Removed it and it came back. Turned off system restore and re-scanned with Malwarebytes and some 20 files were infected (log attached).
Removed the drive from the computer and slaved it to another drive in a different computer. Rescanned with Malwarebytes and found four files with a Rootkit.Agent virus. Files quarantined and removed.
C:\WINDOWS\Temp\4DW4R3176e2b (Rootkit.Agent) -> quarantined and deleted successfully.
C:\WINDOWS\Temp\4DW4R32e540b (Rootkit.Agent) -> quarantined and deleted successfully.
C:\WINDOWS\Temp\4DW4R34539dc (Rootkit.Agent) -> quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\4DW4R3sv.dat (Rootkit.Agent) -> quarantined and deleted successfully.
Scanned again and nothing turned up so I thought we were clean.
I then tried Superantispyware as a precaution on the same slaved drive the next morning, and Superantispyware found four infected files (Rootkit.Agent/Gen-4DW4R3). Infection removed.
Scanned again and found some typical trash Adaware stuff.
Purchased Malwarebytes so I could get the IP blocking feature, and since then we have had a tremendous number of blocked IP reports from Malwarebytes. Now I know there is such a thing as false positives, but this is happening when there is no open Internet connection running at the time, and I am guessing (hopefully incorrectly) that something inside the computer is trying to reach out to the sites. Tried running TCPView and Process Explorer to see what was running at the time of the report of the blocked IPs. One is coming from the UK (220.127.116.11, 18.104.22.168) and some are from a hosting company in New Jersey (22.214.171.124).
I have run DDS and GMER and am attaching both logs.
I have also used the Kaspersky ZBot killer (unhookexec) and the F-Secure BlackLight rootkit eliminator.
Is there still something going on, meaning it's time to wipe the drive and start over, or have we gotten rid of the issue and Malwarebytes is blocking something innocuous?