
Win32/Zbot.gen!AP, Latest Way to Remove PWS: Win32/Zbot.gen!AP

Published on January 16, 2014

Behavior Analysis

Win32/Zbot.gen!AP belongs to the Win32/Zbot.gen family, which can be traced back to early 2009. It is the most notorious of the recently reported variants because it clings to an infected machine as if there were no way to remove it. Anti-virus programs typically only flag Win32/Zbot.gen!AP without offering a fix, leaving the svchost.exe pop-ups, the heavy CPU consumption and the browser redirects in place.


Given this, Global PC Support Center has tested Win32/Zbot.gen!AP several times on a Windows XP SP3 platform and compiled the following list of its malicious behaviour:

  • When Win32/Zbot.gen!AP is activated, it registers its executable files under the “Winlogon” and “Userinit” entries to guarantee that it is launched automatically on every subsequent start-up.
  • Win32/Zbot.gen!AP places executable files under “system32” and sets the hidden attribute on them.
  • Win32/Zbot.gen!AP keeps modifying process memory and runs under processes that resemble system processes to protect itself from being recognized and deleted.
  • Win32/Zbot.gen!AP then injects its malicious code into desktop.ini files so that an incomplete removal simply restores all of its components to the target machine.
  • Win32/Zbot.gen!AP tampers with smss.exe and svchost.exe to create remote threads, which are used to download additional code and to upload the collected information, mainly passwords.

If one inspects “Generic Host Process for Win32 Services [svchost.exe]”, it becomes obvious that something is monitoring activity and that an unknown remote endpoint is connected without the user’s knowledge.

PWS: Win32/Zbot.gen!AP Should be Removed Now!

The analysis above makes it perfectly clear that an infection with Win32/Zbot.gen!AP leads to weakened browser security, a disabled firewall, information loss, unauthorized access and direct control of the affected computer. To safeguard your computer and your information, it is wise to remove Win32/Zbot.gen!AP. Because it is highly elusive, removing Win32/Zbot.gen!AP requires computer knowledge to carry out the manual removal. If you do not know how to follow the instructions offered below, get one-to-one assistance from a specialized expert at VilmaTech Online Support.

One – End running processes that belong to Win32/Zbot.gen!AP or into which its .dll has been injected.

Windows 8

  • Open the Charms bar by moving the mouse to any edge of the screen.
  • Type ‘Task’ or ‘Task Manager’ and press Enter to select Task Manager on the next screen.
  • Open the Processes tab to end the malicious processes.

Windows7/vista/XP

  • Press Ctrl+Alt+Delete or Ctrl+Shift+Esc (the combination varies between operating systems) to bring up Task Manager.
  • Open the Processes tab to end the malicious processes.

Steps:

  • End WINLOGON.EXE rather than Winlogon.exe.
  • End Svchost.exe in Task Manager.
  • Tip: Svchost.exe can be a genuine system process, which cannot be terminated; to tell the malicious instances from the genuine ones, follow the steps here.
  • End the System32.exe that is shown together with “PERRGX5DKQSBQDWAUCRQH.DLL”; check by right-clicking System32.exe and selecting “Go to Service(s)”.
  • Terminate rundl132.exe, rundll32.exe and logo_1.exe, if present.
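The steps above ask the reader to separate look-alike processes from genuine Windows ones by eye in Task Manager. As an added example (not part of the original guide), the PowerShell script below performs that comparison read-only: it flags processes with a system-binary name running from outside System32, svchost.exe instances not started by services.exe, the never-legitimate names listed above, and any process with the DLL named above mapped into it. The DLL name and process names come from the guide; the "services.exe is the parent of genuine svchost.exe" rule is a general Windows fact, not something the guide states.

```powershell
# Added example, not from the original post: read-only audit of running processes
# for the indicators the guide lists. Nothing is terminated here; review the output
# before ending anything in Task Manager.
$suspectDll = 'PERRGX5DKQSBQDWAUCRQH.DLL'    # DLL name quoted in the guide
$system32   = Join-Path $env:SystemRoot 'System32'
$lookAlikes = 'svchost.exe', 'winlogon.exe', 'smss.exe', 'rundll32.exe'
$neverLegit = 'system32.exe', 'rundl132.exe', 'logo_1.exe'   # names from the guide

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

$findings = foreach ($p in $procs) {
    $reasons = @()
    $name    = $p.Name.ToLower()
    $path    = $p.ExecutablePath      # $null when the caller may not read it

    # A system-process name loaded from anywhere but System32 is the classic
    # sign of the look-alikes described above (WINLOGON.EXE vs winlogon.exe).
    if ($lookAlikes -contains $name -and $path -and
        -not $path.StartsWith($system32, 'OrdinalIgnoreCase')) {
        $reasons += "system-process name loaded from $path"
    }
    # Genuine svchost.exe instances are started by services.exe.
    if ($name -eq 'svchost.exe') {
        $parent = $byPid[$p.ParentProcessId]
        if ($parent -and $parent.Name -ine 'services.exe') {
            $reasons += "svchost.exe started by $($parent.Name) instead of services.exe"
        }
    }
    if ($neverLegit -contains $name) { $reasons += 'name is not a Windows binary' }

    # The module list is only readable for processes we have access to.
    try {
        $loaded = (Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules |
                  Where-Object { $_.ModuleName -ieq $suspectDll }
        if ($loaded) { $reasons += "has $suspectDll mapped" }
    } catch { }   # protected or already-exited process

    if ($reasons) {
        [pscustomobject]@{
            PID = $p.ProcessId; Name = $p.Name; Path = $path; Reason = $reasons -join '; '
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that paths and module lists of processes owned by other accounts are readable; a row in the output is a reason to look closer, not a verdict on its own.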

Two – Remove the desktop.ini files generated by Win32/Zbot.gen!AP, so that an incomplete removal cannot restore all of its components.

Since the desktop.ini file is hidden, hidden items have to be made visible first.

Steps:

Windows 8

  • Open Windows Explorer from the Start screen and click the View tab.
  • Tick the boxes next to ‘File name extensions’ and ‘Hidden items’ and press “OK” to show all hidden items.

Windows 7/XP/Vista

  • Open the Start menu and go to ‘Control Panel’.
  • Select ‘Folder Options’ and click the View tab.
  • Tick ‘Show hidden files and folders’, untick ‘Hide protected operating system files (Recommended)’ and press ‘OK’ to reveal all hidden items.

(Tip: remove the following files while you are at it.)

  1. Temp files under C:\Windows\System32
  2. All files and folders under C:\WINDOWS\SoftwareDistribution.
  3. D:\autorun.inf
  4. C:\Program Files\Internet Explorer\iexplore.com
  5. C:\Program Files\Common Files\iexplore.com
  6. C:\WINDOWS\1.com
  7. C:\WINDOWS\iexplore.com
  8. C:\WINDOWS\finder.com
  9. C:\WINDOWS\Debug\[name] Programme.exe
  10. C:\Windows\system32\command.com (the one that is created on the date Win32/Zbot.gen!AP emerged)

Run anti-virus programs to find the directory in which Win32/Zbot.gen!AP is located.

Use the command line to remove all desktop.ini files found in the location where Win32/Zbot.gen!AP resides.
Steps:

  • Press and hold the Win key and the R key together to bring up a Run box.
  • Type “cmd.exe” and press Enter.
  • You will then see a blinking cursor; type “/s” there and press Enter.

(Tip: empty the Recycle Bin as well, including any desktop.ini file in it.)

Three – Open Registry Editor and remove the following keys and values.

  • Press the Win key and the R key together to bring up a Run box.
  • Type “Regedit” and press Enter; Registry Editor opens.

HKEY_CLASSES_ROOT\CLSID\{51716C09-6B08-4CCF-B526-718E912C0573}
HKEY_CLASSES_ROOT\CLSID\{51716C09-6B08-4CCF-B526-718E912C0573}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{51716C09-6B08-4CCF-B526-718E912C0573}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{51716C09-6B08-4CCF-B526-718E912C0573}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{51716C09-6B08-4CCF-B526-718E912C0573}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{random file name} = “%Application Data%\{random folder name}\{random file name}.exe”
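Before deleting anything in Registry Editor it helps to know which of the locations above actually exist on the machine. As an added example (not part of the original guide), this PowerShell script reports on every registry location listed above, the Run entries matching the %Application Data% pattern, and the Winlogon Userinit value named in the behaviour analysis. The CLSID and key paths come from the guide; the Winlogon key path and the stock Userinit value are general Windows facts not stated on the page, and the script only reads, never deletes.

```powershell
# Added example, not from the original post: read-only check of the registry
# locations listed in the guide. Review each PRESENT/REVIEW line before removing
# anything; legitimate software also installs under %AppData%.
$clsid = '{51716C09-6B08-4CCF-B526-718E912C0573}'   # CLSID from the guide

$keys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
)
foreach ($k in $keys) {
    if (Test-Path $k) {
        $default = (Get-ItemProperty $k).'(default)'   # InprocServer32 default = DLL path
        Write-Output "PRESENT  $k -> $default"
    } else {
        Write-Output "absent   $k"
    }
}

# Under ShellExecuteHooks the CLSID is a value name, not a subkey.
$hooks = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if ((Test-Path $hooks) -and ((Get-ItemProperty $hooks).PSObject.Properties.Name -contains $clsid)) {
    Write-Output "PRESENT  ShellExecuteHooks value $clsid"
}

# Run entries whose target is <AppData>\<folder>\<file>.exe, the pattern in the guide.
$run = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $run) {
    $appData = [regex]::Escape($env:APPDATA)
    (Get-ItemProperty $run).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and
                       $_.Value -match "^`"?$appData\\[^\\]+\\[^\\]+\.exe" } |
        ForEach-Object { Write-Output "REVIEW   Run\$($_.Name) = $($_.Value)" }
}

# Userinit is a persistence point named in the behaviour analysis. Its stock value
# is "<System32>\userinit.exe," (trailing comma included); anything appended is suspect.
$winlogon = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty $winlogon).Userinit
$expected = (Join-Path $env:SystemRoot 'System32\userinit.exe') + ','
if ($userinit -ine $expected) {
    Write-Output "REVIEW   Userinit = $userinit (expected $expected)"
}
```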


Final

The PWS:Win32/Zbot.gen family is generated by the Zeus kit, which is peddled heavily on the underground market, so cutting off its supply is hard. What we need to do, until it is eliminated, is to strengthen overall security and stay vigilant when browsing. Most PC users pay little attention to Win32/Zbot.gen!AP because it does not cause many visible problems. However, Win32/Zbot.gen!AP targets passwords and tampers with system memory, causing tangled problems that cannot be repaired completely and opening the door to further infections. Since some of its malicious components are confusing enough that anti-virus programs cannot remove Win32/Zbot.gen!AP completely, the manual method is recommended. Should you run into difficulties, you are welcome to use the online PC security service from VilmaTech Online Support for a solution tailored to your situation. Be aware that overlooking a single malicious item will make the removal fail.
