How to Remove Downloader.Agent and Autorun.inf

Downloader.Agent or Trojan downloader is one complicated infection that is hard to remove. It will create autorun files that will execute specified malware when a volume is mounted. The Trojan is also capable of downloading another threat from a remote location.

1. Temporarily Disable System Restore (For WinXP only)
– On the Desktop, Right Click on My Computer
– Select the System Restore Tab
– Mark the “Turn Off System Restore” to disable
– Click Apply on the Bottom of the Dialog Box to save the settings.
– A message “This deletes all existing restore points” will appear, click Yes to disable.
– Click OK.
Note: System Restore must be enabled after cleaning process.

2. Download and scan with Malwarebytes AntiMalware
– Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop.
– After downloading, double-click on the file to install the application.
– Follow the prompts and install as “default” only
– Before the installation completes, check on the following prompts:
— Update Malwarebytes’ Anti-Malware
— Launch Malwarebytes’ Anti-Malware
– Click “Finish.” Program will run automatically and you will be prompt to update the program before doing a scan. Please update.
– Scan your computer thoroughly.
– When scanning is finished click on the “Show Results”
– Make sure that all detected threats are marked, click on Remove Selected.
– Restart the computer.
3. Perform Disc Cleanup
– Go to Start > All Programs > Accessories > System Tools > Disc Cleanup
– It will scan for files.
– When prompted for files to delete, check all and click OK. Press Yes for confirmation

4. End running process
– Press Ctrl+Alt+Del
Note: If Windows Task Manager is disabled please see option below to enable it.
– Go to Process Tab
– End the process of the .exe and .dll files that were detected earlier by Malwarebytes Antimalware if present. End also process that contains malicious files stated above

5. Search and delete malicious files:
– Go to Start > Search
– Click All files and folders
– Input the malicious files file name on the “All or part of the file name” field.
– Click Search to begin
– If found, right-click on the file and Delete
– Search and delete malicious files one-by-one

6. Delete hidden and autorun files
– Go to Start > Run > type cmd in the field
– A command prompt will appear
– Type cd\ [Press Enter]
– Type dir/ah [Press Enter] (This will display hidden malicious and autorun files)
– Type edit C:\autorun.inf
– Text editor will appear and reveal the contents of the autorun file. Take note on the .exe that was called to automatically run. Example: open=filename.exe
– Exit Text editor
– Still at the command prompt (C:\>), type “ATTRIB”. It will list files with corresponding attributes. Usually files of Downloader.Agent has an attribute of SHR.
– Type “ATTRIB -S -H -R C:\filename.exe” (Where filename.exe is the file that was called in the autorun.inf file)
– Type “ATTRIB -S -H -R C:\autorun.inf”
– Type “del filename.exe”
– Type “del autorun.inf”
– Type “ATTRIB” again to see if the two files are deleted
– If clean, type “Exit” to close command prompt window

7. Restore Internet Explorer default page
– Go to Start > Run> type gpedit.msc and click OK
– Navigate to User Configuration / Administrative Templates / Windows Component / Internet Explorer
– Click “Disabled changing home page settings” and set to Disabled
– Exit Group Policy Editor
– Open Internet Explorer
– On the Menu, click Tools > Internet Options
– On General tab, set to Use Default or enter URL of your desired website

OPTIONS:

Enable Task Manager
1. Click Start > Run
2. Enter gpedit.msc in the Open box and click OK
3. In the Group Policy settings window:
– Select User Configuration
– Select Administrative Templates
– Select System
– Select Ctrl+Alt+Delete options
– Select Remove Task Manager
– Double-click the “Remove Task Manager” option
– Set to Disabled

4. Exit the Group Policy Editor

11 Comments

  1. Boyce

    How do I get rid of JS/Downloader.Agent? Is there a easy way to get rid of it? I am using free editions of Adaware, AVG, and Spybot search and destroy. Is there a product that will scan and get rid of this pesky item?

  2. Ramon Carlo

    I could not see the “system restore tab” on “my computer’ when i right cliked the mouse. pls help me..

  3. Charlie

    pls help me remove the blinking SAY NO TO DRUGS to my desktop..plssss

  4. amit shah

    how do i run all these steps on a pc which is not connected with internet? it’s a stand alone.

    and yes
    I also could not see the “system restore tab” on “my computer’ when i right cliked the mouse. pls help me..

  5. Good news guys !

    Edited because the code is a miss … Heres the new code !

    @echo off
    /* Remove AUTORUN.INF AnD MSKS.PIF into the computer */
    /* Code Created by Mark email me at: [email protected] */
    /* Save as your filename.bat then execute it */
    attrib C:\MSKS.PIF -r -h -s | ren C:\MSKS.PIF Secured01 | mkdir C:\MSKS.PIF | attrib C:\autorun.inf -r -h -s | ren C:\autorun.inf Secured02 | mkdir C:\AUTORUN.INF
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveAutoRun /t REG_DWORD /d FF /f
    if exist C:\Secured01 echo y | del C:\Secured01
    if exist C:\Secured02 echo y | del C:\Secured01
    /* The computer will be restarted for 30 secs. */
    if exist C:\MSKS.PIF start C:\windows\system32\shutdown.exe -r -t 30
    /* Hope this will work :-) */
    /* Edited by Mark */
    exit

  6. raxadudle

    go to control panel, windows firewall, in the exceptions tab, uncheck the file and print sharing then press ok button. now, the trojan virus should stops on appearing.

    but it means that your computer system is lack of updates and patches. update your system using windows update and install all needed applications from microsoft. when your system is already updated try to check the file and print sharing again and the trojan virus should not able to enter to your computer.

  7. Berto

    ok so i went looking for Ewido but it looks like it isnt available anymore! Is there anything else i can use instead??? Please Help! Thanks!

  8. Sinjid Fragmenteau

    I encountered the autorun.inf virus recently on all three of my flash drives and it was hard to remove. I spent (literally) hours on Command Prompt trying to get rid of the ASHR on it. So I finally typed “edit e:\autorun.inf”. I found that there was something called “RECYCLER\INFO.exe” that was re-SHR-ing autorun.inf every time that I un-SHR’d it. So, I began work on un-SHR-ing RECYCLER\INFO.exe. I would un-SHR it, but when I typed “del e:\recycler\info.exe” it would tell me the file was not found. I was pretty PO’d at this point, so I quit. Then today I had an idea. My mother is a teacher and the school district buys Macintosh computers. Macintosh computers (however lousy they may be) do not have the ‘SH’ possibility; so, I plugged in my flash drives and the autorun.inf and RECYCLER files popped right up. I deleted autorun.inf with ease, but it wouldn’t let me delete RECYCLER. I deleted its contents. I then plugged my flash drives pack in the PC. IT WAS BACK!! So, I moved back to te mac and deleted autorun.inf and RECYCLER’s contents again, but this time I made a file named “autorun.inf” and files inside RECYCLER named “desktop.ini” and “info.exe”. I plugged my flash drives into the PC, the virus was gone because there were files by their name already, so they could not remake themselves by their appointed name. My problem was solved.

    So here are the steps:
    1 Plug your infected flashdrive into a Macintosh
    2 delete autorun.inf and the files in RECYCLER or whatever your re-shr-er file is
    3 make files with the deleted files’ names in the same spots the original files were located (i.e. if the original virus path was e:\RECYCLER\ you would put the file with the virus’ name in RECYCLER in drive e)
    4 your problem is solved!

  9. Sharad

    i used the dos command to remove autorun.inf bt doesnt workd,n says file “cud not find aoutorun.inf”
    now what 2 do?

  10. fontaine

    Just FYI, Spybot Search & Destroy put about a thousand adult and adspam sites in my hosts file! I had no idea this was happening. I have trusted SS&D for years! I still can’t believe this, but it said right there in my hosts file “inserted by Spybot Search & Destroy” so unless it was a troll that program stuck all those sites in my hosts file and totally screwed it up. Has that happened to anyone else? OT I know but someone mentioned SS&D…

  11. joao

    este filha da puta de programa assacinou meu computador !
    e o pior que entram sem pedir permissao depois agente nao consegue tirar !
    tire fora pelo amor de deus ?

Leave a Comment

Your email address will not be published. Required fields are marked *

Please support this website. Kindly hit LIKE button below and continue browsing the site.