ctfmons.exe - Dangerous
Ctfmons.exe is a Trojan/Backdoor. We suggest that you remove ctfmons.exe from your computer as soon as possible.
Manual removal instructions:
Kill the process ctfmons.exe and remove ctfmons.exe from Windows startup. Do not confuse it with the legitimate Windows component ctfmon.exe (no trailing "s") in C:\WINDOWS\system32: the malicious file is ctfmons.exe in the user's Temp folder. As the report below shows, it is dropped by the MySpeed online installer together with godeyes.exe, a rundll32 startup entry that loads RunMs.tmp, and the tap0801 driver service.
Antivirus Report of ctfmons.exe:
File: MySpeed_Onlineinstaller_wz_1003.exe
Classification:
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.07.25 Win32:Trojan-gen {Other}
BitDefender 7.2 2009.07.26 -
Comodo 1767 2009.07.26 -
K7AntiVirus 7.10.802 2009.07.25 -
Microsoft 1.4903 2009.07.25 -
NOD32 4278 2009.07.26 -
Symantec 1.4.4.12 2009.07.26 Trojan Horse
Additional information
File size: 1005096 bytes
MD5 : 8573f0453c2f7f23da34e4bc386beacb
SHA1 : c0de2f904e65e504aa291d81837b3c4b0782245f
Installation
When the program is executed, it creates the following registry subkeys and values, files and folders:
----------------------------------
Keys deleted:0
----------------------------------
----------------------------------
Keys added:80
----------------------------------
HKLM\SOFTWARE\Microsoft\ESENT\Process\MySpeed_Onlineinstaller_wz_1003
HKLM\SOFTWARE\Microsoft\ESENT\Process\MySpeed_Onlineinstaller_wz_1003\DEBUG
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MySpeed
HKLM\SOFTWARE\Microsoft\DownloadManager
HKLM\SOFTWARE\MySpeed
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008\Linkage
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008\Ndi
...
----------------------------------
Values deleted:0
----------------------------------
----------------------------------
Values added:232
----------------------------------
HKLM\SOFTWARE\Microsoft\ESENT\Process\MySpeed_Onlineinstaller_wz_1003\DEBUG\Trace Level: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MySpeed\DisplayName: "MySpeed"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MySpeed\UninstallString: "C:\Program Files\MySpeed\uninstall.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MySpeed\DisplayIcon: "C:\Program Files\MySpeed\MySpeed.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MySpeed\DisplayVersion: "1.0.0.1"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MySpeed\URLInfoAbout: "http://www.9sv.cn"
HKLM\SOFTWARE\MySpeed\install: "C:\Program Files\MySpeed"
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008\Ndi\params\AllowNonAdmin\enum\0: "Not Allowed"
...
----------------------------------
Values modified:84
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\Ndis: 0B 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00 06 00 00 00 07 00 00 00 08 00 00 00 09 00 00 00 0A 00 00 00 0B 00 00 00
HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\Ndis: 0C 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00 06 00 00 00 07 00 00 00 08 00 00 00 09 00 00 00 0A 00 00 00 0B 00 00 00 0C 00 00 00
...
----------------------------------
Files added:9
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\ctfmons.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\godeyes.exe
C:\Program Files\MySpeed\myspeed.reg
C:\WINDOWS\inf\oem8.inf
C:\WINDOWS\inf\oem8.PNF
C:\WINDOWS\system32\drivers\tap0801.sys
C:\WINDOWS\LastGood\INF\oem8.inf
C:\WINDOWS\LastGood\INF\oem8.PNF
C:\WINDOWS\RunMs.tmp
----------------------------------
Files [attributes?] modified:1
----------------------------------
C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TimeStamp
----------------------------------
Folders added:3
----------------------------------
C:\Program Files\MySpeed
C:\WINDOWS\LastGood
C:\WINDOWS\LastGood\INF
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Total changes:409
----------------------------------
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:
Item Name: RunMs
Author: Unknown
Related File: rundll32 RunMs.tmp RunMs
Type: Registry Run
After first reboot detected by RegRun Reanimator:
Item Name: RunMs
Author:
Related File: rundll32 RunMs.tmp RunMs
Type: Registry Run
Removal Results: Success
Number of reboots: 2
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator in Deep Level Scan mode:
Item Name: tap0801.sys
Author: The OpenVPN Project
Related File: C:\WINDOWS\SYSTEM32\DRIVERS\TAP0801.SYS
Type: Drivers
Item Name: tap0801
Author:
Related File: system32\DRIVERS\tap0801.sys
Type: Services detected by Partizan
Removal Results: Success
Number of reboots: 1
-------------------------------------------------------------------------------------
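As an added example, not code from the original page or from the RegRun/UnHackMe authors, the following PowerShell script turns the indicators recorded above (the installer hashes, the ctfmons.exe and godeyes.exe processes in Temp, the "rundll32 RunMs.tmp RunMs" startup value, the tap0801 driver service and the dropped files) into a triage pass that optionally performs the manual removal. It assumes an elevated PowerShell 4.0 or later session (for Get-FileHash); the installer location in $InstallerPath and the -Remove switch are assumptions of the example, not anything the report states.

```powershell
# Added example; not code from the original page nor from the RegRun/UnHackMe authors.
# Triage and manual cleanup for the MySpeed / ctfmons.exe indicators in the report above.
# Assumptions: elevated PowerShell 4.0+ (Get-FileHash), %TEMP% and %SystemRoot% mapping to
# the paths in the report, and a hypothetical installer location in $InstallerPath.
# Without -Remove the script only reports what it finds.
param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\MySpeed_Onlineinstaller_wz_1003.exe",
    [switch]$Remove
)

# Hashes of the analysed sample as listed in the report; used to confirm a download is that file.
$KnownMD5  = '8573f0453c2f7f23da34e4bc386beacb'
$KnownSHA1 = 'c0de2f904e65e504aa291d81837b3c4b0782245f'
if (Test-Path -LiteralPath $InstallerPath) {
    $md5  = (Get-FileHash -LiteralPath $InstallerPath -Algorithm MD5).Hash
    $sha1 = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA1).Hash
    if ($md5 -ieq $KnownMD5 -and $sha1 -ieq $KnownSHA1) {
        Write-Warning "$InstallerPath matches the reported sample (MD5 and SHA1)"
    } else {
        Write-Output "$InstallerPath is present but its hashes differ from the reported sample"
    }
}

# 1. Processes. The dropped binaries run from the user's Temp folder. The legitimate
#    ctfmon.exe (no trailing 's') in %SystemRoot%\system32 is deliberately not matched.
foreach ($p in (Get-Process -Name ctfmons, godeyes -ErrorAction SilentlyContinue)) {
    Write-Warning ("Running: {0} (PID {1}) path={2}" -f $p.ProcessName, $p.Id, $p.Path)
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Startup. The report shows a Run value executing "rundll32 RunMs.tmp RunMs".
#    rundll32 loading a module that is not a .dll is the generic signal; RunMs is the
#    specific name. Both HKLM and HKCU are checked because the report names neither hive.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$psMeta  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psMeta -contains $prop.Name) { continue }
        $cmd = [string]$prop.Value
        # Module is either a quoted path or the first token after rundll32 (up to ',' or space).
        if ($cmd -match '(?i)rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^,\s]+))') {
            $module = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
            if ([IO.Path]::GetExtension($module) -ine '.dll' -or $module -match '(?i)RunMs') {
                Write-Warning "Suspicious Run value '$($prop.Name)' in $key : $cmd"
                if ($Remove) { Remove-ItemProperty -Path $key -Name $prop.Name }
            }
        }
    }
}

# 3. Driver service. tap0801 is the OpenVPN TAP adapter (see the "Author" line above);
#    it is an indicator here only because MySpeed installed it. Leave it alone if OpenVPN
#    is legitimately installed. Kernel drivers are not listed by Get-Service, so the
#    service key is checked directly and sc.exe is used for stop/delete.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\tap0801'
if (Test-Path $svcKey) {
    $image = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    Write-Warning "Service tap0801 present, ImagePath=$image"
    if ($Remove) {
        sc.exe stop tap0801   | Out-Null
        sc.exe delete tap0801 | Out-Null
    }
}

# 4. Dropped files from the "Files added" list. oem8 is the INF number this run produced;
#    on another machine the TAP INF may have been assigned a different oemN number.
$dropped = @(
    "$env:TEMP\ctfmons.exe",
    "$env:TEMP\godeyes.exe",
    "$env:SystemRoot\RunMs.tmp",
    "$env:SystemRoot\system32\drivers\tap0801.sys",
    "$env:SystemRoot\inf\oem8.inf",
    "$env:SystemRoot\inf\oem8.PNF",
    "$env:ProgramFiles\MySpeed\myspeed.reg"
)
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        Write-Warning "Found dropped file: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force -ErrorAction Continue }
    }
}
```

Run it once without -Remove to see what is present, then with -Remove, reboot and run it again: the report above shows the RunMs startup entry being detected again after the first reboot, and two reboots were needed before RegRun reported success, so a single pass should not be trusted. The hash check only confirms that a file on disk is the same sample that was analysed; a repackaged installer will have different hashes while dropping the same files.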
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since that time I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company, and you can ask me directly if you have any questions.