Downloader.Agent and other trojan downloaders may be hard to remove because they create autorun files that run the malware when a volume is mounted, or download a copy of the same trojan from a remote location.
1. Temporarily Disable System Restore (For WinXP only)
- On the Desktop, Right Click on My Computer
- Select the System Restore Tab
- Mark the “Turn Off System Restore” to disable and UnMark to Enable
- Click Apply on the Bottom of the Dialog Box to save the settings.
- A message “This deletes all existing restore points” will appear, click Yes to disable.
- Click OK.
Note: System Restore must be enabled after cleaning process.
2. Reboot computer in SafeMode with Networking
- During the boot-up process (just before Windows starts), press F8 repeatedly until the selection menu appears
- Use Arrow Up+Down to select SafeMode with Networking on the selections menu.
3. Download and scan with Ewido
- Download Ewido Micro Scanner.
- It will download Signature Database before scanning
- When update is completed, disconnect computer from Internet (Turn Off Modem or unplug RJ45 jack)
- Click “Start scan” to begin. It may take time for the process to finish
- When finished scanning, click “Save Report” this will be used later as a reference when modifying registry. Save Ewido report on your Desktop
- Click “Remove Infection” to delete infected files. Do not close the Ewido Micro Scanner yet.
4. Perform Disk Cleanup
- Go to Start > All Programs > Accessories > System Tools > Disk Cleanup
- It will scan for files.
- When prompted for files to delete, check all and click OK. Press Yes for confirmation
5. Delete/Modify any values added to the registry.
- Click Start > Run
- Type regedit on the field
- Click OK.
Navigate to and delete the values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Values: On the right pane, check any values or data that are related to .exe and .dll files detected earlier by the Ewido Scanner. Please use Ewido report as reference.
- Also, delete entries that contain malicious files:
- Exit registry editor when done.
6. End running process
- Press Ctrl+Alt+Del
Note: If Windows Task Manager is disabled please see option below to enable it.
- Go to Process Tab
- End the processes of the .exe and .dll files that were detected earlier by Ewido Scanner, if present. Also end any process that contains the malicious files stated above
7. Search and delete malicious files:
- Go to Start> Search
- Click All files and folders
- Input the malicious files filename on the “All or part of the filename” field.
- Click Search to begin
- If found, right-click on the file and Delete
- Search and delete malicious files one-by-one
8. Delete hidden and autorun files
- Go to Start > Run > type cmd in the field
- A command prompt will appear
- Type cd\ [Press Enter]
- Type dir/ah [Press Enter] (This will display hidden malicious and autorun files)
- Type edit C:\autorun.inf
- Text editor will appear and reveal the contents of the autorun file. Take note on the .exe that was called to automatically run. Example: open=filename.exe
- Exit Text editor
- Still at the command prompt (C:\>), type “ATTRIB”. It will list files with their corresponding attributes. Files belonging to Downloader.Agent usually have the attributes SHR.
- Type “ATTRIB -S -H -R C:\filename.exe” (Where filename.exe is the file that was called in the autorun.inf file)
- Type “ATTRIB -S -H -R C:\autorun.inf”
- Type “del filename.exe”
- Type “del autorun.inf”
- Type “ATTRIB” again to see if the two files are deleted
- If clean, type “Exit” to close command prompt window
9. Scan again with Ewido
- While Ewido Micro Scanner is still open, click “Start a new Scan” to perform another scan and delete any infected files found.
10. Restore Internet Explorer default page
- Go to Start > Run> type gpedit.msc and click OK
- Navigate to User Configuration / Administrative Templates / Windows Components / Internet Explorer
- Click “Disable changing home page settings” and set to Disabled
- Exit Group Policy Editor
- Open Internet Explorer
- On the Menu, click Tools > Internet Options
- On General tab, set to Use Default or enter URL of your desired website
OPTIONS:
Enable Task Manager
1. Click Start > Run
2. Enter gpedit.msc in the Open box and click OK
3. In the Group Policy settings window:
- Select User Configuration
- Select Administrative Templates
- Select System
- Select Ctrl+Alt+Delete options
- Select Remove Task Manager
- Double-click the “Remove Task Manager” option
- Set to Disabled
4. Exit the Group Policy Editor
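Steps 5 and 8 both come down to matching file names: the program an autorun.inf launches, and the Run-key values that reference it. The Python sketch below is an added example, not part of the original guide; it parses autorun.inf text for launch targets and checks Run values against them. The function names and the sample data are constructed for illustration.

```python
import ntpath
import re

LAUNCH_KEY = re.compile(r"(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
TOKEN = re.compile(r'"([^"]+)"|([^\s,]+)')  # a quoted path, or a bare word
EXEC_EXT = {".exe", ".dll", ".pif", ".com", ".scr", ".bat", ".cmd", ".vbs"}

def referenced_files(command):
    """Executable-looking file names in a command line, as lower-case base names."""
    names = []
    for quoted, bare in TOKEN.findall(command):
        base = ntpath.basename((quoted or bare).replace("/", "\\")).lower()
        if ntpath.splitext(base)[1] in EXEC_EXT and base not in names:
            names.append(base)
    return names

def autorun_targets(text):
    """Files launched by the [autorun] section of an autorun.inf."""
    targets, in_section = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        key, sep, value = line.partition("=")
        # Comments, padding lines and non-launch keys (icon=, label=) fall through
        if in_section and sep and LAUNCH_KEY.match(key.strip()):
            targets += [n for n in referenced_files(value) if n not in targets]
    return targets

def suspicious_run_values(run_values, suspect_names):
    """Names of Run-key values whose command references a suspect file."""
    suspects = {n.lower() for n in suspect_names}
    return [name for name, cmd in run_values.items()
            if suspects.intersection(referenced_files(cmd))]

# Constructed sample data, not taken from a real infection
SAMPLE_INF = """; junk padding
[AutoRun]
open=filename.exe
shell\\open\\Command="RECYCLER\\INFO.exe" -s
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
SAMPLE_RUN = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "updater": r'"C:\WINDOWS\system32\filename.exe" /background',
}

if __name__ == "__main__":
    found = autorun_targets(SAMPLE_INF)
    print(found, suspicious_run_values(SAMPLE_RUN, found))
```

File names from the scanner report can be passed as `suspect_names` alongside the autorun.inf targets; matching is by base name only, so a hit is a pointer for manual review rather than proof.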
10 Responses for "How to Remove Downloader.Agent and Autorun.inf"
How do I get rid of JS/Downloader.Agent? Is there an easy way to get rid of it? I am using free editions of Adaware, AVG, and Spybot search and destroy. Is there a product that will scan and get rid of this pesky item?
I could not see the “system restore tab” on “my computer” when I right clicked the mouse. pls help me..
pls help me remove the blinking SAY NO TO DRUGS to my desktop..plssss
how do i run all these steps on a pc which is not connected with internet? it’s a stand alone.
and yes
I also could not see the “system restore tab” on “my computer” when I right clicked the mouse. pls help me..
I made a DOS Script to automatically remove the C:\autorun.inf and C:\MSKS.PIF hope this will help to those who are still infected with this kind of virus… Say thanks if it helps
@echo off
*/
/* Remove AUTORUN.INF AnD MSKS>PIF into the computer */
/* Code Created by Mark email me at: Acidleakz@inbox.com */
/* Save as your filename.bat then execute it */
attrib C:\MSKS.PIF -r -h -s | ren C:\MSKS.PIF Secured01 | mkdir C:\MSKS.PIF | attrib C:\autorun.inf -r -h -s | ren C:\autorun.inf Secured02 | mkdir C:\AUTORUN.INF
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveAutoRun /t REG_DWORD /d FF /f
if exist C:\Secured01 echo y | del C:\C:\Secured01
if exist C:\Secured02 echo y | del C:\C:\Secured01
/* The computer will be restarted for 30 secs. */
if exist C:\MSKS.PIF start C:\windows\system32\shutdown.exe -r -t 30
/* Hope this will work
exit
Edited because the code is a miss … Here's the new code!
@echo off
rem Remove AUTORUN.INF and MSKS.PIF from the computer
rem Code created by Mark, email me at: Acidleakz@inbox.com
rem Save as your filename.bat then execute it
rem Clear the attributes, rename each file, then create a folder with the
rem same name so the file cannot be recreated under that name
attrib -r -h -s C:\MSKS.PIF
ren C:\MSKS.PIF Secured01
mkdir C:\MSKS.PIF
attrib -r -h -s C:\autorun.inf
ren C:\autorun.inf Secured02
mkdir C:\AUTORUN.INF
rem NoDriveAutoRun is a bitmask of drive letters; 0xFF covers A: through H:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveAutoRun /t REG_DWORD /d 0xFF /f
if exist C:\Secured01 del /f /q C:\Secured01
if exist C:\Secured02 del /f /q C:\Secured02
rem The computer will be restarted in 30 seconds.
if exist C:\MSKS.PIF start C:\windows\system32\shutdown.exe -r -t 30
rem Hope this will work
rem Edited by Mark
exit
Go to Control Panel, Windows Firewall, in the Exceptions tab, uncheck File and Print Sharing, then press the OK button. Now the trojan virus should stop appearing.
But it means that your computer system is lacking updates and patches. Update your system using Windows Update and install all needed applications from Microsoft. When your system is updated, try to check File and Print Sharing again and the trojan virus should not be able to enter your computer.
ok so I went looking for Ewido but it looks like it isn't available anymore! Is there anything else I can use instead??? Please Help! Thanks!
I encountered the autorun.inf virus recently on all three of my flash drives and it was a bugger to remove. I spent (literally) hours on Command Prompt trying to get rid of the ASHR on it. So I finally typed “edit e:\autorun.inf”. I found that there was something called “RECYCLER\INFO.exe” that was re-SHR-ing autorun.inf every time that I un-SHR’d it. So, I began work on un-SHR-ing RECYCLER\INFO.exe. I would un-SHR it, but when I typed “del e:\recycler\info.exe” it would tell me the file was not found. I was pretty PO’d at this point, so I quit. Then today I had an idea. My mother is a teacher and the school district buys Macintosh computers. Macintosh computers (however lousy they may be) do not have the ‘SH’ possibility; so, I plugged in my flash drives and the autorun.inf and RECYCLER files popped right up. I deleted autorun.inf with ease, but it wouldn’t let me delete RECYCLER. I deleted its contents. I then plugged my flash drives back in the PC. IT WAS BACK!! So, I moved back to the Mac and deleted autorun.inf and RECYCLER’s contents again, but this time I made a file named “autorun.inf” and files inside RECYCLER named “desktop.ini” and “info.exe”. I plugged my flash drives into the PC, the virus was gone because there were files by their name already, so they could not remake themselves by their appointed name. My problem was solved.
So here are the steps:
1 Plug your infected flashdrive into a Macintosh
2 delete autorun.inf and the files in RECYCLER or whatever your re-shr-er file is
3 make files with the deleted files’ names in the same spots the original files were located (i.e. if the original virus path was e:\RECYCLER\ you would put the file with the virus’ name in RECYCLER in drive e)
4 your problem is solved!
I used the DOS command to remove autorun.inf but it doesn't work, and says file “cud not find aoutorun.inf”
Now what to do?
Any Response?