Removing Zlob aka SmitFraud, SpySheriff, Infections

Discussion in 'Malware Removal FAQ' started by chaslang, Oct 5, 2005.

Thread Status:
Not open for further replies.
  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    PLEASE NOTE: This is a generic procedure meant to cover multiple infection types which are typically classified as part of SmitFraud or Zlob infections.



    This cleanup procedure should work for removing malware problems related to any of the below (and many more):
    • AntiVirusGold
    • AntiVirusXP 2007, 2008, 2009
    • MalwareWipe
    • PSGuard
    • safetydefender.com
    • Search Maid
    • SecurityBulletin.net
    • Security IGuard
    • Smitfraud
    • SpyAxe
    • SpyFalcon
    • SpySheriff
    • SpywareQuake
    • SpywareStrike
    • syssecuritysite.com
    • SystemAntiVirus 2008
    • Search Maid
    • Virtual Maid
    • Virus Response 2009
    • XPAntiVirus 2007, 2008, 2009
    • Zlob aka Trojan.Zlob aka Trojan-Downloader.Zlob.Media-Codec aka DNS Changer aka
    Download SmitFraudFix to your Desktop from one of the below links and use the steps indicated for either link, which are slightly different.




    Primary Download Link: SmitfraudFix (by S!Ri)
    1. The above link is to a file named SmitFraudFix.zip. Save this file to your Desktop.
    2. Now double click the ZIP file on your Desktop and Extract the contents to your Desktop too. This will create a SmitFraudFix folder on your Desktop.
    3. Double click the SmitFraudFix folder to open the folder.
    4. There will be two parts to how we will use SmitFraudFix
      • Searching
      • Cleaning
    5. Double click the smitfraudfix.cmd file to start the tool.
    6. Now jump down to Step 1 below.
    Alternate Download Link: SmitFraudFix (by S!Ri)
    1. The above link is to a file named SmitFraudFix.exe. Save this file to your Desktop.
    2. There will be two parts to how we will use SmitFraudFix
      • Searching
      • Cleaning
    3. Double click SmitFraudFix.exe to extract all the files to your Desktop. This will create a SmitFraudFix folder on your Desktop. And it will automatically start running the program.
    4. Now jump down to Step 1 below.
    Note: process.exe (which is used by SmitFraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.
    STEP 1: Searching for the infection!

    • You should now see the below window on your monitor.
    [Screenshot: sff1.jpg]
    • Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
    • Attach this current C:\rapport.txt log file to a message in your thread now, before doing the second step of the procedure, or you will overwrite and lose this info. (See: HOW TO: Attach Items To Your Post)
    STEP 2: Cleaning the infection!



    Please print out or copy these instructions to Notepad, as the internet may not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
    • Reboot your computer into Safe Mode : Starting your computer in Safe mode
    • Open the SmitfraudFix folder on your Desktop, then double-click the smitfraudfix.cmd file to start the tool.
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt. Don't forget to attach this new log to your next message after you finish running the cleaning step and reboot into normal mode.
    • While the tool is cleaning you will see a window like below:
    [Screenshot: sff2.jpg]


    SmitFraudFix has other optional steps that you do not need to run unless specified. They are:

    Step 3 to Restore Trusted and Restricted Zones
    Step 4 to Search for and Clean DNS Hijacks
     
    Last edited: Oct 9, 2008