Ctfmon.exe (ctf Loader)

I installed Autoruns on my PC and in the scan results I noticed in the Registry named HKCU\Software\Microsoft\Windows\Current Version\Run I have an entry written up as below.

Autoruns Entry---------Description------------Publisher------------------------Image Path---------
ctfmon.exe-------------CTF Loader-----------Microsoft Corporation------C:\Windows\System32\ctfmon.exe


I came here to find out from the startup list if this was needed on startup only to find that the Bleeping Computer Start Up list lists the CTF Loader one as malware though not to be confused with the genuine ctfmon.exe used by Windows. How do I know the difference and if it is malware how do I get rid of it as none of my security systems are picking up on it.

My OS is Windows XP Home Edition SP2. I use the following Security. Comodo v3 CFP Firewall, Antivir AV, Comodo Boclean, Spyware Blaster as real time protection and use SuperAnti Spyware and AVG Antispyware on a twice weekly basis all programs kept up to date.

I would appreciate any help/advice offered. Thanks in advance.

Ctfmon.exe/CTF Loader is part of MS Office and its Alternative User Input. Do you have MS Office installed? Since this is a Microsoft published file and in your system 32 path. I would venture to say it is most likely a legitimate file.

More information here: Frequently asked questions about Ctfmon.exe

As far as telling the difference between a legitimate or malware entry. I would refer that portion of your question to a trained malware expert. Hopefully one will see this post and respond with an answer. If you don't get one soon, I'll see if I can get one for you.

If you don't know what a process is or you come across a suspicious file, search the name using Google, or the following links:
BC's File Database
BC's Startup Programs Database
File Research Center
Process ID Database
How to determine what services are running under a SVCHOST.EXE process

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

You can download and use Process Explorer or Glarysoft Process Manager to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

The Process Explorer window shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.

If you have XP Pro, you can use Tasklist to display a list of active processes.
Go to Start > Run and type: cmd
press Ok
At the command prompt type: tasklist /svc >c:\taskList.txt
press Enter

Go to Start > Run and type: C:\taskList.txt
press Ok to view the list of processes

The /SVC switch shows the list of active services in each process. For help and syntax information, type the following command, and then press ENTER:
tasklist /?
or see: Syntax options

You can also use the WMI command-line utility to view and list processes.
Go to Start > Run and type: cmd
press Ok
At the command prompt type:
WMIC /OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid
press Enter.

You can also use (type):
WMIC /OUTPUT:C:\ProcessList.txt path win32_process get Caption,Processid,Commandline
press Enter.

Go to Start > Run and type: C:\ProcessList.txt
press Ok to view the details of all the processes.

Anytime you come across a suspicious file which you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.

Thanks for the replies people. I did Google it and found that it is a legit file as long as it is in the Win32 folder which it is. I also found out that it is only used in conjunction with speech and language which I don't use. Some people were saying they had problems with it and I found a workround which I post below. I and others would untick it from Autoruns but it would reattach on reboot which is why I thought it may be malware to begin with. Since following the advice below it seems to have gone for good.

CTFMON.EXE: Excerpt from a Google search.
And if you find this service running or located outside \windows\system32 folder, then it is not the normal system file, you might want to scan your computer and get rid of it. Just in case you want to stop the service, if that is the normal service, control panel -- regional and language options -- languages tab -- details button -- language bar button and from there, disable it

Ctfmon.exe is a non-essential process and can be removed from startup. However, if disabled in MSConfig or with a startup manager, this process will re-appear on the next bootup.

IE7 also installs the Language Tool Bar which requires ctfmon.exe to start at boot. IE7 installer forces the use of this file and the Language Toolbar in the Task Bar to start whether you want it or not. To get rid of Ctfmon.exe, you may have to remove the Language Tool Bar.

I have XP Home Edition SP2 and have disabled it by the following. Firstly I unchecked ctfmon.exe for all users from their start list using AutoRuns and then did the following:

Control Panel > Date,Time,Language&Regional Options > Regional & Language Options > Languages > Details > Advanced > put a check in the checkbox for "Turn off Advanced Text services", click Apply > OK and reboot.

This has removed it from my PC or at least it hasn't appeared on my start-up again on reboot and doesn't appear on my processes list in Task Manager. After at least three reboots in the last three days it appears to be gone for good with no sign of any after effects.