No replies to this topic

[Archie_E3]

Hi,

We've been having a recurring problem here with a particular machine behind a firewall running a dfind.exe process which overloads the firewall by maxing out the connections (at 4096). The problem has been identified and deleted time and time again but keeps coming back, so it seems there is another process that is causing the malware to come back.

The machine is a Windows Server 2003 machine with Symantec Endpoint Protection 11 installed. SEP has only come up with identifying the virus (hacktool.dfind) once, and each time the virus comes back and our firewall goes down the process is called something else (eg it was called rtvscan.exe last time).

We've run SEP, Malwarebytes, spybot, hijack this (log file available at: http://rafb.net/p/c9pBlL96.html), trend micro housecall and rootkit revealer to no avail.

I have trawled the web for people who've had similar problems, and can currently only find the following posts which are similar, but none of them seem to have solutions!

http://www.tek-tips.com/viewthread.cfm?qid...9122&page=1
http://www.experts-exchange.com/Security/V...Q_21857086.html
http://www.experts-exchange.com/Security/O...Q_21775571.html


Any help would be very much appreciated! Its an important server, and an even more important firewall its overloading, so if there is any way at all to stop this malware before having to rebuild the machine that would be brilliant!!