Ytbn has been invading the computers of unsuspecting users lately and denying those users access to their very own computer files. Ytbn is therefore a representative of the ransomware cryptovirus malware category.
What this means is that this malicious piece of programming denies users access to their data by means of encrypting said data. Hence, the affected files become unreadable and cannot be opened by any software unless a special decryption key is applied. Here is where the ransomware part comes in.
In order to obtain this decryption key, which you could say that the hackers responsible for the infection hold ‘hostage’, victims are required to pay a hefty sum in ‘ransom’. This is an age-old blackmail scheme that, unfortunately, in recent years has only gained momentum and doesn’t appear to be slowing down any time soon.
In this post we outline how Ytbn is distributed and which tools are available to combat it. Specifically, we have put together a removal guide that shows how to remove the virus from your PC, and its second part covers the restoration of your data.
The Ytbn virus
The Ytbn virus uses strong encryption to make user files inaccessible to anyone who does not hold the decryption key. The encryption itself is not what antivirus software detects: encrypting files is a legitimate operation performed by backup, archiving and disk-encryption tools, so an antivirus cannot block it outright and instead has to recognise the particular sample or its behaviour.
A freshly released variant such as Ytbn, Ekvf or Enfp can therefore run for a while before signatures and behavioural rules catch up, and by the time it is detected the files are already encrypted. For this reason, the best way to deal with such attacks is to prevent them, which starts with knowing how ransomware is distributed; we cover that in just a little bit.
An even more reliable way to render an attack like this one practically harmless is to back up whatever valuable data you would fear losing. Keep the copies on a cloud service or, better still, on a separate drive that is not permanently connected to your computer or to any network: ransomware also encrypts files on mapped drives and in synced cloud folders, so a sync client without version history will faithfully upload the encrypted copies, and an always-attached backup disk is just another target.
The Ytbn file distribution
The Ytbn file is usually distributed through spam messages. You can also download it by clicking on a compromised or infected online advertisement.
The latter is commonly referred to as malvertising and is a very common way of distributing malicious pieces of programming, including ransomware like Ytbn. It is also important to note that ransomware often relies on a backdoor (usually a Trojan) that is already present on the computer.
In that scenario the Trojan arrives first, for example through a malicious attachment or an unpatched vulnerability, and then acts as a loader that downloads and launches the ransomware. It is therefore a good idea to scan your computer for Trojans as soon as you have dealt with Ytbn, because removing the ransomware alone leaves open the door it came through.
| Data Recovery Tool | Not Available |
Remove Ytbn Ransomware
Type Task Manager in the Start Menu, select the first result and go to its Processes tab. There, you must find the process or processes run by the Ytbn virus. They may have the same name as the threat, but in most cases they are named differently, so use your own judgement. Look for resource-intensive processes with unfamiliar or suspicious names that consume a large share of the computer's RAM or CPU. Bear in mind that a ransomware process is busiest while it is encrypting; once the encryption is finished it may already have exited or be sitting idle, so finding no suspicious process does not by itself mean the infection is gone.
If you suspect a given process, conduct an online search with its name to see what information you could find about it and to confirm that the suspected process is not one run by Windows.
Once you have done your research and confirmed that the suspicious process is not a Windows component, right-click on it in the Task Manager and select Open File Location. The files in the folder that opens must be scanned for malware: use an online file scanner and/or an antivirus/anti-malware tool of your own to test them.
If a file is detected as malware, go back to the suspicious process, right-click on it again, and then click on End Process Tree.
Next, delete the folder where the malware files are located – in some cases, you may not be allowed to do that because some of the files in it cannot be deleted at the moment. If this happens in your case, delete whatever files you can from the file location folder and then move on to the next steps. Once you are done with them, you should try again to delete the file location folder.
WARNING! READ CAREFULLY BEFORE PROCEEDING!
Now go to your Start Menu, type system configuration and press Enter. Select Startup in the window that opens and look for suspicious startup items in the displayed list (on Windows 8 and later this tab only redirects you to the Startup tab of the Task Manager, where the same list is managed). If there are any items you do not recognise or trust, untick them (or Disable them in the Task Manager) and then select Apply. Do the same with items that have unknown manufacturers, unless you trust those items and know they belong to safe software.
Finally, click on OK to finish this step and move on to the next one.
Paste the line notepad %windir%/system32/Drivers/etc/hosts in the Start Menu (without quotation marks) and hit Enter.
A Notepad window showing the Hosts file should appear. On a clean Windows installation every line of this file, including the localhost lines at the bottom, begins with # and is therefore a comment. If there are any IP addresses or other uncommented entries written below the localhost lines, copy them and post them in the comments below; we will have a look and tell you whether anything needs to be done about them. Not every such entry is malicious (VPN clients and developer tools also add lines here), but malware does use this file to block access to security vendors' sites.
If we tell you that the entries you sent us are from the Ytbn virus, remove them from the Hosts file and click File > Save to save the changes. If Notepad reports that it cannot save, reopen it as administrator and repeat the edit.
Warning! To complete this step, you will have to make changes to your computer's Registry by deleting malware entries from it. Be very careful and only delete items you are certain belong to Ytbn. If in doubt, consult us via the comments section before deleting anything; otherwise you may end up removing an item you should not have, causing more problems for your system. Before you begin, export a backup of the Registry from File > Export in the Registry Editor so that a mistaken deletion can be undone.
Press Windows Key + R and type regedit in the Run box. Hit Enter and when Windows asks for your Admin approval, click on Yes to continue.
When the Registry Editor opens, click its Edit menu and then Find. Type the virus name in the Find box and click Find Next. You will be taken to the first item in the Registry that carries that name. Delete it, repeat the search (F3 searches again) and, if another item is found, delete that one too. Keep searching and deleting until no more items with the Ytbn name remain. Note that Ytbn is the name the threat is reported under, not necessarily the name it uses for its own keys and values, so this search may turn up nothing, and a match on the string alone is not proof that an entry belongs to the malware; check what the value points to before deleting it.
Next, find the following three directories from the left panel of the Registry Editor.
- HKEY_CURRENT_USER > Software
- HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
- HKEY_CURRENT_USER > Software > Microsoft > Internet Explorer > Main
In them, your job is to find and delete any suspicious keys (shown as folders in the left panel) that could be linked to the malware. Such keys typically have long names consisting of randomly arranged letters and numbers. If you see one, delete it, but only if you are certain it is not supposed to be there; as we said, you can always ask us in the comments about a given Registry entry before you delete it. Also look at the values inside the Run key: each one is a command that starts with Windows, so any value pointing to an executable in a user profile or temporary folder deserves a closer look.
Copy-paste each of the following lines in the Start Menu and hit enter after each to go to the folder it corresponds to.
Delete the most recent files in those folders – everything from the moment the virus infected you to the current moment. In the folder named Temp, you must delete everything.
Finally, go back to the File location folder from the first step and try to delete it – this time you should have no problem removing that folder alongside any files that may be left in it.
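The manual steps above (process triage, startup items, the hosts file, the Run key and the drop folders) can be collected in one read-only pass before anything is deleted. The following PowerShell script is an added example written for this page, not code from the original guide or from any tool it recommends. It assumes an elevated PowerShell 5.1 or later session on the affected Windows machine; the two-day window, the user-writable path list, the drop-folder list and the Get-SuspectHash helper are assumptions to adjust, and the script only reports: it does not stop processes or delete files.

```powershell
# Added example: a read-only triage pass over the places the manual guide
# walks through (processes, autoruns, hosts file, drop folders).
# Assumes an elevated PowerShell 5.1 or later session on the affected machine.
# Nothing is stopped or deleted; review the output, then act on it yourself.

$Since = (Get-Date).AddDays(-2)   # assumed infection window; adjust to your case

# 1. Processes: flag images that are not validly signed or that run from a
#    user-writable location. Ransomware droppers commonly live under the user
#    profile, ProgramData or a Temp folder. The path list is an assumption.
$UserWritable = '^(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)'
$Procs = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue
        $status = if ($sig) { [string]$sig.Status } else { 'Unknown' }
        [pscustomobject]@{
            PID       = $_.ProcessId
            Name      = $_.Name
            Signature = $status
            Path      = $_.ExecutablePath
            CmdLine   = $_.CommandLine
        }
    }
'== Processes that are unsigned or run from a user-writable path =='
$Procs |
    Where-Object { $_.Signature -ne 'Valid' -or $_.Path -match $UserWritable } |
    Format-Table PID, Name, Signature, Path -AutoSize

# 2. Autoruns: Run/RunOnce keys for this user and for the machine, plus the
#    Startup folders. Random-looking value names and commands that point into
#    user-writable paths are the ones to research before removing.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
'== Autorun registry values =='
$RunKeys |
    Where-Object { Test-Path $_ } |
    ForEach-Object {
        $key = $_
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping; drop those.
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    } |
    Format-Table -AutoSize

'== Startup folder contents =='
$StartupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -Path $StartupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object LastWriteTime, FullName

# 3. hosts file: print every line that is neither blank nor a comment. On a
#    clean Windows installation the whole file is commented out, so anything
#    listed here was added by some program (not necessarily malware).
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
'== Active hosts entries =='
Get-Content -Path $HostsPath | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }

# 4. Recently written executables in the usual drop folders. The folder set is
#    an assumption; the guide's own list of locations is not reproduced here.
$Folders = $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData
$Exts    = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1'
"== Executable files written since $Since in the drop folders =="
Get-ChildItem -Path $Folders -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since -and $_.Extension -in $Exts } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName

# 5. Hash a suspect file so it can be looked up in an online scanner without
#    uploading the file itself. (Helper name is an assumption of this example.)
function Get-SuspectHash {
    param([Parameter(Mandatory)][string]$Path)
    Get-FileHash -Path $Path -Algorithm SHA256 | Select-Object Hash, Path
}
```

Paste the script into an elevated PowerShell window, or save it and run it with `powershell -ExecutionPolicy Bypass -File triage.ps1`. Once a process is confirmed malicious, `Stop-Process -Id <PID> -Force` ends that one process (unlike End Process Tree it does not end its children), and `Get-SuspectHash` gives a SHA-256 you can look up instead of uploading the file. Signed does not mean safe and unsigned does not mean malicious; plenty of legitimate third-party software is unsigned, which is why every candidate still needs the research the steps above describe before anything is removed.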
How to Decrypt Ytbn files
This guide should help you delete Ytbn, but it will not be enough to decrypt the files the virus has already encrypted. If you want to restore your encrypted data without paying the ransom, visit our How to Decrypt Ransomware guide and try the alternative recovery methods included there. However, before you attempt to recover any of the locked files, make certain that the virus is fully gone from your computer, or the data you manage to restore could be encrypted all over again. To check whether any suspicious files on your computer contain malware, you can use the free online malware scanner available on our site. Keep the encrypted files and the ransom note in the meantime: decryption tools, when one becomes available for a given variant, generally need both.
To conclude, we sincerely hope that the steps in the guide above help you delete Ytbn. If the malware still seems to be present on the computer after you have finished, try the anti-malware tool recommended on this page; it can quickly locate and remove any malware files on your system and help protect your computer against other incoming threats.