QuantLoader Removal Guide

QuantLoader, or Quant Loader, is a serious infection that the users of Windows operating system need to take very seriously. When this malware invades the operating system, it downloads the FormBook Trojan that can erase and execute files (e.g., Zeus Panda), delete tracking cookies, update bots, launch commands, crash the systems, monitor the clipboard, and even record keystrokes. This devious threat could function in many different ways, and, unfortunately, it might be impossible to know exactly what kind of data it leaks from a system it invades. One thing is for sure, this infection is extremely clandestine, and the victim might not even know about its existence. Obviously, if your malware scanner or anti-malware tool detects it, you must remove FormBook immediately. You cannot forget to delete QuantLoader either because this is the threat that connects to the Internet without your permission and downloads and executes malware without you knowing anything about it too.

How is QuantLoader distributed? It appears that malvertising campaigns and mass spam email attacks are used for that in most cases. The infection could also be hidden is malware bundles available on malicious sites, but that is the less likely source in this case. If malvertising is used to drop malware, the RIG exploit kit is likely to be used for that, and few of the sites involved in loading the threat onto systems include pay-scale[.]us, filmsdays[.]top, and mymedicalcare[.]us. When it comes to spam emails, all users need to look out for messages with archive files (e.g., ZIP, RAR), DOC and XLS files with macros, and PDF files with tny.im links attached to them. Unfortunately, cyber criminals behind these spam emails can use deceptive messages and intriguing subject lines to catch the target’s attention. The subject lines could include your own name, as well as such strings as “new order,” “purchase order,” “shared a file,” “parcel,” or “inquiry.” Alleged order codes and parcel numbers could be included to make the messages appear more authentic. Without a doubt, opening any kind of spam emails sent by unknown senders is risky. If you do not let in a Trojan, you could let in a file-encrypting ransomware or any other kind of malware. So, if you receive a funny message, delete it right away. If you open it and the file attached to it, you might soon have to worry about the removal of QuantLoader.

When QuantLoader secretly slithers into the system, it creates a copy of itself to circumvent removal. In our case, it created a copy in the %APPDATA%\[unique name] folder, but this could change from one case to the next. Once the infection downloads FormBook, a copy is created for this Trojan too. For example, the file could be named “mfcgn2pl.exe”, and it could be placed in the %USERPROFILE% directory. The first letters in the name are interchangeable, and some other options include “ms,” “win,” “user,” “audiodg,” or “Cookies.” These are followed by five random characters and an extension at the end. This could be selected from these options: “.bat,” “.cmd,” “.com,” “.exe,” “.pif,” and “.scr.” These are the directories that the copy could be created in: %USERPROFILE%, %APPDATA%, %TEMP%, %ProgramFiles%, or %CommonProgramFiles%. Looking at the data regarding the infected systems, it appears that FormBook is primarily used by attackers targeting the US and South Korea companies, organizations, and government agencies. We are still researching the threat to see if it can affect regular users. The issue is that the FormBook Trojan can be utilized by anyone who is willing to pay some money. At the moment, an attacker can pay just $39 to use the infection for a week, and that is enough time to do some real damage. Obviously, you want to remove this malware regardless of who uses it.

Although it is clear that FormBook is the threat that we need to focus on, you must not forget to remove QuantLoader as well because this is the root of the problem. In fact, the root of all your security-related problems is the lack of virtual protection. It is high time you employed reliable security software that could ensure complete protection here on out. By installing it, you will be solving two issues, as all existing threats will be eliminated too. You will have FormBook and QuantLoader deleted along with other malicious threats that could be active without you knowing about them. Once the system is cleaned, you need to think about your virtual integrity. Change your passwords, keep an eye out on your banking accounts for unauthorized transactions, and be cautious about any suspicious activity.

How to delete QuantLoader

1. Simultaneously tap Win+E to access Windows Explorer.
2. Enter %APPDATA% into the bar at the top.
3. Delete the malicious {unknown name}.exe file that represents the Trojan (if you cannot find a file, look for a folder created by the infection where the file might be stored).
4. Find and Delete the original .exe launcher. It could be located in the %TEMP% and Downloads folders, on the Desktop, or any other location on your operating system.
5. Empty Recycle Bin and then perform a full system scan.

N.B. If you cannot find or recognize malicious QuantLoader components, install an automated malware remover instead of trying to clean the system manually because eliminating the wrong components could cause more problems.