Possible rootkit - please take a look at my report

[jtcgiants56]

Hello,

I suspect I may have a rootkit on my computer. My work firewall is detecting that at startup, a process (or something) is trying to connect to a known bot-net affiliated IP.

Here is my roguekiller log attatched. I am a little concerned about the [IAT:Inl(Hook.IEAT)] (explorer.exe) lines at the bottom and roguekiller even said they were suspicious but I'm really not sure.

Can anyone take a look and give me some advice?


Thanks,

[Curson]

Hi jtcgiants56,

Welcome to Adlice.com Forum.

Is your computer part of an enterprise network ?
If thats the case, you should inform your system administrator in charge so that he can takes appropriate action to take care of the issue.

Regards.

Edit : Spelling.

[jtcgiants56]

Hi Curson,

Yes, this is but in this case I am responsible for cleaning up this computer as it is a secondary one I have brought in from home. Currently it is disconnected from the network. Is it possible you can still help me with this?

Thanks,

[Curson]

Hi jtcgiants56,

The report does not reveal anything really convincing.
Could you post the full message provided by the firewall ? It could be helpful.

Regards.

[jtcgiants56]

Date: 1/19/2015 10:04:21 AM
Type: Information
Source: Websense Usage Monitor

Suspicious activity has exceeded the alerting threshold for this severity level.

Severity: High
Category: Bot Networks
Filtering action: Blocked
Threshold (in hits): 1

Log on to TRITON - Web Security and access the Threats dashboard for more details about these incidents.

Access TRITON - Web Security here: https://172.18.28.37:9443/triton/triton/?eip.tab=wsg&wsg.data=vkupp

---Most recent incident---
User: LDAP://cfins.com OU=Morristown,OU=Locations,DC=cfins,DC=com/LastName\, FirstName IP address: 172.18.40.113
URL: https://81.169.145.160/
Destination IP address: 81.169.145.160   Port: 443

I have also found the malicious 81.169.145.160 IP is only contacted when chrome starts up. I have completely cleared chromes settings and wiped all extensions so I MIGHT have removed the problem, but not sure.

Here is the line I captured from my monitoring tool showing chrome is the culprit:

1/20/2015 10:20:08 AM Added           chrome.exe           TCP 172.18.40.113:56844    81.169.145.160:443

[Curson]

Hi jtcgiants56,

IP 81.169.145.160 is assigned to a server of the STRATO AG network. It appears to be a legit shared hosting server.
It will be hard to say if the request was really malicious or not.

Anyway, since you have done a full reset of Chrome, all malicious modules/plugins that may have been present were removed.
It does not seem to be any infection on your computer.

If you have any questions, feel free to ask.
Regards.

[jtcgiants56]

I did a virustotal scan on the IP and it came up with quite a few malicious things:
https://www.virustotal.com/en/ip-address/81.169.145.160/information/

Hopefully clearing Chrome did the trick though.


Do you think the IAT hooks that were found in my report were false positives?


Thanks,

[Curson]

Hi jtcgiants56,

Indeed, the server is hosting / has hosted quite a lot of problematic content.
However, I doubt very seriously that this server can be part of a botnet.

The hooks on the CoCreateInstance and DwmExtendFrameIntoClientArea functions are most certainly legit. Rootkits don't usually hook theses.

Your computer seems clean.
I propose you to reconnect your computer to the network and if the detection was to occur again, we will investigate further.
Would you agree ?

Regards.

[jtcgiants56]

I think the Websense report was implying that my computer my be a part of a botnet, not that server. I'm really not sure.

Either way I will cross my fingers and hope it doesn't come back.

Thanks for your help!

[Curson]

Hi jtcgiants56,

I'm glad I was able to help you.
Don't hesitate to tell me if the problem occurs again.

Regards.