Question about spyware/popups

tnf
Posts: 13010
Joined: Tue Mar 13, 2001 8:00 am

Question about spyware/popups

Post by tnf »

So, on my desktop gaming rig I've never had a problem with this until the other day when my cousin's kid used it to work on a paper. Before I could tell him otherwise he used exploiter for everything, and I am guessing hit up a porn site or two having not had much time with the high speed before. In any case, I've got popups coming at me left and right on that machine, which isn't too big of a deal because I can just re-image the drive...but....

I know fuckall about how all the shit works, but could someone in the know tell me if what I discovered is somewhat correct about how this shit works?

First off, I looked at my processes that were running and noticed about 5 different ones with names like:
jfsixlsx.exe
rjptxls.exe

All random letters, all traced back to windows\system32\
Within the system32 directory were a bunch of directories with random names too...and each directory had one of the .exe files in it.

For example \system32\tjslkddj\rjptxls.exe

I did some google searches for any of those filenames and found nothing. I began deleting each file, and scanning through the registry for them, but found nothing matching the random name there.

Now, before I could delete the files, I had to kill the processes in the process list in task manager. The bitch was, though, that a couple of the processes were under user name SYSTEM, so when I'd end them, they'd start back up in about 2 seconds...and you can't delete the file when the process is running. So, I actually had to have everything open and ready, kill the process, then sneak in the file delete before the process started back up on its own.

Anyhow, I didn't realize how fucking insidious these fucking things could be. I was getting explorer popups even with the messenger service disabled while using firefox. Some shit named aurora still keeps coming up.

I haven't bothered trying spyware removal software, because I am going to wipe the drive anyhow.

SO, my question (finally) is...do those popup/spyware programs use some kind of random filename generators when they install themselves to make them even more of a pain in the ass to get rid of? That is the only thing I can think of in regards to all that "rjdxlkjs.exe" bullshit.

Ideas? Thanks.
stocktroll
Posts: 1314
Joined: Mon Mar 21, 2005 2:44 am

Post by stocktroll »

i remember i had a problem like that.

Scan with Adaware. If removing it only respawns new spyware, scan again but don't delete the new files;
use KillBox to replace them with dummy files on reboot,
or, depending on what it is, you can just use KillBox to take them out straight away.
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Re: Question about spyware/popups

Post by Tormentius »

tnf wrote:SO, my question (finally) is...do those popup/spyware programs use some kind of random filename generators when they install themselves to make them even more of a pain in the ass to get rid of? That is the only thing I can think of in regards to all that "rjdxlkjs.exe" bullshit.

Ideas? Thanks.
That's exactly what some of the more insidious spyware or trojan-type applications do. Heuristics (like MS' and other real-time apps use) will do a better job of stopping/removing those types of threats. Chances are if you just run a couple of different vendors' scans you'll be able to save yourself a reinstall. PM me if you'd like more help.
Massive Quasars
Posts: 8696
Joined: Fri Dec 15, 2000 8:00 am

Post by Massive Quasars »

Symantec AV claims it will remove adware and spyware. I don't know how effective it is at that.
Eraser
Posts: 19181
Joined: Fri Dec 01, 2000 8:00 am

Post by Eraser »

Not really I think.
I use Symantec Antivirus and when I first installed Microsoft AntiSpyware it still found spyware.
Massive Quasars
Posts: 8696
Joined: Fri Dec 15, 2000 8:00 am

Post by Massive Quasars »

Is MS AntiSpyware any good?
+JuggerNaut+
Posts: 22175
Joined: Sun Oct 14, 2001 7:00 am

Post by +JuggerNaut+ »

Massive Quasars wrote:Is MS AntiSpyware any good?
very.
SOAPboy
Posts: 8268
Joined: Sun Apr 13, 2003 7:00 am

Post by SOAPboy »

Next time you have to kill a process to "delete it", move said file to the desktop, kill the process, then delete the file. It can't rerun it if it's not in the same place it "was", and it's not going to complain about "moving" the file while it's running, as you're just moving it and it can still "run" in a different location.. ;)
Eraser
Posts: 19181
Joined: Fri Dec 01, 2000 8:00 am

Post by Eraser »

SOAPboy wrote:Next time you have to kill a process to "delete it", move said file to the desktop, kill the process, then delete the file. It can't rerun it if it's not in the same place it "was", and it's not going to complain about "moving" the file while it's running, as you're just moving it and it can still "run" in a different location.. ;)
I don't think that's correct.
Normally you can't move files that are in use.
SOAPboy
Posts: 8268
Joined: Sun Apr 13, 2003 7:00 am

Post by SOAPboy »

Eraser wrote:
SOAPboy wrote:Next time you have to kill a process to "delete it", move said file to the desktop, kill the process, then delete the file. It can't rerun it if it's not in the same place it "was", and it's not going to complain about "moving" the file while it's running, as you're just moving it and it can still "run" in a different location.. ;)
I don't think that's correct.
Normally you can't move files that are in use.
It works for most of that stupid spyware shit.. like stubborn toolbars and such
+JuggerNaut+
Posts: 22175
Joined: Sun Oct 14, 2001 7:00 am

Post by +JuggerNaut+ »

SOAPboy wrote:
Eraser wrote:
SOAPboy wrote:Next time you have to kill a process to "delete it", move said file to the desktop, kill the process, then delete the file. It can't rerun it if it's not in the same place it "was", and it's not going to complain about "moving" the file while it's running, as you're just moving it and it can still "run" in a different location.. ;)
I don't think that's correct.
Normally you can't move files that are in use.
It works for most of that stupid spyware shit.. like stubborn toolbars and such
i'm pretty positive if it's a running process, you cannot move or delete it.
SOAPboy
Posts: 8268
Joined: Sun Apr 13, 2003 7:00 am

Post by SOAPboy »

+JuggerNaut+ wrote:
SOAPboy wrote:
Eraser wrote: I don't think that's correct.
Normally you can't move files that are in use.
It works for most of that stupid spyware shit.. like stubborn toolbars and such
i'm pretty positive if it's a running process, you cannot move or delete it.

Try it

Install some popup crap, and move the exe, and or .dll for the program.. it works..
+JuggerNaut+
Posts: 22175
Joined: Sun Oct 14, 2001 7:00 am

Post by +JuggerNaut+ »

SOAPboy wrote:
+JuggerNaut+ wrote:
SOAPboy wrote: It works for most of that stupid spyware shit.. like stubborn toolbars and such
i'm pretty positive if it's a running process, you cannot move or delete it.

Try it

Install some popup crap, and move the exe, and or .dll for the program.. it works..
Oh, maybe that's the problem. I DON'T GET SPYWARE.
SOAPboy
Posts: 8268
Joined: Sun Apr 13, 2003 7:00 am

Post by SOAPboy »

+JuggerNaut+ wrote:
SOAPboy wrote:
+JuggerNaut+ wrote: i'm pretty positive if it's a running process, you cannot move or delete it.

Try it

Install some popup crap, and move the exe, and or .dll for the program.. it works..
Oh, maybe that's the problem. I DON'T GET SPYWARE.
Well, next time you work on someone's machine that has some toolbar installed, try it. It works..

:icon26:
+JuggerNaut+
Posts: 22175
Joined: Sun Oct 14, 2001 7:00 am

Post by +JuggerNaut+ »

i think i will just for the hell of it.
Massive Quasars
Posts: 8696
Joined: Fri Dec 15, 2000 8:00 am

Post by Massive Quasars »

+JuggerNaut+ wrote:
Massive Quasars wrote:Is MS AntiSpyware any good?
very.
Maybe.

After doing a scan, and fixing the problems it found, I did another scan 15 mins later and still found spyware and adware. This was with Real-time protection on for the duration of the period between scans.
+JuggerNaut+
Posts: 22175
Joined: Sun Oct 14, 2001 7:00 am

Post by +JuggerNaut+ »

Well, like any app, YMMV. On an acquaintance's PC it obliterated a couple of pesky browser hijackers that neither Adaware nor Spybot would get rid of.

is the "spyware/adware" cookies or running processes?
Massive Quasars
Posts: 8696
Joined: Fri Dec 15, 2000 8:00 am

Post by Massive Quasars »

Not sure, but it frustrates me to no end.

Previously I had this POS virus that wouldn't allow me to open any explorer.exe related windows (IE, windows explorer, control panel, etc.). I thought I needed a format the whole time, but the problem disappeared after a solid AV scan.

I explained this in another thread.
Giraffe }{unter
Posts: 2941
Joined: Fri Mar 17, 2000 8:00 am

Post by Giraffe }{unter »

Massive Quasars wrote:Symantec AV claims it will remove adware and spyware. I don't know how effective it is at that.
Yes, they do, but they do not scan for it by default; you need to set it to scan for expanded threats and delete them. I'm not 100% sure how to do it in the home version though.

Massive Quasars wrote:Is MS AntiSpyware any good?
Yes, when using it also go into Advanced tools > Browser hijack restore > check all and restore.


Lastly, for those annoying ones, do all your work in Safe Mode; most of the baddies won't be running, so you can easily delete them. While in Safe Mode go to

C:\Windows\Temp
C:\Documents & Settings\infected account's user name\local settings\Temp

Select all > SHIFT+DELETE everything; this is where the install files hide.

More on this -> http://www.giraffe-hunter.com/junkwarep1.htm
Massive Quasars
Posts: 8696
Joined: Fri Dec 15, 2000 8:00 am

Post by Massive Quasars »

Thank you sir.
blood.angel
Posts: 871
Joined: Sat Jun 10, 2000 7:00 am

Post by blood.angel »

Noobs.

Adaware followed by Spybot followed by Norton Corporate Antivirus.

Ownt.
mik0rs
Posts: 2650
Joined: Wed May 03, 2000 7:00 am

Post by mik0rs »

SOAPboy wrote:
+JuggerNaut+ wrote:
SOAPboy wrote: It works for most of that stupid spyware shit.. like stubborn toolbars and such
i'm pretty positive if it's a running process, you cannot move or delete it.

Try it

Install some popup crap, and move the exe, and or .dll for the program.. it works..
No it doesn't, you can't move something that's running. I've tried this a multitude of times on various spyware-addled computers (not mine, because I can't have any); the only way to move them/delete them is to make sure the process isn't running and then blast it. Safe mode's handy for that.
Massive Quasars
Posts: 8696
Joined: Fri Dec 15, 2000 8:00 am

Post by Massive Quasars »

blood.angel wrote:Noobs.

Adaware followed by Spybot followed by Norton Corporate Antivirus.

Ownt.
I have all 3. I couldn't get Adaware or Spybot to schedule scans, once scheduled nothing would happen, so scans were infrequent because they required my prompting. Both Symantec AV and MS Antispyware schedule properly and generally own. MS-AS schedules everything, pretty much totally automated from what I gather. Symantec AV will schedule scans, but not updates as far as I'm aware.
Freakaloin
Posts: 10620
Joined: Tue May 07, 2002 7:00 am

Post by Freakaloin »

+JuggerNaut+ wrote:
Massive Quasars wrote:Is MS AntiSpyware any good?
very.

lol...it is? by being good, do u mean it sucks ass? ok then...
Giraffe }{unter
Posts: 2941
Joined: Fri Mar 17, 2000 8:00 am

Post by Giraffe }{unter »

mik0rs wrote:
SOAPboy wrote:
+JuggerNaut+ wrote: i'm pretty positive if it's a running process, you cannot move or delete it.

Try it

Install some popup crap, and move the exe, and or .dll for the program.. it works..
No it doesn't, you can't move something that's running. I've tried this a multitude of times on various spyware-addled computers (not mine, because I can't have any); the only way to move them/delete them is to make sure the process isn't running and then blast it. Safe mode's handy for that.
You can also be sneaky (only works on 80% of the crap), but it's good for quick removal:
  • Open Task Manager > Processes tab
  • write down all offending processes
  • find them so you can delete them
  • Select explorer > end task (with Explorer not running, most of these processes do not know how to restart)
  • select all bad processes and end them as well
  • File > New Task (run) > type "cmd"
  • in the command prompt navigate to the directory (example: CD windows\system32)
  • in the command prompt delete the file (example: del jfhuy1.exe)
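The pattern tnf describes (random-letter .exe names in their own subdirectories under System32, respawning within seconds) and Giraffe }{unter's kill-everything-first-then-delete procedure, as one added triage script. This is example code written for this thread, not something any poster or vendor supplied; the name heuristic, the one-level-below-System32 rule and the signature check are my own assumptions about what separates these files from legitimate system binaries, and the script only reports unless you pass -Remove.

```powershell
# Added example: flag running executables that sit one level below %SystemRoot%\System32
# (e.g. System32\tjslkddj\rjptxls.exe), have a random-looking name and no valid
# Authenticode signature. Run from an elevated prompt, ideally in Safe Mode.
param([switch]$Remove)

$sys32 = Join-Path $env:SystemRoot 'System32'

function Test-RandomName([string]$Name) {
    # Assumed heuristic: 6+ alphanumeric characters with few vowels or a long
    # consonant run ("rjptxls", "jfsixlsx") look machine-generated; "explorer" does not.
    $base = [IO.Path]::GetFileNameWithoutExtension($Name).ToLower()
    if ($base -notmatch '^[a-z0-9]{6,}$') { return $false }
    $vowels = ([regex]::Matches($base, '[aeiouy]')).Count
    return (($vowels / $base.Length) -lt 0.25) -or ($base -match '[^aeiouy]{5,}')
}

$hits = foreach ($p in Get-CimInstance Win32_Process) {
    $path = $p.ExecutablePath
    if (-not $path) { continue }                       # kernel/system pseudo-processes
    $dir = Split-Path $path -Parent
    if ((Split-Path $dir -Parent) -ne $sys32) { continue }   # only System32\<subdir>\x.exe
    if (-not (Test-RandomName $p.Name)) { continue }
    if ((Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid') { continue }
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    [pscustomobject]@{
        PID       = $p.ProcessId
        Name      = $p.Name
        Path      = $path
        User      = "$($owner.Domain)\$($owner.User)"   # SYSTEM-owned ones are the watchdogs
        ParentPID = $p.ParentProcessId                  # pairs that restart each other show up here
    }
}

$hits | Format-Table -AutoSize

if ($Remove -and $hits) {
    # Stop every flagged process in one pass before touching any file: a partner
    # that is still alive would relaunch the one you just killed within seconds,
    # and Windows refuses to delete an image that is still mapped by a process.
    $hits | ForEach-Object { Stop-Process -Id $_.PID -Force -ErrorAction SilentlyContinue }
    Start-Sleep -Seconds 1
    $hits | ForEach-Object { Remove-Item -LiteralPath $_.Path -Force }
}
```

Review the table before re-running with -Remove; the heuristic is deliberately loose, so a legitimate unsigned tool that happens to live under System32\<subdir>\ would also be listed.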