Re: Virus causing System32 folder to be opened at startup?



If you have any Microsoft Office programs, ctfmon.exe is a legitimate file.

Here is a list of ctfmon.exe files with info for each version, File Size,
etc.
http://support.microsoft.com/dllhelp/?dlltype=file&l=55&alpha=ctfmon.exe&S=1&x=12&y=7

Why Will Ctfmon.exe Not Go Away When I Remove It from MSConfig?
Removing Ctfmon.exe from MSConfig does not disable Ctfmon.exe. For more
information about disabling Ctfmon.exe, refer to the "Can I remove the
Ctfmon.exe file?" section earlier in this article.

ctfmon.exe = CTF Loader. Part of Microsoft Office. It activates
the Alternative User Input Text Input Processor (TIP) and the Microsoft
Office XP Language Bar.

When you run a Microsoft Office XP program, the file Ctfmon.exe (Ctfmon)
runs in the background, even after you quit all Office programs.

Ctfmon.exe monitors the active windows and provides text input service
support for speech recognition, handwriting recognition, keyboard,
translation, and other alternative user input technologies.

To prevent Ctfmon.exe from running, follow these steps.
http://support.microsoft.com/default.aspx?scid=kb;en-us;282599#XSLTH3124121122120121120120

OFFXP: What Is CTFMON and What Does It Do?
http://support.microsoft.com/default.aspx?scid=kb;en-us;282599

HOW TO: Turn Off the Speech Recognition and Handwriting Recognition Features
in Office 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;823586

HOW TO: Turn Off the Speech Recognition and Handwriting Recognition Features
in Office XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;326526

ctfmon.exe: This is your "Language Bar." Don't know what it is? I bet you do
not need it. Head to Control Panel -> Regional and Language Options ->
Languages TAB -> Details BUTTON -> Language Bar BUTTON (under
"Preferences") -> select the "Turn off advanced text services" check box.
This little detail will save you between 1.5 MB and 4 MB of RAM. If you are
using a "non-US" version, you may be required to install the English
localization to remove this "feature."
http://web.archive.org/web/20041125021602/www.blackviper.com/WinXP/strangeservice.htm

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellNoRoam\MUICache

Did you really mean this key?
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

Just another paranoia key.

If something is listed in
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
it just means that it has run at some time on your machine.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:9614D1D9-9160-4352-8834-0DB8EE2FE317@xxxxxxxxxxxxx,
elp70 <elp70@xxxxxxxxxxxxxxxxxxxxxxxxx> hunted and pecked:
Every time I log on or reboot the System32 folder opens up. This started
after I had found a virus Trojan Downloader.Win32.Zlob.ad, which was
subsequently removed.

I have read the previous threads on the System32 folder opening topic and
have done the following:

1. I read the article at http://support.microsoft.com/?kbid=170086
regarding two Windows registry keys. This fix did not help as I do not
have any anomalous looking registry entries based on the support page.
No open ended “, etc. These registry entries looked OK.

2. I tried to run the edit on Kelly's site:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Line 260: System32 Folder Opens Upon Boot

I received the error message:
This script cannot repair your issue. The expected registry value was not
found.

3. I checked our other identical computer at home (referenced as
‘good’ from now on) and found something interesting. On the problem
computer there was an entry at
HKCU\Software\Microsoft\Windows\CurrentVersion\Run for the data value
ctfmon.exe at C:\WINDOWS\system32. The good computer does NOT have this
value.

4. Next, I ran msconfig but did not see anything unexpected under Startup
other than ctfmon.exe located at
HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
The good computer does NOT have ctfmon.exe under Startup.

5. I tried deleting this entry from the registry of the failing computer.
Once I did this it disappeared from the msconfig Startup screen as
expected.

6. Rebooting does not prevent the System32 folder from reappearing. The
ctfmon.exe is NOT listed under the Startup tab of msconfig, but it is then
listed under the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\ShellNoRoam\MUICache\ with
the data CTF Loader.

7. Rebooting again does not prevent the System32 folder from reappearing,
but now the ctfmon.exe registry key is gone and the msconfig Startup
reference is gone.

8. As soon as I start IE6, the ctfmon.exe registry key and Startup
references are back.

9. Any idea on how this is happening? I was focusing on ctfmon.exe because
of differences between the 2 computers and because I found some references
to a virus masquerading as the ctfmon.exe file. I checked and found only one
ctfmon.exe file on the failing computer, and it was located in the
C:\WINDOWS\System32 directory.

Any help you can provide me with fixing this problem would be greatly
appreciated. I’m not sure what to do next other than a reinstall.
I’ve tried 4 different virus scanners and they all come up clean.
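
An added example, not part of either post: a Python check over a text export of the HKCU Run key that flags the conditions discussed in the thread, namely an open-ended quote in a value and a ctfmon.exe entry that points outside C:\WINDOWS\system32. The sample export is constructed, the function names are hypothetical, and the empty-data check is an assumption (a commonly reported cause of a folder opening at logon), not something the thread confirms.

```python
import re

# Constructed sample (not from the thread): a .reg export of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run, already decoded to text.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"=""
"Helper"="\"C:\\Program Files\\Helper\\helper.exe /start"
"LangBar"="C:\\WINDOWS\\Temp\\ctfmon.exe"
'''

# Assumption: Windows is installed in C:\WINDOWS, as on the poster's machine.
SYSTEM32 = r"c:\windows\system32"
# Matches "name"="data" lines; either side may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Captures the directory part of any absolute path ending in ctfmon.exe.
CTFMON_RE = re.compile(r'([a-z]:(?:\\[^"\\]+)*)\\ctfmon\.exe', re.I)


def unescape(text):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', text)


def audit_run_values(reg_text):
    """Return {value name: [findings]} for each string value in the export."""
    report = {}
    for line in reg_text.splitlines():
        match = VALUE_RE.match(line.strip())
        if not match:
            continue  # header, key name, blank line, or dword/hex value
        name, data = unescape(match.group(1)), unescape(match.group(2))
        findings = []
        if not data.strip():
            findings.append("empty-data")
        if data.count('"') % 2:
            findings.append("unbalanced-quote")
        hit = CTFMON_RE.search(data)
        if hit and hit.group(1).lower() != SYSTEM32:
            findings.append("ctfmon-outside-system32")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_run_values(SAMPLE_REG).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

A file saved by regedit in the "Version 5.00" format is UTF-16, so decode it before passing the text to `audit_run_values`.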
