Ctfmon Startup Item


59 replies to this topic

#1 Jove


Posted 11 December 2007 - 02:57 PM

I have the following item in my startup list; per the BC startup list, the info is as follows. Also have found msmsgs.

Please advise: is unchecking this on my startup list enough, as my Spybot and AVG have not picked this up? I need to reinstall AdAware as something went wrong with it.





Startup Item; ctfmon

This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.

If the description states that it is a piece of malware, you should immediately run an antivirus and antispyware program. If that does not help, feel free to ask us for assistance in the forums.
Name: ctfmon
Filename: cftmon.exe
Command: Unknown at this time.
Description: Added by the Troj/Delbot-B TROJAN/IRC backdoor!
File Location: %Windir%
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry
Note: %Windir% refers to the Windows installation folder. By default, this is C:\Windows for Windows 95/98/ME/XP/Vista or C:\Winnt for Windows NT/2000.
Removal Instructions: How to remove a Trojan, Virus, Worm, or other Malware


This entry has been requested 16148 times.

Edited by Jove, 11 December 2007 - 02:59 PM.

When you don't have to worry about your computer anymore, you can start
living again !

Success is a result, not a goal. . . . Flaubert


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:33 PM

Posted 11 December 2007 - 03:04 PM

ctfmon is not necessarily malware - see this link for more information.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:33 AM

Posted 11 December 2007 - 03:13 PM

Same with msmsgs.

Windows Messenger is a proprietary instant messaging client included in Windows XP, 2000 and 2003 Server and should not be confused with the Messenger Service, which is a network-based system notification service and a component of Windows itself, or with Windows Live Messenger (formerly MSN Messenger), which is a separate instant messaging client. By default, Windows XP Professional and Windows XP Home Edition install Windows Messenger.

To disable Windows Messenger from automatically running in the background, do this:
1. Open Windows Messenger and go to Tools > Options > Preferences and uncheck "Allow Windows Messenger to run in the background".
2. To disable it from starting up when Windows starts, uncheck the "Run Windows Messenger when Windows starts" above it.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

You can download and use Process Explorer or Glarysoft Process Manager to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

"What is CTFMON.EXE and How Can I Remove It"
"Frequently asked questions about Ctfmon.exe"
"How to turn off the speech recognition in Office"
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:33 AM

Posted 11 December 2007 - 03:16 PM

OK,
I see that it has listed itself again, and now understand that this is not necessarily malware;
the initial search turned up:

Description: Added by the Troj/Delbot-B TROJAN/IRC backdoor!

which is slightly confusing. I will leave it alone.

Thanks much !



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:33 AM

Posted 11 December 2007 - 03:24 PM

Anytime you come across a suspicious file about which you cannot find any information, or the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

#6 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:33 AM

Posted 11 December 2007 - 06:43 PM

OK, the thing is (I believe I have been here before in a previous thread), but accordingly, as I searched ctfmon
from BC's startup list as in the first post, it was explicit: Startup Item; ctfmon

This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.

Not to be too redundant but, by the same token, as posted by Budapest:

This is a valid program, but it is up to you whether or not you want it to run on startup.

Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. The following information is a brief description of what is known about this file. If you require further assistance for this file, feel free to ask about in the forums.
Name: ctfmon.exe
Filename: ctfmon.exe
Command: C:\WINDOWS\system32\ctfmon.exe


My systems startup list noted this without the suffix .exe, and therefore a different description was given, or at least I think that is the reason.

The question left is why was this not noted in my system with the exe. ?

Appreciate your advice and will make the time to look into this.

Edited by Jove, 11 December 2007 - 06:44 PM.



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:33 AM

Posted 11 December 2007 - 11:22 PM

In addition to the legitimate ctfmon.exe there are several types of malware with the same name, such as the one you found here.

Troj/Delbot-B is an IRC backdoor Trojan that installs itself in C:\Windows.
When investigating with HijackThis, it would look like this:
O4 - HKCU\..\Run: [ctfmon] C:\WINDOWS\ctfmon.exe
The name in this case is just ctfmon but the file name includes the .exe.

As I previously said, one of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. Determining whether it is legit or not depends on the location it executes or runs from.

Ctfmon.exe should appear in the following folders:
C:\Windows\system32\
C:\Windows\Prefetch\CTFMON.EXE-0E17969B.pf

You may also find copies in i386 folders:
C:\i386\ctfmon.exe <- the original from XP SP1a
C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe <- a newer version that was installed with XP SP2

When investigating with HijackThis, it would look like this:
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

If ctfmon.exe is found elsewhere, then it is likely to be malware and you should submit the suspect file for analysis at jotti's virusscan or virustotal.com.

Edited by quietman7, 11 December 2007 - 11:24 PM.

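The path-based check quietman7 describes, as an added example that is not from the thread: a Python script that parses HijackThis O4 lines (constructed samples modelled on the two quoted above), expands %Windir% to the XP default C:\WINDOWS (an assumption), and flags a known file name that runs from a folder other than its expected one. The expected folder for msmsgs.exe is also an assumption; the bracketed value name is deliberately kept separate from the file name, since the thread shows they need not match.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample, modelled on the O4 lines quoted in the thread.
SAMPLE_LOG = """
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [ctfmon] %Windir%\\ctfmon.exe
O4 - HKLM\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - HKLM\\..\\Run: [ctfmon] C:\\Documents and Settings\\User\\Local Settings\\Temp\\ctfmon.exe
"""

# Folders where the genuine XP binaries live (the thread gives system32 for
# ctfmon.exe; the msmsgs.exe folder is an assumption).  Compared case-insensitively.
EXPECTED_FOLDERS = {
    "ctfmon.exe": {r"c:\windows\system32"},
    "msmsgs.exe": {r"c:\program files\messenger"},
}
# XP default install folder, used to expand %Windir% / %SystemRoot% (assumption).
WINDIR = r"C:\WINDOWS"

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

class Entry(NamedTuple):
    hive: str
    name: str     # value name in [brackets]; NOT the file name
    path: str     # executable path with %Windir% expanded
    args: str
    verdict: str

def split_command(cmd: str) -> Tuple[str, str]:
    # Quoted paths end at the closing quote; unquoted ones are cut after the
    # first ".exe" so folders containing spaces survive.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    idx = cmd.lower().find(".exe")
    if idx == -1:
        return cmd, ""
    return cmd[:idx + 4], cmd[idx + 4:].strip()

def expand_windir(path: str) -> str:
    out = path
    for var in ("%windir%", "%systemroot%"):
        i = out.lower().find(var)
        if i != -1:
            out = out[:i] + WINDIR + out[i + len(var):]
    return out

def classify(path: str) -> str:
    folder, fname = ntpath.split(path)
    fname, folder = fname.lower(), folder.lower().rstrip("\\")
    if fname not in EXPECTED_FOLDERS:
        return "unknown-file"
    if folder in EXPECTED_FOLDERS[fname]:
        return "expected-location"
    return "suspect-location"   # known name, wrong folder: submit for analysis

def parse_o4(line: str) -> Optional[Entry]:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path, args = split_command(m.group("cmd"))
    path = expand_windir(path)
    return Entry(m.group("hive"), m.group("name"), path, args, classify(path))

def audit(log: str) -> List[Entry]:
    return [e for e in (parse_o4(ln) for ln in log.splitlines()) if e]
```

A "suspect-location" verdict only means the name matches a system file but the folder does not; as the thread says, the file itself still goes to jotti's or virustotal.com for a verdict.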

#8 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:33 AM

Posted 12 December 2007 - 10:25 AM

Quietman,
Thanks for all the good information, I will start checking it out.

For your Information, this is what it looks like at this point, file search results;


If the suffix is supposed to be .exe, then it appears to be a bad file.

Edited by Jove, 12 December 2007 - 10:27 AM.



#9 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:33 AM

Posted 12 December 2007 - 10:45 AM


If this is a malware then the properties file would not give it away!

I'll get back to researching the info. and double check this.



#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:33 AM

Posted 12 December 2007 - 10:47 AM

Those are legit locations for the file. Mine are in the same place, showing the same size with a date of Aug 4, 2004. Any of the malware files with the same name reside elsewhere.

If you navigate there in Windows Explorer, you will see that it has an .exe extension. If you're not seeing the extension, you need to reconfigure Windows XP to show hidden files and folders and to stop hiding file extensions.

#11 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:33 AM

Posted 12 December 2007 - 05:05 PM

Quietman,
During my investigations into the identification of ctfmon I have come across the process library

http://www.processlibrary.com/directory/?files=ctfmon

and followed the suggestion to scan with Uniblue Registry Booster Version 2. I have scanned with this and it has found
some 241 problems; since this has fixes that I believe affect the registry, I have done nothing at this point as I do not know the reliability of this scan. However, from what I am observing there is a "click" to fix all errors.

I would like to know the reliability of this device, as in searching ctfmon, etc., I am still looking for the reason I have sudden random crashes and instant restarts which usually occur when I am running Windows Internet Explorer.

There seems to be quite a few times when this and other programs need to close, etc.

Is there anything you can tell me about this RB scan device?

As previously stated, I do not find the suffix, exe. concerning this entry, (ctfmon), and have included search info., I think that it is valid as when unchecking it in the startup list it re-enters itself after restart. This to me would indicate it is valid and that these two entries are the only ones in my computer and the fact that they are part of the WXP SP2 installation.



Files Found to have suffix, exe.

Edited by Jove, 12 December 2007 - 06:07 PM.



#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:33 AM

Posted 12 December 2007 - 07:01 PM

You don't need RB.

Registry cleaners are extremely powerful applications. There are a number of them available and some are safer than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system unbootable.

The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results". Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly can have disastrous effects on your operating system such as preventing it from ever starting again. For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

#13 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:33 AM

Posted 12 December 2007 - 08:23 PM

I understand this, and it is the reason I did nothing. However, I am wondering if, in the log that has been compiled by this scan, it would be possible to recognize the reason for the random crashes and programs needing to close?

Or would a HJT post be more productive? I find it interesting that this scanner has found 214 problems, but frustrating that I am not really able to identify them per se.

Especially since they are all identified by registry keys.

A lot of these are related to my recently discontinued AOL program, i.e.,

Entry: HKEY_CLASSES_ROOT\CLSID\{00e0313F-8627-45db-863d-fd41083c3d32}\LocalServer32
Valuename:
Value: "C:\Program Files\AOL 9.0\waol.exe"
Reason: ( The LocalServer32 points to the missing program "C:\Program Files\AOL 9.0\waol.exe" in the HKEY_CLASSES_ROOT\CLSID\{00e0313F-8627-45db-863d-fd41083c3d32} key )

Edited by Jove, 12 December 2007 - 09:16 PM.



#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:33 AM

Posted 12 December 2007 - 10:18 PM

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Then perform an Online Virus Scan like BitDefender.
(These require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component. If given the option, choose "Quarantine" instead of delete.)

In Windows XP, the default setting is for the computer to reboot automatically when a fatal error or crash occurs. You should be able to see the error by looking in the Event Log. Read "How To Use the Event Viewer Applet".

An alternative is to turn off the automatic reboot feature so you can actually see the error code/STOP Message when it happens - this is also known as the Blue Screen Of Death (BSOD).

To change the recovery settings and Disable Automatic Rebooting, go to Start > Run and type: sysdm.cpl
Click Ok or just press WINKEY + Pause/Break keys to bring up System Properties.
  • Go to the Advanced tab and under "Startup and Recovery", click on the "Settings" button and go to "System failure".
  • Make sure "Write an event to the system log" is checked and that "Automatically restart" is UNchecked.
  • Click "OK" and reboot for the changes to take effect.
Doing this won't cure your problem but instead of crashing and restarting you will get a blue diagnostic screen with an error code and other information that will allow you to better trace your problem.

#15 Jove

Jove
  • Topic Starter

  • Members
  • 2,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Very South Jersey
  • Local time:12:33 AM

Posted 12 December 2007 - 11:13 PM

Quietman,

I have previously edited last post in case you may not have viewed this concerning the registry scan report;

A lot of these are related to my recently discontinued AOL program, i.e.,

Entry: HKEY_CLASSES_ROOT\CLSID\{00e0313F-8627-45db-863d-fd41083c3d32}\LocalServer32
Valuename:
Value: "C:\Program Files\AOL 9.0\waol.exe"
Reason: ( The LocalServer32 points to the missing program "C:\Program Files\AOL 9.0\waol.exe" in the HKEY_CLASSES_ROOT\CLSID\{00e0313F-8627-45db-863d-fd41083c3d32} key )


I want to run a complete virus scan at this time and would like to get something straight concerning my System Restore: if in fact there is an infection existing and it is in my System Restore, when I turn this off to run virus and malware scans and afterwards turn it back on, I assume that the previous restore points must be discarded in some way, correct?



I have just viewed your last post and will continue with this procedure, thank you.

Edited by Jove, 12 December 2007 - 11:15 PM.
