I factory reset my computer but I'm still infected with spyware

Status
Not open for further replies.

Drift_Count5179

Level 1
Thread author
May 15, 2021
8
First let me apologize for skipping the steps before posting here. I am posting this from a new phone. Factory resetting my computer didn't work so I figured a Farbar scan wouldn't help. If it's absolutely necessary I will try it in safe mode. In case spyware doesn't count as malware may you please suggest where I can ask for assistance. Thanks

My situation is weird so bear with me. It's a Windows 10 Asus laptop. I know the spyware is still on there because my stalkers continue to harass me. Their timing is so precise it makes me think it's something on my machine. The following are things I have tried:

-replacing hard drives
-avoid usb flash drives and usb connections altogether except one for the mouse
-avoid restoring backup files
-avoid weird links or downloads
-updated Windows and malware scan
-checked the location where I use my laptop for hidden cameras (my stalkers live with me)
-physically secure my laptop so no one can get to it
-use a vpn 24/7
-avoid sites where my credentials could've been compromised

I haven't completely ruled out my stalkers constantly reinfecting my computer. We all share the home network (I am not in control of the modem router, they are) but the vpn should still hide my activity right? Anyway like I said before my hunch is it's more than just network sniffing.

I don't know what else to do besides buy a new computer. Figured I would ask here to see what can be done about the spy/malware, keylogger, backdoor or whatever the hell is on my computer. My amateur guess is that it was installed on some component that is read/written to. My stalkers have professional experience in computers, if that matters at all. There was a moment some time ago where one of them had a few hours of complete access to my computer so I'm guessing that was when the infection was contracted.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Hello Drift_Count5179,

I am Karsten and will help you with any malware-related problems.

Factory resetting my computer didn't work so I figured a Farbar scan wouldn't help

You are suspecting a re-infection of your system, so we should verify first with FRST if your system is infected and what malware is on it.

If it is indeed infected however, cleaning it or buying a new computer will not change your situation. If you live with abusive people, they likely have physical access to your systems and your environment. No technical solution can prevent that. That's just a heads-up because I am not really sure if I can be of any help here and if it makes sense to proceed.

Furthermore, I recommend that you check out the help resources here and find support hotlines depending on the country you live in: Resources | Stalkerware

Please follow the steps below if you want a system checkup.

-------------------------------------------------------------------

Please familiarize yourself with the following ground rules before you start.
  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.
  • Note: On weekends I might be slow to reply

Farbar Recovery Scan Tool (FRST) Scan
  • Please download Farbar Recovery Scan Tool and save the file to your Desktop. (Note: choose the right version, 64 or 32 bit, for your operating system, only one will run)
  • Double-click FRST64.exe to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Attach both logs in your next reply.
 

Drift_Count5179

Level 1
Thread author
May 15, 2021
8
Hi Karsten, thanks for your reply. If it allows me to, will running it in safe mode interfere with results?
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Safe mode would indeed not show everything. If there was an infection, it would be better to get the logs while the malware is active and visible.

I did not find any malware on your system, though. Only potentially unwanted software that changed your browser settings.
Did you install WebCompanion on purpose? Do you want to keep it?
 

Drift_Count5179

Level 1
Thread author
May 15, 2021
8
In that case should I run while connected to internet? I ran this offline

Web companion was a complimentary download I usually remove it just forgot to
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Step 1: Uninstall Software
  • Press the Windows Key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for the following programs, right-click and click Uninstall.
    • Web Companion
  • Follow the prompts.
  • Note: If you are offered the choice to install additional software, ensure you decline.
  • Reboot if necessary.

Step 2: Farbar Recovery Scan Tool (FRST) Script
  • Download the attached fixlist.txt
  • Important: The file must be saved in the same location as FRST64.exe.
NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
  • Double-click FRST64.exe to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Attach the log to your next reply.
 

Attachments

  • fixlist.txt
    1.4 KB · Views: 3

Drift_Count5179

Level 1
Thread author
May 15, 2021
8
Excuse me I should have clearly stated I did not want to remove Web Companion. Do you or anyone know of an economical way to remove malware from all components of a laptop i.e. not just the hard drive?

For any other lost souls out there with this problem know that malware can be installed on other pieces of your computer/laptop e.g. graphics and network cards, etc. It can also be on your hard drive as a "low-level" infection in the boot memory, or whatever it's called, of your hard drive. All of which renders malware scans useless. Wish I knew all this before wasting time trying to save my machine.

If you're like me and know a bit more than nothing about computers then look up these topics:

-Master boot record malware removal (some antivirus software call it scanning for rootkits)
-BIOS (called UEFI in Win10) reflashing
-low-level formatting
-[your preferred store] to buy a new ******** computer because if it's a low-level infection it will be nearly impossible to detect
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Excuse me I should have clearly stated I did not want to remove Web Companion.

I interpreted your answer below as wanting to remove WebCompanion. I am sorry that I misunderstood.

Web companion was a complimentary download I usually remove it just forgot to

Do you or anyone know of an economical way to remove malware from all components of a laptop i.e. not just the hard drive?

What makes you think there is an infection on your laptop?
Yes, network cards and any other component with firmware can theoretically be infected. So far for most of these components this is a domain of research and not actually used in the wild.

For rootkits and bootkits we can perform a rootkit scan. I will post instructions below.

Also may I delete the posts with those frst results?
Yes, you can delete them.

------------------------------------------------------------

RogueKiller AntiMalware
  • Please download Roguekiller AntiMalware
  • Double-click RogueKiller64.exe to run the programme.
  • Accept the terms and conditions.
  • Click on Scan.
  • You will be presented with 3 Scan options. Below Standard Scan click on Start.
  • Wait for the scan to finish.
  • Click on Results and Report
  • On the lower right corner, click on Open and Text file.
  • Notepad will open with a report of your file. Please copy the contents and paste in your next reply.
 

Drift_Count5179

Level 1
Thread author
May 15, 2021
8
Yes, network cards and any other component with firmware can theoretically be infected. So far for most of these components this is a domain of research and not actually used in the wild.
Can you please elaborate on "not actually used in the wild"? I thought my situation was very unusual considering the malicious physical access by actors with a bit of know-how.

I interpreted your answer below as wanting to remove WebCompanion. I am sorry that I misunderstood
Yes "I usually" as in I did not want help. My mistake I should have been clearer.

What makes you think there is an infection on your laptop?
As I said in op:
I know the spyware is still on there because my stalkers continue to harass me

For rootkits and bootkits we can perform a rootkit scan. I will post instructions below.
I have tried a boot sector scan with my antivirus software if it's worth its salt. I may decide to skip this step if it looks like it doesn't offer anything different.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
I know the spyware is still on there because my stalkers continue to harass me

I was asking to get a grasp on potential technical symptoms you experience with your devices. I don't know the details on the harassment, and you don't need to tell me, but can they have information on you from other sources than infecting your devices?

We are working via a forum, which adds a form of difficulty because I don't see your system. I can only assist you, if I have something to work with: symptoms, scan logs or anything else.
Currently I don't have either of those. It's of course perfectly fine if you don't want to get into detail or provide further logs. This is up to you. But it also means I cannot help you at the moment. I am not sitting in front of your system, I cannot check or see what's going on with it, and can only rely on what you tell me or provide me.


Can you please elaborate on "not actually used in the wild"? I thought my situation was very unusual considering the malicious physical access by actors with a bit of know-how.
I am a malware analyst, working for an AV company. So by any means, I would probably count as an expert on the topic. But the difficulty and effort one would have to make to infect all of your firmware while still managing to NOT make it show up in Antivirus scans and diagnostic logs is so unproportionally high that I would not be able to do it in a reasonable amount of time. I think it is highly unlikely your abusers have a level of technical expertise that surpasses malware researchers. Even if they have, they would resort to easier ways to achieve the same.

Your situation is not that unusual. The reason the initiative against stalkerware exists, is that there are many people who are stalked and harassed by their abusers, who oftentimes live with them and may infect their phones and personal computers to monitor them. You are also not the first person asking for help in forums like this one.
 

Drift_Count5179

Level 1
Thread author
May 15, 2021
8
I was asking to get a grasp on potential technical symptoms you experience with your devices. I don't know the details on the harassment, and you don't need to tell me, but can they have information on you from other
Ah sorry. No I don't notice any symptoms. All I have tried is preliminary searches for unusual connections or for weird processes in task manager. If there is another source I wouldn't know where.

We are working via a forum, which adds a form of difficulty because I don't see your system. I can only assist you, if I have something to work with: symptoms, scan logs or anything else.
Currently I don't have either of those. It's of course perfectly fine if you don't want to get into detail or provide further logs. This is up to you. But it also means I cannot help you at the moment. I am not sitting in front of your system, I cannot check or see what's going on with it, and can only rely on what you tell me or provide me.
Right I didn't mean to suggest to stop here. I was thinking of going to the next step. I will attach the roguekiller results if it will help. My current antivirus did not give problems with this like it did with farbar thankfully. The rootkit section is empty in results. Uncertain if it scanned for them.

I am a malware analyst, working for an AV company. So by any means, I would probably count as an expert on the topic. But the difficulty and effort one would have to make to infect all of your firmware while still managing to NOT make it show up in Antivirus scans and diagnostic logs is so unproportionally high that I would not be able to do it in a reasonable amount of time. I think it is highly unlikely your abusers have a level of technical expertise that surpasses malware researchers. Even if they have, they would resort to easier ways to achieve the same.
I'm always reading about or being told, whenever I ask for assistance, the type of infection I am thinking of is rare and unlikely, improbable, etc without reasoning so it's nice to hear why. Your perspective is appreciated. Perhaps I am giving them too much credit.....

Your situation is not that unusual. The reason the initiative against stalkerware exists, is that there are many people who are stalked and harassed by their abusers, who oftentimes live with them and may infect their phones and personal computers to monitor them. You are also not the first person asking for help in forums like this one.
However I will say while my general situation is a common one, I am still convinced to be dealing with atypical abusers. The kind that would spend nearly 6 figures just to pull off an unrelated prank. In terms of the route of infection I would think they have some extra means not possessed by the majority.
 

Attachments

  • rgkiller.tmp.txt
    6.3 KB · Views: 1

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Your Roguekiller log only shows PUP entries, no rootkits, no malware, no spyware or any of that sort.

All I have tried is preliminary searches for unusual connections or for weird processes in task manager. If there is another source I wouldn't know where.

Could they be getting information from a person you are in close contact with?
Could there be monitoring via cameras, microphones, telephone?

You mentioned network sniffing as a possibility since others are in control of the router. I recommend using only encrypted forms of communication (HTTPS, SSH, SMTP/TLS, POP/TLS). You cannot prevent network sniffing, but you can make the information they get useless by encrypting it.

Apart from that follow these rules for infection prevention:
  • Use multi-factor-authentication for your accounts, if available
  • Keep your programs always up-to-date, including the operating system, browsers, email programs, everything that you use to interact with the web, and also your Antivirus suite.
  • Use exactly one Antivirus suite. Several will get in the way of each other, fight for resources, and potentially detect each other as malicious due to the way AV has to monitor the system.
  • Use browser plugins that prevent ads (aka adblockers) and execution of scripts, e.g., NoScript.
  • Be careful with email attachments and links. Those can potentially contain malware or lead to phishing sites.
  • Avoid using P2P software. This software is sharing files with lots of other computers. Infected files, especially worms, thrive in this environment.
  • Enable viewing of file extensions in File Explorer, so that you can recognize double extensions. These are used by malware to trick you into executing their files, e.g. my_great_movie.mp4.exe

However I will say while my general situation is a common one, I am still convinced to be dealing with atypical abusers. The kind that would spend nearly 6 figures just to pull off an unrelated prank. In terms of the route of infection I would think they have some extra means not possessed by the majority.
Yes, the circumstances are unique and specific to your situation. I also believe that some abusers are willing to do their things at great costs.

I hope you find a way out of the situation and possibly some help from people in your proximity.

I have no reason to do more scans on your systems right now since the logs came up clean.
But if you come across anything (e.g., logs of other tools) that makes you doubt your system is clean, let me know, and I will check. I have malware-experience only with Windows computers, though. Not with smartphones or other operating systems than Windows.
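
Added example, not part of the post above or of any tool mentioned in this thread: a small Python check for the double-extension trick described in the prevention list, covering both the plain form (my_great_movie.mp4.exe) and the variant that pads whitespace before the real extension. The extension lists and every sample name other than my_great_movie.mp4.exe are assumptions constructed for illustration.

```python
import ntpath
import os
import sys

# Partial lists chosen for this example; extend them for your environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk", "msi"}
DECOY_EXTS = {"mp4", "avi", "mp3", "jpg", "jpeg", "png", "pdf", "doc", "docx", "xls", "xlsx", "txt"}


def classify(filename):
    """Return a reason if the name looks like a disguised executable, else None."""
    parts = ntpath.basename(filename).split(".")
    if len(parts) < 3:                      # need name + decoy + real extension
        return None
    real, shown = parts[-1].strip().lower(), parts[-2]
    if real not in EXECUTABLE_EXTS or shown.strip().lower() not in DECOY_EXTS:
        return None
    if shown != shown.strip():
        return "double extension padded with whitespace"
    return "double extension"


def scan(root):
    """Walk root and return sorted (path, reason) pairs for suspicious names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reason = classify(name)
            if reason:
                hits.append((os.path.join(dirpath, name), reason))
    return sorted(hits)


# Constructed sample names (only the first one appears in the thread).
SAMPLES = [
    "my_great_movie.mp4.exe",      # the example named in the post
    "invoice.pdf          .scr",   # padding pushes the real extension out of view
    "holiday.jpg",                 # ordinary media file
    "setup.exe",                   # honest executable, single extension
    "report.v2.exe",               # two dots, but no decoy extension
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan(sys.argv[1])         # e.g. the Downloads folder
    else:
        results = [(n, classify(n)) for n in SAMPLES if classify(n)]
    for path, reason in results:
        print(f"{reason}: {path}")
```

Run without arguments it classifies the constructed samples; pass a folder path to scan real files. A hit only means the name is misleading, so the file still needs a scan before any conclusion is drawn.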
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
I am going to leave this topic open for 5 days in case something comes up. After 5 days I will be locking the thread to proceed helping others.
 