What is Terdot? And how does it function?

Terdot is a banking Trojan that first emerged on 2016. It is a variant of the notorious Zeus Trojan. However, on November 2017 researchers were able to discover an updated version of the Zeus variant which was caught spreading using phishing emails. This Trojan infection is designed as a customized MITM or man-in-the-middle proxy which is capable of stealing Facebook, Google Plus, YouTube and Twitter information. It can also download and execute files from a remote server. Malicious software might post corrupted links that links to this Trojan’s download site on behalf of the affected accounts. Terdot comes with advanced anti-VM evasion systems and is downloaded in multiple components to avoid detection. It also makes use of a Domain Generation Algorithm or DGA to generate unique domains for its Command and Control server that makes it harder to take down.
As of now, this banking Trojan is not widespread just yet. According to security experts Terdot was noticed targeting Canadian banks such as CFinancial, Desjardins, BMO, Royal Bank, the Toronto Dominion Bank, Banque Nationale, Scotiabank, CIBC and Tangerine Bank where it was distributed using the Sundown exploit kit and spam emails. And since this Trojan is a new and sophisticated version of Zeus, the only similarity of Terdot to Zeus is the ability to inject itself into browser processes and its configuration system which allows its developers to control what pages Terdot targets and in what way. And to perform its malicious tasks, this banking Trojan does not rely on custom code that may trigger alerts from security programs in the computer but it uses legitimate tools that are white-listed often. This kind trick has been a trend all over this year used by Trojans and other threats.
How is Terdot disseminated online?
As pointed out earlier, Terdot spreads using the Sundown exploit kit as well as spam emails. What users find strange is that in the spam emails, they only depict an image of a PDF icon. Once users click this image, it will trigger a malicious JavaScript code that downloads and runs the Terdot Trojan into the computer. And because it only has limited targeting, Terdot’s campaigns have gone largely unreported until Bitdefender published a report regarding the Trojan’s inner workings a couple of weeks ago.
Carefully follow each of the steps in the removal guide below to delete Terdot from your infected computer.
Step 1: Restart your PC to Safe Mode with Networking.

Step 2: Enable the disabled Windows features.

  1. Press Win + R keys to launch Run.
  2. Type in msc in the box and press Enter to open Group Policy.
  3. Under Group Policy, navigate to:
    1. User Configuration\Administrative Templates\System
  4. After that, open Prevent access to the command prompt.
  5. Select Disable to enable cmd
  6. Click the OK button
  7. After that, go to:
    1. Configuration\Administrative Templates\System
  8. Double click on the Prevent Access to registry editing tools.
  9. Choose Disabled and click OK.
  10. Navigate to :
    1. User Configuration\Administrative Templates\System>Ctrl+Alt+Del Options
  11. Double click on Remove Task Manager.
  12. And then set its value to Disabled.

Step 3: Tap Ctrl + Shift + Esc keys to open the Task Manager.
Step 4: Look for the following processes disguising as Windows processes created by Terdot and end all of them. Take note that Terdot uses legitimate processes so you have to look for a process that consumes mot CPU power and end it.

Step 5: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.

Step 6: Look for Terdot or any suspicious program that might be related to it and then Uninstall it/them.

Step 7: Tap the Win + E keys simultaneously to open File Explorer.
Step 8: Navigate to the following locations below.

  • %TEMP%
  • %USERPROFILE%\Downloads
  • %USERPROFILE%\Desktop

Step 9: Look for the malicious files Terdot created in the directories listed above.
Step 10: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 11: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.

Step 12: Navigate to the following path:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Step 13: Delete the registry keys and sub-keys created by Terdot the banking Trojan.
Step 14: Close the Registry Editor and empty your Recycle Bin.
To completely eliminate Terdot and its malicious processes and files from your computer, follow the advanced guidelines below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:

  1. Turn on your computer. If it’s already on, you have to reboot
  2. After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

  1. To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
  2. Windows will now load the SafeMode with Networking.
  3. Press and hold both R key and Windows key.

  1. If done correctly, the Windows Run Box will show up.
  2. Type in explorer http://www.fixmypcfree.com/install/spyremoverpro

A single space must be in between explorer and http. Click OK.

  1. A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once download is done.

  1. Click OK to launch it.
  2. Run SpyRemover Pro and perform a full system scan.

  1. After all the infections are identified, click REMOVE ALL.

  1. Register the program to protect your computer from future threats.


logo main menu

Copyright © 2023, FixMyPcFree. All Rights Reserved Trademarks: Microsoft Windows logos are registered trademarks of Microsoft. Disclaimer: FixMyPcFree.com is not affiliated with Microsoft, nor claim direct affiliation. The information on this page is provided for information purposes only.

DMCA.com Protection Status

Log in with your credentials

Forgot your details?