This is my current configuration:
only 1 PC on network
Asus P8Z68-V-lx
OCZ 120GB SSD
Seagate 500GB HDD
16GB Corsair Dominator DDR3 1600MHz
i5 2500K OC'd to 4300GHZ
no audio or video cards installed
DHCP broadband connection
no wireless
Motorola SURFboard gateway
SonicWALL TZ210
Full software package, fully updated
On 01/08/2012 a remote user penetrated the network (it was much larger then); I found him removing my local authorities through GPE. He activated Credentials Manager and then removed it from software. I contacted my ISP (AT&T) at the time; they verified remote access to email. I tore down the network, requested a new IP address, and beefed up firewall software. Attacks came more often and increased in skill and cunning. I did all I knew how to do, reached out locally and on the net, and found no assistance.
I've had several exchanges with the attacker through Notepad and sticky notes. I have contacted local and federal agencies; attacks continue. A script has been written to the audio and video cards as well as the mobo. Independent verification of this came through the manufacturer of said parts. I have a dozen hard drives with varying amounts of forensic data on them.
As a last-ditch effort I tried the following, all on the same day:
Switched ISPs
bought Modem at store
replaced all cable in home that connects to PC
Checked outside for signs of tampering
Purchased above referenced Firewall
built pristine computer off site
changed wireless carriers
discontinued all wireless activities (not even wireless keyboard/mouse)
within 48 hrs attacks resumed
minor at first then grew again in scope
I then purchased a Mac
Within 48 hours I found (Todd Garrison's Mac OS Lion forensic memory acquisition paper) in a temp folder I rolled back, as well as alternate instructions on how to perform it (29 pages). Here is the link:
http://opensource.apple.com/source/kext_tools/kext_tools-65.76/watchvol.c Today when glancing at my drives I noticed this drive ????
\\?\volume 9c81cc6d-a2fc-11e1-a514-806e6f6e696311
I have already run through the virus and malware forum and all tests and logs are clean.
I need advice on how to stop this. It's paralyzing my children with fear and has caused thousands in damage.
Thanks for your time.
MiniToolBox by Farbar Version: 04-06-2012
Ran by office (administrator) on 06-06-2012 at 02:59:55
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
========================= IP Configuration: ================================
Realtek PCIe GBE Family Controller = Local Area Connection (Connected)
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
reset
set global icmpredirects=enabled
popd
# End of IPv4 configuration
Windows IP Configuration
Host Name . . . . . . . . . . . . : office-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 00-0B-0E-0F-00-ED
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.168.65(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, June 06, 2012 2:12:18 AM
Lease Expires . . . . . . . . . . : Thursday, June 07, 2012 2:12:18 AM
Default Gateway . . . . . . . . . : 192.168.168.168
DHCP Server . . . . . . . . . . . : 192.168.168.168
DNS Servers . . . . . . . . . . . : 75.75.75.75
75.75.76.76
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{AEE3C571-E347-48A9-ABA7-B9F8CC474EA5}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:3c31:3eda:3f57:57be(Preferred)
Link-local IPv6 Address . . . . . : fe80::3c31:3eda:3f57:57be%13(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: cdns01.comcast.net
Address: 75.75.75.75
Name: google.com
Addresses: 2607:f8b0:4009:802::1006
74.125.225.132
74.125.225.131
74.125.225.134
74.125.225.136
74.125.225.130
74.125.225.133
74.125.225.137
74.125.225.135
74.125.225.128
74.125.225.129
74.125.225.142
Pinging google.com [74.125.225.65] with 32 bytes of data:
Reply from 74.125.225.65: bytes=32 time=11ms TTL=56
Reply from 74.125.225.65: bytes=32 time=11ms TTL=56
Ping statistics for 74.125.225.65:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 11ms, Average = 11ms
Server: cdns01.comcast.net
Address: 75.75.75.75
DNS request timed out.
timeout was 2 seconds.
Name: yahoo.com
Addresses: 209.191.122.70
98.139.183.24
72.30.38.140
Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=44ms TTL=51
Reply from 209.191.122.70: bytes=32 time=43ms TTL=51
Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 43ms, Maximum = 44ms, Average = 43ms
Server: cdns01.comcast.net
Address: 75.75.75.75
Name: bleepingcomputer.com
Address: 208.43.87.2
Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
11...00 0b 0e 0f 00 ed ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.168.168 192.168.168.65 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.168.0 255.255.255.0 On-link 192.168.168.65 266
192.168.168.65 255.255.255.255 On-link 192.168.168.65 266
192.168.168.255 255.255.255.255 On-link 192.168.168.65 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.168.65 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.168.65 266
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
13 58 ::/0 On-link
1 306 ::1/128 On-link
13 58 2001::/32 On-link
13 306 2001:0:4137:9e76:3c31:3eda:3f57:57be/128
On-link
13 306 fe80::/64 On-link
13 306 fe80::3c31:3eda:3f57:57be/128
On-link
1 306 ff00::/8 On-link
13 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Event log errors: ===============================
Application errors:
==================
Error: (06/06/2012 02:14:06 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/05/2012 11:37:25 PM) (Source: Application Error) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x000007feeb6407e4
Faulting process id: 0x%9
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3
Error: (06/05/2012 11:35:32 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/05/2012 08:53:23 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/05/2012 01:30:21 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/05/2012 03:46:38 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/05/2012 00:40:36 AM) (Source: Application Error) (User: )
Description: Faulting application name: SafeZoneBrowser.exe, version: 0.0.0.0, time stamp: 0x4da894e3
Faulting module name: SafeZoneBrowser.dll, version: 9.0.592.0, time stamp: 0x4da894c1
Exception code: 0x80000003
Fault offset: 0x0015d740
Faulting process id: 0xb58
Faulting application start time: 0xSafeZoneBrowser.exe0
Faulting application path: SafeZoneBrowser.exe1
Faulting module path: SafeZoneBrowser.exe2
Report Id: SafeZoneBrowser.exe3
Error: (06/05/2012 00:40:21 AM) (Source: Application Error) (User: )
Description: Faulting application name: SafeZoneBrowser.exe, version: 0.0.0.0, time stamp: 0x4da894e3
Faulting module name: SafeZoneBrowser.dll, version: 9.0.592.0, time stamp: 0x4da894c1
Exception code: 0x80000003
Fault offset: 0x0015d740
Faulting process id: 0x1558
Faulting application start time: 0xSafeZoneBrowser.exe0
Faulting application path: SafeZoneBrowser.exe1
Faulting module path: SafeZoneBrowser.exe2
Report Id: SafeZoneBrowser.exe3
Error: (06/05/2012 00:40:14 AM) (Source: Application Error) (User: )
Description: Faulting application name: SafeZoneBrowser.exe, version: 0.0.0.0, time stamp: 0x4da894e3
Faulting module name: SafeZoneBrowser.dll, version: 9.0.592.0, time stamp: 0x4da894c1
Exception code: 0x80000003
Fault offset: 0x0015d740
Faulting process id: 0xfa8
Faulting application start time: 0xSafeZoneBrowser.exe0
Faulting application path: SafeZoneBrowser.exe1
Faulting module path: SafeZoneBrowser.exe2
Report Id: SafeZoneBrowser.exe3
Error: (06/04/2012 11:14:18 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
System errors:
=============
Error: (06/05/2012 11:33:37 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 9:54:26 PM on ?6/?5/?2012 was unexpected.
Error: (06/05/2012 08:51:28 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 6:02:09 PM on ?6/?5/?2012 was unexpected.
Error: (06/05/2012 04:37:52 AM) (Source: DCOM) (User: )
Description: {D085A4AB-CAB1-4729-9DF8-FCEEDDBD19E4}
Error: (06/01/2012 02:16:39 AM) (Source: EventLog) (User: )
Description: The previous system shutdown at 9:15:37 PM on ?5/?31/?2012 was unexpected.
Error: (05/31/2012 04:00:54 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 2:20:09 PM on ?5/?31/?2012 was unexpected.
Error: (05/31/2012 02:00:41 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 7:18:09 AM on ?5/?31/?2012 was unexpected.
Error: (05/30/2012 10:08:56 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 6:08:06 PM on ?5/?30/?2012 was unexpected.
Error: (05/30/2012 01:23:03 PM) (Source: Service Control Manager) (User: )
Description: The SliceDisk5 service failed to start due to the following error:
%%2
Error: (05/30/2012 01:23:03 PM) (Source: Service Control Manager) (User: )
Description: The SliceDisk5 service failed to start due to the following error:
%%2
Error: (05/30/2012 00:45:19 AM) (Source: DCOM) (User: )
Description: {D085A4AB-CAB1-4729-9DF8-FCEEDDBD19E4}
Microsoft Office Sessions:
=========================
Error: (06/06/2012 02:14:06 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/05/2012 11:37:25 PM) (Source: Application Error)(User: )
Description: Explorer.EXE6.1.7601.175674d672ee4unknown0.0.0.000000000c0000005000007feeb6407e4
Error: (06/05/2012 11:35:32 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/05/2012 08:53:23 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/05/2012 01:30:21 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/05/2012 03:46:38 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (06/05/2012 00:40:36 AM) (Source: Application Error)(User: )
Description: SafeZoneBrowser.exe0.0.0.04da894e3SafeZoneBrowser.dll9.0.592.04da894c1800000030015d740b5801cd42ddbba3bf29C:\Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.exeC:\Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.dllf9576e2a-aed0-11e1-8e14-000b0e0f00ed
Error: (06/05/2012 00:40:21 AM) (Source: Application Error)(User: )
Description: SafeZoneBrowser.exe0.0.0.04da894e3SafeZoneBrowser.dll9.0.592.04da894c1800000030015d740155801cd42ddb273ef9aC:\Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.exeC:\Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.dllf0279e9b-aed0-11e1-8e14-000b0e0f00ed
Error: (06/05/2012 00:40:14 AM) (Source: Application Error)(User: )
Description: SafeZoneBrowser.exe0.0.0.04da894e3SafeZoneBrowser.dll9.0.592.04da894c1800000030015d740fa801cd42ddae178a3aC:\Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.exeC:\Program Files\AVAST Software\Avast\sfzone\SafeZoneBrowser.dllebd25d5b-aed0-11e1-8e14-000b0e0f00ed
Error: (06/04/2012 11:14:18 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
========================= Memory info: ===================================
Percentage of memory in use: 17%
Total physical RAM: 16086.88 MB
Available physical RAM: 13307.54 MB
Total Pagefile: 32171.94 MB
Available Pagefile: 28943.38 MB
Total Virtual: 4095.88 MB
Available Virtual: 3972.27 MB
========================= Partitions: =====================================
1 Drive c: () (Fixed) (Total:83.75 GB) (Free:32.36 GB) NTFS
2 Drive d: (Data Volume) (Fixed) (Total:465.76 GB) (Free:457.18 GB) NTFS
========================= Users: ========================================
User accounts for \\OFFICE-PC
Administrator Guest office
**** End of log ****