Problem solve Get help with specific problems with your technologies, process and projects.

How to remove a Trojan downloader

In this thread from the ITKnowledge Exchange, get tips and learn how to remove a Trojan downloader, how they install themselves, how they spread and how to avoid infecting other machines on a network.

The following question and answer thread was excerpted from ITKnowledge Exchange. Click here to read the entire thread or begin a new thread.

A user identified as redrose posted:

"I am running Windows NT4.0 SP6 as a DNS and Web server. It is infected with a Trojan horse downloader. I have scanned and cleaned the server with AVG Antivirus, but it only becomes infected again. I also downloaded a Trojan hunter, and it detected other Trojan files, which it removed and renamed. However, the problem appears to be getting worse. Every time I scan the server, AVG detects and removes the same Trojan files from the same location."

A user identified as PeterMac replied:

"Newer Trojans are getting very smart. They will install loaders that run automatically and can't be picked up by antivirus because they don't have a specific signature. Trojans can install as part of the OS and prevent removal except in safe mode. To clear your current infection, you will need to determine exactly which Trojan you have, and then go to one of the major AV sites for the best way of dealing with it. Trojans can be deadly on a network. They spread by many means and will not show up on some systems. They just sit there, ready to re-infect any system you manage to clean. To deal with this type of outbreak you need to take all systems off the network and only bring them back on, one at a time, once you are sure they are clean."

  • Learn more about Trojans in this excerpt from Malware: Fighting Malicious Code.
  • Fighting spyware requires a classic combination of technology, policy, process and people.
  • Visit our collection of resources on Trojan defense tactics.

A user identified as Howard2nd replied:

"Without firewalls internally and externally, this problem may prove very difficult to solve. Windows puts some files in 'Protected' class and will restore them from the cache on the local hard drive. The Trojan knows this and puts its boot loader in one of those files. You remove the bad files, restart and Windows restores the infected file, which proceeds to download the Trojan all over again.

"We don't know how big your network is, and therefore we don't know how much pain this will be. Shut it all down, set up firewalls and bring it back up one machine at a time -- obviously starting with the server. If you have a good back up from before the problem started, use that. If your back up is data only (no applications), a clean installation with all patches is highly recommended before you connect to the Internet. Remember to run IIS Lockdown and URLScan before attaching to the Internet."

A user identified as nerdking replied:

"We've had similar problems on our network. Although none of our servers have been hit with Trojans, some of the desktops have. Usually by the time you discover there is a problem and get rid of the Trojan, the malicious program that the Trojan downloaded is doing its dirty work. Not only that, it insinuates itself into different parts of the registry so that when you get rid of one instance of it, the next time you restart it reloads itself.

"Here's how I have gotten a machine back to a safe, stable condition: First, remove the machine from the network, reboot it into Safe Mode, and then run a full virus scan. While still in Safe Mode, run spyware/adware sweepers, getting rid of as much as you can and rebooting back into Safe Mode between each scan.

"When the spyware/adware sweepers begin to come up "empty," run Hijack This and get rid of the garbage. Be careful with this program. Once it deletes something, it's gone. When running Hijack This, Google is your best friend. Google anything the program finds that's the least bit suspicious to find out what exactly it is before you delete it. As with the spyware/adware sweepers, reboot back into Safe Mode after each Hijack This scan and repeat until Hijack This comes up "clean."

"After all this, restart the machine normally and repeat the process above until there's nothing left except what's supposed to be there. It's a long, drawn out process."

A user identified as George replied:

Having read several "how tos" for removing malware, Trojans, spyware and adware, it would seem that someone is missing general knowledge about how systems operate. When I have an outbreak of malware I (1.) Open Task Manager and stop unneeded services ("All Unneeded" services), i.e., disk nag, Windows office, CD burner software, etc. Some will not quit but most will. For NT systems I usually can get to as few as 16 and with XP 21 or 22 is normal. (2.) With the services stopped I start regedit and go to all instances of runonce and remove any line that I cannot say is needed to make the system run. Make note of those that come back for later actions. Minimize regedit and (3.) start Internet Options in Control Panel. Clear out cached pages, Delete Temporary Internet Files, clear cookies and set temporary Internet files to less than 10 MB. At this point it is a good idea to set security for the various zones and exit. (4.) Start Add Remove Programs in Control Panel. Uninstall those programs that do not belong on the system. Navigate to program files and delete the files that you do not want, and then repeat steps one and two above. (5.) Start Navigator and delete the files and folders that have not gone away with the uninstall activities and those which have come to your attention through regedit, Explorer and Task Manager. (6.) Reboot the system into safe mode without network and repeat steps 1 through 5. (7.) Reboot the system into normal mode and see if the problems have gone away; if not, rebuild the system.
This was last published in April 2005

Dig Deeper on Malware, virus, Trojan and spyware protection and removal