I recently noticed that I had unusually high memory usage and checked task manager to find a process called Ctfhost.exe running with description “Microsoft operating system” this is not normal for my machine so I killed the process and investigated to find that the process was running from “C:\Users\Ciaran\AppData\Roaming\AVAST Software” directory. I looked up the process and could not find much information on it except that it was a malicious process. I also found a scheduled task to run it at login of any user. Has my install been hijacked.

I am running windows 7 x64 with avast premier.

https://forum.avast.com/index.php?topic=53253.0

upload and test Ctfhost.exe to www.virustotal.com if tested before, click rescan for a fresh result

Post link to scan result here

As I was investigating I deleted everything I found but all files point to it being installed on the 12-11-15 I didn’t install anything on that date and had normal idle memory usage up until this evening. A malwarebytes scan shows that the system is clean. I’m going to change all my passwords now to be safe.

Could anybody check their %appdata% dir to see is ctfloader.exe there?

Please follow the instructions in the link that I gave you.