How to Remove Zr89YEwgl7.exe "Zr89" Spyware/Malware [Trojan:Win32/Wacatac.B!ml]

We may receive a commission for purchases made through some ads/links on this page A new data-stealing malware is on the loose! First repor...

Monday, March 15, 2021

What is CxUtilSvc.exe and How to Fix CxUtilSvc.exe Fan Speed Error on Windows

CxUtilSvc.exe Errors can affect your PC fan speed

CxUtilSvc.exe is a Conexant SmartAudio process designed to run on Windows computers. This file is not malware, however it can cause several Windows-related issues if it happens to malfunction or is overwritten. In this article, we will explain how CxUtilSvc.exe works and what to do if you notice a connection between this process and unusual fan activity on a Windows PC.

How CxUtilSvc.exe Works

Conexant Systems developed CxUtilSvc.exe as a service program to be supported by Windows OS. Both Conexant software and hardware is commonly used in PCs. CxUtilSvc.exe, otherwise known as the Conexant Utility Service, is associated with Conexant SmartAudio II, a program which allows user access to Conexant audio chipset settings.

If you know CxUtilSvc.exe is essential to your PC or Windows apps, avoid uninstalling it to prevent further problems.

File Info:

Name - CxUtilSvc.exe

Publisher - Conexant Systems, Inc

Version Used -

MD5 - 9a59df2ca690019fea3b265d5a7eb619

SHA1 - edcc7a48bd9cee92c792e91fb33e72589233a0e7

CxUtilSvc.exe Fan Speed-Related Error

Some Windows users have discovered a correlation between the Conexant Utility Service and strange fan activity. Symptoms of this problem include higher PC fan speeds while the mouse is being used and when the CxUtilSvc.exe program is active. Follow this step-by-step guide to diagnose and fix the problem.

Step 1 - Identify the CxUtilSvc.exe file location on your computer. You can do this by right-clicking on the application in Task Manager (Ctrl + Shift + Esc) and clicking “Open file location”. Alternatively, you can check the following directories: C:\Windows\System32, C:\Program Files\Conexant, and C:\Windows\CxSvc.

Download Malscope Antivirus to upgrade your Windows security

If you find the application under C:\Windows\System32, avoid uninstalling CxUtilSvc.exe as it may be essential to your computer system. If you fail to find CxUtilSvc.exe under any of the aforementioned directories but still see the file running as a process in Task Manager, it’s possible your computer has been infected by malware impersonating the Conexant Utility Service. Software impersonation is a common tactic used by malware developers to extend the lifetime of a virus on an infected PC.

Step 2 - Reinstall the Conexant SmartAudio driver. This can be done via the Device Manager, which can be opened by pressing the Windows key and “R” to open the Run Dialogue and entering “devmgmt.msc”.

Open the Device Manager to reinstall the Conexant SmartAudio driver

Once you’ve successfully run the Device Manager, find the “Audio inputs and outputs” tab and click it. Look for “Conexant SmartAudio” and right-click the text before selecting “Uninstall”. The driver should automatically reinstall the next time you restart your computer.

Step 3 - If CxUtilSvc.exe is still causing fan problems on your PC, try using Microsoft’s system file checker. First, open Command Prompt as an administrator by typing “CMD” in the Windows search box, and clicking “Run as administrator”.

Search for Command Prompt on Windows search to access the sfc tool

Then, click “Yes” and type “sfc /scannow”. This will execute the SFC (system file checker) tool on your PC. The scan may take some time, but if any Conexant Utility Service errors are identified they will be automatically repaired.

Defend your data with Opticole encryption

Step 4 - Uninstall the Conexant Utility Service application if the steps above did not resolve your PC fan error. Note: this should only be done if CxUtilSvc.exe is not essential to your computer. Begin by opening the control panel via the Windows search box.

Search for Control Panel on Windows Search to uninstall CxUtilSvc.exe

Click on “Uninstall a program” under “Programs” and find the “Conexant Utility Service” label. Select it and click “Uninstall”. This will remove the CxUtilSvc.exe app from your PC and hopefully fix any fan-related issues connected to it. Restart your computer to observe any changes.

Click on Uninstall a program under Control Panel to remove CxUtilSvc.exe

More Errors

Other problems associated with CxUtilSvc.exe include System Error notifications and corrupt application data. When approaching these errors, make sure CxUtilSvc.exe is up-to-date. You can check a file’s version by opening PowerShell (via Windows search) and typing “(Get-Command C:\Path\Of\File.exe).FileVersionInfo.FileVersion”. 

Open PowerShell to find file version

If you believe the CxUtilSvc.exe file on your computer is illegitimate, in other words, if you think you're dealing with another program impersonating the Conexant Utility Service, you can always verify the file by calculating a checksum and comparing it to the hashes listed above.

Monday, March 1, 2021

How to Remove Calimalimodunator [Trojan:Win32/Wacatac.DA!ml] + Complete Malware Analysis

Welcome to a complete removal guide for the calimalimodunator.exe virus (otherwise known as A954E0~1.EXE). This new spyware is specifically designed to steal user credentials and harvest sensitive browser data. An infection should be removed as soon as possible. Click here to skip directly to our removal guide.

Calimalimodunator or A954E0~1.exe harvested data

By making use of a dangerous arsenal of dropped dynamic link library files (DLLs), Calimalimodunator can change your system policies to compromise your environment and swipe data. Our malware analysis will reveal how Calimalimodunator runs its data-stealing operations on victim computers, how it executes dropped files, and how it can evade antivirus and investigation.

General Info:

Filenames - Calimalimodunator.exe,, SECURI~1.exe, A954E0~1.exe

Dropped Filenames - SECURI~1.EXE.dll, A954E0~1.EXE.dll, A954E0~1.EXE.id0, A954E0~1.EXE.id1, A954E0~1.EXE.id2, A954E0~1.EXE.nam, A954E0~1.EXE.til

Total File Size - 6,272,000 Bytes

Possible Malware Origin - Slovakia, Iran

File Hash:

SHA256 - a954e03d2300786bf77ab0caab269c05b75c34d62e0497979bfbb6919befcff5

SHA1 - dfccc553dd00dee74dc212373a82cae24e2648b5

MD5 - 03b1daa2ee50da70c70c779b7471f492

Librarie(s) Accessed (Windows) - kernel32.dll

Test Sample Used - Malware Bazaar

Variants (Disclaimer):

As is common with most malware targeting Windows machines in today’s world, the original Calimalimodunator file will likely join a large list of software variants designed by threat actors to make improvements to the existing source code. Our extensive malware testing analysis is based on the investigation of the test sample listed above. Since our research involves analyzing file properties and data profiles associated with the Calimalimodunator or A954E0~1.exe malware, our antivirus tool is highly likely to flag new variants and remove file systems changes made by those variants as well as the original sample. That being said, malicious variants may vary and exhibit unique behaviors as well as differing structures not listed in this report. Subscribe to this blog to be notified of any updates made on this page. 


Spyware viruses are usually designed to target highly-selective information on infected computers. Distribution methods for this type of malware often differ from those used by ransomware or other types. The Calimalimodunator variant we tested accesses browser data from Chrome. This means that Chrome users are an ideal target for the threat actors behind Calimalimodunator and that their distribution methods may capitalize on this fact.

Direct Download - During our virtual machine testing phase of the Calimalimodunator malware, no fake windows or popups were found, indicating that the virus was attempting to disguise itself as legitimate software. For this reason, it’s possible that Calimalimodunator was developed for a specific target or a group of targets that can be physically accessed. After execution, the software immediately drops its malicious files right into the application’s parent directory. From a victim’s perspective, these files would seem highly suspicious, and the malware would be more effective if it were to modify its environment in a carefully selected, hidden directory. If Calimalimodunator or A954E0~1.exe was transported via flash drive and executed directly on a target computer behind a wall of folders, it could operate largely undetected by the victim.

Malicious Websites - Buying websites to spread malware is a common distribution tactic for threat actors. Some sites can be bought with cryptocurrency, providing malware developers with relative anonymity when making their purchase. Some sites are also stolen for distribution purposes, especially those with serious vulnerabilities. It’s possible that Calimalimodunator itself is spread via malicious websites due to the fact that it makes requests to at least one recently registered website during its infection.


Upon execution, the Calimalimodunator virus immediately drops the following files into its parent directory: A954E0~1.EXE.dll, A954E0~1.EXE.id0, A954E0~1.EXE.id1, A954E0~1.EXE.id2, A954E0~1.EXE.nam, A954E0~1.EXE.til (filenames may vary). Most of these files are not immediately written to and their function is likely to store stolen data harvested from the host computer.


Calimalimodunator then uses PowerShell to write a bypass to the execution policy for a hidden, temporary dropped file. This allows the malware to run its own PowerShell scripts on the targeted system. Windows execution policy normally restricts these scripts from being executed, however, Calimalimodunator finds a way around this to continue its spyware operations. In addition to bypassing PowerShell execution policy, this malware also scans infected computers to identify antivirus engines, a function which allows Calimalimodunator to behave differently depending on its environment and avoid being studied by an antivirus program or the security analysts behind it.
Use Opticole to defend your computer data
When it comes to its data-stealing capabilities, Calimalimodunator selects a very particular browser to swipe information from: Chrome. The malware will scan through an infected computer’s Chrome log files to look for browser settings, internet history, cookies, and login data. If this information is sent back to threat actors, it could potentially place all of the victim's online accounts at risk of being hacked. Cookie stealing (or session hijacking), which involves swiping cookie data and injecting it on another computer to login using saved sessions, is a common tactic hackers use to break into emails. From a compromised email, hackers may then find sensitive banking information or reset some online passwords. For this reason, spyware is extremely damaging to victims and profitable for cyber-criminals. Calimalimodunator is also known to schedule tasks, meaning it can execute its own files or more malicious activities at preset times.
Calimalimodunator or A954E0~1.exe processes

Finally, Calimalimodunator or A954E0~1.exe also accesses the Windows registry during its infection and makes a connection request to the following address: hxxp://

This domain was registered this January in Hong Kong, and may be linked to Calimalimodunator’s operation, particularly the data transfer stage of its information-stealing endeavors. However, our testing did not confirm this and it is possible that the connection was formed to obfuscate other attempts at transferring data to the threat actor.


Removing the Calimalimodunator virus, A954E0~1.exe, or its other files and variants is very easy to do with the malware removal tool built into our antivirus app, Malscope. Differing removal methods may exist but the following steps are our tested instructions for Calimalimodunator malware removal:

1. Purchase or download the Malscope Antivirus from our webpage and unzip the installer. If you purchase a yearly plan, you can use the code “calimali” to get 30% off Malscope, an app that is equipped to detect Calimalimodunator along with its possible variants and highlight any malicious files it discovers. The discount code will expire in 30 days, so be sure to use it as soon as possible!
Malscope Antivirus website page

2. Run the “Malscope” app and enter the product key you received after your purchase (check your email). If you already have a product key, you may skip the purchasing steps and enter it now.
Enter product key on Malscope Antivirus (step 1)

Enter product key on Malscope Antivirus (step 2)

3. Wait for Malscope to set up its environment. Once controls for the app are loaded, you can begin removing the Calimalimodunator infection.

Malscope Antivirus app layout

4. Click the drop-down box under “Virus Removal” on Malscope to select a malware type to remove. Click “Calimalimodunator [Trojan:Win32/Wacatac.DA!ml]” and then press remove. If the Calimalimodunator virus is or was active on your computer, Malscope will automatically remove all dropped files and reverse damages to your system’s settings and execution policies.

Remove Calimalimodunator with Malscope Antivirus

5. If you downloaded Calimalimodunator.exe by mistake, be sure to scan the directory you saved it to with the “Scan Directory” button. This will prompt you to select a folder which you can click and wait for Malscope to scan. Malscope will automatically mark suspicious files and print them onto the usage log for you to read. You may then choose to delete the files either manually or through Malscope’s “Scan File Now” data removal option.

Select folder to scan with Malscope Antivirus


Since Malscope Antivirus is equipped with the ability to detect Calimalimodunator and its variants, we recommend using this tool to prevent an infection as well as removing it. Downloaded executable files should be regularly scanned with Malscope to ensure their safety.

Additional Notes:

-The Calimalimodunator malware was written in Delphi, a dialect of Object Pascal programming languages.

-The compilation system language of Calimalimodunator and A954E0~1 is Slovak, indicating that this virus likely originated from Slovakia.

-”Vsekdag” is the internal legal copyright name of the software used to run Calimalimodunator. This name may refer to a threat actor or malware author, as it has also been used in association with a more infectious spyware known as Calanilimodumator or m8kdtboA0T.exe.

-The image below is the app icon attached to the Calimalimodunator virus.

Calimalimodunator or A954E0~1.exe icon