Possible infection?

crab

Diamond Member
Jan 29, 2001
Have a buddy that asked me to help solve an issue he's been having with his computer(s) and his yahoo email in general... I stopped doing this work years ago, so I just don't know what's out there as far as malware and cleaning software/techniques to be trusted.

He started by texting me asking if I could remove "some mal ware virus" from his computer. He said it was called torpig, and that "It's on everything I have - they said". I asked who "they" was and he said he called yahoo because he can't log into his email.

So I go over and start looking at things. His yahoo account cannot be accessed by any device other than this one laptop he has. Even my own phone, it says the password is incorrect and if I try to reset it, I am given one option - to send an account key to an email address that had belonged to a now deceased family member - it is simply not an option. If I click "I do not have access to this account", yahoo pretty much says "Uh-oh... Looks like we can't recover your account online." Apparently he has no phone numbers listed, and answered no security questions, although he says he did at one time.

From one of his computers running Windows 7 and Chrome, we can access the account. The password is saved in his Chrome password manager, and when I view it in there, it is exactly the password he told me earlier that is declined on other devices. The account looks normal, he says he's noticed nothing unusual in regards to it, and his online banking etc.

I have a feeling he really might actually have had his account taken over, they have set their own password, and this all possibly works in unison with malware on his laptop to make things look perfectly normal. The machine seems perfectly normal, his updates are current, Windows Defender finds nothing. Obviously, I know these things can be pretty damn clever these days, and purposely work in the background to make everything seem hunky-dory on the surface.

All of the tools I used 10 years ago like Spybot, Adaware, etc look quite commercialized and I'm just not sure they're the real deal anymore.

I'm pretty damn sure the number he called was not actually yahoo, as they told him all of his stuff was infected by "torpig" and that those people had control of his machines and accounts, that there was nothing they could do until things were cleaned. He says they then gave him a handful of recommendations of people/companies/sites or whatever that could clean things. All paid services, and one $300 some bucks. Uhhhh, NO.

Unfortunately, I'm almost afraid to touch the machine and risk locking him out entirely - he'd be pissed even though his current access is likely extremely risky. I think he needs to contact yahoo via a method I've verified first and fix the password properly, and I'll have him do that. But, I'm wondering if you guys think my suspicions are correct that his system is infected and allowing a seemingly flawless access to the account, and what methods I might use to clean it up in the end (I rreeeaaalllyy just want to do a restore, we'll see).
 

PeterRoss

Member
May 31, 2017
If your speculations about the email access are correct, and the only way to access it is through his PC, then removing the malware will most likely cause issues, but if cleaned, he should be able to recover all of his data. Personally, this is the first time I have encountered anything like that. We can try a couple of conventional methods of solving the issue. This entire situation seems to be very weird and tough to deal with.

To start with, is it possible to access other accounts from other devices? If it is that issue, most of the accounts should be inaccessible as well. Unfortunately, his access is currently compromising a majority of his finances and other relevant data he might have. But let us see if we can do this without extremes. Here are a couple of options you can try:

1. Restart the PC in safe mode with networking
2. Install any popular anti-virus and do a quick scan (Majority of the providers do have free versions of their software)
3. Install and scan your PC with Malwarebytes and Hitman Pro.
4. Restart PC in normal mode and do another quick scan with Malwarebytes.

All of the listed software has free / trial versions that can be used without limitations. That should have cleared any potential malware he might have had. At this point, I also recommend updating Windows to the newest patch. You can try and insert the passwords now from other devices as well, to confirm or deny whether it works. Regardless of whether it works or not, I would strongly recommend a full wipe and password change on every single site that is important to him.

A couple of precautions you can pass on to him for future reference.

1. Always have anti-virus and anti-malware software running or at least weekly scans.
2. Be careful with which links you are browsing. If you do not recognize something, avoid it.
3. Be careful with the files that you are downloading. It is always important to download any files from trusted or known websites.
4. Be aware and double check if the website is the real one when inputting passwords.

Hopefully, this helps you resolve the issue. Good luck!
 

bruceb

Diamond Member
Aug 20, 2004
Instructions here (and also a file to do it for you) on how to get rid of "torpig" from your computer

https://www.securitystronghold.com/gates/torpig.html
Manual removal instructions below, but the removal tool is better.
Note: For best results, you should do this after booting into Safe Mode

How to remove Torpig manually?
During all the time since adding Torpig to our database we track its changes and add them to the list below; removing the files mentioned from your hard drive, deleting them from the startup list and also unregistering all corresponding DLLs will result in cleaning your computer from the trojan. But also, missing DLLs that may have been removed or corrupted by Torpig should be restored from your Windows CD.

So, here is the simple process to remove Torpig:

1. Delete the following processes from startup and files from your hard drive:


2. Delete the following folders that are associated with Torpig:

• %commonprogramfiles%\microsoft shared\web folders\

3. Finally, remove these registry keys:

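Before deleting anything, it is worth just looking at the persistence locations the quoted removal instructions cover (Run keys, the Winlogon Shell value, and service ServiceDll entries). This is an added read-only audit script, not part of the thread or of the securitystronghold page; the service names ldrsvc and gb it looks for are taken from those quoted instructions, and everything else it prints is for a human to review, nothing is removed.

```powershell
# Read-only audit of the persistence locations named in the quoted Torpig
# removal instructions. Run from an elevated PowerShell prompt; nothing is deleted.
$findings = @()

# 1. Winlogon Shell should be exactly "explorer.exe"; anything appended is suspect
#    (the quoted instructions show explorer.exe followed by a second executable).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += [pscustomobject]@{ Where = "$winlogon\Shell"; Value = $shell }
}

# 2. Run keys (machine-wide and per-user): list every autostart entry so odd
#    names or paths in user-writable folders stand out.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSChildName/... note properties PowerShell adds.
            if ($p.Name -notlike 'PS*') {
                $findings += [pscustomobject]@{ Where = "$key\$($p.Name)"; Value = $p.Value }
            }
        }
    }
}

# 3. Services: flag the names used in the quoted instructions (ldrsvc, gb) and any
#    ServiceDll that lives outside System32. Legitimate third-party services can
#    appear here too, so treat each hit as something to check, not a verdict.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($svc in Get-ChildItem -Path $services -ErrorAction SilentlyContinue) {
    $name = $svc.PSChildName
    $dll = (Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($name -in @('ldrsvc', 'gb') -or ($dll -and $dll -notlike "$sys32*")) {
        $findings += [pscustomobject]@{ Where = "$services\$name"; Value = $dll }
    }
}

$findings | Format-Table -AutoSize
```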
 

crab

Diamond Member
Jan 29, 2001
Hi, Thanks guys. I had wound up doing exactly as you said - scanning in safe mode. Did a pass of Spybot and Malwarebytes. There was actually nothing of substance found, maybe 25 or so cookies and some other things but no sign of a big infection. Certainly nothing about torpig, and the things I see online about torpig (its hallmarks, etc) just aren't on this machine. Whatever it is, it's not torpig. Who knows what bozos he talked to.

Since the only method of password recovery he had set up with yahoo relies on access to that other email address, I told him there was nothing that could be done. Yahoo literally says at that point you're screwed, and there is apparently no tech support available there.

Thankfully, he did wrangle a way into that OTHER email account, and grab the verification code. He's got his password reset, and I instructed him NOT TO even turn on that machine and let it connect online, let alone sign in to anything with it until I have a chance to grab his important stuff from it, and do a factory restore. I simply don't trust it. I'm also going to set up his yahoo with other recovery methods, two factor too if yahoo even has it.

Also instructed him to change the passwords to his important online accounts at the very least.

Thanks again for the help!
 