Trojan.Zeroaccess.B
Trojan.Zeroaccess.B is a dangerous computer parasite. The Trojan uses a very complex technique to conceal itself, and it may also allow the malware author to access the infected computer from a remote location. It installs itself without the computer user's permission. Trojan.Zeroaccess.B has every means to control the infected system: it can inject code into several processes and runs on its own at every start of Windows.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista/7
Characteristics
When Trojan.Zeroaccess.B is loaded on the computer, it drops malicious files and obscures its presence by injecting code into legitimate Windows processes. The Trojan also creates a hidden file system where most of its files are stored.
When this Trojan is activated on a 32-bit system, it replaces several driver files under "C:\Windows\System32\Drivers\" with its own code.
On 64-bit computers, it looks for the following folders and creates them if they do not exist.
%Windir%\assembly\tmp\U
%Windir%\assembly\GAC_64
%Windir%\assembly\GAC_32
%Windir%\assembly\GAC_MSIL
Trojan.Zeroaccess.B will drop and load the following files as part of its operation.
%Windir%\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
%System%\consrv.dll
Trojan.Zeroaccess.B constantly connects to a remote computer to download more malware and update itself. This keeps the Trojan current and lets it perform additional malicious tasks. The backdoor it establishes also makes unauthorized remote access possible.
Distribution
This threat is spread in several ways. The most common contact with Trojan.Zeroaccess.B is through compromised legitimate web sites. These sites redirect the visitor's Internet traffic to an assigned web address that hosts other malware, which exploits security and software weaknesses to penetrate the PC.
%Windir%\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
%System%\consrv.dll
%Windir%\assembly\tmp\U\80000000.@
%Windir%\assembly\tmp\U\800000cb.@
%Windir%\assembly\tmp\U\800000cf.@
How to Remove Trojan.Zeroaccess.B
1. Temporarily disable System Restore (Windows Me/XP).
2. To make sure even the most recent variant of Trojan.Zeroaccess.B is identified, open your antivirus application and update its virus definition file.
3. Start Windows in Safe Mode with Networking.
- From a powered-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display the Windows Advanced Boot Options menu. Select Safe Mode with Networking.
- The system will now boot Windows and load only the necessary drivers and files.
4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If an item cannot be deleted, place it in quarantine instead. Once the scan is complete, proceed with the next step.
Scan with Norton Power Eraser:
An additional removal tool such as Norton Power Eraser provides deep scanning that can eliminate threats a normal virus scan does not detect. Use this tool with extra caution.
5. Go to Norton Power Eraser web page and download the tool.
6. Once the download completes, double click on the file NPE.exe to run the program.
7. It will prompt you with the End User License Agreement; click Accept to continue.
8. In the NPE main window, click Scan, then select Include Rootkit Scan. Click Continue to proceed.
9. Virus scanning may take some time. After running the scan, NPE will display the scan result.
Important! If there are any detected threats under Suspicious, remove the check mark. Only threats in the Detected category need to be removed at this point. Make sure Create System Restore Point is checked before proceeding with the fix.
10. Now click Fix to start removing the threats, including any Trojan.Zeroaccess.B remnants.
11. When done, Norton Power Eraser will restart the computer. After the reboot, it will initialize and display the eliminated threats.
12. You may now close Norton Power Eraser.
Kyler
Jan 11, 2012 @ 01:25:04
I went through the steps up until I got stuck at step 9 because Norton Power Eraser could not find anything. I am running Windows 7, and I don’t know if I should try to disable system restore to get rid of it.
justin_b98
Jan 11, 2012 @ 04:26:12
@Kyler, you may want to restore Windows to an earlier date of System Restore instead of disabling it. I think disabling System Restore will delete all restore points.
About NPE, in my experience, after execution it will update itself. Try to wait for a couple of minutes before running the scan. Another thing that can remove rootkits like Trojan.Zeroaccess.B is TDSSKiller, a product of Kaspersky.
Kyler
Jan 12, 2012 @ 00:36:55
@justin_b98
Advice didn’t help. NPE didn’t update, TDSSkiller didn’t find anything either. I did try selecting “Include Rootkit Scan” outside of safe mode before I came across this article, and some files were removed, but the virus is still there.
Hanns
Jan 13, 2012 @ 00:38:45
Thanks for this procedure. However, there are some additional steps I did to remove Zeroaccess.B Trojan.
While in Safe Mode, I managed to remove the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\"Windows" = "consrv:ConServerDllInitialization"
Press CTRL + ALT + DEL to access Task Manager and stop the following process:
consrv.dll
Then delete the following file:
C:\Windows\System32\consrv.dll
I also had to overwrite some files. I booted up with my Win 7 installation CD. Once the computer boots from the CD, choose "Repair your computer", then select the infected system and click "Next". Choose "Startup Repair" from System Recovery Options. From there on just proceed with the instructions and let Windows replace all infected system files.
Please note that I performed this method while my computer was disconnected from the Internet.
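The file paths listed above and the SubSystems registry value quoted in Hanns's comment are the two host indicators this page gives. The following Python script is an added example (not from the page or any commenter) that checks for both from a defender's side: it expands the page's %Windir% and %System% placeholders and tests whether the listed paths exist, and it parses the SubSystems "Windows" value to flag any ServerDll module other than the ones a stock Windows 7 install loads (basesrv, winsrv, sxssrv). The known-good module set, the constructed sample values, and the read_live_subsystem_value helper are assumptions; on Windows the script reads the live value with winreg, elsewhere it runs against the constructed samples. Only the tmp\U folder from the 64-bit folder list is checked, because the GAC_32/GAC_64/GAC_MSIL folders also exist on clean systems.

```python
"""
Host check for the ZeroAccess indicators listed on this page.
Added example, not code from the page or its commenters.
"""
import os
import re
import sys

# Paths from the page's file list, keeping the page's own placeholders.
IOC_PATHS = [
    r"%Windir%\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}",
    r"%System%\consrv.dll",
    r"%Windir%\assembly\tmp\U\80000000.@",
    r"%Windir%\assembly\tmp\U\800000cb.@",
    r"%Windir%\assembly\tmp\U\800000cf.@",
    r"%Windir%\assembly\tmp\U",  # folder the Trojan creates on 64-bit systems
]

# Assumption: ServerDll modules a stock Windows 7 csrss loads. The console
# initialisation entry legitimately points at winsrv, never at consrv.
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Matches "ServerDll=module[:init_function][,index]" tokens in the value.
_SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::([^,\s]+))?(?:,(\d+))?")

# Constructed sample environment (not captured from a real machine).
SAMPLE_ENV = {"windir": r"C:\Windows", "system": r"C:\Windows\System32"}

# Constructed sample SubSystems\Windows values, modelled on a Windows 7 install.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)
# The hijack Hanns describes: the console entry redirected to consrv.
INFECTED_VALUE = CLEAN_VALUE.replace(
    "winsrv:ConServerDllInitialization", "consrv:ConServerDllInitialization"
)


def expand_ioc_path(path, env):
    """Replace %Name% placeholders from `env` (keys lower-case); unknown ones are kept."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def find_present_iocs(env, exists=os.path.exists):
    """Return the expanded IoC paths that exist; `exists` is injectable for testing."""
    return [p for p in (expand_ioc_path(x, env) for x in IOC_PATHS) if exists(p)]


def parse_server_dlls(subsystem_value):
    """Extract (module, init_function, index) tuples from a SubSystems\\Windows value."""
    return [(m.group(1), m.group(2), m.group(3))
            for m in _SERVERDLL_RE.finditer(subsystem_value)]


def find_unknown_server_dlls(subsystem_value):
    """Return ServerDll entries whose module is not in the known-good set."""
    return [e for e in parse_server_dlls(subsystem_value)
            if e[0].lower() not in KNOWN_SERVER_DLLS]


def read_live_subsystem_value():
    """Windows only (assumed helper): read the live value with the standard winreg module."""
    import winreg
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        return winreg.QueryValueEx(key, "Windows")[0]


if __name__ == "__main__":
    if sys.platform == "win32":
        windir = os.environ.get("WINDIR", r"C:\Windows")
        env = {"windir": windir, "system": os.path.join(windir, "System32")}
        value = read_live_subsystem_value()
    else:
        # Off Windows, demonstrate against the constructed samples.
        env, value = SAMPLE_ENV, INFECTED_VALUE
    print("IoC paths present:", find_present_iocs(env))
    print("Unknown ServerDll entries:", find_unknown_server_dlls(value))
```

Run it from an elevated prompt on the suspect machine. A hit in either list is a reason to go through the rootkit-scan steps above rather than to delete by hand: consrv.dll is loaded into csrss.exe through that registry value, so the file and the value must be dealt with together, which is what the Startup Repair step in the comment above achieves.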
Aryan
Jan 20, 2012 @ 04:44:38
For my computer, I have that Trojan, but the problem is that the consrv.dll process is not listed in my processes in Task Manager, so is that a good thing or a bad thing...
Please reply this problem has been nagging me for some time now.
paralax
Jan 20, 2012 @ 12:25:48
Aryan,
It is normal for Trojan ZeroAccess to hide the main process. Remember that it is a rootkit, which means it hides itself inside a legitimate system process.
For this type of threat, it is best to run an anti-rootkit tool like Norton Power Eraser and TDSS Killer. Remember to run these tools in Safe Mode and be sure that your Internet is disconnected.
Shay
Feb 02, 2012 @ 07:14:34
Will this process work on a 64-bit system running Windows 7?