
Zeus Trojan Virus Removal Guide for Windows PCs

Zeus is a banking Trojan first identified in July 2007, when it was used to steal information from the United States Department of Transportation. The malware is also known as ZeuS and Zbot. It is the basis of one of the most successful botnet kits ever sold and has infected millions of machines since its first release. Its source code, which leaked in 2011, has been reused in other malware families such as Floki Bot. Zeus is a sophisticated threat built to harvest credentials and other sensitive data, and its operators can use it to take full control of an infected machine.

Further Information About Zeus Trojan Virus

Zeus, also known as Zbot, performs a range of system modifications once it is running on a computer. It is used to steal personally identifiable information as well as banking credentials and the usernames and passwords of trading, social network and online payment accounts. The stolen data is sent to the operator's command and control (C2) server, which in turn can send commands back to the infected machine.

Zeus has also been delivered by the Sundown and RIG exploit kits, and an existing Zeus infection is itself used as a channel for distributing ransomware and other malware.

Zeus primarily targets computers running Microsoft Windows, but security researchers have also found variants for Android, BlackBerry and Symbian devices. The threat has evolved over time and continues to be used in attack campaigns.

Traits of Zeus Trojan Virus Infection

Here are the technical consequences of a Zeus infection. Where the Trojan installs itself depends on the privileges of the user logged in at the time of the attack: with an administrator account it drops its files into the %System% folder (normally %SystemRoot%\System32); with a limited account they are copied to %UserProfile%\Application Data, that is %AppData% (on Windows Vista and later this resolves to %UserProfile%\AppData\Roaming). The files are usually given the HIDDEN attribute so that they do not show up in a casual look through Explorer, which is why Step II below turns on the display of hidden files.

The name of the executable that launches Zeus varies. Past samples have used the following file names:

  • twext.exe
  • sdra64.exe
  • ntos.exe
  • oembios.exe
  • pdfupd.exe

Recent payloads of the Chthonic variant of ZeuS have been observed using the executable name 73mendjd.exe.

Zeus also injects its code into running processes: winlogon.exe when it has administrator rights and explorer.exe otherwise. From there it spreads into other processes such as svchost.exe and, most importantly, the web browser, where it hooks the network APIs so that banking credentials can be captured as they are submitted.

Infected users who are running an account with Administrator rights may find the following files in the directories shown:

  • %systemroot%\system32\sdra64.exe (the malware)
  • %systemroot%\system32\lowsec
  • %systemroot%\system32\lowsec\user.ds
  • %systemroot%\system32\lowsec\user.ds.lll
  • %systemroot%\system32\lowsec\local.ds

Victims who are running an account without Administrator rights should check for the following files instead:

  • %appdata%\sdra64.exe
  • %appdata%\lowsec
  • %appdata%\lowsec\local.ds
  • %appdata%\lowsec\user.ds
  • %appdata%\lowsec\user.ds.lll

Additionally, Zeus adds registry entries so that it starts on every Windows boot. Again the location depends on the account privileges. If the account has administrative rights, Zeus appends the path of its executable to the Userinit value under the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

When the account has limited rights, Zeus adds a value pointing to its copy under %AppData% to the subkey:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
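The file, hidden-attribute and registry indicators above can be checked in one pass. The script below is an added example written for this guide, not code from the original article; it is read-only and only looks for the file names and registry locations named on this page, so newer builds that use other names will not be caught by it and a clean result is not proof that the machine is clean.

```powershell
# Added example, not from the original article: read-only triage of a Windows host
# for the Zeus 1.x / Zbot artifacts listed above. Nothing on disk or in the registry
# is changed. Run from an elevated PowerShell prompt so System32 is fully readable.
# Assumption: only the names and locations given on this page are checked.

$knownNames = 'twext.exe', 'sdra64.exe', 'ntos.exe', 'oembios.exe', 'pdfupd.exe', '73mendjd.exe'
$dropRoots  = "$env:SystemRoot\System32", $env:APPDATA   # admin vs. limited-user drop locations
$findings   = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Where; Detail = $Detail })
}

# 1. Dropped executables and the lowsec config/log store that sits next to them.
foreach ($root in $dropRoots) {
    foreach ($name in $knownNames) {
        $path = Join-Path $root $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item   = Get-Item -LiteralPath $path -Force                 # -Force: include hidden files
            $hidden = ($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Add-Finding 'File' $path "hidden=$hidden sha256=$sha256"
        }
    }
    $lowsec = Join-Path $root 'lowsec'
    if (Test-Path -LiteralPath $lowsec -PathType Container) {
        Get-ChildItem -LiteralPath $lowsec -Force | ForEach-Object {
            Add-Finding 'ConfigStore' $_.FullName "size=$($_.Length) bytes"
        }
    }
}

# 2. Persistence, administrator case. A clean Userinit value holds exactly one entry,
#    "C:\Windows\system32\userinit.exe,"; Zeus appends its own path after it.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$entries  = @($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
if ($entries.Count -ne 1 -or $entries[0] -notmatch '\\userinit\.exe$') {
    Add-Finding 'Persistence' "$winlogon\Userinit" $userinit
}

# 3. Persistence, limited-user case: a Run value that launches one of the known names.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($prop in $runValues.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }                  # skip PSPath, PSParentPath, ...
    $cmd = [string]$prop.Value
    foreach ($name in $knownNames) {
        if ($cmd -imatch [regex]::Escape($name)) {
            Add-Finding 'Persistence' "$runKey\$($prop.Name)" $cmd
            break
        }
    }
}

# 4. Anything currently executing under one of the known names (Win32_Process gives the
#    image path without the access errors Get-Process raises on protected processes).
Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath } | ForEach-Object {
    if ($knownNames -icontains (Split-Path -Leaf $_.ExecutablePath)) {
        Add-Finding 'Process' "PID $($_.ProcessId)" $_.ExecutablePath
    }
}

if ($findings.Count -eq 0) { 'No Zeus/Zbot indicators from this list were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Keep the SHA-256 values it prints: they let you look the sample up on a scanning service without uploading it, and they are what you hand to whoever does the incident write-up.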

Zeus is also sold and operated as a toolkit. In that case the attacker connects to the Trojan through the command and control server and directs its actions: the bot can shut down or reboot the computer, download and execute further files, or delete system files, which can leave the system permanently damaged.

Chthonic Trojan is the latest Zeus version

Zeus has evolved over time and exists in many variants. The most recent major line is called Chthonic. It was first reported at the end of 2014 and was used in a large-scale campaign against about 150 banks in 15 countries. Chthonic injects itself into the msiexec.exe process and from there installs a set of malicious modules on the infected computer. These modules collect system information, steal saved passwords, log keystrokes, enable remote access and send the harvested data to the criminals' command and control servers.


How the Zeus Trojan Infects Computers

Zeus reaches victims' machines through several techniques, mainly phishing and drive-by downloads. Phishing campaigns lead users to a fake website that closely imitates a legitimate one. Spam e-mails, instant messages on social networks and pop-up messages are the usual carriers, and they rely on weaknesses in the browser, the operating system and the user's habits.

The spam e-mails claim to come from a social network, a bank, an IT administrator, an online payment service, Microsoft, PayPal and so on. Clicking anything in such a message can redirect you to a website that hosts malware, and the result is a silent download of the Zeus Trojan onto your computer.


Last year we reported on several techniques used to spread the Zeus virus. At the end of July, PayPal spam e-mail campaigns were spreading Chthonic, the latest Zeus variant. Then, in October, MSG files were also employed by hackers as a way to infect users with the devastating Zeus Trojan.

Customised spam e-mails may also carry an attachment crafted to exploit a specific vulnerability in an installed application or in Windows itself. Opening such a file is enough to trigger the Zeus infection.

Security Tip:
If you are unsure whether to open a link or attachment, submit it to an online scanning service such as VirusTotal or ZipeZip and read the verdict before acting. Two caveats apply. Uploading a file shares it with the service and its partners, so if the file may contain confidential data look up its SHA-256 hash first instead of uploading it. And a clean result only means that no engine currently recognises the sample, so treat it as one signal rather than as proof of safety. Used with that in mind, such services help you avoid infections with Zeus and other malware.

Remove Zeus Trojan Virus from Windows PC

Zeus is not an easy piece of malware to remove. Manual removal is challenging even for technically skilled users because of its process injection and hidden files. Nevertheless the threat must be removed as soon as possible; as long as it runs, your sensitive data, the system itself and the other computers it can reach are at risk. Security specialists recommend an anti-malware tool for the most reliable results. Whichever method you use, assume that every credential typed on the machine while it was infected has been captured: change your banking, e-mail and payment passwords from a clean device and tell your bank if you notice transactions you did not make.

Prevention is Better Than a Cure

Make sure that your operating system and all installed software are fully patched, and turn on automatic updates where they are offered. Check that your antivirus and firewall software are current and install any pending updates. Use a standard (non-administrator) account for everyday work: as shown above, an infection that lands in a limited account is confined to %AppData% and a single Run value instead of System32 and Winlogon. Skipping these steps leaves your computer open to Zeus attacks.

Zeus Trojan Virus Removal

STEP I: Start the PC in Safe Mode with Networking
Safe Mode loads a minimal set of drivers and skips most third-party autostart entries, which makes the Trojan's files easier to stop and delete. Note that the Winlogon Userinit entry Zeus uses when it has administrator rights is still honoured in Safe Mode, so do not assume the Trojan is inactive there; check Task Manager in Step III regardless.

    1) Hit WIN Key + R
    2) A Run window will appear. In it, write "msconfig" and then press Enter
    3) A System Configuration window will appear. Choose the tab named "Boot"
    4) Tick the "Safe boot" option and then tick "Network" under it
    5) Apply -> OK and restart

Remember to untick "Safe boot" in the same dialog once the clean-up is finished, otherwise Windows keeps restarting into Safe Mode.

STEP II: Show Hidden Files

    1) Open My Computer/This PC
    2) Windows 7

      – Click on the "Organize" button
      – Select "Folder and search options"
      – Select the "View" tab
      – Under "Hidden files and folders" mark the "Show hidden files and folders" option

    3) Windows 8/10

      – Open the "View" tab
      – Mark the "Hidden items" option

    4) Click "Apply" and then "OK"

STEP III: Enter Windows Task Manager and Stop Malicious Processes

    1) Hit the following key combination: CTRL+SHIFT+ESC
    2) Go to the "Processes" tab (on Windows 8/10 the "Details" tab lists the image names)
    3) When you find a suspicious process, right-click on it and select "Open File Location"; compare the location with the file names and folders listed above
    4) Go back to Task Manager and end the malicious process: right-click it again and choose "End Process"
    5) Next, go to the folder where the malicious file is located and delete it, together with the lowsec folder beside it

STEP IV: Remove Zeus Trojan Virus Completely Using the SpyHunter Anti-Malware Tool

Manual removal of Zeus requires familiarity with system files and the registry, and deleting the wrong key or file can leave Windows unbootable. To avoid that, remove Zeus with the help of a malware removal tool.

The SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats immediately.

STEP V: Repair the Windows Registry

    1) Again press the Windows key + R combination
    2) In the box, write "regedit" (without the quotation marks) and hit Enter
    3) Press CTRL+F and type the name of the malicious executable in the search field to locate every reference to it
    4) Delete the keys and values you find that refer to the malware, but be careful not to delete legitimate keys. In particular, the Userinit value under Winlogon must keep its "C:\Windows\system32\userinit.exe," entry: remove only the malware path that was appended after it
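The same Steps III and V can be scripted once you know the path of the dropped executable. The function below is an added example written for this guide, not code from the original article or from any vendor's tool; it assumes the Zeus 1.x layout described above (the executable plus a lowsec folder beside it, a Userinit entry or an HKCU Run value as persistence) and supports -WhatIf so you can rehearse every action before anything is deleted.

```powershell
# Added example, not from the original article: scripted removal of the Zeus 1.x
# artifacts described in this guide. Run elevated, from Safe Mode with Networking
# (Step I). Assumption: the layout is the one on this page (executable, lowsec
# folder next to it, Userinit or HKCU Run persistence); other builds differ.

function Remove-ZeusArtifacts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Full path of the executable found in Step III, e.g. C:\Windows\System32\sdra64.exe
        [Parameter(Mandatory = $true)] [string] $MalwarePath
    )

    $dir  = Split-Path -Parent $MalwarePath
    $name = Split-Path -Leaf   $MalwarePath

    # Step III: stop every process running from the malware image. Code injected into
    # winlogon.exe / explorer.exe is not touched here; the reboot at the end clears it.
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ieq $MalwarePath) } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("PID $($_.ProcessId) ($($_.Name))", 'Stop-Process')) {
                Stop-Process -Id $_.ProcessId -Force
            }
        }

    # Step V, administrator case: drop the malware entry from Userinit and keep the rest.
    # A clean value is "C:\Windows\system32\userinit.exe," (note the trailing comma).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $current  = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    $kept     = @($current -split ',' | ForEach-Object { $_.Trim() } |
                  Where-Object { $_ -ne '' -and $_ -ine $MalwarePath })
    $cleaned  = ($kept -join ',') + ','
    if ($cleaned -ne $current) {
        if ($PSCmdlet.ShouldProcess("$winlogon\Userinit", "Set to '$cleaned'")) {
            Set-ItemProperty -Path $winlogon -Name Userinit -Value $cleaned
        }
    }

    # Step V, limited-user case: delete any HKCU Run value that launches the malware.
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($prop in $runValues.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }              # provider metadata, not Run values
        if (([string]$prop.Value) -imatch [regex]::Escape($name)) {
            if ($PSCmdlet.ShouldProcess("$runKey\$($prop.Name)", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $runKey -Name $prop.Name
            }
        }
    }

    # Step III (5): remove the executable and the lowsec config/log store beside it.
    foreach ($target in @($MalwarePath, (Join-Path $dir 'lowsec'))) {
        if (Test-Path -LiteralPath $target) {
            if ($PSCmdlet.ShouldProcess($target, 'Remove-Item')) {
                Remove-Item -LiteralPath $target -Recurse -Force
            }
        }
    }
}

# Rehearse first, then run for real, then reboot and untick Safe boot in msconfig:
# Remove-ZeusArtifacts -MalwarePath "$env:SystemRoot\System32\sdra64.exe" -WhatIf
# Remove-ZeusArtifacts -MalwarePath "$env:SystemRoot\System32\sdra64.exe"
```

Copy the executable and the lowsec folder to removable media before deleting them if you want them analysed later; the lowsec files hold the bot's configuration and the data it collected, which tells you which sites and accounts were targeted. After the reboot, run the triage check again and, as stressed above, change every password that was used on the machine from a clean device.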


Gergana Ivanova

Gergana Ivanova is a computer security enthusiast. She is a member of the Best Security Search team and enjoys presenting the latest news on cyber-security and cyber-threat issues.