Spybot has told me I have Tibs and Torpig spyware but seems unable to remove it. I have run ComboFix and this is my log: Anybody any ideas?

User1 - 06-11-07 23:44:03.32 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\User1\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\secure32.html

((((((((((((((((((((((((((((((( Files Created from 2006-10-07 to 2006-11-07 ))))))))))))))))))))))))))))))))))

2006-11-07 23:22 776,096 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-07 23:22 27,776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-21 05:40 53,760 --a------ C:\DRTCP.exe
2006-10-21 05:25 7,936 --a------ C:\WINDOWS\system32\drivers\gtptser.sys
2006-10-21 05:25 67,840 --a------ C:\WINDOWS\system32\drivers\NWADIEnum.sys
2006-10-21 05:25 32,000 --a------ C:\WINDOWS\system32\drivers\gtf32bus.sys
2006-10-21 05:25 280,576 --a------ C:\WINDOWS\system32\drivers\Mrvw123.sys
2006-10-21 05:25 280,448 --a------ C:\WINDOWS\system32\drivers\Mrvw125.sys
2006-10-21 05:25 269,056 --a------ C:\WINDOWS\system32\drivers\NWVNdis.sys
2006-10-21 05:25 18,944 --a------ C:\WINDOWS\system32\drivers\gtscser.sys
2006-10-21 05:24 92,416 --a------ C:\WINDOWS\system32\drivers\cfvn4c51.sys
2006-10-21 05:24 77,056 --a------ C:\WINDOWS\system32\drivers\nwusbmdm.sys
2006-10-21 05:24 65,152 --a------ C:\WINDOWS\system32\drivers\ewusbser.sys
2006-10-21 05:24 65,152 --a------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
2006-10-21 05:24 65,152 --a------ C:\WINDOWS\system32\drivers\ewusbapp.sys
2006-10-21 05:24 53,248 --a------ C:\WINDOWS\system32\drivers\GCXXnet.sys
2006-10-21 05:24 52,864 --a------ C:\WINDOWS\system32\drivers\GTEDGNet.sys
2006-10-21 05:24 40,064 --a------ C:\WINDOWS\system32\drivers\apusbsnt.sys
2006-10-21 05:24 4,480 --a------ C:\WINDOWS\system32\drivers\g3grpm.sys
2006-10-21 05:24 4,352 --a------ C:\WINDOWS\system32\drivers\g3gcpm.sys
2006-10-21 05:24 368,896 --a------ C:\WINDOWS\system32\drivers\SEMWL5.sys
2006-10-21 05:24 311,936 --a------ C:\WINDOWS\system32\drivers\mrv8k51.sys
2006-10-21 05:24 311,936 --a------ C:\WINDOWS\system32\drivers\mrv8k50.sys
2006-10-21 05:24 28,416 --a------ C:\WINDOWS\system32\drivers\g3grumdm.sys
2006-10-21 05:24 266,496 --a------ C:\WINDOWS\system32\drivers\gtwl5.sys
2006-10-21 05:24 25,856 --a------ C:\WINDOWS\system32\drivers\g3gcumdm.sys
2006-10-21 05:24 241,664 --a------ C:\WINDOWS\NwtGatewayDLL.dll
2006-10-21 05:24 24,576 --a------ C:\WINDOWS\system32\drivers\g3gruser.sys
2006-10-21 05:24 22,656 --a------ C:\WINDOWS\system32\drivers\g3gcuser.sys
2006-10-21 05:24 21,888 --a------ C:\WINDOWS\system32\drivers\GTEDGSC.sys
2006-10-21 05:24 21,888 --a------ C:\WINDOWS\system32\drivers\GCXXSC.sys
2006-10-21 05:24 200,704 --a------ C:\WINDOWS\loader.dll
2006-10-21 05:24 20,736 --a------ C:\WINDOWS\system32\drivers\swivspnt.sys
2006-10-21 05:24 19,328 --a------ C:\WINDOWS\system32\drivers\g3grsc.sys
2006-10-21 05:24 114,944 --a------ C:\WINDOWS\system32\drivers\GCXX.sys
2006-10-21 05:24 107,904 --a------ C:\WINDOWS\system32\drivers\GTEDG.sys
2006-10-21 05:24 10,752 --a------ C:\WINDOWS\system32\drivers\apusbdco.dll
2006-10-21 05:24 10,752 --a------ C:\WINDOWS\system32\apusbdco.dll
2006-10-21 05:23 9,600 --a------ C:\WINDOWS\system32\drivers\WCMLibXP.sys
2006-10-21 05:23 71,552 --a------ C:\WINDOWS\system32\drivers\WCMBusXP.sys
2006-10-21 05:23 55,808 --a------ C:\WINDOWS\system32\drivers\WCMVmdXP.sys
2006-10-21 05:23 51,328 --a------ C:\WINDOWS\system32\drivers\uart0.sys
2006-10-21 05:23 21,120 --a------ C:\WINDOWS\system32\drivers\WCMscXP.sys
2006-10-15 07:41 37,887 --a------ C:\WINDOWS\system32\drivers\LHidUsb.sys
2006-10-15 07:41 14,095 --a------ C:\WINDOWS\system32\drivers\LCcfltr.sys
2006-10-15 07:41 12,953 --------- C:\WINDOWS\system32\drivers\itchfltr.sys
2006-10-15 07:40 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-10-15 07:40 54,784 --a------ C:\WINDOWS\system32\MSVCI70.DLL
2006-10-15 07:40 36,224 --a------ C:\WINDOWS\system32\drivers\hidclass.sys
2006-10-15 07:40 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-10-15 07:40 24,960 --a------ C:\WINDOWS\system32\drivers\hidparse.sys
2006-10-15 07:40 24,576 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
2006-10-15 07:40 20,992 --a------ C:\WINDOWS\system32\hid.dll
2006-10-15 07:40 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2006-10-15 06:58 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-10-15 06:20 9,952 --------- C:\WINDOWS\system32\drivers\LKBDHLPR.SYS
2006-10-15 06:03 13,105 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.sys

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-07 22:54 -------- d-------- C:\Program Files\Mgutil
2006-10-31 23:23 -------- d-------- C:\Documents and Settings\User1\Application Data\Ahead
2006-10-21 05:23 -------- d-------- C:\Documents and Settings\User1\Application Data\ICS
2006-10-21 05:22 -------- d-------- C:\Program Files\Diginext
2006-10-21 05:22 -------- d-------- C:\Program Files\Common Files\Funk Software
2006-10-21 05:22 -------- d-------- C:\Program Files\Common Files
2006-10-15 07:40 -------- d-------- C:\Program Files\Common Files\Logitech
2006-10-15 06:20 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-15 06:20 -------- d-------- C:\Program Files\Logitech
2006-10-14 08:46 -------- d-------- C:\Program Files\Google
2006-10-06 18:09 -------- d-------- C:\Program Files\Cryptainer LE
2006-10-01 07:07 -------- d-------- C:\Documents and Settings\User1\Application Data\Google
2006-09-22 14:56 -------- d-------- C:\Program Files\Broderbund
2006-09-20 08:55 -------- d-------- C:\Program Files\ApexWin
2006-09-13 05:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 15:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 12:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 09:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 11:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"adiras"="adiras.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"PixelInstall"=dword:00000001
"Reboot"=dword:00000001
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://fax.tiscali.co.uk/view_fax.png?fax_id=104e625f01c-1748799f18&page=0&thumb=true"
"SubscribedURL"="http://fax.tiscali.co.uk/view_fax.png?fax_id=104e625f01c-1748799f18&page=0&thumb=true"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,4d,01,00,00,b1,00,00,00,43,00,00,00,5d,00,00,00,e8,\
  03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,6a,02,00,00,e1,00,00,00,43,00,00,00,5d,00,\
  00,00,01,00,00,40
"RestoredStateInfo"=hex:14,6d,12,05,41,c0,b4,74,10,c0,78,03,68,de,12,05,20,6d,\
  12,05,78,cd,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"SaYaNz"="sayanx.exe"
"NTSF MICROSOFT SYSTEM"="explorex32.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Windows 32 Editor"="win32edit.exe"
"SaYaNz"="sayanx.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"SaYaNz"="sayanx.exe"
"NTSF MICROSOFT SYSTEM"="explorex32.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"Windows 32 Editor"="win32edit.exe"
"SaYaNz"="sayanx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NTSF MICROSOFT SYSTEM"="explorex32.exe"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"RealPlayer"="\"C:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
"Tiscali NetPhone"="C:\\Program Files\\Tiscali\\NetPhone\\Tiscali NetPhone.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NTSF MICROSOFT SYSTEM"="explorex32.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"PCSuiteTrayApplication"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\TRAYAP~1.EXE"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"InstantAccess"="C:\\Program Files\\TextBridge Pro Millennium BE\\Bin\\InstantAccess.exe /h"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"RemoteControl"="C:\\Program Files\\Roxio\\Roxio DVDMax Player\\PDVDServ.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DataLayer"="C:\\PROGRA~1\\COMMON~1\\PCSuite\\DATALA~1\\DATALA~1.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"NTSF MICROSOFT SYSTEM"="explorex32.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Ad-Aware SE Personal.job
C:\WINDOWS\tasks\Disk Cleanup.job

Completion time: 06-11-07 23:50:03.15
C:\ComboFix.txt ... 06-11-07 23:50

Torpig is a serious backdoor trojan. Read here for more info on what Torpig can do.

But I don't see Torpig in the ComboFix log. Of course, ComboFix will not get rid of Torpig, but it would show if it was running on startup or new. So please do the following.

Download HijackThis. Create a folder for it somewhere. Extract the file to the new folder. Open HijackThis.exe and click "Do a system scan and save a log file". Please post that log in your next reply.

Run a scan with Spybot. When it finishes, after you click Fix selected problem, right-click inside the window and select Copy results (not full report). Paste them to Notepad and save them. Post the log along with the HijackThis log.
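
The startup check this reply refers to, reading autorun entries out of the ComboFix log, as an added example that is not part of the original thread: it parses the regedit-style "Reg Loading Points" lines and lists autorun values whose executable is named without a directory. Such values are resolved through the search path, so the output is a review list that also contains legitimate entries, not a verdict. The sample is excerpted from the log above; the function names are assumptions of this example.

```python
import re
# Excerpt of the "Reg Loading Points" section of the ComboFix log in this thread.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"adiras"="adiras.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"SaYaNz"="sayanx.exe"
"NTSF MICROSOFT SYSTEM"="explorex32.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Windows 32 Editor"="win32edit.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Last key component: run, runonce, runservices, plus the "-" variants in the log.
AUTORUN_LEAF = re.compile(r'^run(once|services)?-?$', re.IGNORECASE)

def unescape(text):  # regedit export: a backslash protects the next character
    return re.sub(r'\\(.)', r'\1', text)

def executable(command):
    # First token of the command line, honouring a leading quoted path.
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ''

def pathless_autoruns(log_text):
    # Return (key, name, command) for autorun values with no directory in the executable.
    hits, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key and AUTORUN_LEAF.match(key.rsplit('\\', 1)[-1])):
            continue
        name, command = unescape(m.group(1)), unescape(m.group(2))
        exe = executable(command)
        if exe and '\\' not in exe and '/' not in exe:
            hits.append((key, name, command))
    return hits
```

Each entry returned still has to be looked up individually; an entry such as `RunDll32` is reported by the same rule as the unfamiliar names.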