So then ... DrvMon.exe and CTFMON.EXE



Viking-X
2008-08-29, 16:42
Now from the lack of banner ads and offers of free registry scans + my intuition I have decided with myself that this seems to be the spot where the good guys of personal computer security hang out! :)

So I was going to ask you all about two items I seem to see very often in the startup sequence of computers, but seeing as CTFMON.EXE has been dealt with in several other topics here I will reduce it to one. That is then DrvMon.exe - a seemingly safe enough application in its intended form, but is there any real reason to have it running?

Judging by the name it monitors drives (disc drives presumably) but what does it monitor for? I have never seen it present any result of this monitoring which might be my luck because my drives haven't failed, but in general I like to have as little as possible running on my computers and only stuff I feel I know what is/does, so what are your opinions on this one?

Best regards, Lasse

drragostea
2008-08-29, 18:04
Hello Lasse. And you are correct, this forum is a great place to learn and share your knowledge (and a place where the good guys hang out :santa:).

About "ctfmon.exe" here's an excerpt:
http://forums.spybot.info/showpost.php?p=225334&postcount=12
--
Basically, the idea of this process is that it is used for International Languages. Say like you have a language device that translates words you type on the keyboard into... Chinese. Then this is where ctfmon.exe takes its role. I have it disabled on my computer since English is the primary language that is used on my PC. The link above is only an excerpt, so I would say it will contain around 2-3 pages about the process (4 pages in total).

It seems that drvmon.exe is a process associated with the Alcor Micro Drive Monitor software. I do not use this software, nor do I know what it is and what it does.

In addition to your response, I would like to know what the Alcor Micro Drive software is. Thanks.

Viking-X
2008-08-29, 18:26
Hello drragostea!

I am not much wiser with regards to drvmon.exe even though I have spent most of the afternoon looking for information on it. Like you have found as well, a Google search will in most cases claim it to be "Alcor Micro Drive Monitor" but not really tell much else about it. There is indeed a Taiwanese company called alcormicro (with a www in front and a com after you get their website, but this attempts to install both Chinese language and some ActiveX content) which appears to be just some manufacturer of storage media.

How they managed to seemingly have a product of theirs bundled up with XP is anyone's guess. From my personal point of view this program is always there on an XP installation, but then I only have my own 3 computers to judge from, two of which are from the same company. Judging by the many HijackThis reports which can be found elsewhere on these forums, it seems that not many other people have this in their startup sequence. So I am definitively considering trying to remove it on mine as well! :red:

Best regards, Lasse

drragostea
2008-08-29, 18:32
Thank you for the explanation. And yes, it does seem vague from Google searches... I never knew it was from a Taiwan company.

What is your computer brand (Sony VAIO, Dell, HP, etc.)?

As far as I know Sony VAIO brands... do not come with the software :laugh:.

How long have you had the software? Can you execute it? Did you find any use for it?

Greyfox
2008-08-29, 18:37
Viking-X,

drvmon.exe is not a standard component of an XP installation, either XP-Pro or XP Home, SP1, SP2 or SP3.

I suspect (but I'm not sure) that it may be to do with either an add-on card reader, or a USB flash drive. The general consensus is that it is not a problem and should not be removed unless there is good reason for doing so.

Perhaps you could untick it in Spybot's system startup page which will stop it loading during startup, and run for a while like that. If you find your card reader or some other device you use has problems, you can then simply retick it - just a thought

Viking-X
2008-08-29, 18:53
Hello both of you!

The computers are 2 Dells, both desktop machines and one Zepto which is a laptop. The laptop is the newest one and is about a year old, the Dells are probably around 5 years old give or take a year. Since the program is part of the startup sequence I have been running it for as long as I have had the computers but never seen any results of it - neither good nor bad! :)

To the best of my knowledge none of the computers have a card reader or a USB flash drive. So that would imply that I don't need to run it but as I said it hasn't really caused me any problems during all these years so leaving it alone might be the better idea after all hehe.

I just happened to wonder about it again since I posted a HijackThis log where I noticed the program again. I have been thinking about removing it before but never done it because I didn't have problems. It's just that I like to know what all the stuff that runs on my computers is! :D:

Best regards, Lasse

tashi
2008-08-29, 18:58
Viking-X's Malware forum topic:
http://forums.spybot.info/showthread.php?t=33354

:)

Viking-X
2008-08-29, 19:10
Hello Tashi!

Yes that one exactly hehe. Errmm - I seem to have just managed to solve the problem myself by being naughty and attempting some of the solutions from others with similar problems.:lip:

Should I reply to my own post in the malware section so that the helpers know not to worry too much about me anymore? And should I write what I did or rather just say problem solved and not reveal that I 'cheated'? ;)

Best regards, Lasse

tashi
2008-08-29, 19:23
Hello Lasse,

Yes please post in your topic if you no longer require assistance, thanks.

FYI:
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Until a helper responds, the HJT log has not been analyzed. Please wait to be advised and don't run fixes until asked. This is especially important if your Operating System is Windows Vista!!

ComboFix is not a general purpose cleaning tool, please do not use this tool without supervision.

Please note that all instructions given are customized for that member's computer only, the tools used may cause damage if run on a computer with different infections. Your symptoms may only appear to be similar.

Do NOT run 'FIXES' before helpers have analyzed HJT log (http://forums.spybot.info/showthread.php?t=16806)

Best regards.

Viking-X
2008-08-29, 19:47
Hello Tashi!

Yes I had read all those instructions you list there but I am prone to acting rather than waiting so I couldn't stop myself! :red:

Now that I am hopefully free of nastiness on this computer (yes I am replying from the computer that couldn't reach these boards before :bigthumb:) it remains for me to find out what I actually had and how I got it.

I have run an AVG scan after the fix and now it suddenly detects 3 trojan loaders in some system restore files. It didn't detect these earlier although it was updated to the same level then. Can this be a sign that whatever I had was cheating AVG into not seeing these files or at least not reacting to them?

That would indicate that one can never be safe no matter how many security applications are running, which on some level I guess I knew but it's still a bit nasty to have the proof present itself so clearly - scary world! :sick:

Best regards, Lasse

tashi
2008-08-29, 19:58
Hi there,


"I have run an AVG scan after the fix and now it suddenly detects 3 trojan loaders in some system restore files. It didn't detect these earlier although it was updated to the same level then. Can this be a sign that whatever I had was cheating AVG into not seeing these files or at least not reacting to them?"


I will have to call a halt to questions being asked here about the infection as this is the Tavern, and you have an open topic in Malware removal.

I will post a link back to this topic so our helpers are aware that you may have applied other members' fixes to your own machine.

Thanks. :)

Viking-X
2008-08-29, 20:06
Hello Tashi!

Ok, duly noted. I was posting it here since I thought posting in the malware forum might be considered bumping and I didn't want to disturb the help for those people who are still having problems.

So if I would like to talk about infections and what they might do and so on but I don't actually have a problem that needs solving, should I do that in the Spybot forum then?

Best regards, Lasse

tashi
2008-08-29, 20:19
Hello Lasse,


"I have run an AVG scan after the fix and now it suddenly detects 3 trojan loaders in some system restore files. It didn't detect these earlier although it was updated to the same level then."

"but I don't actually have a problem that needs solving,"

I am a bit confused, do you want your topic in the malware forum closed?

The Spybot-S&D forum is for Spybot Support questions. General questions can be asked here in the Tavern.

Sticky topic:
http://forums.spybot.info/showthread.php?t=187

Cheers.

Viking-X
2008-08-29, 20:24
Hello Tashi,

We're both confused then perhaps! :)

I was under the impression that the malware forum should only be used when there was an actual problem that needed solving, so maybe my topic there should be closed yes.

My computer is working nicely like it used to now and all I have left are some questions regarding what I might have had and general stuff about how trojans etc. try to prevent people from finding them.

Best regards, Lasse

tashi
2008-08-29, 20:49
Hello,

Your log shows:
C:\Program Files\Windows-Commander-v4.01-32bit-Crack\wincmd32.exe

There is no telling what that may have brought into your system or if anything is hidden without an analysis of the system.

If you wish to continue in the malware forum I will re-open your topic.

Further discussion here would not be productive.

Best regards.

Edit:
This topic closed, please send me a PM if you wish to continue in the malware forum. Thanks.