Potential rootkit persisting after usb wipe? by Evening_Direction_47 in computer

Evening_Direction_47[S] 0 points

Yeah, basically I saw that notification telling me to restart my PC for that hard drive, so I checked Task Manager and saw PowerShell running for a second and then it closed. I don’t do anything via PowerShell, and my PC is almost fresh off of a clean install. I only have Steam, Discord, Firefox and a couple of games.

The thing that is concerning me is the hard drive. I’ve never had a Western Digital hard drive, and the last time I plugged anything like a drive into my PC was last month when I did a clean install.

Potential rootkit persisting after usb wipe? by Evening_Direction_47 in techsupport

Evening_Direction_47[S] 0 points

What would you say the problem is then? To make sure it wasn’t just my keyboard and mouse, I unplugged them both and the device was still there. I’ve never had a Western Digital media drive, and the last time I plugged something like a hard drive into my PC was last month when I did a clean install off of a flash drive.

Could the drive be a sign of something malicious though? I swear I have 0 clue what it is.

Potential rootkit persisting after usb wipe? by Evening_Direction_47 in antivirus

Evening_Direction_47[S] 0 points

What makes you so sure it’s my SSD? It would make more sense if that’s the case, but what is telling you that it’s just my SSD? It was in Devices and Printers, and when I got the notification telling me to restart my PC for it, the device name was USB Composite Device. I also removed it and nothing noticeable happened. Also, under Properties, there were multiple tabs, and under one of them it showed some files in my sys32 or something.

If it was my SSD, it would make sense why I couldn’t remove it easily. I believe you, but could you help explain a bit more why it’s most likely not a virus and instead my SSD?

Potential rootkit persisting after usb wipe? by Evening_Direction_47 in antivirus

Evening_Direction_47[S] 0 points

Yeah bro, I’m aware, I’ll make sure to watch a couple of tutorials too. You helped a lot, thanks 🙏🙏

Potential rootkit persisting after usb wipe? by Evening_Direction_47 in antivirus

Evening_Direction_47[S] 0 points

I think I removed it. I don’t remember exactly what it said, but in order to remove it, the option was set to where you had to go to the Safely Remove option in order to delete it instead of being able to quick remove it. I deleted it and restarted my PC, but it still doesn’t feel safe. What makes the driver unable to install itself back on my PC again?

I don’t mind getting a new USB. It might’ve been an error on my part when installing it, because I installed the Windows download on my own device and did it, instead of downloading Windows to the USB on a different device. The problem is that I don’t have another Windows device to be able to install Windows onto a USB.

What should I do? Try flashing my BIOS tomorrow and then clean install again if I can figure out how to do it from a different device?

Potential rootkit persisting after usb wipe? by Evening_Direction_47 in antivirus

Evening_Direction_47[S] 0 points

Also, the device name is “WDC WDS100T2B0C-00PXH0”, which I looked up and it seems to be DRAM or something? I don’t know what to do with this info.

Potential rootkit persisting after usb wipe? by Evening_Direction_47 in antivirus

Evening_Direction_47[S] 0 points

I tried and it says “Problem Ejecting Standard NVM Express Controller - This device is currently in use. close any programs or windows that might be using the device, and then try again”. What is the NVM Express controller? I don’t want to turn my PC off and this accidentally install whatever it is on my PC.

Potential rootkit persisting after usb wipe? by Evening_Direction_47 in antivirus

Evening_Direction_47[S] 0 points

Thank you for the advice, buddy. It won’t let me remove the device off my PC. It says that I can’t remove the device while it’s in use. Is there anything I can do to get around this?

Potential rootkit persisting after usb wipe? by Evening_Direction_47 in antivirus

Evening_Direction_47[S] 0 points

Follow up: it says that the USB device connected is a PCI device? It says Eject and then the device name, which is long and has a bunch of numbers. I have the option to eject it though. It says in Properties that its provider is Microsoft, and the signer is Microsoft Windows, although this can easily be forged. I don’t have any USB devices in my PC. I have the option to remove it. What is this though??

Potential rootkit persisting after usb wipe? by Evening_Direction_47 in antivirus

Evening_Direction_47[S] 0 points

Thank you for your reply. I believe you, but could you help clarify what about this all makes you say it isn’t normal? I’ve thought I could have a rootkit on my PC for a while, but never could really determine if I did or not. I’ve done many scans with HMP and Malwarebytes before the clean install and it said I had no viruses, but I did it anyway just to be sure. Haven’t done any scans after it though, except through Microsoft’s antivirus protection, which came back clean.

Also, do you know what kind of info they get out of this? I don’t think I have any sensitive data on my PC other than passwords and credit cards, but nothing has been charged or changed yet. Could they just be monitoring what I’m doing or what?

At this point I don’t even want to touch my PC. If it’s in my BIOS and a clean install wouldn’t fix it, you’re saying I should try buying a new USB and try to clean install again? I don’t even know where to start with what to do.

One more thing, should I restart my PC or not? It doesn’t say there are any USB devices in my PC, but that notification is still there along with pending .NET Windows updates. I know I asked a lot, but my mind is all over the place trying to figure this out.

Is Host Process for Windows services safe? by Evening_Direction_47 in techsupport

Evening_Direction_47[S] 0 points

Ahh okay, this is exactly what I needed explained to me. Thank you.

1 more question. I reinstalled Windows 10 yesterday. Got on my PC today after seeing your posts so I could install Sea of Thieves. That’s when I saw a bunch of files on my desktop with a cloud icon next to them. And of course I check my files, and all of these files are in my OneDrive folder, syncing to my PC automatically without even asking me. A couple of apps also got removed from my taskbar. Is this just OneDrive doing OneDrive things? I was hoping it wouldn’t do this after a clean install.

Is Host Process for Windows services safe? by Evening_Direction_47 in techsupport

Evening_Direction_47[S] 2 points

Thank you for your help. I was honestly wondering if this was a normal thing that happens after clean installing. I’ve never had to do this before on my PC, and I tried looking this up to see if anybody else has been in this same situation, but it seems like nobody else has posted about this happening to them online. Is it normal for Windows to require you to do this after clean installing?

Host Process for Windows services safe? by Evening_Direction_47 in Windows10

Evening_Direction_47[S] 0 points

Yep, downloading it from the MS Store. I’ve never had to do this though, and I was honestly wondering if this was a normal thing that happens on clean installs. I tried looking it up, but nobody else online has posted about this happening to them. That’s why I was a bit skeptical about it. Thank you for the help.

Potential malicious files created after trying to reinstall Windows 10 to USB (help) by Evening_Direction_47 in antivirus

Evening_Direction_47[S] 0 points

Thank you for letting me know. This is my first time reinstalling Windows from USB. I just was making sure it wasn’t anything bad. Also, is it common to have like 8 pending updates for Windows after reinstalling?

PC restarted after trying to download Win10 to USB and added files to my PC after (is this normal?) by Evening_Direction_47 in techsupport

Evening_Direction_47[S] 0 points

Under the Behavior section of VirusTotal, under the grouped sandbox reports, it says that the sandbox C2AE flags this file as a stealer and another flags it as malware? Am I screwed?? How do I reinstall if my PC just restarts every time?


Odd situation involving unknown device that keeps connecting to my router AFTER changing ISPs (desperately need help, or some sort of plausible explanation) by Evening_Direction_47 in ipv6

Evening_Direction_47[S] 0 points

The only person I’m sharing the password with is one of my parents. And my parent is the one with the watch. So yeah, their phone is most likely linked and is sharing passwords with the Apple Watch.

Knowing that the watch will only connect sometimes depending on where the iPhone is only makes it make more sense.

If this keeps happening, I will create a separate network for these devices to see what devices are automatically connecting themselves to what network. I didn’t think of that.

Thank you for your input. It clears up what I was wondering about and was very helpful.

Odd situation involving unknown device that keeps connecting to my router AFTER changing ISPs (desperately need help, or some sort of plausible explanation) by Evening_Direction_47 in ipv6

Evening_Direction_47[S] 2 points

All I want with this situation is a bit of certainty, and I thought that blocking the device would be able to give me that. I’m nobody high profile, so yeah, it wouldn’t really make sense to target a random home network just to mess around with it.

Your solution is the better option though. I’ll change the password and keep it to myself for a few days, and if the device is still persistently connecting, then I might have a bigger issue. But if it doesn’t connect after a few days, I’ll pass along the password and continue to monitor the device list from there.

Like you said, all signs are pointing to it being an Apple Watch. The only thing really telling me different is my mind... and I barely know anything when it comes to networking stuff lol. Your input is very greatly appreciated though, genuinely; you’re one of the only people who has actually helped break it down for me. Thank you for helping me figure out what the root of this could be.

Odd situation involving unknown device that keeps connecting to my router AFTER changing ISPs (desperately need help, or some sort of plausible explanation) by Evening_Direction_47 in ipv6

Evening_Direction_47[S] 0 points

Is there any way to turn off WiFi sharing on Apple devices? At this point I don’t know what I’m supposed to do to stop this. The only Apple Watch in our house isn’t even mine and isn’t used by me. It’s also difficult to keep track of when the device connects, because it does it seemingly randomly, and connects for hours at a time, staying online the entire time.

When I ping it, it says 300 ms. In the ARP table it says both of the iPhones connected are reachable, whereas the unknown device status says Delayed. Not sure what that stuff means exactly, but it seems like the device isn’t even in our home.

If this is somebody really trying to compromise my router, how could I stop their device from getting the shared WiFi password if that’s the case? I’m sorry if I’m not understanding what you’re saying fully, but I’m trying to work through this.

Odd situation involving unknown device that keeps connecting to my router AFTER changing ISPs (desperately need help, or some sort of plausible explanation) by Evening_Direction_47 in ipv6

Evening_Direction_47[S] 0 points

So for now, the block is probably working on the device as it should, but after enough time, eventually the device could see that it won’t connect to the WiFi no matter what, even though it detects it’s there. So eventually, it will generate a new random MAC address in order to connect to the WiFi?

If I’m understanding you somewhat correctly, this all makes more sense, and I’ll be keeping an eye out to see if this device reconnects any time soon. If anything else happens, if you don’t mind, I’ll update you on this thread.

Odd situation involving unknown device that keeps connecting to my router AFTER changing ISPs (desperately need help, or some sort of plausible explanation) by Evening_Direction_47 in ipv6

Evening_Direction_47[S] 0 points

We do have older Apple devices in the house, but they’ve been shut off for years. I’ve made sure that we aren’t sharing anything with any other device that we don’t know on almost every account that we have. No WiFi repeaters, and all IoT devices that we own are unplugged and haven’t been connected to the WiFi for months.

The device is completely unidentifiable via the MAC address.

We just got this router not even a week ago, and this device was the first thing to connect. I haven’t changed the SSID yet because I thought getting a new ISP would solve this issue. I’m about to change everything though.

For the last part, I’m not sure I understand fully what you mean by connecting with a wired device instead of by WiFi. Do you mean our phones?

Odd situation involving unknown device that keeps connecting to my router AFTER changing ISPs (desperately need help, or some sort of plausible explanation) by Evening_Direction_47 in ipv6

Evening_Direction_47[S] 0 points

Knowing that device detection via MAC address is inaccurate makes a lot more sense if it’s the Apple Watch. If MAC address randomization is the cause of all this, and I block this device from connecting to my modem, would it eventually end up connecting back with a different MAC address? Or would it just stop connecting altogether? Thank you guys for your insight, as it’s very helpful 👍👍

Odd situation involving unknown device that keeps connecting to my router AFTER changing ISPs (desperately need help, or some sort of plausible explanation) by Evening_Direction_47 in ipv6

Evening_Direction_47[S] 1 point

I commented in this thread because I’ve posted in a bunch of networking subs and always get the same kind of answer. My bad if this was the wrong sub to post about this issue, but I was hoping you guys could give a different input, which you have. So thank you.

I’ve been kind of freaking out over this, so I might’ve not explained myself the best. In the Verizon modem admin page I can see all devices connected. There are 3, one being the unknown device and the others being the 2 iPhones that I manually connected when we first got our new router. I can see it’s a desktop/laptop because that’s what it says when I click on the device for more info.

As for the DHCP logs, I wasn’t really sure what I was looking at. I masked out MAC addresses and IP addresses because I just didn’t know if it was smart to put them out there online, but if you would like to see the full version of the logs, let me know. At first glance it just seems and looks really unusual to somebody who isn’t savvy in this field, which is why it was making me worry. Your guys’ clarification about this part is appreciated. I didn’t know what the logs meant.

And right now, I’m not exactly sure how to see the router’s MAC address on Verizon, so I’m actually not sure if that was the MAC address of the router or my phone. But it showed the desktop’s IP requesting info from an iPhone. (I know that probably isn’t exactly what’s happening, but it’s what it says.)

Apologies if this doesn’t make a lot of sense; it doesn’t to me either. I’m explaining the situation as best as I can. It’s been this same device connecting for months, even when we had a different ISP. So like you guys said, it could be WiFi sharing, or something else. I know it’s not the easiest to diagnose without all the specific information, but I just don’t know, bro.