Zbot (Virus Removal Guide) - 2021 update

Zbot Removal Guide

What is Zbot?

Zbot – one of the most impactful Trojans to date

ZbotZbot is a malicious program designed to steal sensitive data from the targeted Windows computer or a network

Zbot is a dangerous trojan horse that mainly focuses on information-stealing – whether it is regular computer users or financial institutions. Additionally, it can be set to perform a variety of malicious activities on a Windows computer, as well as the network. Since its main goal is to steal data, it can harvest and send the following:

  • logins and passwords
  • credit card details
  • banking site information, etc.

Zbot, which is otherwise known as Zeus or Panda banker, is one of the most iconic pieces of malware in history, since it infected millions of computers worldwide and was especially prevalent in Canada, the US, and Europe. Besides, scammers and fraudsters also adapter Trojan's name in their malicious social engineering attacks, trying to mislead users into believing that their systems are infected with Zbot.

Name Zbot
Type Trojan, info-stealer
Also known as Zeus, Panda Banker, Terdot, GameOver Zeus, Zeus Sphinx
Release date 2007
Capabilities Creates a botnet, sends spam, steals banking and other information, etc.
Removal Perform a full system scan with powerful anti-malware, such as SpyHunter 5Combo Cleaner
System fix Malware infections can diminish the performance of your computer or cause serious stability issues. Use FortectIntego to remediate your device and ensure that the virus damage is fixed

As soon as this virus infiltrates the computer, it modifies the system according to its needs. It can drop its own files, modify the registry, and initiate other activities that are needed for it. After doing so, it starts recording the victim's keystrokes and can even take desktop screenshots.

As soon as Zbot gains access to a Windows computer, it establishes a connection with a Command & Control server so it would be able to communicate with the attackers. Thanks to this connection, malware authors can:

  • send the commands remotely;
  • receive harvested information;
  • send updates that include new features.

Zbot is modular malware[1] – it uses the toolkit to create the environment suitable for the infection. The second component of the threat is needed to modify the affected computer according to hackers' needs. At the same time, the Command & Control one was created to ensure full control of the virus.

However, these capabilities are just a fraction of that malware is actually capable of doing. According to Kaspersky researchers, it can also operate as a botnet:[2]

First, it creates a botnet, which is a network of corrupted machines that are covertly controlled by a command and control server under the control of the malware's owner. A botnet allows the owner to collect massive amounts of information or execute large-scale attacks.

Due to these extensive modifications, Zbot removal might be a difficult task, although it can be terminated thanks to powerful security tools, such as SpyHunter 5Combo Cleaner, for example. Additionally, since the virus changes a variety of system settings and files, Windows might start malfunctioning after the Trojan is eliminated. If that is the case for you, you should employ FortectIntego to fix these problems at once.

Zbot scamZbot, otherwise known as Zeus, is often used in tech support scams

Malware is spread via spam emails or similar methods

Zbot Trojan is mostly spread with the help of spam. You may be tricked into downloading this virus on your computer if you fall for a fake message that looks like it was sent by some reputable company.

Such fake mails typically report about nonexistent airline e-tickets, missing deliveries or postal packages, and similar things that can increase the curiosity in people. Here is an example of such malicious message:

——– Original Message ——–
Subject: Ninja Killed – Postal Tracking #PSGMR64782BY2C2
Date: Wed, 15 Apr 2009 16:32:50 +0900
From: United Parcel Service of America [email protected]
To: recipient.com

We were not able to deliver postal package you sent on the 14th of March in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.
Your United Parcel Service of America

What is more, Trojan-Spy.Win32.Zbot.gen has some backdoor functionality and may even record keystrokes.

Beware that such emails are also filled with the link or the attachment, which is supposed to download trojan onto the system. Thus, you should always scan the file with anti-malware software or upload it to online analysis platforms such as Virus Total.

Additionally, researchers also noticed that software vulnerabilities,[3] combined with drive-by downloads, were used to spread this Trojan during its prime.

If you think that your machine was infected by this trojan, you shouldn't waste any minute because you may lose your personal information and other important data.

Remove Zbot virus to ensure your information safety

If you think that your PC is infected with a trojan or other malicious software, you shouldn't waste your time and remove Zbot virus from your system at once. Otherwise, there are lots of malicious activities that can be initiated by such evil programs. They can try to steal your personal information, disable legitimate software, and can even try to infect your computer with other cyber threats.

In order to perform a full Zbot removal, you should employ powerful security software. If malware is interfering with this process, you should access Safe Mode, as explained below. It is also advisable to change all your passwords on all accounts and monitor your online banking to prevent financial theft.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Zbot. Follow these steps

Manual removal using Safe Mode

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Zbot using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Zbot. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Zbot removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Zbot and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting trojans

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions

Removal guides in other languages