Anchor Removal Guide

Threat Level:
Rate this Article:
Comments (0)
Article Views: 1657
Category: Trojans

Cybersecurity experts think that Anchor is a malicious application that was created by hackers who are interested in financial gain. That is because the malware was noticed to be used in attacks on the Point of Sale or PoS systems. Also, it is believed that hackers are still updating the threat, which means there could be lots of versions of it. Further, in this article, we explain how such malicious applications might work, how they could enter a system, and other essential details. If you want to know how you could delete Anchor manually, you should have a look at the instructions located at the end of this article as soon as you read it. However, we should stress that they may not work and that if you want to be sure that the malware gets eliminated, you should use a legitimate antimalware tool.

FIN6 is a cybercrime group that is concentrated on hacking retailers and stealing payment information from the Point of Sale systems, which is why specialists believe it might be behind Anchor. The connection is even more possible considering that the malicious application in question might be spread with a newer version of TrickBot, which has been associated with FIN6 in the past. This also means that if you find Anchor on your system, it is likely that you have TrickBot as well.

Our researchers say that such threats can be distributed through Spam emails, malicious notifications, and so on. Researchers who investigated a few TrickBot attacks discovered that its victims received emails with links leading to files that appeared to be text documents hosted on Google Docs. For example, such files could be called Annual Bonus Report.doc. If opened, the malicious files should show a fake notification asking to update Microsoft Word and secretly drop the TrickBot downloader. It appears that after it is downloaded, it might drop Anchor.

To avoid such threats, we recommend being cautious with all files that come unexpectedly and from unknown sources. Instead of rushing to open such data, you should scan it with a reliable antimalware tool first. A scan may allow you to learn if a file has any malicious components. In case it does, your chosen antimalware tool, should warn you about it and help you get rid of the scanned data. Always remember that malicious files might look harmless, so you should never lose your guard even with text files or other documents, pictures, and so on.

There are a few known types of Anchor threats: Anchor, Old Anchor_DNS, and New Anchor_DNS. The first one was used in attacks that occurred in 2018, while DNS versions were discovered in 2019. It is said that they are still being updated and that more versions of them might show up. For example, the latest variant (New Anchor_DNS) does not have the self-deletion feature that both of the previous versions had. Nonetheless, unlike Anchor and Old Anchor_DNS, the new variant has obfuscated code. Also, researchers say that it can connect to its creator’s server to transfer data that it might obtain while staying on an infected device as well as download additional payload and receive commands.

Reports also say that Anchor might be able to avoid detection, which means noticing it on a system could be an impossible task. In case you do find it on your device, you could try to remove it manually while following the instructions located below, but we cannot promise that completing them will erase the malware. Thus, it would be safer to delete Anchor with a reliable antimalware tool.

Restart the device in Safe Mode with Networking

Windows 8 and Windows 10

  1. Press Win+I or go to the Start menu and click the Power button.
  2. Tap and hold Shift and click Restart.
  3. Select Troubleshoot and choose Advanced Options.
  4. Pick Startup Settings and press Restart.
  5. Click the F5 key and reboot the system.

Windows XP/Windows Vista/Windows 7

  1. Go to Start, press Shutdown options, and choose Restart.
  2. Press and hold the F8 key when your computer is restarting.
  3. Wait till the Advanced Boot Options window is loaded.
  4. Select Safe Mode with Networking.
  5. Press Enter and log on.

Get rid of Anchor

  1. Tap Win+E.
  2. Go to this location: %APPDATA%
  3. Search for a randomly named folder that should have a randomly named subfolder; inside of it you should find a malicious file called autoupdate#{random numbers}.
  4. Right-click the threat's folder and select Delete to remove all that it contains.
  5. Navigate to: %USERPROFILE%
  6. Locate a suspicious file that could belong to the malware, right-click it, and select Delete.
  7. Then check these directories:
  8. Look for a suspicious file that could belong to the threat, right-click it, and press Delete.
  9. Leave File Explorer.
  10. Tap Win+R.
  11. Insert Regedit and click OK.
  12. Go to this path: HKLM\SYSTEM\CurrentControlSet\Services\netTcpSvc\Parameters
  13. Locate a value name that might be called ServiceDll or similarly.
  14. Right-click it and press Delete.
  15. Leave Registry Editor.
  16. Empty Recycle bin.
  17. Reboot the device.
Download Remover for Anchor *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.


Your email address will not be published.


Enter the numbers in the box to the right *