Home > Threat descriptions >



Category: Malware

Type: Trojan-Downloader

Aliases: Trojan-Downloader:W32/Exchanger, Trojan-Downloader.Win32.Exchanger


Trojan-Downloader:W32/Exchanger variants download additional malicious software onto the infected system.


To manually remove a Trojan-Downloader:W32/Exchanger infection, perform the following steps:

  • Open the Windows Task Manager by pressing the Ctrl + Alt + Delete keys and click the Task Manager button.
  • From the list of running processes, find CbEvtSvc.exe and then click the End Process button.
  • You may close the Task Manager once the malicious process is terminated.
  • From the Windows Start Menu, select Run, type regedit into the "Open:" field and then click OK.
  • From the Registry Editor, locate and delete the following keys if present:
    • HKLM\SYSTEM\CurrentControlSet\Services\CbEvtSvc
    • HKLM\SYSTEM\ControlSet001\Services\CbEvtSvc
    • HKLM\SYSTEM\ControlSet002\Services\CbEvtSvc
  • Delete the file called CbEvtSvc.exe located in the C:\WINDOWS\system32\ folder.
Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Once the trojan is executed it copies itself into the "system32" folder and starts itself from there as a service.The trojan also creates Windows registry entries to ensure that it is started every time the computer is started.Once running, Exchanger variants will attempt to contact a remote server in order to relay information about the infected machine. The server will reply with a list of URLs that point to malicious files to be downloaded.

File System Changes

Creates these files:

  • %windir%\system32\CbEvtSvc.exe
Process Changes

Creates these processes:

  • %windir%\system32\CbEvtSvc.exe
Registry Modifications

Sets these values:

  • HKLM\System\CurrentControlSet\Services\CbEvtSvc Type = 00000010 Start = 00000002 ErrorControl = 00000001 ImagePath = %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs DisplayName = CbEvtSvc ObjectName = LocalSystem Opt =
  • HKLM\System\CurrentControlSet\Services\CbEvtSvc\Security Security = \x01\x00\x14\x80\x90\[...]

Creates these keys:

  • HKLM\System\CurrentControlSet\Services\CbEvtSvc
  • HKLM\System\CurrentControlSet\Services\CbEvtSvc\Security