January 18, 2011

Removal of Worm.TDSS.TX

The Trojan drops files, lowers Internet Explorer (IE) security settings and modifies the IE zone settings as its payload. Infection most likely occurs when a user visits a malicious website. Removal consists of the following steps:

  1. Disable System Restore, so that an infected restore point cannot bring the files back.
  2. Restart the computer in Safe Mode.
  3. In Windows Search, tick the "Search hidden files and folders" checkbox under "More advanced options" so that hidden files appear in the results.
  4. Delete the files dropped by the worm (detected as EXPL_CPLNK.SMA).
  5. Delete the registry values the worm added:

  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international
    • acceptlanguage=en-us
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
    • svchost.exe=8888
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • maxhttpredirects=8888
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • enablehttp1_1=1

 These keys live under HKEY_USERS\.DEFAULT, which is the LocalSystem account's profile rather than an interactive user's, so editing them requires administrative rights.

  6. Restore the modified values to their defaults:
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    • From: CurrentLevel=0   To: CurrentLevel=69632 (0x11000, the "Medium" security level for the Internet zone; IE7 and later default to Medium-High, 0x11500)
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    • From: 1601=0   To: 1601=1 (action 1601 is "Submit non-encrypted form data"; 0 allows it silently, 1 prompts the user)

  7. Finally, scan the computer with an up-to-date anti-virus program to remove any remaining components of the worm.
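The registry part of the procedure above can be audited and reverted from PowerShell instead of by hand in regedit. The script below is an added example and is not code from the original post; it only knows the values listed above, assumes the defaults the post gives (CurrentLevel 69632 and 1601=1), and must be run from an elevated prompt because HKEY_USERS\.DEFAULT is the LocalSystem account's hive. Run it without arguments to report, with -Remediate -WhatIf to preview changes, and with -Remediate to apply them.

```powershell
# Added example (not from the original post): audit and optionally clean up the
# HKEY_USERS\.DEFAULT values listed in the removal steps above.
# Assumes the defaults stated in the post (CurrentLevel 69632, 1601 = 1).
# Requires an elevated prompt; use -Remediate -WhatIf to preview first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

$hive = 'Registry::HKEY_USERS\.DEFAULT'

# Values the post says the worm adds; these are deleted outright.
# Registry value names are case-insensitive, so the casing here does not matter.
$dropped = @(
    @{ Key = "$hive\Software\Microsoft\Internet Explorer\International";                            Name = 'AcceptLanguage' },
    @{ Key = "$hive\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION"; Name = 'svchost.exe' },
    @{ Key = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings";                   Name = 'MaxHttpRedirects' },
    @{ Key = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings";                   Name = 'EnableHttp1_1' }
)

# Values the post says the worm changes; these are set back to the listed defaults.
$zone3 = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
$modified = @(
    @{ Key = $zone3; Name = 'CurrentLevel'; Expected = 69632 },  # 0x11000 = Medium (per the post)
    @{ Key = $zone3; Name = '1601';         Expected = 1 }       # submit non-encrypted form data: Prompt
)

function Get-RegValueOrNull {
    param([string]$Key, [string]$Name)
    try {
        # -ErrorAction Stop turns a missing key or value into an exception we can catch.
        return (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

$findings = @()

foreach ($v in $dropped) {
    $current = Get-RegValueOrNull -Key $v.Key -Name $v.Name
    if ($null -ne $current) {
        $findings += "PRESENT  $($v.Key)\$($v.Name) = $current"
        if ($Remediate -and $PSCmdlet.ShouldProcess("$($v.Key)\$($v.Name)", 'Remove value')) {
            Remove-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction Stop
        }
    }
}

foreach ($v in $modified) {
    $current = Get-RegValueOrNull -Key $v.Key -Name $v.Name
    if ($current -ne $v.Expected) {
        $findings += "CHANGED  $($v.Key)\$($v.Name) = $current (expected $($v.Expected))"
        if ($Remediate -and $PSCmdlet.ShouldProcess("$($v.Key)\$($v.Name)", "Set to $($v.Expected)")) {
            # Create the key if the worm (or a previous cleanup) removed it entirely.
            if (-not (Test-Path -Path $v.Key)) { New-Item -Path $v.Key -Force | Out-Null }
            Set-ItemProperty -Path $v.Key -Name $v.Name -Value $v.Expected -Type DWord
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the post found in HKEY_USERS\.DEFAULT.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

The script only checks the .DEFAULT hive named in the post; a full anti-virus scan is still needed for the dropped files and for any per-user hives.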
