
How do I remove Win32Alureon-Eu Virus correctly


1 reply to this topic

#1 Dracarys

  • Members
  • 3 posts

Posted 31 January 2010 - 01:18 PM

I recently received a virus message from Avast yesterday. I tried to contain it and Avast reported that the file was currently in use, so I had Avast contain the file on system restart. The computer blue screened, restarted, and I had to restart the computer at the last working configuration. If you need any more info I'd be happy to post. Sorry for the quick title.
atapi.sys
C:\WINDOWS\system32\drivers
Virus description: Win32Alureon-Eu

Here's the only BSOD debugging info I have from the .dmp file:

Microsoft Windows Debugger Version 6.11.0001.404 X86
Copyright Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available

Comment: 'Dr. Watson generated MiniDump'
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS Personal
Machine Name:
Debug session time: Sun Jan 31 08:58:23.000 2010 (GMT-6)
System Uptime: not available
Process Uptime: 0 days 0:49:10.000
................................................................
..................................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(3ac.834): Access violation - code c0000005 (first/second chance not available)
eax=02d7f4e4 ebx=00000000 ecx=d7972b39 edx=0cdff008 esi=ffffffff edi=0665e345
eip=100e6f80 esp=02d7f4ac ebp=06de3d30 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200286
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Flash10d.ocx -
Flash10d+0xe6f80:
100e6f80 8b4618 mov eax,dword ptr [esi+18h] ds:0023:00000017=????????

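The debugger lines quoted above are a Dr. Watson user-mode minidump ("User Mini Dump File") of a process that faulted inside Flash10d.ocx; they describe a user-mode crash, not the kernel-mode blue screen involving atapi.sys. As an added example that is not part of the original post, the Python below parses that excerpt, re-derives the faulting address from the register dump and the memory operand of the faulting instruction, and checks it against the address WinDbg printed. The excerpt is copied inline (constructed from the post) so the script runs offline; the regular expressions, the effective_address() and analyze() functions, and the field names they return are my own and do not correspond to any WinDbg or Python library API.

```python
"""Re-derive the fault described by the WinDbg excerpt in the post above.

Added example, not code from the thread. Demonstrates how the faulting address
WinDbg prints after the instruction (ds:0023:00000017) follows from the
register dump: esi=0xffffffff plus a displacement of 0x18, wrapped to 32 bits.
"""
import re

# Constructed input: the debugger lines from the post, trimmed to those used.
DUMP_EXCERPT = """\
User Mini Dump File: Only registers, stack and portions of memory are available
Comment: 'Dr. Watson generated MiniDump'
Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
(3ac.834): Access violation - code c0000005 (first/second chance not available)
eax=02d7f4e4 ebx=00000000 ecx=d7972b39 edx=0cdff008 esi=ffffffff edi=0665e345
eip=100e6f80 esp=02d7f4ac ebp=06de3d30 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200286
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Flash10d.ocx -
Flash10d+0xe6f80:
100e6f80 8b4618 mov eax,dword ptr [esi+18h] ds:0023:00000017=????????
"""

RE_REGS = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})")
RE_EXC = re.compile(r"\(([0-9a-f]+)\.([0-9a-f]+)\): (.+?) - code ([0-9a-f]{8})")
RE_MOD = re.compile(r"^(\w+)\+0x([0-9a-f]+):\s*$", re.M)
# address, opcode bytes, instruction text, then the segment:selector:address WinDbg resolved
RE_INSN = re.compile(
    r"^([0-9a-f]{8}) ([0-9a-f]+) (.+?) ([a-z]s):([0-9a-f]{4}):([0-9a-f]{8})=", re.M)
# MASM-style operand: [base], [base+index*scale], [base+disp], with optional 'h' hex suffix
RE_MEM = re.compile(
    r"\[(e[a-z]{2})(?:\+(e[a-z]{2})(?:\*([1248]))?)?(?:([+-])([0-9a-f]+)(h?))?\]")


def effective_address(operand, regs):
    """Evaluate a 32-bit memory operand such as [esi+18h] against a register map."""
    m = RE_MEM.search(operand)
    if not m:
        raise ValueError("no memory operand in %r" % operand)
    base, index, scale, sign, disp, hsuffix = m.groups()
    ea = regs[base]
    if index:
        ea += regs[index] * int(scale or 1)
    if disp:
        d = int(disp, 16 if hsuffix else 10)  # MASM: '18h' is hex, bare digits decimal
        ea += d if sign == "+" else -d
    return ea & 0xFFFFFFFF, base  # x86 address arithmetic wraps modulo 2**32


def analyze(text):
    """Summarise a WinDbg register/instruction excerpt as a dict of facts."""
    regs = {name: int(val, 16) for name, val in RE_REGS.findall(text)}
    exc, mod, insn = RE_EXC.search(text), RE_MOD.search(text), RE_INSN.search(text)
    if not (exc and mod and insn):
        raise ValueError("excerpt lacks the exception, module or instruction line")
    computed, base = effective_address(insn.group(3), regs)
    reported = int(insn.group(6), 16)
    offset = int(mod.group(2), 16)
    result = {
        "dump_kind": "user-mode minidump" if "User Mini Dump" in text else "kernel dump",
        "pid": int(exc.group(1), 16),
        "tid": int(exc.group(2), 16),
        "exception_code": int(exc.group(4), 16),   # 0xC0000005 = STATUS_ACCESS_VIOLATION
        "module": mod.group(1),
        "offset": offset,
        "eip": regs["eip"],
        "module_base": regs["eip"] - offset,       # eip minus export-symbol offset
        "instruction": insn.group(3),
        "base_register": base,
        "registers": regs,
        "computed_address": computed,
        "reported_address": reported,
        "address_matches": computed == reported,
        "notes": [],
    }
    if regs[base] == 0xFFFFFFFF:
        result["notes"].append(
            "%s holds 0xffffffff (-1), a common error sentinel being used as a pointer" % base)
    if computed < 0x10000:
        result["notes"].append(
            "target is in the first 64 KiB, which Windows never maps in user mode: a near-null read")
    return result


if __name__ == "__main__":
    r = analyze(DUMP_EXCERPT)
    print("%s, pid %x tid %x, exception %08x in %s+0x%x (base 0x%08x)" % (
        r["dump_kind"], r["pid"], r["tid"], r["exception_code"],
        r["module"], r["offset"], r["module_base"]))
    print("%s -> reads 0x%08x (WinDbg says 0x%08x, match=%s)" % (
        r["instruction"], r["computed_address"], r["reported_address"], r["address_matches"]))
    for note in r["notes"]:
        print(" -", note)
```

Two things the output makes visible that the raw excerpt does not: the read at esi+0x18 lands at 0x17 only because esi is 0xffffffff (-1) and the addition wraps, so the crash is a -1 sentinel being dereferenced rather than a corrupted heap pointer; and eip minus the export-symbol offset gives a module base of 0x10000000, the classic default DLL image base, consistent with the OCX loading at its preferred address on XP (no ASLR). Neither fact says anything about atapi.sys; the blue screen would need the kernel dump, not this Dr. Watson file.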
#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 31 January 2010 - 10:39 PM

Hello.

Appears to be a TDL3 rootkit infection. Let's confirm that. Run GMER for me.

Download and Run GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.




