A Vicious Rootkit setting up a hidden domain server on all my devices


#1 Melanie1


  • Members
  • 7 posts
  • Local time:08:24 PM

Posted 23 February 2018 - 08:54 PM

I am living in the 7th ring of hell right now so please bear with me as I have limited resources.

A vicious rootkit has taken over all my computers, operating as a C&C panel. It's taken over 2 weeks before I could connect to this site.
I had to buy a new computer and log on here from a safe place.
I am running a variety of unconnected network computers with different operating systems. I first noticed something strange occurring a month ago on my main computer, running Windows 7 32-bit Ultimate 4TB, when the Google Chrome folder was spawning a host of .js files. I had just updated Google from govt.redirector.com. I noticed that the updated version looked like Chrome, but it was a reconfigured, butchered Chromecast program with malicious extensions. It loaded bits of .js code. I uploaded the files to reverse.it, I believe, which detected them as malicious, 10 out of 10 for dangerous.
I have Malwarebytes Anti-Malware, Anti-Ransomware and Anti-Exploit, Emsisoft, EMET 5.5, Windows Defender.
I took 3-4 minutes to search other programs for Java, .js scripts, and installers. It searched Android auto sync folders and a navigation installer folder that had an executive privilege installer. It downloaded a bunch of Windows cab files, installers, a win.iso image and the Java Development Kit by setting up and mounting an image file of my hard drive using Macrium Reflect backup. It was acting as a hidden server domain controller to my computer. It produces an unknown account in svchost processes, audio, explorer etc., with a SID of S-1-5-5-0.xxx on all my files, taking over control of TrustedInstaller, Task Scheduler, audio, media and ctfmon drivers. It set up a hidden proxy server and used Internet Explorer even though I had turned off Internet Explorer in Control Panel and was running Firefox with HTTPS Everywhere, uBlock, NoScript etc. It exfiltrated my entire computer system files, I believe to a third-party data broker. I always run Wireshark connected to my internet activities.
I ran every scan possible but they all came up empty, since it is scanning either an image file, my disk since it is mirroring my activities, or it controls the antimalware and antivirus scanners. It hooked and took control of EMET 5.5 by presenting it with its own certificates and hooked into the kernel in 7 places with an unknown image file at ring 3 or 0. It likes .png files, as I found a 109.png file in the Google folder. It has rooted all my Android phones!
It takes control over even unconnected devices either using pulse audio at high frequency sending out bits of code. It has created a file or program called policy convertor.
Here is the strange part. I have several unconnected laptops with different operating systems. It migrated to them. I even formatted these laptops and commenced a recovery from their recovery partition; the laptops were still infected. So it operates at a level below the security scanners. I thought it may be in the boot sector. But I can take the hard drive and battery out of the laptop and it will boot up in X: drive showing a 196G Windows drive! It will not allow me to download, install, or run any internet scans.
I thought it may be installed in the system BIOS, but a 196G drive? It loads up EMS, with which I believe you can install Windows on a laptop that has no internet connections.
There is a Windows exploit that bypasses PowerShell and ADS and installs below the security scanner level so that you never know it's there. One IT person said it could be Meltdown? It spawns other aliases. I found files traced to Trojan Powershell/Lonit.PA, WannaMin, Peasccto.A, w32/popureb.E, NircmdB.exe file, Virut etc., so more than one malware. I have part of their code, bootup log files etc. They also take control of gpedit.msc.
I don't know if it is possible to regain control of any of my computers. I don't know how these laptops can reboot into the Windows recovery console with no hard drive or battery connected and still load a compromised Windows from a remote location? I found a newly found Android data dump with a correct Mtg file on an Ubuntu HD sitting on my shelf for 2 yrs!
I cannot produce any scans as I don't want to activate these drives, but the scans from FRT, Rogue, Gmer, Kaspersky, Eset, Emsisoft, Malwarebytes, AdwCleaner, JRT etc. all are clean except from one program that disables script files and looks for worms, but quickly disabled it. I cannot run diskpart as they disabled the A key or locked me out altogether even though I am disconnected from the internet. I believe they are using terminal mode from a mounted SCSI device.


I just need to find out why, on one clean laptop with only basic Windows Home Premium, the recovery partition has malware, and why with the hard disk removed it can still load up a malware recovery partition from X: drive, 169G drive, unconnected from the internet? It may be they were using my smartphone, I don't know.


I hope you can help me on this :-)

Edited by Melanie1, 23 February 2018 - 09:06 PM.
Deleted duplicate



#2 Melanie1

  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:24 PM

Posted 28 February 2018 - 10:10 PM

It's taken a few days to log back in. Every phone or every SIM card I buy gets rooted. I bought two new laptops from a computer retailer and they got hacked with the above rootkit!! Blocking and disabling all phone service out, even locking my screen.

I talked to mtg tech support and they stated they know about the rootkit. It's Spectre. They were given the advisory in Feb but they are having difficulty applying a patch for their laptops.

This is on a brand new laptop running Windows 10.

Part of the Meltdown Spectre exploit. So instead of a recall, retailers are selling hacked computers to consumers!! Grr..

Bypasses McAfee anti-intrusion firewall; malware scans did not pick it up. May changes to hidden unknown device drivers with error code 24. Device not connected to computer, reconnect to enable. It was created on 10-13-2017 and created on the laptop on 1-12-2018. I purchased the laptop 2 days ago.

It uses unknown account SID 1-5-5-x as stated above on svchost processes. Time zone was Far East. Sets up a hidden proxy server, mounts an image file from a snapshot of the HD. Maybe malvertising botnet. Accesses all play stores.

Edited by Melanie1, 28 February 2018 - 10:28 PM.
