
Remove Zeus Trojan Virus

In this article you will find out how to remove the Zeus Trojan virus and get rid of infected files. The Zeus Trojan horse virus is spread on a large scale via the RIG Exploit Kit. That new version is dubbed “Chthonic” and it first emerged a couple of years ago, when it hit 150 banks all over the world. That activity is still ongoing, although the Trojan is also used for the distribution of ransomware. The malware has had many names over the years, and a very notable one is Zbot.

Threat Summary

Name: ZeuS, also known as Trojan.Zeus.C
Type: Trojan horse, Virus
Short Description: The Zeus Trojan horse virus is used in a variety of ways, which involve stealing information, dispersing other malware online, or acting as a payload dropper for ransomware and other malware.
Symptoms: An infection with the Zeus virus might be silent if it is used as an infostealer, or loud if it is used to infect you with more malware. Either way, your PC is quite likely to slow down if it gets infected.
Distribution Method: Fake Tech Support, Spam Emails, Email Attachments, Executable Files

What Is a Zeus Trojan Virus?

Before revealing what the ZeuS Trojan virus is, you should first get familiar with what a Trojan Virus is. That is a combination of terms used to describe malware that is both a Trojan horse and a virus.

A Trojan horse is a piece of malware that injects itself into a computer device, under false pretenses, for instance presenting itself as the famous program Skype. You won’t be surprised to find out that the term Trojan horse in computing comes from the ancient Greek story of how Greek soldiers stealthily invaded Troy, by using a giant wooden horse, presented as a gift. A virus is a malicious program that once executed, will blatantly start replicating itself and infecting other programs by modifying them without the user’s permission.

Thus, a combination of the two types of malware described above, will be a malicious program that could do some or all of the following:

  • pretends to be a known or a useful program, so you give it initial access
  • uses other stealth tactics to sneak into your computer
  • modifies/infects other programs and processes on your PC
  • copies itself in different locations on your PC

Zeus Trojan Virus – Chronological Background

The Zeus Trojan Virus has spread over the whole world, and is probably best known for delivering the infamous CryptoLocker encrypting virus. Below you will find a brief history of the malware in all its forms, from its first appearance to early 2017.

2007 – ZeuS and Its First Appearance

The year 2007 marked the beginning of the ZeuS malware that later became known as the Zeus Trojan horse. Back then it was used to steal information from the United States Department of Transportation. After that it began gathering momentum.

2009 – ZeuS Becomes Widespread

In 2009, Zeus became widespread for the first time, and it was seen as a major threat. It had compromised over 74,000 FTP accounts on websites of big companies, such as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.

2010 – ZeuS The Worldwide Threat

2010 was the year in which the FBI announced that the Zeus virus was used to infect computers across the whole globe. In this form, Zeus was mainly used as a banking Trojan, to steal information by registering keystrokes made when using a browser or by form grabbing. Also, e-mails were used to reach individuals at municipalities and firms, so it can grab any data related to online banking accounts.

2013 – ZeuS The CryptoLocker Helper

Late 2011 set new heights for ZeuS, as its code was used for the creation of the Gameover ZeuS botnet. The botnet was less vulnerable to law enforcement operations, since it used an encrypted peer-to-peer system to communicate with its C2 (Command & Control) servers. Banking fraud was once again a primary aim for the Zeus malware family. In 2013, everything escalated when Gameover ZeuS was responsible for the mass distribution of the CryptoLocker Ransomware Virus (https://sensorstechforum.com/remove-cryptolocker-ransomware-virus/) around the world.

2015 – ZeuS Evolves Into Chthonic

2015 was also an emblematic year for Zeus as it evolved even further into Chthonic – a new variant discovered by malware researchers from Kaspersky. This variant uses the same encryption technique as the “Zeus V2” and “Zeus AES” Trojans. Chthonic (https://sensorstechforum.com/chthonic-a-new-version-of-the-zeus-banking-trojan-hits-150-banks-in-15-countries/) is known to have hit over 150 banks in 15 countries, back in 2015.

2016 – ZeuS and the Sphinx

In August 2015, the code of ZeuS was used to create a custom variant called the “Sphinx Banking Trojan” (https://sensorstechforum.com/rio-2016-malware-sphinx-banking-trojan-targets-brazilian-banks/), sold on the black market for $500. It made full use of the TOR network. Up to the last quarter of 2016, there were detections of the Trojan, proving that it is still active. Mainly Brazilian banks were hit, including Boleto payment methods used in Brazil.

2017 – ZeuS Trojan

Zeus Virus – Technical Insight Update 2017: ZeuS is still one of the biggest computer infections, with many of its variants still spreading in 2017. Read below to find out more.

Zeus Trojan Virus – Ways of Distribution

The ZeuS malware has had many forms of distribution over the years, for the original and for later variants. One of the first ways for it to get onto your computer system was with the help of redirects. Lots of redirects could be triggered by clicking something online, such as a link or a button. One of the redirects contains a script which downloads the malware. Another way to download it is by clicking an advertisement that poses a question, where clicking either “Yes” or “No” results in getting the ZeuS Trojan Virus on your PC.

As the source code for Zeus was leaked in 2011, a toolkit builder was offered for free that looked like the following:

Tweaked versions of the toolkit and the malware in the form of either a Trojan horse or a Botnet soon followed. The abovementioned versions, featuring specific functions, are still sold to this day, with prices typically ranging from $700 to $15,000.

Spam e-mails with attachments were and still are a prominent way of distribution for ZeuS. Inside the attachment there is an executable file that is obfuscated and hidden as some sort of a document file, with an extension like .pdf or .doc as seen in the screenshot below:

Image Source: SecureList.com

Another distribution way is with the ZeuS being sent worldwide with a malvertising chain. You can see the last reported such attack (April 2017) and the detections of security vendors for it on the VirusTotal service right here:

The last attack consisted of over 300 redirects, which result in loading a compromised site with the RIG Exploit Kit (https://sensorstechforum.com/new-version-rig-exploit-kit-developed/) on it. Once you find yourself on the landing page, vulnerabilities based on Adobe’s “Flash” will be exploited and finally the payload will be dropped. The payload shown in the image above is originally named “73mendjd.exe”.

As you can see the ways of distribution for Zeus can vary, and even other ones could be utilized as the malware continues to evolve.

Zeus Trojan Virus – Update November 2018

Zeus keeps being sold on Dark Net forums in some shape or form even in late 2018. Some Banking Trojans stem from the code of the original Zeus as you already may know. Some of the most common names given to the virus by various anti-malware companies are the following:

  • Trojan-Spy:W32/Zbot
  • PWS-Zbot
  • Trojan-Spy.Win32.Zbot
  • Trojan.Wsnpoem
  • Troj/Zbot-LG
  • Troj/Agent-MDL
  • Troj/Zbot-LM
  • Troj/TDSS-BY
  • Troj/Zbot-LO
  • Troj/Buzus-CE
  • Sinowal.WUR Troj/QakBot-D
  • Troj/Agent-MIR
  • Troj/Qakbot-E
  • Troj/QakBot-G

If you see any of the names listed above pop up as a notification from your security software, make sure that it can remove it. Otherwise, change your tool immediately.

Zeus Trojan Virus – Update November 2017

In November the Panda ZeuS Trojan horse (https://sensorstechforum.com/panda-zeus-trojan-black-hat-seo/) returns with the help of black-hat SEO and malvertising techniques instead of phishing and spam campaigns. These techniques are new for the distribution of malware overall. The attackers hacked websites and used a network of spam botnets to boost the SEO rating of other sites in a black-hat way.

When a user visits one of these sites, now appearing at the top search results, he is redirected and a document containing the payload of the ZeuS Panda virus is sent to his computer system. The user had to enable macros for the virus to take effect, but that doesn’t take much effort. The ZeuS Trojan virus was quite successful with its attacks and continues to spread over the Internet. Beware and check the URL, before trusting a website.

Zeus Trojan Virus – Update September 2017

The Zeus variant Chthonic has been detected recently by malware researchers as one that is still active. The following domain was spreading it:

  • dako.gov(.)ua/files/text/load.exe

That domain has been known to be “The State Archive of the Kiev region” and after the payload dropper has downloaded the malware, the virus drops a copy of itself inside the %appdata%\roaming directory of the Windows operating system. The Panda Banker Trojan still remains active as another counterpart of the notorious Zeus Trojan. As the source code of the virus has been sold for quite some time now, more variants are very likely to be active as well.

Zeus Trojan Virus – Update August 2017

Now, in August 2017, the Zeus trojan is spreading in its newest form – the ZeuS Panda Banker Trojan (https://sensorstechforum.com/zeus-panda-banker-trojan-suchka-exe-remove-it-completely/). That variant has been seen in multiple languages, the most notable of which is Italian. It is currently trying to infect systems of banks worldwide. It is spread with spam e-mail campaigns. The ZeuS Panda Trojan is also known as suchka.exe because of that same name used for the payload obfuscated inside the spam e-mails. The interesting thing is that the virus poses as a ticket from your local Police Department. The attached file in the emails is inside a .ZIP file to try and hide it from security software.

Zeus Trojan – Technical Insight Update June 2017

The module files behind the malicious activity of the latest ZeuS Trojan variants show similar behavior, and for some variants even similar names, as you will see in this update. The executables and the malicious functions behind them which are of interest for the latest Zeus variants are believed to be the same as in the original v2 variant, as reported by Sysforensics. They are reported to be the following:

  • Kernel32.dll
  • Advapi32.dll
  • User32.dll

These so-called support modules of the Zeus Trojan’s main executable all have multiple functions that aim to modify different aspects of the infected computer, and we will thoroughly review them.

Kernel32.dll

In this file, the first function of interest is called GetModuleHandleA. Researchers believe that it is utilized in order to modify code of the OS so that an undetected injection of malicious code is possible. Another similar function is GetModuleFileName. It aims to retrieve the names of modules which are active as system processes. It can be used to insert processes in Windows Task Manager as if they were legitimate ones. There is also the OpenMutexA function in this file, primarily responsible for handling mutex objects. It can be used so that a second infection with the Zeus Trojan is impossible and there is only one infection present. This is a function commonly met in most malware.

Advapi32.dll

This module has two functions that aim to act as a unique identifier of the infection, most likely serving as an easier way for the hacker to manage many infections by giving them unique names. The two functions are GetUserNameA and GetAuditedPermissionsFromAclW. The two most interesting functions for us, however, are CreateServiceA and CreateProcessAsUserW. They are used primarily to create processes and for monitoring.

User32.dll

This module uses the functions GetDesktopWindow and GetKeyboardState. They point to the monitoring part of the malware, which may be:

  • Logging keystrokes (keylogger feature).
  • Screen capture or screenshot ability.

This is definitely a serious virus that continues to evolve. If new information is found the article will be duly updated.

Zeus Trojan Virus – Further Information

The Zeus Trojan virus has taken many forms over the years and has infected as many as 3.6 million computers in the United States alone, not to mention the ones worldwide. Now, in April 2017, the malware is still actively infecting computer systems. The Chthonic variant is back and this time is delivered by the RIG Exploit Kit. The distribution is with a malvertising chain, as described above.

Below you can see a list with IPs involved in that attack:


And here are some of the URLs that serve as the last redirect to the landing page with RIG:

  • dfg.twitttwoo.co.uk
  • https://dfg.twitttwoo.co.uk/
  • pationare.bit
  • https://pationare.bit/
  • avaneredge.bit
  • https://avaneredge.bit/

Since the leak of the ZeuS source code back in 2011, new variants have kept infecting computers. The common use of the Trojan involved injecting code in browsers, which would show phishing web pages in order to steal passwords, credentials and similar data related to banking. The Trojan is also utilized for other purposes, like being the payload dropper for ransomware viruses. A sample analyzed on the VirusTotal service:

For that ransomware, the following rule is added to the Windows Firewall:

→netsh advfirewall firewall add rule name="explore" dir=in action=allow program="%APPDATA%\Wiezycr\itetiwe.exe"

The command makes the Windows Firewall allow the particular executable that is written there, which gives it Internet access for sending and receiving traffic online. Thus, data can be stolen from the infected system and commands could be sent from a hacker through that newly-created backdoor.
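To check a machine for rules of the kind shown above, the following PowerShell function is an added example and not part of the original article. It lists enabled inbound allow rules whose program sits in a user-writable folder such as %APPDATA%; the function name and the default folder list are assumptions made for illustration, and it uses the built-in NetSecurity cmdlets of Windows 8 / Server 2012 and later.

```powershell
# Added example: find inbound "allow" firewall rules that point at programs in
# user-writable folders, like the %APPDATA% rule quoted above.
# Find-UserPathFirewallRule and $UserWritableRoots are illustrative names.
function Find-UserPathFirewallRule {
    [CmdletBinding()]
    param(
        # Folders a standard user can write to (assumption: extend as needed).
        [string[]]$UserWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)
    )

    # Normalise every root so it ends with exactly one backslash.
    $roots = $UserWritableRoots | Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') + '\' }

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $filter = $rule | Get-NetFirewallApplicationFilter
            # Rules without a program restriction report "Any" here.
            if (-not $filter.Program -or $filter.Program -eq 'Any') { return }

            # Rule paths may be stored with variables such as %APPDATA%.
            $program = [Environment]::ExpandEnvironmentVariables($filter.Program)
            $hit = $roots | Where-Object {
                $program.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
            }
            if (-not $hit) { return }

            # A missing file or an unsigned binary behind an allow rule deserves a look.
            $exists = Test-Path -LiteralPath $program -PathType Leaf
            $signature = if ($exists) {
                (Get-AuthenticodeSignature -LiteralPath $program).Status
            } else {
                'FileMissing'
            }

            [pscustomobject]@{
                RuleName    = $rule.Name
                DisplayName = $rule.DisplayName
                Program     = $program
                FileExists  = $exists
                Signature   = $signature
            }
        }
}

# Run from an elevated prompt in the affected user's session, so that
# %APPDATA% expands to that user's profile.
Find-UserPathFirewallRule | Format-Table -AutoSize -Wrap
```

Legitimately signed software also registers inbound rules from AppData, so use the Signature and FileExists columns for triage rather than the path alone.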

In January 2017, another variant of Zeus was detected, namely Terdot Zloader/Zbot. Here, the Sundown Exploit Kit is used for the distribution. The Trojan has also integrated legitimate applications inside its package to further avoid detection and to use those apps for malicious reasons. Interestingly enough, people who have the Russian language on their computer will not get infected.

What Is ZeuS Virus Alert?

From 2016 to this day, lots of technical support scams have been using an alert message that claims that you have been infected with the ZeuS Virus, such as the example provided in the screenshot down here:

The following tech support scams and one ransomware have also written that your PC is infected with ZeuS as a scare tactic:

In the above three cases however, you should not worry as much, because the real ZeuS Trojan virus will probably not have infected your computer and the ZeuS virus alert message is fake.

Besides those fraudulent detections which were exhibited, there are also several other detections which were reported to be associated with browser hijacking software otherwise known as Potentially Unwanted Applications. Such software is usually slithered onto your computer via what many refer to as bundling, which is modifying the setup of a free program to add an installation step to the unwanted software. Usually, bundling began as a marketing tool, but now it is also used in suspicious websites as a tool, which aims to slither such applications in computers:

Since the apps are essentially classified as a low-level type of threat, they remain active on the computer, and may begin to modify the settings of its web browsers, for example Google Chrome, Microsoft Edge, Mozilla Firefox, Internet Explorer and others. As soon as these settings are modified, the web browsers may have different suspicious browser extensions added to them that may cause:

  • Online pop-ups.
  • Browser redirects.
  • Highlighted text.
  • Taken over banners.

Once those have been performed, one of the redirections may lead to third-party web links that simply lock the user out of his browser and display a pop-up with a message claiming the computer has been infected with the Zeus virus. But this is actually a fake tech support scam, aiming to get users to call the numbers provided in the fake messages. The messages are very convincing and may even be accompanied by a robotic sound notification:

Here are some examples of such notifications:

“Windows Detected ZEUS Virus. The infections detected indicate some recent downloads on the computer which in turn has created problems on the computer. Call technical support 0800-014-8826, 1-844-557-5460 and share this code B2957E to the Agent to Fix This.”

When such tech support scams are encountered, we strongly advise you to check out our removal video to help you get rid of the tech support scam and any potentially unwanted programs related to it.

What Is a Zbot Virus?

In case you were wondering what the ZeuS malware, otherwise also known as the Zbot Virus, is, here is the right place to find out. Below, you will see the files of the virus and what they might be, and how you can detect it if it has been put on your computer silently and is waiting to receive a command to steal your data. Here is how to find it, step by step:

With Administrator rights, look for these directories and files:

  • %systemroot%\system32\sdra64.exe (malware)
  • %systemroot%\system32\lowsec
  • %systemroot%\system32\lowsec\user.ds (stolen data file – encrypted)
  • %systemroot%\system32\lowsec\user.ds.lll (file for stolen data – temporary)
  • %systemroot%\system32\lowsec\local.ds (configuration file – encrypted)

Without Administrator rights, look for these directories and files:

  • %appdata%\sdra64.exe
  • %appdata%\lowsec
  • %appdata%\lowsec\user.ds
  • %appdata%\lowsec\user.ds.lll
  • %appdata%\lowsec\local.ds

The ZeuS virus will also tamper with the Windows Registry, changing the following two registry entries to ensure that it loads with Administrator privileges:

→HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The default is:
"Userinit" = "C:\WINDOWS\system32\userinit.exe"

and it is changed to:
"Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe"

If you do not have Administrator rights, look for this string here:


The ZeuS Trojan horse virus adds the following:
"Userinit" = "C:\Documents and Settings\<user>\Application Data\sdra64.exe"

Note! As there are many variants of ZeuS, the executable file may vary. Besides the one described above (sdra64.exe), the following ones are recorded to have been used in the past as well:

  • ntos.exe
  • oembios.exe
  • twext.exe
  • pdfupd.exe
  • 73mendjd.exe (used in 2017)
  • onlineservicesw.exe (used in 2017)

Afterward, the Zeus Trojan horse will use one of the above mentioned executables to inject code into one of the following two processes (depending on what privileges it succeeded in acquiring): winlogon.exe or explorer.exe. That code injection is made with the aim of hiding Zeus among other processes, so that you as the user do not suspect a thing. Code is then injected into other processes as well, in order to steal data. If you notice a spike of activity in a general process from the Task Manager, check it out, as you might have been infected and unaware of the fact.
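The checks described in this section can be scripted. The PowerShell function below is an added example, not code from the original article: it looks for the listed files under both locations and inspects the Userinit value under the HKLM Winlogon key named above. The function name is illustrative, and the SysWOW64 folder is an addition made here because 32-bit code writing to system32 on 64-bit Windows is redirected there.

```powershell
# Added example: look for the Zbot file and registry artifacts listed in this section.
# Get-ZbotArtifact is an illustrative name; indicator values are copied from the article.
function Get-ZbotArtifact {
    [CmdletBinding()]
    param()

    # Executable names the article lists for different ZeuS variants.
    $exeNames = 'sdra64.exe', 'ntos.exe', 'oembios.exe', 'twext.exe',
                'pdfupd.exe', '73mendjd.exe', 'onlineservicesw.exe'
    # Data folder and files the article lists next to the executable.
    $dataItems = 'lowsec', 'lowsec\user.ds', 'lowsec\user.ds.lll', 'lowsec\local.ds'

    # %systemroot%\system32 and %appdata% are the article's two locations;
    # SysWOW64 is the addition explained in the lead-in.
    $roots = @(
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'SysWOW64'),
        $env:APPDATA
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    foreach ($root in $roots) {
        foreach ($item in ($exeNames + $dataItems)) {
            $path = Join-Path $root $item
            # -Force is required because the files may be hidden or system.
            $found = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            if ($found) {
                [pscustomobject]@{
                    Check  = 'File'
                    Item   = $found.FullName
                    Detail = "Created $($found.CreationTimeUtc.ToString('u'))"
                }
            }
        }
    }

    # Userinit should name userinit.exe only; every comma-separated entry is
    # started at logon, which is why the appended sdra64.exe path persists.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
    $property = Get-ItemProperty -LiteralPath $winlogon -Name Userinit -ErrorAction SilentlyContinue
    if ($property) {
        $userinit = [string]$property.Userinit
        # A clean value often ends with a comma, so empty entries are dropped.
        $entries = $userinit -split ',' |
            ForEach-Object { $_.Trim().Trim('"') } |
            Where-Object { $_ }
        foreach ($entry in $entries) {
            if ($entry -ne $expected) {   # -ne is case-insensitive for strings
                [pscustomobject]@{
                    Check  = 'Userinit'
                    Item   = $entry
                    Detail = "Unexpected entry in: $userinit"
                }
            }
        }
    }
}

# Run in a 64-bit PowerShell session as the affected user.
$findings = @(Get-ZbotArtifact)
if ($findings.Count -eq 0) {
    'No listed Zbot artifacts found.'
} else {
    $findings | Format-List
}
```

A hit on a file name alone is a lead to verify, not proof of infection, and an empty result does not rule out variants that use other names.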

How Do I Remove Trojan ZeuS?

If your computer got infected with the Zeus Trojan horse virus, you should have a bit of experience in removing malware. You should get rid of this Trojan horse as quickly as possible before it can have the chance to spread further and infect other computer systems. You should remove the virus and follow the step-by-step instructions guide provided down below.

Tsetso Mihailov

Tsetso Mihailov is a tech-geek and loves everything that is tech-related, while observing the latest news surrounding technologies. He has worked in IT before, as a system administrator and a computer repair technician. Dealing with malware since his teens, he is determined to spread word about the latest threats revolving around computer security.


About the ZeuS Research

The content we publish on SensorsTechForum.com, this ZeuS how-to removal guide included, is the outcome of extensive research, hard work and our team’s devotion to help you remove the specific, adware-related problem, and restore your browser and computer system.

How did we conduct the research on ZeuS?

Please note that our research is based on independent investigation. We are in contact with independent security researchers, thanks to which we receive daily updates on the latest malware, adware, and browser hijacker definitions.
Furthermore, the research behind the ZeuS threat is backed with VirusTotal https://www.virustotal.com/gui/home/upload.

How to Remove ZeuS from Windows.

Step 1: Boot Your PC In Safe Mode to isolate and remove ZeuS



1. Hold Windows key + R

2. The "Run" Window will appear. In it, type "msconfig" and click OK.

3. Go to the "Boot" tab. There select "Safe Boot" and then click "Apply" and "OK".
Tip: Make sure to reverse those changes by unticking Safe Boot after that, because your system will always boot in Safe Boot from now on.

4. When prompted, click on "Restart" to go into Safe Mode.

5. You can recognise Safe Mode by the words written on the corners of your screen.

Step 2: Uninstall ZeuS and related software from Windows

Here is a method in a few easy steps that should be able to uninstall most programs. No matter if you are using Windows 10, 8, 7, Vista or XP, those steps will get the job done. Dragging the program or its folder to the recycle bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, and that can lead to unstable work of your PC, errors with the file type associations and other unpleasant activities. The proper way to get a program off your computer is to uninstall it. To do that:

1. Hold the Windows Logo Button and "R" on your keyboard. A Pop-up window will appear.

2. In the field type in "appwiz.cpl" and press ENTER.

3. This will open a window with all the programs installed on the PC. Select the program that you want to remove, and press "Uninstall"
Follow the instructions above and you will successfully uninstall most programs.

Step 3: Clean any registry entries created by ZeuS on your computer.

The usually targeted registry keys of Windows machines are the following:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

You can access them by opening the Windows registry editor and deleting any values created by ZeuS there. To do so, follow the steps below:

1. Open the Run Window again, type "regedit" and click OK.

2. When you open it, you can freely navigate to the Run and RunOnce keys, whose locations are shown above.

3. You can remove the value of the virus by right-clicking on it and removing it.

Tip: To find a virus-created value, you can right-click on it and click "Modify" to see which file it is set to run. If this is the virus file location, remove the value.
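The tip above can be applied to all four keys at once. The following PowerShell function is an added example, not part of the original guide: it lists every Run and RunOnce value together with the file it launches, so the target can be compared with the virus file location before anything is deleted. The function name and the Suspicious flag (target under a user profile and not validly signed) are assumptions made for illustration.

```powershell
# Added example: list every Run/RunOnce value with the file it launches.
# Get-RunKeyEntry is an illustrative name; the Suspicious flag is a heuristic
# assumed here, based on the article placing the malware under %appdata%.
function Get-RunKeyEntry {
    [CmdletBinding()]
    param()

    # The four keys listed in this step.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

    # Parent folder of all user profiles, normally C:\Users.
    $profilesRoot = (Split-Path -Path $env:USERPROFILE -Parent).TrimEnd('\') + '\'

    foreach ($keyPath in $keys) {
        $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
        if (-not $key) { continue }

        foreach ($name in $key.GetValueNames()) {
            # GetValue expands REG_EXPAND_SZ data such as %APPDATA%.
            $command = [string]$key.GetValue($name)

            # Pull the executable out of the command line: a quoted path first,
            # otherwise everything up to the first ".exe", otherwise the first token.
            $exe = if ($command -match '^\s*"([^"]+)"') {
                $Matches[1]
            } elseif ($command -match '^\s*(.+?\.exe)(\s|$)') {
                $Matches[1]
            } else {
                ($command.Trim() -split '\s+')[0]
            }

            # Bare names resolved through PATH are reported as NotResolved.
            $exists = $exe -and (Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue)
            $signature = if ($exists) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status
            } else {
                'NotResolved'
            }

            $inProfile = $exe.StartsWith($profilesRoot, [StringComparison]::OrdinalIgnoreCase)

            [pscustomobject]@{
                Key        = $keyPath
                Name       = $name
                Command    = $command
                Target     = $exe
                Signature  = $signature
                Suspicious = $inProfile -and ("$signature" -ne 'Valid')
            }
        }
    }
}

# Review flagged entries first; nothing is deleted by this function.
Get-RunKeyEntry | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```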

Before starting "Step 4", please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

Step 4: Scan for ZeuS with SpyHunter Anti-Malware Tool

1. Click on the "Download" button to proceed to SpyHunter's download page.

It is recommended to run a scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter. Click on the corresponding links to check SpyHunter's EULA, Privacy Policy and Threat Assessment Criteria.

2. After you have installed SpyHunter, wait for it to update automatically.


3. After the update process has finished, click on the 'Malware/PC Scan' tab. A new window will appear. Click on 'Start Scan'.


4. After SpyHunter has finished scanning your PC for any files of the associated threat and found them, you can try to get them removed automatically and permanently by clicking on the 'Next' button.


If any threats have been removed, it is highly recommended to restart your PC.


Get rid of ZeuS from Mac OS X.

Step 1: Uninstall ZeuS and remove related files and objects


1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”, like the image below shows:

2. Find Activity Monitor and double-click it:

3. In the Activity Monitor look for any suspicious processes, belonging or related to ZeuS:

Tip: To quit a process completely, choose the “Force Quit” option.

4. Click on the "Go" button again, but this time select Applications. Another way is with the ⇧+⌘+A buttons.

5. In the Applications menu, look for any suspicious app or an app with a name similar or identical to ZeuS. If you find it, right-click on the app and select “Move to Trash”.

6. Select Accounts, after which click on the Login Items preference.

Your Mac will then show you a list of items that start automatically when you log in. Look for any suspicious apps identical or similar to ZeuS. Check the app you want to stop from running automatically and then click on the Minus (“-”) icon to hide it.

7. Remove any left-over files that might be related to this threat manually by following the sub-steps below:

  • Go to Finder.
  • In the search bar type the name of the app that you want to remove.
  • Above the search bar change the two drop down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app so be very careful which files you delete.
  • If all of the files are related, hold the ⌘+A buttons to select them and then drag them to “Trash”.

In case you cannot remove ZeuS via Step 1 above:

In case you cannot find the virus files and objects in your Applications or other places we have shown above, you can manually look for them in the Libraries of your Mac. But before doing this, please read the disclaimer below:

Disclaimer! If you are about to tamper with Library files on Mac, be sure to know the name of the virus file, because if you delete the wrong file, it may cause irreversible damage to your MacOS. Continue on your own responsibility!

1: Click on "Go" and Then "Go to Folder" as shown underneath:

2: Type in "/Library/LaunchAgents/" and click Ok:

3: Delete all of the virus files that have similar or the same name as ZeuS. If you believe there is no such file, do not delete anything.

You can repeat the same procedure with the following other Library directories:

→ ~/Library/LaunchAgents

Tip: The ~ is there on purpose, because it points to your user folder, which holds more LaunchAgents.

Step 2: Scan for and remove ZeuS files from your Mac

When you are facing problems on your Mac as a result of unwanted scripts and programs such as ZeuS, the recommended way of eliminating the threat is by using an anti-malware program. SpyHunter for Mac offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.

Click the button below to download SpyHunter for Mac and scan for ZeuS:



Remove ZeuS from Google Chrome.

Step 1: Start Google Chrome and open the drop menu

Step 2: Move the cursor over "Tools" and then from the extended menu choose "Extensions"

Step 3: From the opened "Extensions" menu locate the unwanted extension and click on its "Remove" button.

Step 4: After the extension is removed, restart Google Chrome by closing it from the red "X" button at the top right corner and start it again.


Erase ZeuS from Mozilla Firefox.

Step 1: Start Mozilla Firefox. Open the menu window

Step 2: Select the "Add-ons" icon from the menu.

Step 3: Select the unwanted extension and click "Remove"

Step 4: After the extension is removed, restart Mozilla Firefox by closing it from the red "X" button at the top right corner and start it again.


Uninstall ZeuS from Microsoft Edge.

Step 1: Start Edge browser.

Step 2: Open the drop menu by clicking on the icon at the top right corner.

Step 3: From the drop menu select "Extensions".

Step 4: Choose the suspected malicious extension you want to remove and then click on the gear icon.

Step 5: Remove the malicious extension by scrolling down and then clicking on Uninstall.


Remove ZeuS from Safari.

Step 1: Start the Safari app.

Step 2: After hovering your mouse cursor to the top of the screen, click on the Safari text to open its drop down menu.

Step 3: From the menu, click on "Preferences".


Step 4: After that, select the 'Extensions' Tab.


Step 5: Click once on the extension you want to remove.

Step 6: Click 'Uninstall'.


A pop-up window will appear asking for confirmation to uninstall the extension. Select 'Uninstall' again, and the ZeuS will be removed.

How to Reset Safari
IMPORTANT: Before resetting Safari make sure you back up all your saved passwords within the browser in case you forget them.

Start Safari and then click on the gear icon.

Click the Reset Safari button and you will reset the browser.


Eliminate ZeuS from Internet Explorer.

Step 1: Start Internet Explorer.

Step 2: Click on the gear icon labeled 'Tools' to open the drop menu and select 'Manage Add-ons'.

Step 3: In the 'Manage Add-ons' window.

Step 4: Select the extension you want to remove and then click 'Disable'. A pop-up window will appear to inform you that you are about to disable the selected extension, and some more add-ons might be disabled as well. Leave all the boxes checked, and click 'Disable'.

Step 5: After the unwanted extension has been removed, restart Internet Explorer by closing it from the red 'X' button located at the top right corner and start it again.

Remove Push Notifications caused by ZeuS from Your Browsers.

Turn Off Push Notifications from Google Chrome

To disable any Push Notices from Google Chrome browser, please follow the steps below:

Step 1: Go to Settings in Chrome.


Step 2: In Settings, select “Advanced Settings”:


Step 3: Click “Content Settings”:


Step 4: Open “Notifications”:


Step 5: Click the three dots and choose Block, Edit or Remove options:
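The list behind the "Notifications" screen can also be read straight from the profile's `Preferences` file, which is plain JSON. The script below is an added example, not part of the original article: it assumes the layout `profile.content_settings.exceptions.notifications`, with `setting` 1 meaning allow and 2 meaning block, and it runs on constructed sample data with made-up site names.

```python
import json

ALLOW, BLOCK = 1, 2  # assumed Chrome content-setting values: 1 = allow, 2 = block

# Constructed sample: a cut-down "Preferences" file with made-up sites.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://news.example:443,*": {"last_modified": "13300000000000000", "setting": 1},
        "https://push-ads.example:443,*": {"last_modified": "13350000000000000", "setting": 1},
        "https://shop.example:443,*": {"last_modified": "13310000000000000", "setting": 2},
    }}}}
})


def notification_sites(preferences_text, wanted=ALLOW):
    """Return (origin, last_modified) pairs whose notification setting equals
    `wanted`, most recently changed first."""
    node = json.loads(preferences_text)
    for key in ("profile", "content_settings", "exceptions", "notifications"):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    if not isinstance(node, dict):
        return []  # unexpected layout: report nothing instead of failing
    found = []
    for pattern, entry in node.items():
        if isinstance(entry, dict) and entry.get("setting") == wanted:
            origin = pattern.split(",", 1)[0]  # drop the ",*" secondary pattern
            found.append((origin, int(entry.get("last_modified", 0))))
    return sorted(found, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print("Sites allowed to send notifications (newest first):")
    for origin, modified in notification_sites(SAMPLE_PREFERENCES):
        print("  ", origin, modified)
    print("Sites already blocked:")
    for origin, modified in notification_sites(SAMPLE_PREFERENCES, BLOCK):
        print("  ", origin, modified)
```

Any allowed site you do not recognise is a candidate for the Block or Remove option in Step 5; close Chrome before reading the real file so its contents are up to date.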


Remove Push Notifications on Firefox

Step 1: Go to Firefox Options.


Step 2: Go to “Settings”, type “notifications” in the search bar and click "Settings":


Step 3: Click “Remove” on any site whose notifications you want gone, then click “Save Changes”.


Stop Push Notifications on Opera

Step 1: In Opera, press ALT+P to go to Settings.


Step 2: In the Settings search box, type “Content” to go to Content Settings.


Step 3: Open Notifications:


Step 4: Do the same as you did with Google Chrome (explained above):


Eliminate Push Notifications on Safari

Step 1: Open Safari Preferences.


Step 2: Choose the domain whose push pop-ups you want gone and change its setting from "Allow" to "Deny".


What is ZeuS?

The ZeuS threat is adware or a browser redirect virus. It may slow your computer down significantly and display advertisements. The main idea is likely for your information to get stolen or for more ads to appear on your device.

The creators of such unwanted apps work with pay-per-click schemes to get your computer to visit risky or different types of websites that may generate funds for them. This is why they do not even care what types of websites show up on the ads. This makes their unwanted software indirectly risky for your OS.

What are the symptoms of ZeuS?

There are several symptoms to look for when this particular threat and also unwanted apps in general are active:

Symptom #1: Your computer may become slow and perform poorly in general.

Symptom #2: You have toolbars, add-ons or extensions on your web browsers that you don't remember adding.

Symptom #3: You see all types of ads, like ad-supported search results, pop-ups and redirects, appear randomly.

Symptom #4: You see installed apps on your Mac running automatically and you do not remember installing them.

Symptom #5: You see suspicious processes running in your Task Manager.

If you see one or more of those symptoms, then security experts recommend that you check your computer for viruses.

What types of Unwanted Programs are there?

According to most malware researchers and cyber-security experts, the threats that can currently affect your Mac can be of the following types:

  • Rogue Antivirus programs.
  • Adware.
  • Browser hijackers.
  • Clickers.
  • Fake optimizers.

What to do if I have a "virus" like ZeuS?

Do not panic! You can easily get rid of most adware or unwanted program threats by first isolating them and then removing them from your browser and computer. One recommended way to do that is by using reputable malware removal software that can take care of the removal automatically for you. There are many anti-malware apps out there that you can choose from. SpyHunter is one of the recommended anti-malware apps that can scan your computer for free, detect any viruses, tracking cookies and unwanted adware apps, and eliminate them quickly. This saves time when compared to doing the removal manually.

How to secure my passwords and other data from ZeuS?

With a few simple actions. First and foremost, it is imperative that you follow these steps:

Step 1: Find a safe computer and connect it to another network, not the one on which your Mac was infected.

Step 2: Change all of your passwords, starting from your e-mail passwords.

Step 3: Enable two-factor authentication for protection of your important accounts.

Step 4: Call your bank to change your credit card details (secret code, etc.) if you have saved your credit card for online shopping or have done online activities with your card.

Step 5: Make sure to call your ISP (Internet provider or carrier) and ask them to change your IP address.

Step 6: Change your Wi-Fi password.

Step 7: (Optional): Make sure to scan all of the devices connected to your network for viruses and repeat these steps for them if they are affected.

Step 8: Install anti-malware software with real-time protection on every device you have.

Step 9: Try not to download software from sites you know nothing about and stay away from low-reputation websites in general.

If you follow these recommendations, your network and all devices will become significantly more secure against any threats or information-invasive software, and will stay virus-free and protected in the future too.

You can find more tips on our website, where you can also ask any questions and comment underneath the articles about your computer problems. We will try to respond as fast as possible.
