Zlob Trojan Virus

Zlob Trojan: Intro

At first glance, there's nothing peculiar about Zlob: just one more trojan created to display fake warnings about spyware infections, generate scary reports and push the PC user into buying a license key for an allegedly reliable anti-spyware product, which of course turns out to be nothing but a scam.

But there's more to Zlob. It is a downloader: it can fetch and execute files from remote servers, which means the operators can push whatever payload they like onto an infected machine. It can also transmit information from the infected machine back to those servers, and that information is exactly the kind cyber criminals are after.

Redirecting surfers to pages with malicious content and hijacking the browser home page round out the picture. Not bad for a tiny piece of code, right?

Zlob Infection Ways

Unlike many lesser-known trojans, Zlob uses a wide range of ways to creep onto target computers. Besides the usual spam emails, blog comment spam and distribution via social networks, the Zlob downloader was bundled into various "codec packages". This is a smart move: media codecs are needed on every PC whose owner wants to watch movies and listen to music, and who doesn't? For many, it goes further than entertainment. Video and sound editing, website creation, webcam streaming: all of these rely on the corresponding media codecs.

Users don't normally suspect a codec of carrying malicious code. They trust it because the fake codec comes with an EULA and looks perfectly legitimate. Anyway, people just want to play a movie. Who cares about potentially unsafe code at that moment?

Those who created Zlob obviously knew that very well, and their trojan got the ball rolling in no time.

Message prompting to download a fake codec with Zlob code in it
Zlob Details by Spyware Detector

Security Labs about Zlob

But don't just take my word for it. Let's see how the security labs and IT companies that monitor Internet threats rate the risk posed by Zlob.

Sunbelt Malware Research Labs assigned a High Risk rating to the Zlob trojan downloader.

Max Secure Spyware Detector added the Zlob trojan's pattern to its malware database back in 2005 and hasn't changed its risk status from High since then. Three years have passed, but Zlob is still a high-risk trojan.

According to the SpywareGuide team, Zlob scores 8 out of 10 points on its scale of potential danger to Windows-based computers.

SpywareGuide Zlob Risk Estimate

According to SpywareGuide, Zlob scored 8 out of 10 risk points

Single Reason Behind Creating Zlob

Money.

I know many unlucky victims of Zlob believe this trojan downloader was created for the sole purpose of messing up their computers. But a blue screen of death (BSOD) or a slow PC is nothing but a side effect of Zlob's activity. Its main, and evidently only, purpose is to download and run the executable code of fake security programs.

And those are numerous. I have counted over a hundred "system keepers", "antispyware guards" and "antivirus protectors" advertised by Zlob.

To name a few:

  • Spy Heal
  • System Doctor
  • AntiSpy Zone
  • VirusProtectPro
  • AntiVirGear
  • VirusRanger
  • AntiSpyCheck
  • Virus Blast
  • AntiviralGolden
  • Virus Rescue
  • Pest Trap
  • SpyAxe
  • SpyFalcon
  • SpywareStrike
  • many, many, many more...

It's a pity that after three full years of Zlob on the Web its victims still believe those shiny ads and continue to buy so-called licenses in the desperate hope of stopping the loop of pop-ups. Unfortunately, that money is wasted and non-refundable. Judging by the activity of Zlob's programmers and promoters, the number of fake applications created and the absolutely insane number of domains involved in promoting Zlob-based programs, I conclude that Zlob is a very profitable investment for a team of cyber criminals.

Which means they will not stop pushing Zlob onto Windows computers unless they are imprisoned. Consequently, all Internet users should be concerned about this danger and take proper steps to ensure their PCs are protected against a Zlob intrusion, or, if already infected, remove Zlob in as little time as possible.

Note: I will not give a single example of a domain promoting Zlob because I'm not going to send them victims. Those domains are VERY dangerous for visitors. As of now, I've counted well over a hundred websites directly advertising the Zlob trojan downloader, and new ones appear every month.

IEAntiVirus, a Zlob Trojan wrapping
Files Secure, a Zlob Trojan wrapping
Malware Bell, a Zlob Virus Wrapping

Zlob Trojan Wrapping

Above you can see screenshots of fake antispyware/antivirus programs advertised by the Zlob downloader. They look very similar, don't they? Except for colors, shading and other minor details, they are identical. Which means these rogue security programs come from one single team of scammers; they don't bother to create a new graphical wrapping for each fake program.

Final Notes about Zlob Removal

The anti-malware programs listed on this page are not targeted at any particular fake application installed by Zlob. Instead, they include the definitions and algorithms needed to fight the whole range of malware that Zlob brings onto Windows computers.

This means that whether you are struggling to delete AntiVirGear or VirusProtectPro, a single program from the list can erase both, and lots more.

Therefore I see no point in listing the files and directory names of any particular Zlob-driven fake security program; the list would be endless. What matters is killing the cause of the annoying ads and PC misbehavior, which is Zlob itself. All those rogue programs are the tip of the iceberg: removing them alone and leaving the main infection intact does no harm to Zlob, which will simply download the next one.

Steps to remove Zlob manually

Listing all the filenames that Zlob can generate is out of the scope of this page. The list would be too long to place here, and it would still miss the newest mutations of the trojan. I prefer to give a broader view of this malware so that everyone can take the necessary steps to cure the infection with as little effort as possible, at minimal cost.

Manual removal of Zlob is complicated because each infection differs from the others; this trojan has a system-wide impact. However, deleting a couple of Registry entries significantly helps to remove Zlob and makes it easier for the Zlob removers below to clean out the system completely.

1. Delete the nvctrl.exe Registry value, if present.

Go to Start-->Run, type in regedit.exe and click OK. The Windows Registry Editor will open.

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Locate the value "nvctrl.exe" = "nvctrl.exe" and delete it.

2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

and delete the subkey {724510C3-F3C8-4FB7-879A-D99F29008A2F}. Deleting this subkey only unregisters the Browser Helper Object from Internet Explorer; the DLL itself stays on disk. Before deleting, note the DLL path stored under HKEY_CLASSES_ROOT\CLSID\{724510C3-F3C8-4FB7-879A-D99F29008A2F}\InProcServer32 so the file can be removed afterwards (in Safe Mode, if it is locked).

3. Close the Registry Editor.

Deleting these entries increases the chances of removing Zlob successfully in the shortest time possible.
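The manual steps above, as a script that reports first and deletes only when told to. This is an added example, not code from the original page or from any of the removal tools it mentions. It assumes an elevated PowerShell prompt on the affected machine; the nvctrl.exe value name and the BHO CLSID are the ones quoted in the steps, and every other entry the script prints is shown for the reader's judgement, never deleted.

```powershell
# Added example (not from the original article or its tools). Reports the two
# Registry indicators from the manual steps and removes them only with -Remove.
# Run from an elevated PowerShell prompt; add -WhatIf to see what would be deleted.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # default is report-only
)

$policyRun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$bhoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$zlobValue = 'nvctrl.exe'                               # value name quoted in step 1
$zlobClsid = '{724510C3-F3C8-4FB7-879A-D99F29008A2F}'  # BHO CLSID quoted in step 2

# Step 1: Policies\Explorer\Run. Windows runs whatever is listed here at logon.
# The key is normally populated only by Group Policy, so on a home PC any value
# at all deserves a look, not just nvctrl.exe; that is why every value is shown.
if (Test-Path $policyRun) {
    $key = Get-Item $policyRun
    foreach ($name in $key.GetValueNames()) {
        Write-Host ('Policies\Explorer\Run  {0} = {1}' -f $name, $key.GetValue($name))
        if ($Remove -and $name -ieq $zlobValue -and
            $PSCmdlet.ShouldProcess("$policyRun\$name", 'Remove value')) {
            Remove-ItemProperty -Path $policyRun -Name $name
        }
    }
} else {
    Write-Host 'Policies\Explorer\Run is absent (normal on a clean machine).'
}

# Step 2: Browser Helper Objects. Resolve every registered CLSID to the DLL that
# Internet Explorer loads, so unfamiliar entries can be judged too. Removing the
# BHO subkey only unregisters the add-on; the DLL stays on disk, so its path is
# recorded before the key goes. (On 64-bit Windows the 32-bit browser reads the
# same keys under HKLM:\SOFTWARE\Wow6432Node\... as well.)
if (Test-Path $bhoRoot) {
    foreach ($sub in Get-ChildItem $bhoRoot) {
        $clsid  = $sub.PSChildName
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        $dll    = if ($server) { $server.'(default)' } else { '<no InProcServer32 registration>' }
        $onDisk = $server -and (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)))
        Write-Host ('BHO {0} -> {1} {2}' -f $clsid, $dll, $(if ($onDisk) { '' } else { '(DLL not found)' }))
        if ($Remove -and $clsid -ieq $zlobClsid -and
            $PSCmdlet.ShouldProcess($sub.PSPath, 'Remove BHO registration')) {
            Remove-Item -Path $sub.PSPath -Recurse
            Write-Host "Unregistered $clsid; delete its DLL ($dll) in Safe Mode if it is still present."
        }
    }
}
```

Run it without switches first and read the output: a value in Policies\Explorer\Run that you did not put there, or a BHO whose DLL lives outside Program Files or the Windows directory, is worth checking even if its CLSID differs from the one in the steps above.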

Zlob Automatic Removal

SmitFraudFix is a free tool created to remove certain variants of the Zlob trojan.

Download the application and save it to your desktop. Double-click to launch the rescue program. No installation is required - this is a click & run tool.

When the credits screen appears, select option 2 (Clean) and press Enter.

After a series of scans and cleanups, SmitFraudFix will ask whether you want to repair the Registry. Answer Y and press Enter, then restart your computer.

After the reboot, the tool checks wininet.dll; if it finds the file infected, it asks to replace it. Answer Y and press Enter.

Reboot your computer once more. When you log on again, a log file is displayed on the desktop or created in the root of the system drive (normally C:\rapport.txt).

Download: SmitFraudFix

RogueFix Zlob Remover

RogueFix is another free tool that targets a number of malware threats including Zlob.

This remover performs best when run in Safe Mode. The instructions on the download page are exhaustive, so there's no need to repeat the steps here; advanced users will find them simple to follow.

F-Secure Zlob Removal Tool

F-Secure, a security software maker from Finland, has added a small program of its own to the set of free Zlob removal tools. It stops the malware's services and prevents them from starting again. To use the F-Secure tool, log on in Windows Safe Mode first.

Download: F-Secure Zlob Removal Tool.

GMER Rootkit & Malware Detector

GMER is a free tool developed to reveal what is hiding inside the system: rootkits, stealth malware, hidden modules and services. Because of its powerful detection engine, GMER can greatly help to identify and remove the components of Zlob that other scanners miss.

Download: Gmer.

After Removing Zlob Trojan

It happens that once Zlob has been removed, a computer loses access to the Internet. This is a side effect of the trojan's activity (one more reason to prevent a Zlob infection rather than struggle to remove it later): some Zlob variants insert themselves into the Winsock chain as a Layered Service Provider (LSP), and when the malicious DLL is deleted but its catalog entry remains, Windows cannot load the provider and every network program fails. To repair the network settings and restore web access, a tool called LSPFix can be used.

Most commercial anti-malware programs repair a broken Winsock chain automatically as part of the cleanup.

Download: LSPfix.

NOTE: This is a non-installable file. Once the archive is unzipped, double-click the executable. The screenshot below is a sample only; your configuration may look different.
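The condition LSPFix repairs, shown as a read-only check you can run before using it. This is an added example, not code from the original page or from the LSPFix tool. It assumes the Winsock catalog layout Windows has used since XP: one subkey per provider under Protocol_Catalog9\Catalog_Entries, whose PackedCatalogItem binary value begins with the provider DLL's null-terminated path (at most MAX_PATH, 260 bytes); the second catalog key, Catalog_Entries64, is read when present.

```powershell
# Added example (not from the original article or from LSPFix). Lists the Winsock
# Layered Service Provider chain and flags entries whose DLL no longer exists.
# That is the state a Zlob cleanup can leave behind: the hijacking LSP DLL is
# gone, its catalog entry is not, Winsock fails to load the provider, and every
# socket-using program loses network access.
# Assumption: each Catalog_Entries subkey holds a REG_BINARY PackedCatalogItem
# whose leading bytes are the provider's null-terminated ANSI path (<= 260 bytes).

$catalogRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'

function Get-WinsockProvider {
    param([string]$EntriesKey)   # ...\Catalog_Entries or ...\Catalog_Entries64
    foreach ($entry in Get-ChildItem -Path $EntriesKey -ErrorAction SilentlyContinue) {
        $blob = (Get-ItemProperty -Path $entry.PSPath).PackedCatalogItem
        if (-not $blob) { continue }
        # The path is the first field of the packed item: read up to the NUL.
        $end = [Array]::IndexOf([byte[]]$blob, [byte]0)
        if ($end -lt 0 -or $end -gt 260) { $end = [Math]::Min(260, $blob.Length) }
        $rawPath  = [System.Text.Encoding]::Default.GetString($blob, 0, $end)
        $fullPath = [Environment]::ExpandEnvironmentVariables($rawPath)
        [pscustomobject]@{
            Catalog = Split-Path $EntriesKey -Leaf
            Entry   = $entry.PSChildName
            Dll     = $rawPath
            OnDisk  = Test-Path -LiteralPath $fullPath
            # A provider outside the Windows directory is not proof of infection,
            # but third-party and hijacking LSPs live there, so it is worth a look.
            System  = $fullPath -like "$env:SystemRoot\*"
        }
    }
}

$providers = foreach ($name in 'Catalog_Entries', 'Catalog_Entries64') {
    Get-WinsockProvider -EntriesKey (Join-Path $catalogRoot $name)
}
$providers | Sort-Object Catalog, Entry | Format-Table -AutoSize

$broken = @($providers | Where-Object { -not $_.OnDisk })
if ($broken.Count -gt 0) {
    Write-Host ("{0} catalog entries point to a missing DLL; networking will fail until the chain is repaired." -f $broken.Count)
    Write-Host 'LSPFix can remove the dangling entries; "netsh winsock reset" (Windows XP SP2 and later) rebuilds a default catalog. Reboot afterwards.'
} else {
    Write-Host 'Every Winsock provider resolves to a file on disk.'
}
```

The script changes nothing; it only reads the catalog. The Dll column is the same list LSPFix shows in its window, so an entry marked OnDisk = False here is the one to remove there, and a provider with System = False that you do not recognize is the one to investigate before the infection is declared gone.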

LSP Fix Winsock 2 Repair Utility
Max Secure Spyware Detector

Comments (13)

Wolf1 8 years ago

Excellent Hub!!!



Evlocoo 8 years ago from New Orleans

Wow! Truly informative.



Jim Batuyong 8 years ago from Anaheim, CA

This is good knowledge to have for those of us on the computer all of the time. Very informative Hub. Thanks.



briannerose 8 years ago from Calgary

Great hub. It is good that you posted what it looks like when it pops up. Just another thing, though it is related to this hub: if there is anyone on Facebook, do not accept the phoo download; it is a very bad virus similar to this one. Just delete it, do not open it.


alejandro 7 years ago

Thanks so much, hub. Followed one of your suggestions and it worked!


mitchbr 7 years ago

I'm sure glad I run Mac OS X 10.5 now. I sure don't miss all of the downtime and lack of productivity.



AndyBaker 7 years ago from UK

Awesome hub.

More people should consider switching to linux (or mac) to avoid being the target for cash hungry virus makers.



earnestshub 7 years ago from Melbourne Australia

I suspect I have a virus or trojan. My laptop has slowed to a crawl even after a registry compression and a cleanout of the temp files; although faster, it is still slow. I will go check the registry manually and take a look. Thank you very much for another good hub on viruses.



AEvans 7 years ago from SomeWhere Out There

Very valuable information to have on hand although here in the U.S. I have not noticed any issues with the laptop or the desktop, but I will keep this for reference. :)



Mighty Mom 7 years ago from Where Left is Right, CA

Wow. Very thorough and informative. Appreciate the info. MM


COG DIESEL 7 years ago

THANK YOU SOOOOO MUCH



javanx3d 7 years ago from Memphis, TN

Great article! The screenshots really helped!



Manna in the wild 7 years ago from Australia

Nice research. It's a shame there are so many thousands of malware out there.
