April 10th, 2008 20:00

ctfmon.exe - Is it a nasty and can I get rid of it permanently?

Spybot S&D Warns with every boot, and sometimes in between:

Category: Startup user entry
Change:   Value added
Entry:     ctfmon.exe

New Data:  C\WINDOWS\System32\ctfmon.exe

Per Spybot Info:

Current filename: C:\WINDOWS\system32\ctfmon.exe

Database status: Not required - virus, spyware, malware or other resource hog
Value: ctfmon.exe
Filename: ctfmon32.exe

Description
CoolWebSearch _Ctfmon32_ parasite variant

Source: Paul Collins Startup list

-----------------------------------

So I continually deny this change - Is it really a baddy and if so how can I delete it permanently?

 

Windows XP Professional Version 2002; Service Pack 2

Cicero: Seanix Technologies Inc

AMD Athlon 64 processor 3200+

2.20 Ghz, 200 GB RAM

Physical Address Extension

 

Thanks so much,

 

CanJan

 

 

2K Posts

April 10th, 2008 20:00

If this is the same machine that bamajim is working with you on, best to keep it in that thread on the HJT board.

21 Posts

April 10th, 2008 21:00

NO - This is my desk top - that is Gordonius' Lap Top - on same local network - but much different machines (his is Dell Inspiron)

 

CanJan

 

1 Rookie

 • 

5.8K Posts

April 10th, 2008 22:00

ctfmon.exe is a valid MS file, when found in your C:\WINDOWS\system32\ folder.

 

Ctfmon.exe activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office Language Bar. Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.

 

Most users do not need this process running at startup. Simply unchecking it in msconfig does not prevent it from coming back. To disable it see the following:
http://support.microsoft.com/kb/282599

3 Apprentice

 • 

15.2K Posts

April 10th, 2008 22:00

I'm somewhat puzzled by the message which you say "SpyBot" ---

presumably, its TeaTimer module --- gave you:

 

on the one hand,  

    Entry:     ctfmon.exe

    New Data:  C\WINDOWS\System32\ctfmon.exe

is most likely, as Joe indicated, a valid Microsoft file.

in which case, the "warning"

    Database status:

    Not required - virus, spyware, malware or other resource hog

presumably is just indicating this is a resource hog that is not required,

and can be disabled per directions in the thread joe linked.

 

on the other hand, the information 

    Value: ctfmon.exe
    Filename: ctfmon32.exe

    Description
    CoolWebSearch _Ctfmon32_ parasite variant

    Source: Paul Collins Startup list

refers to something else completely!!

 

So the first thing you really need to do is determine which file,

ctfmon.exe or ctfmon32.exe

is actually trying to be loaded at startup.

 

Paul Collins (aka PaCMan) is an amazing person!

21 Posts

April 10th, 2008 23:00

Ky331: - Well I typed exactly what teatimer popped up using the info button - so how will I make that determination folks??

 

CanJan

 

 

21 Posts

April 10th, 2008 23:00

Joe - I appreciate your input - would this be pretty important to the usage of my Wacom Graphire pad & pen????  Sounds like it might!

 

Same thing is happening over on Gord's laptop, and I keep denying it - but I will not likely use the pad there - so guess it isn't needed.

 

 

1 Rookie

 • 

5.8K Posts

April 11th, 2008 04:00

ky331:

 

As you know, I don't use TeaTimer, so I haven't a sense for how it reports detections these days. I do have ctfmon.exe in its proper folder, and disabled it a long time ago according to the MS article. My hunch is that this is a FP on TeaTimer's part, based on its detection of a correct file in the correct folder. The filename of ctfmon32.exe does need to be ruled out as being present on CanJan's PC, but I suspect this is TeaTimer's interpretation, and not a true file present.

 

CanJan:

 

I'm not familiar with Wacom products, but you could well be right that ctfmon.exe is needed for them to work. Here is what I would do:


1) Do a search on your PC for ctfmon32.exe. If not present, you are probably ok. If present, report back on its location for more instructions.
2) Try disabling ctfmon.exe, as per my link, and see if it affects your Wacom pad and pen usability. Note that those instructions only disable ctfmon.exe - they do not delete it. They are reversible, so you risk nothing by trying.
3) If it turns out that ctfmon.exe is needed, there should be some way to tell TeaTimer to ignore this detection- ky331 could probably tell you more how to do this. If this is not possible, then I would disable TeaTimer in Spybot.

 

21 Posts

April 11th, 2008 08:00

Thank you Joe!

 

I did a search for both cftmon.exe and cftmon32.exe and found neither since I denied it running at startup on this boot.

 

The wacom pad works fine and recognizes my handwriting in Photoshop Elements - so that's not a problem,

I do have a blind son-in-law that visits on occasion, so I think I will just let it load for voice recognition purposes in case he needs it.  I think I will likely disable tea-timer as it is a real nuisance, popping up with warnings every web page I go to - too many clicks needed for comfort!

 

I opened Spybot and looked at the Registry and there seems to be more than one line where ctfmon.exe is mentioned.  I was able (I think) to copy what is said about it:

 

Current filename: C:\WINDOWS\system32\CTFMON.EXE

Database status: Not required - virus, spyware, malware or other resource hog

Value: CTFMON.EXE

Filename: ctfmon32.exe

Description

CoolWebSearch _Ctfmon32_ parasite variant

Source: Paul Collins Startup list

____________________

Current filename: C:\WINDOWS\system32\CTFMON.EXE

Database status: Not required - virus, spyware, malware or other resource hog

Value: CTFMON.EXE

Filename: ctfmon.exe

Description

Added by the _RAIDYS_ TROJAN! Note - this should not be confused with the valid Office XP file, see _here_

Source: Paul Collins Startup list

____________________

Current filename: C:\WINDOWS\system32\CTFMON.EXE

Database status: Not required - virus, spyware, malware or other resource hog

Value: CTFMON.EXE

Filename: msupdate32.exe

Description

Spy Sheriff/SpywareNO malware, also detected as the _SPYHOAX-A_ TROJAN, pretends to be a spyware remover! - file names spotted sofar include VXH8JKDQ2.EXE, NS6281400.so, CVXH8JKDQ2.EXE, down3.exe, sefe.exe, winstall.exe, and tool2.exe

Source: Paul Collins Startup list

____________________

Current filename: C:\WINDOWS\system32\CTFMON.EXE

Database status: Necessity depends on users preferences

Value: CTFMON.EXE

Filename: ctfmon.exe

Description

CTFMon is involved with the language/alternative input services in Office XP. Ctfmon.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see _here_. Ctfmon can be disabled from Control Panel, Text & Speech Services. Note - the file will always be located in the System32 folder, if it is located elsewhere it will likely be a worm or trojan! Can cause problems with some other programs if left enabled - see _here_ for such an example

Source: Paul Collins Startup list

____________________

 

 

So I'm going to check out those other links after a good night's sleep - thanks Joe.

 

 

 

3 Apprentice

 • 

15.2K Posts

April 11th, 2008 11:00

canjan wrote "I did a search for both cftmon.exe and cftmon32.exe and found neither since I denied it running at startup on this boot".

 

what/how did you search? --- while denying (either) can stop the file from loading into RAM (random access memory), the office-related ctfmon.exe should nevertheless still reside on your HARD DRIVE.

 

open windows explorer, click on SEARCH, click on ALL FILES OR FOLDERS,

where asked ALL OR PART OF A FILE NAME, type in CTFMON

and under LOOK IN, click on the "marker" to open the drop-down menu, and select LOCAL HARD DRIVE (presumably C: )

then click on SEARCH

 

the "real" ctfmon HAS TO be there!

 

=================================================================

 

as for notifications from TeaTimer, it will alert you anytime something tries to add itself to your startup sequence.   This is valuable protection --- since without it, malware could just as easily try to insert itself that way!  [there are other programs, such as WinPatrol, that likewise look for new startup attempts].  

I would not classify such new/modified startup notifications as a "false positive"

 

when TeaTimer presents you with the startup notification, and asks you to allow or deny it... there should also be a box there labeled  REMEMBER THIS DECISION.   if checked, TeaTimer will act automatically in the future... [there may be a small popup reminding you that teatimer automatically took action based on user decision --- such reminder will appear for a few seconds, and then disappear on its own].

 

[note: an older version 1.4 of spybot/teatimer had a graphical "glitch", whereby some of teatimers prompts for user response did not display properly.   but that has been fixed with the current spybot/teatimer 1.5 ]

 

as for teatimer "popping up with warnings every web page [you] go to", RIGHT-click on the teatimer icon in your system tray (to open a menu), move your cursor to RESIDENT IE, and make sure to check BLOCK ALL BAD PAGES SILENTLY.  [I'm presuming that one of the other options had been checked instead, yes??]  Hopefully, that should take care of your "nuisance"/"too many clicks" issue.

 

================================================================================

 

i'm not sure i'm following what you did when you said you "opened Spybot and looked at the Registry" to find the entries listed above... can you elaborate on exactly how you did this?

 

Message Edited by ky331 on 04-11-2008 08:25 AM

21 Posts

April 11th, 2008 17:00



As to the "Search" - that is exactly what I did - I just repeated the process and it again says "Search is complete.  There are no results to display"
I really do not think My "Search" program is working right - it was VERY fast - I know I have a fast machine, but there is a lot of stuff on it
So I looked in C:\Windows\System32\  ,,,,,,,,,,,,,,,,and it IS there!!!  (Dern - now I have another problem - how to heal my search tool!?)
Now let me see If I can duplicate what I did yesterday with spybot..I know I had never seen that window before - but how I got it???????
I'll go play with it again.
CanJan

3 Apprentice

 • 

15.2K Posts

April 11th, 2008 17:00

re: windows explorer search(ing too fast) ---

i skipped one important option:

 

click on the double-arrow next to  MORE ADVANCED OPTIONS

and be sure to check the two boxes labeled

     SEARCH SYSTEM FOLDERS 

     SEARCH SUBFOLDERS

21 Posts

April 11th, 2008 17:00

 

Ahhh!!!  New light!!

 

I finally found where I was last night:  took me a while!

 

In Spybot S&D I went to Navigation/Tools/System Start-Up >>> This produces a very colourful page in White Green & Yellow   I found the first line that mentioned ctfmon.exe and double clicked that line - that gives me a window to the right, from where I posted that info.

 

Now in doing that I somehow have another Spybot pop-up - but only with allow change - the "deny" button is greyed out!   What's more - it is a value DELETED ???  What have I accidentally done now?

 

"Browser Helper Object

Value Deleted

{53707962-6F74-2D53-2644-206D7942484F}

 

 

Says it is "legit" SDHelper.dll so guess I accept it?

 

 

 

 

21 Posts

April 11th, 2008 18:00

I redid the search of C: using the advanced check marks you noted - I have two references;

 

The one we know about: in C:\Windows\System32

and another in C:\Windows\Prefetch\ CTFMON.EXE-OE179698.pf

 

Anything to worry about there?

 

CanJan

 

 

3 Apprentice

 • 

15.2K Posts

April 11th, 2008 18:00

hmmm.... let me first of all admit that the Tools/System Startup screen (accessible if you are running SpyBot in ADVANCED mode) is something that I really haven't used.   but it does clarify for us that you found the informational messages in SpyBot itself, rather than coming as a popup-warning from TeaTimer.

 

Apparently, that window on the right simply opens "reference" information from PaCMan's page [so you don't actually have to take the time to go online and access it].   as such, it is simply a reference chart of known possibilities.   the chart tends to be "inclusive"... it gives you lots of information, but does not "simply" tell you which one applies to your case.  And certainly, it by no means should be taken to mean that "all" of them are applicable.

 

yes, 53707962-6F74-2D53-2644-206D7942484F is the ClassID for the legitimate SpyBot SDHelper BHO.   as long as you seem to be in Advanced mode, you can set the status of SDHelper, as well as TeaTimer, from

TOOLS / RESIDENT : 

if you deleted SDHelper, and want it back, just check the box Resident SDHelper.

 

 

21 Posts

April 11th, 2008 19:00

Thank you so much for your time and effort KY331 - I now know more about spybot, and will use the "remember this" checkbox from now on and eventually limit the pop-ups and I also am relieved to know that the ctfmon can run without a problem.

 

I better get back at the Taxes now, while keeping one eye out for a reply from BamaJim on gordonius' Laptop!

 

I'll be back - no doubt - Great forum - hope I can learn enough eventually to help others!

 

c u around, and thanks again - It was great to click the fixed check mark - I LOVE GREEN!!!

 

CanJan
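
The check the thread converges on (which file a "ctfmon" startup entry actually launches, and from which folder) can be written as a small classifier. This is an added example, not part of any poster's message and not Spybot's own logic; the verdict names, the sample entries and the assumption that Windows is installed in C:\WINDOWS are all constructed for illustration.

```python
import ntpath

# Assumption: Windows lives in C:\WINDOWS, as on the poster's PC.
SYSTEM32 = ntpath.normcase(r"C:\WINDOWS\system32")
LEGIT_NAME = "ctfmon.exe"

def executable_of(command):
    """Extract the normalized executable path from a startup command line."""
    cmd = command.strip()
    if cmd.startswith('"'):                 # quoted path, arguments may follow
        end = cmd.find('"', 1)
        cmd = cmd[1:end] if end != -1 else cmd[1:]
    else:                                   # unquoted: cut after the first ".exe"
        idx = cmd.lower().find(".exe")
        if idx != -1:
            cmd = cmd[:idx + 4]
    # normpath collapses "..", normcase lowercases and unifies slashes
    return ntpath.normcase(ntpath.normpath(cmd))

def classify(value_name, command):
    """Verdict for one startup entry (value name plus the command it launches)."""
    folder, filename = ntpath.split(executable_of(command))
    if filename == LEGIT_NAME:
        if folder == SYSTEM32:
            return "expected-location"      # where the valid MS file lives
        if folder == "":
            return "no-path"                # bare name: resolve it by hand
        return "wrong-folder"               # ctfmon.exe outside System32
    if "ctfmon" in value_name.lower() or "ctfmon" in filename:
        return "lookalike"                  # e.g. value ctfmon.exe, file ctfmon32.exe
    return "unrelated"

# Constructed sample entries (value name, command), modelled on the cases
# listed in the Spybot reference text quoted in the thread.
SAMPLE_ENTRIES = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon32.exe"),
    ("CTFMON.EXE", r'"C:\WINDOWS\system32\..\Temp\ctfmon.exe" /n'),
    ("CTFMON.EXE", r"C:\WINDOWS\system32\msupdate32.exe"),
    ("ctfmon.exe", "ctfmon.exe"),
    ("ExampleApp", r"C:\Program Files\ExampleApp\app.exe"),
]

def audit(entries):
    """Classify every entry; returns (value name, command, verdict) tuples."""
    return [(name, cmd, classify(name, cmd)) for name, cmd in entries]

if __name__ == "__main__":
    for name, cmd, verdict in audit(SAMPLE_ENTRIES):
        print(f"{verdict:18} {name:12} {cmd}")
```

Only the first sample entry matches the case the thread settles on as legitimate; the others correspond to the alternative rows in the reference chart or to a path that needs a manual look.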
