Rootkit..Win32:Aluroot-B[RTK]?

I was notified that I had an infected file by the file system shield. I ran Malwarebytes and no infected files were found. Then I received a pop up (see screenshot in next post) that a rootkit was found and in order to delete it I had to restart the computer and do a boot scan. During this scan I was able to delete 2 files but there was 1 file that I could delete or move to the chest. I restarted my computer and the same pop up about the rootkit came up again.

Also, whenever I try to download aswMBR I get a pop up from avast saying that a “suspicious file was blocked” (see screenshot). I tried downloading it from three different websites and the same thing happened. I attached all of the logs except the aswMBR. My computer was infected with the same rootkit in April and posted to the forum.

Monitoring …

Here are the screenshots.

@ allegory Welcome to avast. :wink:

[*] I will be working on your Malware issues this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*]Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.


I’ll need to see the avast logs.

C:\ProgramData\AVAST Software\Avast\report

Please attach here BehaviorShield.txt


Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.

Here is the ComboFix Log. The Avast log is 546 KB so it’s too large to attach.

I deleted the text from September 2011 - December 2011 from the BehaviorShield log so the file would be small enough.

Hi allegory,
First image above indicates that avast has been detected a service that is MBAM related. Second image above shows that aswMBR driver has been detected by Avast.
I see traces of dialer in CF log. We will continue with the removal.

Open notepad and copy/paste the text present inside the code box below:



ClearJavaCache::

Driver::
mchInjDrv

File::
c:\windows\TEMP\mc27406.tmp



Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

Here is the ComboFix log. At first a message popped up saying a certain file couldn’t be deleted.

Can you please explain what you meant in the first paragraph of the last post? I didn’t really understand. Is there actually a rootkit or was it a false positive? Why couldn’t I download aswMBR?

Let’s first run check for known rootkits.

Download TDSSKiller and save it to your desktop

Execute [b]TDSSKiller.exe[/b] by doubleclicking on it.

[*] Press Start Scan

[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, [b]C:\TDSSKiller.<version_date_time>log.txt[/b]

Please post the contents of that log in your next reply.

======= Next =======

CFScript;

Open notepad and copy/paste the text present inside the code box below:



KILLALL::

File::
c:\windows\TEMP\mc27406.tmp



Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

Yes, FP. So it seems. Detection is related for MBAM and aswMBR services, legit tools. When I thoroughly check and clean your machine, I will know for sure.

Here is the log. TDSSKiller did not find any threats.

Hi,
mchInjDrv services is used by several trusted programs. It also can be malware related. Yours are legit and service will be reloaded on startup of thouse programs.

You are maware free. Your PC is clean. AV has via heuristics warned you for potential danger, detection Eve-Gen is FP.

It is necessary to uninstall ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.


Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.


I recommended to keep Malwarebytes and to use MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.

Ok. I did everything you said to do. Thank you for your help.