TrojanDownloader.xs (trojan-downloader.xs)
This page describes TrojanDownloader.xs and explains how to remove it. You can delete this Trojan from an infected computer by following the steps below.
TrojanDownloader.xs, also known as Trojan-Downloader.xs, is a threat name displayed in security warning pop-up messages generated by rogue antivirus software. The rogue program is installed on the computer without the user’s consent via Trojan Zlob and misleading security websites. The malware that brings TrojanDownloader.xs onto the computer exploits software and system vulnerabilities to get in.
Once loaded, the Trojan modifies the Windows registry so that it runs automatically when the system starts. A real TrojanDownloader.xs, however, is one member of a family of Trojans. Variants differ slightly, but the purpose of all of them is to drop other threats on the infected computer.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
When TrojanDownloader.xs is executed, it attempts to download more harmful content from the Internet. To accomplish this, it first reduces protection on the infected PC, so anti-virus and firewall software may fail to run. It then connects to a remote server and downloads further threats that may perform the following tasks:
- Display commercial advertisements.
- Connect to a remote server to download more files.
- Conceal the Trojan and keep it hidden in the background.
- Block Internet access to security web sites.
- Download and install fake software.
- Configure the infected computer to launch malware during start-up.
Distribution
Our findings indicate that TrojanDownloader.xs uses the Internet to spread copies of itself to a wide number of targets. The Trojan usually has malicious URLs embedded in its code, in a range of ways. In some instances, TrojanDownloader.xs is dropped by related threats that use a different technique to reach the victim.
How to Remove TrojanDownloader.xs (trojan-downloader.xs)
FIRST AID TO STOP TrojanDownloader.xs:
If a virus has infected the system, the registry and legitimate Windows files are also compromised. System Restore can reinstate clean system files by restoring the configuration to an earlier date. If a restore point was created before the infection with TrojanDownloader.xs, restore Windows to that previous configuration.
REMOVAL TOOL for TrojanDownloader.xs:
1. Click here to download removal tool. Save it on your Desktop.
2. After downloading, double-click on the file to install the application.
3. Follow the prompts and install with the “default” settings only.
4. If it prompts to update the database after installation, please proceed.
5. Click “Finish.” The program will run automatically and you will be prompted to update it before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click “Show Results”.
8. Make sure that all detected threats are marked, then click Remove Selected.
9. Restart Windows.
Note: TrojanDownloader.xs may prevent mbam-setup.exe from downloading and running. You can download the program on a different computer and rename it before running it on the infected system.
MANUAL REMOVAL OF TrojanDownloader.xs:
1. Update installed anti-virus application to have the latest definition file.
2. Reboot Windows in Safe Mode
- After turning on the power, press F8 on the keyboard.
- Select Safe Mode from the menu.
3. Thoroughly scan the system and clean/delete all infected file(s).
4. Exit registry editor and restart Windows.
ADDITIONAL TOOLS AND PROGRAMS:
Scan with Norton Power Eraser: a free removal tool from Norton Antivirus, developed to remove viruses and unfamiliar threats without using traditional AV signatures. Download the tool from this location and start scanning the computer for viruses.
precisesecurity
Oct 06, 2007 @ 09:44:32
1. Please use SmitfraudFix to remove this threat.
leonard58
Mar 10, 2008 @ 02:48:23
Thanks, SmitFraudFix works well with my Dell Inspiron, which got infected with trojandownloader.xs. Good job!
Paul
Mar 10, 2008 @ 22:26:14
Thanks! Worked great for removing Trojan. This is a life saver!
Jacob
Mar 22, 2008 @ 05:37:26
SmitFraudFix, What If You Don’t Want To Do The “disk cleanup”?
Because I read through the instructions.
Another question, how do you go back to normal mode afterwards.
precisesecurity
Mar 24, 2008 @ 13:13:42
Jacob, you may not perform Disk Cleanup if you want but there may be some remnants of the malware that are inside your machine particularly in temp folders.
Booting normally is just the usual booting you do when opening your computer. No more keys to press.
Tina
Mar 24, 2008 @ 19:10:36
It doesn’t show it on my desktop after I go into safe mode…what do I do then? I have tried everything! Please help, before another laptop flies out the window…I’m very frustrated!
Anita
Mar 26, 2008 @ 22:35:35
Hi, I’ve got the same problem and nothing I’ve downloaded or purchased so far has managed to remove it. Does SmitfraudFix work for Vista?
Riya
Mar 27, 2008 @ 17:28:20
It shows on my desktop, I tried to change my desktop setting many times but was not successful. Also ran antivirus so many times, what should I do then? I have tried everything! Please help, I’m very frustrated!
James
Mar 27, 2008 @ 19:55:19
I have done the Smitfraudfix and the screen has gone back to normal, however after doing all my scans, AVG 8 Spybot Adaware, I still get the yellow triangle saying I have been infected with spyware and click here to remove the problem. I still also get the security warning window pop up stating that I have to download PC cleaner to remove the problem. I don’t know what else to do. Any help would be great.
Rishi
Mar 29, 2008 @ 16:02:10
I’ve got the exact same problem as James I think, the little yellow triangle exclamation mark pops up saying warning, I get abebot pop ups and fake security system protection control panel popping up as well as a fake system integrity scan wizard. I’ve used a whole range of different stuff, but nothing works. any help on the matter would be grateful.
olivier
Mar 30, 2008 @ 09:23:32
I got just the same problem, tried everything, removing registry values, scanned with Spywaredoctor, Spybot, AVG, Norton. I have it all, none works. Even that smitfraudfix doesn’t work. It just keeps on coming back, it’s just frustrating.
Frank
Mar 30, 2008 @ 13:46:30
Yesterday, 03-29-08, I was hit with several viruses at once. Took me all day, but got them fixed. What happened was:
- “Task manager” was disabled with a message saying “Task Manager disabled by Administrator”.
- Desktop hijacked with a message across it saying the PC is infected, with a pop-up requiring a click to a link bringing you to a web page selling garbage spyware, to get rid of the error message.
- Another pop-up calling itself a “Scan Wizard” comes up every 15 minutes or so.
- A yellow warning triangle on the “task bar” also saying the PC is infected.
What I first did was:
- While I got Norton, I installed PC-Tool antivirus, and it identified and fixed over 600 infections. The above problems remained though.
- Went on the net to look for fixes, but also check to see if I can do a fix without major hassles.
What I finally did was:
- Identified the location in the registry which blocked the “Task Manager”, deleted the entry. Task Manager came back up. I need the “task manager” to do further diagnoses.
- As to the hijacked “desktop”, turns out the virus replaced my wallpaper with its own HTML file. I went to “Control Panel”=>“Display”=>Desktop, then “browse”, and restored the original wallpaper. When I browsed the wallpaper files, I found and deleted the HTML file called “def” (containing the links), so it won’t come back up. So far, it has not reinstalled itself. I realize whatever is activating “def” might be laying around somewhere, unless deleted by PC-tools.
- For the “Scan Wizard”, I found it’s activated by a “process” in the user “startup”, with the executable sitting in Programs=>Windows=>system32 area. What I did was
– I identified the process via the Task Manager, and the process consists of a “name” generated with random letters and numbers, something like “kkuyzptx”. To see what would happen, I ended the process, and the “scan wizard” went away.
– To see where this process came in from, and prevent it reloading (I have XP), I use the “Startup Control Panel” available as freeware at “www.mlin.net”. I found two startup processes with names that are randomly generated, one the same as what I saw in the Task Manager, and deleted both. Using this freeware, I didn’t have to locate and edit the registries.
– These processes point to two “executables” sitting in “system32” which I already identified. I did so by going into the “system32” directory, sorting the list in “date modified” order, and found the two offending files dated 03-28-08, 8:330PM and 11:30PM, which is when the problem started. As I couldn’t delete these files immediately, I was able to “rename” the files to zzspyware001 and zzspyware002, so the processes can’t locate it. So far so good. I will use some freeware to delete the stubborn files.
– After I did these steps, the “yellow triangle” came up once, went away, and never came back up again. The hijacked desktop is back to normal, and the “scan wizard” is gone.
The cause of the problem was I let my Norton subscription lapse for quite a while. I understand Norton can prevent the infections, but can’t cure it once the PC is infected. It’s since been updated.
I spent a whole day on it yesterday, and hope this post may help others.
Gerard
Mar 31, 2008 @ 05:32:46
This is for the scan wizard problem. I got the “Startup Control Panel” like you said, but I don’t know what to do from there. Is there any other way to distinguish the difference between the processes? And I also keep getting a warning against Abebot. And I’m not sure what this is, but around the same time this all started happening, whenever I open a new tab after searching something in Yahoo, I get redirected to another page. If I close the tab and open the same link again, it goes where it’s supposed to. Should I be worried about this. Please help. I can’t screw up another computer!
olivier
Mar 31, 2008 @ 08:57:19
That abebot.trojan.downloader and that exe file are all the same stuff, they come on your screen in a particular order. So I don’t think you can delete one of the problems to fix it. I think you need to delete them all to fix. But first try MalwareBytes. It found some Trojans with fake messages which 7 other programs didn’t find so try to use that. I will try to solve the problem with your steps Frank, I’ll let you know if something happens.
olivier
Mar 31, 2008 @ 08:57:41
I mean crack.
olivier
Mar 31, 2008 @ 09:23:15
I identified the process: cfshmvmp
But that control panel doesn’t work, I have Windows Vista. I went to the registry and found 3 cfshmvmp.exe keys, deleted them all and the links they refer to. I will see if it works.
olivier
Mar 31, 2008 @ 10:41:03
Thanks for your help, you killed it!
Frank
Mar 31, 2008 @ 17:02:29
A few more thoughts on comments above.
- For Gerard, who does not know what to look for in the “startup control panel”, another way to identify the errant process is via “msConfig.exe”, which can be activated by way of “Run” on the start menu. In “msconfig” click the tab that says “startup”, go down the list, look for a suspicious “process”, identified by a name that looks like a jumble of letters.
- Two ways to knock this out. One is editing the appropriate registry entries. The other is through the “startup control panel” I mentioned above. It has several tabs, depending on how the startup took place. I recall it was in the HKCU tab, though you might want to check the others. When you see the process, select, right click, and select “delete”.
- Just to make sure I identified the correct process, I first went into the “Task Manager” to “end the process” just to make sure that it was identified correctly.
- As to Vista, according to the “mlin.net” site, Vista has its own “startup control panel” built in (it’s called something else), but as I wanted to wait for upgrading my machines in the upgrade to Vista, haven’t used it, so I can’t comment on it.
- I was connected to the Internet while downloading PC-tools, updating Norton’s, and apparently, the virus resurrected itself twice during that time. So check the startup processes more than once. The virus did not come back in after updating of the virus programs.
- Executables that loaded into the “system32” directory I still have to delete though it’s rendered harmless by a “rename”, and eliminating the process that pointed to it. These executables can be easily located if the directory is put into “date modified” order.
- I was a bit leery of loading more software such as “Smithfraudfix”, so I did some detective work on my own, to avoid stuffing my machine with more unnecessary stuff. PC-tools apparently did not eliminate the problem.
- Oliver, glad it worked out for you.
- Gerard, wish you luck.
olivier
Apr 01, 2008 @ 13:15:44
For Gerard, just press ctrl+alt+del to open task manager, go to processes and there you see all the working processes, do that when the fake screen pops up.
And for deleting the registry keys, type regedit in run as described by frank and search the keys with the same name as the process that causes the fake pop ups.
Before doing that, always make back up!
Smithfraudfix, Combofix and another tool didn’t work with me and they screwed up some settings on my PC. Norton 360, Spyware Doctor, AVG Antispyware, Spybot, Ad-aware nor Superantispyware works for killing that fake pop up.
olivier
Apr 01, 2008 @ 13:18:09
And for renaming some hard to delete files, you can use AVG antispyware , use paranoid mode it overwrites files 10 times if I remember it correct.
Ray
Apr 01, 2008 @ 17:18:13
I had the same problem with the Task Manager being disabled, with a pop up message saying ” Disabled By The Admin” This is how we solved the problem. Go to the Microsoft web site and follow the directions.
http://support.microsoft.com/kb/913623/en-us It will take you into the registry through a series of folders and then you will come to a folder named System. In the right pane, double click “DisableTaskMgr” and in the Value data box, type O and then click OK. When you first get to the Value data there will be a “1” that has to be changed to a “O”. SEE BELOW
RESOLUTION
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
To resolve this issue, set the value of the DisableTaskMgr registry entry to 0 (zero).
Note This registry entry will revert to its original setting, and Task Manager will be disabled again unless one of the following actions is performed:
• The Group Policy setting is changed on the domain.
• The local policy setting is changed on the client.
To set the DisableTaskMgr registry entry value to 0 for a specific user, follow these steps:
1. Log off from the computer.
2. Log on to the computer by using a user account that has administrative permissions.
3. Click Start, click Run, type regedit in the Open box, and then click OK.
4. In the left pane, click the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
5. In the right pane, double-click DisableTaskMgr.
6. In the Value data box, type 0, and then click OK.
7. On the File menu, click Exit.
8. Restart the computer.
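The two registry symptoms described up to this point, startup entries with randomly generated names and the DisableTaskMgr policy value set to 1, can be checked offline from a registry export taken on the affected machine. The following is an added example, not code from the article or from any commenter; the sample export is constructed, the name heuristic is a rough triage aid rather than a verdict, and DisableRegistryTools is included on the assumption that the "registry editing has been disabled" lockout is also of interest.

```python
import ntpath
import re

# Constructed sample: text of a .reg export of the current user's CurrentVersion
# key (regedit, File > Export). The names kkuyzptx, cfshmvmp and 1067 are the
# ones quoted in the comments; the paths are illustrative assumptions.
# A real export is usually UTF-16, so decode it before passing the text in.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"kkuyzptx"="C:\\WINDOWS\\system32\\kkuyzptx.exe"
"cfshmvmp"="\"C:\\WINDOWS\\system32\\cfshmvmp.exe\" /s"
"1067"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\1067.exe"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
POLICY_KEY = r'\currentversion\policies\system'
LOCKOUT_VALUES = {'disabletaskmgr', 'disableregistrytools'}
RUN_KEYS = (r'\currentversion\run', r'\currentversion\runonce')


def unescape(text):
    """Undo .reg string escaping (\\\\ becomes \\, \\" becomes ")."""
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg(text):
    """Yield (key, value_name, data); data is int for dword, str for strings."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        header = KEY_RE.match(line)
        if header:
            key = header.group('key')
            continue
        value = VALUE_RE.match(line)
        if not value or key is None:
            continue  # blank lines, the version banner, hex continuations
        name, data = unescape(value.group('name')), value.group('data')
        if data.startswith('dword:'):
            yield key, name, int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            yield key, name, unescape(data[1:-1])


def exe_path(command):
    """Extract the program path from a Run command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = re.match(r'(.+?\.(?:exe|dll|com|scr|bat))\b', command, re.I)
    return match.group(1) if match else command.split(' ', 1)[0]


def looks_random(stem):
    """Heuristic: all digits, or a run of five or more consonants."""
    if stem.isdigit():
        return True
    letters = re.sub(r'[^a-z]', '', stem.lower())
    runs = re.findall(r'[^aeiou]+', letters)
    return len(letters) >= 6 and max((len(r) for r in runs), default=0) >= 5


def audit(text):
    """Return (kind, value_name, detail) findings that deserve a manual look."""
    findings = []
    for key, name, data in parse_reg(text):
        lowered = key.lower()
        if lowered.endswith(POLICY_KEY) and name.lower() in LOCKOUT_VALUES:
            if isinstance(data, int) and data != 0:
                findings.append(('policy-lockout', name, 'set to %d' % data))
        elif lowered.endswith(RUN_KEYS) and isinstance(data, str):
            path = exe_path(data)
            stem = ntpath.splitext(ntpath.basename(path))[0]
            reasons = []
            if looks_random(stem):
                reasons.append('random-looking name')
            if '\\temp\\' in path.lower():
                reasons.append('runs from a Temp folder')
            if reasons:
                findings.append(('autorun', name, '%s (%s)' % (path, ', '.join(reasons))))
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_REG):
        print('%-14s %-22s %s' % finding)
```

A policy value that returns to 1 after being reset to 0, as several commenters report, means the process writing it is still running, so the autorun findings need handling first.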
George
Apr 01, 2008 @ 20:50:31
Is anyone working on putting these clowns out of business? There have been some fines and punishment for future spyware scams, but I think putting a few of these creeps away for 5-10 years would be noteworthy and the news would spread.
Lynn
Apr 02, 2008 @ 03:13:44
How did you find the registry entry that enabled the task manager again? What was the entry?
Frank
Apr 02, 2008 @ 06:25:14
Lynn:
Try this link for further info:
http://windowsxp.mvps.org/Taskmanager_error.htm
The registry entry is:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Gerard
Apr 03, 2008 @ 01:22:25
Frank, thanks a bunch! After following your advice exactly, the pop-ups died instantly. Now I’m only left with a minor problem: the yahoo thing where anything searched will take me somewhere the first time. Any cure for that?
David Bailey
Apr 03, 2008 @ 02:35:33
I have Vista. I had a mess with Trojan and other nasty stuff. All seems to be gone. I ran smitFraudfix TWICE. Now I don’t seem to get any security issues but at reboot I get 3 RunDLL windows. They state: Error loading C:\Users\David\AppData\Local\Temp\hyGwUmlj.dll; and rqBIBtst.dll; and jklmdlgp.dll. I assume these are remnants of the fix. Anyone know what to do to get rid of these windows at boot up? I’d be so happy.
ammori
Apr 07, 2008 @ 18:39:37
The triangle went away but my background still changes automatically without any intervention. Please anyone can help me?
Pat
Apr 08, 2008 @ 02:45:05
I used several of the above comments to aid me in my successful removal of this bug. One additional thing that I think you may find helpful is to open up your task manager (if you have disabled the disable!) and look at your processes…if you were like me…you had a hard time deciding which were legit and which were bogus…go to Google and just type in the names of any suspicious .exe files. If they come up totally unknown…they are bogus…some of them even come up as “known Trojans/malware” go into your “system32” directory and delete or rename those…the other thing I found and deleted/renamed was all files that were modified/created at the time when everything started to go wrong (for me 4/6 at about 3:30). Also make sure you use the link Frank posted for the startup control panel and remove all those again from that. Next time you reboot, problem solved.
Pat
Apr 08, 2008 @ 02:49:35
P. S. Thank you especially Frank and Ray.
Deacon
Apr 08, 2008 @ 16:37:09
I’ve been going through the process of removing a slew of Trojans and this one appears to be among them, but I’m having a problem in that every time I try to use regedit a window pops up saying that registry editing has been disabled by my administrator. I am my administrator. Any ideas?
Frank
Apr 08, 2008 @ 23:28:37
Deacon:
Refer to the following link for directions re-activating “regedit” at
http://windowsxp.mvps.org/tweakuirest.htm
Ammori:
As to the desktop background, I went to “Control Panel”=>”Display”=>Desktop, then “browse”, and restored the original wallpaper.
The background wallpaper that it was changed to was via a HTML file, replacing the wallpaper that the desktop was pointing to when I browsed, and I then deleted the HTML file.
After I wrote the above posts, I went to MyComputer=>”C Drive”=>”Documents and settings”, then to various user folders, and found numerous “malware executables” starting with “desktop” such as desktopxxxx and desktopyyyy hiding in there. Wished I copied the names but didn’t, and I believe these are the executables that loaded and “hijacked” the desktop background. The desktop returned to normal when I deleted the infected “HTML wallpaper malware”, so these executables were rendered useless. I deleted them none-the-less.
NithiBala
Apr 10, 2008 @ 05:49:09
Thanks, Frank
I have followed your idea and it works.
But I can’t remove the virus in the registry files like trojan.2nd thought_com, 2020search and etc…
mrxkronz
Apr 10, 2008 @ 05:52:52
Frank,
you saved my life.
Rachel
Apr 13, 2008 @ 19:51:41
Okay so I’ve been arguing with the Trojan for nearly 24 hours now… I tried Smitfraud three times and every time I ran it, it would tell me that it couldn’t scan a file in the Temp files because it was being used. When I found the file and tried to delete it, it’d say it was being used, and therefore it wouldn’t go away.
My wallpaper’s been wiped, I’m getting the ad-pop-up and the balloon alerts about how the computer’s been infected with spyware.
I’ve tried resetting the disabletskmgr to zero, but whenever I restart it goes right back to 1 again. I’ve tried deleting the registry, and still I get the alert that the administrator has disabled the Task Manager.
I’ve tried Adaware at least half a dozen times and Scan Spyware as well, but neither are getting rid of the problem. Any idea on what I can do now?
Frank
Apr 14, 2008 @ 10:54:14
Rachel:
I found the Trojan tried to re-establish itself on my Machine a number of times while I was updating my Virus and Spyware subscription, but stopped after I had it updated. The Trojan reloaded several times in the space of two to three hours.
The Trojan is annoying, but does not stop your machine from working.
My suggestion is if you have this problem, and you’re not updating spyware, then temporarily disconnect yourself from the Internet. This may explain why you reset the Task Manager, and it gets undone, as the Trojan reloads.
Without the Task manager, you can do a few things to disable the Trojan such as disabling the executables in “system32”.
I found the “rogue executable” themselves in Windows/system32, and these files do not allow themselves to be deleted (which might be your problem), but I easily “renamed” them, which means when the process activating them comes looking for it, it could not be found.
To easily locate the “rogue file” in Windows/system32, I suggest you sort the file directory in “date modified” order, and when you do this, you’ll find files with the date and time stamp corresponding to the time of the virus infection. If it happened recently, it should be at the bottom when the directory is in date order. Highlight the files, and rename them.
I found the wallpaper problem the simplest to handle. The virus replaced your original wallpaper with its own. What you simply do is go into the “Control Panel”=>display=>desktop, then browse and reset back to your “original wallpaper”, or just to another wallpaper if you don’t remember what the original one is. But make sure you “delete” the “rogue” wallpaper, which is a HTML file containing links to the “virus software” being peddled.
Once you crippled the Trojan, such as renaming files, and prevent its reloading, such as disconnecting from the Internet, then you can leisurely reset the Task Manager and delete the processes via the “Task Manager”, and the “Startup Manager” available at http://www.mlin.net.
If you have more than one user set up on your machine, I found when the TaskManager is disabled under one user, it still works for another user. But, if you switch to another user, you’ll have about 15 minutes to work before that gets infected.
Nagendrababu
Apr 15, 2008 @ 13:44:27
Sir, my PC has been infected by Trojan.Downloader.xs, please tell me how can I remove the virus.
paul talcott
Apr 21, 2008 @ 10:25:02
So I have tried many of the steps above, I have tried restoring the task manager using the Windows method setting value to zero and restarting, with no luck. Any other ideas there? And while doing all this are you using safe mode, or just running Windows normally?
monty
Apr 26, 2008 @ 06:39:22
Smitfraudfix worked fine for me, and it does work on Vista.
Ronel
Apr 28, 2008 @ 01:43:18
Thank you very much Frank, Olivier, and Ray.
The Trojan.Downloader.Xs seems to be gone now. I had a couple of funny names like the letter.exe file you were talking about.
Thank you very much, the spam, pop-ups, triangle, fake spyware and abebot hasn’t come up for about 1 hour!
IM SO GLAD YOU GUYS WERE BORN IN THIS WORLD. SPECIALLY “FRANK”!!!!
Ronel
Apr 28, 2008 @ 01:44:57
For anyone else who needs help on this virus, please SCROLL up and find all of Frank’s posts!
THEY were very helpful!
Thank goodness I didn’t have to scan so long. THANK YOU GUYS..
Not sure if virus is still here. But I’ve been able to locate 3 funny letter exe files on the START up control panel thing! Thank you guys.
Wolf
May 03, 2008 @ 21:00:47
Oliver, thank you so much for the Malwarebytes suggestion! I couldn’t believe it but it found nearly 100 items on my system and got rid of them all, including the TrojanDownloader.XS and it was easy to use. The SmitfraudFix never did work.
As the former owner of a small PC repair shop (former thanks to Hurricanes Katrina and Rita) I highly recommend using the Malwarebytes for anyone who has been affected by these malicious attacks. I will continue to use it along with my Ad-Aware and SystemSuites to keep all of my PC’s in top performing condition. I can’t thank you enough!
Lisa
May 13, 2008 @ 13:34:55
The Smitfraudfix worked perfect on my Dell Inspiron to remove the Trojandownloader.xs where nothing else could. Too bad I wasted money on buying two worthless anti-spyware programs. Thanks so much!
Shawnte
May 13, 2008 @ 14:17:38
I would like to thank everyone in this thread.
I caught this super sick virus on May 10th. I felt so helpless. I had to shut the PC down for a few days and try again. I fought with this virus all day yesterday (may 12th) and doing some minor tweaking today.
Smitfraudfix didn’t work for me.
Frank’s steps worked for me, but I had to do them in another order.
I was unable to get task manager back nor my desktop until after everything else was done. (maybe because I gave up trying for a bit.)
I checked the registry and start up. Everything I didn’t recognize I Google-d on a separate PC. (this virus had me so crippled. Even basic surfing for info about the virus I was redirected.)
I renamed every file I thought was suspicious within my windows folder and System32 folder. (simply added “suspect” behind them). That went to every DLL, EXE, TXT all files created after the time of my infection got changed. Those that couldn’t be changed I rebooted and came back for them. I had to do all this OFFLINE.
I used that start up tool mentioned in this thread. (www.mlin.net) Very user friendly. Made looking at start up a lot easier.
After all this fighting with the virus and realized I had some room to finally breathe again (little alerts was gone, pops up gone, virus stopped putting itself back), I tinkered with the desktop… surprise! It didn’t turn itself back. Then used that program mentioned about taskbarfix. It worked… and I was able to use it once again. (Yes I kissed the screen when I finally seen it, I had missed it so much)
I am not finished messing with the PC. Currently running scans to try and rid myself of the little stuff that may still be laying around.
But I do have a few questions with things that I just cant seem to locate.
At boot up, I get 2 errors about rundll.exe attached to 2 files that I had removed from start up and renamed in the folders. How do I stop the errors from showing up?
I still have 2 dll programs that are “currently being used” that I suspect being part of this madness. I can’t find the roots of them. I don’t know what they are attached to. Any help in this area would be appreciated.
I am not out the woods yet,. But I do see a clearing ahead. Thanks to Frank and Oliver!
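Several posts above find the dropped files by sorting system32 in "date modified" order around the time the symptoms began, then rename them so the startup entries can no longer find them. The following is an added example of that triage, not code from any commenter: it lists executables modified inside a time window, hashes them so they can be looked up from a clean PC before anything is touched, and renames them with a manifest so the step can be undone. The folder contents, times and the `.suspect` suffix are constructed assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta

SUSPECT_EXTS = {'.exe', '.dll', '.scr', '.com', '.bat'}


def sha256_of(path):
    """Hash a file in chunks; return None if it cannot be read (locked file)."""
    digest = hashlib.sha256()
    try:
        with open(path, 'rb') as handle:
            for chunk in iter(lambda: handle.read(65536), b''):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def modified_in_window(folder, start, end, exts=SUSPECT_EXTS):
    """Return (path, modified, sha256) for matching files, oldest first.

    Only the top level of the folder is scanned. Modification times can be
    forged and legitimate updates also touch system32, so treat the result
    as a list to research, not a list to delete.
    """
    hits = []
    with os.scandir(folder) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if os.path.splitext(entry.name)[1].lower() not in exts:
                continue
            mtime = entry.stat(follow_symlinks=False).st_mtime
            if start.timestamp() <= mtime <= end.timestamp():
                hits.append((entry.path, datetime.fromtimestamp(mtime),
                             sha256_of(entry.path)))
    return sorted(hits, key=lambda hit: hit[1])


def quarantine_rename(paths, suffix='.suspect'):
    """Append a suffix to each file; return (manifest, failed).

    manifest holds (old, new) pairs so a wrong guess can be renamed back;
    failed holds (path, error) for files that need a retry after a reboot.
    """
    manifest, failed = [], []
    for path in paths:
        target = path + suffix
        try:
            os.rename(path, target)
            manifest.append((path, target))
        except OSError as exc:
            failed.append((path, str(exc)))
    return manifest, failed


def demo():
    """Build a constructed sample folder and run both steps on it."""
    onset = datetime(2008, 3, 28, 20, 30)  # constructed time of first symptoms
    samples = {
        'kkuyzptx.exe': onset,                        # inside the window
        'cfshmvmp.exe': onset + timedelta(hours=3),   # inside the window
        'notepad.exe': onset - timedelta(days=400),   # old, left alone
        'readme.txt': onset,                          # extension not listed
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, when in samples.items():
            path = os.path.join(folder, name)
            with open(path, 'wb') as handle:
                handle.write(name.encode())
            os.utime(path, (when.timestamp(), when.timestamp()))
        hits = modified_in_window(folder, onset - timedelta(hours=1),
                                  onset + timedelta(hours=6))
        manifest, failed = quarantine_rename([hit[0] for hit in hits])
        flagged = [os.path.basename(hit[0]) for hit in hits]
        return flagged, sorted(os.listdir(folder)), failed


if __name__ == '__main__':
    print(demo())
```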
Jerry Flannery
May 14, 2008 @ 03:20:07
I have this downloader virus. If I use my recovery and applications disk and formatted my hard drive and reinstall Vista as it says, will that get rid of the virus?
Jerry Flannery
May 14, 2008 @ 03:22:40
I have this trojan.downloader virus. If I use the recovery and applications disk that came with it to reformat the hard drive and reinstall Vista like it says, will that get rid of the virus? Please answer ASAP if you can.
Greg
May 27, 2008 @ 21:13:14
I just finished restoring my Desktop using the advice of Frank and a couple of others but I had a twist with my restore session. Just before I found this web site my Internet connection was lost. It looks like I had something called webhancer installed as a third party proxy. It was blocking my network card from connecting and getting an IP address from my ISP. I researched Microsoft and found this with the error. http://support.microsoft.com/kb/811259/en-us “How to determine and to recover from Winsock2 corruption in Windows Server 2003, in Windows XP, and in Windows Vista” (my symptom was I was unable to release or renew my IP address). I had to use my laptop to update Norton and some other software plus it helped me by removing my hard drive and putting it into an external enclosure and running virus scan from my laptop. I followed the steps in the procedure above and my winsock was fixed and network connection restored. I can now take out the new Network adapter I bought. LOL I had to reinstall Internet Explorer but all others seem to be working great. Thanks to all for the research it saved me. I deal with servers and VoIP phone systems so I know a little bit about PC’s but this saved me a whole lot of crunch time. Thanks again.
Sylpheed
Jun 01, 2008 @ 08:01:23
For those who are still having this problem, I just faced this problem yesterday, spent the whole day fighting it, in the end, I just formatted my C drive since I’ve been wanting to do that for awhile.. but here’s a few good tips for those who are trying to fight it still.
I don’t have the solution to kill the source, but I know how to disable it while you find the solution
1. Task manager disabled, but tasklist isn’t,
start -> run -> cmd, at command prompt, type tasklist. It’ll list down all the processes, similar to task manager, now the tricky part is knowing which to kill
those with funny names like numbers.. 1067.exe or something like that, you should kill them immediately, there’s at least 4-5 of them I think, some with alphabets.
to kill the task, type tskill [pid]
PID is the process ID, when you do tasklist, you should see the name + process id next to it. Kill all those buggers then your desktop will be quieter while you find the solution
2. DO NOT restart your PC!
Start -> run -> msconfig, under startup section, you’ll notice these exact same things in the task list are there too, even if you deactivate them, they’ll still restart at start up. So disable all of them while you backup / find the solution
3) Every pop up that says your system has been infected or something like that, IGNORE them. DO NOT click yes or no! Only the X button on the top right corner, that one I think you can click. All these things are mainly fake messages by the Trojan. Even the icon that looks like windows security, that’s fake also. DO NOT click it. Ignore all of them. If your wallpaper changes to something else, DO NOT click the link. Just ignore it, or drag it to the side
4) Unplug your Internet if possible. It’ll keep trying to sync itself with the net. This should slow it down or starve it awhile at least
I got this Trojan while I was changing antivirus from AVG Free to Kaspersky… talk about good timing.
problems
Jun 15, 2008 @ 19:21:01
I have the same problem with the task manager disabled and I cannot run Smitfraudfix or Spybot on my computer. My background is replaced with the same stuff that frank had, Warning: spyware threat has been detected on your PC. And some other information and a link with it. I also get that triangle pop-ups every few minutes. Can you tell me how to get my task manager back please?
problems
Jun 15, 2008 @ 19:50:49
And I try to change the task manager registry thing to 0, but it will change back to 1 again.
frustrated
Jun 16, 2008 @ 00:54:53
After restarting my computer in safe mode, I’m not able to open the Smitfraudfix program. I double click, but nothing happens.
Help!
Willis
Jun 16, 2008 @ 20:36:43
Well I have followed all of Frank’s directions, and I am glad to say I destroyed most of this Trojan, but there is still some stuff I can’t seem to destroy. I can’t update my virus protection (AVG) either. Most of the sites that can help me are “shut down” on me. I think it was due to the Trojan but I can’t seem to fix it. Can anyone help me out of this?
@ frustrated if it’s not starting just try to follow what frank said. the smitfraudfix also did that to me and I assume it just doesn’t work
Wade
Jun 20, 2008 @ 15:46:12
Been fighting this thing all week on my home computer. Really a nasty thing. (Fortunately my work PC is clean so I can search for solutions as I don’t want to be on the Internet at home until I feel the system is clean.)
Going to print this whole page out and try some of the suggestions.
For those trying to get task manager going, I thought I would note that I had previously been struggling with trying to get the task manager to come on. I would edit the registry to remove the entry which was disabling task manager, (as noted above, in regedit go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System and delete or modify DisableTaskMgr)
and try to open task manager again and would get the same “task manager disable by admin….” message. I would check the registry again and see it had promptly had the disable entry put back in.
I finally managed to open Task manager by being in DOS, typed in taskmgr (without pressing return) removed the disable entry in the registry, then immediately clicked on the dos window and pressed return which opened the task manager. I checked the registry again and the disable entry was back again, but the task manager remained open and running.
Thanks to everyone above for all their advice which hopefully will help me get my home system back up and running again. Frank’s solutions look promising, but it should be noted that I have an up to date version of Norton and it seemed to totally miss catching this Trojan and it can’t find it when I do a full system scan. (Even after briefly connecting to the Internet long enough to load the new definitions.)
Hopefully I’ll be back here after the weekend with some good news.
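The two symptoms described in the comments above (the DisableTaskMgr policy value that keeps coming back, and the numeric-named start-up entries such as 1067.exe) can be checked offline from a regedit text export. This is an added example, not part of any commenter's post; the sample export is constructed, the function names are hypothetical, and the digits-only file name test is a heuristic taken from the names mentioned in this thread.

```python
import re

# Constructed sample of a regedit text export (.reg); not from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="C:\\WINDOWS\\1067.exe"
'''

POLICY_SUFFIX = r"\software\microsoft\windows\currentversion\policies\system"
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each named value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(2)

def triage(text):
    """Return findings: Task Manager policy lock and numeric-named autostarts."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(POLICY_SUFFIX) and name.lower() == "disabletaskmgr":
            # A non-zero dword means Task Manager is blocked for this hive.
            if data.lower().startswith("dword:") and int(data[6:], 16) != 0:
                findings.append(("taskmgr_disabled", key, name))
        elif k.endswith(RUN_SUFFIX) and data.startswith('"'):
            # Undo .reg escaping (\\ -> \, \" -> ") and take the file name.
            path = re.sub(r'\\(.)', r'\1', data.strip('"'))
            exe = path.split("\\")[-1].split(" ")[0]
            # Heuristic (assumption): digits-only names like 1067.exe.
            if re.fullmatch(r"\d+\.exe", exe, re.I):
                findings.append(("numeric_autostart", key, path))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

Comparing two exports taken a few minutes apart shows whether the policy value is being rewritten, which indicates that the process restoring it is still running.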
Christie
Jun 21, 2008 @ 15:14:46
Hi! I found out that I have some Trojan downloader on my computer, please help!
At about 10:20 PM yesterday (which was 20/06/08) I was browsing the Internet and clicked on a link, then suddenly the screen went black and when it came up again, I exited out of the Internet and found that the desktop had changed to a blue one with a yellow rectangle box in the middle of the screen saying
“Windows has detected Spyware!
Install an anti-virus or spyware remover to clean-up your computer”
Now, every time I go to change the desktop, there are only the options ” themes” “appearance” and “settings”, so I can’t remove the wallpaper (which comes back on even when I change it after I restart the computer) through the methods everybody here has mentioned.
Also, about every 5 or so minutes or just continuously, the screen goes black again and then a dark blue screen full of writing comes up , saying stuff like
“..windows is shutting down to prevent further damage to your computer.
BOGUS_DRIVER
….”
And it always has something like BOGUS_DRIVER on the screen but I don’t know what that means. In addition, there was an anti virus software that somehow installed itself on the computer, that popped up after the blue screen of writing, but I managed to get rid of that, as that was part of this virus
Somebody please help me rid my computer of the Trojan downloader, since I have no idea where it is on my computer, and the black screen-then-blue screen keeps on happening, and the wallpaper is still there too!
Christie
Jun 21, 2008 @ 15:29:15
It’s good now!
Sorry, I just fixed everything, but with the help of Frank’s notes.
Thanks Frank! I just need a freeware to get rid of the Trojan.Downloader now that I’ve located it..
Wade
Jun 23, 2008 @ 14:12:05
Thanks to everyone here for their insight and knowledge.
I made a lot of progress over the weekend. Managed to get rid of most of the corruption and feel somewhat safer using the system now. I think I have all the corrupted applications removed from my Windows and Windows/System32 directories and have my task manager back. And of course the computer runs about 10 times faster. Still believe I likely have a few quirky entries in the registry, but they apparently can’t find the applications to run when I boot up.
One thing that threw me off course when starting to troubleshoot things is that the particular version I had had a couple of rogue applications in the Windows/System32 directory, but I also had about 30 or so rogue files with EXE and DLL extensions in the Windows directory. When I would try to remove the files with windows explorer, I would be told they were being used. I could go into DOS and remove them IF I closed explorer first, but they would re-appear a couple of minutes later.
Good luck to everyone in removing this beast.
Kevin
Jun 24, 2008 @ 00:25:16
I got a lot of spyware when I was looking for lyrics on a website. Then I got this frozen pop-up that I can’t close and all these spyware start popping up saying I am infected.
Like :: CoolWebSearch, TrojanDownloader.xs, Mal ware crap..
I used the SmitFraudFix and the TrojanDownloader.xs still pops up saying infected file.
And also I can’t access my desktop on my profile, it only shows my background.
I can’t fix my Ctrl + Alt + Delete to access task manager.
Keeps saying Disable by Administrator.
I can’t open my own ad-aware remover, they want me to download their program which I’m not going to do.
And I don’t know if anyone is still looking at this post. But I would appreciate it if someone helps me.
Kevin
Jun 24, 2008 @ 01:49:13
I changed the ” DisableTaskMgr ” of the Registry Editor from 0 -> 1
but it doesn’t let me change it.
It stays at 1 and does not let me change to 0.
Any solutions?
Nelson
Jun 24, 2008 @ 02:14:49
Frank and All,
I have Windows XP Professional, some of the files you mentioned I could not find in the location you stated. Maybe because I have XP Pro. Would you have a fix for XP Pro? I also have Trojan.downloader.xs and also disabled my task manager. Went to regedit and switched parameters for current and all users to zero and they still revert to value of 1. I also disconnected my Internet and they still revert to value of 1. Thanks.
Kevin
Jun 24, 2008 @ 12:18:04
Is there another way to change the desktop background with the registry editor? Because I found the desktop and its background with the registry editor but I don’t know which one to delete?
Anyone can help me with that?
Amy
Jul 17, 2008 @ 14:07:17
I don’t know if anyone is paying attention to these posts lately..since the last one was posted in June, but I was infected by the trojandownloader.xs 2 days ago and my computer is completely messed up. I have been reading everyone’s opinions and ideas, but I am unable to do any of them.
For one, I still have my normal wallpaper, but it switches on me every 45 seconds to the alert that there is a virus.. I have no desktop icons, no start menu, this web site opened on its own, if I close it, I won’t be able to get back in. I have tried downloading spyware removal online and it won’t let me download anything onto the comp. I am getting so frustrated. I tried the smitfraudfix, it downloaded but it didn’t do anything, it opened, scanned, I guess? but it didn’t say there was a problem or anything. Can someone PLEASE help me!
Jeff
Aug 12, 2008 @ 18:45:18
Amy,
With the level of denied access you have to your PC you have very few choices. If you can put smitfraudfix in a place that is easy to find in DOS, start your PC in “Safe Mode with Command Prompt”. Navigate to where you put the program and run it. Options 2 & 3 are the only ones you need to run. Answer yes to the questions then quit and reboot. 90% success with just doing that. Of course if that doesn’t work it’s time to be a slave driver and start an all out find and delete….. all the temp files, startup items, junk programs, should all be eliminated but if you’re lucky this will free up some function for you. Good Luck
Jeff
zesty
Aug 21, 2008 @ 04:25:14
I have a problem similar to those above. Was able to use smitfraudfix to get around most of it and I isolated/renamed the files in system32. Ran malwarebytes and AVG. Both removed Trojans. I think (hope) that I am in the clear for the Trojan coming back. But I am still having a couple of annoying issues:
1. the “all programs” link is missing from my start menu. so I have no way to access the rest of my programs. it was there prior to the virus so I assume that this was something that it disabled to try to thwart its removal.
2. The “My Computer” icon is now missing from my desktop and when I try to add it back under the customization menu it is grayed out so I can’t select it.
I figure that both of these things are controlled in the registry but I can’t for the life of me find the right keys to change.
Any suggestions/help would be greatly appreciated. BTW, I am running Windows Vista Ultimate.