Author Topic: CTSysVol.exe Warning  (Read 10104 times)


AngryAmoeba

  • Guest
CTSysVol.exe Warning
« on: June 29, 2009, 09:11:37 PM »
Yesterday, my internet started going haywire. A few things worked sporadically (AIM, Last.fm scrobbler, BitTorrent) and most didn't. Windows Update couldn't connect to Microsoft, Gmail Notifier couldn't connect to Google, and Firefox, Chrome, and IE all failed to connect to webpages—including my router's config page. Any situation where some things work and some don't for no apparent reason kind of raises some flags for me. The plot thickened when I found that I could successfully ping some (not all) websites via command prompt. Rebooting solved the problem temporarily, but after a while things would break again.

I checked my processes and one in particular caught my eye. I had never seen CTSysVol.exe before and didn't know where it came from. Under normal circumstances, this is a Creative Labs volume manager. Only I've never owned a Creative Labs product, and while most people find this file in C:\Program Files\Creative, mine was in C:\Users\Username\AppData\Local\Microsoft\Windows (Vista). So I killed the process and my internet started working again without a hitch.

Avast! didn't have anything to say about this file, but I'm 99% sure it was the source of my problems. I recommend adding CTSysVol.exe to the list of potential threats.
« Last Edit: June 29, 2009, 09:14:38 PM by AngryAmoeba »

micky77

  • Guest
Re: CTSysVol.exe Warning
« Reply #1 on: June 29, 2009, 09:19:29 PM »
Can you find the file and send it here, http://www.virustotal.com/, then post the results? I would doubt that just killing the process will be enough, if it were to be malicious.
« Last Edit: June 29, 2009, 09:33:39 PM by micky77 »


Offline mkis

  • Avast Evangelist
  • Super Poster
  • Posts: 1618
Re: CTSysVol.exe Warning
« Reply #3 on: June 29, 2009, 09:54:49 PM »
Hi AngryAmoeba

Welcome to the forum

And when you locate the file, sending it through to avast would help.
You should be able to locate the file in a log, although I assume avast would be party to that log unless you also have another AV loaded onto your system, either current or from some time in the past.

1. Check the chest anyway: is it visible either in Infected files or User files?
   Right-click the file -> choose "Email to Alwil Software" -> follow the directions

The file will be uploaded to avast on the next auto update, or you can update manually.

2. Or, either from a log or still located in the system,
   send a sample to virus@avast.com
-   classify the file as undetected malware; add a link to this topic in the forum
-   zip it and password-protect it; put the password in the email body


3. I also add this, just for good measure:

You can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.


AngryAmoeba, you may have a conflict amongst resident antivirus programs on your system: avast and another AV (or several).
Most times avast would have been going off like mad under the circumstances, given the web behaviour that you describe. The other AV(s) may not be current, but made of the remains of previously loaded AV programs.
« Last Edit: June 29, 2009, 09:56:31 PM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

micky77

  • Guest
Re: CTSysVol.exe Warning
« Reply #4 on: June 29, 2009, 10:04:58 PM »
That's unusual: 2/41, almost certainly a false alarm. Except Kaspersky is probably the first one I look at. It's the best detector.
So why not post a HijackThis log: run the program, choose scan and save a logfile, then copy/paste the log here. The whole process will take 5 mins.

http://filehippo.com/download_hijackthis/
When you have posted the log, download, install, update and run these two programs: http://filehippo.com/download_malwarebytes_anti_malware/

http://filehippo.com/download_superantispyware/
Then post the logs here.
« Last Edit: June 29, 2009, 10:08:14 PM by micky77 »

AngryAmoeba

  • Guest
Re: CTSysVol.exe Warning
« Reply #5 on: June 29, 2009, 10:14:06 PM »
I added the file to the chest and uploaded it to Alwil. Sadly I already ran HijackThis and fixed the CTSysVol.exe entry without saving a log first. The entry started the process at boot. I'm still almost certain this is the culprit because after killing it via Task Manager, all of my problems disappeared and have not yet reappeared. Not to mention the fact that CTSysVol.exe is a Creative Labs executable, and I've never used one of their products. But I'll download those two programs and get back to you.

EDIT: Oh and I doubt Avast is conflicting with other AV programs because Avast was one of the first programs I installed on this system, as always.
« Last Edit: June 29, 2009, 10:21:00 PM by AngryAmoeba »

micky77

  • Guest
Re: CTSysVol.exe Warning
« Reply #6 on: June 29, 2009, 10:19:44 PM »
You may find the log in C:\Program Files\Trend Micro\HijackThis\hijackthis.log

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33913
  • malware fighter
Re: CTSysVol.exe Warning
« Reply #7 on: June 29, 2009, 10:23:11 PM »
Hi AngryAmoeba,

Can you also check the following for the flag you got from virustotal.com:
Was there not a process of that name, CTSysVol.exe, running as system/root?
Also check additionally whether you can find these (re: the so-called FP):
C:\Program Files\Mozilla Firefox\components\iamfamous.dll.vir Infected: Trojan.Win32.Agent.avjo 1
C:\WINDOWS\system32\hirisaki.dll.vir Infected: Trojan-Spy.Win32.Agent.gan 1
C:\WINDOWS\system32\khfFUmJB.dll.vir Infected: Trojan.Win32.Agent.attb 1
C:\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Downloader.Win32.Agent.auff 1

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

AngryAmoeba

  • Guest
Re: CTSysVol.exe Warning
« Reply #8 on: June 29, 2009, 10:44:00 PM »
@ polonus: I only found userinit.exe, and VirusTotal gave me a result of 0/41 for it. I'm not sure what you mean by "Can you also check the following for the flag you got from virustotal.com: Was not there a process of that name running CTSysVol.exe as system/root?"

@ micky77: Sorry, no HijackThis log from before I deleted the HKCU registry entry. But here is what Anti-Malware found (everything else says 'No malicious items detected'):

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

SuperAntiSpyware found 41 adware cookies:

Adware.Tracking Cookie
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@ads.gofuckyourself[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@imrworldwide[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@ad.yieldmanager[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@maxis.112.2o7[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@zedo[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@ads.pointroll[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@yieldmanager[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@atdmt[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@casalemedia[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@insightexpressai[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@apmebf[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@mediaplex[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@eaeacom.112.2o7[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@atwola[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@bs.serving-sys[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@zoophilestracker[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@cdn.at.atwola[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@ar.atwola[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@2o7[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@questionmarket[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@collective-media[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@adopt.specificclick[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@specificclick[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@doubleclick[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@optimize.indieclick[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@revsci[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@247realmedia[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@ads.bridgetrack[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@viacom.adbureau[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@adlegend[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@adbrite[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@serving-sys[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@at.atwola[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@media6degrees[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@overture[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@trafficmp[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@viagametrailersvideo.112.2o7[1].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@server.cpmstar[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@clicktorrent[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@advertising[2].txt
   C:\Users\Seiji\AppData\Roaming\Microsoft\Windows\Cookies\seiji@ads.realtechnetwork[1].txt

micky77

  • Guest
Re: CTSysVol.exe Warning
« Reply #9 on: June 29, 2009, 10:50:13 PM »
Well, post another HJT log. How is the PC, any problems?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33913
  • malware fighter
Re: CTSysVol.exe Warning
« Reply #10 on: June 29, 2009, 10:55:24 PM »
Hi AngryAmoeba,

So much the better. I only wanted you to check to make sure you did not have any traces of the real Trojan.Win32.Agent.avjo there, and if you cannot find these dll's, that version is not there.
The cookies must have been there courtesy of that spyware you cleansed off initially; you can delete them safely, they are only a minor threat now. Normally the file you took off is safe: Author: Creative Labs
Part of: Creative Volume Manager. Common Path(s): %programfiles%\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
But malware can pose as whatever executable, especially when it sits where that executable is not normally found.

polonus
« Last Edit: June 29, 2009, 11:01:46 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

AngryAmoeba

  • Guest
Re: CTSysVol.exe Warning
« Reply #11 on: June 29, 2009, 11:00:36 PM »
@ polonus: Thank you, I'll delete those cookies.

@ micky77: My system appears to be fine so far. No more internet trouble at all. Here is my HijackThis log. Of course the CTSysVol.exe entry is gone, and some trusted entries (like Avast) are on my ignorelist.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:24 PM, on 6/29/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\PROGRA~1\Fraps\fraps.exe
C:\Program Files (x86)\DAEMON Tools Lite\daemon.exe
C:\Program Files (x86)\iTunes\iSproggler 1.2.0\iSproggler.exe
C:\Users\Seiji\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\PreSonus\1394AudioDriver_FireBox\FireBox.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Stickies\stickies.exe
C:\Program Files (x86)\AIM6\aim6.exe
C:\Program Files (x86)\AIM6\aolsoftware.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\HijackThis\HijackThis.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O20 - AppInit_DLLs: prio.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Windows\SysWOW64\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
« Last Edit: June 29, 2009, 11:02:22 PM by AngryAmoeba »
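The signal the whole thread turns on, in AngryAmoeba's first post and again in polonus's Reply #10, is a binary carrying a known vendor's name (CTSysVol.exe, normally under %programfiles%\Creative) running from a place that vendor never installs to (a user's AppData tree), started by an HKCU Run entry. Below is an added example, not code from the thread or from any of the tools named in it, that applies that check mechanically to a HijackThis-style log: it parses the "Running processes" block and the O4 (Run keys), O20 (AppInit_DLLs) and O23 (services) entries, flags known file names found outside their expected install prefix, flags autoruns launched from user-writable directories, and flags a populated AppInit_DLLs value. The expected-location table is an illustrative assumption, and the sample log is constructed: it is abridged from the log posted above with two hypothetical lines (the CTSysVol.exe process and its HKCU Run entry) standing in for what the poster describes having found and removed.

```python
"""Triage HijackThis-style autorun and process entries for binaries that
carry a known vendor's name but run from a location that vendor never
installs to (the pattern discussed in the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Illustrative allow-list (an assumption for this example, not from the
# thread): lower-cased path prefixes where the genuine binary lives.
EXPECTED_LOCATIONS = {
    "ctsysvol.exe": [r"c:\program files\creative", r"c:\program files (x86)\creative"],
    "userinit.exe": [r"c:\windows\system32"],
    "lsass.exe": [r"c:\windows\system32"],
}

# Directory fragments a standard user can write to. An autorun entry that
# launches from one of these needs a look whatever its file name says.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\", "\\programdata\\", "\\temp\\")

# A drive- or %VAR%-rooted path ending in .exe or .dll, matched lazily so
# that command-line arguments after the binary are not swallowed.
PATH_RE = re.compile(r'((?:[a-z]:|%[a-z()]+%)\\[^"\r\n]*?\.(?:exe|dll))', re.I)


@dataclass
class Finding:
    section: str   # "process", "O4" (Run keys), "O20" (AppInit_DLLs), "O23" (services)
    path: str
    reason: str


def classify(line: str) -> Optional[str]:
    """Map a HijackThis log line to the entry types this triage inspects."""
    if line.startswith("O4 - "):
        return "O4"
    if line.startswith("O20 - AppInit_DLLs:"):
        return "O20"
    if line.startswith("O23 - "):
        return "O23"
    if re.match(r"[a-z]:\\", line, re.I):   # bare path in the "Running processes" block
        return "process"
    return None


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious property; an entry may yield several."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        kind = classify(line)
        if kind is None:
            continue
        if kind == "O20":
            dlls = line.split(":", 1)[1].strip()
            if dlls:   # AppInit_DLLs load into every process that loads user32.dll
                findings.append(Finding(kind, dlls, "AppInit_DLLs is populated; verify the publisher of each DLL"))
            continue
        m = PATH_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        expected = EXPECTED_LOCATIONS.get(name)
        if expected and not any(low.startswith(p) for p in expected):
            findings.append(Finding(kind, path, f"{name} is outside its expected location {expected}"))
        if kind == "O4" and any(mk in low for mk in USER_WRITABLE_MARKERS):
            findings.append(Finding(kind, path, "autorun launches from a user-writable directory"))
    return findings


# Constructed sample: abridged from the log posted in the thread, plus two
# hypothetical lines (the CTSysVol.exe process and its HKCU Run entry)
# reconstructing what the poster describes having found and removed.
SAMPLE_LOG = r"""
Running processes:
C:\Users\Username\AppData\Local\Microsoft\Windows\CTSysVol.exe
C:\Users\Seiji\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKCU\..\Run: [CTSysVol] C:\Users\Username\AppData\Local\Microsoft\Windows\CTSysVol.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: prio.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.path}\n    {f.reason}")
```

On the sample this reports the CTSysVol.exe process and Run entry (wrong location, and the Run entry also launches from AppData) and the non-empty AppInit_DLLs value, while GoogleUpdate.exe in AppData, SUPERAntiSpyware's Run entry and the lsass.exe service pass. A name-and-path mismatch is a lead, not a verdict: the next step is the one micky77 and mkis suggest, hashing the file and submitting it (VirusTotal, the avast chest) so the binary itself is examined. The many "(file missing)" O23 lines in the log above are the pattern commonly seen when 32-bit HijackThis runs on 64-bit Windows, where file-system redirection hides the real System32 from it; they are not evidence on their own, which is why the triage does not flag them.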

micky77

  • Guest
Re: CTSysVol.exe Warning
« Reply #12 on: June 29, 2009, 11:34:29 PM »
Well, it looks like you solved your own problem. A new virus. The only other thing I would do is a scan for a possible rootkit. This is only because this malware is virtually unknown. Please send a sample to Avast, as described by mkis.

There are many rootkit scanners

Try Avira http://www.free-av.com/en/products/4/avira_antirootkit_tool.html

Or Trend Micro http://www.trendmicro.com/download/rbuster.asp

Good night