ZeroAccess is a sophisticated kernel-mode rootkit that is rapidly becoming one of the most widespread threats in the current malware ecosystem. ZeroAccess’ ability to run on both 32-bit and 64-bit versions of Windows, resilient peer-to-peer command and control infrastructure and constant updates to its functionality over time show that ZeroAccess is a modern threat capable of thriving on modern networks and modern Operating Systems.
ZeroAccess remains hidden on an infected machine while downloading more visible components that generate revenue for the botnet owners. Currently the downloaded malware is mostly aimed at sending spam and carrying out click fraud, but previously the botnet has been instructed to download other malware and it is likely that this will be the case again in the future. ZeroAccess should be considered an advanced and dangerous threat that requires a fully featured, multi-layered protection strategy.
ZeroAccess employs mechanisms that are themselves hard to remove such as a kernel-mode rootkit and patched driver files, patched system files such as services.exe and data hidden in NTFS Extended Attributes, removal of NTFS permissions on files used; and because ZeroAccess often employs several autostart points on an infected machine and usually other files that can re-install the malware.
ZeroAccess Rootkit Removal Guide
STEP 1: Remove the ZeroAccess rootkit with Kaspersky TDSSKiller
ZeroAccess has installed a rootkit to protect itself from being removed.To remove the ZeroAccess rootkit, we need to run a system scan with Kaspersky TDSSKiller.
- Please download the latest official version of Kaspersky TDSSKiller.
KASPERSKY TDSSKILLER DOWNLOAD LINK(This link will automatically download Kaspersky TDSSKiller on your computer.)
- Before you can run Kaspersky TDSSKiller, you first need to rename it so that
you can get it to run. To do this, right-click on the TDSSKiller.exe icon and select Rename.
Edit the name of the file from TDSSKiller.exe to iexplore.exe, and then double-click on it to launch.
- Kaspersky TDSSKiller will now start and display the welcome screen as shown below.In order to start a system scan , press the ‘Start Scan’ button.
- Kaspersky TDSSKiller will now scan your computer for the ZeroAccess rootkit.
- When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.
- To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.A reboot will be require to completely remove this rootkit from your system.
STEP 2 : Remove the malicious files and replace the infected services.exe file
The ZeroAccess rootkit will infect services.exe Windows file,so we need to run Combofix to replace this file.
- Download Combofix from any of the below links.
COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download Combofix on your computer)
- Before running this utiltiy,please follow the below instructions:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection beforeperforming a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Start the Combofix scan:
- Double click on ComboFix.exe and then follow the prompts.
- Accept the disclaimer and allow to update if it asks.
- When finished, it shall produce a log for you.
- Restart your computer
- DO NOT mouse-click Combofix’s window while it is running. That may cause it to stall.
- DO NOT “re-run” Combofix. If you have a problem, reply back for further instructions.
- IF after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.
STEP 3 : Remove the malicious registry keys added by the ZeroAccess rootkit
ZeroAccess has added some malicious registry keys to your Windows installation,to remove them we will need to perform a scan with RogueKiller.
- Please download the latest official version of RogueKiller.
ROGUEKILLER DOWNLOAD LINK (This link will automatically download RogueKiller on your computer)
- Double click on RogueKiller.exe to start this utility and then wait for the Prescan to complete.This should take only a few seconds and then you can click the Start button to perform a system scan.
- After the scan has completed, press the Delete button to remove any malicious registry keys.
STEP 4: Remove ZeroAccess malicious files with Malwarebytes Anti-Malware FREE
- Download the latest official version of Malwarebytes Anti-Malware FREE.
MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This link will open a download page in a new window from where you can download Malwarebytes Anti-Malware Free)
- You can start the Malwarebytes’ Anti-Malware installation process by double clicking on mbam-setup file.
- When the installation begins, keep following the prompts in order to continue with the setup process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If Malwarebytes’ prompts you to reboot, please do not do so.
- Malwarebytes Anti-Malware will now start and you’ll be prompted to start a trial period , please select ‘Decline‘ as we just want to use the on-demand scanner.
- On the Scanner tab,select Perform full scan and then click on the Scanbutton to start scanning your computer.
- Malwarebytes’ Anti-Malware will now start scanning your computer for ZeroAccess malicious files as shown below.
- When the scan is finished a message box will appear, click OK to continue.
- You will now be presented with a screen showing you the malware infections that Malwarebytes’ Anti-Malware has detected.Please note that the infections found may be different than what is shown in the image.Make sure that everything is Checked (ticked) and click on the Remove Selected button.
- Malwarebytes’ Anti-Malware will now start removing the malicious files.After completing this task it will display a message stating that it needs to reboot,please allow this request and then let your PC boot in Normal mode.
STEP 5: Run a scan with HitmanPro
- Download the latest official version of HitmanPro from the below link.
HITMANPRO DOWNLOAD LINK(This link will open a download page in a new window from where you can download HitmanPro)
- Double click on the previously downloaded fileto start the HitmanPro installation.
IF you are experiencing problems while trying to starting HitmanPro, you can use the “Force Breach” mode.To start this program in Force Breach mode, hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (How to start HitmanPro in Force Breach mode – Video)
- Click on Next to install HitmanPro on your system.
- The setup screen is displayed, from which you can decide whether you wish to install HitmanPro on your machine or just perform a one-time scan, select a option then click on Next to start a system scan.
- HitmanPro will start scanning your system for malicious files as seen in the image below.
- Once the scan is complete,you’ll see a screen which will display all the malicious files that the program has found.Click on Next to remove this malicious files.
- Click Activate free license to start the free 30 days trial and remove the malicious files.
- HitmanPro will now start removing the infected objects.If this program will ask you to restart your computer,please allow this request.
STEP 6: Double check for any left over infections on your computer
If want to make another check for any left over malicious files,you can run a scan with the following tools:
STEP A: Run a scan with Eset Online Scanner.
- Download ESET Online Scanner utility.
ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
- Double click on the Eset installer program (esetsmartinstaller_enu.exe).
- Click the Start button.
- Check Scan archives
- Push the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push Finish
STEP B: Run a scan with Emsisoft Emergency Kit.
- Please download the latest official version of Emsisoft Emergency Kit.
EMSISOFT EMERGENCY KIT DOWNLOAD LINK (This link will open a download page in a new window from where you can download Emsisoft Emergency Kit)
- After the download process will finish , you’ll need to unpack EmsisoftEmergencyKit.zip and then double click on EmergencyKitScanner.bat
- A pop-up will prompt you to update Emsisoft Emergency Kit , please click the “Yes” button.After the Update process has completed , put the mouse cursor over the “Menu” tab on the left and click-on “Scan PC“.
- Select “Smart scan” and click-on the below “SCAN” button.When the scan will be completed , you will be presented with a screen showing you the malware infections that Emsisoft Emergency Kit has detected.Make sure that everything is Checked (ticked) and click on the ‘Quarantine selected objects‘ button.
Next,we will remove Combofix from your machine and in addition,you can uninstall any of the tools that we’ve used:
Lets remove ComboFix from your computer:
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Delete the following files: (If they exist)
Delete the following folders: (If they exist)
Kaspersky TDSSKiller and RogueKiller can be removed by deleting the utilities.
We strongly recommend that you keep Malwarebytes Anti-Malware and HitmanPro installed on your machine and run regular scans with this tools.If you however,wish to remove them,you can go into the Add or Remove programs and uninstall this two on-demand scanners.