Author Topic: Win32:Daonol-P[Trj]  (Read 14006 times)


Kelcher

Re: Win32:Daonol-P[Trj]
« Reply #15 on: June 10, 2009, 01:37:24 AM »
Hi Kelcher,

Not as your router is also involved, because the Windows firewall is only one way protection.
On XP I would use a firewall like ZA free, furthermore there are lots of threads where people recommend these here in the forum threads. In the case of an extra software FW, you could turn the Windows one off, because no more than one active FW, in the case of Gumblar infection it is a good thing to have one, read what I wrote about this massive online threat here: http://forum.avast.com/index.php?topic=45697.0 and here: http://forum.avast.com/index.php?topic=45517.0

polonus

Thanks.  I ended up going with PC Tools Plus free firewall, after reading some of the threads.  

I'm going to study your Gumblar post a bit more, and maybe post some questions there, as I've had someone trying to "fuzz" a form on my website (got the term from a tech at my hosting company) and I haven't been able to get any php form validators to work yet (I'm not a programmer, although I'm usually capable of figuring my way through things that aren't that complicated).  Anyhow, I'll see if posting my questions makes sense in one of those threads.  I would hate for my site to become a conduit for this stuff.

THANKS TO ALL WHO HELPED!!  My desktop seems to be running smoothly (for an old timer), infection-free, and is a lot more protected against threats than it was (obviously) before.  Grateful.
« Last Edit: June 10, 2009, 02:34:48 AM by Kelcher »

jr-bert

Win32:Daonol-P[Trj]
« Reply #16 on: August 29, 2009, 07:45:49 AM »
Hi: Kelcher, DavidR, Tech and polonus

If any of you happen to look back into this thread ... I found it yesterday [8/27/2009] and had exactly the problem Kelcher had ... however, the cures were above my pay grade ... I had just upgraded AVAST after being unprotected for a month or so and also upgraded AdAware to AdAwareAE. On the first run of this new (to me) AdAware, it found and eliminated the Win32:Daonol-P[Trj] problem. I don't know how or why, but it's gone .... thanx to you all for the help ... jr

Offline scythe944

Re: Win32:Daonol-P[Trj]
« Reply #17 on: August 29, 2009, 07:55:09 AM »
Welcome to the forum jr-bert,

Just to give you a heads up, ad-aware was once a WONDERFUL adware removal program, but over the years it has become less useful.  If it has removed all of your problems with your computer, then great, but malwarebytes and superantispyware are the best free tools to use these days.

Just remember that while ad-aware and spybot - S&D were used in the past, it doesn't mean that they are still the best.  The software moves quickly, and if the tools don't do the same, then others may come and pick up the slack.
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

Offline polonus

Re: Win32:Daonol-P[Trj]
« Reply #18 on: August 29, 2009, 07:42:16 PM »
Hi jr-bert,

Read the DrWeb-CureIt removal instructions here: http://forums.majorgeeks.com/member.php?s=6b824f39a1513065dbf82e1ade3f0d9c&u=26995

Infostealer.Daonol recreates, repairs and updates itself. Infostealer.Daonol and other complex spyware applications may recreate, repair and update themselves to evade deletion. When Infostealer.Daonol alters, restores and updates its files, DLLs, registry keys and process, a scanner may only remove part of the program allowing the other remaining files to execute procedures to repair and update. In these cases, it can make the Infostealer.Daonol manual removal process very difficult.
re: http://forum.avira.com/wbb/index.php?page=Thread&threadID=90274
A good thread and read on this difficult to detect morphing infection can be found here:
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t175838.html

polonus
« Last Edit: August 29, 2009, 07:57:39 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

Re: Win32:Daonol-P[Trj]
« Reply #19 on: August 29, 2009, 07:57:44 PM »
Quote
Read the DrWeb-CureIt removal instructions here: http://forums.majorgeeks.com/member.php?s=6b824f39a1513065dbf82e1ade3f0d9c&u=26995

The link goes to a login page?

Offline polonus

Re: Win32:Daonol-P[Trj]
« Reply #20 on: August 29, 2009, 08:20:41 PM »
Hi pondus,

The info:
Download Dr.Web CureIt and save it to your desktop from here: http://www.freedrweb.com/download+cureit/
Double-click the launch.exe file and allow it to run.
If it prompts you about getting any updates, get the update and then rerun the launch.exe installation.
When it finishes you will have a green window with a Start and an Update selection. Click Start.
the Express Scan of your PC window will come up. Click OK to scan main memory to detect infected process in memory.
If anything is found in memory, click the yes button when it asks you if you want to cure it. This is only a short scan.
You may see a popup window to Buy or get a discount on the program. Just click the X at the top right to close this popup. The scan will continue.
Once the short scan is completed, click the Custom Scan radio button. Then Select each of your hard disk drives (that is if you have more than one). A red dot shows which drives have been chosen.
Click the green arrow at the right under the Dr.Web logo, and the scan will start.
Click 'Yes to all' if it finds any problems and asks if you want to cure or move the file.
When the scan has finished, look if you can click next icon next to the files found:

If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! This is necessary because there could be files in use that will be moved or deleted during reboot.
After reboot, rename the DrWeb.csv file to DrWeb.txt so that it can be uploaded here and then attach the log from Dr.Web to your next reply,

polonus