MalwareTips.com
How to completely remove ZeroAccess/Sirefef rootkit (Removal Guide)
09-29-2011, 07:31 PM
Jack (Community Admin, Posts: 6,198, Joined: Jan 2011)
What is ZeroAccess/Sirefef rootkit?

ZeroAccess is a family of rootkits capable of infecting the Windows operating system. On infection, it replaces Windows system files and installs kernel hooks in an attempt to remain stealthy. Once the hooks are installed, the target operating system falls under the control of the rootkit, which is then able to hide processes, files and network connections, as well as to kill any security tools trying to access its files or processes. This rootkit is known to infect both 32 and 64 bit Windows operating systems.
ZeroAccess also patches system files to load its malicious code. The original file name is then kept inside an encrypted virtual file system the rootkit creates. The virtual file system is stored in a file on disk.

You can find more details here and here.

BEFORE YOU START: It's really important to understand that this rootkit is very hard to remove, as it affects critical Windows system files, so you'll need to pay attention to which infected files you are removing.
Please be aware that removing malware is a potentially hazardous undertaking.
We strongly recommend backing up your personal files and folders before you start the malware removal process.
This is a use-at-your-own-risk guide!


ZeroAccess/Sirefef rootkit Removal Instructions

These instructions should remove any remaining traces of this rootkit. If you are still experiencing problems on your PC or would like to have one of our staff members guide you through the process, please start a new thread in our Malware Removal Assistance forum.

STEP 1: Remove ZeroAccess/Sirefef malicious files and restore the compromised system files

  1. Run the ESET Sirefef malware removal tool
    • Download the ESET Sirefef malware removal tool and save it on your desktop.
      ESET Sirefef malware removal tool (EZ_SireFix.exe) DOWNLOAD LINK (This link will automatically download the ESET Sirefef malware removal tool on your computer)
    • From your Desktop, double-click the Sirefef malware removal tool (EZ_SireFix.exe) that you downloaded in the previous step.
    • If security notifications appear, click Continue or Run.
    • Read the disclaimer and then click Yes to clean your system.
    • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart. Once your computer has restarted, continue with the next step.
  2. Run the Services repair tool and perform a computer scan
    • Download the ESET Services repair tool and save it to your desktop.
      ESET Services repair tool (ServicesRepair.exe) DOWNLOAD LINK (This link will automatically download the ESET Services repair tool on your computer)
    • Double-click the services repair tool (ServicesRepair.exe) that you downloaded in the previous step.
    • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
    • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.

STEP 2: Run a scan with ComboFix

Download ComboFix from one of the following locations:

COMBOFIX DOWNLOAD LINK #1 (This link will automatically download ComboFix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download ComboFix on your computer)

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Close any open browsers.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan, so they do not interfere with the running of ComboFix. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
  • If there is no internet connection after running ComboFix, restart your computer to restore your connection.

  1. Double click on ComboFix.exe & follow the prompts.
  2. Accept the disclaimer and allow it to update if it asks.
  3. When finished, it will produce a log for you.
  4. Restart your computer.

Notes:
  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programs being marked for deletion, reboot again; that will cure it.



STEP 3: Run a system scan with HitmanPro


  1. Download the latest official version of HitmanPro.
    HITMANPRO DOWNLOAD LINK (This link will open a download page in a new window from where you can download HitmanPro)
  2. Double click on the previously downloaded file to start the HitmanPro installation.
    [Image: HitmanPro Icon]
    IF you are experiencing problems while trying to start HitmanPro, you can use the Force Breach mode. To start HitmanPro in Force Breach mode, hold down the left CTRL key when you start HitmanPro; all non-essential processes are then terminated, including the malware process. (How to start HitmanPro in Force Breach mode - Video)
  3. Click on Next to install HitmanPro on your system.
    [Image: Starting HitmanPro]
  4. The setup screen is displayed, from which you can decide whether you wish to install HitmanPro on your machine or just perform a one-time scan. Select an option, then click on Next to start a system scan.
    [Image: HitmanPro installation screen]
  5. HitmanPro will start scanning your system for malicious files, as seen in the image below.
    [Image: HitmanPro scanning for ZeroAccess rootkit]
  6. Once the scan is complete, you'll see a screen which will display all the malicious files that the program has found. Click on Next to remove these malicious files.
    [Image: HitmanPro scan results]
  7. Click Activate free license to start the free 30-day trial and remove the malicious files.
    [Image: Activate HitmanPro license]
  8. HitmanPro will now start removing the infected objects. If the program asks you to restart your computer, please allow this request.

STEP 4: Perform a scan with Malwarebytes Anti-Malware FREE


  1. Download the latest official version of Malwarebytes Anti-Malware FREE.
    MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This link will open a download page in a new window from where you can download Malwarebytes Anti-Malware Free)
  2. Start the Malwarebytes' Anti-Malware installation process by double clicking on the mbam-setup file.
    [Image: Malwarebytes Installer]
  3. When the installation begins, keep following the prompts in order to continue with the setup process. Do not make any changes to the default settings, and when the program has finished installing, make sure you leave both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If Malwarebytes' prompts you to reboot, please do not do so.
    [Image: Finishing Malwarebytes installation]
  4. Malwarebytes Anti-Malware will now start and you'll be prompted to start a trial period; please select 'Decline', as we just want to use the on-demand scanner.
    [Image: Decline Malwarebytes trial]
  5. On the Scanner tab, select Perform full scan and then click on the Scan button to start scanning your computer.
    [Image: Starting a full system scan]
  6. Malwarebytes' Anti-Malware will now start scanning your computer for ZeroAccess rootkit malicious files, as shown below.
    [Image: Malwarebytes scanning for malicious files]
  7. When the scan is finished a message box will appear; click OK to continue.
    [Image: Malwarebytes scan results]
  8. You will now be presented with a screen showing you the malware infections that Malwarebytes' Anti-Malware has detected. Please note that the infections found may be different from what is shown in the image. Make sure that everything is Checked (ticked) and click on the Remove Selected button.
    [Image: Infections found by Malwarebytes]
  9. Malwarebytes' Anti-Malware will now start removing the malicious files. After completing this task it will display a message stating that it needs to reboot; please allow this request and then let your PC boot in Normal mode.

STEP 5: Optional, but highly recommended scans

1. Run a scan with Kaspersky Virus Removal Tool
Click here to download the Kaspersky Virus Removal Tool.
  1. Save it to your desktop.
  2. Double click the setup file to run it.
  3. Follow the onscreen prompts until it is installed
  4. Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
    • System Memory
    • Hidden startup objects
    • Disk boot sectors
    • Local Disk (C:)
    • Any other drives (removable ones that you may have)
  5. Then click on Actions on the left hand side
  6. Click Select Action, then make sure both Disinfect and Delete if disinfection fails are ticked
  7. Click on Automatic Scan
  8. Now click the Start Scanning button, to run the scan
  9. After the scan is complete, click the reports button ('Paper icon', next to the 'cog' icon) on the right hand side
  10. Click Detected threats on the left
  11. Now click the Save button, and save it as kaslog.txt to your Desktop
  12. Please copy and paste the contents of kaslog.txt in your next reply.
2. Run a scan with ESET Online Scanner.
  1. Download ESET Online Scanner utility.
    ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
  2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
  3. Check Yes, I accept the Terms of Use
  4. Click the Start button.
  5. Check Scan archives
  6. Push the Start button.
  7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  8. When the scan completes, push List of found threats
  9. Push Export to Text file and save the file to your desktop using a unique name, such as ESET Scan. Include the contents of this report in your next reply. Note: when ESET doesn't find any threats, no report will be created.
  10. Push the back button.
  11. Push Finish

STEP 6: Remove the residual damage from ZeroAccess/Sirefef rootkit



  1. Download Windows Repair All in One by Tweaking.com to your computer.
    Windows Repair All in One DOWNLOAD LINK (This link will open a web page from where you can download Windows Repair All in One Portable version)
  2. Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
  3. Now open this folder and double-click Repair_Windows.exe.
  4. Click the Start Repairs tab on the far right.
  5. Click the Start button (bottom right).
    Note: When asked if you would like to create a restore point, it is recommended that you do, in case something does not go as planned.
  6. Click Unselect All
  7. Put a checkmark in the following items:
    • Repair Hosts File
    • Repair Temp Files
    • Remove Policies Set By Infections
    • Set Windows Services To Default Startup
    Note: Leave everything else unchecked
  8. Put a checkmark in Restart System When Finished
  9. Now click the Start button (bottom right)


Let's remove most of the tools that we have used to fix your machine:
  • Download OTC to your desktop and run it.
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine, choose Yes.
Delete the following files: (If they exist)
C:\ComboFix.txt

Delete the following folders: (If they exist)
C:\ComboFix
C:\Qoobox

If you want, you can uninstall the other tools that we have used. Stay safe!
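A post-cleanup check a defender can run after STEP 6 and the tool cleanup above, to confirm that the residual damage the guide describes (hosts file entries, policies set by the infection, Windows services reset to non-default startup, leftover ComboFix files) has actually been repaired. This is an added PowerShell example, not part of the guide or of any tool it names; the service names and start modes are assumed Windows 7 defaults and should be compared with a known-clean machine of the same Windows version.

```powershell
# Post-cleanup verification (added example, not from the guide). Run from an
# elevated PowerShell after the final reboot. Get-WmiObject is used so it also
# runs on the PowerShell 2.0 that shipped with Windows 7.
# ASSUMPTION: this service list and these start modes are typical Windows 7
# defaults for services ZeroAccess-era infections disable or delete.
$services = @{ 'BFE'='Auto'; 'MpsSvc'='Auto'; 'wscsvc'='Auto';
               'WinDefend'='Auto'; 'wuauserv'='Auto'; 'BITS'='Manual' }
$findings = @()

# 1. Security-related services: missing or not at their default start mode
foreach ($name in $services.Keys) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if (-not $svc) { $findings += "service $name is missing"; continue }
    if ($svc.StartMode -ne $services[$name]) {
        $findings += "service $name start mode is $($svc.StartMode), expected $($services[$name])"
    }
}

# 2. hosts file: anything beyond comments and the localhost lines is suspicious
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in Get-Content $hosts) {
    $t = $line.Trim()
    if ($t -eq '' -or $t.StartsWith('#')) { continue }
    if ($t -match '^(127\.0\.0\.1|::1)\s+localhost$') { continue }
    $findings += "hosts entry: $t"
}

# 3. Policies an infection sets to lock the user out of admin tools
foreach ($hive in 'HKCU','HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty $key
    foreach ($v in 'DisableTaskMgr','DisableRegistryTools') {
        if ($p.$v -eq 1) { $findings += "$hive policy $v is still set" }
    }
}

# 4. Leftovers the guide says to delete by hand
foreach ($path in 'C:\ComboFix.txt','C:\ComboFix','C:\Qoobox') {
    if (Test-Path $path) { $findings += "leftover tool artifact: $path" }
}

if ($findings.Count -eq 0) { 'No residual damage indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
# Optional follow-up: sfc.exe /verifyonly reports (without repairing) system
# files whose contents no longer match the signed originals.
```

Any "[!]" line means the corresponding repair in STEP 6 (or the ESET Services repair tool in STEP 1) did not take effect and that item should be revisited before the machine is considered clean.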