Malwarebytes

CTFMON.EXE


11 replies to this topic

#1
Carey934

    New Member

  • Members
  • Pip
  • 3 posts
Found this new CTFMON.EXE in a customer's C:\Windows\System32 folder (the customer did not have MS Office, which made this file suspicious). All search results from Google, whether using IE or Firefox, have their links replaced. Very tricky!

Scanned it with four different anti-spyware utilities and two different anti-virus utilities and it comes up clean, but it is definitely NOT.

#2
Carey934

    New Member

  • Members
  • Pip
  • 3 posts
This is the file.

#3
exile360

    exile

  • Moderators
  • PipPipPipPipPipPip
  • 12,959 posts
  • Gender:Male
I've got ctfmon.exe and I don't have MS Office installed. It's been there since I installed the OS (Vista). Don't have it in XP though. But it could be from a program like Word reader or could have been installed with a game for text to speech (Unreal Tournament 2004 installs it) and it could also be from MS Works.
Samuel E Lindsey
Product Manager

Posted Image

Follow us: Twitter, Become a fan: Facebook

#4
nosirrah

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 5,158 posts
  • Location:Northampton, MA USA
http://www.virustotal.com/

Any time you have a file you are unsure of, this is the place to submit it. Your file will be scanned with at least 37 antimalware engines, so the odds of a bad file making it by all of them are quite low.
Bruce Harrison
Vice President of Research

#5
MysteryFCM

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 4,231 posts
  • Gender:Male
  • Location:Tyneside, UK
http://support.microsoft.com/kb/282599
Steven Burn
Research Engineer

#6
Chartreuse

    New Member

  • Members
  • Pip
  • 4 posts
Yes, my CTFMON.exe is definitely infected as well. Started on the 4th at 01:00 from a Tattoo graphics site popup that my daughter clicked on.

In WINDOWS/system32, sorting by date reveals that there are 5 patterned files (.exe, .dll, .dll, .dll, & a .dbl) created every time I break the randomly named .exe autorun in regedit. (And one additional set each day also??? I dunno.)

Once, after breaking this, I saw CTFMON working hard in Task Manager, and found CTFMON was inserted into HKCU.... so if it's not a bug, it's a heck of a red herring.

Poor little laptop thrashes the hard drive every 2 seconds, popups every other click or page, but ONLY when IE is up.... Warnings that my computer is infected from some mystical source, and oh yeah, NEVER actually saw JQS before, and now jqs.exe gets lots of activity too when those web pages start coming up, so I'm hoping it's not infected as well. And when I disable the Helper Add-ons in IE, 2 more pop in at boot.

ctfmon.exe
application
CTF Loader
C:\WINDOWS\system32
15,360 bytes
created: Tuesday Jan 01, 1980 1:00:00 AM
modified: Wednesday, August 04, 2004, 1:56:50 AM

...so here I go to disable CTFMON, hope that name does not morph too, ...will be hard to find again.

Thx, Christopher.
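The checks Christopher did by hand above (file size and dates, the HKCU startup entry, the IE helper add-ons) and the hash nosirrah recommends looking up on VirusTotal can be gathered in one pass. The script below is an added PowerShell example written for this thread; it is not code from the forum posts or from Malwarebytes. It assumes a current Windows host with PowerShell 4 or later (the affected machines here ran XP), and the $Path parameter, the function names and the 1990 cut-off for the timestamp check are choices of the example, not something the thread states.

```powershell
# Added triage example for this thread (not the forum's or Malwarebytes' code).
# Inspect a copy of ctfmon.exe and list startup and browser-helper entries.
# $Path is an assumed parameter; the System32 location is only the default.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32\ctfmon.exe')
)

function Get-FileTriage {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $ver  = $item.VersionInfo
    [pscustomobject]@{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        Created         = $item.CreationTime
        Modified        = $item.LastWriteTime
        MD5             = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash      # what VirusTotal keys on
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        CompanyName     = $ver.CompanyName
        Description     = $ver.FileDescription
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Test-TriageFlags {
    param([Parameter(Mandatory)]$Triage)
    $flags = @()
    # The sample in the thread carried a 1980 creation date, i.e. the FAT epoch:
    # a timestamp no normal installer writes. The 1990 cut-off is an assumption.
    if ($Triage.Created.Year -lt 1990) { $flags += 'creation-time-before-1990' }
    # Catalog-signed system files report Valid only where catalog checking is supported.
    if ($Triage.SignatureStatus -ne 'Valid') { $flags += "signature-$($Triage.SignatureStatus)" }
    if ($Triage.Signer -and $Triage.Signer -notmatch 'Microsoft') { $flags += 'signer-not-microsoft' }
    if ($Triage.CompanyName -notmatch 'Microsoft') { $flags += 'companyname-not-microsoft' }
    $flags
}

# The Run keys Christopher found the entry under (HKCU) plus the machine-wide one.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
function Get-StartupReferences {
    param([string]$Name = 'ctfmon')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
            if ("$($p.Value)" -match $Name) {
                [pscustomobject]@{ Key = $key; ValueName = $p.Name; Command = $p.Value }
            }
        }
    }
}

# IE Browser Helper Objects: each CLSID under this key resolves to a DLL in HKCR.
function Get-BrowserHelperObjects {
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        $status = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'MissingFile' }
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll; Signature = $status }
    }
}

$triage = Get-FileTriage -Path $Path
$triage | Format-List
'Flags: ' + ((Test-TriageFlags $triage) -join ', ')
Get-StartupReferences | Format-Table -AutoSize
Get-BrowserHelperObjects | Format-Table -AutoSize
```

Run it as `.\triage.ps1` for the default location or `.\triage.ps1 -Path <copy of the file>` for a sample pulled off the drive. The MD5 and SHA256 in the output are what to paste into VirusTotal; a Run-key command pointing at an unsigned binary, or a BHO whose DLL has a random name and no valid signature, is the pattern Christopher describes in this post.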

#7
Carey934

    New Member

  • Members
  • Pip
  • 3 posts

Chartreuse, on Jan 6 2009, 06:08 PM, said:

Yes, my CTFMON.exe is definitely infected as well. Started on the 4th at 01:00 from a Tattoo graphics site popup that my daughter clicked on.

In WINDOWS/system32, sorting by date reveals that there are 5 patterned files (.exe, .dll, .dll, .dll, & a .dbl) created every time I break the randomly named .exe autorun in regedit. (And one additional set each day also??? I dunno.)

Once, after breaking this, I saw CTFMON working hard in Task Manager, and found CTFMON was inserted into HKCU.... so if it's not a bug, it's a heck of a red herring.

Poor little laptop thrashes the hard drive every 2 seconds, popups every other click or page, but ONLY when IE is up.... Warnings that my computer is infected from some mystical source, and oh yeah, NEVER actually saw JQS before, and now jqs.exe gets lots of activity too when those web pages start coming up, so I'm hoping it's not infected as well. And when I disable the Helper Add-ons in IE, 2 more pop in at boot.

ctfmon.exe
application
CTF Loader
C:\WINDOWS\system32
15,360 bytes
created: Tuesday Jan 01, 1980 1:00:00 AM
modified: Wednesday, August 04, 2004, 1:56:50 AM

...so here I go to disable CTFMON, hope that name does not morph too, ...will be hard to find again.

Thx, Christopher.


Yes, there is a legitimate version of CTFMON that comes with MS Office. This customer does not have MS Office, is running XP Home, and when I allow this CTFMON.EXE file to run at startup, all of her search results from Google have the links manipulated. It's very strange. I hope the writers of Malwarebytes will detect this in the future. It's a tricky one!

#8
nosirrah

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 5,158 posts
  • Location:Northampton, MA USA
http://www.virustotal.com/

Please use this site to confirm your suspicions.
Bruce Harrison
Vice President of Research

#9
Chartreuse

    New Member

  • Members
  • Pip
  • 4 posts
Deleted/renamed the files, disabled the helpers, but it must have propagated during shutdown, for after my safe boot, 1 more .dbl & .dll in helpers in IE.... not letting me rename.

OK, in safe mode, waited until right after the programs re-propagated, then got the helpers mostly out of IE, renamed the rest, but qoMdBQHA.dll stayed allocated so I could not modify it.... pulled the battery/cord for an instant shutdown.... Can't believe I'm having to go through all this crap...

Pulled the hard drive and examined using a second PC, moved all of the system32 files that I had kept renaming, and finally had access to qoMdBQHA.dll. Moved as well.

OK, HERE'S THE WEIRD THING, may be important, maybe not:
(kept the internet disabled) ...after removing the files, when starting IE, msiexec.exe would try to 'Install premium Edition'; I continually escaped out of it. After finding a msiexec in an I386 folder (should be in system32) and renaming it, I rebooted and didn't have any more problems. wpa.dbl turned out to be the only file in system32 with a current date that was normal. It regens. CTFMON & qoMdBQHA.dll seem to be core to the problem.

Good luck, y'all,
Christopher.

#10
Raid

    Malware Researcher

  • Experts
  • PipPipPipPipPipPip
  • 1,549 posts
  • Gender:Male
  • Location:United States

Chartreuse, on Jan 6 2009, 11:48 PM, said:

Deleted/renamed the files, disabled the helpers, but it must have propagated during shutdown, for after my safe boot, 1 more .dbl & .dll in helpers in IE.... not letting me rename.

If you could provide a sample of the files to us via uploads.malwarebytes.org, we can get this issue resolved.

#11
Chartreuse

    New Member

  • Members
  • Pip
  • 4 posts
Submitted....


CTFMON got:
MD5: 24232996a38c0b0cf151c2140ae29fc8
First received: 06.16.2007 12:09:03 (CET)
Date: 04.30.2008 23:12:38 (CET) [>251D]
Results: 1/31
Permalink: analisis/d489a7d332600afda1c1f9e5043c7c6d



qoMdBQHA got:
MD5: a7a63e793afaf60928882688f09c652e
First received: 01.04.2009 03:14:10 (CET)
Date: 01.06.2009 17:33:50 (CET) [<1D]
Results: 13/38
Permalink: analisis/e3e78bd7aa897cf0d244a91b8db4d783


Both said 'already analyzed' and just regurgitated these previous reports. I don't know how to read the reports, but ......
Panda, PCTools, neither would uncover the thing, and the behavior of it being CONTINUALLY put into startup is waay suspicious, and I'm too tired to figure it out, but if you want a copy of the file, lemme know and I'll send it to you.

This took waay too long,
Christopher.
Cha.....sedragon@hotm++l.com

#12
Chartreuse

    New Member

  • Members
  • Pip
  • 4 posts
Uploaded both to Malwarebytes with 2 of the dlls.

:D
