Solved BEST strategy or software to prevent any remote users whatsoever from penetrating my systems.


stretchyrm

Member
OS
windows 11 pro
Hi, title says it.
The reason I ask is I have been dealing with an intruder on my network and devices for 8 months. They have been using WMIC/CIMv2 as TrustedInstaller and have literally taken over everything. I have bricked my PCs multiple times trying to get rid of them, and I have finally managed to remove them 3 or 4 times now, but they return. They sometimes have me working in Windows PE in some sort of HV or VM, and I live in Immersive Control Panel world. They show me what they want; I just take the system apart until something actually works, lol. For a while I was attacking regedit, and it turned out it was a remote registry anyway, so nothing I did made any difference at all. Probably fun for them to watch me try, though. It is also related to MDM and the WBEM repository. I think they are monitoring with Edge WebView, as it is one of the programs I cannot remove.
I have learned a hell of a lot of things, but somehow they return. Even after a clean install, there are so many migration files that I cannot eliminate them all, so they persist. I have gone through it with this, and now that I have a general idea of what to delete to shake them, I'm wondering what I can implement once I know they are off the network, for the temporary time I do get before they bust their way back in.
I have had a good experience with the Tweaking.com AIO tool; I like the pace and efficiency it demonstrates, but it isn't permanent. I have used FRST also, not sure if that flies around here, but I can get a log if someone is interested. BUT I NEED A FAILSAFE way to stop this insanity; it's ruined a large part of my personal life.

Edit: they are also in all of my other devices, including my S23 Ultra. Once my OS was bricked I would use my S23 to download Windows ISOs; unfortunately they would mod them before install, and AD, CIMv2 and WBEM were all stapled into my install before I could even get it out of my USB-C port. Much of this is controlled by automated tasks, including the ISO/MCT tampering.

Thank you!!
 
Windows Build/Version
23H2, but sometimes they revert me to 22H2

My Computers

System One System Two

  • OS
    windows 11 pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 5050 SFF
    CPU
    Intel i7 6500
    Memory
    32gb
    Monitor(s) Displays
    samsung 24" LF24, Phillips 24" 240BW
    Hard Drives
    2TB WD, 2TB Seagate, 1TB WD, 500GB WD
    Internet Speed
    1.1gbps
    Browser
    Chrome or Edge Chromium
    Antivirus
    Norton 360
  • Operating System
    Surface Pro 7
    Computer type
    Laptop
    Manufacturer/Model
    Microsoft
    CPU
    Intel i7 6500
    Memory
    8gb ram
    Monitor(s) Displays
    12.3" 4096 touch point display
    Hard Drives
    512gb, 500gb WD
    PSU
    102W Surface Charger
    Mouse
    Surface Slim pen, MS bluetooth 3600 mouse
    Keyboard
    Microsoft Type Cover
Welcome to the forum. Sorry it has to be under such dire conditions. You won't like my suggestion, but here it is anyway. It seems this infection is at the router level.

1. You are going to have to disconnect ALL devices from your network and work forward, connecting and cleaning one device at a time. This goes for any mobile device you connect to your network as well.

2. Routers are cheap. I would chunk that router and purchase a new one, as an intruder could have affected the firmware of that router. Set up the new router, making sure you change its administrative login from the default. Make sure the password is difficult.

3. I would ask your internet provider to change your IP address, if at all possible. It may not be.

4. Take one device at a time. Delete all partitions and clean install Windows offline. Do not connect the device to the router.
See step 16 of this tutorial for how to do that: Clean Install Windows 11 Tutorial

5. Once Windows is installed, you can connect that device to the new network.

6. DO NOT put any of your files onto your computer OR connect any external drive that might be infected. You have no way of knowing which of your files can trigger the infection again. If you want to use any drive that might be infected, low-level format that drive using one of the infected computers while it is offline.
Sorry, but your files cannot be trusted, and I would strongly suggest you make no effort to recover them.


Do this for each device. Save nothing.
Similar thread here: BAD BAD BAD Ransomware and keylogger!!!!
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 22631.3447
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 +256gb ssd+512 gb usb m.2 sata
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
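An added example, not from glasskuter's post or from anyone else in the thread: a read-only PowerShell audit to run on the machine from step 4 while it is still offline, before step 5 connects it to the new router. It checks the installer ISO against its published SHA-256 (the opening post says the ISOs were being modified) and then lists the persistence points the opening post names: WMI/CIMv2 permanent event subscriptions, scheduled task actions, Remote Registry, WinRM and the inbound remote-management firewall rules. The ISO path and the hash placeholder are assumptions; paste the SHA-256 from Microsoft's download page into $ExpectedIsoHash. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Read-only audit for a freshly installed,
# still-offline Windows machine, run from an elevated PowerShell prompt.
# Assumptions: the ISO path and the placeholder hash below; replace the hash with
# the SHA-256 published on Microsoft's download page for that ISO.

$IsoPath         = 'D:\Win11_23H2.iso'            # assumed location of the ISO
$ExpectedIsoHash = 'PASTE-PUBLISHED-SHA256-HERE'  # placeholder, not a real hash

function Test-IsoHash {
    # Returns $true only if the file exists and its SHA-256 matches the published one.
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return ($actual -ieq $Expected)
}

function Get-WmiPersistence {
    # Permanent WMI event subscriptions live in root/subscription and run as SYSTEM
    # across reboots. A default install carries one built-in binding
    # ("SCM Event Log Filter" -> NTEventLogEventConsumer); anything else needs an owner.
    $ns = 'root/subscription'
    [pscustomobject]@{
        Filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
        Consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
        Bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)
    }
}

function Get-UnsignedTaskActions {
    # Enabled scheduled tasks whose executable is missing or lacks a valid
    # Authenticode (embedded or catalog) signature. Inbox Microsoft tasks should
    # all come back 'Valid'; anything else is worth reading the Args of.
    foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not [IO.Path]::IsPathRooted($exe)) {
                $cmd = Get-Command -Name $exe -ErrorAction SilentlyContinue
                if ($cmd) { $exe = $cmd.Source }
            }
            $status = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'Missing' }
            if ("$status" -ne 'Valid') {
                [pscustomobject]@{
                    Task   = "$($task.TaskPath)$($task.TaskName)"
                    Exe    = $exe
                    Args   = $action.Arguments
                    Status = "$status"
                }
            }
        }
    }
}

function Get-RemoteAdminExposure {
    # Services and inbound firewall rule groups that let another host manage this one
    # (Remote Registry, WinRM, WMI, remote task/service/event log management).
    $services = Get-Service -Name RemoteRegistry, WinRM -ErrorAction SilentlyContinue |
                Select-Object Name, Status, StartType
    $groups = 'Windows Management Instrumentation (WMI)',
              'Windows Remote Management',
              'Remote Event Log Management',
              'Remote Scheduled Tasks Management',
              'Remote Service Management'
    $rules = Get-NetFirewallRule -DisplayGroup $groups -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
             Select-Object DisplayName, Profile, Action
    [pscustomobject]@{ Services = $services; OpenInboundRules = @($rules) }
}

# ---- report ----
"ISO hash matches the published value: $(Test-IsoHash -Path $IsoPath -Expected $ExpectedIsoHash)"
$wmi = Get-WmiPersistence
"WMI subscriptions: $($wmi.Filters.Count) filters, $($wmi.Consumers.Count) consumers, $($wmi.Bindings.Count) bindings"
$wmi.Bindings | Format-List Filter, Consumer
"Scheduled task actions without a valid Authenticode signature:"
Get-UnsignedTaskActions | Format-Table -AutoSize
$exposure = Get-RemoteAdminExposure
"Remote administration services:"
$exposure.Services | Format-Table -AutoSize
"Enabled inbound remote-management firewall rules ($($exposure.OpenInboundRules.Count)):"
$exposure.OpenInboundRules | Format-Table -AutoSize
"Members of the local Administrators group:"
Get-LocalGroupMember -Name Administrators -ErrorAction SilentlyContinue | Format-Table Name, PrincipalSource -AutoSize
```

Save the output from each freshly installed machine and compare them: two clean installs of the same build should show the same WMI bindings, the same signed inbox tasks, Remote Registry and WinRM stopped, and only the one account you created in the Administrators group. A difference between two offline installs from the same verified ISO is the thing to chase, not anything found after the machine has been on the network.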
Sorry to hear this...
BUT are you certain it is not Microsoft or Google who is your network intruder??? (JK)

Strange stuff has been happening lately with their OS or apps.
 

My Computer

System One

  • OS
    W11
    Computer type
    PC/Desktop
    Manufacturer/Model
    me
    CPU
    9900
    Motherboard
    Z390
    Memory
    64GB
    Graphics Card(s)
    2080TI X
    Monitor(s) Displays
    TCL 4K
    Screen Resolution
    4K
    Hard Drives
    970 EVO NVMe M.2 SSD 1TB
    PSU
    Corsair
    Case
    Fractal Design
    Keyboard
    MS
    Mouse
    MS
    Internet Speed
    1000 Mbps
    Browser
    Chrome
    Antivirus
    PC Matic
…uhh what the 🤐 did you install just before all this started happening?
 

My Computer

System One

  • OS
    Windows 11 Pro
Have you tried using a VPN to stop/prevent them from tracking you? If your IP address is hidden, they won't know if you are online.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 3900X
    Motherboard
    MSI MPG Gaming Edge Wifi (X570)
    Memory
    32GB Adata XPG DDR4
    Graphics Card(s)
    ASUS GTX 1070 8GB ROG
    Monitor(s) Displays
    LG Ultrawide 34"
    Screen Resolution
    3440x1440
    Hard Drives
    Main Boot Drive : 512GB Adata XPG RGB Gen3x4 NVMe M.2 SSD
    PSU
    EVGA 600 Watts Gold
    Case
    Deepcool Genome II
    Cooling
    Deepcool Fryzen
    Internet Speed
    1Gbps
    Browser
    Chrome
    Antivirus
    "Moderna"
  • Operating System
    Windows 11 Pro
    Computer type
    PC/Desktop
    CPU
    i7-4790K
    Motherboard
    ASRock Xtreme6 Z97
    Memory
    16GB Corsair Vengeance Pro
    Graphics card(s)
    MSI R9 290
    Monitor(s) Displays
    LG Ultrawide 34"
    Screen Resolution
    3440x1440
    Hard Drives
    Samsung M.2
    PSU
    Thermaltake 475 Watts 80 Bronze
    Case
    Thermaltake Commander I Snow Edition
    Cooling
    Deep Cool Archer Air Cooler
    Mouse
    Logitech G402
    Keyboard
    Armageddon MKA-5R RGB-Hornet
    Internet Speed
    1Gbps
    Browser
    Chrome
    Antivirus
    Moderna :)
Post 2 that @glasskuter made is a good point. That is the way to go.

I will add some to that post :-)

This is an example of how important firewalls are, not Windows' crappy default that is half wide open.
1st rule of a home computer in a basic network with Wi-Fi: block all traffic, both inbound as well as outbound, as the default. Then start to open outbound rules for the web browser and other apps you are using. Opening for inbound should only be if you are using shared folders and that kind of stuff.
The router: that one often has a built-in firewall that is kind of half decent for home usage. If it is an ISP router, then it most likely has remote management. That is bad from a security point of view, as it can be exploited.
Also updates: when was the router firmware last updated? Always have the latest update.

Routers can get infected; often they are infected for botnet usage, not for this kind of attack, even if it does happen some rare times.
Pull the power cable, then reset the router and let it be disconnected for half an hour. Many kinds of malware will disappear that way; some won't, so re-flashing the router might be necessary.

You might have IoT devices that are infected.
If you have Wi-Fi, that can be hacked.

So: clean installs offline, install a 3rd-party firewall on the computer and activate it for both inbound and outbound traffic.
Monitor the network. Many routers have logs; Windows Resource Monitor has a network tab for seeing traffic from and to the computer.
Then you also have Wireshark.

If you have an old desktop lying around with two network cards (or, if only one, get an extra network card), you can install pfSense and use that one as router and firewall, and also for network monitoring, intrusion detection, etc. That will be 10 times more secure than any home consumer router out there. A router flashed with OpenWrt is as good as pfSense or OPNsense. I think pfSense is the best of these three, but that is my opinion. :wink:

I am the one that always lets the infected computer stay on for a while extra (I disconnect data drives etc.) so I can track the attackers. :devilish:

I often suggest to people that they install Wireshark on their systems and learn the basics of how to run the program. As the program writes all traffic data to a file, you can always get help analyzing the data afterwards if you don't want to take the time to learn how to do it.

I did a fast look for CVEs that could match this, but I did not find any unpatched ones. It might be I missed something, as I spent a whole extreme 2 minutes looking. *lol*



That will be my two cents to this thread.
Good luck :-)
 

My Computers

System One System Two

  • OS
    Linux: Debian and Kali-Linux.. Windows 2xWin8.1, 2x7Pro, 1x2008R2.... Soon:server2022
    Manufacturer/Model
    AsusX53, Aspire E1-572. AsusUX32A, HP Pro3130mt+3010mt, HP Proliant ML150G3, 3xCustom-PC, i3, i5, i7
    CPU
    i3, i5 and i7 From 2gen to 9th gen... Server dual Xenon
    Hard Drives
    Sata, SAS
  • Operating System
    Retro:1x2003server.2xXPpro, 1xWin2000, 2xWin98SE, 1xWin95, 1xWin3.11, 2xMS-DOS
    Manufacturer/Model
    Commodore, AST, Fujitsu, Compaq, etc etc. etc
    CPU
    Oldest intel 8088 up to P4 dual core
    Hard Drives
    MFM, IDE, SCSI
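An added example, not from the post above or from anyone in the thread: the "block everything, then open what you need" rule turned into an actual policy with PowerShell. The post recommends a third-party firewall; this shows the same default-deny policy on the built-in Windows Defender Firewall, which can already do it, and finishes with a small reader for the firewall's drop log so the "monitor the network" step has something concrete to look at. The browser path is an assumption; adjust it to what is installed. Run it from an elevated prompt at the console, not over RDP, because the first command also cuts off remote sessions.

```powershell
# Added example (not from the thread). Turns the "block everything, then open
# what you need" rule into a Windows Defender Firewall policy with PowerShell.
# Run from an elevated prompt at the console, not over RDP: the first command
# also cuts off remote sessions. Assumption: the browser path below.

$Browser = 'C:\Program Files\Google\Chrome\Application\chrome.exe'   # assumed path

# 1. Default-deny inbound AND outbound on all three profiles, log what is dropped.
#    The built-in "Core Networking" rules (DHCP, ICMPv6, etc.) stay enabled, so the
#    machine still gets an address from the router.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogAllowed False `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Disable the inbound rule groups that let another host manage this one
#    (Remote Registry, WMI, WinRM, remote tasks/services/event log, RDP, SMB).
$RemoteAdminGroups = 'Windows Management Instrumentation (WMI)',
                     'Windows Remote Management',
                     'Remote Event Log Management',
                     'Remote Scheduled Tasks Management',
                     'Remote Service Management',
                     'Remote Desktop',
                     'File and Printer Sharing'
Get-NetFirewallRule -DisplayGroup $RemoteAdminGroups -Direction Inbound -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Stop and disable the listeners those rules front, so nothing answers even if
#    a rule is re-enabled later.
foreach ($svc in 'RemoteRegistry', 'WinRM') {
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc -StartupType Disabled
}

# 4. Outbound allow-list. Each entry is one program (and, for svchost, one service)
#    to one port set; everything else outbound is now dropped and logged.
$Svchost = '%SystemRoot%\System32\svchost.exe'
$Allow = @(
    @{ Name = 'Allow DNS (UDP)';        Program = $Svchost; Service = 'Dnscache'; Protocol = 'UDP'; RemotePort = @('53') }
    @{ Name = 'Allow DNS (TCP)';        Program = $Svchost; Service = 'Dnscache'; Protocol = 'TCP'; RemotePort = @('53') }
    @{ Name = 'Allow NTP';              Program = $Svchost; Service = 'W32Time';  Protocol = 'UDP'; RemotePort = @('123') }
    @{ Name = 'Allow Windows Update';   Program = $Svchost; Service = 'wuauserv'; Protocol = 'TCP'; RemotePort = @('80','443') }
    @{ Name = 'Allow Delivery Optim.';  Program = $Svchost; Service = 'DoSvc';    Protocol = 'TCP'; RemotePort = @('80','443') }
    @{ Name = 'Allow BITS';             Program = $Svchost; Service = 'BITS';     Protocol = 'TCP'; RemotePort = @('80','443') }
    @{ Name = 'Allow Browser (HTTPS)';  Program = $Browser; Service = 'Any';      Protocol = 'TCP'; RemotePort = @('443') }
)
foreach ($r in $Allow) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow -Profile Any `
        -Program $r.Program -Service $r.Service -Protocol $r.Protocol -RemotePort $r.RemotePort | Out-Null
}

# 5. Read back the log: top remote endpoints this machine tried to reach and was
#    refused. Anything here that is not a program you just ran is a lead, and the
#    same attempts are what Resource Monitor or Wireshark would show.
function Get-DroppedOutbound {
    param([string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
    # Log line layout (from the file's #Fields header): date time action protocol
    # src-ip dst-ip src-port dst-port ... path, where path is SEND for outbound.
    Get-Content -LiteralPath $LogPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^#' } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Count -ge 9 -and $f[2] -eq 'DROP' -and $f[-1] -eq 'SEND') {
                [pscustomobject]@{ Proto = $f[3]; Remote = $f[5]; Port = $f[7] }
            }
        } |
        Group-Object Proto, Remote, Port | Sort-Object Count -Descending |
        Select-Object Count, Name -First 20
}

Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction -AutoSize
Get-DroppedOutbound | Format-Table -AutoSize
```

Expect things to break the first day: every application that is not on the allow-list will fail to connect, and its destination shows up in Get-DroppedOutbound. Add a rule for it only once you know which program asked and why. Keep the allow-list to specific programs and ports; a rule that allows svchost.exe to any port on any service would give back most of what the default-deny took away.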
As a rule of thumb, the following is what I do:
  • Configure the router from a stand-alone system using a crossover cable
  • Change the default IP
  • Extremely strong admin & Wi-Fi password
  • SSID must not be the router make/model or ISP name
  • Make a Standard User for day-to-day tasks
Back in the early 2000s Software Restriction Policy was available for Domain – unsure if it still exists and could be implemented without a Domain
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    Various
Omg, I have been living exactly as described above since about September 2023. All my PCs, laptop x2 and desktop, have been a nightmare. Clean installation: can't count how many times.
My fixed and removable drives have re-mapped themselves to other paths/targets, and WDF has all these inbound rules as the default and no open sec policy settings.
There are sec groups showing up: Account Unknown, "Administrator" and "Administrators", Interactive, and (my favorite) "Everyone."
I am an administrator but never get "permission" to do things I should be able to. Always have to allow Windows to "allow" me or it doesn't get done.
All sorts of processes/services running, and usually a bunch will stop once I move from one screen to the next in Task Manager.
No authentication required, come on in. (Somehow "I" used 1100GB in August 2023. Normal is 350-400. That's when it all started...
I liked the advice about starting with all in/out blocked.
Idk if that link will work
 

My Computer

System One

  • OS
    win11
    Computer type
    PC/Desktop
    Manufacturer/Model
    MSI
I'm finding .ini files hidden all over my PCs.
 

My Computer

System One

  • OS
    win11
    Computer type
    PC/Desktop
    Manufacturer/Model
    MSI