Severity scale:  

Zeus Trojan. How to remove? (Uninstall guide)

removal by Jake Doevan - - | Type: Viruses

Zeus virus is a malicious cyber infection, which name is actively used in Tech Support Scam alerts

Fake Zeus detection alert
Examples of Tech Support Scam warnings that may hide Zeus Trojan.

Questions about Zeus Trojan

Zeus virus is a malicious banking trojan[1], which is also known as Zbot Trojan. It shares many similar traits with  it Terdot virus, Coinminer malware, and many others Trojan horses. First detected in 2007, this Trojan malware was considered on the the most successful piece of malware that managed to infect millions of PCs worldwide and make a huge profit. However, the source code of the virus has been leaked in 2011[2] and the activity of the Trojan has been suspended. Nevertheless, cyber criminals developed many Zeus Trojan offsprings, the most active of which currently is Zeus virus scams. 


Name Zeus virus
Type Banking Trojan
Danger level High. Can cause the leakage of credit card details and other personal information
Versions Zbot, GameOver Zeus, CryptoLocker ransomware, ZuesPanda virus, Terdot
First detected in 2007
Distribution Spam emails (from Fedex, Royal Mail, etc.), malicious PDF file attachments, malvertising, BlackHat SEO (malicious links appear in Google search results)
Symptoms Random system's shutdowns, unknown programs and files downloaded without user's permission, slowdowns, crashes, and similar abnormal system's behavior
Malware type 2 Malware. Zeus virus scams are actively spreading on the Internet. 
Current Zeus virus scam versions “You Have A ZEUS Virus. Call for support,”  “Windows Detected ZEUS Virus,” “Windows Defender Alert: Zeus Virus,” “Security Update Error: Zeus virus,” and “Your System Has Detected Zeus Virus”
Danger level of scam Low. Can try to foist potentially dangerous programs or gather Search Data, but cannot affect system directly
Elimination The original Zeus virus and its versions can be removed with Reimage or similar security tools. 

Scammers started using the name of Zeus virus in their tech support scams and other rip-offs. Beware that there are numerous tech support scams trying to misuse users' trustworthiness for their own needs, for example:

  • “You Have A ZEUS Virus. Call for support”
  • “Windows Detected ZEUS Virus”
  • “Windows Defender Alert: Zeus Virus”
  • “Security Update Error: Zeus virus”
  • “Your System Has Detected Zeus Virus.”

Computer users should keep in mind that they can ignore Zeus virus popup because such virus no longer exists. Then, they should find malware that is causing such fake message on their computers. Typically, this should be an adware-type program.

Keep in mind that security programs do not deliver alerts about detected viruses in the browser’s window or pop-up. No matter which version you have encountered – the real or the fake one that scammers warn you about, it is important to begin Zeus virus removal as shortly as possible.

Modus operandi of Zeus trojan

This virus was one of the first malware variants developed for taking over people's banking details, so it is not surprising that there are hundreds of sources claiming that almost every banking Trojan has a part of Zeus virus[3] in them. In fact, by altering the configuration files in the Trojan’s toolkit, this virus can be customized to gather virtually any information that the cybercriminals desire to collect.

The are multiple ways through which Zeus Trojan can gather information. The experts agree on two most prominent ones:

  • The FTP, POP3 or Internet Explorer passwords are automatically gathered from a Protected Storage (PStore) once the virus infects the computer.
  • Zeus also monitors the websites you are visiting and, once in a while, adds extra fields to the fill-in forms, requiring the users to enter additional information which is not actually present in the original website. For instance, in these additional fields you may be asked to provide information about your day of birth or a telephone number, instead of the originally requested username and password.

Apart from these functions, Zeus can also contact command-and-control server which allows it to carry out other malicious activities on the infected computers. It can download files, shut down and reboot your device, also, delete the system files, which may cause your operating system to crash. As a result, the virus victim may have to be forced to the full operating system reinstall.

It is recommended to remove Zeus virus as soon as possible because it silently steals essential information the entire time it operates on the compromised host. The removal procedure is challenging, and we do not recommend trying to identify and delete it manually – it is simply nearly impossible to do so. Consider using a trustworthy malware “eraser” such as Reimage or Plumbytes Anti-MalwareNorton Internet Security.

The name of Zeus virus is used in scams to scare victims

As malware researchers and analysts, we have noticed a new tendency in the world of cyber crime. Scammers keep advertising fake tech support services by infecting victim's device with scareware that displays pop-ups via user's default web browser.

Researchers detected several versions of these scams that use different phone numbers, such as 1-800-014-8826, 1-844-324-6233, 1-844-680-1071, 44-800-090-3820. However, scammers might use hundreds of different number that you should never call.

The main principle of these attacks is the same. People are warned about detected Zeus virus on the system and user have to call the number to get needed help. Scammers might ask to purchase useless programs, services, or even provide personal information or remote access to the computer. Do not share any of these details with scammers because they are definitely going to use it for malevolent purposes!

The list of current tech support scams that warn about fake Zeus attack:

“Windows Detected ZEUS Virus” Tech support scam 

Example of “Windows Detected ZEUS Virus” Tech support scam

This scam operation relies on phishing websites that display deceptive information for whoever enters them. Usually, the victim experiences redirections to such fraudulent websites after being infected with certain adware or tech support scam malware. The full text of the message:

Security Warning
Windows Defender Alert: Zeus Virus
Detected in Your Computer!!
Please Do Not Shut Down or Reset Your Computer.
The following data will be compromised if you continue:
1. Passwords
2. Browser History
3. Credit Card Information
4. Local Hard Disk Files.
This virus is well known for complete identity and credit card theft. Further action through this computer or any computer on the network will reveal private information and involve serious risks.
Call Microsoft Technical Department (866) 249-2994 (Toll Free)

The deceptive website typically plays an audio message, displays a warning and urges to call support at 0800-014-8826 “Windows Detected ZEUS Virus” on the system. Such web pages display the warning despite if the computer is infected with the indicated malware or not.

Scammers working behind this scam seek to swindle money from computer users by convincing them to buy bogus security software or asking to provide sensitive information.

“You Have A ZEUS Virus” Tech support scam

Screenshot of

It is another Zeus scam that urges victims to call tech support scammers at 1-844-859-0337 and possibly other similar numbers. Once such malicious program compromises victim's system, it starts causing redirects to bogus websites that show various alerts. There are few versions of the virus. One of them delivers a pop-up message saying:

WARNING! Your Hard drive will be DELETED if your close this page. You have a ZEUS Virus! Please call Support Now!. Call Toll-Free: 1-844-859-0337 To Stop This Process

Another version of scam delivers this threatening message:

****Dont Restart Your Computer ****
Windows Detected ZEUS Virus, The Infections detected, indicate some recent downloads on the computer which in turn has created problems on the computer.Call technical support 1-844-859-0337 and share this code B2957E to the Agent to Fix This.

Experts from[4] say that “You Have A ZEUS Virus” scam aims to convince the victim to call fraudsters immediately by stating that the entire hard drive will be deleted if the victim closes the web page that displays the warning. There is no logic there, and victims should close such site immediately to begin malware removal using reputable anti-malware tools. This virus is very similar to “Your Computer Has Been Infected With Virus” malware.

“Windows Defender Alert: Zeus Virus” Tech Support Scam

Screenshot of

This malicious virus triggers redirects to fake websites that are designed to look like Windows Blue Screen of Death; these websites contain Windows logos and display a list of information that will be stolen by the Zeus virus if the victim won't contact technical support immediately. The message says:

Security Warning
Windows Defender Alert: Zeus Virus
Detected in Your Computer!!
Please Do Not Shut Down or Reset Your Computer.
The following data will be compromised if you continue:
1. Passwords
2. Browser History
3. Credit Card Information
4. Local Hard Disk Files.
This virus is well known for complete identity and credit card theft. Further action through this computer or any computer on the network will reveal private information and involve serious risks.
Call Microsoft Technical Department (866) 249-2994 (Toll Free)

There are hundreds of sites that display such deceptive warnings and suggest calling +1-844-313-7003, (866) 249-2994, (888) 202-7560 and other numbers for “help.” If such alerts started bothering you, perform a system check using anti-malware software to delete the tech support malware. Most likely there is no Zeus virus in the system, and the malicious program is simply trying to put you in touch with fraudsters.

“Security Update Error” virus

Screenshot of “Security Update Error” virus

Technical support scammers continue using the name of Zeus to perform their malicious activities. This time, crooks take advantage of adware program to redirect users to the website which triggers a pop-up informing about Zeus virus attack and danger of the files and personal information. The warning says:

Windows Defender Alert: Zeus Virus Detected In Your Computer!!
Please Do Not shutdown or Reset Your Computer.
** Windows Warning Alert **
Malicious Spyware/Riskware Detected
Error # 0x80072ee7
Please call us immediately at: 44-800-090-3820
Do not ignore this critical alert.
If you close this page, your computer access will be disabled to prevent further damage to our network.
Your computer has alerted us that it has been infected with a Spyware and risk ware.
The following information is being stolen…
Financial Data
Facebook Logins
Credit Card Details
Email Account Logins
Photos stored on this computer
You must constant us immediately so that our expert engineers can walk you through the removal process over the phone to protect your identity. Please call us within the next 5 minutes to prevent your computer from being disabled or from any information loss.
Call Technical Support Immediately at 44-800-090-3820

The malicious site pretends to be a notification from Windows Defender and has the design that resembles Microsoft's. The scam warns about Security Update Error 0xB6201879 which is a non-existent problem. Scammers want victims to call their tech support staff via 44-800-090-3820 (or +1 (888) 944-5714) toll-free number to get the necessary help. It goes without saying that calling scammers is not recommended.

“Your System Has Detected Zeus Virus” Tech-Support-Scam.

Zeus Trojan

This technical support scam trying to scare people into thinking that their PCs are infected with Zeus virus has been detected in the second half of March 2018. Potential victims of the scam can be exposed to the “Your System Has Detected Zeus Virus” new tab URL on a regular basis if the system is infected with an adware program. In some of the cases, people can be redirected to this fake domain after clicking on a malicious link or advertisement. 

The “Your System Has Detected Zeus Virus” pop-up mimics the design of official Windows Support Alerts. Besides, it pretends to be generated by domain and claims that Microsoft's support detected Zeus virus on the system, which might lead to identity theft. The warning says:

Windows Support Alert

Your System Has Detected Zeus Virus
It might harm your computer data and track your financial activities.
Please report this activity to +1-877-224-2995.

Crooks are trying to intimidate PC users to make them call for a supposed Microsoft Support staff member. However, dialing the provided toll-free number can end up in one of the following scenarios: 

  • The number may feature higher charges than usually, so you may receive an increased telephone bill;
  • Scammers on the other side of the handset can trick you into subscribing useless services;
  • Inexperience users might provide scammers with the information required to establish a remote connection with the PC;

The “Your System Has Detected Zeus Virus” scam is typically displayed in a new tab window. It consists of several layers. The background is usually covered with Microsoft-related or neutral tech-related information. The second layer is the most explicit. It indicates the Zeus detection, provides an error code (0x80072ee7) and explains all the possible consequence that the current PC's condition can end up with. However, keep in mind that the “Your System Has Detected Zeus Virus” pop-up is a hoax that can be removed by running a scan with Reimage or another security tool and resetting the web browser that displays it. 

The list of Zeus versions

Zeus virus. The malicious program is called either a virus or a Trojan. Its name has also been used in various scams. After infecting the system, it remains on the computer and silently monitors your online activities, steals system information, banking details and more. Its keylogging capabilities allow to record every key stroke and send it to attacker's database.

This way, the malware can eventually find out all passwords used by the victim, including all credit card codes. There is no doubt that attackers can use such data for malevolent purposes and loss of financial information lead to disastrous consequences. Unfortunately, such malware operates silently, and it is unlikely that you will spot it on your system without having a strong anti-malware software.

Zbot. Zbot is another name for Zeus Trojan that is used by many security experts. If your security software detects Zbot in your system, it means that you have been infected with a serious malware that silently tracks your activities, records passwords, and other sensitive information. You must remove Zbot immediately and change all your passwords as soon as possible!

GameOver Zeus. Another malicious Trojan horse that is based on components of Zeus virus. According to reports, this malicious software is distributed using Cutwaii botnet. The Trojan employs encrypted peer-to-peer communication scheme to communicate between its noted and C&C servers. The deceptive malware was used for distribution of the infamous CryptoLocker ransomware.

The activity of GameOverZeus was suspended in June 2014, once the communication between the Trojan and the C&C servers was intercepted and shut down. A year later, FBI announced a $3 million reward for information about Russian hacker Evgeniy Mikhailovich Bohachev[5]. The hacker hasn't been caught yet.

Zeus Panda virus. Zeus Panda Trojan is also known as Panda Banker, and it is known to be the version of the infamous Zeus Trojan. This virus is hazardous as it intercepts network traffic and uses legitimate processes to inject its malicious scripts. The Trojan aims to steal victim's bank credentials and login details associated with as many online accounts as possible.

Zeus Panda Trojan first emerged in 2016, but its distribution continues in 2017. Lately, security researchers discovered a new technique that virus' authors use for its distribution. This time, fraudsters were caught using BlackHat SEO strategies to make malicious Trojan-serving links appear in the top Google search results' positions. The new technique adds to previously known ones – malvertising and malicious spam.

Terdot virus. The virus emerged in the mid-2016 as a banking trojan. The virus aimed at customers of banks and financial organizations in the US, Canada, the UK, Germany, and Australia. However, the trojan was updated and since November 2017 steals social media credentials.

Terdot spreads via malicious spam emails that are usually pushed by Sundown exploit kit. These phishing emails include malicious PDF file that has a malicious code. Once clicked or opened, it starts malware's installation to the device. This data-stealing trojan also operates as man-in-the-middle proxy and can change information of the visited websites in order to steal sensitive information.

Methods used for spreading banking trojan

Zeus is actively spread via misleading emails[6] that report about undelivered items. Beware that they look very trustworthy and present themselves as Fedex, Royal Mail and other reputable courier companies. However, you should also be aware of emails that include PDF files or icons because it's the main distribution method of Zeus variant Terdot.

If you received such mail, be sure to ignore it and never click on the link, which leads to the infiltration of Zeus Trojan. However, this malware is known to be distributed using some other techniques, including:

  • Malvertising;
  • BlackHat SEO tactics (making malicious links appear in Google search results).

In addition, we also recommend avoiding illegal websites, unlicensed programs and misleading messages on social networks[7] because they may also be involved in the distribution of this Trojan. As soon as it enters the system, it modifies its settings and starts initiating dangerous activities. For avoiding the loss of your credit card details and money, you should waste no time and remove the virus from the system.

Guide for Zeus Trojan removal

If you want to remove Zeus virus from your computer, you should scan your system with Reimage or Plumbytes Anti-MalwareNorton Internet Security. Be sure to use updated versions in order to be sure that these anti-malware tools will not miss this trojan horse. It is also beneficial to disconnect your computer from the network when uninstalling viruses.

This strategy may help to tame the processes this malicious virus may be executing on your computer and result in a quicker and more thorough Zeus virus removal.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Zeus Trojan you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Zeus Trojan. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Note: Manual assistance required means that one or all of removers were unable to remove parasite without some manual intervention, please read manual removal instructions below.

More information about this program can be found in Reimage review.
Press mentions on Reimage
Alternate Software
Plumbytes Anti-Malware
We have tested Plumbytes Anti-Malware's efficiency in removing Zeus Trojan (2018-08-01)
We have tested Malwarebytes's efficiency in removing Zeus Trojan (2018-08-01)
Hitman Pro
We have tested Hitman Pro's efficiency in removing Zeus Trojan (2018-08-01)
We have tested Malwarebytes's efficiency in removing Zeus Trojan (2018-08-01)

Zeus Trojan manual removal:

Kill processes:

To remove Zeus Trojan, follow these steps:

Remove Zeus Trojan using Safe Mode with Networking

One way to stop Zeus Trojan malicious processes is to run your device in Safe Mode. Below, our experts explain how to enable Safe Mode properly. Do not forget to scan your device afterward.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Zeus Trojan

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Zeus Trojan removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Zeus Trojan using System Restore

Another method that will facilitate the removal process is provided in the step-by-step tutorial below:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Zeus Trojan. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Zeus Trojan removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Zeus Trojan and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes Malwarebytes or Plumbytes Anti-MalwareNorton Internet Security

About the author

Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions


Removal guides in other languages