hi all,

I am a new user of Spybot. I suspected that a spyware called "Cool Websearch" is affecting my comp...can anyone please kindly explain whats the meaning of this and how can i remove it completely from my system???

pls refer to pic:

http://i29.photobucket.com/albums/c289/mimijoey/Detected.jpg

when i right-click on the word "CooldWebSearch" on the right colume,
there is a pop-up saying "http:www.spywareinfo.com"
Is this the link of where I have gotton this spyware or???

and what are the rest of the items? can someone please help me?!?

thanks!

re: Ctfmon.exe

Please see:
http://forums.spybot.info/showpost.php?p=1319&postcount=2

re: Ctfmon.exe

Please see:
http://forums.spybot.info/showpost.php?p=1319&postcount=2

so does that means that since its located in:

C:\WINDOWS\system32\ctfmon.exe

then its 100% confirm that its not a spyware/virus???

please advise.... :(

If you have Windows XP Office products and run a anti-virus it should be ok.

It really is not necessary as a startup entry as the Paul Collin's listing indicates with "Not Required" in addition to indicating it can be a virus etc.

For more information see:
Frequently asked questions about Ctfmon.exe
http://support.microsoft.com/default.aspx?scid=kb;en-us;282599

hi md usa spybot fan,

what about this? please see pic below:

http://i29.photobucket.com/albums/c289/mimijoey/Detected2.jpg

also a "False" positive?

please advise....

BTW, thanks for the info...

this is the lower part of the above picture...

http://i29.photobucket.com/albums/c289/mimijoey/Detected3.jpg

i did a scan at jotti but found nothing....
btw, i have NOD32 AV & Norton Personal Firewall installed....

can anyone pls advise

also a "False" positive?
I don't consider these false positives. The information from Paul Collins' Startup list is static information to help you decide the validity of the entry. There is no scan involved to actually determine if your particular entry is good or bad.

You can find Paul Collins' Startup list here:
Startup Applications List
http://www.sysinfo.org/startuplist.php
Please go there and search for "ccApp.exe" (no quotes).

I don't consider these false positives. The information from Paul Collins' Startup list is static information to help you decide the validity of the entry. There is no scan involved to actually determine if your particular entry is good or bad.

You can find Paul Collins' Startup list here:
Startup Applications List
http://www.sysinfo.org/startuplist.php
Please go there and search for "ccApp.exe" (no quotes).

hi md usa spybot fan,

i have go to the Paul Collin's website to search for it,
but i don't understand what its actually talking about...

can u pls guide me through?

btw, if these are not false positives and they are for real,
will it help if i were to reinstall a fresh copy window and delete everything is drive c?

what i mean is, during the reinstalling of windows, i delete everything in C drive, then reinstall a FRESH copy of windows, will the "Trojans/Virus" be remove from my comp?

or does it still stay inside my comp even if i were to install a fresh copy of window?

i m sorry for so many questions, as i have little knowledge of these trojans/virus....and also i have no idea how to remover them...
i guess the best way is to reinstall a fresh copy of windows n delete everything in c drive...

i did a scan at jotti but found nothing....
btw, i have NOD32 AV & Norton Personal Firewall installed....

can anyone pls advise
ccApp.exe is a Common Component of most Symantec (Norton) products, which is why it's found in the \Common Files\Symantec Shared\ folder. I wouldn't be worried about this since you mentioned the Norton Personal Firewall, which I happen to know includes this file.

You seem to be overly concerned that your PC has some sort of malware. Are you seeing symptoms that make you think this or is it just the information in the System Startup Tool screen that has you concerned?

The Advanced Mode Tools section of Spybot S&D is intended for experts, which you've stated yourself that you aren't, for this very reason. It can be very confusing to read some of these cryptic explanations, which is why a warning is given when you enter Advanced Mode that it can be dangerous to the operation of your PC to mess with these tools. Unlike the basic 'Check for problems', which is designed to work in a relatively simple manner, the Advanced Mode assumes you have a level of knowledge above that of the average user. We can't give you that knowledge in a couple posts, so I'd recommend you not use these tools to change anything at this point.

What you can do is look at each tool as you have, read the related help by clicking the help button in each screen and then look at each entry and try to understand its purpose. You obviously have barely started that process, since you have chosen to display an image of the System Startup entries rather then post the related '--- Startup entries list ---' portion of the View Report results in the same Tools section.

As you try each of these tools, do not Delete, Remove or Change anything until you are completely certain what the results might be. Return here and use the 'Search' selection at the top of the page to look for existing posts that might answer your question, then post your question if you can't find anything. Try putting 'Ctfmon.exe' in the search box for an example and you'll find the post md usa spybot fan linked you to.

If you believe that you really have something on your PC, you can follow the instructions in the following post and then post your own log in the Malware Removal forum elsewhere on this site.

http://forums.spybot.info/showthread.php?t=288

ccApp.exe is a Common Component of most Symantec (Norton) products, which is why it's found in the \Common Files\Symantec Shared\ folder. I wouldn't be worried about this since you mentioned the Norton Personal Firewall, which I happen to know includes this file.

You seem to be overly concerned that your PC has some sort of malware. Are you seeing symptoms that make you think this or is it just the information in the System Startup Tool screen that has you concerned?

The Advanced Mode Tools section of Spybot S&D is intended for experts, which you've stated yourself that you aren't, for this very reason. It can be very confusing to read some of these cryptic explanations, which is why a warning is given when you enter Advanced Mode that it can be dangerous to the operation of your PC to mess with these tools. Unlike the basic 'Check for problems', which is designed to work in a relatively simple manner, the Advanced Mode assumes you have a level of knowledge above that of the average user. We can't give you that knowledge in a couple posts, so I'd recommend you not use these tools to change anything at this point.

What you can do is look at each tool as you have, read the related help by clicking the help button in each screen and then look at each entry and try to understand its purpose. You obviously have barely started that process, since you have chosen to display an image of the System Startup entries rather then post the related '--- Startup entries list ---' portion of the View Report results in the same Tools section.

As you try each of these tools, do not Delete, Remove or Change anything until you are completely certain what the results might be. Return here and use the 'Search' selection at the top of the page to look for existing posts that might answer your question, then post your question if you can't find anything. Try putting 'Ctfmon.exe' in the search box for an example and you'll find the post md usa spybot fan linked you to.

If you believe that you really have something on your PC, you can follow the instructions in the following post and then post your own log in the Malware Removal forum elsewhere on this site.

http://forums.spybot.info/showthread.php?t=288


hi,

last few days i saw something weird in my NPF's log...

its written:

Local IP address: local host
Local Service Port: backdoor**(forgot the name but it start with backdoor)
Remote IP address: Local Host
Remote Service Port: *forgot which number

can you pls tell me whats the meaning of the log?

p/s: i don't understand whats the meaning of this log, but i feel very weird regarding this...especially the word "backdoor" and that is why i am OVERLY concern about my comp...

the next day after i turn on my comp to check the log again, the log has been already erased, i guess it refresh itself on a system shut down...

after that i downloaded spybot to scan my comp but nothing was found, and while exploring the functions in spybot, i happen to saw these problems so thats why I am very concern about...

and yes, indeed i should use spybot in beginner mode, but i was just exploring around and DID NOT change/delete any important settings that i can't 100% confirm its meaning...

anyway, its seems like you are thinking that I am just OVERLY CONCERN about my comp, well its fine then...

if needed, i will delete/stop this thread immeditaly...

anyway, thanks!

hi,

last few days i saw something weird in my NPF's log...

its written:

Local IP address: local host
Local Service Port: backdoor**(forgot the name but it start with backdoor)
Remote IP address: Local Host
Remote Service Port: *forgot which number

can you pls tell me whats the meaning of the log?
OK, finally you've asked the question you should have asked in the first place. Sorry about the choice of words, but sometimes anger is the only way to get someone to focus on the important information rather then the 100 other things they've seen and done. For future reference the first information; error message, strange occurance or Log entry in this case is usually the most valuable and important.

I could just send you away to Symantec support, but I won't since I know it's not easy for the average person to use. I've always been very impressed with their Enterprise support, but recently tried their Personal/Small Business support and found it broken and almost useless.

Unfortunately, you've got little of the original message, but I think we can make one comment based on what you do have. The fact that both the Local and Remote IP address is Local Host indicates that the connection isn't directly to an external address, so it apparently didn't 'phone home'. This doesn't mean that the Port opened hasn't done this later though, so it's still a good idea to investigate.

As I said at the end of the previous post, if you really want to find out if there's a problem you should follow the instructions in the post I referenced and create a new posting in the Malware Removal forum. You're wasting your time with Spybot itself at this point, since you've already determined that it doesn't detect anything. The helpers in the Malware forum can discover and remove Malware that isn't known by any anti-spyware program at this point.

So here again is the link to the post telling what you should do when posting in that forum and a second link to the forum itself.

http://forums.spybot.info/showthread.php?t=288
http://forums.spybot.info/forumdisplay.php?f=22

Since new malware is coming out all the time, this is the only way to be sure.

I hope you now understand that I poked you intentionally to get you to focus your response. We could continue playing Q&A with Spybot S&D for days and get no closer to what you really need to know.

BTW, the Malware Helpers are nicer then I am. ;)