CTFMON.EXE entries in Tools>System Startup...virus/trojan?

cromwell1230
2007-11-19, 02:28
Hi! I took a look at my Spybot's entries in Tools>System Startup and I found 2 entries about CTFMON.EXE and 1 entry for ctfmon.exe. I did msconfig>startup and there's one entry for ctfmon (command: C:\WINDOWS\system32\ctfmon.exe, location: Software\Microsoft\Windows\CurrentVersion\Run). I unchecked the ctfmon entry in msconfig and when I checked back with Spybot's Tools>System Startup the entry for ctfmon.exe is now gone but the 2 entries in capital letters (CTFMON.EXE) remain. Do I have a virus/trojan? Is this still the legit Microsoft Office XP application? I checked also in my Control Panel>Regional & Language Options>Languages>Details>Advanced>System Config and there is indeed a check in "Turn off advanced text services". So my question now is what are those 2 entries that remain as detected by Spybot:
HK_CU:Run(User .Default) CTFMON.EXE C:\WINDOWS\system32\CTFMON.EXE and
HK_CU:Run(User S-1-5-18) CTFMON.EXE C:\WINDOWS\system32\CTFMON.EXE?

md usa spybot fan
2007-11-19, 06:34
The HKEY_USERS\S-1-5-18 registry hive is the System account profile. The HKEY_USERS\.DEFAULT registry hive is used when you define a new user.

Apparently the startup entry for C:\WINDOWS\system32\ctfmon.exe was also added to those registry hives at some point in time.

dunxd
2007-11-19, 12:35
CTFMON.exe is usually part of Office 2003 (maybe 2007 too?). It deals with alternative user input methods. If you aren't using Office's built-in Speech or Handwriting recognition you should remove these from your install by going to Add/Remove programmes and clicking the Change button next to your Office installation.

Once the Office setup prog starts, select Add or Remove features. Then select Choose advanced customisation of applications.

Look under Office Shared Features - you want to set Alternative User Input and Microsoft Handwriting Component to Not Available. Then complete the changes. You'll find CTFMON.exe is no longer running on your next reboot. If it is, you may want to check your language bar settings and get rid of Speech and Handwriting recognition in there. If CTFMON.exe is still there then maybe you have got some spyware running.

Hope this helps.

cromwell1230
2007-11-19, 13:50
I don't know how to interpret your replies. My problem now is about C:\WINDOWS\system32\CTFMON.EXE whereas the first reply (by md usa spybot fan) is about C:\WINDOWS\system32\ctfmon.exe. Also, as I said in my post, I've already disabled the MS Office app dealing with "advanced text services" (the legit ctfmon.exe). What is the difference between the small-lettered ctfmon.exe versus the capital-lettered CTFMON.EXE?

md usa spybot fan
2007-11-19, 19:15
cromwell1230:

    What is the difference between the small-lettered ctfmon.exe versus the capital-lettered CTFMON.EXE?
The Windows NT File System (NTFS) provides a case-sensitive file and directory naming convention. In other words with NTFS, it is possible to store unique file names, stored in the same directory, that differ only in case. For example, the following filenames can theoretically coexist in the same directory on an NTFS volume:
ctfmon.exe
CTFMON.EXE
However, the MS-DOS and Win32 subsystems use case-insensitive mode. In other words, running Windows XP, the following two executables could not normally be created in the same directory:
ctfmon.exe
CTFMON.EXE
Furthermore, even if you did have those two (2) executables in the "C:\WINDOWS\system32" directory, because the MS-DOS and Win32 subsystems are case insensitive the following two (2) commands would probably execute the same program:
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTFMON.EXE
______________

Using Windows Explorer, navigate to C:\WINDOWS\system32 and see if you actually have two (2) executables:
ctfmon.exe
CTFMON.EXE
If you do not have those two (2) executables then the following two (2) commands would be synonymous (the same):
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTFMON.EXE
______________

I assume, since your follow-up query focused on the case difference between "ctfmon.exe" and "CTFMON.EXE", that you understand why the startup entries could possibly be in the [HKEY_USERS\S-1-5-18] and the [HKEY_USERS\.DEFAULT] registry hives and the significance of their presence in those registry hives.
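A way to carry out the checks from this reply and the earlier one about the S-1-5-18 and .DEFAULT hives in one pass, as an added PowerShell example that is not from this thread or from Spybot: it walks every Run key under HKEY_USERS (so the SYSTEM profile, .DEFAULT and any logged-on user SIDs are all covered), resolves each command to its executable, tests whether that file exists, groups entries that differ only in letter case (which resolve to the same file under Win32's case-insensitive lookup), and finally lists what actually sits in System32 under the name ctfmon.exe together with its Authenticode signature status. It assumes PowerShell 3.0 or later with rights to read HKEY_USERS; the helper name Get-ExecutableFromCommand is my own.

```powershell
# Added example (not from this thread): audit per-user Run keys under HKEY_USERS,
# including the S-1-5-18 (SYSTEM) and .DEFAULT hives, and reconcile entries that
# differ only in letter case. Assumes PowerShell 3.0+ and read access to HKEY_USERS.

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    # HKEY_USERS is not mapped as a PowerShell drive by default
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'

function Get-ExecutableFromCommand {
    # Hypothetical helper: take the first token of a Run command line, i.e. a quoted
    # path or everything up to the first space, and expand %VARS% such as %SystemRoot%.
    param([string]$Command)
    $path = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] }
            else { ($Command.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

$entries = foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
    $runKey = "HKU:\$($hive.PSChildName)\$runSubKey"
    if (-not (Test-Path -LiteralPath $runKey)) { continue }

    $props = Get-ItemProperty -LiteralPath $runKey
    foreach ($valueName in $props.PSObject.Properties.Name) {
        if ($valueName -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $command = [string]$props.$valueName
        if ([string]::IsNullOrWhiteSpace($command)) { continue }
        $exe = Get-ExecutableFromCommand $command

        [pscustomobject]@{
            Hive       = $hive.PSChildName        # e.g. S-1-5-18, .DEFAULT or a user SID
            ValueName  = $valueName
            Command    = $command
            Executable = $exe
            Exists     = Test-Path -LiteralPath $exe -PathType Leaf
        }
    }
}

$entries | Format-Table Hive, ValueName, Executable, Exists -AutoSize

# ctfmon.exe and CTFMON.EXE are one file to a case-insensitive Win32 path lookup, so group
# on the lower-cased path to see which startup entries really point at the same executable.
$entries | Group-Object { $_.Executable.ToLowerInvariant() } | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { '{0} startup entries reference the same file: {1}' -f $_.Count, $_.Name }

# Show what actually exists under that name in System32 (the -Filter match is case-insensitive,
# so both spellings would be listed if two files somehow coexisted) and whether it is signed.
Get-ChildItem -LiteralPath "$env:SystemRoot\System32" -Filter 'ctfmon.exe' | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Name      = $_.Name
        Size      = $_.Length
        Modified  = $_.LastWriteTime
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}
```

Run it from an elevated prompt so that the S-1-5-18 hive is readable. A genuine ctfmon.exe shows up once in System32, every Run entry that names it (whatever the letter case) lands in a single group, and the executable carries a Microsoft signer. Many Windows system files are signed through a catalog rather than an embedded signature, so an older PowerShell may report NotSigned for a legitimate file; in that case compare the file's hash against a known-good copy rather than trusting the status field alone. An entry whose path does not exist, or that points outside the Windows directory, is what deserves a closer look.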

cromwell1230
2007-11-20, 20:52
Thanks md usa spybot fan for explaining to me that Win32 subsystems use a case-insensitive file and directory naming convention...I now have peace of mind that my ctfmon.exe & CTFMON.EXE entries in Tools>System Startup as detected by Spybot are one and the same and point to the legit (I hope I'm right) Microsoft Office application which I have now disabled ("advanced text services").

As to whether I understand why the startup entries could possibly be in the [HKEY_USERS\S-1-5-18] and the [HKEY_USERS\.DEFAULT] registry hives and the significance of their presence in those registry hives...embarrassing as it is...but I really haven't a clue. More info/explanations please...your enlightening replies are really appreciated!