Possible Trojan?



#1 Baurge

Posted 14 May 2006 - 01:46 AM

I just want to say thanks for all the help people have provided for me in the past before I roll into my possible new problem. Well, here goes. My sister had control of my computer this past weekend, and upon my return I noticed a decrease in performance and in some cases an unbearable amount of popups. Well, with the help I received before I was able to clean up some of the problems myself and got my system running up to par, from what I can tell, for the most part. My only big question is this: I was going through the program Spybot - Search and Destroy (love that app ^^), browsing through it and cleaning everything up a little, mainly disabling some things that start up with Windows that I don't need. I ran across a ctfmon.exe at startup and it marks it as a possible Trojan of some sort. I did a little research on the topic and found that it is sometimes a trojan in disguise but sometimes it's a valid file, so I'm confused as to whether to get rid of it or not. If someone could please help me out a little bit with this I would greatly appreciate it. Here is a copy of the log that Spybot gives me on my startup, with the questionable item highlighted.
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-01-26 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-05-12 Includes\Cookies.sbi
2006-05-12 Includes\Dialer.sbi
2006-05-12 Includes\Hijackers.sbi
2006-05-12 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2006-05-12 Includes\Malware.sbi
2006-05-12 Includes\PUPS.sbi
2006-05-12 Includes\Revision.sbi
2006-05-12 Includes\Security.sbi
2006-05-12 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-05-12 Includes\Trojans.sbi

Located: HK_LM:Run, {0228e555-4f9c-4e35-a3ec-b109a192b4c2}
command: C:\Program Files\Google\Gmail Notifier\gnotify.exe
file: C:\Program Files\Google\Gmail Notifier\gnotify.exe
size: 479232
MD5: 3df7ac30a381c57d0c70eaefee3c4ef2

Located: HK_LM:Run, AGRSMMSG
command: AGRSMMSG.exe
file: C:\WINDOWS\AGRSMMSG.exe
size: 88209
MD5: 230ea041666125b6812fe3ff964b2df3

Located: HK_LM:Run, Apoint
command: C:\Program Files\Apoint2K\Apoint.exe
file: C:\Program Files\Apoint2K\Apoint.exe
size: 159744
MD5: e9baeaf70deb530fa496ce1bde2188f0

Located: HK_LM:Run, BigDogPath
command: C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
file: C:\WINDOWS\VM_STI.EXE
size: 40960
MD5: d13f20471a8dc69f943e9652baaf7e94

Located: HK_LM:Run, eabconfg.cpl
command: C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
file:

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\system32\hkcmd.exe
file: C:\WINDOWS\system32\hkcmd.exe
size: 126976
MD5: 4ec3cdd926c694526a8bdcf7162e25e7

Located: HK_LM:Run, hpWirelessAssistant
command: C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
file: C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
size: 794624
MD5: a1eff7d2f3e6b46514ab7c4f6f99c253

Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep.exe
size: 10752
MD5: 13922eb54890c77005268882629a31fe

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, Zone Labs Client
command: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 755480
MD5: b4e843ded6daf99aec3fbfe395e643c7

Located: HK_LM:Run, Cpqset (DISABLED)
command: C:\Program Files\HPQ\Default Settings\cpqset.exe
file: C:\Program Files\HPQ\Default Settings\cpqset.exe
size: 233534
MD5: 448e0ecb31fadf82d6b82739d41d010a

Located: HK_LM:Run, HostManager (DISABLED)
command: C:\Program Files\Common Files\AOL\1138324450\ee\AOLSoftware.exe
file: C:\Program Files\Common Files\AOL\1138324450\ee\AOLSoftware.exe
size: 50792
MD5: d88962ada17e876554bf03d977139148

Located: HK_LM:Run, HotKeysCmds (DISABLED)
command: C:\WINDOWS\system32\hkcmd.exe
file: C:\WINDOWS\system32\hkcmd.exe
size: 126976
MD5: 4ec3cdd926c694526a8bdcf7162e25e7

Located: HK_LM:Run, HP Software Update (DISABLED)
command: C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
file: C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
size: 49152
MD5: 821f73b833c4daebc33c1a9a4b16bb5a

Located: HK_LM:Run, IgfxTray (DISABLED)
command: C:\WINDOWS\system32\igfxtray.exe
file: C:\WINDOWS\system32\igfxtray.exe
size: 155648
MD5: 2e23ebf313d9092f3f321bd5a8548255

Located: HK_LM:Run, IMEKRMIG6.1 (DISABLED)
command: C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
file: C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
size: 44032
MD5: e6bb63bbe1bed01769ca87f4dac286c8

Located: HK_LM:Run, IMJPMIG8.1 (DISABLED)
command: "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
file: C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
size: 208952
MD5: 7bbe4cf421aecc7f0226edd75f12079f

Located: HK_LM:Run, iTunesHelper (DISABLED)
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 278528
MD5: 8778072a594e1310c0b7d0a93771e8bd

Located: HK_LM:Run, MSPY2002 (DISABLED)
command: C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
file: C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
size: 59392
MD5: 1b17e09c1223f6d17336d2dd7a1af4f4

Located: HK_LM:Run, PHIME2002A (DISABLED)
command: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
file: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
size: 455168
MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6

Located: HK_LM:Run, PHIME2002ASync (DISABLED)
command: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
file: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
size: 455168
MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 155648
MD5: c74c7963eec07af49dce44d64819b2bf

Located: HK_LM:Run, SoundMAX (DISABLED)
command: C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
file:

Located: HK_LM:Run, SoundMAXPnP (DISABLED)
command: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
file: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
size: 1388544
MD5: c06f1a3ff958a10f828eee828623e193

Located: HK_LM:Run, SunJavaUpdateSched (DISABLED)
command: C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
file: C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
size: 36975
MD5: d3e445a99a1142c35d8d3100b5564591

Located: HK_LM:Run, TkBellExe (DISABLED)
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 180269
MD5: 1ac2c58b587c70de64582ad41ee79fba

Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
command: "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
file: C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
size: 94208
MD5: 7460f8a9edec9b00cf20dc401b7df6e2

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: HK_CU:Run, Aim6 (DISABLED)
command:
file:

Located: HK_CU:Run, ctfmon.exe (DISABLED)
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8


Located: HK_CU:Run, MSMSGS (DISABLED)
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1694208
MD5: 74e6e96c6f0e2eca4edbb7f7a468f259

Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: 43362b96870ce8649f4f2ec893da93f0

Located: Startup (user), Adobe Gamma.lnk
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a

Located: Startup (user), Microsoft Office OneNote 2003 Quick Launch.lnk
command: C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
file: C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
size: 59080
MD5: b2337403a5e582811f96de88c03ac7a9

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, igfxcui
command: igfxsrvc.dll
file: igfxsrvc.dll

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll


Thanks,
Baurge

Edited by Baurge, 14 May 2006 - 01:47 AM.

Everything no matter how great will come to an end.....


#2 quietman7

Global Moderator

Posted 14 May 2006 - 07:10 AM

Ctfmon.exe is part of Microsoft Office XP. It monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies. It is located in C:\Windows\System32.

If found in other locations, it can be malware. Some examples include:
PWSteal.Raidys
Trojan.Satiloler
Spyware.FamilyKeylog

Frequently asked questions about Ctfmon.exe

When you find suspicious files that you want to check, do this.

Go to jotti.org
Browse to the location of the suspicious file and submit [upload] it for scanning/analysis.

You can do the same thing at virustotal.com.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
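The two checks in the reply above (is ctfmon.exe really running from C:\Windows\System32, and what hash do you hand to Jotti or VirusTotal) can be applied mechanically to the Spybot startup log posted in the first post. The script below is an added example and is not code from this thread, from BleepingComputer or from Spybot. It parses the `Located: / command: / file: / size: / MD5:` stanzas Spybot prints, flags entries Spybot could not resolve to a file on disk, well-known binary names living outside their expected directory, and one filename that turns up with more than one MD5, and computes the MD5/SHA-256 of a file's bytes for the online lookup. The `EXPECTED_DIR` table is the example's own assumption (only the ctfmon.exe rule from the reply is in it), the sample log is constructed from two stanzas of the posted log, and the third `ctfmon` stanza is a hypothetical lookalike added so that a hit shows up; no such entry appears in the thread.

```python
"""Triage a Spybot S&D startup log with the checks from quietman7's reply.

Added example, not code from the thread or from Spybot. It parses the
'Located: / command: / file: / size: / MD5:' stanzas and flags entries Spybot
could not resolve to a file, well-known binary names running from the wrong
directory (the ctfmon.exe rule) and one filename carrying more than one MD5;
digests() gives the hashes you would look up on Jotti or VirusTotal.
"""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Expected home of well-known binaries, lower case. ctfmon.exe is the case from
# the thread; anything you add for your own image is your own assumption.
EXPECTED_DIR = {"ctfmon.exe": r"c:\windows\system32"}

# Constructed sample: two stanzas copied from the thread's log ...
REAL_STANZAS = r"""
Located: HK_LM:Run, eabconfg.cpl
command: C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
file:

Located: HK_CU:Run, ctfmon.exe (DISABLED)
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8
"""
# ... plus one HYPOTHETICAL lookalike (not in the thread) so a hit shows up.
FAKE_STANZA = r"""
Located: HK_LM:Run, ctfmon
command: C:\WINDOWS\ctfmon.exe
file: C:\WINDOWS\ctfmon.exe
size: 40960
MD5: ffffffffffffffffffffffffffffffff
"""
SAMPLE_LOG = REAL_STANZAS + FAKE_STANZA


@dataclass
class Entry:
    location: str        # "HK_CU:Run", "Startup (user)", "System.ini", ...
    name: str            # value or shortcut name, "(DISABLED)" tag stripped
    disabled: bool
    command: str
    file: str            # "" when Spybot could not resolve the target
    size: Optional[int]
    md5: str             # lower-case hex, "" when not reported


def parse_log(text: str) -> List[Entry]:
    """One Entry per 'Located:' stanza; stanzas are separated by blank lines."""
    entries: List[Entry] = []
    fields: Dict[str, str] = {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last stanza
        line = line.strip()
        if line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
            continue
        if "located" in fields:
            location, _, name = fields["located"].partition(",")
            name = name.strip()
            disabled = name.endswith("(DISABLED)")
            if disabled:
                name = name[: -len("(DISABLED)")].strip()
            size = fields.get("size", "")
            entries.append(Entry(location.strip(), name, disabled, fields.get("command", ""),
                                 fields.get("file", ""), int(size) if size.isdigit() else None,
                                 fields.get("md5", "").lower()))
        fields = {}
    return entries


def triage(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Apply the checks; returns (entry, reasons) for the entries worth a second look."""
    md5s_by_name: Dict[str, set] = {}
    for e in entries:
        if e.file and e.md5:
            md5s_by_name.setdefault(PureWindowsPath(e.file).name.lower(), set()).add(e.md5)
    findings = []
    for e in entries:
        reasons = []
        if not e.file:
            reasons.append("Spybot could not resolve the target on disk")
        else:
            path = PureWindowsPath(e.file)
            base, parent = path.name.lower(), str(path.parent).lower()
            expected = EXPECTED_DIR.get(base)
            if expected and parent != expected:
                reasons.append(f"{base} expected in {expected}, found in {parent}")
            if len(md5s_by_name.get(base, ())) > 1:
                reasons.append(f"more than one MD5 seen for files named {base}")
        if reasons:
            findings.append((e, reasons))
    return findings


def digests(data: bytes) -> Dict[str, str]:
    """MD5 (what Spybot prints) and SHA-256 (what VirusTotal keys on) of a file's bytes."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}
```

Run it on a saved log with `triage(parse_log(open("spybot.log").read()))`. On the sample, the `eabconfg.cpl` entry is flagged because Spybot printed an empty `file:` line, the legitimate System32 copy of ctfmon.exe is flagged only because a second file of the same name with a different MD5 exists, and the lookalike is flagged for both its location and the hash clash. None of the flags is a verdict: the reply's advice still applies, and the MD5 or SHA-256 from `digests()` is what you paste into the Jotti or VirusTotal search box before deciding whether to delete anything.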

#3 Baurge

Posted 14 May 2006 - 09:43 AM

Thanks so much for the information! Great websites to have. Does anyone have any good programs they know of, though, that might do the same thing? At this point I'm willing to purchase something to make sure my sister doesn't do anything to my computer.

#4 quietman7

Posted 14 May 2006 - 02:34 PM

List of Virus & Malware Resources
Freeware Replacements For Common Commercial Apps



