RichKorea
2007-07-04, 04:12
Like several others, when I recently ran Spybot, I found that I had the Torpig trojan. Spybot was highlighting two files, $_2341233.TMP and $_2341234.TMP as the problem files ($_2341233.tmp had a record of all of the keystrokes that I had entered into Internet Explorer). When Spybot was unable to delete the files, I turned to the forum postings to see if anyone had found a solution. I went through the responses from the security experts (Shaba, shelf life, md usa spybot fan, and pskelley), and went through the process of checking my system with HijackThis.exe and VundoFix.exe. I also used the HijackThis delete-on-boot function to remove the two identified files. Spybot reported that Torpig was still present.
I tried the Microsoft Protection Center (http://onecare.live.com/site/en-US/center/howsafe.htm), which did find a number of issues, including problems in the system-volume-information on both the hard drive in my laptop as well as an external USB hard drive. After the scan completed and the found problems were fixed, I reran Spybot, which still reported the Torpig trojan.
I did some more searching on the internet and found the ScanSpyware site, which had a lot of information regarding the Torpig trojan, including a warning about files named ibm0000*.dll and ibm0000*.exe. I did a search on my hard drive and found two dll files (ibm00001.dll and ibm00002.dll) in the Program Files\Common Files\Microsoft Shared\Web Folders. I did not find an ibm0000*.exe file, so I did a search on my hard drive for any file with a creation date the same as the two dll files and I found a file, mhd.exe with the same creation date and time as the two dll files. I quarantined the three files and ran Spybot, which reported back a clean bill of health.
What I’m not sure of is what was calling the mhd.exe file. I checked the reg file I had saved prior to running the Microsoft scan as well as a HijackThis log file, but neither file had a reference to mhd.exe. I’m wondering if there’s another file lying dormant on my hard drive that will reinstall the trojan when I’m not looking.
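The creation-time pivot described in the post (searching for any file stamped at the same moment as the two ibm0000*.dll files), as an added example that is not part of the original post. The function names, the two-second window and the sample tree are assumptions made for illustration; the demo uses modification times on a constructed temporary tree so it runs on any OS, while the default getter reads creation time on Windows.

```python
import fnmatch
import os
import tempfile

def creation_time(st):
    # Windows: st_birthtime (Python 3.12+) or st_ctime holds the creation time.
    # Linux: st_ctime is inode-change time, so pass a different getter there.
    return getattr(st, "st_birthtime", st.st_ctime)

def find_time_neighbors(root, seed_pattern, window_seconds=2.0, stamp=creation_time):
    """Return (seeds, neighbors): files whose name matches seed_pattern, and
    other files under root stamped within window_seconds of any seed."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                entries.append((path, name, stamp(os.stat(path, follow_symlinks=False))))
            except OSError:
                continue  # locked or vanished file: skip it, keep scanning
    seeds = [(p, t) for p, n, t in entries
             if fnmatch.fnmatch(n.lower(), seed_pattern.lower())]
    seed_paths = {p for p, _ in seeds}
    neighbors = sorted(
        p for p, _n, t in entries
        if p not in seed_paths and any(abs(t - s) <= window_seconds for _, s in seeds)
    )
    return sorted(seed_paths), neighbors

def demo():
    # Constructed sample tree: file names come from the post, while the
    # directories and timestamps are made up for the demonstration.
    with tempfile.TemporaryDirectory() as root:
        drop_time = 1_180_000_000
        layout = {
            "Web Folders/ibm00001.dll": drop_time,
            "Web Folders/ibm00002.dll": drop_time,
            "other/mhd.exe": drop_time + 1,
            "other/notepad.exe": drop_time - 86_400,
        }
        for rel, ts in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
            os.utime(path, (ts, ts))  # set access and modification time
        seeds, hits = find_time_neighbors(root, "ibm0000*.dll",
                                          stamp=lambda st: st.st_mtime)
        return [os.path.basename(p) for p in seeds], [os.path.basename(p) for p in hits]

if __name__ == "__main__":
    print(demo())
```

Timestamps can be altered by malware, so an empty neighbor list does not show that nothing else was dropped.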