
How to remove ZeroAccess Rootkit?

August 23rd, 2011

What is ZeroAccess Rootkit?

ZeroAccess rootkit, also known as Max++, is a piece of malware designed to establish itself persistently immediately after infiltration. Infection is straightforward: it arrives through security holes and infected downloads, often fake Adobe Reader or Java updates. A further purpose of ZeroAccess is to set up a stealthy, hard-to-detect and hard-to-remove platform for downloading additional malware onto the target PC. In short, it is an advanced and sophisticated rootkit.

ZeroAccess is quite similar to the TDSS rootkit and shares both functionality and some portions of code. Both hide from anti-malware scans and stop legitimate programs from working by killing their processes or preventing them from launching. Without a scan, it is hard for a victim to tell the two trojans apart. ZeroAccess is one of the trojans responsible for hijacked Google results: search results and various other pages redirect to sites promoting products unrelated to the search. Additionally, ZeroAccess might block legitimate anti-malware and antivirus vendor sites.

ZeroAccess serves multiple malicious purposes. First, it stops legitimate antivirus programs from running, limiting the chances of removal. Second, it makes money for the malware authors by redirecting your searches to their partners. Note that some of those websites are victims too: they are not aware that visitors are being forced onto their content by ZeroAccess. Lastly, the rootkit downloads additional programs such as trojans, adware or fake antiviruses. It might download semi-legitimate software as well, earning money by charging unsuspecting software makers for “software installs”. All of this makes the rootkit extremely dangerous; scan for and remove ZeroAccess at the first symptoms of its presence.

Remember that ZeroAccess uses advanced rootkit techniques to hide its presence on a system, and it will try to block legitimate security software from being downloaded and launched. Depending on the ZeroAccess version, different approaches are needed.

1. Remove ZeroAccess with regular Anti-Malware and Antivirus programs

Some anti-malware programs are not blocked and can delete ZeroAccess from the system; this depends on the rootkit version and the tool's definition database. Try downloading several tools and scanning with each of them, for example Spyhunter, Hitman Pro, Spyware Doctor, Kaspersky or Avast. When it works, this is the easiest and best approach to removing ZeroAccess, as regular scans have the least chance of damaging your system.

2. Using anti-Rootkit tools for ZeroAccess removal

ZeroAccess can be removed with some dedicated anti-rootkit tools, as long as they are able to launch. A good choice is TDSSKiller, which works with this family of rootkits as well and runs on both 32-bit and 64-bit systems. Other tools exist too; for a full list, visit our anti-rootkit tools link section.

3. Using Bootable CDs to delete ZeroAccess

This is the most cumbersome way to remove rootkits like ZeroAccess: you have to create a bootable CD or USB stick and boot the computer from it. The CD should be burned on a clean PC. Scanning with alternate-OS scanners might cause system malfunctions later on, especially when drivers are removed (as happens with ZeroAccess). After scanning with any of these CDs, write down which files were removed. Driver files should be re-downloaded into the same locations or copied from the driver cache before the system is rebooted normally again; you might also have to run a Windows repair install. Here is the introduction to alternate-OS scanners.

If you have to go with option 2 or 3, scan your system with anti-malware programs afterwards to delete leftovers of the ZeroAccess infection: other trojans, malware or fake AVs are not deleted by dedicated anti-rootkit tools and might survive a boot CD scan.
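The "write down which files were removed" step in option 3 is easy to get wrong by hand, so here is an added example (not code from this page or from any of the tools it mentions) that does it mechanically: it takes a hashed inventory of a directory before the rescue-CD scan, takes another one afterwards, classifies every file as removed, changed or added, and copies removed files back from a driver-cache directory so the system still boots with networking. The directory names, the driver file names and all file contents in `demo()` are constructed placeholders standing in for the real drivers folder and driver cache; on a real machine you would snapshot the drivers directory itself and point the cache argument at a known-clean source. It goes slightly beyond the text by also reporting files a scanner modified or added, which are worth reviewing too.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: sha256_hex} for every file under root.
    Take one snapshot before booting the rescue CD and one after."""
    root = Path(root)
    inventory = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            inventory[path.relative_to(root).as_posix()] = digest
    return inventory


def diff_snapshots(before, after):
    """Classify files as removed, added or changed between two snapshots."""
    removed = sorted(p for p in before if p not in after)
    added = sorted(p for p in after if p not in before)
    changed = sorted(p for p in before if p in after and before[p] != after[p])
    return {"removed": removed, "added": added, "changed": changed}


def restore_from_cache(removed, cache_dir, target_dir):
    """Copy each removed file back into target_dir from a clean cache.
    The pre-scan hash is NOT used as a reference: it may be the hash of the
    infected driver the scanner just deleted.  Files with no cached copy are
    returned as missing so they can be fetched from the vendor instead."""
    cache_dir, target_dir = Path(cache_dir), Path(target_dir)
    restored, missing = [], []
    for rel in removed:
        src = cache_dir / rel
        if src.is_file():
            dst = target_dir / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            restored.append(rel)
        else:
            missing.append(rel)
    return restored, missing


def report(diff):
    """Plain-text list of what the scan touched, for the written record."""
    return "\n".join(f"{kind:8s} {rel}"
                     for kind in ("removed", "changed", "added")
                     for rel in diff[kind])


def demo():
    """Constructed scenario (placeholder names and contents, not real drivers):
    the drivers folder holds a patched afd.sys, the cache holds clean copies,
    the rescue scan deletes afd.sys and rewrites tcpip.sys.
    Returns (diff, restored, missing, cache_copy_matches)."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers, cache = Path(tmp, "drivers"), Path(tmp, "cache")
        for d in (drivers, cache):
            d.mkdir()
            (d / "afd.sys").write_bytes(b"clean afd.sys (constructed)")
            (d / "tcpip.sys").write_bytes(b"clean tcpip.sys (constructed)")
        # the infection replaced afd.sys on the live system
        (drivers / "afd.sys").write_bytes(b"patched afd.sys (constructed)")
        before = snapshot(drivers)
        # what the rescue-CD scanner did
        (drivers / "afd.sys").unlink()
        (drivers / "tcpip.sys").write_bytes(b"tcpip.sys repaired by scanner (constructed)")
        after = snapshot(drivers)
        diff = diff_snapshots(before, after)
        restored, missing = restore_from_cache(diff["removed"], cache, drivers)
        matches = (drivers / "afd.sys").read_bytes() == (cache / "afd.sys").read_bytes()
        return diff, restored, missing, matches


if __name__ == "__main__":
    diff, restored, missing, matches = demo()
    print(report(diff))
    print("restored:", restored, "missing:", missing, "clean copy in place:", matches)
```

Run `snapshot()` from the clean boot environment before and after the scan and keep the `report()` output with the rest of the written record; anything listed as missing has to come from the vendor or a repair install, exactly as the text above says.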


ZeroAccess Rootkit is Dangerous

• ZeroAccess Rootkit is a Trojan parasite
• ZeroAccess Rootkit may display fake security & messages
• ZeroAccess Rootkit may display numerous annoying advertisements
• ZeroAccess Rootkit may be remotely controlled by a malicious person
• ZeroAccess Rootkit may spread additional spyware
• ZeroAccess Rootkit may repair its files, spread or update by itself
• ZeroAccess Rootkit may prove difficult or impossible to remove
• ZeroAccess Rootkit violates your privacy and compromises your security

Note: the Spyhunter trial provides detection of parasites like ZeroAccess Rootkit and assists in their removal for free. You can remove the detected files, processes and registry entries yourself or purchase the full version.



Manual ZeroAccess Rootkit removal


Important Note: Although it is possible to manually remove ZeroAccess Rootkit, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Spyhunter or other malware and spyware removal applications found on 2-viruses.com.
It is impossible to list all file names and locations of modern parasites. You can identify remaining parasites and other files infected by ZeroAccess Rootkit, and get help with its removal, by using the free Spyhunter scanner. It comes with a free real-time protection module that helps prevent ZeroAccess Rootkit and similar threats.

Such Trojans as ZeroAccess Rootkit generally infect your system while you are installing a game, opening a picture or playing a video file.

Some Trojans such as ZeroAccess Rootkit masquerade themselves as useful freeware programs or plug-ins, but are actually bundled Trojans.

As soon as it infects your system, Trojan ZeroAccess Rootkit gives COMPLETE control over your system to a hacker using the Trojan, who may cause serious damage to your system. A Trojan may alter your desktop or add undesirable shortcuts to various commercial and marketing sites; ZeroAccess Rootkit is no exception. It may create a backdoor to your system, allowing the hacker to control your system and steal your personal information. Unlike viruses and worms, Trojans like ZeroAccess Rootkit do not reproduce by infecting other files nor do they self-replicate and each new victim must run the infected file.


How to tell if your PC has been infected by a Trojan such as ZeroAccess Rootkit?

Slower system performance: most Trojans are not optimized and are coded very poorly, and because they run constantly in the background they make your system unstable, slow and unreliable.
Slow internet connection: Trojans constantly use your internet connection to send your private information to remote servers and to receive data from third-party servers, which causes much slower connection speeds and overall connection instability.


  1. Reegun Richard
    September 28th, 2011 at 23:08 | #1

    nice, simple and sharp…

  2. randall
    October 1st, 2011 at 10:19 | #2

    ZeroAccess is an extremely malicious rootkit. After removal, network connectivity is next to impossible. XP users are encouraged to upgrade to SP3 to safeguard against infection. Does anyone have a fix that works? Formatting and reinstalling the OS is a drainer.

    • October 1st, 2011 at 11:27 | #3

      Randall : in most cases It is quite similar to TDSS, and anti-TDSS tools work.

  3. Salvator
    October 7th, 2011 at 07:45 | #4

    Try this tool to remove zero Access Rootkit

    This tool was created by Webroot security.

    • October 7th, 2011 at 09:36 | #5

      Salvator: I recommend pasting links to official websites only. We can not review each link visitors paste in comments, and in most of the cases we delete direct download links that point to 3rd party websites or spam/advertising comments.

  4. Will
    October 13th, 2011 at 16:30 | #6

    For me ComboFix did the trick. After running ComboFix it found that a number of Network Connectivity related system files had been replaced. ComboFix was kind enough to restore these files from the ServicePackFiles directory on the PC so after the repair the infected PC still had network connectivity. The PC in question already had Service Pack 3 installed so that’s not a sure fire way to keep protected.

  5. IEC
    October 20th, 2011 at 07:13 | #7

    ComboFix will do it combined with console recovery and the “fixmbr” function. One thing to keep in mind is to remove old System Restore files as well.

    • October 20th, 2011 at 09:03 | #8

      IEC: In most cases, I would recommend TDSS Killer over Combofix due to its more automated process.

  6. eytan
    November 10th, 2011 at 18:07 | #9

    TDSS Killer was the first app to diagnose the infection. But it didn't clean everything. I used Avast FixMBR (still not enough) and finally ComboFix, which thoroughly scanned and cleaned my PC.

  7. Kes
    November 28th, 2011 at 15:39 | #10

    @admin
    Exactly! This worked for me, thanks.

  8. Don
    December 12th, 2011 at 21:11 | #11

    I use webroot and when I contacted their support they sent me some programs to remove zeroacess then repair damage done to the antivirus program – this appears to have solved the problem :)

  9. val
    December 14th, 2011 at 18:21 | #12

    @Will
    Combofix just worked for me, too.

  10. Spork Schivago
    December 14th, 2011 at 22:21 | #13

    For people who removed the rootkit and have no internet afterward, try replacing c:\windows\system32\drivers\afd.sys with a clean copy. One can be obtained by downloading KB article KB958752. I’m sure there’s other ways of obtaining the afd.sys file. I am working on an infected PC right now, ran ComboFix to remove it, and had no internet. I do not know if it was still installed in other places. Gonna try TDSS Killer to make sure it’s gone. Also, there appears to be malware still on the system. Probably from when afd.sys wasn’t properly cleaned.

    • December 14th, 2011 at 22:58 | #14

      Spork Schivago:
      It might be a different file, and still cause internet malfunction. The best is to write down the files that Combofix/TDSS Killer removes.

  11. Denise
    December 19th, 2011 at 18:47 | #15

    I was infected some time ago and used Combofix (great app) but it wiped out my internet connection all together. I mean I had nothing in my network connections so I did a repair install over top of my existing system which got my connection back and all was good for about 2 months. Last night I noticed I was being redirected to advertising sites regardless of what links I was trying to access and also couldn’t get to windows updates as well. You should be able to type in a web address and get to the site you WANT rather than try to click on a Google result which will redirect you to a crap site. I used majorgeeks.com to get the newest version of Combofix. Combofix warned me that I had the nasty Zeroaccess Rootkit and that I may lose my internet connection once again but I didn’t this time :) :):) I can also now access Windows Updates so I don’t know what happened the first time but this last go around worked for me:)

  12. Sonny
    January 11th, 2012 at 21:32 | #16

    I ultimately decided to reinstall Windows to overcome this problem. (Combofix identified Zero Access but couldn’t seem to remove it (no progress over long period). Then it disabled all network access.)

    I backed up some files to an external drive. Now I wonder, could this virus have copied itself to the external drive?

    • January 11th, 2012 at 23:04 | #17

      Sonny: I don’t think so. Zeroaccess infects specific places, including the MBR record of your hard disk (you should do a full format of the disk and rewrite the MBR record). I think TDSS Killer is better against ZeroAccess by far.

  13. 0ldman
    February 14th, 2012 at 01:48 | #18

    I’ve got one on the bench right now. TDSS killer ran and didn’t see a thing. Dr Web Cureit found parts of it, didn’t fix it. Combofix detected more than anything else, still didn’t get rid of it. Trendmicro Rootkit buster has detected several copies, still won’t completely clean the system.

    I guess my next attempt will be recovery console, fixmbr then pull the drive and clean it from another PC.

    The new variant is quite resilient.

  14. Michael Wade
    February 20th, 2012 at 18:24 | #19

    Thank you so much. A redirect virus was driving me crazy and seriously interfering with my work. Symantec could detect it, but could not do anything about it. Following your suggestion, I used an uninfected computer to download the tdsskiller.zip and then moved it to the desktop of the infected computer and ran it. There are no more redirects and Symantec Endpoint Protection scan no longer detects the Trojan zeroacess file.

    Thank you so much! I will look to you first the next time I have a problem.

  15. Pastramiking
    February 25th, 2012 at 01:25 | #20

    Dealing with this for a neighbor. Tried S&D, Malwarebytes, and now moving on to combofix. It’s a toughie.

    • February 25th, 2012 at 12:08 | #21

      Pastramiking: TDSS Killer would be the first tool to try. THEN S&D/MBAM to clean up remaining infections.

  16. alien
    March 11th, 2012 at 15:54 | #22

    Had this virus. It destroyed my Windows registry, changed the MBR, and did something to my SATA drivers, so while I could boot to Windows safe mode, booting into Windows caused a 0x0000007B, 0xF78D2524, 0xC0000034 blue screen error. Couldn’t find a fix, re-installed Windows XP in the end to fix it. Only lost my game saves, still got all my files. It seems to have a “destroy the computer it’s on” program built into it if you try to remove it.

  17. Rich Liddell
    May 13th, 2012 at 21:17 | #23

    This worked for us to clear ZeroAccess from WinXP:
    1) Run ComboFix http://www.combofix.org/download.php — This program takes about 23 minutes to run when affected and about 10 minutes when running good. It took at least 5 runs of the application to clean it. Run enough times until it takes about 10 minutes to complete.
    2) After running ComboFix you will not have internet access; it removes some of the registry for TCPIP when it is cleaning up the Zeroaccess. Run this application, WinSockxpfix, to restore the registry http://www.snapfiles.com/get/winsockxpfix.html and after a reboot you should have internet access.

    • May 13th, 2012 at 22:18 | #24

      Rich Liddell: Generally, I do not recommend Combofix for the average user. TDSS killer when it is only the rootkit, or Spyhunter when there are additional infections. Spyhunter has a pretty good rootkit detector/remover, though it is a commercial program.
      Why not combofix? Well, it is targeted at PC repair people mostly, and might cause problems.

  18. anomylous
    May 14th, 2012 at 09:28 | #25

    Whoever unleashed this terror unto the internet deserves a slow, painful end…
