I've got a computer that is running behind a Palo Alto firewall. The PC uses a program called Endicia to create shipping labels. It also has internet access to a remote MySQL database. I started to lock down the firewall rules so the computer would only be able to access the internet for the software above, and found that unless I granted access to a different IP address, the Endicia software would not connect. I contacted the software vendor and they swear that the IP address that is requiring connection is not one of theirs.
I'm trying to figure out if this is a sign of an infected computer. Is it possible for malware to be able to block internet access to valid IP addresses if the IP address to their infected IP address is not open? Oh, one other thing that happens on this computer is that it constantly tries to connect to other computers on the network. The firewall shows repeated attempts to contact internal IP addresses that have been removed from the computer.
If I have to clean up this computer, is it good enough to simply stick in a CD with KillDisk on it and nuke the hard drive, and then use the installation CDs to reinstall? Or can malware survive in memory if it is a really smart rootkit? Are there any other steps I should take that will wipe this computer absolutely clean and destroy any possibility of a rootkit, so I can reinstall the XP operating system and software programs?
Thanks for any help.