ibmxxxxx.dll, Torpig

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pkiwic, May 17, 2007.

  1. pkiwic

    pkiwic Private E-2

    Hey there, have completed steps 1-6.
    Prior to this, Ad-Aware picked up about 5 files (ibm00005.dll, ibm00006.dll, etc.) but was unable to remove them. Located in Common Files\Microsoft Shared\Web Folders. Panda also picked up the ibm00005 file; however, after finishing the Panda scan and rescanning the folder with Ad-Aware it was still there. Then the computer crashed, and on restart the files have gone and Internet Explorer is no longer accessible.
    Other files picked up by Ad-Aware and AVG: dihmolw.exe, llipas.exe, nxgip.exe, t.exe, clean_256cd17.dll
     

    Attached Files:

  2. pkiwic

    pkiwic Private E-2

    All these scans (steps 1-6) were done before the computer crashed and IE stopped working.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    First before we get started fixing things, I must post the below important message/warning!

    IMPORTANT NOTE: You have been infected with a Password Stealing Trojan: Trojan.W32.Torpig

    See these links for what you have: http://www.liutilities.com/products/wintaskspro/processlibrary/ibm00001/
    http://www.liutilities.com/products/wintaskspro/processlibrary/syshost/

    You must take this possible threat seriously, especially if you use this PC for financial related matters.

    You are strongly advised to do the following immediately:
    1. Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned. If you have networked computers, start checking them for problems too.
    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you need to follow the instructions in step 7 of the READ ME to get HijackThis installed and renamed. I will be requesting a log at the end of the below procedure.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 8

    Make sure you reboot after uninstalling the above!

    After the reboot, boot into Safe Mode and run Windows Explorer (right-click Start and select Explore). Then navigate to the below files, right-click on them and select Delete.
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00006.dll

    Now reboot into normal mode and install the current version of Sun Java from: Sun Java Runtime Environment

    Now attach a new log from ShowNew. Also attach a HijackThis log.
     
  5. pkiwic

    pkiwic Private E-2

    Thanks for your help.

    The files are no longer there and don't come up in a search.
    Can the files change name or location, and/or block the search function?

    Should I continue with HijackThis and another ShowNew?

    cheers
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These files for Torpig can change names, but they will always begin with ibm00 and they will be in that same folder. Just look in that folder with Windows Explorer.

    Yes you should.
     
  7. pkiwic

    pkiwic Private E-2

    Looked again and they aren't there. Also the mouse won't now work while in SAFE MODE. Maybe Ad-Aware etc. did delete them.

    Downloaded Sun Java, although running SP1.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are gone based on your ShowNew log.

    Now uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    Let's also remove some unnecessary and duplicate startups that will slow down bootup and also affect normal operation.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Startup: PowerReg Scheduler.exe

    After clicking Fix, exit HJT.

    Other than the above suggestions, you are clean! Are you having any malware problems?
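    The two indicators the thread turns on are mechanical enough to check with a script: Torpig's droppings in the Web Folders directory keep the ibm00 prefix even when the digits change (post 6), and the HijackThis lines chosen above are a BHO whose DLL is gone ("(no file)") plus a Run value that appears under both HKLM and HKCU (post 8). The script below is an added example written for this page, not code from the thread or from HijackThis; the directory listing and the HJT log are constructed sample input (the ibm00005/ibm00006 names, the BHO CLSID and the O4 lines are the ones quoted in this thread, the rest is made up), and the O2/O4 line formats are assumed from the lines shown here rather than from a full HJT specification.

    ```python
    """Triage helpers for the two indicators discussed in this thread:
    Torpig's ibm00*.dll components in the Web Folders directory, and the
    HijackThis O2/O4 lines that point at missing or duplicated startup items.
    All input below is constructed sample data, not a real log or listing.
    """
    import re

    # Constructed listing of C:\Program Files\Common Files\Microsoft Shared\Web Folders.
    # ibm00005.dll and ibm00006.dll are the names from the thread; the others are invented.
    WEB_FOLDERS_LISTING = [
        "MSONSEXT.DLL",
        "ibm00005.dll",
        "fp4autl.dll",
        "ibm00006.dll",
        "PKMWS.DLL",
        "ibm00012.dll",   # renamed component: still carries the ibm00 prefix
        "ibmnotes.dll",   # must not match: no ibm00 prefix
    ]

    # Torpig names its components "ibm00" + digits + ".dll". NTFS is case-insensitive,
    # so match case-insensitively too.
    TORPIG_DLL = re.compile(r"^ibm00\d+\.dll$", re.IGNORECASE)


    def torpig_candidates(listing):
        """Return the names in a directory listing that follow Torpig's ibm00 pattern."""
        return sorted(name for name in listing if TORPIG_DLL.match(name))


    # Constructed HijackThis excerpt. The O2 line and the four O4 lines are the ones
    # quoted in this thread; the second O2 line is an invented, healthy BHO for contrast.
    SAMPLE_HJT_LOG = r"""
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Startup: PowerReg Scheduler.exe
    """

    # Line shapes assumed from the lines quoted in the thread (not a full HJT grammar).
    BHO_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
    RUN_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
    STARTUP_LINE = re.compile(r"^O4 - Startup: (?P<item>.*)$")


    def parse_hjt(text):
        """Split an HJT log into BHO entries, Run-key entries and Startup-folder items."""
        bhos, runs, startups = [], [], []
        for raw in text.splitlines():
            line = raw.strip()
            if m := BHO_LINE.match(line):
                bhos.append(m.groupdict())
            elif m := RUN_LINE.match(line):
                runs.append(m.groupdict())
            elif m := STARTUP_LINE.match(line):
                startups.append(m.group("item"))
        return bhos, runs, startups


    def orphaned_bhos(bhos):
        """CLSIDs still registered as BHOs whose DLL is gone: HJT prints '(no file)'.
        After a removal tool deletes the DLL this registration is what is left behind."""
        return [b["clsid"] for b in bhos if b["path"] == "(no file)"]


    def duplicated_runs(runs):
        """Run values registered under both HKLM and HKCU with the same name, so the
        program is launched twice at logon (the QuickTime case in this thread)."""
        by_name = {}
        for r in runs:
            key = r["name"].lower()
            by_name.setdefault(key, (r["name"], set()))[1].add(r["hive"])
        return sorted(name for name, hives in by_name.values() if {"HKLM", "HKCU"} <= hives)


    def triage(listing, hjt_text):
        """Collect every finding in one dict so a helper can paste it into a reply."""
        bhos, runs, startups = parse_hjt(hjt_text)
        return {
            "torpig_files": torpig_candidates(listing),
            "orphaned_bhos": orphaned_bhos(bhos),
            "duplicate_runs": duplicated_runs(runs),
            "startup_items": startups,
        }


    if __name__ == "__main__":
        for key, value in triage(WEB_FOLDERS_LISTING, SAMPLE_HJT_LOG).items():
            print(f"{key}: {value}")
    ```

    On a live machine the listing would come from `os.listdir()` on the Web Folders path and the HJT text from the saved log; the matching logic is the same. The ibm00 pattern is only the naming Torpig used at the time of this thread, so a clean listing from this check does not by itself prove the machine is clean.
    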
     
  9. pkiwic

    pkiwic Private E-2

    Brilliant, all seems good. Thanks heaps.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  11. pkiwic

    pkiwic Private E-2

    Haven't deleted the restore points, and Trojans Generic4 and PSW.Generic are coming up on AVG in System Volume Information\_restore; these Trojans have come up before.

    A00xxxxx.exe or .dll etc.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow directions! Deleting the restore points was part of my directions, and that is why you are finding problems. System Volume Information is System Restore.
     
