Author Topic: Sinowal@mbr[Rtk] help  (Read 3890 times)


struggling bt

  • Guest
Sinowal@mbr[Rtk] help
« on: May 03, 2011, 08:50:54 PM »
Hi Folks!

I'm grateful this forum exists, and hopeful that help is just around the corner from one of the many knowledgeable people here.

I'm running a Dell, oldie but goodie; XP OS and Internet Explorer 8.0.  She's been a good machine but I'm afraid I put her in harm's way.

On Friday, 04/29 I used Avast Free to identify a high threat item on my computer: Sinowal@mbr[Rtk]

Over the weekend I meticulously prepared redundant backups of all my data in preparation for a hard drive reformat.

On Sunday, 05/01 I ran aswMBR from safe mode and it highlighted two lines in red. I then clicked on MBR Fix and received the message "Disk 0 Windows 501 MBR fixed successfully".

After reading several posts on this forum I rebooted immediately and then ran subsequent scans using Avast Free and MBam. The scans came up mostly clean; but certainly free of Sinowal@mbr[Rtk].

Next I ran aswMBR, and it showed the same two red lines. I then ran MBR Fix several times and kept getting the same red lines showing up with slight variations.

Here it is Tuesday, 05/03 and I'm still getting clean virus scans using the two programs mentioned above. But I am still getting the same two red lines when I run aswMBR, and the same "fixed successfully" message.

What prompted all this was my computer was running super slow, and whenever I went to eBay or Amazon.com I would get a Phish pop-up that would not even let me enter the site unless I provided credit card, Social Security, security code, ATM pin number etc.

Well, again, here I am, and I have been able to successfully visit eBay and Amazon.com without the Phish screen and I'm getting clean virus scans. I just don't trust that my issue has been resolved.

I've included two aswMBR logs. The first log reflects my 04/30 scan & fix; while the second log reflects my most recent aswMBR (05/03) scan. I've placed asterisks on the two lines that show up in red. There are obvious differences in those lines between the earlier scan/fix and today's scan/fix. I don't know if my computer is safe enough to go online or not. I don't know if Sinowal@mbr[Rtk] has been removed or if it's just sleeping. I do know Sinowal@mbr[Rtk] is not showing up on my MBam scans or my Avast Free scans.

I'm sure tired of dealing with this but I'm prepared to reformat and reinstall if necessary. I've only been activating my Internet connection for short periods of time for specific purposes; i.e. posting this and returning a few quick e-mails.

I sure appreciate any light you can shed on my problem.

Thanks
Matt

LOGS

aswMBR version 0.9.5 Copyright(c) 2011 AVAST Software
Run date: 2011-04-30 21:44:48
-----------------------------
21:44:48.015    OS Version: Windows 5.1.2600 Service Pack 3
21:44:48.015    Number of processors: 2 586 0x403
21:44:48.015    ComputerName: MDE  UserName:
21:44:48.718    Initialize success
21:44:58.375    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
21:44:58.390    Disk 0 Vendor: Maxtor_6 YAR5 Size: 152587MB BusType: 3
21:44:58.406    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1
21:44:58.421    Disk 1 Vendor: WDC_WD50 12.0 Size: 476940MB BusType: 3
21:45:00.437    Disk 0 MBR read successfully
21:45:00.453    Disk 0 MBR scan
21:45:02.468    Disk 0 scanning sectors +312496380
21:45:02.500    Disk 0 scanning C:\WINDOWS\system32\drivers
21:45:16.546    Service scanning
21:45:18.031    Disk 0 trace - called modules:
21:45:18.046*   ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x866b2aee]<<
21:45:18.062    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x872fdab8]
21:45:18.078    3 CLASSPNP.SYS[f7824fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86dfc030]
21:45:18.093*   \Driver\iastor[0x8730b988] -> IRP_MJ_CREATE -> 0x873661d8
21:45:18.125    Scan finished successfully
10:23:10.078    Disk 0 Windows 501 MBR fixed successfully
10:23:37.281    Disk 0 Windows 501 MBR fixed successfully
10:24:10.046    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\MBR.dat"
10:24:10.062    The log file has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\aswMBR.txt"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

aswMBR version 0.9.5 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 10:51:28
-----------------------------
10:51:28.296    OS Version: Windows 5.1.2600 Service Pack 3
10:51:28.296    Number of processors: 2 586 0x403
10:51:28.296    ComputerName: MDE  UserName:
10:51:29.296    Initialize success
10:51:40.125    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
10:51:40.125    Disk 0 Vendor: Maxtor_6 YAR5 Size: 152587MB BusType: 3
10:51:40.140    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1
10:51:40.140    Disk 1 Vendor: WDC_WD50 12.0 Size: 476940MB BusType: 3
10:51:42.156    Disk 0 MBR read successfully
10:51:42.156    Disk 0 MBR scan
10:51:44.171    Disk 0 scanning sectors +312496380
10:51:44.203    Disk 0 scanning C:\WINDOWS\system32\drivers
10:51:59.718    Service scanning
10:52:01.015    Disk 0 trace - called modules:
10:52:01.015*   ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85e76aee]<<
10:52:01.015    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87139ab8]
10:52:01.031    3 CLASSPNP.SYS[f75d2fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86c05030]
10:52:01.031*   \Driver\iastor[0x8710aa08] -> IRP_MJ_CREATE -> 0x871d01d8
10:52:01.031    Scan finished successfully
10:55:23.765    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\MBR.dat"
10:55:23.765    The log file has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\aswMBR009.txt"
10:55:37.390    Disk 0 Windows 501 MBR fixed successfully
10:56:04.843    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\MBR.dat"
10:56:04.843    The log file has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\aswMBR010.txt"
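
Added example (not code from this thread, the poster, or AVAST's aswMBR): a small Python parser for the "trace - called modules" section of aswMBR logs like the ones posted above. The question in the thread is whether the finding is really gone between runs, and the three logs show why that comparison must key on the `>>UNKNOWN [...]<<` marker rather than on the red colouring or on the hex values: the pointers change every boot, and the third log in the thread has no red marks yet still lists an unknown module in the disk stack. The sample logs embedded here are constructed, modelled on the thread's format; `SCAN_CLEAN` is an assumption about what a trace without an unknown module looks like, and all function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed samples modelled on the aswMBR 0.9.5 log format posted in this thread.
# A '*' right after the timestamp is the poster's mark for a line aswMBR showed in red.
# Hex values are kernel pointers that change from boot to boot; they are not stable indicators.
SCAN_A = r"""
21:45:18.031    Disk 0 trace - called modules:
21:45:18.046*   ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x866b2aee]<<
21:45:18.062    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x872fdab8]
21:45:18.078    3 CLASSPNP.SYS[f7824fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86dfc030]
21:45:18.093*   \Driver\iastor[0x8730b988] -> IRP_MJ_CREATE -> 0x873661d8
21:45:18.125    Scan finished successfully
"""

# Same machine, later run: no red marks this time, but the unknown module is still present.
SCAN_B = r"""
15:12:03.093    Disk 0 trace - called modules:
15:12:03.125    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x871d01d8]<<
15:12:03.125    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87127ab8]
15:12:03.125    \Driver\iastor[0x87130168] -> IRP_MJ_CREATE -> 0x871d01d8
15:12:03.125    Scan finished successfully
"""

# Constructed trace with no unknown module. The exact wording a real clean aswMBR run
# prints is an assumption here; only the absence of the UNKNOWN marker matters.
SCAN_CLEAN = r"""
15:40:00.000    Disk 0 trace - called modules:
15:40:00.015    ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys
15:40:00.015    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87127ab8]
15:40:00.031    Scan finished successfully
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})(\*?)\s+(.*)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HOOK_RE = re.compile(r"(\\Driver\\\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")


@dataclass
class TraceFinding:
    time: str
    flagged: bool   # line carried the '*' (shown in red by aswMBR)
    kind: str       # "unknown_module" or "irp_hook"
    detail: str


def parse_trace(log_text):
    """Extract findings from the 'trace - called modules' lines of an aswMBR log."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # headers, run date, separators, blank lines
        time, star, body = m.groups()
        flagged = star == "*"
        u = UNKNOWN_RE.search(body)
        if u:
            findings.append(TraceFinding(time, flagged, "unknown_module", u.group(1)))
            continue
        h = HOOK_RE.search(body)
        if h:
            findings.append(TraceFinding(time, flagged, "irp_hook",
                                         f"{h.group(1)} {h.group(2)} -> {h.group(3)}"))
    return findings


def assess(log_text):
    """Summarise one log: is there a module in the disk stack aswMBR could not identify?"""
    findings = parse_trace(log_text)
    return {
        "unknown_module": any(f.kind == "unknown_module" for f in findings),
        "irp_hook": any(f.kind == "irp_hook" for f in findings),
        "flagged_lines": sum(1 for f in findings if f.flagged),
    }


def unknown_module_persists(before_text, after_text):
    """Compare two runs on the UNKNOWN marker, not on colour marks or pointer values."""
    return assess(before_text)["unknown_module"] and assess(after_text)["unknown_module"]


if __name__ == "__main__":
    for name, text in (("scan A", SCAN_A), ("scan B", SCAN_B), ("clean", SCAN_CLEAN)):
        print(name, assess(text))
    print("unknown module persists A -> B:", unknown_module_persists(SCAN_A, SCAN_B))
```

Run it as a script to see the per-log summaries; `assess(SCAN_B)` reports zero flagged lines but still an unknown module, which is exactly the case a comparison based on the red marks would miss.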

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Sinowal@mbr[Rtk] help
« Reply #1 on: May 03, 2011, 09:08:23 PM »
This may be the new variant that latches on to volsnap - although we can test it out with a dedicated TDL3 tool

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

struggling bt

  • Guest
Re: Sinowal@mbr[Rtk] help
« Reply #2 on: May 03, 2011, 09:23:36 PM »
Thank you essexboy!

I've read several of your malware removal posts and I appreciate your input.  Would it be your opinion then, that MBam and AvastFree are giving me false hope that the problem is gone?  Is the real indicator the red lines that show up during my aswMBR scans?

Thanks again.  I will download that program and report back in a little while.

Matt

Offline essexboy

Re: Sinowal@mbr[Rtk] help
« Reply #3 on: May 03, 2011, 09:28:46 PM »
The probability is that it has gone - however, a double check never hurts. MBAM will not detect this type of infection

struggling bt

  • Guest
Re: Sinowal@mbr[Rtk] help
« Reply #4 on: May 03, 2011, 10:55:36 PM »
The plot thickens!

I ran TDSSKiller and was ecstatic when it found Sinowal.  I went with the default "cure" and rebooted as soon as it told me to.  I continued to be overjoyed when, after my machine was back up, I ran aswMBR.  This time the two red lines still appeared but the program offered me "Fix" instead of MBR Fix.  I selected Fix and was rewarded with a "successfully fixed" message.  I rebooted immediately and then ran aswMBR again; and to my disappointment the two red lines appeared yet again and my only option was MBR Fix.  I chose that option, rebooted, and returned to report my results.

I've included the TDSSKiller log immediately below as requested.  I can also post one of the aswMBR logs if you think it might help.

Thanks
Matt

So what do you think?  Do I still have a virus or not?  I never really researched this particular bug so I'm not really sure what it does or how it might endanger the security of my online activities.

Thanks again!  I'm running into fits because the logs have more words than I'm allowed to post.

struggling bt

  • Guest
Re: Sinowal@mbr[Rtk] help
« Reply #5 on: May 03, 2011, 10:59:12 PM »
PS This "attached log" looks horrible... almost unreadable.  Are there other options available to me to get you the information you need?

Matt

Offline essexboy

Re: Sinowal@mbr[Rtk] help
« Reply #6 on: May 03, 2011, 11:02:56 PM »
You saved it as Unicode but as I only needed to read it, it was not a problem

Could you run another aswMBR scan please and post the log

struggling bt

  • Guest
Re: Sinowal@mbr[Rtk] help
« Reply #7 on: May 03, 2011, 11:13:54 PM »
Here you go!

aswMBR version 0.9.5 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 15:11:28
-----------------------------
15:11:28.750    OS Version: Windows 5.1.2600 Service Pack 3
15:11:28.750    Number of processors: 2 586 0x403
15:11:28.765    ComputerName: MDE  UserName:
15:11:29.515    Initialize success
15:11:34.375    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
15:11:34.375    Disk 0 Vendor: Maxtor_6 YAR5 Size: 152587MB BusType: 3
15:11:34.390    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1
15:11:34.390    Disk 1 Vendor: WDC_WD50 12.0 Size: 476940MB BusType: 3
15:11:36.421    Disk 0 MBR read successfully
15:11:36.421    Disk 0 MBR scan
15:11:38.453    Disk 0 scanning sectors +312496380
15:11:38.468    Disk 0 scanning C:\WINDOWS\system32\drivers
15:12:01.421    Service scanning
15:12:03.093    Disk 0 trace - called modules:
15:12:03.125    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x871d01d8]<<
15:12:03.125    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87127ab8]
15:12:03.125    3 CLASSPNP.SYS[f75d2fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86bfb030]
15:12:03.125    \Driver\iastor[0x87130168] -> IRP_MJ_CREATE -> 0x871d01d8
15:12:03.125    Scan finished successfully
15:12:14.734    Disk 0 Windows 501 MBR fixed successfully
15:12:36.453    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\MBR.dat"
15:12:36.453    The log file has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\aswMBR013.txt"

Offline essexboy

Re: Sinowal@mbr[Rtk] help
« Reply #8 on: May 03, 2011, 11:25:33 PM »
How is the system behaving ?

struggling bt

  • Guest
Re: Sinowal@mbr[Rtk] help
« Reply #9 on: May 03, 2011, 11:41:10 PM »
Okay, in short it seems to be running fair.  As I mentioned in my first post there were two things going on that alerted me to potential trouble.  First, my online activity was slowed drastically and when I typed into the fields there was quite a delay between my keystroke and the letter appearing on screen.

The second thing that was happening was when I visited eBay or Amazon.com.  A pop-up, or partial overlay, would request over and above personal information.  That overlay would not even allow me to casually browse those sites.

I am not experiencing any of the latter.  My cable connectivity is faster than it was a week ago but not as fast as it was a month ago.

One thing I did not mention is that about a month ago I experienced the same sort of Phish activity on the e-commerce sites.  I used my standard battery of tools; MBam, AVG, and Spybot to clear things up and I was able to revisit those sites without any problems.

Right now things seem to be working okay.

Question for you.  My computer guys here tell me that viruses like this are usually not attached to document, picture, or music data... and that I can generally consider my backup data to be safe.  Is that your opinion as well?  My concern stems from reading several other posts where the computer operators did complete hard disk wipes and reformats; and still had problems with the sluggish computer.

If I have to, I don't mind wiping my hard drive if that will work.  On the other hand, if the data I saved has the potential to reinfect my newly reformatted hard drive, that could be bothersome.

Offline essexboy

Re: Sinowal@mbr[Rtk] help
« Reply #10 on: May 04, 2011, 08:56:04 PM »
We could do a bit of TLC and see if that assists - generally I only recommend a format if a file infector is involved

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.  Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
THEN

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disk check

struggling bt

  • Guest
Re: Sinowal@mbr[Rtk] help
« Reply #11 on: May 04, 2011, 10:46:06 PM »
essexboy,

I am very grateful for your help. I have noticed a dramatic improvement in my computer's online and offline performance. I will follow the instructions in your last post, but wanted to tell you how much I appreciate you sharing your expertise.

Best wishes!
Matt

Offline essexboy

Re: Sinowal@mbr[Rtk] help
« Reply #12 on: May 04, 2011, 11:01:07 PM »
My pleasure  ;D