Downloader.Agent or trojan downloaders may be hard to remove because it creates autorun files that will run the malware when a volume is mounted or download a copy o the same trojan from a remote location.
1. Temporarily Disable System Restore (For WinXP only)
- On the Desktop, Right Click on My Computer
- Select the System Restore Tab
- Mark the “Turn Off System Restore” to disable and UnMark to Enable
- Click Apply on the Bottom of the Dialog Box to save the settings.
- A message “This deletes all existing restore points” will appear, click Yes to disable.
- Click OK.
Note: System Restore must be enabled after cleaning process.
2. Reboot computer in SafeMode with Netoworking
- During BootUp (just before Windows Start) process Press F8 continuously until selection appears
- Use Arrow Up+Down to select SafeMode with Networking on the selections menu.
3. Download and scan with Ewido
- Download Ewido Micro Scanner.
- It will download Signature Database before scanning
- When update is completed, disconnect computer from Internet (Turn Off Modem or unplug RJ45 jack)
- Click “Start scan” to begin. It may take time for the process to finished
- When finished scanning, click “Save Report” this will be used later as a reference when modifying registry. Save Ewido report on your Desktop
- Click “Remove Infection” to delete infected files. Do not close the Ewido Micro Scanner yet.
4. Perform Disc Cleanup
- Go to Start > All Programs > Accessories > System Tools > Disc Cleanup
- It will scan for files.
- When prompted for files to delete, check all and click OK. Press Yes for confirmation
5. Delete/Modify any values added to the registry.
- Click Start > Run
- Type regedit on the field
- Click OK.
Navigate to and delete the values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Values: On the right pane, check any values or data that are related to .exe and .dll files detected earlier by the Ewido Scanner. Please use Ewido report as reference.
- Also, delete entries that contains malicious files:
- AVPSrv.exe
- TxoMou.exe
- LotusHlp.exe
- MsIMMs32.exe
- MSPrint32D.exe
- 35691M.exe
- upxdnd.exe
- SvTh.exe
- gjcsczc.exe
- swrcfac.exe
- rarjetl.exe
- sos.exe
- SSLDyn.exe
- ntuser.com
- cmdbcs.dll
- mszxaab32.dll
- FTCCompress.dll
- Exit registry editor when done.
6. End running process
- Press Ctrl+Alt+Del
Note: If Windows Task Manager is disabled please see option below to enable it.
- Go to Process Tab
- End the process of the .exe and .dll files that were detected earlier by Ewido Scanner if present. End also process that contains malicious files stated above
7. Search and delete malicious files:
- Go to Start> Search
- Click All files and folders
- Input the malicious files filename on the “All or part of the filename” field.
- Click Search to begin
- If found, right-click on the file and Delete
- Search and delete malicious files one-by-one
8. Delete hidden and autorun files
- Go to Start > Run > type cmd in the field
- A command prompt will appear
- Type cd\ [Press Enter]
- Type dir/ah [Press Enter] (This will display hidden malicious and autorun files)
- Type edit C:\autorun.inf
- Text editor will appear and reveal the contents of the autorun file. Take note on the .exe that was called to automatically run. Example: open=filename.exe
- Exit Text editor
- Still at the command prompt (C:\>), type “ATTRIB”. It will list files with corresponding attributes. Usually files of Downloader.Agent has an attribute of SHR.
- Type “ATTRIB -S -H -R C:\filename.exe” (Where filename.exe is the file that was called in the autorun.inf file)
- Type “ATTRIB -S -H -R C:\autorun.inf”
- Type “del filename.exe”
- Type “del autorun.inf”
- Type “ATTRIB” again to see if the two files are deleted
- If clean, type “Exit” to close command prompt window
9. Scan again with Ewido
- While Ewido Micro Scanner is still open, clcik “Start a new Scan” to perform another scan and delete any infected files found.
10. Restore Internet Explorer default page
- Go to Start > Run> type gpedit.msc and click OK
- Navigate to User Configuration / Administrative Templates / Windows Component / Internet Explorer
- Click “Disabled changing home page settings” and set to Disabled
- Exit Group Policy Editor
- Open Internet Explorer
- On the Menu, click Tools > Internet Options
- On General tab, set to Use Default or enter URL of your desired website
OPTIONS:
Enable Task Manager
1. Click Start > Run
2. Enter gpedit.msc in the Open box and click OK
3. In the Group Policy settings window:
- Select User Configuration
- Select Administrative Templates
- Select System
- Select Ctrl+Alt+Delete options
- Select Remove Task Manager
- Double-click the “Remove Task Manager” option
- Set to Disabled
4. Exit the Group Policy Editor