To remove this type of malware we follow a procedure that is common to this family of infections. First, disable System Restore and run a full system scan. Then remove the files dropped by the virus HTML_IFRAME.SMAX; they will be in the Application Data folder. When we scan using any anti-virus program it will download
Identify and delete the files detected as TSPY_ZBOT.XMAS using the Recovery Console, which requires a startup disc. Press R when prompted at boot time. Change to the drive with the command Cd "C:" (taken as an example), then go to the folder that holds the infected files using the same command. Delete the files with the command Del "filename".
Restore the modified registry values:
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  - From: Userinit = %System%\userinit.exe,%System%\sdra64.exe,
  - To: Userinit = %System%\userinit.exe,
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  - EnableFirewall = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
  - UID = {computer name}_{23645898}
- Protected Storage System Provider
- In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
  - {43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
  - {19127AD2-394B-70F5-C650-B97867BAA1F7}
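As an added example (not code from the original post), the PowerShell script below audits the two HKEY_LOCAL_MACHINE values listed above and restores them: it reports any entry in Userinit other than the real userinit.exe (the way sdra64.exe rides the logon chain), checks whether the dropped file still exists, and re-enables the firewall. It assumes administrative rights, that the clean Userinit value is the one shown above, and that "restoring" EnableFirewall means setting it back to 1; run it with -WhatIf to preview without changing anything.

```powershell
# Added example, not part of the original post. Audit/repair the Winlogon
# Userinit value and the firewall flag that the removal note says were modified.
# Assumes: Windows, administrative rights, clean Userinit = "<System>\userinit.exe,"
# and that re-enabling the firewall means EnableFirewall = 1.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$fwPolicy = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$system   = [Environment]::GetFolderPath('System')   # expands %System%, e.g. C:\WINDOWS\system32
$expected = "$system\userinit.exe,"                   # the clean value from the post

# 1. Userinit: every component after the real userinit.exe is suspicious.
$current = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$parts   = ($current -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
$extra   = $parts | Where-Object { $_ -notlike '*\userinit.exe' }
if ($extra) {
    Write-Warning "Unexpected Userinit entries: $($extra -join ', ')"
    foreach ($p in $extra) {
        $file = [Environment]::ExpandEnvironmentVariables($p)
        if (Test-Path -LiteralPath $file) {
            Write-Warning "Dropped file still present on disk: $file"
        }
    }
    if ($PSCmdlet.ShouldProcess($winlogon, "Restore Userinit to '$expected'")) {
        Set-ItemProperty -Path $winlogon -Name Userinit -Value $expected
    }
} else {
    Write-Host "Userinit is clean: $current"
}

# 2. Firewall: the post lists EnableFirewall = 0 as the modified value.
$fw = Get-ItemProperty -Path $fwPolicy -Name EnableFirewall -ErrorAction SilentlyContinue
if ($fw -and $fw.EnableFirewall -eq 0) {
    Write-Warning 'Windows Firewall (standard profile) is disabled in the registry'
    if ($PSCmdlet.ShouldProcess($fwPolicy, 'Set EnableFirewall = 1')) {
        Set-ItemProperty -Path $fwPolicy -Name EnableFirewall -Value 1 -Type DWord
    }
} else {
    Write-Host 'EnableFirewall is not set to 0'
}
```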