Author Topic: ctfmon question  (Read 1583 times)


Offline chipmeister

  • Bronze Member
  • Posts: 121
ctfmon question
« on: April 29, 2011, 01:18:30 AM »
While checking my System Configuration Utility, startup tab, I ran across the item ctfmon. I did some checking and saw that it was part of Microsoft Office. But I also saw that it could be a virus/malware, depending on where it was located and that if it was in c:\windows\system32 folder, that was the MS Office item. So, for the heck of it, I decided to do a file/folder search to see where it might be on my drive. Well, not 1, but 4 items popped up. So, now I'm not sure what I have here or if any of the items might be a problem. One note, 3 of the items were named ctfmon, with no .exe suffix (same for the item in my startup tab). But one did have an .exe and it was not the system 32 item. So, below is the list of what the search turned up.

1)  ctfmon      c:\windows\system32                                ctf loader    application
2)  ctfmon      c:\windows\ERDNT\cache                             ctf loader    application
3)  ctfmon      c:\windows\softwaredistribution\download\2d8       ctf loader    application
4)  f816_ctfmon.exe.2BBC3BB7_EE04_46E8_8476_2F99E88F4EE4
    located at: c:\msocache\allusers\900000409-6000-11D3-8CFE-0150048383C9\YC561403.cab

And something that caught my eye and may or may not mean anything: the info for item 3), showed it to have a created date of April 7, 2011 and a modified date of Aug. 10, 2004. Looked out of sequence to me. Also, I was in the middle of running a pretty big issue on the 'post here for malware removal' forum on April 7.

I just wanted to see if any these items might actually be malware/spyware. Thanks.



Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7301
Re: ctfmon question
« Reply #1 on: April 29, 2011, 07:08:53 AM »
ctfmon is dual-purpose - it supports foreign languages within Office and adds a language bar to your bottom bar.  It was added in XP SP2 I think; that's where the modification date comes from.  The one in system32 is the operating one that actually loads at boot.  The other three are from the ERDNT backup cache (created by ERDNT), the folder created during Windows or Updates installation, and the one from the MS Office install.  They are all usually legitimate, and while we have seen malware versions in the past, I can't recall ever seeing one in the last few years, 5 or more say.

If you are truly worried about them, your antivirus and antimalware software should pick up any malware versions, as I said we rarely see malware versions anymore.  You can also upload them to Jotti and/or Virus Total for scanning.
Don't Read?  Can't learn!
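One way to do the checks described in the reply above (where each ctfmon copy lives, whether it is the live System32 one, and whether it is a signed Microsoft binary), plus a look at the Prefetch entries raised later in the thread. This is an added PowerShell example, not from the thread; it assumes PowerShell 4.0 or later run as administrator, and the path filters and column names are my own choices.

```powershell
# Added example (not from the thread). Inventory every ctfmon copy on the system
# drive and report the facts that separate a legitimate Windows binary from a
# look-alike: location, Authenticode signature, file version, hash, timestamps.
# Assumes PowerShell 4.0+ run as administrator. Note: on Windows 7 and earlier,
# catalog-signed system files show as NotSigned here; use sigcheck for those.

$root     = "$env:SystemDrive\"
# The copy that actually runs at logon; everything else is a cache or backup.
$livePath = Join-Path $env:windir 'System32\ctfmon.exe'

# Matches ctfmon.exe and MSI-cached names such as f816_ctfmon.exe.<GUID>.
# Files inside .cab archives (the MSOCache hit in the thread) are not expanded.
$copies = Get-ChildItem -Path $root -Recurse -Force -File -Filter 'ctfmon*' `
              -ErrorAction SilentlyContinue

$report = foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path       = $f.FullName
        IsLiveCopy = ($f.FullName -ieq $livePath)
        SigStatus  = $sig.Status               # Valid, NotSigned, HashMismatch, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Version    = $f.VersionInfo.FileVersion
        SHA256     = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
        Created    = $f.CreationTime
        Modified   = $f.LastWriteTime          # copying keeps the original write time,
    }                                          # so Modified older than Created is normal
}
$report | Format-List

# Copies that deserve a second look: unsigned, or signed by someone other than
# Microsoft. A different hash or version from the System32 copy with a valid
# Microsoft signature just means a different build (backup, update, Office).
$report | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Select-Object Path, SigStatus, Signer, Version | Format-Table -AutoSize

# The Prefetch entries asked about later in the thread: .pf trace files, one per
# launched program (<EXE>-<HASH>.pf), not executables. Their timestamps update on
# each launch, so recent dates are expected.
Get-ChildItem -Path (Join-Path $env:windir 'Prefetch') -Filter 'CTFMON*.pf' `
              -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime, Length | Format-Table -AutoSize
```

The SHA256 column gives you the value to look up on VirusTotal or Jotti without uploading the file itself.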

Offline chipmeister

  • Bronze Member
  • Posts: 121
Re: ctfmon question
« Reply #2 on: April 29, 2011, 10:04:11 AM »
Thanks. None of my software is picking any of it up. Since I had just read about it, and it was kind of new to me, I was curious. I think I'm o.k. Appreciate the help.

Offline chipmeister

  • Bronze Member
  • Posts: 121
Re: ctfmon question
« Reply #3 on: April 29, 2011, 11:11:57 AM »
Oh, one other thing. I did run those through Jotti and Virus Total. Jotti showed them as nothing. One user on VT showed them as malware but there appeared to be a little disagreement there. Anyway, I think they are ok. But I did notice when I searched for them today, there are 2 new ctfmon items in prefetch. Might that be an issue or a normal part of its operation?

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7301
Re: ctfmon question
« Reply #4 on: April 29, 2011, 05:10:07 PM »
Hi,

The pre-fetch cache was introduced first in XP.  What that contains is information relating to programs that the operating system can use to help open the software faster.  The cache is not executable, but just info about where on the drives the software is located, etc.  It also helps defragmenters organize software on your hard drive better so that the drive heads are not thrashing about looking for programs scattered across the drive.  The cache was also intended to help systems boot faster, a major complaint about XP's predecessor OS, Windows 2000.

The prefetch info about each program is updated each time it is opened by the system, so the dates of most system software are usually very current.  In any case, it isn't malware.  If you look in the prefetch cache, you will find numerous individual executables listed there.  That is the accumulated info the OS has captured to help it load them faster.
Don't Read?  Can't learn!