ctfmon.exe? System file? Trojan? Rastafarian Capture the Flag?

TetraNitroCubaneTetraNitroCubane The DjinneratorAt the bottom of a bottleRegistered User regular
edited May 2007 in Help / Advice Forum
Sorry to make a new thread about this, but I keep seeing conflicting information floating about the intertubes about this particular executable.

I was going through a routine spyware and virus check this morning, and after putting my hijackthis log into an auto-analyzer, it came back with the result that ctfmon.exe was a spyware related file. I believe it was attributed to some horrid cool web search variant. Doing a quick google search revealed that this file is either: A.) A harmless Microsoft Office file that is used for various alternative inputs or languages within the Office suite. B.) A trojan, running in the background, or C.) A piece of Adware / Spyware.

No one seems to agree on this file, but I know folks around here are dependable and knowledgeable about these issues. Is there any way to check if it's legit or not? Currently it's running from \Windows\System32\ if that makes a difference. I'd also post my hijackthis log, but will be away from the computer in question for a few hours hence.

Thanks for any help.

TetraNitroCubane on


  • KMFurDMKMFurDM Registered User, ClubPA
    edited April 2007
    The correct answer is "A".

    You can remove it and the alternative user input stuff by going through the Office setup. Use Ad-Aware or Windows Defender to double check everything after you remove it, if you decide to do so of course.

    "B" is unlikely.

    "C" is possible but you would have noticed by now if you got stuck with something.

    KMFurDM on
  • gundam470gundam470 Registered User regular
    edited April 2007
    My version of ad-aware does not bring it up as spy-ware at all and I've run other programs on this machine and that particular app has never brought up any warnings.

    I know that if i bring up the system configuration utility, it's one of the start-up programs i can choose not to run at start-up.

    Also, once i got the 'rastafarian capture the flag' joke, i giggled like crazy.

    gundam470 on
  • FristleFristle Registered User
    edited April 2007
    These days, if you're looking for malware on your machine a process list doesn't tell you much of anything. Malware likes to use names like svchost.exe, or just load as a library into a legitimate exe that is already running. Then you've got rootkits, that can hide their process altogether.

    If you are curious about a particular exe being part of the system or not, check that it is signed by Microsoft. A program like Process Explorer will tell you whether or not the binary is signed. The "company name" field will say "Microsoft Corporation" if it is.

    Fristle on
  • SarathaiSarathai Registered User
    edited May 2007
    It's probably safe, since it's running from system32. ctfmon tends to show up if you've installed support for languages that don't use the Roman alphabet. I've got it running on my system for that very reason.

    Follow Fristle's advice and use Process Explorer to check it out. If you're still worried, then you can scan your system with Rootkit Revealer.

    Sarathai on
  • TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    edited May 2007
    Thanks for all the advice, guys. I took a closer look through Process Explorer as Fristle recommended, and it is listed as a "Microsoft Corporation" process. Oddly, the process is listed as 'unsigned' in the properties, but it does look like it's part of the system.

    It doesn't seem to be 'phoning home', and looks pretty legit, so I'll just leave well enough alone for the time being. I guess if oddities crop up later I can always remove it manually.

    TetraNitroCubane on
  • ReitenReiten Registered User
    edited May 2007
Sign In or Register to comment.