Need to remove a trojan

**abbygayle** · 2008-08-14, 15:45

I downloaded a keygen or something for Daniusoft WMA MP3 player (dumb, i now know...) Anyway, I have a trojan. I have AVG running a scan, but it has been running for two days and still isnt finished. These are the infections listed in AVG so far:
crack.exe
serial.exe
number.exe
danuisoft_wma_mp3_co
tiny.nfo.viewer.exe
danuisoft.wma.mp3.co

My spybot scan said to check error.log file. So I did that. Here is what that says:
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | FlashExploit | <$WINDIR>\Tasks\SysFile.brk
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | FlashExploit | <$WINDIR>\Tasks\SysFile.brk
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | FlashExploit | <$WINDIR>\Tasks\SysFile.brk
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>

I'm not sure where to go from here. I would greatly appreciate if someone would be able to point me in the right direction. THanks!

**md usa spybot fan** · 2008-08-14, 15:53

abbygayle:

What version of Spybot are you running (Spybot » Help » About)?

If you are not running Spybot 1.5.2.20 or above, upgrading to the latest version should solve the problem. To upgrade to Spybot 1.6 download the installation program from Mirror selection - The home of Spybot-S&D!.

**abbygayle** · 2008-08-14, 16:14

ok, thanks for replying. i had 1.4 so i'm trying to update as suggested.
but when i go to download i get an error that says:
C:/programfiles/sypbot/search& destroy\plugins/tcpipaddress.dll

an error occured trying to replace existing file
delete filefailled;code 5
access denied

if i retry i get the same error. should i ignore? (not suggested according to error)?

**md usa spybot fan** · 2008-08-14, 16:32

abbygayle:

Uninstall your old version and reboot the system before installing the new one.

**spybotsandra** · 2008-08-14, 16:32

Hello,

We recommend a fresh install of Spybot - Search & Destroy.

Please uninstall Spybot - Search & Destroy according to the following link:
http://www.safer-networking.org/en/howto/uninstall.html
Then make a fresh install of Spybot - Search & Destroy 1.6.
You will find links to several download locations on our website:
http://www.safer-networking.org/en/mirrors/index.html

You will also have to update your new version using the integrated updater.
This should solve the problem.

Best regards
Sandra
Team Spybot

**abbygayle** · 2008-08-14, 18:53

ok,thanks i was able to scan spybot without any interruptions or references to the error.log file, but none of the trojans listed above were in the scan. just things from hitbox, fastclick, tradedoubler, adrevolver, burstmedia, casalemedia.

Have I removed the trojan? Is there more I need to do?
Also, should I remove the Danuisoft program if possible? WIll the trojan follow it around?

if i go to the error.log again it has the following. i dont know if that means or anything or not.
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | FlashExploit | <$WINDIR>\Tasks\SysFile.brk
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | FlashExploit | <$WINDIR>\Tasks\SysFile.brk
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | FlashExploit | <$WINDIR>\Tasks\SysFile.brk
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>

**abbygayle** · 2008-08-14, 19:31

i'm not sure how to edit the above post, but i should clarify that the last scan was done with a clean version of spybot s&D 1.6

**md usa spybot fan** · 2008-08-14, 21:24

abbygayle:

Originally Posted by abbygayle

i'm not sure how to edit the above post, ...

You can't edit posts in this forum after 15 minutes.

Originally Posted by abbygayle

ok,thanks i was able to scan spybot without any interruptions or references to the error.log file, ... Have I removed the trojan?

There were no Trojans. What you were getting were detection rule errors in the Trojans.sbi and TrojansC.sbi files being reported by the old version of Spybot because some of the new detection rules are incompatible with that old version.

**abbygayle** · 2008-08-14, 21:42

i see, thank you...

i know this is a spybot forum but if i dont have any trojans do you know why my avg would list all of those same things (see first post) under infections?

if i did, indeed, have a trojan, would spybot have listed it and fixed it?

thanks again for your help.

**md usa spybot fan** · 2008-08-14, 22:24

abbygayle:

Originally Posted by abbygayle

i see, thank you...

i know this is a spybot forum but if i dont have any trojans do you know why my avg would list all of those same things (see first post) under infections?

if i did, indeed, have a trojan, would spybot have listed it and fixed it?

thanks again for your help.

What version of Spybot - Search & Destroy are you currentally running (Spybot » Help » About)?

I personally do not use Grisoft's AVG and you did not include a log of the detections by AVG, so I am at a loss to answer that question.

The errors that you posted were primarally the failure of rootkit checks (hidden file checks) that fail in versions of Spybot below Spybot 1.5.2.20.

Assuming you are running Spybot 1.6.0.30, if the rootkits actually existed with a scan using Spybot 1.6.0.30, Spybot should have detected them.

Thread: Need to remove a trojan

Thread Tools

Display

Need to remove a trojan

Posting Permissions