Rootkit, please help.

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6450

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

26.04.2011 22:36:56
mbam-log-2011-04-26 (22-36-56).txt

Scan type: Quick scan
Objects scanned: 158898
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Trojan.Agent) → Value: Taskman → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi, why do you think you have a rootkit?

Download aswMBR.exe (511KB) to your desktop.

Double-click aswMBR.exe to run it.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif

Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif

THEN

Download OTS to your Desktop and double-click on it to run it.

- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users.
- Under additional scans select the following:
    Reg - Disabled MS Config Items
    Reg - Drivers32
    Reg - NetSvcs
    Reg - SafeBoot Minimal
    Reg - Shell Spawning
    Evnt - EventViewer Logs (Last 10 Errors)
    File - Lop Check

- Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.

Thank you for your help. The log is attached.

Whilst I look at the log, could you post the aswMBR log please, and let me know why you think you have a rootkit?

Hi. Here it is:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-28 00:58:51

00:58:51.968 OS Version: Windows 5.1.2600 Service Pack 3
00:58:51.968 Number of processors: 2 586 0x4303
00:58:51.968 ComputerName: 2-8141B4DC8AF14 UserName:
00:58:52.187 Initialize success
00:58:58.531 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T0L0-5
00:58:58.531 Disk 0 Vendor: WDC_WD2500KS-00MJB0 02.01C03 Size: 238475MB BusType: 3
00:58:58.531 Disk 0 MBR read error
00:58:58.531 Disk 0 MBR scan
00:58:58.531 MBR BIOS signature not found 0
00:58:58.531 Disk 0 scanning sectors +488376000
00:58:58.531 Disk 0 scanning C:\WINDOWS\system32\drivers
00:59:01.406 Service scanning
00:59:02.234 Disk 0 trace - called modules:
00:59:02.234 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89095aee]<<
00:59:02.234 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x89dbeab8]
00:59:02.234 3 CLASSPNP.SYS[b80e8fd7] → nt!IofCallDriver → \Device\00000075[0x89dbff18]
00:59:02.234 5 ACPI.sys[b7e57620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T0L0-5[0x89dbdd98]
00:59:02.234 Scan finished successfully

When I tried to do my online banking a couple of days ago, a pop-up window appeared asking for my credit card number, PIN, expiry date etc., which could not possibly have come from the bank (I also verified with the bank later that there are no changes in the login).
When I scanned my computer with Avast it reported MBR:\.|PHYSICALDRIVE0. I scanned and tried to delete or repair it many times, but it occurs again and again. When I do the boot-time scan, Avast reports that I have sinlaw@mbr.
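The aswMBR log above reports “MBR read error” and “MBR BIOS signature not found”. As an added example (not from the thread and not aswMBR’s own code), this small Python parser shows what such a check looks like: it reads a 512-byte master boot record, verifies the 0x55AA boot signature, and decodes the four partition table entries, flagging anything a defender would want to compare against a known-good copy. The sample sectors are constructed; the partition size is only loosely modelled on the disk in the log.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (the CHS fields are skipped)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def inspect_mbr(mbr: bytes) -> dict:
    """Return the parsed partition table plus a list of findings to review;
    an empty findings list means nothing looked off."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        findings.append(f"sector is {len(mbr)} bytes, expected {SECTOR_SIZE}")
        mbr = mbr.ljust(SECTOR_SIZE, b"\x00")[:SECTOR_SIZE]
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    if not signature_ok:
        findings.append("boot signature 0x55AA missing")   # the condition aswMBR reported
    if not any(mbr[:PARTITION_TABLE_OFFSET]):
        findings.append("boot code area is all zeros")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entry = parse_partition_entry(mbr[off:off + 16])
        if entry["type"] == 0:
            continue                      # empty slot
        if entry["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{entry['status']:02x}")
        if entry["lba_start"] == 0 or entry["sectors"] == 0:
            findings.append(f"entry {i}: zero start LBA or length")
        partitions.append(entry)
    return {"signature_ok": signature_ok, "partitions": partitions, "findings": findings}


def build_sample_mbr(signed: bool = True) -> bytes:
    """Constructed sample: a boot code stub, one bootable NTFS partition at
    LBA 63, and optionally the boot signature stripped (hypothetical input)."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 438   # 446 bytes
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 488376000 - 63)
    table = entry + b"\x00" * 48                                      # three empty slots
    return boot_code + table + (BOOT_SIGNATURE if signed else b"\x00\x00")


if __name__ == "__main__":
    for label, signed in (("signed", True), ("unsigned", False)):
        print(label, inspect_mbr(build_sample_mbr(signed))["findings"])
```

On a real system the 512 bytes would come from the physical disk device rather than from `build_sample_mbr`; a missing signature or a changed boot code area is only meaningful when compared with a trusted baseline of the same disk.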

sinowal@mbr, more precisely.

This may be the new variant. Does a boot scan detect it and try to cure it?

Let's use TDSSKiller as a test.

Please read carefully and follow these steps.

- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

- If an infected file is detected, the default action will be Cure; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

- If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

- It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

I followed your instructions. TDSSKiller detected suspicious objects and did not ask for a reboot. The scan report is attached.

You must save the log as ANSI and not Unicode.

It is attached to this post.

Re-run TDSSKiller and allow it to fix the MBR, then reboot.

Thank you so much. I followed your instructions, and two days and many full scans later, Avast does not detect anything. I appreciate your help.

Best regards,

Gordana