Every time my friend logs on to his computer he gets a message about ctfmona, which according to Prevx is a Trojan.Nudos. Link: http://www.prevx.com/filenames/X2371345958929863758-X1/CTFMONA.EXE.html Anyone know a tool which can get rid of it? He has already scanned with SUPERAntiSpyware and it found and got rid of like 5 trojans. lodore
Hi Lodore. It might be active malware remaining, or it could possibly be a system error report because the malware file has been deleted and left a vacated load value. If you are familiar with HijackThis or Autoruns you could try to identify the load value and remove it. However, unless you are 100% confident in what you are doing, it's best to get outside help/advice on what to remove. If you want to post HJT & Autoruns logs from the compromised PC across in the SAS forums, I will be happy to assist in completing the clean-up.
Format c: will get rid of it, and everything else. But seriously, RegRun claims to be able to remove it; you could install the trial version and hopefully remove it. http://greatis.com/appdata/d/c/ctfmona.exe_Removal.htm
Did I forget to mention the XP install is less than one week old and has Norton 2008 on it? IE7 seems to be as insecure as IE6, since the infections were ActiveX based as far as I can tell. I think they are all gone now, though. lodore
From how lodore described it, my interpretation is that there is an error message at boot-up (probably the winlogon stage) where the error message about a file called ctfmona.exe is displayed. This will be caused by the malware file having been deleted but its loading point in the registry still being in place. At this point this is a system error and not active malware per se. All it needs is for the load entry to be removed and voila, no error at boot. I will post up a screenshot at some point to highlight one type of such error when I get a chance.
System error report/missing file example (Vundo trojan in this case). Error message generated during boot process >>> http://img118.imageshack.us/img118/638/nonamexy5.jpg Caused by missing file but load value still present >>> http://img515.imageshack.us/img515/8848/nozf3.jpg In this case Autoruns can be used to delete the load value and the system error is no more.
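The "load value survives, file is gone" situation described in the posts above can be checked without a third-party tool. The following PowerShell script is an added example and is not code from any of the posters or from Autoruns; it walks the common Run/RunOnce keys and the Winlogon Shell/Userinit values, recovers the executable path from each command line, and flags entries whose target no longer exists on disk. The key list and the path-parsing rules are the script's own assumptions about the common autostart locations; the registry key names themselves are standard Windows locations. It only reports and never deletes anything.

```powershell
# Added example (not from the forum thread): report autostart entries whose
# target executable is missing. A surviving load value pointing at a deleted
# file is the "system error at boot, not active malware" case described above.
# Run from an elevated PowerShell prompt so HKLM is fully readable.

# Assumed set of autostart keys to inspect (standard Windows locations).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-TargetPath {
    # Recover the executable path from a registry command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   C:\WINDOWS\ctfmona.exe
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to and including the first ".exe".
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-TargetExists {
    # Expand %SystemRoot%-style variables, then check the file. A bare name
    # (no directory) is resolved through PATH, which is how the loader finds it.
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (Test-Path -LiteralPath $expanded) { return $true }
    if (-not [System.IO.Path]::IsPathRooted($expanded)) {
        return [bool](Get-Command $expanded -ErrorAction SilentlyContinue)
    }
    return $false
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata
        $target = Get-TargetPath -Command ([string]$p.Value)
        $status = if (Test-TargetExists $target) { 'ok' } else { 'MISSING' }
        '{0,-8} {1}\{2} -> {3}' -f $status, $key, $p.Name, $p.Value
    }
}

# Winlogon Shell and Userinit are comma-separated lists and are another
# common place for a leftover load value; check them the same way.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in 'Shell', 'Userinit') {
    foreach ($entry in ([string]$wl.$name -split ',')) {
        if ($entry.Trim() -eq '') { continue }
        $target = Get-TargetPath -Command $entry
        $status = if (Test-TargetExists $target) { 'ok' } else { 'MISSING' }
        '{0,-8} Winlogon\{1} -> {2}' -f $status, $name, $entry.Trim()
    }
}
```

Anything reported as MISSING is a candidate for the stale load value behind the boot-time error; confirm the file really is gone (and was not just moved) before removing the entry, which for a Run-key value is `Remove-ItemProperty -Path <key> -Name <valuename>`. If the target file still exists, the entry is not a leftover but a live autostart, and it should be treated as potentially active malware rather than a cosmetic error.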