February 3rd, 2004 | #1

OSNN Folding Team  
Mainframeguy's Avatar
Debiant by way of Ubuntu
Joined: August 2002
Location: London, UK
Posts: 3,763
Blog Entries: 5
Reputation: 1390
Power: 169

Gator date/time setter

OK there's this thing from Gator corp that claims to set your date time in synch accurately but is actually spyware - I have SpyBot S&D and it can clean it OK with a reboot....

Then it seems to have come back (once so far). I should point out this machine gets used by my two teenage stepdaughters - so I regularly have to go in and run Adaware, S&D etc.... they claim to have done nothing (knowingly) to bring it back - can anyone tell me its method of entry and how to stop it recurring again, I am getting sick of taking on the cleaning of their system for them -

I've run that thing that adds the worst sites to your restricted list - so that isn't helping - any ideas appreciated, thanks in hope...
February 3rd, 2004 | #2
 
Enyo's Avatar
OSNN Veteran Addict
Joined: February 2003
Posts: 1,338
Reputation: 330
Power: 130


Read:

http://www.ntfs.org/forum/showthread.php?t=91

Please use HiJack This to generate a log file and attach it here.
February 3rd, 2004 | #3

Mainframeguy

OK thanks

Originally Posted by Enyo
Read:

http://www.ntfs.org/forum/showthread.php?t=91

Please use HiJack This to generate a log file and attach it here.

You may wish to be aware the hijackThis! link is out of date (invalid for me anyway). But I will do that, not sure how it works but remember this machine is being turned over to teenagers on other accounts - so it may not help me identify, so far as I understand its operation.

I was asking here hoping someone knew specifics because when I try to add the gator site to Restricted Zone it says it is in another zone already (yet I cannot find it!) Guessing gator was aggressive enough to screw my registry to leave the "door open" again....

Here's a better link (hopefully)

and I'll attach the log - looks innocent to me now - but then I have already run S&D so do not have the pesky thing here now - will of course log again if it comes back, but that's what I am trying to stop!
Attached Files
File Type: txt hijackthislog.txt (7.8 KB, 60 views)
February 3rd, 2004 | #4
 
Enyo


Remove:

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://www.geocities.com/tentation20094/loader.cab

O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab

For:

C:\Apps\ActivBoard\nhksrv.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe

See: http://www.gank.com/spyware/HP/

Investigate:

C:\WINDOWS\system32\slserv.exe

Possible W32/Gaobot.CR
Also listed as Connectbird 56k driver component.

Misc:

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

RealPlayer process. Remove to avoid message centre ads.

O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe

See Above

O4 - HKLM\..\Run: [Ping] C:\Program Files\KaZaA Lite\ping.exe

Consider removing.

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

See Above. You can disable it.

From http://www.ntfs.org/forum/showthread.php?t=91 look at SpywareBlaster and IESPYAD.

It appears you have resident spyware protection already running. I would remove it and replace with something like AdWatch (AAW Plus) or SpywareGuard (Free).
February 3rd, 2004 | #5

Mainframeguy

* impressed *

Wow! Thanks Enyo - that's kinda an impressive post - I'll work through and pay attention to all those links and keep you "posted", hopefully all will be well,

Thank you
March 1st, 2004 | #6

Mainframeguy


Originally Posted by Mainframeguy
...hopefully all will be well,

and lo and behold - I allowed someone on this machine with admin privileges over the weekend at a party - and it is back. I really want to track down the point of entry of this piece of s**t. I am really fed up with removing it - it is one of the worst I have seen. There is a site (PC Pitstop) that even has pages which are dedicated to its removal and the degradation it brings to our system! These pages believe it or not are the subject of legal action by..... Gator corp!

You gotta hate those guys, no? So... if anyone can help guide me to a way to pinpoint WHO and the HOW of the entry so that I can prevent it recurring - that would be great.

(BTW Enyo - actioned most of your suggestions - and thanks!)
March 2nd, 2004 | #7
 
Enyo


Gator normally finds its way onto systems via ActiveX controls on web pages. Spyware Blaster and IESPYAD should protect you from that.

The only other route would be from downloaded software, as you know it does get bundled with a few things.
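
Posts #4 and #7 turn on two HijackThis sections: O16 (ActiveX controls installed from web pages, the entry route named in post #7) and O4 (registry autostart entries). As an added example, not part of any poster's reply, this Python script parses both line types from the lines quoted in post #4 and lists every entry that is not on an allowlist; the function names and the allowlist parameters are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# O16: ActiveX control in Downloaded Program Files -> CLSID, optional name, codebase URL
O16 = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")
# O4: registry autostart -> hive, key, value name, command line
O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
# Executable path: quoted, or unquoted up to the first ".exe"
EXE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)

# The O16 and O4 lines quoted in post #4 of this thread.
SAMPLE_LOG = r'''
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://www.geocities.com/tentation20094/loader.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [Ping] C:\Program Files\KaZaA Lite\ping.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
'''

def parse_line(line):
    """Return a dict for an O4 or O16 line, or None for anything else."""
    line = line.strip()
    m = O16.match(line)
    if m:
        return {"kind": "activex", "clsid": m.group(1), "name": m.group(2),
                "url": m.group(3), "host": urlparse(m.group(3)).hostname}
    m = O4.match(line)
    if m:
        exe = EXE.match(m.group(4))
        path = (exe.group(1) or exe.group(2)) if exe else m.group(4)
        return {"kind": "autostart", "hive": m.group(1), "name": m.group(3), "path": path}
    return None

def needs_review(log_text, trusted_hosts=(), trusted_dirs=()):
    """List ActiveX and autostart entries that are not on the caller's allowlists."""
    dirs = tuple(d.lower() for d in trusted_dirs)  # hypothetical allowlist of install dirs
    flagged = []
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        if entry["kind"] == "activex":
            ok = entry["host"] in trusted_hosts    # hypothetical allowlist of codebase hosts
        else:
            ok = entry["path"].lower().startswith(dirs)
        if not ok:
            flagged.append(entry)
    return flagged

if __name__ == "__main__":
    for e in needs_review(SAMPLE_LOG):
        print(e["kind"], e["name"], e.get("url") or e["path"])
```

Comparing the flagged list from a log taken right after a clean-up with one taken after the machine has been used shows which control or autostart entry appeared in between.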
