What is incognito.exe, How to remove incognito.exe


incognito.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: incognito
Filename: incognito.exe
Registry key:

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ADEEAF15-7FE8-DEDD-3FFF-4DF56EBB1DFB}

Command: c:\windows\system32\incognito.exe
CLSID: {ADEEAF15-7FE8-DEDD-3FFF-4DF56EBB1DFB}
Startup Type: Microsoft active setup
DDS Line:

mASetup: {ADEEAF15-7FE8-DEDD-3FFF-4DF56EBB1DFB} – c:\windows\system32\incognito.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ADEEAF15-7FE8-DEDD-3FFF-4DF56EBB1DFB}]
c:\windows\system32\incognito.exe

Description: trojan also known as Trojan.Win32.Buzus.dahy [Kaspersky Lab], Mal/Generic-A [Sophos]

How to remove: use Kaspersky virus removal tool or Windows Registry editor

This entry was posted on Thursday, January 28th, 2010 at 6:31 am and is filed under Microsoft active setup, Trojan. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

12 Responses to “What is incognito.exe, How to remove incognito.exe”

  1. Nick Says:
    February 17th, 2010 at 10:22 am

    Every time my computer starts Norton 2010 tells me there is an incognito.exe threat, but when I go to the User Registry location specified in your fix, I don’t see the file. I can’t find it, but it’s obviously on my system somewhere.

  2. admin Says:
    February 17th, 2010 at 10:29 pm

    Nick, make a search in registry. Probably you infected with an updated version of this trojan.

  3. Kaies Says:
    February 22nd, 2010 at 7:41 am

    When i see it running on Task manager i go to the file location, it seems to be located in the Tep internet files for me. I think its waiting for an acitivation. Everytime i remove it, it comes back again. My anti virus and anty spyware cant seem to find it and report no problems.

  4. Strephon Alkhalikoi Says:
    March 18th, 2010 at 2:04 am

    Folks, HijackThis isn’t going to fix this one. Go to Google, and download ComboFix instead. Run it, and incognito.exe will go away. I just had to do it tonight, so….

  5. Antares Says:
    April 1st, 2010 at 6:13 am

    I recently found many of my machines infected incognito.exe, but it was in %windir% (C:\windows). It placed itself inside the registry as a trusted application, and placed itself inside the startup. Sometimes there’s a hidden copy of the file in either %userprofile%\local settings\start menu\programs\startup or in Documents and Settings\all users\start menu\programs\startup. I used a live OS to be able to remove it, and later on – registry search to remove it.
    Nod32 Business edition did not find anything suspicious about it, and Spybot’s resident shield (TeaTimer) did not prevent it’s infiltration. Malware Bytes did not find anything suspicious about this file’s entries in the windows registry.
    It seemed to work “together” with wmiexecxz.exe, which I usuly find in %windir%\system32, which also added itself as a trusted app, as a debugger and in startup in the registry. The other file usualy flooded specific IP addresses with SYN packets, consuming most of the infected system’s resourses and making it a DDoS zombie.

  6. Mayuri Says:
    April 3rd, 2010 at 12:48 pm

    There is nothing with the name {ADEEA…} in HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ADEEAF15-7FE8-DEDD-3FFF-4DF56EBB1DFB}. Where in registry this string can be?

  7. admin Says:
    April 4th, 2010 at 7:31 am

    Probably your PC is infected with an updated version of this malware that uses a new classes id. Open HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ key, and then check all classes ids here.

  8. Louie Says:
    April 19th, 2010 at 10:56 pm

    Incognito.exe I think is indeed associated with wmiexecxz.exe, I have tried avira / AVG / a-squared /malwarebytes and comes up with nothing. Still it exist in my system and after 1 more try now using an activated kaspersky 2010. In 1 single full scan it eliminates incognito / wmiexecxz.exe and every associated process with it….. now i’m enjoying my pc again.. Tthis anti-virus really works on activated edition only………

  9. Adler Says:
    May 30th, 2010 at 6:01 pm

    I tried removing with malwarebytes and it said it couldn’t be removed and that file isn’t in the registery or system32 or anything help me!!!

  10. admin Says:
    May 31st, 2010 at 6:51 am

    Adler, please start a new topic in the Spyware removal forum (link below), i will help you.
    http://myantispyware.com/forum/spyware-removal-f4.html

  11. Jay Says:
    September 15th, 2010 at 7:43 am

    In safe mode search and delete sysdiag64.exe and incognito.exe
    also remove those from startup in msconfig
    search thru the registry for these and delete all the values corresponding to these names.
    reboot
    make sure u delete the cold folder from pen drive
    these steps fixed mine

  12. Geoff Says:
    September 22nd, 2010 at 8:24 am

    Kaspersky’s Virus Removal Tool works against this Trojan – takes a while to scan but it will remove the offending files/entries for you and its free to run (relies on uninstall after the scan and replacement with proper full AV software).

Leave a Reply