Thursday, April 17, 2014

Remove Strong Trojan Win32/Spy.Zbot.YW that Steals Passwords



Trojan Win32/Spy.Zbot.YW Troubles

  1. Considerably increased CPU consumption.
  2. Snail-like PC performance.
  3. Error messages that cause programs to malfunction.
  4. Freezes and crashes of both the computer and the browsers.
  5. Additional infections or unknown items detected soon after its infiltration.
Not all of the troubles listed above will be noticed by a victim; it depends on the level of privileges. Win32/Spy.Zbot.YW injects itself into one of two processes. If the account has administrative privileges, the threat injects itself into winlogon.exe; if not, it attempts the same with explorer.exe. The threat also injects code into svchost.exe, which it later uses when stealing banking information. The more privileges the Trojan gets, the more processes it can put to its use, and the more troubles it will cause.

Where Does Win32/Spy.Zbot.YW Come From?

Q: Supposedly the alert about Win32/Spy.Zbot.yw came up once the computer was turned on and Outlook opened, and nothing else was done. Then where would the infection have come from, if not from some clickable link in an email or a webpage?

A: Spreading through emails and through strange links sent over instant chat tools are the ways known to everyone, so PC users take much precaution against them. To propagate itself and steal as much confidential information as possible to earn money for its maker, Win32/Spy.Zbot.yw, a Trojan, switches to other strategies such as the following:
  1. Taking over browser hijackers or other BHO applications so that its code is preloaded when the browser is started.
  2. Exploiting vulnerabilities in scripts, installed programs or the system, backdoors in loosely programmed software mounted on your computer, and bugs in some ads or installed applications.
  3. Piggybacking on rogueware such as Windows Efficient Kit.

How Dangerous Is Trojan Win32/Spy.Zbot.YW?

The moment it manages to open a door onto a machine, Win32/Spy.Zbot.YW enumerates the drivers, especially those of security services and utilities, in order to overwrite them with malicious code so that the Trojan horse can reach deeper into more files and processes. So Trojan Win32/Spy.Zbot.YW packs both file-infection and process-infection capabilities, and it is the process-infection component that produced the detection you see. It would be surprising if this were not accompanied by a file-based detection at the same time.

With overridden services, Win32/Spy.Zbot.YW manages to do what it wants without being deterred by the system or the built-in security defenses, such as:
  1. Tracking the victim's online whereabouts through explorer.exe.
  2. Using winlogon.exe to collect confidential information stored on the computer and in some temp files.
  3. Using explorer.exe to open seldom-used ports as a backdoor, invisible to the victim, for uploading information and receiving new commands.
Note that such a backdoor can generate extra money for Win32/Spy.Zbot.YW's maker: by helping other infections get onto a target machine, the maker earns a profitable commission.

Manual Removal Is Recommended

The following threat alerts about the Spy.Zbot.YW Trojan are what the installed anti-virus program gives:

Name                                                                                  | Threat                                | Action                            | Information
Operating memory » explorer.exe(764)                                                  | a variant of Win32/Spy.Zbot.ZR trojan | unable to clean                   |
Operating memory » C:\Documents and Settings\Jason\Application Data\Uvug\riwuylm.exe  | a variant of Win32/Spy.Zbot.YW trojan | cleaned by deleting - quarantined |
Operating memory » userinit.exe(1812)                                                 | a variant of Win32/Spy.Zbot.YW trojan | unable to clean                   |

Obviously the security utilities are not able to remove the Trojan horse automatically. Why?

The reasons are the modifications to services and the file-based infection that accompanies them. Besides, anyone well equipped with computer skills and virus knowledge would notice that there are items resembling system ones. This is also how Spy.Zbot.YW manages to confuse a compromised machine and dodge automatic removal. Therefore, the manual removal method is recommended.

Follow the steps below to help yourself. Should you encounter unexpected issues in the middle of the removal, you are welcome to contact Global PC Support for one-to-one assistance by starting a live chat window here.

Manual Way to Remove Trojan Win32/Spy.Zbot.YW

1. Turn off the System Restore function first, as Trojan Win32/Spy.Zbot.YW could inject its vicious code into every restore point it detects and restore itself automatically after an incomplete removal.

2. Enter Safe Mode, run a full scan with the anti-virus program, and note down the path names pointing to Trojan Win32/Spy.Zbot.YW.

Windows 7/Vista/XP
Restart the affected computer > keep tapping the F8 key while the computer is booting > select 'Safe Mode' on the 'Windows Advanced Options Menu' screen > press Enter.

Windows 8
Restart the affected computer > hold the Shift key and keep tapping the F8 key while the computer is booting > 'See advanced repair options' > 'Troubleshoot' > 'Advanced Options' > 'Windows Startup Settings' > 'Restart' button.

3. End the running processes related to Trojan Win32/Spy.Zbot.YW according to the path names shown in Task Manager and System Information respectively.

Open Task Manager > View > Select Columns > tick "PID" and "Path Name" > open System Information > end any process whose path name points to Trojan Win32/Spy.Zbot.YW's path or to a path that does not belong to the system.
(Tip: also note the services pointing to Trojan Win32/Spy.Zbot.YW's path or to a path that does not belong to the system; they are needed in step 5.)

4. Unhide all hidden items and remove the items generated by Trojan Win32/Spy.Zbot.YW from the local disk.

Windows 7/XP/Vista - Control Panel > User Accounts and Family Safety > Folder Options > View tab > tick 'Show hidden files and folders' > untick 'Hide protected operating system files (Recommended)' > OK.

Windows 8 - Windows Explorer > View tab > tick 'File name extensions' and 'Hidden items' > OK.
  • Open the detected path and remove all the items there.
  • Open the following folders and remove the items generated on the day Trojan Win32/Spy.Zbot.YW was first detected:
C:\Users\[your username]\Documents\
C:\Program Files\

5. Open the Registry Editor to remove the services generated by Trojan Win32/Spy.Zbot.YW that were found in step 3.

Press the Win key and R key together > type "regedit" > press Enter > press Ctrl and F together > in the Find box type the name of a detected service > click the Find button > remove any items found.

6. Remove the restore files that help Trojan Win32/Spy.Zbot.YW recover from removal.

Press Win+R > in the Run box type "CMD" > press Enter > type "attrib -h -r C:\_RESTORE" > press Enter > type "del C:\_RESTORE" > press Enter.
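The checks that steps 3 to 5 above, and the backdoor behaviour described earlier, have you perform by hand can be gathered in one read-only pass. The script below is an added example written for this page; it is not code from the original post and not a tool of any vendor named here. It lists processes and listening TCP ports owned by binaries outside the Windows and Program Files trees, files created on the day the alert first appeared in the folders step 4 names, and Run/RunOnce values and services pointing outside those trees. It deletes and terminates nothing. It assumes Windows 8 / Server 2012 or later with PowerShell 3 or newer, run from an elevated prompt; the date in $FirstSeen is a placeholder to replace, and the function names (Test-InSystemRoot, Get-ImagePath, Get-OddProcesses, Get-ListenerReport, Get-FilesCreatedOn, Get-OddAutostarts) are my own.

```powershell
# Added example, not code from the original post. A read-only triage pass that
# gathers what the post has you look for by hand: processes and listening ports
# owned by binaries outside the Windows / Program Files trees (the backdoor
# behaviour and step 3), files created on the day the alert first appeared in
# the folders of step 4, and Run/RunOnce values and services pointing outside
# those trees (step 5). Nothing is ended or deleted; review the output first.
# Assumes Windows 8 / Server 2012 or later with PowerShell 3+, elevated prompt.

# Placeholder: set this to the day the Trojan was first detected on the machine.
$FirstSeen = (Get-Date '2014-04-17').Date

# Directories a legitimate Windows or installed-program binary normally lives under.
$SystemRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() + '\' }

function Test-InSystemRoot {
    param([string]$Path)
    if (-not $Path) { return $false }   # unreadable path: keep it in the review list
    $p = $Path.ToLowerInvariant()
    foreach ($root in $SystemRoots) { if ($p.StartsWith($root)) { return $true } }
    return $false
}

# Pulls the executable out of a command line such as  "C:\x\y.exe" -k foo
function Get-ImagePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"?(?<exe>[^"]+?\.exe)') { return $Matches['exe'] }
    return $CommandLine
}

# Step 3: processes not running from a system directory. explorer.exe, winlogon.exe
# or svchost.exe with code injected into them keep their genuine path, so they
# will not appear here; this finds the dropper on disk, not the injected code.
function Get-OddProcesses {
    Get-Process | Where-Object { -not (Test-InSystemRoot -Path $_.Path) } |
        Select-Object Id, ProcessName, Path
}

# Backdoor check: every listening TCP port with its owning process and image path.
function Get-ListenerReport {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $path = if ($proc) { $proc.Path } else { $null }
        [pscustomobject]@{
            Address    = $_.LocalAddress
            Port       = $_.LocalPort
            ProcessId  = $_.OwningProcess
            Process    = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path       = $path
            Suspicious = -not (Test-InSystemRoot -Path $path)
        }
    }
}

# Step 4: files created on $Day under the user's profile folders and Program Files.
function Get-FilesCreatedOn {
    param([datetime]$Day)
    $folders = @("$env:USERPROFILE\Documents", $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramFiles)
    Get-ChildItem -Path $folders -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime.Date -eq $Day.Date } |
        Select-Object FullName, CreationTime, Length
}

# Step 5: Run/RunOnce values and services whose image is outside a system directory.
function Get-OddAutostarts {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if (-not (Test-InSystemRoot -Path (Get-ImagePath -CommandLine $cmd))) {
                [pscustomobject]@{ Source = $key; Name = $name; Command = $cmd }
            }
        }
    }
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        if (-not (Test-InSystemRoot -Path (Get-ImagePath -CommandLine $_.PathName))) {
            [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
        }
    }
}

'== Processes outside system directories (step 3) =='
Get-OddProcesses | Format-Table -AutoSize
'== Listening TCP ports, suspicious first (backdoor check) =='
Get-ListenerReport | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
"== Files created on $($FirstSeen.ToShortDateString()) (step 4) =="
Get-FilesCreatedOn -Day $FirstSeen | Format-Table -AutoSize
'== Run/RunOnce values and services outside system directories (step 5) =='
Get-OddAutostarts | Format-Table -AutoSize -Wrap
```

Two things to keep in mind when reading the output. Entries with no readable image path (the System and Idle processes, protected processes) are flagged as suspicious because the script cannot prove them clean, so expect a few such rows on every machine. And because the Trojan injects into explorer.exe, winlogon.exe and svchost.exe, those processes show their genuine system path and pass the path check; what this pass surfaces is the dropper on disk and its autostart entry, like the riwuylm.exe under Application Data\Uvug in the anti-virus log above, which is exactly the kind of item steps 3 to 5 have you remove.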

If one reads the preceding paragraphs in depth, one should be clear that there is a big chance for Trojan Win32/Spy.Zbot.YW to bring in additional infections, Trojans in particular. But what the Trojan horse brings in cannot be ascertained in advance. Therefore, it is impossible to offer instructions for removing the additional infections and their troubles here. If, unfortunately, that is the case you are now in, you may need to seek the corresponding solution in the virus reservoir or simply get specialized technical help by live chatting with a senior technician from VilmaTech Online Support.
