I would like to further investigate a malware infection found on one of our machines and was hoping for some advice on how best to go about doing further investigation... (if for nothing more than my own curiosity)
It was picked up by Symantec as 'Suspicious.IRCBot', living in the 'C:\WINDOWS\Temp' folder, running as the user 'SYSTEM', and listed with a long (TMP00000FC136........) file name.
How best to:
- Determine what originally caused the infection, along with a (ballpark) date of infection.
- Determine if this file is associated with a particular process or service.
- Determine the IP/hostname of the (presumably) IRC server it is attempting to communicate with (if at all).
- Any other info that could be interesting regarding the source or background of the infection.
All efforts thus far to remove the malware have failed:
Disabling system restore, booting in safe mode, disk clean-up, deleting all temp files, scanning with Malwarebytes, scanning with Symantec, scanning with MSE... (removing it is not important, I will just rebuild - but just giving background on the infection)
Side notes regarding machine:
- Windows XP Pro - domain-joined
- No important info on the machine
- Currently quarantined (disconnected) from the company network whilst investigating
Thanks in advance!
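One way to work the second and third bullets on an XP host, as an added example that is not part of the original post: capture `netstat -ano` and `tasklist /svc` on the quarantined machine and join the two outputs by PID, so each remote connection is tied to its owning image and hosted services. The Python below does that join over constructed sample output (the image name TMP_SAMPLE.exe, PIDs and addresses are made up) and flags peers on an assumed IRC port range (6660-6669, 6697, 7000).

```python
"""Join `netstat -ano` with `tasklist /svc` output by PID to show which image and
services own each remote connection. Added triage example; sample output is constructed."""
import re

# Constructed `netstat -ano` output (XP layout: Proto, Local, Foreign, State, PID).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.50:1056      203.0.113.7:6667       ESTABLISHED     2244
  TCP    192.168.1.50:1061      192.168.1.10:445       ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1148
"""
# Constructed `tasklist /svc` output; TMP_SAMPLE.exe is a placeholder for the Temp-folder file.
TASKLIST = """\
Image Name                   PID Services
========================= ====== ==========================================
System                         4 N/A
lsass.exe                   1148 PolicyAgent, ProtectedStorage, SamSs
TMP_SAMPLE.exe              2244 N/A
"""
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}  # assumed common IRC ports

def parse_tasklist(text):
    """Map PID -> (image name, [hosted services]); header/separator rows have no PID column."""
    procs = {}
    for m in re.finditer(r"^(\S+)\s+(\d+)\s+(.*)$", text, re.M):
        svcs = m.group(3).strip()
        procs[int(m.group(2))] = (m.group(1), [] if svcs == "N/A" else svcs.split(", "))
    return procs

def parse_netstat(text):
    """Yield (proto, peer_ip, peer_port, state, pid) for every real remote peer."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        host, _, port = parts[2].rpartition(":")
        if host in ("0.0.0.0", "*") or host.startswith("127."):
            continue  # listeners and loopback carry no remote peer
        yield parts[0], host, int(port), parts[3] if parts[0] == "TCP" else "", int(parts[-1])

def correlate(netstat_text, tasklist_text):
    """One record per remote connection: owning image, its services, and an IRC-port flag."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for proto, host, port, state, pid in parse_netstat(netstat_text):
        image, svcs = procs.get(pid, ("<unknown>", []))
        rows.append({"proto": proto, "peer": f"{host}:{port}", "state": state, "pid": pid,
                     "image": image, "services": svcs, "irc_port": port in IRC_PORTS})
    return rows
```

On the live host, replace the two constants with the real command output (saved to files before the box is wiped) and review any row whose image lives under the Temp folder or whose peer port is flagged.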