Win32 Alureon and its removal from Windows computers

This past week MLD Services ran into a particularly nasty virus called Win32 Alureon that was installed on a client's laptop. Symptoms of the infection were the disabling of the free version of Avast and redirects from the website the user was trying to view to infected sites attempting to install more malware.

Here is Microsoft’s definition:

Win32/Alureon is a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the trojan is removed from the computer.

Win32/Alureon may also infect and corrupt certain driver files, causing them to become unusable.

This virus is especially hard to detect and hard to properly remove. The anti-virus products that do identify the problem label it as an RAS Automatic Connection Driver infection (rasacd.sys) or as some form of Win32 Alureon.

Some online articles refer you to a set of instructions which will remove the infected file rasacd.sys and then restore the original file either from a CD, DVD or the i386 directory, but somehow MLD Services found a way around this using a combination of products that apparently have resolved the issue. It is quite possible that our issue had not corrupted the file rasacd.sys even though OneCare Live pointed out that file as the issue.

The first step in troubleshooting any malware or computer virus infection is to properly identify the problem! In this instance we used OneCare Live from Microsoft to identify the problem and allowed it to clean up what it could. Note that the anti-virus software installed on the system was disabled and useless.

The second step was to run a lesser-known tool called "VIPRE Rescue Program" from Sunbelt Software. You can find the instructions for use and download the tool here on Sunbelt's website.

Our third step was to run Malwarebytes and clean any problems that it detected.

The fourth step was to run OneCare Live one more time, and if it was clean we tested by browsing multiple websites such as msnbc.com, google.com, symantec.com, and other popular web sites.

Some of the free anti-virus products claim to be able to stop this infection, but running a full set of security tools is the only way to go. This includes anti-virus, anti-spyware, anti-malware, and firewall tools, and possibly third-party services such as OpenDNS to assist in keeping you safe on the Internet. All computer users, regardless of operating system, need to run daily updates and then run full scans at least once a week.
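Because this family may change the DNS settings on the infected machine (see Microsoft's definition above), the final check after cleanup should include looking at which resolvers each adapter is actually using. The following PowerShell script is an added example, not code from the original post or from MLD Services; it works on Windows 7-era PowerShell through WMI, and the `$Expected` allowlist is an assumption you must replace with your own router or ISP resolvers (the OpenDNS addresses are its public resolvers, listed only as one possible choice).

```powershell
# Added example: audit the DNS servers configured on every IP-enabled adapter
# and flag any resolver that is not on the expected list. A resolver you do not
# recognise after a cleanup is worth checking before trusting the machine again.

# Assumption: replace with the resolvers your network actually uses. The last two
# are OpenDNS's public resolvers, included here only as an illustrative allowlist.
$Expected = @('192.168.1.1', '208.67.222.222', '208.67.220.220')

# Win32_NetworkAdapterConfiguration.DNSServerSearchOrder reports the effective
# resolver list, whether it came from DHCP or was set statically.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"

$unexpected = 0
foreach ($a in $adapters) {
    $servers = @($a.DNSServerSearchOrder)
    if ($servers.Count -eq 0) {
        Write-Output ("{0}: no DNS servers configured" -f $a.Description)
        continue
    }
    foreach ($s in $servers) {
        if ($Expected -contains $s) {
            Write-Output ("{0}: {1} (expected)" -f $a.Description, $s)
        } else {
            $unexpected++
            Write-Warning ("{0}: unexpected DNS server {1} - verify where this setting came from" -f $a.Description, $s)
        }
    }
}

if ($unexpected -eq 0) {
    Write-Output "All adapters use expected DNS resolvers."
} else {
    Write-Output ("{0} unexpected resolver entries found." -f $unexpected)
    # To put an adapter back on DHCP-assigned resolvers once you have confirmed the
    # entry is wrong, call the WMI method with $null (shown here, not executed):
    #   $a.SetDNSServerSearchOrder($null) | Out-Null
}
```

Run it from an elevated PowerShell prompt so the WMI query can see every adapter; the resulting list is a quick way to confirm that the reconfiguration Microsoft mentions has actually been done.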

If you have any questions or concerns please use our contact page for information on how we can be reached.
