I´ve got spcStelth.cih ver 2018- HELP!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Gelmirez

Thread Starter
Joined
Mar 11, 2005
Messages
1
This is the first time I enter your site. I´ve seen you´ve helped some people whose computers were infected by a spyware called spcStelth.cih ver 2018. My computer got it yesterday; when I open IE I always find a site called "letgohome", which is inmediately covered by another one called "Search...". Now and then, a window appears where I´m informed that spcStelth has been detected. I´ve tried to delete it with spybot, but it´s been useless.Then, I´ve tried to download CWShredder, but the system has not allowed me to do so. Finally, I´ve scanned with hijackthis, but I don´t dare to delete anything without a technical advice. Could do please tell me which of the log files from the list above I must delete ?

Logfile of HijackThis v1.99.1
Scan saved at 18:55:51, on 11/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\ARCHIV~1\LAUNCH~1\QtZpAcer.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\WINDOWS\System32\lylnfu6k2hefthd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Analog Devices\USB ADSL WAN Adapter\DSLMON.exe
C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Archivos de programa\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Santiago Sierra\Configuración local\Temp\Directorio temporal 1 para hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.eresmastv.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\NR5TVR~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\ARCHIV~1\LAUNCH~1\QtZpAcer.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\lylnfu6k2hefthd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Archivos de programa\Analog Devices\USB ADSL WAN Adapter\DSLMON.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Archivos de programa\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: ConectarMP3 - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\ConectarMP3 (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
O20 - AppInit_DLLs: vfhx8r2p292mmpl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Accounts (WksPatch) - Unknown owner - C:\WINDOWS\System32\drivers\svchost.exe (file missing)

Thanks a lot! I wait for your answer!
 
Joined
Mar 25, 2001
Messages
3,334
Hi Gelmirez, welcome to TSG.

You'll have to explain what you mean that you tried to download CWShredder but the system has not allowed you to do so.

From here?:

http://www.intermute.com/spysubtract/cwshredder_download.html



Let's make sure you know how to boot into safe mode as well as how to view
hidden files on your PC. Instructions here:

Safe Mode:

http://www.computerhope.com/issues/chsafe.htm

Hidden files:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html


Physically disconnect your pc from the internet.


Now boot into safe mode.


1. Open HJT and check the following entries and click Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31403
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31403
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=31403

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\NR5TVR~1.DLL

O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\lylnfu6k2hefthd.exe

O20 - AppInit_DLLs: vfhx8r2p292mmpl.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll .dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dl l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll


2. Find and delete these files:

C:\WINDOWS\System32\NR5TVR~1.DLL
C:\WINDOWS\System32\lylnfu6k2hefthd.exe
vfhx8r2p292mmpl.dll

3. If you have it, run CWShredder. Open the application and click Fix (not scan) and let it do it's thing.


Reboot to normal mode.


4. Go here for an online AV scan:

http://housecall.trendmicro.com/hou.../start_corp.asp


Reboot and post a current log, okay?

:)
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top