Detecting a Zeus Infection
When protecting a computer from the Zeus virus, keep in mind that the malware goes by a number of names, which perhaps contributes to the difficulty of getting rid of it. It is also known as Zbot and Kneber, among many other names.
The easiest way to determine whether a computer is infected with the Zeus virus is to examine the operating system processes for any anomalies. Typically, the virus processes will have file names like one of the following examples:
Alternatively, these files can be located in the file system of the infected computer and a search should easily reveal them. If the files and processes are hidden from a user, a sure-fire way to detect an infection is to examine the registry key:
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
If the key has an entry for ntos.exe, the computer is infected with Zeus.
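The registry check described above can be scripted. The following is an added example, not code from the original article: it splits the Userinit data into its comma-separated entries and classifies each one. The function names are hypothetical, the sample value is constructed, and treating userinit.exe under System32 as the only expected entry is an assumption about a stock Windows installation.

```python
import ntpath
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumption: a stock installation lists only userinit.exe from System32.
EXPECTED_NAME = "userinit.exe"
ZEUS_NAME = "ntos.exe"  # file name given in the article


def check_userinit(value):
    """Classify each comma-separated entry of a Userinit value.

    Returns a list of (entry, verdict) tuples, where verdict is
    "expected", "zeus-indicator" or "unexpected".
    """
    findings = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the stock value ends with a trailing comma
        name = ntpath.basename(entry).lower()
        folder = ntpath.dirname(entry).lower()
        if name == ZEUS_NAME:
            verdict = "zeus-indicator"
        elif name == EXPECTED_NAME and folder.endswith(r"\system32"):
            verdict = "expected"
        else:
            # Covers extra programs and a userinit.exe outside System32.
            verdict = "unexpected"
        findings.append((entry, verdict))
    return findings


def read_userinit():
    """Read the live value from the 64-bit registry view (Windows only)."""
    import winreg
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0, access) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed sample, used when the script is not run on Windows.
    sample = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"
    value = read_userinit() if sys.platform == "win32" else sample
    for entry, verdict in check_userinit(value):
        print(f"{verdict:15} {entry}")
```

Any entry reported as "unexpected" is not proof of Zeus, but it is launched at every logon and is worth investigating.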
A user should be suspicious if a website suddenly asks for private information, for example in the midst of a transaction. There are legitimate reasons why a site would require authentication from time to time; however, there is always a logical sequence. If the user encounters a request for information, it is best to try logging in from another machine to be absolutely sure of legitimacy.