Need to remove a trojan



abbygayle
2008-08-14, 15:45
I downloaded a keygen or something for Daniusoft WMA MP3 player (dumb, I now know...) Anyway, I have a trojan. I have AVG running a scan, but it has been running for two days and still isn't finished. These are the infections listed in AVG so far:
crack.exe
serial.exe
number.exe
danuisoft_wma_mp3_co
tiny.nfo.viewer.exe
danuisoft.wma.mp3.co

My spybot scan said to check error.log file. So I did that. Here is what that says:
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | FlashExploit | <$WINDIR>\Tasks\SysFile.brk
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | FlashExploit | <$WINDIR>\Tasks\SysFile.brk
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | FlashExploit | <$WINDIR>\Tasks\SysFile.brk
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>


I'm not sure where to go from here. I would greatly appreciate it if someone would be able to point me in the right direction. Thanks!

md usa spybot fan
2008-08-14, 15:53
abbygayle:

What version of Spybot are you running (Spybot » Help » About)?

If you are not running Spybot 1.5.2.20 or above, upgrading to the latest version should solve the problem. To upgrade to Spybot 1.6 download the installation program from Mirror selection - The home of Spybot-S&D! (http://www.spybot.info/en/mirrors/index.html).

abbygayle
2008-08-14, 16:14
ok, thanks for replying. i had 1.4 so i'm trying to update as suggested.
but when i go to download i get an error that says:
C:/programfiles/sypbot/search& destroy\plugins/tcpipaddress.dll

an error occured trying to replace existing file
delete filefailled;code 5
access denied

if i retry i get the same error. should i ignore? (not suggested according to error)?

md usa spybot fan
2008-08-14, 16:32
abbygayle:

Uninstall your old version and reboot the system before installing the new one.

spybotsandra
2008-08-14, 16:32
Hello,

We recommend a fresh install of Spybot - Search & Destroy.

Please uninstall Spybot - Search & Destroy according to the following link:
http://www.safer-networking.org/en/howto/uninstall.html
Then make a fresh install of Spybot - Search & Destroy 1.6.
You will find links to several download locations on our website:
http://www.safer-networking.org/en/mirrors/index.html

You will also have to update your new version using the integrated updater.
This should solve the problem.

Best regards
Sandra
Team Spybot

abbygayle
2008-08-14, 18:53
ok, thanks. i was able to scan spybot without any interruptions or references to the error.log file, but none of the trojans listed above were in the scan. just things from hitbox, fastclick, tradedoubler, adrevolver, burstmedia, casalemedia.

Have I removed the trojan? Is there more I need to do?
Also, should I remove the Danuisoft program if possible? Will the trojan follow it around?

if i go to the error.log again it has the following. i don't know if that means anything or not.
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | FlashExploit | <$WINDIR>\Tasks\SysFile.brk
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | FlashExploit | <$WINDIR>\Tasks\SysFile.brk
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | FlashExploit | <$WINDIR>\Tasks\SysFile.brk
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>

abbygayle
2008-08-14, 19:31
i'm not sure how to edit the above post, but i should clarify that the last scan was done with a clean version of spybot s&D 1.6

md usa spybot fan
2008-08-14, 21:24
abbygayle:


> i'm not sure how to edit the above post, ...

You can't edit posts in this forum after 15 minutes.

> ok,thanks i was able to scan spybot without any interruptions or references to the error.log file, ... Have I removed the trojan?

There were no Trojans. What you were getting were detection rule errors in the Trojans.sbi and TrojansC.sbi files being reported by the old version of Spybot because some of the new detection rules are incompatible with that old version.

abbygayle
2008-08-14, 21:42
i see, thank you...

i know this is a spybot forum but if i don't have any trojans do you know why my avg would list all of those same things (see first post) under infections?

if i did, indeed, have a trojan, would spybot have listed it and fixed it?

thanks again for your help.

md usa spybot fan
2008-08-14, 22:24
abbygayle:


> i see, thank you...
>
> i know this is a spybot forum but if i don't have any trojans do you know why my avg would list all of those same things (see first post) under infections?
>
> if i did, indeed, have a trojan, would spybot have listed it and fixed it?
>
> thanks again for your help.

What version of Spybot - Search & Destroy are you currently running (Spybot » Help » About)?

I personally do not use Grisoft's AVG and you did not include a log of the detections by AVG, so I am at a loss to answer that question.

The errors that you posted were primarily the failure of rootkit checks (hidden file checks) that fail in versions of Spybot below Spybot 1.5.2.20.

Assuming you are running Spybot 1.6.0.30, if the rootkits actually existed with a scan using Spybot 1.6.0.30, Spybot should have detected them.

abbygayle
2008-08-15, 05:59
I am running version 1.6.0.30 for spybot search and destroy.

For my avg log is this what you mean? These are the result/infections listed during my scan.

crack.exe
serial.exe
number.exe
danuisoft_wma_mp3_co
tiny.nfo.viewer.exe
danuisoft.wma.mp3.co

md usa spybot fan
2008-08-15, 13:19
abbygayle:


> ... i know this is a spybot forum but if i don't have any trojans do you know why my avg would list all of those same things (see first post) under infections? ...

I guess I'm missing something. Spybot listed errors in detection rules for checks associated with these malware checks:
Delf.Spool.cn
FlashExploit
Win32.Agent.frl
Zlob.DNSChanger
Zlob.DNSChanger.rtk

> ... For my avg log is this what you mean? These are the result/infections listed during my scan.
>
> crack.exe
> serial.exe
> number.exe
> danuisoft_wma_mp3_co
> tiny.nfo.viewer.exe
> danuisoft.wma.mp3.co

I don't see any connection between the two.

abbygayle
2008-08-15, 15:58
sorry if i'm confusing. i'm pretty inexperienced with security software.

the things listed in the avg infection list were related to the software keygen i downloaded (danuisoft) so i assumed that was how the trojan got on my computer.

i guess my main question is, do i have a trojan or don't i? i thought i did. but spybot hasn't found anything and avg has those listed.

are you saying in your opinion i do not have a trojan (even though those things are listed as infections under avg)?

md usa spybot fan
2008-08-15, 17:02
abbygayle:


> ... are you saying in your opinion i do not have a trojan (even though those things are listed as infections under avg)?

No I am not saying that at all.

What I am saying is that the original errors that you were getting with Spybot were because you were running an old version of Spybot. They were not detections of malware.

The detections that you are getting with Grisoft's AVG could very well be detections of malware that is not picked up during a Spybot scan.
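
An added example (not from any poster in this thread and not Spybot's own code): a small Python triage script that collapses the repeated error.log lines quoted above into distinct rule entries and compares them with the file names AVG flagged. The three-field `definitions file | rule | target` layout is inferred from the quoted lines only, and all function names are hypothetical.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# The seven lines of the error.log quoted in the thread; the log repeated this
# block three times, reproduced here by multiplying the list.
INCLUDES = r"C:\Program Files\Spybot - Search & Destroy\Includes"
BLOCK = [
    ("Trojans.sbi", "Delf.Spool.cn", r"<$SYSDIR>\ntdoss04.sys"),
    ("Trojans.sbi", "Win32.Agent.frl", "<$FILE_SYSTEM>"),
    ("Trojans.sbi", "Win32.Agent.frl", "<$FILE_EXE>"),
    ("TrojansC.sbi", "FlashExploit", r"<$WINDIR>\Tasks\SysFile.brk"),
    ("TrojansC.sbi", "Zlob.DNSChanger", "<$FILE_EXE>"),
    ("TrojansC.sbi", "Zlob.DNSChanger", "<$FILE_EXE>"),
    ("TrojansC.sbi", "Zlob.DNSChanger.rtk", "<$FILE_EXE>"),
]
SAMPLE_LOG = "\n".join(f"{INCLUDES}\\{f} | {r} | {t}" for f, r, t in BLOCK * 3)
AVG_ITEMS = ["crack.exe", "serial.exe", "number.exe", "danuisoft_wma_mp3_co",
             "tiny.nfo.viewer.exe", "danuisoft.wma.mp3.co"]
PLACEHOLDER = re.compile(r"<\$[A-Z_]+>")  # unexpanded variable such as <$SYSDIR>

def parse_error_log(text):
    """Count distinct (definitions file, rule, target) entries; skip other lines."""
    entries = Counter()
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[0].lower().endswith(".sbi"):
            entries[(PureWindowsPath(parts[0]).name, parts[1], parts[2])] += 1
    return entries

def rule_names(entries):
    """Sorted, de-duplicated rule names mentioned in the log."""
    return sorted({rule for _, rule, _ in entries})

def all_targets_unexpanded(entries):
    """True when every target still contains a <$...> placeholder."""
    return bool(entries) and all(PLACEHOLDER.search(t) for _, _, t in entries)

def overlap(entries, flagged):
    """Flagged file names that also appear as a rule name or target file name."""
    known = {r.lower() for _, r, _ in entries}
    known |= {PureWindowsPath(t).name.lower() for _, _, t in entries}
    return sorted(n for n in flagged if n.lower() in known)

if __name__ == "__main__":
    log = parse_error_log(SAMPLE_LOG)
    for (sbi, rule, target), n in sorted(log.items()):
        print(f"{n}x  {sbi:13} {rule:20} {target}")
    print("rules:", rule_names(log))
    print("placeholders only:", all_targets_unexpanded(log))
    print("overlap with AVG list:", overlap(log, AVG_ITEMS))
```

The 21 log lines reduce to six distinct entries across five rule names, every target still carries a rule variable, and none of them matches a file name on the AVG list, so the two lists have to be investigated separately.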