ZeroAccess

ZeroAccess Description


ZeroAccess is a rootkit that uses advanced techniques to conceal itself and thwart your PC security software. Afterwards, ZeroAccess may also be used to open a backdoor on your system in the fashion of a backdoor Trojan. As is true of other rootkits that SpywareRemove.com malware researchers have analyzed, ZeroAccess has negligible symptoms of its activities, although you may be able to find ZeroAccess by watching for malfunctions in your anti-malware and security programs. ZeroAccess has been updated several times throughout its life and is sufficiently advanced and potentially damaging that only specialized and up-to-date anti-malware programs should be used to delete any ZeroAccess infection on your PC. Refraining from doing so will leave your computer open to attack by criminals and other forms of harmful software, and can cause lose of private information or destruction of files on your PC.

The Hidden ZeroAccess Threat to Your Computer


ZeroAccess is considered a highly-sophisticated kernel mode rootkit due to its use of multiple methods to obscure itself and attack programs that could find or remove ZeroAccess and similar rootkits. Although ZeroAccess isn’t considered quite as advanced as a TDL3 Rootkit, it remains comparable to such rootkits (including Rootkit.Boot.Mybios.a, TDSS.e!rootkit, TDSS Rootkit and Rootkit.Win32.Agent.bhnc) in terms of potential damage to your PC.

Since SpywareRemove.com malware researchers have found that ZeroAccess, like many other rootkits, prefers to load itself without an independent process that can be seen and shut down, you may not be able to tell when ZeroAccess is active unless its related attacks give off visible signals, such as browser hijacks, system slowdown or visibly-altered network settings.

However, the attack that ZeroAccess is most well-known for is its ability to shut down any program that engages in behavior that ZeroAccess feels would be a threat to ZeroAccess.
DOWNLOAD NOW

» Learn more about SpyHunter's Spyware Detection Tool
and steps to uninstall SpyHunter.

This includes most forms of standard system scans that are used by anti-malware and security programs. Since ZeroAccess has received multiple updates since its origin in July of 2011, keeping your anti-malware software equally up-to-date is important for removing ZeroAccess.

You may also be able to infer the existence of ZeroAccess by noting the presence of related PC infections, particularly dropper Trojans. These Trojans, such asTrojan-Downloader.Agent-BFJ, Trojan-Dropper.Win32.Delf.br, Trojan-dropper.win32.VB.agtq, Trojan-Dropper.Win32.HDrop.apo or Trojan-Downloader.Agent-FCX can install ZeroAccess and may also install spyware, ransomware Trojans, worms or other PC threats.

Why ZeroAccess is a Great Big Zero for Your Computer’s Safety


Besides its notable security program-disabling traits, any particular ZeroAccess variant may also possess any or all of the following attributes:
  • In all instances that SpywareRemove.com malware experts have observed thus far, ZeroAccess chooses a system driver to infect for its base of operations. This allows ZeroAccess to launch without your consent and makes it extremely difficult to remove ZeroAccess, which can restore itself even when partially deleted. Improper removal of ZeroAccess is almost certain to cause harm to your operating system, which is why the use of a dedicated anti-malware program to delete ZeroAccess is strongly encouraged.
  • ZeroAccess may be used to steal private information. This can include account login data or passwords, Social Security numbers, credit card numbers or even all keyboard input, monitor output and webcam footage.
  • ZeroAccess may install other types of harmful programs onto your PC just as a standard dropper Trojan would do; these programs can include Remote Administration Tools, worms, viruses and many other forms of malicious software.
  • ZeroAccess may allow remote criminals to access and control your PC; the level of control that ZeroAccess potentially can allow to a criminal may be effectively unlimited.
  • Your system may also experience undesirable setting changes while ZeroAccess is on your PC. While open network ports and exceptions added to your firewall are the most likely changes, ZeroAccess may also cause any number of other alterations, such as concealing files, hijacking your browser or changing your desktop image.

Confirmed aliases for ZeroAccess include Dropper.Sirefef.B, Generic Dropper!dvy and Trojan-Dropper.Win32.Sireref.b.

ZeroAccess Automatic Detection Tool (Recommended)


Is your PC infected with ZeroAccess? To safely & quickly detect ZeroAccess we highly recommend you run the malware scanner listed below.



File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
  • The following files were created in the system:
    # File Name
    1 %System%\Drivers\classpnp.sys
    2 %System%\Drivers\win32k.sys

Registry Modifications

Tutorial: To edit and delete registry entries manually, read the tutorial on how to remove malicious registry entries.

Tip & Warning: Editing and removing the wrong registry keys can severely damage your PC, so remember to backup your Windows Registry! To optimize your Windows Registry and speed up your PC, download RegHunter's registry cleaner.
  • The following newly produced Registry Values are:
    HKEY..\..\{Value}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE NAME OF INFESTED DRIVER]\"ImagePath" = "\*"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE NAME OF INFESTED DRIVER]\"Start" = "3"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[FILE NAME OF INFESTED DRIVER]\"Type" = "1"

Related Posts

Posted: August 23, 2011 | By
Share:
Rate this article:
1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 5.00 out of 5)
Loading ... Loading ...
Threat Metric
Threat Level: 10/10
Detection Count: 191

2 Comments

  • Dwire says:

    It’s actually a cool and useful piece of info. I’m happy that you simply shared this helpful info with us. Please keep us informed like this. Thanks for sharing.

  • Mary says:

    saying system admin will not allow download. I am sys admin and can not find where i have this blocked.

Leave a Reply

What is 14 + 13 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)