Author Topic: so i have just fallen victim to... Win32:Alureon-CE [Rtk] (please help!)


Crying

  • Guest
Cutting a long story short i downloaded a program, a very popular program so i thought... i had downloaded this program many times before to my computer from many different sites so i did not think much of it.. so i hit download and saved it to my desktop, and straight away i noticed that the icon was different from the other times i downloaded this program, so i right clicked the icon and scanned with avast 4.8 professional, the result was.. nothing. so i double clicked my program and began to install, it only took a split second to install, that's when i knew it, at the bottom right of my screen popped up a warning (with that hair raising sound we all know) warning! a virus has been detected! i had just fallen victim to this little pain in the backside..

ESQULserv.sys
Win32:Alureon-CE [Rtk]

i am guessing it is some kind of rootkit malware/spyware, anyway, i opened up my browser and tried to do a little research with google on Win32:Alureon-CE [Rtk], and noticed that when i clicked links my browser would take me to webpages that i did not intend to go to, for example even when i googled avast forums and clicked the official link my browser took me to some kind of software download site, this happened many times with different searches i did.

so i moved it to avast's infamous virus chest, right clicked and deleted it. then i ran a boot time scan on my computer giving me this result..

07/22/2009 02:44
Scan of all local drives

File C:\Program Files\Common Files\INCA Shared\OnlineEngine\TYAVP_012.npz\TYAVP_012.bin Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 18172
Number of tested files: 272582
Number of infected files: 0

i am aware that Win32:Alureon-CE [Rtk] performs some kind of DNS changing process which explains why i was taken to websites i did not intend to go to by clicking on official links, but as you can see i deleted the file from my virus chest, i did a boot scan and the result shows 0 infected files, but this DNS changing problem is still occurring when i click links (when i do a google search my browser also takes a little longer to show the results, it used to be like 0.5 seconds, now it is like 5-10 seconds), so before i insert and run my recovery disk and reformat my whole system (which i do not really want to do) i was wondering if i could get any help and advice from you guys to save me the hassle of doing so...

i hope you understand my problem and thanks for reading. your help is much appreciated.

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Please download malwarebytes' anti-malware from here http://www.malwarebytes.org/mbam.php
Update it and run a quick scan. If any infection was found, please make sure there is a check mark next to each infection. Then click on quarantine. If it asks you to restart your computer, please do so. Then post back your log from malwarebytes.
It is not possible to divide anything by zero

Crying

Please download malwarebytes' anti-malware from here http://www.malwarebytes.org/mbam.php

when i click the link, or try to access www.malwarebytes.org in any way i get Internet Explorer cannot display the webpage, i guess i have a real problem on my hands ???

Offline mathboyx215


Crying

Try this link http://www.filehippo.com/download_malwarebytes_anti_malware/


ok downloaded and installed it, i got an error when i tried to update malwarebytes, but the update date is 13/7/2009 so i am running a full scan right now, let's see what happens.

Crying

here are my results from the malwarebytes scan...

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 6.0.6002 Service Pack 2

22/07/2009 06:32:20
mbam-log-2009-07-22 (06-32-08).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 181882
Time elapsed: 29 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e0609d91-7bec-4bb2-8cee-2e1ed2d4145f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e0609d91-7bec-4bb2-8cee-2e1ed2d4145f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{e0609d91-7bec-4bb2-8cee-2e1ed2d4145f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\pcname\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\NYF0LAF7\setup-trial[1].exe (Rogue.Installer) -> No action taken.
c:\Users\pcname\AppData\Local\microsoft\Windows\temporary internet files\Low\Content.IE5\W7CSC7NY\setup-trial[1].exe (Rogue.Installer) -> No action taken.
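
A check a defender can run over a Malwarebytes log like the one above, added here as an example (not code from the thread, Avast or Malwarebytes): it parses the "Registry Data Items Infected" lines, pulls the resolver list out of each NameServer value, and flags any resolver that is not in an approved set, only for entries the scan left in place ("No action taken."). The two-entry sample log and the APPROVED_RESOLVERS set are constructed for the example.

```python
import ipaddress
import re
# Constructed sample in the shape of the log posted above (two entries only).
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e0609d91-7bec-4bb2-8cee-2e1ed2d4145f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.206,85.255.112.116 -> No action taken.

Folders Infected:
(No malicious items detected)
"""
# Resolvers the machine is supposed to use (assumed values for the example).
APPROVED_RESOLVERS = {"192.168.1.1", "8.8.8.8"}
# One MBAM registry-data line: <key> (<detection>) -> Data: <value> -> <action>
ENTRY_RE = re.compile(
    r"^(?P<key>HKEY_\S+) \((?P<detection>[^)]+)\) -> Data: (?P<data>\S+) -> (?P<action>.+)$"
)

def parse_nameserver_entries(log_text):
    """Return one dict per NameServer entry found in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or not m.group("key").endswith("\\NameServer"):
            continue
        entries.append({
            "key": m.group("key"),
            "detection": m.group("detection"),
            # NameServer holds a comma- or space-separated resolver list
            "servers": [s for s in re.split(r"[,\s]+", m.group("data")) if s],
            # "No action taken." means the value is still in the registry
            "still_present": m.group("action").startswith("No action taken"),
        })
    return entries

def rogue_servers(servers, approved=APPROVED_RESOLVERS):
    """Servers not in the approved set; unparsable tokens count as rogue."""
    def is_ok(s):
        try:
            return str(ipaddress.ip_address(s)) in approved
        except ValueError:
            return False
    return {s for s in servers if not is_ok(s)}

def findings(log_text, approved=APPROVED_RESOLVERS):
    """(registry key, rogue resolvers) for entries still in the registry."""
    return [(e["key"], rogue_servers(e["servers"], approved))
            for e in parse_nameserver_entries(log_text)
            if e["still_present"] and rogue_servers(e["servers"], approved)]
```

Every entry in the posted log is reported because Malwarebytes was run without removing anything; after a rescan that quarantines the values the same log would produce no findings.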

Offline mathboyx215

Did you remove the infected items? If not, run the scan again and remove them.

Crying

Did you remove the infected items? If not, run the scan again and remove them.
sorry it's 06:45am where i am and i have not been to sleep for over 24 hours so i'm not exactly thinking to the best of my ability ::), i will rescan and remove them now.. i must say it was a good job that i ran a full scan instead of a quick scan, the quick scan i just ran found 6 infected files all of them trojan.DNSchanger, whereas the full scan found 8 infected files, 6 trojan.DNSchanger and 2 rogue.installers.

Offline mathboyx215

Usually, a quick scan finds 99% of what a full scan will find. Also, i recommend you run another full scan after you have updated its database. Currently, you are not scanning with the latest database so it might have missed something.

elm6588

hello, i am hoping you can help me. my computer was telling me that i had a virus, i downloaded avast today, how do i know that the virus was removed? please help. ??? ???

Offline mathboyx215

hello, i am hoping you can help me. my computer was telling me that i had a virus, i downloaded avast today, how do i know that the virus was removed? please help. ??? ???
Please start your own topic

Crying

@mathboyx215 after removing the 8 infected files malwarebytes found i was able to update malwarebytes (whereas before i got an error) so i ran yet another full scan and found a separate infected file which has now also been removed, my DNS changing problems seem to be fixed, i ran another full scan with malwarebytes, then a boot time scan with avast and the results of both scans show 0 infected files, so i think my system is clean again, thanks for your help mate! ;)

Offline mathboyx215

No problem. Glad I could help you ;D