looking for help please. during OEM windows setup. XML URI script being injected into root/registry

  • Question

  • Hello, I don't know what else to do and I've tried about 50 different times and different ways with no success. I cannot stop my system from being taken over administratively and forced into an enterprise server environment. Then access to various resources is restricted, along with complete monitoring of all data and usage. I think someone has either installed some sort of NUT UPD module or maybe a Broadcom WICED or similar chip, and for the most part these attacks are being done through Bluetooth somehow... This is the logfile I captured using netsh wfp capture start & stop (at most 5 mins from /start to /stop, and 2 mins after an OEM disk Windows install on fully wiped, cleaned hard drives using diskpart clean all and format /F as well, then creating a single virtual (RAID 0) volume from my 2 hard drives). This is the result logfile from wfpdiag and the capture /start /stop. These are only 2 small sections (compared to the whole); the whole logfile is 1.58 MB. All advice/help would be greatly appreciated.

    </field>
         <defaultSubLayerKey>FWPM_SUBLAYER_UNIVERSAL</defaultSubLayerKey>
         <layerId>44</layerId>
        </layer>
        <callouts numItems="4">
         <item>
          <calloutKey>FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V4</calloutKey>
          <displayData>
           <name>WFP Built-in IPsec Inbound Initiate Secure v4 Layer Callout</name>
           <description>Verifies that each incoming connection that is supposed to arrive secure arrives securely.</description>
          </displayData>
          <flags numItems="1">
           <item>FWPM_CALLOUT_FLAG_REGISTERED</item>
          </flags>
          <providerKey/>
          <providerData/>
          <applicableLayer>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</applicableLayer>
          <calloutId>13</calloutId>
         </item>
         <item>
          <calloutKey>FWPM_CALLOUT_TCP_CHIMNEY_ACCEPT_LAYER_V4</calloutKey>
          <displayData>
           <name>WFP Built-in TCP Chimney Offload ALE Receive/Accept v4 Layer Callout</name>
           <description>Enables or disables TCP Chimney Offload for each incoming connection.</description>
          </displayData>
          <flags numItems="1">
           <item>FWPM_CALLOUT_FLAG_REGISTERED</item>
          </flags>
          <providerKey/>
          <providerData/>
          <applicableLayer>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</applicableLayer>
          <calloutId>21</calloutId>
         </item>
         <item>
          <calloutKey>FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V4</calloutKey>
          <displayData>
           <name>WFP Built-in IPsec Inbound Tunnel ALE Receive/Accept v4 Layer Callout</name>
           <description>Permits IPsec tunnel mode IP-in-IP packets when they get classified at the ALE receive/accept layer.</description>
          </displayData>
          <flags numItems="1">
           <item>FWPM_CALLOUT_FLAG_REGISTERED</item>
          </flags>
          <providerKey/>
          <providerData/>
          <applicableLayer>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</applicableLayer>
          <calloutId>25</calloutId>
         </item>
         <item>
          <calloutKey>{c3dbed20-0bb6-4bf3-828d-96732e1e022c}</calloutKey>
          <displayData>
           <name>Windows Firewall: callout</name>
           <description>Allows secondary connections.</description>
          </displayData>
          <flags numItems="1">
           <item>FWPM_CALLOUT_FLAG_REGISTERED</item>
          </flags>
          <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
          <providerData/>
          <applicableLayer>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</applicableLayer>
          <calloutId>272</calloutId>
         </item>
        </callouts>
        <filters numItems="31">
         <item>
          <filterKey>{c970a45d-57f9-4e32-a5bd-886a9662641e}</filterKey>
          <displayData>
           <name>Boot Time Filter</name>
           <description>This filter is in effect before the service starts.</description>
          </displayData>
          <flags numItems="1">
           <item>FWPM_FILTER_FLAG_BOOTTIME</item>
          </flags>
          <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
          <providerData>
           <data>ffffffffffffffff</data>
           <asString>........</asString>
          </providerData>
          <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
          <subLayerKey>{b3cdd441-af90-41ba-a745-7c6008ff2301}</subLayerKey>
          <weight>
           <type>FWP_UINT64</type>
           <uint64>18446744073709551615</uint64>
          </weight>
      %2

    Monday, September 28, 2015 3:15 AM
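An added example, not part of the post or of any Microsoft tool: a small Python parser for the wfpdiag XML layout quoted above. It inventories each callout and filter in a layer and marks for review any entry whose key is not an FWPM_* built-in and whose provider is not the one the dump labels as "Windows Firewall". The sample XML is constructed in the shape of the excerpt; the second filter and its provider GUID are invented for the demonstration.

```python
import xml.etree.ElementTree as ET

# Provider key the posted dump attaches to its "Windows Firewall" entries.
WINDOWS_FIREWALL_PROVIDER = "{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}"

# Constructed sample shaped like the wfpdiag excerpt; second filter and its GUID are made up.
SAMPLE_WFP_XML = """<layer>
 <callouts numItems="1"><item>
  <calloutKey>FWPM_CALLOUT_TCP_CHIMNEY_ACCEPT_LAYER_V4</calloutKey>
  <displayData><name>WFP Built-in TCP Chimney Offload ALE Receive/Accept v4 Layer Callout</name></displayData>
  <flags numItems="1"><item>FWPM_CALLOUT_FLAG_REGISTERED</item></flags>
  <providerKey/><applicableLayer>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</applicableLayer>
 </item></callouts>
 <filters numItems="2"><item>
  <filterKey>{c970a45d-57f9-4e32-a5bd-886a9662641e}</filterKey>
  <displayData><name>Boot Time Filter</name></displayData>
  <flags numItems="1"><item>FWPM_FILTER_FLAG_BOOTTIME</item></flags>
  <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <weight><type>FWP_UINT64</type><uint64>18446744073709551615</uint64></weight>
 </item><item>
  <filterKey>{00000000-0000-0000-0000-000000000001}</filterKey>
  <displayData><name>Constructed third-party filter</name></displayData>
  <flags numItems="0"/>
  <providerKey>{11111111-2222-3333-4444-555555555555}</providerKey>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <weight><type>FWP_UINT64</type><uint64>12</uint64></weight>
 </item></filters>
</layer>"""

def inventory(xml_text):
    """One dict per callout/filter <item> in a wfpdiag <layer> element."""
    rows = []
    for item in ET.fromstring(xml_text).iter("item"):
        key = item.findtext("calloutKey") or item.findtext("filterKey")
        if key is None:  # <flags><item> entries carry no key; skip them
            continue
        provider = (item.findtext("providerKey") or "").strip()
        rows.append({
            "kind": "callout" if item.find("calloutKey") is not None else "filter",
            "key": key, "provider": provider,
            "name": item.findtext("displayData/name", default=""),
            "flags": [f.text for f in item.findall("flags/item")],
            "weight": int(item.findtext("weight/uint64") or 0),
            # FWPM_* keys and the Windows Firewall provider are stock; anything else gets a look.
            "review": not key.startswith("FWPM_") and provider != WINDOWS_FIREWALL_PROVIDER})
    return rows

def needs_review(xml_text):
    return [r["name"] for r in inventory(xml_text) if r["review"]]
```

Run it against the full `netsh wfp show state` output file rather than the two pasted sections; the boot-time filter and built-in callouts shown in the post are stock Windows entries, and this inventory helps separate those from anything a third-party provider registered.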