Virus causing System32 folder to be opened at startup?


Guest

Every time I log on or reboot the System32 folder opens up. This started
after I had found a virus Trojan Downloader.Win32.Zlob.ad, which was
subsequently removed.

I have read the previous threads on the System32 folder opening topic and
have done the following:

1. I read the article at http://support.microsoft.com/?kbid=170086 regarding
two Windows registry keys. This fix did not help as I do not have any
anomalous-looking registry entries based on the support page. No open-ended
", etc. These registry entries looked OK.

2. I tried to run the edit on Kelly's site:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Line 260: System32 Folder Opens Upon Boot

I received the error message:
This script cannot repair your issue. The expected registry value was not
found.

3. I checked our other identical computer at home (referenced as ‘good’ from
now on) and found something interesting. On the problem computer there was
an entry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run for the data
value ctfmon.exe at C:\WINDOWS\system32. The good computer does NOT have
this value.

4. Next, I ran msconfig but did not see anything unexpected under Startup
other than ctfmon.exe located at
HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
The good computer does NOT have ctfmon.exe under Startup.

5. I tried deleting this entry from the registry of the failing computer.
Once I did this it disappeared from the msconfig Startup screen as expected.

6. Rebooting does not prevent the System32 folder from reappearing. The
ctfmon.exe is NOT listed under the Startup tab of msconfig, but it is then
listed under the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\ShellNoRoam\MUICache\ with
the data CTF Loader.

7. Rebooting again does not prevent the System32 folder from reappearing,
but now the ctfmon.exe registry key is gone and the msconfig Startup
reference is gone.

8. As soon as I start IE6, the ctfmon.exe registry key and Startup
references are back.

9. Any idea on how this is happening? I was focusing on ctfmon.exe because
of differences between the 2 computers and because I found some references to
a virus masquerading as the ctfmon.exe file. I checked and found only one
ctfmon.exe file on the failing computer, and it was located in the
C:\WINDOWS\System32 directory.

Any help you can provide me with fixing this problem would be greatly
appreciated. I’m not sure what to do next other than a reinstall. I’ve
tried 4 different virus scanners and they all come up clean.
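The checks in steps 1 and 3 above can be done offline against exports of the Run key from both machines. The following is an added example, not code posted by anyone in this thread: it parses the text that regedit's File > Export writes, flags Run values of the kind the first step looked for (empty or open-ended quote data), and lists every value the problem machine has that the good machine does not. The two exports are constructed; apart from the ctfmon.exe entry discussed in the thread, the value names and paths are invented, and `parse_reg_export`, `flag_suspicious` and `review` are names chosen for this example.

```python
"""Offline review of exported Run keys: flag malformed values and diff two
machines. Added example for this thread; the exports below are constructed."""
import re
from typing import Dict

# Constructed sample exports, in the text format regedit's File > Export
# writes. The ctfmon.exe entry mirrors the one the thread discusses; the
# other entries are invented for illustration.
BAD_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Updater"="\""
"Helper"=""
'''

GOOD_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''

RUN_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'

# A value line looks like  "name"=data  where name uses .reg escaping.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # Undo .reg escaping: a backslash escapes the next character.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map key path -> {value name: data} for the string values in an export.
    Binary (hex:) and dword: data are kept as written; @= defaults are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        else:
            keys[current][name] = data
    return keys


def flag_suspicious(values: Dict[str, str]) -> Dict[str, str]:
    """name -> reason for Run values that are empty, a bare quote, or
    contain an unbalanced quote; these are the malformed entries the first
    step of the post was checking for."""
    reasons: Dict[str, str] = {}
    for name, data in values.items():
        stripped = data.strip()
        if stripped == '':
            reasons[name] = 'empty data'
        elif stripped.strip('"') == '':
            reasons[name] = 'quote-only data'
        elif stripped.count('"') % 2 == 1:
            reasons[name] = 'unbalanced quote'
    return reasons


def only_on(bad: Dict[str, str], good: Dict[str, str]) -> Dict[str, str]:
    """Values present on the problem machine but absent (or different) on the
    good one; the comparison the original poster did by hand in step 3."""
    return {n: d for n, d in bad.items() if good.get(n) != d}


def review(bad_text: str, good_text: str) -> Dict[str, Dict[str, str]]:
    bad = parse_reg_export(bad_text).get(RUN_KEY, {})
    good = parse_reg_export(good_text).get(RUN_KEY, {})
    return {'suspicious': flag_suspicious(bad), 'only_on_bad': only_on(bad, good)}


if __name__ == '__main__':
    for section, items in review(BAD_EXPORT, GOOD_EXPORT).items():
        print(section)
        for name, info in items.items():
            print(f'  {name!r}: {info}')
```

Real exports from regedit are written as UTF-16 text, so read them with `open(path, encoding='utf-16')` before passing them to `review`. Export the HKLM Run and RunOnce keys the same way; the parser only selects the key named in `RUN_KEY`, so change that constant or call `parse_reg_export` directly for the others.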
 

Guest

Some malware will come with their own backups to recreate it after it has
been removed. The backups have gibberish names, which sometimes are changed
by the perpetrator to avoid deletion by a/v software. If you remember the
date the trojan was put on your computer, the backups will have the same date.
 

Guest

I know the date the trojan was put on my computer as I run multiple security
checks every day. Should I be looking at files with .exe extensions that
appeared on that date? I went looking for new .exe files but didn't find
anything close to the recent date when the trojan appeared. Is it possible
that it could be stored on my hard drive with an old date? If yes, I have no
way of sorting this out... If it can be a different file extension what
would I look for?
Thanks.
 

Wesley Vogel

If you have any Microsoft Office programs, ctfmon.exe is a legitimate file.

Here is a list of ctfmon.exe files with info for each version, File Size,
etc.
http://support.microsoft.com/dllhelp/?dlltype=file&l=55&alpha=ctfmon.exe&S=1&x=12&y=7

Why Will Ctfmon.exe Not Go Away When I Remove It from MSConfig?
Removing Ctfmon.exe from MSConfig does not disable Ctfmon.exe. For more
information about disabling Ctfmon.exe, refer to the "Can I remove the
Ctfmon.exe file?" section earlier in this article.

ctfmon.exe = CTF Loader. Part of Microsoft Office. It activates
the Alternative User Input Text Input Processor (TIP) and the Microsoft
Office XP Language Bar.

When you run a Microsoft Office XP program, the file Ctfmon.exe (Ctfmon)
runs in the background, even after you quit all Office programs.

Ctfmon.exe monitors the active windows and provides text input service
support for speech recognition, handwriting recognition, keyboard,
translation, and other alternative user input technologies.

To prevent Ctfmon.exe from running, follow these steps.
http://support.microsoft.com/default.aspx?scid=kb;en-us;282599#XSLTH3124121122120121120120

OFFXP: What Is CTFMON and What Does It Do?
http://support.microsoft.com/default.aspx?scid=kb;en-us;282599

HOW TO: Turn Off the Speech Recognition and Handwriting Recognition Features
in Office 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;823586

HOW TO: Turn Off the Speech Recognition and Handwriting Recognition Features
in Office XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;326526

ctfmon.exe: This is your "Language Bar." Don't know what it is? I bet you do
not need it. Head to Control Panel -> Regional and Language Options ->
Languages TAB -> Details BUTTON -> Language Bar BUTTON (under
"Preferences") -> select the "Turn off advanced text services" check box.
This little detail will save you between 1.5 MB and 4 MB of RAM. If you are
using a "non-US" version, you may be required to install the English
localization to remove this "feature."
http://web.archive.org/web/20041125021602/www.blackviper.com/WinXP/strangeservice.htm

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellNoRoam\MUICache

Did you really mean this key?
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

Just another paranoia key.

If something is listed in
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
it just means that it has run at some time on your machine.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 

Guest

Re: the malware question.

In my case, I scanned for .exe files and found a suspicious one. I did a
Google search and found that it was spyware. There were also two other .exe
files with names like kdasie.exe and shymfh.exe with the same date as the
spyware. These turned up nothing when googled. So, I moved them to a temp
file and later deleted them. They apparently were the backups for the
spyware. When they were moved, my problems went away. Granted this is not
the same as a trojan, but was a problem that kept reoccurring, after the
original spyware was removed.
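The same-date search described in the two Guest replies above, combined with the comparison against a known-good machine the original poster already made by hand, as an added example that is not code from anyone in this thread. It walks a directory, lists every file of any extension whose modification time falls within a day of the known infection date, hashes each hit, and sorts the hits by whether the good machine has the same file with the same hash. The sample tree and the baseline hashes are constructed (kdasie.exe is the name reported above; notes.dat is invented to show a backup without the .exe extension), and `files_near`, `compare_to_baseline`, `build_sample_tree` and `demo` are names chosen for this example.

```python
"""Find files dated near a known infection and check them against a known-good
machine. Added example for this thread; sample files and hashes are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed: the day the trojan was logged, which the poster says they know.
SAMPLE_INFECTION = datetime(2005, 6, 1, 12, 0)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 20), b''):
            h.update(chunk)
    return h.hexdigest()


def files_near(root: str, when: datetime, days: int = 1) -> List[Tuple[str, str]]:
    """(relative path, sha256) for every file under root, whatever its
    extension, whose modification time is within +/- days of `when`.
    Only mtime is used: st_ctime is creation time on Windows but inode
    change time on POSIX, so it is not portable."""
    lo, hi = when - timedelta(days=days), when + timedelta(days=days)
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                mtime = datetime.fromtimestamp(os.stat(full).st_mtime)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort
            if lo <= mtime <= hi:
                hits.append((os.path.relpath(full, root), sha256_of(full)))
    return sorted(hits)


def compare_to_baseline(hits: List[Tuple[str, str]],
                        baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort hits by how they relate to a path -> sha256 inventory taken from
    the good machine. A file the good machine lacks, or whose hash differs,
    is what to examine next. A dropper can set an old mtime on its backups,
    so the hash comparison is the stronger of the two signals."""
    out: Dict[str, List[str]] = {'not_on_good': [], 'differs_from_good': [],
                                 'matches_good': []}
    for rel, digest in hits:
        if rel not in baseline:
            out['not_on_good'].append(rel)
        elif baseline[rel] != digest:
            out['differs_from_good'].append(rel)
        else:
            out['matches_good'].append(rel)
    return out


def build_sample_tree(root: str) -> None:
    """Constructed files with mtimes placed relative to SAMPLE_INFECTION."""
    spec = [
        ('ctfmon.exe', b'legitimate component', timedelta(days=-40)),
        ('kdasie.exe', b'dropper backup', timedelta(hours=1)),
        ('notes.dat', b'renamed backup', timedelta(hours=5)),
        ('readme.txt', b'old file', timedelta(days=-400)),
    ]
    for name, content, delta in spec:
        path = os.path.join(root, name)
        with open(path, 'wb') as f:
            f.write(content)
        ts = (SAMPLE_INFECTION + delta).timestamp()
        os.utime(path, (ts, ts))


def demo() -> Dict[str, object]:
    """Run the search on the constructed tree against a constructed baseline."""
    baseline = {
        'ctfmon.exe': hashlib.sha256(b'legitimate component').hexdigest(),
        'notes.dat': hashlib.sha256(b'the good machine has a different notes.dat').hexdigest(),
    }
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = files_near(root, SAMPLE_INFECTION)
        return {'hits': [rel for rel, _ in hits],
                'comparison': compare_to_baseline(hits, baseline)}


if __name__ == '__main__':
    for section, value in demo().items():
        print(section, value)
```

On a real case, run `files_near` over the system drive of the problem machine with the logged infection date, and build the baseline by hashing the same relative paths on the good machine; the window can be widened with the `days` argument if the first hit list is empty.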
 

Guest

Wes,
I verified my version of ctfmon.exe as 5.1.2600.2180, which does not look
valid based on
http://support.microsoft.com/dllhelp/?dlltype=file&l=55&alpha=ctfmon.exe&S=1&x=12&y=7
Is this a problem? FYI, I have Office 2000 Standard Edition and XP SP2.

Since I’m not running Office XP, I couldn’t figure out why ctfmon.exe was
running, until I found the following comment at the very bottom of the page:
‘It also starts each time Windows is started and remains in the background,
regardless of whether an Office XP program is started.’
This seems to match what I’m seeing on my system.

To disable ctfmon.exe:
I tried to follow the link to ‘Step 1: Uninstall Alternative User Input’,
but couldn’t because there doesn’t appear to be an icon for ‘Alternative User
Input’ or anything similar, even after expanding all the choices. I see how
to disable an item, but ‘Alternative User Input’ doesn’t seem to be a choice.
Again, I have Office 2000.

I was able to follow ‘Step 2: Remove Alternative User Input Services from
Text Services’, and ‘Step 3: Run Regsvr32 /U on the Msimtf.dll and Msctf.dll
Files’.
I don’t know if doing step 2 and 3 is of any value without step 1. The
system32 folder still opens by itself.

To answer your other question, yes I really did mean
‘HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache’
Sorry for the typo.

Paulibus,
Regarding .exe files, there are no new ones on my computer within 10 days of
when I first had this problem.

To summarize:
- I had the ‘Trojan Downloader.Win32.Zlob.ad’ on my computer but I can no
longer find it since it was removed using PestPatrol.
- System32 folder opens whenever I log on or reboot.
- There doesn’t appear to be any recent .exe files anywhere on the hard drive.
- The ctfmon.exe version does not appear to match what’s on the support
page, but I have no idea if this is significant.
- My registry entries …\Run don’t have anything suspicious or incomplete in
them.

Any ideas on what else could be going on? Can a Trojan or other type of
problem file be something other than .exe?
 

Wesley Vogel

I don't know what is causing your System32 folder to open at startup.

I have ctfmon.exe version 5.1.2600.1106. I also do not have XP SP2 and I bet
that you do. I have XP SP1. 5.1.2600.2180 is valid. DLL Help isn't always
100% up to date.

File Properties for ctfmon.exe should also show:
File version: 5.1.2600.xxxx
Description: CTF Loader
Copyright: © Microsoft Corporation. All rights reserved.
Other version information
Company: Microsoft Corporation
File Version: 5.1.2600.xxxx
Internal Name: CTFMON
Language: English (United States)
Original File Name: CTFMON.EXE
Product Name: Microsoft® Windows® Operating System
Product Version: 5.1.2600.xxxx
-----

Control Panel | Regional and Language Options |
Languages TAB | Details BUTTON | Language Bar BUTTON (under
Preferences) | select the Turn off advanced text services check box | Apply

Remove all the text services you do not use; this includes keyboards and
languages.

Control Panel | Regional and Language Options |
Languages TAB | Details BUTTON | Settings tab |

You should have, depending on your language
EN English (whatever country)
Keyboard
• (whatever country)

[[text service
A program that enables a user to enter or edit text. Text services include
keyboard layouts, handwriting and speech recognition programs, and Input
Method Editors (IMEs). IMEs are used to enter East Asian language characters
with a keyboard.]]

Any extra text services can cause ctfmon.exe to run.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 

neil

Under win98 the system folder would open if there was a character in either
the "run" or "load" (can't just remember which) statement in the win.ini
file.

Neil
 
