Jump to content

Possible rootkit infection

Recommended Posts

My machine seems to be affected by a "rootkit" virus.

I'm attaching the DDS files, along with some MalwareBytes logs.

I'm not a virus expert, but am a software engineer.

MalwareBytes just shows "Trojan.FakeAlert". Don't know if that identifies the virus or not.

Here are some other clues:

- Running MalwareBytes in Safe Mode With Networking doesn't remove the virus.

- I did see "nouwetsoft" labelled on some of the trash executables.

- The virus is trying to make network connections. But MalwareBytes reports it is blocking it.

I'll attach some of the MalwareBytes logs.

- If you run SysInternals procmon.exe, the virus stops trying to make network connections. Until procmon is closed.

- MalwareBytes identifies/removes the registry/files. But the virus adds more back.

- Procmon showed the virus trying to add items back to my registry. However, it was always using the

names of various applications. It did this even if I reinstalled the application. Which makes me think

it's a rogue device driver intead of an EXE. I no longer see registry changes to the RunOnce key.

- At one point, I seemed to have removed it. However, it appeared later.





mbam-log-2011-10-25 (20-32-28).txt

mbam-log-2011-10-25 (20-31-20).txt

Link to post
Share on other sites

Update: I ran the GMER's catchme.exe tool, and got the following:

detected NTDLL code modification:

ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error

Link to post
Share on other sites

  • 2 weeks later...
  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.