Zlob
Posted: March 28, 2006
Threat Metric
The fields listed on the Threat Meter, each of which contains a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10, where 10 is the highest level of severity and 1 is the lowest. Each level is relative to the threat's consistently assessed behaviors, collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criteria for Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, using an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 75 |
| First Seen: | July 24, 2009 |
| OS(es) Affected: | Windows |
Zlob is a large family of multiple-component trojans that use several threats in coordination to hijack your web browsers and install malicious programs. Zlob is closely associated with rogue security applications like Windows AV Component that create fake infection warnings and other inaccurate system alerts. The goal of any rogue security program is to steal your credit card information and money, and Zlob assists them in that endeavor through a variety of methods that attack your web browser and potentially your security programs. If you've found an unusual security program installed on your PC for no reason, you may be the victim of a Zlob attack. Despite the wide variety of Zlob in the wild, any good anti-virus program can remove Zlob from your computer along with any related threats.
Learning the Signs of a Possible Zlob Infection Attack
Zlob trojans occur in an almost countless number of slight variations that are designed to attack your computer in slightly different ways or are affiliated with slightly different types of rogue security programs. Some common types of Zlob threats include Trojan:Win32/Zlob.gen!S, TrojanDownloader:Win32/Zlob.AMP, TrojanDownloader:Win32/Zlob.gen!AU, Trojan:Win32/Zlob.AU and TrojanDownloader:Win32/Zlob.gen!T. The Zlob Trojan constantly updates and switches to whatever rogue anti-spyware program the rogue creator wants to distribute at any given time. Zlob may pop up a message saying that your computer is infected with the following infections: Spyware.CyberLog-X, W32.Myzor.FK@yf, and Trojan-Spy.Win32.mx. Zlob installs many popular rogue anti-spyware programs, among them XP Antivirus 2012, Win 7 Security 2012, XP Security 2012, IEDefender, AntiVirGear, SpyShredder, WinAntiVirus Pro 2007, Ultimate Cleaner, and SecurePCCleaner.
Zlob Trojan is still widely distributed by at least two distinct methods:
- You may install a Zlob Trojan unwittingly by downloading a fake codec or other video player update from a dangerous website.
- In other cases, visiting a dangerous website will cause Zlob to be installed onto your PC even if you don't install anything. This is usually managed via script exploits; disabling Java and Flash for untrustworthy sites can improve your defense against this type of Zlob attack.
Some types of Zlob are even installed by other Zlob variations, and different Zlob trojans can vary widely in the forms they take. Some Zlob trojans are installed in the form of Browser Helper Objects (BHOs), and although most Zlob attacks favor hijacking Internet Explorer, other Zlob trojans may hijack other types of web browsers.
Since rogue security programs are closely linked to Zlob, you should assume that the presence of one may indicate the presence of the other. Using anti-virus software to scan your entire PC for Zlob and other threats should detect all possible dangers to your PC. Updating your anti-virus software prior to a scan will help you detect Zlob, which may be vital, given that Zlob is available in dozens of variations and has seen updated versions as recently as June 2011.
Zlob - The Trojan That Wants You to Have a False Sense of Security
Despite their many possible differences, almost all Zlob versions have two traits in common with regard to their intended attacks or payload:
- Zlob will attempt to install other threats onto your computer, most prominently including rogue security programs. Rogue programs create a fake impression of being useful security software while indicating that your PC is highly infected.

  However, rogueware, including recent examples like Windows Proofness Guarantor, Windows Inviolability System and Windows Necessary Firewall, can't detect or delete real PC threats. The only purpose of these rogue programs is to steal your money and credit card information.

  Zlob may use fake error messages while installing its rogue programs to trick you into thinking that these rogue programs are legitimate. Fake Microsoft Security Essential Alert variants will even imitate Microsoft's Security Essentials Alert windows. Remember that Microsoft will never ask you to install security software from an unusual source or ask you to install software without specifying what the software is.
- The second factor most Zlob threats have in common is their tendency to attack your web browser with hijacking techniques. Hijacks can perform many different browser-related functions, including changing your homepage to a malicious one, displaying fake error screens, altering online content or redirecting you from one website to another one.

  In the usual case, Zlob will use these hijacks to reinforce the rogue program that it's designed to support. You may find that your homepage is changed to a rogue program's website. Alternately, you may be unable to access real security websites. In extreme cases, all websites except the one for the rogue threat will be blocked by Zlob.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:

iesplugin.dll
File name: iesplugin.dll
Size: 25.6 KB (25600 bytes)
MD5: e46bbd7733738efa1a3516ef1d4b19d3
Detection count: 69
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
Last Updated: December 11, 2009
iesplugin.dll
File name: iesplugin.dll
Size: 25.6 KB (25600 bytes)
MD5: ebfa464c1338269f7e7730b7f4624df0
Detection count: 31
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
Last Updated: December 11, 2009
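
The two iesplugin.dll entries above share a file name and size but have different MD5 hashes, so a hash match alone cannot be assumed to catch every copy. The scanner below is an added example, not SpyHunter's code or part of the original page; `scan` and `md5_of` are hypothetical names, and the file name, size and hashes are the ones listed above. It reports a listed hash as "confirmed" and a matching file name with an unlisted hash as "suspect".

```python
import hashlib
import os

# Indicators taken from the two file entries listed above.
ZLOB_NAME = "iesplugin.dll"
ZLOB_SIZE = 25600
ZLOB_MD5 = {
    "e46bbd7733738efa1a3516ef1d4b19d3",
    "ebfa464c1338269f7e7730b7f4624df0",
}

def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files are never read in one piece."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def scan(root, known_md5=ZLOB_MD5, name=ZLOB_NAME, size=ZLOB_SIZE):
    """Return sorted (verdict, path, md5) tuples for files under root.

    "confirmed": the MD5 is in known_md5, whatever the file is called.
    "suspect":   the file name matches but the hash is not a listed one.
    """
    findings = []
    for folder, _dirs, files in os.walk(root, onerror=lambda err: None):
        for fname in files:
            path = os.path.join(folder, fname)
            try:
                name_hit = fname.lower() == name
                # Hash only candidates: matching name or matching size.
                if not name_hit and os.path.getsize(path) != size:
                    continue
                digest = md5_of(path)
            except OSError:
                continue  # locked or unreadable file: skip it
            if digest in known_md5:
                findings.append(("confirmed", path, digest))
            elif name_hit:
                findings.append(("suspect", path, digest))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for verdict, path, digest in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:9}  {digest}  {path}")
```

A "suspect" result is a lead for a full anti-virus scan, not a verdict, since it rests on the file name alone.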
Thanks for posting this, I've found 3 Zlobs already.
You repeated entries for the registry and command prompt, which made copying this information tedious. Also, it is customary to write registry locations using the backslash \ between folders. You didn't do this, which makes following to the proper location difficult.
Thank you
I AM USING AVAST 4.7 LATEST VERSION and it detects a "sample" of win32:Zlob [Drp] malware every time I connect to the internet. I've tried to remove it, but it is really a great nuisance. Could anybody help me?
All removal comments assume you can gain access to the Windows command prompt. My son's computer immediately boots to the HTML page to renew or update the false blocker. I cannot gain access to the operating system. Cannot start Task Manager, cannot get to desktop at all.... What is the best course of action? I was thinking of removing the drive, slaving it to another and proceeding with removal instructions then; however, I am cautious as I do not wish to propagate the Zlob on my drive. Thank you in advance, any help would be greatly appreciated. Scott
Ok, I have Spyhunter and have run it, finding zlob files and removed them. But it keeps coming back! When I search for the files listed in the manual instructions, I find them. It seems the files listed as zlob files in the manual removal instructions do not match the files found and removed by Spyhunter. Any ideas?
bbrecken,
Zlob files are regenerating themselves very often and it may be very hard to remove this parasite from your computer. If you have the full SpyHunter version, you should contact our support team and they will solve your problems.
Regeneration is the least of my worries. I have 5 junk PCs. I guess I have a lethal version that has written to the HD in a supposed unwritable area "8 meg buffer" and as well written an unrecoverable write to the BIOS. I've tried flashing and hard reset. Still there!!!! Any ideas would be great!! I am going to try the SpyHunter but I think it has its limitations.
I'm only getting zlob in the registry, and not finding any files. I'm following the instructions with removing, but it keeps coming back. Any thoughts?
I recently bought a computer from a friend and took the hard drive out of it and put it into mine as a second drive as it was much larger. It was eaten up with viruses, worms, spyware, etc. I have BitDefender and removed everything except for "Trojan.Downloader.Zlob.ABMT" which is in "D:\System Volume Information\_restore{980765FE-9B1B-4382-B1B3-DA0C645CD6A0}\RP245\A0160591.exe=](NSIS o)=]bzip2_solid_nsis0000" ... BitDefender will not delete, move or take any action as it is in the System Restore folder... I tried to turn off System Restore, ran BitDefender again and again it found it. So I turned System Restore back on, and still BitDefender finds it.... Is there no way to get rid of this? I know it is inactive because it is in the System Restore folder, but if I ever have to restore my computer I am afraid it will activate it. Any help on this matter would be appreciated.
If you're having trouble with the Zlob virus, why don't you back up your files and do a full reinstall!! Thanks, Luke
Is there any truth to turning off the system restore, booting up in safe mode, running the scan/removal, then rebooting in normal mode?
Keep up the good work man, you really saved me and gave me tons of info I did not know. Millions of thanks to the guy that did all this 😀
rofl thanks for the info i found 16 zlobs ROFL
I advise before you all begin to scan using any antivirus... make sure to turn off System Restore (for Windows XP). Then erase all the files in Windows\Prefetch. If this doesn't work, then try going to safe mode and scan again.
Thank you very much for making this info available, it helped me out greatly as this trojan (Zlob) was particularly nasty and difficult to remove. I know next to nothing about computers, but in my attempts to remove the DLL files, mainly iebt.dll, I found I couldn't even from the command line, it would always give me error messages. I figured out a trick: I copied and zipped the file, then it let me remove it right from the folder directory for some reason. I don't understand why this worked, maybe I tricked it into thinking it had copied itself. Also another trick I figured out: when it mutates after you remove it, it will reappear in other places. It seems if you catch it early enough you can remove DLL files while the search command is still in progress, but you can't once it has completed. Once again I do not understand why this worked, but while it was still searching I simply dragged it to the recycle bin, and this worked. Hope this info helps someone.....
It is all about finding infection files. Sometimes it is hard to remove them, because they are in memory as a process that you can't kill, so the file can't be removed. But I managed to remove it once before with the following procedure (it took me about 8 hours of work until I got to this "formula"):
1. I used SpyHunter, but it didn't remove all files; there was a wm.exe that was unremovable in any possible way.
2. Then I burned one Linux live distribution and booted the system as a Linux live OS. Under the cover of Linux, I located the malicious file and erased it successfully.
3. I booted Windows once again and did a system restore to the day before (when the infection wasn't present), and it helped. There are no more signs of infection.
First of all: THANK YOU.
As of an hour ago I became infected with my FIRST trojan! Yay I guess? After all these years, it was actually a site for updating the look of your MySpace that duped me into downloading the Zlob, which then led to installing the Rogue.Perfect Defender. Criminy!
Two steps from pulling my hair out (and quite literally about the 6th antivirus I tried) I came across here and it ACTUALLY WORKS!!! Thank you thank you is all I can say. It was so incredibly easy to use, it works QUICKLY, effective, and up-to-date. I am DEFINITELY going to remember to recommend this to anyone that becomes infected with trojanware or anything of the sort.
I keep having a security center alert pop up on my screen every 5 minutes or so. This ad says it's trojan.zlob.g and is going to stop info. theft. Nothing has stopped it from continually popping back up. Any help? Thanks.
THANKS SO MUCH
Had virus response lab and a folder appeared on desktop that I can't delete, saying that there is a directory but the folder states no files or folders. AVG detected Zlob but there are other files. How can I delete the folder and all other files?
If I purchased the Personal Antivirus without knowing it was a fake, how do I get my money back?
Some software and it seems like it can Take hold of other systems also IT has GOTTEN into Avast systems then it must be "skipping" into or "Pbacking" into systems thru worm or Trojan probably Must Backup and Reinstall a Consensus from research..
I get what you're all trying to say, but I'm at a loss. When I attempt to open Task Manager as you so willingly suggest, it says that, "Task Manager has been disabled by your administrator." I'm quite sure this is part of the virus, and I can't remove it without using it. Any suggestions?
Thank you but all my programs including Task Manager are infected and won't open except for Mozilla Firefox
Hi all. I was using Avira Antivirus when 1 day I saw I had an unusual security program which I hadn't installed. Then I told 1 of my friends. He is a hacker and he sent me BitDefender TotalSecurity. When I installed it, it found 843 viruses including Trojan.Zlob. And Avira didn't find even 1 :S. I had to restart my computer once. And it was all done! Everything was cleared, the program told me that 819 infected programs are disinfected, 23 infected files are deleted and Trojan.Zlob3394 is at Quarantine until absorbing its power and deleting it. When I scanned my computer for a second time I saw that it is free from viruses. Everything was running very fast and easy. I was happy and I wanted to share it with you!
I wish you good luck!!! ;]]
Reading posts like this makes surfing such a pleasure