Author Topic: HELP! Win32:Trojan-Gen virus detected  (Read 26150 times)


HRR352

  • Guest
HELP! Win32:Trojan-Gen virus detected
« on: July 05, 2010, 04:14:17 PM »
Hi everyone, I'm new here, and very computer UNsavvy. For the last few days, while running a scan, it tells me I have 5 Win32:Trojan-Gen viruses. I am unable to move to chest, repair or delete them. It says the system cannot find the file specified. I believe I still have the virus if the program removed it because it still keeps coming up that a virus has been found. What can I do to rid my computer of this trojan? I use the Avast Free version.

Any help would be greatly appreciated so I don't have to run off to a virus removal computer store and spend $$$ I really don't have to spend.

Thanks!
J

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: HELP! Win32:Trojan-Gen virus detected
« Reply #1 on: July 05, 2010, 04:26:40 PM »
Where is the virus found, c:\windows\ ???

Have you tried the avast boot scan? (only 32bit OS)

avast 5 boot time scan http://sites.google.com/site/spg20scottsweb/home/avast-5-boot-time-scan


Check your computer for malware with

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
After install, click update so you have the latest database before the scan.
Click the remove selected button to quarantine anything found.
You may post the scan log here.
« Last Edit: July 05, 2010, 05:09:29 PM by Pondus »

HRR352

  • Guest
Re: HELP! Win32:Trojan-Gen virus detected
« Reply #2 on: July 05, 2010, 04:31:08 PM »
I haven't, but will try the boot scan now. Will let you know if that's successful, and thank you for your help!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89706
  • No support PMs thanks
Re: HELP! Win32:Trojan-Gen virus detected
« Reply #3 on: July 05, 2010, 04:37:51 PM »
What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?

You could enable a boot time scan. From the avastUI, Scan Computer, Boot-time Scan, Schedule Now button and reboot.
 
Look in the C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\aswBoot.txt file, check this file using notepad for info on the scan/detections, etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

core1Snick

  • Guest
HELP! Win32:Trojan-Gen virus detected
« Reply #4 on: August 12, 2010, 10:52:35 PM »
Well, I’m not sure whether this belongs here but I have come across a similar problem. I use a custom memory scan which shows that ctfmon.exe process is infected with the above mentioned Win32:Trojan-gen; looks something like this *PROCESS\678\cftmon.exe\400000\6000\cftmon.exe Severity High Threat: Win32:Trojan-gen…
Anyway, ctfmon.exe could end up being infected with Trojans and Worms, although infected file would probably be CTFMON.EXE and be in folders other than WINDOWS\system32; AVAST boot time scan shows my system is clean, so this is probably a false positive or there is some glitch with custom memory scan. Still any help would be appreciated.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89706
  • No support PMs thanks
Re: HELP! Win32:Trojan-Gen virus detected
« Reply #5 on: August 12, 2010, 11:40:36 PM »
No it doesn't show that ctfmon.exe is infected. What it is showing is that something loaded into that memory location by ctfmon.exe is considered infected and not the actual file/process responsible for loading it.

Under normal circumstances there wouldn't be a memory scan, so you wouldn't get a detection on that memory block.

So what is your operating system (I don't get this alert on a memory scan in XP Pro)?

What version of avast 5 are you using (5.0.594 is the latest)?

In your custom scan including memory, what other settings do you have?
Memory Scan: Scan mode, Normal or High;
Sensitivity: Heuristics section, Normal or High;
Sensitivity: Sensitivity section, Test whole files enabled or not;
Sensitivity: PUP and suspicious files, enabled or not

core1Snick

  • Guest
Re: HELP! Win32:Trojan-Gen virus detected
« Reply #6 on: August 13, 2010, 12:32:01 AM »
OS is Windows XP with Service Pack 3, AVAST version is 5.0.594. Scan sensitivity is high (Heuristic sensitivity - high, Test whole files option is checked), scan priority is high - basically, rather paranoid setting - and the fact it shows there is a threat really doesn’t make any sense. Especially when Boot-time scan shows no infestation whatsoever, and other security applications e.g. Malwarebytes Anti-Malware give pretty much the same results (everything is okay, no threats detected).

core1Snick

  • Guest
Re: HELP! Win32:Trojan-Gen virus detected
« Reply #7 on: August 13, 2010, 12:44:42 AM »
I forgot to mention - “PUP and suspicious files” option is not selected, “Persistent cache option” is set to “Speed up scanning by using the persistent cache”…
Oh, “Full system scan” (with “factory” settings) and modified, custom scan (“Heuristic sensitivity” - high; “Test whole files option” is checked; “Scan areas” include “All harddisks”; “Rootkits (full scan)”…), do not show signs of any threats. However, when I add “Memory” as one of the system areas to scan (custom scan obviously; no modifications to other settings), the phantom threat reappears.

Offline Coolmario88

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
  • Bronies make the web go round
Re: HELP! Win32:Trojan-Gen virus detected
« Reply #8 on: August 13, 2010, 12:45:43 AM »
I don't know if this helps or not, but try to see if SuperAntiSpyware will remove the virus.
You can download SuperAntiSpyware at http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html?tag=mncol
OS: Windows 11 64-bit
Webbrowser: Mozilla Firefox
PC Specs: Intel i5-12400f, Nvidia RTX 3050, 16gb ram, 1.5TB SSD(s).

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89706
  • No support PMs thanks
Re: HELP! Win32:Trojan-Gen virus detected
« Reply #9 on: August 13, 2010, 02:08:52 AM »
@ Coolmario88cp
No, SAS won't help as there is no virus as such but a detection in memory, that will be loaded again by ctfmon.exe.

@ core1Snick
I don't know why your system is acting in a way mine isn't since we are effectively using the same OS.

I have just run a memory scan with those settings and no detection (no need for the others to test this memory detection). So I'm at a loss as to why it is happening on your system. I don't know if any differences in OS language would make a difference, but I doubt that.

However, ctfmon gets involved with lots of other applications, so it might be in that area, but very hard to investigate.

- The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected. So there is a possibility it may be an FP.

I will report it and see if it can be investigated as a possible false positive.

core1Snick

  • Guest
Re: HELP! Win32:Trojan-Gen virus detected
« Reply #10 on: August 13, 2010, 12:41:48 PM »
Quote
@ core1Snick
I don't know why your system is acting in a way mine isn't since we are effectively using the same OS.

Well I’m not using localized version of Windows XP, so no problem there. My initial guess was it was a false positive. Guess I needed a second opinion. So, where do I report this false positive (obviously, I am an n00b on this forum, and frankly my session will soon expire so I probably don’t have enough time to search thoroughly for the corresponding topic)?

Anyway, thanks.

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2295
Re: HELP! Win32:Trojan-Gen virus detected
« Reply #11 on: August 13, 2010, 12:58:01 PM »
Quote
Well, I’m not sure whether this belongs here but I have come across a similar problem. I use a custom memory scan which shows that ctfmon.exe process is infected with the above mentioned Win32:Trojan-gen; looks something like this *PROCESS\678\cftmon.exe\400000\6000\cftmon.exe Severity High Threat: Win32:Trojan-gen…
Anyway, ctfmon.exe could end up being infected with Trojans and Worms, although infected file would probably be CTFMON.EXE and be in folders other than WINDOWS\system32; AVAST boot time scan shows my system is clean, so this is probably a false positive or there is some glitch with custom memory scan. Still any help would be appreciated.

Hello,
you wrote process "cftmon.exe", but the MS filename is "ctfmon.exe", so it looks like it is not a false positive. Malware very often uses names similar to original system files.

Milos

core1Snick

  • Guest
Re: HELP! Win32:Trojan-Gen virus detected
« Reply #12 on: August 13, 2010, 01:01:27 PM »
Quote
I will report it and see if it can be investigated as a possible false positive.

I’ve just seen this part of your post... Once again, thanks.



core1Snick

  • Guest
Re: HELP! Win32:Trojan-Gen virus detected
« Reply #13 on: August 13, 2010, 01:20:30 PM »
Quote
Quote from: core1Snick on Yesterday at 08:52:35 PM
Well, I’m not sure whether this belongs here but I have come across a similar problem. I use a custom memory scan which shows that ctfmon.exe process is infected with the above mentioned Win32:Trojan-gen; looks something like this *PROCESS\678\cftmon.exe\400000\6000\cftmon.exe Severity High Threat: Win32:Trojan-gen…
Anyway, ctfmon.exe could end up being infected with Trojans and Worms, although infected file would probably be CTFMON.EXE and be in folders other than WINDOWS\system32; AVAST boot time scan shows my system is clean, so this is probably a false positive or there is some glitch with custom memory scan. Still any help would be appreciated.

Hello,
you wrote process "cftmon.exe", but the MS filename is "ctfmon.exe", so it looks like it is not a false positive. Malware very often uses names similar to original system files.

Milos

It is a typo. I’m quite aware that some malware exploits this - you will, more often than not, come across seemingly legit applications, codecs or some such (Win32:Trojan-gen, generic though it is, usually infests video codecs if I recall). As I said, if ctfmon.exe was truly infected, it would probably have the same name albeit written in caps, and probably be in some random windows folder. If it is legit, it would be in WINDOWS\system32\ folder, and there would be another in WINDOWS\system32\dllcache folder. Both copies would have the same size, date and attributes (as is the case here). This is why I think it is a false positive.
There is also a ctfmon.exe in a cab archive in MS Office cache folder - perfectly normal since the service in question is utilized by MS Office...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89706
  • No support PMs thanks
Re: HELP! Win32:Trojan-Gen virus detected
« Reply #14 on: August 13, 2010, 02:27:57 PM »
It isn't a typo if you got the info from the avast alert or log file, which I presume you did and copied it into your post?

*PROCESS\678\cftmon.exe\400000\6000\cftmon.exe Severity High Threat: Win32:Trojan-gen…

I have to admit that I missed the incorrect spelling in that file name (when I submitted a report to check it as a possible FP), or I would have queried it in the forum first. That would also account for why I couldn't replicate the alert in my memory scan as there is no cftmon.exe on my system.

The legit file, ctfmon.exe is only in my system32 folder, having done a search for c*mon.exe which would bring up all files beginning with c, ending with mon and .exe file type. This only returns the ctfmon.exe and one unrelated file, no cftmon.exe, see image.

So you have what appears to be a suspect file (cftmon.exe) on your system that is either hidden (see ~~~~ below) or undetected. Do a search for cftmon.exe and if found, submit it to avast for analysis as a possible undetected malware sample.

Send the sample/s to avast as Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.

####
You could also check the offending/suspect file (assuming you find it) at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first.

~~~~
- Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.
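
The check that settled this thread (the scan entry names cftmon.exe, not the genuine ctfmon.exe) can be done mechanically. This is an added example, not part of any forum post and not Avast's code: it parses the scan entry quoted above (trailing ellipsis dropped) and flags image names within one edit or one adjacent-letter swap of a known Windows binary. The field layout of the entry, the allow-list and the second sample line are assumptions.

```python
import re

# Assumption: a short allow-list of genuine Windows image names; extend as needed.
KNOWN_SYSTEM_NAMES = {"ctfmon.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

# Assumed layout: *PROCESS\<pid>\<image>\<address>\<size>\<module> ... Threat: <name>
ENTRY = re.compile(
    r"\*PROCESS\\(\d+)\\([^\\]+)\\([0-9A-Fa-f]+)\\([0-9A-Fa-f]+)\\(\S+).*?Threat:\s*([\w:-]+)")

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposed neighbours
    return d[len(a)][len(b)]

def lookalike_of(name, max_distance=1):
    """Return the system name that `name` imitates; None if it is exact or unrelated."""
    name = name.lower()  # Windows file names are case-insensitive
    if name in KNOWN_SYSTEM_NAMES:
        return None
    for known in sorted(KNOWN_SYSTEM_NAMES):
        if osa_distance(name, known) <= max_distance:
            return known
    return None

def triage(line):
    """Parse one scan entry and report whether its image name is a near-miss."""
    m = ENTRY.search(line)
    if not m:
        return None
    pid, image, _addr, _size, _module, threat = m.groups()
    return {"pid": int(pid), "image": image, "threat": threat,
            "imitates": lookalike_of(image)}

# Entry as quoted in the thread, then a constructed entry with the genuine name.
SAMPLE = r"*PROCESS\678\cftmon.exe\400000\6000\cftmon.exe Severity High Threat: Win32:Trojan-gen"
CONSTRUCTED = r"*PROCESS\912\ctfmon.exe\400000\6000\ctfmon.exe Severity High Threat: Win32:Trojan-gen"

if __name__ == "__main__":
    for entry in (SAMPLE, CONSTRUCTED):
        print(triage(entry))
```

A name match alone does not clear a process: the file's location and a hash or signature check still apply, as the replies above point out.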