL+\TVRMVCR.EXE

 

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

 

O9 - Extra button: Pesquisar (HKLM)

 

O9 - Extra button: Related (HKLM)

 

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

 

O12 - Plugin for .mp3: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin4.dll

 

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

 

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

 

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/587/online.chm::/on-line.exe

 

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38076.6805787037

 

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{50FA4D62-5B2A-4EFA-9CDC-9C10D0ED72CD}: NameServer = 200.204.0.10,200.204.0.138

 

O17 - HKLM\System\CCS\Services\Tcpip\..\{E3C31D69-7F44-4712-8CCF-BAE6F2005AB1}: NameServer = 200.204.0.10 200.204.0.138

 

 

Please someone help me.

 

Tks

 

Rafael Miranda

 

[Sampson 0]

Try: BHODemon 2.0

 

http://www.definitivesolutions.com/bhodemon.htm

 

Disable and delete the BHO's you find. The BHO's for Abobe Reader or certain taskbars like Google or Yahoo are fine. Others that you may find are attempts to hijack your computer.

[yakkob 0]

I would also post your hijacck log on the www.spywareinfo.org forums.

Theie forums are specifically for this kind of post.