CiceroUIWFrame.exe?

Discussion in 'other security issues & news' started by beads, Jun 3, 2005.

Thread Status:
Not open for further replies.
  1. beads

    beads Registered Member

    Joined:
    Jun 1, 2005
    Posts:
    49
    This file tends to, but does not always, show up when I am powering down the client system. Problem is --> I can't find it, anywhere! <-- Doesn't show with PE, TCPView, etc., only if and when it hangs when I am shutting the system down.

    Windows XP SP2

    Applications open when I have seen this:
    Acrobat 7.x
    Domino Client 6.5.2

    Other software that would be considered normal for a work session:
    TrendMicro (NeatSuite up to date)
    RSS feed
    Powerchute
    Foxfire 1.0.4

    The application (CiceroUIWFrame.exe) can, and usually but not always does, hang, and is the last app to unload before shutdown. Even then I generally have to hang the domino client on purpose to get it to work.

    Now, I am as curious about such things as the next tech but... I gotta tell ya this one has really stumped me. Anyone seen this before? Tried all the usual suspects, A/Vs, Disk Searches, even advanced Google searches. Either this is something really odd or I have missed the trees despite the forest. :rolleyes:

    Which wouldn't be unexplainable either. Sometimes I do miss the trees despite the forest, orchards and ummmm...arboretums! Yeah, that's it - arboretums! Hey, it's late on a Friday afternoon and I'm running a bit out of steam.

    I look forward to any and all replies with my thanks in advance.

    - beads
     
  2. mrgreans

    mrgreans Guest

    I have it too! It is not concerning any of the programs you have mentioned because I am not currently using SP2 and have the same error.
    Undoubtedly a trojan.
     
  3. beads

    beads Registered Member

    Joined:
    Jun 1, 2005
    Posts:
    49
    Now, that is odd. I have run root-kit analyzers, anti-spyware, Trend, McAfee, et al. Nothing! And I do mean nothing is catching this. I cannot find anything in the registry that even begins to relate to this file.

    Well, at least it's a good one. :mad:
     
  4. JRosenfeld

    JRosenfeld Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    117
  5. JRosenfeld

    JRosenfeld Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    117
    To help in shutdown, install the additional MS service UPHcleanup.

    http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

    I think Cicero is related to the MS alternative text input service. From one MS KB article:

    Cicero Unaware Application Support (CUAS). CUAS is a feature of the Microsoft Windows XP operating system that provides support for Advanced Text Services. Examples of these services include handwriting recognition, speech recognition, and East Asian keyboard input services.

    Do you have ctfmon.exe running in the background?

    I did find one post mentioning CiceroUIWFrame dating from 2003 but it is not illuminating.

    http://www.pcbanter.net/showthread.php?t=211134
     
  6. beads

    beads Registered Member

    Joined:
    Jun 1, 2005
    Posts:
    49
    JRosenfeld, et al.;

    That smarts! LOL! A real: "I could have had a V8 moment!"

    I really went through the registry/drives and checked the usual sites with no luck. This file must really be buried somewhere in the OS.

    Saw red when this came up because of the simple word: IFRAME. A known attack and pretty much dismissed any other possibility. I will be more careful in the future.

    Confirm that ctfmon.exe is running in the background, for what reason - I dunno, to be honest. That should be fairly simple to take off voice recognition. Most likely installed by default by HP (who made the desktop).

    Well, thanks again! The information is truly appreciated. Looks like I have to go dig a bit deeper into the MS site to find out what the real problem is and how to fix it.


    - beads

    Now, I can take myself out of the dog house.
     