IRC BOT/ TORPIG detected by ISP but not found by multiple A-V scanners

My client's ISP (Rogers) had warned my client that, based on their
traffic scanners, his system has an IRCBOT/TORPIG infection. He uses
AntiVir Premium and it had found nothing prior to this warning from
Rogers. They warned that if it wasn't cleaned up within 48 hours, they
would suspend his internet access.

I scanned his system using an up-to-date Avira Rescue System CD. It
found no infections. We did an online scan with Kaspersky's online
scan, but his system froze near the end of the scan (as it has been
doing periodically). Up to that point, I think he said it had found no
infections. A retry, scanning just "Critical Areas," found no
infections. Per Rogers advice, he uninstalled AntiVir and installed
their Rogers-Yahoo Online Protection (similar to, but not, Norton
NIS). A scan by it revealed no infections. Today, they suspended his
internet access saying his system is still infected, and recommended a
flatten and re-install as the only way to be sure he isn't infected.

Before doing that, and because of the time and expense involved, I
thought I'd try once more to see if I could find the infection. I
scanned with MBAM and it found only 4 minor adware items and 2
Disabled Security items or words to that effect (which I assume are
because the Windows Firewall is disabled by the Rogers-Yahoo Online
Protection, which incorporates its own firewall). I just slaved his
drive to my system and ran a KAV 2009 scan on it and it found no
infections.

My advice to him is to switch to another ISP, as I think his system is
clean and Rogers is wrong. I can't find anything recent on
IRCBOT/TORPIG, and don't know where to look for signs of this
infection.

Any suggestions?

Larry

Re: IRC BOT/ TORPIG detected by ISP but not found by multiple A-V scanners


| My client's ISP (Rogers) had warned my client that, based on their
| traffic scanners, his system has an IRCBOT/TORPIG infection. He uses
| AntiVir Premium and it had found nothing prior to this warning from
| Rogers. They warned that if it wasn't cleaned up within 48 hours, they
| would suspend his internet access.

| I scanned his system using an up-to-date Avira Rescue System CD. It
| found no infections. We did an online scan with Kaspersky's online
| scan, but his system froze near the end of the scan (as it has been
| doing periodically). Up to that point, I think he said it had found no
| infections. A retry, scanning just "Critical Areas," found no
| infections. Per Rogers advice, he uninstalled AntiVir and installed
| their Rogers-Yahoo Online Protection (similar to, but not, Norton
| NIS). A scan by it revealed no infections. Today, they suspended his
| internet access saying his system is still infected, and recommended a
| flatten and re-install as the only way to be sure he isn't infected.

| Before doing that, and because of the time and expense involved, I
| thought I'd try once more to see if I could find the infection. I
| scanned with MBAM and it found only 4 minor adware items and 2
| Disabled Security items or words to that effect (which I assume are
| because the Windows Firewall is disabled by the Rogers-Yahoo Online
| Protection, which incorporates its own firewall). I just slaved his
| drive to my system and ran a KAV 2009 scan on it and it found no
| infections.

| My advice to him is to switch to another ISP, as I think his system is
| clean and Rogers is wrong. I can't find anything recent on
| IRCBOT/TORPIG, and don't know where to look for signs of this
| infection.

| Any suggestions?

| Larry

Sniff it!

Use Wireshark or other and determine if he is truly generating bot-type traffic.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
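As an added example, not part of Dave's reply or anything else in this thread: a small Python script that applies the "sniff it" advice to captured traffic. It takes outbound TCP payload lines of the kind Wireshark's Follow TCP Stream shows (a constructed sample is embedded; the hosts, ports, nickname and payloads are hypothetical) and reports flows in which the client performs an IRC registration, on whatever port, since bot command channels do not have to sit on 6667.

```python
import re
from collections import defaultdict

# IRC client commands a bot emits right after connecting. The optional
# ":prefix " covers servers that echo commands back with a source prefix.
IRC_CMD = re.compile(r"^(?::\S+ )?(NICK|USER|JOIN|PRIVMSG|PING|PONG)\b", re.I)

# Ports where IRC is expected; a registration anywhere else is worth a note.
IRC_PORTS = {6667, 6697}

# Constructed sample, one record per outbound packet:
# (src_ip, dst_ip, dst_port, payload). Hypothetical hosts and payloads,
# not traffic from the thread.
SAMPLE_PACKETS = [
    ("192.168.1.10", "203.0.113.5", 80, "GET / HTTP/1.1\r\nHost: example.com\r\n"),
    ("192.168.1.10", "198.51.100.7", 8080, "NICK [USA|XP]8123\r\n"),
    ("192.168.1.10", "198.51.100.7", 8080, "USER a b c :d\r\n"),
    ("192.168.1.10", "198.51.100.7", 8080, "JOIN #chan secret\r\n"),
    ("192.168.1.10", "198.51.100.7", 8080, "PRIVMSG #chan :.status\r\n"),
    ("192.168.1.10", "203.0.113.9", 443, "\x16\x03\x01 tls client hello"),
]


def suspicious_irc_flows(packets):
    """Group payload lines by (src, dst, port) and return the flows in which
    the client registered with an IRC server (NICK and USER both seen).
    Result: {flow: (note, [commands in order seen])}."""
    seen = defaultdict(list)
    for src, dst, port, payload in packets:
        for line in payload.split("\r\n"):
            m = IRC_CMD.match(line)
            if m:
                seen[(src, dst, port)].append(m.group(1).upper())
    findings = {}
    for flow, cmds in seen.items():
        if "NICK" in cmds and "USER" in cmds:
            note = "IRC client registration"
            if flow[2] not in IRC_PORTS:
                note += " on non-IRC port %d" % flow[2]
            findings[flow] = (note, cmds)
    return findings


if __name__ == "__main__":
    for (src, dst, port), (note, cmds) in suspicious_irc_flows(SAMPLE_PACKETS).items():
        print("%s -> %s:%d  %s  commands=%s" % (src, dst, port, note, ",".join(cmds)))
```

A host that is clean shows no such flow at all; one that matches is worth a closer look at the channel traffic before deciding whether the ISP is right.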



Re: IRC BOT/ TORPIG detected by ISP but not found by multiple A-V scanners



OK, thanks David. I don't know how to use Wireshark, but will try it
with his system connected to my router and pray _I_ don't get shut
down.

Larry
