Viruslike behaviour of ctfmon.exe

Discussion in 'malware problems & news' started by alexsons, Sep 23, 2005.

Thread Status:
Not open for further replies.
  1. alexsons

    alexsons Registered Member

    Joined:
    Sep 23, 2005
    Posts:
    1
    I have a suspicious ctfmon.exe process running:


    filename: ctfmon.exe
    location: c:\windows\system32


    After ending the process from Task Manager it keeps coming back in the process list. Ending the process and deleting the file from the filesystem won't help either: the file is remade within seconds, and restarted within minutes...

    A search within c:\windows for filenames containing "ctfmon" found also the following file:


    filename: CTFMON.EXE-0E17969B.pf
    location: c:\windows\prefetch


    I can delete this file too, but after a restart it is back again.
    I found also a registry entry for ctfmon.exe in the infamous "run" section:


    location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


    I deleted this entry, and it didn't return. But still ctfmon.exe keeps popping up after reboots and so forth.

    To me these characteristics are typical for viruses, but both Symantec and McAfee don't recognize this one.

    ---------------------------
    The BIG question(s):
    Is this normal behaviour for the standard MS program?
    Or is it really a virus?
    And subsequently how to get rid of it!
    ---------------------------

    Thanks for any help given.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, I have moved your thread to here as it was not a direct ProcessGuard support question.
    Try Jotti's scans found here for a more thorough check.
    http://virusscan.jotti.org/ Use the browse and submit buttons at the top of the page.

    HTH Pilli
     
  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    ctfmon.exe is a voice recognition component if I remember correctly.
    It sometimes launches even if you remove it from startup because some other software (like MS Office) triggers it.
     
  5. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  7. NICK ADSL UK

    NICK ADSL UK Administrator

    Joined:
    May 13, 2003
    Posts:
    9,217
    Location:
    UK
    The best way to install the Microsoft Office suite is to do it on the custom setting and untick the box that covers the voice recognition component. By doing it this way it will never launch when starting the Office suite.

    Regards
     