January 5, 2011

How to Remove TSPY_ZBOT.XMAS Malware Manually

For removing these type of malware we need to follow certain procedure which will be common for this family of infections. First and foremost thing is to disable system restore and do a full system scan.Then we need to remove the files dropped by the virus HTML_IFRAME.SMAX. It will be in Application Data folder. When we scan using any anti-virus program it will download


Identify and delete files detected as TSPY_ZBOT.XMAS using either the Recovery Console which needs to have a startup disc. Press R when it shows at the boot time. Go to the directory by using the command Cd "C:" (taken as an example. Go to the folder that has the infected files by using the same command. Delete the files using the command Del "filename ".

Restore the modified registry value:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  • From: Userinit = %System%\userinit.exe,%System%\sdra64.exe, To: Userinit = %System%\userinit.exe, 
Delete  the following registry values:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • EnableFirewall = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
  • UID = {computer name}_{23645898} 
 In HKEY_USERS\.DEFAULT\Software\Microsoft
    • Protected Storage System Provider
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
    • {43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
    • {19127AD2-394B-70F5-C650-B97867BAA1F7}
Next step is to delete the files from the system files in system folder by typing %System%\lowsec in search box.After this we need to delete the host files that are below the local host file. After all these steps do a full system scan using good Anti-Viruses like Trend Micro, Norton etc. This will completely remove the virus.

0 comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...

Search This Blog

Followers

Categories

There was an error in this gadget
Twitter Delicious Facebook Digg Stumbleupon Favorites More