Trojan, Spyware, Rootkit or just a virus?
Posted on 2006-11-29
I have a rogue Windows XP SP2 machine.
Since 25 November I see the following behaviour of this machine, according to the Juniper firewall logs.
Once the machine is started up, within a timeframe of 10 minutes it tries to make contact with
220.127.116.11 port 35618, and tries to do so every 10 minutes.
(According to ZoneAlarm, which we installed later, it tries to connect to 18.104.22.168:DNS (53).)
So somehow this "thing" can circumvent this.
After that we see that the machine is trying to send email to some random IP addresses.
Here is what we did.
1. We did an sfc /scannow to check the system files of Windows XP.
2. Ran a complete virus scan of the machine with Kaspersky AntiVirus and AVG.
3. Did a full scan with Spybot Search & Destroy, Adware, Remover from G-Data.
4. Performed rootkit detection with Sysinternals Rootkit Detector and F-Secure BlackLight.
5. Checked the %systemfolder%\system32\driver\etc\ files for anything strange, but it is all default.
But none of them sees it.
Does anyone have good suggestions on how to proceed, without suggesting reinstalling, because I want to know what this is?
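The two symptoms described in the post, a fixed-interval outbound connection every 10 minutes and a burst of mail delivery attempts to many unrelated addresses, are exactly the patterns a defender can pull out of perimeter logs before any host-side tool has a verdict. The script below is an added example, not code from the post or from any of the products it names: it parses a constructed, simplified log format (timestamp, source, destination, destination port; not Juniper's real syslog layout), flags flows whose inter-connection gaps are regular enough to look like a beacon, and flags sources that attempt SMTP to many distinct destinations. The IP addresses and timestamps in the sample are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (simplified "date time src dst dport" lines, not a real Juniper export).
# Host 192.168.1.50 beacons to one address every ~10 minutes and sprays SMTP to several hosts;
# host 192.168.1.51 makes irregular HTTPS connections and should not be flagged.
SAMPLE_LOG = """\
2006-11-25 08:00:12 192.168.1.50 203.0.113.5 35618
2006-11-25 08:10:09 192.168.1.50 203.0.113.5 35618
2006-11-25 08:20:15 192.168.1.50 203.0.113.5 35618
2006-11-25 08:30:11 192.168.1.50 203.0.113.5 35618
2006-11-25 08:31:02 192.168.1.50 198.51.100.7 25
2006-11-25 08:31:05 192.168.1.50 198.51.100.8 25
2006-11-25 08:31:09 192.168.1.50 198.51.100.9 25
2006-11-25 08:31:14 192.168.1.50 198.51.100.10 25
2006-11-25 08:31:20 192.168.1.50 198.51.100.11 25
2006-11-25 08:40:13 192.168.1.50 203.0.113.5 35618
2006-11-25 08:05:00 192.168.1.51 203.0.113.99 443
2006-11-25 08:47:00 192.168.1.51 203.0.113.99 443
2006-11-25 09:12:00 192.168.1.51 203.0.113.99 443
2006-11-25 09:20:00 192.168.1.51 203.0.113.99 443
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, dport) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.1):
    """Return {(src, dst, dport): mean_gap_seconds} for flows whose connection gaps are regular.

    A flow is a beacon candidate when it has at least min_hits connections and the
    standard deviation of the gaps is at most max_jitter times the mean gap.
    """
    times_by_flow = defaultdict(list)
    for ts, src, dst, dport in events:
        times_by_flow[(src, dst, dport)].append(ts)

    beacons = {}
    for flow, times in times_by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[flow] = round(avg)
    return beacons


def find_mail_spray(events, min_targets=3, smtp_port=25):
    """Return {src: distinct_smtp_destinations} for sources talking SMTP to many different hosts.

    Counting distinct destinations over the whole log is deliberately simple; a production
    detector would use a time window, but the point here is the shape of the signal.
    """
    targets = defaultdict(set)
    for _, src, dst, dport in events:
        if dport == smtp_port:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def report(text):
    """Human-readable summary of both detections for a log text."""
    events = parse_log(text)
    lines = []
    for (src, dst, dport), gap in sorted(find_beacons(events).items()):
        lines.append(f"beacon: {src} -> {dst}:{dport} every ~{gap}s")
    for src, count in sorted(find_mail_spray(events).items()):
        lines.append(f"smtp spray: {src} contacted {count} distinct mail hosts")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it on a real export after mapping the firewall's own column layout into the tuple that parse_log produces; the jitter threshold is the knob to tune, since a scheduled task or an update checker also beacons regularly, so the output is a list of flows to investigate on the host (which process owns the socket), not a verdict by itself.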