Spyware Removal

Remove Dagonit


What is Dagonit and removal instructions

Dagonit is a dangerous backdoor that gives the remote attacker full unauthorized access to the compromised computer. Once executed, the parasite enables specific system services (Telnet, Server, Terminal Services, Remote Desktop Help Session Manager) that allow remote users to connect to and control the system. Then it reconfigures related security settings and creates a user account. This account is used by the intruder to take over a control of the compromised system. Dagonit also deletes cached system files.

Dagonit manual removal:

Kill processes:
dalia2.exe, winspool.exe, wpap.exe
Delete files:
dalia2.exe, winspool.exe, wpap.exe, system.bat, dali.reg
Misc:
Disable and delete the user account called Service.

Dagonit modifies the values of the following registry entries to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Start=2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start=2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Start=2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start=2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\idleWinStationPoolCount=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TSAdvertise=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TSAppCompat=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TSEnabled=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TSUserEnabled=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core\EnableConcurrentSessions=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core\WinStations\RDP-Tcp\fEnableWinStation=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core\WinStations\RDP-Tcp\MaxInstanceCount=1

All Dagonit files can be found in the default system directory, which is one of the following: C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32.

      
Related Spyware Removal

 

 
Previous: DailyToolbar   Next: Dagger Trojan
| 1-9 | O | P | Q | R | S | T | U | V | W | X | Y | N | M | L | A | B | C | D | E | F | G | H | I | J | K | Z
Copyright © SpywareDot 2004-2009| Spyware Removal.  All rights reserved.