Terdot virus. How to remove? (Uninstall guide)
Terdot trojan steals social media credentials
Terdot is a banking trojan that emerged in the middle of 2016. The virus is a variant of Zeus trojan which source code was published online in 2011. However, in November 2017, researchers reported about an updated version of the trojan spreading via phishing emails.[1] Since then this malicious program steals social media and email credentials instead of banking data.
Terdot virus is designed as customized man-in-the-middle (MITM) proxy[2] that is capable of stealing Facebook, Twitter, YouTube and Google Plus data. Malware might post links to trojan download site on behalf of compromised accounts. Additionally, malware might attack few email services, such as Yahoo, Gmail, and Microsoft live.com login page.
However, the interesting fact is that Terdot trojan does not attack Russia’s biggest social media platform – VKontakte. Thus, it raises assumptions that developers might be from this country or Eastern Europe.
This complex cyber threat includes automatic update feature that gives attackers a change to execute new commands or download malicious files. Thus, it might be updated anytime. For this reason, it is recommended to remove Terdot as soon as you learn about the attack. Security experts warn that it might hard to delete the infection, but reputable security software, such as Reimage, should help to get rid of it.
Terdot virus is created to read browser traffic
To steal information from social networks, the trojan has to modify browser’s settings and inject specific code. Terdot malware redirects all traffic and connections to its proxy server. It means that it monitors user’s activities online by standing in the middle.
This activity might help trojan to modify data provided on the websites that user access and track sensitive information. All the collected data is uploaded to the Command and Control server. Moreover, it is reported that malware mostly affects Mozilla Firefox and Internet Explorer browsers.
The biggest threat of the malware is that it can generate its certificates for each visited websites. It means that it can easily bypass TLS restrictions and create its own Certificate Authority. Therefore, it doesn’t matter if your bank HTTPS protocol, Terdot can still see your login details and password.
The trojan might make numerous changes to the system and install harmful components. Thus, it’s better to avoid this cyber threat. However, in case you suffered from the attack, you should remove Terdot, inform your bank about this situation to block suspicious activities on your account and change your social networks or email passwords.
Select 'Safe Mode with Networking'
Select 'Enable Safe Mode with Networking'
Select 'Safe Mode with Command Prompt'
Select 'Enable Safe Mode with Command Prompt'
Enter 'cd restore' without quotes and press 'Enter'
Enter 'rstrui.exe' without quotes and press 'Enter'
When 'System Restore' window shows up, select 'Next'
Select your restore point and click 'Next'
Click 'Yes' and start system restore
Phishing emails with obfuscated PDF file spread data-stealing malware
Malware spreads via malicious emails. Researchers detected that Sundown Exploit Kit has been used for distributing emails with PDF file or icon. This component contains JavaScript code that activates trojan’s download process.
If a user clicks on a fake PDF file, he or she initiates a downloading process of the malicious payload. Due to virus complexity execution and installation of malicious components process is protected.
Email campaigns target customers of financial organizations and banks in Canada, the US, Australia, the UK,[3] and Germany. Among targeted institutions are PCFinancial, BMO, Desjardins, Royal Bank, Banque Nationale, Scotiabank, the Toronto Dominion Bank, CIBC and Tangerine Bank.
Targeted banks’ customers are advised to stay vigilant and do not rush opening emails that seem to be sent from the institution. Always double-check the information about the sender, look up for mistakes or missing credentials that would identify phishing email.
Terdot elimination instructions
The data-stealing trojan might be hard to get rid of. As you already know it might inject malicious codes into system processes that makes Terdot removal complicated. For this reason, we want to discourage you from manual elimination option.
It’s nearly impossible to delete trojan-related components manually. Thus, you should obtain a reputable malware-removal program (e.g. Reimage, Malwarebytes Malwarebytes or Plumbytes Anti-MalwareNorton Internet Security) and run a full system scan several times. If you cannot remove Terdot using security software because malware prevents from installing, updating or running it, please check the guide below.
To remove Terdot virus, follow these steps:
Remove Terdot using Safe Mode with Networking
If Terdot banking trojan prevents from running security software, follow these steps:
-
Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Safe Mode with Networking from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
-
Step 2: Remove Terdot
Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Terdot removal.
If your ransomware is blocking Safe Mode with Networking, try further method.
Remove Terdot using System Restore
Try to remove malware by using System Restore:
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
-
Now type rstrui.exe and press Enter again..
-
When a new window shows up, click Next and select your restore point that is prior the infiltration of Terdot. After doing that, click Next.
-
Now click Yes to start system restore.
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Terdot and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes Malwarebytes or Plumbytes Anti-MalwareNorton Internet Security
About the author
If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.
References
- ^ Tara Seals. Zeus Spawn 'Terdot' is a Banking Trojan with a Twist. Infosecurity Magazine. Information security and IT security news.
- ^ Bogdan Botezatu. Terdot: Zeus-based malware strikes back with a blast from the past. Bitdefender Labs. Latest cyber security news and malware analysis.
- ^ No Virus. No Virus. British security news.