Windupdates and CTXMA.EXE

[Lawrence Lau]

PC began to pop up IE windows on its own yesterday (7th
Mar), PC keeps jamming router so much so that other PCs
using the same router cannot access internet.

MS AntiSpyware reports finding WindUpdates (Classified as
severe threat). MS AntiSpyware removes it from
ide21201.vxd.

However, after reboot, a scan again reveals the same
WindUpdates present at the same place, even when PC is
disconnected from the internet.

A check with registry reveals an unknown CTXMA.EXE
(listed as *Microsoft Update) in
HKLM\Software\Microsoft\Windows\Current Version\Run plus
many other locations.

It also runs as process and tries to insert itself into
the "Run" section.

A copy also exists in Services.

I suspect that this CTXMA.EXE has something to do with
the WindUpdates, and MS AntiSpyware has not "learned" to
remove it completely yet.

Search via Google locates only a handful of results that
mention CTXMA.exe, and they also guess that it is a
trojan, but nobody has successfully removed it yet.

Has anyone sucessfully removed the CTXMA and Windupdates?
Will SPYNET provide new signature file to remove this
soon?

 

[Bill Sanderson]

Have you tried:

1) running a full, deep scan with Microsoft Antispyware in safe mode.
Log in as "administrator"

2) after the scan, but before restarting normally, check for the presence of
ctxma.exe in the startup locations you mention. If it is still there, use
the system explorers to block it.

 

[Mark Randall]

http://sandbox.norman.no/live_2.html?logfile=110059

- MR

 

[Bill Sanderson]

http://sandbox.norman.no/live_2.html?logfile=110059

Thanks!