MajorGeeks Support Forums

Go Back   MajorGeeks Support Forums > ----------= PC, Desktop and Laptop Support =---------- > Malware Removal
Register FAQ Members List Calendar Casino Mark Forums Read

Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.

Thread Tools Display Modes
Old 09-14-11, 12:17
Blizzardess Blizzardess is offline
Private E-2
Join Date: Sep 2011
Posts: 6
Thanks: 5
Thanked 0 Times in 0 Posts
Default 0 access (zero access) rootkit discussion

I wanted to discuss this particular one because in some cases it is not completely removable.

A few things I noticed running tests on a seperate system (xp sp3 32 bit) wich some might or might not know.
- Process appears in task manager and shouts out to you "I am not healthy" (figuratively).
- Can still kill explorer and internet explorer processes (so far in early stages).
- Appears to use IE (doesn't matter the version) to get instructions. Regularily pins cpu usage when connected to internet.
- The sooner you disconnect internet the better.
- Does not seem to degrade system seriously if infected when there is no internet connection. Still cannot use AV and such but easy to get tdss killer to remove.
- Kills all AV's / Anit-Malware programs very quickly reguardless of internet connection.
- TDSS killer works great especially if found in early stages.
- Gmer can find it but not clean. Will not be disabled either.
- Windows firewall pops up wanting you to unblock IE. Will not give you any info or details.
- If Malware Bytes is in the process of running a scan during infection it will not kill it immediately. Initiating scans after infection trigger the rootkit to disable.
I am still going through testing and need to add more variables and time to the equation.

As far as real world sightings and exp. I haven't seen it much and is usually associated with naughty vids, cracking, and keygens etc. I had a hard time finding a real infection source. Alot of sites with that particular rootkit have been taken down quickly but there are sites that have also been up for months which still have it.

I hope ppl can add to this with their own exp. / brainpower.

Thx in advance.
Reply With Quote
Sponsored links
Old 09-14-11, 16:50
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 79,712
Thanks: 61
Thanked 7,413 Times in 3,965 Posts
Default Re: 0 access (zero access) rootkit discussion

Welcome to Major Geeks!

We have been removing it successfully for a few weeks already as you can see by reading the threads in this forum. There are multiple forms of this infection and various levels of residual damage that it may cause. For example in some instances, it is corrupting the TCP/IP stack which results in no internet connection being available.
"There are 10 types of people in this world. Those who understand binary and those who don't."

Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
Old 09-14-11, 23:00
thisisu's Avatar
thisisu thisisu is offline
Malware Consultant
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,162
Thanks: 269
Thanked 1,432 Times in 1,355 Posts
Default Re: 0 access (zero access) rootkit discussion

Hi Blizzardess,

Originally Posted by Blizzardess View Post
I had a hard time finding a real infection source. Alot of sites with that particular rootkit have been taken down quickly but there are sites that have also been up for months which still have it.
Quick question about this, are its effects immediate -- as in, as soon as you visit the infected site, you start getting errors about opening certain programs? Or did you have to reboot before the system starting acting up? I still have not found a site with it, and no computers at work have come in with it. I have been trying to get infected with one of the newer ZA variants on a VM but no luck yet.

Once again, welcome to Major Geeks!
Reply With Quote
Old 09-15-11, 10:39
Blizzardess Blizzardess is offline
Private E-2
Join Date: Sep 2011
Posts: 6
Thanks: 5
Thanked 0 Times in 0 Posts
Default Re: 0 access (zero access) rootkit discussion

Well. with this particular one I found it wasn't on an advertisement, it was in a keygen. I had to actually run the keygen to get infected. Requires no reboot to be infected, but does require internet connection for other commands and effect is immediate. Errors with opening already installed AV's is also immediate. If i cut off internet connection it kind of just sits there, weather it is actually doing anything or not is another question that I am trying to figure out. Mabe length of time with internet connection is a variable in the severity of infection or mabe not. As for this being a newer variant, no, it is at least a few months old and the newer variant places for known infection were taken down within 36 hours. From a normal windows user perspective I don't believe they would know that they are infected. It is just in the backround doing it's own thing, letting you go to websites and letting you download. I read somewhere that it would also be great for removing TDL .
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
rootkit.win32.z Access.C wrightm99 Malware Removal 7 08-30-11 15:08
Access wireless router settings w/o internet access alexsleat Hardware 4 09-04-08 04:52
no access to email/forbidden to access firewall/new administrator account made (?) grfd#711 Malware Removal 1 10-05-06 16:56
No access to WWW but all progs can access the net ok. SnOzZ Software 5 10-29-05 16:34
Trying to gain access to access denied directories in dos William Software 7 10-27-04 19:46

All times are GMT -5. The time now is 14:53.

MajorGeeks.Com Home Page
| Admin Tools | All In One | Anti-Spyware | Anti-Virus | Appearance | Backup | Benchmarking | BIOS | Browsers | Covert Ops |
Data Recovery | Diagnostics | Drive Cleaners | Drive Utilities | Drivers | Driver Tools Ergonomics | Firewalls | Games | Game Tweaks | Graphics | Input Devices | Internet Tools | Macintosh | Mail Utilities | Memory | Messaging | Monitoring | Microsoft | Multimedia | Networking | Office Tools | Process Management | Processor | Registry | Security | System Info | Toys | Video | Miscellaneous
Powered by vBulletin® Version 3.8.4
Copyright © 2009 vBulletin Solutions, Inc. All rights reserved.
Ad Management by RedTyger