Gator date/time setter

Discussion in 'Windows Desktop Systems' started by Mainframeguy, Feb 3, 2004.

  1. Mainframeguy

    Mainframeguy Debiant by way of Ubuntu Folding Team

    Messages:
    3,763
    Location:
    London, UK
    OK there's this thing from Gator corp that claims to set your date time in synch accurately but is actually spyware - I have SpyBot S&D and it can clean it OK with a reboot....

    then it seems to have come back (once so far). I should point out this machine gets used by my two teenage step daughters - so I regularly have to go in and run Adaware, S&D etc.... they claim to have done nothing (knowingly) to bring it back - can anyone tell me its method of entry and how to stop it recurring again, I am getting sick of taking on the cleaning of their system for them -

    I've run that thing that adds the worst sites to your restricted list - so that isn't helping - any ideas appreciated, thanks in hope...
     
  2. Enyo

    Enyo Moderator

    Messages:
    1,338
  3. Mainframeguy

    Mainframeguy Debiant by way of Ubuntu Folding Team

    Messages:
    3,763
    Location:
    London, UK
    OK thanks

    You may wish to be aware the HijackThis link is out of date (invalid for me anyway). But I will do that, not sure how it works but remember this machine is being turned over to teenagers on other accounts - so it may not help me identify, so far as I understand its operation.

    I was asking here hoping someone knew specifics because when I try to add the gator site to Restricted Zone it says it is in another zone already (yet I cannot find it!) Guessing gator was aggressive enough to screw my registry to leave the "door open" again....

    Here's a better link (hopefully)

    and I'll attach the log - looks innocent to me now - but then I have already run S&D so do not have the pesky thing here now - will of course log again if it comes back, but that's what I am trying to stop!
     

  4. Enyo

    Enyo Moderator

    Messages:
    1,338
    Remove:

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://www.geocities.com/tentation20094/loader.cab

    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab

    For:

    C:\Apps\ActivBoard\nhksrv.exe
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Apps\ActivBoard\OSD.exe

    See: http://www.gank.com/spyware/HP/

    Investigate:

    C:\WINDOWS\system32\slserv.exe

    Possible W32/Gaobot.CR
    Also listed as Connectbird 56k driver component.

    Misc:

    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    RealPlayer Process. Remove to avoid message centre ads.

    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe

    See Above

    O4 - HKLM\..\Run: [Ping] C:\Program Files\KaZaA Lite\ping.exe

    Consider removing.

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    See Above. You can disable it.

    From http://www.ntfs.org/forum/showthread.php?t=91 look at SpywareBlaster and IESPYAD.

    It appears you have resident spyware protection already running. I would remove it and replace with something like AdWatch (AAW Plus) or SpywareGuard (Free)
     
  5. Mainframeguy

    Mainframeguy Debiant by way of Ubuntu Folding Team

    Messages:
    3,763
    Location:
    London, UK
    * impressed *

    Wow! Thanks Enyo - that's kinda an impressive post - I'll work through and pay attention to all those links and keep you "posted", hopefully all will be well,

    Thank you
     
  6. Mainframeguy

    Mainframeguy Debiant by way of Ubuntu Folding Team

    Messages:
    3,763
    Location:
    London, UK
    and lo and behold - I allowed someone on this machine with admin privileges over the weekend at a party - and it is back. I really want to track down the point of entry of this piece of s**t. I am really fed up with removing it - it is one of the worst I have seen. There is a site (PC Pitstop) that even has pages which are dedicated to its removal and the degradation it brings to our system! These pages believe it or not are the subject of legal action by..... Gator corp!

    You gotta hate those guys, no? So... if anyone can help guide me to a way to pinpoint WHO and the HOW of the entry so that I can prevent it recurring - that would be great.

    (BTW Enyo - actioned most of your suggestions - and thanks!)
     
  7. Enyo

    Enyo Moderator

    Messages:
    1,338
    Gator normally finds its way onto systems via ActiveX controls on web pages. Spyware Blaster and IESPYAD should protect you from that.

    The only other route would be from downloaded software, as you know it does get bundled with a few things.
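As an added example (not from this thread or from any of the tools named in it), the script below parses the O16 (ActiveX download) and O4 (autorun) lines Enyo quoted from the HijackThis log, flags any control fetched from a host outside a trusted list, and prints the Internet Explorer kill-bit registry key for each flagged CLSID, which is the same mechanism SpywareBlaster uses to block ActiveX installs. The trusted-host list is an assumption to adjust per environment; the log lines are constructed from the ones posted above.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the O16/O4 lines quoted in this thread, as HijackThis prints them
SAMPLE_LOG = r"""
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://www.geocities.com/tentation20094/loader.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""

# Hosts an ActiveX download is expected from (assumption: tune this for your own environment)
TRUSTED_HOSTS = ("windowsupdate.com", "microsoft.com")
# Where IE looks for the ActiveX kill bit: "Compatibility Flags" = 0x400 under the CLSID blocks it
KILLBIT_BASE = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")
O4_RE = re.compile(r"^O4 - ([^:]+): \[([^\]]*)\] (.+)$")
# Split an autorun command into its executable and arguments (quoted or bare path)
CMD_RE = re.compile(r'^(?:"([^"]+)"|(.*?\.(?:exe|dll|scr|com)))(?:\s+(.*))?$', re.I)

def parse_hjt(text):
    """Parse O16 (ActiveX download) and O4 (autorun) log lines into dicts."""
    entries = []
    for line in text.splitlines():
        m = O16_RE.match(line)
        if m:
            clsid, name, url = m.groups()
            host = urlparse(url).hostname or ""
            entries.append({
                "type": "O16", "clsid": clsid.upper(), "name": name or "", "url": url,
                "trusted": host.endswith(TRUSTED_HOSTS),
                "killbit_key": KILLBIT_BASE + "\\" + clsid.upper(),
            })
            continue
        m = O4_RE.match(line)
        if m:
            key, label, cmd = m.groups()
            c = CMD_RE.match(cmd.strip())
            path = (c.group(1) or c.group(2)) if c else cmd
            args = (c.group(3) or "") if c else ""
            entries.append({"type": "O4", "key": key, "label": label, "path": path, "args": args})
    return entries

def untrusted_controls(entries):
    """O16 entries that deserve a kill bit: anything not served from a trusted host."""
    return [e for e in entries if e["type"] == "O16" and not e["trusted"]]

if __name__ == "__main__":
    for e in untrusted_controls(parse_hjt(SAMPLE_LOG)):
        print(f'{e["clsid"]} {e["name"] or "(unnamed)"} <- {e["url"]}')
        print(f'  kill bit: {e["killbit_key"]}  "Compatibility Flags"=dword:00000400')
```

Both O16 entries in the sample are flagged because neither geocities.com nor flipside.com is on the trusted list; the O4 entries are parsed into path and arguments so they can be compared against a known-good list of startup items.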