trenes asked:
Trojan, Spyware, Rootkit or just a virus?
I have a rogue Windows XP SP2 machine.
Since 25 November I see the following behaviour of this machine, according to the Juniper firewall logs.
Within a timeframe of 10 minutes of the machine being started up, it tries to make contact with
193.238.38.225 port 35618, and tries to do so every 10 minutes.
(According to ZoneAlarm, which we installed later, it tries to connect to 207.46.211.122:DNS (53).)
So somehow this "thing" can circumvent this.
After that we see that the machine is trying to send email to some random IP addresses.
Here is what we did.
1. We did an sfc /scannow to check the system files of Windows XP.
2. Ran a complete virus scan of the machine with Kaspersky AntiVirus and AVG.
3. Did a full scan with Spybot Search & Destroy and Adware Remover from G-Data.
4. Performed rootkit detection with Sysinternals Rootkit Detector and F-Secure BlackLight.
5. Checked the %systemfolder%\system32\drivers\etc\ files for anything strange, but it is all default.
But none of them sees it.
Has anyone some good suggestions on how to proceed, without suggesting reinstalling, because I want to know what this is?
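The two observations above (a connection to the same IP:port every 10 minutes from boot, and DNS going to an address that is not the site's resolver) are exactly what a firewall-log beacon check is meant to surface. The script below is an added example, not code from the original post or from any answer: it parses a constructed syslog-style log (the line layout and the hostnames are assumptions; real Juniper log syntax differs, so adjust LINE_RE for your device), groups outbound sessions per source/destination/port, and flags flows whose inter-connection gaps are regular, plus any port-53 traffic to a resolver you did not configure. The sample lines are constructed and reuse the asker's 193.238.38.225:35618 and 207.46.211.122:53 so the output is recognisable.

```python
"""Beacon and rogue-DNS detection over firewall log lines (added example).

Log format, host names and timestamps below are constructed for the demo;
only the two destination addresses come from the original post.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed line shape: "<ts> <fw> <msg> src=<ip> dst=<ip> proto=<p> dport=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) dst=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

# Constructed sample: one host beaconing every ~10 min, ordinary web traffic
# with irregular gaps, legitimate DNS to the site resolver, and one DNS query
# to an outside address.
SAMPLE_LOG = """\
2007-11-25 08:00:05 fw1 RT_FLOW: session created src=10.0.0.17 dst=193.238.38.225 proto=tcp dport=35618
2007-11-25 08:00:07 fw1 RT_FLOW: session created src=10.0.0.17 dst=10.0.0.1 proto=udp dport=53
2007-11-25 08:01:10 fw1 RT_FLOW: session created src=10.0.0.17 dst=64.233.183.99 proto=tcp dport=80
2007-11-25 08:03:44 fw1 RT_FLOW: session created src=10.0.0.17 dst=64.233.183.99 proto=tcp dport=80
2007-11-25 08:10:06 fw1 RT_FLOW: session created src=10.0.0.17 dst=193.238.38.225 proto=tcp dport=35618
2007-11-25 08:12:30 fw1 RT_FLOW: session created src=10.0.0.17 dst=207.46.211.122 proto=udp dport=53
2007-11-25 08:20:04 fw1 RT_FLOW: session created src=10.0.0.17 dst=193.238.38.225 proto=tcp dport=35618
2007-11-25 08:25:00 fw1 RT_FLOW: session created src=10.0.0.17 dst=10.0.0.1 proto=udp dport=53
2007-11-25 08:30:05 fw1 RT_FLOW: session created src=10.0.0.17 dst=193.238.38.225 proto=tcp dport=35618
2007-11-25 08:31:02 fw1 RT_FLOW: session created src=10.0.0.17 dst=64.233.183.99 proto=tcp dport=80
"""


def parse(lines):
    """Return (timestamp, src, dst, proto, dport) tuples; skip non-matching lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("src"), m.group("dst"),
                       m.group("proto"), int(m.group("dport"))))
    return events


def find_beacons(events, min_hits=3, max_jitter=0.2):
    """Flag flows whose gaps between sessions are nearly constant.

    jitter = population stddev of the gaps / mean gap; a timer-driven
    implant scores close to 0, human browsing scores well above 0.2.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, proto, dport in events:
        by_flow[(src, dst, proto, dport)].append(ts)

    findings = []
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            findings.append({"flow": flow, "hits": len(times),
                             "period_s": period, "jitter": round(jitter, 4)})
    return findings


def unexpected_dns(events, allowed_resolvers):
    """Return distinct port-53 flows to resolvers not in the allowed set."""
    seen = set()
    for _, src, dst, proto, dport in events:
        if dport == 53 and dst not in allowed_resolvers:
            seen.add((src, dst, proto, dport))
    return sorted(seen)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG.splitlines())
    for f in find_beacons(ev):
        print("beacon:", f)
    for d in unexpected_dns(ev, {"10.0.0.1"}):
        print("dns to non-resolver:", d)
```

Run it against the real export with `parse(open("fw.log"))` after fixing LINE_RE; the flow it flags tells you which source host and which destination to pivot on, which is the starting point for matching the connection to a process on the box (netstat -b / Process Explorer) rather than scanning for signatures.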
http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx