Ctfmon


16 replies to this topic

#1 TuckTheBrave


Posted 09 January 2008 - 01:12 PM

I am aware that the running process ctfmon.exe is a known Microsoft Office function (language bar), but it seems I have TWO ctfmon processes running! I'm wondering if one of them is really some spyware. Here are the locations of each according to the list of startup processes:

hkcu\software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\run

Which of these is the real deal and which is the evil one?

Thanks for the help.



#2 nigglesnush85


Posted 09 January 2008 - 01:26 PM

Hello,

Could you check your Task Manager to see if there are two in there? Also, if you do a simple search for ctfmon, how many files show themselves? Remember to make sure it searches hidden and system folders.
Regards,

Alan.

#3 Andrew


Posted 10 January 2008 - 06:27 AM

Hi there, TuckTheBrave! Welcome to BC! :thumbsup:

If, after following nigglesnush85's advice, you find that there are indeed two instances of ctfmon.exe running, here's how you can find out if either of them is malicious.

Download Process Explorer from Microsoft (an excellent program you should get anyway, IMO): http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Run Process Explorer. Find the two ctfmon.exe processes and double click on them to open their properties window. In the properties window, find the "Path" entry. If the path is anything but C:\Windows\System32, then it's likely that it's something that you don't want. Post back here for further assistance.

Edited by Amazing Andrew, 10 January 2008 - 06:29 AM.


#4 usasma


Posted 10 January 2008 - 06:28 AM

Which registry branch is the second one located in? I'd presume it's HKLM, but it could be in others.
What are the paths to the files named in each key?
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) If you need a more detailed explanation, please ask for it. I have the Knack. If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#5 TuckTheBrave


Posted 11 January 2008 - 08:52 PM

OK. I finally got back to this.

1. I checked the Task Manager and I found only one in there.

2. When I do a simple search (including hidden files), it shows two ctfmon processes running with two CTF Loader programs running. Here's where the search says these are:
a. ctfmon (CTF Loader) - in folder: C:\i386
b. CTFMON.EXE-05E57A5E.pf in folder: C:\WINDOWS\Prefetch
c. ctfmon (CTF Loader) - in folder: C:\WINDOWS\system32
d. CTFMON.EXE-05E57A5E.PF

3. I downloaded Process Explorer, but I could only find one ctfmon.exe process running. When I double clicked on it, the path is to the System32 folder.

Between when I posted my question and today, I installed and ran a cleanup program from White Canyon. I'm going to poke around in the log file that that session created and see what came up. Now when I check the startup process list, only the one ctfmon process (from the system32 folder) is there.

I appreciate everyone's input and advice. If I discover what happened - or if I see it occurring again, I'll post again. I'm glad I joined BleepingComputer. It's nice to grab the good advice. Happy posting!

#6 quietman7


Posted 11 January 2008 - 11:33 PM

These are all legit:
HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

The HKEY_USERS subtree contains all actively loaded user profiles. HKEY_USERS has at least three keys:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
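
The checks described in posts #3 and #6 (the executable path of each ctfmon process, and where each Run entry points), as an added PowerShell example that is not part of any post in this thread. It assumes Windows PowerShell 3.0 or later and a standard install where ctfmon.exe lives under %SystemRoot%\System32; the variable names are illustrative.

```powershell
# Added example: list every ctfmon autostart entry and running process with its path.
# Expected location per the thread is C:\WINDOWS\system32; resolved from %SystemRoot%.
$expected = Join-Path $env:SystemRoot 'System32\ctfmon.exe'
$runSub   = 'Software\Microsoft\Windows\CurrentVersion\Run'

# HKLM plus every loaded profile under HKEY_USERS (the current user and the
# S-1-5-18 / S-1-5-19 / S-1-5-20 service accounts quoted in the post above).
$runKeys  = @("Registry::HKEY_LOCAL_MACHINE\$runSub")
$runKeys += @(Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\$runSub" })

$found = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data -notmatch 'ctfmon') { continue }
        # Reduce the command line to the executable path (drop quotes and arguments).
        if ($data -match '^\s*"([^"]+)"') { $path = $Matches[1] }
        else { $path = ($data -replace '(\.exe)\s.*$', '$1').Trim() }
        $found += [pscustomobject]@{ Source = ($key -replace '^Registry::'); Path = $path }
    }
}

# Running processes: Path is empty when the caller lacks rights to query it.
foreach ($p in Get-Process -Name ctfmon -ErrorAction SilentlyContinue) {
    $found += [pscustomobject]@{ Source = "process PID $($p.Id)"; Path = $p.Path }
}

# Anything not at the expected path, missing on disk, or unsigned deserves a closer look.
$found | ForEach-Object {
    $onDisk = $_.Path -and (Test-Path -LiteralPath $_.Path -PathType Leaf)
    $sig    = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $_.Path).Status } else { 'FileNotFound' }
    [pscustomobject]@{
        Source    = $_.Source
        Path      = $_.Path
        Signature = $sig
        Verdict   = if ($_.Path -ieq $expected) { 'ExpectedPath' } else { 'Review' }
    }
} | Format-Table -AutoSize -Wrap
```

A matching path alone does not prove the file is genuine, which is why the signature status is shown beside it. On older PowerShell versions a catalog-signed system file can report NotSigned, so treat that result as a prompt to check further.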

#7 Armanchester


Posted 07 July 2008 - 09:25 AM

cftmon is viral. If there is a legitimate cftmon out there, the loss of it would be small potatoes compared to the gains in getting rid of the viral version. If you run msconfig, you will find cftmon activated on the start menu. Deactivate it on the start menu and it reactivates itself within a few hours. Go to your system folder and rename the file, and a new copy will appear within a few hours. If you get it deactivated, system speeds are almost doubled, and you can immediately notice when it comes active again. Don't be so shy to try deactivating something you are suspicious about. Legitimate files don't foist themselves onto your start menu. Legitimate files don't reappear when the user 'loses' them to the system. Saying this thing is legit just because it is in the system folder or says it's from Microsoft is naivety.

#8 nigglesnush85


Posted 07 July 2008 - 09:41 AM

cftmon is viral.


Ctfmon.exe activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office Language Bar.
http://support.microsoft.com/kb/282599

While malware can change/modify/be called ctfmon.exe, the ctfmon in this topic is legit.
Regards,

Alan.

#9 Armanchester


Posted 08 July 2008 - 03:41 PM

Since I don't have Office applications (use WP) and don't have any handwriting or speech recognition, why is it there? Why won't it stay deactivated? If you don't have Word (or WP for that matter) active, why does this resource robbing thing have to be up and running ALL THE TIME! Recognizing it as viral is more than seeing what folder it is in.

#10 tswsl1989


Posted 08 July 2008 - 03:48 PM

Recognising it as viral is more or less as simple as seeing what folder it's in. Like it or not it's a legitimate part of Windows (and used by office), and is only going to cause resource problems on extremely underspecced PCs. To quote from HHGTG, it may be summarised as follows:

Harmless
Tom

Tswsl1989
Duct tape is like the force. It has a light side, a dark side, and it holds the universe together

#11 quietman7


Posted 08 July 2008 - 04:53 PM

"What is ctfmon.exe And Why Is It Running?".

IE7 installs the Language Tool Bar which requires ctfmon.exe to start at boot. IE7 installer forces the use of this file and the Language Toolbar in the Task Bar to start whether you want it or not. To get rid of Ctfmon.exe, you may have to remove the Language Tool Bar.

#12 Armanchester


Posted 08 July 2008 - 08:42 PM

I don't have a language tool bar. I don't have Office. There is no excuse for it to be on my system and it will not stay shut down nor go away. It is not harmless.

#13 quietman7


Posted 08 July 2008 - 09:42 PM

Are you using IE7?

#14 Armanchester


Posted 08 July 2008 - 11:21 PM

No. Firefox. And besides, why would IE start up something that is occasionally looked for by Word? This thing is NOT legit.
Now if I kill all things LOCAL SERVICE then cftmon stays down longer, and my system works so much faster and better, but I'm looking for a way to kill it for good. Obviously no suggestions here?

Edited by Armanchester, 08 July 2008 - 11:40 PM.


#15 nigglesnush85


Posted 09 July 2008 - 03:17 AM

It installs with Windows, when you are configuring the language options.

Open msconfig and the Startup tab. Clear the check box for ctfmon, apply, and click Exit Without Restart.

Now go to the Control Panel and open Regional and Language Options, then the Languages tab, then Details; in the new window click the Advanced tab, then select "Turn off advanced text services". Then OK your way back.
Regards,

Alan.



