Skip to main content
Published May 19, 2009 | Updated Apr 16, 2011

Win32/Daonol

Detected by Microsoft Defender Antivirus

Aliases: Trojan-PSW.Win32.Kates (Kaspersky) Lando (McAfee) Hacktool.Rootkit (Symantec)

Summary

Win32/Daonol is a family of trojans capable of monitoring network traffic, stealing FTP credentials, preventing access to security Web sites, disabling access to system programs, and redirecting Web searches to sites hosting other malware.
Use Microsoft Windows Defender, Microsoft Security Essentials, the Microsoft Safety Scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.
Additional Recovery Instructions for Windows XP Systems
Steps to manually clean Win32/Daonol infections from within Windows XP:
  1. Navigate to Start, click Run, and type the following instruction:

    explorer.exe c:\

    then click OK or press Enter.
  2. Create a folder named cleanup - from the File menu, select New and then Folder and type cleanup . Press Enter twice to open the newly created folder named cleanup, or double-click on the folder.
  3. Navigate to Start, click Run, and type the following instruction:

    explorer.exe %windir%\system32

    then click OK or press Enter. Note that %windir% is intentional and points to the Windows directory as installed on the computer.
  4. In the list of files, look for cmd.exe. Right-click on the file and select Copy, or press Ctrl-C to copy the program to the Windows clipboard.
  5. Paste the copied file into the cleanup folder - press Alt-Tab to toggle the active window to the cleanup folder and press Ctrl-V to paste the cmd.exe file into this folder.
  6. Rename the copied cmd.exe executable to c.exe - right-click the copied file and select Rename, and type c.exe.
  7. Double-click c.exe to open the copied command prompt and type the following instructions in order:

    copy %windir%\system32\reg.exe r.exe
    r.exe save "HKLM\Software\Microsoft\Windows NT\CurrentVersion" temp.dat
    r.exe load HKLM\TempCleanup temp.dat
    r.exe query HKLM\TempCleanup\Drivers32
  8. The last instruction should result in the display of registry values. Malicious registry values will have the following common properties:
    1. The file name has the extension .bak, .tmp, .old or .dat
    2. The file path includes the full path including drive letter
    3. The file path includes the string \..\
    4. The value data may include some random strings such as 0yAAAAAAA

      Note that in this example, the last entry is the malicious registry value:

      midimapper       REG_SZ        midimap.dll
      vidc.iv32        REG_SZ        ir32_32.dll
      vidc.iv41        REG_SZ        ir41_32.ax
      midi9            REG_SZ        C:\Windows\..\kft.bak 0yAAAAAAAA
  9. Write down the malicious registry value and data details on paper, as in the following example:

    value = midi9
    file = C:\Windows\..\kft.bak
  10. Type the following instructions to delete the malicious registry key:

    r.exe delete “HKLM\Software\Microsoft\Windows NT\CurrentVersion” /v <value>

    where <value> is the value that you have written down in step 9. For the above example the instruction would be:

    r.exe delete “HKLM\Software\Microsoft\Windows NT\CurrentVersion” /v midi9
  11. Delete the Win32/Daonol file by typing the following instruction:

    delete "C:\Windows\..\<file>"

    where <file> is the value that you have written down in step 9. For the above example the instruction would be:

    delete "C:\Windows\..\kft.bak"
  12. Restart your computer.
Follow us