I have just recovered from a 2 day spyware-hijacking-my-PC ordeal. I hate these fuckers that don’t have anything better to do than write malicious software that results in your computer going balls-up. Don’t worry, this post will help you remove this piece of shit.

It started with an icon appearing in my system tray with a balloon that said: “your computer is infected”. So, like the complete twat that I am, I clicked on it. This proceeded to download some bullshit anti-spyware program that resulted in this balloon popping up every 10 seconds or so. After a while I managed to figure out that the icon itself was the spyware.

I tried every free spyware program on the market and none of them could remove the damn thing fully. Eventually, I realised that the source of the problem was a startup program called ctpmon.exe, which sounds the same as the legitimate ctfmon.exe, the Microsoft program that is always running in the background doing whatever it is that it does. So I googled the thing and found an awesome entry from MegaBlast at http://forums.techguy.org/security/535550-hijack-log-other-stuff.html which told me exactly how to remove this annoying piece of shit once and for all. It did involve some deleting of registry entries (so make a back-up of the registry first!), but now my PC is totally shitware free :)

Hopefully this will help anyone visiting this site and prevent further heartache for those of us suffering at the hands of those useless bastards writing this spyware crap.

Peace!

14 Responses to “Bloody ctpmon.exe Spyware!”

  1. Ultra-L0rd says:

    Ha haha shame dude..
    But hey spyware is a real biatch that can really own your pc >< .
    But, we all know where spyware comes from don’t we?! *cough* porn sites *cough* :)

    Just playing man, glad you got it sorted out. Just a tip, Google takes the heading of an article quite seriously. So if you wanted others to search and find the same thing, you probably want to make the heading more helpful, i.e. ctpmon.exe spy problem, or whatever.

    Also try to give more teched-out detail next time, want to start a technical section.

    Just stay away from those hentai sites :)

  2. sky says:

    And UL if I find out there is Spyware on your PC… You will be googling your ass for tech support once I am done with you!

    …and then I will be knocking on Gandhi’s door for those Manga/Hentai/Naruto files that UL downloaded … mmm… JJ

    BUT I do wonder why spyware always seems to happen to guys PC and not chicks PC…mmm…
    :)

  3. Gandhi says:

    Ha ha guys

    Was actually dl’ing a program, I’ll have you know :) I think it was a fake site though, opened the .exe and bam, spyware infection.

    Besides, at work, not a good idea to be checking out porn, the office is open plan, so everyone can see what you’re up to :P

  4. Mr. Harris says:

    Aaah Internet porn! the art of typing with one hand! …jj…

    I also seem to be picking these bastards up all the time. Recently had something called a BHO, it’s still here in fact, just disabled thanks to a little freeware program called BHODemon (I know, sounds like a virus on its own). They can be contracted in many ways so I’ll believe Gandhi’s story.

  5. NEIL SEQUEIRA says:

    Same bich is in my PC. ctpmon.exe, I knew it was spyware, by the way how to remove it? Antivirus cannot remove it, nor any removal tool. fookin nerds. Why the hell they visit spyware sites.

  6. Mark says:

    EASY FIX FOR CTPMON.EXE:

    I got the malware file “ctpmon.exe” - “System Registry Cleaner” - displays a red shield with a white X in the system tray (looks like the Windows Security Center icon).

    Tried Grisoft AVG anti-virus, Webroot SpySweeper, and Lavasoft Ad-Aware SE - none would fix it.

    Could not delete the file. When I force-terminated the process using TaskInfo, it would simply restart. When I disabled ctpmon.exe startup using MS System Configuration Utility (MSConfig), it just restored itself after reboot.

    Here’s the fix: ctpmon.exe only infects the Windows logon “User Account” where it originated. Simply logon using a different User Account, and delete the file “C:\windows\system32\ctpmon.exe” (NOT “ctfmon.exe”). Of course, the infected User Account must NOT be active when you do it (must be completely logged-off).

    Worked for me (running Windows XP Home SP2).

  7. Gandhi says:

    For anyone having problems accessing MegaBlast’s post, I’ve taken the liberty of copying the post here. Once again, all credit to MegaBlast.

    “I just found your thread whilst looking to see if the ctpmon.exe was the cause of the problem.

    The pop-up box you are seeing is the ctpmon.exe process. It is very easy to get rid of (so far it hasn’t returned).

    Firstly, in Windows Explorer browse to c:\windows\system32 and find the file ctpmon.exe.
    Rename this file to something else.

    Then open regedit and go to:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    and delete any keys mentioning ctpmon.exe, then go to:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    and repeat the delete.”

    This worked perfectly for me, but as I said, if anything fucks up, make sure you have a backup of your registry. :)

  8. huggie says:

    Too bad it won’t let me rename or do anything related to ctpmon in the system32 dir, and regedit can’t find any keys?! Maybe system restore? But will it be piggy’d with sys resto as well? Lots of questions I know, but I’m sure someone has a fix.

  9. huggie says:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:49:48 AM, on 2/13/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\uTorrent\utorrent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\”my name was here”\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll
    O4 - HKLM\..\Run: [RaidTool] “C:\Program Files\VIA\RAID\raid_tool.exe”
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe “C:\WINDOWS\System32\obgvglfd.dll”,setvm
    O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
    O4 - HKLM\..\RunServices: [Windows Network Security] taskmngr.exe
    O4 - HKCU\..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136258431734
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

  10. Ultra-L0rd says:

    Hey,
    I’ve had huge spyware problems before. There is an easy way to fix most spyware.
    Step 1: Boot into Windows via safe mode (safe mode runs on required Windows system files) so it won’t try to boot up any added extras, including spyware.

    Step 2: If you know what the file is, remove it from your System32 directory as well as anywhere else it might be found. Just run a full scan of your system. (When searching, search for bits of the file name, i.e. search for *cptm*.*; sometimes it creates a duplicate in your boot, so that it just re-installs itself.)

    Step 3: Go to regedit and search for that file name again. Delete it wherever you see it (back up the registry first).
    This should remove the spyware.

    PLEASE NOTE!! When your spyware has a similar filename to a system file, Make sure you are deleting the right file.. for eg. the svchost spyware. Delete the SVCHOST.exe files and NOT svchost.exe files.

    Hope this helps
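
The lookalike-name check that the post and comment 10 describe (ctpmon.exe imitating ctfmon.exe), applied to HijackThis `O4` autorun lines in the format of the log in comment 9. This is an added example, not part of the original post or any commenter's words; the allow-list `KNOWN_SYSTEM`, the function names and the sample log lines are constructed for illustration.

```python
import re

# Assumed allow-list of genuine Windows binaries whose names get imitated.
KNOWN_SYSTEM = {"ctfmon.exe", "svchost.exe", "taskmgr.exe", "explorer.exe",
                "rundll32.exe", "winlogon.exe", "lsass.exe", "services.exe"}

# HijackThis autorun line, e.g.:  O4 - HKLM\..\Run: [Name] command
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First file name ending in .exe inside the command (path and quotes skipped).
EXE_NAME = re.compile(r'([^\\/"\s]+\.exe)\b', re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1,
                                       prev + (ca != cb))
    return row[len(b)]

def lookalike_autoruns(log_text, max_distance=1):
    """Return (hive, key, entry, exe, imitated) for near-miss autorun names."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        exe_m = EXE_NAME.search(m["cmd"]) if m else None
        if not exe_m:
            continue
        exe = exe_m.group(1).lower()   # Windows file names are case-insensitive
        if exe in KNOWN_SYSTEM:
            continue                   # exact name; its path is not checked here
        for legit in sorted(KNOWN_SYSTEM):
            if edit_distance(exe, legit) <= max_distance:
                findings.append((m["hive"], m["key"], m["name"], exe, legit))
                break
    return findings

# Constructed sample lines in HijackThis format (not taken from a real machine).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SystemCleaner] C:\WINDOWS\system32\ctpmon.exe
O4 - HKLM\..\RunServices: [Updater] "C:\Program Files\Example\taskmngr.exe"
O23 - Service: Example Service - Example Corp - C:\Program Files\Example\svc.exe
"""

if __name__ == "__main__":
    for finding in lookalike_autoruns(SAMPLE_LOG):
        print(finding)
```

A hit only means the name is one edit away from a system binary, so each flagged entry still needs its file and registry value reviewed before anything is deleted.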

  11. Mark says:

    Hmmm. No feedback on my “EASY FIX FOR CTPMON.EXE” above.

    Been almost a month - ctpmon is still history.

    Safe Mode may work just as well as a different logon.

    I did not need to make any Registry changes to be rid of ctpmon.

  12. Ultra-L0rd says:

    At one point we were getting about 40-50 hits a day to this page alone.
    Now no one is coming..

    But thanks for the input.
    If you ever get any other spyware problems, just post it here.

  13. Gandhi says:

    Oh well, suppose we have to get more spyware then :P

  14. svchost.exe says:

    You should definitely find a better job… actually that was pretty well written :) I hate svchost sometimes btw.
