Severity scale:

(80/100)

Terdot virus. How to remove? (Uninstall guide)

removal by Linas Kiguolis - - 2017-11-17 | Type: Malware

11432 views

Special Offer

Terdot ransomware uses sophisticated techniques to infiltrate computers and hide from its victims. Use Reimage to determine whether your system is infected and prevent the loss of your files.
Download Reimage repair Download Reimage repair

More information about Reimage and Uninstall Instructions. Please review Reimage EULA and Privacy Policy. Reimage scanner is free. If it detects a malware, purchase its full version to remove it.

Terdot trojan steals social media credentials

The picture of Terdot virus

Terdot is a banking trojan that emerged in the middle of 2016. The virus is a variant of Zeus trojan which source code was published online in 2011. However, in November 2017, researchers reported about an updated version of the trojan spreading via phishing emails.^[1] Since then this malicious program steals social media and email credentials instead of banking data.

Terdot virus is designed as customized man-in-the-middle (MITM) proxy^[2] that is capable of stealing Facebook, Twitter, YouTube and Google Plus data. Malware might post links to trojan download site on behalf of compromised accounts. Additionally, malware might attack few email services, such as Yahoo, Gmail, and Microsoft live.com login page.

However, the interesting fact is that Terdot trojan does not attack Russia’s biggest social media platform – VKontakte. Thus, it raises assumptions that developers might be from this country or Eastern Europe.

This complex cyber threat includes automatic update feature that gives attackers a change to execute new commands or download malicious files. Thus, it might be updated anytime. For this reason, it is recommended to remove Terdot as soon as you learn about the attack. Security experts warn that it might hard to delete the infection, but reputable security software, such as Reimage, should help to get rid of it.

Terdot virus is created to read browser traffic

To steal information from social networks, the trojan has to modify browser’s settings and inject specific code. Terdot malware redirects all traffic and connections to its proxy server. It means that it monitors user’s activities online by standing in the middle.

This activity might help trojan to modify data provided on the websites that user access and track sensitive information. All the collected data is uploaded to the Command and Control server. Moreover, it is reported that malware mostly affects Mozilla Firefox and Internet Explorer browsers.

The biggest threat of the malware is that it can generate its certificates for each visited websites. It means that it can easily bypass TLS restrictions and create its own Certificate Authority. Therefore, it doesn’t matter if your bank HTTPS protocol, Terdot can still see your login details and password.

The trojan might make numerous changes to the system and install harmful components. Thus, it’s better to avoid this cyber threat. However, in case you suffered from the attack, you should remove Terdot, inform your bank about this situation to block suspicious activities on your account and change your social networks or email passwords.

The image of Terdot malware — Terdot virus started as a banking trojan, but currently, it steals social media credentials.

**Method 1. (Safe Mode method)**
Select 'Safe Mode with Networking'

**Method 1. (Safe Mode method)**
Select 'Enable Safe Mode with Networking'

**Method 2. (System Restore method)**
Select 'Safe Mode with Command Prompt'

**Method 2. (System Restore method)**
Select 'Enable Safe Mode with Command Prompt'

**Method 2. (System Restore method)**
Enter 'cd restore' without quotes and press 'Enter'

**Method 2. (System Restore method)**
Enter 'rstrui.exe' without quotes and press 'Enter'

**Method 2. (System Restore method)**
When 'System Restore' window shows up, select 'Next'

**Method 2. (System Restore method)**
Select your restore point and click 'Next'

**Method 2. (System Restore method)**
Click 'Yes' and start system restore

Slide 1 of 10

Phishing emails with obfuscated PDF file spread data-stealing malware

Malware spreads via malicious emails. Researchers detected that Sundown Exploit Kit has been used for distributing emails with PDF file or icon. This component contains JavaScript code that activates trojan’s download process.

If a user clicks on a fake PDF file, he or she initiates a downloading process of the malicious payload. Due to virus complexity execution and installation of malicious components process is protected.

Email campaigns target customers of financial organizations and banks in Canada, the US, Australia, the UK,^[3] and Germany. Among targeted institutions are PCFinancial, BMO, Desjardins, Royal Bank, Banque Nationale, Scotiabank, the Toronto Dominion Bank, CIBC and Tangerine Bank.

Targeted banks’ customers are advised to stay vigilant and do not rush opening emails that seem to be sent from the institution. Always double-check the information about the sender, look up for mistakes or missing credentials that would identify phishing email.

Terdot elimination instructions

The data-stealing trojan might be hard to get rid of. As you already know it might inject malicious codes into system processes that makes Terdot removal complicated. For this reason, we want to discourage you from manual elimination option.

It’s nearly impossible to delete trojan-related components manually. Thus, you should obtain a reputable malware-removal program (e.g. Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes) and run a full system scan several times. If you cannot remove Terdot using security software because malware prevents from installing, updating or running it, please check the guide below.

Offer

do it now!

Download
Reimage (remover) Happiness
Guarantee Download
Reimage (remover) Happiness
Guarantee

Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions

What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.

Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Alternative Software

Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Malwarebytes.

Download Malwarebytes Review »

Alternative Software

Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

Download Combo Cleaner Review »

To remove Terdot virus, follow these steps:

Remove Terdot using Safe Mode with Networking

If Terdot banking trojan prevents from running security software, follow these steps:

Step 1: Reboot your computer to Safe Mode with Networking

Windows 7 / Vista / XP
1. Click Start → Shutdown → Restart → OK.
2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
3. Select Safe Mode with Networking from the list
Windows 10 / Windows 8
1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
Step 2: Remove Terdot

Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Terdot removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Terdot using System Restore

Try to remove malware by using System Restore:

Step 1: Reboot your computer to Safe Mode with Command Prompt

Windows 7 / Vista / XP
1. Click Start → Shutdown → Restart → OK.
2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
3. Select Command Prompt from the list
Windows 10 / Windows 8
1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
1. Once the Command Prompt window shows up, enter cd restore and click Enter.
2. Now type rstrui.exe and press Enter again..
3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Terdot. After doing that, click Next.
4. Now click Yes to start system restore.
Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Terdot removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Terdot and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes

About the author

Linas Kiguolis - Expert in social media

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions

References

^ Tara Seals. Zeus Spawn 'Terdot' is a Banking Trojan with a Twist. Infosecurity Magazine. Information security and IT security news.
^ Bogdan Botezatu. Terdot: Zeus-based malware strikes back with a blast from the past. Bitdefender Labs. Latest cyber security news and malware analysis.
^ No Virus. No Virus. British security news.