Severity scale:  
  (57/100)

Zeus Trojan. How to remove? (Uninstall guide)

removal by Jake Doevan - - | Type: Trojans
12

Zeus virus and its spin-offs: main facts and operation peculiarities

Fake Zeus detection alert

Zeus is the most popular banking trojan[1] that has been spotted about a decade ago. Also known as Zbot Trojan, it gave a background to numerous other data-stealing viruses to emerge because its source code was released in 2011.[2]. One of the recently emerged variants is an updated version of Terdot virus that currently steals social media credentials instead of financial information. However, there are many more spin-offs.

Scammers also use the name of the Zeus Trojan. Numerous tech support scams try to trick users that their machines are infected with banking trojan by delivering these fake alerts:

  • “Security Update Error,”
  • “Windows Defender Alert: Zeus Virus,”
  • “You Have A ZEUS Virus,”
  • “Windows Detected ZEUS Virus.”

Computer users should learn about malware and recognize the real cyber attack. Keep in mind that security programs do not deliver alerts about detected viruses in the browser’s window or pop-up. No matter which version you have encountered – the real or the fake one that scammers warn you about, it is important to begin Zeus Trojan removal as shortly as possible.

Modus operandi of Zeus trojan

This virus was one of the first malware variants developed for taking over people's banking details, so it is not surprising that there are hundreds of sources claiming that almost every banking Trojan has a part of Zeus virus[3] in them. In fact, by altering the configuration files in the Trojan’s toolkit, this virus can be customized to gather virtually any information that the cybercriminals desire to collect.

The are multiple ways through which Zeus Trojan can gather information. The experts agree on two most prominent ones:

  • The FTP, POP3 or Internet Explorer passwords are automatically gathered from a Protected Storage (PStore) once the virus infects the computer.
  • Zeus also monitors the websites you are visiting and, once in a while, adds extra fields to the fill-in forms, requiring the users to enter additional information which is not actually present in the original website. For instance, in these additional fields you may be asked to provide information about your day of birth or a telephone number, instead of the originally requested username and password.

Apart from these functions, Zeus Trojan can also contact command-and-control server which allows it to carry out other malicious activities on the infected computers. It can download files, shut down and reboot your device, also, delete the system files, which may cause your operating system to crash. As a result, the virus victim may have to be forced to the full operating system reinstall.

It is recommended to remove Zeus virus as soon as possible because it silently steals essential information the entire time it operates on the compromised host. The removal procedure is challenging, and we do not recommend trying to identify and delete it manually – it is simply nearly impossible to do so. Consider using a trustworthy malware “eraser” such as Reimage or Malwarebytes Anti Malware.

The name of Zeus virus is used in scams to scare victims

As malware researchers and analysts, we have noticed a new tendency in the world of cyber crime. Scammers keep advertising fake tech support services by infecting victim's device with scareware that displays pop-ups via user's default web browser.

Researchers detected several versions of these scams that use different phone numbers, such as 1-800-014-8826, 1-844-324-6233, 1-844-680-1071, 44-800-090-3820. However, scammers might use hundreds of different number that you should never call.

The main principle of these attacks is the same. People are warned about detected Zeus virus on the system and user have to call the number to get needed help. Scammers might ask to purchase useless programs, services, or even provide personal information or remote access to the computer. Do not share any of these details with scammers because they are definitely going to use it for malevolent purposes!

The list of current tech support scams that warn about fake Zeus attack:

“Windows Detected ZEUS Virus” Tech support scam

 Example of “Windows Detected ZEUS Virus” Tech support scam

This scam operation relies on phishing websites that display deceptive information for whoever enters them. Usually, the victim experiences redirections to such fraudulent websites after being infected with certain adware or tech support scam malware. The full text of the message:

Security Warning
Windows Defender Alert: Zeus Virus
Detected in Your Computer!!
Please Do Not Shut Down or Reset Your Computer.
The following data will be compromised if you continue:
1. Passwords
2. Browser History
3. Credit Card Information
4. Local Hard Disk Files.
This virus is well known for complete identity and credit card theft. Further action through this computer or any computer on the network will reveal private information and involve serious risks.
Call Microsoft Technical Department (866) 249-2994 (Toll Free)

The deceptive website typically plays an audio message, displays a warning and urges to call support at 0800-014-8826 “Windows Detected ZEUS Virus” on the system. Such web pages display the warning despite if the computer is infected with the indicated malware or not.

Scammers working behind this scam seek to swindle money from computer users by convincing them to buy bogus security software or asking to provide sensitive information.

“You Have A ZEUS Virus” Tech support scam

Screenshot of

It is another scam that urges victims to call tech support scammers at 1-844-859-0337 and possibly other similar numbers. Once such malicious program compromises victim's system, it starts causing redirects to bogus websites that show various alerts. There are few versions of the virus. One of them delivers a pop-up message saying:

WARNING! Your Hard drive will be DELETED if your close this page. You have a ZEUS Virus! Please call Support Now!. Call Toll-Free: 1-844-859-0337 To Stop This Process

Another version of scam delivers this threatening message:

****Dont Restart Your Computer ****
Windows Detected ZEUS Virus, The Infections detected, indicate some recent downloads on the computer which in turn has created problems on the computer.Call technical support 1-844-859-0337 and share this code B2957E to the Agent to Fix This.

Experts from senzavirus.it[4] say that “You Have A ZEUS Virus” scam aims to convince the victim to call fraudsters immediately by stating that the entire hard drive will be deleted if the victim closes the web page that displays the warning. There is no logic there, and victims should close such site immediately to begin malware removal using reputable anti-malware tools. This virus is very similar to “Your Computer Has Been Infected With Virus” malware.

“Windows Defender Alert: Zeus Virus” Tech Support Scam

Screenshot of

This malicious virus triggers redirects to fake websites that are designed to look like Windows Blue Screen of Death; these websites contain Windows logos and display a list of information that will be stolen by the Zeus virus if the victim won't contact technical support immediately. The message says:

Security Warning
Windows Defender Alert: Zeus Virus
Detected in Your Computer!!
Please Do Not Shut Down or Reset Your Computer.
The following data will be compromised if you continue:
1. Passwords
2. Browser History
3. Credit Card Information
4. Local Hard Disk Files.
This virus is well known for complete identity and credit card theft. Further action through this computer or any computer on the network will reveal private information and involve serious risks.
Call Microsoft Technical Department (866) 249-2994 (Toll Free)

There are hundreds of sites that display such deceptive warnings and suggest calling +1-844-313-7003, (866) 249-2994, (888) 202-7560 and other numbers for “help.” If such alerts started bothering you, perform a system check using anti-malware software to delete the tech support malware. Most likely there is no Zeus virus in the system, and the malicious program is simply trying to put you in touch with fraudsters.

“Security Update Error” virus

Screenshot of “Security Update Error” virus

Technical support scammers continue using the name of Zeus to perform their malicious activities. This time, crooks take advantage of adware program to redirect users to the website which triggers a pop-up informing about Zeus virus attack and danger of the files and personal information. The warning says:

Windows Defender Alert: Zeus Virus Detected In Your Computer!!
Please Do Not shutdown or Reset Your Computer.
** Windows Warning Alert **
Malicious Spyware/Riskware Detected
Error # 0x80072ee7
Please call us immediately at: 44-800-090-3820
Do not ignore this critical alert.
If you close this page, your computer access will be disabled to prevent further damage to our network.
Your computer has alerted us that it has been infected with a Spyware and risk ware.
The following information is being stolen…
Financial Data
Facebook Logins
Credit Card Details
Email Account Logins
Photos stored on this computer
You must constant us immediately so that our expert engineers can walk you through the removal process over the phone to protect your identity. Please call us within the next 5 minutes to prevent your computer from being disabled or from any information loss.
Call Technical Support Immediately at 44-800-090-3820

The malicious site pretends to be a notification from Windows Defender and has the design that resembles Microsoft's. The scam warns about Security Update Error 0xB6201879 which is a non-existent problem. Scammers want victims to call their tech support staff via 44-800-090-3820 (or +1 (888) 944-5714) toll-free number to get the necessary help. It goes without saying that calling scammers is not recommended.

The list of Zeus versions

Zeus virus. The malicious program is called either a virus or a Trojan. After infecting the system, it remains on the computer and silently monitors your online activities, steals system information, banking details and more. Its keylogging capabilities allow to record every key stroke and send it to attacker's database.

This way, the malware can eventually find out all passwords used by the victim, including all credit card codes. There is no doubt that attackers can use such data for malevolent purposes and loss of financial information lead to disastrous consequences. Unfortunately, such malware operates silently, and it is unlikely that you will spot it on your system without having a strong anti-malware software.

Zbot. Zbot is another name for Zeus Trojan that is used by many security experts. If your security software detects Zbot in your system, it means that you have been infected with a serious malware that silently tracks your activities, records passwords, and other sensitive information. You must remove Zbot immediately and change all your passwords as soon as possible!

GameOver Zeus. Another malicious Trojan horse that is based on components of Zeus virus. According to reports, this malicious software is distributed using Cutwaii botnet. The Trojan employs encrypted peer-to-peer communication scheme to communicate between its noted and C&C servers. The deceptive malware was used for distribution of the infamous CryptoLocker ransomware.

The activity of GameOverZeus was suspended in June 2014, once the communication between the Trojan and the C&C servers was intercepted and shut down. A year later, FBI announced a $3 million reward for information about Russian hacker Evgeniy Mikhailovich Bohachev[5]. The hacker hasn't been caught yet.

Zeus Panda virus. Zeus Panda Trojan is also known as Panda Banker, and it is known to be the version of the infamous Zeus Trojan. This virus is hazardous as it intercepts network traffic and uses legitimate processes to inject its malicious scripts. The Trojan aims to steal victim's bank credentials and login details associated with as many online accounts as possible.

Zeus Panda Trojan first emerged in 2016, but its distribution continues in 2017. Lately, security researchers discovered a new technique that virus' authors use for its distribution. This time, fraudsters were caught using BlackHat SEO strategies to make malicious Trojan-serving links appear in the top Google search results' positions. The new technique adds to previously known ones – malvertising and malicious spam.

Terdot virus. The virus emerged in the mid-2016 as a banking trojan. The virus aimed at customers of banks and financial organizations in the US, Canada, the UK, Germany, and Australia. However, the trojan was updated and since November 2017 steals social media credentials.

Terdot spreads via malicious spam emails that are usually pushed by Sundown exploit kit. These phishing emails include malicious PDF file that has a malicious code. Once clicked or opened, it starts malware's installation to the device. This data-stealing trojan also operates as man-in-the-middle proxy and can change information of the visited websites in order to steal sensitive information.

Methods used for spreading banking trojan

Zeus Trojan is actively spread via misleading emails[6] that report about undelivered items. Beware that they look very trustworthy and present themselves as Fedex, Royal Mail and other reputable courier companies. However, you should also be aware of emails that include PDF files or icons because it's the main distribution method of Zeus variant Terdot.

If you received such mail, be sure to ignore it and never click on the link, which leads to the infiltration of Zeus Trojan. However, this malware is known to be distributed using some other techniques, including:

  • Malvertising;
  • BlackHat SEO tactics (making malicious links appear in Google search results).

In addition, we also recommend avoiding illegal websites, unlicensed programs and misleading messages on social networks[7] because they may also be involved in the distribution of this Trojan. As soon as it enters the system, it modifies its settings and starts initiating dangerous activities. For avoiding the loss of your credit card details and money, you should waste no time and remove the virus from the system.

Guide for Zeus Trojan removal

If you want to remove Zeus Trojan from your computer, you should scan your system with Reimage or Malwarebytes Anti Malware. Be sure to use updated versions in order to be sure that these anti-malware tools will not miss this trojan horse. It is also beneficial to disconnect your computer from the network when uninstalling viruses.

This strategy may help to tame the processes this malicious virus may be executing on your computer and result in a quicker and more thorough Zeus Trojan removal.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Zeus Trojan you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Zeus Trojan. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Note: Manual assistance required means that one or all of removers were unable to remove parasite without some manual intervention, please read manual removal instructions below.

More information about this program can be found in Reimage review.

More information about this program can be found in Reimage review.

Zeus Trojan manual removal:

Kill processes:
sdra64.exe

Manual Zeus Trojan Removal Guide:

Remove Zeus Trojan using Safe Mode with Networking

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

One way to stop Zeus Trojan malicious processes is to run your device in Safe Mode. Below, our experts explain how to enable Safe Mode properly. Do not forget to scan your device afterward.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Zeus Trojan

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Zeus Trojan removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Zeus Trojan using System Restore

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

Another method that will facilitate the removal process is provided in the step-by-step tutorial below:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Zeus Trojan. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Zeus Trojan removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Zeus Trojan and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions

References

Removal guides in other languages


  • PlaySkool

    This isn't “a harmless trojan, which is able to perform annoying actions only”, it's a powerful bank info stealing botnet.

  • Alex

    I have spy hunter, but I still have Zeus Trojan, what should I do?

  • Pam

    Is the hard drive virus and Zeus virus the same thing??