Click on screenshot to zoom
Danger level 6
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediatelly
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel


Topinambour is what cyber criminals use to unlock a door to an operating system. If the attackers find a way to infiltrate this infection, they can use it to download and execute various other infections, making a bigger mess. The attackers belong to the infamous Turla group, which goes by many different names. Some of them include Krypton, Snake, Venomous Bear, Waterbug, or WhiteBear. It is believed that the group comes from Russia, and it is pretty obvious that they are focused on attacking large entities, such as government agencies or international companies. They do not care to waste their time on individual Windows users because they have bigger fish to fry. Amongst the victims of Turla, we have the militaries of the US, Pakistan and India, a gaming company in South Korea, and even diplomatic agencies in Eastern Europe. The worst part is that no one has been able to stop these attacks for over a decade now, and the group continues to grow with new tools. In this report, we talk about the removal of Topinambour. However, note that if you need to delete this threat, it is likely that others exist too.

According to our malware researchers, there are several different versions of the devious Topinambour Trojan. JavaScript, .NET, and PowerShell versions have been discovered, and they can have unique characteristics. For example, we know that the PowerShell version specifically can capture screenshots to record sensitive data on the infected systems. In general, this infection is meant to open up backdoors, via which new infections could be let in, as well as exfiltrate sensitive information. Without a doubt, depending on the target of Topinambour, this could be extremely dangerous. For example, if the Trojan leaks sensitive military information, the entire nation’s security could be put at risk. By attacking companies, the attackers can stall production and cause great financial loss and, in extreme cases, general economic decline. Overall, because it can download and execute any file, as well as fingerprint the system, this Trojan is like a ticking bomb, and it must be dismantled immediately. Unfortunately, removing threats like this one is never an easy task.

Before we start discussing the removal of Topinambour, we need to look into the proliferation of this dangerous infection. According to our malware researchers, this infection is likely to employ legitimate and harmless installers to conceal itself, which is, without a doubt, the most clandestine way to spread this infection. The dropper of the Trojan is added to the legitimate installer, and it contains a .NET shell that the attackers can control using remote commands. The corrupted installer could be dropped anywhere on the computer, but it was dropped to the %TEMP% directory in our case. After successful execution, the infection installed itself to %LOCALAPPDATA%\VirtualStore\, and a scheduled task was created to support the file. Soon after that, the infection is meant to start downloading other malware modules, such as the KopiLuwak dropper, which, of course, is responsible for dropping more threats onto the operating system. Overall, although Topinambour appears to be used for the initial attack, it is not enough to delete it from the system. Most likely, many other threats await removal too.

If you are sure that you want to clean your operating system manually, the first thing you need to do is inspect your operating system for additional threats that must be removed too. Only then, will you be able to determine whether or not your chances at successfully cleaning the system are high. Inspecting the system manually is an incredibly difficult task, but you can install a legitimate malware scanner to take care of this part. The tool will determine whether or not you need to delete Topinambour along with other malicious infections. Most likely, you will. What should you do if you cannot remove them all by yourself? If that is the case, installing an anti-malware tool that can handle the situation is the best move. Obviously, since Topinambour is most likely to affect large networks of systems, the type of solution you come up with might depend on your security protocols and the processes applied by your security team. Ultimately, if you discover something strange, do not ignore it because it could always turn out to be a malicious infection in disguise.

Topinambour Removal

  1. Tap Win+E keys to launch Windows Explorer.
  2. Enter %LOCALAPPDATA%\VirtualStore\ into the field at the top.
  3. Right-click and Delete a malicious [unknown name].exe file.
  4. Enter %WINDIR%\System32\Tasks\ into the field at the top.
  5. Right-click and Delete any unfamiliar tasks.
  6. Delete the executable that carried the infection (in our case, it was dropped to %TEMP%).
  7. Empty Recycle Bin and then perform a full system scan once more to check for potential leftovers.
Download Spyware Removal Tool to Remove* Topinambour
  • Quick & tested solution for Topinambour removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.