CTFMON.FET (Virus Sality) Removal Guide


CTFMON.FET – Virus Sality removal

File        MD5                               Virus Alias
CTFMON.FET  7a6d4d23ed5f5355c4694b63df4c134e  Virus Sality
CTFMON.FET  7a6d4d23ed5f5355c4694b63df4c134e  Trojan Generic
CTFMON.FET  7a6d4d23ed5f5355c4694b63df4c134e  Trojan Agent

CTFMON.FET size: 46058 bytes
CTFMON.FET hash: 7A6D4D23ED5F5355C4694B63DF4C134E

Created files:


Autostart registry keys:


Detected by UnHackMe:

CTFMON.FET
Default location: %SYSDIR%\CTFMON.FET

Dropper information:
MD5: 1b298d7c02652d7b6be18e2812df9a91
File size: 156259 bytes
