
Torpig infection



Zillah77
2007-07-11, 08:47
Hello,

I read your 'you must read this' post before posting. I was confused because it both says you should create a log and then says you shouldn't if you want one on one help... since I am very unknowledgeable when it comes to computers, I thought I would at least try to post a thread, even if I don't do it right, perhaps someone could explain to me the correct way to do it as if I was oh... 8 years old or something :red:

Anyway... I have done a Spybot check today and it came up with Torpig, which it couldn't remove. I did an online scan (Kaspersky?) but I don't think it was included in that. The files are indeed still on my computer ibm00001.dll and ibm0002.dll. The date they were created was yesterday, so I am sure they came from a suspicious file I opened yesterday (yes I know, I'm an idiot).

I am especially nervous because I know that Torpig collects banking details. I live in New Zealand so I'm not certain if this is a problem for me or not. I only have free anti-virus protection (AVG) which doesn't detect Torpig (I cannot afford to buy any- struggling single parent blah blah blah).

Please be patient with me as I know very little about computers- but I am a fast learner and follow instructions well (when I understand them :red:). If someone could help me with this I would be incredibly grateful and would consider offering up my next born child.

Kind Regards,

Zillah77

shelf life
2007-07-11, 14:04
hi Zillah77,

i would use the computer as little as possible until cleaned up. if you have cable broadband turn your modem off when not in use. don't do anything online that requires a password and sensitive information.

do this first, get the hjt log last:

F-secure scan:
http://support.f-secure.com/enu/home/ols.shtml

click on the "start scanning button"
click to accept/install the ActiveX applet, click Full System Scan
Once the download completes (may take a while), the scan will begin automatically.
The scan will take some time to finish.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and Copy&Paste the entire report in your next reply along with a current HijackThis log.
-------------------------------
next:

Please download ComboFix (by sUBs) from one of the following links:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running.
It may cause it to stall.

When finished, it produces a log.

Please provide the contents of the ComboFix log in your reply.
-----------------------------
last: the hjt log:

HiJackThis log - Merijn's HijackThis v1.99.1

Direct executable:
http://www.merijn.org/files/HijackThis.exe

Zip file:
http://www.downloads.subratam.org/hijackthis.zip

click the hjt icon to start, click on do a system scan and save a log file
* When the scan is finished, the "Scan" button will change into a "Save Log" button.
* Click that, save the log somewhere, and copy/paste back here in your reply. you can post these:

a) the f-secure report, the combofix log and last the saved hjt log.

shelf life

Zillah77
2007-07-11, 14:41
The first step I tried- the f-secure scan- keeps failing, telling me to close the browser and restart. I've done this several times with the same result :sad:

shelf life
2007-07-11, 16:54
hi Zillah77,

ok forget the online scan. get and run combofix, then hjt. post the comboFix and hjt logs.

shelf life

Zillah77
2007-07-12, 01:04
Thank you very much.

Here are the ComboFix and HJT logs.

"stacey1" - 07/12/2007 10:48:27 - ComboFix 07-07-10.1 - Service Pack 3


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\microsoft shared\web folders\ibm00001.dll
C:\Program Files\Common Files\microsoft shared\web folders\ibm00002.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_LDRSVC
-------\LEGACY_NTMLSVC
-------\NtmlSvc


((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))


2007-07-12 10:47 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-11 21:29 <DIR> d-------- C:\DOCUME~1\stacey1\.housecall6.6
2007-07-11 16:43 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2007-07-11 13:42 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-07-02 18:03 8,464 --a------ C:\WINNT\system32\kbdkor.dll
2007-07-02 18:03 6,928 --a------ C:\WINNT\system32\kbd101c.dll
2007-07-02 18:03 6,416 --a------ C:\WINNT\system32\kbd103.dll
2007-07-02 18:03 6,416 --a------ C:\WINNT\system32\kbd101b.dll
2007-06-30 18:01 <DIR> d-------- C:\DOCUME~1\stacey1\APPLIC~1\Wildfire
2007-06-28 09:23 4,366,442 --a------ C:\WINNT\system32\DorasTripScreenSaver.scr
2007-06-28 09:23 <DIR> d-------- C:\Program Files\Dora's First Trip ScreenSaver
2007-06-28 09:23 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-06-28 09:17 606,848 --a------ C:\WINNT\flashax.exe
2007-06-28 09:17 503,808 --a------ C:\WINNT\hi-5.scr
2007-06-28 09:17 12,288 --a------ C:\WINNT\impborl.dll
2007-06-28 09:17 <DIR> d-------- C:\WINNT\hi-5 dir


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-10 03:35:53 1,956 ----a-w C:\WINNT\system32\d3d8caps.dat
2007-07-10 02:17:22 -------- d-----w C:\Program Files\GameHouse
2007-06-30 05:04:15 -------- d-----w C:\Program Files\PopCap Games
2007-06-29 02:58:06 -------- d-----w C:\DOCUME~1\stacey1\APPLIC~1\gtk-2.0
2007-06-28 07:26:56 14 ----a-w C:\WINNT\popcinfo.dat
2007-05-26 02:32:18 -------- d-----w C:\Program Files\Winamp
2007-05-21 06:30:37 -------- d-----w C:\Program Files\QuickTime


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
06-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{145B29F4-A56B-4b90-BBAC-45784EBEBBB7}]
06-12-04 11:06 907760 --a------ C:\Program Files\StumbleUpon\StumbleUponIEBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}]
06-12-08 16:45 243016 --a------ C:\Program Files\GetRight\xx2gr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
06-11-09 14:21 440056 --a------ C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
07-02-11 10:35 2403392 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
07-05-23 19:45 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [02-07-25 00:00 C:\WINNT\system32\mobsync.exe]
"Cmaudio"="cmicnfg.cpl" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [06-11-09 14:07 ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07-02-13 15:59 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-05-21 17:57 ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-07-11 16:43 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-05-23 19:45 ]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [07-01-19 11:49 ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"nclaunch"="C:\Program Files\Dora's First Trip ScreenSaver\nclaunch.exe" [05-10-12 17:25 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"MPlayer2_FixUp"=C:\WINNT\inf\unregmp2.exe /Fixups

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-12 10:55:36
Windows 5.0.2195 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-12 10:57:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-07-12 10:57

--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:49 AM, on 7/12/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dora's First Trip ScreenSaver\nclaunch.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\stacey1\Desktop\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [nclaunch] C:\Program Files\Dora's First Trip ScreenSaver\nclaunch.exe
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/13564910a462532f1003/netzip/RdxIE601.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5832 bytes


I can see that the ibm00001.dll and ibm0002.dll are gone when I look in the folder. Does this mean that torpig is gone?

Also, when AVG started up this morning by itself before I stopped it, it identified another trojan- Generic5.GUH. Oh, the luck. It did say what program it was in (a game) so I guess I should try deleting it, but I will wait for further instructions before taking any actions.

Many, many thanks.
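The HijackThis log above is plain text with one entry per line ("O4 - HKLM\..\Run: [name] command"), so a helper's first pass over it can be automated. As an added example (not code from the thread or from the HijackThis tool), here is a small Python parser for that line format with a few defender-side triage rules; the sample lines are constructed from entries in the log posted above, plus one made-up O4 entry (marked) to show the user-profile rule firing.

```python
import re

# Added example, not code from the thread or from HijackThis itself: parse
# HijackThis v2 log lines into (code, body, path) and apply a few defender-side
# triage rules. SAMPLE_LOG is constructed from entries in the log posted above
# plus one made-up O4 line (marked) to exercise the user-profile rule.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [nclaunch] C:\Program Files\Dora's First Trip ScreenSaver\nclaunch.exe
O4 - HKCU\..\Run: [madeup] C:\Documents and Settings\stacey1\Local Settings\Temp\madeup.exe
O15 - Trusted Zone: *.stumbleupon.com
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

ENTRY = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")          # "O4 - <body>"
O4_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")  # "<hive>: [<name>] <cmd>"
WIN_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|cpl|scr))', re.IGNORECASE)
PROFILE_DIRS = ("c:\\documents and settings\\", "c:\\docume~1\\", "\\temp\\")

def extract_path(code, body):
    """File the entry points at, "(no file)" if HJT says so, else None."""
    if body.endswith("(no file)"):
        return "(no file)"
    if code == "O4":  # strip hive and [name] so the path search starts at the command
        m = O4_RE.match(body)
        body = m.group("cmd") if m else body
    p = WIN_PATH.search(body)
    return p.group(1) if p else None

def parse_hjt(text):
    """Parse a HijackThis log; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            code, body = m.group("code"), m.group("body")
            entries.append({"code": code, "body": body, "path": extract_path(code, body)})
    return entries

def triage(entries):
    """Heuristic findings a helper would look at first; not a malware verdict."""
    findings = []
    for e in entries:
        code, path = e["code"], e["path"]
        if path == "(no file)":
            findings.append((code, "orphaned entry: target file no longer exists"))
        elif code == "O15":
            findings.append((code, "Trusted Zone entry relaxes IE security for that site"))
        elif path and any(d in path.lower() for d in PROFILE_DIRS):
            findings.append((code, "autostart target lives under a user profile/temp dir"))
    return findings
```

On the sample, `triage(parse_hjt(SAMPLE_LOG))` flags the orphaned R3 Yahoo! Toolbar hook, the made-up O4 entry under the profile's Temp folder, and the O15 Trusted Zone entry; the rest are left for a human to judge, which is what shelf life does by hand further down.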

shelf life
2007-07-12, 02:37
hi Zillah77,

ok good thanks for the info. i think Windows 2000 is up to Service Pack 4. once we are done you should visit Windows Update to get SP4.


Does this mean that torpig is gone
rescan with spybot and see.


it identified another trojan- Generic5.GUH. Oh, the luck. It did say what program it was in (a game)
is it a legit game? not a cracked or pirated one?

you have Spybot for malware, i suggest a second malware scanner like Lavasoft's Ad-Aware, or SuperAntiSpyware to go along with Spybot Search & Destroy.
rest of hjt log looks ok. rescan with spybot please.

shelf life

Zillah77
2007-07-12, 08:52
Hello again shelf life,

I rescanned with Spybot and torpig did not come up, so I guess it's gone? I hope!!!

I downloaded the 2 programs you recommended, and scanned with those. Ad-Aware came up with 2 items which I quarantined (it gave me the option to quarantine or delete, and I didn't know which to choose, so I chose the less permanent looking option). SuperAntiSpyware came up with 125!!! Most of them were cookies I think but it identified 2 trojans as well. After fixing, I ran AVG again- it still picked up three cases of the trojan Generic5.GUH. I couldn't see any option to 'fix' the problems, so I deleted the files in which the trojans were identified. I hope that that takes care of the problem, I'll scan again with AVG and see what happens.

Thank you very, very much for helping me get rid of torpig (if I'm not being too presumptuous!). Aiding someone from anxiety to peace is no small feat and should be rewarded, preferably with screeds of cash, but I only have keystrokes for you I'm afraid.

My heartfelt gratitude.

shelf life
2007-07-13, 00:01
hello Zillah77,


I rescanned with Spybot and torpig did not come up, so I guess it's gone? I hope!!!
good.


I downloaded the 2 programs you recommended
actually i should have said download one of them. you have Spybot. two malware scanners are enough.


I'll scan again with AVG and see what happens.
let me know the outcome


Thank you very, very much for helping me get rid of torpig
you are welcome


but I only have keystrokes for you I'm afraid.
no problem, i enjoy a witty comment.

shelf life

Zillah77
2007-07-13, 02:40
AVG scan came back clear :bigthumb:

shelf life = awesome :heart: :present:

shelf life
2007-07-14, 04:31
hi Zillah77,

good and thanks. happy safe surfing.

shelf life