Anybody Understand Spybot's Decisions?

Rivera42 · 08:49 AM

I was poking around in Spybot Search and Destroy version 1.6.0.30 as part of my security maintenance routine. This routine also includes scans by additional, reputable security software including MBAM and Avast! Home Edition, as well as Windows Defender, and also includes regular updates to SpywareBlaster and WinPatrol.

Under the Advanced section's System Startup list, I discovered some disturbing information attached to the Sun Java Update Scheduler (which I've since disabled using WinPatrol) and the ctfmon.exe value corresponding to
"Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-2644961631-552631873-2714520094-1005...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8"
(quote marks mine.)

The information for these two items, the Java updater and ctfmon.exe, is posted as an attachment.

I'd like to know whether these are false positives of some kind, or if some insidious malware has snuck past what I believed to be multiple layers of defense and installed itself (or selves, shudder) on my system. I can't figure out what's going on.

Once this thread posts, I shall execute and post the reports from Spybot's scan and a HijackThis scan. I know it's silly to post without the logs in hand, but at the moment there's a thunderstorm so I don't want to risk losing my connection, and if these are really malware, it's possible they could cost me my connection as well.

One last question: if this stuff really is malware, is it possible that my AV is inadequate? Would I be better off switching to BitDefender?

Bumdrew · 06-Aug-2008, 09:00 AM #2

ctfmon.exe is just the language bar for windows, this is not malware ad does not harm your PC, you cannot just remove t from start up because it just replaces itself.

To disable you need to open regional and language options form the control panel, open the languages tab and click on advanced. At the bottom of the box that opens up you should see a preferences button for the language bar, click this and there will be an option to turn off the language bar.

Rivera42 · 06-Aug-2008, 09:20 AM #3

Did you read the attachment? I know what the REAL ctfmon is, I'm just not sure this isn't an INFECTED version.

The Spybot and HJT logs are now attached.

Rivera42 · 08-Aug-2008, 03:15 PM #4

For all the good it's done me, I tried full scans with my other security software and all have come up clean. Logs are available if needed.

What I really need to know is what the original Spybot S&D information actually means. I looked in the Java directory, for instance, and I didn't see any "scvhost" files - and no, this isn't a typo.

**EAFiedler** · 03-Oct-2008, 02:28 AM #5

Thread opened per request.

Rivera42 · 07-Oct-2008, 10:42 PM #6

any takers?

**Byteman** · 10-Oct-2008, 12:03 AM #7

Hi, Sorry no one seems to have a definite answer for you.

Consider asking about this at the SpyBot forums

HERE

Try the False Positives subforum.

Tag Cloud
access acer asus bios bsod computer crash drive driver drivers error ethernet excel freeze games gaming graphics hard drive hardware hdmi internet laptop malware memory monitor motherboard netgear network printer problem ram random registry router slow software sound trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless xbox

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!