Malware - ctfmon.exe stack overrun, Defender/Update/MBST not working


Solved by JSntgRvr


Hi,

I ran an infected executable and now my system is compromised.  I'm writing this from Safe Mode with Networking.

I began following some of the steps in https://forums.malwarebytes.com/topic/301781-windows-update-registry-is-missing-windows-defender-disabled/ but will stop self-directed tasks now.

  1. As soon as I believed my system was compromised, I booted into safe mode with networking
  2. On reboot, I got a popup that said ctfmon.exe was detected to have "an overrun of a stack-based buffer". The popup can be closed temporarily but will reappear within a few seconds.
  3. I ran MBAM and Avast but no detection.
  4. I deleted the infected executable and went to google for assistance
  5. I attempted to open Windows Defender but was met with a black screen
  6. I attempted to open Windows Update but was met with "Something went wrong. Try to reopen Settings later."
  7. I downloaded and ran the Microsoft Safety Scanner at full scan in administrator mode; it completed and removed Trojan:Win64/TurtleLoader.SVR and HackTool:Win32/crack
  8. Rebooted into safe mode, ctfmon.exe error still occurred, defender and update still down
  9. I found the link above, downloaded the Malwarebytes Support Tool, and attempted to gather logs in admin mode.  Process completed, but no file was ever placed on my desktop.
  10. I downloaded and ran Farbar's Service Scanner in admin mode.  The results are attached.
  11. I attempted to read the results with Notepad, but got "this application cannot be started". I was also unable to open Notepad directly. I was, however, able to open it with Notepad++.
  12. I downloaded and ran SecurityCheck in admin mode.  The text file that was supposed to pop up was blocked (since notepad cannot be opened).  The results are attached.
  13. I have posted here and stopped all other actions.

 

FSS.txt SecurityCheck.txt


1 hour ago, tangello said:

but no file was ever placed on my desktop.

A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop); please upload that file on your next reply.


Solution

Welcome
 
I'll be helping you with your computer.
 
Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.
 
Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary.

Let's begin... 

This Fix will empty the following folders:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns, please ask before running this fix.

The system will be rebooted after the fix has run.

FRST64.exe is saved in this location: C:\Users\benja\Downloads\FRSTEnglish.exe

  • Download the enclosed file  Fixlist.txt
  • Save it in the same location FRST64.exe is saved (FRSTEnglish.exe)
  • Start FRST (FRST64) with Administrator privileges 
  • This time around Press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.

Proceed accordingly:

-------------------------- [ SecurityUtilities ] --------------------------
Sandboxie-Plus v1.10.5 v.1.10.5 Warning! Download Update
--------------------------- [ OtherUtilities ] ----------------------------
TeamViewer v.15.37.3 Warning! Download Update
PuTTY release 0.78 (64-bit) v.0.78.0.0 Warning! Download Update
Node.js v.19.7.0 Warning! Download Update
NVIDIA GeForce Experience 3.27.0.120 v.3.27.0.120
LibreOffice 7.4.3.2 v.7.4.3.2 Warning! Download Update
calibre 64bit v.6.26.0 Warning! Download Update
FileZilla 3.62.2 v.3.62.2 Warning! Download Update
Foxit PDF Reader v.12.1.0.15250 Warning! Download Update
Notepad++ (32-bit x86) v.8.6.2 Warning! Download Update
7-Zip 22.01 (x64) v.22.01 Warning! Download Update
Uninstall old version and install new one.
GIMP 2.10.32 v.2.10.32 Warning! Download Update
Discord v.1.0.9005 Warning! Download Update
Java 8 Update 401 (64-bit) v.8.0.4010.10 Warning! Download Update
Uninstall old version and install new one (jre-8u411-windows-x64.exe).
-------------------------------- [ Media ] --------------------------------
foobar2000 v1.6.14 v.1.6.14 Warning! Download Update
HandBrake 1.7.2 v.1.7.2 Warning! Download Update
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox (x64 en-US) v.124.0.2 Warning! Download Update
Google Chrome v.123.0.6312.123 Warning! Download Update
---------------------------- [ UnwantedApps ] -----------------------------
JDownloader 2 v.2.0.1 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware and Malwarebytes AdwCleaner. Before uninstallation and scanning it is necessary to consult in the forum where cure is provided for you!!!
 

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

You will need to send them an email to obtain a link to download the scanner, so please do so.

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

Re-scan with FRST64 (FRSTEnglish.exe) and attach new logs in Normal Mode.


  1. Performed FRST instructions as instructed, fixlog.txt attached
    1. Initially restarted into safe mode, then ran into issues with un/installing node.js, so rebooted again but without safe mode
  2. Updated Sandboxie, Node.js, Firefox; uninstalled 7-zip, Java, did not reinstall yet
    1. Chrome is not actively used and will be updated later along with everything else on the list
  3. Signed up for Dr.Web CureIt, logged back into Gmail (was fully logged out), then downloaded file
  4. Took a photo of instructions with my phone, closed all apps (including Firefox and all system tray programs other than Avast and Windows Security), then began scan
  5. Stopped scan early, rebooted in safe mode, began scan again
  6. No threats detected, but was not able to open the log via the Open Report link. cureit.log attached
  7. Stopped actions; did not return to normal mode or rescan with FRST64

Fixlog.txt cureit.log


Windows Resource Protection found corrupt files and successfully repaired them.

The error indicates that there is a permission issue in your system. It could be that you are running Windows in Safe Mode.

Would the same issue occur in Normal Mode?


Use this application to remove tools used and their quarantined items:
 
Please download KpRm by Kernel-panik and save to your Desktop.

  • Click on KpRm.exe to run the tool.

Vista/Windows 7/8/10 users right-click and select Run As Administrator.

  • Put a check mark next to these items:

- Delete tools

- Create Restore Point

- Delete now

  • Click the "Run" button.


  • When the tool has finished, it will create and open a log report and delete itself.

A few final recommendations:
 
The following information will help you to keep your computer and data safer as well as improve your overall privacy

Malwarebytes Browser Guard

uBlock Origin

Cybersecurity basics & protection
 
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity
 
Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/
 
Please review the following to help you better protect your computer and privacy
 
Tips to help protect from infection
 
Hopefully, we've been able to assist you with correcting your system issues.
 
Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal.


2 hours ago, JSntgRvr said:

Great. Did you try again in Safe Mode with Networking?  They all should open if there is connectivity with the web.

I ran KpRm (log attached), then rebooted into Safe Mode with Networking.  As soon as I got to the login page, I got the "ctfmon.exe - System Error" popup about stack-based buffer overrun.  I was able to open notepad, but Defender returned a black screen (as before in Safe Mode) and Update reports "Something went wrong". 

kprm-20240421164031.txt


2 hours ago, JSntgRvr said:

Great. Did you try again in Safe Mode with Networking?  They all should open if there is connectivity with the web.

Thank you for asking, I probably would not have confirmed in safe mode if you didn't ask. 


Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Please rename FRST.EXE or FRST64.EXE to FRSTEnglish.exe
  • After renaming the file right-click over FRSTEnglish.exe and select "Run as administrator"
  • When the tool opens click Yes to the disclaimer if this is the first time using the tool
  • Type the following on the search window on FRST64:

Searchall: ctfmon.exe

  • Click on Search Files.
  • Attach the Search.txt log to your reply.
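As an added example that is not part of the original thread and not a tool from Farbar or Malwarebytes, the PowerShell script below does locally what the FRST "Searchall: ctfmon.exe" step and the Farbar Service Scanner are used for above: it lists every ctfmon.exe on the system drive, checks each copy's Authenticode signature, compares its SHA-256 hash with the copy in System32, and then reports the state of the services behind the two symptoms in the thread (Defender not opening, Windows Update failing). The service names WinDefend, wuauserv and BITS are the standard Windows names; the rule that a copy outside %SystemRoot% deserves a closer look is my own heuristic, not something stated in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread, FRST or Malwarebytes): triage of ctfmon.exe copies
# and of the Defender / Windows Update services. Everything is discovered at run time;
# no path or hash below is a known-bad indicator.

# Reference copy: the ctfmon.exe that Windows itself installs.
$canonical     = Join-Path $env:SystemRoot 'System32\ctfmon.exe'
$referenceHash = (Get-FileHash -Path $canonical -Algorithm SHA256).Hash

# 1. Find every ctfmon.exe on the system drive (local equivalent of FRST's "Searchall: ctfmon.exe").
$copies = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'ctfmon.exe' -File -Recurse -Force `
                        -ErrorAction SilentlyContinue

$report = foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path         = $f.FullName
        Version      = $f.VersionInfo.FileVersion
        SizeBytes    = $f.Length
        Signature    = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer       = $sig.SignerCertificate.Subject   # $null when the file is unsigned
        MatchesSys32 = ((Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash -eq $referenceHash)
    }
}
$report | Format-Table -AutoSize

# 2. Flag copies that are unsigned/tampered, or that live outside the Windows directory.
#    System32, SysWOW64 and WinSxS legitimately hold copies; other locations are my assumption
#    of "worth reviewing", not proof of anything.
$suspicious = $report | Where-Object {
    $_.Signature -ne 'Valid' -or ($_.Path -notlike "$env:SystemRoot\*")
}
if ($suspicious) {
    "Entries needing review:"
    $suspicious | Format-List
} else {
    "All ctfmon.exe copies are validly signed and live under $env:SystemRoot."
}

# 3. Services behind the symptoms in the thread: Defender (WinDefend), Windows Update (wuauserv)
#    and the BITS transfer service that Update relies on.
Get-Service -Name WinDefend, wuauserv, BITS -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize
```

Run it from an elevated PowerShell in Normal Mode as well as in Safe Mode, since the thread shows the two modes behaving differently; a `HashMismatch` status or a copy whose hash differs from System32 is the thing to report back, and `sfc /verifyonly` gives the same Windows Resource Protection check quoted later in the thread without modifying anything.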

  • Download the enclosed file  Fixlist.txt
  • Save it in the same location FRST64.exe is saved (FRSTEnglish.exe)
  • Start FRST (FRST64) with Administrator privileges 
  • This time around Press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Ctfmon.exe is responsible for several text input-related tasks:

  • Text Input: It handles standard text input, even for a regular English QWERTY keyboard.
  • Expressive Input (Emojis): It supports expressive input, including emojis.
  • Touch Keyboard: It’s integrated into the touch keyboard functionality.
  • Handwriting: If you use handwriting input, Ctfmon.exe manages it.
  • IMEs: Like in Windows 10, it provides support for languages like Japanese or Mandarin.

I have reviewed the registry entries for safe boot on each mode, and all seems in place.

In the event viewer I saw some devices unloaded due to lack of drivers

Are you having any issues with hardware?


No unusual issues as far as I can tell, although it's possible the issues are just unseen at the moment (such as bluetooth dongle or webcam not being used right this second).  If your second review shows the computer as clean, then I think I'm just too nervous. 

Thanks for checking things again!  I've learned my lesson and will be more careful about opening risky files moving forward.

