Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice

Trojan horse virus

6474 Views 24 Replies 6 Participants Last post by  ~Candy~
Hello, hello. I have AVG and it tells me I have "Trojan horse Downloader.Small.18.T" virus. No matter what action I take (delete, move to vault, heal) it keeps coming back after every action I take (open internet, my documents, etc.). I am pretty sure it is in conjunction with this Desktop Search I now have in my lower left corner on my desktop. I have no idea where it came. Any assistance in removing this would be GREATLY appreciated.
p.s. I have Windows XP
Not open for further replies.
1 - 9 of 25 Posts
Welcome to TSG

Where does it say the trojan is located at?


Go to and download 'Hijack This!'.

First make a folder on your computer in my documents called Hijackthis and then Unzip it to that folder.
Then doubleclick the Hijackthis.exe.

Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.

Someone here will be happy to help you analyze the results.
See less See more
Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

CWshredder from
Spybot - Search & Destroy from
Download Adaware SE


Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.
and make sure you have all of Microsoft security updates

then reboot &

Run Sybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &


Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.
then post a new hijackthis log
See less See more
What every Adaware and Spybot finds and is red is spyware and needs to be remove. If you have programs that you do not want to remove then you will keep having the same problems that you are having now. The choice is yours
run hijackthis and fix the following items. Be sure all windows are closed except for hijackthis.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {8235A87F-2AF9-4B3B-8B9C-66DFEDCE9E40} - C:\WINDOWS\System32\ifsautil.dll (file missing)
O2 - BHO: (no name) - {FB2F93E0-E804-41DB-8586-A9DF14CF604B} - C:\WINDOWS\System32\cea.dll (file missing)
O2 - BHO: (no name) - {FEF3DFC6-6524-45DE-5008-4D26242F6090} - C:\WINDOWS\System32\trhi.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} -

How to boot in safe mode

Reboot in safe mode and delete the following folder


Reboot and post a new hijackthis log
See less See more
Per my e-mail I sent you.

You are running hijackthis from a temp folder. Please move that to a permanent folder so you don't loose your backups.

Create a permanent folder on your hard drive like c:\hijackthis

run hijackthis and fix the following items. Be sure all windows are closed except for hijackthis.

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

Restart to safe mode.

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete this folder


Reboot and post a new hijackthis log
See less See more
Ok it is still in your system.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

When you are sure you are clean turn it back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

Lets try this

In Windows Explorer, find and delete these files, by manually navigating to the folders they are in, delete all you can find but continue if you do not find one or more--don't stop in the middle!!


Now, delete this folder.


Reboot and post a new hijackthis log
See less See more
Go into task manager alt > ctrl > Del select task manger select processes and select ffisearch.exe and end process.

Then try to delete it
Ok hold on for a few minutes I have PM one of the best to give us a helping hand
While we are waiting lets try this

Download Pocket Killbox from here:

Unzip the files to the folder of your choice.

Double-click on "Killbox.exe" to run it. Now put a tick by "Delete on reboot" In the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. After each one it will ask for confimation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.


When in Safe Mode, open notepad and paste in the following Boldedlines:

del c:\ *.tmp
del %temp%\*.tmp /f
del %windir%\prefetch\*.*
del %windir%\temp\*.* /f
del C:\documents and settings\*\local settings\temp\*.* /f

Save to your desktop as 'clean.bat'.....Before you save,set 'file types' to all types. ( *.*)

DoubleClick on "clean.bat", and say Yes to the prompt.

Re-boot again into safe mode.

Locate this folders and delete it:


Boot back into normal mode,re-scan with HijackThis and post the new log.
See less See more
1 - 9 of 25 Posts
Not open for further replies.