Am I still infected?



#1 Zuni


Posted 07 October 2012 - 10:53 PM

I have been dealing with bioskits and rootkits for the last 6 months. It's been a constant fight to keep them out. I finally just bought all new computers with all new parts, even down to my monitor, mouse, and keyboard. I got my computer running for the first time 8 days ago on September 29th. I do not currently have a CD drive so I had to install Windows with a bootable USB (suspecting this is the origin). I'm running Win 7 64 bit and the second I installed it, it seemed strange, constantly suggesting remote connections, and then my webpages started acting up and I could not download a thing, then my screen kept flashing black and removing my video card drivers every time I installed them. So I did a BIOS flash and /cleaned my hard drive. It's acting a lot better now but it still seems off. I installed Kaspersky and it was on my computer and I even ran it, but if I go to my installed programs it never showed up. I even installed it 3 times; it worked each time (finding nothing) but never showed up, and now I can't even click the .exe file, nothing happens. All my windows in my computer seem to be layered as well, with little horizontal lines on the edge. Every time the window reloads they appear till the page is fully loaded, as well as goes black when I right click then goes back if I left click again (I believe that part is my video card; I used an old model I had still in the box from 6 years ago).


I know I can remove it. I need help locating it so I can easily identify it on the rest of our network and possibly find the source of this mess. I don't know if I'm just plain paranoid from the whole 6 months of battle or if I actually am infected. I need my sanity back.

Also, I can't seem to identify who/what \\?\Users\COMPUT~1 is, at least not a solid answer, and it seems to be where all my Windows updates are going.

I really hope y'all can help me stop this, or relieve my worry. Either way would be a miracle.


 


#2 noknojon


Posted 08 October 2012 - 01:23 AM

I finally just bought all new computers with all new parts even down to my monitor, mouse, and keyboard.
the second I installed it it seemed strange

Hello -
This sounds like a small to medium company set-up, that can not be handled in one quick hit - - -
I have found that no computer is infected unless it is connected to a source that can infect it.
Did you clean the USB Flash Drive prior to using it, or was it just a spare old one you had been using for other work ?? (Buy a new one)
Did you install new copies of Windows, or simply try to copy your already infected versions to new computers with infections included ??
Also, why are you installing one 6 year old Video card on a 1 week old system ?? Makes no sense to me ....... ?? I do not understand .

If (as you say) the NEW computers were already infected, then they have been used prior to you installing them, or no Antivirus and Antimalware programs were ever installed prior to you accessing, or adding internet applications, that are non-standard -
Return them to the place of purchase now and take no further actions on them unless the infections are internally sourced !!

Next contact your Internet Provider, and tell them that your computers may be accessed by an outside source and not internally.
Have you replaced the Modem(s) that you were using, as these can also carry infections, and replacing is the easiest method -

How far have you gone with installing or transferring OLD (infected files??) from your previous systems to your new systems ??
This is the only point of access that you could provide for infections to pass from an old to a new system without internet infection.

(Quote from SystemLookup) - COMPUT~1 - CLSID {FFFFEECE-FD18-8222-2FB0-2935B9EA0623} Currently Unidentified parasite of Chinese origin, most probably a variant of Win-Adware/BHO.Hao - should you have any information about this application, do email us -
If you actually have a copy of the file, please attach it to your email for analysis. Thanks!
Link to submit to SystemLookup - a very good source for defining infections -

Only 1 Job - - - A quick look at a computer with \\?\Users\COMPUT~1 on it -
Download Adware Cleaner. Right click to Run as Admin. Click the SEARCH button, allow it to run and post the log it creates.
AdWare Cleaner
It will reboot your system, so please close all open work prior to scanning -

In brief, I think that you have reinfected a new lot of computers / system, by transferring an already infected set of files from the old system files -

Please tell me if I have made any basic error in misunderstanding your post, as I found it a bit confusing -

Thank You -

No doubt others will have much better ideas, but I just wanted a few minor things cleared up first -



#3 Zuni


Posted 08 October 2012 - 03:55 PM

I cleaned the USB before I put Windows 7 on it, and it's also a new copy, as we had used 32 bit prior. We have been running 64 bit on the new computers due to some having larger 3 TB hard drives. The reason for using the old video card was it had never been used in a computer and I needed to start working again while I'm waiting for my new one to be shipped. I have not used any of my old files due to my old stuff being on a still infected hard drive. My business partner is not as cautious about this stuff as I am, so I'm suspecting the infection is on his computer and transferred to mine through the USB when I transferred the Windows setup.

We have replaced the modems as we changed location and providers, but at this point I don't know if they are infected also. This has been a nightmare. I know the original way we got them and it's being handled by the police still, but I need a safe way to work. I'll say this much: the jerk that did all this sure has wasted a good chunk of my money and life.

Here is my Adware Cleaner log, though it did not restart my computer. I did a BIOS flash and cleaned everything 4 days ago. This is driving me crazy :(.



Adware Cleanerv3.1 Scan Report.


-----------------------
Scan Started at : 10/8/2012 3:46:55 PM
Scan Finished at : 10/8/2012 3:47:18 PM
-----------------------






1)Total Number of Cookies and Processes inspected: 6228
2)Total Number of Registry entries inspected: 0
3)Total Number of Files/Folders inspected: 22103


[Threats Detected]

Direct3d
HKEY_CURRENT_USER\software\microsoft\direct3d\mostrecentapplication

CoolWebSearch
HKEY_CURRENT_USER\software\microsoft\internet explorer\urlsearchhooks{cfbfae00-17a6-11d0-99cb-00c04fd64497}

Aditer
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run

Bancos
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce

Hotbar
C:\program files

SmartShopper
C:\program files

Total = 6

[Files Currently Excluded]
'Files listed here will not be detected as spyware.



=====================End Of Report.
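
Added example, not part of any post in this thread: a short Python triage of the [Threats Detected] section of the report above. It separates entries that name one identifiable item from entries that name only a shared location (the Run and RunOnce keys, the Program Files folder), where the report alone does not say which value or file was flagged. The sample text is re-typed from the post with blank lines dropped; the `CONTAINERS` list and all function names are assumptions made for this example.

```python
import re

# Constructed sample: [Threats Detected] section of the posted report.
REPORT = r"""[Threats Detected]
Direct3d
HKEY_CURRENT_USER\software\microsoft\direct3d\mostrecentapplication
CoolWebSearch
HKEY_CURRENT_USER\software\microsoft\internet explorer\urlsearchhooks{cfbfae00-17a6-11d0-99cb-00c04fd64497}
Aditer
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
Bancos
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce
Hotbar
C:\program files
SmartShopper
C:\program files
Total = 6
"""

# Shared locations that hold many unrelated entries. A hit on the container
# alone does not identify a value or file. (List assumed for this example.)
CONTAINERS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
    r"c:\program files",
}
GUID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

def parse_detections(report):
    """Return (label, location) pairs from the [Threats Detected] section."""
    body = report.split("[Threats Detected]", 1)[1].split("Total =", 1)[0]
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return list(zip(lines[0::2], lines[1::2]))

def kind_of(location):
    """Classify how specific a reported location is."""
    if location.lower() in CONTAINERS:
        return "container-only"   # enumerate its contents before acting
    return "specific-guid" if GUID.search(location) else "specific-path"

def triage(report):
    """Tag every detection with the specificity of its location."""
    return [(label, kind_of(loc), loc) for label, loc in parse_detections(report)]

if __name__ == "__main__":
    for label, kind, loc in triage(REPORT):
        print(f"{label:13} {kind:15} {loc}")
```

For the entries tagged `container-only`, the next step on the machine itself is to list the values under those keys and the subfolders of that directory, since the report gives nothing narrower to check.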

#4 noknojon


Posted 08 October 2012 - 05:40 PM

My business partner is not as cautious about this stuff as I am, so I'm suspecting the infection is on his computer and transferred to mine through the USB when I transferred the Windows setup.


Someone sure is on-line without a very good Antivirus, and not paying attention to what is (was) downloaded -
The idea of just using the SEARCH option, was to show you a few of the minor infections already on your system -
CoolWebSearch - parasite variant
Infostealer.Bancos - Bancos is a detection name used by Symantec/Norton to identify malicious software programs that gather confidential financial information from the compromised computer.
Aditer (AKA): [Kaspersky] Trojan.Win32.Aditer.b, Trojan.Win32.Aditer - [Panda] Trojan Horse - [CA] Win32/Aditer.74754!Trojan - [Other] Win32/Aditer.B
Hotbar - Added browser bar from download sites -
SmartShopper - Added browser bar from download sites -
None of these should be on a "clean new installation" of Windows7, but are all add-ons / downloads -
NOTE - Total = 6 on a clean computer is not right ...............
You should now re-run Adware Cleaner and hit DELETE to remove these items if you no longer wish to have them installed -
If the program will not reboot, then please reboot manually to be sure they are gone -

Please download MiniToolBox, Save it to your desktop and run it.
Checkmark the following boxes:

•Flush DNS
•Report IE Proxy Settings
•Reset IE Proxy Settings
•Report FF Proxy Settings
•Reset FF Proxy Settings
•List content of Hosts
•List IP configuration
•List last 10 Event Viewer log
•List Installed Programs
List devices (Problem only)
•List Users, Partitions and Memory size.
•List Minidump Files

Click Go and copy / paste the result (Result.txt).
Note: When using "Reset FF Proxy Settings" option Firefox should be closed. Only if Firefox has been installed -

Make sure your Antivirus is activated and updated at all times and a Firewall (Windows7 is OK) is activated -
Download Malwarebytes Anti-Malware Free Update and run a full scan (could take 20 to 60 minutes for a first scan) then do the same with SuperantiSpyware Free and post both logs back here - I "hope" both scans are clean, but we can not be sure at this time.
Malwarebytes has Logs at the top of the face panel, while SuperAntiSpyware has View Scan Logs at the lower left side -

Last -
Download Security Check by Screen317 from HERE or HERE, and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please copy/paste the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.

I still think \\?\Users\COMPUT~1 is an infection, and if we can not find it, a Malware removal Expert may be needed to find it. Do you know exactly where this is located ??

Thank You -



#5 Zuni


Posted 14 October 2012 - 09:50 PM

Well guys, I knew something was wrong other than some little adware programs, and my partner figured it out: the \\?\Users\COMPUT~1 was a server being run off of my computer. I had 2, as a matter of fact. I'm very pleased they are shut down and my computer is secure once again. All my logs are clean and \\? is nowhere to be found. We had to override everything through DOS, but it is shut down now. If anyone would like the steps we took to shut them down, I'd be more than willing to share, but right now I'm going to do a clean sweep and wipe my system and start clean. I will be cloning the system that they took over so I can track them back via a virtual computer, so I'll keep up to date when I catch these jerks.



