ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Zlob Trojan Virus

Updated on April 25, 2014

Zlob Trojan: Intro

At first glance, there's nothing pecualiar about Zlob; just one more trojan created to display fake warnings about spyware infections, generate scary reports and push the PC user to buy a license key for allegedly reliable anti-spyware, which of course happens to be nothing but scam.

But there's more about Zlob. It has the capacity to download and execute files from remote servers. It can transmit information back and forth from the infected machine which is potentially in demand by cyber criminals.

Redirecting surfers to pages with malicious content, hijacking the browser home page - not bad for a tiny piece of code, right?

Zlob Infection Ways

Unlike many other less-known trojans, Zlob utilizes a wide range of ways to creep into target computers. Besides common spam emails and spam in blogs, distribution via social networks, Zlob downloader was made part of various codec packages. This is indeed a smart move: media codecs are needed on every PC whose owner wants to be able to watch movies and listen to music. Who of us doesn't need this sort of entertainment? For many, this is more than that. Video and sound editing, website creation, webcam signal transmitting - all of these activities rely on corresponding media codecs.

Users normally don't suspect codecs to contain malicious code inside. They trust them because fake codecs are supplied with EULA and look totally safe. Anyway, peope just want to play a movie. Who would care about potentially unsafe code?

Those who created Zlob obviously knew that very well - and their trojan got the balls rolling in no time.

Message prompting to download a fake codec with Zlob code in it
Message prompting to download a fake codec with Zlob code in it
Zlob Details by Spyware Detector
Zlob Details by Spyware Detector

Security Labs about Zlob

But don't take my word for granted. Let's see how security labs and IT companies involved in monitoring the Internet threats estimate the potential risk of Zlob.

Sunbelt Malware Research Labs assigned a High Risk estimate to trojan downloader zlob.

Max Secure Spyware Detector added the Zlob trojan's pattern to its malware database back in 2005, and hasn't change its risk status from High since then. Three years passed - but Zlob is still a high risk trojan.

According to SpywareGuide team, Zlob scored 8 out of 10 points by the scale of potential danger to Windows-based computers.

SpywareGuide Zlob Risk Estimate

According to SpywareGuide, Zlob scored 8 out 10 risk points
According to SpywareGuide, Zlob scored 8 out 10 risk points

Single Reason Behind Creating Zlob


I know many unlucky victims of Zlob believe this trojan downloader was created with the single purpose to mess up their computers. But any blue screen of death (BSOD) or performance deterioration are nothing but side effects of Zlob activity. It's main and evidently only purpose is to download executable code of fake security programs.

And those are numerous. I counted over a hundred of all sorts of system keepers, antispyware guards and antivirus protectors advertized by Zlob.

To name a few:

  • Spy Heal
  • System Doctor
  • AntiSpy Zone
  • VirusProtectPro
  • AntiVirGear
  • VirusRanger
  • AntiSpyCheck
  • Virus Blast
  • AntiviralGolden
  • Virus Rescue
  • Pest Trap
  • SpyAxe
  • SpyFalcon
  • SpywareStrike
  • many, many, many more...

It's a pity that after already 3 full years of Zlob existence on the Web its victims still believe those shiny ads and continue to buy so-called licenses in a desperate hope to stop the ads loop. Unfortunately, that's a waste of non-refundable money. Judging by the activity of Zlob trojan programmers and promoters, considering the number of fake aplications created and absolutely insane number of domains involved in promoting Zlob-based programs, I conclude that Zlob is a very profitable investment for a team of cyber criminals.

Which means they will not stop pushing Zlob onto Windows computers unless imprisoned. Consequently, all Internet users should be concerned about this danger and take proper steps to ensure their PC's are protected against Zlob intrusion. Or, if already infected, remove zlob in as little time as possible.

Note: I will not give a single example of a domain promoting Zlob because I'm not going to send them victims. Those domains are VERY dangerous for visitors. As of now, I've counted well more than a hundred websited directly advertizing Zlob trojan downloader. New websites appear every month.

IEAntiVirus, a Zlob Trojan wrapping
IEAntiVirus, a Zlob Trojan wrapping
Files Secure, a Zlob Trojan wrapping
Files Secure, a Zlob Trojan wrapping
Malware Bell, a Zlob Virus Wrapping
Malware Bell, a Zlob Virus Wrapping

Zlob Trojan Wrapping

Above you can see screenshots of fake antispyware/antivirus programs advertized by Zlob downloader. They look very similar, don't they? Except for colors and shades and other minor details, they are completely identical. Which means both rogue security programs come from one single team of scammers. They don't bother to create new graphical wrapping for each fake program.

Final Notes about Zlob Removal

Anti-malware programs listed above are not targeted at particular fake applications installed by Zlob virus. Instead, they include necessary definitions and algorithms to fight a wide range of malware brought to Windows computers by Zlob.

This means that whether you are struggling to delete AntiVirGear of VirusProtect Pro, one single program from the list above can erase both - and lots more.

Therefore I see no point in listing files and directory names of any particular Zlob-driven fake security program because the list would be endless. It is important to kill the cause of annoying ads and PC misbehaving - which is Zlob itself. All those rogue progams are tip of the iceberg, so removing them alone and leaving main infection intact doesn't make any harm to Zlob.

Steps to remove Zlob manually

Listing all the filenames that can be generated by Zlob is out of the scope of this hubpage. The list would be too long to place it here, and still would miss newest mutations of the trojan. I tend to give a broader view of this malware so that everyone could take necessary steps to cure the infection with as little effort as possible, at minimal cost.

Manual removal of Zlob is complicated since each case of infection is different from others; this trojan makes a system-wide impact. However, deleting a couple of entries can significantly help to remove Zlob, and facilitate the task for Zlob removers to clean out the system completely.

1. Delete the Registry key of nvctrl.exe if present.

Go to Start-->Run, type in regedit.exe and click OK. The Windows Registry Editor will open.

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Locate the value "nvctrl.exe" = "nvctrl.exe" and delete it.

2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

and delete the subkey: {724510C3-F3C8-4FB7-879A-D99F29008A2F}

3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

and delete the key: {724510C3-F3C8-4FB7-879A-D99F29008A2F}

4. Close the Registry Editor.

Deleting these keys increases the chancees to successfully remove Zlob in the shortest time possible.

Zlob Automatic Removal

SmitFraudFix is a free tool created to remover certain variations of Zlob trojan.

Download the application and save it to your desktop. Double-click to launch the rescue program. No installation is required - this is a click & run tool.

When the credits screen displays, select the option 2 (clean) and press Enter.

After a series of scans and cleanups, SmitFraudFix will ask if you want to repair the Registry. Answer Y and hit Enter. Then restart your computer.

After reboot, the tools will check wininet.dll and if infection is found, it will ask to replace the infected file. Select Y followed by Enter.

Reboot your computer once more. When logged on again, a log file will be displayed on the desktop or created in the root drive (normally C:\rapport.txt)

Download: SmitFraudFix

RogueFix Zlob Remover

RogueFix is another free tool that targets a number of malware threats including Zlob.

This remover performs best if run in Safe Mode. The set of instructions on the download page is pretty exhaustive, so there's no need to describe the steps. Advanced users will find them pretty simple and easy to follow.

F-secure Zlob Removal Tool

F-secure, a security software maker from Finland, added a little program to the set of zlob free virus removal tools. One more trojan Zlob removal weapon should be used to stop malware services and prevent them from running again. To use F-secure removal, it's necessary to logon in Windows Safe Mode.

Download: F-secure Zlob Removal Tool.

GMER Rootkit & Malware Detector

GMER is a free tool developed to reveal what's hiding inside the system. Rootkits, stealth malware, hidden modules and services are shown by this software. Because of its powerful detection system, GMER can greatly help to identify and remove Zlob parts.

Download: Gmer.

After Removing Zlob Trojan

It happens that once Zlob has been removed, a computer may lose access to the Internet. This is a side-effect of the Zlob trojan activity (one more reason to be protected against Zlob infection than struggle later to remove it). To repair the network settings and restore web access, a tool called LSPFix can be used.

Some commercial programs normally tackle the problem of lost Internet connection automatically.

Download: LSPfix.

NOTE: This is a non-installable file. When archive unzipped, double-click the executable file. The screenshot below is a sample only - your configuration may look differently.

LSP Fix Winsock 2 Repair Utility
LSP Fix Winsock 2 Repair Utility
Max Secure Spyware Detector
Max Secure Spyware Detector


    0 of 8192 characters used
    Post Comment

    • Manna in the wild profile image

      Manna in the wild 

      9 years ago from Australia

      Nice research. It's a shame there are so many thousands of malware out there.

    • javanx3d profile image


      9 years ago from Memphis, TN

      Great article! The screenshots really helped!

    • profile image


      9 years ago


    • Mighty Mom profile image

      Susan Reid 

      9 years ago from Where Left is Right, CA

      Wow. Very thorough and informative. Appreciate the info. MM

    • AEvans profile image


      9 years ago from SomeWhere Out There

      Very valuable information to have on hand although here in the U.S. I have not noticed any issues with the laptop or the desktop, but I will keep this for reference. :)

    • earnestshub profile image


      9 years ago from Melbourne Australia

      I suspect I have a virus or trojan. My laptop has slowed to a crawl even after a registry compression and cleanout of the temp files, although faster, it is still slow. I will go check the registry manually and take a look. Thank you very much for another good hub on viruses

    • AndyBaker profile image


      9 years ago from UK

      Awesome hub.

      More people should consider switching to linux (or mac) to avoid being the target for cash hungry virus makers.

    • profile image


      9 years ago

      I'm sure glad run Mac OSX 10.5 now. I sure don't miss all of the downtime and lack of productivity.

    • profile image


      10 years ago

      thanks so much hub, followed one of your suggestion and it worked!

    • briannerose profile image


      10 years ago from Calgary

      great hub, It is good that you posted what it looks like when it pops up. Just another thing though it is related to this hub, If there is anyone on face book. do not accept the phoo download it is a very bad virus similar to this one. just delete it do not open it.

    • Jim Batuyong profile image

      Jim Batuyong 

      10 years ago from Anaheim, CA

      This is good knowlege to have for those of us on the computer all of the time. Very informative Hub. Thanks.

    • Evlocoo profile image


      10 years ago from New Orleans

      Wow! Truly informative.

    • profile image


      10 years ago

      Excellant Hub!!!


    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

    Show Details
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)