Posted 06 August 2011 - 12:37 PM
This has been going on for quite some time. Every time I reformat my PC I clean the BIOS and clear all CMOS settings and the DMI pool data.
But within a day or two I see the signs that something is going on still. I just know you're thinking that it's just me being paranoid, but I know I'm not.
Each time I use the Ultimate Boot CD to run the secure enhanced erase feature in the HDD tools section of the disc (this is the ONLY program I could find that will do this).
This completely erases all data including the Host Protected Area; the HPA can be difficult to clean (HDAT2, or Enhanced Secure Erase for SSDs).
I then clean the disks in diskpart before partitioning and formatting for NTFS. The disk is a genuine 64-bit version of Win 7, no cracks or P2P software AT ALL.
I do not use any CDs/DVDs I think may have been on a compromised system on the new system; I only get my drivers from the relevant manufacturer website, always the latest versions.
Anyway, today I started up my PC after a clean install last night, including all service packs and KB fixes, and after a period when my PC stalled for around a minute, through my headphones I heard an Eastern European accent say "No don't do tha" and it was gone. I didn't imagine it, it happened. We have a 50 Mb/s fibre optic broadband connection which for a lot of the time is only running at 20 Mb/s; after talking to our ISP they assure me that there are no technical issues at their end.
At times I do see 50 Mb/s, but for long periods the connection is not stable and it is as if the bandwidth is being strangled by something.
This has been going on for some time. In the house are four PCs running Win 7 32/64 Home Premium; no LAN networking is allowed until I think everything is safe. I have a 64-bit Ultimate version I do not dare use because it would have more functionality and could make for more problems than I currently have.
I have downloaded the Sysinternals tool suite and Wireshark to try and get a grip on what is happening. I have seen logs on my router where it has been port scanned by our ISP's DNS server, and I found an IP address of someone else on our ISP in the Wireshark logs. I did wonder if this is why the ISP's DNS server was scanning us: because someone else on our ISP's network port scanned my address going through our ISP's DNS server.
Any thoughts would be a great help. I'm currently all out of ideas as to how the infection could be sustaining itself through the format/clean/re-install cycle. I have got to the point now where the first time my suspicions are raised I just format and start again; sometimes this can be a few weeks, sometimes 24 hrs. I can do the process in around an hour now, except for the updates.
The thought I had was that I am being attacked before the updates are applied. I have seen events that make me feel this is sometimes the case, like running Wireshark to capture traffic only to find Wireshark is stopped for no good reason and the computer becomes "clunky", and then after a short while a running process suddenly and noticeably starts using more memory, not a steady increase but a jump in usage, normally explorer or winlogon. Is there any way I can capture the updates as a file so I can install them before I have to go online?
If anyone has any ideas please weigh in with them.
Win 7 64, Q8300 processor, 4 GB RAM, Gigabyte EP41-UD3L rev 1 board, ATI 5770 GPU, two Crucial C300 64 GB SSDs.
When I install, this is what I do.
First go to uninstall programs, to uninstall features: remote differential compression and everything else except system search, .NET Framework and Internet Explorer.
Apply the Microsoft Fix it to disable IPv6 except for the loopback interface (loopback is required to boot the computer).
Registry: HKLM/software/policies/microsoft/NT4.... create key DNSClient and DWORD (32-bit) EnableMulticast = 0.
Install motherboard drivers > restart.
Install the Comodo firewall with proactive defence.
PeerBlock 4 r484.
Advanced SystemCare.
Connect the Ethernet cable, make a static address config, untick everything except IPv4 and the Comodo security driver.
Disable in services:
Function discovery provider host.
Function discovery resource publication.
Internet connection sharing.
Link Layer Topology discovery.
Network access protection agent.
Peer networking group.
Peer networking identity manager.
PNRP machine name publication.
Remote access auto connection manager.
Remote access connection manager.
Remote desktop configurations.
Remote desktop services.
Remote procedure call locator.
Routing and remote access.
Smart card removal policy.
UPnP device host.
Windows remote management.
Then restart, connect to Microsoft Update and begin the slog of updating..... I also put a good strong password on the administrator account (net user administrator /active:yes).
The router has 4 addresses in the DHCP pool; each of the four computers on its LAN is statically assigned an address.
There have been times when I have been unable to access the network due to someone else using my address. I have checked the other PCs to find their configs correct and they can connect; I was then able to connect after turning one of those machines off and assigning its IP address to my machine. This has happened more than once. My PC is on from early am to late pm every day pretty much; in fact it can be relied on to be connected to the internet and available almost any time, unlike the other PCs in the house.
At times it seems their IP addresses have been in use when they switch on and try to use their assigned static address.
I need to learn some new stuff I think, and anybody that can help I will greatly appreciate it. Like I say, sometimes it can be a few weeks, sometimes a day, and getting your mail account hacked, having unexplained "you have been logged off by a remote user" messages, finding the registry going through unexplained and not initiated configuration runs after shutdown, finding a desktop configuration file being written to every DVD or CD you make, unexplained voices in your ears, defence events being triggered, finding services being reconfigured and at times password protected files showing up when you show all hidden files, to be told you do not have the access rights to delete or look at them, is annoying, and definitely not paranoia ;/) .
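Since the post reports services being reconfigured after a rebuild, a repeatable check against the baseline above is more useful than re-clicking through the Services panel. The following is an added example (not from the original post): an elevated PowerShell script that audits the listed services and the DNSClient EnableMulticast value, reports drift, and re-applies the baseline when run with -Apply. The service short names and the full policy key path (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient) are the standard Windows values and are assumed here; the post only gives display names and an abbreviated path.

```powershell
# Added example: audit (and optionally re-apply) the service/LLMNR baseline from the post.
# Run from an elevated prompt. Uses WMI for StartMode so it also works on Windows 7 / PowerShell 2.0.
param([switch]$Apply)

# Display name as listed in the post -> service short name (standard Windows names, assumed)
$services = @{
    'Function Discovery Provider Host'          = 'fdPHost'
    'Function Discovery Resource Publication'   = 'FDResPub'
    'Internet Connection Sharing'               = 'SharedAccess'
    'Link-Layer Topology Discovery Mapper'      = 'lltdsvc'
    'Network Access Protection Agent'           = 'napagent'
    'Peer Networking Grouping'                  = 'p2psvc'
    'Peer Networking Identity Manager'          = 'p2pimsvc'
    'PNRP Machine Name Publication Service'     = 'PNRPAutoReg'
    'Remote Access Auto Connection Manager'     = 'RasAuto'
    'Remote Access Connection Manager'          = 'RasMan'
    'Remote Desktop Configuration'              = 'SessionEnv'
    'Remote Desktop Services'                   = 'TermService'
    'Remote Procedure Call (RPC) Locator'       = 'RpcLocator'
    'Routing and Remote Access'                 = 'RemoteAccess'
    'Smart Card Removal Policy'                 = 'SCPolicySvc'
    'UPnP Device Host'                          = 'upnphost'
    'Windows Remote Management (WS-Management)' = 'WinRM'
}

$drift = 0
foreach ($name in $services.Values) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "$name is not present on this system"; continue }
    # Baseline: start type Disabled and not currently running
    if ($svc.StartMode -ne 'Disabled' -or $svc.State -eq 'Running') {
        $drift++
        Write-Host ("DRIFT  {0,-12} start={1,-9} state={2}" -f $name, $svc.StartMode, $svc.State)
        if ($Apply) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
        }
    }
}

# LLMNR: the post sets EnableMulticast = 0 under the DNSClient policy key
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$val = (Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($val -ne 0) {
    $drift++
    Write-Host "DRIFT  LLMNR EnableMulticast is '$val', expected 0"
    if ($Apply) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name EnableMulticast -PropertyType DWord -Value 0 -Force | Out-Null
    }
}
if ($Apply) { $suffix = ' (re-applied)' } else { $suffix = '' }
Write-Host "$drift setting(s) differ from the baseline$suffix"
```

Running it without -Apply after each reboot gives a quick record of which settings changed and when, which is more useful evidence than noticing "something is different" by feel.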