PDA

View Full Version : Pls Help!! scpStelth.cih removal??

snamtip
02-07-2005, 09:37 PM
Hi there, I am super new to this kind of virus removal thing. Usually I am pretty good with following directions and solving it myself but this one I just cant figure out. I have tried reading the threads but I get so lost. I downloaded the HijackThis log below from my computer:

Logfile of HijackThis v1.99.0
Scan saved at 9:18:22 PM, on 2/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\AT&T\DSL\programs\dslpca.exe
C:\WINDOWS\System32\mwin.exe
C:\WINDOWS\System32\VSStatmn32.exe
C:\WINDOWS\System32\5h4pv6yr9pbthd.exe
C:\WINDOWS\System32\tibs3.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Documents and Settings\Steph\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=30862
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\UE5K3C~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.d ll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AT&T DSL Service PCA Program] C:\PROGRA~1\AT&T\DSL\programs\dslpca.exe /ws
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] dtkvpajxj.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] mwin.exe
O4 - HKLM\..\Run: [Mcafee Antivirus Monitoring System32mn] VSStatmn32.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\5h4pv6yr9pbthd.exe
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] dtkvpajxj.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] mwin.exe
O4 - HKLM\..\RunServices: [Mcafee Antivirus Monitoring System32mn] VSStatmn32.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "cws" "2"
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] dtkvpajxj.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] mwin.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKCU\..\Run: [Mcafee Antivirus Monitoring System32mn] VSStatmn32.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: winlogin.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Advisor - {CF69CDA1-C75C-4E88-9B1B-B492259E5CBB} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://vparivalka.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B464DD9-2347-4F3E-93DA-01693B1CAB04}: NameServer = 64.105.166.122 64.105.132.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B464DD9-2347-4F3E-93DA-01693B1CAB04}: NameServer = 64.105.166.122 64.105.132.250
O20 - AppInit_DLLs: nw5n4fkd5nffyul.dll.dll.dll.dll.dll.dll.dll.dll.dl l.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Can anyone help?? I have no idea what this stuff means but I can follow instructions really well!

Thanks!

**Steph**
nightowl
02-08-2005, 10:58 AM
O20 - AppInit_DLLs: nw5n4fkd5nffyul.dll.dll.dll.dll.dll.dll.dll.dll.dl l.dll.dll.dll.dll.dll.dll.dll.dll.dll


Very hard to kill, some people said Trend Micro has worked.

http://housecall.trendmicro.com/

Need to kill this first, It will just continue to reload.Give it a try then post a new log.........Jim
Artanius
03-08-2005, 12:50 AM
goto Processes in task manager end C:\WINDOWS\System32\UE5K3C~1.DLL
and nw5n4fkd5nffyul.dll.dll.dll.dll.dll.dll.dll.dll.dl l.dll.dll.dll.dll.dll.dll.dll.dll.dll
search out both files manually and delete both in the order i said them while your at it open up your system32 folder scpstelth is know for multi entrys anything with dll.dll.dll etc etc etc delete it while u are deleting others Reboot comp and try net.

If this doesnt work i have a more advance solution but ill need a fresh hjt log and u will need to download a couple files.
ECA
03-08-2005, 02:26 AM
Art,
we been fighting this one for awhile.. its insidious.. Its started in the reg, then turns off after its loaded this THING.. Its not a running task. And i think theres about 4 parts in the base of it. weve killed the old ones, but this is worse then CWS..
Artanius
03-08-2005, 08:15 AM
Just removed it on a system for a friend the other day no browser hijack no reprecutions.I am attaching a wineto.zip (http://forums.techguy.org/attachment.php?attachmentid=51269) file to this post. Downlod it and unzip it to your desktop.

Download and install APM from here (http://www.diamondcs.com.au/index.php?page=apm).
Save it to your desktop you'll need it later.

Next click Here (http://www.downloads.subratam.org/KillBox.exe) and download the the new version of Killbox and save it to your desktop.

Copy these instructions to notepad. Sign off the internet and remain offline until the entire procedure is complete.


O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\UE5K3C~1.DLL

O20 - AppInit_DLLs: nw5n4fkd5nffyul.dll.dll.dll.dll.dll.dll.dll.dll.dl l.dll.dll.dll.dll.dll.dll.dll.dll.dll

Are the lines in your HJT log you shold be most conserned with if they change modify these instructions to suit the exact name.

Doubleclick on the winto.zip file to add it to the registry. Answer yes to confirm.

OK Check to make sure the
Now run the APM program
In the upper window select C:\Windows\explorer.exe

In the lower window find and rightclick this file:

C:\WINDOWS\System32\UE5K3C~1.DLL(not it exactly but it will be the only one that starts with UE5K3C)

Select Unload DLL and click OK on the prompts that follow.

Do the same with this file:
nw5n4fkd5nffyul.dll.dll.dll.dll.dll.dll.dll.dll.dl l.dll.dll.dll.dll.dll.dll.dll.dll.dll
----> This file may not appear exactly like that in APM.

Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No.

C:\WINDOWS\System32\UE5K3C~1.DLL

C:\WINDOWS\System32\5h4pv6yr9pbthd.exe


C:\WINDOWS\system32\nw5n4fkd5nffyul.dll.dll.dll.dl l.dll.dll.dll.dll.dl l.dll.dll.dll.dll.dll.dll.dll.dll.dll
*Note: If the file name in the O20 line in Hijack has changed, replace that last file name with the one that is currently in HJT.

Exit the Killbox.


Run Hijack This again and fix any of these entries that are left. Some may/should be gone:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=346

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=346

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=346

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=346

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=346

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\UE5K3C~1.DLL

O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\lzeb6pv6yiz68thd.exe

O20 - AppInit_DLLs: nw5n4fkd5nffyul.dll.dll.dll.dll.dll.dll.dll.dll.dl l.dll.dll.dll.dll.dll.dll.dll.dll.dll

Now restart your computer.

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.