ZBot Trojan Remover can detect and remove variants of the ZBot trojan, a virus that steals users' banking information, credit card details and PayPal account login credentials from websites.
Malware Analyzer by HX
Analysis started
MD5: 2BB9A1C4B35719ABD022C605A546D6C4
Executing -> \Device\HarddiskVolume3\Users\Gateway\Desktop\2BB9A1C4B35719ABD022C605A546D6C4.exe (PID: 13440)
Command-line: "C:\Users\Gateway\Desktop\2BB9A1C4B35719ABD022C605A546D6C4.exe"
C:\Users\Gateway\Desktop\2BB9A1C4B35719ABD022C605A546D6C4.exe
WriteFile, C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe
C:\Users\Gateway\Desktop\2BB9A1C4B35719ABD022C605A546D6C4.exe
WriteRegistryKey, Software\Microsoft
C:\Users\Gateway\Desktop\2BB9A1C4B35719ABD022C605A546D6C4.exe
WriteRegistryKey, Juat
C:\Users\Gateway\Desktop\2BB9A1C4B35719ABD022C605A546D6C4.exe
DeleteFile, C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe
C:\Users\Gateway\Desktop\2BB9A1C4B35719ABD022C605A546D6C4.exe
WriteFile, C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe
C:\Users\Gateway\Desktop\2BB9A1C4B35719ABD022C605A546D6C4.exe
WriteFile, C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe
Executing -> \Device\HarddiskVolume3\Sandbox\Gateway\Analyzer\user\current\AppData\Roaming\Golaxyeq.exe (PID: 16540)
Command-line: "C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe"
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe
WriteRegistryKey, Software\Microsoft\Juat
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe
WriteRegistryKey, f62bfi
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Windows\System32\taskhost.exe (PID: 1992)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Windows\System32\dwm.exe (PID: 2976)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Users\Gateway\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (PID: 3484)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Program Files (x86)\Google\Drive\googledrivesync.exe (PID: 3496)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Program Files\Sandboxie\SbieCtrl.exe (PID: 3524)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (PID: 3584)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, K:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 8 for Windows\avp.exe (PID: 3592)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Users\Gateway\Desktop\goagent-goagent-a51d6a2\local\goagent.exe (PID: 3600)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Windows\System32\conhost.exe (PID: 3608)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Program Files\BOINC\boincmgr.exe (PID: 3696)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Users\Gateway\Desktop\goagent-goagent-a51d6a2\local\python27.exe (PID: 3704)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Program Files\BOINC\boinctray.exe (PID: 3776)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, K:\SkyDrive\Programs\VBSherloggerSherlogger.exe (PID: 3840)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, K:\Program Files (x86)\BaiduYun\baiduyun.exe (PID: 3868)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Program Files (x86)\Google\Drive\googledrivesync.exe (PID: 3952)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Program Files\BOINC\boinc.exe (PID: 3964)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Windows\System32\conhost.exe (PID: 3972)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Program Files (x86)\alipay\SafeTransaction\AlipaySafeTran.exe (PID: 17800)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\ProgramData\BOINC\projects\www.worldcommunitygrid.org\wcgrid_dsfl_vina_6.25_windows_x86_64 (PID: 57092)
C:\Users\Gateway\AppData\Roaming\Golaxyeq.exe (PID: 16540)
AccessPROTECTEDProgram, C:\Windows\System32\conhost.exe (PID: 58156)
Rolling back...
Analysis ended
Reason: Malware detected and rolled back
Anomalies:
- Modifies protected resource. The executable modifies important resources (files, processes, etc.)