#66736 - 2002-06-14 05:59 AM Re: Removal of Comet Cursor and Gator
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
Lonkero,

Hmmm.. That is interesting.. I did not pick that up with Ad-Aware nor my reg snapshot util..

I will have to check into this tomorrow.

Kent
_________________________
Utilize these resources:
UDFs (Full List)
KiXtart FAQ & How to's

Top
#66737 - 2002-06-15 12:43 AM Re: Removal of Comet Cursor and Gator
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11628
Loc: CA
Radimus,

Please check or review your code. Not sure if it is your code or a poor copying of the code on my part [Frown] But I have just spent the past few hours trying to restore the deletion of 30GB of data from my 80GB drive. Luckily I killed the script before the entire drive disappeared. [Eek!]

At this time, I'm not sure if it was me or the posted code, but it is a file deleting son of a gun.

Top
#66738 - 2002-06-15 12:49 AM Re: Removal of Comet Cursor and Gator
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
I hadn't tested any of it... the deleting portion is from a UDF from here that I cut 'n pasted in...

Did you supply a $gatordir... perhaps the UDF goes ape when passed a null and it starts recursing at the root of c: ?? I dunno, I've never used it.
_________________________
How to ask questions the smart way <-----------> Before you ask

Top
#66739 - 2002-06-15 12:57 AM Re: Removal of Comet Cursor and Gator
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
DOC, you should have in your signature:

"cautiousness is my middle name!"

no time for laughter but can't be just silent...
_________________________
!

download KiXnet

Top
#66740 - 2002-06-14 02:30 PM Re: Removal of Comet Cursor and Gator
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
Maybe revert back to my code. [Big Grin] [Big Grin] [Big Grin]

I know it is fat, but works great with the exception of what I stated about the folder removal. To that end, we may need to do the following:
  • Check for other running tasks
  • After ending the "Gator-Related" programs, put a couple of second wait until we delete files
  • RD /S /Q is pretty dangerous! We need some safety built in.
Wait a second..
Going back and re-reading your message from the Support people at Gator worries me that we are not completely closing things down...

quote:

Which of our program(s) do you have; Gator eWallet, OfferCompanion, Date
Manager, Precision Time, etc.?

Here are my couple of pennies for thought.
Kent

Thanks,

Kent

[ 14 June 2002, 14:32: Message edited by: kdyer ]

Top
#66741 - 2002-06-14 03:42 PM Re: Removal of Comet Cursor and Gator
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
You might want to look at my UpdateFileOnReboot() UDF which enables you to replace in-use-files during a reboot. With a slight modification, it could also be used to delete an in-use-file.
_________________________
There are two types of vessels, submarines and targets.

Top
#66742 - 2002-06-14 03:47 PM Re: Removal of Comet Cursor and Gator
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
Kent, wasn't it just that directory which did not disappear?
Why can't it be removed just with
runonce="%comspec% rmdir" ?

Top
#66743 - 2002-06-14 04:06 PM Re: Removal of Comet Cursor and Gator
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Jooel,
I believe the load order may not be in your favor. If there are files that load from RunServices or the HKCC, these are already loaded before the Run key is processed.

I do not address Gator specifically but rather services in general.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#66744 - 2002-06-14 04:11 PM Re: Removal of Comet Cursor and Gator
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
hey...

With a happy collection of UDFs, I have my own Spyware.

Useful to see if gator.exe is running (or freecell.exe)

I have modified the ping() UDF a little, but I need to update it more to use the WSHPipe() instead of a temp file...

Happy spying [Smile]

BTW,
quote:

habbed is up at 164.51.34.115 explorer.exe is running. PID is 1104
hendersr is up at 164.51.34.48 explorer.exe is running. PID is 684
artuznac is up at 164.51.34.41
thornhij is up at 164.51.34.100 explorer.exe is running. PID is 1156

blank replies for explorer.exe should mean the machine isn't logged on.

quote:

valdesm is up at 164.51.34.78 Script error : unknown command !
$processes=GetObject("winmgmts:{impersonationLevel=impersonate}!//$COMPUTER").ExecQuery("$pidselect")

is because, for some reason, ping() is returning an IP while the PC is turned off

code:
$Group=Groupmembers("fdhc", "area06med-longterm",2)
$app="gator.exe"

; report every group member that answers a ping and, if found, the PID of $app
for each $member in $group
    ? $member
    $p=ping($member)
    if $p
        " is up at $p "
        $l=listproc("$member","$app")
        if $l
            " $app is running. PID is $l"
        endif
    endif
next
gets $k

; ************************************************************************************************************
; Ping() - returns the IP address of $Computer, or 0 if the request timed out
function Ping($Computer)
    dim $ip, $ipfile, $err
    $ipfile = 'c:\ip.txt'
    ; line 1 of the temp file: the address shown in [brackets]; line 2: written only on "Request timed out"
    shell '%Comspec% /q /e:1024 /c for /F "tokens=2 delims=[]" %%i IN ('+ chr(39) + '"ping $Computer -n 1 | find "]""' + chr(39) + ') do echo %%i >' + $ipfile
    shell '%Comspec% /q /e:1024 /c for /F %%i IN ('+ chr(39) + '"ping $Computer -n 1 | find "Request timed out""' + chr(39) + ') do echo %%i >>' + $ipfile
    $ = open(10,$ipfile,2)
    $ip = readline(10)
    $err = readline(10)
    $ = close(10)
    del $ipfile
    if $err $ping=0 return endif
    $ping=$ip
endfunction

; LISTPROC() - returns the PID of process $PROC on $COMPUTER (via WMI), or nothing if it is not running
FUNCTION LISTPROC($COMPUTER,$PROC)
    dim $pidselect, $wmi, $processes, $process
    $pidselect="select * from Win32_Process where Name='$PROC'"
    ; connect first and check the result, so an unreachable PC returns an error code
    ; instead of stopping the script at .ExecQuery()
    $wmi=GetObject("winmgmts:{impersonationLevel=impersonate}!//$COMPUTER")
    if vartype($wmi) <> 9 exit(@error) endif
    $processes=$wmi.ExecQuery("$pidselect")
    if $processes
        For each $Process in $processes
            $Listproc=$Process.ProcessId
        Next
    endif
    $processes=""
    $wmi=""
ENDFUNCTION

; Groupmembers() - returns an array of the members of $group in domain/computer $target
;   $flag bits: 1 = all members, 2 = users only, 4 = groups only; 8 = return ADsPath, 16 = return object
Function Groupmembers($target, $group, optional $flag)
    DIM $temparray[8], $member, $i, $chunk, $flag, $ADSIFlag, $filterFlag
    $chunk = ubound($temparray)
    $flag = val($flag)
    $i = 0
    $group = getobject("WinNT://$target/$group")
    if vartype($group) <> 9 exit(@error) endif
    select
        case $flag & 1 $filterflag = 1
        case $flag & 2 $filterflag = 2
        case $flag & 4 $filterflag = 4
        case 1 $filterflag = 1
    endselect
    select
        case $flag & 8 $ADSIFlag = 8
        case $flag & 16 $ADSIFlag = 16
    endselect
    for each $member in $group.members
        ; names ending in "$" are skipped in every branch
        select
            case $filterflag = 2 AND $member.class = "user"
                if substr($member.name,len($member.name),1) <> "$"
                    $temparray[$i] = $member.name
                    select
                        case $adsiflag = 8 $temparray[$i] = $member.adspath
                        case $adsiflag = 16 $temparray[$i] = $member
                    endselect
                    $i = $i + 1
                endif
            case $filterflag = 4 AND $member.class = "Group"
                if substr($member.name,len($member.name),1) <> "$"
                    $temparray[$i] = $member.name
                    select
                        case $adsiflag = 8 $temparray[$i] = $member.adspath
                        case $adsiflag = 16 $temparray[$i] = $member
                    endselect
                    $i = $i + 1
                endif
            case $filterflag = 1
                if substr($member.name,len($member.name),1) <> "$"
                    $temparray[$i] = $member.name
                    select
                        case $adsiflag = 8 $temparray[$i] = $member.adspath
                        case $adsiflag = 16 $temparray[$i] = $member
                    endselect
                    $i = $i + 1
                endif
            case $filterflag ;bit bucket
        endselect
        ; grow the result array in chunks as it fills up
        if $i = ubound($temparray) redim preserve $temparray[Ubound($temparray)+$chunk] endif
    next
    if $i <> 0 redim preserve $temparray[$i-1] $groupmembers=$temparray endif
endfunction

BTW2: there is no deleting of files here (except the temp that ping() uses ) [Big Grin]

fixed the detection of cached IP addresses...

[ 14 June 2002, 17:02: Message edited by: Radimus ]

Top
#66745 - 2002-06-14 07:34 PM Re: Removal of Comet Cursor and Gator
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11628
Loc: CA
hehehe... was just trying to help Kent out and finish off the code that Radimus had. I simply took it at face value... Wow!, that was a mistake. Don't trust UDF Code that deletes files without testing and making sure you have plugged in all the right information to the variables. [Eek!]

Anyway... Easy Recovery Pro came to my rescue and restored all the files. Had to track down some in renamed lost folder names, but seems I got back all the data. [Big Grin]

Kent, I agree... I'll be using my own tested methods for now to do "recursive" file/folder deletes until I'm more comfortable that I have tested that kind of UDF code.

Go on Lonk, LAUGH.... [Big Grin] I'm still here and up and running.

Top
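The failure discussed in the posts above (a recursive-delete UDF possibly handed an empty $gatordir, and the point that RD /S /Q needs some safety built in) comes down to validating the target before any recursive delete runs. The following is an added example, not code from any poster in this thread: a Python dry-run guard whose function names are hypothetical and whose allowlist reuses the three folders reported by the Ad-Aware folder scan posted in this thread.

```python
from pathlib import PureWindowsPath

# Folders reported by the Ad-Aware folder scan in this thread. Anything that is
# not one of these, or below one of these, is never approved for deletion.
ALLOWED_ROOTS = tuple(PureWindowsPath(p) for p in (
    r"C:\Program Files\Comet",
    r"C:\Program Files\Common Files\CMEII",
    r"C:\Program Files\Common Files\GMT",
))


class UnsafeDeleteTarget(ValueError):
    """Raised when a path must not be handed to a recursive delete."""


def validate_delete_target(raw, allowed=ALLOWED_ROOTS):
    """Return the normalized target if it is safe to delete recursively."""
    text = "" if raw is None else str(raw).strip().strip('"')
    if not text:
        # The case suspected in the thread: an unset variable reaches the
        # delete routine as an empty string and the walk starts at the root.
        raise UnsafeDeleteTarget("empty target")
    if "$" in text or "%" in text:
        # Conservative: a leftover $var or %VAR% means expansion did not happen.
        raise UnsafeDeleteTarget("unexpanded variable in target")
    path = PureWindowsPath(text)
    if not (path.drive and path.root):
        raise UnsafeDeleteTarget("target is not an absolute path")
    if ".." in path.parts:
        raise UnsafeDeleteTarget("target contains '..'")
    if len(path.parts) < 3:
        raise UnsafeDeleteTarget("target is a drive root or top-level folder")
    # PureWindowsPath compares case-insensitively, as the file system does.
    if not any(path == base or base in path.parents for base in allowed):
        raise UnsafeDeleteTarget("target is outside the allowlisted folders")
    return path


def plan_removal(candidates, allowed=ALLOWED_ROOTS):
    """Dry run: return (approved paths, [(input, reason), ...] rejections)."""
    approved, rejected = [], []
    for raw in candidates:
        try:
            approved.append(validate_delete_target(raw, allowed))
        except UnsafeDeleteTarget as exc:
            rejected.append((raw, str(exc)))
    return approved, rejected


if __name__ == "__main__":
    # Constructed inputs covering the empty-variable case and near misses.
    sample = [
        "", None, "C:\\", "C:", r"C:\Program Files",
        r"C:\Program Files\Common Files",
        r"C:\Program Files\Common Files\GMT\..\..",
        "$gatordir\\files",
        "c:\\program files\\common files\\gmt\\",
        r"C:\Program Files\Common Files\CMEII\cache",
    ]
    ok, bad = plan_removal(sample)
    for p in ok:
        print("would delete:", p)
    for raw, why in bad:
        print("refused:", repr(raw), "-", why)
```

Only the paths returned in the approved list should ever be passed on to the actual delete step; everything else is logged with its reason and left alone.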
#66746 - 2002-06-14 11:00 PM Re: Removal of Comet Cursor and Gator
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
Looks like I may have found the rogue Gator Exe -
quote:

#:25 : gmt.exe
Warning! GATOR module loaded: gmt.exe (C:\Program Files\Common Files\GMT\GMT.exe

Thanks to Ad-Aware.

Well.. That is not all.. Here are more... [Frown] Even more Gator stuff.
quote:

Scan initialized on 6/14/2002 1:52:11 PM.
(AAW release 5.8, referencefile 005-29.04.2002)
================================================

Started memory scan
====================
Running processes:

#:25 : gmt.exe
Warning! GATOR module loaded: gmt.exe (C:\Program Files\Common Files\GMT\GMT.exe)

"gmt.exe" unload successfull!

Memory scan result:
Total modules found:39
Suspicious modules found:1

Started registry scan
======================

Started extended registry scan
===============================
Gator key:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\moduleusage\C:/WINDOWS/Downloaded Program Files/IEGator.dll
Gator value:Software\Microsoft\Windows\CurrentVersion\Run:CMESys

Registry scan result:
Suspicious keys found :168

Started folder scan
====================
Warning, no disk in drive (A)

Gator file:C:\WINDOWS\GatorPlugin.log
Gator file:C:\WINDOWS\GatorSetup.log
CometCursor folder:C:\Program Files\Comet
Gator folder:C:\Program Files\Common Files\CMEII
Gator folder:C:\Program Files\Common Files\GMT
Folder scan result:
Folders processed:11572
Suspicious folders found:3

Started file scan
==================

File scan result:
Suspicious files found:43

Scanning finished
==================
Suspicious modules found:1
Suspicious keys found :168
Suspicious folders found:3
Suspicious files found:43
==========================
Components ignored:0
Total components found:215


Kent

[ 14 June 2002, 23:08: Message edited by: kdyer ]

Top
#66747 - 2002-06-15 08:19 PM Re: Removal of Comet Cursor and Gator
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
here is the next victim...

http://www.spywareinfo.com/lop.html

quote:

Lop.com

Lop.com has become one of the most hated names on the internet. All over cyberspace, from message boards to newsgroups to IRC chat rooms I've seen people begging for help in getting rid of this annoying software.

What is lop.com? Lop.com is first of all a web site owned by C2 Media. It is mainly a pay-per-click search portal where other web sites pay for each click-through to their site via lop. This isn't a terrible idea, but rather than create a quality web site to get surfers to their site and clicking those links, they instead created a program which is labeled as an mp3 search program whose installer turns the user's web browser into a device with a seemingly endless supply of links to lop.com.



Top
#66748 - 2002-06-16 08:30 AM Re: Removal of Comet Cursor and Gator
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
I read something, I think on Symantec's or NAI's site, on how to remove this manually. It is not technically a virus, even though it does take over your web browser installation.

However, I did find this interesting tidbit - GIVE LOP THE BOOT.

When my colleagues got it, it was really annoying.

Top
#66749 - 2002-06-16 09:24 PM Re: Removal of Comet Cursor and Gator
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11628
Loc: CA
Yes, LOP is a piece of junk that takes over a lot of your settings, favorites, search, etc...

I have manually removed it, but that is a pain to do as well; their own uninstaller works very well.

LOP Uninstaller

Top