Recently there has been a rash of spyware that is capable of infecting Windows 2000, Windows XP and Windows Vista with one payload. In most observed cases, these infections owe their lineage to the rogue malware engine Trojan.Zlob which is ancient, prolific and ruthless. As a spyware platform it has given birth to many of computing’s more endearing infections, including Spylocked, which we wrote about on July 30th, Smitfraud and Spydawn. On 2000 and XP, the symptoms of infection are fairly benign — a tray app, fake alerts and a false program — but Vista users will find that their explorer.exe process is stuck in an infinitely-looping sequence of crashing.
As noted above, we covered one of the more common strains of Trojan.Zlob in July, and this week we’re back to take a swing at the entire Zlob clade. The process has five immediate steps, which dovetail into several more depending on the severity of your infection. This procedure may also be effective against Vundo and Virtumonde.
Preliminary Step 1: Safe Mode
Restart your computer while pressing F8. Select “Safe mode with networking” from the menu that appears, and log into the Administrator user account.
Preliminary Step 2: Kill Explorer.exe
Press CTRL+ALT+DEL and launch the task manager. Find Explorer.exe in the process list and kill the task. Do not close the task manager.
Step 3: Obtain and Install RogueRemover
The RogueRemover utility from MalwareBytes is explicitly designed to target malware that is based on an infection platform like those noted above. Most malware is a one-off; it is pushed into the wild, peaks and then falls into obsolescence. Malware platforms, on the other hand, provide the building blocks for new variants, new engines and new methods of infection. Because of this rapidly-changing pathology, these types of infections are notoriously hard to identify and treat, but RogueRemover is an amazing step and a fantastic tool.
With the tool loaded onto a flash drive and the drive inserted into the infected machine, hit “New task…” on the “Applications” tab of the task manager and run the installer from the flash drive. Let the application launch itself once the installer has finished.
Step 4: Run RogueRemover
The program will automagically prompt you to update the first time you run the application. Hit the “Check for” button to ensure the program is the newest version. At this point, hit “Scan” and wait a minute. When the scan is done, you will be presented with a list of infected items; remove all of them. This quick and efficient process should, for the most part, give you back control of your machine. At this point, a healthy dose of step 5 is in order.
Step 5: Clean up the Mess
Now that explorer.exe is back under your control, you can reboot the computer and head to our Security, Virus and Trojan forum to receive expert help in finishing off the infection. Some of the steps may not be applicable to Vista, so carry out those steps which you are able to, and follow them closely. We promise to help you get squeaky clean in a jiffy.
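The two parts of the procedure that can be scripted are Preliminary Step 2 (ending explorer.exe) and Step 3 (launching the installer from the flash drive). The batch file below is an added example and is not from the original post or from MalwareBytes; it assumes XP or Vista (taskkill is not included with Windows 2000, so use Task Manager there as described), and the installer file name and the script path shown in the comments are placeholders to replace with whatever you actually downloaded.

```batch
@echo off
rem Added example (not part of the original post): scripts Preliminary
rem Step 2 and Step 3 for XP/Vista. With explorer.exe dead, launch it from
rem Task Manager via "New task..." by typing its path on the flash drive,
rem for example E:\zlob-prep.bat (placeholder path).
rem The installer file name is a placeholder; use the one you downloaded.
set "INSTALLER=RogueRemover-Setup.exe"

rem Preliminary Step 2: end the explorer.exe that Zlob keeps crashing.
rem taskkill ships with XP and Vista but is not included with Windows 2000.
taskkill /F /IM explorer.exe >nul 2>&1
if errorlevel 1 echo explorer.exe was not running or could not be ended.

rem Step 3: find the flash drive by checking each drive letter for the
rem installer, then start the installer from there.
for %%D in (D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist "%%D:\%INSTALLER%" (
        echo Installer found on %%D:\ - starting it.
        start "" "%%D:\%INSTALLER%"
        goto :found
    )
)
echo %INSTALLER% was not found on any drive; check the flash drive and retry.
goto :eof

:found
rem Leave Task Manager open: you will need "New task..." again if the
rem installer does not hand off to RogueRemover on its own.
```

The drive-letter scan replaces guessing which letter the flash drive received in Safe Mode; if the installer is not found on any letter, the script says so instead of silently doing nothing, which is the check you want before assuming Step 4 can begin.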
As a kind friend might have once printed to chat: “Your PC skills have improved slightly!” Those were good times.