
How to detect and remove Citadel Malware

Release Date: 7 Jun 2013

If you are worried that your computer is infected with Citadel malware, you can download Microsoft Safety Scanner from Microsoft and run a full system scan.


  1. Click "Download Now" to download Microsoft Safety Scanner.

  2. Double-click msert.exe to run it, select the "Accept all terms of the preceding license agreement" check box, then click "Next".

  3. Select “Full scan” and click “Next” to start scanning

  4. Scanning in progress

  5. Scanning was completed and no viruses, spyware, and other potentially unwanted software were detected.

  6. If your computer is infected with Citadel malware, the scanner will detect and remove it.
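
The same full scan can be run unattended, which is useful when several machines need checking. The script below is an added example, not part of the original HKCERT guidance; it assumes msert.exe was saved to the current user's Downloads folder, and it uses the scanner's command-line switches and the log it writes under %SystemRoot%\debug.

```powershell
#Requires -RunAsAdministrator
# Added example: unattended equivalent of the GUI steps above.
# Assumption: msert.exe was saved to the current user's Downloads folder.
$scanner = Join-Path $env:USERPROFILE 'Downloads\msert.exe'
$log     = Join-Path $env:SystemRoot 'debug\msert.log'

if (-not (Test-Path -LiteralPath $scanner)) {
    throw "Scanner not found at $scanner"
}

# Refuse to run a download that is not validly signed by Microsoft.
# (Assumption: the signer subject contains "O=Microsoft Corporation".)
$sig = Get-AuthenticodeSignature -FilePath $scanner
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signature on ${scanner}: $($sig.Status)"
}

# /F:Y = full scan and automatically clean infected files; /Q = quiet mode (no UI).
$proc = Start-Process -FilePath $scanner -ArgumentList '/F:Y', '/Q' -Wait -PassThru
Write-Output "msert.exe exit code: $($proc.ExitCode)"

# The scanner appends a results summary for each run to this log.
if (Test-Path -LiteralPath $log) {
    Get-Content -LiteralPath $log -Tail 30
} else {
    Write-Warning "No log found at $log"
}
```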

HKCERT received and analyzed some samples of Citadel malware. The preliminary results show that most anti-malware software is able to detect Citadel malware. You can refer to the links below:


Sample 1:


Sample 2:


Sample 3:


Sample 4:


Sample 5:


Sample 6:


Sample 7:


Different security vendors may use different naming standards. You may refer to the table below for the aliases of Citadel malware.


 Security Vendor | Aliases of Citadel Malware

 Win32:Spyeye-AGL [Trj]
 Win32:Cutwail-BM [Trj]
 Win32:Injector-AXW [Trj]
 Win32:Zbot-QEP [Trj]
 Win32:Crypt-OZC [Trj]

 Avira (AntiVir)

 a variant of Win32/Injector.XNG
 a variant of Win32/Injector.AALK
 a variant of Win32/Injector.AAHY
 a variant of Win32/Injector.AAHE
 a variant of Win32/Kryptik.ASFX
 a variant of Win32/Injector.AEDR

 Generic PWS.y!1tc
 Generic PWS.y!1s3