Need help eliminating Trojan.ZeroAccess.B

2 replies to this topic

#1 LavosKiller
Posted 13 January 2012 - 01:49 PM

Hello, this is my first time posting here. I am in need of assistance eliminating this Trojan.ZeroAccess.B rootkit from my mom's friend's laptop. The laptop model is a Toshiba C655D-S5300 and it is running Windows 7. I have been at this for several days. What I have tried thus far is the following, to the best of my memory:

Note that one of the traits of this variation is that whenever I try to run a .exe program, a dialog box appears asking which program I would like to open the .exe program with. (It treats these programs like files.) I am able to fix this much of the problem by copying a clean EXE.reg from a DVD to the desktop and merging it.

Attempt 1:
Merged EXE.reg file. Ran Full Scan on Norton AntiVirus. It found a misleading application and several viruses, including FakeAVCloud, Trojan.Gen.2 (I think) and Trojan.Backdoor. Those were removed, but Trojan.ZeroAccess.B could not be removed. Set up an internet connection to get advice. Downloaded Norton Power Eraser to the computer and ran it. I clicked Accept, Scan, and Include Rootkit Scan, in that order, the last of which requires a restart. However, upon reboot Windows failed to start up and had to go to Startup Repair. Startup Repair used System Restore to fix the machine, but once it finished rebooting, the virus was restored. Internet connection settings were lost and EXE.reg was not on the desktop.

Attempt 2:
Was able to run some of the .exe programs, but not all of them, for some odd reason. Fake AV software "Win 7 Security 2012" is appearing with pop-ups. Notifications of ping.exe using up a lot of CPU resources appeared twice during this next attempt. Was able to open Norton AntiVirus, but it had to be updated. Set up an internet connection again and updated Norton. Ran Full Scan again. Malware found is mostly the same. Trojan.ZeroAccess.B still persists. Ran NPE again (which was still among the downloaded files, odd considering other downloads were missing). Again clicked Accept, Scan, and Include Rootkit Scan. This time the restart was successful. NPE found three malicious files, including consrv.dll. (I would look in the log to get their exact filenames, but the damn thing writes them as .xml files and the data is hard to read.) The computer restarted again, but went back to the Startup Repair screen. This time it had to go through the same repair process twice. Upon successful restart, internet connection settings are saved, and the fake AntiVirus and ping.exe notifications are gone. However, all .exe files bring up the "Open With" dialog box again. Merged the EXE.reg file again. Opened and updated Norton. Ran Full Scan. Mostly the same viruses again, including Trojan.ZeroAccess.B. Shut down for now.

Attempt 3:
Used another computer to search for possible solutions. Came across this: http://www.precisesecurity.com/trojan/trojan-zeroaccess-b

Booted up the laptop, had to go through the same Startup Repair process once again. Merged EXE.reg again. Following the instructions, opened and updated Norton. This time I shut down without scanning, then booted into Safe Mode with Networking. Everything started fine. Opened up Norton and ran a full scan. Mostly the same risks again, though this time three heuristic viruses were also found, two of which were partially infected .cab files, a Data1 and one other (can't recall the name). Deleted both of the infected files, leaving only ZeroAccess.B. Opened NPE again, clicked Accept, Scan, and this time Exclude Rootkit Scan. Nothing was found after the scan, however. Tried again with Include Rootkit Scan, thinking Safe Mode might make it work. The laptop restarted, only to once again enter Startup Repair, forcing me to use System Restore's data to reset it again. Shut down after successful boot.

Attempt 4:
Sought help at the same information source. (That's me in the comments, right there.) Taking the advice, repeated the same steps as in attempt 3 until opening NPE, at which point I waited for it to update, but it never happened. Clicked Accept, Scan, Exclude Rootkit Scan. Nothing was found. Downloaded TDSSKiller onto the laptop. Ran and scanned twice, once as is and once with all parameters checked. Both times nothing was found. Laptop is currently sleeping.

As you can see, this rootkit is extremely resilient. I am here because I need expert help eliminating this bug. Any help is deeply appreciated.

Edited by LavosKiller, 13 January 2012 - 01:53 PM.
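The "Open With" prompt on every .exe described in the post above is the classic symptom of a broken .exe file association. The script below is an added example, not code from this thread or from any of the tools it mentions: it audits the registry keys that drive .exe launching and writes a minimal EXE.reg that restores the Windows 7 defaults. The expected data (`exefile`, `"%1" %*`) are the stock Windows 7 values as I know them; the list of per-user override keys it checks (HKCU\Software\Classes\.exe, the FileExts\.exe\UserChoice key) is my assumption about where such hijacks usually land, not something the post reports. Note that, as the poster already observed, repairing the association only restores the ability to launch programs; it does nothing about the rootkit itself.

```powershell
# Added example (not from the original thread). Audits the .exe association
# keys and emits a repair .reg file. Run from an elevated PowerShell, ideally
# in Safe Mode; the .reg file can also be generated on a clean machine and
# carried over on removable media, as the poster did with EXE.reg.

# HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes,
# with the per-user branch winning, so a stray HKCU .exe key overrides the
# machine-wide setting. Expected data below are stock Windows 7 values
# (assumed); EditFlags, icon and drop handlers are left out on purpose
# because they are not needed for "%1" to launch again.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Classes\.exe';                        Expect = 'exefile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command';  Expect = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\runas\command'; Expect = '"%1" %*' }
)

# Keys that should not exist at all on a stock install (assumed override points).
$mustBeAbsent = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
)

function Test-ExeAssociation {
    # Returns one string per deviation from the expected state; empty means stock.
    $problems = @()
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue).'(default)'
        if ($actual -ne $c.Expect) {
            $problems += "$($c.Path) default is '$actual', expected '$($c.Expect)'"
        }
    }
    foreach ($k in $mustBeAbsent) {
        if (Test-Path $k) {
            $problems += "$k exists and overrides the machine-wide .exe setting"
        }
    }
    return $problems
}

function Write-ExeRepairReg([string]$OutFile) {
    # In .reg syntax, @= sets the key's default value, \" escapes a quote in the
    # data, and [-Key] deletes the key. The data for open/runas is: "%1" %*
    $reg = @'
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[-HKEY_CURRENT_USER\Software\Classes\.exe]

[-HKEY_CURRENT_USER\Software\Classes\exefile]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice]
'@
    # regedit reads UTF-16 LE; PowerShell's "Unicode" encoding is exactly that.
    Set-Content -Path $OutFile -Value $reg -Encoding Unicode
}

$findings = Test-ExeAssociation
if ($findings.Count -eq 0) { "EXE association looks stock." } else { $findings }
Write-ExeRepairReg -OutFile "$env:USERPROFILE\Desktop\EXE.reg"
```

Re-run `Test-ExeAssociation` after merging the generated EXE.reg; if the keys revert on the next boot, as the poster saw, something still running on the machine is rewriting them, which is a reason to move on to the rootkit-specific tooling the replies below point to rather than to keep re-merging.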

#2 Broni
Posted 13 January 2012 - 02:22 PM

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


#3 LavosKiller
Posted 14 January 2012 - 02:10 PM

Finished creating the new topic:

http://www.bleepingcomputer.com/forums/topic438074.html
