ISP reports a Torpig infection - where from?



 
 
  #1  
Old August 20th 11, 09:05 AM posted to uk.telecom.broadband
Peter

I just got an email from my ISP (ZEN) reporting that something on my
(fixed) IP is infected.

Their report, on which they have no additional detail, came from an
un-named 3rd party.

I have scanned every machine we have with several programs
(Malwarebytes, TDSSkiller, etc)
http://support.kaspersky.com/faq/?qid=208280684
and nothing has been found.

This site
http://www.2-spyware.com/remove-torpig.html
lists several obvious processes which should be visible in Task
Manager and we cannot see them anywhere.

But another site mentioned that this is an MBR virus which loads
before windoze and will make itself invisible...

So how does one go about finding it?

Our WIFI is secure (WPA/PSK) but we have one WEP-64 access point (for
a specific purpose) and maybe somebody hacked it and is using it with
an infected machine?
  #2  
Old August 20th 11, 12:28 PM posted to uk.telecom.broadband
Denis McMahon

On Sat, 20 Aug 2011 09:05:34 +0100, Peter wrote:

> I just got an email from my ISP (ZEN) reporting that something on my
> (fixed) IP is infected.
>
> Their report, on which they have no additional detail, came from an
> un-named 3rd party.
>
> I have scanned every machine we have with several programs
> (Malwarebytes, TDSSkiller, etc)
> http://support.kaspersky.com/faq/?qid=208280684 and nothing has been
> found.
>
> This site
> http://www.2-spyware.com/remove-torpig.html lists several obvious
> processes which should be visible in Task Manager and we cannot see them
> anywhere.
>
> But another site mentioned that this is an MBR virus which loads before
> windoze and will make itself invisible...
>
> So how does one go about finding it?

My preferred technique is to boot the windows machine from a linux livecd,
mount the windows disk, and then scan it using clam.

http://www.sysresccd.org/

I guess you could also use a windows command line based scanner in a dos
command line emulator. I think that may be what avira does, although I've
never tried it:

http://www.avira.com/en/support-down...-rescue-system

avira may be more integrated, as I said I've never tried it.

> Our WIFI is secure (WPA/PSK) but we have one WEP-64 access point (for a
> specific purpose) and maybe somebody hacked it and is using it with an
> infected machine?


That's a possibility.

Do Zen require you to do anything, or is the report from them purely
informational? Presumably they're not complaining that they're seeing
evidence of your ip being used maliciously as part of a botnet, a phishing
host site, or to deliver malicious software from a web server?

Rgds

Denis McMahon
  #3  
Old August 20th 11, 05:31 PM posted to uk.telecom.broadband
Count de Monet

On 20/08/2011 09:05, Peter wrote:
> I just got an email from my ISP (ZEN) reporting that something on my
> (fixed) IP is infected.
>
> Their report, on which they have no additional detail, came from an
> un-named 3rd party.
>
> I have scanned every machine we have with several programs
> (Malwarebytes, TDSSkiller, etc)
> http://support.kaspersky.com/faq/?qid=208280684
> and nothing has been found.
>
> This site
> http://www.2-spyware.com/remove-torpig.html
> lists several obvious processes which should be visible in Task
> Manager and we cannot see them anywhere.
>
> But another site mentioned that this is an MBR virus which loads
> before windoze and will make itself invisible...
>
> So how does one go about finding it?
>
> Our WIFI is secure (WPA/PSK) but we have one WEP-64 access point (for
> a specific purpose) and maybe somebody hacked it and is using it with
> an infected machine?


You could try this:

MS System Sweeper

http://connect.microsoft.com/systemsweeper
  #4  
Old August 20th 11, 05:42 PM posted to uk.telecom.broadband
Peter


Denis McMahon wrote

> On Sat, 20 Aug 2011 09:05:34 +0100, Peter wrote:
>
>> I just got an email from my ISP (ZEN) reporting that something on my
>> (fixed) IP is infected.
>>
>> Their report, on which they have no additional detail, came from an
>> un-named 3rd party.
>>
>> I have scanned every machine we have with several programs
>> (Malwarebytes, TDSSkiller, etc)
>> http://support.kaspersky.com/faq/?qid=208280684 and nothing has been
>> found.
>>
>> This site
>> http://www.2-spyware.com/remove-torpig.html lists several obvious
>> processes which should be visible in Task Manager and we cannot see them
>> anywhere.
>>
>> But another site mentioned that this is an MBR virus which loads before
>> windoze and will make itself invisible...
>>
>> So how does one go about finding it?
>
> My preferred technique is to boot the windows machine from a linux livecd,
> mount the windows disk, and then scan it using clam.
>
> http://www.sysresccd.org/

I've made a bootable CD, but can't find anywhere with a version of
Clam which can simply be copied to a CD. And if I did copy it to a CD,
how would I run it? My expertise is windoze, dos, cp/m, assembler, C.
Command line no problem. But not unix.

> I guess you could also use a windows command line based scanner in a dos
> command line emulator. I think that may be what avira does, although I've
> never tried it:
>
> http://www.avira.com/en/support-down...-rescue-system
>
> avira may be more integrated, as I said I've never tried it.
>
>> Our WIFI is secure (WPA/PSK) but we have one WEP-64 access point (for a
>> specific purpose) and maybe somebody hacked it and is using it with an
>> infected machine?
>
> That's a possibility.
>
> Do Zen require you to do anything, or is the report from them purely
> informational? Presumably they're not complaining that they're seeing
> evidence of your ip being used maliciously as part of a botnet, a phishing
> host site, or to deliver malicious software from a web server?


They are not threatening to cut the line off.
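
The offline check discussed above (boot a live CD, then look at the disk without Windows running), as an added example that is not part of any post in this thread. The device names `/dev/sda` and `/dev/sda1`, the mount point, and the presence of `clamscan` and `ntfs-3g` on the live CD are assumptions; the functions inspect a dumped copy of the boot sector, so they can be tried on the constructed sample first.

```shell
#!/bin/sh
# Run from the live CD shell, never from the suspect Windows install.
# On the real machine (device names are assumptions; confirm with `fdisk -l`):
#   dd if=/dev/sda of=/tmp/mbr.bin bs=512 count=1   # raw copy of sector 0
#   mkdir -p /mnt/win && ntfs-3g -o ro /dev/sda1 /mnt/win
#   clamscan -r -i /mnt/win                         # -i: list infected files only

# Print COUNT bytes of FILE starting at OFFSET as lowercase hex.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# A dumped MBR is one 512-byte sector that ends in the bytes 55 aa.
mbr_signature_ok() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 512 ] && [ "$(hex_at "$1" 510 2)" = "55aa" ]
}

# SHA-256 of the 440-byte boot-code area only, so the per-disk signature
# (offset 440) and the partition table (offset 446) do not affect it.
mbr_bootcode_hash() {
    dd if="$1" bs=1 count=440 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Partition slots (1-4) whose status byte is 0x80 (bootable).
mbr_active_slots() {
    out=""
    for i in 0 1 2 3; do
        if [ "$(hex_at "$1" $((446 + 16 * i)) 1)" = "80" ]; then out="$out$((i + 1)) "; fi
    done
    printf '%s' "${out% }"
}

# Compare the boot code of a suspect dump with one from a known-clean PC
# running the same Windows version: prints "match" or "DIFFERENT".
mbr_compare() {
    if [ "$(mbr_bootcode_hash "$1")" = "$(mbr_bootcode_hash "$2")" ]
    then echo match; else echo DIFFERENT; fi
}

# Constructed sample sector (not a real disk): zeroed boot code,
# slot 1 marked bootable, valid 55 aa trailer.
make_sample_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf '\200' | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}
```

A mismatch is a lead to investigate rather than a verdict, since boot managers and different Windows versions legitimately write different boot code.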
  #5  
Old August 20th 11, 05:43 PM posted to uk.telecom.broadband
Peter


Count de Monet wrote

> You could try this:
>
> MS System Sweeper
>
> http://connect.microsoft.com/systemsweeper


Great; doing that too.
  #6  
Old August 20th 11, 10:08 PM posted to uk.telecom.broadband
Peter


Peter wrote

> Count de Monet wrote
>
>> You could try this:
>>
>> MS System Sweeper
>>
>> http://connect.microsoft.com/systemsweeper
>
> Great; doing that too.


RIGHT we have a result.

The M$ tool found Sinowal (a.k.a. Torpig) on my son's computer. Hey,
there's a surprise. Another son of mine had 13 trojans on his laptop
once.

No other tool found this thing... Latest Kaspersky sees nothing.
Malwarebytes sees nothing.

I have scanned our other PCs but none of them have the infection -
except one on which the M$ scanner cannot be started. A google on the
error message brings up the usual threads of the same issue but no
explanation... Luckily that PC is dual boot: winXP and win2000, so
booting it into win2000 (that partition is very rarely used) and
running some AV software on *both* logical drives ought to find it.
  #7  
Old August 20th 11, 10:24 PM posted to uk.telecom.broadband
Andy Burns

Peter wrote:

> Count de wrote
>
>> http://connect.microsoft.com/systemsweeper
>
> The M$ tool found Sinowal (a.k.a. Torpig) on my son's computer.
> No other tool found this thing...


Suggests a rootkit may be hiding what is *really* going on on his PC,
you'd have hoped the sweeper would have found that too though.


  #8  
Old August 20th 11, 10:37 PM posted to uk.telecom.broadband
Peter Crosland

"Peter" wrote in message
...

> Peter wrote
>
>> Count de Monet wrote
>>
>>> You could try this:
>>>
>>> MS System Sweeper
>>>
>>> http://connect.microsoft.com/systemsweeper
>>
>> Great; doing that too.
>
> RIGHT we have a result.
>
> The M$ tool found Sinowal (a.k.a. Torpig) on my son's computer. Hey,
> there's a surprise. Another son of mine had 13 trojans on his laptop
> once.
>
> No other tool found this thing... Latest Kaspersky sees nothing.
> Malwarebytes sees nothing.
>
> I have scanned our other PCs but none of them have the infection -
> except one on which the M$ scanner cannot be started. A google on the
> error message brings up the usual threads of the same issue but no
> explanation... Luckily that PC is dual boot: winXP and win2000, so
> booting it into win2000 (that partition is very rarely used) and
> running some AV software on *both* logical drives ought to find it.


Some useful tools here

http://www.pchell.com/support/rootkitremovaltools.shtml


Peter Crosland


  #9  
Old August 20th 11, 11:49 PM posted to uk.telecom.broadband
Nick Leverton

In article ,
Andy Burns wrote:
> Peter wrote:
>
>> Count de wrote
>>
>>> http://connect.microsoft.com/systemsweeper
>>
>> The M$ tool found Sinowal (a.k.a. Torpig) on my son's computer.
>> No other tool found this thing...
>
> Suggests a rootkit may be hiding what is *really* going on on his PC,
> you'd have hoped the sweeper would have found that too though.


Torpig is usually perpetrated via a rootkit, so you really need to boot
from a clean boot disk to find it. Rootkits can hide themselves through
virtualisation otherwise.

Nick
--
Serendipity: http://www.leverton.org/blosxom (last update 29th March 2010)
"The Internet, a sort of ersatz counterfeit of real life"
-- Janet Street-Porter, BBC2, 19th March 1996
  #10  
Old August 21st 11, 07:26 AM posted to uk.telecom.broadband
Peter


"Peter Crosland" wrote

"Peter" wrote in message
.. .

>> Peter wrote
>>
>>> Count de Monet wrote
>>>
>>>> You could try this:
>>>>
>>>> MS System Sweeper
>>>>
>>>> http://connect.microsoft.com/systemsweeper
>>>
>>> Great; doing that too.
>>
>> RIGHT we have a result.
>>
>> The M$ tool found Sinowal (a.k.a. Torpig) on my son's computer. Hey,
>> there's a surprise. Another son of mine had 13 trojans on his laptop
>> once.
>>
>> No other tool found this thing... Latest Kaspersky sees nothing.
>> Malwarebytes sees nothing.
>>
>> I have scanned our other PCs but none of them have the infection -
>> except one on which the M$ scanner cannot be started. A google on the
>> error message brings up the usual threads of the same issue but no
>> explanation... Luckily that PC is dual boot: winXP and win2000, so
>> booting it into win2000 (that partition is very rarely used) and
>> running some AV software on *both* logical drives ought to find it.
>
> Some useful tools here
>
> http://www.pchell.com/support/rootkitremovaltools.shtml


Many thanks.

I have done a few more scans and so far everything is clean - except
my son's PC which had one, and has now gone back to the ex-wife's
house.

I suppose it is in my interest that her bank account doesn't get
emptied, since it is *me* who is topping it off every month.
 



