My clock has been hijacked again

[SemperFi]

It doesn't happen very often usually every 3 - 4 months. Usually a scan of adaware and spybot on my user and the wifes user takes care of it.

Today the clock starts going fast. I scan with spybot and adaware on my user and get rid of a bunch of crap. I go to my wifes user and run adaware then spybot. Well spybot finds 47 things and locks while trying to erase it. I went to safe mode same problem. Finally I erase all of her cookies using the tools in IE. Spybot comes back with a clean bill in her user. Well the clock is still ticking the time fast.

Is there another program to use? This really pi$$es me off. you would think these jacka$$es could do something more productive with their time.

 

[imported_Salvatore]

Try using HijackThis. Google it, I don't have a link. Then, search for that term on this forum or the Software - Apps forum, and see what you have to look for.

 

[mechBgon]

If your OS happens to be WinXP Professional or Win2000 Professional, then I'd suggest making a Limited account (or in Win2000Pro it's called a "Restricted-User" account) for your wife and also for each other person who uses the computer, because that stuff doesn't just fall from the sky usually. WinXP Home makes everyone an Admin, so if you have Home, then that won't work. Limited/Restricted-User accounts lack the privilege level that's needed to install software, including spyware/adware, so it's a nice safety net for people who don't know better.

Secure the Administrator-class account(s) with a strong password so it's tightened up against software that might try the administrative shares as a work-around.

McAfee VirusScan 8.0 Professional comes with a 2-computer license and watches for spyware/adware, so that might be worth the $40 if you have a couple of PCs needing protection. It also seems to be able to update its definitions from a Limited/Restricted account, which was giving me problems with Norton Antivirus 2004 on my mom's rig (although I found the workaround if you happened to need it, PM me).

 

[SemperFi]

Thanks I will try that one.

I think I got it though. I have one other user on my machine that is there for the kids when their machine is down. I know they haven't been on there for at least a week so I didn't scan it. Especially since I just started today. Well I just did it and so far seems fixed.

I am definately going to try the hijack this though.

Edit/ just saw mech's post.
Mech it is xp pro. I have the wifes account setup as power user. I like for her to be able to install software. She doesn't do it very often but the call while I am at work to install a proggie is annoying.

I have norton 2003 that just expired. I am thinking of trying the panda software. There was problems with norton 2004 and road runner cable which is what I have.

I think it is just this spyware junk. adaware and spybot has always got rid of it in the past. I have had it happen several times this year so far.

 

[mechBgon]

I see. But the kids are on the short leash, right? Or if they aren't, you might change their account's class to Limited. As you might already be aware, a person logged onto a Limited account can hold the Shift key down, right-click an item, and choose Run As... and then enter an Admin-class username & password (if they know one), preserving the safety net while having Admin powers when needed.

I use that approach myself, I have an Admin account for when I need it, and then a Limited account for daily-driver stuff, and if I want to run Defrag or something without switching users, I'll just right-click with the Shift key down and do the Run As method. And I'm the only user of this PC, I live by myself. I guess my bottom-rung IT job is starting to rub off on my private life a bit, LOL...

 

[SemperFi]

I don't really remember what I have the kids on I think it is power user too. There are only 2 admin accounts mine and the administrator account. I am the only one who knows the passwords. Actually my kids aren't too tech savy yet at least. I will go check theirs they don't need more than limited anyhow.

Well it is still gaining time about 4 minutes since my edit of my last post. Now about that hijack this. I hope that does it.

 

[Schadenfroh]

in my guide to malware prevention and removal.

i have a section devoted to hijackthis, if you want to look over it.

here

 

[mechBgon]

You might check what time server WinXP has set it to sync to, also.

 

[SemperFi]

I just ran adaware and spybot again and adaware found 3 more entries. Man these things are relentless. I just ran the hijack this and I didn't see anything that shouldn't be there. At least anything that I didn't recognize. I will read that guide to malware.

Well I have missed half of the game trying to fix this. It will be here tomorrow.

Thanks for your help.

 

[mechBgon]

You might also disable System Restore to eliminate that as a hiding place, and run the scans in Safe Mode. Good luck!

 

[oldman420]

what bug would cause the clock to run fast and why ?

 

[Schadenfroh]

Originally posted by: oldman420
what bug would cause the clock to run fast and why ?

i have heard about malware returning after a few days by going by the system clock, just to lure you into a false sense of security. never heard of it speeding the clock up, but i guess the authors of malware might suck at coding (some)

 

[SemperFi]

Well I just got home and decided on the way since the adaware route wasn't working like it had in the past that I would do an online virus scan. Well since my norton subscription has run out it looks like it won't even run anymore. I thought I just wouldn't get any definition updates.

Anyhow trend micro scan is currently running and so far it has found 4 files labled as trojans. 2 are called alchemic.a and the other 2 are called agent.ae.

It looks like it is time to uninstall this norton crap. I am sick of the trash can protection anyhow. I could have sworn I selected not to install that in the begining. Looks like I need to get something today.

Anyhow so far no wait nevermind the scan just got to my temp files and now I am up to 18 troj files. Duplicates of the earlier plus a couple of new ones. It says scan result is non cleanable. I suppose when it is finished it may give me some more insight on how to remove but would a delete of temp folders get rid of them? That is where they are showing up in the scan.

 

[mechBgon]

Also try the Panada free online scanner (link in my sig includes a link to it). John had good things to say about it. Non-cleanable, to my way of thinking, just means that the file is not legit to start with and needs to be nuked.

 

[SemperFi]

I gotcha. It did delete them for me. I just wasn't sure of the lingo. Well clock is still running fast but I haven't rebooted yet. I don't know if that will make any difference.


Edit/
Well I rebooted about 20 minutes ago. Time is still right on. It only took about 5 minutes before I noticed clock was fast. I just downloaded my panda software. I am going to get that going.

Thanks for the help. That is some good help there Mech. I am running the online panda at the moment for a second opinion.