TheStubware version 1.7.8, library date 2010-04-11
This guide has three parts:

Part 1: Symptoms of Trojan.Alureon (Win32/Alureon)

Part 2: Manual and automatic removal guide

Part 3: Solution for infection by a new variant

Symptoms of Trojan.Alureon (Win32/Alureon)

Trojan.Alureon (Win32/Alureon), also known as TR/Alureon, is a family of data-stealing trojans. They are installed on a computer through a web browser security exploit. Once a variant of this family is active, it infects a Windows driver file and modifies the computer's DNS settings. This lets an attacker intercept incoming and outgoing internet traffic and harvest confidential information such as user names, passwords, and credit card data.

Symptom 1. Once a computer is infected by a Win32/Alureon variant, several DLLs are added to the folder "C:\Windows\System32":

tdlcmd.dll

tdlclk.dll

tdlwsp.dll

The trojan injects these DLLs into every process and hides them so that some security programs cannot detect them. You can still test whether they exist: create a new file in the "C:\Windows\System32" folder and try to rename it to one of the DLL names. If the rename fails, a hidden copy of that trojan DLL is present on your computer.

The following image shows what happens when "tdlcmd.dll" is hidden in "C:\Windows\System32" and you try to rename a newly created text file to "tdlcmd.dll": you get an error message like this one.

Error message when renaming a file to an existing DLL


Symptom 2. A Windows driver file is modified so that the trojan starts automatically when Windows starts. Because the targeted driver is also loaded in safe mode, the trojan runs in safe mode too. Different variants target different driver files; the most commonly targeted one is the ATA miniport driver "atapi.sys", located in the "C:\Windows\System32\drivers" folder. If you simply delete the infected "atapi.sys", Windows will NOT start any more.

Symptom 3. Some variants modify the DNS settings.

The DNS (Domain Name System) settings tell the computer which servers map domain names to IP addresses, that is, human-readable names to machine-readable addresses. When a user tries to visit a URL, the browser asks the configured DNS servers for the IP address of the requested domain. If the computer is pointed at a malicious server that is not part of the authoritative Domain Name System, the attacker can return IP addresses of their choosing for particular domain names, silently directing the user to bogus or malicious sites.

You can check your DNS settings with the following steps:

  • 1. Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
  • 2. Right-click the network connection that you want to check, and then click Properties.
  • 3. On the General tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The configuration window looks like this:

DNS settings window


On most computers the DNS setting is "Obtain DNS server address automatically". Some variants of Win32/Alureon change it to "Use the following DNS server addresses" and enter two IP addresses that belong to malicious servers. Check with your ISP to confirm what your DNS server addresses should be.
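The two checks above (the rename test for the hidden DLLs and the DNS inspection) can be run from a script. This is an added example, not part of the original guide; it assumes Windows PowerShell 3.0 or later running from an elevated prompt, and only the three DLL names come from the text.

```powershell
# Added example, not from the original guide. Probes for the three hidden
# Win32/Alureon DLLs and lists adapters with a hand-entered DNS server list.
# Assumes Windows PowerShell 3.0+ run from an elevated prompt.
$system32 = Join-Path $env:SystemRoot 'System32'
$tdlNames = 'tdlcmd.dll', 'tdlclk.dll', 'tdlwsp.dll'

function Test-HiddenFile {
    param([string]$Directory, [string]$Name)
    $target = Join-Path $Directory $Name
    # A rootkit-hidden file does not appear in directory listings, so the
    # guide's test is to claim the name yourself: creating a file with that
    # name succeeds only when nothing already occupies it.
    if (Test-Path -LiteralPath $target) { return 'present (visible)' }
    try {
        $fs = [System.IO.File]::Open($target, [System.IO.FileMode]::CreateNew)
        $fs.Close()
        Remove-Item -LiteralPath $target -Force     # remove our probe file
        return 'absent'
    } catch [System.IO.IOException] {
        # CreateNew refuses to overwrite: the name is taken by a hidden file
        return 'present (hidden)'
    } catch [System.UnauthorizedAccessException] {
        return 'unknown (access denied; run elevated)'
    }
}

foreach ($name in $tdlNames) {
    '{0,-12} {1}' -f $name, (Test-HiddenFile -Directory $system32 -Name $name)
}

# Symptom 3 check. Addresses typed under "Use the following DNS server
# addresses" are stored in each interface's NameServer registry value;
# DHCP-assigned ones are stored in DhcpNameServer. Only interfaces with a
# static list are reported; verify those addresses with your ISP.
$adapters = @{}
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $adapters[$_.SettingID] = $_.Description }
$ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*'
Get-ItemProperty -Path $ifKey | Where-Object { $_.NameServer } | ForEach-Object {
    $guid = Split-Path $_.PSPath -Leaf
    [pscustomobject]@{
        Adapter   = if ($adapters.ContainsKey($guid)) { $adapters[$guid] } else { $guid }
        StaticDns = $_.NameServer
        DhcpDns   = [string]$_.DhcpNameServer
    }
} | Format-Table -AutoSize
```

A "present (hidden)" result for any DLL, or a static DNS list you did not configure yourself, corresponds to Symptom 1 or Symptom 3 above.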

How to remove Trojan.Alureon (Win32/Alureon)


Manual removal instructions

Note: Because this trojan family has many variants and all of them infect important Windows driver files, it is very difficult for a general user to remove manually. If you still want to try the manual method, read the full instructions carefully before you start.

The following steps are an example of manually removing one Trojan.Alureon variant, the one that infects the "atapi.sys" file.

Step 1. Make a Windows recovery disc (Vista and Windows 7) or install the Windows Recovery Console (XP)

  • If you run Vista or Windows 7 and already have a recovery disc, skip this step. If you do not have one, follow the steps on this page to make one: How to make a Windows recovery disc
  • If you run Windows XP, follow the steps on this page to install the Windows Recovery Console

Step 2. Find a clean "atapi.sys" file

Usually this trojan infects only the live "atapi.sys" in the "C:\Windows\System32\drivers" folder; several clean copies of "atapi.sys" may exist elsewhere on your computer. Search your computer for "atapi.sys" and compare the file size of the copy in "C:\Windows\System32\drivers" with the copies found elsewhere: the infected one is usually larger than the clean one. (NOTE: This guide is only for the variant that infects "atapi.sys"; other variants infect other driver files, and this guide will not fix them.) If you find a clean "atapi.sys", copy it to a place where you can easily find it, for example "C:\". If you cannot find a clean one, copy it from another computer running the same operating system as yours, again to "C:\".
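The size comparison in Step 2 can be automated, and extended with a hash and file version so that two copies of equal size can still be told apart. This is an added example, not part of the original guide; it assumes Windows PowerShell 4.0 or later (for Get-FileHash) running from an elevated prompt.

```powershell
# Added example, not from the original guide. Finds every copy of atapi.sys
# on the system drive and compares each against the live driver, as Step 2
# does by size; SHA-256 and file version are added for disambiguation.
# Assumes Windows PowerShell 4.0+ run from an elevated prompt.
$liveDriver = Join-Path $env:SystemRoot 'System32\drivers\atapi.sys'

function Get-DriverCopies {
    param([string]$Name, [string]$Root = "$env:SystemDrive\")
    Get-ChildItem -Path $Root -Filter $Name -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Size    = $_.Length
                Version = $_.VersionInfo.FileVersion
                Sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$copies = @(Get-DriverCopies -Name 'atapi.sys')
$live   = $copies | Where-Object { $_.Path -ieq $liveDriver }
$others = @($copies | Where-Object { $_.Path -ine $liveDriver })

$copies | Sort-Object Size |
    Select-Object Size, Version, @{n='Sha256'; e={$_.Sha256.Substring(0,16)}}, Path |
    Format-Table -AutoSize

if (-not $live) {
    Write-Warning "No readable copy at $liveDriver"
} else {
    # Copies sharing the live driver's hash are known-identical. If none does
    # and the live copy is the largest (the guide's rule of thumb), treat it
    # as the suspect file and prefer a same-version copy as the clean
    # replacement for Step 4.
    $matching = @($others | Where-Object { $_.Sha256 -eq $live.Sha256 }).Count
    $largest  = ($copies | Measure-Object Size -Maximum).Maximum
    if ($others.Count -gt 0 -and $matching -eq 0 -and $live.Size -eq $largest) {
        Write-Warning 'Live atapi.sys matches no other copy and is the largest: suspect.'
        $others | Where-Object { $_.Version -eq $live.Version } |
            ForEach-Object { "Candidate clean copy: $($_.Path)" }
    } else {
        "Live atapi.sys matches $matching of $($others.Count) other copies."
    }
}
```

The sizes and hashes are read through the running system; the replacement itself is done from the recovery environment in Steps 3 and 4, as the guide describes.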

Step 3. Boot your computer from the recovery disc (Vista or Windows 7) or into the Recovery Console (XP)

Insert your recovery disc in the CD-ROM drive and reboot your computer. Follow the prompts until you see the System Recovery Options window, then click Command Prompt; a command prompt window opens. On Windows XP, booting into the Recovery Console gives you a similar command prompt window.

Step 4. Replace the infected atapi.sys with a clean one

Type the following command in the command prompt window (the live driver is the one in the "drivers" folder, as described in Symptom 2):

copy C:\atapi.sys C:\Windows\System32\drivers\atapi.sys

You must have copied a clean atapi.sys to "C:\" (Step 2) before booting into the recovery environment.

Step 5. Delete the other DLLs created by Win32/Alureon

Type the following commands in the command prompt window:

del C:\Windows\system32\tdlcmd.dll
del C:\Windows\system32\tdlclk.dll
del C:\Windows\system32\tdlwsp.dll

Now reboot the computer into normal mode and check whether the trojan is gone.


Automatic removal instructions

Several antispyware programs can completely remove this malware:

MalwareBytes:
MalwareBytes is an excellent antispyware program, and the company provides a free version for personal users.
Download and install MalwareBytes Anti-Malware (MBAM).

Screenshot: main interface of MalwareBytes' Anti-Malware


AVG Antivirus:
AVG Antivirus is another well-known antivirus protection tool. The AVG Free Edition is available free of charge to home users for the life of the product.

Download and install AVG Free Edition

Screenshot: main interface of AVG

Solution for infection by a new variant

If you followed the steps above but the malware is still present, or some objects cannot be deleted, your computer is probably infected by a new variant or there are hidden objects that have not been detected. We provide a free diagnostic scan tool ("TheStubware") that scans your computer and generates a scan log file for analysis; it is designed specifically to find stubborn malware. Submit your log file to support@TheStubware.com; we will analyse it and send you back a removal script that removes the new variant or hidden objects found in your log.

Download and install TheStubware

Copyright © 2009 - TheStubware.com All rights reserved