Dangerous Trojan PWS:Win32/Zbot.gen!AP – Behaviour, Removal, How it comes

Created by Zeus kits, Trojan PWS:Win32/Zbot.gen!AP is a very dangerous malware infection. Experts rate it a high-severity threat. The main goal of this rogue is to steal your financial information and other sensitive data, such as bank details and credit/debit card details, and use them for illicit purposes. It is so dangerous that it can cause irrecoverable damage to your system if it is not removed in time. This password-stealing trojan records your keystrokes, including your online activity such as visits to your banking websites, and sends the record to a remote attacker.

How Trojan PWS:Win32/Zbot.gen!AP comes to your PC

· By clicking a link in a spam email or downloading an infected file attached to it, the Trojan will be installed on your system.

· Through removable storage such as a USB drive or an external hard disk. The malware will be installed automatically when you connect the infected drive to your PC if AutoRun is not disabled.

· An infected PC on a network can also infect the other PCs on the same network.

· It can come bundled with other software you download. Some malware is installed at the same time as other programs you download, including software from third-party websites or files shared through P2P networks.

· If you visit an infected website, it will try to exploit software vulnerabilities on your PC to install malware, whether the site is malicious by design or a legitimate site that has been compromised or hacked.

What The Trojan PWS:Win32/Zbot.gen!AP does to your PC

It automatically connects to the server behind it whenever you connect to the internet, then starts collecting your information for onward submission to its controlling server. The collected data may be very sensitive: codes, passwords, bank account details, credit/debit card details and other sensitive information. It will disable some of the applications on your PC, and your security software (antivirus/antimalware) may be made inaccessible or may stop working. It may reset your registry files and make your system much slower. Like all other Trojans, PWS:Win32/Zbot.gen!AP also acts as a gateway for other rogues and installs additional viruses, Trojans, keyloggers and worms.

Behavior of The Trojan PWS:Win32/Zbot.gen!AP

This is a threat of the Win32/Zemot family of malware and uses file names like java_update_<……>.exe and updateflashplayer_<……>.exe. It can drop copies of itself under random names, as %APPDATA%\<random letters>\<random letters>.exe, for instance C:\Documents and Settings\Administrator\Application Data\Wuqiowciemequ\anpow.exe. Some variants may also drop a copy with a randomly generated filename in the <system folder>.
To ensure that the trojan runs automatically each time you start your PC, the following changes to the registry may be made.

In subkey: HKLM\Software\Microsoft\Windows\Currentversion\Run
In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "<random number>" for example, "2772969301"
With data: "<……….>".

It creates a scheduled task, named "Security Center Update - <9 random digits>", to ensure that it runs regularly.

To suppress error messages it creates a registry entry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
Sets value: "Windows"
With data: "<system folder>\csrss.exe objectdirectory=\windows sharedsection=1024,1536,512 windows=on subsystemtype=windows serverdll=basesrv,1
serverdll=winsrv:userserverdllinitialization,3 serverdll=winsrv:conserverdllinitialization,2 profilecontrol=off maxrequestthreads=16"

How to remove The Trojan PWS:Win32/Zbot.gen!AP

The removal of PWS:Win32/Zbot.gen!AP is not an easy task and involves highly complicated steps. A small mistake or a single wrong step during the removal process can result in further damage to your system instead of an improvement. Therefore, proceed with manual removal only if you are confident that you are expert enough to complete the entire process without any mistake; otherwise the only way to get rid of this threat is to use a powerful anti-malware. Scan your entire computer with a powerful anti-malware and let it remove the culprit PWS:Win32/Zbot.gen!AP.

How to remove The Trojan PWS:Win32/Zbot.gen!AP manually

· Boot your system in Safe Mode with Networking (you can use the F8 key during startup).
· Go to Control Panel and change the folder options to 'Show hidden files', then search for and delete these PWS:Win32/Zbot.gen!AP related files:
  (i) %AppData%\Protector.exe   (ii) %AllUsersProfile%\Application Data\.dll
· To delete the startup items of the PWS:Win32/Zbot.gen!AP virus, open the Run dialog (press Win+R), type 'msconfig' and click OK.
· To remove the registry entries of the PWS:Win32/Zbot.gen!AP virus, open the Run dialog (press Win+R), type "regedit", click OK and remove:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
"ConsentPromptBehaviorAdmin" = 0
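The following read-only audit script is an added example, not part of the original post, that checks the persistence locations described in the behaviour section (Run keys, the scheduled task name, the SubSystems value) and the entries listed in the manual-removal section. It assumes a Windows host with PowerShell 3 or later run from an elevated prompt; the UAC policy key path used for ConsentPromptBehaviorAdmin is the standard one and is not given on the page.

```powershell
# Added audit script (not from the original post): read-only check of the persistence
# locations the post lists. Assumes Windows with PowerShell 3+ and an elevated prompt.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Run keys: the post describes a value whose NAME is a random number (e.g. "2772969301")
#    and, in the manual-removal section, an HKCU Run value named "Inspector".
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -match '^\d+$' -or $p.Name -eq 'Inspector') {
            $findings.Add("Run value '$($p.Name)' in $key -> $($p.Value)")
        }
        # %APPDATA%\<random letters>\<random letters>.exe drop location from the post
        if ("$($p.Value)" -match '\\(Application Data|AppData\\Roaming)\\[A-Za-z]+\\[A-Za-z]+\.exe') {
            $findings.Add("Run value '$($p.Name)' starts an exe from a per-user data folder: $($p.Value)")
        }
    }
}

# 2. Scheduled task named "Security Center Update - <9 random digits>"
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -match '^Security Center Update - \d{9}$' } |
    ForEach-Object { $findings.Add("Scheduled task: $($_.TaskPath)$($_.TaskName)") }

# 3. SubSystems\Windows: report the current value so it can be compared with a clean host
#    of the same Windows build; the post's sample data contains sharedsection=1024,1536,512.
$subsys = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$win = (Get-ItemProperty -Path $subsys -Name Windows -ErrorAction SilentlyContinue).Windows
if ($win -and $win -match 'sharedsection=1024,1536,512') {
    $findings.Add("SubSystems\Windows matches the post's sample data: $win")
} else {
    Write-Host "SubSystems\Windows (compare with a clean baseline): $win"
}

# 4. UAC: ConsentPromptBehaviorAdmin = 0 (key path assumed: the standard UAC policy key)
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$cpba = (Get-ItemProperty -Path $uac -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue).ConsentPromptBehaviorAdmin
if ($cpba -eq 0) { $findings.Add('UAC ConsentPromptBehaviorAdmin is 0 (admin elevation prompts disabled)') }

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No indicators from the post were found.' }
```

The script only reports; a numeric-named Run value or the task name pattern alone is a strong signal, while the SubSystems line should be judged against a known-good value from a clean machine of the same Windows version.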

