Win32:Aluroot-B[RTK]

I received an alert yesterday. I believe it was from the File System Shield. I may have been using a web browser, but I don’t think I was.

The alert said that "Win32:Aluroot-B [RTK] was found and this file was moved to the chest." I did a Quick Scan and no infected files were found. I also ran Malwarebytes and nothing was found either. I scheduled a boot scan just in case and two infected files were found again and moved to the chest again. I have not noticed any changes in how my computer runs yet.

I have attached logs and a screenshot of the chest with the original file locations.

Here is the screenshot of the virus chest and the AdwCleaner log.

malware removers are notified, check back later today

Hi,

Step#1

Please download zoek.exe and save it to your desktop.

- Close any open browsers.

- Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.

- Double-click on zoek.exe to run the tool.
Please wait until the tool starts…

- Copy the text present inside the code box below and paste it into the large window in the zoek tool:

emptyclsid;
firefoxlook;
chromelook;
csrsrv.dll;z

- Click on the Run script button.
Please wait until a log report opens (this may happen after a reboot).

- Save the Notepad file to your Desktop and attach zoek-results.log here.

Note: It will also create a log in the C:\ directory named “zoek-results.log”.


Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this, please read this or this instruction.

How to disable avast:

- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens, in the top right corner, click Settings.
- In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart the computer once more.

When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) to the topic.

Hi,
I let zoek run for 14 hours on my computer but it still said something like “Zoek is still running. Please wait.” I ended up trying to close it in the task manager and restarted my computer. I don’t know if I was supposed to wait longer than that. I’ll run the script again if necessary.

I attached the zoek-results log and the combofix log.

Hi,

Open Notepad and copy/paste the text present inside the code box below:

ClearJavaCache::

Driver::
vToolbarUpdater13.2.0
mchInjDrv

Folder::
c:\program files\Common Files\AVG Secure Search
c:\windows\TEMP\mc286BB.tmp

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).


Then re-run zoek.exe as you did before, but use (copy) this script:

autoclean;

Click on Run script and attach the fresh zoek-results.txt log here.

If the zoek tool doesn’t execute the script and doesn’t show a fresh log within about half an hour, stop it, restart the computer and mention that in your message.

I did everything you said. Here are the new logs.

Hi,

Re-run zoek.exe as you did before, but use this script:

Search Assistant;ff
C:\Users\AYJ\AppData\Roaming\Mozilla\Firefox\Profiles\1qqtuedc.default\extensions\{B3834E60-12A8-11E0-A289-939FDFD72085};f
ndibdjnfmopecpmkdieinmbadjfpblof;chr
pbkdpahkifcigckmhiafindmaflfifgm;chr
C:\ProgramData\AVG Secure Search;fs
C:\Users\AYJ\AppData\Local\Coupon Companion\Chrome\Coupon Companion.crx;f

Let’s run an anti-rootkit scan:

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions on how to use MBAR:
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.

- Unzip/unrar MBAR into a folder on your Desktop.
- Open the folder where the contents were unzipped and run mbar.exe.

- Click on Next, then on the Update button to download fresh definitions.
- When the database has updated, click Next.
- In the following window, ensure the “Targets” Drivers, Sectors and System are ticked, then select the “Scan” button.

- If any infections are found, ensure “Create Restore Point” is checked, then select the “Cleanup” button to remove threats.
Or, if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.

- The cleanup procedure will be scheduled.
- When complete, a pop-up will appear. Select the Yes button and the system should reboot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.


How is your computer running now?

I followed all of the instructions and attached the logs to this post.

Ok, all looks good. Tell me, how is your computer running?

Good afternoon everybody! I’m new on the forum :slight_smile:

I don’t know if this is the same malware/case, but in my case this Win32:Aluroot-B[RTK] alert pops right when I try to install the update KB28132170 for Windows 7…

This is what you find after clicking on more information button… https://technet.microsoft.com/en-us/security/bulletin/ms13-031

So I guess I shouldn’t install this update? Or should I?

Kind regards!

My computer seems to be running normally. The only thing I noticed is that while I was booting my computer the command prompt briefly flashed on the screen before the desktop appeared.

@ Neo2608

Your system might be infected and the malware active. Malware protects itself by preventing anything that might kill it. This is a security update for vulnerabilities, and malware usually uses vulnerabilities, so …

Best for you is to open a new topic and follow this guide from here:
http://forum.avast.com/index.php?topic=53253.0

AdwCleaner - pre-scanner to remove unwanted crapware software …
Malwarebytes - pre-scanner as great help to primary diagnostic tools …

OTL - primary system diagnostic tool
aswMBR - primary antirootkit diagnostic tool

Someone (if it’s not me) will review attached logs and forward you with further malware-removal instructions. :wink:


@ allegory

The only thing I noticed is that while I was booting my computer the command prompt briefly flashed on the screen before the desktop appeared.

That is from the zoek.exe tool. It uses some CMD commands to force the reboot action …

My computer seems to be running normally.

It is necessary to uninstall ComboFix :

- Click Start (or the Start orb: http://amf.mycity.rs/pg/images/VistaStartButton.png ), then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

- In the text field, type in (or copy) the following:

ComboFix /Uninstall

Note that there is a space between “ComboFix” and “/Uninstall”.

- Then click OK (or press Enter).

Wait until the uninstall process is complete.


Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.


I recommend keeping Malwarebytes and using MCShield if you wish.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, but it will also immediately clean the flash drive, memory card or external HDD.

I accidentally ran Combofix again, but I was able to uninstall it the second time. Thank you so much for your help.

Hello

I got that critter too. I have attached my zoex-results.txt. Many thanks in advance.

@ lordarpad
zoek’s script fix is only relevant for allegory’s system and no other, using on another computer may cause problems.

Re-run zoek.exe as you did before but use this script:

standardsearch;

Click on the Run Script button ( http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png ).

Attach here fresh zoek log.

Hi,

got same Aluroot-B message

File csrsrv.dll, in
c\windows\Software Distribution\download\34040f093a63a8239849e531dfa4b587

Neither the file nor the alphanumeric directory can be found.

Ran zoek and combofix.
Got message again.
Went on Bleeping computer where my logs had been looked over.

Got message again.
Ran DDS Security Check, AdwCleaner, posted logs,
waiting for new advice.

Should i run MBAR (which is BETA) ?

Found similar posts (Aluroot/avast) on German and Portuguese forums.

False positive ?

Thanks
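A check a defender can run before deciding between "false positive" and "real rootkit" for a detection like the one described above, added here as an example and not part of any post in this thread: csrsrv.dll is a Microsoft-signed Windows system binary, and the folder Windows Update stages downloaded packages in is C:\Windows\SoftwareDistribution\Download, which matches the hex-named subfolder path quoted in the post. The PowerShell script below compares every csrsrv.dll found in that cache against the installed copy in System32 and checks the Authenticode signature of each; the standard paths, the SHA-256 comparison and the function names are assumptions of this example, and no hash value from the thread is used.

```powershell
# Added example (not from any post in this thread): compare csrsrv.dll copies
# staged in the Windows Update download cache with the installed file and
# verify their Authenticode signatures, to support a false-positive vs.
# real-infection decision before anything is deleted or quarantined.
# Assumed: Windows 7 or later, PowerShell 2.0+, run from an elevated prompt
# (the SoftwareDistribution folder is not readable by standard users).

$updateCache = Join-Path $env:SystemRoot 'SoftwareDistribution\Download'
$installed   = Join-Path $env:SystemRoot 'System32\csrsrv.dll'

function Get-FileSha256 {
    param([string]$Path)
    # .NET is used directly so the script also works on PowerShell 2.0/3.0,
    # where the Get-FileHash cmdlet does not exist yet.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '')
    } finally {
        $stream.Close()
    }
}

function Test-SystemBinary {
    param([string]$Path)
    # Status is 'Valid' only when the file is intact and chains to a trusted
    # signer; any other status on a Windows system DLL deserves a closer look.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path      = $Path
        Sha256    = Get-FileSha256 -Path $Path
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Version   = (Get-Item $Path).VersionInfo.FileVersion
    }
}

# 1. Baseline: the copy of csrsrv.dll that is actually installed.
$installedInfo = Test-SystemBinary -Path $installed
Write-Output "Installed copy:"
$installedInfo | Format-List Path, Version, Signer, SigStatus, Sha256

# 2. Every csrsrv.dll staged in the update cache (hex-named subfolders are
#    normal there while an update that ships the file is pending).
$cached = Get-ChildItem -Path $updateCache -Recurse -Filter 'csrsrv.dll' -ErrorAction SilentlyContinue
if (-not $cached) {
    Write-Output "No csrsrv.dll under $updateCache (the cache is cleared once an update is applied)."
}
foreach ($f in $cached) {
    $info = Test-SystemBinary -Path $f.FullName
    Write-Output "Cached copy:"
    $info | Format-List Path, Version, Signer, SigStatus, Sha256
    if ($info.SigStatus -ne 'Valid') {
        # Preserve, do not delete: the helpers reviewing logs will want this file.
        Write-Warning "Unsigned or tampered csrsrv.dll staged in the update cache: $($f.FullName)"
    } elseif ($info.Sha256 -eq $installedInfo.Sha256) {
        Write-Output "Cached copy is byte-identical to the installed file."
    } else {
        Write-Output "Cached copy differs from the installed file; compare the Version fields (expected for a pending update)."
    }
}
```

A validly Microsoft-signed csrsrv.dll in the update cache, with a newer file version than the installed one, is consistent with a pending security update and supports the false-positive reading; an unsigned or signature-invalid copy of a core system DLL, in the cache or anywhere else, is the case worth keeping intact and handing to whoever is reviewing the logs.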

@ThePoy
Start your own topic if seeking help.

Went on Bleeping computer where my logs had been looked over.
Don’t seek help in multiple forums... it will create chaos for those helping.