FWIW I have the same file with the same characteristics but then I have applied SP3 also.
Here is a MSKB article describing what it is and what it does etc from which you can see that it is language/keyboard related and so IMO might be falsely identified.
FWIW since I'm no expert in this.
Thanks for the prompt replies. You’ve all put my mind at rest, I can see that this file could easily appear as a keylogger.
If it is blocked by Norton for online activities, and I see no reason to remove the block.
At least now I can be sure that it wasn’t careless action that resulted in something being installed.
Just remember it is blocked if something funny happens to do with languages or MS Office programs in particular.
For what it's worth, as soon as I downloaded SP3 this same block came up in the community watch on my PC. I installed the latest NIS2008 and it still came up and now sits in the blocked programs.
Would you be able to tell us the MD5 hash of the file in question? If possible, we can ensure that we have access to the exact same file and can further investigate the issue. If that is not available, please submit the file via the following page. You will receive an email with a tracking number. If you can then provide that tracking number, we can follow up as well.
Submitted the file. Tracking number was #9900564.
A further e-mail was received stating that the file was clean of viruses, this was generated automatically.
Thanks for following up. I can confirm that this is part of our set of known clean files. Are there any particular steps necessary to reproduce the alert/detection you're seeing? We're unable to trigger anything with a scan.
The message appears in Transaction Report. As far as I know I have not altered any settings which could have caused this to happen (nor am I aware of any that might trigger this).
The alert appears on both our machines which run Windows XP. One runs Windows XP Pro, the other runs Windows XP Home. It does not affect our computers which run Windows Vista (those machines run an older version of ctfmon.exe). All our computers run Office 2002.
I have left the keylogger blocked in place for security, this appears to have no effect on my computers.
Perhaps I should also add that our default browser is Mozilla Firefox.
All programs mentioned are updated automatically for the latest security fixes.
I think this started when SP3 was installed on the computer, but cannot be certain.
Norton now identifies this file as a keylogger. Is this normal behaviour? I am concerned that another user may have allowed spyware to install it. I have only seen one other indication on the Internet that this may happen.
The file is in the normal location (Windows/System32) and I have no other reason to suspect problems, Hijack This revealed no suspicious activities.
The properties of ctfmon.exe are:
Size 15,360 bytes
Modified 14 April 2008.
So my question is: have I got the genuine file from Microsoft, or has something gone wrong?
Hi Martin,
Apologies for making you jump through hoops on this, but the file is definitely clean so we need to try to figure out why it's being detected. In order to do that we need to be able to reproduce the behaviour in our test lab. So to clarify, you are running NIS2008 on Windows XP SP3 - correct? It will also help if you can describe exactly when the detection occurred and what alerts (including wording) you saw at the time. If you can't recall exactly, you can attempt to reproduce it yourself via the following steps: disconnect your computer from the Internet, temporarily disable autoprotect, copy the file back into the Windows System32 directory, then re-enable autoprotect. In theory you should see the same behaviour you first described in this thread. A screenshot of the alert would be helpful, as well as any particular thing you did to make the detection reoccur. The screenshot can then be submitted to the same place as before, and your observations listed back here. Let us know if you have any questions.
JohnM
Symantec Security Response
I checked my laptop today. It is running Windows XP Home SP3. I believe it’s running Norton Internet Security 2008, but the About from Help does not confirm this, it states the version as 15.0.0.60.
I think we may be talking at cross purposes about the alert I’m getting. It’s not appearing as an urgent on screen warning, rather it is appearing in the log file, under Transaction Protection. As I remarked before, the block introduced by Norton does not appear to affect the running of the programme at all. I have submitted a screen shot as suggested, the tracking number is #9918602. I note it has not been blocked since the 27th of August. I am not sure why. After taking this screen shot I did a Google search and this did not trigger an update of the block.
I originally found out that this file was being reported as a keylogger while doing a routine scan of the Norton logs. My original concern was that a member of my staff had allowed malware to replace the Microsoft file, a suspicion made worse when I discovered that this file is sometimes malware (but not normally in those cases in the Windows folder). Discussion here and your comment has made it clear that my concerns were not justified. However I remain puzzled as to why a genuine Microsoft file is seen as a keylogger and blocked by Norton, even if the block has no effect on the running of the programme.
I’m glad to help you sort the problem out, and thank you for the interest you are showing in this.
Thanks for both the screenshot and helpful explanation. I totally understand your concerns about your network being compromised, but I see now the issue was (somewhat overzealous) NIS network blocking and not an antivirus detection. I see also that it has been remedied, which explains why you haven’t seen the blocking recently. I’ll consider this issue resolved unless I hear back from you to the contrary. Thanks for your patience and your helpful assistance on this one Martin.
Thanks for your investigation. We are happy, and satisfied the matter has now been resolved.
Ever since I Installed S.P. 3, Crimeware has Detected a File/Program as a Keylogger and Blocks it; will Update soon with the File/Program.
Now, to MartinRess: Does your Norton Program Block this File/Program? If so, you should be okay. If you are still worried, if not done so already, Update your Product via LiveUpdate and Run a Full System Scan. Be advised that Symantec have yet to Release their Virus Definitions for June 10, so it will probably be an idea to Run a Full System Scan once you Update your Virus Definitions to Tuesday, June 10, 2008.
Let us know the Result of this.