Ctfmona


8 replies to this topic

#1 cjaye

  • Members
  • 5 posts

Posted 20 April 2008 - 07:53 PM

My sister's computer has been infected I think with the ctfmona virus. I will be the one trying to clean it up.

I'd like to at some point post a Hijack This log ( I have done this once before on a pup I had on my pc), however, when I rehook my sister's pc to the router (we had unhooked it when we discovered she had a virus), then her pc keeps rebooting until we unhook from router.

Can someone give me some ideas on how to prevent the rebooting? If I can't get on the internet through the router then I can't post a Hijack This log. The McAfee scan revealed (so far...not done scanning) that the ctfmona is in the startup processes. I am a computer programmer, so not an expert by any means, but fairly comfortable with computers.

Thank you for any help you can provide.

cjaye


#2 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Location: millenium falcon and rockytop

Posted 21 April 2008 - 09:28 AM

http://www.prevx.com/filenames/X2371345958...TFMONA.EXE.html

Sometimes it's best to stay disconnected from the internet.

Do you have an update on your progress?
Chewy

No. Try not. Do... or do not. There is no try.

#3 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,140 posts
  • Location: Virginia, USA

Posted 21 April 2008 - 11:08 AM

CTFMONA.EXE is a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms, and they steal sensitive information like passwords and personal and financial data, which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please do the following.

If your sister is using Windows 2000/XP, please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

It would be best to download SDFix from another pc and save to a flash (usb, pen, thumb, jump) drive or CD. Then transfer these programs directly to the infected computer where you can use them.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 cjaye (Topic Starter)

  • Members
  • 5 posts

Posted 21 April 2008 - 02:04 PM

Thank you for your very informative post. I have decided to just do a reformat, although I have read where wiping the harddrive clean with a reformat doesn't necessarily guarantee complete virus removal.

My other concern is, the infected computer was (I unplugged it) plugged into a router, so is it possible for any other computers in the house that are wirelessly accessing the router to also be infected?

I appreciated your help and advice.

cjaye

#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,140 posts
  • Location: Virginia, USA

Posted 21 April 2008 - 02:11 PM

That's the decision I would have made if this were my system.

Some types of malware can result in a system so badly damaged that a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over, reformatting the drive and performing a clean install of the OS removes everything and is the safest action.

In case you need help with this, please review the following links:
"How to partition and format a hard disk in Windows XP"
"How do I reinstall and reformat Windows XP on my hard drive?"

These links include step by step instructions:
"Reformat & Clean Install Windows".
"Clean Install Windows XP".
"XP Clean Install (Interactive Setup)".

If you need additional assistance with reformatting, you can start a new topic in the Windows XP Home and Professional forum.

is it possible for any other computers in the house that are wirelessly accessing the router to also be infected?

Yes, so make sure you scan them for malware and look for suspicious activity/processes.

#6 cjaye (Topic Starter)

  • Members
  • 5 posts

Posted 21 April 2008 - 02:24 PM

hmmm..guess I don't know how to reply to individual posts...maybe you can't.
Anyway, thanks also to Chewy for your post.

I went to the link Chewy put in his post and something else concerns me that I read:
Writes to another Process's Virtual Memory (Process Hijacking)
I was thinking that my sister got the virus yesterday (while visiting MySpace is when she thought she got it) and when I looked in her system32 dir for yesterday's date there were a bunch of suspicious looking files including a bitmap for the bug that crawls across her screen and a text file called Info that shows sites she's frequented with passwords/logins (banking site for one).

The curious thing is....now I'm wondering if she contracted the virus prior to yesterday because:
#1 some of the sites in the text file she did not access yesterday
#2 the "writes to another Process's Virtual Memory" thing... my sister has been getting Virtual Memory being increased messages for some time.
The weird behaviour did not start until yesterday though.

Thank you.

cjaye
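As a defender-side illustration of the triage cjaye describes above (files in System32 carrying yesterday's date, a suspicious name among the startup processes), here is an added PowerShell script. It is not part of this thread and is not code from any tool the posters mention. It assumes Windows PowerShell 3 or later, run from an administrative account on the suspect machine; the 2-day window and the list of well-known binary names it compares against are assumptions chosen for the example. It only reads: it lists recently created or written files in System32, dumps the Run/RunOnce autostart entries, and flags executables whose names are one character off a legitimate Windows binary, which is exactly the ctfmona.exe versus ctfmon.exe pattern in this thread.

```powershell
# Added example, not part of the thread: read-only triage for the situation
# described above. Lists recent files in System32, dumps Run/RunOnce autostart
# entries, and flags executables whose names are one edit away from a
# well-known Windows binary (ctfmona.exe next to the legitimate ctfmon.exe).
# Assumes Windows PowerShell 3+; the 2-day window is an assumed default.
# Nothing here deletes or modifies anything.

param(
    [int]$Days = 2,
    [string]$SystemDir = "$env:SystemRoot\System32"
)

# Well-known System32 binaries that malware commonly imitates by name
# (assumed list for this example).
$knownGood = @('ctfmon.exe', 'svchost.exe', 'explorer.exe', 'lsass.exe',
               'csrss.exe', 'winlogon.exe', 'services.exe', 'smss.exe')

# Levenshtein edit distance, used to catch one-letter lookalike names.
function Get-EditDistance([string]$a, [string]$b) {
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

# Returns the known-good name a file name imitates, or $null when the name is
# either an exact known-good name or not close to any of them.
function Get-Lookalike([string]$name) {
    if ($knownGood -contains $name.ToLowerInvariant()) { return $null }
    foreach ($good in $knownGood) {
        if ((Get-EditDistance $name $good) -eq 1) { return $good }
    }
    return $null
}

$cutoff = (Get-Date).AddDays(-$Days)

Write-Host "== Files created or written in $SystemDir since $cutoff =="
$recent = Get-ChildItem -Path $SystemDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff }
foreach ($f in ($recent | Sort-Object CreationTime -Descending)) {
    $flag = ''
    if ($f.Extension -in '.exe', '.dll', '.sys') {
        $mimic = Get-Lookalike $f.Name
        if ($mimic) { $flag = "  <-- name resembles $mimic" }
    }
    '{0,-24} {1:yyyy-MM-dd HH:mm} {2,10:N0} bytes{3}' -f $f.Name, $f.CreationTime, $f.Length, $flag
}

Write-Host "`n== Autostart entries (Run / RunOnce) =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        # Crude extraction of the executable name: first token of the command, quotes stripped.
        $exe = [System.IO.Path]::GetFileName(("$($prop.Value)" -replace '"', '').Split(' ')[0])
        $flag = ''
        $mimic = Get-Lookalike $exe
        if ($mimic) { $flag = "  <-- name resembles $mimic" }
        '{0}\{1} = {2}{3}' -f $key, $prop.Name, $prop.Value, $flag
    }
}
```

Run it as `.\Triage-System32.ps1 -Days 2` (an assumed file name). The output is a starting point for deciding what to submit for analysis, not a verdict: a legitimate Windows update can also drop freshly dated files into System32, so the date alone proves nothing, while a Run entry pointing at a near-miss of a system binary name is the kind of thing the posters above would want to see in a log before advising a wipe.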

#7 cjaye (Topic Starter)

  • Members
  • 5 posts

Posted 21 April 2008 - 02:40 PM

quietman7, I have read though that doing the reformat/repartition doesn't always totally clean a hard drive. Something about viruses can still reside in areas of sectors. Ever hear of this? Was also mentioned that it goes along the same lines as no one can rid a harddrive entirely of data without doing some other pretty tricky stuff (other than the reformat/repartition/fdisk,etc)

Thoughts??

#8 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Location: millenium falcon and rockytop

Posted 21 April 2008 - 03:19 PM

I asked something similar of the head developer for one of the leading malware scanners a few days ago

I have decided to delete the primary partition, do I need to write zeros to the drive?


he answered

If you are trying to reformat the entire system. Delete the main partition and format it NTFS. All data on that system will be lost assuming it only has 1 partition. Malware, minus very tiny exceptions, does not survive a format.


There are programs which will write zeros to the drive; all partitions are lost, and it takes forever.

You will know when you hit the tiny exception: after a clean install, when you reconnect to the internet, the infection will come right back.
Chewy


#9 cjaye (Topic Starter)

  • Members
  • 5 posts

Posted 21 April 2008 - 08:13 PM

Thanks for the info Chewy. It's somewhat reassuring among so much uncertainty.

cjaye



