BleepingComputer.com: Question about ctfmon.exe

I have a question regarding this part of the log HijackThis produced:

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

In the StartUps list in this site, there are two entries for something similar to these: This one and this one.

How do I know if these are entries generated by Office XP or by that trojan horse?

Thanks

This post has been edited by Orange Blossom: 02 November 2011 - 02:40 AM
Reason for edit: Moved to Startup Database forum. ~ OB

You cannot tell just by looking at that part of the HijackThis log.

The trojan you are referring to overwrites the genuine ctfmon.exe and userinit.exe files with malware files of the same name.

To tell whether a file is infected, you can upload it to an online virus scanner such as VirusTotal or VirSCAN.org

Comments on HJT log are not allowed outside of malware removal forum.

Oops, sorry about that. I won't do it again.

No problem
I'm sure you weren't simply aware of it.

Akashi's answer, though, is valid. I am going to make a safe bet and tell you that the ctfmon entry is legit, but the only way to tell is to scan the file with a service like virustotal.