
Ctfmon.exe (ctf Loader)



#1 bluesjunior


Posted 28 November 2007 - 09:31 AM

I installed Autoruns on my PC, and in the scan results I noticed that under the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run I have an entry written up as below.

Autoruns Entry | Description | Publisher | Image Path
ctfmon.exe | CTF Loader | Microsoft Corporation | C:\Windows\System32\ctfmon.exe


I came here to find out from the startup list whether this was needed on startup, only to find that the Bleeping Computer Startup list lists the CTF Loader one as malware, though not to be confused with the genuine ctfmon.exe used by Windows. How do I know the difference, and if it is malware, how do I get rid of it, as none of my security systems are picking up on it?

My OS is Windows XP Home Edition SP2. I use the following security: Comodo v3 CFP Firewall, Antivir AV, Comodo Boclean and Spyware Blaster as real-time protection, and I use SuperAntiSpyware and AVG Antispyware on a twice-weekly basis, all programs kept up to date.

I would appreciate any help/advice offered. Thanks in advance.
Motherboard: Gigabyte GA-MA770T-UD3, CPU: AMD Athlon II X3 450 Processor, Memory: OCZ 4GB (2x2GB) DDR3 1333MHz,Graphics: PowerColor HD 5750 1GB GDDR5,
PSU: Corsair 430W CX PSU 4x SATA 1x PCI-E, Hard Drive:Samsung SpinPoint F3 500GB Hard Drive SATAII 7200rpm 16MB Cache.



#2 Animal

  • Site Admin

Posted 28 November 2007 - 02:56 PM

Ctfmon.exe/CTF Loader is part of MS Office and its Alternative User Input. Do you have MS Office installed? Since this is a Microsoft-published file and in your System32 path, I would venture to say it is most likely a legitimate file.

More information here: Frequently asked questions about Ctfmon.exe

As far as telling the difference between a legitimate and a malware entry, I would refer that portion of your question to a trained malware expert. Hopefully one will see this post and respond with an answer. If you don't get one soon, I'll see if I can get one for you.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)




A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#3 quietman7

  • Global Moderator

Posted 28 November 2007 - 03:05 PM

If you don't know what a process is or you come across a suspicious file, search the name using Google, or the following links:
BC's File Database
BC's Startup Programs Database
File Research Center
Process ID Database
How to determine what services are running under a SVCHOST.EXE process

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, select Properties, and examine the General and Version tabs.

You can download and use Process Explorer or Glarysoft Process Manager to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

The Process Explorer window shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.

If you have XP Pro, you can use Tasklist to display a list of active processes.
Go to Start > Run and type: cmd
press Ok
At the command prompt type: tasklist /svc >c:\taskList.txt
press Enter

Go to Start > Run and type: C:\taskList.txt
press Ok to view the list of processes

The /SVC switch shows the list of active services in each process. For help and syntax information, type the following command, and then press ENTER:
tasklist /?
or see: Syntax options

You can also use the WMI command-line utility to view and list processes.
Go to Start > Run and type: cmd
press Ok
At the command prompt type:
WMIC /OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid
press Enter.

You can also use (type):
WMIC /OUTPUT:C:\ProcessList.txt path win32_process get Caption,Processid,Commandline
press Enter.

Go to Start > Run and type: C:\ProcessList.txt
press Ok to view the details of all the processes.

Anytime you come across a suspicious file for which you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
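
The path check described in the post above, applied to a ProcessList.txt listing like the one the WMIC command writes. This is an added example, not part of the original thread; the name-to-folder table, the sample rows and the function names are constructed for illustration and assume a default C:\WINDOWS install.

```python
import ntpath
import re

# Assumption: illustrative table of system binary names and the only folder
# each should run from on a default C:\WINDOWS install. Extend as needed.
EXPECTED_DIR = {
    "ctfmon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed rows laid out like the fixed-width ProcessList.txt (not real output).
ROWS = [
    ("Caption", "CommandLine", "ProcessId"),
    ("System Idle Process", "", "0"),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe -k netsvcs", "1012"),
    ("explorer.exe", r"C:\WINDOWS\Explorer.EXE", "1500"),
    ("ctfmon.exe", r'"C:\WINDOWS\system32\ctfmon.exe"', "1840"),
    ("ctfmon.exe", r"C:\Documents and Settings\user\Application Data\ctfmon.exe /s", "2210"),
]
SAMPLE = "\n".join(f"{cap:<21}{cmd:<64}{pid}" for cap, cmd, pid in ROWS)

def parse_wmic(text):
    """Slice each row at the column offsets taken from the header line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    names = lines[0].split()
    starts = [lines[0].index(n) for n in names]
    ends = starts[1:] + [None]
    return [{n: ln[s:e].strip() for n, s, e in zip(names, starts, ends)}
            for ln in lines[1:]]

def image_path(cmdline):
    """Reduce a command line to the executable path (quoted or unquoted)."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)", cmd)
    return m.group(1) if m else cmd

def misplaced(text):
    """Return (pid, path) for known system names running from another folder."""
    hits = []
    for row in parse_wmic(text):
        path = image_path(row["CommandLine"])
        want = EXPECTED_DIR.get(ntpath.basename(path).lower())
        folder = ntpath.normpath(ntpath.dirname(path)).lower()
        if want and folder != want:  # rows with no command line are skipped
            hits.append((int(row["ProcessId"]), path))
    return hits
```

To run it on a real listing, read the file with `open(path, encoding="utf-16").read()`, since WMIC normally writes its /OUTPUT file as UTF-16. A hit is a reason to submit that file for scanning as described above, not proof of infection.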

#4 bluesjunior


Posted 28 November 2007 - 04:52 PM

Thanks for the replies people. I did Google it and found that it is a legit file as long as it is in the Win32 folder, which it is. I also found out that it is only used in conjunction with speech and language, which I don't use. Some people were saying they had problems with it and I found a workaround which I post below. I and others would untick it from Autoruns but it would reattach on reboot, which is why I thought it may be malware to begin with. Since following the advice below it seems to have gone for good.

CTFMON.EXE: Excerpt from a Google search.
And if you find this service running or located outside \windows\system32 folder, then it is not the normal system file, you might want to scan your computer and get rid of it. Just in case you want to stop the service, if that is the normal service, control panel -- regional and language options -- languages tab -- details button -- language bar button and from there, disable it

#5 quietman7


Posted 28 November 2007 - 05:39 PM

Ctfmon.exe is a non-essential process and can be removed from startup. However, if disabled in MSConfig or with a startup manager, this process will re-appear on the next bootup.

IE7 also installs the Language Tool Bar which requires ctfmon.exe to start at boot. IE7 installer forces the use of this file and the Language Toolbar in the Task Bar to start whether you want it or not. To get rid of Ctfmon.exe, you may have to remove the Language Tool Bar.

#6 bluesjunior


Posted 30 November 2007 - 06:23 AM

I have XP Home Edition SP2 and have disabled it by the following. Firstly I unchecked ctfmon.exe for all users from their start list using AutoRuns and then did the following:

Control Panel > Date,Time,Language&Regional Options > Regional & Language Options > Languages > Details > Advanced > put a check in the checkbox for "Turn off Advanced Text services", click Apply > OK and reboot.

This has removed it from my PC or at least it hasn't appeared on my start-up again on reboot and doesn't appear on my processes list in Task Manager. After at least three reboots in the last three days it appears to be gone for good with no sign of any after effects.

#7 quietman7


Posted 30 November 2007 - 08:00 AM

:thumbsup:



