Author Topic: cbl.abuseat.org says my ip address is NAT(ing) for torpig infected server  (Read 1818 times)

0 Members and 1 Guest are viewing this topic.

Offline old_nerd

  • Newbie
  • *
  • Posts: 7
(The IP address) was last detected at 2015-02-22 03:00 GMT (+/- 30 minutes), approximately 4 days, 22 hours, 30 minutes ago.
This IP address is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.
If you are running a newer Windows operating system, Torpig has been likely dropped by a second Trojan such as Andromeda/Gamarue or similar malware droppers.

With Mebroot or any other rootkit that installs itself into the MBR, you will either have to use a "MBR cleaner" or reformat the drive completely - even if you manage to remove Torpig, the MBR infection will cause it to be reinfected again.
The best way to find the machine responsible for this listing is to look for connections to the Torpig C&C sinkhole. This detection was made through a connection to "108.61.18.43" on port "80" TCP. This detection corresponds to a connection at 2015-02-22 03:14:06 (GMT - this timestamp is believed accurate to within one second).
You can try Kaspersky's TDSSKiller Antirootkit Utility to get this infection detected/removed. However, we strongly recommend you to do completely re-install your operation system to get this infection removed permanently.
These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.
You will need to find and eradicate the infection before delisting the IP address.

Hoping for a little help.

Logs attached

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40636
  • Dragons by Sasha
    • Malware fixes
Re: cbl.abuseat.org says my ip address is NAT(ing) for torpig infected server
« Reply #1 on: February 27, 2015, 02:26:19 PM »
I can see no sign there, who told you, you were infected ?

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34840
« Last Edit: February 27, 2015, 02:29:39 PM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 30752
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline old_nerd

  • Newbie
  • *
  • Posts: 7
Hey thanks for the responses.  :)

I was first alerted to a problem when I received a notice from 'administrator' that two emails I sent were not delivered. After checking on spamhaus.org I read that I was listed because my Broadband stick's IP was listed on cbl.abuseat.org. CBL explained exactly why I was listed and gave advice that I should identify the infected machine (if I could) and reformat. The IP address was from the Broadband stick which I had only used on my surface pro 3- so I reset the machine. At no have I been able to identify the bot and mbr infection using available security software.

Would appreciate if anyone knows of a suitable Linux or UNIX boot-up I can run to search PC's for the C&C IP address? Will be methodically checking our family machines to ensure we have done all we can.

I have already downloaded and installed the latest beta version of Premier for the surface pro 3 and am using our family broadband connection with a different IP address, for now.

Regards

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40636
  • Dragons by Sasha
    • Malware fixes
Have you received any further warnings ?