Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Help, Infected With Torpig And Can't Remove It.


  • This topic is locked This topic is locked
14 replies to this topic

#1 videoguy

videoguy

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:10:24 AM

Posted 03 April 2007 - 02:41 PM

Spybot has caught the virus but can't seem to remove it.

Logfile of HijackThis v1.99.1
Scan saved at 3:33:27 PM, on 4/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAcc-essManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thank you!

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:24 PM

Posted 07 April 2007 - 08:17 AM

Hello,

Please let me know where Spybot finds Torpig. What file, in what folder etc...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 videoguy

videoguy
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:10:24 AM

Posted 07 April 2007 - 03:47 PM

Thanks for the help!

The Torpig file is located in:
Temporary file
C:\WINDOWS\Temp\$_2341233.TMP
&
Temporary file
C:\WINDOWS\Temp\$_2341233.TMP

Is this thing a keylogger? I've already cancelled my credit card because of this. Thanks again!

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:24 PM

Posted 07 April 2007 - 03:56 PM

You posted two times the same file?

They are leftovers from the Torpig. Actually a non malicious textfile containing the data that was stolen from your computer.

Just delete those manually.

If you can't find them, Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


The main infection should be gone though, because otherwise it should display in your HijackThislog.

Just check if next files still exist and delete them (they are also hidden, so you may want to reveal hidden files and folders):

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm0000*.exe (* stand for a random number)

and

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm0000*.dll (* stands for a random number)

Normally all scanners should be able to detect and delete it though.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:24 PM

Posted 07 April 2007 - 03:59 PM

Extra addition, Please also change all your passwords.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 videoguy

videoguy
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:10:24 AM

Posted 07 April 2007 - 04:17 PM

You posted two times the same file?


Sorry I meant to type:

C:\WINDOWS\Temp\$_2341233.TMP
&
Temporary file
C:\WINDOWS\Temp\$_2341234.TMP


They are leftovers from the Torpig. Actually a non malicious textfile containing the data that was stolen from your computer.

Just delete those manually.

If you can't find them, Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.


Okay, I've done this.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


The main infection should be gone though, because otherwise it should display in your HijackThislog.

Just check if next files still exist and delete them (they are also hidden, so you may want to reveal hidden files and folders):

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm0000*.exe (* stand for a random number)

and

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm0000*.dll (* stands for a random number)

Normally all scanners should be able to detect and delete it though.

ibm0000.exe was not there.
ibm0000.dll can't be deleted for some reason. The Torpig virus is still there when I do the scan with Spybot unfortunately.

Extra addition, Please also change all your passwords.


I guess I better do this after I get rid of the Torpig stuff though right?

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:24 PM

Posted 07 April 2007 - 04:21 PM

Ok, so what is the exact filename present in the C:\Program Files\Common Files\Microsoft Shared\Web Folders - folder? Because it has a random number in it.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 videoguy

videoguy
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:10:24 AM

Posted 07 April 2007 - 04:27 PM

Ok, so what is the exact filename present in the C:\Program Files\Common Files\Microsoft Shared\Web Folders - folder? Because it has a random number in it.


Thanks again.

It is:

ibm00001.dll & ibm00002.dll

I can't delete either one. It gives me a message that access is denied and that I should check to see if the file is currently in use when I try to delete either one. And there is no ibm0000*.exe file here.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:24 PM

Posted 07 April 2007 - 04:30 PM

Ok, do next please..

* Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Where it says: "Paste List of Files/Folders to be Moved", copy and paste next bold part into that Window:

    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
    C:\WINDOWS\Temp\$_2341233.TMP
    C:\WINDOWS\Temp\$_2341234.TMP



  • Then click the red Moveit! button below.
  • This will display the results in the right windows where it says "Results" on top
  • Copy and paste everything present in the Results window (right window) and save these results in notepad and save it on your desktop, because I need to see those results afterwards.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 videoguy

videoguy
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:10:24 AM

Posted 07 April 2007 - 04:31 PM

Ok, do next please..

* Please download the OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Where it says: "Paste List of Files/Folders to be Moved", copy and paste next bold part into that Window:

    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
    C:\WINDOWS\Temp\$_2341233.TMP
    C:\WINDOWS\Temp\$_2341234.TMP



  • Then click the red Moveit! button below.
  • This will display the results in the right windows where it says "Results" on top
  • Copy and paste everything present in the Results window (right window) and save these results in notepad and save it on your desktop, because I need to see those results afterwards.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Great, I'll try this right now. Thanks!

#11 videoguy

videoguy
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:10:24 AM

Posted 07 April 2007 - 04:34 PM

This was the results:

DllUnregisterServer procedure not found in C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll NOT unregistered.
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll NOT unregistered.
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll moved successfully.
File move failed. C:\WINDOWS\Temp\$_2341233.TMP scheduled to be moved on reboot.
File move failed. C:\WINDOWS\Temp\$_2341234.TMP scheduled to be moved on reboot.

Created on 04/07/2007 17:34:47

I'm going to reboot my computer now as per OTmoveIt's instructions.

#12 videoguy

videoguy
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:10:24 AM

Posted 07 April 2007 - 04:37 PM

Done.

Should I try scanning with Spybot now?

#13 videoguy

videoguy
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:10:24 AM

Posted 07 April 2007 - 04:48 PM

The Torpig is gone. Thanks.

So was the Torpig ever on my system for a long time? Did Spybot get rid of most of it the first time? How did this thing get on my system in the 1st place?

Thanks again, this site is awesome.

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:24 PM

Posted 07 April 2007 - 05:04 PM

Hi,

Yes, I am afraid that it was indeed already a long time on your computer, since this was an older variant.
Did your AVG Antivirus never flag it? This is strange though, because it should flag and delete it.

In 90% of the cases, this one is getting installed via questionable websites, so always be careful where you surf.

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:24 PM

Posted 09 April 2007 - 07:47 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users