Thread: Bugs in Spybot 1.5 tools - system startup and internals

  1. #1
    Junior Member
    Join Date
    Sep 2007
    Location
    England
    Posts
    7

    Default Bugs in Spybot 1.5 tools - system startup and internals

    Just gave version 1.5 a try and found the following.

    In system startup it is showing five non-existent entries - 2 ctfmon entries and 3 avg runonce entries. I have one instance of ctfmon disabled in msconfig and no avg runonce entries at all.
    Screenshot (non existent entries in red box):


    Also a system internals scan is showing the stsystra.exe startup entry (which you can see as enabled in the startup list in pic above) as "Startup file does not exist" which is clearly incorrect.

  2. #2
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    Are you sure these do not exist? The display might be a bit misleading... it says HKCU, but names the user afterwards.

    These entries would be at the following locations if you want to look them up in the registry:

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  3. #3
    Junior Member
    Join Date
    Sep 2007
    Location
    England
    Posts
    7

    Default

    Quote Originally Posted by PepiMK View Post
    Are you sure these do not exist? The display might be a bit misleading... it says HKCU, but names the user afterwards.

    These entries would be at the following locations if you want to look them up in the registry:

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\

    There may well be traces of these entries in the registry but Spybot should not be showing them as active startup entries when they aren't.
    Version 1.4, correctly, doesn't show these entries at all.
    (It also doesn't show the second issue I mentioned)
    Last edited by JDPower; 2007-09-05 at 20:48.

  4. #4
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    And if it wouldn't show entries of other users, other people would complain that Spybot-S&D hides something.

    Come on, if you're looking for malware, it's kind of important to know whether other users on the same machine got infected as well, or not. They're active the moment those users log on! (ok, in this case it's the template for new users and the LocalService and NetworkService accounts... but if you show them only on the account they're for, to see them, you would have to log in on that account, and then they WOULD be started before you had a chance to review them)

    Regarding the "startup file does not exist", could you let me know where this file is located exactly?

    (oh, and btw, in version 2.0, the tools section will be completely swapped out into RunAlyzer to make the scanner itself leaner while allowing more features in the tools at the same time)
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  5. #5
    Junior Member
    Join Date
    Sep 2007
    Location
    England
    Posts
    7

    Default

    Quote Originally Posted by PepiMK View Post
    And if it wouldn't show entries of other users, other people would complain that Spybot-S&D hides something.

    Come on, if you're looking for malware, it's kind of important to know whether other users on the same machine got infected as well, or not. They're active the moment those users log on! (ok, in this case it's the template for new users and the LocalService and NetworkService accounts... but if you show them only on the account they're for, to see them, you would have to log in on that account, and then they WOULD be started before you had a chance to review them)

    Regarding the "startup file does not exist", could you let me know where this file is located exactly?

    (oh, and btw, in version 2.0, the tools section will be completely swapped out into RunAlyzer to make the scanner itself leaner while allowing more features in the tools at the same time)

    There are no other user accounts on this computer though so I still think, at least in this scenario, they shouldn't be listed.

    Regarding the startup file that is showing as not existing in a system internals scan, didn't know whether you wanted the reg location or file location so here's both:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    C:\WINDOWS\stsystra.exe
    (Though the startup command listed in msconfig is simply stsystra.exe, not a full file path)
    Last edited by JDPower; 2007-09-05 at 22:18.

  6. #6
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    Something that's simply in the Windows folder really shouldn't be complained about. But thanks for quoting both, that might help reproducing it.

    User accounts on Windows are not necessarily accounts for human users. In this case, these accounts are accounts that Windows uses internally. S-1-5-20 should be the ID for the account "NetworkService", and S-1-5-18 is, if I'm not mistaken, the account "LocalService". If you open the Windows task manager, you will notice a few system applications are running under those accounts (you might have to add the "User Name" column to Task Manager's display). So they're quite real.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
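
Added example (not part of the thread and not Spybot-S&D's code): one way a startup lister can label each Run entry with the account that owns its hive, and search the system directories for a bare command such as stsystra.exe before reporting "startup file does not exist". The value names, file set, user SID and two-directory search order are constructed assumptions; the service-account names are Windows' well-known SIDs.

```python
import ntpath  # Windows path rules, so the example also runs off-Windows

# Owners of the hives discussed in the thread (well-known Windows SIDs).
OWNERS = {
    "HKLM": "machine-wide (all users)",
    ".DEFAULT": "LocalSystem (alias of S-1-5-18)",
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}
# Assumption: simplified stand-in for the Windows executable search order.
SEARCH_DIRS = ["C:\\WINDOWS\\system32", "C:\\WINDOWS"]
# Constructed sample data: files on disk and Run entries (hive, name, command).
FILES = {"c:\\windows\\stsystra.exe", "c:\\windows\\system32\\ctfmon.exe",
         "c:\\program files\\example\\tool.exe"}
ENTRIES = [
    ("HKLM", "stsystra", "stsystra.exe"),
    ("S-1-5-20", "ctfmon.exe", "C:\\WINDOWS\\system32\\ctfmon.exe"),
    ("S-1-5-21-1111-2222-3333-1001", "tool", "C:\\Program Files\\Example\\tool.exe /min"),
    ("S-1-5-21-1111-2222-3333-1001", "gone", '"C:\\Program Files\\Gone\\gone.exe" /start'),
]

def exists(path):
    return path.lower() in FILES  # Windows path lookups are case-insensitive

def candidates(command):
    """Possible program paths in a Run value: quoted path, or each space-split prefix."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return [command[1:end] if end != -1 else command[1:]]
    parts = command.split(" ")
    return [" ".join(parts[:i]) for i in range(1, len(parts) + 1)]

def resolve(command, dirs=SEARCH_DIRS, exists=exists):
    """Return the file a Run command starts, or None if no candidate exists."""
    for name in candidates(command):
        for n in ([name] if ntpath.splitext(name)[1] else [name, name + ".exe"]):
            paths = [n] if ntpath.isabs(n) else [ntpath.join(d, n) for d in dirs]
            for p in paths:
                if exists(p):
                    return p
    return None

def audit(entries=ENTRIES):
    """(owner, value name, resolved path or None) for every Run entry."""
    return [(OWNERS.get(h, "user " + h), n, resolve(c)) for h, n, c in entries]

if __name__ == "__main__":
    for owner, name, path in audit():
        print(f"{owner:35} {name:12} {path or 'STARTUP FILE NOT FOUND'}")
```

On a live Windows system the entries would come from the Run keys named in the thread (for example via Python's `winreg` module) and `exists` would be `os.path.isfile`.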
