1. (One or several) files appear in the folders %windir%system32 and %AppData%:

• ntos.exe
  
• twex.exe
  
• twext.exe
  
• oembios.exe
  
• sdra64.exe
  
• lowsec\local.ds
  
• lowsec\user.ds
  

%windir%system32 and %AppData% are Microsoft Windows system folders. Respective on the version of the OS installed, the path to these folders may vary:

• Under Windows Vista the full paths to these folders are the following: C:WindowsSystem32 and C:Users\AppData.
  
• Under Windows XP Professional the full paths to these folders are the following: C:WINDOWSsystem32 and C:Documents and Settings\Application Data.
  

2. Links to the suspicious files mentioned above appear in the following system registry keys:

• HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit o
  
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
  

• performs quick system scan for infection
  

• finds and deletes a malicious code of known Trojan-Spy.Win32.Zbot modifications, which spread into other programs launched on the computer.
  

• deletes functionality of malicious programs used to hide malicious files and processes (rootkit).
  

• deletes malicious files and cleans the system registry from activity of Trojan-Spy.Win32.Zbot.
  

1. Download the archive [You must be registered and logged in to see this link.] and extract content into a separate folder on an infected (or potentially infected) computer.
2. Run the file ZbotKiller.exe.
When the scan is over an active window of the command prompt may be displayed on your computer monitor, in order to minimize the window press any button. For the window of the command prompt to close automatically it is recommended to run the utility with the parameter –y.
3. Wait until the scan is complete. No computer reboot is required.

1. Download the utility [You must be registered and logged in to see this link.] and extract content into a separate folder.
2. In Administration Kit console create installation package for application ZbotKiller.exe. In the installation package settings on the Application step select the variant Make installation package for specified executable file.
In the field Executable file command line (optional) define the parameter –y to close the console window automatically once the utility work is over.
3. Create either a global or group task for remote installation of the package to designated computers and run the task. The utility ZbotKiller.exe can be run all computers in your network.
Run the task.

-y - end program without pressing any key
-s - silent mode (without a black window)
-l - write info into a log
-v - extended log maintenance (should be entered with the -l switch)
-help - show additional information about the utility

zbotkiller.exe -y -l report.txt -v