Results 1 to 2 of 2

Thread: ctfmon.exe and ccApp.exe

  1. 2006-11-28, 17:32 #1
    tahl20
    tahl20 is offline
    Junior Member
    Join Date
    Nov 2006
    Posts
    5

    Question ctfmon.exe and ccApp.exe

    Based on the extra information provided to me within Spybot. I chose to disable ccApp.exe from the start up entry. The file resides in "C:\Program Files\Common Files\Symantec Shared\ccApp.exe". The advice that Spybot gives is that it is a Trojan called OBSORB. After disabling it Nortan AntiVirus will no longer start up. I have to manually load it with every boot. So I re-enabled it and Nortan now starts up. My question is, did Spybot make a mistake in calling this file in this location a Trojan?

    Second question is ctfmon.exe. I went to the microsoft website to read what this file was and found this arcticle, "http://support.microsoft.com/kb/282599". Here they said that this file is a part of Office XP. Spybot indicates that this is a file that is part of the CoolWebSearch parasite. Now, I haven't noticed any malfunctions while using my Office XP products after disabling it so I've left it disabled. It somehow continues to re-enable itself without Spybot catching it. The Microsoft arcticle above explains why and how it does that, and how to properly remove it if we want to. Did Spybot make a mistake in proclaiming this file as a parasite though?
    Reply With Quote Reply With Quote
  2. 2006-11-29, 08:30 #2
    Zenobia
    Zenobia is offline
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,507

    Default

    Here's an excerpt from Spybot's help file:
    This tool lists all programs that are started at Windows startup. If those items are in the database coming with Spybot-S&D, it will
    display some more information about them. It also allows you to disable (and enable) items, as well as delete them, change them or
    insert new items.

    The entries will be displayed in different colours:


    Green: legitimate program
    Yellow: unknown, unneeded or unambiguous program (e.g. malware programs might use the same file name as legitimate programs)
    Red: malicious program
    At the top of the infopanel window,Spybot shows the current filename.I have ctfmon.exe in start-up,so here is mine:
    Current filename: C:\WINDOWS\system32\ctfmon.exe

    Down below that info,it says:
    Database status: Not required - virus, spyware, malware or other resource hog
    Value: ctfmon.exe
    Filename: ctfmon32.exe

    Description
    _CoolWebSearch_ parasite related - hijacking to Slawsearch.com

    Source: Paul Collins Startup list

    My filename isn't ctfmon32.exe,so Spybot shows it in mine as white.

    If Current filename is:
    Current filename: C:\WINDOWS\system32\ctfmon32.exe
    ,then Spybot shows that line as red in my startup list.

    So I don't know for sure of course,but I'd take it that the current filename info is used to compare with the info below it,as well as having the coloured entries.

    See the top of this page for the Key,an explanation of Y,N,X,etc.which you'll see in the status box.
    http://www.castlecops.com/StartupList.html

    Here is one of the entries at castlecops for ctfmon.exe(Name,ctfmon.exe Command,ctfmon.exe Status:U):
    http://www.castlecops.com/s795-ctfmon_exe.html

    Here is the one for Name:Ctfmon.exe Command:ctfmon32.exe Status:X
    http://www.castlecops.com/s797-Ctfmon_exe.html

    Here is one entry for ccApp,then (random file name):
    http://www.castlecops.com/s525-ccApp.html

    Here is another for Name:ccApp Command:ccApp.exe:
    http://www.castlecops.com/s524-ccApp.html
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules