W32.Mabezat.B is a computer worm. It can infect executable files and encrypt data files.
Remove ZPharaoh.exe From Task Manager. Right-click the taskbar and select Task Manager from the menu that appears. Under the Processes tab, right-click the unwanted process and then click End process. Remove ZPharaoh.exe Trojan virus From Registries.
W32.Mabezat.B may spread via removable drives and shared folders. It makes changes to the Windows registry that may disable certain functions.
This worm takes advantage of the Autorun feature in Windows to execute itself when the drive is accessed. The same technique is used to spread a copy to network computers and drop a copy on network shares.
Alias: Worm.Win32.Mabezat.b, W32/Mabezat, PEMABEZAT.B-O, W32/Mabezat-B
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista

Characteristics
Upon execution, this worm drops multiple files under the Documents and Settings and User Profile folders. It also creates additional folders and files in the same locations. When the computer’s Autorun feature is active, the worm uses that function as a method to spread itself. If the worm senses that Autorun is disabled, it deletes the following registry entry to reset the configuration.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

Next, W32.Mabezat.B will set file attributes to hide system files through this registry key.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
”ShowSuperHidden” = “0”

The worm looks for shared folders and drives on the network, and drops a copy of the following files.

DRIVE:\zPharaoh.exe
DRIVE:\autorun.inf

If it senses that the network is protected with a password, the worm will force its entry by using a default user name and a generated key. W32.Mabezat.B also searches the compromised PC for .exe files. It encrypts the original file and replaces it with a copy of the worm.

Distribution
This worm typically spreads via spam email messages. It is attached as an executable file or as RAR compressed data. When activated, it uses the infected computer to mass-mail a copy of itself to contacts found in the victim’s address book.
Here are some samples of the fraudulent email generated by W32.Mabezat.B.

Subject: hi
Attachment: notes.rar
Body: Unfortunately, I received unformatted email with an attached file from you. I couldn’t understand what is behind the words. I wish you next time send me a readable file! I forwarded the attached file again to evaluate yourself.

Subject: Web designer vacancy
Attachment: JobDetails.rar
Body: Fortunately, we have recently received your CV/Resume from moister web site and we found it matching
Thanks & Regards, Ajy Bokra

Subject: MBA new vision
Attachment: Marketing.rar
Body: MBA (Master of business administration ) one of the most required degree around the world. We offer [email protected].

NOTE: We suggest that you this guide. Some steps may require restarting the computer in order to successfully remove the threat.

Step 1: Scan and remove W32.Mabezat.B with MalwareBytes Anti-Malware
This guide requires a tool called Malwarebytes' Anti-Malware. It is a free tool designed to eradicate various computer infections including W32.Mabezat.B.
The MBAM scanner and malware removal tool is distributed for free. In order to completely remove W32.Mabezat.B, it is best to download and run the recommended tool.

After downloading, double-click on the file to install the application. If you are using Windows Vista or a higher version, right-click on the file and select 'Run as administrator' from the list. When User Account Control prompts, click Yes to proceed with the installation.

Follow the prompts and install as 'default' only. No changes are needed during the installation process.

Before the installation procedure ends, MalwareBytes Anti-Malware will ask whether you want to launch the application. Leave the check mark on Launch Malwarebytes Anti-Malware. Lastly, click the Finish button.

Malwarebytes Anti-Malware will launch for the first time. It is necessary to proceed with the database update.

Remove all media such as Memory Card, CD, DVD, and USB devices. Then, restart the computer.

Boot in Safe Mode on Windows XP, Windows Vista, and Windows 7 systems
a) Before Windows begins to load, press F8 on your keyboard.
b) It will display the Advanced Boot Options menu. Select Safe Mode.

Start computer in Safe Mode using Windows 8 and Windows 10
a) Close any running programs on your computer.
b) Get ready to start Windows. On your keyboard, press and hold the Shift key and then click on the Restart button.
c) It will prompt you with options; click on the Troubleshoot icon.
d) Under the Troubleshoot window, select Advanced Options.
e) On the next window, click on the Startup Settings icon.
f) Lastly, click on the Restart button on the subsequent window.
g) When Windows restarts, it presents startup options numbered 1 - 9. Select 'Enable Safe Mode with Networking' or number 5.
h) Windows will now boot in Safe Mode with Networking. Proceed with the virus scan as the next step.

Once Windows is running in Safe Mode, find the icon of MalwareBytes Anti-Malware. Double-click to launch the program.

Choose Threat Scan on the scanner's console to ensure that it thoroughly checks the PC for any presence of W32.Mabezat.B and other forms of threats. Click the Start Scan button to begin.

Once the scan has completed, Malwarebytes Anti-Malware will issue a list of identified threats. Mark all threats and click on Remove Selected.

If it prompts you to restart the computer, reboot Windows normally.

Step 2: Run a scan with your antivirus program
Repeat the process of starting Windows in Safe Mode with Networking.

Open your antivirus program and download the most recent update. This method ensures that your antivirus program can detect even newer variants of W32.Mabezat.B. Updating your antivirus software is a one-click process. Please refer to your software manual for complete instructions.

Once updating is finished, run a full system scan on the affected PC. After the scan, delete all infected items. If an item cannot be cleaned or deleted, place the threat in quarantine.
Step 3: Run another test with online virus scanner
Another way to remove W32.Mabezat.B without installing additional antivirus software is to perform a thorough scan with a free online virus scanner. These can be found on the websites of legitimate antivirus and security providers.

Choose your desired provider. You can run each scan individually, one at a time, to ensure that all threats are removed from the computer. This may require plug-ins, add-ons or an ActiveX object; install them if you want to proceed with the scan.

After completing the necessary download, your system is ready to scan for and remove W32.Mabezat.B and other kinds of threats. Select an option that scans the computer thoroughly, so that it finds and deletes all infections not detected by the previous scans. Remove or delete all detected items.
When scanning is finished, you may now restart the computer in normal mode.

Alternative Removal Procedures for W32.Mabezat.B

Option 1: Use Windows System Restore to return Windows to previous state
During an infection, W32.Mabezat.B drops various files and registry entries. The threat intentionally hides system files by setting options in the registry. With these rigid changes, the best solution is to return Windows to a previous working state through System Restore. To verify whether System Restore is active on your computer, follow the instructions below to access this feature.

How to Access System Restore on Windows XP, Windows Vista, and Windows 7
a) Go to the Start Menu, then in the 'Run' or 'Search Program and Files' field, type rstrui.
b) Then, press Enter on the keyboard to open System Restore Settings.

How to Open System Restore on Windows 8
a) Hover your mouse cursor over the lower left corner of the screen and wait for the Start icon to appear.
b) Right-click on the icon and select Run from the list. This will open a Run dialog box.
c) Type rstrui in the 'Open' field and click on OK to initiate the command.

If a previous restore point is saved, you may proceed with Windows System Restore. To see the full procedure.

Option 2: W32.Mabezat.B manual uninstall guide
IMPORTANT! Manual removal of W32.Mabezat.B requires technical skills.
Deleting system files and registry entries by mistake may render the Windows system completely unusable. We advise you to back up the registry before proceeding with this guide.

Kill any running process that belongs to W32.Mabezat.B. Press Ctrl+Alt+Del on your keyboard. When Windows Task Manager appears, look for W32.Mabezat.B files (refer to Technical Reference) and click End Process.

Delete all registry entries that belong to this malware. Press Windows Key+R on your keyboard. In the 'Open' dialog box, type regedit and press Enter. This will open the registry editor. Find and delete the registry entries mentioned in the Technical Reference section. Close the registry editor. Changes made will be saved automatically.

Scan the computer with an antivirus program. Connect to the Internet and open your antivirus software. Update it to obtain the latest database and necessary files.

Restart the computer in Safe Mode. Just before the Windows logo begins to load, press F8 on your keyboard. On Windows Advanced Boot Options, select Safe Mode and press Enter.

Delete all files dropped by W32.Mabezat.B. While still in Safe Mode, search for and delete the malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.

Associated Files and Folders:
%SystemDrive%\Documents and Settings
%SystemDrive%\Documents and Settings\hook.dl
%UserProfile%\Start Menu\Programs\Startup\zPharoh.exe
%SystemDrive%\Documents and Settings\tazebama.dll
%SystemDrive%\Documents and Settings\USER NAME\Application Data\tazebama
%SystemDrive%\Documents and Settings\USER NAME\Application Data\tazebama\tazebama.log
%SystemDrive%\Documents and Settings\USER NAME\Application Data\tazebama\zPharaoh.dat
DRIVE:\zPharaoh.exe
DRIVE:\autorun.inf
Network\My documents.exe
Network\Readme.doc.exe
Network\My Documents SPACES.exe

File Location for Windows Versions:
%UserProfile% for Windows Vista/7 is C:\Users; for Windows XP/2000 this is C:\Documents and Settings.
%System% for all versions of Windows is located under C:\Windows\System32.

Ways to Prevent W32.Mabezat.B Infection
Take the following steps to protect the computer from threats. Suggested tools and the security setup within installed software help prevent the same attack on your PC.

Install an effective anti-malware program
Your first line of defense would be an effective security program that provides real-time protection.
We have a that are tried and tested. It not only scans files but also monitors your Internet traffic and is extremely active in blocking malicious communication.

Always update your installed software
Software vendors constantly release updates for programs whenever a flaw is discovered. Getting the updates makes the computer more secure and helps prevent Trojan, virus, malware, and W32.Mabezat.B-like attacks. If your program is not set for automatic updates, they are usually offered on the vendor's web site, where you can download them anytime.

Maximize the security potential of your Internet browser
Each browser has its own features that let you adjust the security settings to fit your browsing habits. We highly encourage you to maximize the setup to tighten the security of your browser.

Apply full caution when using the Internet
The Internet is full of fraud, malware, and many forms of computer threats including W32.Mabezat.B. Exercise full caution with links that you receive in emails, on social networking sites, and in instant messaging programs. They might lead you to malicious sites that can cause harm to your computer. Avoid strange web sites that offer free services and software downloads.
We have tried this and it works on Windows 2000/XP; don't know if it will work on server.
1. Download removal tool from and save it on your Desktop.
2. After downloading, double-click on to install the application.
3. Follow the prompts and install as “default” only.
4. If it prompts to update the database after installation, please proceed.
5. Click “Finish.” The program will run automatically and you will be prompted to update the program before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click on “Show Results”.
8. Make sure that all detected threats are marked, then click on Remove Selected.
9. Restart Windows.

I followed through all the procedures, only that I didn’t find the system restore tab on the properties of my computer, and I even couldn’t use the Microsoft guide to get to it. However, I ran msconfig, went to the system utility, and unchecked the system restore service. Then I followed through the steps, but again couldn’t find the
–%SystemDrive%\Documents and Settings\tazebama.dl
–%SystemDrive%\Documents and Settings\hook.dl
–%UserProfile%\Start Menu\Programs\Startup\zPharoh.exe
–%SystemDrive%\Documents and Settings\tazebama.dll
– DRIVE:\zPharaoh.exe
– DRIVE:\autorun
So I guessed it hadn’t created those, or my Eset NOD32 had deleted them; therefore I just continued with the procedures to the end. Somebody advise otherwise where need be, please.

Hi, You will not beat this virus if you do not remove some of its files that were system, hidden and read-only. You have to do it manually by going to the following drives:
–%SystemDrive%\Documents and Settings
–%UserProfile%\Start Menu\Programs\Startup
– RootDrive:
– USB Drive:
1. Go to Start > Run and type “cmd” for the command prompt.
2. On each drive, type “attrib” to view attributed files.
3. To remove the attributes, type “attrib -s -h -r filename”.
4. Delete the file: “del filename”.
5. After deleting all files, scan your computer with antivirus programs.

I got infected too. But before you do all these, you have to stop it first. Open Notepad, and save the following as .bat: TASKKILL /F /IM “tazebama.dl” %SystemDrive%\Documents and Settings\tazebama.dl %SystemDrive%\Documents and Settings\hook.dl %UserProfile%\Start Menu\Programs\Startup\zPharoh.exe %SystemDrive%\Documents and Settings\tazebama.dll c:-dir/ah attrib -s -h -r C:\autorun.inf attrib -s -h -r C:\zPharaoh.exe del c:\autorun.inf del c:\zPharaoh.exe Depending on your drive letters, re-type the last 5 lines and consider changing the drive letter.

When the virus Win32/Mabezat is executed, this worm drops the following files:
C:\Documents and Settings\tazebama.dl
C:\Documents and Settings\hook.dl
C:\Start Menu\Programs\Startup\zPharoh.exe
C:\Documents and Settings\User Name\Application Data\tazebama\zPharaoh.dat
C:\Documents and Settings\My Documents\readme.doc.exe
Drive Letter c: zPharaoh.exe
Drive Letter d: zPharaoh.inf

Method of Infection
This worm spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”. Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.
Description
This description is for a worm that is capable of spreading through removable devices and network shares. The characteristics of this worm with regard to file names, folders created, etc. will differ from one version to another. Hence, this is a general description.

Indication of Infection
Presence of the files and registry entries mentioned earlier.
Presence of the following autorun.inf file on the root of removable, fixed and network drives:

Methods of Infection
This worm spreads by copying itself to network shares and to removable devices, along with an “Autorun.inf”. Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.

Virus Characteristics
When executed, this worm drops the following files:
C:\Documents and Settings\tazebama.dl
C:\Documents and Settings\hook.dl
C:\Start Menu\Programs\Startup\zPharoh.exe
C:\Documents and Settings\User Name\Application Data\tazebama\zPharaoh.dat
C:\Documents and Settings\My Documents\readme.doc.exe
Drive Letter:\zPharaoh.exe
Drive Letter:\zPharaoh.inf

Note: The above files may have their attributes changed to hidden and system, in order to make these files harder to find.

The worm then modifies the following registry entry to reset the drive autorun settings:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 'NoDriveTypeAutoRun'

The worm then copies itself to all removable devices and open network shares along with an autorun.inf file. It also searches for executable files on the machine and infects them. While doing this, it ensures that the icons of the original executables are maintained.
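
The registry values and dropped files described on this page can be checked in one pass before and after cleanup. The PowerShell below is an added example, not part of the original page or of any vendor tool; it only reads and reports. The path separators are reconstructed from the page's flattened listings, and the idea that the dropped autorun.inf mentions zPharaoh is an assumption.

```powershell
# Added example, not from the original page: read-only triage for the
# W32.Mabezat.B artefacts this page lists. It reports and changes nothing.
$findings = New-Object System.Collections.Generic.List[string]

# Registry values the page says the worm touches (HKEY_CURRENT_USER).
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ssh = (Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue).ShowSuperHidden
$ndt = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

# Both states also occur on clean machines (0 is the Windows default for
# ShowSuperHidden), so they are context for the file hits, not a verdict.
if ($ssh -eq 0)     { $findings.Add('INFO  ShowSuperHidden = 0 (protected system files are hidden)') }
if ($null -eq $ndt) { $findings.Add('INFO  NoDriveTypeAutoRun is not set under HKCU Policies\Explorer') }

# Dropped files and folders, using the names exactly as the page spells them.
$docs    = Join-Path $env:SystemDrive 'Documents and Settings'
$startup = [Environment]::GetFolderPath('Startup')   # resolves on XP and later
$paths = @(
    (Join-Path $docs 'tazebama.dl'),
    (Join-Path $docs 'tazebama.dll'),
    (Join-Path $docs 'hook.dl'),
    (Join-Path $startup 'zPharoh.exe'),
    (Join-Path $startup 'zPharaoh.exe'),
    (Join-Path $env:APPDATA 'tazebama')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p -ErrorAction SilentlyContinue) { $findings.Add("FILE  $p") }
}

# Root of every mounted drive: the worm's copy and its autorun.inf.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $exe = Join-Path $d.Root 'zPharaoh.exe'
    $inf = Join-Path $d.Root 'autorun.inf'
    if (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue) { $findings.Add("FILE  $exe") }
    # Assumption: a dropped autorun.inf names the worm's executable, so a
    # legitimate autorun.inf (for example on an installer disc) is not flagged.
    if ((Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) -and
        (Select-String -Path $inf -Pattern 'zPharaoh' -SimpleMatch -Quiet -ErrorAction SilentlyContinue)) {
        $findings.Add("FILE  $inf (references zPharaoh)")
    }
}

$fileHits = @($findings | Where-Object { $_ -like 'FILE*' }).Count
$findings
"{0} file artefact(s) found" -f $fileHits
```

Run it once per user profile, since the registry values and the Startup and Application Data paths are per-user. Test-Path sees hidden and system files, so the attribute changes the worm makes do not hide its files from this check.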