Subtle virus warning... Sinowal/Torpig
Thread Starter

Joined: Jun 2003
Posts: 13,787
Likes: 0
From: EuroGA.org
I just got an email from my ISP (ZEN) reporting that something on my (fixed) IP is infected.
Their report, on which they have no additional detail, came from an un-named 3rd party.
I have scanned every machine we have with several programs (Malwarebytes, TDSSkiller [How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?], etc) and nothing has been found.
This site (Remove Torpig, removal instructions) lists several obvious processes which should be visible in Task Manager and we cannot see them anywhere.
It turns out that Torpig has changed over the last few years and now leaves no trace of itself. It hooks up into Task Manager so when you look at running processes you don't see Torpig... previous versions showed processes like country.exe, and several like ibm00001.exe.
But another site mentioned that this is an MBR virus which loads before windoze and will make itself invisible...
So how does one go about finding it?
Our WIFI is secure (WPA/PSK) but we have one WEP-64 access point (for a specific purpose) and maybe somebody hacked it and is using it with an infected machine?
Then somebody suggested this: Microsoft Standalone System Sweeper Beta | Microsoft Connect
The M$ tool found Sinowal (a.k.a. Torpig) on my son's computer. Hey, there's a surprise.
Another son of mine had 13 trojans on his laptop once. That computer normally lives at my ex-wife's house, and she has wide open WIFI (no security). I had it at my house only because his brother more or less trashed it. Also kids tend to be totally reckless in what they click on. But that PC has always had the latest Kaspersky AV software on it.
No other tool found this thing... Latest Kaspersky sees nothing. Malwarebytes sees nothing. Only a boot CD with Systemsweeper, booting off that CD, found it.
I have known for a long time that AV software can be useless in protecting against clever viruses, but this is a first. Sinowal is the nasty botnet one which keylogs, and every 20 mins goes online and uploads the stuff to the controller, whose team then raids any bank accounts, etc.
On that PC, the only clue was that the Kaspersky software was occasionally doing strange things, and the whole machine sometimes ran quite slowly.
Joined: May 2009
Posts: 1,845
Likes: 21
From: YMML
As you've found, the only way to be reasonably sure a computer is clean is to scan it without the OS running, i.e. using a bootable CD or USB key. Rootkits are designed to hide.
Many anti-virus companies produce them & quite a few are free.

Joined: Jun 2009
Posts: 1,344
Likes: 80
From: Bedford, UK
Thread Starter

Joined: Jun 2003
Posts: 13,787
Likes: 0
From: EuroGA.org
I don't think current Sinowal is easy to detect. If you do a google on it, you find loads of detection and removal instructions but they are all obsolete - a year old or more. They all involve looking for certain files, etc. None of them work.
I agree that running under another O/S is the way to do this...
I did phone Zen; I agree they are a great company (which is why I have been with them for years) but in this case they had nothing to say. They seem to subscribe to some outfit which emails them notifications of dodgy activity versus IP or IP range.

Joined: Jun 2009
Posts: 1,344
Likes: 80
From: Bedford, UK
If you still have the thing, and can access this link, I would be interested to know if it's any use
Free Virus Removal | Norton Power Eraser
Joined: Aug 2002
Posts: 3,663
Likes: 0
From: Earth
So how does one go about finding it?
Our WIFI is secure (WPA/PSK) but we have one WEP-64 access point (for a specific purpose) and maybe somebody hacked it and is using it with an infected machine?
Change your wifi key right now to something random... so then you've eliminated the possibility of a third party.
Then take a look at the network activity on your computers. The fact that your ISP has notified you that they've had abuse complaints means that you have a zombie computer on your network that's being commanded to send out spams, or take part in network scans or attacks. So there will be some network activity going on on the computer that's infected.
Once you've found the computer that's infected, format it and rebuild it.
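Following up the advice in this last post (look for the network activity of the infected machine), here is an added example that is not from the thread or any of its posters: a small Python script that scans a connection log for internal hosts that contact the same external address and port at nearly fixed intervals, the "phone home every 20 minutes" pattern the first post attributes to Sinowal. The log format, host names and addresses are all constructed for the example; a real run would feed it firewall, router or proxy connection records in the same four-field shape (timestamp, source, destination, destination port).

```python
"""Spot periodic outbound 'beaconing' in a connection log.

Added example (not from the thread): given per-connection records with a
timestamp, internal source, external destination and port, find the
(source, destination, port) tuples that connect at suspiciously regular
intervals, which is the pattern a bot that phones home on a fixed schedule
produces. Every log line below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
# "<ISO timestamp> <src> <dst> <dport>"
# 192.168.1.20 talks to 203.0.113.9:443 every ~20 minutes (the suspect);
# 192.168.1.21 browses a couple of sites at irregular times (normal use).
SAMPLE_LOG = """\
2011-06-01T08:00:00 192.168.1.20 203.0.113.9 443
2011-06-01T08:03:11 192.168.1.21 198.51.100.7 80
2011-06-01T08:20:02 192.168.1.20 203.0.113.9 443
2011-06-01T08:31:40 192.168.1.21 198.51.100.7 80
2011-06-01T08:40:01 192.168.1.20 203.0.113.9 443
2011-06-01T08:55:05 192.168.1.21 198.51.100.22 80
2011-06-01T09:00:00 192.168.1.20 203.0.113.9 443
2011-06-01T09:19:58 192.168.1.20 203.0.113.9 443
2011-06-01T09:40:00 192.168.1.20 203.0.113.9 443
2011-06-01T10:12:17 192.168.1.21 198.51.100.7 80
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            port = int(parts[3])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], port


def find_beacons(records, min_hits=4, max_cv=0.1):
    """Return flows whose inter-connection gaps are nearly constant.

    A flow is reported when it has at least `min_hits` connections and the
    coefficient of variation (stdev / mean) of the gaps between them is
    below `max_cv`. The result maps (src, dst, dport) to the mean period in
    whole seconds. Thresholds are illustrative, not tuned for any network.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        flows[(src, dst, port)].append(ts)

    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            beacons[key] = round(avg)
    return beacons


def report(text=SAMPLE_LOG):
    """Parse a log and return the flagged periodic flows."""
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for (src, dst, port), period in report().items():
        print(f"{src} -> {dst}:{port} roughly every {period}s")
```

On the constructed log only the 192.168.1.20 flow is flagged (about every 1200 s); the browsing host has too few, and too irregular, connections to the same place. In practice you would run this over a day or more of logs and then look at the flagged host offline, as the earlier replies suggest, since a rootkit hides from tools running on the infected OS itself.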