
Hackers still on computer after doing full wipe and new install


5 replies to this topic

#1 tryingmybest


  • Members
  • 19 posts

Posted 20 May 2013 - 11:19 PM

I have had these same hackers on my computer for over 2 months. Everything I do is being logged by them and they have made several changes in my registry and Windows files. I try to delete what they put in my Windows files, but I'll get an error saying the file is in use by another program, I don't have permission to access the file or something like that. Anything I do manage to delete, they put it right back in. They also blocked me from downloading anything from certain sites, from using my CD-R drive or a flash drive and other things.
My Norton history and network security map show up to three other computers on my account at any given time. I have a lot of screenshots, logs, etc. to back this up. My remote access has been turned off the whole time.
At the time I was hacked, I was using a Belkin N600 DB Wireless N+ Router, Model Number F9K1102V2, which was secured. My modem is a Scientific Atlanta DPC2100R2. My motherboard is an MSI K9n6pgm2 V2 which supports 10/100 LAN by Realtek RTL8103EL. At the time, I was running Windows XP. Whatever they did, I could no longer use my Wi-Fi.
I did a complete wipe using WipeDrive and installed Windows 7. As soon as I went online, I checked my Norton and one of the other three computers was also on.
I have called my cable company about this numerous times. For one thing, I should have a dynamic ISP address but the hackers have me on a static one. I asked about closing my account and opening a new one to start fresh but the only way I would be able to do that is if I put the account in another person's name using their SS number. I called other companies and dial-up or a 765mbps connection are my only other options.
Evidently, the hackers are homed into my account using the ISP address, MAC address or something. Since this is the case, would it help if I got a new modem? That was my cable company's latest suggestion. They said if it didn't work, I could always return the modem.
I am more than open to any other ideas too! Thankfully, I have a smartphone but I want my computer back.



#2 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts

Posted 21 May 2013 - 11:37 AM

At this point it would be best to get a deeper look and see if there is some protected malware.

Do steps 6, 7 and 8 of the Preparation Guide.

Let me know if that went well.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 tryingmybest


Posted 22 May 2013 - 05:35 PM

It can't be protected malware. "WipeDrive from WhiteCanyon Software will completely wipe, erase hard drive data, and removes all impressions that would compromise your information, all with absolutely no damage to your hard drive. A Permanent hard drive eraser protects your information by ensuring that it is gone. WipeDrive deletes everything."
When doing the reinstall, I used brand new Windows 7 and Norton program disks.

I used WipeDrive again so nothing is on the hard drive right now.

#4 boopme


Posted 22 May 2013 - 08:41 PM

Then you should repost in Networking and ask them to go thru your setup.



#5 tryingmybest


Posted 22 May 2013 - 09:28 PM

Thanks:-)

#6 tryingmybest


Posted 26 May 2013 - 02:10 PM

Ok, I ran the program:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514
Run by Barbara at 13:51:47 on 2013-05-26
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1791.465 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files (x86)\Norton Internet Security\Engine\20.1.0.24\ccSvcHst.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Norton Internet Security\Engine\20.1.0.24\ccSvcHst.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.1.0.24\CoIEPlg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.1.0.24\IPS\IPSBHO.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.1.0.24\CoIEPlg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.1.0.24\CoIEPlg.dll
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{A77D07BC-F75D-4BD4-90F4-86D56CDE7A09} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
SSODL: WebCheck - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Barbara\AppData\Roaming\Mozilla\Firefox\Profiles\46ltban4.default\
FF - ExtSQL: 2013-05-25 18:51; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\IPSFFPlgn
FF - ExtSQL: 2013-05-26 13:30; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\coFFPlgn
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NISx64\1401000.018\SymDS64.sys [2013-5-25 493216]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1401000.018\SymEFA64.sys [2013-5-25 1132192]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\BASHDefs\20130515.001\BHDrvx64.sys [2013-5-15 1390680]
R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\System32\drivers\NISx64\1401000.018\ccSetx64.sys [2013-5-25 168096]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\IPSDefs\20130524.001\IDSviA64.sys [2013-5-24 513184]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\NISx64\1401000.018\Ironx64.sys [2013-5-25 224416]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\NISx64\1401000.018\symnets.sys [2013-5-25 432800]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\20.1.0.24\ccSvcHst.exe [2013-5-25 143928]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-5-25 138912]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
.
=============== Created Last 30 ================
.
2013-05-26 18:52:15    432800    ----a-w-    C:\Windows\System32\drivers\NISx64\1403010.016\symnets.sys
2013-05-26 18:52:15    23448    ----a-r-    C:\Windows\System32\drivers\NISx64\1403010.016\symelam.sys
2013-05-26 18:52:14    1139800    ----a-w-    C:\Windows\System32\drivers\NISx64\1403010.016\symefa64.sys
2013-05-26 18:52:13    493656    ----a-w-    C:\Windows\System32\drivers\NISx64\1403010.016\symds64.sys
2013-05-26 18:52:13    36952    ----a-w-    C:\Windows\System32\drivers\NISx64\1403010.016\srtspx64.sys
2013-05-26 18:52:12    796248    ----a-w-    C:\Windows\System32\drivers\NISx64\1403010.016\srtsp64.sys
2013-05-26 18:52:12    224416    ----a-w-    C:\Windows\System32\drivers\NISx64\1403010.016\ironx64.sys
2013-05-26 18:52:11    168096    ----a-w-    C:\Windows\System32\drivers\NISx64\1403010.016\ccsetx64.sys
2013-05-26 18:50:56    --------    d-----w-    C:\Windows\System32\drivers\NISx64\1403010.016
2013-05-26 18:45:20    8199504    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-05-26 18:44:48    9460464    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A35F0A03-568C-472B-9CC1-521ED6EA86A5}\mpengine.dll
2013-05-26 18:41:59    920472    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2013-05-26 18:41:59    74136    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2013-05-26 18:41:59    59288    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\libEGL.dll
2013-05-26 18:41:59    478104    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\libGLESv2.dll
2013-05-26 18:41:59    3076504    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2013-05-26 18:41:59    279448    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\freebl3.dll
2013-05-26 18:41:59    2106216    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2013-05-26 18:41:59    193824    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2013-05-26 18:41:59    19352    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\AccessibleMarshal.dll
2013-05-26 18:41:59    16280    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\mozalloc.dll
2013-05-26 18:41:59    117144    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
2013-05-26 18:41:59    116120    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe
2013-05-26 18:35:17    2622464    ----a-w-    C:\Windows\System32\wucltux.dll
2013-05-26 18:34:58    36864    ----a-w-    C:\Windows\System32\wuapp.exe
2013-05-26 18:34:58    186752    ----a-w-    C:\Windows\System32\wuwebv.dll
2013-05-26 03:53:07    --------    d-----w-    C:\Users\Barbara\AppData\Local\Apps
2013-05-26 03:06:16    --------    d-----w-    C:\Program Files (x86)\Nero
2013-05-26 03:05:57    --------    d-----w-    C:\ProgramData\Nero
2013-05-26 03:02:28    --------    d-sh--w-    C:\Windows\Installer
2013-05-26 00:17:03    --------    d-----w-    C:\Users\Barbara\AppData\Roaming\IrfanView
2013-05-26 00:17:03    --------    d-----w-    C:\Program Files (x86)\IrfanView
2013-05-26 00:16:26    --------    d-----w-    C:\Windows\Panther
2013-05-25 23:51:57    --------    d-----w-    C:\Program Files (x86)\Common Files\Symantec Shared
2013-05-25 23:24:12    43680    ----a-r-    C:\Windows\System32\drivers\SymIMV.sys
2013-05-25 22:57:55    --------    d-----w-    C:\ProgramData\NortonInstaller
2013-05-25 22:57:55    --------    d-----w-    C:\Program Files (x86)\NortonInstaller
.
==================== Find3M  ====================
.
2013-05-25 23:03:47    177312    ----a-w-    C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2013-05-02 07:06:08    278800    ------w-    C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 13:53:51.56 ===============
 

 





