Agent Tesla / Virus Removal Guide - Improved Instructions

Agent Tesla Removal Guide

What is Agent Tesla?

Agent Tesla is a dangerous Trojan used by criminals to collect banking information, logins, Wi-Fi passwords, and other credentials

Agent Tesla is a hybrid malware with keylogger, spyware, trojan, and RAT features included

Agent Tesla is a Trojan infection, which exhibits traits of an info-stealer, spyware, keylogger, and RAT[1]. Its history stretches back to 2014, when it was first introduced as a commercial project or remote access tool on the official download website. Despite attempts to prove legitimacy, a thorough analysis of this malware has shown that it exhibits malicious traits and is usually employed by criminals to steal credentials on the host machine.

Agent Tesla RAT is written in a Microsoft programming language and targets Microsoft Windows. Over the six years of its existence, this trojan has had silent and active periods, though it shows a strong tendency to persist and grow into a cyber threat that causes damage to business, manufacturing, and other public sectors, not only to random PC users.

At the end of April 2020, the cybersecurity community reported an attempted Agent Tesla attack on OPEC+ related companies based in the U.S., Malaysia, Iran, South Africa, Turkey, Oman, and The Philippines[2]. Using a well-prepared phishing email impersonating a shipping company's report, criminals push delivery_express.exe, which subsequently launches the Trojan and connects to the C2 server for commands.

The primary purpose of the Agent Tesla malware is to grant access to the victim's PC and steadily collect login details, passwords, credit card information, and other personally identifiable information. The data stealer is connected to the remote server continuously and, therefore, harvested data is directly transmitted to criminals. In addition, the latest variant is equipped with a variety of functions for stealing WiFi passwords[3] and extensive information about FTP clients, file downloaders, technical details of the infected machine, web browser information, and others. It is assumed that such information is sought in order to turn the trojan into a RAT that can compromise systems connected to the same wireless network.

Name: Agent Tesla
Launched in: 2014
Type of malware: Info-stealer trojan
Countries currently targeted: U.S., Malaysia, Iran, South Africa, Turkey, Oman, and The Philippines
AV detection: TrojanDropper:Win32/Scrop.7775a842, Trojan.GenericKD.31825418, Malware@#3lamjr6l2l59w, Trojan.Autoit (A), Trojan-Dropper.Win32.Scrop.uod, Artemis!89A43838A083, Troj/Inject-DYW, Trojan.Agent.FA, Trojan.TR/AD.Inject.ejntp[4]
Related files: Myfile.exe, RegSvcs.exe
Danger level: High. This trojan seeks to gain full access to the target system and subsequently harvest the most sensitive data, such as credit card details and passwords. It is capable of registering keystrokes and transmitting information to C2 server regularly. Besides, it accumulates system and WiFi information helping to initiate future attacks
Distribution: Agent Tesla can be downloaded from the official website paying a monthly/yearly subscription fee. However, random PC users are not very likely to use the service for everyday activities. Criminals are using malspam campaigns to spread bulk trojan payloads. Typically, spam emails contain .exe attachment that asks for the user's permission to open. The latest attack mimics a famous forwarder, contains tracking numbers, original logos, and other credentials that seem trustworthy
Symptoms: A trojan is a very deceptive infection, which runs silently in the system to prolong its persistence. In most of the cases, the system exhibits the following symptoms: high CPU consumption, error messages, longer boot period, unresponsive AV program or other security programs, fake websites on the web browser, etc.
Removal options: There is no way to remove Agent Tesla manually. Trojans have loads of supportive files that have to be terminated at once. For that, you need to boot into Safe Mode and enable a full scan with a professional AV engine.
Damage fix: It's important to restore the system to a state prior to virus infection. Take advantage of the FortectIntego optimization program.

Agent Tesla RAT is an extremely dangerous info-stealer, which has been distributed via massive malspam campaigns since 2014. Criminals prepare obfuscated attachments and append them to tricky email messages that are subsequently sent to random PC users. Based on the information collected, it seems that this virus spreads in disguise with the following spam emails:

  • Requests for urgent quotations;
  • New order excel sheets asking for permission to enable it;
  • Rogue TNT Express delivery notifications;
  • DHL Express tracking information;
  • Bank swifts for balance checking;
  • On-Demand delivery confirmations;

Opening an attachment grants Agent Tesla keylogger access to the system. Right after successful infiltration, the malware launches its payload and drops RegSvcs.exe process, which is responsible for enabling both RAT and keylogging functions. Criminals exploit vulnerabilities and start stealing the user's credentials, system-related information, and WiFi information.

Agent Tesla removal may be a difficult task to perform. There is no way to eliminate this data-stealing trojan as it attempts to gain administrative privileges and can disable Windows User Account Control, Task Manager, cmd.exe, msconfig.exe, Start menu items, and other functions. Besides, it is capable of causing regular shutdowns, preventing the victim from launching AV engines.

Agent Tesla spreads via malicious spam email attachment. The user has to give permission to open the attachment

Even though the above-mentioned activities may not be initially manifested, it may be difficult to detect and remove Agent Tesla because it replaces legitimate system files and keeps entries within C:\windows\system32\.

Manual Agent Tesla RAT removal is not possible in any way, experts stress[5]. It's critical to eliminate it as soon as possible to minimize the amount of data leaked. The longer the RAT remains on the system, the more credentials, system logs, and WiFi connections it can transmit to criminals. The safest way to get rid of it is to restart the system into Safe Mode and run a full system scan with a powerful anti-virus program.

Initiating active malspam campaigns the malware ranks second in most prevalent threats ranking of 2019

Agent Tesla RAT has been actively spreading since 2014 and has not lost ground to this day. It has been ranked second by Any.Run research and labeled as the most prolific virus of 2019. As the analysis has shown, cybersecurity researchers detected over 10,000 samples.

Moreover, it kept up this activity in March and April 2020. During these two months, experts revealed multiple malspam campaigns targeting not only regular users but also giant companies, such as OPEC and other oil and gas producers. It is common for trojans like Agent Tesla to aim for bigger businesses to make a larger profit.

The virus receives updates regularly and shifts its target. Currently, experts stress the tendency of this new Agent Tesla virus variant to steal WiFi passwords, VPN and FTP credentials, system registries, and similar. Such a shift raises anxiety since a focus on the WiFi module indicates that criminals plan to rearrange the info-stealer malware into a WiFi worm.

Agent Tesla is being distributed in the disguise of well-known companies, such as DHL, FedEx, Red-Cross, and similar

The Spyware.Agent.Tesla malware campaign detected by FortiGuard Labs misuses On-demand delivery notification from a freight forwarder. The notification says:



Your *** Express shipment with waybill number 6856686851 *** EXPRESS is on its way. We will require a signature at the same time of delivery.

The current estimated delivery is Mon 2 March by End of Day.

To view your delivery options, make a change or track your shipment, click here.


Waybill No

Delivery Address P.O.BOX 16199 AL-AIN UAE
Estimated Delivery Date Mon March 2
Delivery Time by End of Day
Thank you for using On Demand Delivery
*** Express – Excellence. Simply delivered.

This rogue email contains a *** Delivery Report.exe attachment, which, once clicked, asks for permission to edit. Granting permission enables the AutoIt executable, Exe2Aut, and myAut2Exe tools, which subsequently enable the malware.

Thus, make sure to update your security tool with the latest virus definitions so that it labels phishing emails as spam, blocks the *** Delivery Report.exe attachment due to its malicious traits, and detects the traffic (Spyware.Agent.Tesla) over which stolen information is sent.

Advanced malspam campaigns allow the trojan to attack thousands of unsuspecting users

The criminals behind this malware are taking advantage of malspam campaigns, which rely on botnets. Having a database of leaked email addresses, crooks launch catchy email messages and transmit them to thousands of users. Currently, the trojan is targeting Aerofox Foxmail, Claws Mail, Microsoft Outlook, Opera Mail, IncrediMail, Pocomail, Becky! Internet Mail, ICQ Transport, Mozilla Thunderbird, The Bat! Email, though others are not safe either.

Typically, spam emails come as order confirmations, delivery notes, invoices for payments, and similar. Crooks prepare them identical to well-known companies, such as DHL, TNT, FedEx, health care institutions, and similar. Spam will always contain an attachment in one of the following formats:

  • ZIP
  • CAB
  • MSI
  • IMG
  • Office document.

Unfortunately, these messages are really credible, and more gullible people can easily fall for opening them. Therefore, the way to keep the system safe from malware infections via spam emails is to ensure the full protection of the system. Typically, professional antivirus programs are offered in a pack with email filters, IPS services, and AV engines.
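The kind of attachment check an email filter applies to the formats listed above can be sketched as follows. This is an added example, not code from the article or from any product it names; the extension sets marked as assumptions, the reason strings, and the sample message with its inert payloads are constructed for illustration.

```python
"""Triage e-mail attachments for the carrier formats used in Agent Tesla malspam."""
from email import message_from_bytes, policy
from email.message import EmailMessage

CONTAINERS = {".zip", ".cab", ".msi", ".img"}        # formats listed in the article
EXECUTABLES = {".exe", ".scr", ".com", ".pif"}       # assumption: .exe and close relatives
DECOYS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}  # assumption
MACRO_OFFICE = {".docm", ".xlsm", ".pptm"}           # assumption: macro-enabled Office files

def classify(filename, payload):
    """Return the reasons (possibly none) an attachment should be held for review."""
    exts = ["." + part for part in filename.lower().strip().split(".")[1:]]
    last = exts[-1] if exts else ""
    reasons = []
    if last in EXECUTABLES:
        reasons.append("executable extension")
        if len(exts) > 1 and exts[-2] in DECOYS:
            reasons.append("double extension")
    if payload[:2] == b"MZ" and last not in EXECUTABLES:
        reasons.append("PE header under non-executable name")
    if last in CONTAINERS:
        reasons.append("container format, inspect contents")
    if last in MACRO_OFFICE:
        reasons.append("macro-enabled Office document")
    return reasons

def triage(raw_message):
    """Map each attachment filename in a raw RFC 5322 message to its reasons."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings[name] = classify(name, part.get_payload(decode=True) or b"")
    return findings

def build_sample():
    """Constructed message imitating the delivery-notice lure; payloads are inert bytes."""
    msg = EmailMessage()
    msg["From"] = "tracking@courier.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Your shipment is on its way"
    msg.set_content("To view your delivery options, see the attached report.")
    samples = [
        ("Delivery Report.exe", b"MZ" + b"\x00" * 62),
        ("Invoice.pdf.exe", b"MZ" + b"\x00" * 62),
        ("waybill.img", b"\x00" * 64),
        ("order.pdf", b"MZ" + b"\x00" * 62),   # executable header behind a document name
        ("notes.txt", b"plain text"),
    ]
    for name, data in samples:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in triage(build_sample()).items():
        print(f"{name}: {', '.join(reasons) or 'no finding'}")
```

Container formats are only flagged for inspection here; a production filter would unpack them and apply the same checks to the files inside.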

A guide on how to eliminate Agent Tesla RAT from the infected PC

As we have explained above, the info-stealer trojan, which features the traits of a keylogger and a RAT, is very dangerous and requires immediate removal. Agent Tesla removal may be very difficult since it can disable Task Manager, cmd.exe, msconfig.exe, Start menu items, and the antivirus program to hide its traces and prevent detection.

The sooner you remove Agent Tesla, the lower is the risk of exposing your credentials to criminals. The only way to get rid of it is to launch an AV scanner. It's very likely that you will not be allowed to launch it due to compromised processes and files, so you should restart the system into Safe Mode and try again. In case of a failure, try to download an alternative AV program while in Safe Mode. We recommend relying on tools like SpyHunter 5, Combo Cleaner or Malwarebytes.

Keep in mind that the latest variant of this trojan has the features of a RAT, meaning that it may spread via the WiFi network and affect PCs that are connected to the same network. A full guide on how to remove the Agent Tesla virus from Windows follows.


Getting rid of Agent Tesla. Follow these steps

Manual removal using Safe Mode

Those who cannot remove Agent Tesla because it disarmed the system should try rebooting the system into Safe Mode and enabling the idle AV engine.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal is best performed in the Safe Mode environment.

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
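Steps 2 and 3 rely on Task Manager, one of the tools this guide says the trojan can disable. The following added example (not part of the original guide) checks whether Task Manager, cmd.exe, Registry Editor or UAC have been switched off, assuming the tampering was done through the standard Windows policy registry values; the SAMPLE snapshot is constructed and is used when the script is not run on Windows.

```python
"""Report Windows policy values that disable Task Manager, cmd.exe, regedit or UAC."""
try:
    import winreg  # present only on Windows; the evaluation logic below works anywhere
except ImportError:
    winreg = None

POLICY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_CMD = r"Software\Policies\Microsoft\Windows\System"
# (hive, key, value name, values that mean "switched off", finding text)
CHECKS = [
    ("HKCU", POLICY_SYSTEM, "DisableTaskMgr", {1}, "Task Manager is disabled"),
    ("HKCU", POLICY_SYSTEM, "DisableRegistryTools", {1, 2}, "Registry Editor is disabled"),
    ("HKCU", POLICY_CMD, "DisableCMD", {1, 2}, "Command Prompt is disabled"),
    ("HKLM", POLICY_SYSTEM, "EnableLUA", {0}, "User Account Control is turned off"),
]

def evaluate(snapshot):
    """snapshot maps (hive, key, name) -> DWORD; return findings for tampered values."""
    findings = []
    for hive, key, name, bad_values, text in CHECKS:
        value = snapshot.get((hive, key, name))  # None: value absent, default applies
        if value in bad_values:
            findings.append(f"{text} ({hive}\\{key}\\{name} = {value})")
    return findings

def read_live():
    """Read the checked values from the running system (Windows only)."""
    if winreg is None:
        raise RuntimeError("live registry access requires Windows")
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for hive, key, name, _bad, _text in CHECKS:
        try:
            with winreg.OpenKey(hives[hive], key) as handle:
                snapshot[(hive, key, name)] = winreg.QueryValueEx(handle, name)[0]
        except FileNotFoundError:
            pass  # key or value not present
    return snapshot

# Constructed snapshot of a tampered profile (UAC left enabled).
SAMPLE = {
    ("HKCU", POLICY_SYSTEM, "DisableTaskMgr"): 1,
    ("HKCU", POLICY_CMD, "DisableCMD"): 2,
    ("HKLM", POLICY_SYSTEM, "EnableLUA"): 1,
}

if __name__ == "__main__":
    for line in evaluate(read_live() if winreg else SAMPLE):
        print(line)
```

On a domain-joined PC some of these values may be set deliberately by an administrator, so a finding is a reason to investigate rather than proof of infection.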

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Agent Tesla using System Restore

If the method with Safe Mode failed, then check if Command Prompt is working. If it does, then perform Agent Tesla removal by following these steps:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select your restore point that is prior to the infiltration of Agent Tesla. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Agent Tesla removal is performed successfully.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Agent Tesla and other ransomware, use a reputable anti-spyware tool, such as FortectIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.

How to prevent from getting trojans

Data backups are important – recover your lost files

Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.

While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.

About the author
Gabriel E. Hall - Passionate web researcher
