Computer is infected with Win32:Aluroot-B [Rtk] and it is blocking Avast from updating. Malwarebytes, TDSSKiller, ComboFix and HitmanPro aren't detecting or removing it. Here is the log from aswMBR. Any advice would be much appreciated.
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-04-28 23:09:52
23:09:52.254 OS Version: Windows 6.1.7601 Service Pack 1
23:09:52.255 Number of processors: 4 586 0x3A09
23:09:52.256 ComputerName: RICHFRAENKEL-PC UserName: Rich Fraenkel
23:09:52.814 Initialize success
23:09:55.723 AVAST engine defs: 13020501
23:09:58.253 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:09:58.258 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 8
23:09:58.382 Disk 0 MBR read successfully
23:09:58.388 Disk 0 MBR scan
23:09:58.668 Disk 0 Windows 7 default MBR code
23:09:58.689 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63
23:09:58.927 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 16016 MB offset 81920
23:09:59.290 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 289188 MB offset 32882688
23:09:59.315 Disk 0 scanning sectors +625139712
23:09:59.667 Disk 0 scanning C:\Windows\system32\drivers
23:10:10.115 Service scanning
23:10:28.553 Modules scanning
23:10:36.050 Disk 0 trace - called modules:
23:10:36.454 ntkrnlpa.exe CLASSPNP.SYS disk.sys stdcfltn.sys ACPI.sys halmacpi.dll iaStor.sys
23:10:36.467 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88738378]
23:10:36.481 3 CLASSPNP.SYS[8ce5159e] -> nt!IofCallDriver -> [0x88738a08]
23:10:36.488 5 stdcfltn.sys[8cdbf854] -> nt!IofCallDriver -> [0x8644c958]
23:10:36.494 7 ACPI.sys[8c4b33d4] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x863dc028]
23:10:37.186 AVAST engine scan C:\Windows
23:10:39.003 AVAST engine scan C:\Windows\system32
23:10:46.134 File: C:\Windows\system32\csrsrv.dll INFECTED Win32:Aluroot-B [Rtk]
23:12:05.925 AVAST engine scan C:\Windows\system32\drivers
23:12:15.215 AVAST engine scan C:\Users\Rich Fraenkel
23:16:10.404 AVAST engine scan C:\ProgramData
23:16:45.357 Scan finished successfully
23:25:16.489 Disk 0 MBR has been saved successfully to "C:\Users\Rich Fraenkel\Desktop\MBR.dat"
23:25:16.494 The log file has been saved successfully to "C:\Users\Rich Fraenkel\Desktop\aswMBR.txt"
I can't get any of them to detect the infection, but something is wrong. I can't activate or update Avast, install any other antivirus software like ESET, or update Java. Here is AdwCleaner's log. I'll post the others as well.
AdwCleaner v2.300 - Logfile created 04/30/2013 at 00:47:31
Updated 28/04/2013 by Xplode
Operating system : Windows 7 Professional Service Pack 1 (32 bits)
User : Rich Fraenkel - RICHFRAENKEL-PC
Boot Mode : Normal
Running from : C:\Users\Rich Fraenkel\Desktop\AdwCleaner.exe
Option [Search]
***** [Services] *****
***** [Files / Folders] *****
Folder Found : C:\Program Files\Glarysoft Toolbar
Folder Found : C:\Users\Rich Fraenkel\AppData\LocalLow\Toolbar4
I was following a thread to remove the virus on a different forum. I am fixing this computer remotely and reran ComboFix because I had the remote control active when it ran the first two times. Hope that didn't make things worse.
I'll try to find that page; I've looked through so many. I think it was on BleepingComputer somewhere. All I did was run the scans of all the various programs. I didn't run any of the additional scripts through ComboFix.
Bleeping has specialized and trained helpers. They know what they are doing.
Are you finished with this topic, or is your case there at BC still active?
OK, I agreed to continue with your case. Please read the following:
- I will be working on your malware issues; this may or may not solve other issues you have with your machine.
- The fixes are specific to your problem and should only be used for this issue on this machine.
- If you don't know or understand something, please don't hesitate to ask.
- Please refrain from making any further changes to your computer (install/uninstall programs, delete files, edit the registry, etc.).
- Please DO NOT run any other tools or scans whilst I am helping you.
- It is important that you reply to this thread. Do not start a new topic.
- Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
- Absence of symptoms does not mean that everything is clear.
Please download zoek.exe and save it to your desktop.
- Close any open browsers.
- Temporarily disable your antivirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.
- Double-click on zoek.exe to run the tool. Please wait while the tool starts.
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Hi,
You have even run the ESET Online Scanner, the Windows Repair Tool...
I'm familiar with this kind of work; it is impossible not to remember who you helped and where.
Step #1
- Uninstall Glary Utilities
Re-run zoek.exe as you did before, but use this script: