Help me remove Win32/Daonol.D trojan

  • Question

  • I cannot get this Daonol.D trojan off my computer and it is slowing down the processes so much that computer is difficult to use.  Onecare would not wipe it off so I then uninstalled Onecare and installed AVG-free hoping it would get it.  No luck b/c it deactivates that too!  Reinstalled Onecare and Onecare found the virus but still could not wipe it off!  Very frustrated!

    Then, I tried running a Onecare scan in safe mode with the -S and -H tags using instructions on this forum and it quarantined it, but then when I restarted the computer went back to its old ways.  I have located the file in the C:/windows directory and tried to delete it manually, but it just reappears again.  This virus interferes with anti-virus software running.  In fact, whenever anti-virus software turns on, the computer essentially runs so slow you can't do anything with it.  If you turn off antivirus, then you can use the computer, but this trojan is labelled as severe security warning.

    The virus loads every time I start computer and Onecare can't seem to remove it.  How do I get this thing off ?!

    Running Windows XP (SP3) on a Circa 2004 Fujitsu laptop.  The culprit file is C:\windows\eudnqku.eqd.  Also the file appears to replicate itself over and over by adding an "x" to the end of itself so you get a huge list of eudnqkuxxxx etc. files.  If you delete all of them, you still can't get rid of the original eudnqku.eqd file.  It just keeps coming back no matter how many times you delete it.  I cannot identify which process is running with the virus in the task manager, but I can tell you that as soon as the process called MsMsg starts, the CPU usage maxes to 100% and the computer runs like molasses.  Turning off that process relieves the slowness problem, but it also turns off Onecare so I am assuming that it is a process essential to virus scanning.

    Can you please give me a set of instructions to remove this thing.  At the end of my rope here.

    Many thanks.

    Monday, June 1, 2009 1:19 PM
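
An added triage example (not part of the original post, and not OneCare or Malwarebytes code): it groups the entries of a directory listing into families whose names differ only by a run of trailing "x" characters, the replication pattern described in the question. The post does not say whether the "x" is appended to the stem or to the full name, so the sketch accepts both; the function names, the `min_copies` threshold and every sample name other than `eudnqku.eqd` are assumptions made for illustration.

```python
import os
from collections import defaultdict

# Constructed sample listing. Only eudnqku.eqd and the "append an x" pattern
# come from the post; the other names are ordinary files added for contrast.
SAMPLE_LISTING = [
    "explorer.exe", "eudnqku.eqd", "eudnqkux", "eudnqkuxx", "eudnqkuxxx",
    "eudnqkuxxxx", "notepad.exe", "win.ini", "hex.txt", "system.ini",
]

def split_x_run(name):
    """Return (family_key, x_count): the lower-cased stem with trailing 'x'
    characters removed, and how many 'x' were stripped from stem and extension."""
    lower = name.lower()
    stem, dot, ext = lower.rpartition(".")
    if not dot:                       # no extension at all
        stem, ext = lower, ""
    base_stem, base_ext = stem.rstrip("x"), ext.rstrip("x")
    x_count = (len(stem) - len(base_stem)) + (len(ext) - len(base_ext))
    return base_stem, x_count

def find_x_families(names, min_copies=3):
    """Report families with at least min_copies distinct 'x' run lengths.
    A single legitimate name ending in 'x' never reaches the threshold."""
    families = defaultdict(dict)
    for name in names:
        key, x_count = split_x_run(name)
        if key:
            families[key][name] = x_count
    report = {}
    for key, members in families.items():
        run_lengths = {n for n in members.values() if n > 0}
        if len(run_lengths) >= min_copies:
            report[key] = sorted(members, key=lambda n: (members[n], n))
    return report

def scan_directory(path):
    """Apply the same check to a real folder, e.g. the Windows directory."""
    return find_x_families(os.listdir(path))

if __name__ == "__main__":
    for key, members in find_x_families(SAMPLE_LISTING).items():
        print(f"{key}: {len(members)} related files")
        for member in members:
            print("   ", member)
```

A family reported here is a lead for the scanner-based cleanup described later in the thread, not proof of infection on its own.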


All replies


    If you are using Windows Live OneCare and you have been infected, but OneCare did not detect or cannot remove the malware, please contact support to report this and for help with removal.

    How to reach support (FAQ) - http://social.microsoft.com/Forums/en-US/onecareinstallandactivate/thread/30400b52-7f26-4ba0-bc18-17e305329d90


    If you are in North America, you can call 866-727-2338 for help with virus and spyware infections. See http://www.microsoft.com/protect/support/default.mspx  for details.  For international information, see your local subsidiary Support site.

    Microsoft MVP Windows Live / Windows Live OneCare & Live Mesh Forum Moderator
    Monday, June 1, 2009 3:35 PM
  • i spent hours on the phone today with microsoft support. i too have the daonol.d trojan, as well as the hiloti.gen!A trojan. onecare located them and claimed to have resolved them, to no avail. i have case numbers with tech support and pc safety department. the resolution i received was that they deleted my ask.com toolbar, which they insisted was my "infection". yes, seriously. i still have the viruses, and don't know what to do about it! meanwhile, my computer is vulnerable because my antivirus software hasn't updated in over a month!
    anyone know of another route i can take to remove these trojans?
    any help would be much appreciated!
    Tuesday, June 16, 2009 7:31 AM
  • I'm sorry that you spent hours to no avail at this point. What is the status of your case(s) with support? If the infections were not removed, you should request that the case be escalated until they are removed.

    If you wish to pursue this yourself, this forum thread may help:

    And this link may help for the second infection:

    You may also wish to join the bleeping computer forum and post your issue there. They will work with you to clean the PC after you provide them with logs to review.

    Microsoft MVP Windows Live / Windows Live OneCare & Live Mesh Forum Moderator
    Tuesday, June 16, 2009 12:06 PM
  • In conjunction with MS Onecare research team and 2 weeks of work I have removed the Daonol.D and all the other trojans it downloads.  Onecare is able to detect it, but it cannot remove it.  Here is the procedure:

    1) Start computer in safe mode with networking only!  If you don't, the trojan loads and won't let you run or update ANY antivirus software and it also downloads other trojans from the web onto your computer.

    While in safe mode with networking:

    2) Delete all temporary internet files, cache, cookies, and prefetch files manually. (type %temp% in run command box and %prefetch% in run command box and delete everything in those folders)

    3) Go to the onecare website and use the Web scanner to run a complete scan of your computer over the web (this will take a few hours). It will clean everything it can, but the trojan will still be on your computer.

    4) Download the free Malwarebytes' Anti-malware scanner from web and run it while in safe mode.  It will find and clean the Daonol.D from your registry and delete the virus and all the other trojans that it downloaded.

    5) Next RESET INTERNET EXPLORER to original default settings to protect from further infections via pop-ups etc.

    6) Next, say a prayer and restart the computer normally.  Should function normally now.  Then use OneCare to run a full tune-up.  It will then update itself and re-scan your computer.

    Good Luck.
    Tuesday, June 16, 2009 1:47 PM
  • chris,
    thanks for the response. i can't use the internet while in safe mode with networking only, because i live in the boonies and my only source of internet is a verizon aircard. this runs through my usb port, which does not function while in safe mode. i think i will have to remove my harddrive and connect it to someone else's computer as an external harddrive, then deal with it that way. geez, what a pain...
    Tuesday, June 16, 2009 3:42 PM
  • If you download the Malwarebytes scanner and save it to your desktop, you can run it while not connected to the Internet and skip the OneCare safety scan in the steps. That may still work for you. The OneCare Safety Scan uses the same basic engine and definitions as the installed OneCare, perhaps slightly more up to date as the definitions can be updated throughout the day compared to OneCare's daily check for updates.
    Microsoft MVP Windows Live / Windows Live OneCare & Live Mesh Forum Moderator
    • Proposed as answer by kseningen Wednesday, June 17, 2009 5:41 AM
    Tuesday, June 16, 2009 4:09 PM
  • hooray it worked! stephen boots you're my hero!!!!!!!!!!!!!!!! malwarebytes wore out doanol like an old pair of sneakers!
    Wednesday, June 17, 2009 5:41 AM
  • hooray it worked! stephen boots you're my hero!!!!!!!!!!!!!!!! malwarebytes wore out doanol like an old pair of sneakers!

    Glad to read that you were able to be rid of the malware. I'm not sure i can accept the hero designation, you did the work. You may want to follow up the removal with an online scan to be sure that nothing else is lurking that OneCare may have missed.

    Some of these scan only and will require purchase for cleaning, but the OneCare online scanner is completely free.

    Microsoft MVP Windows Live / Windows Live OneCare & Live Mesh Forum Moderator
    Wednesday, June 17, 2009 12:40 PM