Topic: Removing Win32:Aluroot-B [Rtk]


kingoftheremotes

  • Guest
Removing Win32:Aluroot-B [Rtk]
« on: April 30, 2013, 04:31:39 AM »
Computer is infected with Win32:Aluroot-B [Rtk] and blocking Avast from updating. Malwarebytes, TDDS Killer, Combofix and Hitman aren't detecting or removing it. Here is the log from Avast MBR. Any advice would be much appreciated.

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-04-28 23:09:52
-----------------------------
23:09:52.254    OS Version: Windows 6.1.7601 Service Pack 1
23:09:52.255    Number of processors: 4 586 0x3A09
23:09:52.256    ComputerName: RICHFRAENKEL-PC  UserName: Rich Fraenkel
23:09:52.814    Initialize success
23:09:55.723    AVAST engine defs: 13020501
23:09:58.253    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:09:58.258    Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 8
23:09:58.382    Disk 0 MBR read successfully
23:09:58.388    Disk 0 MBR scan
23:09:58.668    Disk 0 Windows 7 default MBR code
23:09:58.689    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
23:09:58.927    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        16016 MB offset 81920
23:09:59.290    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       289188 MB offset 32882688
23:09:59.315    Disk 0 scanning sectors +625139712
23:09:59.667    Disk 0 scanning C:\Windows\system32\drivers
23:10:10.115    Service scanning
23:10:28.553    Modules scanning
23:10:36.050    Disk 0 trace - called modules:
23:10:36.454    ntkrnlpa.exe CLASSPNP.SYS disk.sys stdcfltn.sys ACPI.sys halmacpi.dll iaStor.sys
23:10:36.467    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88738378]
23:10:36.481    3 CLASSPNP.SYS[8ce5159e] -> nt!IofCallDriver -> [0x88738a08]
23:10:36.488    5 stdcfltn.sys[8cdbf854] -> nt!IofCallDriver -> [0x8644c958]
23:10:36.494    7 ACPI.sys[8c4b33d4] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x863dc028]
23:10:37.186    AVAST engine scan C:\Windows
23:10:39.003    AVAST engine scan C:\Windows\system32
23:10:46.134    File: C:\Windows\system32\csrsrv.dll  **INFECTED** Win32:Aluroot-B [Rtk]
23:12:05.925    AVAST engine scan C:\Windows\system32\drivers
23:12:15.215    AVAST engine scan C:\Users\Rich Fraenkel
23:16:10.404    AVAST engine scan C:\ProgramData
23:16:45.357    Scan finished successfully
23:25:16.489    Disk 0 MBR has been saved successfully to "C:\Users\Rich Fraenkel\Desktop\MBR.dat"
23:25:16.494    The log file has been saved successfully to "C:\Users\Rich Fraenkel\Desktop\aswMBR.txt"

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Removing Win32:Aluroot-B [Rtk]
« Reply #1 on: April 30, 2013, 06:08:47 AM »
Please attach your logs. (AdwCleaner, MBAM and OTL..!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

kingoftheremotes

Re: Removing Win32:Aluroot-B [Rtk]
« Reply #2 on: April 30, 2013, 07:35:55 AM »
I can't get any of them to detect the infection but something is wrong. I can't activate or update Avast or install any other virus software like Eset or update Java. Here is Adwcleaner's logs. I'll post the others as well.

# AdwCleaner v2.300 - Logfile created 04/30/2013 at 00:47:31
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : Rich Fraenkel - RICHFRAENKEL-PC
# Boot Mode : Normal
# Running from : C:\Users\Rich Fraenkel\Desktop\AdwCleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Program Files\Glarysoft Toolbar
Folder Found : C:\Users\Rich Fraenkel\AppData\LocalLow\Toolbar4

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Found : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9F34B17E-FF0D-4FAB-97C4-9713FEE79052}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Found : HKLM\SOFTWARE\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2A42D13C-D427-4787-821B-CF6973855778}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}
Key Found : HKLM\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}
Key Found : HKLM\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}
Key Found : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils
Key Found : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbRequest
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbRequest.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbTask
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbTask.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper
Key Found : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager
Key Found : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{B87F8B63-7274-43FD-87FA-09D3B7496148}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}
Key Found : HKLM\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook
Key Found : HKLM\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16476

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://isearch.glarysoft.com/?src=iehome&d=y

-\\ Google Chrome v26.0.1410.64

File : C:\Users\Rich Fraenkel\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.28] : icon_url = "hxxp://isearch.glarysoft.com/favicon.ico",
Found [l.31] : keyword = "isearch.glarysoft.com",
Found [l.35] : search_url = "hxxp://isearch.glarysoft.com/?q={searchTerms}&src=gcsearch&d=y",
Found [l.2168] : homepage = "hxxp://isearch.glarysoft.com/?src=gchome&d=y",

*************************

AdwCleaner[R1].txt - [6653 octets] - [30/04/2013 00:47:31]

########## EOF - C:\AdwCleaner[R1].txt - [6713 octets] ##########
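The two logs above are the kind of output a helper reads by hand. As an added example (not from this thread, nor from the aswMBR or AdwCleaner tools), the Python script below parses constructed excerpts of both logs: it pulls the INFECTED file, the MBR verdict and the partition layout out of the aswMBR output, and groups AdwCleaner's registry findings by CLSID so that a CLSID registered under several browser extension points at once (HKCU Ext\Settings, CLSID, Browser Helper Objects, PreApproved, URLSearchHooks, Toolbar) stands out as the toolbar's persistence footprint. The embedded log excerpts are taken from the lines posted above and trimmed; the regular expressions are my assumptions about the two log formats.

```python
import re
from collections import defaultdict

# Constructed excerpts of the two logs posted in this thread, trimmed to the
# lines the parsers below care about (paths and GUIDs are as posted).
ASWMBR_LOG = r"""
23:09:58.382    Disk 0 MBR read successfully
23:09:58.668    Disk 0 Windows 7 default MBR code
23:09:58.689    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
23:09:58.927    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        16016 MB offset 81920
23:09:59.290    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       289188 MB offset 32882688
23:10:37.186    AVAST engine scan C:\Windows
23:10:46.134    File: C:\Windows\system32\csrsrv.dll  **INFECTED** Win32:Aluroot-B [Rtk]
23:16:45.357    Scan finished successfully
"""

ADWCLEANER_LOG = r"""
Folder Found : C:\Program Files\Glarysoft Toolbar
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://isearch.glarysoft.com/?src=iehome&d=y
Found [l.35] : search_url = "hxxp://isearch.glarysoft.com/?q={searchTerms}&src=gcsearch&d=y",
"""

# Assumed aswMBR line shapes (derived from the posted log, not from AVAST docs).
INFECTED_RE = re.compile(r"File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s*(?P<name>.*)$")
PARTITION_RE = re.compile(
    r"Disk (?P<disk>\d+) Partition (?P<num>\d+) (?P<boot>[0-9A-F]{2})\s+"
    r"(?:\(A\)\s+)?(?P<type>[0-9A-F]{2})\s+.*?(?P<size>\d+) MB offset (?P<offset>\d+)"
)
MBR_RE = re.compile(r"Disk (?P<disk>\d+) (?P<desc>.*MBR code.*)$")

# Assumed AdwCleaner line shapes.
FOUND_RE = re.compile(r"^(?P<kind>Key|Value|Folder|File) Found : (?P<item>.+)$")
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
URL_RE = re.compile(r'hxxps?://(?P<host>[^/"\s]+)')  # AdwCleaner defangs http as hxxp


def parse_aswmbr(text):
    """Pull infected files, the MBR verdict and the partition table out of an aswMBR log."""
    result = {"infected": [], "partitions": [], "mbr": []}
    for line in text.splitlines():
        m = INFECTED_RE.search(line)
        if m:
            result["infected"].append((m["path"], m["name"].strip()))
            continue
        m = PARTITION_RE.search(line)
        if m:
            result["partitions"].append({
                "num": int(m["num"]), "active": m["boot"] == "80",  # 0x80 = bootable flag
                "type": m["type"], "size_mb": int(m["size"]), "offset": int(m["offset"]),
            })
            continue
        m = MBR_RE.search(line)
        if m:
            result["mbr"].append(m["desc"])
    return result


def parse_adwcleaner(text):
    """Group AdwCleaner findings by CLSID and collect the hosts the browsers were pointed at."""
    findings, hosts = [], set()
    guid_locations = defaultdict(set)
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            findings.append((m["kind"], m["item"]))
            # Location = the registry path with the GUID removed, so the same CLSID
            # under CLSID\, Browser Helper Objects\, PreApproved\ etc. lines up.
            location = GUID_RE.sub("", m["item"]).rstrip(" []\\")
            for guid in GUID_RE.findall(m["item"]):
                guid_locations[guid.upper()].add(location)
        for u in URL_RE.finditer(line):
            hosts.add(u["host"].lower())
    return {"findings": findings,
            "guid_locations": {g: sorted(locs) for g, locs in guid_locations.items()},
            "hijack_hosts": sorted(hosts)}


def multi_location_guids(adw, min_locations=3):
    """CLSIDs wired into several browser extension points at once: the footprint
    of a toolbar/search hijacker that survives a partial clean-up."""
    return {g: locs for g, locs in adw["guid_locations"].items() if len(locs) >= min_locations}


def triage(aswmbr_text, adw_text):
    """One summary dict a helper can read before deciding what to remove."""
    mbr, adw = parse_aswmbr(aswmbr_text), parse_adwcleaner(adw_text)
    active = [p["num"] for p in mbr["partitions"] if p["active"]]
    return {
        "infected_files": mbr["infected"],
        "mbr_verdict": mbr["mbr"],
        "active_partition": active[0] if active else None,
        "partition_count": len(mbr["partitions"]),
        "hijack_hosts": adw["hijack_hosts"],
        "persistent_clsids": multi_location_guids(adw),
    }


if __name__ == "__main__":
    for key, value in triage(ASWMBR_LOG, ADWCLEANER_LOG).items():
        print(f"{key}: {value}")
```

Run on the excerpts, the summary shows a clean default MBR with the infection living in a system DLL (csrsrv.dll), the bootable NTFS partition as partition 2, and two CLSIDs registered in four and five extension points respectively, which is why the Glarysoft toolbar keeps resurfacing in the browser settings even though MBAM reports nothing.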

kingoftheremotes

Re: Removing Win32:Aluroot-B [Rtk]
« Reply #3 on: April 30, 2013, 07:38:50 AM »
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.30.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Rich Fraenkel :: RICHFRAENKEL-PC [administrator]

Protection: Disabled

4/30/2013 12:50:50 AM
mbam-log-2013-04-30 (00-50-50).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 321165
Time elapsed: 30 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Offline Asyn

Re: Removing Win32:Aluroot-B [Rtk]
« Reply #4 on: April 30, 2013, 07:42:00 AM »
Stop..!! Please use the option to attach the OTL log. Thanks.

kingoftheremotes

Re: Removing Win32:Aluroot-B [Rtk]
« Reply #5 on: April 30, 2013, 07:43:47 AM »
Ah thanks, I didn't see the attachment option!

Offline Asyn

Re: Removing Win32:Aluroot-B [Rtk]
« Reply #6 on: April 30, 2013, 07:45:47 AM »
Ah thanks, I didn't see the attachment option!

NP, now you've to wait a bit...

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Removing Win32:Aluroot-B [Rtk]
« Reply #7 on: April 30, 2013, 01:03:21 PM »
Malwarebytes, TDDS Killer, Combofix and Hitman aren't detecting or removing it.

Attach here all TDSSK logs:
C:\TDSSKiller.<version_date_time>log.txt

Attach here Combofix log:
C:\ComboFix.txt

and if you have ...
C:\qoobox\ComboFix2.txt  ...
C:\qoobox\ComboFix3.txt  ...
C:\qoobox\ComboFix4.txt  ...
[ ... ]


kingoftheremotes

Re: Removing Win32:Aluroot-B [Rtk]
« Reply #8 on: April 30, 2013, 05:02:20 PM »
Combofix Log

kingoftheremotes

Re: Removing Win32:Aluroot-B [Rtk]
« Reply #9 on: April 30, 2013, 05:02:43 PM »
TDDS Killer Log

Offline magna86

Re: Removing Win32:Aluroot-B [Rtk]
« Reply #10 on: April 30, 2013, 06:06:12 PM »
This is the third CF log. I need to see the first two CF logs.

PS: Who told you to deploy Combofix and why?

kingoftheremotes

Re: Removing Win32:Aluroot-B [Rtk]
« Reply #11 on: April 30, 2013, 06:47:16 PM »
I was following a thread to remove the virus on a different forum. I am fixing this computer remotely and reran combo fix because I had the remote control active when it ran the first two times. Hope that didn't make things worse.

Offline magna86

Re: Removing Win32:Aluroot-B [Rtk]
« Reply #12 on: April 30, 2013, 06:53:05 PM »
I was following a thread to remove the virus on a different forum.

Can I please have a link to that forum/topic? I just need to verify that you're getting help in the right place.

kingoftheremotes

Re: Removing Win32:Aluroot-B [Rtk]
« Reply #13 on: April 30, 2013, 09:15:27 PM »
I'll try to find that page, I've looked through so many. I think it was on BleepingComputer somewhere. All I did was run the scans of the all the various programs. I didn't run any of the additional scripts through combo fix.

Offline magna86

Re: Removing Win32:Aluroot-B [Rtk]
« Reply #14 on: April 30, 2013, 09:52:44 PM »
Bleeping has specialized and trained helpers. They know what they're doing.
Are you finished with this topic, or is your case there at BC still active?


Ok, I agreed to continue with your case. Please read the following:


  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something, please don't hesitate to ask.
  • Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.
-----------------------------------------


Please download zoek.exe and save it to your desktop.

  • Close any open browsers.
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this, please read this or this Instruction.
  • Double click on zoek.exe to run the tool.
    Please wait until the tool starts...


  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Code:

C:\Windows\system32\csrsrv.dll;i
c:\windows\system32\catroot2;vs
c:\windows\PSEXESVC.EXE;i
firefoxlook;
Chromelook;
skipfix-iedefaults;
silentrunners;
startupall;
filesrcm;

  • Click on the button.
    Please wait until a log report opens (this can be after a reboot).

  • Save notepad to your Desktop and attach here zoek-results.log

    Note: It will also create a log in the C:\ directory named "zoek-results.log"


« Last Edit: April 30, 2013, 10:02:39 PM by magna86 »