What is Ares banking trojan
A successor of Kronos, Ares is another trojan designed to collect banking data. Trojans are programs that force the download of other malware. In this case, Ares is meant to install a spyware program called Ares Stealer. Once it settles on your system, the trojan can read and record sensitive data entered during use. The main targets are usually passwords, credit/debit card numbers, usernames, e-mail addresses, and other banking-related information used on various websites or in desktop applications. The worst part is that some users might not know that they are being surveilled. They continue entering confidential data, which leaks to the servers of cybercriminals. All credentials and other private information collected by swindlers can be abused to make online transactions, sell your personal details, and more. Overall, the most obvious sign of a trojan infesting your system is unusual computer behavior. If you see desktop/browser pop-ups, your computer works slower than usual, some applications do not launch, or your system acts on its own, then it is worth calling your bank and asking to freeze your account to avert monetary loss. Then, you can scan your system and delete the detected trojan to prevent privacy threats. Below, we show all the necessary steps to do it.
How Ares banking trojan infected your computer
As statistics show, most cybercriminals tend to exploit phishing e-mails (spam messages), download pages that advertise fake updates/software, malicious software cracking tools, and so forth. Most extortionists create their own websites and set up advertising networks to promote fake software updates. If you visit a page that uses, or was hacked to use, poor advertising content, you might see pop-up banners claiming that your Adobe Flash Player is outdated, that you lack important Windows updates, or something else. If you click on them, you will be redirected to landing pages offering to download the updates. Most trojans are disguised as legitimate updates. The installation process looks absolutely identical but results in a malware infection. You can also unintentionally end up on such pages after clicking on suspicious links. Some websites will show a chain of unwanted pages before navigating to the initial one. This is why it is important to use only trusted and official resources for downloading programs. When it comes to system updates, do not trust third-party pages claiming that something is wrong. Instead, go to the official website and download updates directly from it. Basically, all of the distribution methods mentioned above are meant to capitalize on users' inexperience and excessive naivety. To be better protected against similar threats in the future, we recommend reading our guide below.
- Download Ares banking trojan Removal Tool
- Use Windows Malicious Software Removal Tool to remove Ares banking trojan
- Use Autoruns to remove Ares banking trojan
- Files, folders and registry keys of Ares banking trojan
- Other aliases of Ares banking trojan
- How to protect from threats, like Ares banking trojan
Download Removal Tool
To remove Ares banking trojan completely, we recommend using SpyHunter 5. It can help you remove files, folders, and registry keys of Ares banking trojan and provides active protection from viruses, trojans, and backdoors. The trial version of SpyHunter 5 offers a virus scan and 1-time removal for FREE.
Download Alternative Removal Tool
To remove Ares banking trojan completely, we recommend using Malwarebytes Anti-Malware. It detects and removes all files, folders, and registry keys of Ares banking trojan and several million other malware samples, such as viruses, trojans, and backdoors.
Remove Ares banking trojan manually
Manual removal of Ares banking trojan may be a difficult task for inexperienced users because it does not create entries in Add/Remove Programs under Control Panel, does not install browser extensions, and uses random file names. However, there are pre-installed tools in Windows that allow you to detect and remove malware without using third-party applications. One of them is Windows Malicious Software Removal Tool. It comes with Windows Update in Windows 11, 10, 8, and 8.1. For older operating systems, you can download it here: 64-bit version | 32-bit version.
Remove Ares banking trojan using Windows Malicious Software Removal Tool
- Type mrt in the search box near the Start Menu.
- Run mrt by clicking on the found item.
- Click Next button.
- Choose one of the scan modes Quick scan, Full scan, Customize scan (Full scan recommended).
- Click Next button.
- Click on View detailed results of the scan link to view the scan details.
- Click Finish button.
Remove Ares banking trojan using Autoruns
Ares banking trojan often sets itself up to run at Windows startup as an Autorun entry or Scheduled task.
- Download Autoruns using this link.
- Extract the archive and run Autoruns.exe file.
- In the Options menu, make sure Hide Empty Locations, Hide Microsoft Entries, and Hide Windows Entries are checked.
- Search for suspicious entries with weird names or running from locations like: C:\{username}\AppData\Roaming.
- Right-click on the suspicious entry and choose Delete. This will prevent the threat from running at startup.
- Switch to Scheduled Tasks tab and do the same.
- To remove files themselves, click on suspicious entries and choose Jump to Entry…. Remove files or registry keys found.
Remove files, folders and registry keys of Ares banking trojan
Ares banking trojan files and folders
atcuf32.dll
umengx86.dll
sandboxie.dll
libctc_sandbox.dll
atcuf64.dll
antimalware_provider32.dll
antimalware_provider64.dll
libctc_onexecute.dll
Ares banking trojan registry keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{randomname} = "%AppDataLocal%\{randomname}\{randomname}.hta"
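The Run-key pattern listed above, and the startup-entry review from the Autoruns steps, can also be checked with a short read-only script. This is an added example, not part of the original guide or of any vendor tool: the function names are hypothetical and the sample entries (SecurityTool, qwkzpt, ChatApp, user alice) are constructed. On Windows it reads the current user's Run key; elsewhere it runs on the constructed sample.

```python
import ntpath
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Prefixes that may remain unexpanded; %AppDataLocal% is the guide's own notation.
APPDATA_VARS = ("%appdata%", "%localappdata%", "%appdatalocal%")

# Constructed sample entries (value name -> command line), not real data.
SAMPLE = {
    "SecurityTool": r'"C:\Program Files\SecurityTool\tray.exe" /background',
    "qwkzpt": r'"C:\Users\alice\AppData\Local\qwkzpt\qwkzpt.hta"',
    "ChatApp": r"C:\Users\alice\AppData\Local\ChatApp\Update.exe --processStart ChatApp.exe",
}

def classify(name, command):
    """Return the reasons a Run value deserves review (empty list = none)."""
    reasons = []
    # Split into quoted strings and bare tokens; unquoted paths with spaces are missed.
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command):
        path = ntpath.expandvars(quoted or bare)
        lowered = path.lower()
        if "\\appdata\\" not in lowered and not lowered.startswith(APPDATA_VARS):
            continue
        reasons.append("runs from AppData")  # weak signal: legitimate apps do this too
        folder = ntpath.basename(ntpath.dirname(path))
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if ext.lower() == ".hta":
            reasons.append(".hta target")
            if name.lower() == folder.lower() == stem.lower():
                reasons.append("value name = folder = file name")
    return list(dict.fromkeys(reasons))  # de-duplicate, keep order

def review(entries):
    """Map value name -> reasons for every entry that has at least one reason."""
    return {n: r for n, c in entries.items() if (r := classify(n, c))}

def read_hkcu_run():
    """Read HKCU\\...\\Run on Windows (read-only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        return {n: str(v) for n, v, _ in (winreg.EnumValue(key, i) for i in range(count))}

if __name__ == "__main__":
    entries = read_hkcu_run() if sys.platform == "win32" else SAMPLE
    for name, reasons in review(entries).items():
        print(f"{name}: {', '.join(reasons)} -> {entries[name]}")
```

The script only reads and reports; entries it flags still need to be inspected in Autoruns before anything is deleted.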
Aliases of Ares banking trojan
Win32:RATX-gen [Trj], Gen:Variant.Graftor.565491, A Variant Of Win32/Spy.Kronosbot.A, Trojan-Spy.Win32.Stealer.xvh, Trojan:Win32/Kronosbot, IDP.Ares.Generic
How to protect from threats, like Ares banking trojan, in future
Standard Windows protection or any decent third-party antivirus (Norton, Avast, Kaspersky) should be able to detect and remove Ares banking trojan. However, if you got infected with Ares banking trojan despite having existing and updated security software, you may consider changing it. To feel safe and protect your PC from Ares banking trojan on all levels (browser, e-mail attachments, Word or Excel scripts, file system), we recommend a leading provider of internet security solutions, BitDefender. Its solutions for both home and business users have proved to be among the most advanced and effective.