Yes, it is frustrating, and the deeper you dig or the more thorough you get (heuristics, PUPs, etc.), the more likely you are to bump into something that needs investigating.
That is why I tend to stick to the pre-defined scans, Quick or Full System scans, as I believe that with the resident protection you are, in the greatest majority of cases, scanning what are inert files, or they would be scanned by the resident scanner.
What I can’t understand is why I can’t replicate it based on your settings and why others aren’t reporting this also if it were a simple false positive in the memory scan. We had something similar, win32:malware-gen on svchost I believe on a memory scan, which I was able to replicate, and that was reported and corrected.
Just to add to this thread, I have the same problem as core1Snick; the memory scan of Avast 5 shows the result “*PROCESS\100\ctfmon.exe\400000\6000\ctfmon.exe Severity High Threat: Win32:Trojan-gen”. The machine is running XP Pro SP3. There are no suspicious copies of ctfmon.exe on the machine (that I can see!). The ctfmon.exe files that do exist all come up clean with Avast. Process Explorer shows only one copy of ctfmon.exe as a sub-process of Explorer. It all seems good. I wonder if this is indeed a false positive. The only part of it I am not so sure about is the possibility that it could be another process that ctfmon has loaded that is the real problem; how would one go about detecting such a process? Process Explorer didn’t show any sub-processes to Ctfmon.
Could DavidR post back when/if he gets the result of any investigation of this?
Whilst writing, thanks to the Avast! team for a first-rate antivirus package.
I didn’t get anything further back on it as it is extremely difficult to replicate: ctfmon.exe gets into everything, so it could be loading something into memory that isn’t being loaded by others. Which is why I couldn’t replicate it.
Personally I would reboot to clear memory and run another memory scan and see if it is replicated. Unless you investigate at the time of detection it is very hard to pin down. You need something like Process Explorer and look for the ctfmon.exe entry with the process ID 100 and see what happens to be associated with it. Even if you find it, interpreting the results would need specialist knowledge and possibly tools.
I honestly don’t see too many benefits, only heartaches, when you start doing memory and much deeper scans; unless you know exactly what is going on within your systems, it just returns more questions than answers.
Following your advice, I’ve checked the (in)famous ctfmon.exe process using the System Explorer application (part of TCUP, really comes in handy). Security status of said process is safe. Checking the process details, I’ve got the list of all the associated modules. Needless to say, I have checked each one of them - all came up being perfectly clean (no surprises there). Since memory scan still shows ctfmon.exe to be a threat, and at the same time my system is pretty much clean i.e. no other threats detected, I’ll definitely treat this as a false positive.
Regarding ctfmon.exe PID - in my case it was 1652, but it would probably be different for somebody else. Although ctfmon.exe process could have exactly the same process ID on two different computers (running the same OS), chances for that to occur are pretty small. So, people who want to check this should look for the ctfmon.exe entry in process explorer, as well as modules or other processes associated with it.
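The check the two posts above describe (find the flagged process by PID, then look at every module associated with it) can be scripted. This is an added example, not code from the thread or from Avast; it assumes Windows PowerShell 4 or later (for Get-FileHash) and an elevated session, and the default process name is just an assumption matching this thread.

```powershell
# Added example: triage the process a memory-scan detection points at.
# Given the PID from the scan report, list every module mapped into that
# process with its base address, on-disk SHA-256 and Authenticode status,
# so each file can be cross-checked against the scan line individually.
# Assumes Windows PowerShell 4+ (Get-FileHash) run from an elevated prompt.
param(
    [Parameter(Mandatory = $true)][int]$ProcessId,   # PID from the scan report
    [string]$ExpectedName = 'ctfmon'                  # assumed name; sanity check only
)

$proc = Get-Process -Id $ProcessId -ErrorAction Stop
if ($proc.ProcessName -ne $ExpectedName) {
    # PIDs are reused after a reboot, which is why the posts above stress
    # investigating at the time of detection rather than later.
    Write-Warning "PID $ProcessId is '$($proc.ProcessName)', not '$ExpectedName'; the PID may have been reused since the scan."
}

# The main image is listed first; a block reported at 0x400000 is the usual
# image base of a 32-bit executable, i.e. the process's own EXE, not a DLL.
Write-Host ("Main image: {0}" -f $proc.MainModule.FileName)

$proc.Modules | ForEach-Object {
    $path = $_.FileName
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Module    = $_.ModuleName
        BaseAddr  = ('0x{0:X8}' -f $_.BaseAddress.ToInt64())
        Size      = $_.ModuleMemorySize
        Path      = $path
        SHA256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        Signature = $sig.Status           # Valid, NotSigned, HashMismatch, ...
        Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
    }
} | Sort-Object Signature, Module | Format-Table -AutoSize

# A module whose BaseAddr matches the "memory block" address in the scan
# line is the one the scanner actually flagged; a block address that matches
# no module at all is anonymous memory (heap or an allocated buffer), which
# is where data such as another product's signature set would live.
```

Compare the BaseAddr column against the memory block address in the scan report; unsigned or hash-mismatched entries are the files worth re-scanning on disk or submitting to the vendor as a possible false positive.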
Thanks to DavidR and other posters for the info and ideas. I appreciate that it’s very likely to be a false positive, though I’m still going to play it safe just in case.
What I’ve done is to turn off advanced text services in the Regional and Language options applet in Control Panel, which makes ctfmon.exe unload & not start on startup. There is a warning that this will adversely affect East Asian users as it closes the language bar; other than that, it appears that there are no ill effects and the infection alert is gone.
I intend to play around further with Process Explorer - having read the documentation I think I may be able to discover which process loaded by ctfmon.exe is causing the issue - and will post again when/if I have done this.
I have the same problem with ctfmon.exe and cmdagent.exe.
After scanning my computer, Avast reports this:
‘‘Process 516 [ctfmon.exe], memory block 0x0000000000400000, block size 24576 (ctfmon.exe) - High - Threat: Win32:Trojan-gen’’ and
‘‘Process 1388 [cmdagent.exe], memory block 0x0000000002260000, block size 471040 - High - Threat: Win32:FakeWimes-B [Trj]’’ and
the same problem was with some process of Panda Cloud Antivirus.
I’m from Serbia.
ctfmon.exe is for the Language Bar: I use English, Russian, Serbian Cyrillic and Serbian (Latin).
cmdagent.exe is for Comodo Firewall.
I use a custom scan: all hard disks, operating memory of the computer, auto-start programs (all users), rootkits (full scan) - Scan PUP: on.
I have used these settings for a long time, and there was no problem. But since one of the last updates of Avast there has been this problem.
Comodo Firewall shouldn’t need to load virus signatures into memory if you aren’t running the AV function (which you shouldn’t be; two resident AVs is a no-no), as a stand-alone firewall shouldn’t be scanning for viruses.
As you will have found from my previous posts, ctfmon.exe is involved in more than just one area (Language bar, etc.) and you have to pin down exactly which occurrence of ctfmon it is and what is running under that occurrence.
And after disabling ctfmon.exe from starting with the system, there’s no ctfmon.exe running on my computer any more, there’s no language bar in the taskbar, and Avast in my custom scan does not report this:
This is something which we have asked before: why Comodo is loading virus signatures into memory if the AV and/or Defence+ isn’t running. I believe it was even asked in the Comodo forums by one Avast user who also uses Comodo. Though I don’t believe there was any real answer as to why they do this if the virus signatures aren’t being used.