Satiloler.e manual removal:
Kill processes:
ctfmon.exe, lsass.exe, tml_[X].exe, userinit.exe
Delete registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\system
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=%System%\init.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\system
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable=FFFFFF9D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan=0
HKEY_CURRENT_USER\Software\ver
HKEY_CURRENT_USER\Software\vs
HKEY_CURRENT_USER\Software\Microsoft\x
Delete files:
ctfmon.exe, lsass.exe, tml_[X].exe, userinit.exe, init.dll, sfc.dll, sfc_os.dll, xvid.dll, ip.sys, divx.ini, xvid.ini, b.reg, bkup.reg
Misc:
[X] is a combination of random characters.
The divx.ini file contains stolen data.
Exact file location:
b.reg, bkup.reg - C:
tml_[X].exe - C:\Windows\Temp or C:\Winnt\Temp
lsass.exe - C:\Program Files\Common Files\System
ctfmon.exe, userinit.exe, init.dll, sfc.dll, sfc_os.dll, xvid.dll, divx.ini, xvid.ini - C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32
ip.sys - C:\Windows\System\Drivers, C:\Windows\System32\Drivers or C:\Winnt\System32\Drivers
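Added example, not part of the original removal notes: a triage helper that checks a file listing from a suspect host against the name and location pairs above, so that lsass.exe in its normal System32 location is not confused with the copy under Common Files. The function name, the "match"/"verify" verdicts and the sample listing are constructed for illustration, and "C:" is read as the drive root.

```python
import re
from pathlib import PureWindowsPath

# Directories taken from the "Exact file location" list above (lower-cased).
SYSTEM = {r"c:\windows\system", r"c:\windows\system32", r"c:\winnt\system32"}
TEMP = {r"c:\windows\temp", r"c:\winnt\temp"}
DRIVERS = {d + r"\drivers" for d in SYSTEM}
COMMON = {r"c:\program files\common files\system"}
ROOT = {"c:\\"}  # the page lists "C:"; read here as the drive root (assumption)

RULES = {n: SYSTEM for n in ("ctfmon.exe", "userinit.exe", "init.dll", "sfc.dll",
                             "sfc_os.dll", "xvid.dll", "divx.ini", "xvid.ini")}
RULES.update({"lsass.exe": COMMON, "ip.sys": DRIVERS, "b.reg": ROOT, "bkup.reg": ROOT})
TML = re.compile(r"tml_.+\.exe")  # tml_[X].exe, [X] = random characters

# Windows ships genuine files with these names in System32, so a hit there
# needs a hash or signature check before anything is deleted.
SHARED_NAMES = {"ctfmon.exe", "userinit.exe", "sfc.dll", "sfc_os.dll"}

def triage(listing):
    """Return (path, verdict) for every listed path that matches the page."""
    hits = []
    for line in filter(None, map(str.strip, listing.splitlines())):
        p = PureWindowsPath(line)
        name, parent = p.name.lower(), str(p.parent).lower()
        if TML.fullmatch(name) and parent in TEMP:
            hits.append((line, "match"))
        elif parent in RULES.get(name, ()):
            shared = name in SHARED_NAMES and parent.endswith("system32")
            hits.append((line, "verify" if shared else "match"))
    return hits

# Constructed sample listing, in the shape `dir /s /b` produces.
SAMPLE = r"""
C:\Windows\System32\lsass.exe
C:\Program Files\Common Files\System\lsass.exe
C:\Windows\Temp\tml_a8f3.exe
C:\Windows\System32\userinit.exe
C:\WINDOWS\system32\drivers\ip.sys
C:\Windows\System32\divx.ini
C:\b.reg
C:\Users\demo\b.reg
"""

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE):
        print(f"{verdict:6}  {path}")
```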