Trojan:Downloader/Small.AJI is a malicious trojan-downloader that infiltrates Windows systems to silently retrieve and execute additional malware payloads from remote command-and-control servers. First documented in the mid-2000s malware wave, the Small.AJI variant belongs to the broader "Small" trojan family—a notorious collection of compact, obfuscated downloaders designed to establish a foothold on compromised machines and deliver more sophisticated threats like ransomware, spyware, or banking trojans. While this specific variant is older, variants from the Small family continue to circulate through bundled software, malicious email attachments, and drive-by downloads.

What makes Trojan:Downloader/Small.AJI particularly concerning is its stealthy operation: it runs silently in the background, consuming system resources while downloading and installing unknown payloads without your knowledge or consent. The trojan modifies Windows startup configurations to ensure persistence across reboots, making it difficult to eliminate without targeted removal procedures. Once active, your system becomes a platform for whatever additional threats the attackers choose to deploy—from information stealers that harvest passwords to cryptocurrency miners that degrade performance.

Think you're infected right now? Disconnect your computer from the internet immediately to prevent further payload downloads. Don't attempt online banking or enter passwords until the infection is cleared. Call Computer Repair Roswell at (770) 406-9357 for same-day malware removal, or bring your machine to our Roswell location—we're open six days a week and offer a 90-day warranty on all malware cleaning services.

Threat Profile

Attribute | Details
Threat Classification | Trojan-Downloader
Malware Family | Trojan:Downloader/Small (various AV vendors detect as Downloader.Small, Small.gen, TrojanDownloader:Win32/Small)
Common Aliases | Downloader.Small.AJI, TrojanDownloader:Win32/Small.AJI, Trojan.Downloader.Small.Gen, W32/Small.AJI
Targeted Platforms | Windows XP/Vista/7/8/10/11 (32-bit and 64-bit systems)
First Documented | Mid-2000s (variants of the Small family remain active)
Primary Distribution Methods | Email attachments, freeware bundles, fake codec installers, exploit kits, pirated software
Persistence Mechanisms | Registry Run keys, Startup folder entries, scheduled tasks, DLL injection into legitimate processes
Core Capabilities | Download and execute arbitrary payloads, establish C&C communication, disable security software, modify system configurations, create backdoor access
Typical File Size | 15-150 KB (small binary size is characteristic of this family—hence the name)
Common File Locations | %APPDATA%, %TEMP%, %LOCALAPPDATA%, Windows system folders (often uses randomized filenames)
Network Behavior | Establishes HTTP/HTTPS connections to remote servers for payload retrieval; may use hardcoded IPs or domain generation algorithms (known for the family)
Removal Difficulty | Moderate to High—requires safe mode operation, registry cleaning, and thorough scanning to ensure no secondary payloads remain

How It Spreads

Trojan:Downloader/Small.AJI primarily spreads through social engineering tactics that trick users into executing the malicious payload. The most common infection vector involves email attachments disguised as legitimate documents—invoices, shipping notifications, or urgent account alerts—that actually contain the trojan executable or a macro-enabled document that downloads it. These phishing campaigns often spoof recognizable brands or government agencies to lend credibility to the malicious message.

Software bundling represents another significant distribution channel for this threat. Free software downloads from third-party sites frequently package Trojan:Downloader/Small.AJI alongside seemingly legitimate applications. Users who rush through installation wizards without reading prompts may inadvertently agree to install "additional software" that turns out to be malware. Fake codec installers are particularly effective—users attempting to watch video content are prompted to download a "required codec" that's actually the trojan downloader.

The Small.AJI variant has also been observed in drive-by download campaigns, where compromised or malicious websites exploit browser vulnerabilities to silently install the trojan without user interaction. Outdated browsers, plugins, and operating systems are especially vulnerable to this automatic infection method.

  • Malicious email attachments: Fake invoices, shipping notices, tax documents, or business proposals with embedded executables or macro scripts
  • Freeware and shareware bundles: Legitimate-looking applications from download portals that include hidden trojan installers
  • Fake video codec prompts: Websites claiming you need to install a "codec" or "player update" to view content
  • Pirated software and cracks: Illegal downloads that bundle malware with game cracks, key generators, or pirated applications
  • Exploit kit campaigns: Compromised websites that silently exploit browser vulnerabilities to install the downloader
  • Malvertising: Malicious advertisements on legitimate sites that redirect to landing pages hosting the trojan
  • Removable media: USB drives and external storage infected with autorun scripts that launch the trojan

What It Does On Your Machine

Once executed, Trojan:Downloader/Small.AJI immediately attempts to establish communication with its command-and-control (C&C) infrastructure. The trojan contacts remote servers using hardcoded URLs or IP addresses, transmitting basic system information such as your operating system version, installed security software, and a unique infection identifier. This initial "check-in" allows the attackers to profile your system and determine which secondary payloads to deliver. The communication typically occurs over standard HTTP/HTTPS protocols, making it difficult to distinguish from legitimate web traffic without deep packet inspection.

The trojan's primary function is payload delivery. After receiving instructions from the C&C server, Small.AJI downloads additional malware components directly into memory or saves them to disk in temporary directories. These secondary infections vary widely depending on the attacker's objectives—you might receive ransomware that encrypts your files, information stealers that harvest banking credentials, cryptocurrency miners that consume system resources, or backdoor trojans that provide persistent remote access. The downloader family is particularly dangerous because you're not dealing with a single threat but rather a gateway for unlimited additional infections.

To ensure survival across reboots and avoid detection, Trojan:Downloader/Small.AJI modifies Windows configuration settings. The malware creates registry entries in Run and RunOnce keys, adds scheduled tasks, or places copies of itself in the Windows Startup folder. Some variants inject malicious code into legitimate system processes like explorer.exe or svchost.exe, allowing the trojan to operate with elevated privileges while hiding from casual inspection. You may notice performance degradation, unexpected network activity, or new processes running in Task Manager—though the small file size helps the malware maintain a relatively low profile.

The trojan may also attempt to disable or interfere with security software. Variants in the Small family are known to terminate antivirus processes, add exceptions to Windows Defender, or modify firewall rules to allow unrestricted network communication. This defensive evasion creates a window of opportunity for the malware to operate undetected while downloading and installing additional threats. Some variants even download updates to themselves, receiving new C&C addresses or enhanced capabilities from their operators.

Typical Trojan:Downloader/Small.AJI Artifacts
Executable Locations:
  %APPDATA%\Microsoft\{random-GUID}\svchost.exe
  %LOCALAPPDATA%\Temp\{8-char-random}.exe
  %TEMP%\install\setup_{random}.exe
  C:\Windows\system32\drivers\{randomname}.sys (driver variants)

Registry Persistence:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{RandomName}
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Update
  HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

Scheduled Tasks (common pattern):
  \Microsoft\Windows\{GUID}\Update_{random}

Network Indicators:
  Outbound connections to unknown IPs on ports 80, 443, 8080 (varies)
  # C&C domains change frequently; family uses domain generation algorithms

Manual Removal — Step by Step

01

Disconnect From the Network Immediately

Before beginning removal, disconnect your computer from the internet by unplugging the ethernet cable or disabling Wi-Fi. This prevents the trojan from downloading additional payloads, receiving new instructions from its C&C server, or exfiltrating stolen data. Work offline throughout the entire removal process until you're certain the infection is eliminated.

02

Boot Into Safe Mode With Networking

Restart your computer and boot into Safe Mode to prevent the trojan from loading its persistence mechanisms. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart, and press F5 for Safe Mode with Networking. Safe Mode loads only essential drivers and services, making it easier to identify and remove malicious processes that would normally run at startup.

03

Identify and Terminate Malicious Processes

Open Task Manager (Ctrl+Shift+Esc) and look for suspicious processes—unknown executables with random names, processes running from temporary folders, or multiple instances of system processes like svchost.exe with unusual parent processes. Right-click suspicious entries, select "Open file location," then note the path before terminating the process. Be cautious: legitimate Windows processes exist alongside malicious ones, so verify before terminating anything in System32 or Windows folders.

04

Remove Registry Persistence Entries

Press Windows+R, type "regedit," and navigate to the Run key locations where the trojan establishes persistence: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries pointing to the suspicious file locations you identified in Task Manager—especially entries with random names or pointing to AppData/Temp folders. Right-click and delete these entries. Also check HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows for the "Load" value, which should normally be empty.

05

Check Scheduled Tasks and Startup Folder

Open Task Scheduler (search for it in the Start menu) and examine the task list for suspicious entries—particularly those running executables from temporary directories or with random GUID-based names. Delete any tasks associated with the file paths you've identified as malicious. Also navigate to your Startup folder by pressing Windows+R and typing "shell:startup"—remove any shortcuts to the malicious executable. Repeat for the system-wide startup folder with "shell:common startup."

06

Delete the Trojan Files and Folders

Navigate to the file locations you identified earlier and delete the malicious executable and any associated folders. Common locations include folders within %APPDATA%, %LOCALAPPDATA%, and %TEMP%. If Windows prevents deletion because the file is "in use," the process may not have terminated fully—return to Task Manager and ensure you've ended all related processes. You may need to take ownership of certain folders or use the command prompt with administrator privileges to remove protected files.

07

Run a Comprehensive Malware Scan

Connect to the internet briefly (or use a separate clean device) to download Malwarebytes Free or another reputable anti-malware tool if you don't have one installed. Disconnect again, install the scanner, update its definitions offline if possible, then run a full system scan. The scan will detect not only the downloader but also any secondary payloads it installed. Remove all detected threats, even if they don't appear related—Trojan:Downloader/Small.AJI typically installs multiple additional infections that manual removal might miss.

08

Reset Browser Settings If Applicable

If the trojan delivered browser hijackers or adware as secondary payloads, reset your browsers to default settings. In Chrome, go to Settings → Advanced → Reset and clean up → Restore settings to their original defaults. In Firefox, navigate to Help → More Troubleshooting Information → Refresh Firefox. In Edge, go to Settings → Reset settings → Restore settings to their default values. This removes malicious extensions, changes to homepages, and modified search engines.

09

Change Your Passwords on a Clean Device

Because you don't know what secondary payloads were downloaded and executed, assume that any passwords entered on this machine may have been compromised. Use a separate, known-clean device (smartphone, tablet, different computer) to change passwords for critical accounts: email, banking, social media, and any work-related credentials. Enable two-factor authentication wherever possible for an additional security layer.

10

Reboot and Verify System Cleanliness

Restart your computer normally (not in Safe Mode) and reconnect to the internet. Immediately run another full system scan with your anti-malware tool to ensure nothing survived the removal process. Monitor Task Manager for several days, watching for suspicious processes or unexpected network activity. Check your startup programs (Ctrl+Shift+Esc → Startup tab) to ensure no new malicious entries have appeared. If you experience continued issues—unusual slowness, browser redirects, or security software alerts—the infection may not be fully removed.
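
The registry, scheduled-task and Startup-folder checks from steps 04 and 05, which step 10 asks you to repeat, can be run as one read-only pass. The PowerShell below is an added example, not part of the original guide or of any vendor tool; the function names Test-SuspectPath and New-Finding are made up for illustration, and it assumes that an autostart entry pointing into %APPDATA%, %LOCALAPPDATA% or %TEMP% deserves a manual look.

```powershell
# Read-only audit of the autostart locations from steps 04 and 05 (added example).
# It deletes nothing. A hit is a lead to verify, not proof: legitimate programs
# also start from AppData.
$roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Test-SuspectPath([string]$Command) {
    # True when the command line points into one of the user-writable roots.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($root in $roots) {
        if ($expanded.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

function New-Finding($Source, $Name, $Command, $Suspect) {
    [pscustomobject]@{ Suspect = $Suspect; Source = $Source; Name = $Name; Command = $Command }
}

$findings = @(
    # Step 04: Run keys for the current user and for all users.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            New-Finding $key $name $data (Test-SuspectPath $data)
        }
    }
    # Step 04: the "Load" value should normally be empty, so any content is flagged.
    $winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $load = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).Load
    if ($load) { New-Finding $winKey 'Load' $load $true }
    # Step 05: scheduled tasks whose action launches an executable.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            New-Finding "Task $($task.TaskPath)" $task.TaskName $cmd (Test-SuspectPath $cmd)
        }
    }
    # Step 05: per-user and system-wide Startup folders; shortcuts are resolved to
    # their targets, and a file dropped directly into the user folder is flagged.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        foreach ($file in Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue) {
            $target = $file.FullName
            if ($file.Extension -eq '.lnk') { $target = $shell.CreateShortcut($file.FullName).TargetPath }
            New-Finding $path $file.Name $target (Test-SuspectPath $target)
        }
    }
)

$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so that scheduled tasks created by other accounts are listed, and save the output before and after cleanup to compare the two.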

Prevention

  1. Exercise extreme caution with email attachments. Never open attachments from unknown senders, and verify unexpected attachments from known contacts before opening them—attackers frequently spoof sender addresses. Be especially wary of executable files (.exe, .scr, .bat) and Office documents with macros. When in doubt, contact the sender through a separate communication channel to verify legitimacy.
  2. Download software only from official sources. Avoid third-party download sites that bundle additional software with legitimate applications. Always download programs directly from the developer's official website or verified app stores. Read installation prompts carefully and choose "Custom" installation to deselect any bundled software you don't recognize or need.
  3. Keep your operating system and software updated. Enable automatic updates for Windows, your browsers, and plugins like Adobe Reader and Java. Most exploit-based infections target known vulnerabilities that patches have already fixed—staying current closes these security holes. Remove outdated software you no longer use, as unmaintained programs become security liabilities.
  4. Run reputable antivirus software with real-time protection. Install a trusted security suite and keep it updated with the latest definitions. Enable real-time scanning so threats are detected before execution. Windows Defender provides decent baseline protection if kept updated, but third-party solutions often offer additional features like behavior monitoring and ransomware protection.
  5. Enable Windows built-in security features. Turn on Windows Defender SmartScreen to block known malicious downloads, enable the firewall, and use User Account Control (UAC) to require approval before programs make system changes. These features provide defense-in-depth that makes successful infection more difficult.
  6. Be suspicious of codec and plugin prompts. Legitimate video sites use HTML5 and don't require special codec downloads. If a website claims you need to install something to view content, close the page immediately—it's almost certainly a malware distribution technique. Keep your media players updated through official channels only.
  7. Avoid pirated software and key generators. Illegal software downloads are frequently bundled with trojans, ransomware, and other malware. The "free" pirated application costs you far more when it compromises your system and data. Use free legitimate alternatives or pay for software from official sources.
  8. Implement the principle of least privilege. Don't use an administrator account for daily activities—create a standard user account for regular work and browsing. Malware running under a limited account has reduced ability to make system-wide changes or install persistence mechanisms. Only elevate to administrator privileges when necessary for legitimate software installation or system maintenance.

Our 90-Day Malware-Free Guarantee: When Computer Repair Roswell cleans your system of Trojan:Downloader/Small.AJI and associated infections, we stand behind our work with a 90-day warranty. If the same malware returns within three months, we'll re-clean your computer at no additional charge. We don't just remove the visible infection—we eliminate persistence mechanisms, check for secondary payloads, and verify system integrity before returning your machine.

Bring It In

Manual removal of Trojan:Downloader/Small.AJI can be time-consuming and risky if you're not completely confident in your ability to identify all components of the infection. Because this trojan serves as a delivery mechanism for additional malware, there's a strong possibility your system harbors multiple infections that require specialized detection and removal techniques. At Computer Repair Roswell, we see downloader trojans regularly, and we have the diagnostic tools and experience to thoroughly clean your system—not just remove the visible threat, but identify and eliminate every payload it installed.

Located in Roswell, Georgia, our shop offers same-day malware removal services with transparent flat-rate pricing—no surprises or hourly charges that escalate as the job takes longer. We'll scan your system with professional-grade tools, remove all detected threats, repair any system damage the malware caused, and verify that your computer is running cleanly before you take it home. Call us at (770) 406-9357 to discuss your situation, or stop by our shop Monday through Saturday—we're here to help restore your peace of mind and get your computer back to safe, reliable operation.