Trojan:Win32/Agent.EQ is a generic detection name used by Microsoft Defender and other antivirus engines to identify a family of trojan programs that operate as downloaders and information stealers. This classification encompasses numerous variants that share common behavioral patterns—establishing persistence on infected systems, communicating with remote command-and-control servers, and downloading additional malicious payloads. The "Agent" designation indicates its role as an agent for further compromise, while the ".EQ" suffix is simply a variant identifier within Microsoft's detection taxonomy.

Trojan:Win32/Agent.EQ — cybersecurity illustration
Photo by cottonbro studio on Pexels

First documented in the mid-2010s, this trojan family remains active today due to continuous repackaging and obfuscation by malware distributors. Infections typically manifest as unexplained system slowdowns, suspicious network traffic, or the sudden appearance of other malware families—since Agent.EQ variants frequently serve as the initial foothold for more destructive threats.

Think you're infected right now? Disconnect your computer from the internet immediately (unplug Ethernet or disable Wi-Fi). Do not perform any financial transactions or log into sensitive accounts until the machine is cleaned. Call us at (770) 954-1480 or bring your computer to our Roswell shop for same-day malware removal.

Threat Profile

Attribute Details
Malware Family Trojan-Downloader / Agent family
Aliases Win32/Agent.EQ, Trojan.Agent.EQ, Generic.Agent.EQ, Backdoor:Win32/Agent (varies by vendor)
Platform Windows (all versions; typically targets 32-bit processes but runs on 64-bit systems)
First Documented 2014–2015 (family continues to evolve)
Distribution Methods Malicious email attachments, drive-by downloads, exploit kits, bundled with pirated software
Persistence Mechanisms Registry Run keys, scheduled tasks, DLL injection into legitimate processes
Primary Capabilities Download and execute secondary payloads, keylogging (some variants), screenshot capture, credential harvesting, remote command execution
Network Behavior HTTP/HTTPS connections to C2 servers (often using hardcoded IPs or DGA-generated domains), uploads system information
Typical Artifacts Random-named executables in %APPDATA% or %TEMP%, mutex objects to prevent multiple instances, modified registry values in HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Data Exfiltration System fingerprinting data, saved browser credentials, clipboard contents (varies by variant)
Secondary Payloads Ransomware, banking trojans, cryptocurrency miners, adware toolbars (depends on attacker objectives)
Removal Difficulty Moderate—persistence mechanisms can regenerate the infection if not completely removed; secondary infections complicate cleanup

How It Spreads

Agent.EQ variants reach victim computers through multiple attack vectors, with email-based social engineering remaining the most prevalent. Attackers craft convincing messages impersonating shipping companies, banks, government agencies, or colleagues, attaching weaponized documents (typically Word or Excel files with malicious macros) or compressed archives containing the trojan executable. When the user opens the attachment and enables macros—or simply extracts and runs the executable—the infection begins.

Drive-by download attacks represent another significant distribution channel. Compromised legitimate websites or malicious advertising networks serve exploit kits that scan visitor browsers for unpatched vulnerabilities. When a vulnerable system is detected, the exploit kit silently downloads and executes the trojan without any user interaction. Websites offering pirated software, key generators, or "free" versions of commercial applications frequently bundle Agent.EQ variants with their downloads, banking on users' willingness to bypass security warnings for desired content.

Common distribution methods include:

  • Phishing emails with malicious attachments disguised as invoices, shipping notifications, tax documents, or job applications
  • Malvertising campaigns that redirect users to exploit kit landing pages through compromised ad networks
  • Software bundling with pirated applications, cracks, keygens, and "free download" utilities from untrustworthy sources
  • Trojanized installers for popular freeware distributed through third-party download sites rather than official sources
  • Worm-like propagation through removable drives (USB sticks) on some variants that copy themselves to external media
  • RDP brute-force attacks on exposed Remote Desktop Protocol connections with weak credentials

What It Does On Your Machine

Once executed, Agent.EQ immediately establishes persistence to survive system reboots. The trojan copies itself to a location where it's less likely to be noticed—typically a randomly named subfolder within %APPDATA%, %LOCALAPPDATA%, or %TEMP%—using a filename that mimics legitimate Windows processes or employs a random string of characters. It then creates registry entries under the current user's Run key or configures a scheduled task that launches the malware at system startup or user login.

After securing its foothold, the trojan initiates contact with its command-and-control infrastructure. It gathers basic system information (operating system version, installed antivirus software, computer name, IP address) and transmits this fingerprinting data to the attacker's server. Based on the response, the trojan downloads and executes additional malicious components. This modular approach allows attackers to customize the infection based on the victim's profile—corporate networks might receive banking trojans or ransomware, while home users might get adware or cryptocurrency miners.

Some Agent.EQ variants incorporate keylogging functionality, recording every keystroke to capture passwords, credit card numbers, and other sensitive information typed by the user. The collected data is periodically uploaded to the C2 server. Browser credential theft is another common capability, with the malware extracting saved passwords from Chrome, Firefox, Edge, and other browsers' credential stores. Many variants also monitor clipboard contents, watching for cryptocurrency wallet addresses to perform clipboard hijacking—replacing copied wallet addresses with attacker-controlled addresses so that cryptocurrency transfers get redirected.

Typical filesystem and registry artifacts: File locations (examples—actual paths vary by variant): C:\Users\[Username]\AppData\Roaming\{6F4A2B1C-9D8E-4A3F-B2C7-1E5D8A9F4B2C}\svchost.exe C:\Users\[Username]\AppData\Local\Temp\msupdate.exe C:\Users\[Username]\AppData\Local\[RandomString]\winlogon.exe Registry persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate = "[path to malware]" HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "[path to malware]" Scheduled task (may exist): Task Name: "Windows Update Check" or similar legitimate-sounding name Trigger: At user logon Action: [path to malware executable] Note: Filenames and GUID folder names are randomized per infection.

Manual Removal — Step by Step

01

Disconnect from the Internet

Immediately disconnect your computer from all networks. Unplug the Ethernet cable if wired, or disable Wi-Fi through the system tray or physical wireless switch. This prevents the trojan from receiving commands, downloading additional payloads, or exfiltrating stolen data while you work on removal.

02

Boot into Safe Mode with Networking

Restart your computer and boot into Safe Mode with Networking. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart, and select option 5. Safe Mode loads only essential drivers and services, preventing most malware from launching automatically and making it easier to remove.

03

Identify and Terminate the Malicious Process

Open Task Manager (Ctrl+Shift+Esc) and examine running processes. Look for suspicious entries with random names, processes running from unusual locations like %APPDATA% or %TEMP%, or unfamiliar executables consuming network bandwidth. Right-click suspicious processes, select "Open file location" to verify the path, then end the task. Note the file location for step 5.

04

Remove Registry Persistence Entries

Press Win+R, type "regedit" and hit Enter. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and examine each entry. Delete any values pointing to suspicious executables in %APPDATA%, %TEMP%, or GUID-named folders. Also check HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for system-wide entries. Exercise caution—legitimate programs also use these locations.

05

Delete the Malware Files and Folders

Using File Explorer, navigate to the locations you identified in step 3. Delete the malware executable and its containing folder (often a GUID-named folder in %APPDATA% or %LOCALAPPDATA%). Also check %TEMP% for recently created suspicious files. You may need to show hidden files and system files through Folder Options to see these locations.

06

Remove Malicious Scheduled Tasks

Open Task Scheduler (search for it in the Start menu). Review the Task Scheduler Library for tasks with suspicious names or those pointing to the malware file paths. Right-click and delete any tasks created by the trojan. Common disguises include "Windows Update Check," "System Maintenance," or random alphanumeric strings.

07

Scan with Malwarebytes and a Second-Opinion Scanner

Reconnect to the internet briefly, download Malwarebytes Free (from malwarebytes.com), install it, update definitions, and run a full Threat Scan. Let it complete and remove everything it finds. Follow up with a second scanner like Kaspersky Virus Removal Tool or HitmanPro to catch anything the first scan missed. Multiple scanners improve detection rates for trojan families with many variants.

08

Reset Browser Settings

If you use your browser for passwords or financial transactions, reset it to defaults to remove any injected scripts or malicious extensions. In Chrome/Edge, go to Settings → Reset settings → Restore settings to their original defaults. In Firefox, go to Help → More troubleshooting information → Refresh Firefox. You'll need to reconfigure preferences, but this removes trojan hooks.

09

Change All Important Passwords

From a known-clean device (not the infected computer yet), change passwords for critical accounts: email, banking, Amazon, PayPal, social media. Agent.EQ variants often include keyloggers or credential stealers, so assume anything typed on the infected machine was compromised. Enable two-factor authentication wherever possible for additional protection.

10

Reboot and Verify Clean Status

Restart your computer normally (not Safe Mode) and observe behavior. Check that no suspicious processes reappear in Task Manager, verify that startup items in Task Manager's Startup tab look legitimate, and run one more quick scan with Malwarebytes. Monitor your system for the next few days for unusual behavior, unexpected network activity, or performance degradation that might indicate incomplete removal.

Prevention

  1. Maintain skepticism with email attachments. Never open attachments from unexpected senders, even if they appear to come from known companies. Verify legitimacy through independent contact before opening anything claiming to be an invoice, shipping notice, or urgent document. Legitimate businesses don't send unsolicited executable files or macro-enabled documents.
  2. Keep Windows and all software fully updated. Enable automatic updates for Windows, browsers, Adobe Reader, Java, and other common applications. The majority of drive-by download attacks exploit known vulnerabilities that have available patches—keeping software current closes these attack vectors.
  3. Download software only from official sources. Obtain programs directly from the developer's website or Microsoft Store, never from third-party download portals, torrent sites, or "free software" aggregators. Avoid pirated software entirely—the savings aren't worth the malware risk, and you're violating licensing agreements.
  4. Use reputable antivirus software and keep it updated. While no antivirus catches everything, a quality security suite (Windows Defender, Bitdefender, Kaspersky, Norton) provides a valuable defense layer. Ensure real-time protection is enabled and definitions update automatically. Supplement with periodic scans using Malwarebytes.
  5. Disable macros in Office documents by default. Configure Microsoft Office to disable macros or prompt before enabling them. Most legitimate documents don't require macros, so if a document asks you to "enable content" or "enable editing," treat it with extreme suspicion unless you specifically requested that file from a trusted source.
  6. Implement proper backup procedures. Maintain regular backups of important data to an external drive or cloud service. Since Agent.EQ variants often download ransomware as a secondary payload, backups protect against both data loss and ransomware extortion. Test your backups periodically to ensure they're actually restorable.
  7. Use a standard user account for daily activities. Create a separate administrator account for software installation and system changes, but use a standard (non-admin) account for web browsing and email. This limits the damage malware can cause, as it inherits only the permissions of the account that launched it.
  8. Enable a firewall and monitor outbound connections. Windows Firewall (or a third-party alternative) should be active. For advanced users, consider a firewall that alerts on outbound connections from new programs, allowing you to catch trojans attempting to contact command-and-control servers.
Our 90-Day Warranty on Malware Removal
When Computer Repair Roswell removes malware from your system, we back our work with a 90-day warranty. If the same infection returns within 90 days, we'll clean it again at no additional charge. We don't just run a scanner—we manually verify persistence mechanisms are eliminated, check for secondary infections, and confirm your system is genuinely clean before returning it to you.

Bring It In

Manual malware removal can be time-consuming and risky if you're not certain about what to delete. One missed registry key or overlooked scheduled task means the trojan regenerates itself after the next reboot. Worse, Agent.EQ variants frequently download additional malware families—you might successfully remove the trojan itself while leaving behind a keylogger, ransomware, or cryptocurrency miner that wasn't detected. Our technicians have the experience and specialized tools to thoroughly clean infections, identify secondary payloads, and verify your system is genuinely secure.

Located in Roswell, Georgia, Computer Repair Roswell provides same-day malware removal service for both PC and Mac systems. We'll remove Trojan:Win32/Agent.EQ and any associated infections, repair any damage to system files or settings, and explain what happened so you can avoid reinfection. Call us at (770) 954-1480 or stop by our shop at [address]. Don't let a trojan compromise your personal information, financial accounts, or business data—bring your computer in today and let us get you back to safe, normal operation.