HELP! Win32:Trojan-Gen virus detected

Hi everyone, I’m new here, and very computer UNsavvy. The last few days while running a scan, it tells me I have 5 Win32:Trojan-Gen viruses. I am unable to move them to the chest, repair or delete them. It says the system cannot find the file specified. I believe I still have the virus, even if the program removed it, because it still keeps coming up that a virus has been found. What can I do to rid my computer of this trojan? I use the Avast Free version.

Any help would be greatly appreciated so I don’t have to run off to a virus removal computer store and spend $$$ I really don’t have to spend.

Thanks!
J

Where is the virus found? c:\windows\ ???

Have you tried the avast boot scan? (only 32-bit OS)

avast 5 boot time scan http://sites.google.com/site/spg20scottsweb/home/avast-5-boot-time-scan

Check your computer for Malware with

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
after install click update so you have latest database before scan
click the remove selected button to quarantine anything found
you may post the scan log here

I haven’t, but will try the boot scan now. Will let you know if that’s successful, and thank you for your help!

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

You could enable a boot time scan. From the avastUI, Scan Computer, Boot-time Scan, Schedule Now button and reboot.

Look in the C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\aswBoot.txt file, check this file using notepad for info on the scan/detections, etc.

Well, I’m not sure whether this belongs here but I have come across a similar problem. I use a custom memory scan which shows that ctfmon.exe process is infected with the above mentioned Win32:Trojan-gen; looks something like this *PROCESS\678\cftmon.exe\400000\6000\cftmon.exe Severity High Threat: Win32:Trojan-gen…
Anyway, ctfmon.exe could end up being infected with Trojans and Worms, although the infected file would probably be CTFMON.EXE and be in folders other than WINDOWS\system32; AVAST boot time scan shows my system is clean, so this is probably a false positive or there is some glitch with the custom memory scan. Still, any help would be appreciated.

No it doesn’t show that ctfmon.exe is infected. What it is showing is that something loaded into that memory location by ctfmon.exe is considered infected and not the actual file/process responsible for loading it.

Under normal circumstances there wouldn’t be a memory scan, so you wouldn’t get a detection on that memory block.

So what is your Operating system (I don’t get this alert on a memory scan in XP Pro) ?

What version of avast 5 are you using (5.0.594 is the latest) ?

In your custom scan including memory, what other settings do you have ?
Memory Scan: Scan mode, Normal or High;
Sensitivity: Heuristics section, Normal or High;
Sensitivity: Sensitivity section, Test whole files enabled or not;
Sensitivity: PUP and suspicious files, enabled or not

OS is Windows XP with Service Pack 3, AVAST version is 5.0.594. Scan sensitivity is high (Heuristic sensitivity - high, Test whole files option is checked), scan priority is high - basically, rather paranoid setting - and the fact it shows there is a threat really doesn’t make any sense. Especially when Boot-time scan shows no infestation whatsoever, and other security applications e.g. Malwarebytes Anti-Malware give pretty much the same results (everything is okay, no threats detected).

I forgot to mention - “PUP and suspicious files” option is not selected, “Persistent cache option” is set to “Speed up scanning by using the persistent cache”…
Oh, “Full system scan” (with “factory” settings) and modified, custom scan (“Heuristic sensitivity” - high; “Test whole files option” is checked; “Scan areas” include “All harddisks”; “Rootkits (full scan)”…), do not show signs of any threats. However, when I add “Memory” as one of the system areas to scan (custom scan obviously; no modifications to other settings), the phantom threat reappears.

I don’t know if this helps or not, but try to see if SuperAntiSpyware will remove the virus.
You can download SuperAntiSpyware at http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html?tag=mncol

@ Coolmario88cp
No, SAS won’t help, as there is no virus as such but a detection in memory that will be loaded again by ctfmon.exe.

@ core1Snick
I don’t know why your system is acting in a way mine isn’t since we are effectively using the same OS.

I have just run a memory scan with those settings and no detection (no need for the others to test this memory detection). So I’m at a loss as to why it is happening on your system, I don’t know if any differences in OS Language would make a difference, but I doubt that.

However, ctfmon gets involved with lots of other applications, so it might be in that area, but very hard to investigate.

  • The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware, and that is a fine balance between detecting a new variant and detecting something valid as infected. So there is a possibility it may be an FP.

I will report it and see if it can be investigated as a possible false positive.

@ core1Snick I don't know why your system is acting in a way mine isn't since we are effectively using the same OS.

Well I’m not using localized version of Windows XP, so no problem there. My initial guess was it was a false positive. Guess I needed a second opinion. So, where do I report this false positive (obviously, I am an n00b on this forum, and frankly my session will soon expire so I probably don’t have enough time to search thoroughly for the corresponding topic)?

Anyway, thanks.

Hello,
you wrote process “cftmon.exe”, but in MS the filename is “ctfmon.exe”, so it looks like it is not a false positive. Malware very often uses names similar to original system files.

Milos

I will report it and see if it can be investigated as a possible false positive.

I’ve just seen this part of your post… Once again, thanks.


It is a typo. I’m quite aware that some malware exploit this - you will, more often than not, come across seemingly legit applications, codecs or some such (Win32:Trojan-gen, generic though it is, usually infests video codecs if I recall). As I said, if ctfmon.exe was truly infected, it would probably have the same name albeit written in caps, and probably be in some random windows folder. If it is legit, it would be in the WINDOWS\system32\ folder, and there would be another in the WINDOWS\system32\dllcache folder. Both copies would have the same size, date and attributes (as is the case here). This is why I think it is a false positive.
There is also a ctfmon.exe in a cab archive in MS Office cache folder - perfectly normal since the service in question is utilized by MS Office…

It isn’t a typo if you got the info from the avast alert or log file, which I presume you did and copied it into your post ?

*PROCESS\678\cftmon.exe\400000\6000\cftmon.exe Severity High Threat: Win32:Trojan-gen…

I have to admit that I missed the incorrect spelling in that file name (when I submitted a report to check it as a possible FP), or I would have queried it in the forum first. That would also account for why I couldn’t replicate the alert in my memory scan as there is no cftmon.exe on my system.

The legit file, ctfmon.exe is only in my system32 folder, having done a search for c*mon.exe which would bring up all files beginning with c, ending with mon and .exe file type. This only returns the ctfmon.exe and one unrelated file, no cftmon.exe, see image.

So you have what appears to be a suspect file (cftmon.exe) on your system that is either hidden (see ~~~~ below) or undetected. Do a search for cftmon.exe and if found, submit it to avast for analysis as a possible undetected malware sample.

Send the sample/s to avast as Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.

You could also check the offending/suspect file (assuming you find it) at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first.

- Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.
It isn't a typo if you got the info from the avast alert or log file, which I presume you did and copied it into your post ?

*PROCESS\678\cftmon.exe\400000\6000\cftmon.exe Severity High Threat: Win32:Trojan-gen…

Actually, it is a typo - I did not copy it from the alert or a log file. Being incredibly annoyed with the entire thing, I have not paid any attention to the log file or anything and simply typed the alert message without paying attention. Hence the typo.
The exact alert is:
*PROCESS\678\ctfmon.exe\400000\6000\ctfmon.exe Severity High Threat: Win32:Trojan-gen

- Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.

All done. In fact that is how my system is set.

The legit file, ctfmon.exe is only in my system32 folder

Essentially, there should be a dllcache folder present on a Windows system. It is a subfolder of system32, and it holds copies of system files.
So, a copy of ctfmon.exe should be there. If you’re using alternative file managers such as TCUP, you could use its search option.
It should show ctfmon.exe in both WINDOWS\system32 folder and WINDOWS\system32\dllcache folder.
Sorry about the typo.

Then I don’t know what is going on with your system, as this isn’t replicable on my XP SP3 system, but as I said ctfmon.exe is active with many processes. So I would suggest checking what has links to it, possibly using Process Explorer; this isn’t an area I’m very familiar with.

There is a copy in my dllcache folder (though it shouldn’t be in use). I don’t know why it wasn’t returned in the search, as I too have deselected hide system files, folders, etc. etc.

You could compare the MD5 of the two copies - You could also check the file in the dllcache folder if the MD5 is different at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page.

You could compare the MD5 of the two copies

I’ve done that already, although there was no need for that since ctfmon.exe stored in dllcache folder is basically a protected copy of the same file stored in system32 folder.
Windows File Protection scans for changes to protected system files on a regular basis, and holds copies of said files in what is basically a backup in the dllcache folder… If you used Windows Search to locate ctfmon.exe, chances are the copy stored in the dllcache folder wouldn’t be shown among the search results.

Anyway, thanks for the advice.
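Two checks from this thread, written up as an added Python example (not code from the forum, avast or Microsoft): a parser for the avast 5 memory-scan alert line quoted above (*PROCESS\pid\image\base\size\module Severity … Threat: …), a lookalike check that would have flagged "cftmon.exe" against the real "ctfmon.exe", and the MD5 comparison of the system32 file against its dllcache copy, including the case where the dllcache copy is missing. The SYSTEM_BINARIES allowlist is a constructed sample, not a complete list.

```python
import hashlib
import re
# Constructed allowlist of a few Windows XP system binaries (sample only, not complete).
SYSTEM_BINARIES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

# Alert shape quoted in the thread: *PROCESS\<pid>\<image>\<base hex>\<size hex>\<module> Severity <lvl> Threat: <name>
ALERT_RE = re.compile(
    r"^\*PROCESS\\(?P<pid>\d+)\\(?P<image>[^\\]+)\\(?P<base>[0-9A-Fa-f]+)\\(?P<size>[0-9A-Fa-f]+)\\"
    r"(?P<module>\S+)\s+Severity\s+(?P<severity>\w+)\s+Threat:\s*(?P<threat>[^\s…]+)"
)

def parse_memory_alert(line):
    """Split one avast memory-scan alert line into fields; base and size are hex in the alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["base"] = int(d["base"], 16)
    d["size"] = int(d["size"], 16)
    d["image"] = d["image"].lower()
    return d

def _one_edit_apart(a, b):
    """True for a single substitution, insertion, deletion or adjacent swap (cftmon/ctfmon)."""
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        return len(diffs) == 1 or (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                                   and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    if abs(len(a) - len(b)) == 1:
        short, long_ = sorted((a, b), key=len)
        return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))
    return False

def lookalike_of(name, known=SYSTEM_BINARIES):
    """Return the system binary `name` mimics (e.g. cftmon.exe -> ctfmon.exe); None if exact or unrelated."""
    name = name.lower()
    if name in known:
        return None
    return next((k for k in sorted(known) if _one_edit_apart(name, k)), None)

def compare_protected_copy(live, cache):
    """Compare a system32 file with its dllcache backup (both as bytes; cache is None when absent).
    Returns (status, live_md5, cache_md5) with status 'match', 'mismatch' or 'no_cache'."""
    live_md5 = hashlib.md5(live).hexdigest()
    if cache is None:
        return "no_cache", live_md5, None
    cache_md5 = hashlib.md5(cache).hexdigest()
    return ("match" if cache_md5 == live_md5 else "mismatch"), live_md5, cache_md5
```

A "mismatch" or "no_cache" result is the case worth submitting to VirusTotal or the avast chest; a "match" with an unsigned but Microsoft-versioned file points back towards a false positive in the memory signature.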

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is some basic info regarding the sample itself and its last analysis:
MD5: 5f1d5f88303d4a4dbc8e5f97ba967cc3
(5F1D5F88303D4A4DBC8E5F97BA967CC3 - ctfmon.exe in WINDOWS\system32 folder
5F1D5F88303D4A4DBC8E5F97BA967CC3 - ctfmon.exe in WINDOWS\system32\dllcache folder
no problems there)
Date first seen: 2009-02-11 23:51:11 (UTC)
Date last seen: 2010-08-13 14:00:57 (UTC)
Detection ratio: 1/41

Antivirus Version Last Update Result
AhnLab-V3 2010.08.13.00 2010.08.12 -
AntiVir 8.2.4.34 2010.08.13 -
Antiy-AVL 2.0.3.7 2010.08.11 -
Authentium 5.2.0.5 2010.08.13 -
Avast 4.8.1351.0 2010.08.13 -
Avast5 5.0.332.0 2010.08.13 -
BitDefender 7.2 2010.08.13 -
CAT-QuickHeal 11.00 2010.08.13 -
ClamAV 0.96.0.3-git 2010.08.13 -
Comodo 5727 2010.08.13 -
DrWeb 5.0.2.03300 2010.08.13 -
Emsisoft 5.0.0.37 2010.08.13 -
eSafe 7.0.17.0 2010.08.12 Win32.Banker
eTrust-Vet None 2010.08.13 -
F-Prot 4.6.1.107 2010.08.13 -
F-Secure 9.0.15370.0 2010.08.13 -
Fortinet 4.1.143.0 2010.08.13 -
GData 21 2010.08.13 -
Ikarus T3.1.1.88.0 2010.08.13 -
Jiangmin 13.0.900 2010.08.13 -
Kaspersky 7.0.0.125 2010.08.13 -
McAfee 5.400.0.1158 2010.08.13 -
McAfee-GW-Edition 2010.1 2010.08.13 -
Microsoft 1.6004 2010.08.13 -
NOD32 5364 2010.08.13 -
Norman 6.05.11 2010.08.13 -
nProtect 2010-08-13.01 2010.08.13 -
Panda 10.0.2.7 2010.08.13 -
PCTools 7.0.3.5 2010.08.13 -
Prevx 3.0 2010.08.13 -
Rising 22.60.04.04 2010.08.13 -
Sophos 4.56.0 2010.08.13 -
Sunbelt 6728 2010.08.13 -
SUPERAntiSpyware 4.40.0.1006 2010.08.13 -
Symantec 20101.1.1.7 2010.08.13 -
TheHacker 6.5.2.1.347 2010.08.13 -
TrendMicro 9.120.0.1004 2010.08.13 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.13 -
VBA32 3.12.14.0 2010.08.13 -
ViRobot 2010.8.9.3978 2010.08.13 -
VirusBuster 5.0.27.0 2010.08.13 -
Additional information
MD5 : 5f1d5f88303d4a4dbc8e5f97ba967cc3
SHA1 : 99cb7370f16773c8e2d0c86fe805ec638ab126e9
SHA256: 5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1
ssdeep: 192:W6hGoc4F/MNhlYWpjZ+o7NpO7MIl8SVPTI7mW7rOi7oLG9lMnjmxAITljrUFE3W3:FA1Eo7NY8MPTIaW7/lumxlJlWDlgW
File size : 15360 bytes
First seen: 2009-02-11 23:51:11
Last seen : 2010-08-13 14:00:57
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher…: Microsoft Corporation
copyright…: (c) Microsoft Corporation. All rights reserved.
product…: Microsoft_ Windows_ Operating System
description…: CTF Loader
original name: CTFMON.EXE
internal name: CTFMON
file version.: 5.1.2600.5512 (xpsp.080413-2105)
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned
PEiD: -
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x2E35
timedatestamp…: 0x48025356 (Sun Apr 13 18:39:18 2008)
machinetype…: 0x14C (Intel I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x2AB8, 0x2C00, 6.75, 414ce647d4328e7513d4155b1a2c9499
.data, 0x4000, 0x210, 0x200, 1.07, bd8c5cd346a9f53dc0dbc69260ab2240
.rsrc, 0x5000, 0x870, 0xA00, 3.85, 421ca88053c2138f828a915f2a95d754
ThreatExpert:
http://www.threatexpert.com/report.aspx?md5=5f1d5f88303d4a4dbc8e5f97ba967cc3
Symantec reputation:Suspicious.Insight


These are some of the results. I know already that ctfmon.exe is completely clean, so my conclusion would be that the detected threat is actually a false positive. Just to be sure, I will also check (and recheck) if there are any glitches with this particular custom scan (custom memory scan). Damn, a lot of frustration, and in the end it will probably be nothing.