Home Malware Programs Backdoors Zlob


Posted: March 28, 2006

Threat Metric

Threat Level: 8/10
Infected PCs: 75
First Seen: July 24, 2009
OS(es) Affected: Windows

ScreenshotZlob is a large family of multiple-component trojans that use several threats in coordination to hijack your web browsers and install malicious programs. Zlob is particularly closely-associated with rogue security applications like Windows AV Component that create fake infection warnings and other inaccurate system alerts. The goal of any rogue security program is to steal your credit card information and money, and Zlob assists them in that endeavor through a variety of methods that attack your web browser and potentially your security programs. If you've found an unusual security program installed on your PC for no reason, you may be the victim of a Zlob attack. Despite the wide variety of Zlob in the wild, any good anti-virus program can remove Zlob from your computer along with any related threats.

Learning the Signs of a Possible Zlob Infection Attack

Zlob trojans can occur in an almost countless number of slight variations that are designed to attack your computer in slightly different ways or are affiliated with slightly different types of rogue security programs. Some common types of Zlob threats include Trojan:Win32/Zlob.gen!S, TrojanDownloader:Win32/Zlob.AMP, TrojanDownloader:Win32/Zlob.gen!AU, Trojan:Win32/Zlob.AU and TrojanDownloader:Win32/Zlob.gen!T. Zlob Trojan constantly updates and switches to whatever rogue anti-spyware program the rogue creator wants to distribute at any given time. Zlob may pop up a message saying that your computer is infected with the following infections: Spyware.CyberLog-X, W32.Myzor.FK@yf, and Trojan-Spy.Win32.mx. Zlob installs many popular rogue anti-spyware programs, among them are XP Antivirus 2012, Win 7 Security 2012, XP Security 2012, IEDefender, AntiVirGear, SpyShredder, WinAntiVirus Pro 2007, Ultimate Cleaner, and SecurePCCleaner.

Zlob Trojan is still widely distributed by at least two distinct methods:

  • You may install a Zlob Trojan unwittingly by downloading a fake codec or other video player update from a dangerous website.
  • In other cases, visiting a dangerous website will cause Zlob to be installed onto your PC even if you don't install anything. This is usually managed via script exploits; disabling Java and Flash for untrustworthy sites can improve your defense against this type of Zlob attack.

Some types of Zlob are even installed by other Zlob variations, and different Zlob trojans can vary widely in the forms they take. Some Zlob trojans are installed in the form of Browser Help Objects or BHOs, and although most Zlob attacks place preference on hijacking Internet Explorer, other Zlob trojans may hijack other types of web browsers.

Since rogue security programs are closely linked to Zlob, you should assume that the presence of one may indicate the presence of the other. Using anti-virus software to scan your entire PC for Zlob and other threats should detect all possible dangers to your PC. Updating your anti-virus software prior to a scan will help you detect Zlob, which may be vital, given that Zlob is available in dozens of variations and has seen updated versions as recently as June 2011.

Zlob - The Trojan That Wants You to Have a False Sense of Security

Despite their many possible differences, almost all Zlob versions have two traits in common with regards to their intended attacks or payload:

  • Zlob will attempt to install other threats onto your computer, most prominently including rogue security programs. Rogue programs create a fake impression of being useful security software while indicating that your PC is highly infected.

    However, rogueware, including recent examples like Windows Proofness Guarantor, Windows Inviolability System, Windows Necessary Firewall and Windows Inviolability System, can't detect or delete real PC threats. The only purpose of these rogue programs is to steal your money and credit card information.

    Zlob may use fake error messages while installing its rogue programs to trick you into thinking that these rogue programs are legitimate. Fake Microsoft Security Essential Alert variants will even imitate Microsoft's Security Essentials Alert windows. Remember that Microsoft will never ask you to install security software from an unusual source or ask you to install software without specifying what the software is.

  • The second factor most Zlob threats have in common is their tendency to attack your web browser with hijacking techniques. Hijacks can perform many different browser-related functions, including changing your homepage to a malicious one, displaying fake error screens, altering online content or redirecting you from one website to another one.

    In the usual case, Zlob will use these hijacks to reinforce the rogue program that it's designed to support. You may find that your homepage is changed to a rogue program's website. Alternately, you may be unable to access real security websites. In extreme cases, all websites except the one for the rogue threat will be blocked by Zlob.



Troj/Zlobie-Gen [Sophos]Trojan.eCodec [Prevx1]Adware/GoldCodec [Panda]Zlob (threat-c) [Microsoft]Puper.dll.gen [McAfee]Trojan-Downloader.Win32.Zlob.bba [Kaspersky]Zlobie!tr [Fortinet]Downloader.Zlob.bba [eWido]Win32.Win32.Zlob.bba [eSafe]Trojan.Fakealert.217 [DrWeb]TrojanDownloader.Zlob.ako [CAT-QuickHeal]Trojan.Downloader.Zlob.IX [BitDefender]Downloader.Zlob.FPT [AVG]Win32:Zlob-OO [Avast]TR/Dldr.Zlob.IX.7 [AntiVir]
More aliases (20)

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

iesplugin.dll File name: iesplugin.dll
Size: 25.6 KB (25600 bytes)
MD5: e46bbd7733738efa1a3516ef1d4b19d3
Detection count: 69
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
Last Updated: December 11, 2009
iesplugin.dll File name: iesplugin.dll
Size: 25.6 KB (25600 bytes)
MD5: ebfa464c1338269f7e7730b7f4624df0
Detection count: 31
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
Last Updated: December 11, 2009

Related Posts


  • Rebecca says:

    Thanks for posting this, I've found 3 Zlob's already.

  • Ellen Botelho says:

    You repeated entries for the registry and command prompt, which made copying this information tedious. Also, it is customary to write registry locations using the back slash\ between folders. You didn't do this, which makes following to the proper location difficult.

  • tiziano says:

    Thank you

  • Sebi says:

    I AM USING AVAST 4.7 LATEST VERSION and detects a "sample" of win32:Zlob [Drp] alware everytime i connect to the internet i've tried to remove it but it is really a great nuisance could anybody help me?

  • Scott says:

    All removal comments assume you can gain access to the windows command prompt. My sons computer immediately boots to the html page to renew or update the false blocker. I cannot gain access to the operating system. Cannot start Task Manager, cannot get to desktop at all.... What is the best course of action? I was thinking of removing the drive, slaving it to another and proceede with removal instructions then, however I am cautious as I do not wish to propogate the zlob on my drive. Thank you in advance, any help would be greatly appreciated. Scott

  • bbrecken says:

    Ok, I have Spyhunter and have run it, finding zlob files and removed them. But it keeps coming back! When I search for the files listed in the manual instructions, I find them. It seems the files listed as zlob files in the manual removal instructions do not match the files found and removed by Spyhunter. Any ideas?

  • ghostrider01 says:


    Zlob files are regenerating themselves very often and it may be very hard to remove this parasite from your computer. If you're having full SpyHunter version, you should contact our support team and they will solve your problems.

  • Dave says:

    regeneration is the least of my worries. I have 5 junk pc's. I guess i have a lethal version that has written to the HD in a supposed unwritable area "8 meg buffer" and as well written an unrecoverable write to the BIOS. Ive tried flashing and hard reset. Still there!!!! Any ideas would be great!! I am going to try the Spyhunter but i thnk it has its limitations.

  • Tom says:

    I'm only getting zlob in the registry, and not finding any files. I'm following the instructions with removing, but it keeps coming back. Any thoughts?

  • velocity says:

    i recently bought a computer from a friend and took the harddrive out of it and put it into mine as a second drive as it was much larger, it was eat up with virus, worms, spyware, etc. i have bitdefender and removed everything except for "Trojan.Downloader.Zlob.ABMT" which is in "D:\System Volume Information\_restore{980765FE-9B1B-4382-B1B3-DA0C645CD6A0}\RP245\A0160591.exe=](NSIS o)=]bzip2_solid_nsis0000" ...bitdefender will not delete, move or do no action as it is in the system restore folder...i tried to turn off system restore, ran bitdefender again and again it found it. so i turned system restore back on, and still bitdefender finds it....is there no way to get rid of this? i know it is inactive because it is in the system restore folder but if i ever have to restore my computer i am afraid it will activate it. any hlep on this matter would be appriciated.

  • luke says:

    if your having trouble with the zlob virus, why dont you back up your file's and do a full reinstall!! thanks luke

  • Ed says:

    Is there any truth to turning off the system restore, booting up in safe mode, running the scan/removal, then rebooting in normal mode?

  • risky says:

    keep up the good work man u really saved me and gave me tons of info i did not know millions of thanks to the guy that did all this 😀

  • risky says:

    rofl thanks for the info i found 16 zlobs ROFL

  • Micheal Hamberg says:

    I advise before you all begin to scan using any antivirus... make sure to turn off System Restore (For Windows XP). Then erase all the files in Windows\Prefetch. If this can't be workin, the try go to safe mode and scan again.

  • adrian says:

    thank you very much for making this info available , it helped me out greatly as this trojan (ZLob) was particularly nasty and difficult to remove , i no next to nothing about computers but in my attempts to remove the dll files mainly iebt.dll i found i oculdnt even from the command line it would always give me error messages i figured out a trick , i cpied and zipped the file , then it let me remove it right from the folder directory for some reason , i dont understand why this worked maybe i tricked it into thinking it had copied itself , also another trick i figured out when it mutates after you remove it , it will reapear other places it seems if you catch it erlay enough you can remove dll filed while the search command is still in progress , but you cant once it has completed , once again i do not understand why this worked , but while it was still searching i simply dragged it to the recycle bin , and this worked , hope this info helps someone.....

  • darko says:

    It is all about finding infection files. Sometimes it is hard to remove them, because they are in memory as a process that you can\'t kill so file couldn\'t be removed. But, I have managed to remove it once before with next procedure (it takes me about 8 hours of work, until I get to this \"formula\")

    1. I use Spyhunter, but it didn\'t removed all files, there was a wm.exe that was unremovable in any possible way.
    2. Then I burn one Linux live distribution, and boot the system as a Linux live OS. Under the coverage of Linux, I located malicious file and erase it successfully.
    3. I boot once again Windows and make system restore to the day before (when infection wasn\'t present), and it help. There is no more signs of infection.

  • Samantha says:

    First of all: THANK YOU.

    As of an hour ago I became infected with my FIRST trojan! Yay I guess? After all these years, it was actually a site for updating the look of your myspace that duped me into download the Zlob, which then led to installing the Rogue.Perfect Defender. Criminy!

    Two steps from fulling my hair out (and quite literally about the 6th antivirus I tried) I came across here and it ACTUALLY WORKS!!! Thank you thank you is all I can say. It was so incredibly easy to use, it works QUICKLY, effective, and up-to-date. I am DEFINITELY going to remember to recommend this to anyone that becomes infected with trojanware or anything of the sorts.

  • wje66 says:

    i keep having a security center alert pop-up on my screen every 5minutes or so. this ad says its trojan.zlob.g and is going to stop infro. theft.nothing has stop it from continuely popping back-up? any help ?thanks.

  • anselmo Banos says:


  • l.alwayswins says:

    had virus respone lab and a folder appeared on desktop that i cant delete saying that there is a directory but the folder states no files or folders avg detected zlop but there r other files how can i dlete folder and all other files

  • alphonso says:

    if i purchased the personal antivirus without knowing it was a fake how do i get my money back

  • Ike says:

    Some software and it seems like it can Take hold of other systems also IT has GOTTEN into Avast systems then it must be "skipping" into or "Pbacking" into systems thru worm or Trojan probably Must Backup and Reinstall a Consensus from research..

  • AngryPacman says:

    i get what you're all trying to say, but i'm at a loss. when I attempt to open Task Manager as you so willingly suggest, it says that, "Task Manager has been disabled by your administrator." I'm quite sure this is part of the virus, and I can't remove it without using it. Any suggestions?

  • setitoffbb says:

    Thank you but all my programs including Task Manager are infected and won't open except for Mozilla Firefox

  • Puma says:

    Hi all. I was using Avira Antivirus when 1 day I saw I have an unusual security program.
    Which I haven't installed. Then I told to 1 of my friends. He is hacker and he sent me BitDefender TotalSecurity, when I installed it. It found 843 viruses
    including Trojan.Zlob. And Avira didn't found even 1 :S.
    I had to restart my computer once. And it was all done! Everything was cleared, the program told me that 819 infected programs are disinfected,
    23 infected files are deleted and Trojan.Zlob3394 is at Quarantine untill absorbing its power and deleting it.When I scanned my computer for second time I saw that it is free from viruses. Everything was running very fast and easy. I was happy and I wanted to share it with you!
    I wish you good luck!!! ;]]

  • Mahum says:

    Reaidng posts like this make surfing such a pleasure