|
Malware -
Harmful EXE
|
regsvr.exe is a file added by a trojan horse which may be installed without your knowing, after visiting malicious websites, It downloads the files from remote server and installs them. It also installs a commercial software called Ardamax Keylogger This article provides thorough detection and removal instructions. All the tools/ software mentioned in this article are freeware.
| Aliases: You can see a list of the aliases on this link | Delete Files: The places where regsvr.exe could be found is %System%\regsvr.exe, %Windir%\regsvr.exe, %Windir%\temp\regsvr.exe it deletes the following files
%System%\linkinfo.dll
creates a directory
%System%\28463
creates the following files, it has different variations 1) %Windir%\linkinfo.dll
%Windir%\regsvr.exe
%System%\regsvr.exe
%System%\svchost .exe
%System%\28463\svchost.001
%System%\28463\svchost.exe
%System%\drivers\cdralw.sys
%System%\setup.ini
%Windir%\Tasks\At1.job
%Windir%\Tasks\At2.job see report
2) %CommonPrograms%\Ardamax Keylogger see report %System% refers to the System folder. By default C:\Windows\System (in Windows 95/98/Me), C:\Winnt\System32 (in Windows NT/2000), or C:\Windows\System32 (in Windows XP and Vista).
%Windir% is C:\Windows or C:\Winnt
%CommonPrograms% is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP). | | View Hidden Files: Before you could delete regsvr.exe , and its associated files you need to search for them, and before doing that you need to enable to view hidden files and folders Click here to read more... | | Boot in safe mode: Sometimes you will not be able to delete a file even if you find it, in that case you should boot in safe mode and then try to delete it/ them. Click here to read more... | | End Process in the Task Manager: If you find regsvr.exe running in the Task Manager, you can select it and press End process button, that will help you to delete it from the hard disk later. Click here to read more... | Remove entry from Windows Startup: Look in the windows startup, by opening the system configuration utility and remove the entry of regsvr.exe if found. Click here to read more...
| | Unable to open Task Manager: If that happens, you can try these free tools to enable the task manager again. Click here to read more... | | Run CCleaner : If you manage to find regsvr.exe and associated files and delete it, even then there will be associated entries in the windows registry. If you run a free temp files/registry cleaner called CCleaner, that will help you to automatically clean the registry from the virus entries. Click here to read more... | Block the sites: Keep yourself protected by using a stadalone firewall software, you can see the logs of the firewall to see if there is any suspicious communication from your computer which you are not aware of. | | Run system file chekcer: Windows has a built in tool called system file checker. It scans the computer to see if any of the windows system files are corrupt/missing and replaces them with a good copy. you should run this tool so that it will replace the deleted/ modified system file. Click here to read more... | Delete the registry keys manually: If you are brave enough to do so. You can edit the registry by using the windows built in registry editor. Click here to read more... You can find the registry entries created by this malware on this link Best of Luck reference with permission from Threatexpert |
|
