Zlob

Zlob Trojan is a type of Trojan Horse program that disguises itself as a required video codec in the form of ActiveX. It primarily affects the Windows operating system.

It is also known by many aliases, such as:

  • Troj/Zlob-XA
  • Trojan.Zlob
  • Zlob-XA
  • Troj/Zlob-QJ
  • Zlob-X.a

This Trojan Horse is activated once it has initiated itself into a computer file and installed from remote locations.

Once installed, this virus displays popup ads similar to the actual Microsoft Windows warning popups, notifying computer users that their system is infected. Clicking this popup ad would trigger the entry of malicious codes into the system processes and the download of a fake anti-spyware program which contains the hidden Zlob Trojan virus.

Variants Of Zlob

Currently, there are around 32 variants of this type of Trojan. They are frequently spread through fake video streaming sites, which notify computer users that they have to install a codec to view the non-existent videos. This codec installer is nothing more than a Zlob Trojan downloader.

Some variants of the Zlob family such as the DNSChanger attach rogue DNS name servers to the Registry of computers that is Windows-based and the network settings of Macintosh computers. This results to the potential re-routing of traffic from legitimate web sites to other suspicious web sites.

Other common variants of the virus Zlob includes:

  • TROJ_ZLOB {DR, DU, and FP}
  • Trojan.Zlob.D
  • Troj/Zlob-CD
  • Downloader-XC
  • Downloader.Win32.Zlob
  • {dz, ha, he}
  • Generic Downloader.gen.bd
  • Puper

Effects Of Zlob

The Zlob Trojan is capable of downloading atnvrsinstall.exe, which utilizes the Windows Security shield icon to disguise itself as an Anti Virus installation file from Microsoft.

Once this file is activated, it can wreak havoc on different computer networks
It can:

  • cause random computer reboots or shutdowns with random comments.
  • cause the modification of data on the computer,
  • steal information,
  • delete of files off the computer,
  • download codes from the Internet, causing malware,
  • install itself into the registry
  • modify the startup or registry file to be executed during boot up.

It can also download and install several rogue or fake anti-spyware programs such as AntiVirGear, SecurePCCleaner, IEDefender, WinAntiVirus Pro 2007, Ultimate Cleaner and SpyShredder.

If left untreated, Zlob could be highly dangerous.

Zlob Manual Removal Instructions

Removing Zlob is similar to removing any other Trojans. You have to remember that a Trojan can infect and corrupt computers, but not the files itself. So it can be easily recognized and removed.

You can manually remove Zlob by performing the following steps:

  1. To locate Zlob Path, use Windows File Search Tool. To accomplish this, follow these steps:
    • Click the Start menu
    • Click Search
    • Click All Files or Folders
    • In the “All or part of the file name:” section, key in Zlob
    • In the “Look in:” section, select “My Computer” or “Local Hard Drives” to get better results
    • Press the Search button
    • When the Search is finished, look over the In Folder for Zlob then highlight the file and copy/paste the path into the address bar
    • Save the path of the file in the clipboard because you will need the file path to delete Zlob.

  2. To Remove Zlob Processes, use Windows Task Manager. To accomplish this, follow these steps:
    • Open the Windows Task Manager by using the following combination:
    • CTRL+ALT+DEL

      CTRL+SHIFT+ESC

    • Click the Image Name button to search for the Zlob process by name
    • Choose the Zlob process
    • Press the End Process button to kill it
    • Remove the Zlob processes files:
    • msmsgs.exe

      nvctrl.exe

  3. To Remove Zlob Registry Values, use Registry Editor. Follow these steps:
    • Select the Run option from the Start menu.
    • In the pop up box, type regedit then Click OK
    • Search and delete the entry(s) whose data value located in the rightmost column is the malicious file(s) detected earlier
    • To remove the Zlob value, right-click on the Zlob value then select the Delete option
    • Search and delete the Zlob registry entries:
    • HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunRegSvr32=%System%msmsgs.exe

      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsNTCurrentVersionWinlogonShell=explorer.exe

  4. Use Windows Command Prompt to unregister Zlob DLL Files. To accomplish this, follow these steps:
    • From the Start menu, select the Run option
    • In the pop up box, type cmd then Click OK
    • Type cd to modify the current directory then click the Space button
    • Key in the full path to where the Zlob DLL file is located
    • Press the Enter button
    • Use the dir command if you don’t know where the Zlob DLL file is located. This will display the directory’s contents.
    • To Unregister the Zlob DLL file, key in the exact directory path + regsvr32 /u + DLL_NAME
    • You may type: C:\Spyware-folder\> regsvr32 /u Zlob.dll
    • Click the Enter button
    • Wait for a message to pop up that states that you have successfully unregistered the file
    • Locate and Unregister the following Zlob DLL files:
    • uimcu.dll

      antzozc.dll

      dtjby.dll

  5. How to spot and delete other Zlob files
    • Select the Run option from the Start menu.
    • Type cmd then Click OK in the pop up box.
    • Key in dir /A name_of_the_folder. This would display the folder’s content together with the hidden files.
    • i.e. C:\Spyware-folder

    • Change the directory by typing cd name_of_the_folder
    • Once the file has appeared, key in del name_of_the_file
    • Type in del name_of_the_file to delete a file in folder
    • Type in rmdir /S name_of_the_folder to delete the entire folder
    • Choose the Zlob process
    • Press the End Process button to terminate it
    • Delete the following Zlob processes files:
    • uimcu.dll

      antzozc.dll

      dtjby.dll

      dumpserv.com

      zxserv0.com

You can also install antivirus, anti-spyware and other malware removal tools to automatically detect and remove not only this virus but also any other kind of malware.