Avast WEBforum

Other => Viruses and worms => Topic started by: Crying on July 22, 2009, 06:03:03 AM

Title: so i have just fallen victim to... Win32:Alureon-CE [Rtk] (please help!)
Post by: Crying on July 22, 2009, 06:03:03 AM
Cutting a long story short, I downloaded a program, a very popular program so I thought... I had downloaded this program many times before to my computer from many different sites, so I did not think much of it.. so I hit download and saved it to my desktop, and straight away I noticed that the icon was different from the other times I downloaded this program, so I right-clicked the icon and scanned with avast 4.8 Professional; the result was.. nothing. So I double-clicked my program and began to install; it only took a split second to install, and that's when I knew it: at the bottom right of my screen popped up a warning (with that hair-raising sound we all know) Warning! A virus has been detected! I had just fallen victim to this little pain in the backside..

ESQULserv.sys
Win32:Alureon-CE [Rtk]

I am guessing it is some kind of rootkit malware/spyware. Anyway, I opened up my browser and tried to do a little research with Google on Win32:Alureon-CE [Rtk], and noticed that when I clicked links my browser would take me to webpages that I did not intend to go to; for example, even when I googled avast forums and clicked the official link my browser took me to some kind of software download site. This happened many times with different searches I did.

So I moved it to avast's infamous virus chest, right-clicked and deleted it. Then I ran a boot-time scan on my computer, giving me this result..

07/22/2009 02:44
Scan of all local drives

File C:\Program Files\Common Files\INCA Shared\OnlineEngine\TYAVP_012.npz\TYAVP_012.bin Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 18172
Number of tested files: 272582
Number of infected files: 0

I am aware that Win32:Alureon-CE [Rtk] performs some kind of DNS-changing process, which explains why I was taken to websites I did not intend to go to by clicking on official links, but as you can see I deleted the file from my virus chest, I did a boot scan and the result shows 0 infected files, but this DNS-changing problem is still occurring when I click links (when I do a Google search my browser also takes a little longer to show the results; it used to be like 0.5 seconds, now it is like 5-10 seconds), so before I insert and run my recovery disk and reformat my whole system (which I do not really want to do) I was wondering if I could get any help and advice from you guys to save me the hassle of doing so...

I hope you understand my problem, and thanks for reading. Your help is much appreciated.
Title: Re: so i have just fallen victim to... Win32:Alureon-CE [Rtk] (please help!)
Post by: mathboyx215 on July 22, 2009, 06:42:35 AM
Please download Malwarebytes' Anti-Malware from here: http://www.malwarebytes.org/mbam.php
Update it and run a quick scan. If any infection was found, please make sure there is a check mark next to each infection. Then click on quarantine. If it asks you to restart your computer, please do so. Then post back your log from Malwarebytes.
Title: Re: so i have just fallen victim to... Win32:Alureon-CE [Rtk] (please help!)
Post by: Crying on July 22, 2009, 06:46:53 AM
Please download Malwarebytes' Anti-Malware from here: http://www.malwarebytes.org/mbam.php

When I click the link, or try to access www.malwarebytes.org in any way, I get "Internet Explorer cannot display the webpage". I guess I have a real problem on my hands ???
Title: Re: so i have just fallen victim to... Win32:Alureon-CE [Rtk] (please help!)
Post by: mathboyx215 on July 22, 2009, 06:51:28 AM
Try this link http://www.filehippo.com/download_malwarebytes_anti_malware/

Title: Re: so i have just fallen victim to... Win32:Alureon-CE [Rtk] (please help!)
Post by: Crying on July 22, 2009, 07:04:33 AM
Try this link http://www.filehippo.com/download_malwarebytes_anti_malware/

OK, downloaded and installed it. I got an error when I tried to update Malwarebytes, but the update date is 13/7/2009, so I am running a full scan right now; let's see what happens.
Title: Re: so i have just fallen victim to... Win32:Alureon-CE [Rtk] (please help!)
Post by: Crying on July 22, 2009, 07:36:12 AM
Here are my results from the Malwarebytes scan...

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 6.0.6002 Service Pack 2

22/07/2009 06:32:20
mbam-log-2009-07-22 (06-32-08).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 181882
Time elapsed: 29 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e0609d91-7bec-4bb2-8cee-2e1ed2d4145f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e0609d91-7bec-4bb2-8cee-2e1ed2d4145f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e0609d91-7bec-4bb2-8cee-2e1ed2d4145f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\pcname\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\NYF0LAF7\setup-trial[1].exe (Rogue.Installer) -> No action taken.
c:\Users\pcname\AppData\Local\microsoft\Windows\temporary internet files\Low\Content.IE5\W7CSC7NY\setup-trial[1].exe (Rogue.Installer) -> No action taken.
Title: Re: so i have just fallen victim to... Win32:Alureon-CE [Rtk] (please help!)
Post by: mathboyx215 on July 22, 2009, 07:41:08 AM
Did you remove the infected items? If not, run the scan again and remove them.
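The log above is only a record of what the scanner saw: as mathboyx215 points out, every entry ending in "No action taken." is still on the machine. Added here (not from the thread or from Malwarebytes) is a small Python parser for that 1.39 log layout that lists the findings still pending and pulls the rogue resolver addresses out of the Trojan.DNSChanger NameServer entries; the sample log is constructed from the lines quoted above, and the "Quarantined" line is made up to show a remediated entry.

```python
import re

# Constructed sample in the layout of the Malwarebytes 1.39 log quoted above:
# a section header ending in ':', then one "item (Family) -> [Data: ...] ->
# action" line per finding. NameServer values are the ones from the thread.
SAMPLE_LOG = r"""
Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.

Files Infected:
c:\Users\pcname\AppData\Local\Temp\setup-trial[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+)$"
)

def parse_mbam_log(text):
    """Return one dict per finding, tagged with the section it appeared in."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:  # summary lines like "Files Infected: 2" do not match
            section = sec.group("name")
            continue
        entry = ENTRY_RE.match(line)
        if section and entry:
            findings.append({"section": section, **entry.groupdict()})
    return findings

def pending_items(findings):
    """Entries the scanner listed but did not remove; these need a rescan."""
    return [f for f in findings if f["action"].startswith("No action taken")]

def rogue_dns_servers(findings):
    """Resolver addresses a DNS-changer detection found in NameServer values."""
    servers = set()
    for f in findings:
        if f["family"] == "Trojan.DNSChanger" and f["data"]:
            servers.update(ip.strip() for ip in f["data"].split(","))
    return servers
```

Any address returned by rogue_dns_servers that is not the ISP's or router's resolver is the reason links redirect even after the dropper file itself is gone.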
Title: Re: so i have just fallen victim to... Win32:Alureon-CE [Rtk] (please help!)
Post by: Crying on July 22, 2009, 07:45:13 AM
Did you remove the infected items? If not, run the scan again and remove them.
Sorry, it's 06:45am where I am and I have not been to sleep for over 24 hours, so I'm not exactly thinking to the best of my ability ::). I will rescan and remove them now.. I must say it was a good job that I ran a full scan instead of a quick scan; the quick scan I just ran found 6 infected files, all of them Trojan.DNSChanger, whereas the full scan found 8 infected files, 6 Trojan.DNSChanger and 2 Rogue.Installers.
Title: Re: so i have just fallen victim to... Win32:Alureon-CE [Rtk] (please help!)
Post by: mathboyx215 on July 22, 2009, 07:57:52 AM
Usually, a quick scan finds 99% of what a full scan will find. Also, I recommend you run another full scan after you have updated its database. Currently, you are not scanning with the latest database, so it might have missed something.
Title: Re: so i have just fallen victim to... Win32:Alureon-CE [Rtk] (please help!)
Post by: elm6588 on July 22, 2009, 08:15:06 AM
Hello, I am hoping you can help me. My computer was telling me that I had a virus; I downloaded avast today. How do I know that the virus was removed? Please help. ??? ???
Title: Re: so i have just fallen victim to... Win32:Alureon-CE [Rtk] (please help!)
Post by: mathboyx215 on July 22, 2009, 08:20:53 AM
Hello, I am hoping you can help me. My computer was telling me that I had a virus; I downloaded avast today. How do I know that the virus was removed? Please help. ??? ???
Please start your own topic.
Title: Re: so i have just fallen victim to... Win32:Alureon-CE [Rtk] (please help!)
Post by: Crying on July 22, 2009, 09:04:09 AM
@mathboyx215 After removing the 8 infected files Malwarebytes found I was able to update Malwarebytes (whereas before I got an error), so I ran yet another full scan and found a separate infected file, which has now also been removed. My DNS-changing problems seem to be fixed; I ran another full scan with Malwarebytes, then a boot-time scan with avast, and the results of both scans show 0 infected files, so I think my system is clean again. Thanks for your help mate! ;)
Title: Re: so i have just fallen victim to... Win32:Alureon-CE [Rtk] (please help!)
Post by: mathboyx215 on July 22, 2009, 09:05:45 AM
No problem. Glad I could help you ;D