Alureon-EU a.k.a. "the Thing That Keeps Popping Up in Avast" Thread

Okay, now, since we’re having so many problems with this bullcrap, and apparently two antivirus programs list it as the same rootkit (but with different names), I decided I should make a general topic about this nasty.

What is it? Why can’t antivirus block and delete it? Ask away, here.

Here is my case:

I am running Windows XP Pro SP3 dual-boot with Windows 7, which I rarely use. While I was browsing the net (not a dangerous site), the avast! virus screen popped up. It told me I had Win32:Alureon-EU, and to my surprise, I had dealt with the Alureon family before (Alureon-DA, I think) and it was successfully killed. On to the new one, though. I immediately turned off the network connection, knowing Alureon is very dangerous and high-risk and stuff. I kept clicking on ‘move to chest’ and ‘delete’, but avast! detected something in the temp folder, also an Alureon-EU. Nothing happened; again, it popped up. I decided, despite the risks, to go online and ask for help.

Later, I turned off the computer, but Windows XP gave me an error, so I went to 7. I went to find more help and tried numerous things; nothing worked.

I can currently access the XP partition, but I cannot run the boot CD (it gives me an error in a black screen).

Any ideas, people? How can I get rid of this?

Please sticky this; members should notice it.

Same answer I gave in your other thread concerning this: http://forum.avast.com/index.php?topic=52369.msg444012;topicseen#msg444012

Why, thank you, I will look into this.

Still, I felt like we needed a general thread to discuss it, without a confusing title (or at least a title that I can associate it with) and without people making numerous threads about this.

There’s a pretty good chance your atapi.sys has been patched (if your antivirus detects a spawned DLL from this rootkit… I think it’s called AlureonCT). But like all malware, they tend to have derivatives and variants.

One easy way to find out if you have a patched atapi.sys is to run the latest copy of GMER Anti-RootKit. Upon opening GMER, it will run a very fast quick scan. If you see any entries like \DEVICEHARDDISK\Atapi (something like that) or atapi.sys “suspicious modification” (especially this one), then you’re probably dealing with a very nasty rootkit. There are others here more versed in this; they can assist much further and give a more step-by-step approach to remedying this issue.
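The GMER check above only works inside the running XP. The same question, whether the on-disk atapi.sys still matches a pristine copy, can be answered from the Windows 7 side or from a boot CD with the XP partition mounted, which also avoids a running rootkit filtering what the live system reports. The script below is an added example written for this thread, not a tool from the thread, from avast! or from GMER. It compares system32\drivers\atapi.sys byte-for-byte against the reference copies XP normally keeps in system32\dllcache and ServicePackFiles\i386, and, if they differ, parses the PE section table to name the sections whose raw bytes changed. The reference locations are assumed (missing ones are skipped), and the demo() function builds constructed fake driver images in a temp directory, with a single flipped byte standing in for a patch, so it runs without a real XP partition.

```python
"""Offline integrity check of a Windows driver against the cached copies XP keeps on disk.

Added example for the Alureon thread; paths and the sample images are assumptions.
Point check_driver() at a mounted XP partition's WINDOWS directory (e.g. D:\\WINDOWS).
"""
import hashlib
import os
import struct
import tempfile

DRIVER = "atapi.sys"


def pe_sections(data):
    """Parse PE section headers -> {name: (raw_offset, raw_size)}."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    first = coff + 20 + opt_size                               # first 40-byte section header
    sections = {}
    for i in range(nsect):
        off = first + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        sections[name] = (raw_off, raw_size)
    return sections


def changed_sections(live, ref):
    """Names of sections whose raw bytes differ, or that exist in only one image."""
    a, b = pe_sections(live), pe_sections(ref)
    out = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            out.append(name)
            continue
        (ao, asz), (bo, bsz) = a[name], b[name]
        if live[ao:ao + asz] != ref[bo:bo + bsz]:
            out.append(name)
    return out


def reference_paths(windows_root, name):
    # Assumed locations of untouched copies on XP; absent ones are simply skipped.
    return [
        os.path.join(windows_root, "system32", "dllcache", name),
        os.path.join(windows_root, "ServicePackFiles", "i386", name),
    ]


def check_driver(windows_root, name=DRIVER):
    """Compare the live driver with every reference copy found; verdict is
    'no_reference', 'clean' (identical to at least one copy) or 'modified'."""
    with open(os.path.join(windows_root, "system32", "drivers", name), "rb") as f:
        live = f.read()
    refs = {}
    for path in reference_paths(windows_root, name):
        if os.path.isfile(path):
            with open(path, "rb") as f:
                refs[path] = f.read()
    report = {
        "live_sha256": hashlib.sha256(live).hexdigest(),
        "reference_sha256": {p: hashlib.sha256(d).hexdigest() for p, d in refs.items()},
    }
    if not refs:
        report["verdict"], report["changed_sections"] = "no_reference", []
    elif any(d == live for d in refs.values()):
        report["verdict"], report["changed_sections"] = "clean", []
    else:
        report["verdict"] = "modified"
        report["changed_sections"] = changed_sections(live, next(iter(refs.values())))
    return report


def build_fake_pe(sections):
    """Minimal PE32 image with the given {name: bytes} sections. Constructed test
    scaffolding only: it parses correctly but is not a loadable driver."""
    opt_size = 0xE0
    hdr_len = (0x40 + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    body, sect_hdrs = b"", b""
    for name, payload in sections.items():
        raw_off = hdr_len + len(body)
        raw_size = (len(payload) + 0x1FF) & ~0x1FF
        body += payload.ljust(raw_size, b"\0")
        sect_hdrs += (name.encode().ljust(8, b"\0")
                      + struct.pack("<IIII", len(payload), raw_off, raw_size, raw_off)
                      + b"\0" * 16)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    return (dos + b"PE\0\0" + coff + b"\0" * opt_size + sect_hdrs).ljust(hdr_len, b"\0") + body


def demo(tamper=True):
    """Lay out a fake XP tree in a temp dir: clean copy in dllcache, live driver optionally patched."""
    clean = build_fake_pe({".text": b"\x8b\xff\x55\x8b\xec" * 40, ".rsrc": b"RSRC" * 32})
    live = bytearray(clean)
    if tamper:
        text_off = pe_sections(clean)[".text"][0]
        live[text_off + 10] ^= 0xFF          # simulated in-place patch of code bytes
    with tempfile.TemporaryDirectory() as root:
        for sub in (("system32", "drivers"), ("system32", "dllcache")):
            os.makedirs(os.path.join(root, *sub))
        with open(os.path.join(root, "system32", "drivers", DRIVER), "wb") as f:
            f.write(live)
        with open(os.path.join(root, "system32", "dllcache", DRIVER), "wb") as f:
            f.write(clean)
        return check_driver(root)


if __name__ == "__main__":
    print(demo())
```

A "modified" verdict only says the live file differs from the cached copies; a legitimate hotfix can leave them out of sync too, so confirm the file's signature (for example with Sysinternals sigcheck) before acting on it, and a clean atapi.sys does not rule out another driver having been patched instead. The section names in the report tell you where to look when you do open the file in a disassembler or hex editor.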

Yeah, but I can’t run XP. I don’t think it can check the registry from another OS.

I DON’T NEED YOUR &^&^^*&^ HELP!!! NOW NO ONE IS HELPING ME, THANKS TO YOU!!! I can’t do anything if I can’t start in Safe Mode.

Help! Masley is hijacking the thread! Oh no!

You know, I have the same damn problem, so you should be happy I’m trying to help you. Sorry for hijacking the thread, but you can stop being a jerk now.


Any ideas guys?

http://dl.dropbox.com/u/3105891/Pics/Random%20gifs/stop.gif

Is there any need for the profanities guys?

Please just keep to yourselves and sort your own issues out…

Personally, I feel that seeing as you are both infected, neither should be helping the other…You should be helped by someone who is qualified to do so…each in your own thread…

Lets end it here shall we?

-Scott-

Hello, I’m new and a bit lost on the site. Could you help me get out of this? I have a Trojan horse on my PC: a Trojan horse with mybrowserbar. Thanks for your reply, and otherwise could you please tell me where to ask questions to get an answer. Bye, see you later, I hope.

Welcome to the forums, clo35,

This topic is about Alureon, so please start a new topic in the viruses and worms section to avoid confusion. Click this link to start a new topic.

Okay, guys, I’m moving all the data I will possibly need off my XP; then I will format my entire C drive and do a clean install of Windows 7.

Is that a good idea?