ctfmona

Discussion in 'malware problems & news' started by lodore, Nov 17, 2007.

Thread Status:
Not open for further replies.
  1. lodore

  2. fcukdat

    Hi Lodore

    It might be active malware remaining or it could possibly be a system error report because the malware file has been deleted and left a vacated load value.

    If you are familiar with HiJackThis or Autoruns you could try and identify the load value and remove it. However, unless you are 100% confident in what you are doing it's best to get outside help/advice on what to remove.

    If you want to post HJT & Autoruns logs from the compromised PC across in the SAS forums I will be happy to assist in completing the clean up.
     
  3. farmerlee

  4. lodore

    Did I forget to mention the XP install is less than one week old and has Norton 2008 on it? IE7 seems to be as insecure as IE6, since the infections were ActiveX-based as far as I can tell.
    I think they are all gone now though.
    lodore
     
  5. ghiser1

    Might be a silly question, but why not use Prevx to get rid of it?
     
  6. fcukdat

    From how lodore described it, my interpretation is there is an error message at bootup (probably the winlogon stage) where the error message about a file called ctfmona.exe is displayed.

    This will be caused by the malware file having been deleted but its loading point in the registry is still in place.

    At this point this is a system error and not an active malware per se. All it needs is for the load entry to be removed and voila, no error at boot :)

    I will post up a screenshot at some point to highlight one type of such error when I get a chance.
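A read-only check for the situation described in this post (a Run value whose file has been deleted), added here as an example and not code from any poster: it walks the common Run/RunOnce keys and lists values whose target executable no longer resolves. It assumes PowerShell on the affected Windows machine and reports only; nothing is deleted.

```powershell
# Added example, not code from this thread: report Run/RunOnce "load values"
# whose target executable is gone, the orphaned-entry case described above.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Would the loader find this target? Full paths are checked directly; a bare
# name such as ctfmon.exe is resolved through PATH, as the loader does.
function Test-TargetExists([string]$path) {
    if (Test-Path -LiteralPath $path -PathType Leaf) { return $true }
    return [bool](Get-Command $path -CommandType Application -ErrorAction SilentlyContinue)
}
# Extract the executable from a Run value such as
#   "C:\Program Files\Foo\foo.exe" /silent    or    C:\Tools\ctfmona.exe -x
function Get-CommandTarget([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: Windows tries ever-longer space-delimited prefixes, so an
    # unquoted C:\Program Files\foo.exe /x still resolves if any prefix exists.
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-TargetExists $candidate) { return $candidate }
    }
    return $parts[0]   # nothing resolved: report the first token
}
function Find-OrphanAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = ([string]$item.GetValue($name)).Trim()
            if (-not $cmd) { continue }
            $target = Get-CommandTarget $cmd
            if (-not (Test-TargetExists $target)) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Target = $target }
            }
        }
    }
}

Find-OrphanAutoruns | Format-Table -AutoSize
```

This only reads the Run/RunOnce keys; Autoruns, mentioned earlier in the thread, covers the many other load points (Winlogon, services, browser helpers), so an empty result here does not mean no orphaned entry exists.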
     
  7. fcukdat
