Gator date/time setter

Mainframeguy

OK there's this thing from Gator corp that claims to set your date time in synch accurately but is actually spyware - I have SpyBot S&D and it can clean it OK with a reboot....

then it seems to have come back (once so far). I should point out this machine gets used by my two teenage step daughters - so I regularly have to go in and run Adaware, S&D etc.... they claim to have done nothing (knowingly) to bring it back - can anyone tell me its method of entry and how to stop it recurring again, I am getting sick of taking on the cleaning of their system for them -

I've run that thing that adds the worst sites to your restricted list - so that isn't helping - any ideas appreciated, thanks in hope...
 
OK thanks

Enyo said:
Read:

http://www.ntfs.org/forum/showthread.php?t=91

Please use HiJack This to generate a log file and attach it here.
You may wish to be aware the hijackThis! link is out of date (invalid for me anyway). But I will do that, not sure how it works but remember this machine is being turned over to teenagers on other accounts - so it may not help me identify, so far as I understand its operation.

I was asking here hoping someone knew specifics because when I try to add the gator site to Restricted Zone it says it is in another zone already (yet I cannot find it!) Guessing gator was aggressive enough to screw my registry to leave the "door open" again....

Here's a better link (hopefully)

and I'll attach the log - looks innocent to me now - but then I have already run S&D so do not have the pesky thing here now - will of course log again if it comes back, but that's what I am trying to stop!
 

Attachment: hijackthislog.txt (7.8 KB)

Remove:

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://www.geocities.com/tentation20094/loader.cab

O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab

For:

C:\Apps\ActivBoard\nhksrv.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe

See: http://www.gank.com/spyware/HP/

Investigate:

C:\WINDOWS\system32\slserv.exe

Possible W32/Gaobot.CR
Also listed as Connectbird 56k driver component.

Misc:

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

RealPlayer Process. Remove to avoid message centre ads.

O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe

See Above

O4 - HKLM\..\Run: [Ping] C:\Program Files\KaZaA Lite\ping.exe

Consider removing.

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

See Above. You can disable it.

From http://www.ntfs.org/forum/showthread.php?t=91 look at SpywareBlaster and IESPYAD.

It appears you have resident spyware protection already running. I would remove it and replace with something like AdWatch (AAW Plus) or SpywareGuard (Free)
 
* impressed *

Wow! Thanks Enyo - that's kinda an impressive post - I'll work through and pay attention to all those links and keep you "posted", hopefully all will be well,

Thank you
 
Mainframeguy said:
...hopefully all will be well,

and lo and behold - I allowed someone on this machine with admin privileges over the weekend at a party - and it is back. I really want to track down the point of entry of this piece of s**t. I am really fed up with removing it - it is one of the worst I have seen. There is a site (PC Pitstop) that even has pages which are dedicated to its removal and the degradation it brings to our system! These pages believe it or not are the subject of legal action by..... Gator corp!

You gotta hate those guys, no? So... if anyone can help guide me to a way to pinpoint WHO and the HOW of the entry so that I can prevent it recurring - that would be great.

(BTW Enyo - actioned most of your suggestions - and thanks!)
 
Gator normally finds its way onto systems via ActiveX controls on web pages. Spyware Blaster and IESPYAD should protect you from that.

The only other route would be from downloaded software, as you know it does get bundled with a few things.
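
An added example, not part of the thread and not HijackThis's own code: one way to pinpoint what was installed between cleanings is to save a HijackThis log while the machine is clean and diff its O4 (autostart) and O16 (ActiveX "Downloaded Program Files") lines against a later log. The baseline lines are quoted from the thread; the later log, its CLSID, names and URL are constructed placeholders, and the function names are assumptions.

```python
import re

# HijackThis section codes seen in this thread:
#   O4  = autostart entry (Run key)
#   O16 = DPF, "Downloaded Program Files": ActiveX controls installed from a web page
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")
O4_RE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")


def parse_entries(log_text):
    """Return {(section, key): description} for the O4 and O16 lines of a log."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O16_RE.match(line)
        if m:
            clsid, name, url = m.groups()
            entries[("O16", clsid.upper())] = f"ActiveX {name or '(unnamed)'} from {url}"
            continue
        m = O4_RE.match(line)
        if m:
            hive, value, command = m.groups()
            entries[("O4", f"{hive}:{value}".lower())] = f"autostart {command}"
    return entries


def new_entries(before_log, after_log):
    """Entries present in the later log but absent from the earlier (clean) one."""
    before, after = parse_entries(before_log), parse_entries(after_log)
    return {k: v for k, v in after.items() if k not in before}


# Baseline: lines quoted in the thread.
CLEAN_LOG = r"""
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
"""
# Later log: CONSTRUCTED sample; the two added lines are placeholders, not real indicators.
LATER_LOG = CLEAN_LOG + r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://example.invalid/setup.cab
"""

if __name__ == "__main__":
    for (section, key), what in sorted(new_entries(CLEAN_LOG, LATER_LOG).items()):
        print(section, key, "->", what)
```

A new O16 line points to a control installed from a web page, and its URL shows which site served it; a new O4 line with no matching O16 entry points to the bundled-software route instead.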
 