Author Topic: Please help cleaning up this mess.  (Read 5220 times)


joshuki

  • Guest
Please help cleaning up this mess.
« on: August 29, 2012, 12:46:05 PM »
scan results below:

MalwareBytes

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.29.02

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
Belle :: MAEIR_NEW [administrator]

8/28/2012 11:41:48 PM
mbam-log-2012-08-28 (23-41-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 249224
Time elapsed: 9 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Belle\AppData\Local\{846fc601-8bc1-c467-991e-6ab6537544f4}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\sysproc.bin (Trojan.SpyEyes.R) -> Quarantined and deleted successfully.

Files Detected: 3
C:\Users\Belle\AppData\Local\temp\DD4F.tmp (Exploit.Drop.COD) -> Quarantined and deleted successfully.
C:\Windows\Installer\{846fc601-8bc1-c467-991e-6ab6537544f4}\n (RootKit.0Access) -> Quarantined and deleted successfully.
C:\sysproc.bin\E0532263A06B641 (Trojan.SpyEyes.R) -> Quarantined and deleted successfully.

(end)


« Last Edit: August 29, 2012, 12:48:35 PM by joshuki »

joshuki
Re: Please help cleaning up this mess.
« Reply #1 on: August 29, 2012, 12:51:02 PM »
and aswMBR results below:



aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-29 00:42:15
-----------------------------
00:42:15.217    OS Version: Windows 6.0.6001 Service Pack 1
00:42:15.217    Number of processors: 2 586 0xF0D
00:42:15.219    ComputerName: MAEIR_NEW  UserName: Belle
00:42:17.312    Initialize success
00:42:17.453    AVAST engine defs: 12082803
00:42:45.299    The log file has been saved successfully to "C:\Users\Belle\Desktop\aswMBR.txt"
00:43:01.905    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
00:43:01.907    Disk 0 Vendor: ST3320813AS LV11 Size: 305245MB BusType: 3
00:43:01.938    Disk 0 MBR read successfully
00:43:01.940    Disk 0 MBR scan
00:43:01.944    Disk 0 Windows VISTA default MBR code
00:43:01.977    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       286776 MB offset 2048
00:43:02.012    Disk 0 Partition 2 00     12  Compaq diag MSWIN4.1    18465 MB offset 587320335
00:43:02.031    Disk 0 scanning sectors +625137345
00:43:02.142    Disk 0 scanning C:\Windows\system32\drivers
00:43:21.371    Service scanning
00:43:56.198    Modules scanning
00:44:17.220    Disk 0 trace - called modules:
00:44:17.270    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
00:44:17.276    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85d02ac8]
00:44:17.281    3 CLASSPNP.SYS[8a7a9745] -> nt!IofCallDriver -> [0x856e9888]
00:44:17.286    5 acpi.sys[806966a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x856cc830]
00:44:18.441    AVAST engine scan C:\Windows
00:44:25.588    AVAST engine scan C:\Windows\system32
00:46:47.142    File: C:\Windows\system32\services.exe  **INFECTED** Win32:Sirefef-AIO [Rtk]
00:49:53.088    AVAST engine scan C:\Windows\system32\drivers
00:50:21.501    AVAST engine scan C:\Users\Belle
01:01:21.311    File: C:\Users\Belle\AppData\Local\temp\soap1_wsdl.exe  **INFECTED** Win32:Zbot-PDR [Trj]
01:07:02.966    AVAST engine scan C:\ProgramData
01:13:01.155    Scan finished successfully
06:42:26.703    Disk 0 MBR has been saved successfully to "C:\Users\Belle\Desktop\MBR.dat"
06:42:26.710    The log file has been saved successfully to "C:\Users\Belle\Desktop\aswMBR.txt"

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89228
  • No support PMs thanks
Re: Please help cleaning up this mess.
« Reply #2 on: August 29, 2012, 01:15:27 PM »
There may be some delay due to differing time zones and availability of the volunteer malware removal specialists.

joshuki
Re: Please help cleaning up this mess.
« Reply #3 on: August 29, 2012, 03:26:12 PM »
No problem, I ran the scans at home before I headed out to work (it's 9:30 my time). I'll take a look at it when I get home.

Thanks in advance to all the volunteers!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Please help cleaning up this mess.
« Reply #4 on: August 29, 2012, 04:33:08 PM »
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
Code:
:OTL
O2 - BHO: (no name) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - No CLSID value found.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - No CLSID value found.
O4 - HKU\S-1-5-21-4062213243-2715843153-2725576425-1005..\Run: [YY1X6IUX7A6I8X5CQOYIAKGQ] C:\sysproc.bin\C639636C747.exe File not found
[2012/08/09 15:17:27 | 000,000,000 | ---D | C] -- C:\ProgramData\IBank
[2012/08/09 15:17:18 | 000,000,000 | -HSD | C] -- C:\ProgramData\Lwklf1ecdGY
[2012/08/09 15:10:01 | 000,000,000 | ---D | C] -- C:\Users\Belle\AppData\Roaming\Oxef
[2012/08/09 15:10:01 | 000,000,000 | ---D | C] -- C:\Users\Belle\AppData\Roaming\Lyvi
[2012/08/09 15:10:01 | 000,000,000 | ---D | C] -- C:\Users\Belle\AppData\Roaming\Dyom

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:00000774
"Last Counter"=dword:00000784
"First Help"=dword:00000775
"Last Help"=dword:00000785
"Object List"="1908"
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum]
"0"="Root\\LEGACY_BITS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

:Files
C:\Users\Belle\AppData\Local\temp\soap1_wsdl.exe
C:\sysproc.bin 
C:\Windows\Installer\{846fc601-8bc1-c467-991e-6ab6537544f4}
C:\Users\Belle\AppData\Local\{846fc601-8bc1-c467-991e-6ab6537544f4}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN


Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
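To see what the :Reg section of the fix above actually writes back, here is a small decoder added by the editor; it is not code from the thread, from OTL or from ComboFix. The hex(2) and hex(7) blobs are UTF-16LE REG_EXPAND_SZ and REG_MULTI_SZ values in standard .reg syntax, with backslash line continuations. The script parses a fragment copied from the fix (the BITS service keys), decodes those values, and reports whether ImagePath and ServiceDll still point at svchost.exe -k netsvcs and qmgr.dll, which is what the fix restores. The bits_matches_fix helper and the path suffixes it compares against are assumptions of this example, not part of the fix.

```python
"""Decode REG_EXPAND_SZ / REG_MULTI_SZ hex blobs from a .reg-style fix fragment."""
import re

# Fragment copied from the :Reg section of the OTL fix above (BITS service keys).
REG_FRAGMENT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<value>.*)$')
HEX_RE = re.compile(r'^(?P<kind>hex(?:\(\d+\))?):(?P<payload>.*)$')


def _join_continuations(text):
    """Join physical lines that end with a backslash (the .reg continuation marker)."""
    joined, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1].strip()
            continue
        buf += line.strip()
        joined.append(buf)
        buf = ""
    if buf:
        joined.append(buf)
    return joined


def _decode_hex(kind, payload):
    """Turn a comma-separated byte list into the typed value the registry would hold."""
    data = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    if kind == "hex(2)":   # REG_EXPAND_SZ: UTF-16LE, single NUL terminator
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == "hex(7)":   # REG_MULTI_SZ: UTF-16LE, NUL-separated, double-NUL terminated
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data            # bare hex: REG_BINARY, left as raw bytes


def parse_reg(text):
    """Parse a .reg fragment into {key_path: {value_name: decoded_value}}."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # a leading '-' here would mean "delete key"
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, raw = m.group("name"), m.group("value")
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')  # REG_SZ
        elif raw.startswith("dword:"):
            value = int(raw[6:], 16)                                      # REG_DWORD
        else:
            h = HEX_RE.match(raw)
            value = _decode_hex(h.group("kind"), h.group("payload")) if h else raw
        keys[current][name] = value
    return keys


def bits_matches_fix(keys):
    """Return (ImagePath, ServiceDll, ok): ok is True when both values match what the fix restores.

    The expected suffixes are an assumption taken from the decoded fix itself, so the
    same function can be run over a live 'reg export' of the BITS key for comparison.
    """
    svc = keys.get(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS", {})
    params = keys.get(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters", {})
    image, dll = svc.get("ImagePath", ""), params.get("ServiceDll", "")
    ok = (image.lower().endswith(r"\system32\svchost.exe -k netsvcs")
          and dll.lower().endswith(r"\system32\qmgr.dll"))
    return image, dll, ok


if __name__ == "__main__":
    decoded = parse_reg(REG_FRAGMENT)
    for key, values in decoded.items():
        print(f"[{key}]")
        for name, value in values.items():
            print(f"  {name} = {value!r}")
    print("BITS matches fix:", bits_matches_fix(decoded)[2])
```

Run as-is it prints the decoded values; to compare against a real machine, export the key with `reg export HKLM\SYSTEM\CurrentControlSet\Services\BITS bits.reg` and feed that file's text (decoded from UTF-16) to parse_reg instead of the embedded fragment.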

joshuki
Re: Please help cleaning up this mess.
« Reply #5 on: August 29, 2012, 05:31:41 PM »
Hi,

Just want to make sure this line is correct and not a copy and paste error.

         O4 - HKU\S-1-5-21-4062213243-2715843153-2725576425-1005..\Run: [YY1X6IUX7A6I8X5CQOYIAKGQ] C:\sysproc.bin\C639636C747.exe File not found

Offline essexboy
Re: Please help cleaning up this mess.
« Reply #6 on: August 29, 2012, 06:40:00 PM »
yep that is correct

joshuki
Re: Please help cleaning up this mess.
« Reply #7 on: August 31, 2012, 03:27:51 AM »
OTL Log attached

joshuki
Re: Please help cleaning up this mess.
« Reply #8 on: August 31, 2012, 05:13:55 AM »
Combo Fix logs attached

Offline essexboy
Re: Please help cleaning up this mess.
« Reply #9 on: August 31, 2012, 02:38:00 PM »
OK, you are missing one system file, so we need to search for it.

Run OTL and paste the following into the custom scans box
Then press quick scan

/md5start
netbt.*
/md5stop

joshuki
Re: Please help cleaning up this mess.
« Reply #10 on: September 02, 2012, 05:06:24 PM »
Ran OTL, found the PC shut off, so I ran it again; log file attached.

Offline essexboy
Re: Please help cleaning up this mess.
« Reply #11 on: September 02, 2012, 06:08:43 PM »
OK, we will now replace the file. Once done, can you let me know of any problems?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
Code:
:Files
c:\windows\system32\drivers\netbt.sys|C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys replace

:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

joshuki
Re: Please help cleaning up this mess.
« Reply #12 on: September 02, 2012, 08:57:10 PM »
did it work?

joshuki
Re: Please help cleaning up this mess.
« Reply #13 on: September 02, 2012, 09:21:48 PM »
fyi

still having MAL:URL warnings pop up on Avast.

Offline essexboy
Re: Please help cleaning up this mess.
« Reply #14 on: September 02, 2012, 09:38:55 PM »
Could you give a screenshot of the alert please