Trojan.Zlob/Smitfraud Removal

What is Smitfraud/Trojan.Zlob?

Smitfraud, also known as Trojan.Zlob, is a family of Desktop Hijackers. These infections change your Desktop background to issue fake warning messages on your computer, similar (and almost identical) to Windows Update Notification balloons. These alerts tend to be accompanied by a rogue anti-spyware program (see list below) installed on your computer without your consent. Clicking on one of these fake security alerts will either bring you to a home page where you can purchase other fraudulent software, or without your permission, will automatically install onto your computer.
This is a partial list of rogue anti-spyware programs. There are many, many more.

AdwarePunisher AdwareSheriff AlphaCleaner Antispyware Soldier AntiVermeans AntiVermins AntiVerminser AntivirusGolden AVGold

BraveSentry MalwareWipe MalwareWiped MalwaresWipeds MalwareWipePro MalwareWiper PestCapture PestTrap PSGuard

quicknavigate.com Registry Cleaner Security iGuard Smitfraud SpyAxe SpyCrush SpyDown SpyFalcon SpyGuard SpyHeal SpyHeals

SpyLocked SpyMarshal SpySheriff SpySoldier Spyware Vanisher Spyware Soft Stop SpywareLocked SpywareQuake SpywareKnight

SpywareSheriff SpywareStrike Startsearches.net TitanShield Antispyware Trust Cleaner UpdateSearches.com Virtual Maid VirusBlast

VirusBurst Win32.puper WinHound Brain Codec DirectVideo EliteCodec eMedia Codec FreeVideo Gold Codec HQ Codec iCodecPack

Tools needed:
SmitFraudFix

IDENTIFICATION

Entries in a HijackThis log

O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\Media-Codec\isaddon.dll
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\VideoKeyCodec\isaddon.dll
O2 - BHO: (no name) - {274c0420-ebe0-4f1d-b473-edd1aa9b85dd} - C:\Program Files\iVideoCodec\isaddon.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\X Password Generator\isaddon.dll
O2 - BHO: MSVPS System - {100B21CD-3B97-44FB-B1C0-EA6249E482E8} - C:\WINDOWS\ddesupport.dll
O4 - HKCU..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O4 - HKLM..\Run: [avp] C:\WINDOWS\avp.exe

  1. Please reboot your computer to Safe Mode by doing the following:

    Restart your computer;

    After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

    Instead of Windows loading as normal, a menu with options should appear;

    Select the first option, to run Windows in Safe Mode, then press “Enter”;

    Choose your usual account.

  2. When you are in Safe Mode, proceed by opening the SmitfraudFix folder on your Desktop.

  3. Make sure any other open windows are closed.

  4. Now double-click smitfraudfix.cmd in the SmitfraudFix folder.

  5. When the tool opens, you will see the intro/credit screen. Simply press any key on your keyboard to continue.

  6. You will now see a menu, as seen in the image below. Select option #2 “Clean (Safe mode recommended)” by typing 2 and pressing “Enter” on your keyboard.

http://img687.imageshack.us/img687/6396/option2newjg4.png

  7. SmitfraudFix will begin the cleaning process by going through the cleaning process.

  8. Once the clean-up has been completed, SmitfraudFix will open and start Disk Cleanup as seen below. Disk Cleanup can take several minutes to complete.

The Disk Cleanup tool helps free up space on the hard disk by searching the disk for files that can be safely deleted. You can choose to delete some or all of the files. Use Disk Cleanup to perform any of the following tasks to free up space on the hard disk:
Remove temporary Internet files.
Remove downloaded program files. For example, ActiveX controls and Java applets that are downloaded from the Internet.
Empty the Recycle Bin.
Remove Windows temporary files.
Remove optional Windows components that you are not using.
Remove installed programs that you no longer use.

  9. Once Disk Cleanup has finished, you will be prompted with an option asking: “Registry cleaning - Do you want to clean the registry?”; answer “Yes” by typing Y proceeded by pressing “Enter” on your keyboard. This will remove your Desktop background and clean the registry keys associated with the Smitfraud infection.

  10. The tool will now restart your computer back to Normal Mode to finish the cleaning process. If it does not restart automatically, please restart manually. (Start > Turn Off Computer > Restart).

  11. Once you are back in Normal Mode, a Notepad file will appear onscreen, with results from the cleaning process.

  12. Download CCleaner and run a full “scan”.

  13. Enjoy your PC without this virus, FREEDOM
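
Added example, not part of the original post and not code from SmitFraudFix or HijackThis: a small Python check that reads the O2 (BHO) and O4 (Run key) lines of a HijackThis log and flags the entries listed under IDENTIFICATION above. The function name `scan`, the rule that matches `isaddon.dll` in any folder, and the sample log are assumptions made for this example.

```python
import ntpath
import re

# Indicators copied from the HijackThis entries in the post above (lower-cased).
KNOWN_CLSIDS = {
    "{202a961f-23ae-42b1-9505-ffe3c818d717}",
    "{8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d}",
    "{274c0420-ebe0-4f1d-b473-edd1aa9b85dd}",
    "{100b21cd-3b97-44fb-b1c0-ea6249e482e8}",
}
KNOWN_RUN_PATHS = {
    r"c:\windows\xpupdate.exe",
    r"c:\program files\malwarealarm\malwarealarm.exe",
    r"c:\windows\avp.exe",
}
# Assumption: the post shows isaddon.dll under four folders, so match it anywhere.
SUSPECT_BASENAMES = {"isaddon.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# The backslash after the hive is optional: the post's lines show "HKCU..\Run".
O4_RE = re.compile(r"^O4 - HK(?:CU|LM)\\?\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")

def scan(log_text):
    """Return (line number, entry name, reasons) for each flagged O2/O4 line."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        m = O2_RE.match(raw.strip()) or O4_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path").strip().lower()
        checks = [
            (m.groupdict().get("clsid", "").lower() in KNOWN_CLSIDS, "listed CLSID"),
            (path in KNOWN_RUN_PATHS, "listed path"),
            (ntpath.basename(path) in SUSPECT_BASENAMES, "isaddon.dll file name"),
        ]
        reasons = [label for hit, label in checks if hit]
        if reasons:
            findings.append((lineno, m.group("name"), reasons))
    return findings

# Constructed sample log: lines 1 and 4 are from the post, the rest are made up.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\Media-Codec\isaddon.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} - C:\Program Files\NewCodec\isaddon.dll
O4 - HKLM..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe"""

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A match on the file name alone (line 3 of the sample) is only a lead to check by hand, since the CLSID there is not one of those listed in the post.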

I don’t think SmitFraudFix is being kept up to date- the last update was on June 24, 2009.

http://siri.geekstogo.com/ChangeLog.php

It was useful back in my time- but that was years ago, as I’ve been using Linux more and more (and now exclusively).

S!Ri, the author, seems to be working with/for MBAM now.

http://siri-urz.blogspot.com/search/label/ScreenShots

hmm, didn’t know that :(, sorry, I know some other tricks to remove Trojan Zlob but I will post them in the future

I’m not saying for sure it’s not useful any more, because I don’t know for sure, and I haven’t been taking much notice of Windows malware.

Hi FwF,

Anti-malware tools like SAS and MBAM are repeatedly updated for the latest versions of this kind of malware program. In case the removal is problematic one should ask for the help of a trained malware eliminator, like our good friend essexboy, he has the latest cleansing instructions at geek2go, and essexboy is qualified to perform these elimination tools and scripts. Also oldman here at the forums is a qualified eliminator, but I haven’t seen him lately that much, and there are others I know of,

polonus

I thought this topic would be “useful”, nah forget it :-\

Hi Left123,

Why useful, HJT is outlived, old and stale like bread that has been out in the sun too long, when these new varieties of the malware came rootkitted, you need the new tools like Comboscript and other specific detecting & cleansing methods. There is malware that still can be cleansed out manually and with the help of HJT and BO-remover or freefixer or StartDreck analysis, and there are even those that cannot be cleansed at all like the buggy destructive file infector Virut (virus has won - game over), go to the web look up the description of what the malware does with ThreatExpert, and also study the specific cleansing routines at geeks2go and other malware cleansing online universities, go and volunteer there to become a trained eliminator, you are not allowed to do cleansing routines until you are fully trained, you learn all the official routines, can assist, later cleanse under supervision until they let you loose at real victims, then you have acquired some fresh new bread and some nice tasty fresh garlic and tomatoes to have with it,

polonus

k teacher ;D, did I say that I am good at PC? Nope, I am not, just tryin to be better, improve my “skills” ;D

Hi Left123,

You get all the opportunity to do so here, welcome aboard,

polonus

Then it is much better to sit back and monitor the forums and find out what is being used rather than post stuff like this and just show that inexperience.

pffff, just wanted to help and I only see bad comments -.-

Left123,

You may mean well, but you will learn more by the advice Polonus has given you in this thread. It is also helpful to observe threads to learn how problems are resolved before you start to offer suggestions. We don’t mean to sound harsh, but if you post something incorrectly, another person may think it is correct and follow the suggestion you offered that was incorrect and this may cause major problems for them.

So for now, sit back and read the forums and learn, ask questions if you have problems. This is how we all start…please don’t be offended. We are trying to help you in this learning process. :)