How do you remove Trojan horse downloader.agent.APKO?

Answer

Wiki User
September 12, 2011 8:37PM

Steps to remove the Trojan horse downloader.agent.APKO:

(The steps below are described using Windows XP.)

  1. First, we have to remove the "C:\windows\system32\x" file.

    Try starting Windows in safe mode (press F8 when booting). See if you can delete the x file.

    If you managed to delete the file then go to step 2.

    If you cannot delete the file or cannot successfully load Windows in safe mode, then you have to do it on another computer. Remove your hard disk and set it as a secondary hard disk on another computer. Delete the file from that computer.

    Another way to delete the file is to boot an OS from a CD or USB flash disk.

    The point is you have to get rid of that x file first.

  2. Disconnect your Internet connection.
  3. Start Windows normally as an Administrator. Run Services.msc or go to Computer Management->Services and Applications->Services. Click the Startup Type column header to sort by the Startup Type column. Pay attention to the Automatic startup items. Find something unusual like kxhjbs (this could be any random characters) in the Name column.
  4. If you find kxhjbs in the previous step, then run Regedit.exe. Click My Computer, then click Edit->Find (or press Ctrl+F) to open the Find dialog. Enter kxhjbs (or whatever value you found in the previous step). Click Find Next. If you find a matching entry, then delete the entry. Click Find Next again until it has searched your entire Registry.

    Since this is a Service entry, you will find it in HKEY_LOCAL_MACHINE->SYSTEM->CurrentControlSet (or ControlSet001/002)->Services.

    You may also find an entry in HKEY_LOCAL_MACHINE->Software->Microsoft->Windows NT->CurrentVersion->SvcHost. In the right pane, find and double-click netsvcs. Remove the kxhjbs entry.

    Some entries you may find difficult to delete are in LEGACY_KXHJBS. These can be safely ignored. They just become junk in your Windows Registry. If you need to delete the entry, add Full Control permission for Administrators first, then you can delete the entry.

  5. This step is done using another computer.

    Go to http://www.Microsoft.com/technet/security/Bulletin/MS08-067.mspx.

    Download the hotfix for your Windows version.

    Go to your favorite antivirus website for an update (if you have the option to update manually using a file).

    Copy the MS08-067 hotfix and your antivirus update to your hard disk.

  6. Restart Windows. Update the MS08-067 hotfix. Choose to restart Windows.
  7. Up to this point the Trojan is not active anymore, but it still has some files on your hard disk, which in this case are found in the Temporary Internet Files folder.

    Update your favorite antivirus (if you can update from a file). Run a full scan on your hard disk. Running a scan on your system partition (usually drive C) should be enough. Delete the files indicated as virus/Trojan.

    You may also delete Temporary Internet Files first before doing Antivirus scanning. The Antivirus may not find any virus files when you do this, but it is safer.

  8. If you find everything is back to normal then you can reconnect your Internet connection.

Okay, this is my first answer. Hope this helps.
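
The manual checks in steps 3 and 4 can also be run as a read-only audit. The script below is an added example, not part of the original answer: it lists Automatic services hosted under `svchost -k netsvcs`, with the DLL each one loads, and reports netsvcs entries that no longer have a service key. It assumes PowerShell is installed (it is not on Windows XP by default) and an Administrator session; the variable names are illustrative.

```powershell
# Read-only audit: nothing is modified or deleted.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'

# Service names registered in the netsvcs group (REG_MULTI_SZ -> string array)
$netsvcs = @((Get-ItemProperty -Path $svcHostKey).netsvcs)

$rows = foreach ($key in Get-ChildItem -Path $servicesKey) {
    $svc = Get-ItemProperty -Path $key.PSPath
    # Start = 2 is shown as "Automatic" in the Services console
    if ($svc.Start -ne 2) { continue }
    # Keep only services that run inside the shared netsvcs svchost process
    if ($svc.ImagePath -notmatch 'svchost(\.exe)?\s+-k\s+netsvcs') { continue }

    # The DLL that svchost loads for this service is stored under Parameters
    $paramPath = Join-Path $key.PSPath 'Parameters'
    $dll = (Get-ItemProperty -Path $paramPath -ErrorAction SilentlyContinue).ServiceDll
    $created = $null
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        # -Force so hidden or system files are still returned
        $created = (Get-Item -LiteralPath $dll -Force).CreationTime
    }

    New-Object PSObject -Property @{
        Name        = $key.PSChildName
        DisplayName = $svc.DisplayName
        ServiceDll  = $dll
        DllCreated  = $created
        InNetsvcs   = ($netsvcs -contains $key.PSChildName)
    }
}

# Most recently created DLLs last; a random-looking name with a recent DLL stands out
$rows | Sort-Object DllCreated |
    Format-Table Name, DisplayName, InNetsvcs, DllCreated, ServiceDll -AutoSize

# netsvcs entries whose service key is gone (left behind if step 4 was only partly done)
$netsvcs | Where-Object { $_ -and -not (Test-Path (Join-Path $servicesKey $_)) } |
    ForEach-Object { "netsvcs entry without a service key: $_" }
```

A stock Windows install already lists some names in netsvcs that have no service key, so compare the second list against the name found in step 3 rather than treating every line as suspicious.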