Trojan-Downloader:W32/Exchanger

Manual action

To manually remove a Trojan-Downloader:W32/Exchanger infection, perform the following steps:

• Open the Windows Task Manager by pressing the Ctrl + Alt + Delete keys and click the Task Manager button.
• From the list of running processes, find CbEvtSvc.exe and then click the End Process button.
• You may close the Task Manager once the malicious process is terminated.
• From the Windows Start Menu, select Run, type regedit into the "Open:" field and then click OK.
  
• From the Registry Editor, locate and delete the following keys if present:
  • HKLM\SYSTEM\CurrentControlSet\Services\CbEvtSvc
  • HKLM\SYSTEM\ControlSet001\Services\CbEvtSvc
  • HKLM\SYSTEM\ControlSet002\Services\CbEvtSvc
  Note: HKLM equals HKEY_LOCAL_MACHINE
• Delete the file called CbEvtSvc.exe located in the C:\WINDOWS\system32\ folder.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

• Check for the latest database updates

  First check if your F-Secure security program is using the latest updates, then try scanning the file again.

• Submit a sample

  After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

  Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

• Exclude a file from further scanning

  If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

  Note: You need administrative rights to change the settings.