Can't change IP address
Hello, I am permanently under hacker attack and I just cannot change the IP any more. What I did:
1. Updated the BIOS, flashed the BIOS.
2. Deleted everything, erased the hard drive with a system eraser.
3. Disconnected the hard drive, moved the jumpers (all) for 10 sec, removed the memory, removed the battery.
4. Put everything back, installed Windows 7: still the same IP address. I did this many times, but always the same IP.
5. Installed a LAN card; for sure I got a new IP, but only once.
6. Made a bridged network; the same, I got a new IP only once.
So my best hacker friend knows all 3 IP addresses and I am running out of options. I got the system almost safe, but I cannot change the IP. It means somewhere there is a rootkit with modified LAN drivers, but where? I can install a new driver for the LAN on the motherboard, but no change. I cannot install the driver for the LAN card (cannot connect to the registry). I hope someone can help me out with that problem. Thank you
March 14th, 2011 6:18pm

If I understand the problem correctly, none of these changes will force a new IP. The IP assignment through DHCP is determined by the MAC address of the network adapter. This is why you got a new IP with a new network adapter. The real problem is: how are you being hacked? If you really must get a new IP, and I assume this is for legitimate reasons, you can change the MAC address of a NIC in the advanced properties of the NIC configuration, on 'most' NICs. However, I strongly discourage you from doing this, as all MAC addresses are unique and there is always the risk of having a duplicate MAC on a network segment, which can cause nightmares for a switch or router. Rob Williams
March 14th, 2011 6:24pm
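The reply above says the DHCP lease follows the adapter's MAC, not the disk, BIOS or OS. As an added example that is not from the thread, here is a minimal DHCP-style lease table in Python that behaves that way. It assumes the server keys leases by MAC (which is what Windows sends as its client identifier by default) and a one-day lease; both are assumptions for the example. The last function shows the duplicate-MAC problem Rob warns about: two hosts presenting the same MAC look like one client and receive the same address.

```python
"""Added example (not the thread's own code): a toy DHCP lease table keyed by
client MAC, to show why a wipe-and-reinstall keeps the old IP while a new NIC
(or a forged MAC) gets a new one. Lease length and pool are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional, Set

LEASE_SECONDS = 86_400  # assumed one-day lease


@dataclass
class Lease:
    ip: IPv4Address
    expires_at: int


class DhcpServer:
    """Hands out addresses from a pool; leases are keyed by the client's MAC."""

    def __init__(self, first: str, last: str) -> None:
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.pool = [IPv4Address(n) for n in range(lo, hi + 1)]
        self.leases: Dict[str, Lease] = {}

    def _in_use(self, now: int) -> Set[IPv4Address]:
        return {lease.ip for lease in self.leases.values() if lease.expires_at > now}

    def offer(self, mac: str, now: int) -> Optional[IPv4Address]:
        mac = mac.lower()
        lease = self.leases.get(mac)
        # Known client with a live lease: renew the same address. A wiped disk,
        # a new OS or a new hostname changes nothing here because none of them
        # is part of the key.
        if lease is not None and lease.expires_at > now:
            lease.expires_at = now + LEASE_SECONDS
            return lease.ip
        used = self._in_use(now)
        # Expired lease: still prefer the old address if nobody else took it.
        if lease is not None and lease.ip not in used:
            lease.expires_at = now + LEASE_SECONDS
            return lease.ip
        for ip in self.pool:
            if ip not in used:
                self.leases[mac] = Lease(ip, now + LEASE_SECONDS)
                return ip
        return None  # pool exhausted


def reinstall_keeps_ip() -> bool:
    """Same NIC before and after a wipe-and-reinstall: same address."""
    srv = DhcpServer("192.168.1.100", "192.168.1.110")
    before = srv.offer("00:11:22:33:44:55", now=0)
    after = srv.offer("00:11:22:33:44:55", now=3_600)  # fresh OS, same MAC
    return before == after


def new_nic_gets_new_ip() -> bool:
    """A different MAC (add-in LAN card, or a MAC override) lands on a new lease."""
    srv = DhcpServer("192.168.1.100", "192.168.1.110")
    onboard = srv.offer("00:11:22:33:44:55", now=0)
    addin = srv.offer("00:aa:bb:cc:dd:ee", now=60)
    return onboard != addin


def duplicate_mac_collides() -> bool:
    """Two hosts forged to the same MAC are one client to the server: both get
    the same address, which is the conflict the reply warns about."""
    srv = DhcpServer("192.168.1.100", "192.168.1.110")
    host_a = srv.offer("00:11:22:33:44:55", now=0)
    host_b = srv.offer("00:11:22:33:44:55", now=5)
    return host_a == host_b
```

The real check on a Windows 7 box is `ipconfig /all`: the "Physical Address" line is the key the DHCP server sees, and the lease times show when the address would even be eligible to change.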

I'd ask them here: http://answers.microsoft.com/en-us/windows/forum/windows_7?page=1&tab=all As far as I know a rootkit can't survive OS replacement, but try asking them here: http://forum.sysinternals.com/ Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]
March 14th, 2011 6:27pm

I would assume that your computer is within a private network, and therefore using a private IP such as 192.168.1.x. A hacker from the internet would not be able to access that IP directly. They would be using your public IP. If you have a public IP, there is not much you can do to prevent someone from trying to access your public IP. Are you allowing unsolicited traffic inside your network? Have you protected your router's admin account? Worst case scenario, if you know the public IP of the hacker, you could simply create a permanent entry in your routing table and "blackhole" that destination IP. For instance, if the destination IP is 65.100.1.1, then you could do something like this. Open your command prompt in elevated mode (admin):

ROUTE -p ADD 65.100.1.1 MASK 255.255.255.255 0.0.0.0

This will prevent any traffic leaving your computer to the destination address of 65.100.1.1. Visit: anITKB.com, an IT Knowledge Base.
March 14th, 2011 6:46pm
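A `ROUTE ADD` line is easy to get wrong in a way Windows silently refuses: a single host such as 65.100.1.1 needs MASK 255.255.255.255, because a destination with host bits set outside the mask (65.100.1.1 with 255.255.255.0) is not a valid prefix, and without `-p` the entry disappears at reboot. The following is an added example, not code from the reply or from anITKB.com: it checks a command line with the same rule the routing code applies and builds the correct single-host form. It only inspects the text; it does not touch the routing table.

```python
"""Added example (not from the original reply): validate a Windows ROUTE ADD
line before typing it, and emit the correct /32 blackhole form."""
import ipaddress
import re
from typing import Tuple

_ROUTE_ADD = re.compile(
    r"^ROUTE\s+(?:(-p)\s+)?ADD\s+(\S+)\s+MASK\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


def check_route(command: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok=False means Windows would refuse the route."""
    m = _ROUTE_ADD.match(command.strip())
    if m is None:
        return False, "not a ROUTE [-p] ADD <dest> MASK <mask> <gateway> command"
    persistent, dest, mask, gateway = m.groups()
    try:
        d = ipaddress.IPv4Address(dest)
        ipaddress.IPv4Address(gateway)
        net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")  # rejects non-contiguous masks
    except ValueError as exc:
        return False, f"bad address or mask: {exc}"
    # A valid prefix has no destination bits set where the mask is zero.
    host_bits = int(d) & ~int(net.netmask) & 0xFFFFFFFF
    if host_bits:
        return False, (f"{dest} has host bits set outside MASK {mask}; "
                       "a single host needs MASK 255.255.255.255")
    note = "persistent" if persistent else "lost at reboot (no -p)"
    return True, f"{dest}/{net.prefixlen} via {gateway}, {note}"


def host_blackhole(dest: str, gateway: str = "0.0.0.0") -> str:
    """The /32 form of the command for one address, made persistent with -p."""
    ipaddress.IPv4Address(dest)  # raises on a malformed address
    return f"ROUTE -p ADD {dest} MASK 255.255.255.255 {gateway}"
```

A route only affects packets your own machine sends. To refuse the address in both directions on Windows 7, the built-in firewall is the more direct tool: `netsh advfirewall firewall add rule name="block-65.100.1.1" dir=in action=block remoteip=65.100.1.1`, and the same rule again with `dir=out`.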

Thanks for the fast answers. Dave, I understand you and I also asked in Microsoft Answers, but I think I found the right guys here. Router: I gave up using a router, he damaged just too much of it and somehow he always finds a way to make things worse while I am using a router. The router is useless. How do I get hacked: most of the time with Adobe Flash Player, Shockwave Player or other player .exe, even the Microsoft player; there is also a network within. I am not sure if Firefox has to run over the localhost, but here is the TCPView output:

Process PID Protocol Local Address Local Port Remote Address Remote Port State
[System Process] 0 TCP aa-pc 50122 m.webtrends.com http TIME_WAIT
[System Process] 0 TCP aa-pc 50123 m.webtrends.com http TIME_WAIT
[System Process] 0 TCP aa-pc 50147 74.125.235.20 http TIME_WAIT
[System Process] 0 TCP aa-pc 50154 65.55.11.254 http TIME_WAIT
[System Process] 0 TCP aa-pc 50155 65.55.11.254 http TIME_WAIT
[System Process] 0 TCP aa-pc 50157 207.46.49.133 http TIME_WAIT
[System Process] 0 TCP aa-pc 50191 193.46.63.147 http TIME_WAIT
[System Process] 0 TCP aa-pc 50170 203.84.218.36 http TIME_WAIT
chrome.exe 2932 TCP aa-pc 50125 210.5.102.40.pldt.net http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50126 210.5.102.40.pldt.net http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50127 210.5.102.40.pldt.net http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50128 210.5.102.40.pldt.net http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50129 210.5.102.40.pldt.net http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50130 210.5.102.40.pldt.net http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50131 210.5.102.40.pldt.net http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50132 210.5.102.40.pldt.net http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50133 210.5.102.40.pldt.net http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50134 210.5.102.40.pldt.net http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50137 65.55.11.254 http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50138 210.5.102.40.pldt.net http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50146 74.125.235.20 http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50150 210.5.102.40.pldt.net http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50151 65.55.11.254 http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50152 65.55.11.254 http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50153 65.55.11.254 http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50156 207.46.49.133 http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50161 74.125.235.36 http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50162 209.85.175.138 http ESTABLISHED
chrome.exe 4000 UDP aa-PC 52072 * *
CLPS.exe 2732 UDP aa-PC 64435 * *
firefox.exe 1492 TCP aa-PC 50159 localhost 50160 ESTABLISHED
firefox.exe 1492 TCP aa-PC 50160 localhost 50159 ESTABLISHED
firefox.exe 1492 TCP aa-PC 50163 localhost 50164 ESTABLISHED
firefox.exe 1492 TCP aa-PC 50164 localhost 50163 ESTABLISHED
firefox.exe 1492 TCP aa-pc 50167 210.5.102.32 http ESTABLISHED
firefox.exe 1492 TCP aa-pc 50168 210.5.102.17 http ESTABLISHED
firefox.exe 1492 TCP aa-pc 50171 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50172 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50173 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50174 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50175 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50176 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50177 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50178 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50179 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50180 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50181 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50182 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50183 74.125.235.59 http ESTABLISHED
firefox.exe 1492 TCP aa-pc 50184 125.5.99.18 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50185 125.5.99.18 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50186 125.5.99.18 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50187 74.125.235.27 http ESTABLISHED
firefox.exe 1492 TCP aa-pc 50188 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50192 203.84.218.36 http CLOSE_WAIT
lsass.exe 564 TCP aa-PC 49157 aa-PC 0 LISTENING
lsass.exe 564 TCPV6 [0:0:0:0:0:0:0:0] 49157 [0:0:0:0:0:0:0:0] 0 LISTENING
services.exe 556 TCP aa-PC 49155 aa-PC 0 LISTENING
services.exe 556 TCPV6 [0:0:0:0:0:0:0:0] 49155 [0:0:0:0:0:0:0:0] 0 LISTENING
svchost.exe 788 TCP aa-PC epmap aa-PC 0 LISTENING
svchost.exe 324 TCP aa-PC 49153 aa-PC 0 LISTENING
svchost.exe 340 TCP aa-PC 49154 aa-PC 0 LISTENING
svchost.exe 1896 TCP aa-PC 49156 aa-PC 0 LISTENING
svchost.exe 340 UDP aa-PC isakmp * *
svchost.exe 340 UDP aa-PC ipsec-msft * *
svchost.exe 788 TCPV6 [0:0:0:0:0:0:0:0] epmap [0:0:0:0:0:0:0:0] 0 LISTENING
svchost.exe 324 TCPV6 [0:0:0:0:0:0:0:0] 49153 [0:0:0:0:0:0:0:0] 0 LISTENING
svchost.exe 340 TCPV6 [0:0:0:0:0:0:0:0] 49154 [0:0:0:0:0:0:0:0] 0 LISTENING
svchost.exe 1896 TCPV6 [0:0:0:0:0:0:0:0] 49156 [0:0:0:0:0:0:0:0] 0 LISTENING
svchost.exe 340 UDPV6 [0:0:0:0:0:0:0:0] 500 * *
svchost.exe 340 UDPV6 [0:0:0:0:0:0:0:0] 4500 * *
wininit.exe 440 TCP aa-PC 49152 aa-PC 0 LISTENING
wininit.exe 440 TCPV6 [0:0:0:0:0:0:0:0] 49152 [0:0:0:0:0:0:0:0] 0 LISTENING

Sometimes it looks wild with plenty of botnet proxy domains; this time it is only pldt.net.
March 14th, 2011 7:07pm
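A listing like the one in this post is easier to reason about once it is grouped: which process talks to which remote hosts, what is listening, and where connections are piling up in CLOSE_WAIT. The following is an added example, not the poster's code or a Sysinternals tool: a small parser for TCPView's text columns and a triage pass, run over a handful of lines copied from the listing above as constructed sample input. The allowlist of process names is an assumption for the example; a real review verifies the binary path and signature behind each name rather than trusting the name alone.

```python
"""Added example (not from the thread): parse TCPView text output and group it
for triage. SAMPLE is constructed from a subset of the lines in the post."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SAMPLE = """\
[System Process] 0 TCP aa-pc 50122 m.webtrends.com http TIME_WAIT
chrome.exe 2932 TCP aa-pc 50125 210.5.102.40.pldt.net http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50137 65.55.11.254 http ESTABLISHED
chrome.exe 4000 UDP aa-PC 52072 * *
CLPS.exe 2732 UDP aa-PC 64435 * *
firefox.exe 1492 TCP aa-PC 50159 localhost 50160 ESTABLISHED
firefox.exe 1492 TCP aa-pc 50171 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50172 125.5.99.19 http CLOSE_WAIT
firefox.exe 1492 TCP aa-pc 50183 74.125.235.59 http ESTABLISHED
lsass.exe 564 TCP aa-PC 49157 aa-PC 0 LISTENING
svchost.exe 788 TCP aa-PC epmap aa-PC 0 LISTENING
svchost.exe 340 UDP aa-PC isakmp * *
wininit.exe 440 TCPV6 [0:0:0:0:0:0:0:0] 49152 [0:0:0:0:0:0:0:0] 0 LISTENING
"""

PROTOCOLS = {"TCP", "TCPV6", "UDP", "UDPV6"}
LOCAL = {"localhost", "127.0.0.1", "[::1]", "*"}


@dataclass(frozen=True)
class Socket:
    process: str
    pid: int
    proto: str
    laddr: str
    lport: str
    raddr: str
    rport: str
    state: str  # empty for UDP, which has no state column


def parse_tcpview(text: str) -> List[Socket]:
    """Locate the protocol column and split outward from it, so a process name
    that contains a space ('[System Process]') still parses."""
    out: List[Socket] = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 7:
            continue
        idx = next((i for i, t in enumerate(toks) if t.upper() in PROTOCOLS), None)
        if idx is None or idx < 2:
            continue
        process = " ".join(toks[:idx - 1])
        pid, proto = int(toks[idx - 1]), toks[idx].upper()
        rest = toks[idx + 1:]
        laddr, lport, raddr, rport = rest[:4]
        state = rest[4] if len(rest) > 4 else ""
        out.append(Socket(process, pid, proto, laddr, lport, raddr, rport, state))
    return out


def remote_peers(socks: List[Socket]) -> Dict[str, Counter]:
    """Remote endpoints per process, ignoring loopback, wildcard and listeners."""
    peers: Dict[str, Counter] = defaultdict(Counter)
    for s in socks:
        if s.state == "LISTENING" or s.raddr in LOCAL:
            continue
        peers[s.process][s.raddr] += 1
    return peers


def listeners(socks: List[Socket]) -> List[Tuple[str, str, str]]:
    """(process, proto, port) for each listening TCP socket and each bound UDP socket."""
    return sorted({(s.process, s.proto, s.lport) for s in socks
                   if s.state == "LISTENING" or s.proto.startswith("UDP")})


def close_wait_by_process(socks: List[Socket]) -> Counter:
    """CLOSE_WAIT: the peer closed, the local program has not. Many of them
    against one host point at a client that is leaking connections."""
    return Counter(s.process for s in socks if s.state == "CLOSE_WAIT")


# Assumed allowlist for the example only: names expected on a Windows 7 box.
KNOWN = {"[System Process]", "chrome.exe", "firefox.exe", "lsass.exe",
         "services.exe", "svchost.exe", "wininit.exe"}


def unknown_processes(socks: List[Socket], known: Set[str] = KNOWN) -> Set[str]:
    """Names with network activity that are not on the allowlist: look these up
    first (full path, publisher signature, what created them)."""
    return {s.process for s in socks if s.process not in known}
```

On the sample, the only name outside the allowlist is CLPS.exe, which holds a UDP socket; that says nothing by itself, only that it is the first thing to identify. The firefox.exe pile-up of CLOSE_WAIT sockets to 125.5.99.19 is the other thing the grouping surfaces.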

It sounds like you need a new friend :-) If you use a router and you do not enable remote management of the router, and you do not share files with your friend, how are they accessing your PC? As mentioned, if necessary you can change the MAC of your PC and receive a new IP. However, this doesn't sound like a support question as much as assistance between two friends trying to hack one another. I assume the hacker friend is not part of your LAN. Rob Williams
March 14th, 2011 7:28pm

Hello Rob, you are sooo right, but it is hard to find good friends. Look, those are the last attacks while I am writing here. Don't worry, I cannot hack and I never will hack someone, and I also don't like to share files with my friend; he has stolen and damaged already so much.

Date/Time Application Action Target
2011-03-14 05:09:51 C:\Users\aa\AppData\Local\Google\Chrome\APPLIC~1\chrome.exe Sandboxed As Partially Limited
2011-03-14 05:09:59 C:\Users\aa\AppData\Local\Google\Chrome\Application\chrome.exe Access Memory System
2011-03-14 06:34:29 C:\Users\aa\AppData\Local\Google\Chrome\Application\chrome.exe Install Hook C:\Windows\system32\dwmapi.dll
2011-03-14 07:09:40 C:\Windows\System32\taskhost.exe Modify File C:\Windows\ServiceProfiles\LocalService
2011-03-14 07:10:00 C:\Windows\System32\taskhost.exe Modify File C:\Windows\ServiceProfiles\LocalService
2011-03-14 07:11:28 C:\Users\aa\AppData\Local\Google\Chrome\APPLIC~1\chrome.exe Sandboxed As Partially Limited
2011-03-14 07:11:44 C:\Users\aa\AppData\Local\Google\Chrome\APPLIC~1\chrome.exe Sandboxed As Partially Limited
2011-03-14 07:38:18 C:\Windows\System32\notepad.exe Direct Keyboard Access C:\Windows\system32\NOTEPAD.EXE
2011-03-14 07:49:17 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify Key HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 07:51:17 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify File C:\Windows\system32\catroot
2011-03-14 07:51:19 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify Key HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 07:53:17 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenserviceclientlock.dat
2011-03-14 07:53:20 C:\Users\aa\AppData\Local\Google\Chrome\APPLIC~1\chrome.exe Sandboxed As Partially Limited
2011-03-14 07:53:26 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenserviceclientlock.dat
2011-03-14 07:53:28 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify File C:\Windows\System32\CatRoot2\dberr.txt
2011-03-14 07:53:37 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify File C:\Windows\system32\catroot
2011-03-14 07:53:42 C:\Users\aa\AppData\Local\Google\Chrome\APPLIC~1\chrome.exe Sandboxed As Partially Limited
2011-03-14 07:55:32 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify Key HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 07:55:57 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify Key HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 07:56:06 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify File C:\Windows\system32\catroot
2011-03-14 08:00:01 C:\Windows\System32\wsqmcons.exe Create Process C:\Windows\System32\schtasks.exe
2011-03-14 08:00:21 C:\Windows\System32\wsqmcons.exe Modify File C:\Windows\system32\LogFiles\SQM
2011-03-14 08:00:25 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify Key HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:00:25 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify File C:\Windows\system32\catroot
2011-03-14 08:00:34 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify Key HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:00:34 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify File C:\Windows\system32\catroot
2011-03-14 08:00:40 C:\Windows\System32\wsqmcons.exe Modify File C:\Windows\system32\LogFiles\SQM
2011-03-14 08:01:12 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify Key HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:01:12 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify File C:\Windows\system32\catroot
2011-03-14 08:01:44 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify Key HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:01:44 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify File C:\Windows\system32\catroot
2011-03-14 08:07:23 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify Key HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:07:23 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify File C:\Windows\system32\catroot
2011-03-14 08:07:39 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify Key HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:07:39 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify File C:\Windows\system32\catroot
2011-03-14 08:08:31 C:\Users\aa\Desktop\tcp\Tcpview.exe DNS/RPC Client Access
2011-03-14 08:08:59 C:\Users\aa\Desktop\tcp\Tcpview.exe DNS/RPC Client Access
2011-03-14 08:08:59 C:\Users\aa\Desktop\tcp\Tcpview.exe DNS/RPC Client Access
2011-03-14 08:10:05 C:\Users\aa\Desktop\tcp\Tcpview.exe Access Memory C:\Windows\explorer.exe
2011-03-14 08:10:16 C:\Users\aa\Desktop\tcp\Tcpview.exe Direct Keyboard Access
2011-03-14 08:10:16 C:\Users\aa\Desktop\tcp\Tcpview.exe Access Memory C:\Windows\explorer.exe
2011-03-14 08:10:19 C:\Windows\System32\notepad.exe Direct Keyboard Access C:\Windows\system32\NOTEPAD.EXE
2011-03-14 08:10:55 C:\Windows\System32\taskhost.exe Modify File C:\Windows\ServiceProfiles\LocalService
2011-03-14 08:11:10 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify Key HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:11:10 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify File C:\Windows\system32\catroot
2011-03-14 08:11:30 C:\Program Files (x86)\Mozilla Firefox\firefox.exe Direct Keyboard Access
2011-03-14 08:11:34 C:\Windows\System32\taskhost.exe Modify File C:\Windows\ServiceProfiles\LocalService
2011-03-14 08:11:34 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify Key HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:11:34 C:\Program Files\Windows Media Player\wmpnetwk.exe Modify File C:\Windows\system32\catroot
2011-03-14 08:11:59 C:\Users\aa\Desktop\tcp\Tcpview.exe DNS/RPC Client Access
2011-03-14 08:12:12 C:\Users\aa\Desktop\tcp\Tcpview.exe DNS/RPC Client Access
2011-03-14 08:12:12 C:\Users\aa\Desktop\tcp\Tcpview.exe DNS/RPC Client Access
2011-03-14 08:12:21 C:\Users\aa\Desktop\tcp\Tcpview.exe Access Memory C:\Windows\explorer.exe
2011-03-14 08:12:21 C:\Users\aa\Desktop\tcp\Tcpview.exe DNS/RPC Client Access
2011-03-14 08:12:27 C:\Users\aa\Desktop\tcp\Tcpview.exe Direct Keyboard Access
2011-03-14 08:12:27 C:\Users\aa\Desktop\tcp\Tcpview.exe DNS/RPC Client Access
2011-03-14 08:12:27 C:\Users\aa\Desktop\tcp\Tcpview.exe Access Memory C:\Windows\explorer.exe
2011-03-14 08:12:27 C:\Users\aa\Desktop\tcp\Tcpview.exe DNS/RPC Client Access
2011-03-14 08:12:27 C:\Users\aa\Desktop\tcp\Tcpview.exe DNS/RPC Client Access
2011-03-14 08:12:43 C:\Windows\System32\notepad.exe Direct Keyboard Access C:\Windows\system32\NOTEPAD.EXE
2011-03-14 08:12:49 C:\Users\aa\Desktop\tcp\Tcpview.exe DNS/RPC Client Access
2011-03-14 08:35:41 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenserviceclientlock.dat
2011-03-14 08:36:48 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenserviceclientlock.dat
2011-03-14 08:36:56 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenserviceclientlock.dat
2011-03-14 08:37:30 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Modify File C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenserviceclientlock.dat
March 14th, 2011 7:34pm

You need to be using a NAT router with stateful packet inspection between your Windows hosts and the Internet. Disable remote administration, as was said, and don't port forward to your internal LAN hosts. Wipe HDDs using a tool like PDWipe. Reinstall Windows. Patch Windows. Install MS Security Essentials (or other preferred anti-x like NOD32). Install the latest versions of Adobe software (and check for updates regularly). Stay away from malicious websites; use NoScript, Adblock, etc. The odds of someone rooting your machine if you do all of that are very slim. Use other third-party tools such as Malwarebytes or WinMHR to periodically scan your hosts for malicious software. If you want to go the extra mile, invest in something like a Cisco ASA 5505 firewall, which can do application layer inspection. Matt W. CCNP, CCDA, CCNA-S, RHCT, MCSE, MCSA, MCP+I, A+
March 14th, 2011 7:50pm

Hello mattjw916, I understand all of that and thank you for the advice, but how can I do this: "don't port forward to your internal LAN hosts"? Thank you
March 14th, 2011 7:57pm

Assuming you are using PAT to translate an internal private address to a public internet-routable IP address, the only way external hosts could directly connect from the outside to the inside is if you were using port forwarding. That is, if your inside local_ip was 192.168.0.1 and your outside global_ip was 55.100.61.4, then in order for an external host to reach your inside host to, for example, RDP to it using TCP 3389, you would have to set up port-forwarding rules so that incoming connections to 55.100.61.4 port 3389 would be translated and forwarded to 192.168.0.1 port 3389. If you don't configure port forwarding, external hosts cannot directly reach your inside hosts with traffic sourced from the outside. Matt W. CCNP, CCDA, CCNA-S, RHCT, MCSE, MCSA, MCP+I, A+
March 14th, 2011 8:09pm
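The explanation above can be seen in a few dozen lines. What follows is an added example, not the poster's code or any router's firmware: a toy PAT table that creates a translation entry when the inside host opens a connection, hands the matching reply back to it, and drops anything arriving from the outside that matches neither an entry nor a port-forward rule. It reuses the reply's 192.168.0.1 and 55.100.61.4; the remote hosts, ports and the 40000 starting port are constructed for the example.

```python
"""Added example (not from the thread): a minimal stateful PAT router showing
why outside-sourced traffic reaches the LAN only through a port-forward rule."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# translation entry: (inside_ip, inside_port, remote_ip, remote_port)
Entry = Tuple[str, int, str, int]


class PatRouter:
    def __init__(self, public_ip: str, lan_prefix: str = "192.168.0.") -> None:
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix
        self.next_port = 40000  # first translated source port (assumed)
        self.table: Dict[Tuple[str, int], Entry] = {}          # (proto, public port)
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_port_forward(self, proto: str, public_port: int,
                         inside_ip: str, inside_port: int) -> None:
        """Static rule: outside -> public_ip:public_port lands on inside_ip:inside_port.
        This is the only path for traffic sourced on the outside."""
        self.forwards[(proto, public_port)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public IP and a unique port,
        remembering the flow so the reply can be matched."""
        if not pkt.src.startswith(self.lan_prefix):
            raise ValueError(f"{pkt.src} is not an inside address")
        flow: Entry = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (proto, pub_port), entry in self.table.items():
            if proto == pkt.proto and entry == flow:  # existing flow, reuse port
                return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, pkt.proto)
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, pub_port)] = flow
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only a reply to a recorded flow or a packet
        matching a port-forward rule; anything else is dropped (None)."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is not None:
            inside_ip, inside_port, remote_ip, remote_port = entry
            # Stateful check: the reply must come from the peer the inside host
            # actually contacted, not merely hit the translated port.
            if (pkt.src, pkt.sport) == (remote_ip, remote_port):
                return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.proto)
            return None
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:
            return Packet(pkt.src, pkt.sport, fwd[0], fwd[1], pkt.proto)
        return None  # unsolicited: nothing inside asked for this


def demo() -> Tuple[bool, bool, bool]:
    """(reply delivered, unsolicited RDP dropped, RDP delivered once forwarded)"""
    r = PatRouter("55.100.61.4")
    out = r.outbound(Packet("192.168.0.1", 51000, "203.0.113.10", 80))
    reply = r.inbound(Packet("203.0.113.10", 80, "55.100.61.4", out.sport))
    rdp = Packet("198.51.100.7", 4444, "55.100.61.4", 3389)
    dropped = r.inbound(rdp) is None
    r.add_port_forward("tcp", 3389, "192.168.0.1", 3389)  # the thing not to do
    forwarded = r.inbound(rdp)
    return (reply is not None and reply.dst == "192.168.0.1" and reply.dport == 51000,
            dropped,
            forwarded is not None and forwarded.dst == "192.168.0.1")
```

The practical reading of this: on a home router, "don't port forward" means leaving the port-forwarding (sometimes called virtual server) table empty and turning off UPnP, which lets programs on the LAN add such rules for themselves.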

Thank you guys, I will try my best and keep you updated. :) Have a nice day
March 14th, 2011 8:22pm

