Avast WEBforum

Other => Viruses and worms => Topic started by: Kelcher on June 05, 2009, 02:10:25 AM

Title: Win32:Daonol-P[Trj]
Post by: Kelcher on June 05, 2009, 02:10:25 AM
Okay,

I've got a virus.  I'm looking at the top stickied thread, and I'll try to provide the information requested for help.

Quote
Check if the Worm or Virus is included in the list of malware that the avast CLEANER can remove:
http://www.avast.com/i_idt_171.html

Tried, but the link is dead.

Quote
- What WIN do you have ? Are all ServicePacks and Windowsupdates applied ? Please CHECK !!

- What name does avast give the virus (e.g. like: "Win32:Netsky-P [Wrm]" )  ?

- Where exactly was the infected File found (full path/folder/filename, e.g. like c:\Windows\system32\virusfile.exe) ?
You'll get this info from the Alert/PopUp window or from avast's report/Log-files. If you can't start avast, look for the info in the logfiles in the avast (sub-)folders and
in the EventLog of Win XP / 2000: Controlpanel -> Administration -> Event-log

-Windows XP Home Edition Version 2002 Service Pack 3

-Win32:Daonol-P[Trj]

-c:\windows\RYQAAWR.DVX and a few dozen variations of this, all in c:\windows.  By variations, I mean all starting with c:\windows\ryqaawr.dvx, but having different numbers of x's at the end.  E.g. -c:\windows\RYQAAWR.DVXX, -c:\windows\RYQAAWR.DVXXX etc.

Background.  McAfee was using up so many system resources, the computer was just about unusable.  I uninstalled it, planning to install Avast.  Stupidly, I waited like a week, and suddenly:

-I started clicking links from search results, and occasionally instead of going to the page I had clicked, I got redirected to another site.

-Decided to check AV sites, but was blocked from accessing them.

-Tried to download Avast through download.com, but couldn't download.

-Managed to download Avast through a different server and install.

-Avast didn't find the virus.

-Tried to download most recent database through the Avast interface, but got 501 errors.

-Downloaded most recent database from the Avast website, and got Avast updated.

-It then began finding the virus every time I started a new program.

-I scanned, and it found the virus several times during the scan.

-In all cases, when Avast has found the virus, I've added it to the chest.  There are now 60 files in the chest.

-There are 20 versions in c:\windows (just looking through Windows Explorer)

I'm wondering:

a) if I can find out what type of damage this particular virus can do/has done

b) find a way to clean it.

I uploaded one of the files in c:\windows to virustotal.com, and have a report.  I can post it here, if that makes sense.

Very appreciative of anyone who can help me out. 
Title: Re: Win32:Daonol-P[Trj]
Post by: Kelcher on June 05, 2009, 02:28:21 AM
By the way, I should add that since having updated the virus database, and now that Avast seems to find the virus every time it executes (if that's the right term?), I AM able to access AV sites like McAfee, and I am able to update the database from within the Avast interface.  Also, my browser doesn't seem to be redirecting any more. 

I don't know if that means the damage is being contained or not, but I do know that every time I start a program, I still get the siren and have to send another version of this to the chest, so it's clearly not gone.

For what that's worth.
Title: Re: Win32:Daonol-P[Trj]
Post by: DavidR on June 05, 2009, 02:39:28 AM
First, even if the link weren't dead (that topic is getting long in the tooth), the avast cleaner is for a very limited set of viruses/worms, and your detection, a Trojan, doesn't come under the worms/viruses that it can repair/clean. So installing avast is the best way to go.

Based on only the file names and locations the detections appear to be good as a few google searches on the file names return zero hits, suspicious for anything in the windows folder.

When you get avast installed and running - I would suggest running this tool to ensure all remnants of McAfee are gone see #### below.

I think that avast has gone some way to cleaning your system, but I would suggest two more applications to complement avast and see if they also find other hidden/undetected elements. Don't worry about tracking cookies, not a big issue, but let SAS deal with them.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

What is your firewall ?
The reason I ask is Daonol is meant to be an info stealer, so I would also advise changing any security/confidential passwords (definitely for stronger ones), and changing the username, if allowed, may be a good idea too.

####
McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe or http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html

2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

Also see - How do I uninstall SecurityCenter? http://ts.mcafeehelp.com/faq3.asp?docid=71525
Title: Re: Win32:Daonol-P[Trj]
Post by: Kelcher on June 05, 2009, 06:08:44 AM
Thank you for the help.  I'm going to try to do this one step at a time.  

First.  I downloaded and updated Malwarebytes Anti-Malware, and ran a quick scan.  I should note that Avast was still running when I ran the Malwarebytes scan.  Malwarebytes detected all of the files still in C:\Windows (to which I alluded earlier).  Every time it detected one, Avast detected it, and let me put it in the chest.  I don't know if they're supposed to work in concert like this, but that's what happened.

So, here is the log from Malwarebytes (the registry key infection seems to be something that Avast didn't find):

---------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.37
Database version: 2232
Windows 5.1.2600 Service Pack 3

6/4/2009 9:04:25 PM
mbam-log-2009-06-04 (21-04-05).txt

Scan type: Quick Scan
Objects scanned: 90462
Time elapsed: 19 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\WINDOWS\ryqaawr.dvx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Gumblar) -> No action taken.

---------------------------------------------------

I'm taking no action until I hear back.  And, I'm waiting to download and run the other program as well.  

Thanks.
Title: Re: Win32:Daonol-P[Trj]
Post by: DavidR on June 05, 2009, 03:25:35 PM
What may be happening is that as MBAM detects this and/or tries to move it, avast is then able to see it, detect it and move it to the chest.

So I don't know if that would subsequently stop MBAM actually moving it to its quarantine, as I see in your log the "No action taken" suffix on the entries. So yes, you should run MBAM again, and this time when the scan is complete all detections should have a check mark in the box to the left of the entry; leave them selected (or select them if not selected). At the bottom of the window there is a button, Remove Selected; click that and the items will be removed.
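As an added example (not from the thread, and not Malwarebytes' own code), a small Python parser for an MBAM log of the format posted above: it lists the detections still marked "No action taken" and collapses the ryqaawr.dvx* variants into one name family. The sample log is constructed from a few of the entries above; the "Quarantined and deleted successfully." status is an assumed example of the line MBAM writes once an item has actually been removed.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Malwarebytes' Anti-Malware 1.37 log posted
# above (the registry key plus four of the twenty file entries). The
# "Quarantined and deleted successfully." status is an assumed example of what
# MBAM writes once "Remove Selected" has actually been used.
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.37
Database version: 2232
Windows 5.1.2600 Service Pack 3

Registry Keys Infected: 1
Files Infected: 4

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\ryqaawr.dvx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxx (Trojan.Gumblar) -> Quarantined and deleted successfully.
c:\windows\ryqaawr.dvxxx (Trojan.Gumblar) -> No action taken.
c:\windows\ryqaawr.dvxxxxxxxxx (Trojan.Gumblar) -> No action taken.
"""

# "Files Infected:" opens a section; "Files Infected: 4" is only a summary count.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# One detection line: <item> (<threat name>) -> <action>.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, threat, action."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({
                "section": section,
                "item": m.group("item"),
                "threat": m.group("threat"),
                "action": m.group("action").rstrip("."),
            })
    return entries


def pending_detections(entries):
    """Detections MBAM only reported but did not quarantine: the state the post above describes."""
    return [e for e in entries if e["action"].lower().startswith("no action taken")]


def family_key(path):
    """Normalise a path so ryqaawr.dvx, ryqaawr.dvxx, ... collapse to one key (trailing x's dropped)."""
    return re.sub(r"x+$", "", path.lower())


def file_families(entries):
    """Count detected files per name family, looking only at the Files Infected section."""
    return Counter(family_key(e["item"]) for e in entries if e["section"] == "Files Infected")


def report(text):
    """Human-readable summary: totals, name families, and every untreated detection."""
    entries = parse_mbam_log(text)
    pending = pending_detections(entries)
    lines = [f"{len(entries)} detections, {len(pending)} still untreated"]
    for key, count in sorted(file_families(entries).items()):
        lines.append(f"  {count} file(s) in name family {key}x*")
    for e in pending:
        lines.append(f"  PENDING [{e['section']}] {e['item']} ({e['threat']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MBAM_LOG))
```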
Title: Re: Win32:Daonol-P[Trj]
Post by: Lisandro on June 05, 2009, 05:15:54 PM
The virus is replicant... I suggest you get rid of it asap.
I generally suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use MBAM (http://malwarebytes.org/mbam.php) (or SUPERantispyware (http://www.superantispyware.com) or even Spyware Terminator (http://www.spywareterminator.com/)) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the files to Quarantine than to simply delete them.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).

Maybe you could run MBAM booting in Safe Mode (I'm not sure).
Title: Re: Win32:Daonol-P[Trj]
Post by: Kelcher on June 09, 2009, 07:53:35 PM
Quote
1. Clean your temporary files.

Done

Quote
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.

Did the boot time scan with archive scanning turned on.  Avast found several infected files, and put them all in the chest.

Quote
3. Use MBAM (http://malwarebytes.org/mbam.php) (or SUPERantispyware (http://www.superantispyware.com) or even Spyware Terminator (http://www.spywareterminator.com/)) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the files to Quarantine than to simply delete them.

Did a full scan with MBAM and it came out clean.

Quote
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).

Used the Avast antirootkit.  Scan came out clean.

Quote
5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.

Done.  Will post the HJT Log in next post.

Quote
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).

Planning to do these next.  Might need a little more info on (6).

Thanks again.
Title: Re: Win32:Daonol-P[Trj]
Post by: Kelcher on June 09, 2009, 07:55:06 PM
Darned 10000 character limit. Here's part 1 of the HJT log:

Quote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:47 AM, on 6/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Title: Re: Win32:Daonol-P[Trj]
Post by: Kelcher on June 09, 2009, 07:56:17 PM
Part 2 of HJT log:

Quote
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
--
End of file - 12668 bytes
Title: Re: Win32:Daonol-P[Trj]
Post by: Kelcher on June 09, 2009, 07:56:47 PM
Part 3 of HJT log:

Quote
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\6yrik8xn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\6yrik8xn.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Cole2k Media Toolbar Helper - {5499BCB1-5641-4A4C-9F75-462D4D8D0DA0} - C:\Program Files\Cole2k Media Toolbar\v3.3.0.1\Cole2k_Media_Toolbar.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\YTSingleInstance.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Cole2k Media Toolbar - {8AE33802-00D3-4F1B-B5C7-6FEE34E402CE} - C:\Program Files\Cole2k Media Toolbar\v3.3.0.1\Cole2k_Media_Toolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Java Sabre Server (JSERVER)] C:\SABRE\Apps\eVoya\JServer.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177884859828
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://venicebeach.earthcam.net/viewer/AxisCamControl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Pro\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sabre Printing Module (SabrePrint) - Unknown owner - C:\SABRE\Apps\OADP\Oadp.exe (file missing)
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE (file missing)
O23 - Service: SurfStats Scheduler Ver 8.4.0.0 (SurfServer8400) - Unknown owner - C:\Program Files\Surfstats8400\SurfServ8400.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
Title: Re: Win32:Daonol-P[Trj]
Post by: Kelcher on June 09, 2009, 08:01:46 PM
Quote
6. Disable System Restore and then reenable it again.

Okay, I've found where I can disable/enable System Restore (in the System Properties dialog box, system restore tab). 

It provides the option "Turn off System Restore on all drives".  I'm presuming I need to check that box and click "OK."  Do I need to then restart the computer?  And then unclick the box?  And then restart again?  Or is restarting unnecessary?

Also, can someone give me a quick explanation of what this accomplishes?

Thanks.
Title: Re: Win32:Daonol-P[Trj]
Post by: polonus on June 09, 2009, 09:30:17 PM
Hi Kelcher,

Read an answer to that question here: http://bertk.mvps.org/

Check if you know this service:
O23 - Service: SurfStats Scheduler Ver 8.4.0.0 (SurfServer8400) - Unknown owner - C:\Program Files\Surfstats8400\SurfServ8400.exe

Can you answer this question, because no active software firewall was found on your computer:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all,

polonus
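As an added example (not polonus's or HijackThis's own code), a Python triage pass over O4 and O23 lines of the kind posted above: it flags services with an unknown owner or a missing binary, and autoruns started from a user profile folder or straight from the Windows folder. The flags are prompts for the owner to confirm what they installed, not verdicts; the sample lines are copied from the log earlier in the thread and are labelled as a constructed excerpt.

```python
import re

# Constructed excerpt: a few O4 and O23 lines copied from the HijackThis log
# posted earlier in this thread (not the full log).
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE (User 'SYSTEM')
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Sabre Printing Module (SabrePrint) - Unknown owner - C:\SABRE\Apps\OADP\Oadp.exe (file missing)
O23 - Service: Sabre Device Manager (SDMan) - Unknown owner - C:\WINDOWS\SDMan.EXE (file missing)
O23 - Service: SurfStats Scheduler Ver 8.4.0.0 (SurfServer8400) - Unknown owner - C:\Program Files\Surfstats8400\SurfServ8400.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
"""

# O23 - Service: <display name> - <vendor or "Unknown owner"> - <path> [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O4 - <hive>\..\Run: [<value name>] <command line> [(User '<account>')]
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Folders a normal service or machine-wide autorun has no business living in.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\temp\\")


def command_path(cmd):
    """Pull the executable path out of an O4 command line (quoted or bare)."""
    cmd = re.sub(r"\s*\(User '[^']*'\)$", "", cmd.strip())  # drop HJT's account suffix
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd  # bare paths in HJT output carry no arguments in these samples


def in_windows_root(path):
    """True for a file sitting directly in the Windows folder (not a subfolder),
    the location the ryqaawr.dvx* files in this thread used. Legitimate Windows
    binaries such as explorer.exe live there too, so this is a review prompt only."""
    return re.match(r"^[a-z]:\\windows\\[^\\]+$", path.strip().lower()) is not None


def triage_hjt(text):
    """Return (line, [reasons]) for every O4/O23 line that deserves a human look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        reasons = []
        m = O23_RE.match(line)
        if m:
            path = m.group("path").replace(" (file missing)", "")
            if m.group("owner") == "Unknown owner":
                reasons.append("unknown owner: confirm you installed this service")
            if "(file missing)" in m.group("path"):
                reasons.append("binary missing: orphaned service entry")
            if in_windows_root(path):
                reasons.append("runs straight from the Windows folder")
        else:
            m = O4_RE.match(line)
            if m:
                cmd = m.group("cmd")
                if any(marker in cmd.lower() for marker in USER_PROFILE_MARKERS):
                    reasons.append("autorun from a user profile folder")
                if in_windows_root(command_path(cmd)):
                    reasons.append("autorun straight from the Windows folder")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_hjt(SAMPLE_HJT_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```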
Title: Re: Win32:Daonol-P[Trj]
Post by: Kelcher on June 09, 2009, 09:40:25 PM
Thanks polonus.  Responses below:

Quote
Check if you know this service:
O23 - Service: SurfStats Scheduler Ver 8.4.0.0 (SurfServer8400) - Unknown owner - C:\Program Files\Surfstats8400\SurfServ8400.exe

Yeah, it's a website log analysis program.  I use it to track traffic on my site.

Quote
Can you answer this question, because no active software firewall was found on your computer:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all,

I'm using windows firewall.  I believe my dsl modem/router also has a firewall, but I've never toyed with it to the best of my knowledge.  Windows firewall shows as "ON" in Windows Security Center. 

Is Windows Firewall a bad solution?
Title: Re: Win32:Daonol-P[Trj]
Post by: polonus on June 09, 2009, 09:49:18 PM
Hi Kelcher,

Not as your router is also involved, because the Windows firewall is only one way protection.
On XP I would use a firewall like ZA free, furthermore there are lots of threads where people recommend these here in the forum threads. In the case of an extra software FW, you could turn the Windows one off,
because no more than one active FW, in the case of Gumblar infection it is a good thing to have one, read what I wrote about this massive online threat here: http://forum.avast.com/index.php?topic=45697.0
and here: http://forum.avast.com/index.php?topic=45517.0

polonus
Title: Re: Win32:Daonol-P[Trj]
Post by: Kelcher on June 10, 2009, 01:33:02 AM
Quote
6. Disable System Restore and then reenable it again.

Done.
Quote
7. Immunize your system with SpywareBlaster.

Done.
Quote
8. Check if you have insecure applications with Secunia Software Inspector.

Done.  Most applications weren't too out of date, but I got rid of some old redundant versions of things like Acrobat, and updated everything else to the most recent.
Title: Re: Win32:Daonol-P[Trj]
Post by: Kelcher on June 10, 2009, 01:37:24 AM
Quote
Hi Kelcher,

Not as your router is also involved, because the Windows firewall is only one way protection.
On XP I would use a firewall like ZA free, furthermore there are lots of threads where people recommend these here in the forum threads. In the case of an extra software FW, you could turn the Windows one off,
because no more than one active FW, in the case of Gumblar infection it is a good thing to have one, read what I wrote about this massive online threat here: http://forum.avast.com/index.php?topic=45697.0
and here: http://forum.avast.com/index.php?topic=45517.0

polonus

Thanks.  I ended up going with PC Tools Plus free firewall, after reading some of the threads.  

I'm going to study your Gumblar post a bit more, and maybe post some questions there, as I've had someone trying to "fuzz" a form on my website (got the term from a tech at my hosting company) and I haven't been able to get any php form validators to work yet (I'm not a programmer, although I'm usually capable of figuring my way through things that aren't that complicated).  Anyhow, I'll see if posting my questions makes sense in one of those threads.  I would hate for my site to become a conduit for this stuff.

THANKS TO ALL WHO HELPED!!  My desktop seems to be running smoothly (for an old timer), infection-free, and is a lot more protected against threats than it was (obviously) before.  Grateful.
Title: Win32:Daonol-P[Trj]
Post by: jr-bert on August 29, 2009, 07:45:49 AM
Hi: Kelcher, DavidR, Tech and polonus

If any of you happen to look back into this thread ... I found it yesterday [8/27/2009] and had exactly the problem Kelcher had ... however, the cures were above my pay grade ... I had just upgraded AVAST after being unprotected for a month or so and also upgraded AdAware to AdAwareAE.   On the first run of this new (to me) AdAware, it found and eliminated the Win32:Daonol-P[Trj]  problem..  I don't know how or why, but it's gone .... thanx to you all for the help ... jr
Title: Re: Win32:Daonol-P[Trj]
Post by: scythe944 on August 29, 2009, 07:55:09 AM
Welcome to the forum jr-bert,

Just to give you a heads up, ad-aware was once a WONDERFUL adware removal program, but over the years it has become less useful.  If it has removed all of your problems with your computer, then great, but malwarebytes and superantispyware are the best free tools to use these days.

Just remember that while ad-aware and spybot - S&D were used in the past, it doesn't mean that they are still the best.  The software moves quickly, and if the tools don't do the same, then others may come and pick up the slack.
Title: Re: Win32:Daonol-P[Trj]
Post by: polonus on August 29, 2009, 07:42:16 PM
Hi jr-bert,

Read the DrWeb-CureIt removal instructions here: http://forums.majorgeeks.com/member.php?s=6b824f39a1513065dbf82e1ade3f0d9c&u=26995

Infostealer.Daonol recreates, repairs and updates itself. Infostealer.Daonol and other complex spyware applications may recreate, repair and update themselves to evade deletion. When Infostealer.Daonol alters, restores and updates its files, DLLs, registry keys and process, a scanner may only remove part of the program, allowing the other remaining files to execute procedures to repair and update. In these cases, it can make the Infostealer.Daonol manual removal process very difficult.
re: http://forum.avira.com/wbb/index.php?page=Thread&threadID=90274
A good thread and read on this difficult to detect morphing infection can be found here:
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t175838.html

polonus
Title: Re: Win32:Daonol-P[Trj]
Post by: Pondus on August 29, 2009, 07:57:44 PM
Quote
Read the DrWeb-CureIt removal instructions here: http://forums.majorgeeks.com/member.php?s=6b824f39a1513065dbf82e1ade3f0d9c&u=26995

The link goes to a log-in page?
Title: Re: Win32:Daonol-P[Trj]
Post by: polonus on August 29, 2009, 08:20:41 PM
Hi pondus,

The info:
Download Dr.Web CureIt and save it to your desktop from here: http://www.freedrweb.com/download+cureit/
Double-click the launch.exe file and allow it to run.
If it prompts you about getting any updates, get the update and then rerun the launch.exe installation.
When it finishes you will have a green window with a Start and an Update selection. Click Start;
the Express Scan of your PC window will come up. Click OK to scan main memory to detect infected process in memory.
If anything is found in memory, click the yes button when it asks you if you want to cure it. This is only a short scan.
You may see a popup window to Buy or get a discount on the program. Just click the X at the top right to close this popup. The scan will continue.
Once the short scan is completed, click the Custom Scan radio button. Then Select each of your hard disk drives (that is if you have more than one). A red dot shows which drives have been chosen.
Click the green arrow at the right under the Dr.Web logo, and the scan will start.
Click 'Yes to all' if it finds any problems and asks if you want to cure or move the file.
When the scan has finished, look whether you can click the icon next to the files found:

If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:

This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! This is necessary because there could be files in use that will be moved or deleted during reboot.
After reboot, rename the DrWeb.csv file to DrWeb.txt so that it can be uploaded here and then attach the log from Dr.Web to your next reply,

polonus