Operating System
Windows 7
Infection date and initial symptoms
don't know
Current issues and symptoms
PWA: Win32/Zbot gen!AP shows up in scan with Microsoft security Es
Steps taken in order to remove the infection
I followed the steps in order posted in the instructions that led me here (Remove PWS-Zbot virus) removal instructions.

2of12

New Member
I am new here but have tried to remove the password stealing Win32/Zbotgen!AP, but it still shows up in scans on my computer, so I came here looking for help. I have run the two tools TFRST64 & aswMBR and have high hopes I can get my computer back.
 


TwinHeadedEagle

Removal Expert
Staff member
Verified
Hi,



1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this please read this or this Instruction.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
- ComboFix will scan your computer in stages, total of 50 stages.
Do not mouse-click around while ComboFix is running.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) back to the topic.
 

TwinHeadedEagle

Removal Expert
Staff member
Verified
Open notepad and copy/paste the text present inside the code box below:


Code:
Folder::
c:\users\2of12\AppData\Roaming\Evniys
c:\users\2of12\AppData\Roaming\Yqcibae
c:\users\2of12\AppData\Roaming\Abbiamo
c:\users\2of12\AppData\Roaming\Apgumig
c:\users\2of12\AppData\Roaming\Gouzicid

ClearJavaCache::
Save this as CFScript.txt



Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
 

2of12

New Member
I did as you asked. There was nothing in any of the files, they were all empty. I cleared the Java cache and attached the txt file for ComboFix after dragging the empty file into ComboFix again. Thank you for your help.
 


2of12

New Member
Where did I go wrong? I opened each of the files below but they were empty, but I copied and pasted them to Notepad and saved it as CFScript.txt. I then cleared the Java cache. Next I re-downloaded the ComboFix file from the link onto my desktop, then I clicked on the empty CFScript.txt file and dragged it into ComboFix.exe. Then it started and I let it finish. After it produced the log file I saved it to C: ComboFix and then uploaded it to this post. Believe me, I would not not follow your instructions; I want to get this taken care of.
c:\users\2of12\AppData\Roaming\Evniys
c:\users\2of12\AppData\Roaming\Yqcibae
c:\users\2of12\AppData\Roaming\Abbiamo
c:\users\2of12\AppData\Roaming\Apgumig
c:\users\2of12\AppData\Roaming\Gouzicid
 

TwinHeadedEagle

Removal Expert
Staff member
Verified
You do not need to open any file, just copy the given script into notepad, save as CFScript and execute.
 

2of12

New Member
Thank you, I misunderstood. I copied the script into Notepad and saved it as CFScript, then dragged it to ComboFix. It shows "open script with ComboFix installer" and then launches, but it just sat there scanning all night with no progress at all. It was still on the (Scanning for infected files...) this morning, 6 hours later. Should I try again and leave it all day?
 

2of12

New Member
We may have some progress. I ran ComboFix again and saved the log. Then I clicked on the CFScript.txt file and it opened to show both the new log and the script I put into it. I then dragged the script into ComboFix and it said the publisher cannot be verified, do you want to run? I said yes. Looks like it's running, it's at stage 4 right now. WowHoo! I will upload it when it finishes and I hope it has run with the script in it.
 


2of12

New Member
I have run two different scans and everything looks good. I don't trust the computer just yet though. I want to thank you for your help. I had tried and tried by myself but had little luck; I spent only a small amount of time here at the forum and it looks like it's over. I would like to ask, what besides common sense would you suggest to help keep the machine clean? You guys are great :)
 

2of12

New Member
Ok I just ran a deep scan with Emsisoft Emergency Kit, I'm not sure but I don't think it looks good. I will see if I can upload the log, can you take a look when you get a free minute and let me know what it's all about. Note I tried to delete the objects detected but could not. :(
 


TwinHeadedEagle

Removal Expert
Staff member
Verified
Some files are in quarantine, some of them are adware...


I can recommend you this software to avoid Adware in the future:

http://unchecky.com/

Read here how it works --> http://www.howtogeek.com/179758/how-to-avoid-junkware-offers-with-unchecky/


The main thing is that your PC is clean :)


The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
 

2of12

New Member
I had to come back, couldn't stay away. I just borrowed the cleanup tool after cleaning up something that was happening, not sure what, but all seems right with the world now. Thanks for the best help out there when you have a problem.
 

2of12

New Member
OK, I bet you're wondering just what I was trying to fix. Well, when I click on a link, say PCH, a new window opens but then closes rather fast to the bottom task bar. I can click on it and sometimes it opens, but there is never an address in the address bar. Any ideas? I have run just about everything but I can find no problems with any of the tools; they say there is no problem. Well, it sure acts like there is. Hum.