high upload traffic on strange ports on a win2008 server

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by riversde, Aug 9, 2012.

  1. riversde

    riversde Private E-2

    Hi, I am having high outbound traffic to multiple strange IPs.

    Symantec Endpoint does not find anything; everything is clean.

    I attached multiple logs; I hope someone has an idea of how I can stop this one.
     


  2. thisisu

    thisisu Malware Consultant

    Hello riversde

    Please download and scan with TDSSKiller
    • Do not use the Change Parameters button
    • When the scan is finished, a log will be created in the root of your C: drive
    • Example: C:\TDSSKiller.2.7.47.0_25.07.2012_15.06.22_log.txt
    • Attach this to your next message. (How to attach)

    Also were you unable to run RogueKiller and CCleaner?
     
  3. riversde

    riversde Private E-2

    I attached the RogueKiller log and TDSS

    Also, I ran CCleaner; it didn't find any logs to attach.


    If you need more info just let me know. I really appreciate your time on this.

    Thanks a lot!

    By the way, my Malwarebytes trial edition is blocking the IP addresses that have the high traffic, but nothing appears on scans.
     


  4. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 18 (outdated)
    • Java(TM) 6 Update 27 (outdated)
    • Java(TM) SE Development Kit 6 Update 18 (outdated)

    __

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      %windir%\system32\drivers\*.sys /lockedfiles
      
    • Now click the scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach OTL.txt and Extras.txt to your next message. (How to attach)

    __

    How many ports do you need to have open? It looks like there's a very high number of ports being forwarded.
     
  5. riversde

    riversde Private E-2

    The only ports I need are the ones that SBS opens:

    21, 1723, 53, 25, 443, 3389, 80

    I already uninstalled all the Java versions, but it asked me to restart. This is a production server, so I will run it tonight after the restart and will post the logs.


    Thanks for your support..


    :)
     
    Last edited: Aug 13, 2012
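As an added example (not part of this thread or its attached logs), the script below parses a constructed `netstat -ano` capture and flags established TCP connections the server itself opened to remote ports outside the list of SBS ports given above; the sample addresses and PIDs are made up.

```python
"""Triage netstat -ano output: flag TCP connections a server opened itself
to remote ports it is not expected to use (constructed example)."""
from collections import Counter
# Ports the SBS server legitimately uses, as listed in the thread.
EXPECTED_PORTS = {21, 25, 53, 80, 443, 1723, 3389}

# Constructed sample of `netstat -ano` output; IPs and PIDs are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:443       198.51.100.7:51002     ESTABLISHED     4
  TCP    192.168.1.10:49321     203.0.113.45:6881      ESTABLISHED     1234
  TCP    192.168.1.10:49322     203.0.113.46:6881      ESTABLISHED     1234
  TCP    192.168.1.10:49330     203.0.113.45:6881      ESTABLISHED     1234
  TCP    192.168.1.10:49400     198.51.100.20:443      ESTABLISHED     2200
  UDP    0.0.0.0:53             *:*                                    812
"""

def split_addr(addr):
    """Split 'host:port' into (host, port); works for '[::]:80' too."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Return one dict per TCP row (UDP rows have no state and are skipped)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, lport = split_addr(parts[1])
        rhost, rport = split_addr(parts[2])
        rows.append({"lport": lport, "rhost": rhost, "rport": rport,
                     "state": parts[3], "pid": int(parts[4])})
    return rows

def suspicious_outbound(text, expected=EXPECTED_PORTS):
    """Count (remote_ip, remote_port, pid) for ESTABLISHED rows whose local port
    is not a listener (server initiated them) and whose remote port is unexpected."""
    rows = parse_netstat(text)
    listening = {r["lport"] for r in rows if r["state"] == "LISTENING"}
    hits = Counter()
    for r in rows:
        # Inbound hits on hosted services (local port 80/443/...) are skipped.
        if r["state"] == "ESTABLISHED" and r["lport"] not in listening \
                and r["rport"] not in expected:
            hits[(r["rhost"], r["rport"], r["pid"])] += 1
    return hits
```

Map each reported PID back to its process with `tasklist /fi "PID eq <pid>"` before deciding whether the connections are legitimate.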
  6. riversde

    riversde Private E-2

    I attached the files
     


  7. thisisu

    thisisu Malware Consultant

    Haven't found a single trace of malware in your logs.

    Code:
    O15 - HKU\S-1-5-21-2951420852-1341674215-1450695527-1142\..Trusted Domains: godaddy.com ([cart] https in Trusted sites)
    O15 - HKU\S-1-5-21-2951420852-1341674215-1450695527-1142\..Trusted Domains: godaddy.com ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-2951420852-1341674215-1450695527-1142\..Trusted Domains: godaddy.com ([www] https in Trusted sites)
    O15 - HKU\S-1-5-21-2951420852-1341674215-1450695527-1142\..Trusted Domains: mediatek.local ([sbsmediatek] https in Trusted sites)
    O15 - HKU\S-1-5-21-2951420852-1341674215-1450695527-1142\..Trusted Domains: mediatekadv.com ([remote] http in Local intranet)
    O15 - HKU\S-1-5-21-2951420852-1341674215-1450695527-1142\..Trusted Domains: mediatekadv.com ([remote] https in Local intranet)
    O15 - HKU\S-1-5-21-2951420852-1341674215-1450695527-1142\..Trusted Domains: microsoft.com ([i2.technet] http in Trusted sites)
    O15 - HKU\S-1-5-21-2951420852-1341674215-1450695527-1142\..Trusted Domains: technet.com ([blogs] http in Trusted sites)
    Did you set these as Trusted Sites? The IP addresses being contacted are in the Netherlands. All outgoing.
     
  8. riversde

    riversde Private E-2

    Yes, I have those links as trusted sites, and I already removed them.

    After the reboot with the latest SBS 2008 patches, the traffic stopped.

    Don't know what happened. I really appreciate your help.

    Thanks a lot!
     
  9. thisisu

    thisisu Malware Consultant

    So everything is OK now? What happened, you installed Server 2008 updates?
     
