Posted 06 December 2011 - 09:21 AM
Have a client that is being blacklisted:
This IP is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.
This was detected by observing this IP attempting to make contact to a Torpig Command and Control server at 188.8.131.52, with contents unique to Torpig C&C command protocols.
Torpig is a banking trojan, specializing in stealing personal information (passwords, account information, etc) from interactions with banking sites.
Torpig is normally dropped by Mebroot. Mebroot is a Rootkit that installs itself into the MBR (Master Boot Record).
With Mebroot or any other rootkit that installs itself into the MBR, you will either have to use a "MBR cleaner" or reformat the drive completely - even if you manage to remove Torpig, the MBR infection will cause it to be reinfected again.
The best way to find the machine responsible is to look for connections to the Torpig C&C server. This detection was made through a connection to 184.108.40.206, but this changes periodically. To find these infections, we suggest you search for TCP/IP connections in the following ranges:
I think and am a bit convinced it is the server, however, nothing is picking it up.
I know that ComboFix will if I run it.
Can I run ComboFix on an SBS 2008 server that's running file services as well as Exchange?
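An added example (not from the original post or the blacklist operator) of the search the notice recommends: scan a NAT/firewall connection log for the internal host behind the NAT that contacted the C&C addresses. The log format and sample lines are constructed; the indicator list holds only the two addresses quoted in the notice, with a placeholder comment where the notice's (unlisted) ranges would go.

```python
import ipaddress
import re

# Constructed sample NAT/firewall log (not from the original post).
# Assumed format: "<timestamp> <src_ip>:<port> -> <dst_ip>:<port> <proto>"
SAMPLE_LOG = """\
2011-12-06T09:01:12 192.168.1.10:50211 -> 188.8.131.52:80 TCP
2011-12-06T09:02:45 192.168.1.5:49152 -> 93.184.216.34:443 TCP
2011-12-06T09:03:07 192.168.1.23:51010 -> 184.108.40.206:443 TCP
2011-12-06T09:04:30 192.168.1.10:50230 -> 188.8.131.52:80 TCP
"""

# Indicators quoted in the blacklist notice. The notice says the C&C address
# changes periodically and refers to ranges it does not list here; those can
# be added as CIDR strings (placeholder shown, not a real indicator).
C2_INDICATORS = [
    "188.8.131.52",
    "184.108.40.206",
    # "203.0.113.0/24",  # placeholder: put the ranges from the notice here
]

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):\d+ (\w+)$"
)


def build_networks(indicators):
    """Turn single IPs and CIDR strings into ip_network objects (an IP becomes a /32)."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def find_internal_hosts(log_text, indicators=C2_INDICATORS):
    """Return {internal_src_ip: hit_count} for connections to any indicator.

    The blacklist only sees the public NAT address; the NAT/firewall log is
    where the internal source address of the infected machine is recovered."""
    nets = build_networks(indicators)
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, src, dst, _proto = m.groups()
        if any(ipaddress.ip_address(dst) in n for n in nets):
            hits[src] = hits.get(src, 0) + 1
    return hits


if __name__ == "__main__":
    for host, count in sorted(find_internal_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {count} connection(s) to Torpig C&C indicators")
```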