Sunday, December 7, 2008

Remove Trojan.Zlob.G fake alert - Trojan.Zlob.G Removal Help

Trojan.Zlob.G is an old variant of the Zlob trojan (Symantec described this threat three years ago). But today Russian scammers use the name "Trojan.Zlob.G" to scare users into downloading and then purchasing Perfect Defender 2009, a rogue anti-spyware program. A trojan (usually Vundo) displays a fake "Security center alert" stating that your PC is seriously infected with Trojan.Zlob.G. We recommend removing the Trojan.Zlob.G popup and the Vundo malware using Spyware Doctor + antivirus (with free scan).

Trojan.Zlob.G screenshot:

Trojan.Zlob.G popup text:
"Security center alert
Do you want to block this suspicious software?
Name: Trojan.Zlob.G
Risk Level: High
Description: Trojan.Zlob.G is a trojan program that records keystrokes and takes screen shots of the computer, stealing personal and financial information."
Trojan.Zlob.G automatic remover:

40 comments:

Anonymous said...

The window with this message you named showed up on my computer 2 days ago when visiting a trusted site I normally visit. Now I cannot log on to the internet from that computer but it will, however, still let me retrieve my e-mail through Outlook. When I attempt to log on to the internet another error message pops up, "IEXPLORE.EXE application error", with something about the memory could not be written... and then it shuts down automatically...

1) Are you saying to click on the download you've included in this post and that will remove the Microsoft security message about Trojan.Zlob.G?

2) If so, how can I do this if I can't log on to the internet from the affected computer?

3) If it is a fake alert why has my computer become disabled?

Thanks for the help.

Anonymous said...

I got this thing last night (1/06) on Stickam. Busted right through Norton 2009.
Norton doesn't detect it even in safe mode. AVG doesn't detect it even in safe mode, and this so-called great Norman malware cleaner doesn't detect it in safe mode.
My PC is doing exactly like Confused's PC is doing.
I think this is a little more than what is written.
When it hit my PC it powered the machine off. I can not connect to the internet and get the same error messages.
More powerful than what they are saying here.

Anonymous said...

I have the same symptoms as Confused (and I also apparently got this trojan while browsing major mainstream sites that should not pass on viruses) and it has obviously affected my computer in a real way, kicking me out of any browsers immediately when I try to launch them.

However, the day after my computer was hit (and I had done nothing to try to fix the problem yet), I still get these pop-up messages saying this Trojan.Zlob.G has infected my computer but I am again able to use the Internet. Does anyone know what's going on? Is this really a trojan that can record keystrokes and take screen captures as the pop-up warned me it would?

R said...

Hello there!

Thanks for the post. I have had exactly the same issue a couple of hours ago and it still exists. When I try to install your link it says invalid Win32 application.

Please help!

Anonymous said...

Is this even a legit blog? Or is this a way to lure people who do a Google search on how to remove this trojan? I just now had the same problem as Confused and everyone else who has posted. My computer has similar symptoms and just shut off earlier today. My computer is being extra slow right now and the screen sometimes appears to be refreshing on its own. Don't know WHO to trust.

Anonymous said...

Same thing happened to me Friday night late while I was surfing MySpace profiles...
CONFUSED... have you resolved your problem yet? I was afraid to click that download link provided... did you? I have heard that some of the removal tools are spyware as well... I am running Norton and went on a chat support... they wanted to charge $100 to remove it via remote assistance.

Anonymous said...

I suffered from this badly and could not download any removal tool to kill the virus or hell knows what it was, because my browser did not allow the downloads from this website. The "IEXPLORE.EXE application error" popup was screened. So I turned on my wife's computer and installed Spyware Doctor on it, then I sent it through the local network to my infected machine and installed it successfully. Now I am happy to remove Trojan.Zlob.G and both my and my wife's computers are running well now. I guess this works.

Anonymous said...

Yep. Same here. It showed up yesterday on my PC and it got me busy the whole afternoon and evening without any luck. I also use AVG and tried several antispyware tools, but all with no luck. GRRRR
Symptoms I have are:
- Internet Explorer crashes with an application error.
- no internet connection
- spontaneous reboot

Anonymous said...

I've also got this, however I haven't received exactly the same problems as the above have mentioned. My laptop restarted itself the other night after it had closed my web browser by itself, and when it came back on I started getting this popup every 10 minutes...

I haven't had any further problems to mention, but it seems this is happening to a fair number of people all around the same time..

Hope someone else can post some more info.

Anonymous said...

I primarily use Firefox but Internet Explorer (IE) was also impacted by this annoyance (Trojan.Zlob.G, fake security alert that tries to get you to buy Project Defender 2009). I tried many of the freely available malware, adware, spyware and virus removal tools as well as a couple you have to purchase. As of December 8, 2008 all of the ones I tried detected nothing or were otherwise not helpful.

I however am free of this annoyance and here is what I did. Some of this may not be necessary; however it was part of the sequence I used.

If using Internet Explorer:
1. Run IE with no add-ons; this is found by doing the following:
[Start>All Programs>Accessories>System Tools>Internet Explorer (no add-ons)]

Try it a few times; it may take a few tries to get it to stay running.

2. Now delete your temporary files, history, cookies, saved passwords, and web form information [Tools>Internet Options]

You should see the General tab open if not open it. Find Browsing History on this tab and PRESS the (Delete) button.

*** Note, this makes IE a bit more stable; but, close it now.***

If using Mozilla Firefox:
1. Run Firefox in safe mode. [Start>All Programs>Mozilla Firefox> Mozilla Firefox (Safe Mode)]

Again, try it a few times; it may take a few tries to get it to stay running.

2. Now delete your cookies. [Tools>Options]
You should see 7 buttons or tabs at the top of this window. Click on (Privacy). Now find and click (Show Cookies), then click (Remove All Cookies) and then (Close).

*** Note, this makes Firefox a bit more stable; but, close it now.***


All steps are the same from here regardless of the browser. I did this really fast and close together, so you should have the next stuff open and ready to use.

3. Run Windows Task Manager by holding down (Ctrl and Alt and Del) simultaneously. Now click on the (Processes) tab.

4. Run regedit: [Start>Run], type in regedit and hit (OK).

5. Now double click (HKEY_LOCAL_MACHINE); under that tree element double click (SOFTWARE), then (Microsoft), then (Windows), then (Run).

***Note, at this point I saw in the right panel two lines with cftmon in them; find them but do nothing yet. It is possible you will see Smax4 here instead; if so, substitute it for Cftmon or cftmon.exe everywhere in these instructions.***

6. Now, with Task Manager and regedit open where we left them above, open the following folder under My Computer: [C:\Documents and Settings\{username}\Application Data\Google].

Treat any files in this Google folder that are not in a subfolder (e.g. Local Search History, etc.) with suspicion. The files you are looking for here are spcffwl.dll and kjzna1562565.exe.

These files can change names if you use some freeware tools to try to delete them or destroy them. The normal delete had no effect for me here, thus this convoluted scheme I am giving you.

7. OK, now I did all these things in fairly quick succession; that is why I had you do the above preparation.

In Task Manager, find cftmon.exe (not to be confused with ctfmon.exe, part of Windows, which I won't discuss here), click on it to highlight it and then hit (End Process). Just in case, you might stop both cftmon.exe and ctfmon.exe (I found a bit of confusion in discussions concerning these two files, so the safe bet is to end both).

8. Now, go to your regedit window and, in the right panel, right click and then delete any lines with cftmon in them; if you see ctfmon here do the same.

9. Now, if your situation is like mine you should be able to delete spcffwl.dll and kjzna1562565.exe in the Google folder you have open. So, delete them.

10. OK, close everything and try opening Firefox and/or Internet Explorer. On my system they were back to normal and the fake security alert was gone. I would suggest rebooting and checking your browsers again.


I hope this helps.

mzfang said...

Dear mbioanalyics,

I found your info to be most helpful and I followed it to the letter... However I was still unable to delete the 2 files from the Application Data\Google folder. It gave me a message that "access denied, make sure the disk is not full or write protected and that the file is currently not in use." My regedit also did not have either of the cftmon or Smax4 files listed in it... So I was unable to delete them prior to the Google files?? Do you have any other suggestions on how to rid myself of this bloody parasite? It's driving me crazy..... and any help would be greatly appreciated. Could I try renaming the files? I also noted that both files were modified at almost the same time I was trying to delete them.... Perhaps I wasn't quick enough, I'm not sure.....

Thanks!
Mzfang

Hemant said...

This solution works for the latest Trojan.Zlob.G popup problem where no internet connection works and there are repeated fake warnings to 'activate' the Defender anti-virus program.

No use running any anti-virus/spyware programs, they don't seem to detect this latest Trojan. Only manual removal works perfectly:

Start in safe mode (press F8 at startup)
Delete following:

kjzna1562565.exe
spcffwl.dll
T-Scan (entire folder)

their location would be C:\Documents and Settings\{username}\Application Data\Google\

It looks so simple in hindsight, entire day wasted in efforts.

Anonymous said...

Dear mzfang,

A couple of things:

They won't delete because they are in use. Renaming them does not appear to help.

I am discovering this thing exists in a couple of variants.

Make sure system restore is turned off. You can try deleting the files in the google folder in safe mode. This didn't work on the first system I worked on that was infected. However, it did on another system.

Did you have ctfmon in the registry as described in steps 5 and 8? Also, when you did step 5 did you see Run- or RunOnce? If so look in them for these entries.

Additionally, search the registry for kjzna1562565 and perfect defender in same place as before and delete all occurrences (I would also use regedit find feature to look throughout). I will look for other registry entries you can check for. The most important thing is to get those files deleted.

Are you running Spybot? If so turn off TeaTimer. When everything is fixed you will need to create a registry backup or TeaTimer will just keep changing things back. I actually discovered on another system I was working on today that it was best at the end to uninstall and then reinstall TeaTimer when all is fixed.

Anonymous said...

Dear mbioanalyics: thank you!

Dear mzfang: I ran into exactly the same scenario you did. However, you can delete those 2 files from application data\google directory with this slightly modified approach after you've followed mbioanalyics’ steps one, and two.

3. Search the registry for cftmon. Delete the one entry that references it immediately AFTER you END PROCESS of cftmon.exe in Task Manager.

4. Reboot into safe mode, command prompt only. Change directory into the C:\Documents and Settings\{username}\Application Data\Google, and then delete the two files spcffwl.dll, and kjzna1562565.exe using the DEL command.

5. Reboot into normal Windows mode, and immediately empty the Recycle Bin for good measure.

Anonymous said...

Hi, Same problem here since Sunday. I've tried all the removal suggestions from Anonymous, mbioanalyics and mzfang, but unfortunately none of the cftmon, ctfmon, kjzna1562565.exe, spcffwl.dll or T-Scan were found in my Task Manager, Registry or Google App Data folders. Also, for some reason whenever I try to start in Safe Mode, my computer goes to a beeping blank screen with a blinking cursor at the top left, so that doesn't work either.

Two things called dplsmjk.dll and WinDep were in the Application Data/Google folder, though. Neither of them allow me to delete them; I keep getting a message saying "Needs Authorization: Try Again or Skip".

I did find the Smax4v under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] and deleted it, but I can't find any of the relevant applications to end in the Task Manager.

Any thoughts on how to tweak my solution for removal? I have Vista, so that might be where the difference/extra problem is coming in. It's really wreaking havoc with my computer. Any help would be greatly appreciated. Thanks!

Anonymous said...

The two files dplsmjk.dll and WinDep are the problem. These file names are known to be associated with trojans. You should delete them. There has been some success with changing the file names to something else and then deleting them. File shredder programs don't appear to delete them either; but, I know of one case where a shredder resulted in file name changes and then the files could be deleted.

Anonymous said...

Is the fix really as simple as you're suggesting, Hemant? I'd like to beat up some Russians who have nothing better to do than to scam people with this approach. This is criminal.

mzfang said...

Dear mbioanalyics and everyone else,

Unfortunately this virus locks up my PC if I try to go into any type of safe mode: safe mode with networking and/or SM with command prompt. After much distress I did try turning off the system restore, also to no avail. ctfmon only showed up in the running processes, which I deleted only to have it reappear as soon as the bogus screen popped back up. I am still able to access the internet via IE with no add-ons. But I've been leery to go anywhere else that requires or stores a password.

When I double click on Run in the registry I get another file called "Optimal components" which contains 3 files, IMAIL, MAPI, MSFS. There is a RUNONCE and a RUNONCEEX; both contain a "default" REG_SZ file on the left side of the screen.....

Since I am unable to boot into safe mode I have a friend who has dealt with this beast in the past and he is bringing me an MS DOS boot disc tonight and we are going to try to tackle it that way.

I think what has happened is that I either didn't allow the virus to completely install on my PC, as I immediately shut my system down when I realized what was going on, or that one of the removal tools I used may have removed portions of the virus but obviously not all....

But again, any advice is much appreciated....This is my 4th day with this disaster and I'm ready to be rid of it....

Thanks again!

Anonymous said...

Dear mzfang,

I was going to suggest a DOS boot disk next. Is your file system NTFS? If so, not all DOS boot disks can read the files. In the event that happens, try NTFS4DOS.

This should also work for Vista users using a DOS boot disk to delete the files.

Hemant's solution does work on some systems, although it does leave the changes made in the registry. If it works for you, I would still recommend you delete all cookies and temporary internet files as a precaution. On some systems these files have other names and on some they will not delete even in safe mode.

Just a note when you are looking for these if you can't find them make sure you have folder options set so you can see hidden files.

Anonymous said...

I managed to fix the problem (I hope!) after deleting that Smax4v file and after renaming and deleting both of the other files in the AppData\Google folder. Thanks so much for everyone's help, especially the renaming tip, mbioanalytics. I'm not the most computer-literate person, but everyone's instructions were really clear. Thanks again!

Anonymous said...

@Hemant: Nice call. Worked like a charm.

Anonymous said...

I removed them without opening regedit. I opened up Task Manager. Then went to [C:\Documents and Settings\{username}\Application Data\Google]. I then used Unlocker, a freeware program, to unlock the dll file. Then deleted it without any problems. In Task Manager the "kjzna1562565.exe" appeared so I just killed it and then deleted it from the Google folder.

Anonymous said...

Norton fixed the problem this morning. When I ran LiveUpdate this morning it kicked in and took it out. It hadn't detected it all weekend... it was a TROJAN.FAKEAVALERT, presenting itself as that Trojan.Zlob window alert. Anyway, after 5 harrowing days of trying to rid my computer of it, it's gone. I guess you have to let Norton catch up on the definitions... as I am sure the same is true with the rest of the anti-virus/spyware... run your updates and rescan everyone... OH HAPPY DAY!

Anonymous said...

Ok, I rebooted my computer and everything went back to normal! I want to thank you all for your help. I was really freaking out when I got the trojan... Luckily there's a solution for every problem, and there are still nice people who try to help you out! Thank you so much!! And I really hope that those Russian criminals get punished some day.

Anonymous said...

I have the popup for Trojan.Zlob.G on my PC now and I don't have this "Google" folder under Application Data... any suggestions? I found smax4pnp.exe in my Task Manager but nothing named cftmon... I also tried safe mode but since there is no Google folder I'm not sure what to do... someone help!

Anonymous said...

I ended up finding the folder, and removed it...I think. Thanks

Anonymous said...

I was able to delete the kjzna1562565.exe file after a bit of searching and name changing. But I'm still having some problems trying to delete the dlxovk.dll file that was also in the Application Data\Google folder.

I wasn't able to find any file with cftmon in the Registry Editor or in the Task Manager. I didn't see Smax4 either.

I tried changing the name and looking for a process to end, but to no avail. I am still getting an error message saying the disk may be full or in-use.

Any suggestions?

Anonymous said...

For my case, I followed all the above instructions like: end related processes in Task Manager, delete all related registry entries, turn off System Restore, reboot Windows in safe mode, delete the "Google" folder.

To reboot in safe mode and delete the Google folder: Start -> Run -> type "msconfig" -> tab "BOOT.INI" -> check "/SAFEBOOT" -> restart Windows.

In safe mode -> go to [C:\Documents and Settings\{username}\Application Data\Google]
-> delete the "Google" folder.

Unknown said...

Hello, I have Vista and I am unable to find the folder! It doesn't work like XP! Could you please tell me where to find the 2 files to delete, please?

Thanks.

Anonymous said...

Hello,

How does it work with Vista? I am unable to find the folder!

Thanks !

Anonymous said...

A previous Vista user posted that they had the Google folder just like the XP users; the files were named differently. Additionally, the files are not always in a Google folder under Application Data. Can you see an Application Data folder (C:\Documents and Settings\{username}\Application Data)? If not, you likely don't have your folder options set to see hidden files and folders. If the folder just isn't there you will have to look elsewhere. The files have been found in other folders, sometimes with names that are a variation or abbreviation of Perfect Defender.

Files you may want to look for:
PDInstall2009[1].exe, pdfndr.exe, kjzna1562565.exe, pdmonitor.exe, Smax4v.exe, Smax4.exe (watch out on these, they can be associated with your audio, but if they are in a system directory delete them), WinDep.exe (found on Vista), PDefender.exe, Project Defender 2009.exe, pd.dll, spcffwl.dll, dplsmjk.dll (found on Vista).

If you cannot get the files to delete even by changing the name and deleting, and you are having problems getting into safe mode, you could try downloading Unlocker 1.8.7 as a previous poster used.
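The manual steps mbioanalyics gave earlier (Run key entries named cftmon or Smax4, loose files in Application Data\Google) and the file list in the comment above boil down to the same triage: look at the autorun keys and at that folder before deleting anything. The following read-only PowerShell script is an added example, not code from the blog or from any commenter; it only reports, and assumes Windows PowerShell 2.0 or later, with the names and paths taken from the comments.

```powershell
# Added triage script (not from the original post or any commenter). Read-only:
# it lists autorun entries, loose files in Application Data\Google and matching
# processes so the operator can confirm names before removing anything by hand.
# Assumes Windows PowerShell 2.0+; file/value names come from the comment thread.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Names the thread associates with this rogue (constructed from the comments)
$suspectPattern = 'cftmon|smax4|kjzna1562565|spcffwl|dplsmjk|windep|pdfndr|pdmonitor|pdefender|perfect defender'

Write-Host "== Autorun entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip provider metadata (PSPath etc.)
        $data = [string]$p.Value
        $flag = ''
        # Anything launched from a per-user Application Data folder deserves a look,
        # as does any value whose name or command line matches the thread's names
        if ($data -match 'Application Data|AppData' -or (($p.Name + ' ' + $data) -match $suspectPattern)) {
            $flag = '  <-- review'
        }
        Write-Host ("{0}`n    {1} = {2}{3}" -f $key, $p.Name, $data, $flag)
    }
}

Write-Host "`n== Loose files in Application Data\Google =="
$candidates = @(
    (Join-Path $env:APPDATA 'Google'),                                 # resolves on XP and Vista
    "C:\Documents and Settings\$env:USERNAME\Application Data\Google"  # XP path named in the thread
) | Select-Object -Unique
foreach ($dir in $candidates) {
    if (-not (Test-Path $dir)) { continue }
    # -Force shows hidden files; only files directly in the folder, not subfolders
    Get-ChildItem -Path $dir -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $mark = ''
        if ($_.Name -match $suspectPattern -or $_.Extension -match '^\.(exe|dll)$') { $mark = '  <-- review' }
        Write-Host ("{0}  {1,10}  {2}{3}" -f $_.LastWriteTime, $_.Length, $_.FullName, $mark)
    }
}

Write-Host "`n== Running processes with matching names =="
Get-Process | Where-Object { $_.ProcessName -match 'cftmon|smax4|kjzna|windep|pdmonitor|pdfndr' } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize
```

Entries marked "review" are candidates to check against the names listed in the thread, not automatic verdicts; Smax4 in particular can belong to legitimate audio software, as the comment above notes.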

Anonymous said...

I have entered my PC in safe mode, looked under C:/Document&Settings/username ... but then there was no Application Data folder.

Where else could I find it, to be able to delete the files spcffwl.dll etc.?

Anonymous said...

I've got this too. Such a pain.

Anonymous said...

I fixed it through Vista, too. I found the Application Data folder in Vista by searching in the Start menu for AppData, then clicking on it in the results, clicking into the Roaming folder and then the Google folder. Good luck!

Anonymous said...

I cannot find the Google folder within the Application Data folder. My hidden folders are enabled. What am I doing wrong?

Anonymous said...

I had the same symptoms as everyone else. I tried Hemant's method and it worked like a charm (although the .dll had a different name).

It's already been said but I'll repeat it since it stumped me at first: if you don't see the "Application Data\Google" folders, make sure you are viewing Hidden Folders. You can find this under Tools/Folder Options/View.

jmattimore said...

Nice work Hemant - The files had slightly different names, but it was obvious once I got there. Thanks!!

Anonymous said...

I got this Trojan.Zlob.G alert a week ago and couldn't figure out how to get rid of it. I must have been one of the first to be infected with it since I couldn't find any remedy at first. I went through several AV and anti-spyware scanners including..... AVG, Avira, Avast, Malwarebytes, Ad-Aware and so on and so on. The only one that came up with something was Avast but it was not related to this one.

I finally went through anything loaded in control panel and googled each unknown item to me. This whole process including running all AV's took 2 days but I finally found it.

I also had trouble getting anywhere with my browser. I used Opera, Firefox and IE7. I finally ran it as Administrator in Vista and could go to other websites without crashing. It even crashed my Skype and MSN Messenger unless I ran them in Admin mode. Hope this helps anybody else out there.

P.s. I believe I downloaded it as an Adobe Flash update.

Anonymous said...

Hemant's instructions worked for me, as well. The file names were different, but still the obvious culprits. Thanks so much for posting this fix!

Anonymous said...

Hemant's instructions worked 100% for me. I had no idea it would be so simple, especially since most of the places I checked for information were going to have me alter my registry. Very dangerous. Thanks, Hemant!