October 27th, 2004, 08:53 AM
#13
Ctfmon.exe
I have the same problem. Also, neither Spybot, Ad-Aware nor SpyHunter finds anything, and McAfee doesn't either. I found out that the starting point of CTFMON.EXE is in HKEY_Users\S-1-5-21...<myID>...\Software\Microsoft\Windows\CurrentVersion\run.
If I delete this entry, starting Internet Explorer will set the entry there again. In my case, after a reboot it will add the entry "wkdetect.exe" at the same place in the registry (probably because Works runs on my computer).
About 4 weeks ago I restored my whole system from scratch, because I had a similar problem, also connected with "wkdetect" and "ctfmon". After some reboots I could not open the Task Manager and msconfig. Probably the author of the Trojan wanted to prevent detection of the two processes. I had to go into secured mode to start Windows and then delete both files.
This strange behaviour caused me to build up the whole system, but now I have a similar problem as described above. Probably a slightly changed new version of the same Trojan.
I have read in several forums that there are users who have problems with shutting down Windows. I have problems going into standby. Probably this is also a result of the virus forcing reboots, which fits into the philosophy of "distributed trojaning".
Out of this I have drawn the following hypothesis:
1. We are confronted with a new type of stealth Trojan
2. The Trojan uses names of well-known MS programs to hide itself
3. The Trojan probably uses parts of existing programs for its own purposes, therefore these programs must be running in the background
At the moment I do not know where the Trojan is really situated or where I can catch it. So I ask you, please, give me feedback if you have some news.
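
One way to check the hypothesis in the post above that a Run entry only borrows a well-known Microsoft file name, as an added example that is not part of the original post: the PowerShell below lists every per-user Run value under HKEY_USERS and reports where the file really lives, whether its Authenticode signature is valid, and its SHA-256. The function name `Resolve-RunCommand`, the variable names and the output field names are made up for this example.

```powershell
# Added example: list per-user Run values and show what each one really points to.
# Only hives of currently loaded profiles appear under HKEY_USERS.
$runSubKey     = 'Software\Microsoft\Windows\CurrentVersion\Run'
$namesFromPost = 'ctfmon.exe', 'wkdetect.exe'   # file names mentioned in the post

function Resolve-RunCommand {
    param([string]$Command)
    # Expand %SystemRoot% and similar, then keep only the executable path.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"')    { return $Matches[1] }  # quoted path
    if ($expanded -match '^(.+?\.exe)\b') { return $Matches[1] }  # unquoted, may contain spaces
    return ($expanded -split '\s+')[0]
}

$results = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $keyPath = "Registry::$($hive.Name)\$runSubKey"
    if (-not (Test-Path -LiteralPath $keyPath)) { continue }
    $key = Get-Item -LiteralPath $keyPath
    foreach ($valueName in $key.GetValueNames()) {
        $command = [string]$key.GetValue($valueName)
        $path    = Resolve-RunCommand $command
        if (-not $path) { continue }
        if (-not [IO.Path]::IsPathRooted($path)) {
            # Bare file name: resolve it through PATH, as a rough stand-in for how Windows would.
            $found = Get-Command -Name $path -CommandType Application -ErrorAction SilentlyContinue |
                     Select-Object -First 1
            if ($found) { $path = $found.Path }
        }
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
        [pscustomobject]@{
            Sid        = $hive.PSChildName
            ValueName  = $valueName
            Command    = $command
            Path       = $path
            Exists     = $exists
            InSystem32 = $exists -and ((Split-Path -Parent $path) -ieq "$env:SystemRoot\System32")
            Signature  = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256     = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { '' }
        }
    }
}

# Entries whose file name matches one from the post; compare Path, Signature and Signer.
$results | Where-Object { $namesFromPost -contains (Split-Path -Leaf $_.Path) } | Format-List
# Every entry that is missing on disk or has no valid signature, whatever its name.
$results | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } | Format-Table Sid, ValueName, Path, Signature
```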