Remove Downloader.Picproot Trojan from the System - How to, Technology and PC Security Forum


Downloader.Picproot is a recently discovered Trojan horse that is detected by Symantec. The Trojan affects the Windows operating system. Even though its threat level is considered low, Downloader.Picproot should be removed promptly to avoid more severe consequences. A full system scan performed by a legitimate AV solution is recommended before any other actions are taken.


Downloader.Picproot General Description and Distribution

The Trojan horse affects the following, as reported by security researchers:

  • Windows 2000.
  • Windows 7.
  • Windows 95.
  • Windows 98.
  • Windows Me.
  • Windows NT.
  • Windows Vista.
  • Windows XP.

Users should note that Downloader.Picproot may be dropped by a binary file that has been attached to an email message. Be sure always to analyze received emails before opening anything. Various types of malware may be distributed through the execution of malicious email attachments and corrupted hyperlinks. If the user is tricked into executing the binary, Downloader.Picproot may start copying itself to:

  • %UserProfile%\Application Data\Microsoft\Credentials\Credentials.dll
  • %UserProfile%\Application Data\Microsoft\Credentials\Credentials.exe
  • %UserProfile%\Application Data\Microsoft\SystemCertificates\CREDRIVER.dll
  • %UserProfile%\Application Data\Microsoft\SystemCertificates\Desktop.ini

Then, Downloader.Picproot may create the following files:

  • %UserProfile%\Application Data\Microsoft\Credentials\Credentials.dat
  • %UserProfile%\Application Data\Microsoft\Credentials\Credentials.bak
  • %UserProfile%\Application Data\Tasks\up[ONE OR MORE LETTER FILE NAME].tmp
  • %UserProfile%\Application Data\Tasks\up[ONE OR MORE LETTER FILE NAME].msi

After performing those malicious activities, the Trojan may delete files with the .dta extension. Such files may be located in:

→%UserProfile%\Application Data\Tasks

Next, Downloader.Picproot creates a new registry entry so that the threat runs every time Windows is rebooted:

→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Credentials" = "rundll32.exe "%UserProfile%\Application Data\Microsoft\Credentials\Credentials.dll",Embedding"

Also, keep in mind that Trojans can modify the Windows registry. In the case of Downloader.Picproot the following registry key may be altered:

→HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\lsa\"forceguest" = "0"

Then, the Trojan activates the HelpAssistant user account and adds it to the Administrators group. This is done so that Downloader.Picproot controls the incoming traffic through TCP ports 135, 139, and 445. Trojan horses are also known to connect to remote locations, and Downloader.Picproot is no exception. Here is a list of possible remote servers that the malware may connect to:


The final touch of the threat is downloading a corrupted image file and saving it to %UserProfile%\Application Data\Tasks\Zup[ONE OR MORE LETTER FILE NAME].tmp or %UserProfile%\Application Data\Tasks\up[ONE OR MORE LETTER FILE NAME].msi. Finally, the payload is decrypted and hidden from the user.
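A read-only triage check for the file, registry and account indicators described above, written as an added example that is not part of the original article or of any vendor tool. It assumes `$env:APPDATA` is the folder the article writes as `%UserProfile%\Application Data` (the same folder on XP, reached through a junction on Vista and 7) and that the local group is named `Administrators` (the name is localized on non-English systems).

```powershell
# Added example: read-only check for the Downloader.Picproot indicators listed in the article.
$findings = @()
$context  = @()

# 1. Fixed-name files the article says are copied or created.
$fixed = @(
    'Microsoft\Credentials\Credentials.dll',
    'Microsoft\Credentials\Credentials.exe',
    'Microsoft\Credentials\Credentials.dat',
    'Microsoft\Credentials\Credentials.bak',
    'Microsoft\SystemCertificates\CREDRIVER.dll',
    'Microsoft\SystemCertificates\Desktop.ini'
)
foreach ($rel in $fixed) {
    $p = Join-Path $env:APPDATA $rel
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. Variable-named files in the Tasks folder: up<letters>.tmp/.msi and the Zup<letters> variant.
$tasks = Join-Path $env:APPDATA 'Tasks'
if (Test-Path -LiteralPath $tasks) {
    foreach ($f in Get-ChildItem -LiteralPath $tasks -Force) {   # -Force includes hidden files
        if ($f.Name -match '^Z?up[a-z]+\.(tmp|msi)$') { $findings += "File present: $($f.FullName)" }
    }
}

# 3. Run-key value "Credentials" that launches Credentials.dll through rundll32.exe.
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
                        -Name 'Credentials' -ErrorAction SilentlyContinue
if ($run -and $run.Credentials -match 'Credentials\.dll') {
    $findings += "Run value 'Credentials' = $($run.Credentials)"
}

# 4. Lsa\forceguest = 0. This is also a normal setting on many systems, so it is
#    reported as context only and should be weighed together with the other hits.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name 'forceguest' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.forceguest -eq 0) { $context += 'Context: Lsa\forceguest is 0' }

# 5. HelpAssistant account listed as a member of the local Administrators group.
$admins = net localgroup Administrators 2>$null
if ($admins -match 'HelpAssistant') { $findings += 'HelpAssistant is in the Administrators group' }

if ($findings.Count) { $findings; $context }
else { 'No Downloader.Picproot file, Run-key or account indicators found.'; $context }
```

Run it in the affected user's session, since the file paths and the Run key are per-user; a hit on `Desktop.ini` alone deserves a manual look before it is treated as an infection.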

Downloader.Picproot Removal Options

Affected users should scan the system as soon as possible. Install a trustworthy anti-malware program to detect and eliminate the threat. For future reference, always analyze incoming emails to avoid infecting the system.


1. Start Your PC in Safe Mode to Remove Downloader.Picproot


1. Remove all CDs and DVDs, and then Restart your PC from the “Start” menu.
2. Select one of the two options provided below:

For PCs with a single operating system: Press “F8” repeatedly after the first boot screen shows up during the restart of your computer. In case the Windows logo appears on the screen, you have to repeat the same task again.

For PCs with multiple operating systems: The arrow keys will help you select the operating system you prefer to start in Safe Mode. Press “F8” just as described for a single operating system.

3. As the “Advanced Boot Options” screen appears, select the Safe Mode option you want using the arrow keys. After making your selection, press “Enter”.
4. Log on to your computer using your administrator account.

While your computer is in Safe Mode, the words “Safe Mode” will appear in all four corners of your screen.

2. Remove Downloader.Picproot automatically with Spy Hunter Malware - Removal Tool.


It is highly recommended to run a system scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter.


Milena Dimitrova
