confgldr.exe - Dangerous
confgldr.exe
Manual removal instructions:
Antivirus Report of confgldr.exe:
confgldr.exe
W32.Gaobot.gen!poly is a worm that attempts to spread through network shares with weak passwords and allows attackers to access
an infected computer using a specific IRC channel.
Allows an attacker to remotely control a compromised computer and perform any of the following actions:
- Download and execute files
- Steal system information
- Harvest email addresses
- Steal CD keys for various games
Also Known As: W32.HLLW.Polybot, Phatbot, W32/Polybot.l!irc [McAfee], WORM_AGOBOT.HM [Trend], Backdoor.Agobot.hm [Kaspersky]
Copies itself as one of the following files:
%System%\soundman.exe
%System%\confgldr.exe
%System%\spoolsvc.exe
Adds one of the following values:
"^`d}qZxu" = "~`d}qzxu3zYF"
"Configuration Loader"="confgldr.exe"
"Video Process"="sysconf.exe"
"Service Host Process"="spoolsvc.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Creates a service for the worm with one of the following names and sets it to automatically run on startup:
Configuration Loader, SoundMan, Service Host Process
Hides all the files that contain the word "soun."
May change the %System%\drivers\etc\hosts file with some lines.
Attempt to spread to other systems by exploiting vulnerabilities.
Ends processes associated with antivirus and firewall software.
Attempts to delete the files and registry values associated with other worms.
Use RegRun Startup Optimizer to remove it from startup.
| confgldr.exe | Malware |
| confgldr.exe | Dangerous |
| confgldr.exe | High Risk |
an infected computer using a specific IRC channel.
Allows an attacker to remotely control a compromised computer and perform any of the following actions:
- Download and execute files
- Steal system information
- Harvest email addresses
- Steal CD keys for various games
Also Known As: W32.HLLW.Polybot, Phatbot, W32/Polybot.l!irc [McAfee], WORM_AGOBOT.HM [Trend], Backdoor.Agobot.hm [Kaspersky]
Copies itself as one of the following files:
%System%\soundman.exe
%System%\confgldr.exe
%System%\spoolsvc.exe
Adds one of the following values:
"^`d}qZxu" = "~`d}qzxu3zYF"
"Configuration Loader"="confgldr.exe"
"Video Process"="sysconf.exe"
"Service Host Process"="spoolsvc.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Creates a service for the worm with one of the following names and sets it to automatically run on startup:
Configuration Loader, SoundMan, Service Host Process
Hides all the files that contain the word "soun."
May change the %System%\drivers\etc\hosts file with some lines.
Attempt to spread to other systems by exploiting vulnerabilities.
Ends processes associated with antivirus and firewall software.
Attempts to delete the files and registry values associated with other worms.
Use RegRun Startup Optimizer to remove it from startup.
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.
Since that time I work every day to fix the issues that antiviruses cannot.
If your antivirus have not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.