May 21, 2021

(Major problem / Rootkit suspicion) I’ve hit a brick wall with how to identify and remove this persistent rootkit, and have become rather paranoid because of this. Running out of options, please help me.

Hello, this is my first post here.

I’m usually not one to turn to forums for help, I usually try to solve my system issues with extensive research & manual methods, however, I’ve exhausted myself and feel increasingly like this problem is now over my head and out of my league.

I submit.

**I recently had 168 of my passwords compromised, and had to spend 6 hours doing damage control with passwords and ensuring that all of my services would not be hacked into before a hacker could use the information that they stole from me.**

I will first preface this by how I believe I discovered I have a rootkit.

I will mark in lines to indicate TLDR sections for those who want to get to what I have already tried in removing this pest.


This will be a long post as I have (***admittedly in a frantic paranoid state***) poured roughly **55+ realtime hours** into figuring out how to manually remove this, and as a result I have a lot of crucial information I need to share in helping me remove this major stressor from my life, as my personal data is at constant risk.

**====================================================================================**

# TLDR SECTION / Important info Preface:

For the past year I’ve had random system stutters that come seemingly out of nowhere, which would always progress into complete OS freeze-ups within 1–3 minutes of the stuttering, that required doing a hard restart to restore PC functionality.

*I did suspect a virus initially*, but due to my GPU recently dying off (recently replaced with an older gen GPU) and my PC in general being nearly 4 years old, I ignorantly disregarded the possibility and accepted that it was just my PC dying slowly due to natural aging.


Well, roughly last month, I noticed a pattern with these progressing stutters. (*Not sure why I didn’t make this serious correlation sooner*, ***as it’s a major red flag.***)


My symptoms would begin as follows (in order):

1. **Mouse input stuttering** (Meaning that, when I would simply move my mouse from point A to point B on the screen, I would have at least 1 stutter that lasts roughly 1-2 seconds, recurring every 3-5 seconds.)
2. **System processes (*Web browsers, text documents, games, miscellaneous programs, etc.*) would systematically stop loading / stop responding altogether.** Closing processes and attempting to reopen would result in the program being called for opening in a continuous “***…Isn’t responding***” state, rendering the OS completely unusable.
3. ***Task manager refuses to open.. BIGGEST RED FLAG!*** Confused by the before mentioned behavior, I would always turn to Task Manager in an attempt to see if something was hogging my memory or anything that could be causing these shutdowns. **However..** in doing so, trying to open Task Manager while the PC was in this state, it would flare my previous symptoms up even worse, with more frequent system stuttering; programs would no longer open to begin with (when previously they would open in a state of “***…Isn’t responding***”).
4. ***CTRL+ALT+DELETE would not respond when activated, Start would not respond.*** Trying to access these panels would be met with no action. Completely frozen at this point.

All of this leads me up to now. Last week, after doing a few hours of research, I figured out how to operate eventlogger; the learning curve was a bit more than what I am used to, but I’ve now picked up how to use it more.

After a day or so of obsessively tinkering and viewing logs after system crashes I started connecting dots, identifying malicious EventIDs and doing extensive research on various system processes to grasp a better understanding of what does what in the OS and how processes can be controlled by malware and rootkits to mitigate detection.


**Here’s what ya boy found.**

I managed to find a few strange events that were recurring every 20 or so minutes.

I found a ton of warning and error events saying

‘Got connection for named pipe’ in CUMRDPListenerReverseConnectTcpUdp::OnNamedPipeConnectionCompleted at 5172 err=[0x0]

I thought this looked ridiculous, so I did a Google search and found absolutely no information on this anywhere. This got me super paranoid about the fact that my PC is likely already backdoored and has been for a while and I’m much too late.


After this discovery I began vigorously running Malwarebytes, and further digging through my Event Viewer logs and started finding more interesting events. Stumbling upon many more alarming event logs, such as:

A rule has been deleted in the Windows Defender Firewall exception list.

Deleted Rule:
Rule ID: {A0E17A81-7E27-4568-98A1-5CB45020A065}
Rule Name: windows_ie_ac_001
Modifying User: S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052
Modifying Application: C:\WINDOWS\System32\svchost.exe

and others like:

A rule has been added to the Windows Defender Firewall exception list.

Added Rule:
Rule ID: {CBAB68B7-0EAA-4A32-AAF8-3F687C1B2625}
Rule Name: @{Microsoft.AAD.BrokerPlugin_1000.19041.423.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}
Origin: Local
Active: Yes
Direction: Inbound
Profiles: Private,Domain, Public
Action: Allow
Application Path:
Service Name:
Protocol: Any
Security Options: None
Edge Traversal: None
Modifying User: S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052
Modifying Application: C:\WINDOWS\System32\svchost.exe

A rule has been deleted in the Windows Defender Firewall exception list.

Deleted Rule:
Rule ID: {5CF244A1-2B16-4100-827D-BB83B9614CDA}
Rule Name: windows_ie_ac_001
Modifying User: S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052
Modifying Application: C:\WINDOWS\System32\svchost.exe

Firewall and Windows Defender rules being both added AND deleted, without my acknowledgment.

Resetting firewall policies is futile, as when I do so and watch over Event Viewer, I would see more of these events, originating from the modifying app svchost.

Google searching to find reassurance of this being a normal system process turned up absolutely nothing, further adding to my paranoia.


**And I swear when I say this, the timing of my discovery of this possible back door is insane, because when I started googling event IDs and digging into their strings, Google informed me that 168 passwords were compromised and uploaded to a database, including information such as my IP, email address, names, and so on. All the stuff you don’t want random strangers knowing.**

# Weird timing. It’s almost like someone saw that I was figuring out that my PC was backdoored and decided to say “Screw you, I got everything I needed anyways!” and uploaded all of my personal information to a database.

This week has been absolutely miserable for me.


# **End of TLDR Section**

**====================================================================================**


Things I have done to try to identify and remove this rootkit:

- **2 complete OS wipes, wiping partitions, and reinstalling a fresh copy of Windows from DVD.**
- **Safe mode AV scans**
- **Installing nearly a dozen different trusted antivirus, antimalware, antirootkit programs, and program analyzers, including:**
  - **GMER**
  - **TDSSKiller**
  - **Standalone offline Windows sweepers (By the way, this no longer works.)**
  - **Malwarebytes, Malwarebytes Anti-Rootkit, Malwarebytes anti-adware**
  - **AdwCleaner**
  - **AVG AntiVirus FREE**
  - **Unhide by the devs over at Bleeping Computer**
  - **EventViewer**
  - **Procmon64**
  - **Autoruns**
  - **Wireshark (Still learning how to use this to monitor my network, this may be my only solution?)**
- **Both OS wipes were unsuccessful in removing the suspicious event logs; however, my PC has since not crashed once. I suspect my realtime protection is preventing this, but I worry that once my free trial with Malwarebytes expires, the malware will run rampant on my system again.**

***All, and I mean ALL of the AV and rootkit scanners turn up empty, nothing is flagged, yet all of my passwords were compromised. This is terrifying me, and I worry it’s even infected my router. I am not able to handle these types of threats.***

***I am at a brick wall now. I do not know where to go from here, but to the people of this community, I desperately need help, absolutely any lead or ideas will be gladly accepted no matter how anecdotal.***

If you took the time to read and digest my post, I am seriously grateful to you. Thank you.
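Added example, not from the original post: a small Python triage script over firewall rule-change event text like the messages quoted above. It parses each message and flags a change only when the modifying binary is not the System32 svchost.exe that hosts the firewall service, or the modifying user is not an S-1-5-80 service virtual account (the SID quoted in the post is the NT SERVICE\MpsSvc firewall service account), which is how a defender separates the service's own rule churn from a rule change made by an unexpected process; the third sample message is constructed and hypothetical.

```python
import re

# Constructed samples: the first two are the event texts quoted in the post,
# the third is a hypothetical entry with an unexpected modifying account/binary.
SAMPLE_EVENTS = [
    """A rule has been deleted in the Windows Defender Firewall exception list.
Deleted Rule:
Rule ID: {A0E17A81-7E27-4568-98A1-5CB45020A065}
Rule Name: windows_ie_ac_001
Modifying User: S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052
Modifying Application: C:\\WINDOWS\\System32\\svchost.exe""",
    """A rule has been added to the Windows Defender Firewall exception list.
Added Rule:
Rule ID: {CBAB68B7-0EAA-4A32-AAF8-3F687C1B2625}
Rule Name: @{Microsoft.AAD.BrokerPlugin_1000.19041.423.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}
Modifying User: S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052
Modifying Application: C:\\WINDOWS\\System32\\svchost.exe""",
    """A rule has been added to the Windows Defender Firewall exception list.
Added Rule:
Rule ID: {00000000-0000-0000-0000-000000000000}
Rule Name: hypothetical-allow-rule
Modifying User: S-1-5-21-1111111111-2222222222-3333333333-1001
Modifying Application: C:\\Users\\Public\\update.exe""",
]

# The firewall service runs inside this svchost.exe; S-1-5-80-* SIDs are
# NT SERVICE virtual accounts (the SID in the post is NT SERVICE\MpsSvc).
EXPECTED_APP = r"c:\windows\system32\svchost.exe"
SERVICE_SID_PREFIX = "S-1-5-80-"
FIELD_RE = re.compile(r"^(Rule ID|Rule Name|Modifying User|Modifying Application):\s*(.*)$", re.M)

def parse_event(text):
    """Turn one event message into a dict of the fields we triage on."""
    change = "added" if "has been added" in text else "deleted"
    return {"change": change, **{k: v.strip() for k, v in FIELD_RE.findall(text)}}

def triage(event):
    """Return the reasons an event deserves a second look (empty list = baseline churn)."""
    reasons = []
    app = event.get("Modifying Application", "").lower()
    user = event.get("Modifying User", "")
    if app != EXPECTED_APP:
        reasons.append(f"unexpected modifying binary: {app}")
    if not user.startswith(SERVICE_SID_PREFIX):
        reasons.append(f"rule changed by a non-service account: {user}")
    return reasons

def triage_all(texts):
    """Parse and triage every message; returns (event, reasons) pairs."""
    return [(parse_event(t), triage(parse_event(t))) for t in texts]
```

Feed it the message text exported from Event Viewer (e.g. copied from the Windows Firewall With Advanced Security/Firewall log); anything that comes back with a non-empty reason list is what to investigate further.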
