
ctv###.exe (Worm.koobface) and Trojan horse Agent2.ZNG


by conquerer7 » November 10th, 2009, 5:04 pm

I've been searching high and low for somebody who had the same problem and luckily, somebody with the exact same problems posted a thread a week ago. (link)

My symptoms are the exact same as his. A few weeks ago, I got this nasty thing, ctv.exe (with several random numbers after the 'ctv') on my computer. Despite AVG detecting it and removing it, it would always reappear soon. I tried to remove it with a whole bunch of programs and none of them helped. It didn't appear to do anything at all, though.

Today, my computer started acting strangely, despite me not doing anything out of the ordinary the previous day. AVG detected 'Trojan horse Agent2.ZNG' on a scan, so I removed it. The computer would randomly make sounds; for example, the standard Microsoft click sound would play, and once or twice an advertisement would play (if it helps, it was an ad for Mucinex). I found over ten iexplore.exe processes in the task manager and killed them all, and the noises stopped. (That was foolish of me, but I didn't see this forum before then.) I have a feeling that next time I start the computer, though, they'll be back.

Here is the HijackThis log, thanks in advance for any help:

C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jusched .exe
C:\Program Files\Iomega\Home Storage Manager\iomega discovery.exe
C:\Program Files\WhatPulse\whatpulse.exe
C:\Program Files\WhatPulse\whatpulse .exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\RETROS~1\RETROS~1.5\retrorun.exe
C:\PROGRA~1\RETROS~1\RETROS~1.5\retrospect.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AVG\AVG8\avgupd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Kevin\yddtkg.exe \s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O2 "U2" /M "Stylus CX3800"
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 1)" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.5\RetroExpress.exe /h
O4 - HKLM\..\Run: [Iomega Home Storage Manager] C:\Program Files\Iomega\Home Storage Manager\Iomega Discovery.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [Auto EPSON Stylus CX3800 Series on M-BEDROOM-PC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P47 "Auto EPSON Stylus CX3800 Series on M-BEDROOM-PC" /O20 "\\M-BEDROOM-PC\EPSON" /M "Stylus CX3800"
O4 - HKLM\..\Run: [\\M-BEDROOM-PC\EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P41 "\\M-BEDROOM-PC\EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [ehhf] C:\WINDOWS\system32\ehhf.exe \u
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C :\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.5\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.5\retrorun.exe
O23 - Service: Remote Procedure Call (HGM) (RPCHGM) - Unknown owner - C:\Program Files\NetMeeting\secedit.exe

--
End of file - 8107 bytes

Re: ctv###.exe (Worm.koobface) and Trojan horse Agent2.ZNG

by MWR 3 day Mod » November 13th, 2009, 8:53 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the 72 hour bump room, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: ctv###.exe (Worm.koobface) and Trojan horse Agent2.ZNG

by Jack&Jill » November 14th, 2009, 11:55 am

Hello conquerer7,

Welcome to Malware Removal. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
  • Please observe and follow these Forum Rules.
  • As I am currently training at Malware Removal, it will take some time for me to go through your logs, please be patient with me.
  • Be assured that any recommendations to you will be done as soon as possible and will be approved by an expert.
  • Reply and keep only to this thread. If you have the same topic elsewhere, please inform me or the other forum so that either can be closed.
  • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  • If you have any doubts or problems during the fix, please stop and ask.
  • If you need to be away for a while during the fix, please let me know.
  • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
  • Do not use or run any tools without supervision as they may cause more harm if improperly used.
  • Please read the instructions carefully and follow them closely, in the order they are presented to you.
  • All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
  • If you do not reply within 3 days, this topic will be closed.

If you are agreeable to the above, then everything should go smoothly :). We may begin.
I am working on your log now and will be back as soon as possible.

In the meantime, please post an Uninstall list:
  • Open HijackThis.
  • Go to Open the Misc Tools section by clicking on the box.
  • Under the Systems tools, look for Open Uninstall Manager and click on it.
  • Click Save list... and save the text file in a convenient location.
  • Copy and paste the Uninstall list contents in your reply.

Also, please post back a new HijackThis log with the header included.

Re: ctv###.exe (Worm.koobface) and Trojan horse Agent2.ZNG

by Jack&Jill » November 16th, 2009, 12:03 pm

Hello conquerer7 :),

It has been 2 days since my last post. Do you still need help? Any problems following my instructions? Need more time?

If I do not get any response within the next 24 hours, this topic will be closed.

Re: ctv###.exe (Worm.koobface) and Trojan horse Agent2.ZNG

by NonSuch » November 20th, 2009, 6:17 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh DDS log, and wait for a new helper.