PWS:Win32/Zbot is a family of trojans that is created/generated by kits known as “Zeus”; these kits are bought and sold on the cyberworld black market.
PWS-Zbot is a trojan threat designed to steal data from victim’s system. It is most widely known for stealing financial account information. For example, online banking login details and account data.
PWS-Zbot spreads mostly via email but can also utilize auto run capabilities of removable media, or install via a drive-by infection when the user visits a compromised or malicious webpage. Once the infected binary file is installed to a machine it connects to a command and control server, and also monitors for internet activity and uploads stolen data.
Most antivirus products can detect this threat as :Zeus,Trojan-Spy:W32/Zbot,Trojan.Zbot,TrojanSpy.Win32.Zbot [Kaspersky],Win32/Zbot [Microsoft],PWS-Zbot [McAfee],PWS-zbot.gen.anq [Avast] some of this products may have issues while trying to remove this infection from your computer.
Pws-Zbot Removal Guide
STEP 1: Remove the PWS-Zbot with Kaspersky TDSSKiller
PWS-Zbot has installed a rootkit to protect itself from being removed.To remove the ZeroAccess rootkit, we need to run a system scan with Kaspersky TDSSKiller.
- Please download the latest official version of Kaspersky TDSSKiller.
KASPERSKY TDSSKILLER DOWNLOAD LINK(This link will automatically download Kaspersky TDSSKiller on your computer.)
- Before you can run Kaspersky TDSSKiller, you first need to rename it so that
you can get it to run. To do this, right-click on the TDSSKiller.exe icon and select Rename.
Edit the name of the file from TDSSKiller.exe to iexplore.exe, and then double-click on it to launch.
- Kaspersky TDSSKiller will now start and display the welcome screen as shown below.In order to start a system scan , press the ‘Start Scan’ button.
- Kaspersky TDSSKiller will now scan your computer for the Pws-Zbot.
- When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.
- To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.A reboot will be require to completely remove this rootkit from your system.
STEP 2 : Remove the malicious files and replace the infected services.exe file
The Pws-Zbot will infect services.exe Windows file,so we need to run Combofix to replace this file.
- You can download Combofix from the below link.
COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
- Before running this utility,please follow the below instructions:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection beforeperforming a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Start the Combofix scan:
- Double click on ComboFix.exe and then follow the prompts.
- Accept the disclaimer and allow to update if it asks.Windows XP user will be asked to install Windows Recovery Console.
- When finished, it shall produce a log for you.
- Restart your computer
- DO NOT mouse-click Combofix’s window while it is running. That may cause it to stall.
- IF after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.
STEP 3 : Remove the malicious registry keys added by the Pws-Zbot
PWS-Zbot has added some malicious registry keys to your Windows installation,to remove them we will need to perform a scan with RogueKiller.
- Please download the latest official version of RogueKiller.
ROGUEKILLER DOWNLOAD LINK (This link will automatically download RogueKiller on your computer)
- Double click on RogueKiller.exe to start this utility and then wait for the Prescan to complete.This should take only a few seconds and then you can click the Start button to perform a system scan.
- After the scan has completed, press the Delete button to remove any malicious registry keys.
STEP 4: Remove PWS-Zbot malicious files with Malwarebytes Anti-Malware FREE
- Download the latest official version of Malwarebytes Anti-Malware FREE.
MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This link will open a download page in a new window from where you can download Malwarebytes Anti-Malware Free)
- You can start the Malwarebytes’ Anti-Malware installation process by double clicking on mbam-setup file.
- When the installation begins, keep following the prompts in order to continue with the setup process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If Malwarebytes’ prompts you to reboot, please do not do so.
- Malwarebytes Anti-Malware will now start and you’ll be prompted to start a trial period , please select ‘Decline‘ as we just want to use the on-demand scanner.
- On the Scanner tab,select Perform full scan and then click on the Scanbutton to start scanning your computer.
- Malwarebytes’ Anti-Malware will now start scanning your computer for PWS-Zbot malicious files as shown below.
- When the scan is finished a message box will appear, click OK to continue.
- You will now be presented with a screen showing you the malware infections that Malwarebytes’ Anti-Malware has detected.Please note that the infections found may be different than what is shown in the image.Make sure that everything is Checked (ticked) and click on the Remove Selected button.
- Malwarebytes’ Anti-Malware will now start removing the malicious files.After completing this task it will display a message stating that it needs to reboot,please allow this request and then let your PC boot in Normal mode.
STEP 5: Run a scan with HitmanPro
- Download the latest official version of HitmanPro from the below link.
HITMANPRO DOWNLOAD LINK(This link will open a download page in a new window from where you can download HitmanPro)
- Double click on the previously downloaded fileto start the HitmanPro installation.
IF you are experiencing problems while trying to starting HitmanPro, you can use the “Force Breach” mode.To start this program in Force Breach mode, hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (How to start HitmanPro in Force Breach mode – Video)
- Click on Next to install HitmanPro on your system.
- The setup screen is displayed, from which you can decide whether you wish to install HitmanPro on your machine or just perform a one-time scan, select a option then click on Next to start a system scan.
- HitmanPro will start scanning your system for malicious files as seen in the image below.
- Once the scan is complete,you’ll see a screen which will display all the malicious files that the program has found.Click on Next to remove this malicious files.
- Click Activate free license to start the free 30 days trial and remove the malicious files.
- HitmanPro will now start removing the infected objects.If this program will ask you to restart your computer,please allow this request.
STEP 6: Double check for any left over infections on your computer
If want to make another check for any left over malicious files,you can run a scan with the following tools:
STEP A: Run a scan with Eset Online Scanner.
- Download ESET Online Scanner utility.
ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
- Double click on the Eset installer program (esetsmartinstaller_enu.exe).
- Click the Start button.
- Check Scan archives
- Push the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push Finish
STEP B: Run a scan with Emsisoft Emergency Kit.
- Please download the latest official version of Emsisoft Emergency Kit.
EMSISOFT EMERGENCY KIT DOWNLOAD LINK (This link will open a download page in a new window from where you can download Emsisoft Emergency Kit)
- After the download process will finish , you’ll need to unpack EmsisoftEmergencyKit.zip and then double click on EmergencyKitScanner.bat
- A pop-up will prompt you to update Emsisoft Emergency Kit , please click the “Yes” button.After the Update process has completed , put the mouse cursor over the “Menu” tab on the left and click-on “Scan PC“.
- Select “Smart scan” and click-on the below “SCAN” button.When the scan will be completed , you will be presented with a screen showing you the malware infections that Emsisoft Emergency Kit has detected.Make sure that everything is Checked (ticked) and click on the ‘Quarantine selected objects‘ button.
Next,we will remove Combofix from your machine and in addition,you can uninstall any of the tools that we’ve used:
Lets remove ComboFix from your computer:
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Delete the following files: (If they exist)
Delete the following folders: (If they exist)
Kaspersky TDSSKiller and RogueKiller can be removed by deleting the utilities.
We strongly recommend that you keep Malwarebytes Anti-Malware and HitmanPro installed on your machine and run regular scans with this tools.If you however,wish to remove them,you can go into the Add or Remove programs and uninstall this two on-demand scanners.
Because this trojan is designed to steal your personal information, we recommend that you change your passwords for your online accounts and if you have used your credit card while this trojan was on your computer, contact the bank and let them know that you might be be victim of a phishing attack.