Remove Zeus Trojan virus (Removal Instructions)

Zeus Trojan (or Zbot Trojan) is a computer virus that attempts to steal confidential information from the compromised computer.
The Trojan itself is primarily distributed through spam campaigns and drive-by downloads, though given its versatility, other vectors may also be utilized. The user may receive an email message purporting to be from organizations such as the FDIC, IRS, MySpace, Facebook, or Microsoft. The message body warns the user of a problem with their financial information, online account, or software and suggests they visit a link provided in the email. If the user visits the link and the computer is not protected, the computer is compromised.

The Zeus Trojan has primarily been designed to steal confidential information from the computers it compromises. It specifically targets system information, online credentials, and banking details, but can be customized through the toolkit to gather any sort of information. This is done by tailoring configuration files that are compiled into the Trojan installer by the attacker. These can later be updated to target other information, if the attacker so wishes.

Confidential information is gathered through multiple methods. Upon execution the Trojan automatically gathers any Internet Explorer, FTP, or POP3 passwords that are contained within Protected Storage (PStore). However, its most effective method for gathering information is by monitoring Web sites included in the configuration file, sometimes intercepting the legitimate Web pages and inserting extra fields (e.g. adding a date of birth field to a banking Web page that originally only requested a user name and password).
Additionally, Zeus Trojan contacts a command-and-control (C&C) server and makes itself available to perform additional functions. This allows a remote attacker to command the Trojan to download and execute further files, shutdown or reboot the computer, or even delete system files, rendering the computer unusable without reinstalling the operating system.
Symantec has observed the following geographic distribution of this threat:
[Image: Zeus Trojan virus]
Zeus Trojan can be detected by security products as: Trojan-Spy:W32/Zbot [F-Secure], PWS-Zbot [McAfee], Trojan-Spy.Win32.Zbot [Kaspersky], Win32/Zbot [Microsoft], Infostealer.Monstres [Symantec], Infostealer.Banker.C [Symantec], Trojan.Wsnpoem [Symantec] or Troj/Zbot-LG [Sophos].
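
The form-field injection described above (a date of birth field added to a page that originally asked only for a user name and password) can be spotted by comparing the fields present in the rendered page with the fields the site actually serves. The following is an added example, not part of the original guide; the baseline field names and both sample pages are constructed for illustration.

```javascript
// Added example (not from the original guide). Field names, the baseline and
// both sample pages are constructed for illustration.

// Fields the genuine login form is known to serve (assumed baseline).
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password", "csrf_token"]);

// Constructed sample: the form as the site serves it.
const GENUINE_PAGE = `
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="constructed-sample">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>`;

// Constructed sample: the same form after an extra field was inserted locally.
const TAMPERED_PAGE = GENUINE_PAGE.replace(
  '<input type="submit"',
  '<input type=text name=date_of_birth placeholder="Date of birth">\n  <input type="submit"'
);

// Parse one tag's attribute text (quoted, unquoted and valueless attributes).
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// List every data-entry control in the markup, in document order.
// Limitation: a literal ">" inside an attribute value ends the tag early.
function listFormControls(html) {
  const controls = [];
  const tagRe = /<(input|select|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttributes(m[2]);
    const type = (attrs.type || (tag === "input" ? "text" : tag)).toLowerCase();
    if (["submit", "button", "image", "reset"].includes(type)) continue; // not data entry
    controls.push({ tag, type, name: attrs.name || attrs.id || "(unnamed)" });
  }
  return controls;
}

// Report controls missing from the baseline and baseline fields that vanished.
function auditFormFields(html, expected) {
  const seen = listFormControls(html);
  const seenNames = new Set(seen.map((c) => c.name));
  return {
    unexpected: seen.filter((c) => !expected.has(c.name)),
    missing: [...expected].filter((name) => !seenNames.has(name)),
  };
}

console.log(auditFormFields(TAMPERED_PAGE, EXPECTED_LOGIN_FIELDS).unexpected);
```

Malware running inside the browser can also interfere with a check that runs in the same page, so a clean result is a signal rather than proof that the page was not altered.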

How to remove Zeus Trojan virus (Removal Guide)

This page is a comprehensive guide, which will remove the Zeus Trojan infection from your computer. Please perform all the steps in the correct order. If you have any questions or doubt at any point, STOP and ask for our assistance.
STEP 1: Remove Zeus Trojan Master Boot Record infection with Kaspersky TDSSKiller
STEP 2: Run RKill to terminate Zeus Trojan malicious processes
STEP 3: Remove Zeus Trojan virus with Malwarebytes Anti-Malware Free
STEP 4: Remove Zeus Trojan infection with HitmanPro
STEP 5: Double check for any left over infections with Emsisoft Emergency Kit
STEP 6: Remove Zeus Trojan adware with AdwCleaner
STEP 7: Remove Zeus Trojan browser hijacker with Junkware Removal Tool

STEP 1: Remove Zeus Trojan with Kaspersky TDSSKiller

As part of its self-defense mechanism, Zeus Trojan virus will install a ZeroAccess rootkit on the infected computer. In this first step, we will run a system scan with Kaspersky TDSSKiller to remove this rootkit.

  1. Please download the latest official version of Kaspersky TDSSKiller.
    KASPERSKY TDSSKILLER DOWNLOAD LINK (This link will automatically download Kaspersky TDSSKiller on your computer.)
  2. Double-click on tdsskiller.exe to open this utility, then click on Change Parameters.
    [Image: Kaspersky TDSSKiller change settings]
  3. In the newly opened window, enable Detect TDLFS file system, then click on OK.
    [Image: Kaspersky TDSSKiller Detect TDLFS file system]
  4. Next, start a scan with Kaspersky by pressing the Start Scan button.
    [Image: Kaspersky TDSSKiller start scan]
  5. Kaspersky TDSSKiller will now scan your computer for the Zeus Trojan infection.
    [Image: Kaspersky TDSSKiller scan]
  6. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.
    [Image: Kaspersky TDSSKiller results]
  7. To remove the infection, simply click on the Continue button and TDSSKiller will attempt to clean the infection. A reboot will be required to completely remove any infection from your system.

STEP 2: Run RKill to terminate Zeus Trojan malicious processes

RKill is a program that will attempt to terminate all malicious processes associated with Zeus Trojan infection, so that we will be able to perform the next step without being interrupted by this malicious software.
Because this utility only stops the running Zeus Trojan processes and does not delete any files, you should not reboot your computer after running it, as any malware processes that are configured to start automatically will just be started again.

  1. While your computer is in Safe Mode with Networking, please download the latest official version of RKill. Please note that we will use a renamed version of RKill so that Proven Antivirus Protection won’t block this utility from running.
    RKILL DOWNLOAD LINK (This link will automatically download RKill renamed as iExplore.exe)
  2. Double click on iExplore.exe to start RKill and stop any processes associated with Zeus Trojan.
    [Image: RKILL Program]
  3. RKill will now start working in the background. Please be patient while the program looks for Zeus Trojan malicious processes and tries to end them.
    [Image: RKILL stopping malware]
  4. When the Rkill utility has completed its task, it will generate a log. Do not reboot your computer after running RKill as the malware programs will start again.
    [Image: RKill Report]

STEP 3: Remove Zeus Trojan virus with Malwarebytes Anti-Malware FREE

Malwarebytes Anti-Malware Free uses industry-leading technology to detect and remove all traces of malware, including worms, Trojans, rootkits, rogues, dialers, spyware, and more.
It is important to note that Malwarebytes Anti-Malware works well and should run alongside antivirus software without conflicts.

  1. You can download Malwarebytes Anti-Malware from the below link.
    MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This link will open a new web page from where you can download Malwarebytes Anti-Malware Free)
  2. Once downloaded, close all programs, then double-click on the icon on your desktop named “mbam-setup-consumer-2.00.xx” to start the installation of Malwarebytes Anti-Malware.
    [Image: Malwarebytes Anti-Malware setup program]
    [Image: User Account Control]
    You may be presented with a User Account Control dialog asking you if you want to run this file. If this happens, you should click “Yes” to continue with the installation.
  3. When the installation begins, you will see the Malwarebytes Anti-Malware Setup Wizard which will guide you through the installation process.
    [Image: Malwarebytes Anti-Malware Setup Wizard]
    To install Malwarebytes Anti-Malware on your machine, keep following the prompts by clicking the “Next” button.
    [Image: Malwarebytes Anti-Malware Final Setup Screen]
  4. Once installed, Malwarebytes Anti-Malware will automatically start and you will see a message stating that you should update the program, and that a scan has never been run on your system. To start a system scan you can click on the “Fix Now” button.
    [Image: Click on the Fix Now button to start a scan]
    Alternatively, you can click on the “Scan” tab and select “Threat Scan”, then click on the “Scan Now” button.
    [Image: Malwarebytes Anti-Malware Threat Scan]
  5. Malwarebytes Anti-Malware will now check for updates, and if there are any, you will need to click on the “Update Now” button.
    [Image: Click on Update Now to update Malwarebytes Anti-Malware]
  6. Malwarebytes Anti-Malware will now start scanning your computer for the Zeus Trojan virus. When Malwarebytes Anti-Malware is scanning it will look like the image below.
    [Image: Malwarebytes Anti-Malware while performing a scan]
  7. When the scan has completed, you will be presented with a screen showing you the malware infections that Malwarebytes Anti-Malware has detected. To remove the malicious programs that Malwarebytes Anti-Malware has found, click on the “Quarantine All” button, and then click on the “Apply Now” button.
    [Image: Remove the malware that Malwarebytes Anti-Malware has found]
    Please note that the infections found may be different than what is shown in the image.
  8. Malwarebytes Anti-Malware will now quarantine all the malicious files and registry keys that it has found. When removing the files, Malwarebytes Anti-Malware may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot your computer, please allow it to do so.
    [Image: Malwarebytes Anti-Malware while removing viruses]
    After your computer restarts, you should open Malwarebytes Anti-Malware and perform another “Threat Scan” to verify that there are no remaining threats.

STEP 4: Remove Zeus Trojan infection with HitmanPro

HitmanPro is a second opinion scanner, designed to rescue your computer from malware (viruses, trojans, rootkits, etc.) that have infected your computer despite all the security measures you have taken (such as anti-virus software, firewalls, etc.). HitmanPro is designed to work alongside existing security programs without any conflicts. It scans the computer quickly (less than 5 minutes) and does not slow down the computer.

  1. You can download HitmanPro from the below link:
    HITMANPRO DOWNLOAD LINK (This link will open a new web page from where you can download HitmanPro)
  2. Double-click on the file named “HitmanPro.exe” (for 32-bit versions of Windows) or “HitmanPro_x64.exe” (for 64-bit versions of Windows). When the program starts you will be presented with the start screen as shown below.
    [Image: HitmanPro start-up screen]
    Click on the “Next” button, to install HitmanPro on your computer.
    [Image: HitmanPro setup options]
  3. HitmanPro will now begin to scan your computer for Zeus Trojan malicious files.
    [Image: HitmanPro scanning for malware]
  4. When it has finished it will display a list of all the malware that the program found as shown in the image below. Click on the “Next” button, to remove Zeus Trojan virus.
    [Image: HitmanPro scan results]
  5. Click on the “Activate free license” button to begin the free 30 days trial, and remove all the malicious files from your computer.
    [Image: HitmanPro Activate Free License]

STEP 5: Double check for any left over infections with Emsisoft Emergency Kit

The Emsisoft Emergency Kit Scanner includes the powerful Emsisoft Scanner complete with graphical user interface. Scan the infected PC for Viruses, Trojans, Spyware, Adware, Worms, Dialers, Keyloggers and other malicious programs.

  1. You can download Emsisoft Emergency Kit from the below link, then extract it to a folder in a convenient location.
    EMSISOFT EMERGENCY KIT DOWNLOAD LINK (This link will open a new web page from where you can download Emsisoft Emergency Kit)
  2. Open the Emsisoft Emergency Kit folder and double-click EmergencyKitScanner.bat, then allow this program to update itself.
    [Image: EmergencyKitScanner.bat file]
  3. After the Emsisoft Emergency Kit update has completed, click on the Menu tab, then select Scan PC.
    [Image: Emsisoft Emergency Kit scan tab]
  4. Select Smart scan and click on the SCAN button to search for “Antivirus Security 2013” malicious files.
    [Image: Emsisoft Emergency Kit smart scan]
  5. When the scan is completed, you will be presented with a screen reporting which malicious files Emsisoft has detected on your computer, and you’ll need to click on Quarantine selected objects to remove them.
    [Image: Emsisoft Emergency Kit removing malware]

STEP 6: Remove Zeus Trojan adware with AdwCleaner

The AdwCleaner utility will scan your computer for Zeus Trojan malicious files and registry keys, that may have been installed on your computer without your knowledge.

  1. You can download AdwCleaner utility from the below link.
    ADWCLEANER DOWNLOAD LINK (This link will automatically download AdwCleaner on your computer)
  2. Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.
    [Image: AdwCleaner Icon]
    If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
  3. When the AdwCleaner program opens, click on the “Scan” button as shown below.
    [Image: Click on Scan button to find Zeus Trojan virus]
    AdwCleaner will now start to search for the “Zeus Trojan” malicious files that may be installed on your computer.
  4. To remove the “Zeus Trojan” malicious files that were detected in the previous step, please click on the “Clean” button.
    [Image: Remove Zeus Trojan virus with AdwCleaner]
  5. AdwCleaner will now prompt you to save any open files or documents, as the program will need to reboot the computer. Please do so and then click on the OK button.
    [Image: AdwCleaner removing Zeus Trojan virus]

STEP 7: Remove Zeus Trojan browser hijack with Junkware Removal Tool

Junkware Removal Tool is a powerful utility, which will remove Zeus Trojan virus from Internet Explorer, Firefox or Google Chrome.

  1. You can download the Junkware Removal Tool utility from the below link:
    JUNKWARE REMOVAL TOOL DOWNLOAD LINK (This link will automatically download the Junkware Removal Tool utility on your computer)
  2. Once Junkware Removal Tool has finished downloading, please double-click on the JRT.exe icon as seen below.
    [Image: Junkware Removal Tool]
    If Windows prompts you as to whether or not you wish to run Junkware Removal Tool, please allow it to run.
  3. Junkware Removal Tool will now start, and at the Command Prompt, you’ll need to press any key to perform a scan for the Zeus Trojan.
    [Image: Junkware Removal Tool scanning for Zeus Trojan virus]
    Please be patient as this can take a while to complete (up to 10 minutes) depending on your system’s specifications.
  4. When the Junkware Removal Tool scan is completed, this utility will display a log with the malicious files and registry keys that were removed from your computer.
    [Image: Junkware Removal Tool final log]

Your computer should now be free of the Zeus Trojan infection. If your current anti-virus solution let this infection through, you may want to consider purchasing the Premium version of Malwarebytes Anti-Malware to protect against these types of threats in the future, and perform regular computer scans with HitmanPro.
If you are still experiencing problems while trying to remove Adware Generic_r.KG from your machine, please start a new thread in our Malware Removal Assistance forum.

ABOUT STELIAN PILICI

I am the creator and owner of MalwareTips.com.
My area of expertise includes malware removal and computer forensics. I'm active in the various online anti-malware communities, where I research new malware threats as they are released.
I live in Bucharest (Romania), where I run my own local computer repair shop.
I repair both hardware and other operating systems related issues, however most of my business is malware related problems.

  • Deborah A. Davis

    this was a great cleanup, awesome step by step, only thing is I couldn’t start in safe mode for number 2 because we couldn’t disable my password we tried, I have Windows 8.1, how the heck do you start in safe mode, I tried F9, didn’t work on this computer, Asus is retarded, but my computer is working well now and I’m only done with step 5 thus far. thank you so much did it by myself and saved a ton of money.

  • Robert

    Hold Down “0” then turn on your computer. As simple as that.

  • Sara

    Thank you very much for the step by step instruction and guided support to remove Zeus Trojan ad virus from my Windows 8.1 It was such a pain to run my system before. It’s good that you provided multiple software to remove virus from my comp

  • les

    if kaspersky step 1 does not find anything, do you need to do the other steps

    • Stelian Pilici

      Hello,
      Yes, there are several types of Zeus bots and the removal can be quite difficult, this is why we recommend multiple scans…:)

    • Deborah A. Davis

      you need to make sure everything is checked, after I did that it found 3 problems.

  • mark

    is it o.k. to remove these programs after completion is done? as i have avast antivirus. thanks.

    • Stelian Pilici

      Hello,
      All the tools can be uninstalled when the removal process is complete! :D

  • Ian Ballard

    Emsisoft emergency kit link is broken. Here is one that works: https://www.emsisoft.com/en/software/eek/
    …as usual, check its provenance.

  • Freddie

    Thanks man! This really helped!

  • Trudy

    dooooooooooooooooooooooooooooode!! thanks sausage xxx

  • Heidi

    Thank you – this is a brilliant guide. Although I used McAfee Virus Removal to remove Tatanga Zeuss I am using your software to keep a check on my laptop. Thanks

  • Stelian Pilici

    Hello,
    You’ve got a really nasty piece of malware on your machine. Most likely it should be gone with the first 2 scans, however there are so many variants that you can never be too sure.
    I highly recommend that you perform this guide, however if you do not wish, then it’s your choice.

    Stay safe!

    • Deborah A. Davis

      thanks these steps really helped and I did it myself, didn’t have to pay a large fee for Best Buy Geek Squad to do it. lol Thanks for the help, excellent coverage in all areas, all 7 steps.

  • Darryl Gittins

    If your system has been compromised by something like Zeus, don’t even try removing it. You’ll find yourself spiraling down an endless rabbit hole of problem after problem, and you can’t ever trust any system that has been compromised by something like this. Save yourself headaches, frustration and time: Just back up your files, and format the system. Reinstall the OS. Much easier, and faster.
    http://www.microsoft.com/security/portal/shared/prevention.aspx

  • Lori

    Worked great…Thank you…Thank you!!!!!!!!

  • Blackken Dargo

    THANK YOU THANK YOU THANK YOU!
    I’m free from Zeus/Z-Bot! I can finally use my PC again!

  • Jemy Scot

    Thank you for your post. The zeus Trojan has so far stolen 46 m $ from Banks. Your post may be helpful to fight against it. I also had come across with a latest technology in banking system. It works with Biometric Finger Print Scan and Connects you Directly to your Bank accounts. It is the latest security approach to prevent from Spam and Hacking.
    thanks

    • Deborah A. Davis

      follow the steps and it works great. just be careful in the future. Stelian what virus protection do you recommend?

  • Liviu Varcu

    Thank you!! This is the only guide that actually works!