Trojan.Zeroaccess.B

When Trojan.Zeroaccess.B infects a computer, it tampers with the system by injecting code into Windows processes. This technique also hides the Trojan's actions while it is inside the PC.

Trojan.Zeroaccess.B is a dangerous computer parasite that uses a very complex technique to conceal itself. This threat may also allow the malware author to access the infected computer from a remote location. Its entry does not need the computer user's permission; instead, it forces entry by taking advantage of system and software faults. Trojan.Zeroaccess.B has every means to control the infected system. It can inject code into several processes and runs on its own at every start of Windows.

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista/7

Characteristics
When Trojan.Zeroaccess.B loads on the computer, it drops malicious files and obscures its presence while it remains inside the system. It does this by injecting code into legitimate Windows processes. This Trojan also creates a hidden file system where it stores most of its files. To further entrench the infection, Trojan.Zeroaccess appends its code to a legitimate Windows driver to avoid detection and removal.

When this Trojan is activated on 32-bit systems, it replaces several driver files under “C:\Windows\System32\Drivers\” with its own code.

On 64-bit computers, it looks for the following folders and creates them if they do not exist.
%Windir%\assembly\tmp\U
%Windir%\assembly\GAC_64
%Windir%\assembly\GAC_32
%Windir%\assembly\GAC_MSIL

Trojan.Zeroaccess.B drops and loads the following files as part of its operation.
%Windir%\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
%System%\consrv.dll

Trojan.Zeroaccess.B constantly connects to a remote computer to download more malware and update itself. This keeps the Trojan alive and lets it perform additional malicious tasks. The backdoor established by the Trojan can also allow unauthorized remote access.
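The folders and files listed above, together with the Session Manager SubSystems value that a commenter further down reports (consrv:ConServerDllInitialization), can be checked in one pass. The following PowerShell triage script is an added example, not the page's own procedure nor a Kaspersky or Symantec tool; it assumes an elevated session on Windows 7 or later and only reports, it deletes nothing.

```powershell
# Added triage check (not the page's or any vendor's tool). Reports the
# ZeroAccess.B indicators named on this page; deletes nothing. Run elevated.
$windir   = $env:windir
$system32 = Join-Path $windir 'System32'

# Strong indicators: paths the page lists as dropped or created by the Trojan.
$strong = @(
    (Join-Path $windir   'assembly\tmp\U'),
    (Join-Path $windir   'assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}'),
    (Join-Path $system32 'consrv.dll')
)
# Weak indicators: the page says the Trojan creates these on 64-bit systems,
# but the same folders exist on clean machines with the .NET Framework installed.
$weak = 'GAC_64', 'GAC_32', 'GAC_MSIL' | ForEach-Object { Join-Path $windir "assembly\$_" }

$findings = @()
foreach ($p in $strong) { if (Test-Path -LiteralPath $p) { $findings += "STRONG  $p" } }
foreach ($p in $weak)   { if (Test-Path -LiteralPath $p) { $findings += "weak    $p (also present on .NET hosts)" } }

# Registry: the Windows subsystem server list. A clean Windows 7 system names
# winsrv for ConServerDllInitialization; a 'consrv' reference is the hijack a
# commenter below describes.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$value = (Get-ItemProperty -Path $key -Name 'Windows').Windows
if ($value -match 'consrv') { $findings += "STRONG  SubSystems\Windows references consrv: $value" }

# consrv.dll is a DLL, so it never shows as its own entry in Task Manager
# (commenters below note this). Look at loaded modules of each process instead;
# processes we cannot open are skipped.
$hosts = foreach ($proc in Get-Process) {
    try { if ($proc.Modules.ModuleName -contains 'consrv.dll') { $proc.ProcessName } } catch { }
}
if ($hosts) { $findings += "STRONG  consrv.dll loaded in: $($hosts -join ', ')" }

if ($findings.Count -eq 0) { 'No ZeroAccess.B indicators from this page were found.' }
else { $findings }
```

Because the page says the Trojan hides its files and processes, a clean result from a live infected system is not conclusive; a negative result is more trustworthy when the script is run from Safe Mode, as the removal steps below recommend.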

Distribution
This threat spreads in several ways. The most common contact with Trojan.Zeroaccess.B is through infected but otherwise legitimate web sites. These sites redirect the visitor's Internet traffic to an assigned web address that hosts other kinds of malware, which exploit security and software weak spots to penetrate the PC.

How to Remove Trojan.Zeroaccess.B

Step 1 : Restart Windows in SafeMode with Networking

Starting Windows in Safe Mode loads only a minimal set of files and drivers. Most start-up malware and viruses don't run in this mode because Windows loads only the basic components needed to initiate the system.

NOTE: You will need to PRINT or BOOKMARK this procedure, as we have to restart the computer during the removal process.

To start Windows in Safe Mode with Networking, please do the following:

1. Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then restart the computer.

Boot in Safe Mode on Windows XP, Windows Vista, and Windows 7 systems
a) Before Windows begins to load, press F8 on your keyboard.
b) It will display the Advanced Boot Options menu. Select Safe Mode.

Start computer in Safe Mode using Windows 8
a) Before Windows begins to load, press Shift and F8 on your keyboard.
b) On Recovery interface, click on 'See advanced repair options'.
c) Next, click on Troubleshoot option.
d) Then, select Advanced options from the list.
e) Lastly, choose Windows Startup Settings and click Restart. When Windows restarts, you will be sent to the familiar Advanced Boot Options screen.
f) Select Safe Mode from the selections menu.

Safe Mode

2. Once the computer boots into Safe Mode with Networking, please proceed with the steps below.

Step 2 : Scan the Computer with TDSSKiller to Remove Trojan.Zeroaccess.B

TDSSKiller is a free anti-rootkit utility from Kaspersky that neutralizes complex malware which hides its processes, folders, files and registry entries.

1. Download TDSSKiller and save the file on your desktop or any accessible spot.

Download TDSSKiller

2. Extract the contents of the downloaded file (tdsskiller.zip) using an archiver program like WinZip or WinRAR.
3. Locate the folder where you extracted tdsskiller.zip and double-click the file TDSSKiller.exe to launch the scanner.
4. Once TDSSKiller is open, tick Services and drivers as well as Boot Sectors. Picking these options ensures that the program inspects the boot sector and system files infected with Trojan.Zeroaccess.B. Please refer to the attached image.

TDSSKiller

5. Click the Start Scan button to begin scanning your system. This may take a while. You need to complete this process to make sure that the program detects and deletes all components of Trojan.Zeroaccess.B.
6. When the scan has finished, you may restart Windows normally. This part of the removal process, using TDSSKiller, is now complete.

Step 3: Run Another Scan with ZeroAccess Fix Tool

This additional step is meant to guarantee that no more components of Trojan.Zeroaccess.B are present inside the computer. If the first scan fails to catch all threats, running ZeroAccess Fix Tool ensures that all remaining Trojans, viruses, and malware are deleted.

1. Download the file FixZeroAccess.exe from the provided link. Save the file to an accessible location like the Windows desktop. This is a free tool created by Symantec to remove variants of the Zeroaccess Trojan.

Download ZeroAccess Fix Tool

2. Close all open programs.
3. Browse to the location of the file FixZeroAccess.exe and double-click it to run it. If it prompts with a security warning and asks whether you want to run the file, choose Run.
4. It will open the Zero Access Fix Tool End User License Agreement (EULA). You must accept this license agreement in order to proceed with Trojan.Zeroaccess.B removal. Click I Accept.
5. Finally, it displays a message and prepares the computer to restart. Please click on Proceed.

Zeroaccess Fix Tool

6. When it shows a message about 'Restarting System', click the OK button.
7. After restarting the computer, the tool will display information about identified threats. Continue running the tool by following the prompts.
8. When it reaches the final step, the tool shows the scan result listing the deleted components of Trojan.Zeroaccess.B. Your computer is now free from any harm.

Ways to Prevent Trojan.Zeroaccess.B Infection

Here are some guidelines to help defend your computer from virus attacks and malware activity. Being fully protected does not have to be expensive.

Install protection software to block Trojan.Zeroaccess.B and other threats

Having an effective anti-malware program is the best way to guard your computer against malware and threats. Although the full version of an anti-malware product costs money, it is still worth buying one. With real-time scanning, it is safer for you to browse the web, download files, and do more things online.


Keep all programs up to date

It is important to download critical updates for installed programs. Software updates include patches for security flaws that an attacker could use to enter the computer. These flaws may be exploited by Trojan.Zeroaccess.B, viruses, and malware to attack the computer. Crucial programs to watch for updates are MS Windows, MS Office, Adobe Flash, Adobe Acrobat, and Java Runtime.

Activate security features of your Internet browser

SmartScreen Filter, Phishing and Malware Protection, and Block Attack Sites are the respective security features of Internet Explorer, Google Chrome, and Mozilla Firefox. Although they may not fully guard your computer from online attacks, they at least lessen the risk. Enabling these features also helps secure your private data and avoid identity theft.

Be a responsible Internet user

Antivirus programs and the security features of Internet browsers provide real-time protection and monitor harmful activity online. However, they can malfunction for various reasons, so you should not be fully dependent on these tools. It is always best to practice safe habits when using the Internet.


11 Comments

  1. Kyler
    Jan 11, 2012 @ 01:25:04

    I went through the steps up until I got stuck at step 9 because Norton Power Eraser could not find anything. I am running Windows 7, and I don’t know if I should try to disable system restore to get rid of it.

  2. justin_b98
    Jan 11, 2012 @ 04:26:12

    @Kyler, you may want to restore Windows to an earlier date of System Restore instead of disabling it. I think disabling System Restore will delete all restore points.

    About NPE, in my experience, after execution it will update itself. Try to wait for a couple of minutes before running the scan. Another thing that can remove rootkit like Trojan.Zeroaccess.B is TDSS killer. A product of Kaspersky.

  3. Kyler
    Jan 12, 2012 @ 00:36:55

    @justin_b98
    Advice didn’t help. NPE didn’t update, TDSSkiller didn’t find anything either. I did try selecting “Include Rootkit Scan” outside of safe mode before I came across this article, and some files were removed, but the virus is still there.

  4. Hanns
    Jan 13, 2012 @ 00:38:45

    Thanks for this procedure. However, there are some additional steps I did to remove Zeroaccess.B Trojan.

    While in Safe Mode, I managed to remove the following registry entry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\”Windows” = “consrv:ConServerDllInitialization”

    Press CTRL + ALT +DEL to access Task Manager and stop the following process:
    consrv.dll

    Then delete the following file:
    C:\Windows\System32\consrv.dll

    I also had to overwrite some files. I booted up with my Win 7 Installation CD. Once the computer boots up from the CD, choose "Repair your computer", then select the infected system and click "Next". Choose "Startup Repair" from System Recovery Options. From there on just proceed with the instructions and let Windows replace all infected system files.

    Please note that I performed this method while my computer was disconnected from the Internet.

  5. Aryan
    Jan 20, 2012 @ 04:44:38

    For my computer, I have that Trojan but the problem is that the consrv.dll process is not listed in my processes in Task Manager, so is that a good thing or a bad thing….

    Please reply, this problem has been nagging me for some time now.

  6. paralax
    Jan 20, 2012 @ 12:25:48

    Aryan,

    It is normal for Trojan ZeroAccess to hide the main process. Remember that it is a rootkit, which means it hides itself inside legitimate system processes.

    For this type of threat, it is best to run an anti-rootkit tool like Norton Power Eraser and TDSS Killer. Remember to run these tools in Safe Mode and be sure that your Internet is disconnected.

  7. Shay
    Feb 02, 2012 @ 07:14:34

    Will this process work on a 64-bit system running Windows 7?

  8. Marc
    Jun 24, 2012 @ 02:30:53

    I've had this thing for a couple of days. My Norton Antivirus auto-protect keeps popping up saying the risk was "partially" removed. I've tried some of the things mentioned here (system is 32-bit). I don't have a consrv.dll running in Task Manager. When I run NPE, as soon as I tell it to run it just says it will have to reboot. It doesn't do a scan; it says it will need to reboot. When it does, there is no delay like it's looking for rootkits before Windows starts reloading. Yes, I did it in Safe Mode. How do I get rid of this damn thing? Now with the auto-protect results I'm seeing another thing show up (I assume that's via the back door talked about, to allow other infections). What also shows up now is Trojan.Gen.2.

  9. alaa
    Jun 29, 2012 @ 08:23:24

    I've tried those steps, but when it detected the virus I would try deleting it and it would say (Symantec Endpoint Protection cannot perform this action on 1 of the files you detected)
    and then it would say
    possible causes:
    - the files have been removed or deleted
    - you are trying to clean files located in an email message
    - you are trying to clean a compressed file in a container
    What should I do, as it keeps popping up? It's really annoying.

  10. Jim
    Aug 19, 2012 @ 02:55:29

    If you get this virus you can either not use your computer on the Internet ever again, or you can format and reinstall everything. No fixes work, including Norton, TDSS Killer, Combofix etc. It keeps coming back, and even gets worse when trying to remove it as it shoots the CPU to 100% via Ping.exe; then if you remove that, several svchosts steal up to 50% of the CPU, which can only be fixed by a System Restore point to get the CPU back down to 0%. I've had this now since February and the computer works fine once the System Check virus is removed, as long as I don't connect it to the Internet, so I use another computer online. I have years of experience removing viruses but can't get rid of this one, and it's the first time I haven't been able to. Would love it if someone proves me wrong though :)…but yeah, just came here to say that if your computer is infected with this it's in serious trouble.

  11. jt
    Oct 15, 2012 @ 21:52:59

    Use scanspyware, also called scan spyware net; it detects it. Zillya too. Some files will have to be removed manually; between the 2 softwares you can figure it out. TDSS only removes some of it.
