Spyware, Viruses, & Security forum

General discussion

CTF LOADER

by bently / April 16, 2008 12:12 AM PDT

WINPATROL keeps popping this up on my computer...


""A new auto startup program has been detected.
This program will run each time you login or restart your machine.

Do you approve the additon of this program startup setting?
Press YES if this program is expected and acceptable.

CTF LOADER
C:\WINDOWS\system32\ctfmon.exe
CTF loader
Microsoft Corporation version 5.1.2600.2180 ""


I am clicking DENY each time, but it keeps popping up every few minutes.


Did an ADVANCED SEARCH on CNET forums for CTF LOADER, this is what came up.

"W32/Agobot-JS is a worm that spreads to remote shares with weak passwords.
The worm copies itself as soundman.exe to the Windows system folder "


Using win XP sp2, auto update.
Do NOT have any MS OFFICE programs on my computer.
ALSO I am getting a lot of UNKNOWN various sites wanting to access my computer, I keep clicking DENY, but some are very persistant.


Latest PERSISTANT popup was from SHAWCABLE.NET, wanting to send UDP datagram to port 1027 owned by Kerio personal firewall.

Appreciate any help on this.

Thanks

Ben

Post a reply
Discussion is locked
You are posting a reply to: CTF LOADER
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: CTF LOADER
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Frequently asked questions about Ctfmon.exe
by Marianna Schmudlach / April 16, 2008 2:08 AM PDT
In reply to: CTF LOADER
Collapse -
To disable it..
by Donna Buenaventura / April 16, 2008 2:26 AM PDT
In reply to: CTF LOADER

Hi Ben,

You can try to disable it. Follow any of the guides at http://support.microsoft.com/kb/282599

See WinPatrol's description on ctfmon.exe:
http://www.winpatrol.com/db/plus2007/ctfmon.html?ctfmon.exe&1

Make sure that you are seeing ctfmon.exe and not the ctfmon.dll. "Ctfmon.dll is a completely unrelated file that installs with Family Keylogger. This "

See also at CastleCops:
CTFMon is involved with the language/alternative input services in Office XP. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don\'t need these features. For more info on ctfmon See_Here ;en-us;282599 . CTFMON can be disabled from Control Panel, Text & Speech Services. NOTE: The file will always be located in the System32 folder. If it is located elsewhere, it will likely be a worm or trojan!
http://www.castlecops.com/s795-ctfmon_exe.html

If you suspect that your computer has infection, try to scan using:
ESET online scanner or Housecall
http://www.trendsecure.com/portal/en-US/tools/security_tools/housecall
http://www.eset.com/onlinescan/

As for Kerio's alert on Port 1027, are you using any program (e.g. instant messenger) when the alert is displayed?

When you see the alert, try to do a netstat -ano to find out the PID # using the Port 1027 and which processes is listening to shawcable.net
Note the PID # then open task manager, configure it to show PID column then locate what processes is using the said PID#

Collapse -
Deleting CTFMON.EXE
by bently / April 18, 2008 12:46 AM PDT
In reply to: To disable it..

Thanks Marianna and Donna,

I Googled this and did not see any mention of DELETING CTFMON.EXE if you do NOT have MS Office programs.


I went to Control Panel/Text Services and Input Languages/ADVANCED and checked "turn off advanced text services".


I do NOT have any MS Office programs installed.

Is it safe to delete CTFMON.EXE from C drive?

Collapse -
Don't remove or delete
by Donna Buenaventura / April 18, 2008 1:13 AM PDT
In reply to: Deleting CTFMON.EXE

When you checked the "Turn off advanced text services", the ctfmon.exe should stop in loading. WinPatrol should not alert you about it anymore.

Deleting ctfmon.exe is not recommended by Microsoft. Only way to handle it is disable.
It is installed on XP (I know I saw it to mine) even though there's no MS Office programs on my XP with SP2.

Collapse -
(NT) Thanks Donna
by bently / April 18, 2008 1:36 AM PDT
In reply to: Don't remove or delete
Collapse -
(NT) You're welcome Ben. We're happy to help :)
by Donna Buenaventura / April 18, 2008 3:05 AM PDT
In reply to: Thanks Donna
Popular Forums
icon
Computer Help 49,613 discussions
icon
Computer Newbies 10,349 discussions
icon
Laptops 19,436 discussions
icon
Security 30,426 discussions
icon
TVs & Home Theaters 20,308 discussions
icon
Windows 10 360 discussions
icon
Phones 15,802 discussions
icon
Windows 7 7,351 discussions
icon
Networking & Wireless 14,641 discussions

Tech explained

Do you know what an OLED TV is?

CNET explains how OLED technology differs from regular TVs, and what you need to know to make the right shopping decision.