Win32:Daonol-P[Trj]

Okay,

I’ve got a virus. I’m looking at the top stickied thread, and I’ll try to provide the information requested for help.

Check if the Worm or Virus is included in the list of malware that the avast CLEANER can remove: http://www.avast.com/i_idt_171.html

Tried, but the link is dead.

- What WIN do you have? Are all ServicePacks and Windows updates applied? Please CHECK!!
  • What name does avast give the virus (e.g. like: “Win32:Netsky-P [Wrm]”)?

  • Where exactly was the infected file found (full path/folder/filename, e.g. like c:\Windows\system32\virusfile.exe)?
    You’ll get this info from the Alert/PopUp window or from avast’s report/log files. If you can’t start avast, look for the info in the log files in the avast (sub-)folders and
    in the EventLog of Win XP / 2000: Control Panel → Administration → Event Log

-Windows XP Home Edition Version 2002 Service Pack 3

-Win32:Daonol-P[Trj]

-c:\windows\RYQAAWR.DVX and a few dozen variations of this, all in c:\windows. By variations, I mean all starting with c:\windows\ryqaawr.dvx, but having different numbers of x’s at the end. E.g. -c:\windows\RYQAAWR.DVXX, -c:\windows\RYQAAWR.DVXXX etc.

Background. Mcafee was using up so many system resources, the computer was just about unusable. I uninstalled it, planning to install Avast. Stupidly, I waited like a week, and suddenly:

-I started clicking links from search results, and occasionally instead of going to the page I had clicked, I got redirected to another site.

-Decided to check AV sites, but was blocked from accessing them.

-Tried to download Avast through download.com, but couldn’t download.

-Managed to download Avast through a different server and install.

-Avast didn’t find the virus.

-Tried to download most recent database through the Avast interface, but got 501 errors.

-Downloaded most recent database from the Avast website, and got Avast updated.

-It then began finding the virus every time I started a new program.

-I scanned, and it found the virus several times during the scan.

-In all cases, when Avast has found the virus, I’ve added it to the chest. There are now 60 files in the chest.

-There are 20 versions in c:\windows (just looking through Windows Explorer)

I’m wondering:

a) if i can find out what type of damage this particular virus can do/has done

b) find a way to clean it.

I uploaded one of the files in c:\windows to virustotal.com, and have a report. I can post it here, if that makes sense.

Very appreciative of anyone who can help me out.

By the way, I should add that since having updated the virus database, and now that Avast seems to find the virus every time it executes (if that’s the right term?), I AM able to access AV sites like McAfee, and I am able to update the database from within the Avast interface. Also, my browser doesn’t seem to be redirecting any more.

I don’t know if that means the damage is being contained or not, but I do know that every time I start a program, I still get the siren and have to send another version of this to the chest, so it’s clearly not gone.

For what that’s worth.

First, even if the link weren’t dead (that topic is getting long in the tooth), the avast cleaner is for a very limited set of viruses/worms, and your detection, a Trojan, doesn’t come under the worms/viruses that it can repair/clean. So installing avast is the best way to go.

Based only on the file names and locations, the detections appear to be good, as a few Google searches on the file names return zero hits, which is suspicious for anything in the Windows folder.

When you get avast installed and running, I would suggest running this tool to ensure all remnants of McAfee are gone; see #### below.

I think that avast has gone some way to cleaning your system, but I would suggest two more applications to complement avast and see if they also find other hidden/undetected elements. Don’t worry about tracking cookies, not a big issue, but let SAS deal with them.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

What is your firewall ?
The reason I ask is that Daonol is meant to be an info stealer, so I would also advise changing any security/confidential passwords (definitely for stronger ones), and changing the username, if allowed, may be a good idea too.

McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe Or http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html

2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

Also see - How do I uninstall SecurityCenter? http://ts.mcafeehelp.com/faq3.asp?docid=71525

Thank you for the help. I’m going to try to do this one step at a time.

First. I downloaded and updated Malwarebytes Anti-Malware, and ran a quick scan. I should note that Avast was still running when I ran the Malwarebytes scan. Malwarebytes detected all of the files still in C:\Windows (to which I alluded earlier). Every time it detected one, Avast detected it, and let me put it in the chest. I don’t know if they’re supposed to work in concert like this, but that’s what happened.

So, here is the log from Malwarebytes (the registry key infection seems to be something that Avast didn’t find):


Malwarebytes’ Anti-Malware 1.37
Database version: 2232
Windows 5.1.2600 Service Pack 3

6/4/2009 9:04:25 PM
mbam-log-2009-06-04 (21-04-05).txt

Scan type: Quick Scan
Objects scanned: 90462
Time elapsed: 19 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) → No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) → No action taken.
c:\WINDOWS\ryqaawr.dvx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxxxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) → No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) → No action taken.


I’m taking no action until I hear back. And, I’m waiting to download and run the other program as well.

Thanks.
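Reading a log like the one above programmatically, as an added example that is not part of the original thread and not Malwarebytes’ own tooling: the parser below takes the section/entry layout of an MBAM 1.x log, pulls out every detection with its classification and the action recorded, lists the ones left as “No action taken”, and groups the `c:\windows\ryqaawr.dvx…` hits into one family by stripping the variable run of trailing x’s that the thread describes. The log embedded in the script is a constructed excerpt of the entries posted above (one file entry is altered to show a quarantined item); `parse_mbam_log`, `unresolved` and `variant_families` are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed excerpt of the MBAM 1.37 log posted in the thread. One entry is
# changed to "Quarantined and deleted successfully" so both outcomes appear.
# Sample data for this added example, not a log captured by this script.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.37
Database version: 2232
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 90462
Registry Keys Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\\WINDOWS\\ryqaawr.dvx (Trojan.Gumblar) -> No action taken.
c:\\windows\\ryqaawr.dvxx (Trojan.Gumblar) -> No action taken.
c:\\windows\\ryqaawr.dvxxx (Trojan.Gumblar) -> Quarantined and deleted successfully.
"""

# A section header is "<Something> Infected:" with nothing after the colon;
# the summary block uses the same words but carries a count ("...: 1").
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<item> (<classification>) -> <action>."  (forum copies may show "→")
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<class>[^()]+)\)\s*(?:->|→)\s*(?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (header, entries).

    header:  dict of the "Key: value" lines before the first detection section
    entries: list of {"section", "item", "classification", "action"}
    """
    header, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            if ": " in line:
                key, value = line.split(": ", 1)
                header[key] = value
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": section, "item": m.group("item"),
                            "classification": m.group("class"),
                            "action": m.group("action")})
    return header, entries


def unresolved(entries):
    """Detections the scanner logged but did not quarantine or delete."""
    return [e for e in entries if e["action"].lower().startswith("no action")]


def variant_families(entries):
    """Group file detections whose names differ only in a trailing run of 'x'.

    That is the pattern visible in the thread (ryqaawr.dvx, .dvxx, .dvxxx, ...).
    Keys are lower-cased because NTFS paths are case-insensitive and the log
    mixes c:\\WINDOWS and c:\\windows.
    """
    families = defaultdict(list)
    for e in entries:
        if e["section"] != "Files Infected":
            continue
        key = re.sub(r"x+$", "", e["item"].lower())
        families[key].append(e["item"])
    return dict(families)


if __name__ == "__main__":
    header, entries = parse_mbam_log(SAMPLE_LOG)
    print("scan type:", header.get("Scan type"), "| entries:", len(entries))
    for e in unresolved(entries):
        print("still present:", e["section"], "|", e["item"])
    for stem, paths in variant_families(entries).items():
        print(f"family {stem}x+ : {len(paths)} files")
```

The useful check is the `unresolved` list: a detection that ends in “No action taken” has only been reported, which is why the reply below asks for the scan to be run again with everything selected and removed.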

What may be happening is that as MBAM detects this and/or tries to move it, avast is then able to see it and detect it and move it to the chest.

So I don’t know if that would subsequently stop MBAM actually moving it to its quarantine, as I see in your log the No action taken suffix to the entries. So yes, you should run MBAM again, and this time when the scan is complete, all detections should have a check mark in the box to the left of the entry; leave them selected (or select if not selected). At the bottom of the window there is a button, Remove Selected; click that and the items will be removed.

The virus is replicant… I suggest you get rid of it asap.
I generally suggest:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or to this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then reenable it again.
  7. Immunize your system with SpywareBlaster.
  8. Check if you have insecure applications with Secunia Software Inspector.

Maybe you could run MBAM booting in Safe Mode (I’m not sure).

Done

2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.

Did the boot time scan with archive scanning turned on. Avast found several infected files, and put them all in the chest.

3. Use MBAM (http://malwarebytes.org/mbam.php) (or SUPERantispyware (http://www.superantispyware.com) or even Spyware Terminator (http://www.spywareterminator.com/)) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

Did a full scan with MBAM and it came out clean.

4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).

Used the Avast antirootkit. Scan came out clean.

5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or to this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.

Done. Will post the HJT Log in next post.

6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).

Planning to do these next. Might need a little more info on (6).

Thanks again.

Darned 10000 character limit. Here’s part 1 of the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:47 AM, on 6/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Part 2 of HJT log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll

--
End of file - 12668 bytes

Part 3 of HJT log:

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\6yrik8xn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\6yrik8xn.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Cole2k Media Toolbar Helper - {5499BCB1-5641-4A4C-9F75-462D4D8D0DA0} - C:\Program Files\Cole2k Media Toolbar\v3.3.0.1\Cole2k_Media_Toolbar.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\YTSingleInstance.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Cole2k Media Toolbar - {8AE33802-00D3-4F1B-B5C7-6FEE34E402CE} - C:\Program Files\Cole2k Media Toolbar\v3.3.0.1\Cole2k_Media_Toolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Java Sabre Server (JSERVER)] C:\SABRE\Apps\eVoya\JServer.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177884859828
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://venicebeach.earthcam.net/viewer/AxisCamControl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Pro\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sabre Printing Module (SabrePrint) - Unknown owner - C:\SABRE\Apps\OADP\Oadp.exe (file missing)
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE (file missing)
O23 - Service: SurfStats Scheduler Ver 8.4.0.0 (SurfServer8400) - Unknown owner - C:\Program Files\Surfstats8400\SurfServ8400.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
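A first pass over a HijackThis log like the one above, as an added example that is neither part of the thread nor HijackThis’s own analysis: the script parses the `Oxx - ...` entry lines and flags the handful of things a reviewer looks at first (services with no vendor string, entries whose binary is reported missing, an AppInit_DLLs entry, and autoruns launched from outside the usual program directories), which is how the SurfStats service gets singled out in the reply that follows. The embedded sample is a constructed excerpt of the log posted above; `USUAL_DIRS` is an assumption for this machine, the function names are chosen for this example, and every hit is a prompt to verify, not a verdict.

```python
import re

# Constructed excerpt of the HijackThis 2.0.2 log posted above, one entry per
# line as HJT writes it. Sample data for this added example only.
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKCU\\..\\Run: [cdloader] "C:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\cdloader2.exe" MAGICJACK
O4 - HKUS\\S-1-5-18\\..\\Run: [Sabre Site Services] C:\\SABRE\\Apps\\ATS\\SSSClnt.EXE (User 'SYSTEM')
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: C:\\PROGRA~1\\Google\\GOOGLE~3\\GOEC62~1.DLL
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\\WINDOWS\\SDMan.EXE (file missing)
O23 - Service: SurfStats Scheduler Ver 8.4.0.0 (SurfServer8400) - Unknown owner - C:\\Program Files\\Surfstats8400\\SurfServ8400.exe
"""

# Every HJT entry is "<code> - <body>", e.g. "O23 - Service: ...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Where legitimately installed programs on this box live. Assumed for this
# example; adjust per machine. Autoruns from anywhere else get a closer look.
USUAL_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")


def parse_hjt(text):
    """Return [(code, body)] for every entry line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def _exe_path(body):
    """Best-effort executable path from an O4 body, quoted or bare, lower-cased."""
    m = re.search(r'"([a-z]:\\[^"]+)"|([a-z]:\\\S+)', body, re.IGNORECASE)
    if not m:
        return None
    return (m.group(1) or m.group(2)).lower()


def triage(entries):
    """Return [(code, reason, body)] for entries a reviewer should check by hand.

    These are review heuristics, not malware verdicts: a missing file is often
    a leftover from an uninstall, and "Unknown owner" just means the binary
    carries no vendor information.
    """
    hits = []
    for code, body in entries:
        if "(file missing)" in body:
            hits.append((code, "entry points at a missing file", body))
        if code == "O23" and "Unknown owner" in body:
            hits.append((code, "service with no vendor string", body))
        elif code == "O20":
            hits.append((code, "AppInit_DLLs loads into every GUI process", body))
        elif code == "O4":
            path = _exe_path(body)
            if path and not path.startswith(USUAL_DIRS):
                hits.append((code, "autorun outside usual program directories", body))
    return hits


if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{code:<4} {reason:<45} {body}")
```

Run against the full log above, the same rules would list the Sabre and SurfStats services (no vendor string, two of them with missing binaries), the Google AppInit_DLLs entry, and the cdloader and Sabre autoruns; the avast, Apple, Intuit and NVIDIA services pass every check. That matches what the helper asked about next: which of those the owner actually recognises.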

Okay, I’ve found where I can disable/enable System Restore (in the System Properties dialog box, system restore tab).

It provides the option “Turn off System Restore on all drives.” I’m presuming I need to check that box and click “OK.” Do I need to then restart the computer? And then uncheck the box? And then restart again? Or is restarting unnecessary?

Also, can someone give me a quick explanation of what this accomplishes?

Thanks.

Hi Kelcher,

Read an answer to that question here: http://bertk.mvps.org/

Check if you know this service:
O23 - Service: SurfStats Scheduler Ver 8.4.0.0 (SurfServer8400) - Unknown owner - C:\Program Files\Surfstats8400\SurfServ8400.exe

Can you answer this question, because no active software firewall was found on your computer:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.

polonus

Thanks polonus. Responses below:

Yeah, it’s a website log analysis program. I use it to track traffic on my site.

Can you answer this question, because no active software firewall was found on your computer: (1.) You are using the windows firewall or a hardware firewall. (2.) You are using a firewall of an unknown vendor. (3.) You are using a firewall, but for unknown reasons it is disabled. (4.) You don’t use any firewall at all.

I’m using windows firewall. I believe my dsl modem/router also has a firewall, but I’ve never toyed with it to the best of my knowledge. Windows firewall shows as “ON” in Windows Security Center.

Is Windows Firewall a bad solution?

Hi Kelcher,

Not as your router is also involved, because the Windows firewall is only one-way protection.
On XP I would use a firewall like ZA free; furthermore, there are lots of threads here in the forum where people recommend these. In the case of an extra software FW, you could turn the Windows one off, because there should be no more than one active FW. In the case of a Gumblar infection it is a good thing to have one; read what I wrote about this massive online threat here: http://forum.avast.com/index.php?topic=45697.0
and here: http://forum.avast.com/index.php?topic=45517.0

polonus

6. Disable System Restore and then reenable it again.

Done.

7. Immunize your system with SpywareBlaster.

Done.

8. Check if you have insecure applications with Secunia Software Inspector.

Done. Most applications weren’t too out of date, but I got rid of some old redundant versions of things like Acrobat, and updated everything else to the most recent.

Thanks. I ended up going with PC Tools Plus free firewall, after reading some of the threads.

I’m going to study your Gumblar post a bit more, and maybe post some questions there, as I’ve had someone trying to “fuzz” a form on my website (got the term from a tech at my hosting company) and I haven’t been able to get any php form validators to work yet (I’m not a programmer, although I’m usually capable of figuring my way through things that aren’t that complicated). Anyhow, I’ll see if posting my questions makes sense in one of those threads. I would hate for my site to become a conduit for this stuff.

THANKS TO ALL WHO HELPED!! My desktop seems to be running smoothly (for an old timer), infection-free, and is a lot more protected against threats than it was (obviously) before. Grateful.

Hi: Kelcher, DavidR, Tech and polonus

If any of you happen to look back into this thread … I found it yesterday [8/27/2009] and had exactly the problem Kelcher had … however, the cures were above my pay grade … I had just upgraded AVAST after being unprotected for a month or so and also upgraded AdAware to AdAwareAE. On the first run of this new (to me) AdAware, it found and eliminated the Win32:Daonol-P[Trj] problem… I don’t know how or why, but it’s gone … thanx to you all for the help … jr

Welcome to the forum jr-bert,

Just to give you a heads up, ad-aware was once a WONDERFUL adware removal program, but over the years it has become less useful. If it has removed all of your problems with your computer, then great, but malwarebytes and superantispyware are the best free tools to use these days.

Just remember that while ad-aware and spybot - S&D were used in the past, it doesn’t mean that they are still the best. The software moves quickly, and if the tools don’t do the same, then others may come and pick up the slack.

Hi jr-bert,

Read the DrWeb-CureIt removal instructions here: http://forums.majorgeeks.com/member.php?s=6b824f39a1513065dbf82e1ade3f0d9c&u=26995

Infostealer.Daonol recreates, repairs and updates itself. Infostealer.Daonol and other complex spyware applications may recreate, repair and update themselves to evade deletion. When Infostealer.Daonol alters, restores and updates its files, DLLs, registry keys and process, a scanner may only remove part of the program, allowing the other remaining files to execute procedures to repair and update. In these cases, it can make the Infostealer.Daonol manual removal process very difficult.
re: http://forum.avira.com/wbb/index.php?page=Thread&threadID=90274
A good thread and read on this difficult to detect morphing infection can be found here:
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t175838.html

polonus

Read the DrWeb-CureIt removal instructions here: http://forums.majorgeeks.com/member.php?s=6b824f39a1513065dbf82e1ade3f0d9c&u=26995

The link goes to a login page?