What is incognito.exe, How to remove incognito.exe

incognito.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: incognito
Filename: incognito.exe
Registry key:

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ADEEAF15-7FE8-DEDD-3FFF-4DF56EBB1DFB}

Command: c:\windows\system32\incognito.exe
Startup Type: Microsoft active setup
DDS Line:

mASetup: {ADEEAF15-7FE8-DEDD-3FFF-4DF56EBB1DFB} – c:\windows\system32\incognito.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ADEEAF15-7FE8-DEDD-3FFF-4DF56EBB1DFB}]

Description: trojan also known as Trojan.Win32.Buzus.dahy [Kaspersky Lab], Mal/Generic-A [Sophos]

How to remove: use Kaspersky virus removal tool or Windows Registry editor

12 Responses to “What is incognito.exe, How to remove incognito.exe”

  1. Nick Says:

    Every time my computer starts Norton 2010 tells me there is an incognito.exe threat, but when I go to the User Registry location specified in your fix, I don’t see the file. I can’t find it, but it’s obviously on my system somewhere.

  2. admin Says:

    Nick, make a search in registry. Probably you infected with an updated version of this trojan.

  3. Kaies Says:

    When i see it running on Task manager i go to the file location, it seems to be located in the Tep internet files for me. I think its waiting for an acitivation. Everytime i remove it, it comes back again. My anti virus and anty spyware cant seem to find it and report no problems.

  4. Strephon Alkhalikoi Says:

    Folks, HijackThis isn’t going to fix this one. Go to Google, and download ComboFix instead. Run it, and incognito.exe will go away. I just had to do it tonight, so….

  5. Antares Says:

    I recently found many of my machines infected incognito.exe, but it was in %windir% (C:\windows). It placed itself inside the registry as a trusted application, and placed itself inside the startup. Sometimes there’s a hidden copy of the file in either %userprofile%\local settings\start menu\programs\startup or in Documents and Settings\all users\start menu\programs\startup. I used a live OS to be able to remove it, and later on – registry search to remove it.
    Nod32 Business edition did not find anything suspicious about it, and Spybot’s resident shield (TeaTimer) did not prevent it’s infiltration. Malware Bytes did not find anything suspicious about this file’s entries in the windows registry.
    It seemed to work “together” with wmiexecxz.exe, which I usuly find in %windir%\system32, which also added itself as a trusted app, as a debugger and in startup in the registry. The other file usualy flooded specific IP addresses with SYN packets, consuming most of the infected system’s resourses and making it a DDoS zombie.

  6. Mayuri Says:

    There is nothing with the name {ADEEA…} in HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ADEEAF15-7FE8-DEDD-3FFF-4DF56EBB1DFB}. Where in registry this string can be?

  7. admin Says:

    Probably your PC is infected with an updated version of this malware that uses a new classes id. Open HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ key, and then check all classes ids here.

  8. Louie Says:

    Incognito.exe I think is indeed associated with wmiexecxz.exe, I have tried avira / AVG / a-squared /malwarebytes and comes up with nothing. Still it exist in my system and after 1 more try now using an activated kaspersky 2010. In 1 single full scan it eliminates incognito / wmiexecxz.exe and every associated process with it….. now i’m enjoying my pc again.. Tthis anti-virus really works on activated edition only………

  9. Adler Says:

    I tried removing with malwarebytes and it said it couldn’t be removed and that file isn’t in the registery or system32 or anything help me!!!

  10. admin Says:

    Adler, please start a new topic in the Spyware removal forum (link below), i will help you.

  11. Jay Says:

    In safe mode search and delete sysdiag64.exe and incognito.exe
    also remove those from startup in msconfig
    search thru the registry for these and delete all the values corresponding to these names.
    make sure u delete the cold folder from pen drive
    these steps fixed mine

  12. Geoff Says:

    Kaspersky’s Virus Removal Tool works against this Trojan – takes a while to scan but it will remove the offending files/entries for you and its free to run (relies on uninstall after the scan and replacement with proper full AV software).

Leave a Reply