CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....

Hi Guys

I have 2 PCs running exactly the same version of Avast Internet Security on Windows XP. PC#1 runs Office 2003 Small Business Edition and PC#2 Office 2007.

When I do a scan on PC#1 it detects CTFMON.EXE as a threat: Win32:Trojan-gen. When I run a scan on PC#2, it does not see CTFMON.EXE as a threat… what’s going on?

Please note that PC#1 has been totally rebuilt with a clean and new installation of Windows and Office 2003.

Thanks for any help you can provide.

Regards
Greg

Check it at VT and share the result: https://www.virustotal.com/

Hi Asyn,

Here is some more information relating to the issue.

Over the past 3 weeks, my wife’s internet banking password and account number were stolen and used to steal money from her accounts. The bank detected the fraud the first time and notified us, and her password was reset. I then scanned her PC (PC#1) with the latest version of Avast and MBAM and did not find anything. Then last week, the same thing happened again! I have put together a totally new PC with a clean install of Windows XP etc. and installed Avast Internet Security and the Pro version of MBAM. I then ran the scans and that is when Avast detected that there was something wrong with ctfmon.exe (in memory). I did some investigation and found that I could simply “turn it off” so it was not loaded in memory.

I just ran ctfmon.exe through VT and here are the results: it looks like eSafe picks up Win32.Banker, which from what I read is probably the cause of all of our problems.

SHA256: 5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1
File name: ctfmon.exe
Detection ratio: 1 / 42
Analysis date: 2012-05-04 10:42:38 UTC ( 0 minutes ago )

Antivirus Result Update
AhnLab-V3 - 20120503
AntiVir - 20120504
Antiy-AVL - 20120504
Avast - 20120504
AVG - 20120504
BitDefender - 20120504
ByteHero - 20120502
CAT-QuickHeal - 20120504
ClamAV - 20120504
Commtouch - 20120504
Comodo - 20120504
DrWeb - 20120504
Emsisoft - 20120504
eSafe Win32.Banker 20120502
eTrust-Vet - 20120504
F-Prot - 20120504
F-Secure - 20120504
Fortinet - 20120504
GData - 20120504
Ikarus - 20120504
Jiangmin - 20120504
K7AntiVirus - 20120502
Kaspersky - 20120504
McAfee - 20120504
McAfee-GW-Edition - 20120504
Microsoft - 20120504
NOD32 - 20120504
Norman - 20120503
nProtect - 20120504
Panda - 20120504
PCTools - 20120504
Rising - 20120504
Sophos - 20120504
SUPERAntiSpyware - 20120411
Symantec - 20120504
TheHacker - 20120504
TrendMicro - 20120504
TrendMicro-HouseCall - 20120504
VBA32 - 20120503
VIPRE - 20120504
ViRobot - 20120504
VirusBuster - 20120503

Help!

What can I do?

Thanks for any help you can give.

Regards
Greg

Again in relation to your other topic, when posting stuff like this you need to give full information on the detection, e.g. file name, location, malware name and type of scan, etc.

Is this a detection in memory like your other topic?
Then essentially the answer is the same: a custom scan with the option to scan memory selected can result in weird detections, which is why we don’t recommend scanning memory in a custom scan.

Hi David,

I have attached a few screen shots.

Due to the frauds that have been carried out on my wife’s bank accounts, I am really worried that the problem is still on her PC even though I have reformatted and reinstalled everything.

I have compared the details of the ctfmon on her PC (PC1) with my PC (PC2) and they are the same except for the time modified and created.

Also, she has a ctfmon file in the windows prefetch folder and I do not.

I’m going a bit nuts with this as I am not allowing her to use her PC until I am 100% certain it is “clean”…

Thanks for your help.
Regards
Greg

Well, it is as I suspected: a detection in memory, no doubt from a custom scan with memory scan also selected (as in your other topic), and this causes more grief than relief.

Don’t scan memory; as has been said, if malware is already in memory it is a bit late.

I have no idea why you (she) even select a custom scan, much less scan memory (?). I would stick to the pre-defined Quick and/or Full System Scans.

The other two on the list are files that can’t be scanned and the reason why they can’t be scanned. This isn’t an indication that they are suspect or infected, just that they can’t be scanned.

The file in the prefetch folder isn’t a copy of the actual file; it just helps speed up loading. Unless your prefetch settings are exactly the same as hers, it is unlikely that you would have it in the prefetch folder (I don’t).

Hi David

Thanks for the fast reply…

Would you mind answering the following questions:

  1. If ctfmon is being detected in a memory scan on a newly formatted and installed Windows XP PC, and you are saying that if it is detected in memory then “it is a bit late”, are you saying that this is a “false positive” or that I indeed do have a legitimate virus?

  2. If I have a legitimate virus how do I remove it?

Best Regards
Greg

See this from MS: http://support.microsoft.com/kb/282599

Thanks Arizona

I have already disabled it.

My question relates to the fact that I am getting a “detected” on ctfmon.exe on a brand new installation of Windows XP and am very worried that somehow I have installed a virus (Win32.Banker) during the installation of Office, Outlook or some other method.

I am having trouble believing that this is all coincidence.

Thanks
Regards
Greg

  1. First, the ctfmon.exe file ‘isn’t being detected’; it is something which has been loaded into memory by the ctfmon process, which is why when you upload ctfmon to VirusTotal you don’t get any detection.

The custom memory scan is the most thorough of the memory scans and it digs deep which can have unforeseen consequences. My mention of the scanning of memory, is a throw back to the old days when memory scans were very much the norm. The idea now is to prevent any malware getting into your system in the first place.

If there were a true virus on your system and it had loaded something into memory, there are likely to be other issues; somehow killing the memory block (as it isn’t a physical file) would have little effect, as whatever placed it there would be able to put it right back.

  2. You don’t, in relation to ctfmon, as it isn’t ctfmon which is being detected, but a block of memory loaded by it.

Hi David

VirusTotal IS detecting that ctfmon.exe contains the Win32.Banker virus… it is saying that eSafe is detecting it.

Regards
Greg

For your ease of mind…

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

Hi Asyn

Here are the logs from PC1.

Thanks again
Regards
Greg

You’re welcome.
Now you have to wait a while.

What is ctfmon.exe?

[i]ctfmon.exe is a process belonging to Microsoft Office Suite. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. This process monitors active windows, providing support for handwriting and speech recognition, translations, keyboard and other alternative input methods.

Whilst this program is a non-essential system process, it should not be terminated unless suspected of causing problems, as it could cause issues in Office XP programs. [/i]

ctfmon.exe is a system process that is needed for your PC to work properly. It should not be removed.

I believe the ctfmon.exe is a false positive unless Avast confirms this ??? ??? ???

Thanks SpeedyPC

I am aware of what ctfmon does but am concerned that it may actually be a virus due to the following:

  1. Avast detected it as a virus via a memory scan.
  2. VirusTotal detected it as the Win32.Banker virus, which causes the types of problems we have been experiencing over the last few weeks with my wife’s internet banking password being stolen and used fraudulently.
  3. I don’t really think the above is a coincidence :slight_smile:

Thanks
Best Regards
Greg

Hi, did you do a clean install of Office, or did you transfer the old data via USB or CD?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • Allow the installation of the recovery console.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

When only 1 of the VT scanners detects anything, it is highly likely that it is an FP; given that this detection is by eSafe, which appears to have a high degree of FPs, I would ignore its detection when the better known AV scanners find nothing.

There are exceptions to this rule of thumb, but I don’t think that is the case here.

@@@@
As I have said the alert in avast isn’t on ctfmon.exe but a memory block that it loaded into memory and you can’t upload a memory block to VT to be scanned. So effectively any scan on ctfmon.exe is invalid as that isn’t what avast is alerting on.

Save yourself a boatload of grief and do as suggested don’t scan memory on a custom scan.
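The consensus rule of thumb from the post above, turned into a small tally over a VirusTotal result table pasted in the same engine / result / update-date layout as the one earlier in the thread. This is an added example, not code from the thread or from Avast; the table below is a constructed subset of the rows reported above, and the `ConvertFrom-VtTable`, `Get-VtVerdict` names and the threshold of three agreeing engines are this example's own choices. It assumes Windows PowerShell 3 or later (for `[pscustomobject]`).

```powershell
# Constructed sample: a subset of the VT rows quoted earlier in this thread.
$vtText = @'
Antivirus Result Update
AhnLab-V3 - 20120503
Avast - 20120504
eSafe Win32.Banker 20120502
Kaspersky - 20120504
McAfee-GW-Edition - 20120504
Microsoft - 20120504
Symantec - 20120504
'@

function ConvertFrom-VtTable {
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if (-not $line) { continue }
        # Row layout: "<engine> <result or -> <yyyymmdd signature update>".
        # Engine names carry no spaces in the pasted output; results may.
        if ($line -match '^(\S+)\s+(.+?)\s+(\d{8})$') {
            [pscustomobject]@{
                Engine   = $matches[1]
                Result   = $matches[2]
                Updated  = [datetime]::ParseExact($matches[3], 'yyyyMMdd', $null)
                Detected = ($matches[2] -ne '-')
            }
        }
    }
}

function Get-VtVerdict {
    param([object[]]$Rows, [int]$ConsensusThreshold = 3)
    $hits   = @($Rows | Where-Object { $_.Detected })
    # Newest signature date in the table; a detecting engine whose signatures
    # lag behind the rest is weaker evidence still.
    $newest = ($Rows | Sort-Object Updated -Descending | Select-Object -First 1).Updated
    $stale  = $hits | Where-Object { ($newest - $_.Updated).Days -ge 1 } |
              ForEach-Object { "$($_.Engine) ($(($newest - $_.Updated).Days) days behind)" }

    if ($hits.Count -eq 0) {
        $verdict = 'no detections'
    } elseif ($hits.Count -lt $ConsensusThreshold) {
        $verdict = 'single/low-consensus detection: likely FP, verify the file itself (signature, hash, location)'
    } else {
        $verdict = 'multi-engine consensus: treat as malicious'
    }

    [pscustomobject]@{
        Ratio          = "$($hits.Count) / $($Rows.Count)"
        DetectedBy     = ($hits | ForEach-Object { "$($_.Engine): $($_.Result)" }) -join '; '
        StaleDetectors = ($stale -join '; ')
        Verdict        = $verdict
    }
}

$rows = @(ConvertFrom-VtTable -Text $vtText)
Get-VtVerdict -Rows $rows | Format-List
```

On the sample this reports a 1 / 7 ratio, `eSafe: Win32.Banker` as the only detector, eSafe as 2 days behind the newest signature set, and the low-consensus verdict. The threshold is a judgement call: the post's point is that one engine disagreeing with forty-one others is weak evidence, not that any fixed number settles it.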

Save yourself a boatload of grief and do as suggested don't scan memory on a custom scan.

Why does it take a sledgehammer to convince some people ??? (No offense meant, but David is right: save yourself a whole lot of work.)

ctfmon can be either a valid program, in XP, or malware. Check the file’s Properties to see where it is located and whether it has a proper Digital Signature. Also check the Timestamp and Details, both in Properties, on each computer, to see if they make sense.

ctfmon files have been known to become corrupt, which could have created your problem.
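The per-machine checks suggested above (location, digital signature, timestamps, version details), collected as one record so the two PCs can be compared field by field instead of by eye. This is an added example, not code from the thread, from Avast or from Microsoft; the `Get-ExecutableProfile` and `Compare-ExecutableProfile` names are this example's own, it assumes Windows PowerShell 3 or later and ctfmon.exe at %SystemRoot%\System32, and the reference SHA-256 is the one VirusTotal reported for the file submitted earlier in this thread.

```powershell
# SHA-256 that VirusTotal reported for the ctfmon.exe submitted in this thread;
# matching it confirms the local file is byte-for-byte the one that was scanned.
$threadVtSha256 = '5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1'

function Get-ExecutableProfile {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName

    # SHA-256 via .NET so it also works where Get-FileHash is unavailable.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($item.FullName)
    try   { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Dispose() }

    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Path            = $item.FullName
        InSystem32      = ($item.DirectoryName -ieq (Join-Path $env:SystemRoot 'System32'))
        SizeBytes       = $item.Length
        Created         = $item.CreationTime
        Modified        = $item.LastWriteTime
        FileVersion     = $item.VersionInfo.FileVersion
        CompanyName     = $item.VersionInfo.CompanyName
        SignatureStatus = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        SHA256          = $hash
        MatchesThreadVt = ($hash -ieq $threadVtSha256)
    }
}

function Compare-ExecutableProfile {
    param($A, $B)
    # Created/Modified legitimately differ between two installs, so they are
    # reported but not treated as differences; everything else should match
    # for the same OS build and service pack.
    $fields = 'InSystem32','SizeBytes','FileVersion','CompanyName','SignatureStatus','Signer','SHA256'
    foreach ($f in $fields) {
        if ($A.$f -ne $B.$f) {
            "$f differs: $($A.Computer)=$($A.$f)  $($B.Computer)=$($B.$f)"
        }
    }
}

# Run on each PC, then copy the XML files together and compare.
$profile = Get-ExecutableProfile -Path (Join-Path $env:SystemRoot 'System32\ctfmon.exe')
$profile | Format-List
$profile | Export-Clixml -Path (Join-Path $env:TEMP "ctfmon-$env:COMPUTERNAME.xml")

# On the comparing machine:
#   $pc1 = Import-Clixml C:\path\ctfmon-PC1.xml
#   $pc2 = Import-Clixml C:\path\ctfmon-PC2.xml
#   Compare-ExecutableProfile -A $pc1 -B $pc2   # prints nothing when the files agree
```

One caveat a reader applying this to XP-era binaries should know: many Microsoft system files are signed through a Windows catalog rather than carrying an embedded Authenticode signature, so `SignatureStatus` can read `NotSigned` on older Windows even for a legitimate file. In that case the hash, file version and company name agreeing with the second PC (and with the hash VirusTotal already has) carry the weight; a file outside System32, a hash that matches neither, or a `HashMismatch` status is what would warrant a closer look.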