Thread: Having Problems Again!!!

  1. #1 (Join Date: Nov 2007; Location: Adelaide Australia; Posts: 54)

    Internet Connection

    Ok, those Internet provider numbers looked familiar to me as they are the address to my router. Probably why you didn't find the name of the ISP.
    I have entered the status page of the router, taken down details and made sure that the information matched the ones on the PC. I am now online again and have posted another HJT log.
    WOW I'm getting good at this

    Logfile of HijackThis v1.99.1
    Scan saved at 4:21:03 PM, on 24/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    H:\WINDOWS\System32\smss.exe
    H:\WINDOWS\system32\winlogon.exe
    H:\WINDOWS\system32\services.exe
    H:\WINDOWS\system32\lsass.exe
    H:\WINDOWS\system32\svchost.exe
    H:\WINDOWS\System32\svchost.exe
    H:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    H:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    H:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    H:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    H:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    H:\WINDOWS\Explorer.EXE
    H:\WINDOWS\system32\spoolsv.exe
    H:\WINDOWS\SOUNDMAN.EXE
    H:\WINDOWS\ALCWZRD.EXE
    H:\Program Files\Common Files\Symantec Shared\ccApp.exe
    H:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    H:\WINDOWS\system32\RUNDLL32.EXE
    H:\PROGRA~1\OfficeKB\OfficeKB.EXE
    H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    H:\Program Files\TrojanHunter 5.0\THGuard.exe
    H:\WINDOWS\system32\ctfmon.exe
    H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    H:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    H:\Program Files\KeirNet\K9\K9.exe
    H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    H:\Program Files\Common Files\NMSAccessU.exe
    H:\WINDOWS\system32\nvsvc32.exe
    H:\WINDOWS\system32\svchost.exe
    H:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    H:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    H:\WINDOWS\System32\svchost.exe
    H:\WINDOWS\system32\WgaTray.exe
    H:\Program Files\Mozilla Firefox\firefox.exe
    H:\Program Files\Mozilla Firefox\firefox.exe
    H:\Program Files\HI JACK THIS\Damian.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sa.chariot.net.au/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - H:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {C78A76BA-447C-4532-A7A6-09370FC71915} - H:\WINDOWS\system32\sstts.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - H:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [ccApp] "H:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] H:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OfficeKB] H:\PROGRA~1\OfficeKB\OfficeKB.EXE
    O4 - HKLM\..\Run: [Easy-PrintToolBox] H:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [THGuard] "H:\Program Files\TrojanHunter 5.0\THGuard.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AnyDVD] H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - Startup: Launch K9.lnk = H:\Program Files\KeirNet\K9\K9.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Windows Live Search - res://H:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://H:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://H:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://H:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://H:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O8 - Extra context menu item: Open in new background tab - res://H:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?933a97c3b3af45fc9ff488f53ff4003b
    O8 - Extra context menu item: Open in new foreground tab - res://H:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?933a97c3b3af45fc9ff488f53ff4003b
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{10D44058-2415-454A-B693-4CADCE2AAEEA}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS1\Services\Tcpip\..\{10D44058-2415-454A-B693-4CADCE2AAEEA}: NameServer = 203.12.160.35,203.12.160.36
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - H:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: NavLogon - H:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - H:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - H:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - LxrSII1s.exe (file missing)
    O23 - Service: NMSAccessU - Unknown owner - H:\Program Files\Common Files\NMSAccessU.exe
    O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - H:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - H:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - H:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
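The helper's reply below singles out one line of this log, the unnamed O2 BHO pointing at a DLL in system32. The triage script that follows is an added example (mine, not part of the thread and not HijackThis code) showing how a reviewer can mechanically pull the same kinds of indicators out of an HJT log: O2/O3 entries with "(no name)", "(file missing)" leftovers, O23 services with no vendor, and O17/O20 entries that deserve a look. The sample lines are copied from the log above; the `KNOWN_GOOD` allowlist and the severity ranking are my assumptions, not anything HijackThis ships with.

```python
import re

# Lines copied from the HijackThis log posted above (a subset, enough to
# exercise each rule). Any full HJT log text can be passed to triage().
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C78A76BA-447C-4532-A7A6-09370FC71915} - H:\WINDOWS\system32\sstts.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{10D44058-2415-454A-B693-4CADCE2AAEEA}: NameServer = 203.12.160.35,203.12.160.36
O20 - Winlogon Notify: NavLogon - H:\WINDOWS\system32\NavLogon.dll
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - LxrSII1s.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - H:\Program Files\Common Files\NMSAccessU.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - H:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
"""

# Assumed allowlist: file names this reviewer knows to be legitimate even
# though HJT lists them as "(no name)" (Spybot's SDHelper is the usual case).
KNOWN_GOOD = {"sdhelper.dll"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_entries(log_text):
    """Yield (section, body) for every 'Onn - ...' line in an HJT log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def file_name(body):
    """Lower-cased last path component of the entry's final ' - ' field,
    with any '(file missing)' tag stripped."""
    last = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
    return last.replace("/", "\\").split("\\")[-1].lower()


def triage(log_text):
    """Return a list of (severity, section, reason, body) findings."""
    findings = []
    for section, body in parse_entries(log_text):
        name = file_name(body)
        if "(file missing)" in body:
            # Dead registry entry; harmless by itself but worth cleaning up.
            findings.append(("low", section, "stale entry, file missing", body))
            continue
        if section in ("O2", "O3") and "(no name)" in body and name not in KNOWN_GOOD:
            # An unnamed BHO/toolbar loading from a system directory is the
            # classic hiding spot for browser-injecting malware.
            sev = "high" if "\\system32\\" in body.lower() else "medium"
            findings.append((sev, section, "unnamed browser extension", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(("medium", section, "service with no vendor", body))
        elif section == "O17":
            # Resolver addresses: confirm against the ISP's published servers.
            findings.append(("info", section, "DNS servers to verify", body))
        elif section == "O20":
            findings.append(("info", section, "Winlogon Notify DLL (runs at logon)", body))
    return findings


def flagged_files(log_text, min_severity="medium"):
    """Set of file names whose finding is at or above min_severity."""
    rank = {"info": 0, "low": 1, "medium": 2, "high": 3}
    return {file_name(b) for s, _, _, b in triage(log_text) if rank[s] >= rank[min_severity]}


if __name__ == "__main__":
    for sev, sec, reason, body in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec:4} {reason}: {body}")
```

Run against the sample, `sstts.dll` is the only high-severity hit, which matches the helper's call below; `SDHelper.dll` is skipped only because it is allowlisted, so keep that list short and deliberate.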

  2. #2 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)

    Quote: WOW I'm getting good at this
    Yes you are...

    Now from what I see there is one file which just insists on remaining and it is this one
    H:\WINDOWS\system32\sstts.dll
    so you will have to try another tool.

    Download PocketKillbox.exe
    Place it on the desktop.

    Double click it on the desktop to open the program. You may get a box warning you about opening the file; click Run to allow it to start (and not give this security warning in future).

    When the program opens choose the option on the left side to Delete on Reboot.

    In the Full Path of File to Delete type the following:

    H:\WINDOWS\system32\sstts.dll

    It will provide a window for you to confirm the delete.
    Next it will ask if you now wish to reboot; say yes and let the system reboot and delete the files.

    Allow the program then to run, delete and reboot.
    Once this all has happened and the computer has rebooted then run another FULL scan of My Computer with the online Kaspersky scanner.
    Save the log.
    Run another scan with HJT, save the log.
    Post both of those logs here.

  3. #3 (Join Date: Nov 2007; Location: Adelaide Australia; Posts: 54)
    I thought I was stubborn but this dll is a little worse.
    Ok, I have installed Killbox, ran the program and followed the instructions.
    After confirming to reboot, a window with this message appeared:
    "Pending File rename operations: Registry Data has been removed by external process."
    It did not reboot and delete the said file.

    Here are the logs

    Damian
    Attached Files
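The error text in the post above names the mechanism Killbox's Delete on Reboot relies on: the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, a REG_MULTI_SZ of (source, destination) pairs that Windows processes early in the next boot, before the file can be locked again; an empty destination means "delete". The code below is an added example (mine, not Killbox's code and not part of the thread) that builds and reads that layout and checks whether a delete for a given path is still scheduled, then models the sequence reported above: the entry is written, something clears the value before the reboot, and the check fails. The sstts.dll path comes from the thread; the `\??\` NT-path prefix is how the Session Manager stores these entries. Nothing here touches a real registry.

```python
PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
TARGET = r"H:\WINDOWS\system32\sstts.dll"   # the file from the thread


def nt_path(win_path):
    """The Session Manager stores Win32 paths in NT form: \\??\\H:\\..."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def encode_multi_sz(strings):
    """REG_MULTI_SZ on disk: each string NUL-terminated, then one extra NUL, UTF-16LE.
    Empty strings are kept, because an empty destination is how 'delete' is spelled."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def decode_multi_sz(data):
    """Inverse of encode_multi_sz; raises on a value without the double-NUL terminator."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ is not double-NUL terminated")
    return text[:-2].split("\0")


def pending_operations(data):
    """Return [(source, destination_or_None)] pairs; None means 'delete at boot'.
    data is the raw value bytes, or None when the value is absent."""
    if data is None:
        return []
    strings = decode_multi_sz(data)
    if len(strings) % 2:
        raise ValueError("odd number of strings: value is corrupt")
    return [(src, dst or None) for src, dst in zip(strings[::2], strings[1::2])]


def schedule_delete(data, win_path):
    """What MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) does to the value:
    append (source, '') while preserving any operations already queued."""
    strings = decode_multi_sz(data) if data else []
    strings += [nt_path(win_path), ""]
    return encode_multi_sz(strings)


def delete_is_scheduled(data, win_path):
    """True if a delete-at-boot entry for win_path is present in the value."""
    wanted = nt_path(win_path).lower()
    return any(dst is None and src.lower() == wanted for src, dst in pending_operations(data))


def simulate_killbox_run(value_cleared_before_reboot):
    """Model of posts #2/#3: Killbox queues the delete; if something on the box
    wipes the value before the reboot (the 'removed by external process' case),
    the Session Manager finds nothing to do and the DLL survives."""
    value = schedule_delete(None, TARGET)            # Killbox writes the entry
    assert delete_is_scheduled(value, TARGET)
    if value_cleared_before_reboot:
        value = None                                 # value deleted by another process
    return delete_is_scheduled(value, TARGET)


if __name__ == "__main__":
    v = schedule_delete(None, TARGET)
    print(PENDING_KEY, PENDING_VALUE, pending_operations(v))
    print("survives to reboot:", simulate_killbox_run(False))
    print("cleared by another process:", simulate_killbox_run(True))
```

On the live machine the same value can be inspected with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations` right after Killbox has queued the delete and again just before rebooting; if the entry is gone in between, something still running is clearing it, which is exactly the symptom reported above and a reason to prefer deleting the file from outside the running system.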

  4. #4 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    Rats! You are so right Damian, I have never seen anything like it!
    Time to send this off and have it analyzed...very easy to do...

    Go to this website;

    http://www.virustotal.com/

    In the Upload a File box put this in:

    H:\WINDOWS\system32\sstts.dll

    Then click Send File.

    The file will be analyzed by 32 different anti-virus programs and you will receive a report of the findings. Copy/Paste that report here. Hopefully somebody will be able to tell us what this stubborn little bugger is!


    This thing doesn't show at all in the Kaspersky log. The only infected files showing in that log are in System Restore. You can get rid of those by right clicking My Computer and choose Properties. Once System Properties opens then choose the System Restore Tab. Place a checkmark in Turn off system restore and click Ok. You will get a message that system restore is being turned off, say ok. It will turn off.
    Wait a minute and then do the same again only this time take the checkmark out. This will turn system restore back on with these items now removed.

    Also, run me another Deckard Scanner and let's see how it looks.

  5. #5 (Join Date: Nov 2007; Location: Adelaide Australia; Posts: 54)
    I have compacted the virus check as you only want to see what it is.
    I am getting one pop-up as my son used my PC last night so next time if it shows itself I'll write down what it is if that helps.
    Is it safe to do online banking with that file still in the system?

    Cheers
    Attached Files
