Possible rootkit infection

[zardozwildman]

My machine seems to be affected by a "rootkit" virus.

I'm attaching the DDS files, along with some MalwareBytes logs.

I'm not a virus expert, but am a software engineer.

MalwareBytes just shows "Trojan.FakeAlert". Don't know if that identifies the virus or not.

Here are some other clues:

- Running MalwareBytes in Safe Mode With Networking doesn't remove the virus.

- I did see "nouwetsoft" labelled on some of the trash executables.

- The virus is trying to make network connections. But MalwareBytes reports it is blocking it.

I'll attach some of the MalwareBytes logs.

- If you run SysInternals procmon.exe, the virus stops trying to make network connections. Until procmon is closed.

- MalwareBytes identifies/removes the registry/files. But the virus adds more back.

- Procmon showed the virus trying to add items back to my registry. However, it was always using the

names of various applications. It did this even if I reinstalled the application. Which makes me think

it's a rogue device driver intead of an EXE. I no longer see registry changes to the RunOnce key.

- At one point, I seemed to have removed it. However, it appeared later.

DDS.txt

Attach.txt

protection-log-2011-10-25.txt

protection-log-2011-10-26.txt

mbam-log-2011-10-25 (20-32-28).txt

mbam-log-2011-10-25 (20-31-20).txt

[zardozwildman]

Also: This virus has evaded GMER as well as MalwareBytes.

If anyone has suggestions, let me know.

Thanks,

Brice

[zardozwildman]

Update: I ran the GMER's catchme.exe tool, and got the following:

detected NTDLL code modification:

ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error

[zardozwildman]

I tried a few more tools, but no success.

Also tried sfc in verify mode, but it doesn't see any changes.

I guess I'll have to try more tools. If that doesn't work, try fixmbr.

I know I could reinstall, but would like to identify the virus incase it's a new one.

Since so many tools can't identify it.

[zardozwildman]

After trying AVG, Sophos, MalwareBytes, and GMER - looks like ComboFix actually found the culprit.

Since I never got any replies, I'll attach the quarantined files.

Incase anyone is curious. I'll keep testing, but looks like it's working much better.

Qoobox.zip

[screen317]

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them unless otherwise indicated. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt directly in your reply.

[screen317]

Are you still with us? This topic will be closed in a few days if we do not hear back from you.

[screen317]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!