Trojan Downloader.Small.18.T
nabiul
02-05-2005, 03:22 PM
Downloader.Small.18.T seems to be what is installing all the **** into my comp because #1, it's called downloader, #2, YOU CAN'T ****ING REMOVE IT!...
Only AVG antivirus finds it, and after deleting it, the thing just comes back... I did a regular scan, and a scan for stealth boot virus and stealth file virus using the rescue disk in safe mode with command prompt, and surprise surprise, it didn't find anything...
This trojan is also linked to isearch somehow, because even with the internet disconnected, isearch still tries to install itself... but only isearch, if you get rid of the other installers for the various toolbars and crap...
Searching on Google, there currently doesn't seem to be a way to remove it...
nightowl
02-05-2005, 03:46 PM
Post your log on the message board, I'll check it out later tonight.........Jim
nabiul
02-06-2005, 09:01 AM
I posted my log in the isearch removal thread, I think second last or last page.
It's no use, the only 2 things in the log that are bad and won't go away are a BHO with a missing file and the trusted zone that ends in .biz...
No use now, I've tried a lot of things more powerful than HijackThis, and none of them can detect the root of the downloader.
I'm buying a new hard disk today and going to backup/reformat... except this time I'm turning on System Restore... if only I had a recent restore point, I wouldn't be in this mess...
nightowl
02-06-2005, 12:09 PM
Don't bother with the HijackThis log, I've removed all spyware/malware that can possibly be removed.
The only things that won't go away are the BHO with the missing file and that trusted zone with net biz or some crap like that,
but here you go anyway...
Logfile of HijackThis v1.99.0
Scan saved at 7:32:29 PM, on 2/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Documents and Settings\Mashfique\My Documents\downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F3B7EC9E-E166-1970-CD3B-0E8A377FD446} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunOnce: [Desktop Search Removal Tool] "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
O4 - HKLM\..\RunOnce: [Bonus Sites Removal Tool] "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
O4 - HKLM\..\RunOnce: [iSearch Toolbar Removal Tool] "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
nightowl
02-06-2005, 01:47 PM
Reboot To Safe Mode (tap F8 on Startup)
Place a check next to each of these and click Fix Checked.
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F3B7EC9E-E166-1970-CD3B-0E8A377FD446} - (no file)
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunOnce: [Desktop Search Removal Tool] "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
O4 - HKLM\..\RunOnce: "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
O4 - HKLM\..\RunOnce: [iSearch Toolbar Removal Tool] "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
Still in Safe Mode, delete all Temporary Internet Files, Cookies, and empty the Recycle Bin.
Then Reboot and post a new log..........Jim
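A triage pass over the kind of log posted in this thread, as an added example that is not part of any poster's message and is not HijackThis's own logic. The flagging rules (missing R3 hook, O2 with no file, any O15 entry, one executable behind several O4 autostart entries) are assumptions chosen for illustration, and `SAMPLE_LOG` is a constructed subset of the log above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F3B7EC9E-E166-1970-CD3B-0E8A377FD446} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunOnce: [Desktop Search Removal Tool] "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
O4 - HKLM\..\RunOnce: [iSearch Toolbar Removal Tool] "C:\WINDOWS\inst\kill.exe" /VERYSILENT /NOCANCEL /NORESTART /SP-
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                # section code, rest of line
AUTORUN = re.compile(r"^[^:]+: \[[^\]]*\] (?P<cmd>.+)$")  # key: [name] command line

def autorun_target(cmd):
    """Executable named by an O4 command line, lower-cased, arguments dropped."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', cmd, re.I)
    return ((m.group(1) or m.group(2)) if m else cmd).lower()

def review_candidates(log_text):
    """Return (line, reason) pairs for manual review. The rules are assumptions."""
    flagged, by_target = [], defaultdict(list)
    for line in map(str.strip, log_text.splitlines()):
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "R3" and "missing" in body:
            flagged.append((line, "search hook entry points at nothing"))
        elif section == "O2" and body.endswith("(no file)"):
            flagged.append((line, "BHO is registered but its file is absent"))
        elif section == "O15":
            flagged.append((line, "site added to the IE Trusted Zone"))
        elif section == "O4" and (a := AUTORUN.match(body)):
            by_target[autorun_target(a["cmd"])].append(line)
    for target, lines in by_target.items():
        if len(lines) > 1:  # same binary started from several autostart entries
            flagged += [(l, f"{target} has {len(lines)} autostart entries") for l in lines]
    return flagged

if __name__ == "__main__":
    for line, reason in review_candidates(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

A flagged line is a prompt to check the entry by hand, not a verdict that it is malicious.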
ali_s2003
04-08-2005, 03:08 PM
Hi, I have the same virus, the Trojan downloader.small.18.T.
My problem is that I do not have HijackThis, and cannot seem to download it either. Every site I have tried either comes up as 'Page not found', or when I have got to a page, the download itself will not work. I'm not sure if this is anything to do with the virus. As such I have no log to display, is there any way that you can help me get rid of this thing?!
AVG finds it, tells me it has been healed and that to complete the healing I must restart. After the restart I rerun AVG and it picks up the virus again with the same 'useful' information to restart. I have also downloaded Xoftspy which finds the Trojan, but cannot delete it.
Any help is VERY much appreciated, but please use basic steps, I am not hugely familiar with handling this type of thing!
Many thanks in advance!!!
Alastair