ctfmon.exe? System file? Trojan? Rastafarian Capture the Flag?
TetraNitroCubane:
Sorry to make a new thread about this, but I keep seeing conflicting information floating about the intertubes about this particular executable.
I was going through a routine spyware and virus check this morning, and after putting my HijackThis log into an auto-analyzer, it came back with the result that ctfmon.exe was a spyware-related file. I believe it was attributed to some horrid CoolWebSearch variant. Doing a quick Google search revealed that this file is either: A.) a harmless Microsoft Office file that is used for various alternative inputs or languages within the Office suite, B.) a trojan running in the background, or C.) a piece of adware/spyware.
No one seems to agree on this file, but I know folks around here are dependable and knowledgeable about these issues. Is there any way to check if it's legit or not? Currently it's running from \Windows\System32\, if that makes a difference. I'd also post my HijackThis log, but I will be away from the computer in question for a few hours hence.
You can remove it and the alternative user input stuff by going through the Office setup. Use Ad-Aware or Windows Defender to double check everything after you remove it, if you decide to do so of course.
"B" is unlikely.
"C" is possible but you would have noticed by now if you got stuck with something.
My version of Ad-Aware does not bring it up as spyware at all, and I've run other programs on this machine and that particular app has never brought up any warnings.
I know that if I bring up the System Configuration Utility, it's one of the start-up programs I can choose not to run at start-up.
Also, once I got the 'Rastafarian capture the flag' joke, I giggled like crazy.
These days, if you're looking for malware on your machine, a process list doesn't tell you much of anything. Malware likes to use names like svchost.exe, or just load as a library into a legitimate exe that is already running. Then you've got rootkits, which can hide their process altogether.
If you are curious about a particular exe being part of the system or not, check that it is signed by Microsoft. A program like Process Explorer will tell you whether or not the binary is signed. The "company name" field will say "Microsoft Corporation" if it is.
It's probably safe, since it's running from system32. ctfmon tends to show up if you've installed support for languages that don't use the Roman alphabet. I've got it running on my system for that very reason.
Follow Fristle's advice and use Process Explorer to check it out. If you're still worried, then you can scan your system with Rootkit Revealer.
Sarathai
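The signature check Fristle describes, as an added PowerShell example that is not from the thread. It assumes a current Windows PowerShell, where Get-AuthenticodeSignature also consults the security catalogs that OS binaries are usually signed through, so a file that a PE-only viewer reports as 'unsigned' can still verify here; the process name and expected directory are parameters.

```powershell
# Added example: for each running instance of a process, verify that the image
# is Microsoft-signed and sits where the system copy is expected to live.
param(
    [string]$ProcessName = 'ctfmon',                       # process name without .exe
    [string]$ExpectedDir = "$env:SystemRoot\System32"      # where the OS copy belongs
)

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    $path = $proc.Path
    if (-not $path) {
        Write-Warning "PID $($proc.Id): image path not readable (try an elevated shell)"
        continue
    }

    # Authenticode check: embedded signature or catalog entry on current Windows.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    # Compare the image directory with the expected one, ignoring case and trailing '\'.
    $inExpectedDir = (Split-Path $path -Parent).TrimEnd('\') -ieq $ExpectedDir.TrimEnd('\')
    $msSigned      = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    $verdict = if ($msSigned -and $inExpectedDir) { 'looks like the OS copy' }
               elseif ($msSigned)                 { 'Microsoft-signed but unexpected location' }
               else                               { 'NOT verified: investigate' }

    [pscustomobject]@{
        PID        = $proc.Id
        Path       = $path
        SigStatus  = $sig.Status       # Valid, NotSigned, HashMismatch, ...
        Signer     = $signer
        InExpected = $inExpectedDir
        Verdict    = $verdict
    }
}
```

A HashMismatch status means the file no longer matches what was signed, which is a stronger signal than an unfamiliar name; a valid Microsoft signature from an unexpected directory is also worth a second look.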
TetraNitroCubane:
edited May 2007
Thanks for all the advice, guys. I took a closer look through Process Explorer as Fristle recommended, and it is listed as a "Microsoft Corporation" process. Oddly, the process is listed as 'unsigned' in the properties, but it does look like it's part of the system.
It doesn't seem to be 'phoning home', and looks pretty legit, so I'll just leave well enough alone for the time being. I guess if oddities crop up later I can always remove it manually.