Spyware Newbie

Michael PPPPP

I've just started looking at possible spyware on my
computer. I'm mostly concerned about keyloggers or other
spyware that will find credit-card info or passwords.

First tried Spybot S&D, it found the normal stuff (lots of
fairly innocuous tracking cookies, and the DSO Exploit).
Then downloaded PestPatrol trial version, and it found
little more. But PestPatrol listed my startup files,
which includes some strange entries. Like 'cftmon.exe'
or 'mshta.exe', which seem either to be horrendous
worms/trojans, or a normal part of the OS. PestPatrol
said they are 'ok', but PestPatrol gives them both a date
of 04 Aug, which was a time when I was hooked up to a
potentially dodgy network. And when I looked for the
associated files on my c: drive, they don't seem to be
there at all.

The anti-spyware available all seems a bit questionable,
and some trial versions of the anti spyware seem to be
designed to scare you into paying for the full version by
listing bogus

Which is all a roundabout way to ask: How the hell do you
know what's what? How to know if I've got cftmon.exe, the
virus, or cftmon.exe, the MSoft language bar executable?
 
Ron Chamberlin

Hi Michael,

You didn't mention if you have a firewall enabled, or if you are running an
up to date antivirus program, thus there's no telling what may be on the
loose within your pc. If you don't have an active AV, I suggest going to
pandasoftware.com or trendmicro.com and doing a free, full scan ASAP.

> I've just started looking at possible spyware on my
> computer. I'm mostly concerned about keyloggers or other
> spyware that will find credit-card info or passwords.

Keyloggers aren't just spyware IMVHO. I would consider one as nasty as a
virus. Some critters, such as W32.spybot.worm (not to be confused with the
very good Spybot anti spyware program) will, in fact, act as a key logger
and send your info outbound.

> The anti-spyware available all seems a bit questionable, and some trial
> versions of the anti spyware seem to be
> designed to scare you into paying for the full version by listing bogus

Then why use it at all? I am quite comfortable running and trusting the
Microsoft product, SpyBot, Adaware, HiJackThis, CWShredder et al. I trust
them.

> Which is all a roundabout way to ask: How the hell do you know what's
> what? How to know if I've got cftmon.exe, the
> virus, or cftmon.exe, the MSoft language bar executable?

Good question. You've got to protect yourself with a combination of smart
surfing and the available tools.
Best practices are outlined at
http://www.microsoft.com/athome/security/default.mspx

Ron Chamberlin
MS-MVP
 
Kaspars

Hi, Michael!
1. Check spelling of cftmon.exe versus ctfmon.exe.
If it is _cftmon.exe_ then you may look at:
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SDBOT.AGJ
2. Run: sfc /scannow
If it asks for the OS CD, insert it and wait until it finishes.
3. You may go to Windows Update and download/install
missing high priority updates.
4. Follow the advice given by Ron Chamberlin.
Regards - Kaspars
 
Ron Kinner

The files are there but they are either hidden or system
files and by default you are not allowed to see them. If
you want to see hidden and system files then:

http://forums.majorgeeks.com/showthread.php?t=37650

Once you have done that you can go into Windows Explorer
and find the files and right click on them and check their
properties. Verify the version number and maker.

Alternatively you can see the file in CMD mode. Start, Run,
cmd and a DOS-type window will open. Type:

c:
cd \windows\system32
dir ctfmon.exe

Also useful is

dir /ogd *.*

which will list all of your files in that folder sorted by
date. That way you can just look at the more recent files.

You can also use

dir /ah

which shows only hidden files in the current folder.

dir /as

system files

dir /ar

read only files.

To delete a file that is read only

erase /f /q filename.ext

But if deleting a file with a .dll extension you should
unregister it first.

regsvr32 /s /u filename.ext

Since you are worried about security I would get the free
version of Zone Alarm

http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp

It will warn you if a program wants to go to the internet
and ask you if it is allowed or not.

Another good thing to have is HijackThis.

http://tomcoyote.org/hjt/hjt199//HijackThis.exe

If you save it to its own folder and run it now when you
think you are clean you can check all of the entries it
finds and tell it to ignore them in the future. The next
time you scan with it you will only see things that have
changed and you can remove them without worry.

Ron
 
