Senior Member with 818 posts. | Join Date: Aug 2007 | Location: Strong Island, New York | Experience: I Know That I Don't Know

Anybody Understand Spybot's Decisions?

I was poking around in Spybot Search and Destroy version 1.6.0.30 as part of my security maintenance routine. This routine also includes scans by additional, reputable security software including MBAM and Avast! Home Edition, as well as Windows Defender, and also includes regular updates to SpywareBlaster and WinPatrol.
Under the Advanced section's System Startup list, I discovered some disturbing information attached to the Sun Java Update Scheduler (which I've since disabled using WinPatrol) and the ctfmon.exe value corresponding to
"Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-2644961631-552631873-2714520094-1005...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8"
(quote marks mine.)
The information for these two items, the Java updater and ctfmon.exe, is posted as an attachment.
I'd like to know whether these are false positives of some kind, or if some insidious malware has snuck past what I believed to be multiple layers of defense and installed itself (or selves, shudder) on my system. I can't figure out what's going on.
Once this thread posts, I shall execute and post the reports from Spybot's scan and a HijackThis scan. I know it's silly to post without the logs in hand, but at the moment there's a thunderstorm so I don't want to risk losing my connection, and if these are really malware, it's possible they could cost me my connection as well.
One last question: if this stuff really is malware, is it possible that my AV is inadequate? Would I be better off switching to BitDefender?
Last edited by Rivera42 : 06-Aug-2008 07:49 AM.
Reason: Because I had more to add to the pile.
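
The following is an added example, not part of the original post and not Spybot's own code: it parses the startup record quoted above and checks a file against the size and MD5 that Spybot recorded. The `path` parameter is a hypothetical override for running the check on a copy of the file. A match only shows the file is unchanged since the record was taken; deciding whether it is the genuine binary needs a known-good hash, which the thread does not give.

```python
import hashlib
import os

# Startup record exactly as quoted in the post (the "where" value is truncated there).
RECORD = r"""Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-2644961631-552631873-2714520094-1005...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8"""


def parse_record(text):
    """Split 'key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def check_entry(fields, path=None):
    """Return findings for one startup entry; an empty list means nothing differs.

    path (hypothetical parameter) lets the check run against a copy of the file.
    """
    findings = []
    recorded = fields["file"]
    # The Run value should launch the same binary that was hashed.
    if recorded.lower() not in fields["command"].lower():
        findings.append("command does not launch the recorded file")
    path = path or recorded
    if not os.path.isfile(path):
        return findings + ["file not found"]
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) != int(fields["size"]):
        findings.append("size differs from record")
    if hashlib.md5(data).hexdigest().upper() != fields["md5"].upper():
        findings.append("MD5 differs from record")
    return findings


if __name__ == "__main__":
    print(check_entry(parse_record(RECORD)) or "matches the Spybot record")
```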

Member with 32 posts. | Join Date: Jul 2008 | Experience: Technician

ctfmon.exe is just the language bar for Windows. This is not malware and does not harm your PC. You cannot just remove it from startup because it just replaces itself.
To disable it you need to open Regional and Language Options from the Control Panel, open the Languages tab and click on Advanced. At the bottom of the box that opens up you should see a preferences button for the language bar; click this and there will be an option to turn off the language bar.

Senior Member with 818 posts. | Join Date: Aug 2007 | Location: Strong Island, New York | Experience: I Know That I Don't Know

Did you read the attachment? I know what the REAL ctfmon is, I'm just not sure this isn't an INFECTED version.
The Spybot and HJT logs are now attached.

Senior Member with 818 posts. | Join Date: Aug 2007 | Location: Strong Island, New York | Experience: I Know That I Don't Know

For all the good it's done me, I tried full scans with my other security software and all have come up clean. Logs are available if needed.
What I really need to know is what the original Spybot S&D information actually means. I looked in the Java directory, for instance, and I didn't see any "scvhost" files - and no, this isn't a typo.

Moderator with 12,424 posts.

Thread opened per request.

Senior Member with 818 posts. | Join Date: Aug 2007 | Location: Strong Island, New York | Experience: I Know That I Don't Know

Moderator with 14,997 posts. | Join Date: Jan 2002 | Location: NY | Experience: Junkware Jouster

Hi, Sorry no one seems to have a definite answer for you.
Consider asking about this at the SpyBot forums HERE
Try the False Positives subforum.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.