Spyware Removal

Remove Todnab


What is Todnab and removal instructions

Todnab is a worm that spreads by copying itself to different locations on local hard drives. Once executed, the parasite installs itself on the system and runs a spreading routine, then runs its payload. Todnab terminates running antivirus software and security-related applications. It also disables the System Restore service and changes some screen saver and system settings. Furthermore, it opens a lot of non-malicious text files. Todnab runs on every Windows startup. It is also able to run in Windows Safe Mode.

Todnab manual removal:

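Kill processes:
bandotbrobot.exe, blaut.exe, ble'e.exe, eminem.exe, exblorer.exe, karyaku.exe, kerne123.exe, lsass.exe, servlogin.exe, shiemylova.exe, smahost.exe, smss.exe, winlogon.exe, winlogons.exe
Note: lsass.exe, smss.exe and winlogon.exe are also the names of genuine Windows system processes. Terminate only the copies running from the Bandot240482 directory given under "Exact file location".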
Delete registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\bandotoye
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsLogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LocalServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winexblorerxx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell\explorer.exe=%System%\Oobe\blaut.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\%System%\userinit.exe,%System%\Drivers\ble'e.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger=%System%\Drivers\ble'e.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell\=%System%\Oobe\blaut.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig=1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR=1
HKEY_CURRENT_USER\Folder\Shell\Sexxxxesexxxx
Delete files (at the locations given under "Exact file location"):
bandotbrobot.exe, blaut.exe, ble'e.exe, eminem.exe, exblorer.exe, karyaku.exe, kerne123.exe, lsass.exe, servlogin.exe, shiemylova.exe, smahost.exe, smss.exe, winlogon.exe, winlogons.exe, imstrong.dll, comand.com, ghost.com, cmd.pif, regedit.pif, ssmedia.scr
Delete directories:
C:\Sexxxxxesexxxxx
C:\Windows\Inf\Bandot240482
C:\Winnt\Inf\Bandot240482
Misc:
Exact file location:
comand.com, ghost.com - C:
bandotbrobot.exe - C:\Windows or C:\Winnt
blaut.exe - C:\Windows\System32\Oobe or C:\Winnt\System32\Oobe
ble'e.exe - C:\Windows\System32\Drivers or C:\Winnt\System32\Drivers
lsass.exe, smss.exe, winlogon.exe - C:\Windows\Inf\Bandot240482 or C:\Winnt\Inf\Bandot240482
eminem.exe, exblorer.exe, karyaku.exe, kerne123.exe, servlogin.exe, shiemylova.exe, smahost.exe, winlogons.exe, imstrong.dll, cmd.pif, regedit.pif, ssmedia.scr - C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32
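
Several of the listed names match genuine Windows processes, so a name alone is not enough to select a process or file for removal. The following is an added example, not part of the original page: it classifies a full image path against the exact locations listed above. The genuine System32 locations and the sample paths are assumptions constructed for illustration.

```python
import ntpath

# Name -> directory placement, copied from the "Exact file location" list above.
SYS = [r"C:\Windows\System", r"C:\Windows\System32", r"C:\Winnt\System32"]
PLACEMENT = [
    (["comand.com", "ghost.com"], ["C:\\"]),
    (["bandotbrobot.exe"], [r"C:\Windows", r"C:\Winnt"]),
    (["blaut.exe"], [r"C:\Windows\System32\Oobe", r"C:\Winnt\System32\Oobe"]),
    (["ble'e.exe"], [r"C:\Windows\System32\Drivers", r"C:\Winnt\System32\Drivers"]),
    (["lsass.exe", "smss.exe", "winlogon.exe"],
     [r"C:\Windows\Inf\Bandot240482", r"C:\Winnt\Inf\Bandot240482"]),
    (["eminem.exe", "exblorer.exe", "karyaku.exe", "kerne123.exe", "servlogin.exe",
      "shiemylova.exe", "smahost.exe", "winlogons.exe", "imstrong.dll", "cmd.pif",
      "regedit.pif", "ssmedia.scr"], SYS),
]
# Assumption (not from the page): the genuine Windows copies of these three
# names live directly in System32 and must not be killed or deleted there.
GENUINE = {"lsass.exe", "smss.exe", "winlogon.exe"}
GENUINE_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

def norm(path):  # Windows paths are case-insensitive and accept "/" or "\"
    return ntpath.normpath(path).lower()

LISTED_PATHS = {norm(ntpath.join(d, n)) for names, dirs in PLACEMENT
                for d in dirs for n in names}
LISTED_NAMES = {n for names, _ in PLACEMENT for n in names}

def classify(image_path):
    """Return 'todnab', 'genuine', 'review' or 'unlisted' for a full image path."""
    full = norm(image_path)
    folder, name = ntpath.split(full)
    if full in LISTED_PATHS:
        return "todnab"      # name and location both match the page
    if name in GENUINE and folder in GENUINE_DIRS:
        return "genuine"     # real system process: leave it alone
    if name in LISTED_NAMES:
        return "review"      # listed name in an unlisted place: inspect by hand
    return "unlisted"

# Constructed sample of process image paths, not taken from a real machine.
SAMPLE = [r"C:\Windows\System32\lsass.exe",
          r"C:\WINDOWS\inf\Bandot240482\lsass.exe",
          r"D:\tmp\eminem.exe", r"C:\Windows\explorer.exe"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{classify(p):9} {p}")
```

A "review" result is a listed name found outside the listed directories; since the worm copies itself to different locations, such files deserve manual inspection rather than automatic deletion.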

     
Copyright © SpywareDot 2004-2009| Spyware Removal.  All rights reserved.