iStealer 5.0.4 or equivalent infection
I believe we have a rootkit installed in one of our executive PCs. Typical security tools such as procmon generate a BSOD, various security downloads get immediately corrupted, etc. In general, the system is very unstable as soon as I try to perform sysadmin tasks. From what I understand of the symptoms, this rootkit matches the new iStealer 5.0.4, but there is very little information available on this one.
The rootkit activates once the network is up and running. Indeed, we can track SYN_SENT to IP 184.108.40.206 on port 8080 (this server, located in Kiev, Ukraine, doesn't answer though).
I tested all the rootkit hunters available, without much success. Most of them don't find anything but false positives. AV can't find anything either. MD5 checks on the usual Windows system files don't show anything suspicious either. HijackThis doesn't help either, nor do any of the usual tools (SDFix, ComboFix, etc.).
I cleaned the Prefetch, DLLCache, Temp directories, etc. from within a Linux box. But still no luck!
In other words, I'm pretty stuck at that point. Any help would be very much appreciated! :-)
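The one concrete indicator in the post is the repeated SYN_SENT to 184.108.40.206:8080. The following is an added example (not from the post or any tool it names) of turning that observation into a repeatable check: it parses `netstat -an`-style output and flags every row whose foreign endpoint is on a watchlist. The netstat text embedded below is constructed for illustration, not a capture from the affected machine; the watchlist entry is the IP and port quoted in the post. Because the post says the host itself becomes unstable when tooling runs, the same parser can be fed output saved from a firewall or gateway rather than from the suspect PC.

```python
"""Flag outbound connections to a watched remote endpoint in netstat-style output."""
from __future__ import annotations

# Remote endpoint reported in the post: the host keeps sending SYNs here.
WATCHLIST = {("184.108.40.206", 8080)}

# Constructed sample in the Windows `netstat -an` layout; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49152     184.108.40.206:8080    SYN_SENT
  TCP    192.168.1.10:49153     203.0.113.5:443        ESTABLISHED
  TCP    192.168.1.10:49160     184.108.40.206:8080    SYN_SENT
  UDP    0.0.0.0:500            *:*
"""


def parse_netstat(text: str) -> list[dict]:
    """Parse TCP/UDP rows of netstat-style output; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state column
        # rpartition keeps IPv6 literals such as [::]:135 intact
        fhost, _, fport = foreign.rpartition(":")
        rows.append({
            "proto": proto,
            "local": local,
            "foreign_host": fhost,
            "foreign_port": int(fport) if fport.isdigit() else None,
            "state": state,
        })
    return rows


def find_beacons(text: str, watchlist=WATCHLIST) -> list[tuple[str, str, int, str]]:
    """Return (local, foreign_host, foreign_port, state) for rows whose foreign endpoint is watched."""
    hits = []
    for r in parse_netstat(text):
        if (r["foreign_host"], r["foreign_port"]) in watchlist:
            hits.append((r["local"], r["foreign_host"], r["foreign_port"], r["state"]))
    return hits


def count_syn_sent(text: str, watchlist=WATCHLIST) -> int:
    """Number of half-open attempts to a watched endpoint (the post's symptom: SYNs never answered)."""
    return sum(1 for h in find_beacons(text, watchlist) if h[3] == "SYN_SENT")


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_NETSTAT):
        print(hit)
    print("SYN_SENT attempts to watchlist:", count_syn_sent(SAMPLE_NETSTAT))
```

Redirect `netstat -an` to a file on the host (or pull connection logs from the gateway) and pass the text to `find_beacons`; a non-zero `count_syn_sent` after a rebuild or cleanup step tells you the beaconing behaviour is still present.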