Since I've downloaded sp 3 Norton Internet Security says that
c:\\windows\system32\ctfmon.exe has a keylogger, is this a false positive?
If I remove sp 3 the keylogger also goes so I know it's nothing else.

Edna.

Yes because NIS = Not Intelligent Software

Really gives a good sense of security when it indicts a Microsoft
Office component as a keylogger.

"Edna Boxe" <spamtrap@ntlworld.com> wrote in message
news:79EDC435-E3C9-4694-B521-33FCF8FF1FE3@microsoft.com...
> Since I've downloaded sp 3 Norton Internet Security says that
> c:\\windows\system32\ctfmon.exe has a keylogger, is this a false positive?
> If I remove sp 3 the keylogger also goes so I know it's nothing else.
>
> Edna.
>

but this process can be infected R.McCarty with a virus or keyloggers?
Not because of the updates but it could be the updates revealed the
infection and the OP need to check further.
Like the Svchost.exe can be embedded with a Troj?

FileMon for Windows v7.04
http://technet.microsoft.com/en-us/s.../bb896642.aspx
Have a look here for windows Sysinternals
http://technet.microsoft.com/en-us/s...s/default.aspx

Use this tool to see what taken the most usage of the CPU on your machine.
ShellExView v1.19 - Shell Extensions Manager
http://www.nirsoft.net/utils/shexview.html

To the OP please upload this file ( ctfmon.exe) to this link for scan:
http://www.virustotal.com



"R. McCarty" wrote:

> Yes because NIS = Not Intelligent Software
>
> Really gives a good sense of security when it indicts a Microsoft
> Office component as a keylogger.
>
> "Edna Boxe" <spamtrap@ntlworld.com> wrote in message
> news:79EDC435-E3C9-4694-B521-33FCF8FF1FE3@microsoft.com...
> > Since I've downloaded sp 3 Norton Internet Security says that
> > c:\\windows\system32\ctfmon.exe has a keylogger, is this a false positive?
> > If I remove sp 3 the keylogger also goes so I know it's nothing else.
> >
> > Edna.
> >
>
>
>

What does Symantec Support have to say about it?

Frequently asked questions about Ctfmon.exe:
http://support.microsoft.com/kb/282599

--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


Edna Boxe wrote:
> Since I've downloaded sp 3 Norton Internet Security says that
> c:\\windows\system32\ctfmon.exe has a keylogger, is this a false positive?
> If I remove sp 3 the keylogger also goes so I know it's nothing else.
>
> Edna.

NIS is NOT reliable. It's difficult to believe anything it reports.
IF ctfmon.exe was infected prior to the application of SP3, then NIS
*should have been reporting* it as infected then.

Since this issue occurred after applying SP3, then I'd be willing to bet
my house that it's a False Positive.

Frequently asked questions about Ctfmon.exe
http://support.microsoft.com/kb/282599

Was NIS actively monitoring the system during the download and
installation of SP3 ?
Have you checked Symantec's site to see if this has been reported to them ?


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============


Edna Boxe wrote:

> Since I've downloaded sp 3 Norton Internet Security says that
> c:\\windows\system32\ctfmon.exe has a keylogger, is this a false positive?
> If I remove sp 3 the keylogger also goes so I know it's nothing else.
>
> Edna.
>
>

Why wasn't NIS reporting ctfmon as being infected prior to the
application of SP3 ?

Malwares can prevent updates from being downloaded or installed.
IF the installation of Windows updates was needed by NIS in order for it
be able to detect ctfmon as infected, then NIS is NOT trustworthy.

MowGreen [MVP 2003-2008]
================
*-343-* FDNY
Never Forgotten
===============


nass wrote:

> but this process can be infected R.McCarty with a virus or keyloggers?
> Not because of the updates but it could be the updates revealed the
> infection and the OP need to check further.
> Like the Svchost.exe can be embedded with a Troj?
>
> FileMon for Windows v7.04
> http://technet.microsoft.com/en-us/s.../bb896642.aspx
> Have a look here for windows Sysinternals
> http://technet.microsoft.com/en-us/s...s/default.aspx
>
> Use this tool to see what taken the most usage of the CPU on your machine.
> ShellExView v1.19 - Shell Extensions Manager
> http://www.nirsoft.net/utils/shexview.html
>
> To the OP please upload this file ( ctfmon.exe) to this link for scan:
> http://www.virustotal.com
>
>
>
> "R. McCarty" wrote:
>
>
>>Yes because NIS = Not Intelligent Software
>>
>>Really gives a good sense of security when it indicts a Microsoft
>>Office component as a keylogger.
>>
>>"Edna Boxe" <spamtrap@ntlworld.com> wrote in message
>>news:79EDC435-E3C9-4694-B521-33FCF8FF1FE3@microsoft.com...
>>
>>>Since I've downloaded sp 3 Norton Internet Security says that
>>>c:\\windows\system32\ctfmon.exe has a keylogger, is this a false positive?
>>>If I remove sp 3 the keylogger also goes so I know it's nothing else.
>>>
>>>Edna.
>>>
>>
>>
>>

"Edna Boxe" wrote:

> Since I've downloaded sp 3 Norton Internet Security says that
> c:\\windows\system32\ctfmon.exe has a keylogger, is this a false positive?
> If I remove sp 3 the keylogger also goes so I know it's nothing else.
>
> Edna.

Check this and you can contact Norton for help:
Spyware.UltraKeylogger
http://www.symantec.com/security_res...341-99&tabid=2
Technical Issues Support
http://www.symantec.com/norton/suppo...product_ts.jsp
Also you can use other online virus scanners to get a clear idea on how
clean your system.

Actually it happen with me this morning on a client machine updating from
AVG 7.0.5 to version 8.0.1 reported a Zip as a keylogger.
This Zip was there while AVG version 7.5 was installed and up2date..some new
definitions can give new flase positive or can discover viral infection that
wasn't spread at the time to get its grip on the system!
Does this ring the bill:
Spyware.UltraKeylogger
http://www.symantec.com/security_res...341-99&tabid=2
I agree with you that NIS can give false positive about some files/folders,
but again the security implementation in SP3 ??? more raised and can cause
confusion still to know what the rest of AVs will come up with :)

nass

"MowGreen [MVP]" wrote:

> Why wasn't NIS reporting ctfmon as being infected prior to the
> application of SP3 ?
>
> Malwares can prevent updates from being downloaded or installed.
> IF the installation of Windows updates was needed by NIS in order for it
> be able to detect ctfmon as infected, then NIS is NOT trustworthy.
>
> MowGreen [MVP 2003-2008]
> ================
> *-343-* FDNY
> Never Forgotten
> ===============
>
>
> nass wrote:
>
> > but this process can be infected R.McCarty with a virus or keyloggers?
> > Not because of the updates but it could be the updates revealed the
> > infection and the OP need to check further.
> > Like the Svchost.exe can be embedded with a Troj?
> >
> > FileMon for Windows v7.04
> > http://technet.microsoft.com/en-us/s.../bb896642.aspx
> > Have a look here for windows Sysinternals
> > http://technet.microsoft.com/en-us/s...s/default.aspx
> >
> > Use this tool to see what taken the most usage of the CPU on your machine.
> > ShellExView v1.19 - Shell Extensions Manager
> > http://www.nirsoft.net/utils/shexview.html
> >
> > To the OP please upload this file ( ctfmon.exe) to this link for scan:
> > http://www.virustotal.com
> >
> >
> >
> > "R. McCarty" wrote:
> >
> >
> >>Yes because NIS = Not Intelligent Software
> >>
> >>Really gives a good sense of security when it indicts a Microsoft
> >>Office component as a keylogger.
> >>
> >>"Edna Boxe" <spamtrap@ntlworld.com> wrote in message
> >>news:79EDC435-E3C9-4694-B521-33FCF8FF1FE3@microsoft.com...
> >>
> >>>Since I've downloaded sp 3 Norton Internet Security says that
> >>>c:\\windows\system32\ctfmon.exe has a keylogger, is this a false positive?
> >>>If I remove sp 3 the keylogger also goes so I know it's nothing else.
> >>>
> >>>Edna.
> >>>
> >>
> >>
> >>
>

From what I hear if the svchost is in the system 32 folder then it's ok,
anywhere else & it's definitely a virus, is this correct?

Edna.

"nass" <nass@discussions.microsoft.com> wrote in message
news:40A528C2-4DD0-435F-869C-483B1E093449@microsoft.com...
>
> but this process can be infected R.McCarty with a virus or keyloggers?
> Not because of the updates but it could be the updates revealed the
> infection and the OP need to check further.
> Like the Svchost.exe can be embedded with a Troj?
>
> FileMon for Windows v7.04
> http://technet.microsoft.com/en-us/s.../bb896642.aspx
> Have a look here for windows Sysinternals
> http://technet.microsoft.com/en-us/s...s/default.aspx
>
> Use this tool to see what taken the most usage of the CPU on your machine.
> ShellExView v1.19 - Shell Extensions Manager
> http://www.nirsoft.net/utils/shexview.html
>
> To the OP please upload this file ( ctfmon.exe) to this link for scan:
> http://www.virustotal.com
>
>
>
> "R. McCarty" wrote:
>
>> Yes because NIS = Not Intelligent Software
>>
>> Really gives a good sense of security when it indicts a Microsoft
>> Office component as a keylogger.
>>
>> "Edna Boxe" <spamtrap@ntlworld.com> wrote in message
>> news:79EDC435-E3C9-4694-B521-33FCF8FF1FE3@microsoft.com...
>> > Since I've downloaded sp 3 Norton Internet Security says that
>> > c:\\windows\system32\ctfmon.exe has a keylogger, is this a false
>> > positive?
>> > If I remove sp 3 the keylogger also goes so I know it's nothing else.
>> >
>> > Edna.
>> >
>>
>>
>>

File analyser says it's clean.

Everything is running as it should be there's no unusual processes or heavy
usage that I can see.

Edna.

"nass" <nass@discussions.microsoft.com> wrote in message
news:40A528C2-4DD0-435F-869C-483B1E093449@microsoft.com...
>
> but this process can be infected R.McCarty with a virus or keyloggers?
> Not because of the updates but it could be the updates revealed the
> infection and the OP need to check further.
> Like the Svchost.exe can be embedded with a Troj?
>
> FileMon for Windows v7.04
> http://technet.microsoft.com/en-us/s.../bb896642.aspx
> Have a look here for windows Sysinternals
> http://technet.microsoft.com/en-us/s...s/default.aspx
>
> Use this tool to see what taken the most usage of the CPU on your machine.
> ShellExView v1.19 - Shell Extensions Manager
> http://www.nirsoft.net/utils/shexview.html
>
> To the OP please upload this file ( ctfmon.exe) to this link for scan:
> http://www.virustotal.com
>
>
>
> "R. McCarty" wrote:
>
>> Yes because NIS = Not Intelligent Software
>>
>> Really gives a good sense of security when it indicts a Microsoft
>> Office component as a keylogger.
>>
>> "Edna Boxe" <spamtrap@ntlworld.com> wrote in message
>> news:79EDC435-E3C9-4694-B521-33FCF8FF1FE3@microsoft.com...
>> > Since I've downloaded sp 3 Norton Internet Security says that
>> > c:\\windows\system32\ctfmon.exe has a keylogger, is this a false
>> > positive?
>> > If I remove sp 3 the keylogger also goes so I know it's nothing else.
>> >
>> > Edna.
>> >
>>
>>
>>

That's what I'd like to know, usually Norton is 100% reliable for me that's
why I use it, seems strange that previous to the sp 3 it didn't detect this.

Edna.

"MowGreen [MVP]" <mowgreen@nowandzen.com> wrote in message
news:uh2ywcGtIHA.5268@TK2MSFTNGP06.phx.gbl...
> Why wasn't NIS reporting ctfmon as being infected prior to the application
> of SP3 ?
>
> Malwares can prevent updates from being downloaded or installed.
> IF the installation of Windows updates was needed by NIS in order for it
> be able to detect ctfmon as infected, then NIS is NOT trustworthy.
>
> MowGreen [MVP 2003-2008]
> ================
> *-343-* FDNY
> Never Forgotten
> ===============
>
>
> nass wrote:
>
>> but this process can be infected R.McCarty with a virus or keyloggers?
>> Not because of the updates but it could be the updates revealed the
>> infection and the OP need to check further.
>> Like the Svchost.exe can be embedded with a Troj?
>>
>> FileMon for Windows v7.04
>> http://technet.microsoft.com/en-us/s.../bb896642.aspx
>> Have a look here for windows Sysinternals
>> http://technet.microsoft.com/en-us/s...s/default.aspx
>>
>> Use this tool to see what taken the most usage of the CPU on your
>> machine.
>> ShellExView v1.19 - Shell Extensions Manager
>> http://www.nirsoft.net/utils/shexview.html To the OP please upload this
>> file ( ctfmon.exe) to this link for scan:
>> http://www.virustotal.com
>>
>>
>>
>> "R. McCarty" wrote:
>>
>>
>>>Yes because NIS = Not Intelligent Software
>>>
>>>Really gives a good sense of security when it indicts a Microsoft
>>>Office component as a keylogger.
>>>
>>>"Edna Boxe" <spamtrap@ntlworld.com> wrote in message
>>>news:79EDC435-E3C9-4694-B521-33FCF8FF1FE3@microsoft.com...
>>>
>>>>Since I've downloaded sp 3 Norton Internet Security says that
>>>>c:\\windows\system32\ctfmon.exe has a keylogger, is this a false
>>>>positive? If I remove sp 3 the keylogger also goes so I know it's
>>>>nothing else.
>>>>
>>>>Edna.
>>>>
>>>
>>>
>>>

"nass" <nass@discussions.microsoft.com> wrote in message
news:D3236911-AACC-499A-878C-08658128DF10@microsoft.com...
>
>
> "Edna Boxe" wrote:
>
>> Since I've downloaded sp 3 Norton Internet Security says that
>> c:\\windows\system32\ctfmon.exe has a keylogger, is this a false
>> positive?
>> If I remove sp 3 the keylogger also goes so I know it's nothing else.
>>
>> Edna.
>
> Check this and you can contact Norton for help:
> Spyware.UltraKeylogger
> http://www.symantec.com/security_res...341-99&tabid=2
> Technical Issues Support
> http://www.symantec.com/norton/suppo...product_ts.jsp
> Also you can use other online virus scanners to get a clear idea on how
> clean your system.
>

Checked & there's nothing in the start-up files so system is clean, I'll now
contact Norton for help.

Edna.

No as it tells you to disable AV software otherwise it can cause conflicts,
as yet I've not contacted Norton but will do so.

Edna.

"MowGreen [MVP]" <mowgreen@nowandzen.com> wrote in message
news:#FXosWGtIHA.2188@TK2MSFTNGP04.phx.gbl...
> NIS is NOT reliable. It's difficult to believe anything it reports.
> IF ctfmon.exe was infected prior to the application of SP3, then NIS
> *should have been reporting* it as infected then.
>
> Since this issue occurred after applying SP3, then I'd be willing to bet
> my house that it's a False Positive.
>
> Frequently asked questions about Ctfmon.exe
> http://support.microsoft.com/kb/282599
>
> Was NIS actively monitoring the system during the download and
> installation of SP3 ?
> Have you checked Symantec's site to see if this has been reported to them
> ?
>
>
> MowGreen [MVP 2003-2008]
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
>
> Edna Boxe wrote:
>
>> Since I've downloaded sp 3 Norton Internet Security says that
>> c:\\windows\system32\ctfmon.exe has a keylogger, is this a false
>> positive? If I remove sp 3 the keylogger also goes so I know it's nothing
>> else.
>>
>> Edna.

Yes, but you can have 6 instances of svchost.exe running in the task
manager? did you searched for it (Ctfmon.exe)?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run = how many
entries there for the ctfmon.exe here?

The svchost.exe is a security process and can be used by many running
services, also you can experiencing a memory leak.
Process located here:
C:\WINDOWS\system32\svchost.exe size: 14336

Use this tool to see what taken the most usage of the CPU on your machine.
ShellExView v1.19 - Shell Extensions Manager
http://www.nirsoft.net/utils/shexview.html

Go through these cleaning steps:
1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs
| Advanced .

Click on General Tab (1st Tab on the left) and you will see a Button called
[ Clear History ..] click on it to clear your History caches, then click on
[Delete Files..] to delete Internet Files created over the time, click on [
Delete Cookies...] to delete your cookies left by visiting websites.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.

= Then try to Disable the Add-Ons on your Browser somehow installed on your
browser, On how to disable the Add-ons follow this:
Click on Programs Tab and then click the Manage Add-Ons Button there Disable
the None/Not Verified Plug-ins/Add-ons ( you need to Renable them one-by-one
later and see which is the culprit .
How to manage Add-Ons:
http://support.microsoft.com/kb/883256

Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/supe...freevspro.html
http://onecare.live.com/site/en-gb/d....htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm

RootkitRevealer v1.71
By Bryce Cogswell and Mark Russinovich
http://www.microsoft.com/technet/sys...tRevealer.mspx

Run a scan from here on-line:
http://security.symantec.com/sscv6/d...d=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (off-line scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html

Lots of tools to download and disinfect your machine (off-line scanner):
http://www.bitdefender.co.uk/site/Do...eeRemovalTool/

How to speed your PC:
http://www.blackviper.com/WinXP/supertweaks.htm

Run disk clean up and then run this command:
sfc /scannow

How To: troubleshoot svchost.exe:
http://blogs.technet.com/askperf/arc...eshooting.aspx


Download the Hijackthis and send the report to one of
many
forums for analysis and troubleshooting:
When all else fails, HijackThis v2.0.2
(http://www.trendsecure.com/portal/en...hijackthis.php) is
the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to:
http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7
http://www.bleepingcomputer.com/tuto...utorial42.html
http://www.bleepingcomputer.com/forums/
Or other appropriate
forums for expert analysis, not here.
Let us know your progress.
nass
----
http://www.nasstec.co.uk


"Edna Boxe" wrote:

> From what I hear if the svchost is in the system 32 folder then it's ok,
> anywhere else & it's definitely a virus, is this correct?
>
> Edna.
>
> "nass" <nass@discussions.microsoft.com> wrote in message
> news:40A528C2-4DD0-435F-869C-483B1E093449@microsoft.com...
> >
> > but this process can be infected R.McCarty with a virus or keyloggers?
> > Not because of the updates but it could be the updates revealed the
> > infection and the OP need to check further.
> > Like the Svchost.exe can be embedded with a Troj?
> >
> > FileMon for Windows v7.04
> > http://technet.microsoft.com/en-us/s.../bb896642.aspx
> > Have a look here for windows Sysinternals
> > http://technet.microsoft.com/en-us/s...s/default.aspx
> >
> > Use this tool to see what taken the most usage of the CPU on your machine.
> > ShellExView v1.19 - Shell Extensions Manager
> > http://www.nirsoft.net/utils/shexview.html
> >
> > To the OP please upload this file ( ctfmon.exe) to this link for scan:
> > http://www.virustotal.com
> >
> >
> >
> > "R. McCarty" wrote:
> >
> >> Yes because NIS = Not Intelligent Software
> >>
> >> Really gives a good sense of security when it indicts a Microsoft
> >> Office component as a keylogger.
> >>
> >> "Edna Boxe" <spamtrap@ntlworld.com> wrote in message
> >> news:79EDC435-E3C9-4694-B521-33FCF8FF1FE3@microsoft.com...
> >> > Since I've downloaded sp 3 Norton Internet Security says that
> >> > c:\\windows\system32\ctfmon.exe has a keylogger, is this a false
> >> > positive?
> >> > If I remove sp 3 the keylogger also goes so I know it's nothing else.
> >> >
> >> > Edna.
> >> >
> >>
> >>
> >>
>
>

Then it is false positive by Norton and you are clear from infestation.
Although it does not harm you if you performed the cleaning steps in my
previous post but it is n't necessary to do so unless you have some doubts
and you need to put them to rest!.
----
nass


"Edna Boxe" wrote:

> File analyser says it's clean.
>
> Everything is running as it should be there's no unusual processes or heavy
> usage that I can see.
>
> Edna.
>
> "nass" <nass@discussions.microsoft.com> wrote in message
> news:40A528C2-4DD0-435F-869C-483B1E093449@microsoft.com...
> >
> > but this process can be infected R.McCarty with a virus or keyloggers?
> > Not because of the updates but it could be the updates revealed the
> > infection and the OP need to check further.
> > Like the Svchost.exe can be embedded with a Troj?
> >
> > FileMon for Windows v7.04
> > http://technet.microsoft.com/en-us/s.../bb896642.aspx
> > Have a look here for windows Sysinternals
> > http://technet.microsoft.com/en-us/s...s/default.aspx
> >
> > Use this tool to see what taken the most usage of the CPU on your machine.
> > ShellExView v1.19 - Shell Extensions Manager
> > http://www.nirsoft.net/utils/shexview.html
> >
> > To the OP please upload this file ( ctfmon.exe) to this link for scan:
> > http://www.virustotal.com
> >
> >
> >
> > "R. McCarty" wrote:
> >
> >> Yes because NIS = Not Intelligent Software
> >>
> >> Really gives a good sense of security when it indicts a Microsoft
> >> Office component as a keylogger.
> >>
> >> "Edna Boxe" <spamtrap@ntlworld.com> wrote in message
> >> news:79EDC435-E3C9-4694-B521-33FCF8FF1FE3@microsoft.com...
> >> > Since I've downloaded sp 3 Norton Internet Security says that
> >> > c:\\windows\system32\ctfmon.exe has a keylogger, is this a false
> >> > positive?
> >> > If I remove sp 3 the keylogger also goes so I know it's nothing else.
> >> >
> >> > Edna.
> >> >
> >>
> >>
> >>
>