The Trojan's payload drops files, lowers Internet Explorer (IE) security settings, and modifies the Internet Explorer zone settings. Infection might have occurred when the user visited a malicious website. Removal involves the following steps:
- Disable System Restore
- Delete the files dropped by the worm that is EXPL_CPLNK.SMA.
- Restart the computer in Safe mode
- Select the "Search Hidden Files and Folders" checkbox under "More advanced options" to include all hidden files in the search results
- Delete the registry values
  - In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international
    - acceptlanguage=en-us
  - In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
    - svchost.exe=8888
  - In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    - maxhttpredirects=8888
  - In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    - enablehttp1_1=1
  - In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    - From: CurrentLevel=0 To: CurrentLevel=69632
  - In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    - From: 1601=0 To: 1601=1
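
Before editing the registry by hand, it helps to see which of the values listed above are actually present. The following read-only PowerShell audit is an added example, not part of the original removal instructions. It assumes the numeric data shown above is decimal and treats the "From" data as the state to flag; the function name `Test-ListedValue` is hypothetical.

```powershell
# Read-only audit of the registry values named in the removal steps (changes nothing).
# Assumptions: numeric data is decimal; the "From" data is the state to flag.
$root = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft'
$inet = "$root\Windows\CurrentVersion\Internet Settings"

# One entry per value on the page: key, value name, data to flag, listed remedy.
$checks = @(
    @{ Key = "$root\Internet Explorer\international"; Name = 'acceptlanguage'; Flag = 'en-us'; Action = 'delete value' }
    @{ Key = "$root\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION"; Name = 'svchost.exe'; Flag = '8888'; Action = 'delete value' }
    @{ Key = $inet; Name = 'maxhttpredirects'; Flag = '8888'; Action = 'delete value' }
    @{ Key = $inet; Name = 'enablehttp1_1'; Flag = '1'; Action = 'delete value' }
    @{ Key = "$inet\Zones\3"; Name = 'CurrentLevel'; Flag = '0'; Action = 'set to 69632' }
    @{ Key = "$inet\Zones\3"; Name = '1601'; Flag = '0'; Action = 'set to 1' }
)

function Test-ListedValue {
    param([hashtable]$Check)
    $found = $null
    # A missing key or value is reported as absent rather than raising an error.
    if (Test-Path -LiteralPath $Check.Key) {
        $props = Get-ItemProperty -LiteralPath $Check.Key -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains $Check.Name)) {
            $found = [string]$props.($Check.Name)
        }
    }
    [pscustomobject]@{
        Key     = $Check.Key -replace '^Registry::', ''
        Value   = $Check.Name
        Data    = if ($null -eq $found) { '<absent>' } else { $found }
        Flagged = ($null -ne $found) -and ($found -ieq $Check.Flag)
        Action  = $Check.Action
    }
}

$results = $checks | ForEach-Object { Test-ListedValue $_ }
$results | Format-Table -AutoSize -Wrap
$hits = @($results | Where-Object Flagged).Count
"{0} of {1} listed values match the data shown in the removal steps." -f $hits, $results.Count
```

Run it from an elevated prompt so the HKEY_USERS\.DEFAULT hive is readable; rows with `Flagged = True` are the ones the steps above apply to.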