How to remove this Virus:Win32/Alureon.H RRS feed

  • Question

  • I have Microsoft Forefront Client Security installed on my machine(HP PROBOOK 4510S) which always comes with the following message: Review harmful or potentially unanted items. It descoverd Win32/Alureon.H on the machine but cannot clean/remove it. The taskbar icon is aalways red. I tried to get the latest definitions updates from microsoft but get an error message. I tried other softwares but nothing seems to work. I even tried to format the hard drive but I get a blue screen. Is theRE any other way(even manually step by step) to remove this Win32/Alureon.H from my machine.
    kgomotso kgomotso.mogole@randfontein.org.za
    Friday, June 18, 2010 12:56 PM


All replies

  • Hi,

    See this link, it's about OneCare and I think it's similar with FCS http://social.microsoft.com/Forums/en-US/onecareanti-virus/thread/3062c1fd-c653-41ad-8910-822de6520226 

    Also you can submit file to Microsoft, they will do the best to solve this problem https://www.microsoft.com/security/portal/Submission/Submit.aspx




    Friday, June 18, 2010 5:09 PM
  • Hi!

    I would realy reinstall the computer (if that is an option for you). Alureon is nasty and very hard to remove.

    Just boot from the CD and format the drive from there. now, make sure you don't get reinfected from a backup when you restore your files.

    Another thing you can try is if you have another computer. You can map the c drive of your infected computer and do a remote scan from that machine, this could trick the rootkit functionality of Alureon. WARNING! this could mean that the other computer also gets infected, so use a spare computer to do this (that you later also reinstall). Also...do this on a separate isolated network.

    Hope you get rid of Alureon!


    MCSE, forefront spec | www.msforefront.com
    Saturday, June 19, 2010 10:58 AM
  • Google TDSKiller.    It worked for us. 




    Dave Zuver

    Thursday, July 8, 2010 8:30 PM
  • This is the summary of my experience with Microsoft® Windows Live OneCare Safety Center. I hope that this helps save YOUR computer from NASTY bugs / viruses, without all of the research and pain that I went through!



    • Win32 Error Window pops up on my screen and ultimately distorts my menu bar, etc.
    • "Second Page" pop ups occur as soon as I enter Internet Explorer, which are sometimes hard to close
    • All "Search Engine" links (Google, BING, etc.) are re-directed to some OTHER page that is designed to steal your identity / usernames / passwords / banking account info, etc. (this virus will track you through any banking / credit card transactions, etc. on the internet)
    • All Windows Update functions are blocked / unusable

    Microsoft® has a "Safety Scanner" that you run to thoroughly identify the risks and issues on your computer. Completely! (The Win32 Alureon H Virus was detected (but could not be removed), among many other problems that the Safety Scanner WAS able to clean / fix.) From that, you are forwarded to a "Live Chat" with a Technical person to review the Scanner results. NO WAITING . . . the Technician showed up within seconds!) To get to the Windows Live OneCare Safety Center, use the following link:




    Daniel, the Microsoft® Technician, took care of me by taking shared control over my computer with a "Desktop Share" and immediately went to work on it. He told me that NONE of the Malware programs or Anti-Virus programs had what it takes to eradicate this nasty virus from Windows. And, as we observed, even the Microsoft® Malware programs can only PARTIALLY remove the Win32 viruses. They have a special program, contracted to Microsoft®, that now helps them do it. He placed "TDSS Killer" on my computer, scanned and removed / fixed this virus.


    This nasty virus is transmitted through Downloads from the Internet. It is contained, unknowingly, in many popular sites such as Facebook or other popular download sites.This virus specifically BLOCKS ALL Windows Updates and also "re-directed" my computer from all Search Engine items / links to Spam and false "data collecting" sites. It was also the cause for the unwanted Pop-Ups to Spam Sites when loading Internet Explorer. This virus is designed to take you to places so that they can get your passwords, usernames, banking account numbers, credit cards, etc. Specifically, it loads when you go to sights that require passwords and account numbers in order to steal them. Very dangerous indeed!


    The Microsoft® surgery by Daniel was so impressive! Took about 1 ½ hours, but so incredibly effective. After removing the Win32 Alureon H virus from my computer, he also proceeded to wipe out a variety of "Temp" files & folders, some deep into Windows, from what I was observing by watching him navigate my system. The "%temp%" in Start / Run or "*.tmp;*.chk;~*.*" in Start / Search are things he did to manually find / delete these Temp Files & Folders. Plus he went to specific folders. Also wiped clean all cookies and temporary internet files / folders and stored items within the "Browsing History" under "Internet Options".


    Several times, I had to "restart" my computer. However, the procedure and "Desktop Share" allowed Microsoft® to be there when I came back each time.


    Again, this guy was a clinical surgeon!!! And, in the end, he has transformed my computer to its current, yet cleaned, state. No "re-build" necessary!!!


    After he was done, I went into Windows Update and I had over 20 Security and other "Fix" updates to load. I also re-installed Internet Explorer 8.0 (Daniel recommended this) and it performed the Microsoft® Malware scan again. When I re-ran "Full Scans" using my "Malwarebytes.org" and "Superantispyware.com" malware programs again (with recent updates), my system was totally clean. Also ran McAfee Full Scan with recent updates and nothing!!!


    The result:

    • No more Win32 Errors
    • No more PopUps when entering Internet Explorer
    • No redirects from Google, BING searches
    • Windows Updates are now active again (set up for daily checks)
    • No viruses or Malware currently exists on my computer


    Bottom line: Win32 viruses, such as Alureon H, are extremely nasty and nothing short of surgery can remove them. And it attacks / blocks most "fixes". Overall, a great experience with Microsoft®.


    I will be sure to clean my computer REGULARLY with all of these new tools!


    The "Microsoft® Windows® Malicious Software Removal Tool (KB890830)" can be found at:




    "Microsoft® Windows Defender" can be found at:




    BTW, the latest "definitions" for Windows Defender can be found at:




    Kind Regards,

    Wednesday, August 11, 2010 3:42 PM
  • If you have the Microsoft Diagnostics and Recovery Toolset version 6.5 CD from the MS Desktop Optimization Pack then you can boot up from the CD and run the Standalone System Sweeper. I have had a lot of success removing rootkits with it. Alureon.H in particular I have removed a lot.

    What I do is first do a full scan with Malwarebytes. Then boot into MS DaRT and full scan.


    Friday, September 10, 2010 1:48 PM
  • Google TDSKiller.    It worked for us. 




    Dave Zuver

    It worked for me as well!!
    Friday, September 24, 2010 10:25 PM
  • I would first try the suggestion I found below...


    Unfortunately, I did not find this link until I had manually fixed the problem. So if the above link does not work for you, here is what I did to successfully remove Alureon.H ...

    1. On my system, the Alureon.H virus was in the file netbt.sys. On my restore disk in the I386 directory, I found the file netbt.sy_ and copied it to the directory Windows/system32/drivers without renaming it. (somewhere, somehow you must find a valid netbt.sys file like I did.)
    2. I next download the AVG rescue disk at:
    3. With that file, I made a bootable cd, booted the rescue CD and ran a full system check overnight. It found several viruses including the virus in netbt.sys. However, it said the netbt.sys file was needed by the system to boot and should not be removed. I DELETED it anyway.
    4. Next using the utility File Manager on the rescue disk, I navigated to the Windows/system32/drivers directory and then copied netbt.sy_ to netbt.sys (cp netbt.sy_ netbt.sys).

    After rebooting, the virus was no longer found by the AVG rescure disk, the One Care Scanner or Microsoft Security Essentials.

    Tuesday, October 19, 2010 4:50 PM