MBR Rootkit causing Advanced Credit Card Verification pop-up - please help

Hello,

My name is Andreas and my OS is WinXP Pro SP3.

Two days ago I started getting a mysterious "Advanced Credit Card Verification" popup whenever I try to check my credit card transactions on my bank's website. It seems to be a known kind of malware trying to steal credit card data, the same problem has been mentioned in a number of threads on this forum since 2008 (http://forums.majorgeeks.com/showthread.php?t=212164, http://forums.majorgeeks.com/showthread.php?t=187648, http://forums.majorgeeks.com/showthread.php?t=171693 and http://forums.majorgeeks.com/showthread.php?t=168949).

However, since the solutions in these threads vary, I thought it better to bring up my case separately, rather than just trying to repeat what was done in these other cases.

I have gone through all the steps from the "Read and Run first" - tutorial and will attach the logs to this post. Malwarebytes and SuperAntiSpyware seem to have found nothing and I don't know enough about Computers to interpret the ComboFix logfile, but RootRepeal found an MBR Rootkit on all three of my drives.
Running MGtools at first only produced a briefly flashing, then disappearing window. Having rebooted in safe mode, however, MGtools could be started and completed its diagnosis without further problems, so I can attach this log as well.

I hope you can help me find a way to get rid of this Rootkit, or whatever else is causing this popup.

Thanks in advance,
Andreas

 

... just adding the 5th logfile, from MGtools..

 

Thanks for the quick reply. Both programs have found something, I am attaching their logs.

I have already attached MGlogs.zip to my last post in this thread and the forum wont let me upload it again.

 

Thanks for the advice and the .iso. I burnt it and rebooted - however, when I entered "fixmbr \device\harddisk0" in the RecoveryConsole, I got the following, slightly scary message:

"This computer appears to have a non-standard or invalid master boot record.
FIXMBR may damage your partition tables if you proceed.
This could cause all the partitions on the current hard disk to become inaccessible.
If you are not having problems accessing your drive, do not continue.
Are you sure you want to write a new MBR?"

As I had booted from the burnt ISO, I noticed the loading screen said something about "XP Home Edition", though I am using XP Pro - could this be the cause of the message? Or is it normal and should I just proceed?

 

I have tried entering the RC by booting from the (XP home edition) .iso or by using the XP Pro recovery ronsole I installed with ComboFix (as described here http://www.bleepingcomputer.com/combofix/how-to-use-combofix#manual_recovery).
Either way, I can access the RC, but whenever I enter "fixmbr \device\harddisk0", I get the same warning message:

"This computer appears to have a non-standard or invalid master boot record.
FIXMBR may damage your partition tables if you proceed.
This could cause all the partitions on the current hard disk to become inaccessible. If you are not having problems accessing your drive, do not continue.
Are you sure you want to write a new MBR?"

My own XP Pro installation disk wont let me access the recovery console, it just automatically enters installation mode, as if my current XP weren't there.

What should I do?

 

No, it's a self-built PC (well, not "self", some friends helped me) with an Intel Core 2 Duo CPU and an ASUS 55Q PRO Motherboard.

So, do you think I should go for the fixmbr command?

 

Thanks, looks like it worked!! The log looks good, and when I tried logging on to my credit card account, the "advanced verification" popup was gone!

Anything I need to do to make sure it's all gone and never comes back?

Big thanks to you guys for putting your time and effort into this site without charging anything, by the way!! You just saved my day, my computer, and - in this particular case - even my bank account!

 

Sorry to bother you again, but I thought I'd run RootRepeal once more before wrapping up, and sure enough, it claims there's still an MBR rootkit on G:\ (an external hard drive I have permanently attached to my PC...) However, as you saw from the previous logfile, MBR Check has found nothing. TDSSKiller found 1 "locked file"..

Do you reckon I should do something about it, or is RootRepeal seeing ghosts? (logfiles attached)

 

Hm, that could be a problem, it's 500 Gigs and I don't really have that much space anywhere else... Can't I just use the "fixmbr" command on that drive as well?

 

OK, so now I've saved all relevant data from my external drive and HAVE formatted it (via Windows).

Nevertheless, RootRepeal still claims the newly formatted external drive (it is now "H:\", since another external drive I used to evacuate the data has become "G:\") is infected with an MBR rootkit. Moreover, it now can't properly scan it but displays the following error message:
"Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog."
After adjusting the Disk Access Level to maximum, the result is still the same (see attached logs).

According to MBRCheck the main drives are still clean.

Just to be save, I've disconnected the external drive for the time being.
Got any ideas?

P.S.: After looking at the MBRCheck log more closely, I've noticed that PhysicalDrive1 actually is the EXTERNAL drive, whily PhysicalDrive0 is both partitions of my internal hard drive.
So MBRCheck DID check the external drive as well, without finding anything? Shouldn't that also mean that by using the RC command "fixmbr \device\harddisk1" as well as "fixmbr \device\harddisk0" I have also repaired the MBR of the external drive? Maybe RootRepeal is wrong after all?

 

Alright then, thanks!