Trojan-Downloader:W32/Exchanger variants download additional malicious software onto the infected system.
To manually remove a Trojan-Downloader:W32/Exchanger infection, perform the following steps:
- Open the Windows Task Manager by pressing the Ctrl + Alt + Delete keys and click the Task Manager button.
- From the list of running processes, find CbEvtSvc.exe and then click the End Process button.
- You may close the Task Manager once the malicious process is terminated.
- From the Windows Start Menu, select Run, type regedit into the "Open:" field and then
- From the Registry Editor, locate and delete the following keys if present:
- Delete the file called CbEvtSvc.exe located in the C:\WINDOWS\system32\ folder.
Once the trojan is executed it copies itself into the "system32" folder and starts itself from there as a service.The trojan also creates Windows registry entries to ensure that it is started every time the computer is started.Once running, Exchanger variants will attempt to contact a remote server in order to relay information about the infected machine. The server will reply with a list of URLs that point to malicious files to be downloaded.
File System Changes
Creates these files:
Creates these processes:
Sets these values:
- HKLM\System\CurrentControlSet\Services\CbEvtSvc Type = 00000010 Start = 00000002 ErrorControl = 00000001 ImagePath = %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs DisplayName = CbEvtSvc ObjectName = LocalSystem Opt =
- HKLM\System\CurrentControlSet\Services\CbEvtSvc\Security Security = \x01\x00\x14\x80\x90\[...]
Creates these keys: