
Question about ctfmon.exe


5 replies to this topic

#1 davour


  • Members
  • 1 posts

Posted 01 November 2011 - 01:31 PM

I have a question regarding this part of the log HijackThis produced:

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

In the StartUps list on this site, there are two entries for something similar to these: This one and this one.

How do I know if these are entries generated by Office XP or by that trojan horse?

Thanks

Edited by Orange Blossom, 02 November 2011 - 02:40 AM.
Moved to Startup Database forum. ~ OB




#2 Akashi


  • Members
  • 301 posts
  • Gender:Male

Posted 03 November 2011 - 03:59 PM

You cannot tell just by looking at that part of the HijackThis log.

The trojan you are referring to overwrites the genuine ctfmon.exe and userinit.exe files with malware files of the same name.

To tell whether a file is infected, you can upload it to an online virus scanner such as VirusTotal or VirSCAN.org.

#3 Broni


    The Coolest BC Computer


  • BC Advisor
  • 34,770 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 03 November 2011 - 04:12 PM

Comments on HJT log are not allowed outside of malware removal forum.





#4 Akashi


  • Members
  • 301 posts
  • Gender:Male

Posted 03 November 2011 - 04:18 PM

Oops, sorry about that. I won't do it again.

#5 Broni


    The Coolest BC Computer


  • BC Advisor
  • 34,770 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 03 November 2011 - 04:21 PM

No problem :)
I'm sure you simply weren't aware of it.





#6 Grinler


    Bleep Bleep!


  • Admin
  • 40,095 posts
  • Gender:Male
  • Location:USA

Posted 04 November 2011 - 09:56 PM

Akashi's answer, though, is valid. I am going to make a safe bet and tell you that the ctfmon entry is legit, but the only way to tell is to scan the file with a service like VirusTotal.
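Added here as a worked example (it is not code from any poster in this thread, nor from HijackThis or BleepingComputer): a small Python triage helper for the advice in posts #2 and #6. It parses O4 lines of the shape quoted in post #1, checks that the image sits in the directory where the genuine ctfmon.exe lives, and computes the SHA-256 of the file so you can search VirusTotal for the hash instead of uploading the file. Assumptions: the regex is derived only from the four lines in post #1, and the expected-directory table contains just ctfmon.exe (extend it for other names). The path check is deliberately only a first filter, for the reason post #2 gives: the trojan overwrites the genuine file in place, so a correct path says nothing about the bytes; the hash or a scan is what actually answers the question.

```python
"""Triage helper for HijackThis O4 autostart entries (added example, not from the thread)."""
import hashlib
import ntpath          # Windows path semantics regardless of the host running this script
import os
import re
import tempfile

# Shape of an O4 entry, taken from the four lines quoted in post #1, e.g.
#   O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
# The trailing "(User '...')" part appears only on HKUS entries.
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.+?)(?: \(User '(?P<user>[^']+)'\))?$"
)

# Directory the genuine binary is expected in (assumption: only ctfmon.exe is tabled here).
EXPECTED_DIR = {"ctfmon.exe": r"\system32"}


def parse_o4_line(line):
    """Return a dict for one O4 line, or None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    # The command may be quoted and may carry arguments; keep only the image path.
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split(" ", 1)[0]
    return {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
            "exe": exe, "user": m.group("user")}


def path_looks_expected(exe):
    """True if the image sits where the genuine file belongs.

    Necessary, not sufficient: the trojan described in post #2 overwrites the genuine
    file in place, so a correct path only rules out the crude 'wrong folder' case.
    """
    directory, base = ntpath.split(exe)
    expected = EXPECTED_DIR.get(base.lower())
    return expected is not None and directory.lower().endswith(expected)


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256; the hex digest is what you search for on VirusTotal."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_constructed_file(content):
    """Write constructed bytes to a temp file and return its path (stand-in for a real image)."""
    fd, path = tempfile.mkstemp(prefix="ctfmon-sample-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def triage(log_lines):
    """Parse every O4 entry, run the path check, and hash the image if it exists on this host."""
    report = []
    for line in log_lines:
        entry = parse_o4_line(line)
        if entry is None:
            continue
        entry["path_ok"] = path_looks_expected(entry["exe"])
        entry["sha256"] = sha256_file(entry["exe"]) if os.path.isfile(entry["exe"]) else None
        report.append(entry)
    return report


if __name__ == "__main__":
    # Sample input: the four O4 lines quoted in post #1 of the thread.
    SAMPLE_LOG = [
        r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
        r"O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')",
        r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')",
        r"O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')",
    ]
    for e in triage(SAMPLE_LOG):
        print(f"{e['hive']:<16} {e['name']:<12} {e['exe']:<34} path_ok={e['path_ok']} "
              f"sha256={e['sha256'] or 'file not present on this host'}")
```

Run it on the affected Windows machine (with the HJT log lines pasted into SAMPLE_LOG) so the hash column is populated; a path_ok of True with a hash that VirusTotal has never seen is exactly the case where you upload the file as post #2 suggests.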



