I have 2 PCs running exactly the same version of Avast Internet Security on Windows XP. PC#1 runs Office 2003 Small Business Edition and PC#2 Office 2007.
When I do a scan on PC#1 it detects CTFMON.EXE as a Threat: Win32:Trojan-gen. When I run a scan on PC#2, it does not see CTFMON.EXE as a threat… what’s going on?
Please note that PC#1 has been totally rebuilt with a clean and new installation of Windows and Office 2003.
Here is some more information relating to the issue.
Over the past 3 weeks, my wife’s internet banking password and account number were stolen and used to steal money from her accounts. The bank detected the fraud the first time and notified us, and her password was reset. I then scanned her PC (PC#1) with the latest version of Avast and MBAM and did not find anything. Then last week, the same thing happened again! I have put together a totally new PC with a clean install of Windows XP etc. and installed Avast Internet Security and the Pro version of MBAM. I then ran the scans and that is when Avast detected that there was something wrong with ctfmon.exe (in memory). I did some investigation and found that I could simply “turn it off” so it was not loaded in memory.
I just ran ctfmon.exe through VT and here are the results. It looks like eSafe picks up Win32.Banker, which from what I read is probably the cause of all of our problems.
SHA256: 5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1
File name: ctfmon.exe
Detection ratio: 1 / 42
Analysis date: 2012-05-04 10:42:38 UTC ( 0 minutes ago )
Again in relation to your other topic, when posting stuff like this you need to give full information on the detection, e.g. file name, location, malware name and type of scan, etc.
Is this a detection in memory like your other topic?
Then essentially the answer is the same: a custom scan electing to scan memory can result in weird detections, which is why we don’t recommend scanning memory in a custom scan.
Due to the frauds that have been carried out on my wife’s bank accounts, I am really worried that the problem is still on her PC even though I have reformatted and reinstalled everything.
I have compared the details of the ctfmon on her PC (PC1) with my PC (PC2) and they are the same except for the time modified and created.
Also, she has a ctfmon file in the windows prefetch folder and I do not.
I’m going a bit nuts with this as I am not allowing her to use her PC until I am 100% certain it is “clean”…
Well, it is as I suspected, a detection in memory, no doubt from a custom scan with memory scan selected (as in your other topic), and this causes more grief than relief.
Don’t scan memory; as has been said, if malware is already in memory it is a bit late.
I have no idea why you (she) even select a custom scan, much less scan memory (?). I would stick to the pre-defined Quick and/or Full System Scans.
The other two on the list are files that can’t be scanned and the reason why they can’t be scanned. This isn’t an indication that they are suspect or infected, just that they can’t be scanned.
The file in the prefetch folder isn’t a copy of the actual file, it just helps speed loading. Unless your prefetch settings are exactly the same as hers it is unlikely that you would have it in the prefetch folder (I don’t).
If ctfmon is being detected in a memory scan on a newly formatted and installed Windows XP PC and you are saying that if it is detected in memory then “it is a bit late”, are you saying that this is a “false positive” or that I indeed do have a legitimate virus?
My question relates to the fact that I am getting a “detected” on ctfmon.exe on a brand new installation of Windows XP and am very worried that somehow I have installed a virus (Win32.Banker) during the installation of Office, Outlook or some other method.
I am having trouble believing that this is all coincidence.
First, the ctfmon.exe file ‘isn’t being detected,’ but something which has been loaded into memory by the ctfmon process, which is why when you upload ctfmon to virustotal you don’t get any detection.
The custom memory scan is the most thorough of the memory scans and it digs deep, which can have unforeseen consequences. My mention of the scanning of memory is a throwback to the old days when memory scans were very much the norm. The idea now is to prevent any malware getting into your system in the first place.
If there were a true virus on your system and it had loaded something into memory, there are likely to be other issues; somehow killing the memory block (as it isn’t a physical file) would have little effect, as whatever placed it there would be able to put it right back.
You don’t in relation to ctfmon, as it isn’t ctfmon which is being detected, but a block of memory loaded by it.
ctfmon.exe is a process belonging to Microsoft Office Suite. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. This process monitors active windows, providing support for handwriting and speech recognition, translations, keyboard and other alternative input methods.
Whilst this program is a non-essential system process, it should not be terminated unless suspected to be causing problems, as it could cause issues in Office XP programs.
ctfmon.exe is a system process that is needed for your PC to work properly. It should not be removed.
I believe the ctfmon.exe is a false positive unless Avast confirms this.
I am aware of what ctfmon does but am concerned that it may actually be a virus due to the following:
Avast detected it as a virus via a memory scan.
Virustotal detected it as the Win32.Banker virus that causes the types of problems we have been experiencing over the last few weeks with my wife’s internet banking password being stolen and used fraudulently.
Hi, did you do a clean install of Office, or did you transfer the old data via USB or CD?
Download and Install ComboFix
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks.
- Allow the installation of the recovery console.
When only 1 of the VT scanners detects anything, it is highly likely that it is an FP; given that this detection is by eSafe, which appears to have a high degree of FPs, I would ignore its detection when the better known AV scanners find nothing.
There are exceptions to this rule of thumb, but I don’t think that is the case here.
As I have said, the alert in avast isn’t on ctfmon.exe but on a memory block that it loaded into memory, and you can’t upload a memory block to VT to be scanned. So effectively any scan on ctfmon.exe is invalid, as that isn’t what avast is alerting on.
Save yourself a boatload of grief and do as suggested: don’t scan memory on a custom scan.
ctfmon can be both a valid program, in XP, or malware. Check the file’s Properties to see where it is located and if it has a proper Digital Signature. Also check the Timestamp and Details in Properties on each computer to see if they make sense.
ctfmon files have been known to become corrupt, which could have created your problem.
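The checks the previous reply suggests (location, digital signature, timestamps, version details), plus a comparison against the SHA256 the original poster obtained from VirusTotal, can be done from one PowerShell session on each PC. This is an added example written for this thread, not something posted by any participant; it assumes PowerShell 2.0 or later (the version available on XP) and the default %SystemRoot% location.

```powershell
# Added example (not from the thread): inspect the on-disk ctfmon.exe the way the
# last reply suggests, and compare its SHA256 with the VirusTotal result posted above.
$Path         = Join-Path $env:SystemRoot 'system32\ctfmon.exe'
$ExpectedHash = '5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1'  # from the posted VT report

if (-not (Test-Path $Path)) { throw "ctfmon.exe not found at $Path" }

# SHA256 via .NET, because Get-FileHash only exists from PowerShell 4 onwards.
function Get-Sha256Hex([string]$File) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($File)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

$item = Get-Item $Path
$ver  = $item.VersionInfo
$sig  = Get-AuthenticodeSignature $Path
$hash = Get-Sha256Hex $Path

# Caveat: Windows system binaries are normally signed through catalog files rather
# than an embedded signature, so older PowerShell reports them as NotSigned even
# when genuine. Use sigverif.exe for a catalog-aware check; treat an unexpected
# path, company name or hash mismatch as the stronger signal here.
New-Object PSObject -Property @{
    Path          = $item.FullName
    Created       = $item.CreationTime
    Modified      = $item.LastWriteTime
    FileVersion   = $ver.FileVersion
    Company       = $ver.CompanyName
    Description   = $ver.FileDescription
    SigStatus     = $sig.Status
    Signer        = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' })
    SHA256        = $hash
    MatchesVTHash = ($hash -eq $ExpectedHash)
} | Format-List

# Where is ctfmon started from? A genuine XP install launches it from the
# per-user Run key and points at System32; anything else warrants a look.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty $runKeys -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSObject.Properties | Where-Object { "$($_.Value)" -match 'ctfmon' } } |
    Select-Object Name, Value
```

Run it on both PC#1 and PC#2: matching hash, version and company, with the Run entry pointing at System32, is what two genuine copies look like, and the differing Created/Modified timestamps the poster noticed are expected on separate installs.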