msCMTsrvc.exe, Trojan??

Hello all.

Well I have finally got to a point where I have managed to get my system up and running again… All started with an Avast alert saying filefloppy.sys was infected… Then shortly after, a few restore points and 2 files in the system recovery partition were also infected… Needless to say I quarantined all files and did a boot time scan and the rest is history. Windows refused to load past the welcome screen, except to a black screen, and safe mode will not load. I managed to run the recovery console and repair, after which I am now able to load Windows normally but still am hanging on loading in safe mode. I was able to run a boot time scan, returning only 1 result (mscmtsrvc.exe infected with trj-gen). I’m not sure where to go from this point but 3 days later at least I’m able to boot to a desktop… I’d greatly appreciate any help.

OS: Windows XP (Now SP1 again…)
CPU: Athlon XP
AV: Reinstalled Avast 6
FWD: In the process of reinstalling Comodo…
ASW: In the process of reinstalling Spyware Blaster…

Please excuse the typos, if any, posting from phone.

EDIT:

Now that I remember, the 2 files that were flagged as trojans in the recovery partition, were named something like “AppXXXX”, where the X’s represented numbers. I was unable to find any information on these whatsoever. I kept these recovery entries quarantined, along with the filefloppy.sys and flagged infected system restore points.

Follow this guide >> http://forum.avast.com/index.php?topic=53253.0

Just be aware, since it’s Christmas, worst case scenario is someone won’t be able to read the resulting logs and tell you what to do next for a couple of days.

EDITED TO REMOVE CLUTTER

I’ve also submitted the mscmtsrvc.exe file to VT, which hits as Trojan/Malware, with only a few scanners not flagging it. After research however, it turns out this is an embedded file in the ms shell, that is specifically related to Compaq computers. “msCMTSrvc.exe”, is an application that gets bundled with a particular series of the Compaq Presario systems. msCMTSrvc is called the Content Monitoring Tool Service (CMTS). The Compaq Offer Zone, displayed on the desktop as the Hot Deals icon, uses the CMTS to update the computer when new merchandise is available for purchase by the user.

Were you using the internet at the time of infection or around the time of infection? Viruses keep getting faster and can cause much more damage than in the past. msCMTsrvc.exe is basically an Advertisement Service so it would be safe to disable it as a Service from the F8 Key on bootup. Is your computer still freezing?

I’ve always had this computer connected to the internet, behind a Personal FW, AV and router FW. And that’s just it… Is it an infection? That is the question I’ve been trying to determine. This file was bundled with the Computer from what I have found out but still gets hits from some mainstream scanners.

Refer to the following links, which I did my research from.

hxxp://windowsxp.mvps.org/mscmtsrvc.htm

hxxp://www.completepcpedia.com/fix_error_msCMTSrvc.html

I had to reformat, as after I quarantined the mscmtsrvc.exe file, along with a few restore points, my computer would not load past the POST check. It would load to where the welcome screen should have been but just sat at a black background forever, with an hourglass and no drive activity. It also would do the same thing when loading into safe mode. So I attempted a restore, which allowed me to get past the welcome screen when booting normally, however it would still seemingly load forever when trying to get into safe mode. That and I was presented with a whole new set of issues, such as programs refusing to work. Just seemed simpler imo to reformat, so I did. Haven’t had any freezes since the reformat and am able to boot into safe mode. I’m able to get into everything as should be expected booting normally and it seemed everything was fine until I installed Avast and MBAM and started running scans once all was said and done. Both hit on the mscmtsrvc.exe file (which I would expect if this was bundled with the PC) and a few restore points (which I’m assuming are snapshots of this file). I’m not sure what you mean by disabling it from the F8 key on bootup? The only known way that I can find of disabling it is as a service through services.msc.
But even if I do this, Avast and MBAM both will still find the file and flag it, disabled or not. I can try posting both the MBAM logs and OTL, however, if all it finds is the mscmtsrvc.exe and the usual system restore points, isn’t that a moot point? In the link Gargamel posted, concerning the MBAM scan, it says to check everything and allow it to remove all findings. If I do this I’m afraid I’ll end up back in the same boat, with a hung PC, as I’m not quite sure if the file being quarantined or possibly deleted caused the mess to begin with. I’m at a loss on whether I have a legitimate infection here or a FP. Should I just run the scans, delete nothing and just post the results? I apologize for ranting, but this has been one helluva pickle.

Upload the suspicious file (mscmtsrvc.exe) to www.virustotal.com and test it with 40+ malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.

Alternatives:
Jotti http://virusscan.jotti.org/en
VirSCAN http://virscan.org/
Metascan http://www.metascan-online.com/

Then follow the link / guide posted by Gargamel, and attach all logs.
Essexboy can then have a look inside…

I’ll make sure to post the results from the online scanner.

However, in regards to the link posted by Gargamel, it says in the first step of the guide, that after I run the MBAM scan,

“Make sure that everything is checked, and click Remove Selected.”

Is this a wise decision to delete the file before it has been determined whether this file is actually infected or a FP? Would it be okay to upload the logs and not delete the files just yet? MBAM has and will return the mscmtsrvc.exe file as a Trojan, as it did before and as I stated previously I’m concerned that this may have caused the problem to begin with.

Leave it unchecked for the moment and we will investigate that later.

Thanks EssexBoy.

Well I had my wife run the MBAM scan as I wasn’t near my computer. She didn’t uncheck the box and MBAM supposedly deleted the mscmtsrvc.exe file and a restore point after scanning. I just so happen to have the first log of what it found and what was obviously deleted or “disinfected” when she ran the scan. I’m attaching both logs. The first one, is the one that found the files and the second is the recent scan that removed them.

Working on OTL next…

OTL Log…

DISKMGMT Screenshot…

aswMBR Log…

I also attached a screenshot of my Virus Chest and the files that are currently quarantined. This includes the last few Avast scans that I have done over the last few days, which show the hits on the mscmtsrvc.exe file and the restore points. I also just updated the definitions again and rescanned all files and they’re still coming up infected per Avast.

Also, here is the VirusTotal scan result of the mscmtsrvc.exe file…

http://www.virustotal.com/file-scan/report.html?id=dd9e5865871e48436d4cc732181f009c58a55ecf8f01178bed78256ee20252f6-1324914721#

And just in case it doesn’t display, here’s the MD5 hash:

253b4b8cfc67d44f63e39328ab1f4682

You posted an old report (2011-08-14); you should have clicked the “rescan” button.

I did click the rescan button. The URL is current, as the file was uploaded earlier today. The MD5 hash I copied, after clicking “Show All” once the analysis was completed. It was the only reference I could find to this file. I also see I’m not the only one having an issue with links to VT… As per your post on another topic:

You Posted on topic:

http://forum.avast.com/index.php?topic=91068.0

Virus Total URL’s Posted Here seem to get broken
« Reply #2 on: Today at 10:13:01 PM »

Happens often… the best is to also post the MD5, as then we can do a search at VT.
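The advice just above (post the hash alongside the VirusTotal link, so others can search for the sample even when the permalink breaks) is easy to make repeatable. The script below is an added example, not something from this thread or from Avast: it hashes a file in chunks (so a large binary is not read into memory at once), returns the MD5, SHA-1 and SHA-256 digests that multi-engine scanners index on, builds VirusTotal lookup URLs for them, and checks a computed digest against a hash someone else reported. The VirusTotal URL patterns are the current `/gui/file/<sha256>` and `/gui/search/<hash>` forms and are an assumption about that site, not something stated in the thread; the `REPORTED_MD5` constant is the MD5 posted in this thread.

```python
"""Hash a suspect file and build scanner lookup URLs (added example, not from the thread)."""
import hashlib
import hmac
import os
import sys
import tempfile
from typing import Dict, Union

# Digests that VirusTotal and similar services let you search by.
ALGORITHMS = ("md5", "sha1", "sha256")

# MD5 reported for mscmtsrvc.exe in this forum thread (taken from the thread itself).
REPORTED_MD5 = "253b4b8cfc67d44f63e39328ab1f4682"


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return hex digests of an in-memory blob for every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: Union[str, os.PathLike], chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file on disk in fixed-size chunks; the whole file is never held in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def lookup_urls(digests: Dict[str, str]) -> Dict[str, str]:
    """Build VirusTotal lookup URLs (assumed current URL scheme, not from the thread).

    The file page is keyed by SHA-256; the search form accepts any of the three hashes,
    which is what makes posting the MD5 useful when a permalink stops working.
    """
    return {
        "vt_file": f"https://www.virustotal.com/gui/file/{digests['sha256']}",
        "vt_search_md5": f"https://www.virustotal.com/gui/search/{digests['md5']}",
        "vt_search_sha1": f"https://www.virustotal.com/gui/search/{digests['sha1']}",
    }


def matches_reported(digests: Dict[str, str], reported: str, algorithm: str = "md5") -> bool:
    """True if the locally computed digest equals a hash someone posted (case-insensitive).

    hmac.compare_digest is used so the comparison does not short-circuit on the first
    differing character; it is a habit worth keeping whenever digests are compared.
    """
    return hmac.compare_digest(digests[algorithm].lower(), reported.strip().lower())


def chunked_hash_agrees_with_whole() -> bool:
    """Self-check: write a constructed blob to a temp file and confirm hash_file == hash_bytes."""
    # Constructed sample data, deliberately larger than one chunk size used below.
    sample = b"constructed sample executable bytes\x00\x01\x02" * 5000
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        tmp_path = tmp.name
    try:
        return hash_file(tmp_path, chunk_size=4096) == hash_bytes(sample)
    finally:
        os.unlink(tmp_path)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <file-to-hash>")
    result = hash_file(sys.argv[1])
    for name, value in result.items():
        print(f"{name}: {value}")
    for label, url in lookup_urls(result).items():
        print(f"{label}: {url}")
    print("matches MD5 posted in thread:", matches_reported(result, REPORTED_MD5))
```

Run it as `python hashlookup.py C:\path\to\mscmtsrvc.exe` on a copy of the quarantined file; posting the three digests it prints gives helpers a stable way to find the sample even when the VirusTotal link itself is mangled by the forum.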

I tried resubmitting the file again and it just sits there “Queueing” forever but doesn’t get scanned. This was with my Avast shields disabled so that nothing is blocking it from being uploaded.

Okay I was finally able to have some luck with Jotti… VT, still won’t upload. Not sure if there’s too much traffic but a 15 minute wait is pretty long even for their service load… But here’s the link for Jotti’s scan:

hxxp://virusscan.jotti.org/en/scanresult/dd30a82b33fb15f1dd2230cdc5a455878593c0c6

Also, the MD5 Hash:

253b4b8cfc67d44f63e39328ab1f4682

Sort of 50-50 on that. However, Dr.Web does also detect it, so it may well be a good detection.

What problems do you have at the moment?

Thank you for your reply Essexboy.

Currently I don’t seem to be having any issues, except for the detection of that specific file (mscmtsrvc.exe) and the 2 restore points. Those seem to be the only detectable issues. I’m just not certain where to go from here… Either to disable or remove the file (mscmtsrvc.exe) and its restore points and how to do so, or to just leave it be and quarantined in the chest. I submitted this file to Avast a few updates back but it is still detected and flagged on recent updates. Unfortunately I’m not knowledgeable enough on the process to know whether it’s better to keep it or remove it, or how, and what the repercussions will be. Odd that there isn’t much background on this file or its publisher… Just that it’s used to make suggestions to the consumer of the PC of Compaq products and that it’s isolated to Compaq model PCs and the Presario line. Seems like a prime example of corporate spyware.