Hi guys, I'm not allowed to divulge my company's information by sending in a screenshot of the problem I'm encountering, but I'll try to provide as much information as possible.
There was a day when the internet stopped working / ran at a very slow pace, where I couldn't even ping Google. Yes, that serious. So when checking the firewall, I noticed that there had been a heck of a load of denied traffic from some PCs. These denies happen almost every second, and for 3-4 PCs. So the firewall is actually receiving a lot of traffic and it was rejecting it over and over again.
I went to check the PCs' antivirus network monitor, but somehow there isn't much irregular traffic. I'm puzzled by this problem. Is there someone who can enlighten me? What's with the firewall exactly? Those PCs do not have internet access! Even if they did, they didn't log in at that particular moment!
You might want to try rootkit revealer and see if anything suspicious turns up. Not all A/V programs can detect all rootkits. If these machines are being remotely controlled, you would never know they are being used, unless it's logged somewhere such as a router log or firewall log.
I just thought of something. How capable is this rootkit? Do they keep it up to date? I'm afraid that the "thing" that's attacking my server is rather new, as it's able to intrude into the users' PCs even with the latest patch from Kaspersky AV. And come to think of it, I think the problem is not that my server got the infection. It's the PCs that got it and try to send it out by relaying. So it got blocked within the firewall, causing it to deny traffic and making the whole internet connection slow or even cut.
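The symptom described in this thread (a handful of internal hosts hitting the firewall with denies almost every second) can be triaged directly from the firewall's deny log before touching any PC. The script below is an added example, not code from the thread or from any firewall vendor: the log line format and the sample lines are constructed, and the thresholds are assumptions to tune for your own environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample lines in a hypothetical syslog-style firewall format (not a
# vendor's real format). Two hosts deny-flood ports 25/445; a third host is quiet.
SAMPLE_LOG = """\
2024-05-01T10:00:00 fw DENY src=192.168.1.20 dst=203.0.113.5 proto=tcp dport=25
2024-05-01T10:00:01 fw DENY src=192.168.1.20 dst=203.0.113.6 proto=tcp dport=25
2024-05-01T10:00:02 fw DENY src=192.168.1.20 dst=203.0.113.7 proto=tcp dport=25
2024-05-01T10:00:00 fw DENY src=192.168.1.21 dst=198.51.100.9 proto=tcp dport=445
2024-05-01T10:00:01 fw DENY src=192.168.1.21 dst=198.51.100.10 proto=tcp dport=445
2024-05-01T10:00:02 fw DENY src=192.168.1.21 dst=198.51.100.11 proto=tcp dport=445
2024-05-01T10:00:30 fw DENY src=192.168.1.50 dst=203.0.113.5 proto=udp dport=123
2024-05-01T10:00:31 fw ALLOW src=192.168.1.50 dst=203.0.113.5 proto=tcp dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=\S+ dport=(?P<dport>\d+)$"
)

def parse_denies(text):
    """Return (timestamp, src, dst, dport) tuples for DENY lines only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "DENY":
            continue  # skip allows and lines in an unexpected format
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events

def flag_noisy_hosts(events, min_denies=3, min_rate_per_min=3.0):
    """Group denies by source host and flag hosts whose deny count and deny rate
    (over the span of that host's own events) exceed the assumed thresholds."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        if len(evs) < min_denies:
            continue
        times = sorted(e[0] for e in evs)
        span_min = max((times[-1] - times[0]).total_seconds(), 1.0) / 60.0  # avoid /0
        rate = len(evs) / span_min
        if rate < min_rate_per_min:
            continue
        flagged[src] = {"denies": len(evs), "rate_per_min": round(rate, 1),
                        "distinct_dst": len({e[2] for e in evs}),
                        "top_dport": Counter(e[3] for e in evs).most_common(1)[0][0]}
    return flagged
```

The flagged hosts, with their most-denied destination port and the number of distinct destinations they tried, are the machines to pull off the network and inspect first; a single host spraying one port at many different destinations looks very different from a misconfigured application retrying one server.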
I used rootkit revealer several years ago. I'm not sure if it's kept up to date, which is why I posted a second one. I've never used the one from gmer.net. I don't think it's like A/V programs where they must keep signatures up to date, since these programs check for rootkits in a different way.
Its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.