WinPatrol

Click here! Install it!! Use it!!!

There are all sorts of anti-virus programs. An anti-virus program should be the first program installed on a new computer, if it doesn't already come with one. (Your anti-virus software is up-to-date, isn't it?) However, it's an ongoing battle between those who write viruses and those who write the software to block them.

WinPatrol provides a different kind of protection. Rather than identifying individual viruses, trojan horses, spyware, and adware, its mascot Scotty monitors a computer for the kinds of things viruses do: installing programs, changing homepages, and adding services. This way, WinPatrol can sound the alert if a virus does manage to break through despite the best efforts of anti-virus software.

You can also think of WinPatrol as Task Manager on steroids. WinPatrol displays panels listing all of a computer's startup programs, IE helpers, scheduled tasks, services, active tasks, and hidden files.

However, WinPatrol does not merely list each item; WinPatrol Plus also provides detailed information about each program and service. For example, one of my active tasks is "ctfmon.exe". What, I wonder, is being monitored? Who put this here and why? Plus information tells me:

CTFMON.EXE activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office Language Bar.

CTFMON monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.

When you run a Microsoft Office XP program, the file Ctfmon.exe (Ctfmon) runs in the background. It remains in memory even after you quit all Office programs.

CTFMON was first included with Office 2002. More detail on what the program does can be found at ‹snip›.

# Safe

So, I now know it's nothing to worry about. Perhaps even more important, WinPatrol tells me the first time it encountered a particular startup, active task, or process on my computer, which can be invaluable when diagnosing aberrant behavior.

Okay, so why this page?

I'm still not sure what link I hit. There was a tight group of links next to the close panel button. The panel didn't close and my anti-virus software went off. I tried moving the suspect temp file to the program's virus vault, but the program told me the file couldn't be moved. I think it came up with a "Try again?" alert box, but since the program couldn't be moved the first time, I clicked "No". In retrospect, I'm wondering what I allowed. In any case, the anti-virus software went off again. This time I told it to "heal" the file, which it did, and I went on computing.

Then, Scotty went off like a good watchdog telling me that a program called winlogon.exe was trying to install itself as a startup program. I denied permission and thought that would be the end of it, but every 30 seconds Scotty was back telling me that the program was again trying to install itself!

Scotty pointed me to where the program was located, but I couldn't erase it! In the old days, this would have been no big deal. I'd've pulled the plug, booted directly to DOS, and blown the file away. Windows XP, however, unlike earlier versions, is not built on top of DOS, so booting to DOS is not an option.

After a few tries at telling Scotty not to let the program install itself, I was sent automatically to a WinPatrol web page telling me about viruses and trojan horses that won't take no for an answer. It included a link to Sophos. This trojan horse wasn't pretty!

Each time the Trojan is run it tries to connect to a remote IRC server and join a specific channel using a random nickname. The Trojan then runs continuously in the background, listening on the channel for commands to execute.

The web page also told me about a WinPatrol feature I was unaware of. The user can right-click on a Start Up program and choose "Delete file on Reboot". This happens before Windows engages, just like the old "Boot to DOS"! (There's no going back, so you'd better be sure of your request.)

I looked in WinPatrol's list of startup programs and found the offending entry: Windows automatic firewall, first recognized by WinPatrol that day, and pointing to the offending file in my Temp directory. I clicked on "Delete file on Reboot", rebooted, and everything was back to normal! .../Temp/winlogon.exe was gone. The so-called firewall was no longer listed among the Start Up programs. More important, I could once again run the Registry editor, which the trojan had disabled.
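The three clues that gave this entry away (never seen before, launched from the Temp directory, and borrowing the name of a genuine Windows system file that lives elsewhere) can be checked mechanically. The following is an added example, not WinPatrol's own code or any code from this page: it audits a constructed list of startup entries against a baseline of previously seen names, using an assumed short list of commonly impersonated system binaries and assumed directory patterns.

```python
from dataclasses import dataclass
import ntpath

# Assumption: names of Windows system binaries that malware likes to borrow. The genuine
# copies live under the Windows directory, so a same-named file anywhere else is suspect.
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "svchost.exe", "lsass.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
# Assumption: path fragments that mark temporary/download locations (compared lower-case).
SUSPECT_DIRS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")


@dataclass
class StartupEntry:
    name: str   # display name as shown in the Run key / WinPatrol's Startup Programs list
    path: str   # executable the entry launches


def flags_for(entry, baseline):
    """Return the reasons an entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    low = entry.path.lower()
    exe = ntpath.basename(low)
    if entry.name not in baseline:
        reasons.append("not in baseline (first seen now)")
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("launches from a temporary directory")
    if exe in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"{exe} is a system binary name but lives outside the Windows directory")
    return reasons


def audit(entries, baseline):
    """Map each flagged entry name to its list of reasons; clean entries are omitted."""
    report = {}
    for e in entries:
        reasons = flags_for(e, baseline)
        if reasons:
            report[e.name] = reasons
    return report


# Constructed sample data: a baseline of names seen on earlier runs, and a snapshot
# of the Run key with one entry that imitates the one described in the incident.
BASELINE = {"ctfmon", "Example Updater"}
ENTRIES = [
    StartupEntry("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    StartupEntry("Example Updater", r"C:\Program Files\Example\updater.exe"),
    StartupEntry("Windows automatic firewall",
                 r"C:\Documents and Settings\user\Local Settings\Temp\winlogon.exe"),
]

if __name__ == "__main__":
    for name, reasons in audit(ENTRIES, BASELINE).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Keeping the baseline on disk between runs is what turns this from a one-off check into the "first seen on this date" information the text praises.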

Long before this incident, I had already decided that I could never again run a computer without WinPatrol because of its functions and the useful information it provides. This incident only reinforced my decision.



Copyright © 2007 Gerard E. Dallal