
I Have Been Damned And Nothing Helps!


12 replies to this topic

#1 alt3rn1ty

alt3rn1ty

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:04:18 AM

Posted 26 March 2006 - 08:44 PM

I have Norton 2005, adaware, spybot1.4, webroot spysweeper and counterspy, registered as necessary, but not all running at once.
When occasionally infected I find a combination of approaches from these usually sort out my problems.

Now I am experiencing a blue smiley in the upper left corner of my screen at startup before XP asks for my password. None of the above software finds a trace, and after trawling the net for advice I came across a scanner called MWAV.exe which informs me I have the following -

Popuper, clientman, cydoor.topics.a, family keylogger commercial keylogger.

Here's the best bit:-

MWAV.exe will not remove, just identifies. To remove I need to pay for yet another piece of software to catch what the others haven't - BUT the best bit being presumably I have to use my credit card with this gang of nasty pasties and who knows what else running on my system :thumbsup:

Can anyone save me? I have a feeling in my waters it's all bad news.


#2 jgweed

jgweed

  • Staff Emeritus
  • 28,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:11:18 PM

Posted 27 March 2006 - 12:40 AM

You may have been damned, but BC has a group of expert, volunteer angels who can help you get rid of this spyware, and without asking for your credit card and a huge sum of money. I suggest you post a HijackThis! log for them to review and help you get rid of the malware.
Please carefully read and follow the instructions in the submission Guide, found here:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Regards,
John
Whereof one cannot speak, thereof one should be silent.

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:12:18 AM

Posted 27 March 2006 - 10:09 AM

I have split and moved your HJT log to the HJT forum.

You'll find it here.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 alt3rn1ty

alt3rn1ty
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:04:18 AM

Posted 27 March 2006 - 10:13 AM

Thanks John following KoanYorel now
:thumbsup:

#5 jgweed

jgweed

  • Staff Emeritus
  • 28,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:11:18 PM

Posted 27 March 2006 - 10:15 AM

For a brief time, there will be two posts of your log in the HJT forum, since Koan and I split and moved the log at the same time. My split will be removed.
John
Whereof one cannot speak, thereof one should be silent.

#6 alt3rn1ty

alt3rn1ty
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:04:18 AM

Posted 27 March 2006 - 11:08 AM

Good luck with the operation, having a split removed sounds drastic :thumbsup: :flowers: :trumpet:

Apologies I couldn't resist.

#7 jgweed

jgweed

  • Staff Emeritus
  • 28,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:11:18 PM

Posted 27 March 2006 - 12:13 PM

Never split against the wind!
(now MY apologies!)
John
Whereof one cannot speak, thereof one should be silent.

#8 alt3rn1ty

alt3rn1ty
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:04:18 AM

Posted 27 March 2006 - 10:55 PM

:thumbsup: I have resolved the problem and found the culprit too. Pass this info on to KoanYorel who I believe is still pondering my HJT log.

Having caused a bit more of a mess myself, decided to go through the safeboot routines again with all checkers.

Got rid of Popuper and clientman.

Stopped system restore and pagefiles then went on to do more checks through several system reboots.

"cydoor.topicks.a" and "family keylogger Commercial Keylogger" were a hardy pair of nasties.

So, backed up my documents and did a complete reformat/reinstall (including a re-write of the MBR just for good measure) of Windows XP.

Ran mwav.exe and the last two nasties had reappeared.

There was only one source left - Did another reformat/install with recovery CD, but didn't go on to the Application and driver recovery dvd, did a few checks first.

All was clear :inlove:

Now went on to my Application and driver recovery dvd - During the install I have chosen individual drivers as opposed to the whole recovery, and noticed two things

The blue smiley kicks in when the NV17M (NVidia graphics driver) installs - BUT that's not the source of the adware.....

They re-install when I let the system install the AOL references/internet connection settings and HP Compaq default system settings and desktop helpers - All of which are gumf I don't need. :flowers:

So have once again reformat/installed, and once again selectively gone through the Application and driver recovery dvd....

TADAAA! :trumpet: - One clean system. :huh:


I'm sure this kind of thing should be in a EULA somewhere, unfortunately it doesn't exactly leap out and grab your vitals during an install or even afterwards.

I have a Compaq Presario R3000 laptop - People beware your Application and driver recovery dvd, it has spyware and installs a keylogger too. Do all the Hardware drivers, and Norton if you must have a system heavy virus checker, but the third section only select the .net installs, forget the rest. :huh:

#9 alt3rn1ty

alt3rn1ty
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:04:18 AM

Posted 27 March 2006 - 11:23 PM

:thumbsup: :flowers: :trumpet: :inlove: :huh:

That's me, my wife, two daughters and the dog

(Although the latter probably doesn't understand why we are angry).

I'm ranting here because I don't know where else to just yet. This is
just as bad as Sony's fiasco. You try to keep your family safe online
and find you can't even trust an official recovery dvd.

Any thoughts, anyone? Am I going to be hounded by black suits for finding this out? :huh:

#10 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:12:18 AM

Posted 28 March 2006 - 12:53 AM

Hang on and wait for a reply to your HJT log?

We are very busy in that forum.
I promise though an HJT tech will help you sort out any problems.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#11 alt3rn1ty

alt3rn1ty
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:04:18 AM

Posted 28 March 2006 - 09:52 AM

Okay, no probs just came back here to update John mainly - Still very interested in your results and monitoring the split forum. Even though my problem is resolved I didn't precisely beyond any reasonable doubt prove the exact installation culprit, so your expert advice will still be valued highly. Especially if I make a big public issue of the matter. :thumbsup:

#12 jgweed

jgweed

  • Staff Emeritus
  • 28,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:11:18 PM

Posted 28 March 2006 - 10:55 AM

Since you have resolved your problem and have reformatted your hard drive and re-installed your programmes and applications, then the posted HJT contains invalid and outdated data. The log is therefore closed.
Thanks for posting your resolution, as it may help another member with a similar problem sometime in the future.

Having had to reinstall a Compaq from their recovery disk (although some time ago), and not finding anything malicious immediately thereafter on my computer, I am not absolutely certain that the source of the culprits is there, especially if you went on-line after reinstalling and before checking. I would certainly advise anyone, though, to "pick and choose" what they install, especially when it comes to the bundled applications. Many problems could be avoided if computer manufacturers simply included a Windows OS disk with the computer, rather than some proprietary bundle of gunk.

Regards,
John
Whereof one cannot speak, thereof one should be silent.

#13 alt3rn1ty

alt3rn1ty
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:04:18 AM

Posted 28 March 2006 - 01:37 PM

I believe that's a friendly and informed caution hidden away there, thanks John for putting enough of a check on my temperament. And big thanks for all the help during these posts to all concerned, you really are a bunch of guardian angels. :thumbsup:



