Trojan:Win32/Lolbot.B is a multi-purpose backdoor trojan that grants remote attackers control over infected Windows systems. First documented in the late 2000s as part of the Lolbot family of backdoor trojans, this variant establishes persistent command-and-control communication channels that enable adversaries to execute arbitrary commands, download additional malware payloads, and exfiltrate sensitive information from compromised machines. While the original Lolbot variants primarily targeted online gaming credentials, the .B variant evolved to include broader data-theft capabilities and system manipulation features that make it a serious threat to both home and business environments.
This trojan operates silently in the background, often evading detection by lightweight antivirus solutions through process injection and rootkit-like techniques. Victims typically remain unaware of the infection until they notice unexplained network activity, performance degradation, or discover unauthorized access to online accounts. The malware's modular architecture allows attackers to customize its behavior post-infection, meaning the specific capabilities active on any given machine may vary considerably based on the attacker's objectives.
Threat Profile
| Threat Type | Backdoor Trojan |
| Family | Lolbot (variant B) |
| Common Aliases | Win32/Lolbot.B, TROJ_LOLBOT.B, Backdoor.Lolbot.B, Trojan.Lolbot!gen |
| Platforms Affected | Windows XP through Windows 11 (32-bit and 64-bit) |
| First Documented | 2008-2009 (Lolbot family); variant B emerged circa 2009-2010 |
| Distribution Methods | Exploit kits, malicious email attachments, drive-by downloads, software cracks, bundled with PUPs |
| Persistence Mechanisms | Registry Run keys, Windows services, scheduled tasks, process injection into legitimate system processes |
| Primary Capabilities | Remote command execution, keylogging, credential theft, payload delivery, process manipulation, file operations |
| Network Behavior | Establishes HTTP/HTTPS connections to C2 servers (varies by campaign); often uses non-standard ports and encryption to evade detection |
| Typical Artifacts | Random-named executables in %APPDATA%, %TEMP%, or System32; registry modifications; injected code in explorer.exe or svchost.exe |
| Data Targets | Browser-stored credentials, gaming account credentials (historically), FTP client passwords, email account details, system information |
| Removal Difficulty | Moderate to High (requires safe mode boot, registry cleaning, process termination, and thorough scanning) |
How It Spreads
Trojan:Win32/Lolbot.B relies primarily on deceptive distribution methods that trick users into executing the malware themselves. Unlike worms that spread automatically, this trojan requires user interaction at some point in the infection chain. The most common infection vector historically involved exploit kits that targeted unpatched vulnerabilities in web browsers, Java, Flash Player, and Adobe Reader. When users visited compromised or malicious websites, these exploit kits would silently download and execute the trojan without any visible warning.
In more recent years, as browser and plugin security has improved, attackers have shifted toward social engineering tactics. Malicious email campaigns remain particularly effective, with attackers disguising Lolbot.B droppers as invoice PDFs, shipping notifications, or urgent security alerts from banks and government agencies. The trojan is also frequently bundled with pirated software, key generators, and "free" versions of commercial applications distributed through torrent sites and file-sharing platforms.
Common distribution methods include:
- Malicious email attachments — ZIP archives containing disguised executables (.scr, .com, .pif extensions), Office documents with malicious macros, or weaponized PDFs
- Drive-by downloads — Compromised legitimate websites or malicious advertising networks that exploit browser vulnerabilities
- Software bundling — Included with free software installers, particularly those from unofficial download sites, where users click through installation screens without reading carefully
- Exploit kits — Automated attack frameworks (historically Blackhole, Magnitude, and similar kits) that scan for vulnerable software and deliver the payload silently
- Fake updates — Websites claiming your Flash Player, codec pack, or browser needs updating, offering a malicious executable disguised as a legitimate installer
- Removable media — USB drives and external hard drives that auto-execute the trojan when connected to Windows systems with AutoRun enabled
- Secondary payload — Downloaded by other malware already present on the system, serving as part of a multi-stage infection chain
What It Does On Your Machine
Once executed, Trojan:Win32/Lolbot.B immediately begins establishing persistence and concealing its presence. The initial dropper typically copies itself to a directory within the user profile or system folders, using a randomized filename that blends in with legitimate Windows files. Common locations include subdirectories of %APPDATA%, %LOCALAPPDATA%, or %PROGRAMDATA%, often with GUID-like folder names that appear system-generated. The trojan then modifies Windows Registry keys to ensure it launches automatically at system startup, typically targeting the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key or creating a scheduled task that triggers at user logon.
The malware's backdoor functionality becomes active shortly after installation. Lolbot.B establishes outbound connections to command-and-control servers, often using HTTP or HTTPS protocols over non-standard ports to avoid detection by basic firewall rules. This communication channel allows remote attackers to issue commands to the infected machine, effectively transforming it into a remotely-controlled bot within a larger botnet. The trojan implements various evasion techniques, including process injection into trusted Windows processes like explorer.exe or svchost.exe, making it difficult to identify malicious activity through Task Manager alone.
Information theft represents a core function of this variant. Lolbot.B typically includes a credential-stealing module that targets stored passwords in web browsers (Chrome, Firefox, Edge, Internet Explorer), email clients, FTP applications like FileZilla, and instant messaging software. The trojan scans for and exfiltrates saved login credentials, which are then transmitted back to the attacker's servers. Some variants include keylogging capabilities that record everything typed, capturing passwords and sensitive information even when they're not saved in applications. This data collection operates silently, with no visible indication to the user that their information is being harvested.
The modular nature of Lolbot.B means its behavior can be extended post-infection. Attackers can push additional modules or entirely separate malware payloads through the established backdoor channel. Infected systems have been observed downloading ransomware, cryptocurrency miners, additional spyware tools, and banking trojans after the initial Lolbot.B infection. The trojan may also modify system security settings, disable Windows Defender or other antivirus software, and block access to security-related websites to prevent users from downloading removal tools or seeking help online.
Manual Removal — Step by Step
Disconnect from the Internet Immediately
Unplug your ethernet cable or disable Wi-Fi to sever the trojan's communication with its command-and-control server. This prevents it from receiving new instructions, downloading additional payloads, or exfiltrating more data while you work on removal. Keep the system offline throughout the entire removal process.
Boot into Safe Mode with Networking
Restart your computer and repeatedly press F8 (Windows 7) or hold Shift while clicking Restart (Windows 8/10/11) to access the boot options menu. Select "Safe Mode with Networking" to load Windows with minimal drivers and services. This prevents most malware, including Lolbot.B, from loading automatically, giving you a cleaner environment to work in. Safe Mode with Networking allows you to download removal tools if needed.
Identify and Terminate Malicious Processes
Open Task Manager (Ctrl+Shift+Esc) and examine running processes carefully. Look for suspicious entries with random names, processes running from AppData or Temp folders, or multiple instances of system processes like svchost.exe with unusual memory usage. Right-click suspicious processes, select "Open File Location" to see where they're running from, then "End Task" if they appear malicious. Note the file locations for the next step.
Remove Registry Persistence Entries
Press Win+R, type "regedit" and hit Enter to open Registry Editor. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for entries pointing to suspicious executables in AppData, ProgramData, or Temp folders—especially those with generic names like "System Update" or random GUIDs. Right-click and delete any entries associated with the malware. Create a registry backup before making changes.
Check and Remove Scheduled Tasks
Open Task Scheduler (search for "Task Scheduler" in the Start menu) and examine the Task Scheduler Library, especially under Microsoft\Windows folders. Look for tasks with suspicious names, tasks that run executables from AppData or Temp folders, or recently created tasks you don't recognize. Right-click suspicious tasks and select Delete. Lolbot.B commonly creates tasks disguised as system maintenance or update functions.
Delete the Malware Files and Folders
Using File Explorer, navigate to the locations you identified in Step 3 (typically AppData\Roaming, AppData\Local, or ProgramData subfolders). Delete the entire folder containing the trojan executable. If Windows prevents deletion claiming the file is in use, you're either not in Safe Mode or didn't successfully terminate the process. You may need to take ownership of the folder first—right-click the folder, select Properties > Security > Advanced, change the owner to your user account, then try deleting again.
Run Malwarebytes and a Second-Opinion Scanner
Download and install Malwarebytes Free (while still in Safe Mode with Networking). Run a full system scan and quarantine everything it finds. After Malwarebytes completes, run a second scanner like Emsisoft Emergency Kit or Hitman Pro for a second opinion. Trojans like Lolbot.B often drop additional components that one scanner might miss. Let both scans complete fully even if they take several hours.
Reset Browsers and Clear Browser Data
If Lolbot.B stole browser credentials, it may have also installed malicious extensions or modified browser settings. Open each browser you use, go to Settings, and perform a full reset to default settings. Clear all browsing data including cached images, cookies, and saved passwords. After resetting, manually check for and remove any extensions you don't recognize or didn't intentionally install.
Change All Passwords from a Clean Device
Since Trojan:Win32/Lolbot.B steals credentials, assume all passwords stored in browsers or typed while infected are compromised. Using a different device (smartphone, tablet, or another computer), change passwords for email accounts, banking, social media, work accounts, and any other sensitive services. Enable two-factor authentication wherever possible to add an extra security layer.
Reboot Normally and Monitor System Behavior
Restart your computer into normal mode and reconnect to the internet. Monitor Task Manager, network activity, and system performance for the next few days. Run Windows Update to ensure your operating system and software are fully patched. Watch for unusual CPU usage, unexpected network connections, or a return of suspicious processes. If problems persist, the infection may have rootkit components requiring professional removal.
Prevention
- Keep Windows and all software updated. Enable automatic updates for Windows, and regularly update browsers, Java (or uninstall if not needed), Adobe products, and all other applications. Most Lolbot infections exploited known vulnerabilities that had available patches.
- Use reputable antivirus software with real-time protection. Windows Defender is acceptable for basic protection, but consider a more robust solution like Bitdefender, Kaspersky, or ESET that includes behavioral detection. Keep the antivirus updated and enabled at all times.
- Exercise extreme caution with email attachments. Never open attachments from unknown senders, even if they appear to be common file types like PDFs or Office documents. Hover over sender addresses to verify authenticity. When in doubt, contact the alleged sender through a separate channel to verify they actually sent the file.
- Download software only from official sources. Avoid third-party download sites, torrent sites, and "free" versions of commercial software. These are the primary distribution channels for bundled malware. Always download directly from the developer's official website or from the Microsoft Store for Windows applications.
- Disable AutoRun for removable media. Configure Windows to not automatically execute programs from USB drives or other removable storage devices. This prevents malware from spreading automatically when you connect external drives, which was a common Lolbot distribution method.
- Use a standard user account for daily activities. Create a separate administrator account for installing software and making system changes, but use a standard user account for web browsing and everyday tasks. This limits malware's ability to install itself system-wide or create persistence mechanisms requiring admin privileges.
- Enable a firewall and review outbound connection rules. Windows Firewall should be enabled at all times. Consider configuring it to prompt for permission when programs attempt outbound connections, which can alert you to malware trying to communicate with C2 servers.
- Regularly backup important data to offline storage. Maintain backups on external drives that are disconnected when not actively backing up, or use cloud services with versioning. If you do get infected with Lolbot.B or it downloads ransomware as a secondary payload, you can restore your data without paying criminals.
When Computer Repair Roswell removes malware from your system, that specific threat stays gone. We thoroughly clean the infection, patch vulnerabilities, and verify system integrity before returning your machine. If the same malware returns within 90 days, we'll re-clean your system at no additional charge. This guarantee reflects our confidence in our removal process and our commitment to your digital security.
Bring It In
Manual removal of Trojan:Win32/Lolbot.B requires technical knowledge, patience, and the right tools. Even following every step correctly, there's always a risk that rootkit components, injected code in system files, or secondary payloads remain hidden on your system. If you're uncomfortable working in the Registry, terminating processes, or don't have several hours to dedicate to the removal process, professional help is the smarter choice. One missed artifact can allow the infection to re-establish itself within hours of thinking you've cleaned it.
Computer Repair Roswell has removed hundreds of trojan infections from systems throughout the Roswell and North Fulton area. We use professional-grade tools not available to consumers, work in isolated environments to prevent re-infection, and verify system integrity with multiple scanning passes before returning your machine. Most trojan removals are completed within 24 hours, and our flat-rate pricing means no surprises. Call us at (770) 637-1435 or stop by our shop at 1365 Canton Road in Roswell—we're here Monday through Saturday and always happy to answer questions about infections, prevention, or anything else computer-related. Don't let a trojan compromise your personal information or business data when expert help is just a phone call away.