IO540
21st Aug 2011, 10:10
I just got an email from my ISP (ZEN) reporting that something on my (fixed) IP is infected.
Their report, on which they have no additional detail, came from an un-named 3rd party.
I have scanned every machine we have with several programs (Malwarebytes, TDSSKiller, etc.)
How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)? (http://support.kaspersky.com/faq/?qid=208280684)
and nothing has been found.
This site
Remove Torpig, removal instructions (http://www.2-spyware.com/remove-torpig.html)
lists several obvious processes which should be visible in Task Manager and we cannot see them anywhere.
It turns out that Torpig has changed over the last few years and now leaves no trace of itself. It hooks up into Task Manager so when you look at running processes you don't see Torpig... previous versions showed processes like country.exe, and several like ibm00001.exe.
But another site mentioned that this is an MBR virus which loads before windoze and will make itself invisible...
So how does one go about finding it?
Our WIFI is secure (WPA/PSK) but we have one WEP-64 access point (for a specific purpose) and maybe somebody hacked it and is using it with an infected machine?
Then somebody suggested this: Microsoft Standalone System Sweeper Beta | Microsoft Connect (http://connect.microsoft.com/systemsweeper)
The M$ tool found Sinowal (a.k.a. Torpig) on my son's computer. Hey, there's a surprise ;) Another son of mine had 13 trojans on his laptop once. That computer normally lives at my ex-wife's house, and she has wide open WIFI (no security). I had it at my house only because his brother more or less trashed it. Also kids tend to be totally reckless in what they click on. But that PC has always had the latest Kaspersky AV software on it.
No other tool found this thing... Latest Kaspersky sees nothing. Malwarebytes sees nothing. Only a boot CD with Systemsweeper, booting off that CD, found it.
I have known for a long time that AV software can be useless in protecting against clever viruses, but this is a first. Sinowal is the nasty botnet one which keylogs, and every 20 mins goes online and uploads the stuff to the controller, whose team then raids any bank accounts, etc.
On that PC, the only clue was that the Kaspersky software was occasionally doing strange things, and the whole machine sometimes ran quite slowly.
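A defender's check that follows from the "loads before Windows" point in the post: since an MBR bootkit can hook what the running OS reports, read the first sector offline (from a boot CD or a disk image) and compare its boot code against a baseline recorded from a clean system. This is an added example, not code from the post or from any of the tools it mentions; the two MBR samples are constructed in the script, and the baseline hash is assumed to have been captured earlier.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446    # bytes 0..445 hold the boot code a bootkit would replace
PART_TABLE_OFF = 446   # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510    # the 0x55AA boot signature closes the sector


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot-code hash, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
        boot_flag, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": boot_flag == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa",
    }


def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return findings that warrant an offline look; an empty list means the MBR matches."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from known-good baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


# Constructed sample: a clean MBR with NOP filler as boot code and one active NTFS-type partition.
_entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
CLEAN_MBR = bytes([0x90] * BOOT_CODE_LEN) + _entry + bytes(48) + b"\x55\xaa"
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # assumed recorded on a clean system
# Constructed sample: same partition table and signature, but the boot code no longer matches.
MODIFIED_MBR = b"\xeb\x58" + CLEAN_MBR[2:]

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("modified", MODIFIED_MBR)):
        print(name, check_mbr(mbr, BASELINE_HASH) or "OK")
```

On a real system the sector would come from reading the raw disk device while booted from clean media, which is exactly the step that let the boot CD in the post see what the running OS could not.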