Cutting a long story short, I downloaded a program, a very popular program, so I thought... I had downloaded this program many times before to my computer from many different sites, so I did not think much of it. So I hit download and saved it to my desktop, and straight away I noticed that the icon was different from the other times I downloaded this program, so I right-clicked the icon and scanned with Avast 4.8 Professional. The result was... nothing. So I double-clicked my program and began to install; it only took a split second to install. That's when I knew it: at the bottom right of my screen popped up a warning (with that hair-raising sound we all know): Warning! A virus has been detected! I had just fallen victim to this little pain in the backside...
ESQULserv.sys
Win32:Alureon-CE [Rtk]
I am guessing it is some kind of rootkit malware/spyware. Anyway, I opened up my browser and tried to do a little research with Google on Win32:Alureon-CE [Rtk], and noticed that when I clicked links my browser would take me to webpages that I did not intend to go to. For example, even when I googled Avast forums and clicked the official link, my browser took me to some kind of software download site. This happened many times with different searches I did.
So I moved it to Avast's infamous virus chest, right-clicked and deleted it. Then I ran a boot-time scan on my computer, giving me this result...
07/22/2009 02:44
Scan of all local drives
File C:\Program Files\Common Files\INCA Shared\OnlineEngine\TYAVP_012.npz\TYAVP_012.bin Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 18172
Number of tested files: 272582
Number of infected files: 0
I am aware that Win32:Alureon-CE [Rtk] performs some kind of DNS-changing process, which explains why I was taken to websites I did not intend to go to by clicking on official links. But as you can see, I deleted the file from my virus chest and did a boot scan, and the result shows 0 infected files, yet this DNS-changing problem is still occurring when I click links (when I do a Google search my browser also takes a little longer to show the results; it used to be like 0.5 seconds, now it is like 5-10 seconds). So before I insert and run my recovery disk and reformat my whole system (which I do not really want to do), I was wondering if I could get any help and advice from you guys to save me the hassle of doing so...
I hope you understand my problem, and thanks for reading. Your help is much appreciated.
Please download Malwarebytes' Anti-Malware from here: http://www.malwarebytes.org/mbam.php
Update it and run a quick scan. If any infection is found, please make sure there is a check mark next to each infection. Then click on Quarantine. If it asks you to restart your computer, please do so. Then post back your log from Malwarebytes.
When I click the link, or try to access www.malwarebytes.org in any way, I get "Internet Explorer cannot display the webpage". I guess I have a real problem on my hands ???
OK, downloaded and installed it. I got an error when I tried to update Malwarebytes, but the update date is 13/7/2009, so I am running a full scan right now. Let's see what happens.
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) → Data: 85.255.112.206,85.255.112.116 → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces{e0609d91-7bec-4bb2-8cee-2e1ed2d4145f}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.206,85.255.112.116 → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) → Data: 85.255.112.206,85.255.112.116 → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces{e0609d91-7bec-4bb2-8cee-2e1ed2d4145f}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.206,85.255.112.116 → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) → Data: 85.255.112.206,85.255.112.116 → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces{e0609d91-7bec-4bb2-8cee-2e1ed2d4145f}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.206,85.255.112.116 → No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\pcname\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\NYF0LAF7\setup-trial[1].exe (Rogue.Installer) → No action taken.
c:\Users\pcname\AppData\Local\microsoft\Windows\temporary internet files\Low\Content.IE5\W7CSC7NY\setup-trial[1].exe (Rogue.Installer) → No action taken.
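The log above shows what Trojan.DNSChanger actually changed: the NameServer value under Tcpip\Parameters and under the per-interface key, in every control set, now points at two resolvers that do not belong to the user's ISP. The following is an added check, written for this thread and not code from the original poster, Avast or Malwarebytes. It parses "Registry Data Items Infected" lines of the kind posted above (the sample log is copied from the post, as constructed input), lists which resolvers are not on an allowlist, and, on Windows, reads the live NameServer values from the registry so the same comparison can be repeated after cleanup. The allowlist contents (EXPECTED_RESOLVERS) are a placeholder assumption; fill in the addresses your ISP or router actually hands out.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: the "Registry Data Items Infected" block from the
# Malwarebytes log posted above, copied as posted so the parser runs offline.
SAMPLE_MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) → Data: 85.255.112.206,85.255.112.116 → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces{e0609d91-7bec-4bb2-8cee-2e1ed2d4145f}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.206,85.255.112.116 → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) → Data: 85.255.112.206,85.255.112.116 → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces{e0609d91-7bec-4bb2-8cee-2e1ed2d4145f}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.206,85.255.112.116 → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) → Data: 85.255.112.206,85.255.112.116 → No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces{e0609d91-7bec-4bb2-8cee-2e1ed2d4145f}\NameServer (Trojan.DNSChanger) → Data: 85.255.112.206,85.255.112.116 → No action taken.
Folders Infected:
(No malicious items detected)
"""

# Placeholder assumption: replace with the resolvers your ISP/router really uses.
EXPECTED_RESOLVERS = ["192.168.1.1"]

# One Malwarebytes registry-data line: key (family) → Data: value → action
MBAM_LINE = re.compile(
    r"^(?P<key>HKEY_\S+)\s+\((?P<family>[^)]+)\)\s+(?:→|->)\s+Data:\s+"
    r"(?P<data>.+?)\s+(?:→|->)\s+(?P<action>.+)$"
)


def parse_nameservers(value: str) -> List[str]:
    """Split a NameServer registry string (comma- or space-separated) into IPs."""
    return [ip for ip in re.split(r"[,\s]+", value.strip()) if ip]


def parse_mbam_registry_data(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (registry key, detection family, resolver list) for each NameServer hit."""
    findings = []
    for line in log_text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if not m or not m.group("key").endswith("NameServer"):
            continue
        findings.append((m.group("key"), m.group("family"), parse_nameservers(m.group("data"))))
    return findings


def unexpected_resolvers(nameservers: List[str], allowlist: List[str]) -> List[str]:
    """Resolvers in the value that are not on the allowlist, in original order."""
    allowed = {ip.strip() for ip in allowlist}
    return [ip for ip in nameservers if ip not in allowed]


def audit_log(log_text: str, allowlist: List[str]) -> Dict[str, List[str]]:
    """Map each flagged registry key to the resolvers that should not be there."""
    return {
        key: bad
        for key, _family, ips in parse_mbam_registry_data(log_text)
        if (bad := unexpected_resolvers(ips, allowlist))
    }


def collect_registry_nameservers() -> Dict[str, List[str]]:
    """Read live NameServer values from HKLM (current control set and each interface).

    Returns {} on non-Windows hosts; there is no registry to read there.
    """
    if sys.platform != "win32":
        return {}
    import winreg  # stdlib, Windows only

    base = "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
    results: Dict[str, List[str]] = {}

    def read(path: str) -> None:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
                value, _ = winreg.QueryValueEx(k, "NameServer")
        except OSError:  # key or value absent: DHCP-assigned DNS leaves it empty
            return
        if value:
            results["HKEY_LOCAL_MACHINE\\" + path] = parse_nameservers(value)

    read(base)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + "\\Interfaces") as ifaces:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(ifaces, i)
            except OSError:  # EnumKey raises when the subkeys run out
                break
            read(base + "\\Interfaces\\" + guid)
            i += 1
    return results


if __name__ == "__main__":
    for key, bad in audit_log(SAMPLE_MBAM_LOG, EXPECTED_RESOLVERS).items():
        print(f"log: {key} -> unexpected resolvers {bad}")
    live = collect_registry_nameservers()
    for key, ips in live.items():
        bad = unexpected_resolvers(ips, EXPECTED_RESOLVERS)
        print(f"registry: {key} = {ips}" + (f" UNEXPECTED {bad}" if bad else " ok"))
```

Run it once against the posted log to see which keys were rewritten, and again after cleanup on the affected machine: the live-registry pass should either print nothing (DHCP-assigned DNS leaves NameServer empty) or only addresses you recognise. An empty Malwarebytes result is not the same thing as the registry being back to normal, which is why the second pass reads the keys directly.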
Sorry, it's 06:45am where I am and I have not been to sleep for over 24 hours, so I'm not exactly thinking to the best of my ability ::). I will rescan and remove them now... I must say it was a good job that I ran a full scan instead of a quick scan: the quick scan I just ran found 6 infected files, all of them Trojan.DNSChanger, whereas the full scan found 8 infected files, 6 Trojan.DNSChanger and 2 Rogue.Installers.
Usually, a quick scan finds 99% of what a full scan will find. Also, I recommend you run another full scan after you have updated its database. Currently, you are not scanning with the latest database, so it might have missed something.
Hello, I am hoping you can help me. My computer was telling me that I had a virus. I downloaded Avast today; how do I know that the virus was removed? Please help. ??? ???
@mathboyx215 After removing the 8 infected files Malwarebytes found, I was able to update Malwarebytes (whereas before I got an error), so I ran yet another full scan and found a separate infected file, which has now also been removed. My DNS-changing problems seem to be fixed. I ran another full scan with Malwarebytes, then a boot-time scan with Avast, and the results of both scans show 0 infected files, so I think my system is clean again. Thanks for your help, mate!