
Infected with Regsvcs.exe Malware/Keylogger


This topic is locked. 2 replies to this topic.

#1 Gizmo7

  • Members
  • 2 posts

Posted 28 July 2017 - 02:39 PM

I managed to get this malware that reappears after every restart after being "removed". Need some help on fully removing it. I've attached the two requested log files; they were too large to paste.

 

Location of the file is C:\Users\[user]\RegSvcs.exe

Keylog file is under: C:\Users\[user]\AppData\Roaming\dclogs


Edited by Gizmo7, 28 July 2017 - 06:15 PM.



#2 Gizmo7

  • Topic Starter
  • Members
  • 2 posts

Posted 28 July 2017 - 06:12 PM

I've since fixed this. There was a hidden folder named "wmzf" with a VSR file "huqdsko.vsr" and another file I forget the name of. It was a hidden directory, but showing hidden files wasn't enough; you also have to show hidden operating system files. Deleting this hidden directory and the log directory, and then restarting, seemed to remove it completely.

 

So to summarize, if someone else encounters this exact issue:

 

  1. Go into File Explorer Options and show hidden folders; also, a bit below that, uncheck "Hide protected operating system files"
  2. Go to C:\Users\[yourusername]\
  3. Delete the "wmzf" folder, and delete RegSvcs.exe
  4. Go to C:\Users\[yourusername]\appdata\Roaming\dclogs
  5. Delete the dclogs folder
  6. Run Malwarebytes (it found 1 registry entry of DC3_XXXXXXXXX)
  7. Restart

 

After I did these steps my PC was no longer logging every action into the C:\Users\[yourusername]\appdata\Roaming\dclogs folder.

 

Good luck to anyone else, you can lock this thread now.


Edited by Gizmo7, 28 July 2017 - 06:14 PM.
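A triage script for the indicators listed in post #2, added here as an example (not from the original thread or its poster). It only reports; it deletes nothing. It assumes the "DC3_" registry entry Malwarebytes found lives under HKCU\Software or a Run key, which the thread does not state, and it only sees the current user's HKCU hive.

```powershell
# Added example: check every local profile for the file-system indicators from
# the thread and look for "DC3_*" names in assumed registry locations.
# Run from an elevated PowerShell prompt. Reports only; removes nothing.

$findings = @()

foreach ($profile in Get-ChildItem 'C:\Users' -Directory -Force) {
    $root = $profile.FullName
    # From the thread: dropped RegSvcs.exe at the profile root (the genuine
    # RegSvcs.exe lives under the .NET Framework directory, never here),
    # the hidden/system "wmzf" folder, and the dclogs keylog output folder.
    $paths = @(
        (Join-Path $root 'RegSvcs.exe'),
        (Join-Path $root 'wmzf'),
        (Join-Path $root 'AppData\Roaming\dclogs')
    )
    foreach ($p in $paths) {
        # -Force is required, otherwise hidden/system items are skipped.
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{
                Profile    = $profile.Name
                Indicator  = $p
                Attributes = $item.Attributes
                LastWrite  = $item.LastWriteTime
            }
        }
    }
}

# Assumed locations for the "DC3_*" entry; the thread only says Malwarebytes found one.
$hives = @('HKCU:\Software',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($h in $hives) {
    if (-not (Test-Path $h)) { continue }
    Get-ChildItem $h -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'DC3_*' } |
        ForEach-Object { $findings += [pscustomobject]@{ Profile = '-'; Indicator = $_.Name; Attributes = 'RegKey'; LastWrite = $null } }
    (Get-ItemProperty -Path $h -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -like 'DC3_*' } |
        ForEach-Object { $findings += [pscustomobject]@{ Profile = '-'; Indicator = "$h\$($_.Name)"; Attributes = 'RegValue'; LastWrite = $null } }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No indicators from the thread found.' }
```

Review each hit before deleting anything, and keep a copy of the dclogs folder if you need to know what was captured.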


#3 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,165 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 28 July 2017 - 07:59 PM

Thanks for the feedback.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!