Please help clean up this mess.

scan results below:

MalwareBytes

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.29.02

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
Belle :: MAEIR_NEW [administrator]

8/28/2012 11:41:48 PM
mbam-log-2012-08-28 (23-41-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 249224
Time elapsed: 9 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) → Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) → Data: C:\Users\Belle\AppData\Local\{846fc601-8bc1-c467-991e-6ab6537544f4}\n. → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\sysproc.bin (Trojan.SpyEyes.R) → Quarantined and deleted successfully.

Files Detected: 3
C:\Users\Belle\AppData\Local\temp\DD4F.tmp (Exploit.Drop.COD) → Quarantined and deleted successfully.
C:\Windows\Installer\{846fc601-8bc1-c467-991e-6ab6537544f4}\n (RootKit.0Access) → Quarantined and deleted successfully.
C:\sysproc.bin\E0532263A06B641 (Trojan.SpyEyes.R) → Quarantined and deleted successfully.

(end)

and aswMBR results below:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-29 00:42:15

00:42:15.217 OS Version: Windows 6.0.6001 Service Pack 1
00:42:15.217 Number of processors: 2 586 0xF0D
00:42:15.219 ComputerName: MAEIR_NEW UserName: Belle
00:42:17.312 Initialize success
00:42:17.453 AVAST engine defs: 12082803
00:42:45.299 The log file has been saved successfully to “C:\Users\Belle\Desktop\aswMBR.txt”
00:43:01.905 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
00:43:01.907 Disk 0 Vendor: ST3320813AS LV11 Size: 305245MB BusType: 3
00:43:01.938 Disk 0 MBR read successfully
00:43:01.940 Disk 0 MBR scan
00:43:01.944 Disk 0 Windows VISTA default MBR code
00:43:01.977 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 286776 MB offset 2048
00:43:02.012 Disk 0 Partition 2 00 12 Compaq diag MSWIN4.1 18465 MB offset 587320335
00:43:02.031 Disk 0 scanning sectors +625137345
00:43:02.142 Disk 0 scanning C:\Windows\system32\drivers
00:43:21.371 Service scanning
00:43:56.198 Modules scanning
00:44:17.220 Disk 0 trace - called modules:
00:44:17.270 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
00:44:17.276 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85d02ac8]
00:44:17.281 3 CLASSPNP.SYS[8a7a9745] → nt!IofCallDriver → [0x856e9888]
00:44:17.286 5 acpi.sys[806966a0] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x856cc830]
00:44:18.441 AVAST engine scan C:\Windows
00:44:25.588 AVAST engine scan C:\Windows\system32
00:46:47.142 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-AIO [Rtk]
00:49:53.088 AVAST engine scan C:\Windows\system32\drivers
00:50:21.501 AVAST engine scan C:\Users\Belle
01:01:21.311 File: C:\Users\Belle\AppData\Local\temp\soap1_wsdl.exe INFECTED Win32:Zbot-PDR [Trj]
01:07:02.966 AVAST engine scan C:\ProgramData
01:13:01.155 Scan finished successfully
06:42:26.703 Disk 0 MBR has been saved successfully to “C:\Users\Belle\Desktop\MBR.dat”
06:42:26.710 The log file has been saved successfully to “C:\Users\Belle\Desktop\aswMBR.txt”
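The Malwarebytes log above has a simple line format: a section header of the form `<Category> Detected: <N>`, followed by one line per item of the form `<path> (<threat name>) -> <action>`, with registry values carrying an extra `-> Data: ...` segment. As an added example (not part of this thread and not a Malwarebytes tool), here is a Python parser that reads a constructed excerpt copied from the log above, checks that each section's declared count matches the items actually listed, groups detections by the threat name assigned, and lists any item whose action was not reported as successful. The excerpt uses the `->` arrow as the log writes it; the parser also accepts the `→` form shown in the forum rendering.

```python
import re

# Constructed excerpt copied from the Malwarebytes log posted above (detection sections only).
MBAM_LOG = r"""
Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Belle\AppData\Local\{846fc601-8bc1-c467-991e-6ab6537544f4}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\sysproc.bin (Trojan.SpyEyes.R) -> Quarantined and deleted successfully.

Files Detected: 3
C:\Users\Belle\AppData\Local\temp\DD4F.tmp (Exploit.Drop.COD) -> Quarantined and deleted successfully.
C:\Windows\Installer\{846fc601-8bc1-c467-991e-6ab6537544f4}\n (RootKit.0Access) -> Quarantined and deleted successfully.
C:\sysproc.bin\E0532263A06B641 (Trojan.SpyEyes.R) -> Quarantined and deleted successfully.

(end)
"""

# "<Category> Detected: <N>" section header and "<path> (<threat>)" item prefix.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\)$")


def parse_mbam_log(text):
    """Return {section: {"declared": N, "items": [...]}} for the detection sections of a log."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().replace("→", "->")  # forum rendering may show the arrow as →
        if not line or line == "(end)" or line.startswith("(No malicious items"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("section")
            sections[current] = {"declared": int(m.group("count")), "items": []}
            continue
        if current is None:
            continue  # header lines before the first section
        parts = [p.strip() for p in line.split("->")]
        m = ITEM_RE.match(parts[0])
        if not m:
            continue
        # Registry values carry a middle "Data: ..." segment; everything else has just path and action.
        data = None
        if len(parts) == 3 and parts[1].startswith("Data:"):
            data = parts[1][len("Data:"):].strip()
        sections[current]["items"].append({
            "path": m.group("path"),
            "threat": m.group("threat"),
            "data": data,
            "action": parts[-1],
        })
    return sections


def count_mismatches(sections):
    """Sections whose declared count differs from the items listed (a truncated or edited log)."""
    return {name: (s["declared"], len(s["items"]))
            for name, s in sections.items() if s["declared"] != len(s["items"])}


def threat_families(sections):
    """Group detected paths by the threat name Malwarebytes assigned."""
    families = {}
    for s in sections.values():
        for item in s["items"]:
            families.setdefault(item["threat"], []).append(item["path"])
    return families


def unresolved(sections):
    """Items whose action line does not report success (these need follow-up)."""
    return [item for s in sections.values() for item in s["items"]
            if "successfully" not in item["action"]]


if __name__ == "__main__":
    parsed = parse_mbam_log(MBAM_LOG)
    for name, paths in threat_families(parsed).items():
        print(f"{name}: {len(paths)} item(s)")
    print("count mismatches:", count_mismatches(parsed))
    print("unresolved:", unresolved(parsed))
```

Run on this excerpt it reports two Trojan.Zaccess items, two Trojan.SpyEyes.R items, one each of Exploit.Drop.COD and RootKit.0Access, no count mismatches and nothing unresolved, which is the quick sanity check worth doing before pasting a log into a thread.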

There may be some delay due to differing time zones and availability of the volunteer malware removal specialists.

No problem, I ran the scans at home before I headed out to work (it's 9:30 my time). I'll take a look at it when I get home.

Thanks in advance to all the volunteers!

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - No CLSID value found.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - No CLSID value found.
O4 - HKU\S-1-5-21-4062213243-2715843153-2725576425-1005..\Run: [YY1X6IUX7A6I8X5CQOYIAKGQ] C:\sysproc.bin\C639636C747.exe File not found
[2012/08/09 15:17:27 | 000,000,000 | ---D | C] -- C:\ProgramData\IBank
[2012/08/09 15:17:18 | 000,000,000 | -HSD | C] -- C:\ProgramData\Lwklf1ecdGY
[2012/08/09 15:10:01 | 000,000,000 | ---D | C] -- C:\Users\Belle\AppData\Roaming\Oxef
[2012/08/09 15:10:01 | 000,000,000 | ---D | C] -- C:\Users\Belle\AppData\Roaming\Lyvi
[2012/08/09 15:10:01 | 000,000,000 | ---D | C] -- C:\Users\Belle\AppData\Roaming\Dyom

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32] 
""="%systemroot%\system32\wbem\wbemess.dll" 
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:00000774
"Last Counter"=dword:00000784
"First Help"=dword:00000775
"Last Help"=dword:00000785
"Object List"="1908"
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum]
"0"="Root\\LEGACY_BITS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

:Files
C:\Users\Belle\AppData\Local\temp\soap1_wsdl.exe
C:\sysproc.bin  
C:\Windows\Installer\{846fc601-8bc1-c467-991e-6ab6537544f4}
C:\Users\Belle\AppData\Local\{846fc601-8bc1-c467-991e-6ab6537544f4}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered; reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
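The :Reg section of the fix above restores the BITS service keys, but most of the values are written as `hex(2):` and `hex(7):` byte lists that are hard to read before they are imported. As an added example (not part of this thread and not part of OTL), here is a Python decoder for that .reg value syntax: it joins the backslash continuation lines, decodes `hex(2)` (REG_EXPAND_SZ) and `hex(7)` (REG_MULTI_SZ) as UTF-16LE, handles `dword:` and quoted strings, records `[-key]` lines as deletions, and compares the decoded `ImagePath` and `ServiceDll` against the strings the fix itself writes for BITS (`svchost.exe -k netsvcs` and `qmgr.dll`, which are the stock values). `REG_EXCERPT` is a constructed copy of part of the fix; `EXPECTED_BITS` and `check_bits` are names chosen here.

```python
import re

# Constructed excerpt copied from the :Reg section of the OTL fix above (BITS service values).
REG_EXCERPT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<body>.+)$')
HEX_RE = re.compile(r"^hex(?:\((?P<kind>[0-9a-fA-F]+)\))?:(?P<data>.*)$")


def join_continuations(text):
    """Apply the .reg rule that a trailing backslash continues the value on the next line."""
    lines, pending = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1]
        else:
            lines.append(pending + stripped)
            pending = ""
    if pending:
        lines.append(pending)
    return lines


def decode_value(body):
    """Decode one .reg value body: "string", dword:hex, or hex(kind):byte list."""
    if body.startswith('"') and body.endswith('"'):
        return body[1:-1].replace("\\\\", "\\")  # .reg escapes backslashes as \\
    if body.startswith("dword:"):
        return int(body[len("dword:"):], 16)
    hm = HEX_RE.match(body)
    if not hm:
        return body  # unknown form, leave as text
    kind = int(hm.group("kind") or "3", 16)  # bare "hex:" is REG_BINARY (type 3)
    raw = bytes(int(b, 16) for b in hm.group("data").split(",") if b.strip())
    if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL terminated
        return raw.decode("utf-16-le").rstrip("\x00")
    if kind == 7:       # REG_MULTI_SZ: NUL-separated strings, double NUL at the end
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: decoded}}; a key written as [-path] maps to None (deletion)."""
    result, current = {}, None
    for line in join_continuations(text):
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            if key.startswith("-"):
                result[key[1:]] = None
                current = None
            else:
                current = key
                result[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            result[current][vm.group("name")] = decode_value(vm.group("body"))
    return result


# What the fix writes for BITS (and what a stock install uses); assumed baseline for the check.
EXPECTED_BITS = {
    "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "ServiceDll": r"%SystemRoot%\System32\qmgr.dll",
}


def check_bits(parsed):
    """True per value when the decoded BITS host process and service DLL match the baseline."""
    svc = parsed.get(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS") or {}
    params = parsed.get(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters") or {}
    found = {"ImagePath": svc.get("ImagePath"), "ServiceDll": params.get("ServiceDll")}
    return {name: found[name] == expected for name, expected in EXPECTED_BITS.items()}


if __name__ == "__main__":
    parsed = parse_reg(REG_EXCERPT)
    for key, values in parsed.items():
        print(key, "-> DELETE" if values is None else "")
        for name, value in (values or {}).items():
            print(f"    {name} = {value!r}")
    print("baseline check:", check_bits(parsed))
```

Decoding a fix this way before running it is a cheap way to confirm that a registry repair points the service back at the expected host process and DLL; the same decoder reads any exported .reg file, so it also works for comparing a suspect machine's service keys with a known-good export.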

Hi,

Just want to make sure this line is correct and not a copy and paste error.

     O4 - HKU\S-1-5-21-4062213243-2715843153-2725576425-1005..\Run: [YY1X6IUX7A6I8X5CQOYIAKGQ] C:\sysproc.bin\C639636C747.exe File not found

yep that is correct

OTL Log attached

Combo Fix logs attached

OK, you are missing one system file, so we need to search for it.

Run OTL and paste the following into the custom scans box
Then press quick scan

/md5start
netbt.*
/md5stop

Ran OTL, found the PC shut off, so I ran it again; log file attached.

OK, we will now replace the file. Once done, can you let me know of any problems?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:Files
c:\windows\system32\drivers\netbt.sys|C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys replace

:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered; reboot the PC when it is done

Did it work?

FYI

Still having MAL:URL warnings pop up on Avast.

Could you give a screenshot of the alert, please?