How do I remove W32/Alureon.A!Generic
by Ron1989 - 2/17/09 4:28 PM
HELP!! How do I remove W32/Alureon.A!Generic from my system.
I'm on Windows XP.
Thanks for any help.
Total posts: 20 (Showing page 1 of 1)
Try this
by Donna Buenaventura
- 2/17/09 5:55 PM
In Reply to: How do I remove W32/Alureon.A!Generic by Ron1989
Because that infection is also called Worm.Win32.AutoTDSS!IK, you might want to do this:
Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
Highlight that driver and right click on it and select "DISABLE"
RESTART your computer.
Download a copy of Malwarebytes but DO NOT run it yet.
Download it from http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
You can also download it from http://www.gt500.org/malwarebytes/mbam.jsp
Rename the downloaded Malwarebytes installer to any name such as mytools.exe or yourname.exe
Install by double-clicking the mytools.exe or yourname.exe
Once the program is installed go to the UPDATE tab and try to update the program if you can.
If you can't update MBAM, download the definitions manually:
http://malwarebytes.gt500.org/mbam-rules.exe
Next run a quick scan when the update is installed.
Or download A2 Free (A2) http://www.download.com/A-squared-Free/3000-2239_4-10262215.html
Install, update, then run a SmartScan (not the quick scan)
Removing W32/Alureon.A!Generic
by Ron1989 - 2/18/09 5:51 AM
In Reply to: Try this by Donna Buenaventura
Thank you Donna for your help!!!!,
I checked the Non-Plug and Play Drivers and there's nothing that looks like TDSSserv.sys.
The following files are there:
AFD
Beep
dmboot
dmload
Dynamic Virus Protection
Fips
Generic Packet Classifier
hardlock
Haspnt
HTTP
IntelIdle
Ip Network Address Translator
IPSEC driver
kseddd
mnmdd
mountmanager
ndis System Driver
ndis usermode I/O Protocol
NDProxy
NetBios over Tcpip
null
oreana32
PartMGR
PartVdm
RDPCDD
Remote Access Auto Connection driver
Remote Access IP ARP Driver
Remote Access NDIS TAPI Driver
TCP/IP protocol Driver
trysftnt
VgaSave
VolSnap
wntpport
Thanks again,
Ron
Hi Ron, sorry for the delay
by roddy32
- 2/18/09 7:09 PM
In Reply to: Removing W32/Alureon.A!Generic by Ron1989
Donna is a little under the weather. Did you also try her other advice with MBAM? I would read her directions above for running that and see if it finds your problem.
Hopefully Donna will be back tomorrow.
Virus removal
by Ron1989 - 2/19/09 7:07 AM
In Reply to: Hi Ron, sorry for the delay by roddy32
Hi,
Thanks for the reply.
I had not downloaded MBAM because I thought that I had to follow the steps outlined by Donna in the order she wrote the instructions. I didn't realize that they were separate alternatives. After receiving your email I followed the downloading procedures and MBAM caught all the infected files and root causes.
The problem is resolved!!!!!!
Thank you and please also pass my thanks to Donna. You guys are the best!!!!
I wish Donna a speedy recovery from her illness......
Ron
(NT) Great news Ron and I will relay the message for Donna :)
by roddy32
- 2/19/09 7:19 AM
In Reply to: Virus removal by Ron1989
Glad to hear problem is resolved
by Donna Buenaventura
- 2/19/09 10:12 PM
In Reply to: Virus removal by Ron1989
Thanks Rod for helping us in this thread.
>>I wish Donna a speedy recovery from her illness......
TYVM
Glad to hear MBAM removed the infection. Please keep it up-to-date and scan regularly.
Vista and laptop problem
by Ron1989 - 4/27/09 5:48 PM
In Reply to: Glad to hear problem is resolved by Donna Buenaventura
I hope you can help with a problem when I try to start up my lap top.
When I start my computer the Vista operating system does not initialize.
A text box appears that says START UP REPAIR... Windows cannot repair this computer automatically. I click a button that says Don't send to Microsoft and the machine shuts off.
Any ideas ???
I'm in the same situation as Ron was...
by mcgregorjames - 10/24/10 8:41 AM
In Reply to: Removing W32/Alureon.A!Generic by Ron1989
I followed Donna's directions but couldn't find anything like TDSSserv.sys.
I downloaded the Malwarebytes, renamed it, installed it, but it will not run. I suspect the virus is preventing it from running???
I'm constantly being redirected to unwanted web pages and my zone alarm security has not handled this virus. I even tried Windows One. It detected the virus but would not clean it.
Any help would be appreciated. Thanks...Jim
Jim, try Norton Power Eraser or TDSSKiller
by Donna Buenaventura
- 10/25/10 1:37 AM
In Reply to: I'm in the same situation as Ron was... by mcgregorjames
Both of these programs require no installation and can detect or remove the malware that is causing what you're experiencing:
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://security.symantec.com/nbrt/npe.asp?lcid=1033
Note: When you run Norton Power Eraser, please choose "scan". It will scan the active processes for malware. If it finds nothing, scan again but choose "directory scan", then select the system drive (usually drive C) to scan.
But first try TDSSKiller by Kaspersky before using Norton Power Eraser.
Thank You Donna.
by mcgregorjames - 10/25/10 8:57 AM
In Reply to: Jim, try Norton Power Eraser or TDSSKiller by Donna Buenaventura
I'm typing this from work because the virus on the PC at home is now preventing me from navigating to any and all websites.
I'm going to download both of the programs you suggested to a thumb drive and attempt transfer them to the home PC.
I never mentioned it before, but I'm running Windows XP.
I'll let you know how it goes. Thanks again for your help.
Yes!!!
by mcgregorjames - 10/25/10 3:44 PM
In Reply to: Jim, try Norton Power Eraser or TDSSKiller by Donna Buenaventura
Nothing like a beer, a couple aspirin and one Kaspersky Rootkit removal tool to make a nasty virus all better!
Thanks Donna.
(NT) You're welcome, Jim :) Glad you got rid of it!
by Donna Buenaventura
- 10/25/10 4:28 PM
In Reply to: Yes!!! by mcgregorjames
Help me: Win32:Alureon-EU is bugging me big time.
by Zanna16 - 12/20/09 6:35 AM
In Reply to: Try this by Donna Buenaventura
Hi, I am running on Windows XP SP2. My anti-virus is AVAST Home edition. It has been detecting this virus Win32:Alureon-EU found in my C:\WINDOWS\system32\drivers\atapi.sys. I tried various anti malware/virus/spyware but nothing can find this virus and kill it. The warnings have been like over 30 times and it's really annoying. I kept on deleting it when it happens but the same message reappears. I don't know what else to do.
Sometimes, when I restart my system, it would stop on the black screen with options such as ''Start Windows in Safe Mode'', etc. And the only thing that works for me is by pressing the ''Last Known Good Configuration''....what happened? Did the virus do this? Please help me.
False positive by Avast
by Donna Buenaventura
- 12/21/09 1:34 AM
In Reply to: Help me: Win32:Alureon-EU is bugging me big time. by Zanna16
Hello,
I suspect you are seeing a false detection by Avast. Atapi.sys is a legitimate driver and the path you wrote is the right location for it. Just to double-check that it is not infected by a rootkit or any sort of malware, please send that sys file for a single file scan over at:
http://www.filterbit.com/
http://www.virustotal.com/
http://virusscan.jotti.org/en
Let us know of the result.
No, the virus did not do that, but it is normal to see that black screen if atapi.sys or any critical driver for Windows has been removed. I'd also suggest restoring that sys file from the Avast chest after updating Avast and reporting it to their forum.
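As an added example (not part of this thread, and not code from any of the posters), the following PowerShell script does two of the checks described above without the manual devmgmt.msc walk-through: it lists every kernel-mode driver service (the set shown under "Non-Plug and Play Drivers"), tests whether each binary is present and Authenticode-signed, and records the SHA-256 you would look up at VirusTotal or Jotti, as Donna suggests for atapi.sys. The function names Resolve-DriverPath and Get-KernelDriverReport are my own; the cmdlets are standard Windows PowerShell 4.0 or later, and the script assumes an elevated prompt.

```powershell
# Added example: report kernel drivers whose binary is missing from disk or
# not validly signed, plus a SHA-256 for each, so a legitimate file such as
# atapi.sys can be confirmed and a hidden rootkit service (the thread's
# TDSSserv.sys) stands out before anything is disabled or deleted.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes: "\SystemRoot\...",
    # "\??\C:\...", "system32\drivers\x.sys" or a full Win32 path. Map them all
    # onto a Win32 path so Test-Path and Get-FileHash can use them.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^\\\?\?\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverReport {
    # One row per kernel driver service: name, resolved path, signature status
    # ('FileMissing' when the binary is gone) and SHA-256 for an online lookup.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $exists = $path -and (Test-Path -LiteralPath $path)
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
        $hash   = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
        [pscustomobject]@{
            Name       = $_.Name
            Display    = $_.DisplayName
            State      = $_.State
            StartMode  = $_.StartMode
            Path       = $path
            Signature  = $sig
            SHA256     = $hash
            # Anything other than a valid signature deserves a look. Caveat:
            # some in-box drivers are signed only through a security catalog
            # and may report NotSigned; treat that as "verify by hash", not
            # as proof of infection.
            Suspicious = ($sig -ne 'Valid')
        }
    }
}

# Show only the rows worth reviewing; everything else carries a valid signature.
Get-KernelDriverReport | Where-Object Suspicious |
    Sort-Object Name | Format-Table Name, State, StartMode, Signature, Path -AutoSize
```

Pipe the full report to Export-Csv if you want the hashes of every driver for an offline comparison against a known-good machine.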
The results
by Zanna16 - 12/21/09 6:34 AM
In Reply to: False positive by Avast by Donna Buenaventura
Thank you so much for your swift reply. It found no virus in my atapi.sys driver. Here's the sys file. If there's no virus in my atapi.sys driver, then how come I kept on seeing (at some odd timing) the Win32: Alureon EU detected by my Avast? Anyway, thank you again for your help. I really appreciate it.
That means it's false detection by Avast :)
by Donna Buenaventura
- 12/21/09 7:33 AM
In Reply to: The results by Zanna16
I just looked at the Avast forum and found a discussion about atapi.sys that also proves it's a false detection by Avast:
http://forum.avast.com/index.php?topic=52238.0
To prevent the false detection, you need to exclude atapi.sys while Avast fixes their detection/signature file. When they release a new update, try removing the exclusion and see if it's fixed already.
Win32/Delf.OXO trojan
by Zanna16 - 12/23/09 9:36 PM
In Reply to: That means it's false detection by Avast :) by Donna Buenaventura
Hi, again. I thought I was done with all these viruses. Anyway, I am using ESET NOD32 Smart Security at the moment. But it has been detecting this stuff (shown below) over and over. And it has created a number of empty temp files...such as effy.tmp or srae.tmp...which I have no idea where they came from and God knows how to stop them from being created over and over again.
This is one of the hundreds of log entries taken from my ESET logfile:
12/24/2009 1:35:10 PM HTTP filter file http://rss-lenta-news.ru/123132/New2.exe a variant of Win32/Delf.OXO trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
Alureon
by asoto45 - 11/6/10 5:12 PM
In Reply to: Try this by Donna Buenaventura
I have tried following the steps outlined above and I can't update my MBAM. Whenever I try to update I get an error MBAM_ERROR_UPDATING(12007,0,winHttpSendRequest). I've tried manually downloading the definitions but the page can't be displayed.
My Symantec virus protection and current malware can't detect anything. Is there anything else I can do?
thanks
You need to try these steps.
by Donna Buenaventura
- 11/6/10 11:48 PM
Hi,
If it's an Alureon (aka TDSS) infection, try the following. Download the following tools to remove the infection and also to reset to default settings:
1. Microsoft Fix it 50195 to reset IE settings.
2. Microsoft Fix it 50267 to reset the hosts file in Windows.
3. Microsoft Fix it 50203 to reset Winsock in Windows.
4. Microsoft Fix it 50199 to reset Internet Protocol.
5. TDSSKiller from Kaspersky
6. Hitman Pro
If you cannot download any tools using the problematic PC, download all of the above using a clean PC.
Save those files on your desktop or on a USB/flash drive or any blank removable media that you can plug in/insert into the problematic computer.
Run or execute all the above in order (#1 to #6). Reboot only when prompted.
Try to update Malwarebytes to see if the above steps have helped.