Zeus Trojan (or Zbot Trojan) is a computer virus that attempts to steal confidential information from the compromised computer.
The Trojan itself is primarily distributed through spam campaigns and drive-by downloads, though given its versatility, other vectors may also be utilized. The user may receive an email message purporting to be from organizations such as the FDIC, IRS, MySpace, Facebook, or Microsoft. The message body warns the user of a problem with their financial information, online account, or software and suggests they visit a link provided in the email. The computer is compromised if the user visits the link, if it is not protected.
The Zeus Trojan has primarily been designed to steal confidential information from the computers it compromises. It specifically targets system information, online credentials, and banking details, but can be customized through the toolkit to gather any sort of information. This is done by tailoring configuration files that are compiled into the Trojan installer by the attacker. These can later be updated to target other information, if the attacker so wishes.
Confidential information is gathered through multiple methods. Upon execution the Trojan automatically gathers any Internet Explorer, FTP, or POP3 passwords that are contained within Protected Storage (PStore). However, its most effective method for gathering information is by monitoring Web sites included in the configuration file, sometimes intercepting the legitimate Web pages and inserting extra fields (e.g. adding a date of birth field to a banking Web page that originally only requested a username and password).
Additionally, Zeus Trojan contacts a command-and-control (C&C) server and makes itself available to perform additional functions. This allows a remote attacker to command the Trojan to download and execute further files, shutdown or reboot the computer, or even delete system files, rendering the computer unusable without reinstalling the operating system.
Symantec has observed the following geographic distribution of this threat:

Zeus Trojan can be detected by the security products as: Trojan-Spy:W32/Zbot [F-Secure],PWS-Zbot [McAfee],Trojan-Spy.Win32.Zbot [Kaspersky], Win32/Zbot [Microsoft],Infostealer.Monstres [Symantec], Infostealer.Banker.C [Symantec],Trojan.Wsnpoem [Symantec] or Troj/Zbot-LG [Sophos].
How to remove Zeus trojan(Removal Guide)
This page is a comprehensive guide which will remove Zeus trojan from your machine.
Please perform all the steps in the correct order. If you have any questions or doubt at any point, STOP and ask for our assistance
To remove the Zeus trojan, follow these steps:
STEP 1: Scan your computer with Kaspersky TDSSKiller
STEP 2: Stop the malicious processes with Rkill
STEP 3: Scan your computer with Malwarebytes Anti-Malware
STEP 4: Scan your computer with HitmanPro
STEP 5: Scan your computer with Zemana AntiMalware
STEP 1: Scan your computer with Kaspersky TDSSKiller
As part of its self-defense mechanism, Zeus Trojan might install a ZeroAccess rootkit on the infected computer.In this first step, we will run a system scan with Kaspersky TDSSKiller to remove this rootkit.
- Please download the latest official version of Kaspersky TDSSKiller.
KASPERSKY TDSSKILLER DOWNLOAD LINK(This link will automatically download Kaspersky TDSSKiller on your computer.) - Double-click on tdsskiller.exe to open this utility, then click on Change Parameters.

- In the new open window,we will need to enable Detect TDLFS file system, then click on OK.

- Next,we will need to start a scan with Kaspersky, so you’ll need to press the Start Scan button.

- Kaspersky TDSSKiller will now scan your computer for Zeus trojan infection.

- When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.

- To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.A reboot will be require to completely remove any infection from your system.
STEP 2: Stop the malicious processes with Rkill
RKill is a program that will attempt to terminate all malicious processes associated with Zeus Trojan, so that we will be able to perform the next step without being interrupted by this malicious software.
Because this utility will only stop Zeus Trojan running process and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again.
- You can download Rkill from the below link.
RKILL DOWNLOAD LINK (his link will open a new web page from where you can download “RKill”) - Double click on Rkill program to stop the malicious programs from running.

- RKill will now start working in the background, please be patient while this utiltiy looks for malicious process and tries to end them.

- When the Rkill tool has completed its task, it will generate a log. Do not reboot your computer after running RKill as the malware programs will start again.

STEP 3: Scan your computer with Malwarebytes Anti-Malware
Malwarebytes Anti-Malware Free uses industry-leading technology to detect and remove all traces of malware, including worms, Trojans, rootkits, rogues, dialers, spyware, and more.
It is important to note that Malwarebytes Anti-Malware works well and should run alongside antivirus software without conflicts.
- You can download download Malwarebytes Anti-Malware from the below link.
MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This link will open a new web page from where you can download “Malwarebytes Anti-Malware Free”) - Once downloaded, close all programs, then double-click on the icon on your desktop named “mbam-setup” to start the installation of Malwarebytes Anti-Malware.

You may be presented with a User Account Control dialog asking you if you want to run this file. If this happens, you should click “Yes” to continue with the installation. - When the installation begins, you will see the Malwarebytes Anti-Malware Setup Wizard which will guide you through the installation process.

To install Malwarebytes Anti-Malware on your machine, keep following the prompts by clicking the “Next” button.

- Once installed, Malwarebytes Anti-Malware will automatically start and you will see a message stating that you should update the program, and that a scan has never been run on your system. To start a system scan you can click on the “Scan Now” button.

- Malwarebytes Anti-Malware will now start scanning your computer for malware. When Malwarebytes Anti-Malware is scanning it will look like the image below.

- When the scan has completed, you will be presented with a screen showing the malware infections that Malwarebytes Anti-Malware has detected. To remove the malicious programs that Malwarebytes Anti-malware has found, click on the “Remove Selected” button.

Please note that the infections found may be different than what is shown in the image. - Malwarebytes Anti-Malware will now quarantine all the malicious files and registry keys that it has found. When removing the files, Malwarebytes Anti-Malware may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot your computer, please allow it to do so.

After your computer will restart, you should open Malwarebytes Anti-Malware and perform another “Threat Scan” scan to verify that there are no remaining threats
STEP 4: Scan your computer with HitmanPro
HitmanPro is a second opinion scanner, designed to rescue your computer from malware (viruses, trojans, rootkits, etc.) that have infected your computer despite all the security measures you have taken (such as anti-virus software, firewalls, etc.). HitmanPro is designed to work alongside existing security programs without any conflicts. It scans the computer quickly (less than 5 minutes) and does not slow down the computer.
- You can download HitmanPro from the below link:
HITMANPRO DOWNLOAD LINK (This link will open a new web page from where you can download “HitmanPro”) - Double-click on the file named “HitmanPro.exe” (for 32-bit versions of Windows) or “HitmanPro_x64.exe” (for 64-bit versions of Windows). When the program starts you will be presented with the start screen as shown below.

Click on the “Next” button, to install HitmanPro on your computer.

- HitmanPro will now begin to scan your computer for malicious files.

- When it has finished it will display a list of all the malware that the program found as shown in the image below. Click on the “Next” button, to remove malware.

- Click on the “Activate free license” button to begin the free 30 days trial, and remove all the malicious files from your computer.

STEP 5: Scan your computer with Zemana AntiMalware
Zemana AntiMalware is a powerful utility which will check your machine for any left over malware.
- You can download Zemana AntiMalware from the below link:
ZEMANA ANTIMALWARE DOWNLOAD LINK (This link will start the download of “Zemana AntiMalware”) - Double-click on the file named “Zemana.AntiMalware.Setup.exe” to install Zemana AntiMalware on your computer. When the program starts you will be presented with the start screen as seen below.

Click on the “Next” button, to install Zemana AntiMalware on your computer.

- When Zemana AntiMalware will start, click on the “Scan” button.

- Zemana AntiMalware will now scan computer for any malicious files. This process can take up to 10 minutes.

- When Zemana AntiMalware has finished it will display a list of all the malware that the program found. Click on the “Next” button, to remove the malicious files from your computer.

- Zemana AntiMalware will now remove all the detected malicious files, and at the end a system reboot may be required to remove all traces of malware.

Your computer should now be free of the Zeus trojan infection.
If you are still experiencing problems while trying to remove Zeus trojan from your machine, pleases tart a new thread in our Malware Removal Assistance forum.
I am the creator and owner of MalwareTips. I am passionate about computer security and technology. I have an experience of 9 years working as a security researcher.