Gator date/time setter

Mainframeguy

Debiant by way of Ubuntu
Joined
Aug 29, 2002
Messages
3,763
#1
OK there's this thing from Gator corp that claims to set your date time in synch accurately but is actually spyware - I have SpyBot S&D and it can clean it OK with a reboot....

then it seems to have come back (once so far). I should point out this machine gets used by my two teenage step daughters - so I regularly have to go in and run Adaware, S&D etc.... they claim to have done nothing (knowingly) to bring it back - can anyone tell me its method of entry and how to stop it recurring again, I am getting sick of taking on the cleaning of their system for them -

I've run that thing that adds the worst sites to your restricted list - so that isn't helping - any ideas appreciated, thanks in hope...
 

Mainframeguy

Debiant by way of Ubuntu
Joined
Aug 29, 2002
Messages
3,763
#3
OK thanks

Enyo said:
Read:

http://www.ntfs.org/forum/showthread.php?t=91

Please use HiJack This to generate a log file and attach it here.
You may wish to be aware the HijackThis! link is out of date (invalid for me anyway). But I will do that, not sure how it works but remember this machine is being turned over to teenagers on other accounts - so it may not help me identify, so far as I understand its operation.

I was asking here hoping someone knew specifics because when I try to add the gator site to Restricted Zone it says it is in another zone already (yet I cannot find it!) Guessing gator was aggressive enough to screw my registry to leave the "door open" again....

Here's a better link (hopefully)

and I'll attach the log - looks innocent to me now - but then I have already run S&D so do not have the pesky thing here now - will of course log again if it comes back, but that's what I am trying to stop!
 

Enyo

OSNN Veteran Addict
Joined
Feb 2, 2003
Messages
1,338
#4
Remove:

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://www.geocities.com/tentation20094/loader.cab

O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab

For:

C:\Apps\ActivBoard\nhksrv.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe

See: http://www.gank.com/spyware/HP/

Investigate:

C:\WINDOWS\system32\slserv.exe

Possible W32/Gaobot.CR
Also listed as Connectbird 56k driver component.

Misc:

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

RealPlayer process. Remove to avoid message centre ads.

O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe

See Above

O4 - HKLM\..\Run: [Ping] C:\Program Files\KaZaA Lite\ping.exe

Consider removing.

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

See Above. You can disable it.

From http://www.ntfs.org/forum/showthread.php?t=91 look at SpywareBlaster and IESPYAD.

It appears you have resident spyware protection already running. I would remove it and replace with something like AdWatch (AAW Plus) or SpywareGuard (Free)
 
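The O4 (autorun) and O16 (ActiveX "Download Program Files") lines Enyo picks out above are the two HijackThis sections where bundled adware most often shows up. The script below is an added example, not part of the thread or of HijackThis itself: it parses those two line types, pulls out the CLSID and download URL (O16) or the executable path (O4), and sorts each into remove / review / ok against a small local policy. The sample log is the five lines quoted in the post; the trusted-host, denied-host and denied-directory sets are assumed, operator-maintained lists seeded from Enyo's advice, not a published blocklist.

```python
"""Triage helper for HijackThis-style O4 (autorun) and O16 (ActiveX DPF) lines."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed input: the HijackThis lines quoted in the post above, verbatim.
SAMPLE_LOG = r"""
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://www.geocities.com/tentation20094/loader.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [Ping] C:\Program Files\KaZaA Lite\ping.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""

# Assumed local policy (hypothetical, maintained by whoever reads the logs):
# hosts whose downloaded controls are accepted, hosts and program directories
# the post above recommends removing.
TRUSTED_DPF_HOSTS = {"windowsupdate.microsoft.com", "v4.windowsupdate.microsoft.com"}
DENIED_DPF_HOSTS = {"www.geocities.com", "www.flipside.com"}
DENIED_RUN_DIRS = {r"c:\program files\kazaa lite"}

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-F-]{36}\})(?: \((.*?)\))? - (\S+)$", re.I)
O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
EXE_RE = re.compile(r'^(?:"([^"]+)"|(.+?\.exe))', re.I)


@dataclass
class Finding:
    kind: str    # "O16" or "O4"
    name: str    # CLSID (O16) or Run-key value name (O4)
    target: str  # download URL (O16) or executable path (O4)
    action: str  # "remove", "review" or "ok"


def classify_dpf(url: str) -> str:
    """Rate a remotely loaded ActiveX control by the host it was fetched from."""
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_DPF_HOSTS:
        return "ok"
    if host in DENIED_DPF_HOSTS:
        return "remove"
    return "review"  # any other remotely loaded control deserves a look


def exe_path(command: str) -> str:
    """Strip quotes and trailing arguments from a Run-key command line."""
    m = EXE_RE.match(command.strip())
    if not m:
        return command.strip()
    return m.group(1) or m.group(2)


def classify_run(path: str) -> str:
    low = path.lower()
    return "remove" if any(low.startswith(d) for d in DENIED_RUN_DIRS) else "review"


def triage(log_text: str) -> list:
    """Parse O16 and O4 lines and return one Finding per recognised entry."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O16_RE.match(line)
        if m:
            clsid, _desc, url = m.groups()
            findings.append(Finding("O16", clsid, url, classify_dpf(url)))
            continue
        m = O4_RE.match(line)
        if m:
            _hive, _key, value_name, command = m.groups()
            path = exe_path(command)
            findings.append(Finding("O4", value_name, path, classify_run(path)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.action:6} {f.kind} {f.name} -> {f.target}")
```

Anything rated "review" still needs a human decision; the script only narrows the list. Lines from other HijackThis sections (O2 BHOs, O9 toolbar buttons, R0/R1 start-page changes) are ignored here and would need their own patterns.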

Mainframeguy

Debiant by way of Ubuntu
Joined
Aug 29, 2002
Messages
3,763
#5
* impressed *

Wow! Thanks Enyo - that's kinda an impressive post - I'll work through and pay attention to all those links and keep you "posted", hopefully all will be well,

Thank you
 

Mainframeguy

Debiant by way of Ubuntu
Joined
Aug 29, 2002
Messages
3,763
#6
Mainframeguy said:
...hopefully all will be well,
and lo and behold - I allowed someone on this machine with admin privileges over the weekend at a party - and it is back. I really want to track down the point of entry of this piece of s**t. I am really fed up with removing it - it is one of the worst I have seen. There is a site (PC Pitstop) that even has pages which are dedicated to its removal and the degradation it brings to our system! These pages believe it or not are the subject of legal action by..... Gator corp!

You gotta hate those guys, no? So... if anyone can help guide me to a way to pinpoint WHO and the HOW of the entry so that I can prevent it recurring - that would be great.

(BTW Enyo - actioned most of your suggestions - and thanks!)
 

Enyo

OSNN Veteran Addict
Joined
Feb 2, 2003
Messages
1,338
#7
Gator normally finds its way onto systems via ActiveX controls on web pages. Spyware Blaster and IESPYAD should protect you from that.

The only other route would be from downloaded software, as you know it does get bundled with a few things.
 
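Both protections Enyo names work through the registry: IESPYAD fills Internet Explorer's Restricted sites zone with domains (the ZoneMap\Domains keys), and SpywareBlaster sets the "kill bit" (0x400 in "Compatibility Flags") on the CLSIDs of known ActiveX controls so the browser refuses to load them. The same ZoneMap keys are also where Mainframeguy's "it is in another zone already" message comes from: a domain already listed under Trusted sites cannot be added to Restricted sites until that entry is removed. The script below is an added example, not from the thread or from either tool: given a .reg export of those keys, it reports which zone covers a given hostname and whether a CLSID carries the kill bit. The .reg text is constructed, and the domain names in it are placeholders; the one CLSID is taken from the O16 line quoted earlier in the thread.

```python
"""Inspect a .reg export of IE's ZoneMap and ActiveX Compatibility keys."""

# Constructed .reg export (not from the thread): one domain already placed in
# the Trusted zone (the "already in another zone" case), one host restricted
# for http only, and one control with the kill bit set. Domains are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adware-vendor.example]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\www]
"http"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}]
"Compatibility Flags"=dword:00000400
"""

# Relative path under HKCU or HKLM; the HKLM copy is used when the
# Security_HKLM_only policy is in force.
ZONEMAP_DOMAINS = "\\software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\"
ACTIVEX_COMPAT = "hkey_local_machine\\software\\microsoft\\internet explorer\\activex compatibility\\"
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
KILLBIT = 0x400  # COMPAT_FLAG_KILLBIT: never load this control in IE


def parse_reg(text: str) -> dict:
    """Minimal .reg reader: {lower-cased key path: {value name: int|str}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line and line[0] in '"@':
            name, _, val = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = int(val[6:], 16) if val.startswith("dword:") else val.strip('"')
    return keys


def zone_of(hostname: str, keys: dict) -> dict:
    """Return {scheme: zone name} for the most specific ZoneMap entry covering hostname."""
    host = hostname.lower()
    labels = host.split(".")
    candidates = [host]                                  # Domains\www.example.com
    if len(labels) > 2:
        parent = ".".join(labels[1:])
        candidates.append(parent + "\\" + labels[0])     # Domains\example.com\www
        candidates.append(parent)                        # Domains\example.com (= *.example.com)
    result = {}
    for hive in ("hkey_current_user", "hkey_local_machine"):
        for tail in candidates:
            for scheme, zone in keys.get(hive + ZONEMAP_DOMAINS + tail, {}).items():
                if isinstance(zone, int):
                    result.setdefault(scheme, ZONE_NAMES.get(zone, f"zone {zone}"))
    return result


def killbit_set(clsid: str, keys: dict) -> bool:
    """True when the ActiveX Compatibility entry for clsid has the kill bit."""
    flags = keys.get(ACTIVEX_COMPAT + clsid.lower(), {}).get("Compatibility Flags", 0)
    return isinstance(flags, int) and bool(flags & KILLBIT)


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for host in ("adware-vendor.example", "www.example.test", "nothing.example"):
        print(host, zone_of(host, reg) or "no ZoneMap entry")
    print("kill bit:", killbit_set("{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}", reg))
```

To use it on a real machine, export the two keys with regedit (or `reg export`) and feed the file to `parse_reg`. A hostname that comes back as "Trusted sites" when you expected to add it to Restricted sites is the entry the "already in another zone" dialog is complaining about.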
