Trojan Horse.. How do I get rid of it?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jacqui, Jan 4, 2005.

  1. jacqui

    jacqui Private E-2

    I use AVG and it says I have a virus called
    Trojan horse Downloader.Small.16.X found in file C:\WINDOWS\SYSTEM32\4f01l.dll
    this message keeps popping up but AVG won't delete it.
    I've used spybot search and destroy but that doesn't work either.
    Also, I downloaded HijackThis but I'm unsure of how to use it. Is there someone I can send the log to that can tell me what needs to be fixed?
    hope you can help
    :) jacqui
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Jacqui,

    Generally, where there is one piece of Malware, more may be found. So, it is a good idea to start with the Cleanup Tutorial HERE:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been pretty busy with work lately, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
  3. jacqui

    jacqui Private E-2

    Hey PhilliePhan
    Thanx for the reply. I read through the tutorial and tried to do everything I could. The ones I did try like spybot and ad-aware didn't fix anything. I ran HijackThis and have attached my log.
    I'd be really grateful if someone could take a look at it for me and let me know what I need to do to get rid of this virus.
    Thanx
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi Jacqui,

    I'm surprised the tools didn't catch some of this!

    You might consider dumping the two popup stoppers you have and just use the Google Toolbar – It has a great popup blocker.

    I suggest staying away from WildTangent!

    Flash Extender --> Is this something you want and need? If so, leave it alone below.


    FIRST:
    Please run the following tool: Adware T.V. Media Removal Tool 1.1

    NOW:
    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Bcpc
    Flash Extender
    Fen


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it if possible:

    bcpc.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll

    O2 - BHO: (no name) - {7371F073-AC0F-4b80-BB2F-96A488CEFB32} - (no file)

    O2 - BHO: No description - {88CC91DE-5930-45AD-9E04-6B1233609FEA} - C:\WINDOWS\system32\cmzBE0.dll

    O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll ---> I don’t know what this “Flash Extender” is. If you don’t either, then remove it!

    O2 - BHO: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll

    O4 - HKLM\..\Run: [KAZAAkCuF] 9

    O4 - HKLM\..\Run: [PAV.EXE] 23

    O4 - HKLM\..\Run: [Zonavirus] 0

    O4 - HKLM\..\Run: [WinServices] C:\WINDOWS\System32\WinServices.exe

    O4 - HKLM\..\Run: [EOKUC] C:\WINDOWS\EOKUC.exe

    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

    O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe

    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bcre.exe"

    O4 - HKLM\..\Run: [BCPC] "C:\Program Files\Bcpc\bcpc.exe"

    O4 - HKLM\..\Run: [FeCPY] "C:\Program Files\Common Files\Java\fecpy.exe"

    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/hpdesktop/blasterball2Remix/install.cab


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Common Files\Java\bcre.exe
    C:\WINDOWS\system32\cmzBE0.dll
    C:\WINDOWS\EOKUC.exe
    C:\Program Files\webHancer ---> The Folder
    C:\Program Files\TV Media ---> The Folder
    C:\Program Files\Common Files\Java\fecpy.exe
    C:\Program Files\Bcpc ---> The Folder
    C:\WINDOWS\ARUpdate.exe
    C:\WINDOWS\AdRoar.dll
    c:\Program Files\Fen ---> The Folder - If you don’t need “Flash Extender”

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
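
An added example, not part of PhilliePhan's post and not HijackThis's own code: one way to check the follow-up log requested above against the entries that were marked for fixing, so that anything which survived the cleanup or came back after the reboot stands out. The follow-up log text is constructed, and `entry_key` and `still_present` are hypothetical helper names.

```python
import re

ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\]")

def entry_key(line):
    """Return a stable (section, identity) key for one HijackThis line, or None."""
    line = line.split(" --->")[0].strip()    # drop a helper's inline annotation
    m = ENTRY.match(line)
    if not m:
        return None                          # header, process list, blank line
    section, body = m["section"], m["body"]
    clsid = CLSID.search(body)
    run = RUN.match(body)
    if clsid:                                # R3, O2, O16: identify by CLSID
        ident = clsid.group(0)
    elif run:                                # O4: hive, key and value name
        ident = "{}\\{}:{}".format(run["hive"], run["key"], run["name"])
    else:                                    # R0/R1: full text, so a changed value differs
        ident = body
    return section, ident.lower()

def still_present(flagged, followup_log):
    """Flagged lines whose key also appears in the follow-up log text."""
    seen = {entry_key(l) for l in followup_log.splitlines()} - {None}
    return [l for l in flagged if entry_key(l) in seen]

# Entries copied from the post above (the annotation on the first is shortened).
FLAGGED = [
    r"O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll ---> remove if unknown",
    r"O2 - BHO: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll",
    r'O4 - HKLM\..\Run: [BCPC] "C:\Program Files\Bcpc\bcpc.exe"',
    r"O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe",
]
# Constructed follow-up log: two flagged entries are still there, and the
# HKLM copy of "TV Media" must not be mistaken for the flagged HKCU one.
FOLLOWUP = "\n".join([
    "Logfile of HijackThis v1.99",
    r"C:\WINDOWS\System32\svchost.exe",
    r"O2 - BHO: Flash Extender - {95795b67-bbab-47d0-8a9f-069e8242c0e5} - c:\Program Files\Fen\fen.dll",
    r'O4 - HKLM\..\Run: [BCPC] "C:\Program Files\Bcpc\bcpc.exe"',
    r"O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe",
])

if __name__ == "__main__":
    for line in still_present(FLAGGED, FOLLOWUP):
        print("still present:", line)
```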
     
