ntssf.exe ? does anyone know what this is

Discussion in 'malware problems & news' started by tweety pie, Jul 9, 2005.

Thread Status:
Not open for further replies.
  1. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    o_O I have done a complete restore back to 'factory settings', my newly installed 'AVG Anti-Virus Plus Firewall' is asking whether I want to 'allow' or 'deny' ntssf.exe..... has anyone ever had this from their firewall? Could someone please explain what it is, Cheers *puppy*
     
  2. dog

    dog Guest

    Hi tweety pie,

    A Google search doesn't reveal any information, are you sure the spelling is correct? Can you do a search for that file, and check its properties or run Sysinternals Process Explorer and check the properties using it.

    For now, seeing as we don't really know much, I'll leave this thread in the General Forum and move it to a more appropriate forum once we figure out where it belongs. ;)

    Regards,

    Steve
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    A brief search yielded a forum thread containing a HijackThis log with these entries:

    O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] ntssf.exe
    O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] ntssf.exe
    O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] ntssf.exe

    That would make it a Rbot or SDBot worm variant.

    Please do the following:

    Go to Start/run, and type Msinfo32, followed by OK.
    Go to Software Environment/Startup Programs.
    Click Edit/'Select all', and then 'copy'
    Now paste the contents here.
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
  5. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Steve, Thank you for your reply, I'll look that up



    Tony, I'll do my best doing that, there are some things that I've never done and your suggestion is a little over my head but I'll give it a try, are you saying then that this is a worm? I was so stupid to click 'allow' when I came on the pc, I hope to get to the bottom of this.

    Thanks both of you.
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    That's what it would indeed appear to be...

    Just follow my directions to give us a copy and paste of your startup programs. That might tell us a little more.
     
  7. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Tony, I've got this info, it looks as though it appears 4 times under NTSF Microsoft System. You are an Angel.... I wouldn't have known to access that information, I'm ready for any more expertise that you can offer, thank you.


    1HeU c:\windows\qujohp.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    6i1dcndp c:\windows\system32\6i1dcndp.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ACTIVBOARD c:\apps\activboard\mmkeybd.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ActivSurf c:\apps\activsurf\4448364\program\backweb-4448364.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AVG7_CC c:\progra~1\grisoft\avg7\avgcc.exe /startup All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AVG7_EMC c:\progra~1\grisoft\avg7\avgemc.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AVG7_Run c:\progra~1\grisoft\avg7\avgw.exe /runonce NT AUTHORITY\SYSTEM HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AVG7_Run c:\progra~1\grisoft\avg7\avgw.exe /runonce NT AUTHORITY\LOCAL SERVICE HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AVG7_Run c:\progra~1\grisoft\avg7\avgw.exe /runonce NT AUTHORITY\NETWORK SERVICE HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AVG7_Run c:\progra~1\grisoft\avg7\avgw.exe /runonce .DEFAULT HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ClickMe c:\apps\clickme\clickme.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ControlCenter2.0 c:\program files\brother\controlcenter2\brctrcen.exe /autorun All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    desktop desktop.ini NT AUTHORITY\SYSTEM Startup
    desktop desktop.ini SN023092320093\Susan Startup
    desktop desktop.ini .DEFAULT Startup
    desktop desktop.ini All Users Common Startup
    EM_EXEC c:\progra~1\mousew~1\system\em_exec.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    IndexSearch c:\program files\scansoft\paperport\indexsearch.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Media Gateway c:\program files\media gateway\mediagateway.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSMSGS "c:\program files\messenger\msmsgs.exe" /background SN023092320093\Susan HKU\S-1-5-21-1757981266-1935655697-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSN MMISSENGER mssmmspgr.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NTSF MICROSOFT SYSTEM ntssf.exe NT AUTHORITY\SYSTEM HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NTSF MICROSOFT SYSTEM ntssf.exe SN023092320093\Susan HKU\S-1-5-21-1757981266-1935655697-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NTSF MICROSOFT SYSTEM ntssf.exe .DEFAULT HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NTSF MICROSOFT SYSTEM ntssf.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NvCplDaemon rundll32.exe nvqtwk,nvcpldaemon initialize All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    PaperPort PTD c:\program files\scansoft\paperport\pptd40nt.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SetDefPrt c:\program files\brother\brmfl04a\brstdvpt.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    smsrv smsrv.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SSBkgdUpdate "c:\program files\common files\scansoft shared\ssbkgdupdate\ssbkgdupdate.exe" -embedding -boot All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Status Monitor c:\progra~1\brother\brmfcmon\brmfcwnd.exe brother dcp-110c /startup All Users Common Startup
    VCSPlayer "c:\program files\virtual cd v4 sdk\system\vcsplay.exe" All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Yup, that's your worm!

    But it would appear you have another one as well:

    Although technically we're not doing malware removal here any longer, I guess we do need a closer look in order to be sure not to be missing anything (I hope the powers that be won't mind...):

    Go to http://castlecops.com/downloads-cats-14-10-10.html , and download HijackThis. Choose Save, not Open - save the file in a location of your choice.

    Unzip, doubleclick HijackThis.exe, and hit "Do a System Scan and save a Log file".

    When the scan is finished, the log will automatically open in Notepad.

    Go to File > Save and save the log in a location of your choice.

    NOTE: Most of what Hijack This lists will be harmless or even required, so do NOT fix anything yet.

    Next, copy and paste the contents of the Hijack This log into your reply
     
    Last edited: Jul 9, 2005
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Don't mind at all, Tony, as a HijackThis log can indeed be requested by a specially titled forum Expert here, of which you are one of the best. ;)

    Regards,

    snap
     
  10. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Tony, thank you so much, I will print off your info and again do my best, I never even had 'worm' problems before I had to do a recovery, there are some crazy people out there who want to destroy pc's.... really haven't they better things to do with their time but then we have experts like you who can take me by the hand and guide me, I'm very grateful for your help, I hope to achieve what you are asking. Bye for now...
     
  11. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Thanks, Snap, it's appreciated! :)

    That's very flattering, although technically I've been retired for a while...
    Well, let's hope I haven't forgotten everything.... ;)
     
  12. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Don't worry, you'll do fine! :)
     
  13. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Logfile of HijackThis v1.99.1
    Scan saved at 22:35:51, on 09/07/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\WINDOWS\System32\ntssf.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
    C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
    C:\WINDOWS\System32\6i1dcndp.exe
    C:\Program Files\Media Gateway\MediaGateway.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\WINDOWS\System32\jusched.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Documents and Settings\Susan\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [1HeU] C:\WINDOWS\qujohp.exe
    O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] ntssf.exe
    O4 - HKLM\..\Run: [smsrv] smsrv.exe
    O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
    O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
    O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
    O4 - HKLM\..\Run: [6i1dcndp] C:\WINDOWS\System32\6i1dcndp.exe
    O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
    O4 - HKLM\..\Run: [MSN MMISSENGER] mssmmspgr.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] ntssf.exe
    O4 - HKLM\..\RunServices: [smsrv] smsrv.exe
    O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] ntssf.exe
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120913344531
    O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

    Hi Tony, the info is provided with the help of my 19 year old daughter. I hope you can see your way through it, it looks so complicated to me, I really haven't a clue, I'm off to bed now and I'll get back on here tomorrow and when I come on the pc I will 'deny' this file but as I know it has already got to my pc.
    Thank you again for your help, I really do appreciate it, you've taught me things that I have never come across and I've had my pc for 3 years.
     
  14. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    OK, next step:

    Start your computer in Safe Mode (you want to print this out), and find and delete these files:

    C:\WINDOWS\System32\ntssf.exe
    C:\WINDOWS\System32\6i1dcndp.exe

    NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

    Next, still in Safe Mode, run Hijack This, and press "Do a System Scan Only".
    In the Results window, check the following lines, then press "Fix Checked".

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    F2 - REG:system.ini: Shell=Explorer.exe jusched.exe

    O4 - HKLM\..\Run: [1HeU] C:\WINDOWS\qujohp.exe
    O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] ntssf.exe
    O4 - HKLM\..\Run: [smsrv] smsrv.exe
    O4 - HKLM\..\Run: [6i1dcndp] C:\WINDOWS\System32\6i1dcndp.exe
    O4 - HKLM\..\Run: [MSN MMISSENGER] mssmmspgr.exe
    O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] ntssf.exe
    O4 - HKLM\..\RunServices: [smsrv] smsrv.exe
    O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe
    O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] ntssf.exe

    O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab

    Now start your computer normally.

    Next, have your computer scanned on line by the Kaspersky web scanner: http://www.kaspersky.com/beta?product=161744315
    Allow it to remove everything it finds.

    When done, run Hijack This again, have it produce a fresh log, and post it, together with the Kaspersky log.
     
    Last edited: Jul 9, 2005
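    The triage Tony does by eye in the post above can be written down as rules. The following is an added example (not code from the thread or from HijackThis): it parses O4 and F2 lines in HijackThis format and flags the signals the thread relies on, namely an autostart that names a bare file with no path (ntssf.exe, smsrv.exe, mssmmspgr.exe are resolved from the search path and have no install location), a winlogon Shell= value that launches anything besides Explorer.exe, the same autostart name written under HKLM\Run, HKLM\RunServices and HKCU\Run at once, and any use of RunServices at all (a Windows 9x/Me key that NT-based Windows does not process; bots written for every Windows version populate it anyway). The severity labels, the sample lines (copied from the log posted in this thread) and the host-process list are this example's own choices; a randomly named entry with a full path, such as [1HeU] C:\WINDOWS\qujohp.exe, is something Tony judged by eye and these rules do not catch.

```python
"""Triage of HijackThis-style O4/F2 autostart lines (added example, not the thread's own code)."""
import re
from collections import defaultdict

# Constructed sample: O4/F2 lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [1HeU] C:\WINDOWS\qujohp.exe
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] ntssf.exe
O4 - HKLM\..\Run: [smsrv] smsrv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] ntssf.exe
O4 - HKLM\..\RunServices: [smsrv] smsrv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] ntssf.exe
""".strip()

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F2_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$")

# Windows host binaries legitimately referenced by bare name; the thing to inspect is their argument.
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe"}


def executable_of(cmd):
    """Return the program part of an autostart command: a quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def is_bare_filename(exe):
    """True when the command names a file with no directory, so Windows resolves it from the search path."""
    return "\\" not in exe and ":" not in exe


def triage(log_text):
    """Return (severity, subject, reason) findings for the O4/F2 lines in log_text."""
    findings = []
    keys_by_name = defaultdict(set)
    for line in log_text.splitlines():
        m = F2_SHELL_RE.match(line)
        if m:
            extra = [t for t in m.group("value").split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append(("high", "Shell=", "winlogon Shell value launches extra program(s): " + ", ".join(extra)))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        name, hive, key, cmd = m.group("name"), m.group("hive"), m.group("key"), m.group("cmd")
        keys_by_name[name].add((hive, key))
        exe = executable_of(cmd)
        if exe.lower() in HOST_PROCESSES:
            parts = cmd.strip().split(None, 1)
            args = parts[1] if len(parts) > 1 else ""
            findings.append(("review", name, f"{exe} is a host process; inspect its argument: {args}"))
        elif is_bare_filename(exe):
            findings.append(("high", name, f"bare filename {exe!r}: resolved via the search path, no install location"))
        if key.lower() == "runservices":
            findings.append(("medium", name, "RunServices is a Windows 9x/Me key that NT-based Windows ignores; "
                                             "cross-version bots write it anyway"))
    for name, keys in keys_by_name.items():
        if len(keys) >= 3:
            where = ", ".join(sorted(h + "\\" + k for h, k in keys))
            findings.append(("high", name, f"same autostart name under {len(keys)} keys: {where}"))
    return findings


def high_risk_names(log_text):
    """Subjects that received at least one 'high' finding, sorted for stable output."""
    return sorted({subject for sev, subject, _ in triage(log_text) if sev == "high"})


if __name__ == "__main__":
    for sev, subject, reason in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {subject}: {reason}")
```

    Run against the sample, the "high" list is exactly the Shell= line plus the two bare-filename autostarts Tony marks for fixing, and NvCplDaemon comes back as "review" rather than "high" because RUNDLL32.EXE is expected to appear without a path; what it loads (NvQTwk) is the thing a reviewer would look up.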
  15. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    ... also, you're running an outdated and therefore extremely unsafe version of Internet Explorer.
    When we're done, you NEED to install the Service Pack 2 for Windows XP right away!

    Next, make sure you download and install all other Critical Updates on offer at the Windows Update site.
    That will fix innumerable bugs, update a large number of important system files, and plug many security holes.

    The fact that from your Hijack This log there now appears to be a greater number of (bad) startups than in the log from Msconfig/Startups you posted previously doesn't exactly inspire confidence...
     
  16. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Morning Tony,

    I have done half of your advice with a little moan from my daughter for when HijackThis prompted me to make a folder.... never done this but she helped in the end with an ultimatum of well if you want to chat on MSN then I need a little help...

    I searched the 2 files and only C:\WINDOWS\System32\6i1dcndp.exe was there so deleted that; the other even dropping the 's' of ntssf.exe was not there in whatever format I typed, is it a good thing that it wasn't there?

    I ''Fix Checked'' the list in HijackThis and cleared them.

    Now I'm about to go to Kaspersky link and do the HijackThis log for you.

    In the past I had downloaded SP2 Pack but it made Outlook Express open in a different way, it just looked foreign to me, I never liked what it changed so I uninstalled it, I have read that as long as you have a good firewall/anti-virus pack that you don't really need SP2 so I am always dubious about downloading it again. Is there a way of just updating a current version of Internet Explorer?

    Could I ask what firewall/antivirus you are running. Before my reboot I had EZ Armor but kept getting IAMDB.RDB errors which went to Internet Logs, I saw this in the 'Event Viewer' and source always said TrueVector Services i.d.;5007, this is an umbrella of Zone Alarm and tech. support was good, tried installing EZ Armor in safe mode but still had BSOD'S so I chose to go to another company then discovered Grisoft's new AVG Firewall & Antivirus pack, I'm using the 30 day trial to see how I get on, it's not done too bad so far as it picked up this 'ntssf.exe' asking me whether to 'allow' or 'deny', 2nd time round I chose 'allow' as I thought it may have something to do with the firewall but how wrong was I to 'allow' its entry..... sorry for the long post, I'm worse sending text messages!!!!! LOL

    You have been fantastic..... I couldn't, to save my life, have known anything of all this, thank you again, hope to hear from you soon. *puppy*
     
  17. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    No, not really... It will not disappear by itself. It may well have been replaced by a close relative bearing a different name...

    It's important we get this over with in one stretch without rebooting in the meantime unless requested...

    Please do the KAV scan, then run Hijack This again, and post a fresh log.

    And there's no alternative to installing SP 2. Your present version of XP/IE badly needs to be patched.

    As I said, you NEED to install the Service Pack AND subsequently ALL other WU Critical Updates, or you'll continue getting infected despite your firewall/antivirus.
     
  18. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Tried to access link for scan - says page cannot be displayed, went on website to run scan that way and it won't let me scan the whole pc - is there any particular file I need to scan?
    Ran hijack this again...

    Logfile of HijackThis v1.99.1
    Scan saved at 11:32:57, on 10/07/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
    C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
    C:\Program Files\Media Gateway\MediaGateway.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\WINDOWS\System32\jusched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Susan\Desktop\HijackThis.exe\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
    F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
    O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
    O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
    O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120913344531
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
     
  19. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    In fact that does look better.

    One thing though: I'm a little worried about this log entry that apparently refused to go:

    F2 - REG:system.ini: Shell=Explorer.exe jusched.exe

    Now there's a legitimate jusched.exe file which belongs to Sun Microsystems' Java 2 software, but it shouldn't be in that particular location, nor have I ever seen it being launched that way.

    Could I ask you to please send a copy of that C:\WINDOWS\System32\jusched.exe file to submit_stuffATxs4all.nl for analysis? (replace 'AT' by @)

    We'd like to make sure it belongs on your computer!

    Much appreciated :)

    Just in case, here's how to attach a file to an email using Outlook Express

    And I suggest you forget the Kaspersky scan for now. Instead, try either or both Panda Active Scan and Trend Micro Housecall
     
  20. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Tony, just ran a virus scan on 'AVG', Says 'no virus found'

    While the scan was taking place another 'allow' or 'deny' came up for 'EDowst3.exe', it appeared as this;-

    C:\temp\EDOWST3.EXE local host:2395
    remote address: 146.82.109.210.80, connection TCP

    I clicked 'deny' As I don't know what it is.

    How is the HijackLog looking, have things cleared?
     
  21. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Hmm...

    Please send me a copy of Jusched.exe as requested.

    Then boot up into Safe Mode again, and delete the ENTIRE contents of the C:\Documents and Settings\Susan\Local Settings\Temp folder

    And that EDOWST3.EXE file in the C:\Temp folder, if still there.

    Reboot normally, and post a fresh Hijack This log.
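    The allow/deny prompt quoted two posts up, and Tony's response to it (clear out the Temp folders), come down to one question: where does the program asking for the connection live? The following is an added example, not code from the thread or from AVG: it parses a prompt transcribed the way the one above was (including the "a.b.c.d.port" form in which the remote address was typed, treating a fifth dotted number as the port) and classifies the executable by location. An executable in a temporary folder gets "deny", one elsewhere in a user profile gets "review", and one in a system or program folder also gets "review", because location alone vouches for nothing (ntssf.exe sat in System32); the script never answers "allow", since that decision needs the publisher or hash checked by a person. The prompt regex, the marker lists, the verdict names and the extra sample paths (with RFC 5737 documentation addresses) are this example's own assumptions.

```python
"""Classify a personal-firewall outbound prompt by executable location (added example, not the thread's code)."""
import re

# The prompt as pasted in the thread; the remote address was transcribed with the port run onto the IP.
THREAD_PROMPT = """\
C:\\temp\\EDOWST3.EXE local host:2395
remote address: 146.82.109.210.80, connection TCP
"""

# Tolerant of the transcription above: path, local port, remote host[:port], protocol.
PROMPT_RE = re.compile(
    r"(?P<path>[A-Za-z]:\\[^\n]*?\.exe)\s+local host:(?P<lport>\d+)\s*"
    r"remote address:\s*(?P<remote>[\d.]+)(?::(?P<rport>\d+))?,\s*connection\s+(?P<proto>\w+)",
    re.IGNORECASE | re.DOTALL,
)

# Folder markers (lower-cased, backslash-delimited) chosen for this example.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")
PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")


def parse_prompt(text):
    """Extract path, ports, remote host and protocol from a pasted prompt."""
    m = PROMPT_RE.search(text)
    if not m:
        raise ValueError("unrecognised prompt text")
    remote, rport = m.group("remote"), m.group("rport")
    parts = remote.split(".")
    if rport is None and len(parts) == 5:
        # "146.82.109.210.80": four octets plus a trailing number is IP-dot-port, not a bad IP.
        remote, rport = ".".join(parts[:4]), parts[4]
    return {
        "path": m.group("path"),
        "local_port": int(m.group("lport")),
        "remote": remote,
        "remote_port": int(rport) if rport else None,
        "proto": m.group("proto").upper(),
    }


def classify_path(path):
    """Return (verdict, reason) for the executable's location; never 'allow' on location alone."""
    p = path.lower().replace("/", "\\")
    if any(marker in p for marker in TEMP_MARKERS):
        return ("deny", "runs from a temporary folder; installed software does not live there "
                        "(an installer you just launched is the exception, and still worth checking)")
    if any(marker in p for marker in PROFILE_MARKERS):
        return ("review", "lives in a user profile, which any program the user runs can write to")
    return ("review", "system or program folder; location alone does not vouch for it (ntssf.exe sat in System32)")


def triage_prompt(text):
    """Parse a prompt and attach the verdict for its executable."""
    info = parse_prompt(text)
    verdict, reason = classify_path(info["path"])
    return {**info, "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    result = triage_prompt(THREAD_PROMPT)
    print(f"{result['path']} -> {result['remote']}:{result['remote_port']}/{result['proto']}: "
          f"{result['verdict'].upper()} ({result['reason']})")
```

    The one design choice worth noting is the "deny" for temporary folders: a firewall's "allow" is usually remembered as a standing rule, so a wrong allow (as happened with ntssf.exe earlier in this thread) keeps working for the program after the prompt is gone, whereas a wrong deny costs one re-prompt.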
     
  22. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    Hi Tony, u r going to shout at me!!!! How do I access that file and send the info, do I have to go to safe mode again? I looked on the whole listing of files and there is no entry for 'jusched.exe' will it be in one of the 'java' files. I did look this info up from google yesterday and the info said it had something to do with Java and to permit it as it has to run on Windows... so I thought it was ok to 'allow'.

    You are so patient....
     
  23. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    I just told you how to do that:


    No, not right away. First you send a copy of the file: C:\WINDOWS\System32\jusched.exe

    As you see from that 'path' it's located in your C:\WINDOWS\System32 folder. Just follow the directions in the article to send it.

    As I said before, there IS a legitimate jusched.exe file, but I'd just like to verify that that's the case here as well...

    After sending the file, boot into Safe Mode again in order to delete that stuff I asked you to. :)
     
  24. tweety pie

    tweety pie Registered Member

    Joined:
    Jun 27, 2005
    Posts:
    67
    daughter here, mum has asked me to help. I cannot find jusched.exe as an actual file/folder. I have tried searching for it in different ways. I know how to send an attachment on e-mail - that's the easy bit lol - I just can't find that file/folder as itself, it only comes up on the HijackThis scan.
    thanx
     
  25. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Hi there!

    The file must be there, as it is listed among the running processes. Are you sure that Hidden and Operating files are set to show, as I explained in one of my previous posts?

    Still, there's an easy way to attach a file, even if it's 'invisible':

    Copy the full path to the file

    C:\WINDOWS\System32\jusched.exe

    Next, press the Attach button in Outlook Express. Now, do NOT try browsing to the System32 folder, but, in the Insert Attachment dialog, simply RIGHTclick in the File name box, and choose 'Paste' from the context menu, so that the full path gets copied into it.

    Press Attach, and send the email.
     

    Attached file: att.gif