# I can't stop a hacker accessing my laptop & router?



## Trabolgan (Mar 28, 2011)

I have a serious security problem I am unable to prevent. I have tried to read and learn from the forums, but I think at this stage I am well out of my depth.

Please help me take back control of my laptop and router.


I thought my basic computer knowledge was OK, but it seems not, so please, if anyone can help, try to explain as simply as possible, as I'm struggling. Thank you.

Several months ago someone started accessing my laptop while I was working on it
(it felt like driving my car and someone had taken over by remote control!).
At first they were copying/deleting/modifying files, then changing all the passwords and 'ownership rights', and leaving me with a locked laptop with a picture of a locked safe on the screen. They also keep changing my router settings and passwords etc. and internet accounts etc.
So I've been through the motions: spoke to my ISP, had the laptops formatted (highest level format), all new passwords and a new router. All this done... and they were back in my system within half an hour of me switching on.
Things have got seriously worse since. Somehow (I don't know how) everything I do online, or any file I write/save offline, they have copies of. Basically they have more control over my laptop and my internet connection than I do.
I have the full Norton security suite, Windows 7, and have been online with Norton to configure the settings etc.
I have formatted and reinstalled 4 times on this laptop now, 3 new routers, all passwords set up from a different location. I don't use wireless, only the LAN plug in the router. I have enabled MAC filtering and run hundreds of scans to find nothing. I have also tried many different firewalls.
When I press Ctrl+Alt+Del, there are a lot of processes running; anything I can shut down/delete is back again soon, that is providing I have authorisation to access some files.

I know who the 2 guys are that are doing it; both work for British Telecom, one as a network engineer and the other in telephone line installation. I know this from the messages typed across my screen while trying to work, and from my files they printed out and stuck to my home front door (I live in a block; they live directly above).
Been to the ISP (Sky), been to the police and the Citizens Advice. No one can do anything...

Any help would be gratefully received, or any advice of somewhere I can take it to be looked at. Thank you.

Just to add, I tried to use my other laptops, a Toshiba / Windows Vista. I don't know how this is even possible, but one evening they turned the system into an NT networks O/S (???) and I don't have permission to use it...

Today I have formatted all drives and reinstalled Windows, but if I go into admin manager to view drives, the Win7 Vaio shows C: drive + recovery drive + an unnamed drive and a hidden drive;
the Toshiba with Vista has 6 drives?? Both computers only have 1 x 500GB HD in each.

Norton say the hackers have all my broadband phone line information / IPs so can access my laptop, so I buy a dongle and go wireless, and it still doesn't work... These guys seem very clever at covering their tracks and leaving no tangible evidence for the police or ISP to work with.
I think the possibilities are endless: either my laptop is forwarding all information to a remote address which he may then access, or there is network software or malware within the recovery drive?
THANK YOU,


----------



## lunarlander (Sep 22, 2007)

As you probably know, the only sure way to recover from a hacking incident is a reformat and reinstall of Windows.

Here are some things to do when you reinstall Windows again next time.
1. Unplug from the internet when you are reinstalling Windows.
2. Stay offline and apply Windows 7 Service Pack 1. (This requires you to manually download the service pack beforehand.)
3. Follow the instructions in this thread to lock down the system (print it out):
http://forums.techguy.org/general-security/829647-locking-down-windows.html
4. After locking down the system, attach the ethernet cable and immediately do Windows Update. Don't surf the internet before all patches are applied, because IE still has security bugs before patching.
5. Next, reinstall your programs and restore your documents. Take care not to reinstall anything you have gotten through P2P or BitTorrent, as programs from there tend to have backdoors and viruses.

The way hackers get in is through network-facing components/programs. The main idea of the lock down is to disable most of these and leave you with a minimal functioning system that still allows you to surf. It is a security concept called least privilege. Windows has many networking features, and not all of them are necessary.


----------



## lunarlander (Sep 22, 2007)

There is a current unresolved problem with IE, as described by MS. Go to this MS site and apply the Fix It.
http://support.microsoft.com/kb/2501696
Do this step immediately after doing Windows Update.


----------



## lunarlander (Sep 22, 2007)

A lot of hacking attacks target the browser, as that is the main program people use to connect to the internet. And a very large percentage of people use Internet Explorer, so you get a lot of exploits written for it.

To mitigate the problem, most people use alternative browsers like Firefox, Chrome, or Opera. Security holes are discovered in those browsers too, once in a while. But security problems discovered are usually fixed in a week or so.

Here's an article which talks about enhancing Firefox to use Protected Mode. Protected Mode is an integrity level marker attached to a program. When a program runs at low integrity, Vista and Windows 7 prevent that program from modifying Windows system files and the system registry, because the system is set to medium integrity. Low cannot modify Medium. Marking a program as low integrity designates it as untrusted, because it is subject to frequent attacks. The article below explains how to mark Firefox as a low-integrity application, and explains what other folders need to be marked as low in order for Firefox to operate. It also contains the link to the utility chml.
http://www.victorc.org/2008/03/internet-explorer-7-protected-mode-vs.html
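The labelling described above, as an added example that is not from the linked article or from chml: it uses the built-in `icacls` tool to put Firefox and the profile folders it must write to at Low integrity, then reads the label back. The install and profile paths are assumptions for a default Firefox setup.

```powershell
# Added example (not from the linked article): mark Firefox as a low-integrity
# process with Windows' own icacls instead of chml. Run from an elevated
# PowerShell prompt on Vista / Windows 7. The paths are assumptions.
$firefoxExe  = 'C:\Program Files\Mozilla Firefox\firefox.exe'
$profileDirs = @(
    "$env:APPDATA\Mozilla\Firefox",       # roaming profile: bookmarks, settings
    "$env:LOCALAPPDATA\Mozilla\Firefox"   # local profile data: cache
)

# A process inherits the integrity level of the executable it is started from.
# At Low it cannot write to medium-integrity objects (system files, the registry
# hives), which is exactly the "Low cannot modify Medium" containment above.
icacls $firefoxExe /setintegritylevel Low

# A low-integrity Firefox still has to write its own profile, so those folders
# (and everything created under them: (OI)(CI) = object/container inherit) are
# lowered as well. Everything else stays Medium and is read-only to the browser.
foreach ($dir in $profileDirs) {
    if (Test-Path $dir) {
        icacls $dir /setintegritylevel '(OI)(CI)Low'
    }
}

# Verify: a correctly labelled file lists "Mandatory Label\Low Mandatory Level:(NW)".
# (NW) is "no write up", the rule that stops Low writing to Medium.
icacls $firefoxExe | Select-String 'Mandatory Level'
```

Anything Firefox must write outside its profile (for example a downloads folder) needs the same `(OI)(CI)Low` label, which is the "other folders" point the article makes; leaving a folder at Medium simply means a low-integrity Firefox gets an access-denied error there.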


----------



## Elvandil (Aug 1, 2003)

The drives you mention are normal ones. One must be your CD-ROM.

If all that you have said is true and accurate, I believe that someone has had physical access to the machine. They may be coming in and adding a server.


----------



## Trabolgan (Mar 28, 2011)

Thank you for the advice, I will follow these instructions.
I keep formatting and reinstalling Windows, but I am only ever able to format C: from the boot recovery disk, as the laptops came pre-installed. How can I (or should I) go about formatting the whole disk (and the multiple partitions as well) and then doing a fresh install?

Is it worth me buying a new hard drive & Windows 7 disk and then performing the 'lock down + update'?

Is Norton the best package for me to be using? Is it possible to run another, more powerful firewall instead or alongside?
Cheers.


----------



## Trabolgan (Mar 28, 2011)

Elvandil, hi. I have checked and double-checked these extra drives; they are definitely not my CD drive, as I can see this and its designated letter.
One of the internet security companies I contacted had also said something in regards to a server.
And yes, people have had access to the machine (strangely enough, when this all started I had just returned from holiday).


----------



## Trabolgan (Mar 28, 2011)

Elvandil said:


> The drives you mention are normal ones. One must be your CD-ROM.
> 
> If all that you have said is true and accurate, I believe that someone has had physical access to the machine. They may be coming in and adding a server.


Computer Manager > Disk Manager shows 4 drives:
1) C: NTFS 10gb
2) System Reserved: NTFS 455gb
3) an unnamed NTFS 10gb
4) E: RAW (primary partition)
Disk 0 shows 3 partitions
Disk 1 says D:
Disk 2 says F:
CD-ROM 0 says "0 online"


----------



## lunarlander (Sep 22, 2007)

Why do you want to buy a new hard drive? If you need more space, then that's a good reason. But security-wise, there is no need to.

Buying Windows 7 Professional gives you Local Security Policy. With Local Security Policy, you can do a more thorough lock down. If you buy Windows 7 Ultimate, you additionally gain Whole Disk Encryption; this will stop attacks like booting a Linux CD, bypassing Windows, and copying off your files, and it is the best way to secure a laptop. (If the laptop is stolen, or if someone has physical access to the laptop, they cannot get at the data.)

In my opinion, Norton protection is absolutely no match against hackers. Norton products are often bundled with new computers, and every hacker knows how to bypass them because they encounter them so often.

That said, there isn't much protection software against hacking. Antivirus programs are made to counter viruses, and products like MalwareBytes target malware; both types of attack are mass distributed. Whereas hacking is often a one-of-a-kind event, with the attackers choosing and executing various attack tools to gain the ultimate admin/system level access on your computer. There is a class of software called Host Intrusion Detection, like Comodo's Firewall with Defence+ and ThreatFire, which monitors activity on a system for 'suspicious' behavior, but they don't tell you what they monitor for, and I don't know their effectiveness. I use ThreatFire. The media often talk about having a good firewall to stop hackers. But in my opinion, any brand of firewall is just as good, since the latest innovation in firewalls is stateful packet inspection, which is many years old. Windows 7's firewall is pretty good; just be sure to turn on outbound blocking. (One thing about the lock down: to activate Windows, you have to turn off outbound blocking for a second, because I haven't figured out which program does the actual activation in order to make a rule to allow it outbound.)
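The outbound-blocking setup lunarlander recommends, as an added example that is not from the post: it switches the Windows 7 firewall to block-by-default in both directions with `netsh advfirewall`, turns on the dropped-packet log so a refused program can be identified from the log rather than guessed, and adds per-program allow rules. The program paths and rule names are assumptions.

```powershell
# Added example (not from the thread): default-deny outbound on the Windows 7
# firewall, plus a short allow list. Run from an elevated PowerShell prompt.
# "--%" hands the rest of each line to netsh verbatim, so the quoting below is
# netsh's own and %SystemRoot% is expanded like in cmd.

# Every profile: drop unsolicited inbound AND any outbound connection that no
# rule explicitly allows. This is the "outbound blocking" switch.
netsh.exe --% advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Log dropped connections. When something stops working after this change
# (lunarlander's Windows activation case), the log names the executable that
# was refused, which is what you need to write a precise allow rule for it.
netsh.exe --% advfirewall set allprofiles logging droppedconnections enable
netsh.exe --% advfirewall set allprofiles logging filename "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log"

# Allow rules, one per program. Keep this list short: each entry is a program
# that can reach the internet no matter what else is running on the box.
# Browser (path is an assumption for a default install):
netsh.exe --% advfirewall firewall add rule name="AllowOut-Firefox" dir=out action=allow enable=yes program="C:\Program Files\Mozilla Firefox\firefox.exe"
# Windows Update runs inside svchost.exe; scoping the rule to the wuauserv
# service keeps every other service hosted by svchost.exe blocked.
netsh.exe --% advfirewall firewall add rule name="AllowOut-WindowsUpdate" dir=out action=allow enable=yes program="%SystemRoot%\system32\svchost.exe" service=wuauserv

# Read back the policy and the outbound rules to confirm they took effect.
netsh.exe --% advfirewall show allprofiles
netsh.exe --% advfirewall firewall show rule name=all dir=out
```

When a program is blocked, look for `DROP` lines in `pfirewall.log` for its remote port and then add a rule for that executable only; that replaces the "turn blocking off for a second" workaround with a rule you can leave in place.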


----------



## jiml8 (Jul 3, 2005)

Your best solution is to shoot the intruders, since you know who and where they are.

They must be getting physical access to the machine to continually re-infect it. Either that, or you have some wide open vector that you are not aware of. Are you turning the wireless radio on your new routers off when you put them in service?


----------



## Trabolgan (Mar 28, 2011)

LUNARLANDER, thank you for the attention, and for the simplified instructions. I understood it all!!
And JIML8, best idea yet... I have the wireless settings turned off permanently now on laptop and router. I only ever turn the router on when I plug it into the laptop to go online.
I do always keep the machines isolated when installing/setting up, and make the necessary installs via disk too.

I asked about buying a new HD because I can't find a way of formatting the entire drive including all the hidden / unnamed / recovery / 0: / C: drives, and then doing a fresh install,
as I don't know if somewhere on the HD is infected that I haven't been able to format, OR he keeps reinfecting it.
Definitely being targeted: so many safe/secure formats/reinstalls, even set up a complete new system with new router, new laptop, new cables, new software, excellent passwords (all set up somewhere else), brought it home &
it didn't last the evening (just to prove a point, or just because he could?). A real pain in the a*s*.

Is it normal for you to be able to log into your router by the IP address from the ISP (Sky) and by the IP address I display on ip look u?

Can anyone recommend a company I can use, to either prevent this, or find evidence on my machine so I can take legal steps?


----------



## Trabolgan (Mar 28, 2011)

Another thing: every time I save a file in 'My Documents' (for example), as I click save the title changes to a mixture of symbols like $%&*.


----------



## jiml8 (Jul 3, 2005)

> Is it normal for you to be able to log into your router by the IP address from the ISP (sky) and by the IP address i display on ip look u


That is an option that can be set in the router. You certainly should disable that option.


----------



## jumbo 1 (Aug 26, 2008)

lunarlander said:


> As you probably know, the only sure way to recover from a hacking incident is a reformat and reinstall of Windows.
> 
> Here are somethings to do when you reinstall Windows again next time.
> 1. unplug from the internet when you are reinstalling Windows.
> ...


Hi Lunarlander,

Is all this relevant to Windows 7 Ultimate 64-bit?

Cheers,

Jumbo 1


----------



## lunarlander (Sep 22, 2007)

Hi Jumbo 1,

Now that I think back (that thread was written long ago), the above lock down steps were mainly written for Vista and tested on Windows 7 RC. Some items will have changed in the shipping version of Windows 7. If you cannot find an item mentioned in the lock down steps, then skip it.


----------



## lunarlander (Sep 22, 2007)

Hi Trabolgan, Jumbo 1.

You know what, forget about the linked lock down instructions. The more I try to remember, the more I think it was not meant for Windows 7. I will start a new thread about locking down Windows 7 in the near future.


----------



## Elvandil (Aug 1, 2003)

You need to move to a more secure apartment. Or get better locks.


----------



## jumbo 1 (Aug 26, 2008)

lunarlander said:


> Hi Trabolgan, Jumbo 1.
> 
> You know what, forget about the linked lock down instructions. The more I try to remember, the more I think it was not meant for Windows 7. I will start a new thread about locking down Windows 7 in the near future.


Hi Lunarlander,
Many thanks for this. I look forward to the info in your Windows 7 thread that you are thinking of starting up.

Regards,

Jumbo 1.


----------



## marine81 (Mar 2, 2011)

Trabolgan said:


> I have a serious security problem I am unable to prevent, I have tried to read and learn from the forums but I think now at this stage i am well out of my depth.
> 
> Please Help Me take back control of my lasptop and router.
> 
> ...


*<content removed by moderator. Do not ask members to PM you & don't try to get round the rules by asking for a PM to do it > *


----------



## bp936 (Oct 13, 2003)

Your problem sounds terrible. Moving or getting more locks is what I would also do.
Do not laugh, but I am on dial-up, and it is easy to see when something is being sent when you do nothing.
As soon as I see something strange happening, I pull the phone line out of the computer.

I would buy a Toshiba, since it has a side switch to stop the internet immediately. I would set up everything (and follow all instructions regarding updates) at some other place unknown to your hackers. If you can use dial-up for a while and not have any LAN set up yet, they will get tired of the slow connection.
Also, they might just have something like corrupting your MBR that cannot be fixed as far as I know, no matter how often you format.
Also, any programs of your own that you re-install, do it only after you have a new, updated Windows. I use Kaspersky; I had a lot of problems with Norton. Use WinPatrol, which tells you when something wants to change, and scan your own disks before installing.

I know it is costly and a lot of work; we have all had those problems, but yours are recurring and sound terrible.
I would also change my IP provider for a while and change all my email addresses and names.


----------



## aka Brett (Nov 25, 2008)

Lots of good advice in the thread. I have some additional advice as well.
During the next reformat, do it elsewhere: friends, coffee shop, what have you. Get that machine fully patched with updates at an alternate location; patch it until there are no patches left. Then
call your ISP and get a new IP address. If the problem happens again, I would think you have a rootkit that can live through a reformat; not common, but the technology has existed for some time now.

Also burn a copy of Ubuntu and boot it as a live CD. Use this when you want to be in "stealth", such as changing passwords to emails etc. or posting on forums for help.


----------



## Stoner (Oct 26, 2002)

I'm also following this thread out of interest.

Hi Brett 


> Also burn a copy of Ubuntu...boot it as a live cd...use this when you want to be in "stealth" such as changing passwords to emails etc...posting on forums for help.


I'm not so sure that's 100% secure, if a rootkit is already installed in the BIOS or any of the hardware firmware.
Anyone know for sure?


----------



## aka Brett (Nov 25, 2008)

Stoner said:


> I'm also following this thread out of interest.
> 
> Hi Brett
> 
> ...


May not be 100 percent, but most malware etc. is meant to run on Windows, so if a rootkit is still present it won't find Windows to do its work; the rootkit will have to interact with the OS. A live CD can't be written to, so it should be pretty safe. This should add another level of protection anyway, in case.


----------



## Stoner (Oct 26, 2002)

aka Brett said:


> May not be 100 percent...but most malware etc is meant to run on windows..so if a rootkit is still present it wont find windows to do its work...the rootkit will have to interact with the OS..a live cd cant be written to so it should be pretty safe..this should add to another level of protection anyway in case


I understand that a rootkit can't be written to a live CD that's already been made...
But if it's already written to the BIOS or the firmware in another piece of hardware, it's booting up as an independent OS before Windows, or whatever OS is installed or being booted.

A lot of interesting links in this Google search: rootkit + stealth OS
http://www.google.com/search?sclient=psy&hl=en&site=&source=hp&q=rootkit+stealth+OS&btnG=Search


----------



## aka Brett (Nov 25, 2008)

Stoner said:


> I understand that a rootkit can't be written to a Live CD that's already been made...
> But if it's already written to the bios or the firmware in another piece of hardware, it's booting up as an independent OS before Windows, or whatever OS is installed or being booted.
> 
> A lot of interesting links in this Google search ...rootkit+ stealth OS
> http://www.google.com/search?sclient=psy&hl=en&site=&source=hp&q=rootkit+stealth+OS&btnG=Search


I read several articles and still can't come up with anything concrete as to whether a rootkit on hardware will need an OS to become useful.
The closest I got was here {about half way down the page}:



> the Computrace/LoJack for Laptops product is laptop tracking software that periodically phones home to Absolute Software's server to both announce its location and to check to see if the machine has been reported stolen.[12][13] _LoJack_ comes preinstalled in the BIOSes of, at least, Lenovo, HP, Dell, Fujitsu, Panasonic, Toshiba, and Asus machines.[_citation needed_] It is disabled by default and can be enabled by purchasing a license for _Computrace_; upon being enabled, the BIOS will copy a downloader named rpcnetp.exe from the BIOS flash ROM to %WINDIR%\System32 (which usually resolves to C:\WINDOWS\System32) which will in turn download the actual agent rpcnet.exe and install it as a windows service. Recently[_when?_], Dell, Lenovo, Panasonic and Fujitsu appear to have discontinued this method and require manual installation.[_citation needed_] Once enabled, _Computrace_ cannot be disabled or deinstalled without assistance from _Absolute Software_, not even by reformatting or substituting the hard disk, because the BIOS keeps reinstalling or repairing it prior to loading the operating system. From then on, rpcn


http://en.wikipedia.org/wiki/LoJack#LoJack_for_Laptops

It does rely on the OS and installs to the OS. I don't know if that applies to all, or if it will install to Linux distros.

I still think BIOS and firmware infections are pretty rare, and MBR rootkit infections are picking up {and will live through a reformat}, but can be killed with the fix MBR command. Hopefully someone will chime in that has more knowledge than I on these rootkits.
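A full-disk wipe, as an added example that is not from the thread: it answers both Trabolgan's question about formatting the whole disk including the hidden, recovery and unnamed partitions, and aka Brett's point that an MBR rootkit survives a reformat of C: alone. It drives `diskpart` from PowerShell with `clean all`, which zeroes every sector of the disk (partition table, MBR boot code and all partitions), rather than `clean`, which only clears the partitioning information. The target disk number is an assumption; the suspect disk is assumed to be attached to a working machine as a secondary drive.

```powershell
# Added example (not from the thread): zero an entire disk with diskpart so the
# next Windows install starts from a truly blank drive. Run from an elevated
# PowerShell prompt. The same diskpart lines can be typed at the cmd prompt a
# Windows 7 install DVD opens with Shift+F10 (bootrec /fixmbr lives there too).
# DISK NUMBER IS AN ASSUMPTION: confirm it against "list disk" before running.
$targetDisk = 1   # disk 0 is normally the disk Windows booted from

# Step 1: show every disk diskpart can see. diskpart reads commands from stdin,
# so piping a line into it is equivalent to typing it at the DISKPART> prompt.
"list disk" | diskpart

# Step 2: the wipe script. 'clean' alone rewrites only the partition table / MBR
# sector; 'clean all' zeroes every sector, including hidden and recovery
# partitions and any boot code an MBR rootkit left behind. This is destructive
# and unrecoverable, which is the point for a disk you no longer trust.
$wipeScript = @"
select disk $targetDisk
clean all
"@
$scriptPath = Join-Path $env:TEMP 'wipe-disk.txt'
$wipeScript | Out-File -FilePath $scriptPath -Encoding ascii
diskpart /s $scriptPath

# Step 3: verify. A wiped disk reports no partitions at all; if any partition
# is still listed, the clean did not run against the disk you intended.
"select disk $targetDisk`nlist partition" | diskpart
```

This clears everything on the disk platters, but nothing on the motherboard: the BIOS and other device firmware that Stoner raises are separate storage, and a wipe of the hard disk says nothing about them.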


----------



## Stoner (Oct 26, 2002)

aka Brett said:


> ................
> 
> I still think bios and firmware infections are pretty rare..and mbr rootkit infections are picking up {and will live through a reformat}..but can be killed with the fix mbr command...hopefully someone will chime in that has ,more knowledge than I on these rootkits


When reading a thread like this one, it makes for something uncommon to think about.


----------



## dvk01 (Dec 14, 2002)

If you have formatted the computer & bought & installed a new router & they are still getting in, then the only thing is they must either have a hardware keylogger on your computer or they have physical access to your premises to gain access to the computer.

This is a job for the police, & in the UK they do deal with this & do have to deal with it.

It is beyond the capabilities of any further advice on a forum. Go to your local police station and ask to see the Crime Support Officer for your area;
he can then refer it to the computer crimes division at Scotland Yard.

To avoid any further misunderstandings in this topic, it is now closed.


----------



## Elvandil (Aug 1, 2003)

Rootkits, by definition, require the operating system to deploy. They do their deeds by taking control of the kernel. So one written for Windows could not work on a Linux kernel.


----------

