Author Topic: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....  (Read 11901 times)

Offline Lateral

Hi Guys

I have 2 PCs running exactly the same version of Avast Internet Security, Windows XP. PC#1 runs Office 2003 Small Business Edition and PC#2 Office 2007.

When I do a scan on PC#1 it detects CTFMON.EXE as a Threat: Win32: trojan-gen. When I run a scan on PC#2, it does not see CTFMON.EXE as a threat.....what's going on?

Please note that PC#1 has been totally rebuilt with a clean and new installation of Windows and Office 2003.

Thanks for any help you can provide.

Regards
Greg

Offline Asyn

Re: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....
« Reply #1 on: May 04, 2012, 07:25:27 AM »
> When I do a scan on PC#1 it detects CTFMON.EXE as a Threat: Win32: trojan-gen. When I run a scan on PC#2, it does not see CTFMON.EXE as a threat.....what's going on?

Check it at VT and share the result: https://www.virustotal.com/
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline Lateral

Re: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....
« Reply #2 on: May 04, 2012, 12:58:24 PM »
Hi Asyn,

Here is some more information relating to the issue.

Over the past 3 weeks, my wife's internet banking password and account number were stolen and used to steal money from her accounts. The bank detected the fraud the first time and notified us and her password was reset. I then scanned her PC (PC#1) with the latest version of Avast and MBAM and did not find anything. Then last week, the same thing happened again! I have put together a totally new PC with a clean install of Windows XP etc and installed Avast Internet Security and the Pro version of MBAM. I then ran the scans and that is when Avast detected that there was something wrong with ctfmon.exe (in memory). I did some investigation and found that I could simply "turn it off" so it was not loaded in memory.

I just ran ctfmon.exe through VT and here are the results: It looks like Esafe picks Win32.Banker and from what I read, is probably the cause of all of our problems.

SHA256:   5fb24fc7916a6e6b3be7d84cb1684215b266cd1495575c2e5672b8447932e5b1
File name:   ctfmon.exe
Detection ratio:   1 / 42
Analysis date:   2012-05-04 10:42:38 UTC ( 0 minutes ago )
Antivirus               Result          Update
AhnLab-V3               -               20120503
AntiVir                 -               20120504
Antiy-AVL               -               20120504
Avast                   -               20120504
AVG                     -               20120504
BitDefender             -               20120504
ByteHero                -               20120502
CAT-QuickHeal           -               20120504
ClamAV                  -               20120504
Commtouch               -               20120504
Comodo                  -               20120504
DrWeb                   -               20120504
Emsisoft                -               20120504
eSafe                   Win32.Banker    20120502
eTrust-Vet              -               20120504
F-Prot                  -               20120504
F-Secure                -               20120504
Fortinet                -               20120504
GData                   -               20120504
Ikarus                  -               20120504
Jiangmin                -               20120504
K7AntiVirus             -               20120502
Kaspersky               -               20120504
McAfee                  -               20120504
McAfee-GW-Edition       -               20120504
Microsoft               -               20120504
NOD32                   -               20120504
Norman                  -               20120503
nProtect                -               20120504
Panda                   -               20120504
PCTools                 -               20120504
Rising                  -               20120504
Sophos                  -               20120504
SUPERAntiSpyware        -               20120411
Symantec                -               20120504
TheHacker               -               20120504
TrendMicro              -               20120504
TrendMicro-HouseCall    -               20120504
VBA32                   -               20120503
VIPRE                   -               20120504
ViRobot                 -               20120504
VirusBuster             -               20120503

Help!

What can I do?

Thanks for any help you can give.

Regards
Greg

Online DavidR

Re: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....
« Reply #3 on: May 04, 2012, 02:43:22 PM »
Again in relation to your other topic, when posting stuff like this you need to give full information on the detection, e.g. file name, location, malware name and type of scan, etc.

If this is a detection in memory like your other topic?
Then essentially the answer is the same: a custom scan and electing to scan memory can result in weird detections, which is why we don't recommend scanning memory in a custom scan.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lateral

Re: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....
« Reply #4 on: May 05, 2012, 12:32:05 AM »
Hi David,

I have attached a few screen shots.

Due to the frauds that have been carried out on my wife's bank accounts, I am really worried that the problem is still on her PC even though I have reformatted and reinstalled everything.

I have compared the details of the ctfmon on her PC (PC1) with my PC (PC2) and they are the same except for the time modified and created.

Also, she has a ctfmon file in the windows prefetch folder and I do not.

I'm going a bit nuts with this as I am not allowing her to use her PC until I am 100% certain it is "clean"......

Thanks for your help.
Regards
Greg
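
Added example (not part of any post in this thread): comparing two copies of a file by their displayed details, as in Reply #4, says little, because filesystem timestamps change with every install while size and header fields can match on different files. This Python sketch compares SHA-256 digests and reads the PE link timestamp instead; the file names, timestamps and minimal PE-like byte strings are constructed for the demonstration.

```python
import hashlib
import os
import struct
import tempfile

def pe_link_time(data):
    """Return the COFF TimeDateStamp of a PE image, or None if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Signature (4) + Machine (2) + NumberOfSections (2), then TimeDateStamp
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def fingerprint(path):
    """Content-derived identity of a file, plus its (unreliable) mtime."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "link_time": pe_link_time(data),
        "mtime": int(os.path.getmtime(path)),
    }

def same_binary(path_a, path_b):
    """Two copies are the same binary only if their digests match."""
    return fingerprint(path_a)["sha256"] == fingerprint(path_b)["sha256"]

def fake_pe(link_time, payload):
    """Constructed minimal DOS + COFF header, just enough for this demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, link_time) + payload

def demo():
    """pc1/pc2 differ only in mtime; 'odd' has the same size and link time."""
    tmp = tempfile.mkdtemp()
    files = {"pc1": fake_pe(1208131200, b"A"), "pc2": fake_pe(1208131200, b"A"),
             "odd": fake_pe(1208131200, b"B")}
    paths = {}
    for i, (name, blob) in enumerate(files.items()):
        paths[name] = os.path.join(tmp, name + "_sample.exe")
        with open(paths[name], "wb") as fh:
            fh.write(blob)
        os.utime(paths[name], (1336000000 + i, 1336000000 + i))  # differing mtimes
    return same_binary(paths["pc1"], paths["pc2"]), same_binary(paths["pc1"], paths["odd"])
```

A matching digest only shows that the two on-disk files are identical; it says nothing about what a running process has loaded into memory.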

Online DavidR

Re: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....
« Reply #5 on: May 05, 2012, 12:56:23 AM »
Well, it is as I suspected a detection in memory, no doubt from a custom scan with memory scan also selected (as in your other topic), and this causes more grief than relief.

Don't scan memory; as has been said, if malware is already in memory it is a bit late.

I have no idea why you (she) even select a custom scan, much less scan memory (?). I would stick to the pre-defined Quick and/or Full System Scans.

The other two on the list are files that can't be scanned and the reason why they can't be scanned. This isn't an indication that they are suspect or infected, just that they can't be scanned.

####
The file in the prefetch folder isn't a copy of the actual file, it just helps speed loading. Unless your prefetch settings are exactly the same as hers it is unlikely that you would have it in the prefetch folder (I don't).

Offline Lateral

Re: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....
« Reply #6 on: May 05, 2012, 02:01:38 AM »
Hi David

Thanks for the fast reply....

Would you mind answering the following questions:

1. If ctfmon is being detected in a memory scan on a newly formatted and installed Windows XP PC and you are saying that if it is detected in memory then "it is a bit late", are you saying that this is a "false positive" or that I indeed do have a legitimate virus?

2. If I have a legitimate virus how do I remove it?

Best Regards
Greg

Arizona

  • Guest

Offline Lateral

Re: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....
« Reply #8 on: May 05, 2012, 02:57:46 AM »
Thanks Arizona

I have already disabled it.

My question relates to the fact that I am getting a "detected" on ctfmon.exe on a brand new installation of Windows XP and am very worried that somehow I have installed a virus (Win32.Banker) during the installation of Office, Outlook or some other method.

I am having trouble believing that this is all coincidence.

Thanks
Regards
Greg

Online DavidR

Re: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....
« Reply #9 on: May 05, 2012, 03:34:19 AM »
1. First, the ctfmon.exe file 'isn't being detected,' but something which has been loaded into memory by the ctfmon process, which is why when you upload ctfmon to virustotal you don't get any detection.

The custom memory scan is the most thorough of the memory scans and it digs deep, which can have unforeseen consequences. My mention of the scanning of memory is a throwback to the old days when memory scans were very much the norm. The idea now is to prevent any malware getting into your system in the first place.

If there were a true virus on your system and it had loaded something into memory, there are likely to be other issues, somehow killing the memory block (as it isn't a physical file) would have little effect as whatever placed it there would be able to put it right back.

2. You don't in relation to ctfmon as it isn't ctfmon which is being detected, but a block of memory loaded by it.

Offline Lateral

Re: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....
« Reply #10 on: May 05, 2012, 05:06:56 AM »
Hi David

Virustotal IS detecting that ctfmon.exe contains the Win32.Banker virus......it is saying that Esafe is detecting it.

Regards
Greg

Offline Asyn

Re: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....
« Reply #11 on: May 05, 2012, 05:15:09 AM »
> My question relates to the fact that I am getting a "detected" on ctfmon.exe on a brand new installation of Windows XP and am very worried that somehow I have installed a virus (Win32.Banker) during the installation of Office, Outlook or some other method.
>
> I am having trouble believing that this is all coincidence.

For your ease of mind...

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

Offline Lateral

Re: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....
« Reply #12 on: May 05, 2012, 06:30:45 AM »
Hi Asyn

Here are the logs from PC1.

Thanks again
Regards
Greg

Offline Asyn

Re: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....
« Reply #13 on: May 05, 2012, 06:57:31 AM »
> Hi Asyn
> Here are the logs from PC1.
> Thanks again

You're welcome.
Now you have to wait a while.

Offline SpeedyPC

Re: CTFMON.EXE coming up as infection on PC#1 but not on PC#2.....
« Reply #14 on: May 05, 2012, 08:11:16 AM »
What is ctfmon.exe

ctfmon.exe is a process belonging to Microsoft Office Suite. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. This process monitors active windows, providing support for handwriting and speech recognition, translations, keyboard and other alternative input methods.

Whilst, this program is a non-essential system process, it should not be terminated unless suspected to be causing problems as it could cause issues in Office XP programs.


ctfmon.exe is a system process that is needed for your PC to work properly. It should not be removed.

I believe the ctfmon.exe is false positive unless Avast confirm this ??? ??? ???


Gigabyte 670 LGA1200 Full ATX MB | Intel Core i9-13900 CPU/LGA 1700 | GeForce Nvidia RTX-4070/12GB | 32GB DDR4 | 2 x 1TB Samsung SSD | W11 Home 64bit | Avast Premium v24.3.6108 | Avast SecureLine VPN | Avast Secure Browser | Avast Driver Updater | Avast BreachGuard | Firefox 64bit | MalwareBytes Premium | Adguard Premium | CCleaner Portable | Macrium Reflect | 7-Zip