View Full Version : Ctfmon.exe

2005-11-11, 20:38
System Startup identifies this as a parasite "Current filename: C:\WINDOWS\System32\ctfmon.exe

Database status: Not required - virus, spyware, malware or other resource hog
Filename: ctfmon32.exe

_CoolWebSearch_ parasite related - hijacking to Slawsearch.com

Source: Paul Collins Startup list"

Microsoft say its part of MSOffice - http://support.microsoft.com/kb/q282599/

md usa spybot fan
2005-11-11, 21:37
Ctfmon.exe is part of Microsoft Office XP monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies. It should be located here:

If not it can be virus, spyware, trojan or worm! Examples:

2006-01-31, 06:32
Sent basically these exact complaints to SpyBot’ 1-30-06...

Using SpyBot's tools>system startup, SpyBot' lists the ticked key "HK_CU_Run" with a value of "ctfmon.exe", command line "C:\WINDOWS\system32\ctfmon.exe". Added info also shown on this states current file name "C:\WINDOWS\system32\ctfmon.exe", database status "not required - virus, spyware, malware or other resource hog", value "ctfmon.exe", filename "ctfmon32.exe", description "CoolWebSearch parasite related - hijacking to Slawsearch.com", and Source "Paul Collins Startup list".

This led me to examining SpyBot's settings because certainly ctfmon.exe and Ctfmon32 should have been caught in scans.

In SpyBot's settings>ignore products>all products, the default settings (all boxes ticked, ctfmon.exe included) indicating somewhat falsely that SpyBot’ scans will detect and report finding ctfmon.exe, and yet such does not occur in neither the scans results nor the ticking of the system startup items found in SpyBot's tools>system startup list.

Instead when the user become aware of the existence of the so called threat and the user acts on the system startup entry for ctfmon.exe (by un-ticking it and clicking “delete”, not only does MS Antispyware (Beta) immediately report its restoring of ctfmon.exe (back into the windows registry), and upon additional SpyBot’ scans, SpyBot’ consistently fails both in reporting ctfmon.exe and neither does the program re-tick it in the program's tools>system startup items page (as would be expected if the program was actually reporting and listing system startup items and the user has unticked it previously).

In that such ticked items assumedly represent system startup items identified by SpyBot' scasnning, why do SpyBot’ scans consistently fail to prompt the user to act on ctfmon.exe's existence (reportedly in the system startup items)? Even rebooting and after another SpyBot' scan, the system startup item box for ctfmon.exe remains unticked and either still listed or re-listed. If re-listed (which it doesn't appear to be because it is still unticked), it appears that SpyBot' scans both fail to notofy the user nor update the system startup item's page listing.

Even more odd is that SB's settings>ignore products>Hijackers.sbi is also default set with all boxes unticked (which includes CoolWWWSearch Ctfmon32) and despite such being installed on the os, repeatedly SB' scans here again, consistently fails to prompt for the user of the find!

If all that that wasn't enough, surpassing oddities and entering the queer realm, SB's settings>ignore products>PUPS.sbi which should have been default set with all entries unticked, and yet strangely my os had CDilla ticked!!! (incidentally, I unticked it immediately).

To add insult to injury here, added to these revelations, despite numerous requests for teamspybot to provide support (i.e.; repeated submittals of bug reports and scan results), neither teamspybot support or anyone else from SpyBot’ ever provided me any notice of why numerous SpyBot’ scans on my os identified a so called SpyBot’ "common" threat named FCI. And has done so ever since September of 2005, when I first submitted both bugreports and e-mails asking for SpyBot's so called 'common' threat to be identified further than "FCI".

And to little surprise, after so many times asking about what FCI, is, SpyBot’ and/or teamspybot support continues to (at this point) completely ignore my question about FCI as well as even my latest complaint questioning all these issues.

I'm understandably greatly disappointed in SpyBot’ and its associates as there can be little to no excuse for failures and/or misconbooberations in both their product and its wavering technical support.

So, as for part of the ctfmon.exe issues, SpyBot’ has apparently determined a legitimate MS program as being a resource hog?

Otherwise, what with all the other breakdowns in the SpyBot’ program (currently only surrounding the ctfmon.exe issues), is this not a clear case of a false positive by SpyBot', not to mention gross ignorance by SpyBot’ tech support (i.e.; in addition to never yet defining what a 'common threat' named (by SpyBot's scan results) as whatever "FCI" might be, asking about that ever since Sept. of 2005 and still SpyBot’ is mum about this as well, tell you what?

Lastly, I know the tone of my post could be considered a rant, but under the circumstances, I think it is wholly justified as deserving one, regardless that it is not intended as such.

I would hope that this at the very least embarrasses SpyBot' into doing more than perhaps refusing to post this and/or banning me from the site, because the truth often hurts and often woe be to those that tell it.


md usa spybot fan
2006-01-31, 18:00

When you first go into Spybot > Mode > Advanced mode you get the following warning:

The advanced mode of Spybot-S&D offers more options than the default mode; but those also include some that can do harm to your system if you are not sure what you are doing. Do you really want to switch to advanced mode?
Yes NoI suggest that you review that warning because you "…can do harm to your system if you are not sure what you are doing."

The check marks in front of the entries on Spybot's System Startup screen have nothing to do with scanning. The check marks indicate that the item will attempt to execute due to its location in the system registry when the system is started and/or the user logs on.

A startup entry of ctfmon.exe from the location C:\WINDOWS\system32\ctfmon.exe is most likely Microsoft’s Ctfmon.exe which is involved with the language/alternative input services in Office XP. For more information see:
Frequently asked questions about Ctfmon.exe

Ctfmon.exe can also be associated with viruses, spyware, Trojans or worms usually when executed from a directory other than C:\WINDOWS\system32\. This is why scanning for malware is not done just by names alone but usually done by what are referred to as signatures which can include content, hash values, etc so that chances of misidentifying a valid object are reduced.

I hope that this helps you understand the ctfmon.exe entry.

2006-07-11, 22:58
I read the stuff on ctfmon.exe.
I am running windows 200 pro on one computer and xp on another.

Previously I deleted ctfmon.exe on my win2k machine. Maybe on the xp machine also.
Now I am going to install dragon naturally speaking Can I reinstall ctfmon.exe if I need to, and should I?
And how would I do that?

Does anyone know that?

Thanks, Rich (otter357)
ps thanks for the tea timer fix instructions on "new posts"

md usa spybot fan
2006-07-12, 16:05

If it is just the ctfmon.exe file itself that you deleted, search your system for ctfmon.exe. You may find copies in I386 folders.

On my XP home system I found these copies:
The one in the C:\I386 was the original from XP SP1a and the one in the C:\WINDOWS\ServicePackFiles\i386 folder is a newer version that was installed with XP SP2.

John Steel
2006-11-03, 20:39
It is the ClearType Filter, which is detailed here: http://www.microsoft.com/typography/ClearTypeInfo.mspx. It is also now part of IE7 as an option upon installation of IE7. It is not essential, but may improve font legibility. Please spread the word.

md usa spybot fan
2006-11-03, 21:21
John Steel:

I do not believe that Ctfmon.exe has anything to do with ClearType Filter. See:
Frequently asked questions about Ctfmon.exe

Paul K
2006-11-07, 18:42
It is the ClearType Filter, which is detailed here: http://www.microsoft.com/typography/ClearTypeInfo.mspx. It is also now part of IE7 as an option upon installation of IE7. It is not essential, but may improve font legibility. Please spread the word.

I agree with John Steel. I didn't have ctfmon.exe in my startup program list until I installed IE 7. I believe that it was when I installed the ClearType program, that Spy Sweeper 5 flagged the inclusion of this program in my startup list.

md usa spybot fan
2006-11-07, 19:32
Paul K:

See the following for one discussion about the addition of ctfmon.exe to the startup entries during the installation of IE7:
IE7 and ctfmon.exe!

2008-10-16, 22:58

thanks for those links dude....

keep updating