cftm.exe???

  • EVERS666
    Senior Member
    • Nov 2008
    • 279

    #1

    cftm.exe???

    Every time I load up Windows XP I keep on getting this message:

    Windows cannot find 'cftm.exe'?

    Does anyone know what this means, and how can I get rid of it?

    I think this only started when I updated my Norton 360.
  • aftermath
    V.I.P. Member
    • Mar 2008
    • 4345

    #2
    cftm.exe
    We suggest you to remove cftm.exe from your computer as soon as possible.
    Cftm.exe is Trojan/Backdoor.
    Kill the process cftm.exe and remove cftm.exe from Windows startup.

    Looks like Norton has tried to delete it, but not properly.

    Have a look here, how to remove it
    ======================================================

    Also look here

    ======================================================
    Also found this
    HTTP W32 Harakit Activity
    Severity: High
    This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
    Description
    This signature detects W32.Harakit activity.
    Additional Information
    W32.Harakit is a worm that spreads by copying itself to network shares and removable drives. It may also spread through instant messaging applications.

    Once executed, the worm may create the following files:

    * %SystemDrive%\khq
    * %SystemDrive%\khr
    * %System%\cftm.exe
    * %System%\cftmen.exe

    It will copy itself to the following location and then delete itself:
    %System%\csrcs.exe

    The worm also creates the following file on all removable drives so that it executes whenever the drive is accessed:
    %System%\autorun.inf

    The worm creates the following registry entries, so that it runs every time Windows starts:

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"cftm" = "C:\WINDOWS\system32\cftm.exe"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"csrcs" = "C:\WINDOWS\system32\csrcs.exe"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cftm" = "C:\WINDOWS\system32\cftm.exe"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"cftm" = "C:\WINDOWS\system32\cftm.exe"

    The worm creates the following registry entry so that it hides itself and runs when Windows starts:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"

    It also modifies the following existing registry value, so that it runs every time Windows starts:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe csrcs.exe"

    It may also create and populate the following registry keys:

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM
    * HKEY_LOCAL_MACHINE\SOFTWARE\ESET\Nod

    The worm may delete the following registry entries:

    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "B5"
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveAutoRun" = "FF FF FF 03"

    It may also delete registry entries present in the following registry subkeys to lower security settings:

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

    The worm spreads through network shares, removable devices or instant messaging applications.

    It has back door capabilities and may connect to a predetermined IRC channel allowing unauthorized access to perform the following actions:

    * Gathering confidential information
    * Act as a bot through IRC servers
    * Download extensions and updates of itself

    It may attempt to contact any of the following URLs:

    Affected

    * Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

    Response
    The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    1. Disable System Restore (Windows Me/XP).
    2. Update the virus definitions.
    3. Run a full system scan.
    4. Delete any values added to the registry.
    Possible False Positives
    There are no known false positives associated with this signature.
    Last edited by aftermath; 7 September, 2009, 18:16.

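    The write-up above lists the exact autostart locations the worm touches and the cleanup step "delete any values added to the registry". As an added example (not from this thread, from Symantec, or from any Norton tool), here is a small Python checker that reads the text of a `reg export` of those keys and flags each persistence entry the write-up describes; the export embedded below is constructed, not a real capture.

```python
# Constructed sample "reg export" text (not a real capture); exports double every backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cftm"="C:\\WINDOWS\\system32\\cftm.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe csrcs.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=hex:ff,ff,ff,03
'''

# Locations named in the W32.Harakit write-up (lowercased for matching).
HKLM_CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
HKCU_CV = r"hkey_current_user\software\microsoft\windows\currentversion"
RUN_KEYS = (HKLM_CV + r"\run", HKLM_CV + r"\runservices", HKLM_CV + r"\policies\explorer\run")
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
BAD_IMAGES = ("cftm.exe", "cftmen.exe", "csrcs.exe")

def parse_reg(text):
    """Return {key_lower: {value_name: data}} from .reg export text."""
    keys, cur = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and line.startswith('"') and '"=' in line:
            name, raw = line[1:].split('"=', 1)
            if raw.startswith('"'):          # REG_SZ; exports double the backslashes
                cur[name] = raw[1:-1].replace("\\\\", "\\")
            elif raw.startswith("dword:"):   # REG_DWORD written as 8 hex digits
                cur[name] = int(raw[6:], 16)
            else:                            # hex:/binary values kept as raw text
                cur[name] = raw
    return keys

def find_harakit_persistence(text):
    """Flag the persistence the write-up describes; returns a list of findings."""
    keys, out = parse_reg(text), []
    for k in RUN_KEYS:
        for name, data in keys.get(k, {}).items():
            if any(img in str(data).lower() for img in BAD_IMAGES):
                out.append(f"autostart {k}\\{name} -> {data}")
    shell = keys.get(WINLOGON, {}).get("Shell", "Explorer.exe")
    if shell.strip().lower() != "explorer.exe":   # worm sets "Explorer.exe csrcs.exe"
        out.append(f"Winlogon Shell tampered: {shell!r}")
    if keys.get(HKCU_CV + r"\explorer\advanced", {}).get("ShowSuperHidden") == 0:
        out.append("ShowSuperHidden=0 (super-hidden files concealed)")
    if "NoDriveTypeAutoRun" not in keys.get(HKCU_CV + r"\policies\explorer", {}):
        out.append("NoDriveTypeAutoRun missing (autorun.inf not restricted)")
    return out
```

    Run it against a real export of the listed keys (`reg export HKLM\... file.reg`) and treat every finding as something to remove or restore after the full scan, not as proof of a clean machine.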

    • Bulld0g
      V.I.P. Member
      • Apr 2008
      • 7158

      #3
      Seems you may have had, or still have, a trojan m8 Re: w32.harakit - Norton Internet Security / Norton AntiVirus - Norton Community

      THE TRUTH
      The Hillsborough Independent Panel. 12/09/12

      Today's report is black and white.The Liverpool fans were not the cause of the disaster.
      The panel has quite simply found 'no evidence' in support of allegations of 'exceptional levels of drunkenness, ticketlessness or violence among Liverpool fans' and 'no evidence that fans had conspired to arrive late at the stadium' and 'no evidence that they stole from the dead and dying'.


      • EVERS666
        Senior Member
        • Nov 2008
        • 279

        #4
        It's stopped happening now, should I still do the above?


        • pisart
          Newbie
          • Sep 2009
          • 1

          #5
          I would install another antivirus and check your computer again. You can't be too safe.


          • EVERS666
            Senior Member
            • Nov 2008
            • 279

            #6
            like what????


            • nevovx
              Top Poster
              • Aug 2009
              • 156

              #7
              Originally posted by EVERS666
              like what????
              Eset Smart Security v4 :D
              Malware Bytes Anti Spyware
