Daonol Trojan Redirects Browser to Ad Sites


23 replies to this topic

#1 bklyncatlady


Posted 11 March 2009 - 08:00 PM

Hi all,

So unfortunately I was hit with the Daonol Trojan, and it's a headache to remove!

Here is what I have done so far:

Ran Spybot S&D-- it found some spyware, which I removed, but that was not the Trojan
Ran Malwarebytes-- it found lots of issues, which I repaired, including 5 trojan.daonol files
Ran SuperAntiSpyware-- it found some problems, but not the trojan
Ran Hijack This which found a whole bunch of stuff on my computer, which I have not touched cause I don't know what is good and what is bad!

In spite of finding and removing several files as listed above, the problem persists. When I google something, the search comes up just fine, then if I click on the result, it redirects me from the correct address to another site, with an advertisement.

I can google, and then cut and paste the addresses into my address bar and it's fine.

My information... I am running Windows XP Media Edition, and using Firefox browser.

Also... I have rebooted several times, both a "restart" and a full shut down and start back up, after running the scans with MB and SAS

Edited by bklyncatlady, 11 March 2009 - 10:00 PM.



#2 boopme


Posted 11 March 2009 - 10:22 PM

Hello and welcome, please rerun MBAM.

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick Scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Now run part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 bklyncatlady


Posted 12 March 2009 - 05:19 PM

Great, thanks!

Here's what's happened. I updated MBAM and ran it in normal. Here's the result. It found a daonol file.
Back in a bit with my other results.

Malwarebytes' Anti-Malware 1.34
Database version: 1841
Windows 5.1.2600 Service Pack 2

3/12/2009 6:18:01 PM
mbam-log-2009-03-12 (18-18-01).txt

Scan type: Quick Scan
Objects scanned: 87510
Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

#4 bklyncatlady


Posted 12 March 2009 - 05:30 PM

Now run part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.


OK, I successfully downloaded SmitfraudFix and double-clicked it. It opened a command prompt window, and didn't do anything else. (C:\Windows\System32\cmd.exe)
The DOS window was empty, and just sat there.

Also a folder called Smitfraudfix appeared on the desktop, filled with exe files. Is it helpful for me to post what's in that file?

#5 bklyncatlady


Posted 12 March 2009 - 05:32 PM

I tested the googling again, and the problem is still here :thumbsup:

#6 boopme


Posted 12 March 2009 - 08:31 PM

Yes, the logs are my only way of knowing what the tools did.
Also, did MBAM remove the file? I cannot tell from what is displayed.

Edit: yes, post the contents.

Edited by boopme, 12 March 2009 - 08:37 PM.


#7 bklyncatlady


Posted 12 March 2009 - 09:27 PM

OK, I rebooted and ran Malwarebytes again. Here's the log; it looks like maybe I didn't post the complete log before? Sorry about that!

Malwarebytes' Anti-Malware 1.34
Database version: 1841
Windows 5.1.2600 Service Pack 2

3/12/2009 10:24:00 PM
mbam-log-2009-03-12 (22-24-00).txt

Scan type: Quick Scan
Objects scanned: 87699
Time elapsed: 9 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\anyal.xvn (Trojan.Daonol) -> Quarantined and deleted successfully.

#8 bklyncatlady


Posted 12 March 2009 - 09:39 PM

Ok so here's what I've done:

Fresh reboot, ran MBAM, found a Daonol, quarantined/deleted with MBAM, posted the log above.

Fresh reboot, double clicked Smitfraudfix, and it did the dos window again. It sort of freezes there.

Here's a screenshot of the contents of the folder that is now on my desktop called Smitfraudfix:

Posted Image

Edited by bklyncatlady, 12 March 2009 - 09:40 PM.


#9 boopme


Posted 13 March 2009 - 10:38 AM

That's not right... perhaps the malware is still interfering. Let's run these and see if SmitFraud will run after this scan.

From your regular user account..
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

#10 bklyncatlady


Posted 13 March 2009 - 05:54 PM

OK... SUPER is updated, and I booted into safe mode and ran ATF and SUPER. Here is the log from SUPER:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/13/2009 at 05:36 PM

Application Version : 4.25.1014

Core Rules Database Version : 3793
Trace Rules Database Version: 1749

Scan type : Complete Scan
Total Scan Time : 03:30:48

Memory items scanned : 215
Memory threats detected : 0
Registry items scanned : 6619
Registry threats detected : 0
File items scanned : 113560
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\Laurel\Cookies\laurel@doubleclick[1].txt
C:\Documents and Settings\Laurel\Cookies\laurel@advertising[1].txt
C:\Documents and Settings\Laurel\Cookies\laurel@ads.pointroll[1].txt
C:\Documents and Settings\Laurel\Cookies\laurel@zedo[2].txt
C:\Documents and Settings\Laurel\Cookies\laurel@ads.addynamix[1].txt
C:\Documents and Settings\Laurel\Cookies\laurel@adbrite[1].txt
C:\Documents and Settings\Laurel\Cookies\laurel@electronicarts.112.2o7[1].txt
C:\Documents and Settings\Laurel\Cookies\laurel@revsci[1].txt
C:\Documents and Settings\Laurel\Cookies\laurel@ad.yieldmanager[2].txt
C:\Documents and Settings\Laurel\Cookies\laurel@media.adrevolver[2].txt
C:\Documents and Settings\Laurel\Cookies\laurel@c7.zedo[1].txt

#11 boopme


Posted 13 March 2009 - 06:12 PM

Looking good, redirects gone?

#12 bklyncatlady


Posted 13 March 2009 - 08:28 PM

Still getting the redirects. I ran MBAM again; it looks like that same file was found and quarantined/deleted again. Here's the log. I am going to reboot.
Malwarebytes' Anti-Malware 1.34
Database version: 1841
Windows 5.1.2600 Service Pack 2

3/13/2009 9:26:31 PM
mbam-log-2009-03-13 (21-26-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 184896
Time elapsed: 48 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\anyal.xvn (Trojan.Daonol) -> Quarantined and deleted successfully.

#13 bklyncatlady


Posted 13 March 2009 - 08:33 PM

Here is another twist: It seems like the redirects happen only when I use Firefox, and not when I use IE. Firefox is my primary browser but I still have IE installed so I tested the googling with IE.

#14 boopme


Posted 13 March 2009 - 08:36 PM

Ok, well that's where it lives. You do need to have IE for Windows updates anyway.

FILE ASSASSIN
OK, let's use MBAM's FileAssassin feature to remove this file: C:\WINDOWS\anyal.xvn

Open MBAM again. Click the More Tools tab and then the Run Tool button.
Now browse to the file(s) we want to remove using the drop down box next to Look in: at the top.
Locate the file(s), click Open.
You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
If removal did not require a reboot, you will receive a message indicating the file was deleted successfully, however, I recommend you reboot anyway.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to remove highly persistent files. Using it incorrectly could lead to disastrous problems with your operating system.


Rerun MBAM.

Edited by boopme, 13 March 2009 - 08:39 PM.


#15 bklyncatlady


Posted 13 March 2009 - 10:42 PM

OK Thanks!

I followed your instructions for the FileAssassin, and it worked great, file deleted successfully. I rebooted, ran MBAM quick scan, and it again found the C:\WINDOWS\anyal.xvn evil file that seems to keep coming back.

Here's the log:

Malwarebytes' Anti-Malware 1.34
Database version: 1841
Windows 5.1.2600 Service Pack 2

3/13/2009 11:40:18 PM
mbam-log-2009-03-13 (23-40-18).txt

Scan type: Quick Scan
Objects scanned: 87526
Time elapsed: 8 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\anyal.xvn (Trojan.Daonol) -> Quarantined and deleted successfully.
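The pattern in the logs above, the same file reported as deleted and then detected again by the next scan, is the signal that something the scanner did not remove is re-creating it. As an added example (not code from this thread or from Malwarebytes), here is a small Python parser for the MBAM 1.34 log format quoted in the thread that groups detections across several scans and flags any item that keeps reappearing; the sample logs are constructed from the thread's own lines, and the Adware.Example entry is an invented one-off detection included to show it being filtered out.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed MBAM 1.34 log excerpts in the format quoted in this thread.
# The anyal.xvn lines mirror the thread's three scans; the Adware.Example line is invented.
SAMPLE_LOGS = [
    "Malwarebytes' Anti-Malware 1.34\n3/12/2009 10:24:00 PM\nScan type: Quick Scan\n"
    "Files Infected:\nC:\\WINDOWS\\anyal.xvn (Trojan.Daonol) -> Quarantined and deleted successfully.\n",
    "Malwarebytes' Anti-Malware 1.34\n3/13/2009 9:26:31 PM\nScan type: Full Scan (C:\\|)\n"
    "Files Infected:\nC:\\WINDOWS\\anyal.xvn (Trojan.Daonol) -> Quarantined and deleted successfully.\n"
    "C:\\Temp\\example.tmp (Adware.Example) -> Quarantined and deleted successfully.\n",
    "Malwarebytes' Anti-Malware 1.34\n3/13/2009 11:40:18 PM\nScan type: Quick Scan\n"
    "Files Infected:\nC:\\WINDOWS\\anyal.xvn (Trojan.Daonol) -> Quarantined and deleted successfully.\n",
]

# Scan timestamp line, e.g. "3/13/2009 9:26:31 PM"
TIMESTAMP_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$", re.M)
# One detected item: "<path> (<detection name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_log(text):
    """Return (timestamp, [(path, detection_name, action), ...]) for one MBAM log."""
    ts_match = TIMESTAMP_RE.search(text)
    timestamp = ts_match.group(0) if ts_match else "unknown"
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append((m["path"], m["name"], m["action"]))
    return timestamp, items


def recurring_detections(logs, min_scans=2):
    """Return {(path, name): [(timestamp, action), ...]} for items seen in >= min_scans scans.

    A path that MBAM reports as deleted and that shows up again in a later scan is being
    re-created by something the scanner did not remove, so it points to a surviving
    persistence component rather than a cleaned infection.
    """
    history = defaultdict(list)
    for text in logs:
        timestamp, items = parse_log(text)
        for path, name, action in items:
            history[(path.lower(), name)].append((timestamp, action))
    return {key: hits for key, hits in history.items() if len(hits) >= min_scans}
```

Run it over saved mbam-log-*.txt files in date order; any path listed in the result with a "deleted successfully" action on every hit is the one whose loader or dropper still needs to be found.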



