ntssf.exe? Does anyone know what this is?

Discussion in 'malware problems & news' started by tweety pie, Jul 9, 2005.

Thread Status:
Not open for further replies.
  1. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    I think I may have done it, I just hope it's the right thing and I hope I haven't sent u the worm - if it is that?
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Yes, you did fine, but I absentmindedly had my Mailwasher delete the entire email... D'UH! :rolleyes:

    Would you mind terribly sending it again, please?

    Sorry about that...
     
  3. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    lol - just sent it again. What needs to be done now?
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Thanks! :D

    It's indeed a worm. Results of an online scan:

    AntiVir Found Worm/Rbot.160676.1
    BitDefender Found Backdoor.RBot.7C318C6A
    Fortinet Found W32/RBot.BDT-wm
    Kaspersky Anti-Virus Found Backdoor.Win32.Rbot.gen
    NOD32 Found probably a variant of Win32/Rbot (probable variant)
    Norman Virus Control Found W32/Spybot.QHS
    VBA32 Found Backdoor.Win32.Rbot.gen

    This is what we do:

    Run Hijack This again, and put a check mark at the following line, then press "Fix Checked":

    F2 - REG:system.ini: Shell=Explorer.exe jusched.exe

    Next, in Hijackthis, click "Config", then click on "Misc Tools".
    Once at the new screen, click the "Delete a file on reboot" button.

    You will be presented with a dialog asking you to pick a file.

    Copy and paste C:\WINDOWS\System32\jusched.exe into the file name field (just like you did when attaching the file in OE) and press the 'open' button.

    You'll be notified that the file in question will be deleted on reboot; when asked whether you want to restart your computer, click OK.

    After a reboot the file should be gone.

    When done, run Hijack This once again, and post a fresh log
     
  5. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Logfile of HijackThis v1.99.1
    Scan saved at 13:35:09, on 10/07/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
    C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
    C:\Program Files\Media Gateway\MediaGateway.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\WINDOWS\System32\jusched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Susan\Desktop\HijackThis.exe\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
    F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
    O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
    O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
    O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120913344531
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Well, it's still there... Did you do everything exactly as I said?

    Would you try this please?

    Do a Ctrl + Alt + Delete to bring up Task Manager.

    If you see the jusched.exe file listed on the processes tab, highlight it and press the 'End Process' button.

    Does that work, and does it disappear from the process list?
     
  7. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Yes, it did disappear - shall I do another Hijack This scan?
     
  8. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Decided to do it again anyway. It was still there, so I checked it and fixed it, did another scan and it has gone - I think...


    Logfile of HijackThis v1.99.1
    Scan saved at 13:43:33, on 10/07/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
    C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
    C:\Program Files\Media Gateway\MediaGateway.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Susan\Desktop\HijackThis.exe\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
    O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
    O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
    O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120913344531
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Nope, but that's a good start.

    Now go to Start > Run.

    Copy/paste the following into the Run box, then press 'OK'

    cmd /c del /f /q "C:\WINDOWS\System32\jusched.exe"

    That ought to delete the file.

    NOW run Hijack This and fix that one line

    When done, reboot, re-run Hijack This, post a fresh log.
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Ah, our posts crossed. Well, it would appear you succeeded in getting rid of the little b*gger.

    Well done! :D
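
The check done by eye across the two logs above, as an added example that is not part of any post in this thread: it parses a HijackThis log, flags any program an `F2 ... Shell=` line starts besides Explorer.exe, matches it against the running-process list, and compares a before and an after log. The function names are illustrative assumptions and the two sample logs are short excerpts of the logs posted above.

```python
import ntpath
import re

# Constructed excerpts: a few lines copied from the two HijackThis logs in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe

F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "F2 - ...", "O23 - ..."
SHELL_PREFIX = "reg:system.ini: shell="


def parse_log(text):
    """Split a log into (running process paths, [(entry code, entry body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False
            entries.append((match.group(1), match.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def shell_extras(entries):
    """Programs an F2 Shell= line starts besides Explorer.exe.
    Splits on whitespace, so unquoted paths containing spaces are not handled."""
    extras = []
    for code, body in entries:
        if code == "F2" and body.lower().startswith(SHELL_PREFIX):
            for token in body[len(SHELL_PREFIX):].split():
                if ntpath.basename(token).lower() != "explorer.exe":
                    extras.append(token)
    return extras


def findings(text):
    """Return [(program name, [matching running-process paths]), ...]."""
    processes, entries = parse_log(text)
    result = []
    for extra in shell_extras(entries):
        name = ntpath.basename(extra).lower()
        paths = [p for p in processes if ntpath.basename(p).lower() == name]
        result.append((name, paths))
    return result


def still_present(before, after):
    """Programs flagged in `before` that are still running or still in Shell= in `after`."""
    processes, entries = parse_log(after)
    running = {ntpath.basename(p).lower() for p in processes}
    in_shell = {ntpath.basename(x).lower() for x in shell_extras(entries)}
    return [name for name, _ in findings(before) if name in running or name in in_shell]
```

An empty result from `still_present` only shows that the logon hook and the process are gone from the log; it says nothing about whether the file is still on disk, which HijackThis logs do not list.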
     
  11. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Mum wants to know if she still needs to go into safe mode and delete the entire contents of c:\documnetsandsettings... etc and that EDOWST.3EXE file?
     
  12. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Yup, you certainly do.

    Your Docs and Settings\Your User Name\Local Settings\Temp folder needs to be emptied on a regular basis anyway!

    And after that please update that operating system!
     
  13. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Whoops, I'm sorry, Sue, I accidentally edited your post instead of quoting it.... :eek:


    Tony
     
    Last edited by a moderator: Jul 10, 2005
  14. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Hi Sue. You're welcome, glad to help.

    Not always, but it helps in removing files that would otherwise be in use by Windows, and in this case I thought we'd better be thorough.

    Well, as a freeware solution it certainly isn't bad, but it isn't in the same ball park as the best shareware AVs.
    And it was certainly unable to detect three malicious files running in memory on your computer...

    If you want my opinion, I'd go for either of the following, which in addition both offer very frequent antivirus definition updates, which these days is an absolute must!

    ESET's Nod32 Antivirus v2.5
    Kaspersky Personal

    Nod32 is second to none when it comes to detection of In-The-Wild viruses.
    It also does a great job "heuristically" detecting entirely new malware.

    I can certainly recommend Kaspersky as well. It's a great antivirus, and its trojan detection is also excellent.
     
  15. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Tony, thank you again for your knowledge.

    Is Kaspersky Personal a joint package, as I like to have the same company as my firewall & anti-virus?

    I will certainly check out your suggestions.

    I went to safe mode and typed in C:Temp folder etc. in the search files and folders and the Edowst.3exe never showed up.

    I am still wary of downloading SP2 but I'll give it a go now that I have rebooted to factory settings.... but I'll do that later, I think it is time to put the pc to 'bed' for a while and my hubby wants to take us out for lunch so that 'turn off' button is getting hit.....

    I really can't thank you enough, could never have got through this on my own.

    Could I ask, are you British? Your manner comes across that you once may have lived in the U.K.

    Cheers, Take Care, Sue
     
  16. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    You're very welcome, Sue. Nope, I'm not English, but from across the North Sea: I'm from the Netherlands.

    As for Kaspersky, they also offer a firewall ("Anti-Hacker"), but I'm not familiar with it. On the other hand, there's no real advantage in having it all in one package.

    With KAV you'll already have an excellent antivirus. Now just choose a good firewall to go with it. They won't conflict.
    Zonealarm for example has an excellent freeware version, and is among the easier to configure: http://www.zonelabs.com/store/content/home.jsp

    And as for updating your operating system, again, you really don't have a choice. New vulnerabilities are being discovered as we speak and there's just no good substitute for prevention...
     
  17. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Tweety pie. If you do decide to try the Kaspersky trial and want to use it with Zonealarm free version (I would recommend that too), then please disable what is called the IDS/networkprotection during the install. For info on how to do this look here (section #2): http://forum.kaspersky.com/index.php?showtopic=897. If you need any help then you can either PM me or post at the Kaspersky forum for any help you need. The IDS/networkprotection is a sort of minifirewall only meant for those (still many) with any firewall.

    If you after the trial like to buy Kaspersky, then you can buy a key to add to the AV here (1 or 2 year deals), you do this through the support tab in the main window. :)
     
  18. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Thank you Don Pelotas for your suggestion. Yes I think I would like to try Kaspersky as a trial. I had ZoneAlarm as EZ Armor same company but the operating processor to their product is True Vector Services and for some reason I kept getting errors in Event Viewer as Interlogs IAMDB.RDB and having bsod's all the time and I was on my second subscription with them yet the cust. support was excellent so now I will look for a single firewall product so I've got some reading up to do.

    Cheers, Sue
     
  19. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Hi Don, I'm trying to access the Kaspersky web site for the link that you gave and I keep getting 'page can not be displayed' yet the .co.uk site is ok. Sue
     
  20. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Tweety pie, have you tried clicking one of the links using a HTTP server rather than one with a FTP server?

    The link Don gave is working fine for me.
     
  21. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hi Sue

    That's strange... Maybe something to do with the infection you've had. Try the UK addresses instead (makes a lot more sense too, if you reside there ;) ). The trial can be downloaded here (UK site). I would advise you to try Kaspersky Personal, the detection is the same as the Personal Pro and it's designed for the home user, and stay with ZA free firewall.

    If you after the trial can't find the address to buy a key, then feel free to contact me. :)

    Btw. You could try and look in IE > "Tools" > "Internet Options" > "Security tab" > click on the red stop sign (restricted sites), then press the "sites button" and see if there are any sites in there like Kaspersky that shouldn't be there.
     
    Last edited: Jul 10, 2005
  22. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Hi Don,

    I looked in I.E tools etc and that area has nothing in it.

    I emailed Kaspersky U.K. yesterday evening and I have a reply about the 'Personal Security Suite':-

    ''This product provides: anti-virus protection, a firewall, protection from spam and protection from spyware''

    I am then provided with a link to download the trial version.
    Yes I will use the .uk site as I live in Lancashire.
     
  23. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
  24. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    So far so good, Kasp. picked up on a trojan NTSSF.EXE and 'was advised to delete this' - which I did. Then during an online scan for viruses a window opened from the firewall saying that Lovesan attack was detected and that the attack has been successfully repulsed.
     
  25. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Excellent! That's the one that was in your HijackThis log originally, and which subsequently mysteriously "disappeared", remember? :)

    Good choice, Kaspersky!
     