ntssf.exe ? does anyone know what this is

I have done a complete restore back to 'factory settings', my newly installed 'AVG Anti-Virus Plus Firewall' is asking whether I want to 'allow' or 'deny' ntssf.exe..... has any one ever had this from there firewall? could someone please explain what it is, Cheers

 

Hi tweety pie,

I google search doesn't reveal any information, are you sure the spelling is correct? Can you do a search for that file, and check it's properties or run sysinternals Process Explorer and check the properties using it.

For now, seeing as we don't really know much, I'll leave this thread in the General Forum and move it to a more appropriate forum once we figure out where it belongs.

Regards,

Steve

 

A brief search yielded a forum thread containing a HijackThis log with these entries:

O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] ntssf.exe
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] ntssf.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] ntssf.exe

That would make it a Rbot or SDBot worm variant.

Please do the following:

Go to Start/run, and type Msinfo32, followed by OK.
Go to Software Environment/Startup Programs.
Click Edit/'Select all', and then 'copy'
Now paste the contents here.

 

Whoops, just found a Trend Micro article (partly in Italian, but still... LOL):

http://it.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=WORM_RBOT.ARQ

Would appear to be a close relative of that one

 

Steve, Thank you for your reply, I'll look that up



Tony, I'll do my best doing that, there are somethings that I've never done and your suggestion is a little over my head but I'll give it a try, are you saying then that this is a worm? I was so stupid to click 'allow' when i came on the pc, I hope to get to the bottom of this.

Thanks both of you.

 

That's what it would indeed appear to be...

Just follow my directions to give us a copy and paste of your startup programs. That might tell us a little more.

 

Tony, Ive got this info, it looks as though it appears 4 times under NTSF Microsoft System. You are an Angel.... I wouldn't of known to access that information, I'm ready for any more expertise that you can offer, thank you.


1HeU c:\windows\qujohp.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
6i1dcndp c:\windows\system32\6i1dcndp.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ACTIVBOARD c:\apps\activboard\mmkeybd.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ActivSurf c:\apps\activsurf\4448364\program\backweb-4448364.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG7_CC c:\progra~1\grisoft\avg7\avgcc.exe /startup All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG7_EMC c:\progra~1\grisoft\avg7\avgemc.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG7_Run c:\progra~1\grisoft\avg7\avgw.exe /runonce NT AUTHORITY\SYSTEM HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG7_Run c:\progra~1\grisoft\avg7\avgw.exe /runonce NT AUTHORITY\LOCAL SERVICE HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG7_Run c:\progra~1\grisoft\avg7\avgw.exe /runonce NT AUTHORITY\NETWORK SERVICE HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG7_Run c:\progra~1\grisoft\avg7\avgw.exe /runonce .DEFAULT HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ClickMe c:\apps\clickme\clickme.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ControlCenter2.0 c:\program files\brother\controlcenter2\brctrcen.exe /autorun All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
desktop desktop.ini NT AUTHORITY\SYSTEM Startup
desktop desktop.ini SN023092320093\Susan Startup
desktop desktop.ini .DEFAULT Startup
desktop desktop.ini All Users Common Startup
EM_EXEC c:\progra~1\mousew~1\system\em_exec.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IndexSearch c:\program files\scansoft\paperport\indexsearch.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Media Gateway c:\program files\media gateway\mediagateway.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS "c:\program files\messenger\msmsgs.exe" /background SN023092320093\Susan HKU\S-1-5-21-1757981266-1935655697-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN MMISSENGER mssmmspgr.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NTSF MICROSOFT SYSTEM ntssf.exe NT AUTHORITY\SYSTEM HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NTSF MICROSOFT SYSTEM ntssf.exe SN023092320093\Susan HKU\S-1-5-21-1757981266-1935655697-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NTSF MICROSOFT SYSTEM ntssf.exe .DEFAULT HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NTSF MICROSOFT SYSTEM ntssf.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon rundll32.exe nvqtwk,nvcpldaemon initialize All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PaperPort PTD c:\program files\scansoft\paperport\pptd40nt.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SetDefPrt c:\program files\brother\brmfl04a\brstdvpt.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
smsrv smsrv.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SSBkgdUpdate "c:\program files\common files\scansoft shared\ssbkgdupdate\ssbkgdupdate.exe" -embedding -boot All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Status Monitor c:\progra~1\brother\brmfcmon\brmfcwnd.exe brother dcp-110c /startup All Users Common Startup
VCSPlayer "c:\program files\virtual cd v4 sdk\system\vcsplay.exe" All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 

Yup, that's your worm!

But it would appear you have another one as well:

Although technically we're not doing malware removal here any longer, I guess we do need a closer look in order to be sure not to be missing anything ( I hope the powers that be won't mind...)..:

Go to http://castlecops.com/downloads-cats-14-10-10.html , and download HijackThis. Choose Save, not Open - save the file in a location of your choice.

Unzip, doubleclick HijackThis.exe, and hit "Do a System Scan and save a Log file".

When the scan is finished, the log will automatically open in Notepad.

Go to File > Save and save the log in a location of your choice.

NOTE: Most of what Hijack This lists will be harmless or even required, so do NOT fix anything yet.

Next, copy and paste the contents of the Hijack This log into your reply

 

Don't mind at all, Tony, as a HijackThis log can indeed by requested by a specially titled forum Expert here, which you are one of the best.

Regards,

snap

 

Tony, thank you so much, I will print off your info and again do my best, I never even had 'worm' problems before I had to do a recovery, there are some crazy people out there who want to destroy pc's.... really haven't they better things to do with there time but then we have experts like you who can take me by the hand and guide me, I'm very grateful for your help, I hope to achieve what you are asking. Bye for now...

 

Thanks, Snap, it's appreciated!

That's very flattering, although technically I've been retired for a while...
Well, let's hope I haven't forgotten everything....

 

Don't worry, you'll do fine!

 

Logfile of HijackThis v1.99.1
Scan saved at 22:35:51, on 09/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\WINDOWS\System32\ntssf.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
C:\WINDOWS\System32\6i1dcndp.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\System32\jusched.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Susan\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [1HeU] C:\WINDOWS\qujohp.exe
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] ntssf.exe
O4 - HKLM\..\Run: [smsrv] smsrv.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
O4 - HKLM\..\Run: [6i1dcndp] C:\WINDOWS\System32\6i1dcndp.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [MSN MMISSENGER] mssmmspgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] ntssf.exe
O4 - HKLM\..\RunServices: [smsrv] smsrv.exe
O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] ntssf.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120913344531
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

Hi Tony, the info is provided with the help of my 19 year old daughter. I hope you can see your way through it, it looks so complicated to me, I really haven't a clue, I'm off to bed now and I'll get back on here tomorrow and when I come on the pc I will 'deny' this file but as I know it has already got to my pc.
Thank you again for your help, I really do appreiciate it, you've taught me things that I have never come across and I've had my pc for 3 years.

 

OK, next step:

Start your computer in Safe Mode (you want to print this out), and find and delete these files:

C:\WINDOWS\System32\ntssf.exe
C:\WINDOWS\System32\6i1dcndp.exe

NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

Next, still in Safe Mode, run Hijack This, and press "Do a System Scan Only".
In the Results window, check the following lines, then press "Fix Checked".

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F2 - REG:system.ini: Shell=Explorer.exe jusched.exe

O4 - HKLM\..\Run: [1HeU] C:\WINDOWS\qujohp.exe
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] ntssf.exe
O4 - HKLM\..\Run: [smsrv] smsrv.exe
O4 - HKLM\..\Run: [6i1dcndp] C:\WINDOWS\System32\6i1dcndp.exe
O4 - HKLM\..\Run: [MSN MMISSENGER] mssmmspgr.exe
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] ntssf.exe
O4 - HKLM\..\RunServices: [smsrv] smsrv.exe
O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] ntssf.exe

O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab

Now start your computer normally.

Next, have your computer scanned on line by the Kaspersky web scanner: http://www.kaspersky.com/beta?product=161744315
Allow it to remove everything it finds.

When done, run Hijack This again, have it produce a fresh log, and post it, together with the Kaspersky log.

 

... also, you're running an outdated and therefore extremely unsafe version of Internet Explorer.
When we're done, you NEED to install the Service Pack 2 for Windows XP right away!

Next, make sure you download and install all other Critical Updates on offer at the Windows Update site.
That will fix innumerable bugs, update a large number of important system files, and plug many security holes.

The fact that from your Hijack This log there now appears to be a greater number of (bad) startups than in the log from Msconfig/Startups you posted previously doesn't exactly inspire confidence...

 

Morning Tony,

I have done half of your advice with a little moan from my daughter for when HijackThis prompted me to make a folder.... never done this but she helped in the end with an ultimatum of well if you want to chat on MSM then I need a little help...

I searched the 2 files and only C:\WINDOWS\System32\6i1dcndp.exe was there so deleted that; the other even dropping the 's' of ntssf.exe was not there in whatever format I typed, is it a good thing that it wasn't there?

I ''Fix Checked'' the list in HijackThis and cleared them.

Now I'm about to go to Kaspersky link and do the HijackThis log for you.

In the past I had downloaded SP2 Pack but it made Outlook Express open in a different way just looked forgein to me, I never liked what it changed so I uninstalled, I have read that as long as you have a good firewall/anti-virus pack that you don' really need SP2 so I am always dubious about downloading it again. Is there a way of just updating a current version of Internet Explorer?

Could I ask what firewall/antivirus you are running. Before my reboot I had EZ Armor but kept getting IAMDB.RDB errors which went to Internet Logs, I seen this in the 'Event Viewer' and source always said TrueVector Services i.d.;5007, this is an umbrella of Zone Alarm and tech. support was good, tried installing EZ Armor in safe mode but still had BSOD'S so I chose to go to another company then discovered Grisoft's new AVG Firewall & Antivirus pack, I'm using the 30 day trial to see how I get on, it's not done too bad so far as it picked up this 'ntssf.exe' asking me whether to 'allow' of 'deny', 2nd time round I chose 'allow' as I thought it may have something to do with the firewall but how wrong was I to 'allow' it's entry..... sorry for the long post, I'm worse sending text messages!!!!! LOL

You have been fantastic..... couldn't to save my life of known anything of all this, thank you again, hope to hear from you soon.

 

No, not really... It will not disappear by itself. It may well have been replaced by a close relative bearing a different name...

It's important we get this over with in one stretch without rebooting in the mean time unless requested...

Please do the KAV scan, then run Hijack This again, and post a fresh log.

And there's no alternative to installing SP 2. Your present version of XP/IE badly needs to be patched.

As I said, you NEED to install the Service Pack AND subsequenly ALL other WU Critical Updates, or you'll continue getting infected despite your firewall/antivirus.

 

Tried to access link for scan - says page cannot be displayed, went on website to run scan that way and it wont let me scan the whole pc - is there any particular file i need to scan?
Ran hijack this again...

Logfile of HijackThis v1.99.1
Scan saved at 11:32:57, on 10/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Apps\ActivBoard\OSD.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Susan\Desktop\HijackThis.exe\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120913344531
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

 

In fact that does look better.

One thing though: I'm a little worried about this log entry that apparently refused to go:

F2 - REG:system.ini: Shell=Explorer.exe jusched.exe

Now there's a legitimate jusched.exe file which belongs to Sun Microsystem's Java2 software, but it shouldn't be in that particular location, nor have I ever seen it being launched that way.

Could I ask you to please send a copy of that C:\WINDOWS\System32\jusched.exe file to submit_stuffATxs4all.nl for analysis? (replace 'AT' by @)

We'd like to make sure it belongs on your computer!

Much appreciated

Just in case, here's how to attach a file to an email using Outlook Express

And I suggest you forget the Kaspersky scan for now. Instead, try either or both Panda Active Scan and Trend Micro Housecall

 

Tony, just ran a virus scan on 'AVG', Says 'no virus found'

While the scan was taking place another 'allow' or 'deny' came up for 'EDowst3.exe', it appeared as this;-

C:\temp\EDOWST3.EXE local host:2395
remote address: 146.82.109.210.80, connection TCP

I clicked 'deny' As I don't know what it is.

How is the HijackLog looking, have things cleared?

 

Hmm...

Please send me a copy of Jusched.exe as requested.

Then boot up into Safe Mode again, and delete the ENTIRE contents of the C:\Documents and Settings\Susan\Local Settings\Temp folder

And that EDOWST3.EXE file in the C:\Temp folder, if still there.

Reboot normally, and post a fresh Hijack This log.

 

Hi Tony, u r going to shout at me!!!! How do I access that file and send the info, do I have to go to safe mode again? I looked on the whole listing of files and there is no entry for 'jusched.exe' will it be in one of the 'java' files. I did look this info up from google yesterday and the info said it had something to do with Java and to permit it as it has to run on Windows... so I thought it was ok to 'allow'.

You are so patient....

 

I just told you how to do that:

No, jnot right away. First you send a copy of the file: C:\WINDOWS\System32\jusched.exe

As you see from that 'path' it's located in your C:\WINDOWS\System32 folder. Just follow the directions in the article to send it.

As I said before, there IS a legitimate jusched.exe file, but I'd just like to verify that that's the case here as well...

After sending the file, boot into Safe Mode again in order to delete that stuff I asked you to.

 

daughter here, mum has asked me to help. i cannot find jusched.exe as an actual file/folder. I have tried searching for it in different ways. i know how to send an attatment on e-mail - thats the easy bit lol - i just can't find that file/folder as itself, it only comes up on the highjack this scan.
thanx

 

Hi there!

The file must be there, as it is listed among the running processes. Are you sure that Hidden and Operating files ar set to show, as I explained in one of my previous posts?

Still, there's an easy way to attach a file, even if it's 'invisible':

Copy the full path to the file

C:\WINDOWS\System32\jusched.exe

Next, press the Attach button in Outlook Express. Now, do NOT try browsing to the System32 folder, but, in the Insert Attachment dialog, simply RIGHTclick in the File name box, and choose 'Paste' from the Contect menu, so that the full path gets copied into it.

Press Attach, and send the email.