
Thread: Bugs in Spybot 1.5 tools - system startup and internals

  1. #1
    Junior Member
    Join Date
    Sep 2007
    Location
    England
    Posts
    7

    Bugs in Spybot 1.5 tools - system startup and internals

    Just gave version 1.5 a try and found the following.

    In system startup it is showing five non-existent entries - 2 ctfmon entries and 3 avg runonce entries. I have one instance of ctfmon disabled in msconfig and no avg runonce entries at all.
    Screenshot (non-existent entries in red box):


    Also a system internals scan is showing the stsystra.exe startup entry (which you can see as enabled in the startup list in pic above) as "Startup file does not exist" which is clearly incorrect.

  2. #2
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,576

    Are you sure these do not exist? The display might be a bit misleading... it says HKCU, but names the user afterwards.

    These entries would be at the following locations if you want to look them up in the registry:

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  3. #3
    Junior Member
    Join Date
    Sep 2007
    Location
    England
    Posts
    7

    Quote Originally Posted by PepiMK
        Are you sure these do not exist? The display might be a bit misleading... it says HKCU, but names the user afterwards.

        These entries would be at the following locations if you want to look them up in the registry:

        HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
        HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\
        HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\

    There may well be traces of these entries in the registry but Spybot should not be showing them as active startup entries when they aren't.
    Version 1.4, correctly, doesn't show these entries at all.
    (It also doesn't show the second issue I mentioned)
    Last edited by JDPower; 2007-09-05 at 21:48.

  4. #4
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,576

    And if it wouldn't show entries of other users, other people would complain that Spybot-S&D hides something.

    Come on, if you're looking for malware, it's kind of important to know whether other users on the same machine got infected as well, or not. They're active the moment those users log on! (ok, in this case it's the template for new users and the LocalService and NetworkService accounts... but if you show them only on the account they're for, to see them, you would have to log in on that account, and then they WOULD be started before you had a chance to review them)

    Regarding the "startup file does not exist", could you let me know where this file is located exactly?

    (oh, and btw, in version 2.0, the tools section will be completely swapped out into RunAlyzer to make the scanner itself leaner while allowing more features in the tools at the same time)
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  5. #5
    Junior Member
    Join Date
    Sep 2007
    Location
    England
    Posts
    7

    Quote Originally Posted by PepiMK
        And if it wouldn't show entries of other users, other people would complain that Spybot-S&D hides something.

        Come on, if you're looking for malware, it's kind of important to know whether other users on the same machine got infected as well, or not. They're active the moment those users log on! (ok, in this case it's the template for new users and the LocalService and NetworkService accounts... but if you show them only on the account they're for, to see them, you would have to log in on that account, and then they WOULD be started before you had a chance to review them)

        Regarding the "startup file does not exist", could you let me know where this file is located exactly?

        (oh, and btw, in version 2.0, the tools section will be completely swapped out into RunAlyzer to make the scanner itself leaner while allowing more features in the tools at the same time)

    There are no other user accounts on this computer though, so I still think, at least in this scenario, they shouldn't be listed.

    Regarding the startup file that is showing as not existing in a system internals scan, I didn't know whether you wanted the reg location or file location, so here's both:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    C:\WINDOWS\stsystra.exe
    (Though the startup command listed in msconfig is simply stsystra.exe, not a full file path)
    Last edited by JDPower; 2007-09-05 at 23:18.

  6. #6
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,576

    Something that's simply in the Windows folder really shouldn't be complained about. But thanks for quoting both, that might help in reproducing it.

    User accounts on Windows are not necessarily accounts for human users. In this case, these accounts are accounts that Windows uses internally. S-1-5-20 should be the ID for the account "NetworkService", and S-1-5-18 is, if I'm not mistaken, the account "LocalService". If you open the Windows Task Manager, you will notice a few system applications are running under those accounts (you might have to add the "User Name" column to Task Manager's display). So they're quite real.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
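
Added example, not part of any post in this thread and not Spybot-S&D code: a PowerShell script that lists the Run and RunOnce values discussed above for HKEY_LOCAL_MACHINE and every hive loaded under HKEY_USERS, names the account behind each SID, and checks whether each entry's file exists, resolving a bare name such as stsystra.exe through the Windows folders. The function names and the search order used for bare names are assumptions of this example.

```powershell
# Added example (not Spybot-S&D code): Run/RunOnce values for HKLM and every
# hive loaded under HKEY_USERS, with a check that each target file exists.
$sub = 'Software\Microsoft\Windows\CurrentVersion'

function Get-AccountName([string]$Sid) {   # hypothetical helper name
    try { (New-Object Security.Principal.SecurityIdentifier($Sid)).Translate([Security.Principal.NTAccount]).Value }
    catch { $Sid }   # ".DEFAULT" and "HKEY_LOCAL_MACHINE" are not SIDs; shown as-is
}

function Resolve-StartupTarget([string]$Command) {   # hypothetical helper name
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    # Program part: a quoted path, else text up to the first executable extension.
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($cmd -match '^(.+?\.(exe|com|bat|cmd))(\s|$)') { $exe = $Matches[1] }
    else { $exe = ($cmd -split '\s+', 2)[0] }
    if (-not $exe) { return $null }
    if ($exe -match '[\\/]') {   # a path was given: it must exist as written
        if (Test-Path -LiteralPath $exe -PathType Leaf) { return $exe } else { return $null }
    }
    # Bare name such as "stsystra.exe": search System32, the Windows folder,
    # then PATH (assumption: an approximation of the shell's own search).
    $dirs = @("$env:SystemRoot\System32", $env:SystemRoot) +
            ($env:Path -split ';' | Where-Object { $_ })
    foreach ($dir in $dirs) {
        $candidate = $dir.TrimEnd('\') + '\' + $exe
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

# HKLM plus each per-user hive (the *_Classes hives hold no Run keys).
$hives = @('HKEY_LOCAL_MACHINE') + @(Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKEY_USERS\$($_.PSChildName)" })

$report = foreach ($hive in $hives) {
    foreach ($keyName in 'Run', 'RunOnce') {
        $key = Get-Item -LiteralPath "Registry::$hive\$sub\$keyName" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($valueName in $key.GetValueNames()) {
            $command = [string]$key.GetValue($valueName)
            $target  = Resolve-StartupTarget $command
            [pscustomobject]@{
                Account = Get-AccountName (Split-Path $hive -Leaf)
                Key = $keyName; Name = $valueName; Command = $command
                Target = if ($target) { $target } else { 'NOT FOUND' }
            }
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt. Only hives that are currently loaded appear under HKEY_USERS, so the profiles of logged-off users are not covered.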

  7. #7
    Junior Member
    Join Date
    Sep 2007
    Location
    England
    Posts
    7

    Quote Originally Posted by PepiMK
        If you open the Windows Task Manager, you will notice a few system applications are running under those accounts (you might have to add the "User Name" column to Task Manager's display). So they're quite real.

    Well, the user name column in my task manager is actually empty (apart from one System entry).

  8. #8
    Junior Member
    Join Date
    Sep 2007
    Location
    England
    Posts
    7

    One last thing, would there actually be any point unticking those startup entries or are they best left alone?

  9. #9
    Junior Member
    Join Date
    Feb 2006
    Posts
    23

    I have also seen those lines, or I think it was those same run once. I got WinPatrol so it pops up to tell me about them and most are always pointing to the Windows temp folder.
    My guess is maybe you cleaned your temp folder before you did a reboot, so what would have happened with that run once file in the temp folder could not happen if you deleted the file.

    One thing I learned after I started using WinPatrol is to never clear anything from the Windows temp folder after doing an upgrade, install and uninstall, because if there are changes that are made on a reboot it needs those files, and most times after the reboot the file in the Windows temp folder gets deleted on its own from the run once.

    Here is all I have in startup and on AVG.

    Last edited by hewee; 2007-09-07 at 00:01.

  10. #10
    Junior Member
    Join Date
    Sep 2007
    Location
    England
    Posts
    7

    Quote Originally Posted by hewee
        I have also seen those lines, or I think it was those same run once. I got WinPatrol so it pops up to tell me about them and most are always pointing to the Windows temp folder.
        My guess is maybe you cleaned your temp folder before you did a reboot, so what would have happened with that run once file in the temp folder could not happen if you deleted the file.

    Nope, the AVG entries are from the initial install of AVG. I never empty temp folders or run any cleaners during an install (besides, you can see from the screenshot they aren't pointing to a temp folder, it's pointing to the AVG test center exe).
    And the ctfmon was disabled (via startup and followed by the MS instructions here) straight after my Windows install.
    Last edited by JDPower; 2007-09-07 at 00:09.
