Author Topic: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....  (Read 11915 times)

Lateral
Re: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....
« Reply #15 on: May 05, 2012, 08:21:04 AM »
Thanks SpeedyPC

I am aware of what ctfmon does but am concerned that it may actually be a virus due to the following:

1. Avast detected it as a virus via a memory scan.
2. Virustotal detected it as the Win32.Banker virus that causes the types of problems we have been experiencing over the last few weeks with my wife's internet banking password being stolen and used fraudulently.
3. I don't really think the above is a coincidence :)

Thanks
Best Regards
Greg

essexboy
« Reply #16 on: May 05, 2012, 12:57:03 PM »
Hi, did you do a clean install of Office or did you transfer the old data via USB or CD?

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Allow the installation of the recovery console
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

DavidR
« Reply #17 on: May 05, 2012, 01:31:54 PM »
Quote
Hi David

Virustotal IS detecting that ctfmon.exe contains the Win32.Banker virus......it is saying that Esafe is detecting it.

Regards
Greg

When only 1 of the VT scanners detects anything, it is highly likely that it is an FP. Given that this detection is by esafe, which appears to have a high degree of FPs, I would ignore its detection when the better known AV scanners find nothing.

There are exceptions to this rule of thumb, but I don't think that is the case here.

@@@@
As I have said the alert in avast isn't on ctfmon.exe but a memory block that it loaded into memory and you can't upload a memory block to VT to be scanned. So effectively any scan on ctfmon.exe is invalid as that isn't what avast is alerting on.

Save yourself a boatload of grief and do as suggested: don't scan memory on a custom scan.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

bob3160
« Reply #18 on: May 05, 2012, 01:40:18 PM »
Quote
Save yourself a boatload of grief and do as suggested: don't scan memory on a custom scan.

Why does it take a sledgehammer to convince some people??? (No offense meant, but David is right: save yourself a whole lot of work.)
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Nesivos

« Reply #19 on: May 05, 2012, 10:26:46 PM »
ctfmon can be either a valid program, in XP, or malware. Check the file's Properties to see where it is located and if it has a proper Digital Signature. Also check the Timestamp and Details, both in Properties, on each computer to see if they make sense.

ctfmon files have been known to become corrupt, which could be creating your problem.
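
The checks suggested in the reply above (file location, digital signature, timestamps), scripted in PowerShell so the output from PC#1 and PC#2 can be compared side by side. This is an added example, not part of the original thread; it assumes PowerShell 4.0 or later, which a stock Windows XP install does not have. It inspects the file on disk only, not a block of process memory.

```powershell
# Added example: inventory every ctfmon.exe on the system drive and the
# ctfmon processes currently running. Run on each PC and compare the output.
$expected = Join-Path $env:SystemRoot 'System32\ctfmon.exe'

# 1. Files on disk. Legitimate copies live under %SystemRoot% (System32 and
#    servicing/cache folders); a copy anywhere else deserves a closer look.
$files = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'ctfmon.exe' `
             -Recurse -Force -ErrorAction SilentlyContinue

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path         = $f.FullName
        UnderWindows = $f.FullName.StartsWith($env:SystemRoot,
                           [StringComparison]::OrdinalIgnoreCase)
        # Status is Valid, NotSigned, HashMismatch, ... Many Windows system
        # files are catalog-signed; on PowerShell versions that do not consult
        # security catalogs a genuine file can show NotSigned, so treat
        # NotSigned as "check further", not as proof of tampering.
        SigStatus    = $sig.Status
        Signer       = if ($sig.SignerCertificate) {
                           $sig.SignerCertificate.Subject
                       } else { $null }
        Created      = $f.CreationTime
        Modified     = $f.LastWriteTime
        FileVersion  = $f.VersionInfo.FileVersion
        # Identical OS build and patch level on both PCs should give the
        # same hash for the System32 copy.
        SHA256       = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
$report | Format-List

# 2. Running ctfmon processes and the image each one was started from.
#    ExecutablePath can be empty when the shell is not elevated.
Get-CimInstance Win32_Process -Filter "Name = 'ctfmon.exe'" |
    Select-Object ProcessId, ExecutablePath,
        @{ Name = 'IsExpectedPath'
           Expression = { $_.ExecutablePath -eq $expected } }
```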

DavidR
« Reply #20 on: May 05, 2012, 10:50:26 PM »
@ Nesivos
You are losing the point: avast isn't alerting on ctfmon.exe (so file signature, etc. are irrelevant); this is an anomaly of having created a custom scan and electing to scan memory.

Lateral
« Reply #21 on: May 06, 2012, 01:27:33 AM »
Hi everybody

Thanks again for all of your help. It is very much appreciated.

Bob3160, you need to understand that we have been hit twice with the same issue and have had more than $6,000 taken from our bank accounts, so you might appreciate that I am somewhat nervous about ensuring that the problem has been fixed. :)

Essexboy, I have run ComboFix and have attached the log file. I reinstalled Windows XP and Office 2003 Small Business from the original CDs and simply copied the PST file and other documents from the old PC to the new PC (PC1).

Thanks again
Regards
Greg

essexboy
« Reply #22 on: May 06, 2012, 02:14:50 PM »
It is always better to be sure than sorry.

As it stands at the moment, I can see no evidence of a keylogger or malware.

Is the computer behaving properly, with no weird happenings?

Lateral
« Reply #23 on: May 06, 2012, 11:25:33 PM »
Hi Essexboy

Thanks for taking the time to help me.

The PC (PC1) is behaving properly with no "weird" things happening.....so I guess we close this issue and move on!

Thanks again for everybody's help and input.

My last question relates to protecting us as much as possible whilst we are banking online. As we do a lot of online banking, is there anything that I need to "turn on" or configure in Avast to make our protection as strong as possible??? Is Safezone the answer and do I need to do anything to set it up???

Regards
Greg
« Last Edit: May 06, 2012, 11:32:10 PM by Lateral »

essexboy
« Reply #24 on: May 06, 2012, 11:47:27 PM »
Safezone is only available with the Pro and AIS versions.

Using that will isolate all banking data from the rest of your system.

Lateral
« Reply #25 on: May 07, 2012, 02:08:19 AM »
I am using Avast Internet Security so therefore we should do the following?:

1. Configure AIS so that all of the installed browsers (IE, Firefox etc) are started in their own Sandbox
2. If we do #1, do we still need to use Safezone???

Thanks
Regards
Greg
« Last Edit: May 07, 2012, 03:10:31 AM by Lateral »

essexboy
« Reply #26 on: May 07, 2012, 05:19:48 PM »
I would recommend that you use Safezone, as sandboxing is more for stopping stuff getting on to your system.

bob3160
« Reply #27 on: May 07, 2012, 05:27:33 PM »
Quote
I am using Avast Internet Security so therefore we should do the following?:

1. Configure AIS so that all of the installed browsers (IE, Firefox etc) are started in their own Sandbox
2. If we do #1, do we still need to use Safezone???

Thanks
Regards
Greg

Sandboxing is designed to be run when you suspect something suspicious and you want to be sure there's nothing in that new program to harm your system.
Running something sandboxed isn't designed for everything. It does slow things down, sometimes considerably.
If it had no drawbacks, we would all be using it all the time. ;)

Lateral
« Reply #28 on: May 07, 2012, 11:07:49 PM »
Thanks Guys

I'll try both Sandbox and Safezone and see what happens.

Regards
Greg

Nesivos

« Reply #29 on: May 08, 2012, 01:04:58 AM »
Quote
@ Nesivos
You are losing the point: avast isn't alerting on ctfmon.exe (so file signature, etc. are irrelevant); this is an anomaly of having created a custom scan and electing to scan memory.

Are you saying the Custom Scan is running on one of the computers and not both? If so, I guess I missed that.

I do know that Memory Scans tend to ID a lot of stuff as Malware, e.g. SAS processes.