Zeus Trojan

Zeus Trojan Description

The Zeus Trojan is the most widespread and common banking Trojan today. There are countless variants of the Zeus Trojan, also known as Zbot and Zitmo. There are regional variants that target computers in specific areas of the world as well as mobile-specific variants designed to attack mobile operating systems such as Android or BlackBerry platforms. In all cases, the Zeus Trojan is used to steal banking information. This dangerous malware infection can be used to steal account names and numbers, banking account passwords, and credit card numbers. The Zeus Trojan can also be used to capture information that can then be used to steal a victim's identity. ESG security researchers consider the Zeus Trojan and its many variants severe threats to your computer and to your security. Protect yourself by using reliable anti-malware software and keeping it constantly updated.

Understanding the Zeus Trojan Infection

In its most basic form, the Zeus Trojan steals banking information and then sends this information to a remote host. Formerly, the Zeus Trojan was linked to a very large botnet. Although there are still very large botnets associated with the Zeus Trojan, these have diminished in size in the last few years. The most common tactic to distribute the Zeus Trojan is through malicious email messages which are often sent out by these very same botnets. Zeus Trojan infections spread through phishing email messages as well as social media scams. Often, the Zeus Trojan will be used in conjunction with the Black Hole Exploit Kit. Using this dangerous utility, criminals can set up attack websites that then infect a computer with the Zeus Trojan.

Dealing with a Zeus Trojan Infection

The main danger of a Zeus Trojan infection is that a computer user will rarely be aware of the presence of this threat. The Zeus Trojan and most of its variants are designed to reside on the victim's computer without causing overt symptoms. Apart from a slight increase in system resource usage, computer users will probably not notice the presence of a Zeus Trojan infection. This is why it is so important to update your security software. In most cases, the first sign of a Zeus Trojan infection will be its detection by an anti-virus application. To prevent a Zeus Trojan infection in the future, ESG malware analysts recommend never downloading unsolicited email attachments or clicking on embedded links contained in unsolicited email messages.


Security Doesn't Let You Download SpyHunter or Access the Internet?


Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow these steps to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, open Firefox, Chrome or Safari instead.
  • Use removable media. Download SpyHunter on another, clean computer, copy it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you cannot access your Windows desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
  • IE Users: Disable the proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.

If you still can't install SpyHunter, view other possible causes of installation issues.

Technical Information

File System Details

Zeus Trojan creates the following file(s):
# File Name
1 088709.exe
2 C:\WINDOWS\System32\ntos.exe
3 C:\WINDOWS\System32\sdra64.exe
4 C:\WINDOWS\System32\oembios.exe
5 C:\WINDOWS\System32\sysproc64\sysproc86.sys
6 C:\WINDOWS\System32\sysproc64\sysproc32.sys
7 C:\WINDOWS\System32\wsnpoem\video.dll
8 C:\WINDOWS\System32\wsnpoem\audio.dll
9 C:\WINDOWS\System32\twext.exe
10 C:\WINDOWS\System32\twain_32\local.ds
11 C:\WINDOWS\System32\twain_32\user.ds
12 C:\WINDOWS\System32\lowsec\user.ds
13 C:\WINDOWS\System32\lowsec\local.ds

Registry Details

Zeus Trojan creates the following registry entry or registry entries:
HKEY..\..\{Value}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network "UID" = "[USERNAME]_[UNIQUE_ID]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer "{6780A29E-6A18-0C70-1DFF-1610DDE00108}" = "[HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer "{F710FA10-2031-3106-8872-93A2B5C5C620}" = "[HEXADECIMAL VALUE]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "userinit" = "%System%ntos.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run "userinit" = "%System%ntos.exe"
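
The file and registry entries above can be checked against data collected from a host. The following is an added example, not part of the original page or of any ESG tool: it matches a file listing and exported Run-key values against the indicators listed here, case-insensitively. The function names and the sample listing and registry tuples are constructed for illustration.

```python
import ntpath

# Indicators copied from the page's file and registry lists.
SYS32 = r"C:\WINDOWS\System32"
SYS32_FILES = [
    "ntos.exe", "sdra64.exe", "oembios.exe", "twext.exe",
    r"sysproc64\sysproc86.sys", r"sysproc64\sysproc32.sys",
    r"wsnpoem\video.dll", r"wsnpoem\audio.dll", r"twain_32\local.ds",
    r"twain_32\user.ds", r"lowsec\user.ds", r"lowsec\local.ds",
]
BARE_NAMES = {"088709.exe"}  # listed on the page without a directory
RUN_VALUE, RUN_TARGET = "userinit", "ntos.exe"

def _norm(path):
    # Windows paths are case-insensitive; accept '/' and quoted paths too.
    return ntpath.normpath(path.strip().strip('"')).lower()

FULL_PATHS = {_norm(ntpath.join(SYS32, f)) for f in SYS32_FILES}

def match_files(listing):
    """Return entries of a file listing that match the page's file list."""
    return [p for p in listing
            if _norm(p) in FULL_PATHS or ntpath.basename(_norm(p)) in BARE_NAMES]

def match_run_values(values):
    """values: (key, value_name, data) tuples exported from the registry."""
    hits = []
    for key, name, data in values:
        # The legitimate Userinit value lives under Winlogon, not Run; skip it.
        in_run = key.lower().rstrip("\\").endswith(r"\currentversion\run")
        if in_run and name.lower() == RUN_VALUE and _norm(data).endswith(RUN_TARGET):
            hits.append((key, name, data))
    return hits

# Constructed sample triage data (not from a real host).
SAMPLE_LISTING = [
    r"c:\windows\system32\SDRA64.EXE",
    "C:/WINDOWS/System32/lowsec/user.ds",
    r"C:\Users\alice\Downloads\088709.exe",
    r"C:\WINDOWS\System32\notepad.exe", r"C:\WINDOWS\twain_32\user.ds",
]
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE_RUN = [(HKCU_RUN, "userinit", "%System%ntos.exe"),
              (WINLOGON, "Userinit", r"C:\Windows\system32\userinit.exe,")]

if __name__ == "__main__":
    for hit in match_files(SAMPLE_LISTING) + match_run_values(SAMPLE_RUN):
        print("MATCH:", hit)
```

A match on a file name alone is a lead for further examination rather than a confirmed infection, since the page gives no hashes for these files.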


9 Comments

  • Reid:

    I almost got the ZEUS virus 2 times. Really the only thing you can do is restart because it locks up your computer. Just a tip, don’t click on mysterious links.

  • james:

    Do not call the number. They will ask you to pay and shut down your PC until you pay, and more than likely not allow access again. What you should do is force close your browser when this window pops up, then bring up this site you're on now, copy the file names and search for each individual one in the designated area, and scan your PC at the same time. If nothing comes up you should be fine, and if the Zeus pops up again just close the window; it is the start of the virus. If you take the actions it tells you to, the virus will be released into your systems and, if not properly taken care of, will embed itself in your PC and continue to steal your personal info until removed, which will become harder to do as time goes by.

  • Fraser Reid:

    I have a virus called ZEUS flashing on my pc screen. I’m running Windows 10
    It tells me not to shut down pc.
    It gives me a telephone no. 1 855 739 5486 to call
    Is this a safe number for Microsoft?
    Can I safely shut down my pc?

  • Pietersz, Tyrone:

    I have two left hands with ten thumbs when it comes to computers. Today I received a pop-up informing me that the Zeus virus had been downloaded, and to call a specific phone number. No response whatsoever… It (the warning) keeps popping up in the middle of my work, and is very annoying.
    All I could do up to now was restart my computer every time it appeared, and I am now desperate. What do I do? I do not understand the computer jargon anyway. Please help

  • Ben:

    I GOT STRUCK BY THE ZEUS VIRUS!! Right now it’s done the Hard Drive Safety Delete, but Scanning is still in progress when I posted this message! PLEASE HALP! Any tips on how to avoid it in the future? (other than avoid pages that have it)

  • william:

    I got a warning about the Zeus virus on my Chromebook, but it seems my computer cannot download an anti-virus program. What do I do about this?

  • May Reilly:

    Is it normal for a voice along with a pop-up appearing to tell me to phone 0800-011-9684 to deal with this ZEUS virus?

  • AnnaG:

    I wish there was an option to print the page. The info is so valuable. SpyHunter is one of my favorites…I always felt it did a great job.

  • Chyna:

    That’s a genuinely impressive answer.
