
"PWS:Win32/Zbot Was found on your PC"



I need this off of my laptop as soon as possible.  I have scanned with Microsoft Security Essentials, Malwarebytes, and now HitmanPro (all updated) and still this unholy thing remains.  I heard it steals passwords.  The only thing I have come across so far is a not very detailed guide on how to remove its files directly from the registry, however I do not want to mess with that. 

 

Need help asap.

Thanks


:welcome:   Hi.

 

I will be guiding you as we go forward.  I do need to see other diagnostic information from this system, so that I can see about pinning down the source of this issue.
I would like to ask that you always attach any report or file I ask for, from time to time.

What exactly is showing or has reported << PWS:Win32/Zbot >> ?  Is that by any chance at all some odd-page showing on a web browser on-screen?


Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed, please print out these instructions.

  •     Please do not post logs using CODE, QUOTE, or FONT tags. Just always attach files / reports.
  •     Please enable your system to show hidden files: How to see hidden files in Windows
  •     Make sure you're subscribed to this topic:
  •     Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  •     Removing malware can be unpredictable. It is unlikely, but things can go very wrong! Please make sure you back up all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive.
  •     Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  •     The removal of malware is not instantaneous; please be patient. Often we are also in a different Time Zone.
  •     Perform everything in the correct order. Sometimes one step requires the previous one.
  •     If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  •     You can check here if you're not sure if your computer is 32-bit or 64-bit
  •     When we are done, I'll give you instructions on how to clean up all the tools and logs
  •     Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  •     Your topic will be closed if you haven't replied within 3 days.

Please download Farbar Recovery Scan Tool and save it to your desktop.

You may wind up needing to temporarily turn off your antivirus program IF it interferes with the diagnostic tool-reports listed below.

Right-click on the FRST icon and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.
Windows 8 or 10 users will be prompted about Windows SmartScreen protection - click the More info line on that screen and click the Run anyway button on the next screen.
Click YES when prompted by the Windows UAC prompt to allow it to run.

XP users just double-click, and then click run after receipt of Windows Security Warning - Open File.

 

Approve the Windows’ UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. (not on XP systems)

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run.
The first time the tool is run, it also makes another log (Addition.txt). Please attach FRST.txt & Addition.txt along with your next reply.


To answer the first part, I just have this little "flag" icon on the bottom right corner of the screen next to other icons like sound, internet connectivity, etc.  It says that "that" was found on your pc along with a few other issues, although this is the most pressing concern of mine.  I will continue with the rest of what you said to do in a few moments.  


If you simply only just hover the mouse pointer over that icon, what program name or EXE name do you see? Just only hover and see if anything shows. If so, take notes about it.

I see one rogue startup entry. The following steps are intended to help remove it. Please just take your time and do them in the following outlined order. But first, close (EXIT) any of your personal programs that you may have started.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs.
Do NOT turn off the firewall.

Please download Rkill by Grinler and save it to your desktop.

  • Link 2
    Link 3
    Link 4

  • Right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • If your antivirus program gives a prompt message, respond positively to allow RKILL to run.
  • If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL.


IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

NEXT:
I am sending a Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the FIXLIST and select SAVE AS and save it directly (as is) in the same general location as where you have FRST, at the DOWNLOADS folder.

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

RIGHT-click FRST64 and select RUN As Administrator to run the tool. Reply YES to allow it to proceed.
If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.


If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the Fixlog.txt in your reply, plus the rkill.txt log file, which will be on your desktop. Please just attach the files with your reply.

 

Fixlist.txt


Well, when I hover over the icon nothing happens, but when I click on it, one of those "Windows is searching for a solution" screens pops up (which is always unsuccessful in its search). However, after my restart from running those programs, I noticed that I had forgotten to turn off Hitman Pro. Now I have a couple of new startup messages. The Win32/Zbot message is gone, but now there's a "choose an antimalware program" one there. MSE is turned off still.

 

Below are those two files.

Rkill.txt

Fixlog_01-08-2016_09-03-25.txt


Glad to know that <<Win32/Zbot message is gone>>.  That is great.
Note, I only asked for you to hover the mouse.  Not to double click.

The RKILL run is good even if it noted no rogues. I should say, especially since it did not in fact find something.

Take pro-active measures to turn Microsoft Security Essentials back on.
Look at Option # 2 at this link:
http://www.sevenforums.com/tutorials/6397-windows-defender-turn-off.html

Do those tips.
And start MSE. Do an Update check-run.
Then do a Scan with MSE.

And by the way, Hitman Pro should only be used as on-demand.


  • 2 weeks later...

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.