ctfmon.exe - Is it a nasty and can I get rid of it permanently?
Spybot S&D Warns with every boot, and sometimes in between:
Category: Startup user entry
Change: Value added
Entry: ctfmon.exe
New Data: C\WINDOWS\System32\ctfmon.exe
Per Spybot Info:
Current filename: C:\WINDOWS\system32\ctfmon.exe
Database status: Not required - virus, spyware, malware or other resource hog
Value: ctfmon.exe
Filename: ctfmon32.exe
Description
CoolWebSearch _Ctfmon32_ parasite variant
Source: Paul Collins Startup list
-----------------------------------
So I continually deny this change - Is it really a baddy and if so how can I delete it permanently?
Windows XP Professional Version 2002; Service Pack 2
Cicero: Seanix Technologies Inc
AMD Athlon 64 processor 3200+
2.20 Ghz, 200 GB RAM
Physical Address Extension
Thanks so much,
CanJan
Dave Lyle
2K Posts
0
April 10th, 2008 20:00
CanJan
21 Posts
0
April 10th, 2008 21:00
NO - This is my desk top - that is Gordonius' Lap Top - on same local network - but much different machines (his is Dell Inspiron)
CanJan
joe53
1 Rookie
5.8K Posts
0
April 10th, 2008 22:00
ctfmon.exe is a valid MS file, when found in your C:\WINDOWS\system32\ folder.
Ctfmon.exe activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office Language Bar. Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.
Most users do not need this process running at startup. Simply unchecking it in msconfig does not prevent it from coming back. To disable it see the following:
http://support.microsoft.com/kb/282599
ky331
3 Apprentice
15.2K Posts
0
April 10th, 2008 22:00
I'm somewhat puzzled by the message which you say "SpyBot" ---
presumably, its TeaTimer module --- gave you:
on the one hand,
Entry: ctfmon.exe
New Data: C\WINDOWS\System32\ctfmon.exe
is most likely, as Joe indicated, a valid Microsoft file.
in which case, the "warning"
Database status:
Not required - virus, spyware, malware or other resource hog
presumably is just indicating this is a resource hog that is not required,
and can be disabled per directions in the thread joe linked.
on the other hand, the information
Value: ctfmon.exe
Filename: ctfmon32.exe
Description
CoolWebSearch _Ctfmon32_ parasite variant
Source: Paul Collins Startup list
refers to something else completely!!
So the first thing you really need to do is determine which file,
ctfmon.exe or ctfmon32.exe
is actually trying to be loaded at startup.
Paul Collins (aka PaCMan) is an amazing person!
CanJan
21 Posts
0
April 10th, 2008 23:00
Ky331: - Well I typed exactly what teatimer popped up using the info button - so how will I make that determination folks??
CanJan
CanJan
21 Posts
0
April 10th, 2008 23:00
Joe - I appreciate your input - would this be pretty important to the usage of my Wacom Graphire pad & pen???? Sounds like it might!
Same thing is happening over on Gord's laptop, and I keep denying it - but I will not likely use the pad there - so guess it isn't needed.
joe53
1 Rookie
5.8K Posts
0
April 11th, 2008 04:00
ky331:
As you know, I don't use TeaTimer, so I haven't a sense for how it reports detections these days. I do have ctfmon.exe in its proper folder, and disabled it a long time ago according to the MS article. My hunch is that this is a FP on TeaTimer's part, based on its detection of a correct file in the correct folder. The filename of ctfmon32.exe does need to be ruled out as being present on CanJan's PC, but I suspect this is TeaTimer's interpretation, and not a true file present.
CanJan:
I'm not familiar with Wacom products, but you could well be right that ctfmon.exe is needed for them to work. Here is what I would do:
1) Do a search on your PC for ctfmon32.exe. If not present, you are probably ok. If present, report back on its location for more instructions.
2) Try disabling ctfmon.exe, as per my link, and see if it affects your Wacom pad and pen usability. Note that those instructions only disable ctfmon.exe- they do not delete it. They are reversible, so you risk nothing by trying.
3) If it turns out that ctfmon.exe is needed, there should be some way to tell TeaTimer to ignore this detection- ky331 could probably tell you more how to do this. If this is not possible, then I would disable TeaTimer in Spybot.
CanJan
21 Posts
0
April 11th, 2008 08:00
Thank you Joe!
I did a search for both cftmon.exe and cftmon32.exe and found neither since I denied it running at startup on this boot.
The wacom pad works fine and recognizes my handwriting in Photoshop Elements - so that's not a problem,
I do have a blind son-in-law that visits on occasion, so I think I will just let it load for voice recognition purposes in case he needs it. I think I will likely disable tea-timer as it is a real nuisance, popping up with warnings every web page I go to - too many clicks needed for comfort!
I opened Spybot and looked at the Registry and there seems to be more than one line where ctfmon.exe is mentioned. I was able (I think) to copy what is said about it:
Current filename: C:\WINDOWS\system32\CTFMON.EXE
Database status: Not required - virus, spyware, malware or other resource hog
Value: CTFMON.EXE
Filename: ctfmon32.exe
Description
CoolWebSearch _Ctfmon32_ parasite variant
Source: Paul Collins Startup list
____________________
Current filename: C:\WINDOWS\system32\CTFMON.EXE
Database status: Not required - virus, spyware, malware or other resource hog
Value: CTFMON.EXE
Filename: ctfmon.exe
Description
Added by the _RAIDYS_ TROJAN! Note - this should not be confused with the valid Office XP file, see _here_
Source: Paul Collins Startup list
____________________
Current filename: C:\WINDOWS\system32\CTFMON.EXE
Database status: Not required - virus, spyware, malware or other resource hog
Value: CTFMON.EXE
Filename: msupdate32.exe
Description
Spy Sheriff/SpywareNO malware, also detected as the _SPYHOAX-A_ TROJAN, pretends to be a spyware remover! - file names spotted sofar include VXH8JKDQ2.EXE, NS6281400.so, CVXH8JKDQ2.EXE, down3.exe, sefe.exe, winstall.exe, and tool2.exe
Source: Paul Collins Startup list
____________________
Current filename: C:\WINDOWS\system32\CTFMON.EXE
Database status: Necessity depends on users preferences
Value: CTFMON.EXE
Filename: ctfmon.exe
Description
CTFMon is involved with the language/alternative input services in Office XP. Ctfmon.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see _here_. Ctfmon can be disabled from Control Panel, Text & Speech Services. Note - the file will always be located in the System32 folder, if it is located elsewhere it will likely be a worm or trojan! Can cause problems with some other programs if left enabled - see _here_ for such an example
Source: Paul Collins Startup list
____________________
So I'm going to check out those other links after a good night's sleep - thanks Joe.
ky331
3 Apprentice
15.2K Posts
0
April 11th, 2008 11:00
canjan wrote "I did a search for both cftmon.exe and cftmon32.exe and found neither since I denied it running at startup on this boot".
what/how did you search? --- while denying (either) can stop the file from loading into RAM (random access Memory), the office-related ctfmon.exe should nevertheless still reside on your HARD DRIVE.
open windows explorer, click on SEARCH, click on ALL FILES OR FOLDERS,
where asked ALL OR PART OF A FILE NAME, type in CTFMON
and under LOOK IN, click on the "marker" to open the drop-down menu, and select LOCAL HARD DRIVE (presumably C: )
then click on SEARCH
the "real" ctfmon HAS TO be there!
=================================================================
as for notifications from TeaTimer, it will alert you anytime something tries to add itself to your startup sequence. This is valuable protection --- since without it, malware could just as easily try to insert itself that way! [there are other programs, such as WinPatrol, that likewise look for new startup attempts].
I would not classify such new/modified startup notifications as a "false positive"
when TeaTimer presents you with the startup notification, and asks you to allow or deny it... there should also be a box there labeled REMEMBER THIS DECISION. if checked, TeaTimer will act automatically in the future... [there may be a small popup reminding you that teatimer automatically took action based on user decision --- such reminder will appear for a few seconds, and then disappear on its own].
[note: an older version 1.4 of spybot/teatimer had a graphical "glitch", whereby some of teatimers prompts for user response did not display properly. but that has been fixed with the current spybot/teatimer 1.5 ]
as for teatimer "popping up with warnings every web page [you] go to", RIGHT-click on the teatimer icon in your system tray (to open a menu), move your cursor to RESIDENT IE, and make sure to check BLOCK ALL BAD PAGES SILENTLY. [I'm presuming that one of the other options had been checked instead, yes??] Hopefully, that should take care of your "nuisance"/"too many clicks" issue.
================================================================================
i'm not sure i'm following what you did when you said you "opened Spybot and looked at the Registry" to find the entries listed above... can you elaborate on exactly how you did this?
CanJan
21 Posts
0
April 11th, 2008 17:00
ky331
3 Apprentice
15.2K Posts
0
April 11th, 2008 17:00
re: windows explorer search(ing too fast) ---
i skipped one important option:
click on the double-arrow next to MORE ADVANCED OPTIONS
and be sure to check the two boxes labeled
SEARCH SYSTEM FOLDERS
SEARCH SUBFOLDERS
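The two checks discussed in the posts above (which ctfmon-named file a startup entry really launches, and where ctfmon files sit on disk) can also be scripted. This is an added example, not part of the original thread; it assumes Windows PowerShell 3.0 or later, which a stock Windows XP SP2 install does not include, and it inspects only the two standard Run keys.

```powershell
# Added example (not from the thread). Read-only: nothing is changed or deleted.
$expected = Join-Path $env:SystemRoot 'System32\ctfmon.exe'
$runKeys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1) Which file is each ctfmon-like startup entry really pointing at?
$startup = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if (-not $data -or "$name $data" -notmatch 'ctfmon') { continue }

        # Pull the executable out of the command line (quoted path, or text up to .exe)
        $exe = $data
        if ($data -match '^\s*"([^"]+)"' -or $data -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }

        # A bare name such as "ctfmon.exe" is resolved through PATH, as at logon
        if (-not (Split-Path $exe -IsAbsolute)) {
            $cmd = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                   Select-Object -First 1
            if ($cmd) { $exe = $cmd.Path }
        }

        [pscustomobject]@{
            Key      = $key
            Value    = $name
            Data     = $data
            Resolved = $exe
            Exists   = Test-Path -LiteralPath $exe -PathType Leaf
            Verdict  = if ($exe -eq $expected) { 'System32\ctfmon.exe' } else { 'REVIEW: other name or folder' }
        }
    }
}
$startup | Format-List

# 2) Every ctfmon* file on the system drive, hidden and system folders included
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'ctfmon*' -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

A `REVIEW` verdict only means the entry does not resolve to `System32\ctfmon.exe`; the second listing will also show Prefetch `.pf` files, which are not executables.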
CanJan
21 Posts
0
April 11th, 2008 17:00
Ahhh!!! New light!!
I finally found where I was last night: took me a while!
In Spybot S&D I went to Navigation/Tools/System Start-Up >>> This produces a very colourful page in White Green & Yellow I found the first line that mentioned ctfmon.exe and double clicked that line - that gives me a window to the right, from where I posted that info.
Now in doing that I somehow have another Spybot pop-up - but only with allow change - the "deny" button is greyed out! What's more - it is a value DELETED ??? What have I accidentally done now?
"Browser Helper Object
Value Deleted
{53707962-6F74-2D53-2644-206D7942484F}
Says it is "legit" SDHelper.dll so guess I accept it?
CanJan
21 Posts
0
April 11th, 2008 18:00
I redid the search of C: using the advanced check marks you noted - I have two references;
The one we know about: in C:\Windows\System32
and another in C:\Windows\Prefetch\ CTFMON.EXE-OE179698.pf
Anything to worry about there?
CanJan
ky331
3 Apprentice
15.2K Posts
0
April 11th, 2008 18:00
hmmm.... let me first of all admit that the Tools/System Startup screen (accessible if you are running SpyBot in ADVANCED mode) is something that I really haven't used. but it does clarify for us that you found the informational messages in SpyBot itself, rather than as coming as a popup-warning from TeaTimer.
Apparently, that window on the right simply opens "reference" information from PaCMan's page [so you don't actually have to take the time to go online and access it]. as such, it is simply a reference chart of known possibilities. the chart tends to be "inclusive"... it gives you lots of information, but does not "simply" tell you which one applies to your case. And certainly, it by no means should be taken to mean that "all" of them are applicable.
yes, 53707962-6F74-2D53-2644-206D7942484F is the ClassID for the legitimate SpyBot SDHelper BHO. as long as you seem to be in Advanced mode, you can set the status of SDHelper, as well as TeaTimer, from
TOOLS / RESIDENT :
if you deleted SDHelper, and want it back, just check the box Resident SDHelper.
CanJan
21 Posts
0
April 11th, 2008 19:00
Thank you so much for your time and effort KY331 - I now know more about spybot, and will use the "remember this" checkbox from now on and eventually limit the pop-ups and I also am relieved to know that the ctfmon can run without a problem.
I better get back at the Taxes now, while keeping one eye out for a reply from BamaJim on gordonius' Laptop!
I'll be back - no doubt - Great forum - hope I can learn enough eventually to help others!
c u around, and thanks again - It was great to click the fixed check mark - I LOVE GREEN!!!
CanJan