The Trojan Zbot is a password-stealing malicious application. It attempts to steal the user’s cached passwords and login details from cookies. Zbot, which is also known as Win32 Zbot, is delivered to the user as an attachment to a spam email. This email claims that a package addressed to the user could not be delivered because the address was incorrect, and asks the user to download the attached ‘invoice copy’ and resubmit the address. A user who is indeed expecting a package is easily tricked into opening this attachment, since nothing about it looks out of place.
The so-called ‘invoice copy’ contains Zbot, which will immediately install itself and begin its malicious activities. During installation Zbot will check for firewall processes, and if any are found, it will only copy itself and exit. A large amount of junk data will be attached to the installation to make detection difficult. If there is no firewall present or if the firewall is turned off, the Trojan Zbot will immediately connect to a remote server and download a configuration file which contains details of which information Win32 Zbot should steal from the user, where to upload this information and another location where Zbot can be downloaded again.
When the user fills in forms on targeted web pages, Zbot will capture whatever is posted on the form and submit it to the malware author. It might also inject false fields into targeted web pages and send the resulting submissions as well. Zbot may also completely redirect the user away from targeted web pages to a fake web page on a different server related to malware. Zbot also has limited backdoor entry capabilities which allow the malware author to log in to the user’s system.
To remove Zbot, it is necessary to stop its processes and to delete its files and folders. However, because manual removal can prove to be a difficult process, it is most often necessary to conduct a full system scan using genuine antivirus software such as Spyware Doctor with Antivirus in order to make sure that Zbot has been properly removed from your computer.
As the first step in conducting a manual Win32 Zbot removal, stop the following processes:
- 1053.exe
- 1q.exe
- 87724515.exe
- ANZinetbanking_certificate.exe
- bana.exe
- voland611.exe
- wclctr.exe
- winbtn.exe
- winself.exe
- winwem.exe
- WorldPay_CONFR.exe
- WorldPay_TRANS_8651.exe
- x-file-MJacksonsKiller.exe
- xsetup1.exe
- Your_ETicket.exe
You should expect your traces to be a little different from the above. This threat changes all the time, so most likely your traces will be different. You should run a full security scan using Spyware Doctor with Antivirus to see what traces are installed on your computer.
The next step is to remove the following folders:
- %SYSTEM%\WSNPOEM
- %SYSTEM%\WSNPOEMA
- C:\Documents and Settings\NetworkService\Application Data\wsnpoem
- %SYSTEM%\twain_32
- %SYSTEM%\lowsec
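The two manual steps above (stop the listed processes, then delete the listed folders) can be turned into a single audit script. The following PowerShell is an added example and is not part of the original write-up or any vendor tool; it uses only the process and folder names given on this page. It assumes that %SYSTEM% expands to the System32 folder under $env:SystemRoot, which is the usual convention in these write-ups, and that the script is run from an elevated PowerShell prompt. By default it only reports what it finds; the -Remove switch is an assumed parameter name that performs the actual stop and delete.

```powershell
# Added example (not from the original page): audit a Windows host for the
# Zbot process names and folders listed above. Report-only by default;
# pass -Remove to stop the processes and delete the folders.
param([switch]$Remove)

# Process names exactly as listed on the page (Get-Process takes the name
# without the .exe extension).
$processNames = @(
    '1053', '1q', '87724515', 'ANZinetbanking_certificate', 'bana',
    'voland611', 'wclctr', 'winbtn', 'winself', 'winwem',
    'WorldPay_CONFR', 'WorldPay_TRANS_8651', 'x-file-MJacksonsKiller',
    'xsetup1', 'Your_ETicket'
)

# Assumption: %SYSTEM% in the write-up means the System32 folder.
$system = Join-Path $env:SystemRoot 'System32'
$folders = @(
    (Join-Path $system 'WSNPOEM'),
    (Join-Path $system 'WSNPOEMA'),
    'C:\Documents and Settings\NetworkService\Application Data\wsnpoem',
    (Join-Path $system 'twain_32'),
    (Join-Path $system 'lowsec')
)

$found = $false

# Step 1: look for (and optionally stop) the listed processes. Recording the
# image path before stopping a process tells you where the file lives.
foreach ($name in $processNames) {
    $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        $found = $true
        Write-Output ("PROCESS  {0,-28} PID {1,-6} Path: {2}" -f $p.ProcessName, $p.Id, $p.Path)
        if ($Remove) {
            Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
            Write-Output ("         stopped PID {0}" -f $p.Id)
        }
    }
}

# Step 2: look for (and optionally delete) the listed folders.
foreach ($dir in $folders) {
    if (Test-Path -LiteralPath $dir) {
        $found = $true
        Write-Output ("FOLDER   {0}" -f $dir)
        if ($Remove) {
            Remove-Item -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue
            Write-Output ("         removed {0}" -f $dir)
        }
    }
}

if (-not $found) {
    Write-Output 'No listed Zbot traces found. Names change often; a full antivirus scan is still needed.'
}
```

Run it once without -Remove and keep the output: the recorded image paths show which files the processes were started from, which the page's list of names alone does not tell you. Because the names change between variants, a clean report from this script is not proof that the system is clean, only that none of the traces documented here are present.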
Outside Resources:
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99