ISP reports a Torpig infection - where from?

I just got an email from my ISP (ZEN) reporting that something on my
(fixed) IP is infected.

Their report, on which they have no additional detail, came from an
un-named 3rd party.

I have scanned every machine we have with several programs
(Malwarebytes, TDSSkiller, etc)
http://support.kaspersky.com/faq/?qid=208280684
and nothing has been found.

This site
http://www.2-spyware.com/remove-torpig.html
lists several obvious processes which should be visible in Task
Manager and we cannot see them anywhere.

But another site mentioned that this is an MBR virus which loads
before windoze and will make itself invisible...

So how does one go about finding it?

Our WIFI is secure (WPA/PSK) but we have one WEP-64 access point (for
a specific purpose) and maybe somebody hacked it and is using it with
an infected machine?

On Sat, 20 Aug 2011 09:05:34 +0100, Peter wrote:

> I just got an email from my ISP (ZEN) reporting that something on my
> (fixed) IP is infected.
>
> Their report, on which they have no additional detail, came from an
> un-named 3rd party.
>
> I have scanned every machine we have with several programs
> (Malwarebytes, TDSSkiller, etc)
> http://support.kaspersky.com/faq/?qid=208280684 and nothing has been
> found.
>
> This site
> http://www.2-spyware.com/remove-torpig.html lists several obvious
> processes which should be visible in Task Manager and we cannot see them
> anywhere.
>
> But another site mentioned that this is an MBR virus which loads before
> windoze and will make itself invisible...
>
> So how does one go about finding it?

My preferred technique is to boot the windows machine from a linux livecd,
mount the windows disk, and then scan it using clam.

http://www.sysresccd.org/

I guess you could also use a windows command line based scanner in a dos
command line emulator. I think that may be what avira does, although I've
never tried it:

http://www.avira.com/en/support-down...-rescue-system

avira may be more integrated, as I said I've never tried it.

> Our WIFI is secure (WPA/PSK) but we have one WEP-64 access point (for a
> specific purpose) and maybe somebody hacked it and is using it with an
> infected machine?

That's a possibility.

Do Zen require you to do anything, or is the report from them purely
informational? Presumably they're not complaining that they're seeing
evidence of your ip being used maliciously as part of a botnet, a phishing
host site, or to deliver malicious software from a web server?

Rgds

Denis McMahon

On 20/08/2011 09:05, Peter wrote:
> I just got an email from my ISP (ZEN) reporting that something on my
> (fixed) IP is infected.
>
> Their report, on which they have no additional detail, came from an
> un-named 3rd party.
>
> I have scanned every machine we have with several programs
> (Malwarebytes, TDSSkiller, etc)
> http://support.kaspersky.com/faq/?qid=208280684
> and nothing has been found.
>
> This site
> http://www.2-spyware.com/remove-torpig.html
> lists several obvious processes which should be visible in Task
> Manager and we cannot see them anywhere.
>
> But another site mentioned that this is an MBR virus which loads
> before windoze and will make itself invisible...
>
> So how does one go about finding it?
>
> Our WIFI is secure (WPA/PSK) but we have one WEP-64 access point (for
> a specific purpose) and maybe somebody hacked it and is using it with
> an infected machine?

You could try this:

MS System Sweeper

http://connect.microsoft.com/systemsweeper

Denis McMahon <(E-Mail Removed)> wrote

>On Sat, 20 Aug 2011 09:05:34 +0100, Peter wrote:
>
>> I just got an email from my ISP (ZEN) reporting that something on my
>> (fixed) IP is infected.
>>
>> Their report, on which they have no additional detail, came from an
>> un-named 3rd party.
>>
>> I have scanned every machine we have with several programs
>> (Malwarebytes, TDSSkiller, etc)
>> http://support.kaspersky.com/faq/?qid=208280684 and nothing has been
>> found.
>>
>> This site
>> http://www.2-spyware.com/remove-torpig.html lists several obvious
>> processes which should be visible in Task Manager and we cannot see them
>> anywhere.
>>
>> But another site mentioned that this is an MBR virus which loads before
>> windoze and will make itself invisible...
>>
>> So how does one go about finding it?
>
>My preferred technique is to boot the windows machine from a linux livecd,
>mount the windows disk, and then scan it using clam.
>
>http://www.sysresccd.org/

I've made a bootable CD, but can't find anywhere with a version of
Clam which can simply be copied to a CD. And if I did copy it to a CD,
how would I run it? My expertise is windoze, dos, cp/m, assembler, C
Command line no problem. But not unix.

>I guess you could also use a windows command line based scanner in a dos
>command line emulator. I think that may be what avira does, although I've
>never tried it:
>
>http://www.avira.com/en/support-down...-rescue-system
>
>avira may be more integrated, as I said I've never tried it.
>
>> Our WIFI is secure (WPA/PSK) but we have one WEP-64 access point (for a
>> specific purpose) and maybe somebody hacked it and is using it with an
>> infected machine?
>
>That's a possibility.
>
>Do Zen require you to do anything, or is the report from them purely
>informational? Presumably they're not complaining that they're seeing
>evidence of your ip being used maliciously as part of a botnet, a phishing
>host site, or to deliver malicious software from a web server?

They are not threatening to cut the line off.

Count de Monet <(E-Mail Removed)> wrote

>You could try this:
>
>MS System Sweeper
>
>http://connect.microsoft.com/systemsweeper

Great; doing that too.

Peter <occassionally-(E-Mail Removed)> wrote

>
>Count de Monet <(E-Mail Removed)> wrote
>
>>You could try this:
>>
>>MS System Sweeper
>>
>>http://connect.microsoft.com/systemsweeper
>
>Great; doing that too.

RIGHT we have a result.

The M$ tool found Sinowal (a.k.a. Torpig) on my son's computer. Hey
there's a suprise Another son of mine had 13 trojans on his laptop
once.

No other tool found this thing... Latest Kaspersky sees nothing.
Malwarebytes sees nothing.

I have scanned our other PCs but none of them have the infection -
except one on which the M$ scanner cannot be started. A google on the
error message brings up the usual threads of the same issue but no
explanation... Luckily that PC is dual boot: winXP and win2000, so
booting it into win2000 (that partition is very rarely used) and
running some AV software on *both* logical drives ought to find it.

Peter wrote:

> Count de Monet<(E-Mail Removed)> wrote
>
>> http://connect.microsoft.com/systemsweeper
>
> The M$ tool found Sinowal (a.k.a. Torpig) on my son's computer.
> No other tool found this thing...

Suggests a rootkit may be hiding what is *really* going on on his PC,
you'd have hoped the sweeper would have found that too though.

"Peter" <occassionally-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> Peter <occassionally-(E-Mail Removed)> wrote
>
>>
>>Count de Monet <(E-Mail Removed)> wrote
>>
>>>You could try this:
>>>
>>>MS System Sweeper
>>>
>>>http://connect.microsoft.com/systemsweeper
>>
>>Great; doing that too.
>
> RIGHT we have a result.
>
> The M$ tool found Sinowal (a.k.a. Torpig) on my son's computer. Hey
> there's a suprise Another son of mine had 13 trojans on his laptop
> once.
>
> No other tool found this thing... Latest Kaspersky sees nothing.
> Malwarebytes sees nothing.
>
> I have scanned our other PCs but none of them have the infection -
> except one on which the M$ scanner cannot be started. A google on the
> error message brings up the usual threads of the same issue but no
> explanation... Luckily that PC is dual boot: winXP and win2000, so
> booting it into win2000 (that partition is very rarely used) and
> running some AV software on *both* logical drives ought to find it.

Some useful tools here

http://www.pchell.com/support/rootkitremovaltools.shtml


Peter Crosland

In article <(E-Mail Removed) >,
Andy Burns <(E-Mail Removed)> wrote:
>Peter wrote:
>
>> Count de Monet<(E-Mail Removed)> wrote
>>
>>> http://connect.microsoft.com/systemsweeper
>>
>> The M$ tool found Sinowal (a.k.a. Torpig) on my son's computer.
>> No other tool found this thing...
>
>Suggests a rootkit may be hiding what is *really* going on on his PC,
>you'd have hoped the sweeper would have found that too though.

Torpig is usually perpetrated via a rootkit, so you really need to boot
from a clean boot disk to find it. Rootkits can hide themselves through
virtualisation otherwise.

Nick
--
Serendipity: http://www.leverton.org/blosxom (last update 29th March 2010)
"The Internet, a sort of ersatz counterfeit of real life"
-- Janet Street-Porter, BBC2, 19th March 1996

"Peter Crosland" <(E-Mail Removed)> wrote

>"Peter" <occassionally-(E-Mail Removed)> wrote in message
>news:(E-Mail Removed).. .
>>
>> Peter <occassionally-(E-Mail Removed)> wrote
>>
>>>
>>>Count de Monet <(E-Mail Removed)> wrote
>>>
>>>>You could try this:
>>>>
>>>>MS System Sweeper
>>>>
>>>>http://connect.microsoft.com/systemsweeper
>>>
>>>Great; doing that too.
>>
>> RIGHT we have a result.
>>
>> The M$ tool found Sinowal (a.k.a. Torpig) on my son's computer. Hey
>> there's a suprise Another son of mine had 13 trojans on his laptop
>> once.
>>
>> No other tool found this thing... Latest Kaspersky sees nothing.
>> Malwarebytes sees nothing.
>>
>> I have scanned our other PCs but none of them have the infection -
>> except one on which the M$ scanner cannot be started. A google on the
>> error message brings up the usual threads of the same issue but no
>> explanation... Luckily that PC is dual boot: winXP and win2000, so
>> booting it into win2000 (that partition is very rarely used) and
>> running some AV software on *both* logical drives ought to find it.
>
>Some useful tools here
>
>http://www.pchell.com/support/rootkitremovaltools.shtml

Many thanks.

I have done a few more scans and so far everything is clean - except
my son's PC which had one, and has now gone back to the ex wife's
house

I suppose it is in my interest that her bank account doesn't get
emptied, since it is *me* who is topping it off every month