Spyware, Viruses, & Security forum

General discussion

How do I remove W32/Alureon.A!Generic

by Ron1989 / February 17, 2009 8:28 AM PST

HELP!! How do I remove W32/Alureon.A!Generic from my system.
I'm on Windows XP.

Thanks for any help.

Try this
by Donna Buenaventura / February 17, 2009 9:55 AM PST

Because that infection is also called Worm.Win32.AutoTDSS!IK, you might want to do this:

Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and you should see something like TDSSserv.sys
Highlight that driver and right click on it and select "DISABLE"
RESTART your computer.

Download a copy of Malwarebytes but DO NOT run it yet.
Download it from http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
You can also download it from http://www.gt500.org/malwarebytes/mbam.jsp

Rename the downloaded Malwarebytes installer to any name, such as mytools.exe or yourname.exe
Install by double-clicking the mytools.exe or yourname.exe

Once the program is installed go to the UPDATE tab and try to update the program if you can.
If you can't update MBAM, download the definitions manually:
http://malwarebytes.gt500.org/mbam-rules.exe

Next run a quick scan when the update is installed.

Or Download A2 Free (A2) http://www.download.com/A-squared-Free/3000-2239_4-10262215.html
Install, Update then run a SmartScan (not the quick scan)

Removing W32/Alureon.A!Generic
by Ron1989 / February 17, 2009 9:51 PM PST
In reply to: Try this

Thank you Donna for your help!!!!,
I checked the Non-Plug and Play Drivers and there's nothing that looks like TDSSserv.sys.

The following files are there:
AFD
Beep
dmboot
dmload
Dynamic Virus Protection
Fips
Generic Packet Classifier
hardlock
Haspnt
HTTP
IntelIdle
Ip Network Address Translator
IPSEC driver
kseddd
mnmdd
mountmanager
ndis System Driver
ndis usermode I/O Protocol
NDProxy
NetBios over Tcpip
null
oreana32
PartMGR
PartVdm
RDPCDD
Remote Access Auto Connection driver
Remote Access IP ARP Driver
Remote Access NDIS TAPI Driver
TCP/IP protocol Driver
trysftnt
VgaSave
VolSnap
wntpport

Thanks again,

Ron

Hi Ron, sorry for the delay
by roddy32 / February 18, 2009 11:09 AM PST

Donna is a little under the weather. Did you also try her other advice with MBAM? I would read her directions above for running that and see if it finds your problem.

Hopefully Donna will be back tomorrow.

Virus removal
by Ron1989 / February 18, 2009 11:07 PM PST

Hi,
Thanks for the reply.
I had not downloaded MBAM because I thought that I had to follow the steps outlined by Donna in the order she wrote the instructions. I didn't realize that they were separate alternatives. After receiving your email I followed the downloading procedures and MBAM caught all the infected files and root causes.

The problem is resolved!!!!!!

Thank you and please also pass to Donna my thanks . You guys are the best!!!!

I wish Donna a speedy recovery from her illness......

Ron

(NT) Great news Ron and I will relay the message for Donna :)
by roddy32 / February 18, 2009 11:19 PM PST
In reply to: Virus removal
Glad to hear problem is resolved
by Donna Buenaventura / February 19, 2009 2:12 PM PST
In reply to: Virus removal

Thanks Rod for helping us in this thread.

>>I wish Donna a speedy recovery from her illness......
TYVM Happy

Glad to hear MBAM removed the infection. Please keep it up-to-date and scan regularly.

Vista and laptop problem
by Ron1989 / April 27, 2009 10:48 AM PDT

I hope you can help with a problem when I try to start up my lap top.

When I start my computer the Vista operating system does not initialize.
A text box appears that says START UP REPAIR.. windows can not repair this computer automatically. I click a button that says Don't send to microsoft and the machine shuts off.

Any ideas ???

I'm in the same situation as Ron was...
by mcgregorjames / October 24, 2010 1:41 AM PDT

I followed Donna's directions but couldn't find anything like TDSSserv.sys.

I downloaded the Malwarebytes, renamed it, installed it, but it will not run. I suspect the virus is preventing it from running???

I'm constantly being redirected to unwanted web pages and my zone alarm security has not handled this virus. I even tried Windows One. It detected the virus but would not clean it.

Any help would be appreciated. Thanks...Jim

Jim, try Norton Power Eraser or TDSSKiller
by Donna Buenaventura / October 24, 2010 6:37 PM PDT

Both programs below require no installation and can detect or remove the malware that is causing what you're experiencing:

http://support.kaspersky.com/viruses/solutions?qid=208280684
http://security.symantec.com/nbrt/npe.asp?lcid=1033

Note: When you run Norton Power Eraser, please choose "scan". It will scan the active processes for malware. If it finds nothing, scan again but choose "directory scan", then select the system drive (usually drive C) to scan.

But first try TDSSKiller by Kaspersky before using Norton Power Eraser.

Thank You Donna.
by mcgregorjames / October 25, 2010 1:57 AM PDT

I'm typing this from work because the virus on the PC at home is now preventing me from navigating to any and all websites.

I'm going to download both of the programs you suggested to a thumb drive and attempt to transfer them to the home PC.

I never mentioned it before, but I'm running Windows XP.

I'll let you know how it goes. Thanks again for your help.

Yes!!!
by mcgregorjames / October 25, 2010 8:44 AM PDT

Nothing like a beer, a couple aspirin and one Kaspersky Rootkit removal tool to make a nasty virus all better! Happy

Thanks Donna.

(NT) You're welcome, Jim :) Glad you got rid of it!
by Donna Buenaventura / October 25, 2010 9:28 AM PDT
In reply to: Yes!!!
Help me: Win32:Alureon-EU is bugging me big time.
by Zanna16 / December 19, 2009 10:35 PM PST
In reply to: Try this

Hi, I am running on Windows XP SP2. My anti-virus is AVAST Home edition. It has been detecting this virus Win32:Alureon-EU found in my C:\WINDOWS\system32\drivers\atapi.sys....I tried various anti malware/virus/spyware but nothing can find this virus and kill it. The warnings have been like over 30 times and it's really annoying. I kept on deleting it when it happens but the same message reappears. I donno what else to do.

Sometimes, when I restart my system, it would stop on the black screen with options such as ''Start Windows in Safe Mode'', etc. And the only thing that works for me is by pressing the ''Last Known Good Configuration''....what happened? Did the virus do this? Please help me.

False positive by Avast
by Donna Buenaventura / December 20, 2009 5:34 PM PST

Hello,

I suspect you are seeing a false detection by Avast. Atapi.sys is a legitimate driver and the path you wrote is its correct location. To double-check that it is not infected by a rootkit or any sort of malware, please send that sys file for a single-file scan over at:
http://www.filterbit.com/
http://www.virustotal.com/
http://virusscan.jotti.org/en

Let us know of the result.

No, the virus did not do that, but it is normal to see that black screen if atapi.sys or any critical Windows driver has been removed. I'd also suggest restoring that sys file from the Avast chest after updating Avast and reporting it on their forum.

The results
by Zanna16 / December 20, 2009 10:34 PM PST

Thank you so much for your swift reply. It found no virus in my atapi.sys driver. Here's the sys file. If there's no virus in my atapi.sys driver, then how come I kept on seeing (at some odd timing) the Win32: Alureon EU detected by my Avast? Anyway, thank you again for your help. I really appreciate it.

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.21 -
AhnLab-V3 5.0.0.2 2009.12.21 -
AntiVir 7.9.1.114 2009.12.21 -
Antiy-AVL 2.0.3.7 2009.12.18 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.21 -
AVG 8.5.0.427 2009.12.21 -
BitDefender 7.2 2009.12.21 -
CAT-QuickHeal 10.00 2009.12.21 -
ClamAV 0.94.1 2009.12.21 -
Comodo 3319 2009.12.21 -
DrWeb 5.0.0.12182 2009.12.21 -
eSafe 7.0.17.0 2009.12.20 -
eTrust-Vet 35.1.7187 2009.12.21 -
F-Prot 4.5.1.85 2009.12.20 -
F-Secure 9.0.15370.0 2009.12.21 -
Fortinet 4.0.14.0 2009.12.21 -
GData 19 2009.12.21 -
Ikarus T3.1.1.79.0 2009.12.21 -
Jiangmin 13.0.900 2009.12.21 -
K7AntiVirus 7.10.923 2009.12.17 -
Kaspersky 7.0.0.125 2009.12.21 -
McAfee 5838 2009.12.20 -
McAfee+Artemis 5838 2009.12.20 -
McAfee-GW-Edition 6.8.5 2009.12.21 -
Microsoft 1.5302 2009.12.21 -
NOD32 4705 2009.12.21 -
Norman 6.04.03 2009.12.21 -
nProtect 2009.1.8.0 2009.12.21 -
Panda 10.0.2.2 2009.12.15 -
PCTools 7.0.3.5 2009.12.21 -
Prevx 3.0 2009.12.21 -
Rising 22.27.00.04 2009.12.21 -
Sophos 4.49.0 2009.12.21 -
Sunbelt 3.2.1858.2 2009.12.20 -
Symantec 1.4.4.12 2009.12.21 -
TheHacker 6.5.0.3.101 2009.12.21 -
TrendMicro 9.120.0.1004 2009.12.21 -
VBA32 3.12.12.0 2009.12.19 -
ViRobot 2009.12.21.2099 2009.12.21 -
VirusBuster 5.0.21.0 2009.12.20 -
Additional information
File size: 95360 bytes
MD5 : cdfe4411a69c224bd1d11b2da92dac51
SHA1 : a42fbfeb5a4d94118b483d7f18113aa8c329a052
SHA256: 0e6b23a80f171550575bebc56f7500cd87a5cf03b2b9fdc49bc3de96282cd69d
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x155F7
timedatestamp.....: 0x41107B4D (Wed Aug 4 07:59:41 2004)
machinetype.......: 0x14C (Intel I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x9672 0x9680 6.45 70b67d65eb28dcccdcba61a31c4d40e2
NONPAGE 0x9A00 0x18E8 0x1900 6.48 5629c7db94fbcf0123c267ec52f0c942
.rdata 0xB300 0xA54 0xA80 4.37 569d2979d21f645730a1a59fd512d25c
.data 0xBD80 0xD94 0xE00 0.44 77b784be18c5257bf3b9c132a03019db
PAGESCAN 0xCB80 0x154F 0x1580 6.15 d1c7adb0c1e5491b58c485d62076561f
PAGE 0xE100 0x5F54 0x5F80 6.46 0951fe4f10eee3d01d5d5aab9a0472bc
INIT 0x14080 0x22A0 0x2300 6.48 4354ab341533bda39d4f4dc3548ef9bd
.rsrc 0x16380 0x3F0 0x400 3.40 0184b21986944fd39532f818b4c642ab
.reloc 0x16780 0xCF0 0xD00 6.46 ae8fd4a932f7899f6257876856210914

( 3 imports )

> hal.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, PoCallDriver, IoCreateDevice, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, KeCancelTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, RtlCopyUnicodeString, memmove, MmHighestUserAddress
> wmilib.sys: WmiSystemControl, WmiCompleteRequest

( 0 exports )
TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=cdfe4411a69c224bd1d11b2da92dac51
ssdeep: 1536:BVzXEOXUOyD8HT6OhAVJqNoQrPs2W7IDdXBoDZYkvR5TJWBwEsjG0cXFIQ0bbZPO:BVL/Eiz6OhrNoQzsnwBoDjR51hljrckO
PEiD : -
packers (Kaspersky): PE_Patch
RDS : NSRL Reference Data Set

( Gateway )

Gateway Operating System Windows XP Pro Edition SP2: ATAPI.SYS, atapi.sys
( Microsoft )

Disc 2438.5: atapi.sys
MSDN Disc 2428.4: atapi.sys
MSDN Disc 2428.5: atapi.sys
MSDN Disc 2428.8: atapi.sys
MSDN Disc 2438.7: atapi.sys
MSDN Disc 2438.8: atapi.sys
MSDN Disc 2439.6: atapi.sys
MSDN Disc 2439.7: atapi.sys
MSDN Disc 2439.8: atapi.sys
MSDN Disc 2440.3: atapi.sys
MSDN Disc 2440.4: atapi.sys
MSDN Disc 2440.5: atapi.sys
MSDN Disc 2441.5: atapi.sys
MSDN Disc 2441.6: atapi.sys
MSDN Disc 2441.7: atapi.sys
MSDN Disc 2442.4: atapi.sys
MSDN Disc 2442.6: atapi.sys
MSDN Disc 2443.2: atapi.sys
MSDN Disc 2443.4: atapi.sys
MSDN Disc 2444.3: atapi.sys
MSDN Disc 2444.3: atapi.sys
MSDN Disc 2444.4: atapi.sys
MSDN Disc 2444.6: atapi.sys
MSDN Disc 2455.6: atapi.sys
MSDN Disc 2464.5: atapi.sys
MSDN Disc 2465.4: atapi.sys
MSDN Disc 2465.5: atapi.sys
MSDN Disc 2466.2: atapi.sys
MSDN Disc 2466.4: atapi.sys
MSDN Disc 2476.2: atapi.sys
MSDN Disc 2476.4: atapi.sys
MSDN Disc 2477.2: atapi.sys
Operating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: atapi.sys
Virtual PC for Mac Windows XP Home Edition: atapi.sys
Virtual PC for Mac Windows XP Professional Edition: atapi.sys
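The report Zanna16 pasted is a multi-engine scan result: one row per engine with "-" meaning no detection, followed by the size and MD5/SHA1/SHA256 of the submitted file. Two checks are worth doing on such a report before trusting it: count how many engines actually flagged the file, and hash the file on your own disk to confirm it is the same object the report describes (a rootkit that swaps atapi.sys would produce different hashes). The following is an added example, not code from this thread or from any scanning service; the report text in it is a constructed excerpt in the same layout, and its hash values belong to an empty file so the sample verifies offline.

```python
"""Parse a pasted multi-engine scan report and re-verify the file it describes.

Added example, not code from this thread or from any scanning service. The
report text below is a constructed excerpt in the same "Antivirus Version
Last Update Result" layout as the one pasted above; the hash values in it
belong to an empty file, so the sample can be checked offline.
"""
import hashlib
import re

SAMPLE_REPORT = """\
Antivirus Version Last Update Result
Avast 4.8.1351.0 2009.12.21 -
Kaspersky 7.0.0.125 2009.12.21 -
Microsoft 1.5302 2009.12.21 -
ExampleAV 1.0 2009.12.21 Win32:Example-Test
Additional information
File size: 0 bytes
MD5 : d41d8cd98f00b204e9800998ecf8427e
SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256)\s*:\s*([0-9a-fA-F]+)\s*$")
SIZE_LINE = re.compile(r"^File size:\s*(\d+)\s*bytes")


def parse_report(text):
    """Return {'engines': [(name, version, date, result)], 'size': int|None, 'hashes': {...}}."""
    engines, hashes, size = [], {}, None
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Antivirus Version"):
            in_table = True
            continue
        if line.startswith("Additional information"):
            in_table = False
            continue
        if in_table:
            parts = line.split()
            if len(parts) < 4:
                continue  # malformed row: skip rather than guess
            name, version, date = parts[0], parts[1], parts[2]
            engines.append((name, version, date, " ".join(parts[3:])))
            continue
        m = HASH_LINE.match(line)
        if m:
            hashes[m.group(1).lower()] = m.group(2).lower()
            continue
        m = SIZE_LINE.match(line)
        if m:
            size = int(m.group(1))
    return {"engines": engines, "size": size, "hashes": hashes}


def detection_summary(parsed):
    """(detections, engines_total, names_of_detecting_engines); '-' means clean."""
    hits = [name for name, _v, _d, result in parsed["engines"] if result != "-"]
    return len(hits), len(parsed["engines"]), hits


def hash_bytes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def verify_identity(data, parsed):
    """List the report fields that do NOT match `data`; an empty list means the
    file you hold is the one the report describes."""
    mismatches = []
    if parsed["size"] is not None and parsed["size"] != len(data):
        mismatches.append("size")
    local = hash_bytes(data)
    for alg, expected in parsed["hashes"].items():
        if local.get(alg) != expected:
            mismatches.append(alg)
    return mismatches


def hash_file(path):
    """Hash a file on disk in chunks (usable on the real driver file)."""
    hashers = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    hits, total, names = detection_summary(report)
    print(f"{hits}/{total} engines flagged the file: {names}")
    print("mismatches vs. empty file:", verify_identity(b"", report))
```

To apply it to a real driver, read the file with `hash_file(r"C:\WINDOWS\system32\drivers\atapi.sys")` and compare the result against the hashes in the report; a mismatch on any algorithm means the submitted copy and the on-disk copy are different files, which is exactly the case a rootkit check is meant to catch.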

That means it's false detection by Avast :)
by Donna Buenaventura / December 20, 2009 11:33 PM PST
In reply to: The results

I just look at Avast forum and found a discussion about atapi.sys that proves also it's a false detection by Avast:
http://forum.avast.com/index.php?topic=52238.0

To prevent the false detection, you need to exclude atapi.sys while Avast fixes their detection/signature file. When they release a new update, you should try to remove the exclusion and see if it's fixed already.

Win32/Delf.OXO trojan
by Zanna16 / December 23, 2009 1:36 PM PST

Hi, again. I thought I was done with all these viruses. Anyway, I am using ESET NOD32 Smart Security at the moment. But it has been detecting this stuff (shown below) over and over. And it has created a number of empty temp files...such as effy.tmp or srae.tmp...which I have no idea where they came from and God knows how to stop them from being created over and over again.

This is one of the hundreds of log entries taken from my ESET logfile:
12/24/2009 1:35:10 PM HTTP filter file http://rss-lenta-news.ru/123132/New2.exe a variant of Win32/Delf.OXO trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
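The log line above is the useful signal in this post: the process that requested the executable is svchost.exe running as NT AUTHORITY\SYSTEM, which is a service host rather than a browser, and that is what makes the event look like a persistent component re-fetching its payload rather than an ordinary drive-by block. Below is an added example, not code from this thread or from ESET, that parses that line format into fields and applies a few triage rules of its own (not ESET's); the sample line is constructed in the same layout as the quoted one, with the download host replaced by a placeholder.

```python
"""Parse an ESET "HTTP filter" log line and triage it.

Added example, not code from this thread or from ESET. The sample line is
constructed in the same layout as the one quoted above, with the download
host replaced by a placeholder; the triage rules are this example's own
heuristics, not ESET's.
"""
import re
from datetime import datetime

SAMPLE_LINE = (
    "12/24/2009 1:35:10 PM HTTP filter file "
    "http://download-host.invalid/123132/New2.exe "  # constructed placeholder URL
    "a variant of Win32/Delf.OXO trojan connection terminated - quarantined "
    "NT AUTHORITY\\SYSTEM Threat was detected upon access to web by the "
    "application: C:\\WINDOWS\\system32\\svchost.exe."
)

EVENT_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"HTTP filter file (?P<url>\S+) (?P<threat>.+?) "
    r"(?P<action>connection terminated - quarantined|connection terminated|quarantined|cleaned) "
    r"(?P<user>.+?) Threat was detected upon access to web by the application: "
    r"(?P<process>.+?)\.?$"
)

# Windows system binaries that should not be fetching executables over HTTP on their own.
SYSTEM_PROCESSES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".sys", ".com")


def parse_eset_http_event(line):
    """Return the event's fields as a dict, or None if the line is not an HTTP filter event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["time"], "%m/%d/%Y %I:%M:%S %p")
    ev["process_name"] = ev["process"].rsplit("\\", 1)[-1].lower()
    return ev


def triage(ev):
    """Return the reasons this event deserves a closer look (empty = routine block)."""
    reasons = []
    if ev["process_name"] in SYSTEM_PROCESSES:
        reasons.append("system process initiated the download")
    if ev["user"].upper() == "NT AUTHORITY\\SYSTEM":
        reasons.append("request made as SYSTEM")
    if ev["url"].lower().endswith(EXECUTABLE_EXT):
        reasons.append("executable payload requested")
    return reasons


def summarize_log(lines):
    """Count events by (process, host): hundreds of identical lines usually
    mean one persistent component retrying, not hundreds of separate infections."""
    counts = {}
    for line in lines:
        ev = parse_eset_http_event(line)
        if ev is None:
            continue
        host = ev["url"].split("/")[2] if "//" in ev["url"] else ev["url"]
        key = (ev["process_name"], host)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    event = parse_eset_http_event(SAMPLE_LINE)
    print(event["time"], event["process_name"], "->", event["url"])
    for reason in triage(event):
        print("  -", reason)
```

Run over a whole exported log, `summarize_log` collapses the repeated lines into a short list of (process, host) pairs, which is the view that tells you whether one resident component is responsible for all of them.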

Alureon
by asoto45 / November 6, 2010 10:12 AM PDT
In reply to: Try this

I have tried following the steps outlined above and I can't update my MBAM. Whenever I try to update I get an error MBAM_ERROR_UPDATING(12007,0,winHttpSendRequest). I've tried manually downloading the definitions but the page can't be displayed.
My Symantec virus protection and current malware scanner can't detect anything. Is there anything else I can do?
thanks

You need to try these steps.
by Donna Buenaventura / November 6, 2010 4:48 PM PDT
In reply to: Alureon

Hi,

If it's an Alureon (aka TDSS) infection, try the following. Download the following tools to remove the infection and also to reset to default settings:

1. Microsoft Fix it 50195 to reset IE settings.
2. Microsoft Fix it 50267 to reset the hosts file in Windows.
3. Microsoft Fix it 50203 to reset Winsock in Windows.
4. Microsoft Fix it 50199 to reset Internet Protocol.
5. TDSSKiller from Kaspersky
6. Hitman Pro

If you cannot download any tools using the problematic PC, download all of the above using a clean PC.

Save those files on your desktop or on a USB/flash drive or any blank removable media that you can plug in/insert into the problematic computer.

Run or execute all the above in order (#1 to #6). Reboot only when prompted.

Try to update Malwarebytes to see if the above steps have helped.
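Steps 2 to 4 above reset the hosts file, Winsock and TCP/IP because this family tampers with name resolution to keep the machine away from update servers; WinHTTP error 12007 in asoto45's message is ERROR_WINHTTP_NAME_NOT_RESOLVED, i.e. the update host could not be resolved at all. Before resetting, it is worth seeing what a tampered hosts file looks like. The following is an added example, not code from this thread or from Microsoft: it parses a hosts file and flags every mapping that points a name at a routable address rather than a loopback or unspecified one (which only block, never redirect). The content it audits is constructed, and its addresses come from documentation ranges.

```python
"""Audit a Windows hosts file for entries that redirect names to real addresses.

Added example, not code from this thread or from Microsoft. Fix it 50267
(step 2 above) resets the hosts file; this script shows what a tampered
hosts file looks like before the reset, using constructed content. The
addresses in it are documentation ranges, not real hosts.
"""
import os
import ipaddress

# Constructed hosts file: the two default loopback lines, a harmless
# blocklist-style entry, and one entry that hijacks an update host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example
203.0.113.7     update.example-av.test   www.example-av.test
"""


def windows_hosts_path():
    """Location of the live hosts file (SystemRoot is set on Windows)."""
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return os.path.join(root, "system32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Return [(line_no, address, [hostnames])] for every non-comment mapping."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((no, parts[0], parts[1:]))
    return entries


def is_sinkhole(address):
    """Loopback or unspecified addresses only block a name; they cannot redirect it.
    Anything unparsable is treated as not-a-sinkhole so it gets reported too."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Return the entries that send a name to a real (routable-looking) address."""
    suspicious = []
    for no, address, names in parse_hosts(text):
        if not is_sinkhole(address):
            suspicious.append({"line": no, "address": address, "names": names})
    return suspicious


if __name__ == "__main__":
    for hit in audit_hosts(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['address']} -> {', '.join(hit['names'])}")
```

On a live machine, read `windows_hosts_path()` and pass its contents to `audit_hosts`; a clean Windows XP hosts file yields no hits, so anything reported is either a deliberate local override or exactly the kind of entry the Fix it reset removes.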
