Remove ZeroAccess rootkit (Removal Instructions)

The ZeroAccess rootkit also known as Sirefef, is a malicious program that has as a primary motivation of to make money through pay per click advertising. It does this by downloading an application that conducts Web searches and clicks on the results. This is known as click fraud, which is a very lucrative business for malware creators.

The threat is also capable of downloading other threats on to the compromised computer, some of which may be Misleading Applications that display bogus information about threats found on the computer and scare the user into purchasing fake antivirus software to remove the bogus threats. It is also capable of downloading updates of itself to improve and/or fix functionality of the threat.

The ZeroAccess rootkit is distributed through several means. Some websites have been compromised, redirecting traffic to malicious websites that host Trojan.Zeroaccess and distribute it using the Blackhole Exploit Toolkit and the Bleeding Life Toolkit. This is the classic “drive-by download” scenario. It also updates itself through peer-to-peer networks, which makes it possible for the authors to improve it as well as potentially add new functionality.

If your antivirus is detecting any of the below files as malicious and it can’t remove them , then you’ll  know that you have a ZeroAccess infection:

C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\WINDOWS\services.exe << INFECTED
C:\windows\Installer\{random number sequence}\U\80000032.@
C:\windows\Installer\{random number sequence}\U\80000064.@
C:\windows\Installer\{random number sequence}\L\00000004.@
C:\windows\Installer\{random number sequence}\U\80000000.@
C:\windows\Installer\{random number sequence}\U\000000cb.@

ZeroAccess rootkit


Removal Instructions for ZeroAccess rootkit

STEP 1:  Remove the ZeroAccess rootkit with Kaspersky TDSSKiller

ZeroAccess has installed a  rootkit to protect itself from being removed.To remove the ZeroAccess  rootkit, we need to run a system scan with Kaspersky TDSSKiller.

  1. Please download the latest official version of Kaspersky TDSSKiller.
    KASPERSKY TDSSKILLER DOWNLOAD LINK(This link will automatically download Kaspersky TDSSKiller on your computer.)
  2. Before you can run Kaspersky TDSSKiller, you first need to rename it so that
    you can get it to run. To do this, right-click on the TDSSKiller.exe icon and select Rename.
    Edit the name of the file from TDSSKiller.exe to iexplore.exe, and then double-click on it to launch.
    Kaspersky Tdsskiller renamed
  3. Kaspersky TDSSKiller will now start and display the welcome screen as shown below.In order to start a system scan , press the ‘Start Scan’ button.
    Start a Kaspersky scan
  4. Kaspersky TDSSKiller will now scan your computer for the ZeroAccess rootkit.
    Kaspersky TDSSKiller scanning
  5. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.
    Kaspersky TDSSKiller results
  6. To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.A reboot will be require to completely remove this rootkit from your system.

STEP 2 : Remove the malicious files and replace the infected services.exe file

The ZeroAccess rootkit will infect services.exe Windows file,so we need to run Combofix to replace this file.

  1. Download Combofix from any of the below links.
    COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
    COMBOFIX DOWNLOAD LINK #2  (This link will automatically download Combofix on your computer)
  2. Before running this utiltiy,please follow the below instructions:
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      Temporarily disable your anti-virusscript blocking and any anti-malware real-time protection beforeperforming a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  3. Start the Combofix scan:
    1. Double click on ComboFix.exe and then follow the prompts.
    2. Accept the disclaimer and allow to update if it asks.
    3. When finished, it shall produce a log for you.
    4. Restart your computer

    Additional Notes:

    • DO NOT mouse-click Combofix’s window while it is running. That may cause it to stall.
    • DO NOT “re-run” Combofix. If you have a problem, reply back for further instructions.
    • IF after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.

STEP 3 : Remove the malicious registry keys added by the ZeroAccess rootkit

ZeroAccess has added some malicious registry keys to your Windows installation,to remove them we will need to perform a scan with RogueKiller.

  1. Please download the latest official version of RogueKiller.
    ROGUEKILLER DOWNLOAD LINK (This link will automatically download RogueKiller on your computer)
  2. Double click on RogueKiller.exe to start this utility and then wait for the Prescan to complete.This should take only a few seconds and then you can click the Start button to perform a system scan.
    RogueKiller scanning after ZeroAccess virus virus
  3. After the scan has completed, press the Delete button to remove any malicious registry keys.
    Remove ZeroAccess virus  infection with RogueKiller

STEP 4: Remove ZeroAccess malicious files with Malwarebytes Anti-Malware FREE

  1. Download the latest official version of Malwarebytes Anti-Malware FREE.
    MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This link will open a download page in a new window from where you can download Malwarebytes Anti-Malware Free)
  2. You can start the Malwarebytes’ Anti-Malware installation process by double clicking on mbam-setup file.
    [Image: Malwarebytes Installer]
  3. When the installation begins, keep following the prompts in order to continue with the setup process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If Malwarebytes’ prompts you to reboot, please do not do so.
    [Image: Finishing Malwarebytes installation]
  4. Malwarebytes Anti-Malware will now start and you’ll be prompted to start a trial period , please select ‘Decline‘ as we just want to use the on-demand scanner.
    [Image: Decline Malwarebytes trial]
  5. On the Scanner tab,select Perform full scan and then click on the Scanbutton to start scanning your computer.
    [Image: Starting a full system sca]
  6. Malwarebytes’ Anti-Malware will now start scanning your computer for ZeroAccess malicious files as shown below.
    [Image: Malwarebytes scanning for malicious files]
  7. When the scan is finished a message box will appear, click OK to continue.[Image: Malwarebytes scan results]
  8. You will now be presented with a screen showing you the malware infections that Malwarebytes’ Anti-Malware has detected.Please note that the infections found may be different than what is shown in the image.Make sure that everything is Checked (ticked) and click on the Remove Selected button.
    [Image: Infections found by Malwarebytes]
  9. Malwarebytes’ Anti-Malware will now start removing the malicious files.After completing this task it will display a message stating that it needs to reboot,please allow this request and then let your PC boot in Normal mode.

STEP 5: Run a scan with HitmanPro

  1. Download the latest official version of HitmanPro from the below link.
    HITMANPRO DOWNLOAD LINK(This link will open a download page in a new window from where you can download HitmanPro)
  2. Double click on the previously downloaded fileto start the HitmanPro installation.
    [Image: HitmanPro Icon]
    IF you are experiencing problems while trying to starting HitmanPro, you can use the “Force Breach” mode.To start this program in Force Breach mode, hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (How to start HitmanPro in Force Breach mode – Video)
  3. Click on Next to install HitmanPro on your system.
    [Image: Starting HitmanPro]
  4. The setup screen is displayed, from which you can decide whether you wish to install HitmanPro on your machine or just perform a one-time scan, select a option then click on Next to start a system scan.
    [Image: HitmanPro installation screen]
  5. HitmanPro will start scanning your system for malicious files as seen in the image below.
    [Image: HitmanPron scanning for ZeroAccess virus]
  6. Once the scan is complete,you’ll see a screen which will display all the malicious files that the program has found.Click on Next to remove this malicious files.
    [Image: HitmanPro scan results]
  7. Click Activate free license to start the free 30 days trial and remove the malicious files.
    [Image: Activate HitmanPro license]
  8. HitmanPro will now start removing the infected objects.If this program will ask you to restart your computer,please allow this request.

STEP 6: Double check for any left over infections on your computer

If want to make another check for any left over malicious files,you can run a scan with the following tools:

STEP A: Run a scan with Eset Online Scanner.

  1. Download ESET Online Scanner utility.
    ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
  2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
  3. Check Yes, I accept the Terms of Use
  4. Click the Start button.
  5. Check Scan archives
  6. Push the Start button.
  7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  8. When the scan completes, push Finish

STEP B: Run a scan with Emsisoft Emergency Kit.

  1. Please download the latest official version of Emsisoft Emergency Kit.
    EMSISOFT EMERGENCY KIT DOWNLOAD LINK (This link will open a download page in a new window from where you can download Emsisoft Emergency Kit)
  2. After the download process will finish , you’ll need to unpack EmsisoftEmergencyKit.zip and then double click on EmergencyKitScanner.bat
  3. A pop-up will prompt you to update Emsisoft Emergency Kit , please click the “Yes” button.After the Update process has completed , put the mouse cursor over the “Menu” tab on the left and click-on “Scan PC“.
  4. Select “Smart scan” and click-on the below “SCAN” button.When the scan will be completed , you will be presented with a screen showing you the malware infections that Emsisoft Emergency Kit has detected.Make sure that everything is Checked (ticked) and click on the ‘Quarantine selected objects‘ button.

Next,we will remove Combofix from your machine and in addition,you can uninstall any of the tools that we’ve used:

Lets remove ComboFix from your computer:

  1. Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  2. In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK Combofix uninstall command
  3. Follow the prompts on the screen
  4. A message should appear confirming that ComboFix was uninstalled

Delete the following files: (If they exist)
C:\ComboFix.txt

Delete the following folders: (If they exist)
C:\ComboFix
C:\Qoobox
Kaspersky TDSSKiller and RogueKiller can be removed by deleting the utilities.
We strongly recommend that you keep Malwarebytes Anti-Malware and HitmanPro installed on your machine and run regular scans with this tools.If you however,wish to remove them,you can go into the Add or Remove programs and uninstall this two on-demand scanners.

If you are still experiencing problems while trying to remove ZeroAccess rootkit from your machine, please start a new thread in our Malware Removal Assistance forum.

IT’S YOUR TURN TO HELP!

If we have managed to help you with your computer issues, then it's your duty to let other people know that this article will help them!
You can share this article on Facebook,Twitter or Google Plus by using the below buttons.

SUPPORT MALWARETIPS! (OPTIONAL)

All our malware removal guides and utilities are completely free!
We do not request any kind of payment for our services, however if you like to support us with our website costs, you can make a small donation. Any amount is appreciated, and will support our fight against malware.

ABOUT STELIAN PILICI

I am the creator and owner of MalwareTips.com.
My area of expertise includes malware removal and computer forensics. I'm active in the various online anti-malware communities where I do researches for new malware threats as they are released.
I live in Bucharest (Romania), where I run my own local computer repair shop.
I repair both hardware and other operating systems related issues, however most of my business is malware related problems.

You can follow me on Google+ and I will keep you up-to-date with the latest computer infections and malware threats.