Messages

1

Malware removal help / Re: Possible rootkit - please take a look at my report

« on: January 21, 2015, 02:30:53 AM »

I think the Websense report was implying that my computer my be a part of a botnet, not that server. I'm really not sure.

Either way I will cross my fingers and hope it doesn't come back.

Thanks for your help!

2

Malware removal help / Re: Possible rootkit - please take a look at my report

« on: January 20, 2015, 11:32:47 PM »

I did a virustotal scan on the IP and it came up with quite a few malicious things:
https://www.virustotal.com/en/ip-address/81.169.145.160/information/

Hopefully clearing Chrome did the trick though.


Do you think the IAT hooks that were found in my report were false positives?


Thanks,

3

Malware removal help / Re: Possible rootkit - please take a look at my report

« on: January 20, 2015, 04:34:35 PM »

Date: 1/19/2015 10:04:21 AM
Type: Information
Source: Websense Usage Monitor

Suspicious activity has exceeded the alerting threshold for this severity level.

Severity: High
Category: Bot Networks
Filtering action: Blocked
Threshold (in hits): 1

Log on to TRITON - Web Security and access the Threats dashboard for more details about these incidents.

Access TRITON - Web Security here: https://172.18.28.37:9443/triton/triton/?eip.tab=wsg&wsg.data=vkupp

---Most recent incident---
User: LDAP://cfins.com OU=Morristown,OU=Locations,DC=cfins,DC=com/LastName\, FirstName IP address: 172.18.40.113
URL: https://81.169.145.160/
Destination IP address: 81.169.145.160   Port: 443

I have also found the malicious 81.169.145.160 IP is only contacted when chrome starts up. I have completely cleared chromes settings and wiped all extensions so I MIGHT have removed the problem, but not sure.

Here is the line I captured from my monitoring tool showing chrome is the culprit:

1/20/2015 10:20:08 AM Added           chrome.exe           TCP 172.18.40.113:56844    81.169.145.160:443

4

Malware removal help / Re: Possible rootkit - please take a look at my report

« on: January 20, 2015, 02:50:09 PM »

Hi Curson,

Yes, this is but in this case I am responsible for cleaning up this computer as it is a secondary one I have brought in from home. Currently it is disconnected from the network. Is it possible you can still help me with this?

Thanks,

5

Malware removal help / Possible rootkit - please take a look at my report

« on: January 19, 2015, 10:35:09 PM »

Hello,

I suspect I may have a rootkit on my computer. My work firewall is detecting that at startup, a process (or something) is trying to connect to a known bot-net affiliated IP.

Here is my roguekiller log attatched. I am a little concerned about the [IAT:Inl(Hook.IEAT)] (explorer.exe) lines at the bottom and roguekiller even said they were suspicious but I'm really not sure.

Can anyone take a look and give me some advice?


Thanks,