
spybot s&d/allow or deny?


11 replies to this topic

#1 igonuts2

igonuts2

  • Members
  • 358 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:my closet
  • Local time:07:36 PM

Posted 23 June 2005 - 10:39 PM

hi bc staff,

HP desk top Presario I386
XP SP2
Spybot S&D 1.3
Ad-Aware SE Personal
Spyware Blaster
NIS 2005
Microsoft Anti Spyware
Spyware Guard

only dumb question is the one you dont ask, so....

spybot keeps popping up with the allow or deny change re;

6/23/2005 6:55:58 PM Denied value "MSConfig" (new data: "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto") added in System Startup global entry!

as you can see i have denied the change. i have been hijacked before and im learning that if in doubt, deny and ask.

so im asking. what the heckle is this. it keeps bugging me.

ty bc
igo
Why work when you can play!


 


#2 .Prodigy.

.Prodigy.

  • Members
  • 155 posts
  • OFFLINE
  •  
  • Location:New York
  • Local time:11:36 PM

Posted 23 June 2005 - 10:57 PM

MSConfig is a utility that allows you to decide, among other things, what starts up with the computer and what services your computer uses. if you have used it before to disable some things from starting up, it comes up on the next restart telling you that changes have been made, and has a check box with the option not to show this message. i think this message keeps trying to pop-up, and since you don't (or are unable to) check the box, it keeps coming up telling you that a change has been made.

i suggest going into Start > Run, typing msconfig in the dialog box and pressing OK. Click on the StartUp tab and see if there are any programs you don't want running on start up. Don't deselect anything without being absolutely sure as to what it is, since some things may cause your computer to run incorrectly.

After closing the MSConfig box, restart your computer and have spybot allow it to run. Click the check box saying you don't want it to run on startup, and your problem should be solved.

Please don't do this unless you are sure you know what you are doing. By stopping certain programs from running on start-up, you could possibly cause your computer to run incorrectly and cause irreversible damage.



#3 igonuts2

igonuts2
  • Topic Starter

  • Members
  • 358 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:my closet
  • Local time:07:36 PM

Posted 23 June 2005 - 11:20 PM

ty prodigy,

maybe im not clear, or maybe im not sure what you're saying.

ive been to start>run>msconfig>ok>startup, and have used bc startup data base as a guide.

you're saying to allow it to be added?

i know spybot is just doing its job in advising me of changes.

i assume its persistence may be due to either malicious or needed service.

if its malicious,.... well... just letting it add itself doesnt seem like the best thing to do.

thats why im asking, what is it?

respectfully,
igo
Why work when you can play!

#4 .Prodigy.

.Prodigy.

  • Members
  • 155 posts
  • OFFLINE
  •  
  • Location:New York
  • Local time:11:36 PM

Posted 23 June 2005 - 11:33 PM

I'm sorry, i wasn't completely clear on what it is. MSConfig is a utility that comes with Windows, and is not malicious at all (unless it is a virus using the name, but this is probably not the case.) Going through the startup list doesn't have anything to do with your current problem, it is just system maintenance that I see as convenient (in this case). After finishing with MSConfig (you don't necessarily have to do anything), restart and have spybot allow it to run. After restarting and allowing it to run, check the box saying you don't want to receive the message on start-up and spybot should stop coming up with the message you're getting on start-up.

Edited by .Prodigy., 23 June 2005 - 11:34 PM.



#5 igonuts2

igonuts2
  • Topic Starter

  • Members
  • 358 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:my closet
  • Local time:07:36 PM

Posted 23 June 2005 - 11:57 PM

ok,

im the dummy here.

you're saying that when i run msconfig that spybot notices that utility is running and is asking me if i want to allow it or deny.

i will allow as you suggest, ty. i didnt realize that was the path of sysutil.
im learning, be it a little slow.

i get it. dont laugh. i know you all dont, but ya might chuckle a little here and there.

this is what happened.

spybot advanced mode>tools>startup showed this;

C:\WINDOWS\system32\ctfmon.exe

so i went to task mngr and msconfig to find it and thats when spybot stepped in.

ctfmon.exe is not a good thing and i cant find it

per spybot,

ctfmon.exe is cool.web.search/slaw search

all i can find is ctfmon, not ctfmon.exe.

after reading bc's startup data base i find that ctfmon could be ms office (which my wife does use).

i unchecked ctfmon that was in msconfig startup, rebooted and its checked again in startup.

any help??????

ty igo

Edited by igonuts2, 24 June 2005 - 12:19 AM.

Why work when you can play!

#6 .Prodigy.

.Prodigy.

  • Members
  • 155 posts
  • OFFLINE
  •  
  • Location:New York
  • Local time:11:36 PM

Posted 24 June 2005 - 12:20 AM

ctfmon.exe, according to the startup database on this website, is one of three things, the first being the most likely (and not malicious) case.

1. CTFMon is involved with the language/alternative input services in Office XP. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see here

2. Added by the Troj/SDBot-06 backdoor worm. When this infection starts it will connect to an IRC server where it will wait for remote commands to execute.

3. CoolWebSearch parasite related - hijacking to Slawsearch.com

In my experience, every instance of ctfmon i have seen has been the windows service (on my own personal computer as well). In order to determine if it is malicious or not, ask the good folks at the HijackThis Logs and Analysis Forum. They will be able to help with detection and removal of viruses and bugs.



#7 TEB

TEB

  • Banned
  • 449 posts
  • OFFLINE
  •  
  • Local time:10:36 PM

Posted 24 June 2005 - 01:16 AM

1. to verify that it is not the coolwebsearch virus download CWS Shredder. This tool will search your system for the cool web search trojan and remove it.

2. To verify that it is not the Troj/SDBot-06 backdoor worm download any reputable antivirus software (zonelabs, Norton, McAfee)

#8 igonuts2

igonuts2
  • Topic Starter

  • Members
  • 358 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:my closet
  • Local time:07:36 PM

Posted 24 June 2005 - 01:37 AM

ty prodigy,

you found what i found. i just dont trust myself yet.

what i found in spybot>advanced mode>tools>startup was a copy paste,

C:\WINDOWS\system32\ctfmon.exe

i just dont know which one i have.

every time i unchecked it in msconfig, spybot would advise me of the utility running and ignorant me, i denied the change. so when i rebooted it came back.

after my education (your input), i told spybot to allow the utility to run, rebooted and its gone.

i think you're right though. its probably ms office.

doesnt show on any scan. only in spybot startup when i clicked on its definition did spybot ID it as coolwebsearch parasite.

i was just nosing around in spybot. thats what got me going on all this.

by the way, you were clear enough on your replies. im still a newbie and learning.

its off startup and staying off.

i think i'll use ms office and see if it comes back.

i'll reply tomorrow (24th) and let you know what happens.

ty prodigy for your assistance.

ty
igo

Edited by igonuts2, 24 June 2005 - 01:56 AM.

Why work when you can play!

#9 igonuts2

igonuts2
  • Topic Starter

  • Members
  • 358 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:my closet
  • Local time:07:36 PM

Posted 24 June 2005 - 01:43 AM

ty tech,

that was part of the problem. it didnt show on any scan that i had or a2 or trendmicro online.

but i'll ck out the CWS

ty
igo

Edited by igonuts2, 24 June 2005 - 01:45 AM.

Why work when you can play!

#10 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:10:36 PM

Posted 24 June 2005 - 07:40 AM

Do a search of your hard drive for the file ctfmon.exe. When it's found, right click and select properties. Look at the version tab to see if it is an MS file.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#11 Enthusiast

Enthusiast

  • Members
  • 5,898 posts
  • OFFLINE
  •  
  • Location:Florida, USA
  • Local time:10:36 PM

Posted 24 June 2005 - 01:35 PM

> ty prodigy,
>
> maybe im not clear, or maybe im not sure what you're saying.
>
> ive been to start>run>msconfig>ok>startup, and have used bc startup data base as a guide.
>
> you're saying to allow it to be added?
>
> i know spybot is just doing its job in advising me of changes.
>
> i assume its persistence may be due to either malicious or needed service.
>
> if its malicious,.... well... just letting it add itself doesnt seem like the best thing to do.
>
> thats why im asking, what is it?
>
> respectfully,
> igo

MSCONFIG is a Microsoft utility and therefore should be allowed.

#12 igonuts2

igonuts2
  • Topic Starter

  • Members
  • 358 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:my closet
  • Local time:07:36 PM

Posted 24 June 2005 - 02:35 PM

ty Prodigy, Techsomething, Leurgy (dont you ever rest?), Enthusiast,

more attention than a blonde on a street corner!!!!

to understand what a newbie is saying, not to mention what the problem might be, when the newbie doesnt even know how to describe it, is nothing short of amazing.

after using ms office it came up again on startup. and ms antispy advised me of CTF loader. another ms office program.

CWS came up clean.

did a search and just holding the cursor over the file it told me it was an ms file. rt clicked to properties>version as suggested and found it to be ms.

so; ctfmon.exe in this instance is a good thing.

you know spybot didnt ID it as either this or that. it outright said (copy/paste);
-----------------------------------
Current filename:
C:\WINDOWS\system32\ctfmon.exe

Database status:
Not required - virus, spyware, malware or other resource hog
Value:
ctfmon.exe
Filename:
ctfmon32.exe

Description
_CoolWebSearch_ parasite related - hijacking to Slawsearch.com

Source:
Paul Collins Startup list
-----------------------------------

every time i see the word "hijack" i get all..... you know.

anyway, i definitely learned a lot here. i cant thank you all enough.

case closed!!!! :thumbsup: :flowers: :trumpet: :inlove: :cool:

ty ty ty ty bc staff, roadies & groupies,
you're what makes this site work.

igo
Why work when you can play!
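
The check Leurgy suggests in post #10 and igonuts2 carries out by hand in post #12 (find the file, open Properties, read the Version tab) can be run over every startup entry at once. The PowerShell below is an added example, not part of the original thread: it assumes a current Windows with PowerShell 5.1 or later, reads the two standard Run keys, and `Get-StartupExecutable` is a name chosen for this example.

```powershell
# Added example: judge startup entries by what the file is, not by what it is called.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-StartupExecutable {
    param([string]$CommandLine)
    # Separate the program from its arguments, e.g. "...\MSConfig.exe /auto".
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"')          { return $Matches[1] }  # quoted path
    if ($cmd -match '^(.+?\.exe)(?=\s|$)') { return $Matches[1] }  # unquoted path ending in .exe
    return ($cmd -split '\s+')[0]                                  # anything else: first token
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $exe = Get-StartupExecutable -CommandLine ([string]$regKey.GetValue($name))
        if (-not $exe) { continue }   # empty value, nothing to inspect
        # Keep full paths as given; resolve a bare name such as "ctfmon.exe" through PATH.
        $path = if (Test-Path -LiteralPath $exe -PathType Leaf) { $exe } else {
            (Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1).Path
        }
        if (-not $path) {
            # The entry points at a file that is no longer there.
            [pscustomobject]@{ Entry = $name; Path = $exe; Company = $null
                               Signature = 'FileNotFound'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Entry     = $name
            Path      = $path                                         # where the file really lives
            Company   = (Get-Item -LiteralPath $path).VersionInfo.CompanyName  # the Version tab string
            Signature = [string]$sig.Status                           # 'Valid' means a trusted, intact signature
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}
$report | Sort-Object Signature, Entry | Format-Table -AutoSize -Wrap
```

The Company column is the same string the Version tab displays, and whoever built the file chose it, so the Signature and Signer columns are the stronger evidence. The Path column shows whether an entry named like a Windows component actually lives where that component should.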



