Possible rootkit infection

Trend Micro Worry Free Business v18 on Windows 7 Pro SP1 x64.
BSOD BugCheck 1A, {41790, fffffa80028d42a0, ffff, 0}
Probably caused by : VSApiNt.sys ( VSApiNt+1d68db )

Malwarebytes (not active) scan: all are removed and in quarantine. Multiple detections in the week leading up to the BSOD.
     Trojan.Miuref.THD
     Rootkit.Fileless.MTGen

I have scanned for Poweliks using the Symantec removal tool. Not found.
I have scanned with RogueKiller, JRT, TDSS Killer, and MS Safety Scanner.
RogueKiller and aswMBR both detected a possible rootkit (IRP_MJ_CREATE).
Other issues have been occurring recently with mapped drives and offline sync.

aswMBR scan:
aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
Run date: 2015-09-12 15:01:51
-----------------------------
15:01:51.549    OS Version: Windows x64 6.1.7601 Service Pack 1
15:01:51.549    Number of processors: 4 586 0x3A09
15:02:00.413    Initialize success
15:02:00.773    VM: initialized successfully
15:02:01.160    VM: Intel CPU supported
15:02:19.885    VM: disk I/O iaStorA.sys
15:05:35.579    AVAST engine defs: 15091100
15:06:35.352    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000006d
15:06:35.354    Disk 0 Vendor: ST500DM0 KC47 Size: 476940MB BusType: 11
15:06:35.390    Disk 0 MBR read successfully
15:06:35.393    Disk 0 MBR scan
15:06:35.399    Disk 0 Windows VISTA default MBR code
15:06:35.401    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
15:06:35.413    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        19014 MB offset 81920
15:06:35.422    Disk 0 Boot: NTFS     code=1
15:06:35.441    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       457885 MB offset 39022592
15:06:35.462    Disk 0 scanning C:\Windows\system32\drivers
15:07:12.106    Service scanning
15:07:32.641    Service TmFilter C:\Program Files (x86)\Trend Micro\Security Agent\TmXPFlt.sys **LOCKED** 32
15:07:32.828    Service TmPreFilter C:\Program Files (x86)\Trend Micro\Security Agent\TmPreFlt.sys **LOCKED** 32
15:07:35.121    Service VSApiNt C:\Program Files (x86)\Trend Micro\Security Agent\VSApiNt.sys **LOCKED** 32
15:07:38.303    Modules scanning
15:07:38.303    Disk 0 trace - called modules:
15:07:38.318    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorF.sys >>UNKNOWN [0xfffffa80037952c0]<<sptd.sys storport.sys hal.dll iaStorA.sys
15:07:38.318    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80069fb060]
15:07:38.318    3 CLASSPNP.SYS[fffff88001c5a43f] -> nt!IofCallDriver -> [0xfffffa8006887980]
15:07:38.318    5 iaStorF.sys[fffff88001deeab0] -> nt!IofCallDriver -> \Device\0000006d[0xfffffa800363a9c0]
15:07:38.318    \Driver\iaStorA[0xfffffa800418eb60] -> IRP_MJ_CREATE -> 0xfffffa80037952c0
15:07:43.279    AVAST engine scan C:\
18:28:59.805    Disk 0 statistics 30864433/0/0 @ 2.37 MB/s
18:28:59.821    Scan finished successfully
Asked by Jason Johanknecht (IT Manager)
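Reading the aswMBR trace in the post above, two things stand out. The IRP_MJ_CREATE dispatch target (0xfffffa80037952c0) is the very address the module walk marks >>UNKNOWN<<, and it sits in the fffffa80 region that the log uses for device and driver objects (pool memory), not in the fffff880 region where the named code pointers for CLASSPNP.SYS and iaStorF.sys live. In other words, CREATE requests to the storage stack are being dispatched through code that is not inside any loaded driver image. The named driver that code hands control to is sptd.sys. The Python script below is an added example, not part of the original thread or of aswMBR: it parses that trace block (copied verbatim as the constructed sample input) and applies those two checks. The region test compares only the high 32 bits of each address and is a heuristic for the Win7 x64 layout seen in this log, not a general rule.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "Disk 0 trace - called modules" block from the aswMBR log
# above, copied verbatim including the per-line timestamps aswMBR prints.
SAMPLE_TRACE = """\
15:07:38.318    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorF.sys >>UNKNOWN [0xfffffa80037952c0]<<sptd.sys storport.sys hal.dll iaStorA.sys
15:07:38.318    1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0xfffffa80069fb060]
15:07:38.318    3 CLASSPNP.SYS[fffff88001c5a43f] -> nt!IofCallDriver -> [0xfffffa8006887980]
15:07:38.318    5 iaStorF.sys[fffff88001deeab0] -> nt!IofCallDriver -> \\Device\\0000006d[0xfffffa800363a9c0]
15:07:38.318    \\Driver\\iaStorA[0xfffffa800418eb60] -> IRP_MJ_CREATE -> 0xfffffa80037952c0
"""

TIMESTAMP_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# "<module>[<16 hex digits>] -> nt!IofCallDriver": a code address inside a named image
CODEPTR_RE = re.compile(r"([A-Za-z0-9_.]+)\[(?:0x)?([0-9a-fA-F]{16})\] -> nt!IofCallDriver")
# "\Device\...[addr]" / "\Driver\...[addr]": DEVICE_OBJECT / DRIVER_OBJECT addresses (pool)
OBJPTR_RE = re.compile(r"\\(?:Device|Driver)\\[^\[\s]+\[(?:0x)?([0-9a-fA-F]{16})\]")
# "\Driver\X[addr] -> IRP_MJ_Y -> target": the dispatch routine aswMBR found in the table
HOOK_RE = re.compile(r"(\\Driver\\[^\[\s]+)\[[0-9a-fA-Fx]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")


@dataclass
class TraceReport:
    chain: list = field(default_factory=list)      # call chain; "UNKNOWN" where aswMBR could not name a module
    unknown: list = field(default_factory=list)    # addresses aswMBR could not attribute to any loaded image
    code_ptrs: dict = field(default_factory=dict)  # module name -> code address inside that image
    obj_ptrs: list = field(default_factory=list)   # device/driver object addresses (pool, never code)
    hooks: list = field(default_factory=list)      # (driver object, IRP major function, dispatch target)


def parse_aswmbr_trace(text):
    """Parse the 'Disk 0 trace' block of an aswMBR log into a TraceReport."""
    rep = TraceReport()
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw).strip()
        if not line:
            continue
        if line.startswith("ntoskrnl.exe"):          # the module call-chain line
            for addr in UNKNOWN_RE.findall(line):
                rep.unknown.append(int(addr, 16))
            rep.chain = UNKNOWN_RE.sub(" UNKNOWN ", line).split()
            continue
        for name, addr in CODEPTR_RE.findall(line):
            rep.code_ptrs[name] = int(addr, 16)
        for addr in OBJPTR_RE.findall(line):
            rep.obj_ptrs.append(int(addr, 16))
        for drv, mj, target in HOOK_RE.findall(line):
            rep.hooks.append((drv, mj, int(target, 16)))
    return rep


def region(addr):
    """High 32 bits of a kernel address. Heuristic only: in this log driver code is at
    fffff880'xxxxxxxx and device/driver objects (pool) at fffffa80'xxxxxxxx."""
    return addr >> 32


def unknown_neighbours(rep):
    """(previous, next) named module around each UNKNOWN entry in the call chain;
    'next' is the driver the unattributed code hands control to."""
    out = []
    for i, tok in enumerate(rep.chain):
        if tok == "UNKNOWN":
            prev = rep.chain[i - 1] if i > 0 else None
            nxt = rep.chain[i + 1] if i + 1 < len(rep.chain) else None
            out.append((prev, nxt))
    return out


def assess_hooks(rep):
    """Flag dispatch targets that do not resolve to any named driver image."""
    code_regions = {region(a) for a in rep.code_ptrs.values()}
    obj_regions = {region(a) for a in rep.obj_ptrs}
    findings = []
    for drv, mj, target in rep.hooks:
        reasons = []
        if target in rep.unknown:
            reasons.append("target is the >>UNKNOWN<< address in the module call chain")
        if region(target) not in code_regions:
            reasons.append("target shares no address region with any named driver code pointer")
        if region(target) in obj_regions:
            reasons.append("target lies in the region used for device/driver objects (pool, not an image)")
        findings.append({"driver": drv, "major": mj, "target": f"0x{target:016x}",
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    report = parse_aswmbr_trace(SAMPLE_TRACE)
    print("call chain:", " -> ".join(report.chain))
    for prev, nxt in unknown_neighbours(report):
        print(f"unattributed code sits between {prev} and {nxt}")
    for f in assess_hooks(report):
        print(f"{f['driver']} {f['major']} -> {f['target']}: "
              f"{'SUSPICIOUS' if f['suspicious'] else 'ok'}")
        for r in f["reasons"]:
            print("   -", r)
```

Run it against the trace block of a full aswMBR log rather than the excerpt. The practitioner caveat the script cannot settle for you: sptd.sys is the SCSI pass-through driver installed by DAEMON Tools and Alcohol 120%, and it is a common cause of exactly this kind of unnamed dispatch hook in aswMBR and GMER output. If that product is installed, uninstall it, reboot and rescan before reading the finding as a rootkit; if it is not installed and the target still resolves to nothing, treat the box as compromised and rebuild from known-good media.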
Tyler Brooks (Network and Security Consultant) commented:
I would use the Kaspersky Rescue Disk as it is a great tool for removing stubborn infections.

Unfortunately the ugly truth, particularly with rootkits as far as I'm concerned, is that a rebuild is often the most reliable way to ensure that the infection is gone.
John (Business Consultant, Owner) commented:
TDSS Killer (Kaspersky) can often help. It may be included in the link above. Otherwise, if you cannot isolate it and remove it, then reinstalling Windows is best. For rootkit viruses, be sure to back up and format first before reinstalling Windows.
Jason Johanknecht (IT Manager, Author) commented:
TDSS Killer was used already, as mentioned, and still no detection. Has anyone had experience with Phase Bot? On another forum, someone hinted at that specific name.

Otherwise I will plan on the rebuild.
Tyler Brooks (Network and Security Consultant) commented:
Sorry Phase Bot isn't one I'm familiar with.
Tyler Brooks (Network and Security Consultant) commented:
Phase Bot is a malware bot; here is a link to the removal instructions if you think that this is what you have: http://www.spyware-techie.com/phase-bot-removal-guide
Jason Johanknecht (IT Manager, Author) commented:
SpyHunter did find a couple more Mindspark entries and Conduit, but no virus.
Tyler Brooks (Network and Security Consultant) commented:
At this point it seems like you have tried quite a few of the reputable rootkit tools out there. You probably need to decide whether you are confident that you had an initial false positive and there is no rootkit, or whether it's buried too deep and your only choice is a wipe and rebuild.

If this is a critical system, as I'm assuming it is, you probably should back up and do your rebuild, as it's the more secure choice (although I appreciate that that is a major headache).

Just my opinion.
Jason Johanknecht (IT Manager, Author) commented:
I agree. I have decided that if current scans produce nothing, I will be wiping it tomorrow.

Thanks for everyone's input.

Jason Johanknecht (IT Manager, Author) commented:
No actual virus has been detected to this date. Performance is fine after thorough cleanup of OS and programs. No unusual network activity, and all functions have returned to normal. Multiple programs still detect the possible rootkit infection, but Malwarebytes, which detected a fileless virus on at least 3 separate days, is no longer finding anything on a full scan. TDSS Killer, as John mentioned, is one of the first utilities I run on every computer, and he is exactly right that it would be my first recommendation also. The client has chosen to monitor the situation and not do a clean OS install.

Thanks to the contributors for all your time.