Stupid bloody spyware

Burn

I got some spywarey adware stuff.. random popups of general crap that I don't want. I wouldn't care but these popups are forced to the front of the screen, thus if I'm watching a film, or playing a game it alt-tabs it or crashes it.

I have tried spybot and adaware, none got rid of it, in my task manager I have a program called "rteedh.exe" running, which I think it is, because when I end it.. it just reopens another random exe file, like.. "cexwbu.exe"

HELP!
 
Got it, doesn't work.

Edit: Haha... I had mine turned off, I'm an idiot. Turned it back on and it dealt with it.
 
Probably the most drastic solution, but the best: format. Sometimes I got spyware that 5 anti-spyware programs didn't get rid of. Reinstalling Windows solved that, it's so refreshing.
 
uh oh
time for some drastic formatting if spyware killers are immune to them
is the antispyware software fully updated?
 
Ritz said:
Got it, doesn't work.

Edit: Haha... I had mine turned off, I'm an idiot. Turned it back on and it dealt with it.

didn't he fix the problem?
 
She. And no.

It seems it didn't fix the issue at all.. in fact in the last five minutes I've had 7 popups, and it's not normal popups, these are forced to the top, killing anything you are running.

Going to need to reformat, bah.
 
did you clear all your cookies?
try that first
then delete your temp internet files
finally update your fav spyware killer and run a new scan
 
john3571000 said:
uh oh
time for some drastic formatting if spyware killers are immune to them
is the antispyware software fully updated?

Don't put all your faith in antispyware/antivirus, they miss an awful lot of stuff even when they're fully updated.

Do this -
1) if you have an idea of when you contracted the spyware, do a search on all *.exe or *.dll files modified on that day. You'll get a ton of hits, but look out for any obviously dumb names or very small files that all appeared around the same time. Make a judgement on whether to delete them or not - if necessary, look up the file name online (www.tasklist.org is one place to start, but google does the job).

2) Also go to your windows/system32 folder and sort the files by date, most recent to last. Have a special look at any exe's that turned up just before you started having trouble. If you can't pinpoint the exact time, check out all the most recent exe's/dll's/bat's/etc - look for obvious stuff like fishy names, or capital letters on exe's (most exe's in that folder are lower case). If you're really torn over whether to get rid of something or not, check its properties - most legit stuff in that folder will have a "version" tab on it. Admittedly, the more recent the file in that folder, the less likely it is to have a version, like java software or whatever, but as a general rough and ready rule, deleting stuff without a "version" won't cause your computer to explode (I think...). And even if it screws a few small things up, it's better than formatting if it gives you peace of mind, right? Try to avoid deleting stuff with "version"s.

3) Really obstinate spyware hides itself in windows, and is invisible. I once had my entire windows/system folder hidden from me. Go to run/msconfig and check startup. Again, look for fishy filenames (especially in windows/system32) and run a search on them, check their version, check modified dates, check online, make a judgement. If you can't find them on your computer at all, be a little suspicious (especially if it's currently running!). Often you get files that add themselves back to the startup menu after being removed - Google a prog called "hijackthis" and download it. Run it, look for any dodgy registry files, like the ones that point to invisible files. Make a note of the file name, then delete the registry entry. BE VERY SURE about what you're doing beforehand though - don't do it "just to see what happens"...do this only when you know you have spyware, you know what it is, but you're having trouble deleting it. After deleting the registry entry, reboot in safe mode. Search for the files - if they now show up, and if they don't have the sense to even have a "version" tab, you can now administer the smackdown.

DISCLAIMER: - this is a very rough and ready guide. It can, and frequently will, result in you creating problems for yourself in windows (I've done it many times...). Exercise great caution and delicacy. These are just the intuitive voodoo tactics you develop after running a computer for 2 years with no antivirus, and I take no responsibility for damage or loss of data incurred by following these steps. Typically you'll only need to worry about doing this kind of stuff if you very obviously have spyware on your comp, and you need to get rid - not if you're just doing a checkup.
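
The three manual checks in the post above, gathered into one read-only PowerShell triage script; this is an added example and not part of the original post. It assumes a current Windows with PowerShell 3.0 or later, the `$Since` and `$Folder` parameters are hypothetical names, and the signature column goes beyond what the post describes.

```powershell
# Added example, read-only: lists candidates for manual review, deletes nothing.
# $Since and $Folder are assumptions; set $Since to about when the popups began.
param(
    [datetime]$Since = (Get-Date).AddDays(-7),
    [string]$Folder = (Join-Path $env:windir 'System32')
)

# Steps 1 and 2: recently changed exe/dll/bat files, with the clues the post names.
$files = Get-ChildItem -Path $Folder -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.bat' -and $_.LastWriteTime -ge $Since }

$fileReport = foreach ($f in $files) {
    [pscustomobject]@{
        Name       = $f.Name
        Modified   = $f.LastWriteTime
        SizeKB     = [math]::Round($f.Length / 1KB, 1)
        # Explorer's "Version" tab is built from this embedded resource.
        HasVersion = -not [string]::IsNullOrWhiteSpace($f.VersionInfo.FileVersion)
        Company    = $f.VersionInfo.CompanyName
        Hidden     = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
        UpperCase  = $f.Name -cmatch '[A-Z]'
        # Beyond the post: signature status is one more signal, not a verdict.
        Signature  = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
    }
}
# Files with no version resource sort first, newest at the top of each group.
$fileReport | Sort-Object HasVersion, @{ Expression = 'Modified'; Descending = $true } |
    Format-Table -AutoSize

# Step 3: startup entries whose target file cannot be found on disk.
$startup = Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
    $cmd = [Environment]::ExpandEnvironmentVariables([string]$_.Command)
    $target = $null
    if ($cmd -match '^\s*"([^"]+)"') { $target = $Matches[1] }
    elseif ($cmd -match '^\s*(.+?\.(exe|dll|bat|cmd))(\s|$)') { $target = $Matches[1] }
    [pscustomobject]@{
        Name     = $_.Name
        Location = $_.Location
        Command  = $_.Command
        # Only rooted paths are tested; bare names resolve through PATH.
        Missing  = [bool]($target -and [IO.Path]::IsPathRooted($target) -and
                          -not (Test-Path -LiteralPath $target))
    }
}
$startup | Sort-Object Missing -Descending | Format-List
```

Run it from an elevated prompt so hidden and protected files are listed, and look each flagged name up before removing anything.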
 
I boot to a dos floppy and go on a deleting rampage (works every time). Once I renamed my Windows folder while in DOS for fun. And then I lost the floppy. Had to reinstall windows. I tend to get a little paranoid though, I deleted Norton Anti-Virus because it clogged up so much RAM I thought it was spyware. Some spyware have multiple exes running, so when you ctrl-alt-del one of them the other one restarts it, and if you remove the startup entry from msconfig it restores it back instantly. The easiest way to deal with it (if you're on XP) is to go to the command line and type taskkill /F /IM spyware1.exe spyware2.exe etc. etc. etc. That way you can end multiple processes at once.
 
The easiest way to deal with it (if you're on XP) is to go to the command line and type taskkill /F /IM spyware1.exe spyware2.exe etc. etc. etc. That way you can end multiple processes at once.

Interesting, I never knew that tactic. What do you recommend doing when there are multiple instances of legitimate programs running, when there should only be one? For instance, more than one ctfmon.exe, when you can only find one ctfmon on your comp?
 
Doesn't seem like anything is going to get rid of it, I'm going to format, only downside is I don't know where my windows cd is :( Gonna have to find it first.
 
Have you tried the suggestions above? If you're running into problems maybe someone can come up with a workaround or something.
 
try running the spyware progs firstly in safe mode and then try running them in the normal windows user. That will clear out all the main stuff. Also clear out cookies and stuff
 
Laivasse said:
Interesting, I never knew that tactic. What do you recommend doing when there are multiple instances of legitimate programs running, when there should only be one? For instance, more than one ctfmon.exe, when you can only find one ctfmon on your comp?

What do you mean by "find one ctfmon on your comp"? If you have more than one instance of the same executable you will only see one process of it in the task manager (I think).
 
If there is more than one instance, don't worry about it. Certain programs (like svchost) do more than one thing and show up as multiple entries.

"Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started."

iexplore.exe and explorer.exe are the same way if you have multiple windows open. ctfmon might be a similar program. Then again, run a search for "ctfmon", since some trojans and viruses disguise themselves as other programs. You should only have one copy of the file on your hard drive (unless it's also in the installation files), and it should be in the system directory (I think).
 
DSDchemE said:
If there is more than one instance, don't worry about it. Certain programs (like svchost) do more than one thing and show up as multiple entries.

"Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started."

iexplore.exe and explorer.exe are the same way if you have multiple windows open. ctfmon might be a similar program. Then again, run a search for "ctfmon", since some trojans and viruses disguise themselves as other programs. You should only have one copy of the file on your hard drive (unless it's also in the installation files), and it should be in the system directory (I think).

It was a spyware problem I sorted a while ago, but I never understood how it worked. I know svchost is meant to have multiple instances, but ctfmon (it manages the language bar) is only meant to appear in the tasklist once in my experience. The problem went away after I deleted and replaced my legitimate ctfmon, as well as clearing out a few suspicious dll's. But it was only luck that I found them, and none of them were called "ctfmon". So I still don't have a hard and fast solution to that one. Slipped by all my antivirus/antispy too.
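
One way to check the duplicate-instance question raised in the posts above, as an added PowerShell example that is not part of the thread: it shows which folder each running image was loaded from, which process started it, and every copy of the file on disk. The `$Name` parameter is a hypothetical name and defaults to the `ctfmon.exe` case discussed here; PowerShell 3.0 or later is assumed.

```powershell
# Added example, read-only: shows where each running image was loaded from.
# $Name is an assumption; ctfmon.exe is the case discussed in the thread.
param([string]$Name = 'ctfmon.exe')

$procs = Get-CimInstance -ClassName Win32_Process
$nameByPid = @{}
foreach ($p in $procs) { $nameByPid[[int]$p.ProcessId] = $p.Name }

# One row per image name that runs more than once or from more than one path.
$groups = $procs | Where-Object { $_.ExecutablePath } | Group-Object Name | ForEach-Object {
    $paths = @($_.Group | ForEach-Object { $_.ExecutablePath } | Sort-Object -Unique)
    [pscustomobject]@{
        Name      = $_.Name
        Instances = $_.Count
        # svchost.exe legitimately has many instances, all from one path.
        PathCount = $paths.Count
        Paths     = $paths -join '; '
    }
}
$groups | Where-Object { $_.Instances -gt 1 -or $_.PathCount -gt 1 } |
    Sort-Object PathCount, Instances -Descending | Format-Table -AutoSize -Wrap

# Every instance of $Name with its parent, to see what keeps starting it.
$procs | Where-Object { $_.Name -eq $Name } | ForEach-Object {
    [pscustomobject]@{
        ProcessId = $_.ProcessId
        Path      = $_.ExecutablePath
        Parent    = $nameByPid[[int]$_.ParentProcessId]
        ParentId  = $_.ParentProcessId
        Started   = $_.CreationDate
    }
} | Format-Table -AutoSize

# Every copy of $Name on the system drive, with version and location.
Get-ChildItem -Path "$env:SystemDrive\" -Filter $Name -File -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime, Length,
        @{ Name = 'FileVersion'; Expression = { $_.VersionInfo.FileVersion } },
        @{ Name = 'InSystem32'; Expression = { $_.DirectoryName -ieq (Join-Path $env:windir 'System32') } }
```

On current 64-bit Windows, extra copies of system binaries under SysWOW64 and WinSxS are normal. When two processes restart each other, end both in one call; `taskkill` takes a separate `/IM` switch for each image name.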
 
Scan with all the programs you have. This should include

Microsoft Antispyware Beta
Spybot
AdAware
AVG

If that doesn't work and you can't find the offending file, format.
 