what is ctfmon.exe*32?

hi all, I cannot find the answer to this anywhere. I have a week old install of 64 bit 7 home premium. It’s a games pc with a 400 gig steam folder, WoW, Rift, etc.

I run nothing from strat up except windows services, avast and creative drivers.

I have never had any microsoft office gear installed, I do however run libreoffice.

Occassionally, maybe once a day I notice ctfmon.exe*32 running in avasts auto sandbox and in task manager, tracing the file C:Windows\syswow64\ctfmon.exe.

what is it?

I run hitman pro and malwarebytes as scanners they cant find anything?

thanks in advance.

Dont know how you cant find any info on ctfmon as a simple google brings up an abundant amount of information about the subject
http://www.bleepingcomputer.com/startups/ctfmon.exe-1121.html

It is related to SafeZone, which is why it will be sandboxed:

ctfmon.exe is a helper process used in Windows to support input in multiple languages. Your observation is right, Windows injects it into the SafeZone as soon as an interactive process is started there, but I don't think it's a problem.

Call it a feature. :wink:


http://forum.avast.com/index.php?topic=71652.msg598771#msg598771

Ah yes that would make sense, never noticed it before, probably wouldnt have now if i had not seen it in the sandbox.
thanks for the replies.

I also think I have seen something like this before (not necessarily relating to the safezone) and that it has something to do with the fact that it is running as the 32 bit version of ctfmon.exe on a 64bit OS.

hmm, I have had a look and the only program i have installed is libreoffice (that is multiligual) that is 32 bit program, i used it before when it was called open office.
I am fairly sure this is not malware as it’s pretty much a clean install, it is just a process i am not familiar with.

The ctfmon.exe file is an OS file (given your previous path C:Windows\syswow64\ctfmon.exe), whilst 32bit version LibreOffice is likely to use it, it is unlikely it would have its own version. So it is likely to be using the 32 bit version (in a 64bit OS), hence the *32 suffix after the file name, at least that is what I believe happens.

so it shouldn’t be there? eeek! if i have picked up my first infection in 8 years and within a week of using avast im proper annoyed!

No that isn’t what I’m saying, in a 64bit OS if a program requires a 32bit version of a system file than that suffix normally indicates that it is running the 32bit version of the file.

right! I will keep my eyes on it then, thanks for the advice.

You’re welcome.