Re: Virus causing System32 folder to be opened at startup?




I don't know what is causing your System32 folder to open at startup.

I have ctfmon.exe version 5.1.2600.1106. I also do not have XP SP2, and I bet
that you do. I have XP SP1. 5.1.2600.2180 is valid. DLL Help isn't always
100% up to date.

File Properties for ctfmon.exe should also show:
File version: 5.1.2600.xxxx
Description: CTF Loader
Copyright: © Microsoft Corporation. All rights reserved.
Other version information
Company: Microsoft Corporation
File Version: 5.1.2600.xxxx
Internal Name: CTFMON
Language: English (United States)
Original File Name: CTFMON.EXE
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.xxxx
-----

Control Panel | Regional and Language Options |
Languages TAB | Details BUTTON | Language Bar BUTTON (under
Preferences) | select the Turn off advanced text services check box | Apply

Remove all the text services you do not use; this includes keyboards and
languages.

Control Panel | Regional and Language Options |
Languages TAB | Details BUTTON | Settings tab |

You should have, depending on your language
EN English (whatever country)
Keyboard
• (whatever country)

[[text service
A program that enables a user to enter or edit text. Text services include
keyboard layouts, handwriting and speech recognition programs, and Input
Method Editors (IMEs). IMEs are used to enter East Asian language characters
with a keyboard.]]

Any extra text services can cause ctfmon.exe to run.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:23C0EB7B-D84F-4E90-ADEC-A74646ECBA83@xxxxxxxxxxxxx,
elp70 <elp70@xxxxxxxxxxxxxxxxxxxxxxxxx> hunted and pecked:
Wes,
I verified my version of ctfmon.exe as 5.1.2600.2180, which does not look
valid based on

http://support.microsoft.com/dllhelp/?dlltype=file&l=55&alpha=ctfmon.exe&S=1&x=12&y=7
Is this a problem? FYI, I have Office 2000 Standard Edition and XP SP2.

Since I’m not running Office XP, I couldn’t figure out why ctfmon.exe
was running, until I found the following comment at the very bottom of
the page:
‘It also starts each time Windows is started and remains in the
background, regardless of whether an Office XP program is started.’
This seems to match what I’m seeing on my system.

To disable ctfmon.exe:
I tried to follow the link to ‘Step 1: Uninstall Alternative User Input’,
but couldn’t because there doesn’t appear to be an icon for
‘Alternative User Input’ or anything similar, even after expanding
all the choices. I see how to disable an item, but ‘Alternative User
Input’ doesn’t seem to be a choice. Again, I have Office 2000.

I was able to follow ‘Step 2: Remove Alternative User Input Services from
Text Services’, and ‘Step 3: Run Regsvr32 /U on the Msimtf.dll and
Msctf.dll Files’.
I don’t know if doing steps 2 and 3 is of any value without step 1. The
System32 folder still opens by itself.

To answer your other question, yes I really did mean
‘HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache’
Sorry for the typo.

Paulibus,
Regarding .exe files, there are no new ones on my computer within 10 days
of when I first had this problem.

To summarize:
- I had the ‘Trojan Downloader.Win32.Zlob.ad’ on my computer but I
can no longer find it since it was removed using PestPatrol.
- System32 folder opens whenever I log on or reboot.
- There doesn’t appear to be any recent .exe files anywhere on the hard
drive.
- The ctfmon.exe version does not appear to match what’s on the support
page, but I have no idea if this is significant.
- My registry entries …\Run don’t have anything suspicious or
incomplete in them.

Any ideas on what else could be going on? Can a Trojan or other type of
problem file be something other than .exe?


"paulibus" wrote:

Re: the malware question.

In my case, I scanned for .exe files and found a suspicious one. I did a
google search and found that it was spyware. There were also two other
.exe files with names like kdasie.exe and shymfh.exe with the same date
as the spyware. These turned up nothing when googled. So, I moved them
to a temp file and later deleted them. They apparently were the backups
for the spyware. When they were moved, my problems went away. Granted
this is not the same as a trojan, but was a problem that kept
reoccurring, after the original spyware was removed.
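
Added example, not part of any post in this thread: a PowerShell check of the version-resource fields Wes lists for ctfmon.exe, reported together with the file's Authenticode status. The function name and default path are assumptions; version-resource fields are set by whoever built the file, so a match is a sanity check and not proof of authenticity.

```powershell
# Added example (not from the thread). Expected values are the File Properties
# fields listed in Wes's post; the function name and default path are assumed.
function Test-CtfmonVersionInfo {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\ctfmon.exe'))

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $info = (Get-Item -LiteralPath $Path).VersionInfo

    # String fields from the post, compared case-insensitively after trimming.
    $expected = [ordered]@{
        FileDescription  = 'CTF Loader'
        CompanyName      = 'Microsoft Corporation'
        InternalName     = 'CTFMON'
        OriginalFilename = 'CTFMON.EXE'
    }

    $results = @(
        foreach ($field in $expected.Keys) {
            $actual = [string]$info.$field
            [pscustomobject]@{
                Check  = $field
                Actual = $actual
                Pass   = ($actual.Trim() -ieq $expected[$field])
            }
        }
        # The post gives both version fields as 5.1.2600.xxxx.
        foreach ($field in 'FileVersion', 'ProductVersion') {
            $actual = [string]$info.$field
            [pscustomobject]@{
                Check  = $field
                Actual = $actual
                Pass   = ($actual -like '5.1.2600.*')
            }
        }
        # Signature status is reported alongside the resource fields. A status
        # other than Valid is a reason to look further, not a verdict.
        $sig = Get-AuthenticodeSignature -FilePath $Path
        [pscustomobject]@{
            Check  = 'AuthenticodeStatus'
            Actual = [string]$sig.Status
            Pass   = ($sig.Status -eq 'Valid')
        }
    )
    return $results
}

Test-CtfmonVersionInfo | Format-Table -AutoSize
```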


