Hello, problem is solved. I have restarted computer in safe mode. Made a Registry Mechanic scan. Fixed registry entry and then erased Spybot entry.
It seems to have disappeared.
As you said it was a wrong registry entry.
Thanks my friend
Bye!
Hello again,
I must have done something wrong because now I can't open internet explorer.
It loads but the window closes very quick.
What do you suggest?
If your Windows OS (ME, XP or Vista) has a system restore facility, do a system restore to a restore point prior to when you ran Registry Mechanic.
Getting an answer is one thing, learning is another.
Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
Hello, I disabled system restore just before running Registry Mechanic. I did that because I read something about disabling system restore after fixing trojan problems. Now I know I did it wrong!
What can I do?
If you took a Registry Mechanic backup use that. If not, I am not sure I can help.
I am not familiar with Registry Mechanic because I don't use it or any other registry cleanup tools (although I do know that you can take backups within Registry Mechanic before making changes).
If Registry Mechanic has a detailed log of exactly what was changed, post the log and possibly someone may be able to determine what happened.
On the other hand if Registry Mechanic does not have a detailed log of exactly what was changed, the only thing that I can suggest is that you attempt to uninstall and reinstall Windows Internet Explorer and if that fails you possibly may have to rebuild your entire system.
Hello
Sorry to re-open this rather old thread, but I have this same kind of question, and I didn't think it appropriate to open a new thread as it is not exactly a "false positive" detected by SpybotSD. I hope it's ok
Well, the thing is, I have in my system startup list this same blank entry with the agobot-ku comment warning, but moreover I have trojan-virus comments in some other entries, and I don't know if they fall in the "descriptions are not detections" category (since they are not blank entries but concrete files).
Here is what I mean. For example, in the entry
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 282624
MD5: 30e1f03dcc8825988528d9058312ede2
I receive the comments:
Filename: qttasks.exe
Description: _CoolWebSearch_ parasite variant
--
Filename: [random filename]
Description: _Trafficadvance_ dialer
On the entry
Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 25ecfa69af1563fde8dfd31f9954497a
I receive the warnings:
Filename: ctfmon32.exe
Description: CoolWebSearch _Ctfmon32_ parasite variant
--
Filename: ctfmon.exe
Description: Added by the _RAIDYS_ TROJAN! Note - this should not be confused with the valid Office XP file, see _here_
--
Filename: msupdate32.exe
Description: Spy Sheriff/SpywareNO malware, also detected as the _SPYHOAX-A_ TROJAN, pretends to be a spyware remover! - file names spotted sofar include VXH8JKDQ2.EXE, NS6281400.so, CVXH8JKDQ2.EXE, down3.exe, sefe.exe, winstall.exe, and tool2.exe
On the entry
Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
size: 83608
MD5: 9c1c80bbf8e6044980890e2d2d91091c
I receive the warnings
Filename: scvhost.exe
Description: Added by the _SDBOT-AVX_ WORM!
--
Filename: javamx.exe
Description: Added by the _SDBOT-WI_ WORM!
So, my question is, is none of these entries a detection? I have checked my PC with the SpybotSD up to date and it comes up clean. I also have scanned with avast, panda online, kaspersky online, bitdefender online, ewido online, and none of them has detected anything. I have not used Spysheriff as that comment for msupdate32 says. But, in spite of this, I have problems with my internet connection (maybe related to the svchost file?)
Well, if these entries are not dangerous, then I'll try to find another reason for my connection problems. If not, maybe I should post this on the Malware removal forum with a hjt log. What do you think?
Thanks in advance for your answer
Last edited by angieromero; 2007-10-26 at 14:16.
angieromero:
In each case you are only quoting a portion of the startup entry information. The following don't sound as bad do they?
Current filename: "C:\Program Files\QuickTime\qttask.exe" -atboottime
Database status: Typically not required
Value: QuickTime Task
Filename: Qttask.exe
Description
System Tray access to Apple's "Quick Time" viewer from version 5 onwards
Source: Paul Collins Startup list
Current filename: C:\WINDOWS\system32\ctfmon.exe
Database status: Necessity depends on users preferences
Value: ctfmon.exe
Filename: ctfmon.exe
Description
CTFMon is involved with the language/alternative input services in Office XP. Ctfmon.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see _here_. Ctfmon can be disabled from Control Panel, Text & Speech Services. Note - the file will always be located in the System32 folder, if it is located elsewhere it will likely be a worm or trojan! Can cause problems with some other programs if left enabled - see _here_ for such an example
Source: Paul Collins Startup list
Current filename: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
Database status: Typically not required
Value: SunJavaUpdateSched
Filename: jusched.exe
Description
Checks with Sun's Java updates site to see if newer Java versions are available. Visit _ http://java.sun.com_ or just run the Java Plug-In Control Panel
Source: Paul Collins Startup list
Typically your anti-virus would pick up the executable programs qttask.exe, ctfmon.exe and jusched.exe if they were the things you quoted.
___________________
ps: Check Sun Java version you are running. The latest is Java Runtime Environment (JRE) 6 Update 3. See:
- SunJava JRE 6 Update 3 released
http://forums.spybot.info/showthread.php?t=18601
Thanks very much md usa spybot fan for your quick response.
You are right, I only chose the specific sentences where they talked about the "infections", sorry if I should have posted all the complete comments. Here they are, in case they can be of any use:
Current filename: "C:\Program Files\QuickTime\qttask.exe" -atboottime
Database status: Typically not required
Value: QuickTime Task
Filename: Qttask.exe
Description
System Tray access to Apple's "Quick Time" viewer from version 5 onwards
Source: Paul Collins Startup list
____________________
Current filename: "C:\Program Files\QuickTime\qttask.exe" -atboottime
Database status: Not required - virus, spyware, malware or other resource hog
Value: QuickTime Task
Filename: qttasks.exe
Description
_CoolWebSearch_ parasite variant
Source: Paul Collins Startup list
____________________
Current filename: "C:\Program Files\QuickTime\qttask.exe" -atboottime
Database status: Not required - virus, spyware, malware or other resource hog
Value: QuickTime Task
Filename: [random filename]
Description
_Trafficadvance_ dialer
Source: Paul Collins Startup list
____________________
Current filename: C:\WINDOWS\system32\ctfmon.exe
Database status: Not required - virus, spyware, malware or other resource hog
Value: ctfmon.exe
Filename: ctfmon32.exe
Description
CoolWebSearch _Ctfmon32_ parasite variant
Source: Paul Collins Startup list
____________________
Current filename: C:\WINDOWS\system32\ctfmon.exe
Database status: Not required - virus, spyware, malware or other resource hog
Value: ctfmon.exe
Filename: ctfmon.exe
Description
Added by the _RAIDYS_ TROJAN! Note - this should not be confused with the valid Office XP file, see _here_
Source: Paul Collins Startup list
____________________
Current filename: C:\WINDOWS\system32\ctfmon.exe
Database status: Not required - virus, spyware, malware or other resource hog
Value: ctfmon.exe
Filename: msupdate32.exe
Description
Spy Sheriff/SpywareNO malware, also detected as the _SPYHOAX-A_ TROJAN, pretends to be a spyware remover! - file names spotted sofar include VXH8JKDQ2.EXE, NS6281400.so, CVXH8JKDQ2.EXE, down3.exe, sefe.exe, winstall.exe, and tool2.exe
Source: Paul Collins Startup list
____________________
Current filename: C:\WINDOWS\system32\ctfmon.exe
Database status: Necessity depends on users preferences
Value: ctfmon.exe
Filename: ctfmon.exe
Description
CTFMon is involved with the language/alternative input services in Office XP. Ctfmon.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see _here_. Ctfmon can be disabled from Control Panel, Text & Speech Services. Note - the file will always be located in the System32 folder, if it is located elsewhere it will likely be a worm or trojan! Can cause problems with some other programs if left enabled - see _here_ for such an example
Current filename: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
Database status: Typically not required
Value: SunJavaUpdateSched
Filename: jusched.exe
Description
Checks with Sun's Java updates site to see if newer Java versions are available. Visit _ http://java.sun.com_ or just run the Java Plug-In Control Panel
Source: Paul Collins Startup list
____________________
Current filename: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
Database status: Not required - virus, spyware, malware or other resource hog
Value: SunJavaUpdateSched
Filename: scvhost.exe
Description
Added by the _SDBOT-AVX_ WORM!
Source: Paul Collins Startup list
____________________
Current filename: "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
Database status: Not required - virus, spyware, malware or other resource hog
Value: SunJavaUpdateSched
Filename: javamx.exe
Description
Added by the _SDBOT-WI_ WORM!
Source: Paul Collins Startup list
____________________
So, anyway, if I understand correctly, you say these comments from the startup list are not really dangerous, even if they talk about trojans, parasites or worms, and the antiviruses/antispyware I used would have detected it if there had been any infection on these files? Well, that's a relief, really
Thank you very much
Ps: I'll check the Java release, thanks
angieromero:
Additional information:
The comments on startup entries are the known possibilities for the names of the entries. Since malware often attempts to mask itself as something innocent, the names of common startup entries, in this case QuickTime Task, ctfmon.exe and SunJavaUpdateSched, are often used by malware.
Spybot’s > Tools > System Startup does not analyze the startup entries so the comments are just that, comments. In other words Spybot is just presenting comments about possibilities for the startup entries by the names of QuickTime Task, ctfmon.exe and SunJavaUpdateSched. You must analyze the entry including the executable portion of the entry to determine if it is a legitimate entry or not:
- QuickTime Task - "C:\Program Files\QuickTime\qttask.exe" -atboottime
- ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
- SunJavaUpdateSched - "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
In most cases either anti-virus or anti-malware scans would identify either the entries or the programs they are executing as a potential problem.
One of the primary purposes of Spybot’s > Tools > System Startup is to see what is starting in the system and determine if that startup is required. A relatively good source for determining whether a startup entry is actually required or not is the Task List at AnswersThatWork:
- AnswersThatWork - PC Tuning & Troubleshooting, HelpDesk, Computer Tips & Solutions
http://www.answersthatwork.com/
Thank you very much again!
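Added example (not part of the original thread and not Spybot's own code): the check described in the "Additional information" post above, comparing the executable portion of each startup entry with the path expected for that entry name, instead of relying on the name-based comments. The function names and the last two sample entries are constructed for illustration.

```python
import ntpath

# Expected executable per startup value name, copied from the entries quoted
# in this thread.
EXPECTED = {
    "QuickTime Task": r"C:\Program Files\QuickTime\qttask.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "SunJavaUpdateSched": r"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe",
}

def executable_of(command):
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: cut after the first ".exe" (a simplification that keeps
    # paths containing spaces intact and drops trailing arguments).
    cut = command.lower().find(".exe")
    return command[:cut + 4] if cut != -1 else command

def check(value, command):
    """Classify one startup entry by what it actually runs."""
    expected = EXPECTED.get(value)
    if expected is None:
        return "unknown-name"
    exe = ntpath.normcase(executable_of(command))
    expected = ntpath.normcase(expected)
    if exe == expected:
        return "matches"
    if ntpath.basename(exe) == ntpath.basename(expected):
        return "wrong-location"   # right file name, unexpected folder
    return "different-file"       # entry name borrowed by another program

# First three entries are the ones quoted in the thread; the last two are
# constructed to show the failure cases.
SAMPLE = [
    ("QuickTime Task", r'"C:\Program Files\QuickTime\qttask.exe" -atboottime'),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("SunJavaUpdateSched", r'"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"'),
    ("ctfmon.exe", r"C:\WINDOWS\ctfmon.exe"),
    ("SunJavaUpdateSched", r"C:\WINDOWS\system32\scvhost.exe"),
]

def review(entries):
    return [(value, check(value, command)) for value, command in entries]

if __name__ == "__main__":
    for value, verdict in review(SAMPLE):
        print(f"{value:20} {verdict}")
```

A "matches" verdict only says the entry points at the expected path; whether the file at that path is genuine is still a job for the anti-virus or anti-malware scan mentioned in the post.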