Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pwsteal.raidys


  • Please log in to reply
4 replies to this topic

#1 Geoff777

Geoff777

  • Members
  • 235 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:05:33 AM

Posted 14 November 2006 - 12:00 PM

Hi all,

I have this pain in the neck trojan that l cannot get rid of!
I have scanned with the following: kaspersky ( can't find it)
Housecall (can' find it)
Pandascan (found it but you have to buy it to delete anything!!)

It runs the file ctfmon.exe from startup
I can delete it from startup using CCleaner, but on reboot it's back in start up again.
If l go into regedit l cannot find the registry entry to deleteit.
I am all out of ideas now. does anyone know of a removal tool for this little $*%%

The start up item is ctfmon.exe AND the filename is ctfmon.exe

Many thanks
Geoff

BC AdBot (Login to Remove)

 


m

#2 Geoff777

Geoff777
  • Topic Starter

  • Members
  • 235 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:05:33 AM

Posted 15 November 2006 - 10:48 AM

Hi all,

cleaned it :thumbsup:
using the advice given on here.
Many thanks
Geoff

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:33 AM

Posted 16 November 2006 - 10:50 AM

Hello Geoff777

PWSteal.Raidys

...is a Trojan horse that attempts to steal confidential information and opens a back door on the compromised computer. The Trojan also uses rootkit capabilities to hide its process in memory.

secunia.com

The backdoor Trojan that infected your system was very dangerous. If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately. You should consider them to be compromised. I suggest you change them by using a different computer and not the infected one. Banking and credit card institutions should be notified of the possible security breech. Because your computer was compromised by a remote attacker please read Danger: Remote Access Trojans and How to report ID theft, fraud, drive-by installs, hijacking and malware.

If your sure your system is clean, you should SET A NEW RESTORE POINT to prevent reinfection from an old restore point. Any malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to set a new RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 Geoff777

Geoff777
  • Topic Starter

  • Members
  • 235 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:05:33 AM

Posted 17 November 2006 - 02:57 AM

Hi Quietman,

Thanks for the info.

I am now wondering if l have cleared it.

When l start up some of the icons on the desktop tend to flicker and move position.

In CCleaner startup each time l have the program ctfmon.exe in the file C:\system32\ctfmon.exe.
initially l thought this was the nasty and ran all sorts of scans, but none could find it?

Then l disabled ctfmon as per the instructions on Microsoft's website.

ctfmon.exe disappeared then, so l assumed all was ok.

The computer then was really slow and the fan was almost always on.

My wife (her computer) complained of programs slowing, not loading correctly and not closing correctly.

I uninstalled Microsoft Office and re-installed it.

ctfmon.exe is now back in startup. The computer seems ok, except for the icon problem?

Any ideas please?? I turned off system restore a long time ago. And have not turned it back on yet.

Many thanks
Geoff

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:33 AM

Posted 17 November 2006 - 07:06 AM

The legit Ctfmon.exe is installed by Microsoft Office and provides alternative user input features. If disabled and then you reinstall MS Office, this process will re-appear on the next startup.

PWSteal.Raidys is a nasty infection. It overwrites userinit.exe and ctfmon.exe and uses rootkit techniques by creating win_rar.dll and raid.sys files on your system.

Its probably best have a deeper look at your system by creating a hijackthis log. Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. About half way down are instructions for downloading HijackThis and creating a log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and complicate the malware removal process.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users