Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Torpig infection on small LAN


  • Please log in to reply
1 reply to this topic

#1 keithm2576

keithm2576

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:20 PM

Posted 12 August 2013 - 12:30 AM

Hi

This is my first post on the forums. I run a small IT support co for small businesses and have a problem with one of my larger clients.

 

In the last month his static IP has been blacklisted by CBL 3 times for supposedly having the Torpig virus on a machine (see below). He runs a Windows server but does not run an email server, his email is hosted offsite by his ISP. He only has 5 workstations on the LAN.

 

This IP is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.

This was detected by observing this IP attempting to make contact to a Torpig Command and Control server at 'x.x.x.x' (may be missing) on IP address 80, with contents unique to TorpigC&C command protocols.

 

The first time this happened I did as they suggested and ran TPSSKiller on all machines. I also ran Gmer and tried to use TPView all of which came up clean. In the last two instances I ran other scan tools and came up empty. However, this is all completely out of my experience, knowledge and skill set and I need help.

 

I understand enough about trojans and rootkits to be able to run scans and fix infected machines. however, this time around I am unable to detect any infection so obviously can't remove it! I guess my question is what steps should/could I take to ensure every machine is infection free? 

 

I have downloaded and installed TDSSkiller, Gmer, Spybot, Sophos virus removal tool, Hijackthis, TCPView and even Wireshark (although I really don't know how to use the lat two).

 

Other than calling in an expert (where the hell would I find one anyway) what can I do?



BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:20 AM

Posted 12 August 2013 - 08:11 PM

Hello, what we really need is DDS log. You will have to repost in a new topic.

 

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.


How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users