Wednesday, December 28, 2011

Remove Trojan.Zeroaccess.B, a typical trojan that exploits Java vulnerabilities

Trojan.Zeroaccess.B lurks among the temporary files of a compromised computer system. The infection makes use of flaws in the Java environment.
Computers get infected when their users browse suspicious websites; many such sites contain malicious code for drive-by downloads.
The exploit does not carry a payload of any special complexity. It is a typical infection of its class, and its purpose is to deliver another infection. Which one is specified in its internal instructions, and those instructions vary from case to case because the exploit is used to drop multiple infections.
To remove Trojan.Zeroaccess.B along with the other infections, click the free scanner link as the first step of Trojan.Zeroaccess.B removal.



Manual removal guide:
Delete infected files:
%Windir%\assembly\tmp
%Windir%\assembly\U
%Windir%\assembly\GAC_64
%Windir%\assembly\GAC_32
%Windir%\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
%System%\consrv.dll
Delete infected registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\"Windows" = "consrv:ConServerDllInitialization"

Rename the remover to "explorer.exe" or try to install it from Safe Mode if the virus blocks the download or installation.
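Before touching the registry entry listed above, it helps to confirm what the SubSystems\Windows value actually loads. The script below is an added example, not part of the original post: it parses the ServerDll entries of that value and flags any module other than the stock basesrv and winsrv, such as the consrv entry this infection adds. The two sample value strings are constructed to mirror the documented Windows 7 layout, and the expected-module set is an assumption based on that stock value; on Windows the script reads the live value instead.

```python
import re

# Constructed sample values (not captured from a real machine); the layout
# mirrors the documented format of the SubSystems\Windows value on Windows 7.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
)
INFECTED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)

# Modules csrss.exe loads on a stock system (assumption based on the clean value above).
EXPECTED_MODULES = {"basesrv", "winsrv"}

# ServerDll=<module>[:<entry point>][,<index>]
SERVERDLL_RE = re.compile(r"ServerDll=([^,\s:]+)(?::([^,\s]+))?(?:,(\d+))?")


def parse_serverdlls(value):
    """Return a list of (module, entry_point, index) tuples found in the value."""
    return [(m.group(1), m.group(2), m.group(3)) for m in SERVERDLL_RE.finditer(value)]


def suspicious_serverdlls(value):
    """Return the ServerDll entries whose module is not an expected csrss module."""
    return [e for e in parse_serverdlls(value) if e[0].lower() not in EXPECTED_MODULES]


def read_live_value():
    """Read the real value on Windows; return None elsewhere or if the key is missing."""
    try:
        import winreg
        key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            data, _ = winreg.QueryValueEx(key, "Windows")
        return data
    except (ImportError, OSError):
        return None


if __name__ == "__main__":
    value = read_live_value() or INFECTED_VALUE  # fall back to the constructed sample
    for module, entry, index in suspicious_serverdlls(value):
        print(f"unexpected ServerDll: {module}:{entry} (index {index})")
```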

2 comments:

Anonymous said...

I removed the registry and now my windows does not work......... Screw you

--Karan

Anonymous said...

Deleting consrv.dll makes the screen go black right before the logon screen where you can pick your user to log in with. I think it forces the system to go to sleep.

The workaround to this is to hit F8 right before that to go into Safe Mode with Networking, which will let you log in and get to the desktop.

To run any programs (such as antivirus, regedit, etc), you must search for the executable, right-click it, and choose Run as Administrator. Double-clicking won't work.

Norton Antivirus (with the latest definitions) detects this virus and all the other viruses it downloads, and removes the other viruses but cannot remove this. It says manual removal is necessary.

They then suggest Norton Power Eraser as a removal tool. Norton Power Eraser needs to reboot the system in order to scan for rootkits, and you have to go through the whole F8 - safe mode with networking bit for it to reboot properly. Then Norton Power Eraser doesn't detect any threats.

www.norton.com describes how the virus loads consrv.dll from the registry, HKLM/System/CCS/Control/Session Manager/SubSystems/"Windows", and when I checked the value of that key vs. a non-infected system, I did notice that somewhere in the middle the infected system says "ServerDLL=consrv:ConServerDLLInitialization" and the clean system says "ServerDLL=winsrv:ConServerDLLInitialization".

However, changing "consrv" to "winsrv" doesn't fix the black screen. I have a feeling that several system files including csrss.exe, service.exe, svchost.exe, cress.exe, winlogin.exe, and all the web browser.exes must be restored from the Windows 7 installation CD.