
winNT spyware issue

  • 14-09-2004 3:36pm
    #1
    Closed Accounts Posts: 5,019 ✭✭✭


    Hi,
    I've a winNT that was riddled with spyware. I downloaded search & destroy and it seems to have gotten rid of nearly everything. Except one bastid!

    "cmeii.exe"

    Can anyone tell me how I could get rid of this bugger? I've tried deleting the CMEII folder but I get an error message telling me it's in memory bla de bla. I can't see it under processes.

    Also every time someone logs on the machine I am also getting error messages telling me "Can't find such n such file.." I've checked all startup folders and they're empty. Is there a way to check what progs are being loaded at boot up in NT?

    Any help would be great.

    Thanks
    ambrose :cool:

    p.s. I HATE NT!


Comments

  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Post screenies of the errors you get.

    Do a google search on the errors and process. I assume you've run Adaware too, and killed the process in the task manager before trying to delete the folder?


  • Registered Users, Registered Users 2 Posts: 954 ✭✭✭ChipZilla


    It's part of Gator. Kill off CMESYS in the task manager. Then go to C:\Program Files\Common Files - The file you're after is in there somewhere, but might be hidden or read-only.

    HijackThis is a good program to show what is being loaded on startup...


  • Closed Accounts Posts: 5,019 ✭✭✭ct5amr2ig1nfhp


    Hey,
    Yep it's cmesys alright, but it's not showing in the task manager. I have just managed to delete all but 2 folders in the "C:\Program Files\Common Files\CMEII\"

    It's now giving me the error message "Not accessible..." when I try to delete the CMEII folder.

    From what I can see in the task manager all the processes are legit. I've gone down through them one by one and google'd them.

    I restarted the machine and Spybot is still finding the CMEII. When I try to fix the problem it is still telling me it has to restart and try on startup. Again I tried this but I get the first error message again. "..memory in use..."

    ambrose

    EDIT: I've tried deleting the folder from DOS and I'm getting "Access is denied" :s


  • Closed Accounts Posts: 430 ✭✭Gizzard


    I don't want to skirt your query but you should really think about upgrading to a better OS, NT is not the best OS and is not supported by MS anymore, you would be much better off with 2000 or XP Pro SP2

    I find HijackThis to be good for finding spyware that Spybot does not pick up.

    Good luck


  • Closed Accounts Posts: 5,019 ✭✭✭ct5amr2ig1nfhp


    Hi,
    Yep we're in the process of getting new machines. But until we do, I've to put up with NT unfortunately.

    I'll give hijackthis a go.

    thanks
    ambrose


  • Registered Users, Registered Users 2 Posts: 954 ✭✭✭ChipZilla


    Use Hijackthis to delete the registry entry that loads cmesys on startup. Then reboot and delete the file.

    BTW Gizzard, I don't think the OS makes the slightest bit of difference when it comes to picking up spyware. If a user is clueless and clicks on every Yes/No dialogue box he sees, it doesn't matter if he has Windows 95 or XP SP2.
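
An added example, not part of the thread and not HijackThis's own logic: an offline audit of exported autostart keys that flags entries launching from the suspect folder and entries whose target file no longer exists (the kind that produce "can't find file" errors at logon). It assumes the keys were exported to a REGEDIT4-format text file; the sample export, its value names and the function names are constructed for illustration.

```python
import re

# Well-known per-logon autostart keys (not an exhaustive list).
AUTOSTART = re.compile(r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft"
                       r"\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE = re.compile(r"(.*?\.(?:exe|com|bat|cmd))(?:\s|$)", re.IGNORECASE)

def unescape(s):
    # .reg exports escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def target_path(command):
    """Extract the program path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]

def audit(reg_text, suspect_dir, exists):
    """Return (key, value name, path, reason) for autostart entries to review."""
    suspect = suspect_dir.rstrip("\\").lower() + "\\"
    findings, key = [], None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1] if AUTOSTART.match(line[1:-1]) else None
            continue
        m = VALUE.match(line) if key else None
        if not m:
            continue  # outside an autostart key, or not a string value
        name, path = unescape(m.group(1)), target_path(unescape(m.group(2)))
        if path.lower().startswith(suspect):
            findings.append((key, name, path, "in suspect folder"))
        elif not exists(path):
            findings.append((key, name, path, "target missing"))
    return findings

# Constructed sample export; value names and the toolbar path are made up.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"CMESys"="\"C:\\Program Files\\Common Files\\CMEII\\CMESys.exe\""
"OldToolbar"="C:\\Program Files\\Toolbar\\tb.exe /start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="C:\\Program Files\\Common Files\\CMEII\\x.exe"
'''
```

Call `audit(SAMPLE, r"C:\Program Files\Common Files\CMEII", exists)` with an `exists` callable that answers whether a path is present on the machine being examined; bare names such as `SysTray.Exe` are resolved through the system path, so the callable has to account for that.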


  • Closed Accounts Posts: 430 ✭✭Gizzard


    ChipZilla wrote:
    Use Hijackthis to delete the registry entry that loads cmesys on startup. Then reboot and delete the file.

    BTW Gizzard, I don't think the OS makes the slightest bit of difference when it comes to picking up spyware. If a user is clueless and clicks on every Yes/No dialogue box he sees, it doesn't matter if he has Windows 95 or XP SP2.

    Yes that's mostly true, however there are known exploits tied to versions of Windows OS that can be used to install spyware, for example IE 6 had an exploit that allowed homepages to be changed by webpage script and ActiveX to be installed to allow spyware amongst other things, SP2 has fixed these large exploits, therefore you're better off moving to XP Pro SP 2 (or Linux). There are still exploits appearing every day so Firefox is a better alternative http://www.mozilla.org

    however you are correct the vast majority of spyware is installed as a result of installing web utils like Bonzi Buddy (my mother keeps installing that pff), Kazaa etc they are to be avoided, and the version of OS does not protect you from this kind of stupidity. :D, if you want Kazaa install Kazaa Lite


  • Closed Accounts Posts: 545 ✭✭✭ColmOT [MSFT]


    NT is not the best OS and is not supported by MS

    Just for the sake of completeness, NT4 Workstation is no longer supported - NT Server (and its variants) is still supported until December 31st 2004.

    But I agree that it's not the best OS in the world....too many restarts!

    <user action>Left double click to open My Computer
    <WinNT> Your system must be restarted because you interacted with the desktop!!


  • Closed Accounts Posts: 13,992 ✭✭✭✭gurramok


    Hi,
    Yep we're in the process of getting new machines. But until we do, I've to put up with NT unfortunately.

    I'll give hijackthis a go.

    thanks
    ambrose

    Try deleting it when 'in safe mode with command prompt' if the folder is locked under XP fully running.


  • Closed Accounts Posts: 5,019 ✭✭✭ct5amr2ig1nfhp


    Hi,
    I had a "_hazafibbj" entry in the registry. Did a quick search and found it was from a virus. (Cannot remember which off the top of my head)

    I downloaded the fix from Symantec though, that seems to have gotten rid of that problem.

    Still cannot get rid of that CMEII folder though :s

    I'll give Safe mode a go.

    ambrose


  • Registered Users, Registered Users 2 Posts: 2,942 ✭✭✭Mac daddy


    Rename the folder - switch off system restore and delete the reg key - reboot into safe mode and delete the folder - reboot and run HijackThis


  • Registered Users, Registered Users 2 Posts: 2,942 ✭✭✭Mac daddy


    Shlte, I'm not sure if NT has a system restore option, nearly sure it hasn't

