Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • Please log in to reply
1 reply to this topic

#1 SuperDave84


  • Members
  • 2 posts
  • Local time:05:38 PM

Posted 06 March 2011 - 02:01 PM


I have recently had the "WindowsSafeMode" virus and had successfully removed it; or so I thought. My computer is running normally, except that MalwareBytes' keeps popping up and telling me they are blocking incoming or outgoing ip addresses. They are mostly incoming, but I do get the occasional outgoing attempt. The issue I have is that I am running a fully updated version of MalwareBytes and every time I scan, it can't find any issues.

I am also running Norton 360 5.0 Premium edition and have done full system scans but to no avail.

From what I can tell, I have removed most of the virus, but still have something else left over. The one suspicious thing I found when reviewing my process in task manager is that ctfmon.exe was running so I disabled it through msconfig. When I booted up again I went into the local machine registry and looked for the file to remove it, but it wasn't there. Is this causing the issue?

Any and all help is appreciated!



Edit: Moved topic from AntiVirus, Firewall and Privacy Products and Protection Methods to the more appropriate forum. ~ Animal

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,904 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:38 PM

Posted 08 March 2011 - 02:12 PM

Ctfmon.exe is a file that installs with Windows when you configure the language options. Ctfmon is installed with Office applications and activates the "Alternative User Input Text Input Processor" as well as the "Language Bar". It is also installed with Internet Explorer's Language Tool Bar which forces the use of this file to start at boot whether you want it or not. This process monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies. If you do not use these features, then Ctfmon.exe does not need to be running. However, if disabled in MSConfig or with a startup manager, Ctfmon.exe will re-appear on the next bootup. In order to prevent it from running, please refer to:Determining whether Ctfmon.exe is malware or a legitimate Windows process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. The legitimate Ctfmon.exe file is located in the C:\Windows\System32 folder. If found running from a different location, it's usually indicative of malware and you should submit it to one of the following online services that analyzes suspicious files:In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

IP Protection (malicious website blocking) is part of the Protection Module and works after it is enabled. When attempting to go to a malicious website, Malwarebytes will block the attempt and provide an alert. Some programs on your computer have access to the Internet and that action can also trigger an IP alert. These events are stored in the "protection-log". Your firewall should be able to give you a list of such programs so you can confirm if they are legitimate. IP Protection is also designed to block incoming connections it determines to be malicious.

It is not unusual for Malwarebytes' (just like your firewall) to provide alerts regarding probing and intrusion attempts to access your computer. Botnets and Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports - commonly probed ports and make repeated attempts to access them. Hackers use "port scanning", a popular reconnaissance technique, to search for vulnerable computers with open ports using IP addresses or a group of random IP address ranges so they can break in and install malicious programs. Your security tools are doing their job by blocking this kind of traffic and alerting you about these intrusion attempts. However, not all unrequested traffic is malevolent. Even your ISP will send out regular checks to see if your computer is still there, so you may need to investigate an attempted intrusion.

Information that explains IP Protection feature can be found in the Malwarebytes Anti-Malware IP Protection FAQs.

What does IP Protection do?
IP Protection provides an additional layer of security for your computer, by preventing access to known malicious IP addresses and IP ranges...

What does this notification mean?
This notification means quite simply, that an IP address has been blocked. It does NOT necessarily mean you are infected, it simply means a program on your computer (e.g. your browser, IM program, P2P program etc), tried accessing a malicious IP address...

Other FAQs about IP Protection
How does it do this?
How does it inform you?
I got an alert and I wasn't even surfing, how's that happen?
I received a notification on a safe site, why?
How do I disable this?
I got an alert for an IP or website I think is safe, how can I report it?
Does the IP Protection replace my firewall?
Where do I find the IP Protection logs?
How can I add an IP so it won't be detected and can access a site I need to?[/b]

If you are using peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, Kontiki, BitTorrent, uTorrent, BitLord, BitLord, BearShare, Azureus/Vuze, etc) or an (IM) client, be aware they can trigger alerts. Why? Because these kind of programs are a security risk which can make your system susceptible to a smörgåsbord of malware infections and remote attacks for several reasons to include pop-up ads and malicious Flash ads that can lead to rogue sites where the IP address has been blocked. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Even your Browser is susceptible to ads so just surfing the net or going to unsafe sites may trigger alerts in order to protect you.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users