We’ve had a spate of customers’ machines get infected with this over the last week. Had us scratching our heads for a few hours … thought it was Conficker or some variant, but it seems not. Looks like it was actually Trojan:Win32/Daonol.B.
Symptoms
Causes some or all of the symptoms below :-
1. Antivirus software won’t update from the Internet (Sophos, Kaspersky, AVG, F-Secure)
2. Some Google/Yahoo searches get redirected to other dodgy-looking sites!
3. Loading cmd or regedit causes explorer.exe to crash (the start bar disappears for a few seconds and then reappears)
4. Sometimes on starting up the PC it just arrives at a blank blue screen with no icons or text at all. Pressing Ctrl-Alt-Delete and doing File-Run-Explorer.exe will usually bring up the Windows desktop & start menu.
5. Access to many antivirus / security websites is blocked
6. The Windows Firewall gets mucked up and various strange things start to happen with both outbound and inbound traffic. Some PCs prevent web access completely or prevent access from other network PCs.
7. We tried multiple AV programs and nothing detected it – Sophos, Kaspersky, F-Secure, AVG, OneCare. Tried online scans and scans from a bootable BartPE CD with no success.
8. HijackThis showed up nothing of interest.
9. It continued to operate in safe mode with every possible process shut down (which was the key to establishing it had to be something at driver rather than process level).
Cause
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\Aux (or Aux1, Aux2, Aux3 etc.) has a strange value like:-
C:\WINDOWS\system32\..\ppfrvd.waq
C:\WINDOWS\system32\..\ryqkue.idb
C:\WINDOWS\system32\wdmaud.sys
C:\docume~1\%user%\locals~1\temp\..\adfdpj.dsa
(Note: c:\windows\system32\wdmaud.drv & c:\windows\system32\drivers\wdmaud.sys are legit files! The bogus entries above point at a random name via a \..\ parent-folder hop, or at a wdmaud.sys sitting directly in system32 rather than in system32\drivers.)
Resolution
1. Fix registry
- Start->Run->"command" (note: NOT cmd! cmd triggers the explorer.exe crash described above)
- cd \windows
- copy regedit.exe regedit1.exe (because you cannot load regedit.exe directly; if the copy still crashes explorer, use a name that does not contain "regedit" at all)
- Run regedit1 & navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
- Make a note of the dodgy filename and then set the data of the Aux value (and any Aux1, Aux2 etc.) to wdmaud.drv
2. Delete file
- Run HijackThis
- Select More Options – Delete on Reboot
- Browse to the file listed in regedit above and choose it. (Note: \..\ in the path designates the parent folder, i.e. one level up from temp or system32, so the file actually sits in the folder above the one named.)
- Allow to reboot.
3. Update Antivirus and run a full scan - preferably from more than one vendor to ensure the machine is clean.
The correct data value for Aux is wdmaud.drv, as in the screenshot.
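To check a machine for the registry symptom above without opening regedit on the infected box, here is an added example (not from the original post, and not a tool the post used) that lists the values under Drivers32 and flags the ones matching the patterns the post describes: an Aux* value whose data is anything other than wdmaud.drv, a path with a \..\ parent-folder hop, a path under a temp folder, or a file extension that a multimedia driver entry would not normally carry. The set of "normal" extensions and the sample entries other than the ones quoted in the post are my assumptions; on a non-Windows machine it runs against the constructed sample instead of the live registry.

```python
"""Flag suspicious Drivers32 entries of the kind described in the post."""
import re
import sys
from typing import Dict, List, Tuple

# Key from the post; the legit Aux data per the post is wdmaud.drv.
DRIVERS32_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Drivers32"
LEGIT_AUX = "wdmaud.drv"
AUX_NAME = re.compile(r"^aux\d*$", re.IGNORECASE)
# Extensions normally seen on Drivers32 entries (assumption for the heuristic).
NORMAL_EXTENSIONS = {"drv", "dll", "acm", "ax"}

# Constructed sample: the data values quoted in the post plus a few ordinary
# entries (assumed) that a clean XP Drivers32 key carries.
SAMPLE_DRIVERS32 = {
    "Aux": r"C:\WINDOWS\system32\..\ppfrvd.waq",
    "Aux1": r"C:\docume~1\%user%\locals~1\temp\..\adfdpj.dsa",
    "Aux2": r"C:\WINDOWS\system32\wdmaud.sys",
    "midimapper": "midimap.dll",
    "wavemapper": "msacm32.drv",
    "msacm.imaadpcm": "imaadp32.acm",
}


def classify_drivers32(values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (value name, data, reasons) for every entry that looks wrong."""
    findings = []
    for name, data in values.items():
        low = data.strip().strip('"').lower()
        reasons = []
        if AUX_NAME.match(name) and low != LEGIT_AUX:
            reasons.append("Aux entry is not wdmaud.drv")
        if "\\..\\" in low:
            reasons.append("parent-folder hop (\\..\\) in path")
        if "\\temp\\" in low or "\\locals~1\\" in low:
            reasons.append("driver loaded from a temp folder")
        ext = low.rsplit(".", 1)[-1] if "." in low else ""
        if ext not in NORMAL_EXTENSIONS:
            reasons.append(f"unexpected extension .{ext}")
        if reasons:
            findings.append((name, data, "; ".join(reasons)))
    return findings


def read_drivers32() -> Dict[str, str]:
    """Read the live key on Windows; elsewhere fall back to the sample."""
    if sys.platform != "win32":
        return dict(SAMPLE_DRIVERS32)
    import winreg  # only available on Windows
    out: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DRIVERS32_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            if isinstance(data, str):
                out[name] = data
            i += 1
    return out


if __name__ == "__main__":
    hits = classify_drivers32(read_drivers32())
    for name, data, why in hits:
        print(f"{name} = {data}\n    -> {why}")
    if not hits:
        print("no suspicious Drivers32 entries")
```

Run it from a clean admin session (or from a boot CD against a loaded hive) rather than from the infected desktop; it only reports, so the registry fix and the delete-on-reboot step still have to be done by hand as described above.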
Resources
http://www.sophos.com/security/analyses/viruses-and-spyware/trojdaonolfam.html
http://www.threatexpert.com/threats/trojan-win32-daonol-b.html
Update 13/05/2009
Found another blog with some more information here :- http://miekiemoes.blogspot.com/2008/10/fake-sysaudiosys-causes-searchengine.html
Has some info on how it works and where it comes from:-
As far as I know.. this one is getting installed via a “Yahoo! Counter starts here” javascript (which is a malicious script and not related with Yahoo) injected on many forums/sites/blogs.
Solution: Buy a Mac!
Don’t you even start ……
Iain,
I still need help.
I copied regedit and was able to open it. I navigated down to Drivers32 and there is no Aux file. I only have Terminal Server there.
Any thoughts?
Where do I go from here?
Thanks in advance.
As no AV could even detect this trojan, thank you for this post.
I already did all your suggestions. Thank you. But the problem still exists. AVG does not detect the virus. File was \windows\system32\..\fws.yyt
Thanks! Great help.
The copy regedit.exe regedit1.exe didn’t help, try
copy regedit.exe c:\qq.exe (e.g.).
This helped a ton! My coworker and I were stumped when a customer brought in a machine with this virus, but we were able to fix it using your detailed instructions.
Thanks again!
Kyle: Glad it helped.
Rey333: I noticed that too on a couple of machines – sometimes seems to object if “regedit” is anywhere in the filename. As you say calling it something random will work.
Spyros: Is the file still there after a reboot? And if you check regedit again is there a new filename listed? Did you use HijackThis or something to remove the file during a reboot rather than just deleting it?
THANK YOU!! for posting this solution. I had the same problem and doing exactly what you say WORKS!
Besides the symptoms you describe I also had the following: language bar disappears, Total Commander does not run. However, you can trick the virus for the moment by starting regedit, cmd… from WinRAR for example.
We’ve run across similar issues but have fixed them by downloading ComboFix from bleepingcomputer.com to a flash drive from another computer, changing the name of the file (from combofix to something like fixthismachine.exe) and letting it do its job. Works like a charm.
I usually don’t respond on these websites, but I must say thanks. have been working on a client’s laptop for over a day and your advice finally fixed the issue.
I saw a 4 page discussion on another forum and that didn’t fix the issue for those users. Yours was an easy fix, I didn’t use HiJackThis, I just edited the registry, restarted and all is well.
Thank you ever so much!
I also ran into that … and searching around some days fixing the problem with no success. Thank you very much for your solution which works well
For me there was a aux2 entry in the registry with the file link C:\WINDOWS\system32\..\lfmhbv.nuc
I’ve no idea when and how (in what way) this comes onto the system.
Thank you very much!!!
Thanks so much, your advice worked.
Renamed regedit to killthem (regedit in the filename triggered the explorer crash)
Malicious file: fpln.ecn
Removed it on reboot using hijack this, problem solved, regedit works again!
No Antivirus system caught this one.
Thanks for all the comments folks.
If anyone has found out where the heck this thing comes from or how it works I’d love to know as it does have a nasty habit of reappearing! It seems to be able to infect fully patched systems with completely up to date antivirus!
NOD32 detects it and tries to delete it but cannot fix the registry value under \Drivers and begins an endless loop of deleting and recreating. The virus on my machine was Win32\Defl.SHO (SHO = System Helper Object, similar to BHO) and its location C:\WINNT\ticb.ceq. Fortunately I had third-party tools to access the registry and deal with the problem. The Windows removal tool and MBAM do not detect it even with the latest definitions.
Thank you !
Three hours searching around for a solution with no success. My up-to-date Norton Internet Security 2009 cannot detect it either. My system is fully patched. No idea how it infected the system.
Hi
Can anyone tell me how this is being distributed. It’s really important that I find out where it’s coming from. I have a customer based around Europe and they are starting to report it to me. If I can locate the distribution mechanism it will help me protect them.
Thanks for the fix – it really got us out of a hole.
Linus
AVG8.5 detected it when I deselected “Scan infectable files only” on the scan settings. It just can’t remove it.
Thanks for the information.
First of all: THANK YOU.
My symptoms:
- WinXP system in general:
- sluggish performance
- CPU idling at 40% usage; but no processes going nuts in task list
- IE 8: crashes when trying to load any website.
- Firefox: Intermittent redirects to random websites and a host of websites selling “Regcure”..
I have McAfee 8.0 Enterprise which didn’t detect the malware nor would it update — even nai.com and mcafee.com were blocked; Windows Defender didn’t find it, nothing out of the ordinary in HijackThis, etc. etc.
You described my problem and the fix you described was successful. My infection looked like your screenshot (random filename) and the path data was ” C:\Windows\System32\..\ ”
It should be noted that in troubleshooting, most roads led to this “RegCure” thing. Evidently, in & of itself RegCure is a poorly-written registry cleaner. But this malware is their method of directing people to their page (presumably to buy Regcure).
Upon further investigation, this is probably THE most elaborate malware scam I have ever seen. They’ve got dozens of websites, either selling the crap or a dummied-up tech support site promising that RegCure will heal all that ails you. They even have bots posting ‘no, really, we are legit’ messages on forum threads dedicated to the subject of Regcure.
Most people who actually paid for Regcure say it either made their problems worse/can’t uninstall it/ can’t contact their tech support. I hope those people find their way to this site.
At any rate….Thanks again!
I got rid of this pesky thing using RegRun and Malwarebytes. Seems to be gone…
Word!
Thanks! Worked a treat. Only thing is that the regedit copy did not work for me. For those that it does not work for, go to http://www.dougknox.com/xp/utils/xp_emerutils.htm and use the tool there. This is proving to be a bit of a money maker for me; I think this is picked up from social networking sites, I’m getting laptops delivered left, right and centre.