[Burndoubt]

I've been researching how to clear up Zlob.Trojan infection reported by SpyHunter on a brand new installation of Windows. Since this was a recovery operation, there could have been remnant files in the system, so I started digging.

SpyHunter 3 reported 252 Zlob.Trojan and Zlob.Video infections in my registry. These actually turned out to be 126 duplicate website references in the HKCU and HKLM portions of the registry, in the portion used to identify Enhanced Security zones for Internet Explorer security settings.

From what I have found, I do not actually have any Zlob infections. Spybot - Search & Destroy performs an Immunize function which modified my hosts file upon installation (which I rejected when my Sygate firewall complained about the changes) and must also inserts the Enhanced Security Zone websites as keys in the HKCU and HKLM sections (search for ESCDOMAIN). Other complaints I have found online seem to indicate that clearing up the ESCdomains will only be temporary, if Spybot is run and reimmunizes, these values can be reinserted. The intent with host file changes redirects any URL references to these domains back to the IP 127.0.0.1 for your own machine. These registry settings would place any of the web domains in the Enhanced Security zone, and restrict many ActiveX and Script functions from playing with your IE browser.

Hope this gives someone a head start on their similar questions.

Edited by Burndoubt, 27 October 2009 - 11:04 PM.