Downloader.Agent or Trojan downloader is one complicated infection that is hard to remove. It will create autorun files that will execute specified malware when a volume is mounted. The Trojan is also capable of downloading another threat from a remote location.
1. Temporarily Disable System Restore (For WinXP only)
– On the Desktop, Right Click on My Computer
– Select the System Restore Tab
– Mark the “Turn Off System Restore” to disable
– Click Apply on the Bottom of the Dialog Box to save the settings.
– A message “This deletes all existing restore points” will appear, click Yes to disable.
– Click OK.
Note: System Restore must be enabled after cleaning process.
2. Download and scan with Malwarebytes AntiMalware
– Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop.
– After downloading, double-click on the file to install the application.
– Follow the prompts and install as “default” only
– Before the installation completes, check on the following prompts:
— Update Malwarebytes’ Anti-Malware
— Launch Malwarebytes’ Anti-Malware
– Click “Finish.” Program will run automatically and you will be prompt to update the program before doing a scan. Please update.
– Scan your computer thoroughly.
– When scanning is finished click on the “Show Results”
– Make sure that all detected threats are marked, click on Remove Selected.
– Restart the computer.
3. Perform Disc Cleanup
– Go to Start > All Programs > Accessories > System Tools > Disc Cleanup
– It will scan for files.
– When prompted for files to delete, check all and click OK. Press Yes for confirmation
4. End running process
– Press Ctrl+Alt+Del
Note: If Windows Task Manager is disabled please see option below to enable it.
– Go to Process Tab
– End the process of the .exe and .dll files that were detected earlier by Malwarebytes Antimalware if present. End also process that contains malicious files stated above
5. Search and delete malicious files:
– Go to Start > Search
– Click All files and folders
– Input the malicious files file name on the “All or part of the file name” field.
– Click Search to begin
– If found, right-click on the file and Delete
– Search and delete malicious files one-by-one
6. Delete hidden and autorun files
– Go to Start > Run > type cmd in the field
– A command prompt will appear
– Type cd\ [Press Enter]
– Type dir/ah [Press Enter] (This will display hidden malicious and autorun files)
– Type edit C:\autorun.inf
– Text editor will appear and reveal the contents of the autorun file. Take note on the .exe that was called to automatically run. Example: open=filename.exe
– Exit Text editor
– Still at the command prompt (C:\>), type “ATTRIB”. It will list files with corresponding attributes. Usually files of Downloader.Agent has an attribute of SHR.
– Type “ATTRIB -S -H -R C:\filename.exe” (Where filename.exe is the file that was called in the autorun.inf file)
– Type “ATTRIB -S -H -R C:\autorun.inf”
– Type “del filename.exe”
– Type “del autorun.inf”
– Type “ATTRIB” again to see if the two files are deleted
– If clean, type “Exit” to close command prompt window
7. Restore Internet Explorer default page
– Go to Start > Run> type gpedit.msc and click OK
– Navigate to User Configuration / Administrative Templates / Windows Component / Internet Explorer
– Click “Disabled changing home page settings” and set to Disabled
– Exit Group Policy Editor
– Open Internet Explorer
– On the Menu, click Tools > Internet Options
– On General tab, set to Use Default or enter URL of your desired website
Enable Task Manager
1. Click Start > Run
2. Enter gpedit.msc in the Open box and click OK
3. In the Group Policy settings window:
– Select User Configuration
– Select Administrative Templates
– Select System
– Select Ctrl+Alt+Delete options
– Select Remove Task Manager
– Double-click the “Remove Task Manager” option
– Set to Disabled
4. Exit the Group Policy Editor