regsvs.exe - Dangerous


Manual removal instructions:

Antivirus Report of regsvs.exe:
regsvs.exe Malware
regsvs.exeHigh Risk
W32.Gaobot.YN is a variant of W32.HLLW.Gaobot.gen that attempts to spread to network shares and allows access to an infected computer through an IRC channel.

The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001), using TCP port 445
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007), using TCP port 80

Allows unauthorized remote access.
Steals CD keys of several popular computer games.
Ends processes belonging to antivirus and firewall software.
Accounts with weak passwords; systems not patched against the DCOM RPC vulnerability or the RPC locator vulnerability.

Copies itself as %System%\regsvs.exe.

Adds the value: "Compatibility Service Process" = "regsvs.exe"
to the registry keys:

Opens a randomly selected TCP port to connect to an attacker.
Connects to a predefined IRC channel, using its own IRC client, and listens for the commands from an attacker.
Allows an attacker to remotely control a compromised computer, allowing him/her to perform any of the following actions:
- Manage the installation of the worm
- Dynamically update the installed worm
- Download and execute files
- Steal system information
- Send the worm to other IRC users
- Add new accounts

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.

Remove regsvs.exe now!

Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.

Since that time I work every day to fix the issues that antiviruses cannot.

If your antivirus have not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly, if you have any questions.


You can read UnHackMe testimonials here.