
Thread: Having Problems Again!!!

  1. #31
    Join Date
    Nov 2007
    Location
    Adelaide Australia
    Posts
    54

    Internet Connection

    Ok those Internet provider numbers looked familiar to me as they are the address to my router. Probably why you didn't find the name of the ISP.
    I have entered the status page of the router, taken down details and made sure that the information matched the ones on the PC. I am now online again and have posted another HJT log.
    WOW I'm getting good at this

    Logfile of HijackThis v1.99.1
    Scan saved at 4:21:03 PM, on 24/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    H:\WINDOWS\System32\smss.exe
    H:\WINDOWS\system32\winlogon.exe
    H:\WINDOWS\system32\services.exe
    H:\WINDOWS\system32\lsass.exe
    H:\WINDOWS\system32\svchost.exe
    H:\WINDOWS\System32\svchost.exe
    H:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    H:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    H:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    H:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    H:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    H:\WINDOWS\Explorer.EXE
    H:\WINDOWS\system32\spoolsv.exe
    H:\WINDOWS\SOUNDMAN.EXE
    H:\WINDOWS\ALCWZRD.EXE
    H:\Program Files\Common Files\Symantec Shared\ccApp.exe
    H:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    H:\WINDOWS\system32\RUNDLL32.EXE
    H:\PROGRA~1\OfficeKB\OfficeKB.EXE
    H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    H:\Program Files\TrojanHunter 5.0\THGuard.exe
    H:\WINDOWS\system32\ctfmon.exe
    H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    H:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    H:\Program Files\KeirNet\K9\K9.exe
    H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    H:\Program Files\Common Files\NMSAccessU.exe
    H:\WINDOWS\system32\nvsvc32.exe
    H:\WINDOWS\system32\svchost.exe
    H:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    H:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    H:\WINDOWS\System32\svchost.exe
    H:\WINDOWS\system32\WgaTray.exe
    H:\Program Files\Mozilla Firefox\firefox.exe
    H:\Program Files\Mozilla Firefox\firefox.exe
    H:\Program Files\HI JACK THIS\Damian.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sa.chariot.net.au/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - H:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {C78A76BA-447C-4532-A7A6-09370FC71915} - H:\WINDOWS\system32\sstts.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - H:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [ccApp] "H:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] H:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OfficeKB] H:\PROGRA~1\OfficeKB\OfficeKB.EXE
    O4 - HKLM\..\Run: [Easy-PrintToolBox] H:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [THGuard] "H:\Program Files\TrojanHunter 5.0\THGuard.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AnyDVD] H:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - Startup: Launch K9.lnk = H:\Program Files\KeirNet\K9\K9.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Windows Live Search - res://H:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://H:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://H:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://H:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://H:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O8 - Extra context menu item: Open in new background tab - res://H:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?933a97c3b3af45fc9ff488f53ff4003b
    O8 - Extra context menu item: Open in new foreground tab - res://H:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?933a97c3b3af45fc9ff488f53ff4003b
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{10D44058-2415-454A-B693-4CADCE2AAEEA}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CS1\Services\Tcpip\..\{10D44058-2415-454A-B693-4CADCE2AAEEA}: NameServer = 203.12.160.35,203.12.160.36
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - H:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: NavLogon - H:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - H:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - H:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - LxrSII1s.exe (file missing)
    O23 - Service: NMSAccessU - Unknown owner - H:\Program Files\Common Files\NMSAccessU.exe
    O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - H:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - H:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - H:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

  2. #32
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    "WOW I'm getting good at this"
    Yes you are...

    Now from what I see there is one file which just insists on remaining and it is this one
    H:\WINDOWS\system32\sstts.dll
    so you will have to try another tool.

    Download PockeKillbox.exe
    Place it on the desktop.

    Double Click this on the desktop to open the program. You may get a box warning you about opening the file, and click Run to allow it to start (and not give this security warning in future).

    When the program opens choose the option on the left side to Delete on Reboot

    In the Full Path of File to Delete type the following;

    H:\WINDOWS\system32\sstts.dll

    It will provide a window for you to confirm the delete.
    Next it will ask if you now wish to reboot, say yes and let the system reboot and delete the files.

    Allow the program then to run, delete and reboot.
    Once this all has happened and the computer has rebooted then run another FULL scan of My Computer with the online Kaspersky scanner.
    Save the log.
    Run another scan with HJT, save the log.
    Post both of those logs here.
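
As an added example (not part of the original posts and not code from HijackThis): a Python parser for the O2 Browser Helper Object lines of the log in post #31, plus one triage heuristic that is an assumption made here, not the helper's stated method: an unnamed BHO whose DLL sits directly in system32. Function names are hypothetical.

```python
import re
from typing import NamedTuple

# A subset of lines copied from the HijackThis log in post #31.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {C78A76BA-447C-4532-A7A6-09370FC71915} - H:\WINDOWS\system32\sstts.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - LxrSII1s.exe (file missing)
"""

# "<section> - <body>", e.g. "O2 - BHO: ..." or "O23 - Service: ..."
ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Body of an O2 line: "BHO: <name> - {CLSID} - <path>"
BHO = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")

class Bho(NamedTuple):
    name: str
    clsid: str
    path: str

def parse_bhos(log: str) -> list[Bho]:
    """Return every O2 (Browser Helper Object) entry found in the log text."""
    found = []
    for line in log.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry or entry["section"] != "O2":
            continue
        bho = BHO.match(entry["body"])
        if bho:
            found.append(Bho(bho["name"], bho["clsid"].upper(), bho["path"]))
    return found

def unnamed_system32_bhos(log: str) -> list[Bho]:
    """Assumed heuristic: BHO shown as "(no name)" with its DLL directly in system32.
    The "(no name)" label alone also matches Spybot's SDHelper.dll in this log,
    so it is combined with the folder check."""
    hits = []
    for bho in parse_bhos(log):
        folder, _, _filename = bho.path.rpartition("\\")
        if bho.name == "(no name)" and folder.lower().endswith(r"\windows\system32"):
            hits.append(bho)
    return hits

def missing_file_entries(log: str) -> list[tuple[str, str]]:
    """Return (section, body) for entries HijackThis marked "(file missing)"."""
    entries = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [(e["section"], e["body"]) for e in entries
            if e and e["body"].endswith("(file missing)")]

if __name__ == "__main__":
    for hit in unnamed_system32_bhos(SAMPLE_LOG):
        print(hit.clsid, hit.path)
```

A match from this heuristic is a lead to submit for scanning, not a verdict.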

  3. #33
    Join Date
    Nov 2007
    Location
    Adelaide Australia
    Posts
    54
    I thought I was stubborn but this dll is a little worse.
    Ok I have installed Killbox and ran the program and followed instructions.
    After confirming to reboot a window with this message appeared.
    Pending File rename operations
    Registry Data has been removed by external process. It did not reboot and delete the said file.

    Here are the logs

    Damian

  4. #34
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Rats! You are so right Damian, I have never seen anything like it!
    Time to send this off and have it analyzed...very easy to do...

    Go to this website;

    http://www.virustotal.com/

    In the Upload a File box put this in;

    H:\WINDOWS\system32\sstts.dll

    Then click Send File

    The file will be analyzed by 32 different anti-virus programs and you will receive a report of the findings. Copy/Paste that report here. Hopefully somebody will be able to tell us what this stubborn little bugger is!


    This thing doesn't show at all in the Kaspersky log. The only infected files showing in that log are in System Restore. You can get rid of those by right clicking My Computer and choosing Properties. Once System Properties opens, choose the System Restore tab. Place a checkmark in Turn off system restore and click Ok. You will get a message that system restore is being turned off, say ok. It will turn off.
    Wait a minute and then do the same again only this time take the checkmark out. This will turn system restore back on with these items now removed.

    Also, run me another Deckard Scanner and let's see how it looks.

  5. #35
    Join Date
    Nov 2007
    Location
    Adelaide Australia
    Posts
    54
    I have compacted the virus check as you only want to see what it is.
    I am getting one pop-up as my son used my PC last night so next time if it shows itself I'll write down what it is if that helps.
    Is it safe to do online banking with that file still in the system?

    Cheers

  6. #36
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    None of the others showed anything except the AVG 7.5.0.503?
    What it tells me is nothing...let me contact some of the others and see what we can come up with ok?

    H:\WINDOWS\system32\sstts.dll

    Try uploading it here and see what comes up;
    http://virusscan.jotti.org/

  7. #37
    Join Date
    Nov 2007
    Location
    Adelaide Australia
    Posts
    54
    Well this is what it has found.
    I did go to the Add-ons manager in IE and disabled sstts.dll, rebooted in safe mode and tried to delete again but came up with the same window: cannot delete, being used by another person or program.

    File: sstts.dll_
    Status: INFECTED/MALWARE
    MD5: 03e5bf3d4a6dbf48ce1bc7abc276cb8b
    Packers detected: -
    Bit9 reports: File not found

    Scanner results
    Scan taken on 25 Nov 2007 01:20:48 (GMT)
    A-Squared: Found nothing
    AntiVir: Found nothing
    ArcaVir: Found nothing
    Avast: Found nothing
    AVG Antivirus: Found Generic9.WCJ
    BitDefender: Found nothing
    ClamAV: Found nothing
    CPsecure: Found nothing
    Dr.Web: Found nothing
    F-Prot Antivirus: Found nothing
    F-Secure Anti-Virus: Found nothing
    Fortinet: Found nothing
    Ikarus: Found nothing
    Kaspersky Anti-Virus: Found not-a-virus:AdWare.Win32.Virtumonde.aun
    NOD32: Found nothing
    Norman Virus Control: Found Vundo.gen51
    Panda Antivirus: Found nothing
    Rising Antivirus: Found nothing
    Sophos Antivirus: Found nothing
    VirusBuster: Found nothing
    VBA32: Found nothing

  8. #38
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok, need you to run two programs, when you have completed these please attach both logs to your next post.

    Download:

    - ISeeYouXP by ShadowPuterDude




    Double-click ISeeYouXP.exe, ISeeYouXP will be extracted to C:\ISeeYouXP. ISeeYouXP will autorun after installation.

    NOTE: Vista Users ISeeYouXP will not autorun on Vista.



    Possible Error Messages

    * If your ISeeYouXP.txt log appears to be empty or semi-empty or you get an error message similar to the below when running ISeeYouXP.bat and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS

    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications.
    # To fix the above error message, choose the download below which is appropriate for your system

    * For Windows XP Pro: download and run: XPproFix
    * For Windows XP Home: download and run: XPHomeFix
    * For Windows 2000: download and run: W2KFix

    Then run ISeeYouXP.bat again and attach the log.
    # A possible second type of error message may occur as shown in the quote box below! If you get either of these two messages, perform the Resolution steps given in this: Virtual Device Driver Error Message in 16-Bit MS-DOS Subsystem
    16 bit MS-DOS Subsystem drive:\program path XXXX. An installable Virtual Device Driver failed DLL initialization. Choose 'Close' to terminate the application.
    -or-
    16 bit MS-DOS Subsystem drive:\program path SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. VDD. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application.

    After attempting to fix the above errors, run ISeeYouXP.bat and attach the log.

    Download to the Desktop:
    ProcessDll by Matt Chugg

    Double-Click ProcessDll.exe, which should be on your desktop.

    The ProcessDll logger will now run and save the file procdll.txt to your desktop.

    Post that file with your next reply.
    Last edited by ShadowPuterDude; 11-26-2007 at 08:00 PM.

  9. #39
    Join Date
    Nov 2007
    Location
    Adelaide Australia
    Posts
    54
    Umm I think we have hit a snag.
    Can not extract to C:\ISeeYouXP. It is a wrong Directory.
    My Hard Drive has H:\ assigned because of the card reader that I have.
    Will assigning a new letter help and if so what about existing programs that are on the hard drive already?

    Are you pulling your hair yet!!!

  10. #40
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    No, not pulling my hair. Instead of those two, try this one....
    CleanupXP
    Save it to your desktop and double click to run it.
