GameBanshee Forums

Process File: ctfmon.exe or ctfmon
Process Name: Alternative User Input Services

Description:
ctfmon.exe is a process belonging to Microsoft Office Suite. It activates the Alternative User Input Text Input Processor (TIP) and the
Microsoft Office XP Language Bar. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

Note: ctfmon.execould also be a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

Determining whether ctfmon.exe is a virus or a legitimate Windows process depends on the directory location it executes or runs from in WinTasks.

Unfortunately it doesn't state what that directory location might be. I read on microsoft's tech library that this file remains active after removal of MS Office. I never at any point had MS Office installed on my computer though, so I'm really wondering why it is here at all. If use the task manager to disable the ctfmon.exe process, it just gets restarted again. Removing the file from the system32 directory has the same effect, it just gets replaced.

I tried Norton, McAfee and AVG, but none of the virus scanners seems to pick this up as a virus. I'm really suspicious, but I can think of no other way to figure out if this really is a virus.

I need some suggestion. One thing I'd like to know is the actual byte size of ctfmon.exe on a computer that actually does have MS Office XP installed. Could someone here help me out with at least that part? To see the byte size, right-click and check the file's properties.

Mine are:
http://i119.photobucket.com/albums/o136 ... ctfmon.jpg

Do they match?

The other thing I'd like to know if there is anyone else who never at any point had MS Office XP installed on their computer. Do you also see that file? Any other suggestions would be appreciated. =/

I've got office applications on 2 computers

They both have ctfmon.exe running, and they are both 15,0 kb in size.

(However, strangely enough, one is 16 kb on disk, the other 32 kb... ??)

I'd say, not a virus

I have it too. but I have microsoft office exel viewer 2003.
do you have the exel viewer?

No, I don't use Office (I use open source software instead) and as far as I'm aware I have no tools installed that are related to viewing/using office files. I don't know how to check the latter for sure though.

edit: oh I forgot, the software use instead of MS Office CAN open all types of MS document. Compared to MS Office, Open Office (Sun) is structurally a very different software package. I kind of assume it shouldn't need a ctfmon runtime file.

edit2: I found ctfmon registry entries underneath the microsoft tree. If it's a trojan it is trying really hard not to look like one.

Tricky wrote:No, I don't use Office (I use open source software instead) and as far as I'm aware I have no tools installed that are related to viewing/using office files. I don't know how to check the latter for sure though.

edit: oh I forgot, the software use instead of MS Office CAN open all types of MS document. Compared to MS Office, Open Office (Sun) is structurally a very different software package. I kind of assume it shouldn't need a ctfmon runtime file.

edit2: I found ctfmon registry entries underneath the microsoft tree. If it's a trojan it is trying really hard not to look like one.

You can ofcourse try to manually remove all the register entries about ctfmon, and then the file...

But I suspect you it's not a virus, as none of the programs can identify it as such. You are using Win XP, right?

User Input Text Input Processor (TIP) and the
Microsoft Office XP Language Bar

Though, the fact that it restarts itself after you try to terminate it worries me, as it haven't done that in my computers...

Frequently asked questions about Ctfmon.exe
look at this article at the microsoft knowledge base. It might answer some of your questions. Hope it helps.
hope it ok put link in this post.

Heh, I already read that but thanks anyhow. That page doesn't actually help you figure out if the file is a trojan. I've shielded the file with a firewall, so if anything or anyone tries to access it from the outside, I'll know.