How to Detect a Zbot

By Leanne Canirs

Zbot is a banking Trojan that also goes by the names Zeus, WSNPOEM, NTOS and PRG. Once the Trojan is downloaded onto your computer, it runs in the background, recording every keystroke you type. The recorded information can be used to steal passwords, credit card information, Social Security numbers or money from bank accounts. Because Zbot runs under multiple names, many anti-virus programs have trouble detecting and removing the Trojan. Fortunately, Zbot gives off several hints that it is installed on your computer.

Step 1

Click the "Start" button, then "Search." Search your computer for the following file names: NTOS.EXE, LD08.EXE, LD12.EXE, PP06.EXE, PP08.EXE, LDnn.EXE and PPnn.EXE. The Zbot virus file will be between 40 KB and 150 KB in size. If you see a suspicious file that matches this description, your computer may be infected.

Step 2

Search for a file named "WSNPOEM." This file is commonly installed on a computer once Zbot has been downloaded.

Step 3

Watch for any alerts telling you that there have been changes made to your computer's registry. Zbot installs itself in the registry so the program can start running as soon as the computer turns on. Many anti-spyware or anti-malware programs will alert you to this change as soon as it happens.

Step 4

Open your computer's registry by clicking the "Start" button, then typing "regedit" into the Run box. Navigate to the path "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit." Search through the list and see if there is a file titled "Ntos." If the file exists, your computer is infected with Zbot.

Step 5

Watch for any suspicious Internet behavior. For example, while you're visiting your bank's website, the bank may suddenly ask you to type your password multiple times or provide your Social Security number.

Download an anti-virus program such as AVG, Avast! or McAfee. Restart your computer in safe mode by tapping "F8" after your computer beeps. Open the anti-virus program and select "Full Scan" when prompted. Some up-to-date anti-virus programs will alert you if Zbot has been found on your computer.
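
The file and registry checks from Steps 1, 2 and 4 can also be run as one script. The PowerShell below is an added example, not part of the original article; the scan root, the two-digit reading of "nn," and the reporting of folders as well as files named WSNPOEM are assumptions.

```powershell
# Added example, not from the original article. File names, size range and
# registry path come from Steps 1, 2 and 4; everything else is an assumption.
# Requires PowerShell 3.0 or later.
param(
    # Assumption: scan the whole system drive ("search your computer").
    [string[]]$Roots = @("$env:SystemDrive\")
)

# Step 1 names; "nn" in LDnn.EXE / PPnn.EXE is assumed to mean two digits.
$exePattern = '^(NTOS|LD\d{2}|PP\d{2})\.EXE$'
$minBytes = 40KB
$maxBytes = 150KB

$findings = @(foreach ($root in $Roots) {
    # -Force also lists hidden and system items; unreadable folders are skipped.
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if (-not $_.PSIsContainer -and $_.Name -match $exePattern -and
                $_.Length -ge $minBytes -and $_.Length -le $maxBytes) {
                [pscustomobject]@{ Check = 'Step 1'; Item = $_.FullName
                                   Detail = "$($_.Length) bytes" }
            }
            elseif ($_.Name -match '^WSNPOEM(\.|$)') {
                # Assumption: report folders as well as files with this name.
                [pscustomobject]@{ Check = 'Step 2'; Item = $_.FullName
                                   Detail = 'name matches WSNPOEM' }
            }
        }
})

# Step 4: read the Userinit value under Winlogon and flag any entry naming "ntos".
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit `
                 -ErrorAction SilentlyContinue).Userinit
foreach ($entry in ("$userinit" -split ',')) {
    if ($entry -match '\bntos\b') {
        $findings += [pscustomobject]@{ Check = 'Step 4'; Item = "$winlogon\Userinit"
                                        Detail = $entry.Trim() }
    }
}

if ($findings.Count -eq 0) {
    'No indicators from Steps 1, 2 or 4 were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

An empty result only means these particular names were not present; the behavior checks in Steps 3 and 5 and the full scan still apply.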