Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Possible Torpig infection on small LAN

  • Please log in to reply
1 reply to this topic

#1 keithm2576


  • Members
  • 2 posts
  • Local time:03:33 AM

Posted 12 August 2013 - 12:30 AM


This is my first post on the forums. I run a small IT support co for small businesses and have a problem with one of my larger clients.


In the last month his static IP has been blacklisted by CBL 3 times for supposedly having the Torpig virus on a machine (see below). He runs a Windows server but does not run an email server, his email is hosted offsite by his ISP. He only has 5 workstations on the LAN.


This IP is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.

This was detected by observing this IP attempting to make contact to a Torpig Command and Control server at 'x.x.x.x' (may be missing) on IP address 80, with contents unique to TorpigC&C command protocols.


The first time this happened I did as they suggested and ran TPSSKiller on all machines. I also ran Gmer and tried to use TPView all of which came up clean. In the last two instances I ran other scan tools and came up empty. However, this is all completely out of my experience, knowledge and skill set and I need help.


I understand enough about trojans and rootkits to be able to run scans and fix infected machines. however, this time around I am unable to detect any infection so obviously can't remove it! I guess my question is what steps should/could I take to ensure every machine is infection free? 


I have downloaded and installed TDSSkiller, Gmer, Spybot, Sophos virus removal tool, Hijackthis, TCPView and even Wireshark (although I really don't know how to use the lat two).


Other than calling in an expert (where the hell would I find one anyway) what can I do?

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:11:33 AM

Posted 12 August 2013 - 08:11 PM

Hello, what we really need is DDS log. You will have to repost in a new topic.


Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users