Downloader.Almanahe

This page contains detailed analysis on Downloader.Almanahe. To get rid of this Trojan, please use the removal guide below.

Downloader.Almanahe is a computer Trojan that has a sole purpose of downloading other threat that belongs to W32.Almanahe group. After it successfully download the most recent version of the Trojan, it will initiate its own removal and delete itself from the affected computer. This Trojan possesses a rootkit technology that able to conceal itself from antivirus and other security software.

Alias: Trojan-Downloader.Small!sd5, Trojan-Downloader.Win32.Small.gkm, W32/Almanahe, TROJ_SMALL.DXW, W32/Almanahe!dldr

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
When executed, Downloader.Almanahe will drop its rootkit component on the following location:
%%SYSTEM FOLDER%%\drivers\uuid.sys

With rootkit running on the compromised computer, even antivirus program will hardly identify the presence of the Trojan. Rootkits can conceal the Trojan by injecting its code to legitimate Windows processes it may found running on the system.

Next, it loads the component by adding an entry on Windows registry. This step allows the Trojan to run automatically on Windows start-up. It also sets the default browser that user may initiate when browsing the Internet. Again, it accomplishes this task through registry modifications.

The malware then injects malicious code on Internet Explorer so that it can process other payload of this Trojan and one of which is to download additional threats from a remote server.

Lastly, Downloader.Almanahe will connect to a remote computer to download another variant. Once it confirms that the download is successful, it will now execute a dropped batch file in order to delete itself from the system.

Distribution
Downloader.Almanahe may get inside the computer when users unintentionally visited malicious web sites through a series of browser redirect or spam method commonly accomplished by spam email messages. The Trojan can easily evade virus scanners because of its sophisticated rootkit technology.

How to Remove Downloader.Almanahe

1. Temporarily Disable System Restore (Windows Me/XP).
2. To be able to identify even the most recent variant of Downloader.Almanahe, open your antivirus application and update the virus definition file.

3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display Windows Advanced Boot Options menu. Please select Safe Mode with Networking.
- The system will now boot Windows and loads only necessary drivers and files.

4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If unable to delete, better place them in quarantine. Once the scan is complete, please proceed with the next step.

Scan with McAfee Stinger:

Stinger is a portable security tool that can detect and remove particular viruses. It utilizes a highly developed scan engine technology that includes process scanning and scan function optimization.

5. Go to McAfee Labs Stinger web page and download the tool. Save it to your desktop.
6. Once the download completes, double click on the file to run the program.
7. The Stinger main program will open.
8. Default directory to scan is the system drive (C:\). You may add additional drives to scan by clicking on Add button.
9. Click on Scan Now button to begin scanning assigned drives.
10. Stinger will now scan and repair/delete all infected files.
11. When done, you may now close McAfee Stinger and restart Windows in normal mode.

Alternative Removal Method for Downloader.Almanahe

Option 1 : Use Windows System Restore to return Windows to previous state

If Downloader.Almanahe enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a saved restore point before Downloader.Almanahe infiltrates the PC, we highly encourage you to execute this procedure if none of the above works. You may proceed with Windows System Restore, click here to see the full procedure.

Option 2 : Downloader.Almanahe manual uninstall guide

IMPORTANT! Manual removal of Downloader.Almanahe requires technical skills. Deleting system files and registry entries by mistake may result to total disability of Windows system. We advise you to perform a backup of registry before proceeding with this guide.

1. Kill any running process that belongs to Downloader.Almanahe.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for Downloader.Almanahe files (refer to Technical Reference) and click End Process.

End Task

2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete registry entries as mentioned in Technical Reference section below.
- Close registry editor. Changes made will be save automatically.

Run Regedit

3. Scan the computer with antivirus program.
- Connect to Internet and open your antivirus software. Please update to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before Windows logo begins to load press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.

4. Delete all files dropped by Downloader.Almanahe.
- While still in Safe Mode, search and delete malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.

Technical Reference

Associated Files and Folders: