How to Fix: Trojan Keeps Coming Back, Won't Remove
Infopackets Reader Jason B. writes:
" Dear Dennis,
Thanks for all your excellent articles! Somehow my PC got infected with the Trojan: Trojan.Agent.Gen - it was detected by Malwarebytes Antimalware after I ran a scan. Malwarebytes said it needed to reboot to clean the infection; I did that, but after another scan, the Trojan is still on my system - I can't remove it! The filename and path of the Trojan is located at %userprofile%\AppData\Roaming\windows.vbs. I have also tried removing Trojan.Agent.Gen using Microsoft Security Essentials and ADWCleaner, but neither program will remove it and it just keeps coming back. I've communicated with Malwarebytes, but they tell me they can't help. I was also advised by Malwarebytes that upgrading from Windows 7 to Windows 10 will not rid me of the infection. I do not want to reformat my main drive. Do you have a solution? "
Update 20200116: I'm getting a lot of emails from folks asking for help removing particularly pernicious and painful infections on their machines. If you need help with this ASAP, send me an email and don't forget to leave your phone number. I will call you back as soon as possible.
My response:
I was not familiar with how Trojan.Agent.Gen works - in fact, based on my research Trojan.Agent.Gen stands for "Trojan Agent Generic", which is (as you may have guessed!) a generic name for a Trojan infection. In other words, this particular Trojan could be capable of just about anything nasty.
As such, I emailed Jason and asked if he'd like me to connect to his machine using my remote desktop support service to have a better look. He agreed; once connected, Jason told me he was worried that Trojan.Agent.Gen was capturing his keystrokes, which prevented him from doing any online banking. After analyzing the situation a bit more, Jason agreed to hire me to try and remove the threat.
Troubleshooting a Trojan That Won't Remove
First, I reviewed the Malwarebytes log files and found where the Trojan file was located on Jason's machine. I then tried to delete the file through an administrative command prompt, but Windows reported that "the file was currently in use by another process." Since the file was in use, it could not be deleted. This is a 'catch-22' when it comes to killing off viruses and Trojans and is often the reason why a Trojan "keeps coming back".
As such, the next thing to do is to figure out which process is using the file, so I can kill the process and then delete the file. The best tool for this job is Process Explorer, and so I downloaded it onto Jason's computer. Once it was installed, I did a search for 'windows.vbs' (which was the name of the Trojan), and found that the process "wscript.exe" was the task responsible for locking the file.
I killed the process tree for 'wscript.exe', went back to the administrative command prompt, and then deleted the file. I then launched msconfig.exe and looked at Jason's startup, and found that there was an entry called 'windows', which then pointed to the windows.vbs file. I disabled the entry and rebooted his computer. I then verified that %userprofile%\AppData\Roaming\windows.vbs was in fact deleted. Problem solved! Jason ran another scan, and this time he was infection-free.
How to Fix: Trojan Keeps Coming Back, Won't Remove
In detail, here is how I removed Trojan.Agent.Gen - though, you could apply this technique to most Trojan infections that aren't easily removed and keep coming back:
- Download and install Malwarebytes Antimalware Free. When you run it, do not opt to use the 'Trial' version for the Premium Edition. It is not necessary and will automatically stop working after 30 days if you opt into the trial. The free version runs just fine.
- Run a scan, then review the log files associated with Malwarebytes Antimalware. Jason had his logs conveniently placed on his desktop; you can learn how to read Malwarebytes Antimalware logs at any point during or after a scan.
- Note the location of the Trojan file according to the log, then download Process Explorer. Once it's downloaded, extract Process Explorer (it is a .ZIP file), then launch the Process Explorer program so it installs on the system.
- Once Process Explorer is launched, look near the top menu items, and select "Find -> File handle or DLL..." Next, type in the name of the Trojan file (in Jason's case, it was windows.vbs), then click Search. When the search results appear, left click on the column "Type" to sort by type. The type will be one of: DLL, Process, or Thread. You are interested in all instances of the "Process" type.
- Next, left click to select any search results of the "Process" type. Note that the Process Explorer main window is split into two; in the top part of the window, it will also highlight the process you just left clicked (selected) in the search. Go to the top portion of the window, then left click the line that is already highlighted (in grey), then right click the line and select "Kill process tree" if it is available, otherwise use "Kill process".
- The Trojan process should now be neutralized, which means you can now safely delete the Trojan file on the hard drive. To do so: refer again to the Malwarebytes log so you can note and copy the location (path) of the Trojan file. In Jason's case, the location was in %userprofile%\AppData\Roaming and the file name was windows.vbs. To go there, simply open My Computer or This PC, then paste only the path (do not include the file portion) into Windows Explorer. Once you're there, locate the file and delete it. You should not have any errors stating that the file is in use; if you do, you may have a particularly difficult Trojan to remove. If that is the case, you can contact me for further assistance.
- Assuming the file is deleted, it's now time to launch msconfig and review your Services and Startup items. To do so: Click Start, then type in "msconfig" (no quotes). Go to the Services tab, then click the option that says "Hide all Microsoft Services", then go through the list of services. If you don't recognize the service, Google the name of the service and hopefully you can come across a page that will tell you if it is a legitimate service. Be careful though, because many "information" pages will try to scam you by stating the process is in fact harmful and you need to download such and such program to remove the threat. These are bogus pages, so please research carefully.
- Assuming you've researched all your Services and disabled any that look suspicious, it's time to move onto the Startup tab and repeat the process. If you don't know what you're doing at this point, you can contact me for further assistance.
- Reboot the computer and refer to the Malwarebytes log again; note the location where the infected file was previously, and make sure it's not there anymore. You can also do another scan of Malwarebytes Antimalware to ensure that you are infection-free.
I hope that helps.
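The same checks can be scripted. The PowerShell below is an added example, not part of the original article: it assumes Windows PowerShell 3.0 or later, matches on each process's command line rather than doing the handle search Process Explorer performs, and reads the Run/RunOnce registry keys and the per-user Startup folder rather than going through msconfig. The `-Remediate` switch and its choice to delete autostart values (the article disables them) are this example's own.

```powershell
# Added example: audit what keeps a dropped script running. Report-only unless -Remediate is given.
param(
    [string]$ScriptPath = "$env:APPDATA\windows.vbs",  # path taken from the scan log
    [switch]$Remediate                                  # also kill, delete and unregister
)
$leaf = [regex]::Escape((Split-Path $ScriptPath -Leaf))

# 1. Processes whose command line names the file (e.g. wscript.exe hosting the .vbs)
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.CommandLine -match $leaf -and $_.ProcessId -ne $PID }
$procs | Select-Object ProcessId, ParentProcessId, Name, CommandLine | Format-List

# 2. Run/RunOnce values that reference the file (autostart entries like the 'windows' one)
$runKeys = foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($sub in 'Run', 'RunOnce') { "$hive\Software\Microsoft\Windows\CurrentVersion\$sub" }
}
$hits = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data -match $leaf) { [pscustomobject]@{ Key = $key; Name = $name; Data = $data } }
    }
}
$hits | Format-List

# 3. Startup-folder items; .lnk shortcuts are resolved to their target and arguments
$shell = New-Object -ComObject WScript.Shell
$startup = Get-ChildItem ([Environment]::GetFolderPath('Startup')) -Force | ForEach-Object {
    $target = $_.Name
    if ($_.Extension -eq '.lnk') {
        $lnk = $shell.CreateShortcut($_.FullName)
        $target = "$($lnk.TargetPath) $($lnk.Arguments)"
    }
    if ($target -match $leaf) { [pscustomobject]@{ File = $_.FullName; Target = $target } }
}
$startup | Format-List

if ($Remediate) {
    # Same order as the manual steps: stop the process tree, delete the file, drop the autostart
    foreach ($p in $procs)   { taskkill.exe /PID $p.ProcessId /T /F }
    if (Test-Path -LiteralPath $ScriptPath) { Remove-Item -LiteralPath $ScriptPath -Force }
    foreach ($h in $hits)    { Remove-ItemProperty -Path $h.Key -Name $h.Name }
    foreach ($s in $startup) { Remove-Item -LiteralPath $s.File -Force }
}
```

Run it once without `-Remediate` from an elevated prompt and read the three listings before changing anything; removing values under HKLM requires administrator rights.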
Some Trojan Infections Are Very Difficult To Remove
Please note that every Trojan infection acts differently. Although the steps above will help you to understand how to remove some Trojan infections that 'keep coming back', they may not catch them all. For example, some Trojan infections are so deeply entrenched in the operating system, they may attempt to replicate themselves every second. In other words, you'd be playing 'whack a mole' when trying to remove the infection, to no avail - I have witnessed such infections myself. In this case, you will need a professional (such as myself) to help you remove the infection.
Additional 1-on-1 Support: From Dennis
If all of this is over your head, or if you are infected with a Trojan and you need help removing it - I can do it for you using my remote desktop support service. Simply contact me with your concerns and I'll do my best to get back to you as soon as possible.
Got a Computer Question or Problem? Ask Dennis!
I need more computer questions. If you have a computer question - or even a computer problem that needs fixing - please email me with your question so that I can write more articles like this one. I can't promise I'll respond to all the messages I receive (depending on the volume), but I'll do my best.
About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise cover a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelors degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. For technical support inquiries, Dennis can be reached via live chat on this site using the Zopim Chat service; optionally, you can contact Dennis through the website contact form.
Comments
Damn good advice
Just wanted to note that Dennis gives some damn good advice on removing this infection. And to note the Malwarebytes Anti-Malware Premium is a really good supplement to whichever Internet Security program you use. If you keep your eyes open and sign up for newegg.com's e-Blasts, sooner or later you'll see a deal that will get you Malwarebytes Anti-Malware Premium for as little as $12.95 a year -- a real bargain. With Malwarebytes Anti-Malware Premium running in the background, you've got a good chance of catching one of these malware trojans before it can install itself on your computer.
Trojan Keeps Coming Back
Hey Dennis, I use Hitman Pro - it does a great job. I have been using it for the past 4 years and had no problems, and I use it on all my family's computers. Works great.
Useful for unlocking Files
Hi all,
I installed "Unlocker" many, many years ago for just this purpose, removing unwanted software.
You can find it here http://www.emptyloop.com/unlocker/
Great little tool, it places a link into the File Explorer window so you can highlight the appropriate file and DELETE, RENAME or REMOVE the file.
hope this helps
Greg