To be brief
A computer in our network got a rootkit because they used Internet Explorer on an unsafe site. That computer has since been cleaned with BlackLight, ComboFix, Malwarebytes and so on. No other computers on the network got a virus or rootkit from it. All appears to be fixed. However, an underlying and highly unusual symptom has occurred afterwards: all computers in the network have inbound connections from UDP 1024 connecting to UDP 137, and it's both receiving and sending a lot of bytes. Now, is this harmless chatter, or did the payload include a bot? I really need to find out if my network is infected. No other computers are showing unusual signs besides this very persistent inbound connection. Terminating the connection does little; it returns moments later.
All computers are using static IP addresses. I turned them all off and renewed our IPs, and the inbound connection stopped. To test, I turned the static IPs back on. Sure enough, the inbound connection came back and got right to work on whatever it's doing. I know that TCP 1024 is Latinus and is hell on earth to deal with, but this is UDP 1024 and can potentially just be fine. How can I tell for sure, guys? I really, REALLY don't want to deal with an infected network.
Edited by C-zom, 25 July 2010 - 04:17 AM.
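UDP 137 is the NetBIOS Name Service (NBNS) port, and Windows hosts on a LAN query and answer it constantly, so the traffic pattern in the post is consistent with ordinary name-service chatter as long as the sources are other machines on the same subnet and the payloads decode as NBNS queries. The following is an added example (not part of the post, not a tool the poster used) that shows how a defender can check both: it classifies constructed connection records by whether the UDP/137 source is inside the local network, and it decodes a constructed NBNS packet using the first-level name encoding from RFC 1001 to confirm the payload really is a name query. The subnet 192.168.1.0/24, the host name FILESERVER and all sample addresses are assumptions made for the illustration.

```python
"""Triage helper for UDP/137 traffic (NetBIOS Name Service, NBNS).

Added example, not part of the forum post. The connection records and the
NBNS packet below are constructed for illustration.
"""
import ipaddress
import struct

NBNS_PORT = 137  # NetBIOS Name Service always runs over UDP

# Constructed records in the shape a netstat or firewall export might give:
# (proto, src_ip, src_port, dst_ip, dst_port)
SAMPLE_CONNECTIONS = [
    ("UDP", "192.168.1.50", 1024, "192.168.1.20", 137),
    ("UDP", "192.168.1.51", 1024, "192.168.1.20", 137),
    ("UDP", "203.0.113.9", 1024, "192.168.1.20", 137),   # documentation range: not a LAN host
    ("TCP", "192.168.1.20", 49201, "192.168.1.1", 445),
]


def classify(record, local_net):
    """Label one record: NBNS from the LAN is expected, NBNS from outside is not."""
    proto, src_ip, sport, dst_ip, dport = record
    if proto.upper() != "UDP" or dport != NBNS_PORT:
        return "not NBNS"
    if ipaddress.ip_address(src_ip) in local_net:
        return "NBNS from LAN host (normal Windows name-service chatter)"
    return "NBNS from outside the LAN: should be blocked at the perimeter"


def triage(records, local_cidr="192.168.1.0/24"):
    """Return (record, verdict) pairs for every record. local_cidr is an assumption."""
    net = ipaddress.ip_network(local_cidr)
    return [(r, classify(r, net)) for r in records]


def encode_nb_name(name, suffix):
    """First-level encoding (RFC 1001 section 14.1): 16 raw bytes -> 32 letters A..P."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))      # high nibble
        out.append(ord("A") + (b & 0x0F))    # low nibble
    return bytes([32]) + bytes(out) + b"\x00"  # length byte, 32 chars, terminator


def build_nbns_query(name, suffix=0x20, txid=0x1234):
    """Construct a broadcast NBNS name query (flags 0x0110 = query, RD, broadcast)."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = encode_nb_name(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)  # QTYPE NB, QCLASS IN
    return header + question


def decode_nbns(payload):
    """Decode the header and first question of an NBNS packet; None if not NBNS-shaped."""
    if len(payload) < 12 + 34 + 4:          # header + encoded name + qtype/qclass
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if payload[12] != 32 or payload[45] != 0:  # NBNS names are always 32 encoded chars
        return None
    enc = payload[13:45]
    if any(c < ord("A") or c > ord("P") for c in enc):
        return None
    raw = bytes(((enc[i] - ord("A")) << 4) | (enc[i + 1] - ord("A")) for i in range(0, 32, 2))
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,      # 0 = query, 5 = registration, 6 = release
        "broadcast": bool(flags & 0x0010),
        "name": raw[:15].decode("ascii").rstrip(),
        "suffix": raw[15],                  # 0x00 workstation, 0x20 server service, 0x1B/0x1D browser
        "qtype": qtype,                     # 0x0020 NB (name query), 0x0021 NBSTAT (node status)
        "questions": qd,
        "answers": an,
    }


if __name__ == "__main__":
    for record, verdict in triage(SAMPLE_CONNECTIONS):
        print(record, "->", verdict)
    print(decode_nbns(build_nbns_query("FILESERVER")))
```

To apply this to real traffic, feed `decode_nbns` the UDP payloads captured on port 137 of one affected host; packets that fail to decode, or that decode with names or opcodes that do not match the machines on the network, are the ones worth looking at further.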