Can't change IP address
Hello,
I am permanently under hacker attack and I just cannot change the IP anymore.
What I did:
1. Update BIOS, flash BIOS.
2. Delete everything, erase the hard drive with a system eraser.
3. Disconnect the hard drive, move the jumpers (all of them) for 10 sec., remove the memory, remove the battery.
4. Put everything back, install Windows 7; still the same IP address.
I did this many times, but always the same IP.
5. Install a LAN card; for sure I got a new IP, but only one time.
6. I made a bridge network; the same, I got a new IP only one time.
So my best hacker friend knows all 3 IP addresses and I am running out of options. I got the system almost safe, but I cannot change the IP.
It means somewhere there is a rootkit with the modified LAN drivers, but where?
I can install a new driver for the LAN on the motherboard, but no change.
I cannot install the driver for the LAN card (cannot connect to the registry).
I hope someone can help me out with that problem.
Thank you
March 14th, 2011 6:18pm
If I understand the problem correctly, none of these changes will force a new IP. The IP assignment through DHCP is determined by the MAC address of the network adapter. This is why you got a new IP with a new network adapter. The real problem is how are you being hacked? If you really must get a new IP, and I assume this is for legitimate reasons, you can change the MAC address of a NIC in the advanced properties of the NIC configuration, on 'most' NICs. However, I strongly discourage you from doing this, as all MAC addresses are unique and there is always the risk of having a duplicate MAC on a network segment, which can cause nightmares for a switch or router.
Rob Williams
March 14th, 2011 6:24pm
I'd ask them here.
http://answers.microsoft.com/en-us/windows/forum/windows_7?page=1&tab=all
As far as I know a rootkit can't survive OS replacement, but try asking them here.
http://forum.sysinternals.com/
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows]
March 14th, 2011 6:27pm
I would assume that your computer is within a private network, and therefore using a private IP such as 192.168.1.x. A hacker from the internet would not be able to access that IP directly. They would be using your public IP. If you have a public IP, there is not much you can do to prevent someone from trying to access your public IP.
Are you allowing unsolicited traffic inside your network? Have you protected your router's admin account?
Worst case scenario, if you know the public IP of the hacker, you could simply just create a permanent entry in your routing table and "blackhole" that destination IP. For instance, if the destination IP is 65.100.1.1, then you could do something like:
Open your command prompt in elevated mode (admin)
ROUTE -p ADD 65.100.1.1 MASK 255.255.255.255 0.0.0.0
This will prevent any traffic leaving your computer to the destination address of 65.100.1.1.
Visit: anITKB.com, an IT Knowledge Base.
March 14th, 2011 6:46pm
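The blackhole route above, worked through as an added example (this is not code from the post or from anITKB). Two details decide whether it works at all: Windows' ROUTE ADD only accepts a destination whose host bits are clear under its mask, so a single host needs MASK 255.255.255.255 rather than 255.255.255.0, and the -p switch is what makes the entry survive a reboot. The script below checks that rule, builds the command, and runs a longest-prefix lookup over a constructed route table so you can see the /32 entry winning over the default route for that one address only. The sample table, the 192.168.1.1 gateway, the metrics and the firewall rule names are assumptions for illustration.

```python
"""Added example: validate a Windows-style blackhole host route and show
which table entry a packet to that host would use. Not code from the
original post; the sample table and rule names are assumptions."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    dest: str      # network destination as ROUTE PRINT shows it
    mask: str      # dotted netmask
    gateway: str   # "0.0.0.0" = no next hop (on-link / blackhole entry)
    metric: int


def route_is_valid(dest: str, mask: str) -> bool:
    """ROUTE ADD rejects a destination with host bits set under its mask
    ("The parameter is incorrect"), so 65.100.1.1 needs 255.255.255.255."""
    d = int(ipaddress.IPv4Address(dest))
    m = int(ipaddress.IPv4Address(mask))
    return d & m == d


def blackhole_route_cmd(host: str, persistent: bool = True) -> str:
    """Command for a single-host blackhole; -p keeps it across reboots."""
    ipaddress.IPv4Address(host)          # raises ValueError on bad input
    flag = "-p " if persistent else ""
    return f"ROUTE {flag}ADD {host} MASK 255.255.255.255 0.0.0.0"


def firewall_block_cmds(host: str) -> List[str]:
    """Windows Firewall rules that block the host in both directions
    (the rule name is an assumption; the netsh advfirewall syntax is real)."""
    ipaddress.IPv4Address(host)
    return [
        f'netsh advfirewall firewall add rule name="Block {host} {d}" '
        f"dir={d} action=block remoteip={host}"
        for d in ("in", "out")
    ]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, lower metric breaks ties: the /32 blackhole
    wins over the 0.0.0.0/0 default route for that one address only."""
    ip = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    best_len = -1
    for r in table:
        if not route_is_valid(r.dest, r.mask):
            continue                      # Windows would never have installed it
        net = ipaddress.IPv4Network(f"{r.dest}/{r.mask}")
        if ip not in net:
            continue
        if net.prefixlen > best_len or (
            net.prefixlen == best_len and best is not None and r.metric < best.metric
        ):
            best, best_len = r, net.prefixlen
    return best


# Constructed table, roughly what ROUTE PRINT lists on a home LAN host.
SAMPLE_TABLE = [
    Route("0.0.0.0", "0.0.0.0", "192.168.1.1", 10),          # default route via the router
    Route("192.168.1.0", "255.255.255.0", "0.0.0.0", 266),   # on-link LAN
    Route("65.100.1.1", "255.255.255.255", "0.0.0.0", 1),     # the blackhole entry
]

if __name__ == "__main__":
    print(blackhole_route_cmd("65.100.1.1"))
    print("\n".join(firewall_block_cmds("65.100.1.1")))
    for dst in ("65.100.1.1", "65.100.1.2"):
        print(dst, "->", lookup(SAMPLE_TABLE, dst))
```

A host route only governs packets this machine originates: a packet arriving from 65.100.1.1 still reaches the TCP/IP stack (a TCP handshake then fails because the reply cannot be routed, but UDP and ICMP are still processed). The two netsh rules the second function prints block the address in both directions and are the more direct control; after either change, ROUTE PRINT or netsh advfirewall firewall show rule name=all is the place to verify the entry actually took.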
Thanks for the fast answers.
Dave, I understand you and I also asked in Microsoft Answers, but I think I found the right guys here.
Router: I gave up using a router; he damaged just too much of it, and somehow he always finds a way to make things worse while I am using a router. The router is useless.
How do I get hacked: most of the time with Adobe Flash Player, Shockwave Player or other player exe, even Microsoft player; there is also a network within.
I am not sure if Firefox has to run over the localhost, but here is the TCPView output.
Process           PID   Proto  Local Addr          Local Port  Remote Addr            Remote Port  State
[System Process]  0     TCP    aa-pc               50122       m.webtrends.com        http         TIME_WAIT
[System Process]  0     TCP    aa-pc               50123       m.webtrends.com        http         TIME_WAIT
[System Process]  0     TCP    aa-pc               50147       74.125.235.20          http         TIME_WAIT
[System Process]  0     TCP    aa-pc               50154       65.55.11.254           http         TIME_WAIT
[System Process]  0     TCP    aa-pc               50155       65.55.11.254           http         TIME_WAIT
[System Process]  0     TCP    aa-pc               50157       207.46.49.133          http         TIME_WAIT
[System Process]  0     TCP    aa-pc               50191       193.46.63.147          http         TIME_WAIT
[System Process]  0     TCP    aa-pc               50170       203.84.218.36          http         TIME_WAIT
chrome.exe        2932  TCP    aa-pc               50125       210.5.102.40.pldt.net  http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50126       210.5.102.40.pldt.net  http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50127       210.5.102.40.pldt.net  http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50128       210.5.102.40.pldt.net  http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50129       210.5.102.40.pldt.net  http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50130       210.5.102.40.pldt.net  http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50131       210.5.102.40.pldt.net  http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50132       210.5.102.40.pldt.net  http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50133       210.5.102.40.pldt.net  http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50134       210.5.102.40.pldt.net  http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50137       65.55.11.254           http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50138       210.5.102.40.pldt.net  http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50146       74.125.235.20          http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50150       210.5.102.40.pldt.net  http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50151       65.55.11.254           http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50152       65.55.11.254           http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50153       65.55.11.254           http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50156       207.46.49.133          http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50161       74.125.235.36          http         ESTABLISHED
chrome.exe        2932  TCP    aa-pc               50162       209.85.175.138         http         ESTABLISHED
chrome.exe        4000  UDP    aa-PC               52072       *                      *
CLPS.exe          2732  UDP    aa-PC               64435       *                      *
firefox.exe       1492  TCP    aa-PC               50159       localhost              50160        ESTABLISHED
firefox.exe       1492  TCP    aa-PC               50160       localhost              50159        ESTABLISHED
firefox.exe       1492  TCP    aa-PC               50163       localhost              50164        ESTABLISHED
firefox.exe       1492  TCP    aa-PC               50164       localhost              50163        ESTABLISHED
firefox.exe       1492  TCP    aa-pc               50167       210.5.102.32           http         ESTABLISHED
firefox.exe       1492  TCP    aa-pc               50168       210.5.102.17           http         ESTABLISHED
firefox.exe       1492  TCP    aa-pc               50171       125.5.99.19            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50172       125.5.99.19            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50173       125.5.99.19            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50174       125.5.99.19            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50175       125.5.99.19            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50176       125.5.99.19            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50177       125.5.99.19            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50178       125.5.99.19            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50179       125.5.99.19            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50180       125.5.99.19            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50181       125.5.99.19            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50182       125.5.99.19            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50183       74.125.235.59          http         ESTABLISHED
firefox.exe       1492  TCP    aa-pc               50184       125.5.99.18            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50185       125.5.99.18            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50186       125.5.99.18            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50187       74.125.235.27          http         ESTABLISHED
firefox.exe       1492  TCP    aa-pc               50188       125.5.99.19            http         CLOSE_WAIT
firefox.exe       1492  TCP    aa-pc               50192       203.84.218.36          http         CLOSE_WAIT
lsass.exe         564   TCP    aa-PC               49157       aa-PC                  0            LISTENING
lsass.exe         564   TCPV6  [0:0:0:0:0:0:0:0]   49157       [0:0:0:0:0:0:0:0]      0            LISTENING
services.exe      556   TCP    aa-PC               49155       aa-PC                  0            LISTENING
services.exe      556   TCPV6  [0:0:0:0:0:0:0:0]   49155       [0:0:0:0:0:0:0:0]      0            LISTENING
svchost.exe       788   TCP    aa-PC               epmap       aa-PC                  0            LISTENING
svchost.exe       324   TCP    aa-PC               49153       aa-PC                  0            LISTENING
svchost.exe       340   TCP    aa-PC               49154       aa-PC                  0            LISTENING
svchost.exe       1896  TCP    aa-PC               49156       aa-PC                  0            LISTENING
svchost.exe       340   UDP    aa-PC               isakmp      *                      *
svchost.exe       340   UDP    aa-PC               ipsec-msft  *                      *
svchost.exe       788   TCPV6  [0:0:0:0:0:0:0:0]   epmap       [0:0:0:0:0:0:0:0]      0            LISTENING
svchost.exe       324   TCPV6  [0:0:0:0:0:0:0:0]   49153       [0:0:0:0:0:0:0:0]      0            LISTENING
svchost.exe       340   TCPV6  [0:0:0:0:0:0:0:0]   49154       [0:0:0:0:0:0:0:0]      0            LISTENING
svchost.exe       1896  TCPV6  [0:0:0:0:0:0:0:0]   49156       [0:0:0:0:0:0:0:0]      0            LISTENING
svchost.exe       340   UDPV6  [0:0:0:0:0:0:0:0]   500         *                      *
svchost.exe       340   UDPV6  [0:0:0:0:0:0:0:0]   4500        *                      *
wininit.exe       440   TCP    aa-PC               49152       aa-PC                  0            LISTENING
wininit.exe       440   TCPV6  [0:0:0:0:0:0:0:0]   49152       [0:0:0:0:0:0:0:0]      0            LISTENING
Sometimes it looks wild, with plenty of botnet proxy domains; this time it is only pldt.net.
March 14th, 2011 7:07pm
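One way to triage a dump like the one above, as an added example that is not part of the original post: parse the TCPView rows, pair up the localhost-to-localhost sockets (a browser talking to itself shows as two sockets, one per direction), list every listener not bound to loopback (reachable from the network unless a firewall blocks it), group remote endpoints per process, and flag process names the operator cannot account for. The sample rows are constructed from the post's dump, the last row and the KNOWN_PROCESSES allow-list are assumptions, and CLPS.exe is flagged only because it is not on that list; the post establishes nothing about it.

```python
"""Added example: triage a TCPView / netstat-style dump. Not code from the
post; SAMPLE is constructed from the dump in the post (last row made up),
KNOWN_PROCESSES and LOCAL_NAMES are assumptions."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Conn(NamedTuple):
    process: str
    pid: int
    proto: str
    laddr: str
    lport: str
    raddr: str
    rport: str
    state: str


# One socket per row, in TCPView's column order:
# Process PID Protocol LocalAddr LocalPort RemoteAddr RemotePort [State]
ROW = re.compile(
    r"^(?P<process>.+?)\s+(?P<pid>\d+)\s+(?P<proto>TCP\w*|UDP\w*)\s+"
    r"(?P<laddr>\S+)\s+(?P<lport>\S+)\s+(?P<raddr>\S+)\s+(?P<rport>\S+)\s*(?P<state>\S*)$"
)

SAMPLE = """\
[System Process] 0 TCP aa-pc 50122 m.webtrends.com http TIME_WAIT
chrome.exe 2932 TCP aa-pc 50125 210.5.102.40 http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50126 210.5.102.40 http ESTABLISHED
chrome.exe 2932 TCP aa-pc 50137 65.55.11.254 http ESTABLISHED
chrome.exe 4000 UDP aa-PC 52072 * *
CLPS.exe 2732 UDP aa-PC 64435 * *
firefox.exe 1492 TCP aa-PC 50159 localhost 50160 ESTABLISHED
firefox.exe 1492 TCP aa-PC 50160 localhost 50159 ESTABLISHED
firefox.exe 1492 TCP aa-pc 50171 125.5.99.19 http CLOSE_WAIT
lsass.exe 564 TCP aa-PC 49157 aa-PC 0 LISTENING
svchost.exe 788 TCPV6 [0:0:0:0:0:0:0:0] epmap [0:0:0:0:0:0:0:0] 0 LISTENING
svchost.exe 340 UDP aa-PC isakmp * *
example-agent.exe 9999 TCP 0.0.0.0 4444 0.0.0.0 0 LISTENING
"""
# (the example-agent.exe row is invented to exercise the listener check)

# Processes the operator can account for on this machine (assumed list).
KNOWN_PROCESSES = {"[system process]", "chrome.exe", "firefox.exe", "lsass.exe",
                   "services.exe", "svchost.exe", "wininit.exe", "tcpview.exe"}
LOCAL_NAMES = {"aa-pc"}   # this host's own name as TCPView prints it


def parse(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            g = m.groupdict()
            conns.append(Conn(g["process"], int(g["pid"]), g["proto"].upper(),
                              g["laddr"], g["lport"], g["raddr"], g["rport"], g["state"]))
    return conns


def is_loopback(host: str) -> bool:
    return host.lower() in {"localhost", "127.0.0.1", "[::1]", "[0:0:0:0:0:0:0:1]"}


def is_unbound(host: str) -> bool:
    return host in {"*", "0.0.0.0", "[::]", "[0:0:0:0:0:0:0:0]"}


def is_remote(host: str) -> bool:
    return not (is_loopback(host) or is_unbound(host) or host.lower() in LOCAL_NAMES)


def public_remotes(conns: List[Conn]) -> List[str]:
    """Remote endpoints that are literal, globally routable IPs (hostnames skipped)."""
    out = set()
    for c in conns:
        try:
            if ipaddress.ip_address(c.raddr.strip("[]")).is_global:
                out.add(c.raddr)
        except ValueError:
            pass
    return sorted(out)


def triage(conns: List[Conn]) -> Dict[str, object]:
    # loopback sockets come in pairs (A:x -> A:y and A:y -> A:x) in one process
    loop = defaultdict(set)
    for c in conns:
        if is_loopback(c.raddr):
            loop[(c.process, c.pid)].add((c.lport, c.rport))
    pairs = sorted((proc, pid, lp, rp) for (proc, pid), ends in loop.items()
                   for lp, rp in ends if (rp, lp) in ends and lp < rp)
    # anything LISTENING off loopback is reachable from the network unless filtered
    exposed = [(c.process, c.pid, c.proto, c.lport)
               for c in conns if c.state == "LISTENING" and not is_loopback(c.laddr)]
    remote = defaultdict(set)
    for c in conns:
        if is_remote(c.raddr):
            remote[c.process].add(c.raddr)
    unknown = sorted({c.process for c in conns if c.process.lower() not in KNOWN_PROCESSES})
    return {"loopback_pairs": pairs,
            "exposed_listeners": exposed,
            "remote_by_process": {k: sorted(v) for k, v in remote.items()},
            "unknown_processes": unknown}


if __name__ == "__main__":
    rows = parse(SAMPLE)
    for k, v in triage(rows).items():
        print(k, v)
    print("public_remotes", public_remotes(rows))
```

The Firefox localhost pairs come out as one self-connection rather than two suspicious sockets, lsass/services/svchost/wininit listeners on the dynamic port range are the normal RPC endpoints but are still listed as network-reachable, and the per-process remote list is what to compare against what you were actually doing in the browser at the time. Resolving the flagged names (here CLPS.exe) on disk, with the file's signer and path, is the next step the list points at.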
It sounds like you need a new friend :-)
If you use a router and you do not enable remote management of the router, and you do not share files with your friend, how are they accessing your PC? As mentioned, if necessary you can change the MAC of your PC and receive a new IP. However, this doesn't sound like a support question as much as assistance between two friends trying to hack one another. I assume the hacker friend is not part of your LAN.
Rob Williams
March 14th, 2011 7:28pm
Hello Rob,
You are sooo right, but it is hard to find good friends. Look, these are the last attacks while I am writing here.
Don't worry, I cannot hack and I never will hack someone, and I also don't like to share files with my friend; he has already stolen and damaged so much.
Date/Time | Application | Action | Target
2011-03-14 05:09:51 | C:\Users\aa\AppData\Local\Google\Chrome\APPLIC~1\chrome.exe | Sandboxed As Partially Limited
2011-03-14 05:09:59 | C:\Users\aa\AppData\Local\Google\Chrome\Application\chrome.exe | Access Memory | System
2011-03-14 06:34:29 | C:\Users\aa\AppData\Local\Google\Chrome\Application\chrome.exe | Install Hook | C:\Windows\system32\dwmapi.dll
2011-03-14 07:09:40 | C:\Windows\System32\taskhost.exe | Modify File | C:\Windows\ServiceProfiles\LocalService
2011-03-14 07:10:00 | C:\Windows\System32\taskhost.exe | Modify File | C:\Windows\ServiceProfiles\LocalService
2011-03-14 07:11:28 | C:\Users\aa\AppData\Local\Google\Chrome\APPLIC~1\chrome.exe | Sandboxed As Partially Limited
2011-03-14 07:11:44 | C:\Users\aa\AppData\Local\Google\Chrome\APPLIC~1\chrome.exe | Sandboxed As Partially Limited
2011-03-14 07:38:18 | C:\Windows\System32\notepad.exe | Direct Keyboard Access | C:\Windows\system32\NOTEPAD.EXE
2011-03-14 07:49:17 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify Key | HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 07:51:17 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify File | C:\Windows\system32\catroot
2011-03-14 07:51:19 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify Key | HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 07:53:17 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Modify File | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenserviceclientlock.dat
2011-03-14 07:53:20 | C:\Users\aa\AppData\Local\Google\Chrome\APPLIC~1\chrome.exe | Sandboxed As Partially Limited
2011-03-14 07:53:26 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | Modify File | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenserviceclientlock.dat
2011-03-14 07:53:28 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify File | C:\Windows\System32\CatRoot2\dberr.txt
2011-03-14 07:53:37 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify File | C:\Windows\system32\catroot
2011-03-14 07:53:42 | C:\Users\aa\AppData\Local\Google\Chrome\APPLIC~1\chrome.exe | Sandboxed As Partially Limited
2011-03-14 07:55:32 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify Key | HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 07:55:57 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify Key | HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 07:56:06 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify File | C:\Windows\system32\catroot
2011-03-14 08:00:01 | C:\Windows\System32\wsqmcons.exe | Create Process | C:\Windows\System32\schtasks.exe
2011-03-14 08:00:21 | C:\Windows\System32\wsqmcons.exe | Modify File | C:\Windows\system32\LogFiles\SQM
2011-03-14 08:00:25 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify Key | HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:00:25 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify File | C:\Windows\system32\catroot
2011-03-14 08:00:34 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify Key | HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:00:34 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify File | C:\Windows\system32\catroot
2011-03-14 08:00:40 | C:\Windows\System32\wsqmcons.exe | Modify File | C:\Windows\system32\LogFiles\SQM
2011-03-14 08:01:12 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify Key | HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:01:12 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify File | C:\Windows\system32\catroot
2011-03-14 08:01:44 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify Key | HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:01:44 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify File | C:\Windows\system32\catroot
2011-03-14 08:07:23 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify Key | HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:07:23 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify File | C:\Windows\system32\catroot
2011-03-14 08:07:39 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify Key | HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:07:39 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify File | C:\Windows\system32\catroot
2011-03-14 08:08:31 | C:\Users\aa\Desktop\tcp\Tcpview.exe | DNS/RPC Client Access
2011-03-14 08:08:59 | C:\Users\aa\Desktop\tcp\Tcpview.exe | DNS/RPC Client Access
2011-03-14 08:08:59 | C:\Users\aa\Desktop\tcp\Tcpview.exe | DNS/RPC Client Access
2011-03-14 08:10:05 | C:\Users\aa\Desktop\tcp\Tcpview.exe | Access Memory | C:\Windows\explorer.exe
2011-03-14 08:10:16 | C:\Users\aa\Desktop\tcp\Tcpview.exe | Direct Keyboard Access
2011-03-14 08:10:16 | C:\Users\aa\Desktop\tcp\Tcpview.exe | Access Memory | C:\Windows\explorer.exe
2011-03-14 08:10:19 | C:\Windows\System32\notepad.exe | Direct Keyboard Access | C:\Windows\system32\NOTEPAD.EXE
2011-03-14 08:10:55 | C:\Windows\System32\taskhost.exe | Modify File | C:\Windows\ServiceProfiles\LocalService
2011-03-14 08:11:10 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify Key | HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:11:10 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify File | C:\Windows\system32\catroot
2011-03-14 08:11:30 | C:\Program Files (x86)\Mozilla Firefox\firefox.exe | Direct Keyboard Access
2011-03-14 08:11:34 | C:\Windows\System32\taskhost.exe | Modify File | C:\Windows\ServiceProfiles\LocalService
2011-03-14 08:11:34 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify Key | HKLM\SYSTEM\ControlSet001\services\EventLog
2011-03-14 08:11:34 | C:\Program Files\Windows Media Player\wmpnetwk.exe | Modify File | C:\Windows\system32\catroot
2011-03-14 08:11:59 | C:\Users\aa\Desktop\tcp\Tcpview.exe | DNS/RPC Client Access
2011-03-14 08:12:12 | C:\Users\aa\Desktop\tcp\Tcpview.exe | DNS/RPC Client Access
2011-03-14 08:12:12 | C:\Users\aa\Desktop\tcp\Tcpview.exe | DNS/RPC Client Access
2011-03-14 08:12:21 | C:\Users\aa\Desktop\tcp\Tcpview.exe | Access Memory | C:\Windows\explorer.exe
2011-03-14 08:12:21 | C:\Users\aa\Desktop\tcp\Tcpview.exe | DNS/RPC Client Access
2011-03-14 08:12:27 | C:\Users\aa\Desktop\tcp\Tcpview.exe | Direct Keyboard Access
2011-03-14 08:12:27 | C:\Users\aa\Desktop\tcp\Tcpview.exe | DNS/RPC Client Access
2011-03-14 08:12:27 | C:\Users\aa\Desktop\tcp\Tcpview.exe | Access Memory | C:\Windows\explorer.exe
2011-03-14 08:12:27 | C:\Users\aa\Desktop\tcp\Tcpview.exe | DNS/RPC Client Access
2011-03-14 08:12:27 | C:\Users\aa\Desktop\tcp\Tcpview.exe | DNS/RPC Client Access
2011-03-14 08:12:43 | C:\Windows\System32\notepad.exe | Direct Keyboard Access | C:\Windows\system32\NOTEPAD.EXE
2011-03-14 08:12:49 | C:\Users\aa\Desktop\tcp\Tcpview.exe | DNS/RPC Client Access
2011-03-14 08:35:41 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Modify File | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenserviceclientlock.dat
2011-03-14 08:36:48 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | Modify File | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenserviceclientlock.dat
2011-03-14 08:36:56 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Modify File | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenserviceclientlock.dat
2011-03-14 08:37:30 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | Modify File | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenserviceclientlock.dat
March 14th, 2011 7:34pm
You need to be using a NAT router with stateful packet inspection between your Windows hosts and the Internet. Disable remote administration as was said and don't port forward to your internal LAN hosts.
Wipe HDDs using a tool like PDWipe. Reinstall Windows. Patch Windows. Install MS Security Essentials (or other preferred anti-x like NOD32). Install the latest versions of Adobe software (and check for updates regularly). Stay away from malicious websites, use NoScript, AdBlock, etc.
The odds of someone rooting your machine if you do all of that are very slim.
Use other third-party tools such as Malwarebytes or WinMHR to periodically scan your hosts for malicious software.
If you want to go the extra mile, invest in something like a Cisco ASA 5505 firewall, which can do application layer inspection.
Matt W. CCNP, CCDA, CCNA-S, RHCT, MCSE, MCSA, MCP+I, A+
March 14th, 2011 7:50pm
Hello mattjw916,
I understand all of it and thank you for the advice, but how can I do this:
"don't port forward to your internal LAN hosts"
Thank you
March 14th, 2011 7:57pm
Assuming you are using PAT to translate an internal private address to a public internet-routable IP address, the only way external hosts could directly connect from the outside to the inside is if you were using port forwarding. That is, if your inside local_ip was 192.168.0.1 and your outside global_ip was 55.100.61.4, in order for an external host to reach your inside host to, for example, RDP to it using TCP 3389, you would have to set up port forwarding rules so that incoming connections to 55.100.61.4 port 3389 would be translated and forwarded to 192.168.0.1 port 3389. If you don't configure port forwarding, external hosts cannot directly reach your inside hosts with traffic sourced from the outside.
Matt W. CCNP, CCDA, CCNA-S, RHCT, MCSE, MCSA, MCP+I, A+
March 14th, 2011 8:09pm
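The PAT behaviour mattjw916 describes, as an added example that is not part of the post: a minimal symmetric NAT/PAT table in Python. An outbound packet from 192.168.0.1 gets a port on 55.100.61.4 and a state entry keyed on the peer it was sent to; an inbound packet is translated only if it answers that flow from that same peer, or if it matches a configured port-forward, and is otherwise dropped. That second check is the "stateful" part: knowing the mapped port is not enough if you are not the peer. The class and method names, the web server 198.51.100.10 and the outside host 203.0.113.7 (both documentation addresses) are assumptions.

```python
"""Added example: a minimal symmetric NAT/PAT table showing why inbound
traffic from the Internet is dropped unless it answers an outbound flow
or matches a port-forward rule. Not code from the post; the class and
method names, 198.51.100.10 and 203.0.113.7 are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# state entry: (inside_ip, inside_port, peer_ip, peer_port)
State = Tuple[str, int, str, int]


@dataclass
class PatRouter:
    global_ip: str                      # the outside, routable address
    next_port: int = 1024               # next global port to hand out
    # (proto, global_port) -> state entry for the flow using that port
    state: Dict[Tuple[str, int], State] = field(default_factory=dict)
    # (proto, inside_ip, inside_port, peer_ip, peer_port) -> global_port
    by_flow: Dict[Tuple[str, str, int, str, int], int] = field(default_factory=dict)
    # static forwards: (proto, global_port) -> (inside_ip, inside_port)
    forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def add_port_forward(self, proto: str, global_port: int,
                         inside_ip: str, inside_port: int) -> None:
        """Static rule: anything to global_ip:global_port goes to inside_ip:inside_port."""
        self.forwards[(proto, global_port)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: allocate a global port per (inside socket, peer)
        and remember the flow so the peer's replies can be translated back."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.by_flow:
            gp = self.next_port
            self.next_port += 1
            self.by_flow[flow] = gp
            self.state[(pkt.proto, gp)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.global_ip, self.by_flow[flow], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Returns the translated packet, or None = dropped."""
        if pkt.dst_ip != self.global_ip:
            return None                                   # not addressed to us
        entry = self.state.get((pkt.proto, pkt.dst_port))
        if entry is not None:
            in_ip, in_port, peer_ip, peer_port = entry
            if (pkt.src_ip, pkt.src_port) == (peer_ip, peer_port):
                return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.proto)
            return None      # right port, wrong peer: the stateful check fails
        fwd = self.forwards.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None          # unsolicited and no forward rule: dropped


if __name__ == "__main__":
    r = PatRouter("55.100.61.4")
    print(r.outbound(Packet("192.168.0.1", 49200, "198.51.100.10", 80)))
    print(r.inbound(Packet("198.51.100.10", 80, "55.100.61.4", 1024)))
    print(r.inbound(Packet("203.0.113.7", 50000, "55.100.61.4", 3389)))   # None
    r.add_port_forward("tcp", 3389, "192.168.0.1", 3389)
    print(r.inbound(Packet("203.0.113.7", 50000, "55.100.61.4", 3389)))   # forwarded
```

The last two lines of the usage are the whole point of "don't port forward": the same packet to 55.100.61.4:3389 is dropped until a forward rule exists, and once it exists every host on the Internet can reach 192.168.0.1:3389 through it. Real routers also expire state entries after a timeout and may add UPnP-created forwards without being asked, which is why disabling UPnP and reviewing the forward list on the router belongs on the same checklist as disabling remote administration.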
Thank you guys, I will try my best and keep you updated. :) Have a nice day
March 14th, 2011 8:22pm