Malware removal

[Cage]

Hi there,

I've installed and analysed my HiJackThis! log file and I DO have an infection which has installed itself as a service onto my machine. Any ideas on how I go about removing this service?

Code:

Logfile of HijackThis v1.99.1
Scan saved at 10:56:42 AM, on 18/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\acer\Acer eConsole\MediaServerService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Acer\Acer eMode Management\AspireService.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\Acer\Acer eConsole\MediaSync.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AspireService] C:\Program Files\Acer\Acer eMode Management\AspireService.exe
O4 - HKLM\..\Run: [MediaSync] C:\Program Files\Acer\Acer eConsole\MediaSync.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\acer\Acer eConsole\MediaServerService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: JVFCP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ACER\LOCALS~1\Temp\JVFCP.exe

[Ruby]

Welcome to HijackThis.de @ Cage

Please load down the windatfindbat of Karl83. Double-click onto this file, now you will see a DOS Window. A new report-file will be created under C:\
Please copy and paste the last 30 days of this file to your thread.

C:\
C:\%WinDir%\%System%
C:\%WinDir%
C:\%WinDir%\TEMP

Note:
%WinDir%, %System% are variable (?). By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

[Cage]

Thanks, I apologise for the delay in my reply.

Code:

 Volume in drive C is ACER
 Volume Serial Number is 320D-180E

 Directory of C:\

27/04/2006  08:22 AM                 0 dirdat.txt
27/04/2006  08:22 AM                22 windatfind.zip
27/04/2006  08:20 AM       234,278,912 hiberfil.sys
27/04/2006  08:20 AM       301,989,888 pagefile.sys
19/04/2006  03:52 PM            13,030 PDOXUSRS.NET
19/04/2006  03:50 PM               533 APD.TRC
19/04/2006  03:50 PM             7,783 APD.LOG
18/04/2006  12:23 PM               135 RootkitReveal.txt
18/04/2006  11:08 AM         1,280,000 MBSASetup-EN.msi
18/04/2006  10:56 AM             4,237 hijackthis.log
24/03/2006  10:17 AM           386,858 cpu-z-132.zip
23/03/2006  08:00 AM        12,241,103 AVG7QT.DAT
22/03/2006  02:43 PM        21,343,795 audio.zip
22/03/2006  02:39 PM        11,539,293 Chipset.zip
16/03/2006  07:58 AM               211 boot.ini
06/03/2006  11:39 PM               582 windatfind.bat
03/03/2006  05:52 PM           902,873 cpuz.exe
03/03/2006  03:10 PM             6,901 cpuz-readme.txt
03/03/2006  03:09 PM               146 cpuz.ini
02/11/2005  01:38 AM                 6 ISACER.ID
18/06/2005  09:33 AM                76 PRELOAD.AAA
18/06/2005  07:43 AM                50 AUTOEXEC.BAT
18/06/2005  07:32 AM                 0 MSDOS.SYS
18/06/2005  07:32 AM                 0 IO.SYS
18/06/2005  07:32 AM                 0 CONFIG.SYS
18/06/2005  07:08 AM               512 BOOTSECT.DOS
25/03/2005  05:08 PM            49,152 latency.exe
04/08/2004  05:00 AM            47,564 NTDETECT.COM
04/08/2004  05:00 AM           250,032 ntldr
              29 File(s)    584,343,694 bytes
               0 Dir(s)  33,786,462,208 bytes free

 Volume in drive C is ACER
 Volume Serial Number is 320D-180E

 Directory of C:\WINDOWS\system32

27/04/2006  08:21 AM               736 eRLog.ini
27/04/2006  08:20 AM             1,158 wpa.dbl
07/04/2006  05:48 AM         5,143,456 MRT.exe
30/03/2006  07:16 PM         1,492,480 shdocvw.dll
30/03/2006  11:00 AM            16,384 xpsp3res.dll
24/03/2006  06:32 AM         3,053,568 mshtml.dll
23/03/2006  06:02 AM            53,640 perfc009.dat
23/03/2006  06:02 AM           382,022 perfh009.dat
23/03/2006  06:02 AM           441,142 PerfStringBackup.INI
23/03/2006  04:57 AM                75 LuResult.txt
23/03/2006  04:19 AM           103,418 Autorun.ini
22/03/2006  03:18 PM           176,264 FNTCACHE.DAT
18/03/2006  09:09 PM           613,376 urlmon.dll

Volume in drive C is ACER
 Volume Serial Number is 320D-180E

 Directory of C:\WINDOWS

27/04/2006  08:20 AM                 0 0.log
27/04/2006  08:20 AM             3,630 ModemLog_Lucent Win Modem.txt
27/04/2006  08:20 AM             2,048 bootstat.dat
19/04/2006  03:53 PM            11,970 SchedLgU.Txt
19/04/2006  03:53 PM           688,659 WindowsUpdate.log
19/04/2006  11:53 AM               254 hpbafd.ini
18/04/2006  04:25 PM           991,941 setupapi.log
18/04/2006  10:06 AM            16,769 KB911562.log
18/04/2006  10:06 AM           123,941 comsetup.log
18/04/2006  10:06 AM            52,998 iis6.log
18/04/2006  10:06 AM           358,674 FaxSetup.log
18/04/2006  10:06 AM           137,424 tsoc.log
18/04/2006  10:06 AM            74,342 ntdtcsetup.log
18/04/2006  10:06 AM             1,374 imsins.log
18/04/2006  10:06 AM            17,507 msgsocm.log
18/04/2006  10:06 AM            19,629 ocmsn.log
18/04/2006  10:06 AM           178,862 ocgen.log
18/04/2006  10:06 AM            27,408 updspapi.log
18/04/2006  10:06 AM             1,374 imsins.BAK
18/04/2006  10:06 AM            19,005 KB912812.log
18/04/2006  10:06 AM            11,526 KB908531.log
18/04/2006  10:06 AM            10,736 KB911567.log
24/03/2006  06:05 PM               905 wiadebug.log

 Volume in drive C is ACER
 Volume Serial Number is 320D-180E

 Directory of C:\DOCUME~1\ACER\LOCALS~1\Temp

27/04/2006  08:20 AM                 0 JETB45B.tmp
27/04/2006  08:20 AM             6,760 jusched.log
19/04/2006  07:51 AM                 0 INMEM000.REM
31/03/2006  09:38 AM             1,223 logfile.txt
31/03/2006  09:33 AM             2,729 CdMkr70.ini
23/03/2006  07:54 AM            32,768 RMS7.tmp
23/03/2006  07:54 AM            32,768 RMS6.tmp
23/03/2006  07:50 AM           158,974 avg7inst.log
23/03/2006  07:28 AM            13,318 netfxupdate.log
23/03/2006  07:27 AM            17,060 netfxsl.log

I ran RootkitRevealer as well and it turned up a data mismatch between WindowsAPI and raw hive data. Should I just reformat and reinstall? I dont know if the infection came with the computer or not, this machine is only a month or two old and did not come with a true WinXP disk but rather it forced me to burn a recovery disk upon first boot.

[Ruby]

Hello Cage

Don't know which infection you have, by the moment.

You have some new malware on your system.
We need to know all about new malware to be able to help you.
That is why we ask you to scan some files online,
to put them through to our colleguas who will analyse them
and send it to the Vendors of Antivirus to add their signatures.
So, in future you and other's systems will be protected from this malware.

Make sure you set windows to see the hidden files and folders.

STEP 1
Please load this file/these files

C:\cpuz.exe
C:\latency.exe

-> up to ST-Adware-Upload
-> up to http://siri.urz.free.fr/upload/

If you need a zip-tool we suggest zipgenius (It is free).

STEP 2
Please mail this file/these files as a password protected zipfile to both these Mail Addresses:
Virus(at)protecus.de and vms(at)drweb.com (replace the (at) with @):

C:\cpuz.exe
C:\latency.exe

You may want to use the password virus.
Please add this password to your mail.
Make us know all about the results, which you will get in an backanswer per eMail.

STEP 3
Please scan this file/these files with HJT and Virustotal and/or Jotti

C:\cpuz.exe
C:\latency.exe

You will want to make us know all about the results of the scans by copy&paste (look for an example).

STEP 4
Lets have a look if you have Win32.Polipos on your system.

Please read the Instructions, save it as a txt-file or print it out, that you can also read it offline. If the Virus Win32.Polipos will be found on your system, you need to disinfect these files because your system needs them to run. You may want to delete all worms and trojans, adware and spyware, but not the files infected with Virus Win32.Polipos.

Please load down Dr.Web CureIt!
(Dr.Web Solutions, Free services).

Run it, have it save a logfile and post it.

Since you will not be able to load it down, please use an other secure Web Browser.
Please have a look here for more Information.

[Cage]

Hi,

cpuz.exe and latency.exe were unzipped by me into C:\ when checking the motherboard and ram and is not the source of the infection as far as I am aware. cpuz.exe and latency.exe are both part of the cpu-z program found at http://www.cpuid.com/cpuz.php

[Ruby]

Hello Cage

You told us that you "DO have an infection which has installed itself as a service onto my machine'. How do you know about it? Which kind of infection? Please give me some more details? How does it show up? What is happening? I need to know more about it? Did any Antivirus discover it? What did you do? Where does this infection come from?

Pease run HijackThis > Misc tools > put a checkmark to both items > make us see a full Startuplist.

I am waiting for your answers.
Thank you.

[Unregistered]

I reasoned that I had a malware/rootkit installed as I was receiving return emails that I had apparently sent spamming hosts. I investigated the matter, running first ad-aware, then spybot s & d which both returned negative.

Next, I tried running HiJackThis! and showed a service that I do not recognise which appears at the bottom of my log file.

Code:

O23 - Service: JVFCP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ACER\LOCALS~1\Temp\JVFCP.exe

Finding this, I posted on this board with the copy of the hijackthis log file. In an attempt to resolve this issue on my own, I conducted a registry search and deleted any reference to JVFCP that I could and rebooted which resulted in the service disappearing.

After performing this, I checked my forum thread and ran the windatfind program you suggested, posting the results. In hindsight I should have waited for you to reply .

To double check that the spambot was really gone, I ran a scan with rootkit revealer from Sysinternals which revealed a data mismatch in a registry key, according to their website, any occurences would indicate a rootkit.

[Ruby]

Ok Guest,

Now I have got informated in words. What do you think about showing us all these logfiles? And at which time do you think to run Dr.Web CureIt! ? May we please see all these logfiles you have got?

C:\DOCUME~1\ACER\LOCALS~1\Temp\JVFCP.exe

You can clean up this folder "Temp" using any of these Cleaning Tools.

I am waiting to see your logs.