dwm.exe removal

Symantec: Trojan.Senkrad

This is another Trojan on the loose that has been troubling quite a lot of systems recently acting as a system service. According to the Symantec threat analysis, the Trojan was first seen in the December of 2010. Like the other clever viruses, this one also adds a registry entry such that it cannot be stopped by the Windows firewall. This is where the Windows Security Updates come to help. If the computer has been updated earlier by the recent security updates provided by Microsoft, the Trojan could actually be prevented from even entering the target's system. The Trojan tries to fool the user by acting as a Windows service and hides its process by adding a thread to the Services.exe such that it cannot be seen as a threat to the user in the Task Manager. To achieve this, it modifies the registry rapidly and changes many settings. The user of the target's system has the vaguest idea about a Trojan running in his system. This is because, the Trojan doesn't even give him the clue that a malicious code is being executed in his system. It runs silently in the computer like the other services that do not make any noise and thus steals the information of the computer. It pings to a few servers to which this data is sent. The Trojan can run on all platforms of Windows except the Windows se7en because of the changes in the storage location of its system files. This one must be prevented as soon as possible in order to prevent further updation of the Trojan which can result in complete loss of information and may also lead to DDoS attacks. Follow the instructions given below to eliminate this Trojan completely from your system.

Manual instructions to remove dwm.exe:

  1. Lets begin with rebooting the system in the Safe Mode as usual. If you find any problems figuring out how to enable the Safe Mode, click here.
  2. Start with opening the Services.exe file. This can be done by typing "services.msc" in the Run box.
  3. Among the various services displayed to you, search for the service "IpSectPro" and stop it if it is still running. Disable it so that it doesn't continue running in the next startup. Close the Services after doing this. 
  4. The instructions displayed above are enough for preventing the virus from running. However, the virus must be removed from the system just to be safe. Open the MS configuration by typing "msconfig" in the Run box. Tab to Startup and uncheck any boxes that relate to the words " IpSectPro" or "dwm.exe" or "Security" or "darkness".  Most probably, none of these words would be present in the MS configuration but if in case, the Trojan was updated, this could be a possibility.
  5. Now open the Registry Editor by typing "regedit" in the Run box. Navigate to the location


    Delete the darkness key. This was created by the Trojan to run itself in the form of a thread under the Services.exe process. Now go to

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications List

    Here, delete the key containing the following information

    "\" = "%System%\dwm.exe:*:Enabled:KL"
  6. Now its time to delete the main files of the virus. For this navigate to the following folders and delete the files given below


    These are the locations of the Trojan from where the thread is launched. Once you delete these files, all the associations related to the Trojan are removed.
  7. The instructions might have been a little difficult to follow but you can relax now. The virus has been deleted.

Posts that might help you here:
Enabling Safe Mode booting, enabling the Registry, Enable Windows Task manager , Enable Hidden files and folders option and enabling the Command Prompt.
Get the best security software for your compter here!

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme