Trojan-Downloader:W32/Exchanger variants download additional malicious software onto the infected system.
To manually remove a Trojan-Downloader:W32/Exchanger infection, perform the following steps:
Once the trojan is executed, it copies itself into the "system32" folder and starts itself from there as a service. The trojan also creates Windows registry entries to ensure that it is started every time the computer is started. Once running, Exchanger variants will attempt to contact a remote server in order to relay information about the infected machine. The server will reply with a list of URLs that point to malicious files to be downloaded.
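The behaviour chain described above (copy into system32, service start, registry autostart, outbound contact) can be hunted for by correlating endpoint events per binary. The following is an added example, not part of the original description: the event records are a simplified, constructed stand-in for Sysmon and Windows System log fields, and every host, file name and server in the sample is hypothetical.

```python
from collections import defaultdict
from ntpath import dirname, normcase

SYSTEM32 = normcase(r"C:\Windows\System32")
WINDOWS = normcase("C:\\Windows\\")
# Later stages: event kind -> (field holding the binary path, stage label).
LATER = {"service_install": ("image_path", "service"),   # e.g. System log event ID 7045
         "registry_set": ("details", "autostart"),        # e.g. Sysmon event ID 13
         "network_connect": ("image", "network")}         # e.g. Sysmon event ID 3

def exe_path(value):
    """Normalised executable path from a bare path or a quoted command line."""
    value = value.strip()
    exe = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]
    return normcase(exe)

def find_chains(events):
    """Return {(host, binary): stages} for binaries dropped into system32 and then installed as a service."""
    stages = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["time"]):
        host, kind = ev["host"], ev["event"]
        if kind == "file_create":  # e.g. Sysmon event ID 11
            target, writer = exe_path(ev["target"]), exe_path(ev["image"])
            # Stage 1: an .exe written directly into system32 by a process outside \Windows.
            if dirname(target) == SYSTEM32 and target.endswith(".exe") and not writer.startswith(WINDOWS):
                stages[(host, target)].add("dropped")
        elif kind in LATER:
            field, label = LATER[kind]
            key = (host, exe_path(ev[field]))
            if key in stages:  # only count stages that follow an observed drop
                stages[key].add(label)
    return {k: sorted(v) for k, v in stages.items() if {"dropped", "service"} <= v}

# Constructed sample events (hypothetical names; not indicators from this description).
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2024-01-10T09:00:01", "event": "file_create", "image": r"C:\Users\amy\Downloads\card.exe", "target": r"C:\Windows\System32\svcupd.exe"},
    {"host": "WS01", "time": "2024-01-10T09:00:02", "event": "service_install", "image_path": r'"C:\Windows\System32\svcupd.exe" -k'},
    {"host": "WS01", "time": "2024-01-10T09:00:03", "event": "registry_set", "details": r"C:\Windows\System32\svcupd.exe"},
    {"host": "WS01", "time": "2024-01-10T09:00:09", "event": "network_connect", "image": r"C:\Windows\System32\svcupd.exe", "dest": "updates.example.net"},
    {"host": "WS02", "time": "2024-01-10T10:00:00", "event": "file_create", "image": r"C:\Windows\System32\msiexec.exe", "target": r"C:\Windows\System32\vendoragent.exe"},
    {"host": "WS02", "time": "2024-01-10T10:00:01", "event": "service_install", "image_path": r"C:\Windows\System32\vendoragent.exe"},
    {"host": "WS03", "time": "2024-01-10T11:00:00", "event": "file_create", "image": r"C:\Users\bob\tool.exe", "target": r"C:\Windows\System32\helper.exe"},
]

if __name__ == "__main__":
    for (host, binary), seen in find_chains(SAMPLE_EVENTS).items():
        print(host, binary, seen)
```

Treating writers under `C:\Windows\` as benign is an assumption made to keep installer noise down in this example; tune it to the environment being monitored.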
Creates these files:
Creates these processes:
Sets these values:
Creates these keys: