Who in here thinks they are a computer security guru?

skydivr

Cause I've got a couple of machines I am trying to sort out.

Both machines are WinXP SP3 machines with all updates (both critical and normal) completed. Both are independent machines not connected to a server. Both run Symantec Endpoint. Both have been scanned with Malwarebytes with no reported issues. Also scanned with ESET online scanner, and Kaspersky's TDSSKiller.

One of these machines accounts for 47% of the ENTIRE company's firewall traffic a week. Obviously something is trying to get a hit, but the corporate firewall blocks it.

The other machine starts to bog down, and all of a sudden the IE desktop shortcuts stop functioning, but will as favorites once the browser window is open. I had this machine running SMOOTH a week ago (after having to clean it because some employees just can't seem to help themselves) but now it's not looking right again.

I've fixed many machines with some pretty bad infections, but these two I can't trace down what the problem is.

Oh yeah, and has anyone heard anything else about the IE zero-day vulnerability today? I haven't seen any fixes or Windows Updates yet.

Only thing I haven't done yet is register and post up on bleepingcomputer.com to have it looked at by an expert...
 
I am bane to take the nuclear option (reformat and reinstall Windows) that's the easy way out - I will beat this thing if it takes me a month to figure it out!
 
Check and verify the running services and processes. You can also use wireshark and sniff the traffic and see what ports its using, where it's going and what the payload is. Sounds like something bad.
 
It will show you the actual packets on the wire. You will probably need to install it on the machine that has the issue. Install and play. The pool gets very deep very fast.
 
Or try an app called tcpview. It's a simple no installer app. Will show you what program is using most of the bandwidth
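As an added example (not code from anyone in this thread), here is a small Python triage script that works the "47% of firewall traffic" symptom from the firewall-log side, the way the Wireshark/tcpview suggestions work it from the host side: it parses a few constructed log lines in an assumed format, ranks source hosts by their share of total bytes, and flags hosts that take a large share AND are mostly being blocked, along with the destinations and ports they keep hitting. The log format, threshold and sample addresses are all assumptions.

```python
import re
from collections import Counter
# Constructed sample of outbound firewall log lines (assumed format, not from the thread):
SAMPLE_LOG = """\
2012-09-22 09:00:01 DENY TCP 10.0.0.15:1042 -> 203.0.113.7:8080 bytes=420
2012-09-22 09:00:03 DENY TCP 10.0.0.15:1044 -> 203.0.113.9:8080 bytes=430
2012-09-22 09:00:04 ALLOW TCP 10.0.0.22:2001 -> 198.51.100.3:80 bytes=1500
2012-09-22 09:00:05 DENY TCP 10.0.0.15:1045 -> 203.0.113.7:8080 bytes=420
2012-09-22 09:00:06 ALLOW TCP 10.0.0.31:2050 -> 198.51.100.3:443 bytes=900
2012-09-22 09:00:07 DENY UDP 10.0.0.15:1046 -> 203.0.113.7:53 bytes=60
"""

LINE_RE = re.compile(r"^\S+ \S+ (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
                     r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$")

def parse_log(text):
    # One dict per well-formed line; malformed lines are skipped rather than aborting triage.
    events = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    for d in events:
        d["bytes"], d["dport"] = int(d["bytes"]), int(d["dport"])
    return events

def traffic_share(events):
    # Each source host's fraction (0.0-1.0) of all logged bytes.
    per_host = Counter()
    for e in events:
        per_host[e["src"]] += e["bytes"]
    total = sum(per_host.values()) or 1
    return {h: b / total for h, b in per_host.items()}

def host_profile(events, host):
    # Denied vs allowed attempts plus the destinations and ports this host hits most.
    mine = [e for e in events if e["src"] == host]
    return {
        "denied": sum(e["action"] == "DENY" for e in mine),
        "allowed": sum(e["action"] == "ALLOW" for e in mine),
        "top_dst": Counter(e["dst"] for e in mine).most_common(3),
        "top_dport": Counter((e["proto"], e["dport"]) for e in mine).most_common(3),
    }

def suspicious_hosts(events, share_threshold=0.25):
    # Flag hosts that take a large share of traffic AND are mostly blocked, highest share first.
    flagged = []
    for host, share in sorted(traffic_share(events).items(), key=lambda kv: -kv[1]):
        p = host_profile(events, host)
        if share > share_threshold and p["denied"] > p["allowed"]:
            flagged.append((host, round(share, 3), p))
    return flagged
```

Note that the host with the most bytes in the sample (10.0.0.22) is not flagged, because its traffic is allowed; the denied-to-allowed ratio is what separates a busy machine from one hammering at the firewall.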
 
reformatting is really the only way to be positive you got all the malware off. If it is a business computer with customer info etc on it that is the smartest option.
 
Lol... I'm actually in Vegas for a 6 day network/Internet security conference. Tomorrow is the last day and then a weeks va-ca in Vegas! WOOT!
 
Actually simple reformat is not the answer if the crook has any skills at all. It doesn't actually clean it totally. Wireshark is a good program but it will be difficult for you to understand if you don't have a huge background in networking and understand how to read IP addresses. How do you have these computers hooked to the web? Is there an intranet involved? Have you manually changed or adjusted port settings? Have you recently switched DNS? Have you pinged anyone to see if the times are correct or if they are lagging? Google is a good one to ping usually. This will also solve whether it's a problem with your access, your PC, or your ISP.
 
Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results

A good article that relates to the topic at hand. It gets a little deep but proves the point that AV isn't the answer. If the link doesn't work, just google "av is dead" (pasting from iPhone). The crap we are being hit with today is much more advanced and we can't rely on just AV anymore. Oh yeah, that firewall is nothing more than a "dumb traffic cop"... Packets go in, packets go out...


Happy Saturday!
 
If you are suspicious of those two computers you should disconnect them from the network and leave them disconnected until you resolve the issue. Sysinternals.com has some great tools to see what processes are running on your system (process explorer and process monitor, etc.). If you do have a rootkit installed then life can be more difficult.

Mark Russinovich has a link to his talk at TechEd 2012 on Advanced Malware techniques:

TechED 2012: Mark Russinovich

It's a great (typical for Mark) talk.

Good luck.
 