How do I remove W32/Alureon.A!Generic
by Ron1989 - 2/17/09 4:28 PM
HELP!! How do I remove W32/Alureon.A!Generic from my system.
I'm on Windows XP.
Thanks for any help.
Attention forum users: We want you to try out the new CNET forums platform! Click here to read the details. Thanks!
by: Ron1989 February 17, 2009 4:28 PM PST
0 people like this thread
Total posts: 20 (Showing page 1 of 1)
Because that infection is also called Worm.Win32.AutoTDSS!IK, you might want to do this:
Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
Highlight that driver and right click on it and select "DISABLE"
RESTART your computer.
Download a copy of Malwarebytes but DO NOT run it yet.
Download it from http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
You can also download it from http://www.gt500.org/malwarebytes/mbam.jsp
Rename the downloaded installer of malwarebytes to any name such as your mytools.exe or yourname.exe
Install by double-clicking the mytools.exe or yourname.exe
Once the program is installed go to the UPDATE tab and try to update the program if you can.
If you can't update MBAM, download the definitions manually:
Next run a quick scan when the update is installed.
Or Download A2 Free (A2) http://www.download.com/A-squared-Free/3000-2239_4-10262215.html
Install, Update then run a SmartScan (not the quick scan)
Thank you Donna for your help!!!!,
I checked the Non-Plug and Play Drivers and there's nothing that looks like TDSSserv.sys.
The following files are there:
Dynamic Virus Protection
Generic Packet Classifier
Ip Network Address Translator
ndis System Driver
ndis usermode I?O Protocol
NetBios over Tcpip
Remote Access Auto Connection driver
Remote Acess IP ARP Driver
Remote Acess NDIS TAPI Driver
TCP/IP protocol Driver
Hi Ron, sorry for the delay
Donna is a little under the weather. Did you also try her other advice with MBAM? I would read her directions above for running that and see if it finds your problem.
Hopefully Donna will be back tomorrow.
Thanks for the reply.
I had not downloaded MBAM because I thought that I had to follow the steps oulined by Donna in the order she wrote the instructions. I didn't realize that they were separated alternatives. Afer receiving your email I followed the downloading procedures and MBAM caught all the infected files and root causes.
The problem is resolved!!!!!!
Thank you and please also pass to Donna my thanks . You guys are the best!!!!
I wish Donna a speedy recovery from her illness......
(NT) Great news Ron and I will relay the message for Donna :)
Glad to hear problem is resolved
Thanks Rod for helping us in this thread.
>>I wish Donna a speedy recovery from her illness......
Glad to hear MBAM removed the infection. Please keep it up-to-date and scan regulalry.
Vista and laptop problem
I hope you can help with a problem when I try to start up my lap top.
When I start my computer the Vista operating system does not initialize.
A text box appears that says START UP REPAIR.. windows can not repair this computer automatically. I click a button that says Don't send to microsoft and the machine shuts off.
Any ideas ???
I'm in the same situation as Ron waas...
I followed Donna's directions but couldn't find anything like TDSSserv.sys.
I downloaded the Malwarebytes, renamed it, installed it, but it will not run. I suspect the virus is preventing it from running???
I'm constantly being redirected to unwanted web pages and my zone alarm security has not handled this virus. I even tried Windows One. It detected the virus but would not clean it.
Any help would be appreciated. Thanks...Jim
Jim, try Norton Power Eraser or TDSSKiller
Both programs before requires no installation and can detect or remove malware that causing what you're experiencing:
Note: When you run Norton Power Eraser, please choose "scan". It will scan the active processes for malware. If it found nothing, scan again but choose "directory scan", then select the system drive (usually drive C) to scan.
But first try TDSSKiller by Kaspersky before using Norton Power Eraser.
Thank You Donna.
I'm typing this from work because the virus on the PC at home is now preventing me from navigating to any and all websites.
I'm going to download both of the programs you suggested to a thumb drive and attempt transfer them to the home PC.
I never mentioned it before, but I'm running Windows XP.
I'll let you know how it goes. Thanks again for you help.
Nothing like a beer, a couple aspirin and one Kaspersky Rootkit removal tool to make a nasty virus all better!
(NT) You're welcome, Jim :) Glad you got rid of it!
Help me: Win32:Alureon-EU is bugging me big time.
Hi, I am running on Windows XP SP2. My anti-virus is AVAST Home edition. It has been detecting this virus Win32:Alureon-EU found in my C:\WINDOWS\system32\drivers\atapi.sys....I tried various anti malware/virus/spyware but nothing can find this virus and kill it. The warnings have been like over 30 times and it's really annoying. I kept on deleting it when it happens but the same message reappears. I donno what else to do.
Sometimes, when I restart my system, it would stop on the black screen with options such as ''Start Windows in Safe Mode'', etc. And the only thing that works for me is by pressing the ''Last Known Good Configuration''....what happened? Did the virus do this? Please help me.
False positive by Avast
I suspect you are seeing false detection by Avast. Atapi.sys is legitimate driver and the path you wrote is the right location of it. To double-check only that it is not infected by rootkit or any sort of malware, please send that sys file for single file scan over at:
Let us know of the result.
No, the virus did not do that but it is normal to see that black screen if atapi.sys or any critical drivers for Windows has been removed. I'd like to suggest also to restore that sys file from Avast chest after updating avast and reporting it to their forum.
Thank you so much for your swift reply. It found no virus in my atapi.sys driver. Here's the sys file. If there's no virus in my atapi.sys driver, then how come I kept on seeing (at some odd timing) the Win32: Alureon EU detected by my Avast? Anyway, thank you again for your help. I really appreciate it.
Antivirus Version Last Update Result
a-squared 188.8.131.52 2009.12.21 -
AhnLab-V3 184.108.40.206 2009.12.21 -
AntiVir 220.127.116.11 2009.12.21 -
Antiy-AVL 18.104.22.168 2009.12.18 -
Authentium 22.214.171.124 2009.12.02 -
Avast 4.8.1351.0 2009.12.21 -
AVG 126.96.36.1997 2009.12.21 -
BitDefender 7.2 2009.12.21 -
CAT-QuickHeal 10.00 2009.12.21 -
ClamAV 0.94.1 2009.12.21 -
Comodo 3319 2009.12.21 -
DrWeb 188.8.131.5282 2009.12.21 -
eSafe 184.108.40.206 2009.12.20 -
eTrust-Vet 35.1.7187 2009.12.21 -
F-Prot 220.127.116.11 2009.12.20 -
F-Secure 9.0.15370.0 2009.12.21 -
Fortinet 18.104.22.168 2009.12.21 -
GData 19 2009.12.21 -
Ikarus T22.214.171.124.0 2009.12.21 -
Jiangmin 13.0.900 2009.12.21 -
K7AntiVirus 7.10.923 2009.12.17 -
Kaspersky 126.96.36.199 2009.12.21 -
McAfee 5838 2009.12.20 -
McAfee+Artemis 5838 2009.12.20 -
McAfee-GW-Edition 6.8.5 2009.12.21 -
Microsoft 1.5302 2009.12.21 -
NOD32 4705 2009.12.21 -
Norman 6.04.03 2009.12.21 -
nProtect 2009.1.8.0 2009.12.21 -
Panda 10.0.2.2 2009.12.15 -
PCTools 188.8.131.52 2009.12.21 -
Prevx 3.0 2009.12.21 -
Rising 22.27.00.04 2009.12.21 -
Sophos 4.49.0 2009.12.21 -
Sunbelt 3.2.1858.2 2009.12.20 -
Symantec 184.108.40.206 2009.12.21 -
TheHacker 220.127.116.11.101 2009.12.21 -
TrendMicro 18.104.22.1684 2009.12.21 -
VBA32 22.214.171.124 2009.12.19 -
ViRobot 2009.12.21.2099 2009.12.21 -
VirusBuster 126.96.36.199 2009.12.20 -
File size: 95360 bytes
MD5 : cdfe4411a69c224bd1d11b2da92dac51
SHA1 : a42fbfeb5a4d94118b483d7f18113aa8c329a052
PEInfo: PE Structure information
( base data )
timedatestamp.....: 0x41107B4D (Wed Aug 4 07:59:41 2004)
machinetype.......: 0x14C (Intel I386)
( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x9672 0x9680 6.45 70b67d65eb28dcccdcba61a31c4d40e2
NONPAGE 0x9A00 0x18E8 0x1900 6.48 5629c7db94fbcf0123c267ec52f0c942
.rdata 0xB300 0xA54 0xA80 4.37 569d2979d21f645730a1a59fd512d25c
.data 0xBD80 0xD94 0xE00 0.44 77b784be18c5257bf3b9c132a03019db
PAGESCAN 0xCB80 0x154F 0x1580 6.15 d1c7adb0c1e5491b58c485d62076561f
PAGE 0xE100 0x5F54 0x5F80 6.46 0951fe4f10eee3d01d5d5aab9a0472bc
INIT 0x14080 0x22A0 0x2300 6.48 4354ab341533bda39d4f4dc3548ef9bd
.rsrc 0x16380 0x3F0 0x400 3.40 0184b21986944fd39532f818b4c642ab
.reloc 0x16780 0xCF0 0xD00 6.46 ae8fd4a932f7899f6257876856210914
( 3 imports )
> hal.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, PoCallDriver, IoCreateDevice, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, KeCancelTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, RtlCopyUnicodeString, memmove, MmHighestUserAddress
> wmilib.sys: WmiSystemControl, WmiCompleteRequest
( 0 exports )
TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEiD : -
packers (Kaspersky): PE_Patch
RDS : NSRL Reference Data Set
( Gateway )
Gateway Operating System Windows XP Pro Edition SP2: ATAPI.SYS, atapi.sys
( Microsoft )
Disc 2438.5: atapi.sysMSDN Disc 2428.4: atapi.sysMSDN Disc 2428.5: atapi.sysMSDN Disc 2428.8: atapi.sysMSDN Disc 2438.7: atapi.sysMSDN Disc 2438.8: atapi.sysMSDN Disc 2439.6: atapi.sysMSDN Disc 2439.7: atapi.sysMSDN Disc 2439.8: atapi.sysMSDN Disc 2440.3: atapi.sysMSDN Disc 2440.4: atapi.sysMSDN Disc 2440.5: atapi.sysMSDN Disc 2441.5: atapi.sysMSDN Disc 2441.6: atapi.sysMSDN Disc 2441.7: atapi.sysMSDN Disc 2442.4: atapi.sysMSDN Disc 2442.6: atapi.sysMSDN Disc 2443.2: atapi.sysMSDN Disc 2443.4: atapi.sysMSDN Disc 2444.3: atapi.sysMSDN Disc 2444.3: atapi.sysMSDN Disc 2444.4: atapi.sysMSDN Disc 2444.6: atapi.sysMSDN Disc 2455.6: atapi.sysMSDN Disc 2464.5: atapi.sysMSDN Disc 2465.4: atapi.sysMSDN Disc 2465.5: atapi.sysMSDN Disc 2466.2: atapi.sysMSDN Disc 2466.4: atapi.sysMSDN Disc 2476.2: atapi.sysMSDN Disc 2476.4: atapi.sysMSDN Disc 2477.2: atapi.sysOperating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: atapi.sysVirtual PC for Mac Windows XP Home Edition: atapi.sysVirtual PC for Mac Windows XP Professional Edition: atapi.sys
That means it's false detection by Avast :)
I just look at Avast forum and found a discussion about atapi.sys that proves also it's a false detection by Avast:
To prevent the false detection, you need to exclude atapi.sys while Avast need to fix their detection/signature file. When they released a new update, you should try to remove the exclusion and see if it's fix already.
Hi, again. I thought I was done with all these viruses. Anyway, I am using ESET NOD32 Smart Security at the moment. But it has been detecting these stuff (shown below) over and over. And it has created a number of empty temp files...such as effy.tmp or srae.tmp...which I have no idea where they came from and God knows how to stop them from being created over and over again.
This is one of the hundreds logs taken from my ESET logfile:
12/24/2009 1:35:10 PM HTTP filter file http://rss-lenta-news.ru/123132/New2.exe a variant of Win32/Delf.OXO trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
I have tried following the steps outlined above and I can't update my MBAM. Whenever I tried to update I get an error MBAM_ERROR_UPDATING(12007,0,winHttpSendRequest). I've tried manually downloading the definitions but the page can't be displayed.
My Symantec virus protection and current malaware can't detect anything. Is there anything else I can do?
You need to try this steps.
If it's Alureon (aka TDS) infection, try the following. Download the following tools to remove the infection and also to reset to default settings:
1. Microsoft Fix it 50195 to reset IE settings.
2. Microsoft Fix it 50267 to reset the hosts file in Windows.
3. Microsoft Fix it 50203 to reset Winsock in Windows.
4. Microsoft Fix it 50199 to reset Internet Protocol.
5. TDSSKiller from Kaspersky
6. Hitman Pro
If you cannot download any tools using the problematic PC, download all of the above using a clean PC.
Save those files on your deskop or in USB/flash drive or any blank removable media that you can plugin/insert to the problematic computer.
Run or execute all the above in order (#1 to #6). Reboot only when prompted.
Try to update Malwarebytes to see if the above steps have helped.
Total posts: 20 (Showing page 1 of 1)