Trojan-Spy.Win32.Zbot: How to Remove Trojan-Spy.Win32.Zbot?

Trojan-Spy.Win32.Zbot is a spyware virus that is designed to gather information from the computer and steal sensitive information.






Analysis date: 26th, July, 2013

Risk Impact/Damage: High


Behavior and damage of Trojan-Spy.Win32.Zbot:


• Creates registry entries: HKEY_CURRENT_USER\Software\Microsoft\Zokiixky



• Creates a [*Random*].exe file under %APPDATA%\[*Random*]\


Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is “C:\Documents and Settings\<user>\Application Data”. For Windows Vista, 7, and 8, the default location is “C:\Users\<user>\AppData\Roaming”.



• Starts alupim.exe


Behavior and analysis of the alupim.exe virus:


• Creates registry entries under: HKEY_CURRENT_USER\Software\Microsoft\Zokiixky



• Hijacks a system process: it obtains explorer's access permissions to replace its own, copies itself into explorer, and runs from there.




• Copies its handle to other running processes to avoid being deleted.


• Adds a registry entry:


C:\Documents and Settings\Administrator\Application Data\Adcaub\ixka.exe


How to Remove Trojan-Spy.Win32.Zbot?


Automatic Removal Tool: Anvi Smart Defender


If you are infected with Spy.Win32.Zbot, we recommend that you run a full system scan. Alternatively, you can try the manual method below.


1. Boot your computer into safe mode or safe mode with networking;

2. Go to C:\Documents and Settings\Administrator\Application Data\, search for the randomly named .exe file, and delete it.

3. Click the Start menu, click Run, type “regedit”, and edit the following registry entries.

 Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ and delete the registry entry for the randomly named file.
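
To help with step 3, here is an added example (not part of the original article) that scans the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` for values that launch an .exe exactly one folder below %APPDATA%, the file layout described above. The sample output and value names are constructed, and matches are only candidates for review, since legitimate software can use the same layout.

```python
import re

# Run-key data that starts an .exe exactly one folder below %APPDATA%, using
# the default %APPDATA% locations given in the note above.
APPDATA_EXE = re.compile(
    r'^"?(?:%APPDATA%'
    r'|[A-Za-z]:\\Documents and Settings\\[^\\]+\\Application Data'
    r'|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming)'
    r'\\(?P<folder>[^\\"]+)\\(?P<exe>[^\\"]+\.exe)"?(?:\s|$)',
    re.IGNORECASE,
)
# A value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r'^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$')

# Constructed sample output; only the ixka.exe path is taken from the article.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Vendor Tray    REG_SZ    "C:\Program Files\Vendor\tray.exe" /min
    Ixka    REG_SZ    C:\Documents and Settings\Administrator\Application Data\Adcaub\ixka.exe
    Deep App    REG_SZ    "C:\Users\alice\AppData\Roaming\Vendor\App\app.exe" --min
    Update Helper    REG_EXPAND_SZ    %APPDATA%\Qwzx\uvab.exe
'''

def suspicious_run_entries(reg_query_output):
    """Return (value_name, folder, exe) for each Run value whose command
    starts an .exe sitting exactly one folder below %APPDATA%."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        # Only string values can hold a command line; skip headers and other types.
        if not m or m.group("type") not in ("REG_SZ", "REG_EXPAND_SZ"):
            continue
        target = APPDATA_EXE.match(m.group("data").strip())
        if target:
            hits.append((m.group("name"), target.group("folder"), target.group("exe")))
    return hits

if __name__ == "__main__":
    for name, folder, exe in suspicious_run_entries(SAMPLE):
        print(f"review: Run value {name!r} -> %APPDATA%\\{folder}\\{exe}")
```

On a live system, save the output of the `reg query` command to a text file and pass its contents to `suspicious_run_entries` in place of `SAMPLE`.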


