Bugs in Spybot 1.5 tools - system startup and internals



JDPower
2007-09-05, 20:30
Just gave version 1.5 a try and found the following.

In system startup it is showing five non-existent entries - 2 ctfmon entries and 3 avg runonce entries. I have one instance of ctfmon disabled in msconfig and no avg runonce entries at all.
Screenshot (non existent entries in red box):
http://i33.photobucket.com/albums/d99/WKDPOWER/Random%20pics/Spybot2b.jpg

Also, a system internals scan is showing the stsystra.exe startup entry (which you can see as enabled in the startup list in the pic above) as "Startup file does not exist", which is clearly incorrect.

PepiMK
2007-09-05, 20:33
Are you sure these do not exist? The display might be a bit misleading... it says HKCU, but names the user afterwards.

These entries would be at the following locations if you want to look them up in the registry:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\

JDPower
2007-09-05, 20:46
Are you sure these do not exist? The display might be a bit misleading... it says HKCU, but names the user afterwards.

These entries would be at the following locations if you want to look them up in the registry:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\
There may well be traces of these entries in the registry but Spybot should not be showing them as active startup entries when they aren't.
Version 1.4, correctly, doesn't show these entries at all.
(It also doesn't show the second issue I mentioned)

PepiMK
2007-09-05, 21:22
And if it didn't show entries of other users, other people would complain that Spybot-S&D hides something :laugh:

Come on, if you're looking for malware, it's kind of important to know whether other users on the same machine got infected as well, or not. They're active the moment those users log on! (ok, in this case it's the template for new users and the LocalService and NetworkService accounts... but if you show them only on the account they're for, to see them, you would have to log in on that account, and then they WOULD be started before you had a chance to review them)

Regarding the "startup file does not exist", could you let me know where this file is located exactly?

(oh, and btw, in version 2.0, the tools section will be completely swapped out into RunAlyzer to make the scanner itself leaner while allowing more features in the tools at the same time)

JDPower
2007-09-05, 22:11
And if it didn't show entries of other users, other people would complain that Spybot-S&D hides something :laugh:

Come on, if you're looking for malware, it's kind of important to know whether other users on the same machine got infected as well, or not. They're active the moment those users log on! (ok, in this case it's the template for new users and the LocalService and NetworkService accounts... but if you show them only on the account they're for, to see them, you would have to log in on that account, and then they WOULD be started before you had a chance to review them)

Regarding the "startup file does not exist", could you let me know where this file is located exactly?

(oh, and btw, in version 2.0, the tools section will be completely swapped out into RunAlyzer to make the scanner itself leaner while allowing more features in the tools at the same time)
There are no other user accounts on this computer though, so I still think, at least in this scenario, they shouldn't be listed.

Regarding the startup file that is showing as not existing in a system internals scan, I didn't know whether you wanted the reg location or the file location, so here's both:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C:\WINDOWS\stsystra.exe
(Though the startup command listed in msconfig is simply stsystra.exe, not a full file path)

PepiMK
2007-09-05, 22:38
Something that's simply in the Windows folder really shouldn't be complained about. But thanks for quoting both, that might help reproducing it :)

User accounts on Windows are not necessarily accounts for human users ;) In this case, these accounts are accounts that Windows uses internally. S-1-5-20 should be the ID for the account "NetworkService", and S-1-5-18 is, if I'm not mistaken, the account "LocalService". If you open the Windows task manager, you will notice a few system applications are running under those accounts (you might have to add the "User Name" column to Task Manager's display). So they're quite real ;)
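As an added example (not Spybot's code, and not taken from the thread), the PowerShell below walks the Run and RunOnce keys PepiMK lists above for every hive loaded under HKEY_USERS plus the HKLM key JDPower quoted, labels the well-known SIDs, and checks whether each command's executable really exists by resolving bare names such as stsystra.exe against System32, the Windows folder and PATH, the way the shell does; a check that only tests the literal command string would report such a bare name as missing. It assumes PowerShell 3 or later and enough rights to read the other users' hives.

```powershell
# Added example: audit startup entries across all loaded hives and verify
# that each command points at a file that actually exists.

# Well-known SIDs that always appear under HKEY_USERS (not human users).
$wellKnown = @{
    '.DEFAULT' = 'Default profile (template for new users)'
    'S-1-5-18' = 'NT AUTHORITY\SYSTEM'
    'S-1-5-19' = 'NT AUTHORITY\LOCAL SERVICE'
    'S-1-5-20' = 'NT AUTHORITY\NETWORK SERVICE'
}

function Resolve-StartupExecutable {
    param([string]$Command)
    # Keep only the program token: a quoted path, or the first whitespace-delimited word.
    $prog = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $prog = [Environment]::ExpandEnvironmentVariables($prog)
    if (-not [IO.Path]::HasExtension($prog)) { $prog += '.exe' }   # "stsystra" -> "stsystra.exe"
    if ([IO.Path]::IsPathRooted($prog)) {
        if (Test-Path -LiteralPath $prog -PathType Leaf) { return $prog } else { return $null }
    }
    # Bare name: search the same places CreateProcess/ShellExecute would.
    $searchDirs = @("$env:SystemRoot\System32", $env:SystemRoot) + ($env:PATH -split ';')
    foreach ($dir in $searchDirs) {
        if (-not $dir) { continue }
        $candidate = Join-Path $dir $prog
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

function Get-StartupEntries {
    $roots = @([pscustomobject]@{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'; Owner = 'All users (HKLM)' })
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes') { continue }   # per-user HKCR overlay, holds no Run keys
        $owner = if ($wellKnown.ContainsKey($sid)) { $wellKnown[$sid] } else { $sid }
        $roots += [pscustomobject]@{ Path = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion"; Owner = $owner }
    }
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($root in $roots) {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$($root.Path)\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
                if ($metaProps -contains $p.Name) { continue }   # provider metadata, not registry values
                $resolved = Resolve-StartupExecutable $p.Value
                [pscustomobject]@{ Owner = $root.Owner; Key = $sub; Entry = $p.Name
                                   Command = $p.Value; Resolved = $resolved; Exists = [bool]$resolved }
            }
        }
    }
}

Get-StartupEntries | Format-Table -AutoSize
```

Entries with Exists set to False are the ones worth a second look: either the file was removed without cleaning up the Run value, or the command uses a form this resolver does not understand.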

JDPower
2007-09-06, 00:36
If you open the Windows task manager, you will notice a few system applications are running under those accounts (you might have to add the "User Name" column to Task Manager's display). So they're quite real ;)
Well the user name column in my task manager is actually empty (apart from one System entry) :p: :D:

JDPower
2007-09-06, 17:49
One last thing, would there actually be any point unticking those startup entries or are they best left alone?

hewee
2007-09-06, 22:56
I have also seen those lines, or I think it was those same RunOnce ones. I got WinPatrol so it pops up to tell me about them, and most are always pointing to the Windows temp folder.
My guess is maybe you cleaned your temp folder before you did a reboot, so what would have happened with that RunOnce file in the temp folder could not happen if you deleted the file.

One thing I learned after I started using WinPatrol is to never clear anything from the Windows temp folder after doing an upgrade, install or uninstall, because if there are changes that are made on a reboot it needs those files, and most times after the reboot the file in the Windows temp folder gets deleted on its own from the RunOnce.

Here is all I have in startup and on AVG.

http://xs219.xs.to/xs219/07364/startup.gif.xs.jpg (http://xs.to/xs.php?h=xs219&d=07364&f=startup.gif)

JDPower
2007-09-06, 23:08
I have also seen those lines, or I think it was those same RunOnce ones. I got WinPatrol so it pops up to tell me about them, and most are always pointing to the Windows temp folder.
My guess is maybe you cleaned your temp folder before you did a reboot, so what would have happened with that RunOnce file in the temp folder could not happen if you deleted the file.
Nope, the AVG entries are from the initial install of AVG; I never empty temp folders or run any cleaners during an install (besides, you can see from the screenshot they aren't pointing to a temp folder, it's pointing to the AVG test center exe).
And the ctfmon was disabled (via startup and following the MS instructions here (http://support.microsoft.com/kb/282599)) straight after my Windows install.

hewee
2007-09-06, 23:46
Nope, the AVG entries are from the initial install of AVG; I never empty temp folders or run any cleaners during an install (besides, you can see from the screenshot they aren't pointing to a temp folder, it's pointing to the AVG test center exe).
And the ctfmon was disabled (via startup and following the MS instructions here (http://support.microsoft.com/kb/282599)) straight after my Windows install.


Don't know why they are showing up then. Not sure if what is listed would always point to the temp folder or not, because things happen in many ways on a reboot with RunOnce, and with WinPatrol I have seen many that look like that, but you also have it pointing to other places.
I have the AVGW.EXE file also, but not in the startup.
WinPatrol also shows more listed in the startup than Spybot does. Like WinPatrol shows 28 things in the startup, and if I check the Secret startup box option you have on the Plus version I have 31 things listed.

So maybe others will know if it is safe to delete.
Those that know how to read and help on HijackThis logs are good at things like this.