ctfmon.exe Hybrid + Anti-Scan sidekick

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Tantramancan, Jul 8, 2011.

  1. Tantramancan

    Tantramancan Private E-2

    Having checked on Google for all forums on Trojan ctfmon.exe I have found that there are 3 entries under that name in my PC, some lowercase and upper. I caught this virus from Facebook; AVG told me it is the latest "Babes" edition. They have had me do many scans with their tools (GMER, autoruns.exe & Anti Rootkit scan logs) and send the results, but they have not been able to help me eliminate it. THIS Hybrid seems to be different in that any AVG (Paid version) scan on the REG files individually or at start of a full scan reboots the PC, always at the same place. The same thing occurs when I try to do Reg Cleaning. I have tried RegCleaner and AML Free Registry Cleaner and prior to running a Scan I attempt a Backup as you are advised to do, but then Instantly the computer crashes to restart.
    Upon Reboot I tried ignoring the back-up and started the scan, whereupon it works speedily for about 20 seconds then crashes to restart. So the problem is definitely in the Reg Files and therefore undetectable in the AVG Scanner, which must complete its scan to list the errors. It seems to me to be a very Clever new Trojan Virus with two Parts: the Main one to feed information to the Hacker and the small one to prevent any anti-virus from finding the main one by never allowing completion of a Scan, thus revealing where the Phishing Virus is or disclosing to the average user that there is a Virus present. This can be verified by checking the scan logs: no completed Scan results for some time despite AVG set for scheduled Scans.
    I believe this small sidekick virus is in the Reg Files under the usual camouflage name of ctfmon.exe (in lower case) and at or near this file place:
    HKU\S-1-5-21-448539723-1770027372-839522115-103\Software\Microsoft\Windows\CurrentVersion\internet settings\zonemaps\EscDomains\gedichteank\www...
    Previous viruses had reg files with Identities starting with numbers HKU\S-1-5-18, but this one seems new with -21.
    The normal Microsoft file I believe is in upper case in the System folder, i.e. CTFMON.EXE.
    I have tried Scan in SAFE MODE, same result. I still cannot do a Full Scan without it rebooting soon after the start in the Reg Files.
    Regards, I Look forward to a JEDI Force solution to this problem, so I don't have to Re-Format my Windows and stop using Facebook.
    Tantramancan
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to the Malware Removal Forum.

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. Tantramancan

    Tantramancan Private E-2

    I am sending these files to you, but I am without my AVG, which I cannot download and install without Running the Defogger to enable, NOR run a SCAN on AVG to see if the original problem still exists.
    Defogger Advises that I should not enable until I have heard from you ???? Not sure what to do, STAY OFF LINE or wait online with no protection to hear from you?

    Kindest regards,
    tantramancan.

    I WILL attach FULL Report and Files NEXT for your perusal
     

    Attached Files:

    Last edited by a moderator: Jul 10, 2011
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your logs. I suggest you re-install AVG ( if you must, though I would recommend Microsoft Security Essentials ) and see what issue you still have.
     
  5. Tantramancan

    Tantramancan Private E-2

    Find attached additional files.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I repeat my last post.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    An additional comment. ctfmon.exe is a Microsoft file and yours are all valid. The Windows file system is not case sensitive. ctfmon.exe = CTFMON.EXE = CtfMon.eXe

    Your logs showed the below which are all legit:
    Code:
    ============= Finding copies of ctfmon.exe ===================================
    "E:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe" 15360 04/08/2004 13:00 
    "E:\WINDOWS\ERDNT\cache\ctfmon.exe" 15360 14/04/2008 01:12 
    "E:\WINDOWS\ServicePackFiles\i386\ctfmon.exe" 15360 14/04/2008 01:12 
    "E:\WINDOWS\system32\ctfmon.exe" 15360 14/04/2008 01:12 
     
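    The check chaslang's listing performs can be scripted so that the same sanity test is applied to any system binary that turns up in several places: every copy is compared case-insensitively (because Windows file names are), the sizes are compared against the most common one, and each copy's location is compared against a baseline of directories where the binary is expected to live. The script below is an added example written for this thread; it is not part of the MGtools output above or of any MajorGeeks tool. The sample log is the listing from chaslang's post plus one constructed outlier line, and the EXPECTED_DIRS baseline is an assumption drawn from that listing rather than a complete list of legitimate locations.

```python
"""Sanity-check multiple copies of a Windows system binary from a log listing.

Added example for this thread (not MGtools or AVG code). Parses lines shaped like
the "Finding copies of ctfmon.exe" listing, then flags copies whose size differs
from the majority or that sit outside an assumed baseline of expected directories.
"""
import re
from collections import Counter
from datetime import datetime

# One listing line: "path" size dd/mm/yyyy hh:mm
LINE_RE = re.compile(
    r'^\s*"(?P<path>[^"]+)"\s+(?P<size>\d+)\s+'
    r'(?P<stamp>\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2})\s*$'
)

# Baseline of directories (drive letter stripped, compared in upper case) taken
# from the legitimate copies in the thread's listing. Assumption for the example:
# on a real investigation build this from a known-clean machine of the same build.
EXPECTED_DIRS = (
    "\\WINDOWS\\SYSTEM32\\",
    "\\WINDOWS\\SERVICEPACKFILES\\",
    "\\WINDOWS\\$NTSERVICEPACKUNINSTALL$\\",
    "\\WINDOWS\\ERDNT\\",
)

# First four lines are the thread's own listing; the last line is a constructed
# outlier (a copy in a user profile with a different size) so the checks fire.
SAMPLE_LOG = r"""
============= Finding copies of ctfmon.exe ===================================
"E:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe" 15360 04/08/2004 13:00
"E:\WINDOWS\ERDNT\cache\ctfmon.exe" 15360 14/04/2008 01:12
"E:\WINDOWS\ServicePackFiles\i386\ctfmon.exe" 15360 14/04/2008 01:12
"E:\WINDOWS\system32\ctfmon.exe" 15360 14/04/2008 01:12
"E:\Documents and Settings\User\Application Data\CtfMon.exe" 48128 01/07/2011 22:10
"""


def same_file_name(a, b):
    """Windows compares file names case-insensitively: ctfmon.exe == CTFMON.EXE."""
    return a.casefold() == b.casefold()


def parse_log(text):
    """Return one dict per listing line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "path": m.group("path"),
            "size": int(m.group("size")),
            "mtime": datetime.strptime(m.group("stamp"), "%d/%m/%Y %H:%M"),
        })
    return entries


def audit(entries, name="ctfmon.exe"):
    """Flag copies of `name` whose size or location disagrees with the baseline."""
    copies = [e for e in entries
              if same_file_name(e["path"].rsplit("\\", 1)[-1], name)]
    if not copies:
        return {"reference_size": None, "copies": 0, "flagged": []}
    # The most common size is treated as the reference; a lone outlier stands out.
    reference_size = Counter(e["size"] for e in copies).most_common(1)[0][0]
    flagged = []
    for e in copies:
        reasons = []
        if e["size"] != reference_size:
            reasons.append("size differs from reference")
        relative = e["path"].upper().split(":", 1)[-1]   # drop the drive letter
        if not relative.startswith(EXPECTED_DIRS):
            reasons.append("outside expected Windows directories")
        if reasons:
            flagged.append({"path": e["path"], "size": e["size"], "reasons": reasons})
    return {"reference_size": reference_size, "copies": len(copies), "flagged": flagged}


if __name__ == "__main__":
    report = audit(parse_log(SAMPLE_LOG))
    print(f"{report['copies']} copies, reference size {report['reference_size']} bytes")
    for f in report["flagged"]:
        print(f"FLAG {f['path']} ({f['size']} bytes): {'; '.join(f['reasons'])}")
```

    Run against the thread's four lines alone, nothing is flagged, which is the point chaslang makes: identical size and expected locations, with case differences in the name carrying no meaning. Matching size is weak evidence on its own; when a copy is in doubt, compare its hash against a known-good copy of the same Windows build rather than relying on the listing.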
