PDA

View Full Version : ctfmon.exe - keylogger??



Agent_24
06-07-2006, 11:39 PM
Was just doing a scan with A-Squared when I happened to find something I had never seen before (apart from the usual advertisement cookies):

Object Diagnosis
Value: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Te rminal Server\SysProcs --> ctfmon.exe Trace.Registry.FamilyKeylogger
Value: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Te rminal Server\SysProcs --> ctfmon.exe Trace.Registry.FamilyKeylogger
Value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Terminal Server\SysProcs --> ctfmon.exe Trace.Registry.FamilyKeylogger

Apparently ctfmon.exe is part of office XP, but I only have office 2000.

Also, ctfmon.exe is not listed in any startup field (checked with msconfig and starter), and it isn't a running process either (in taskmanager or process viewer or anything else)

So why are these registry entries there? and should I delete them??

gibler
07-07-2006, 12:12 AM
hmmmmmm (http://www.hijackfree.com/en/autorundetails/?command=ctfmon.exe)

FamilyKeylogger can hide itself from the windows process viewer....

look for a CTF folder in C:\WINDOWS\SYSTEM32

zqwerty
07-07-2006, 12:12 AM
Normally ctfmon.exe is an MS program that is used to scan your computer files to index them for fast searching.

I always disable it because it slows the computer down and starts when you are burning important DVD's etc, ie runs just when you don't want it to.

Disable it in services.

Agent_24
07-07-2006, 12:22 AM
I found a CTFMON.EXE in system32, no CTF folder, file properties says 'CTF Loader', made by Microsoft Corporation, seems all legit etc

Can't find anything to do with CTF in services, and the indexing service points to C:\WINDOWS\system32\cisvc.exe

zqwerty
07-07-2006, 12:39 AM
Yes I had this on Win2K as well, that is when I learnt about it. I might be confused about Services but I was sure that I disabled it in Services on XP then removed it altogether.

You can tell when it is running, your computer slows a bit and you can hear it racing through the HDD checking for changes to already indexed and new files etc.

May be a component of XP 2003 Small Business Suite or something like that name, can't recall the exact wording.

"When you run a Microsoft Office XP program, the file Ctfmon.exe (Ctfmon) runs in the background, even after you quit all Office programs." from here:

http://www.neuber.com/taskmanager/process/ctfmon.exe.html

More here:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q282599

Notice that if it is not in the correct folder then it could be a worm!!!!

jenae
07-07-2006, 02:16 PM
Hi, you will find this process in office 2003 as well. Probably not a good idea to turn it off , it uses little processing power, and seems to start no matter how you try to disable it (even following MS instructions in the above link). Only concern would be it's location should be in windows system 32 and system32 dll cache.