ZeroAccess Rootkit - How to remove?

 

What is ZeroAccess Rootkit?

ZeroAccess rootkit, also known as Max++, is a nasty piece of malware designed to begin its persistent campaign immediately after infiltration. Infiltration is quite simple: it arrives through security holes and infected downloads, often fake Adobe Reader or Java updates. An additional purpose of the ZeroAccess rootkit is to set up a stealthy, undetectable and hard-to-remove platform for downloading further malware onto the target PC. It is an advanced and sophisticated rootkit: it hides its own and other malicious processes so that they cannot be detected or removed.

ZeroAccess rootkit is quite similar to the TDSS rootkit and shares both functionality and even some portions of code with it. Both hide from anti-malware scans and stop legitimate programs from working by killing their processes or preventing them from executing. In fact, without a scan it is quite hard for the victim to tell these two trojans apart. Zero Access is one of the trojans responsible for hijacked Google results: the symptoms are search engine results and various other pages redirecting to pages promoting products unrelated to the search. Additionally, ZeroAccess might block legitimate anti-malware and antivirus vendor sites.

Zero Access is used for multiple malicious purposes. The first is stopping legitimate antivirus programs from executing, thus limiting the chances of removal. The second is making money for the malware makers by redirecting your searches to their partners. Note that some of those websites are victims too: they are not aware that visitors are being forced onto their content with the help of ZeroAccess. Lastly, this rootkit downloads additional programs such as trojans, adware or fake antiviruses. ZeroAccess might download semi-legitimate software as well, and try to earn money by charging unsuspecting software makers for "software installs". All of this makes the rootkit extremely dangerous. You should scan for and remove ZeroAccess at the first symptoms of its presence.

Different antivirus products have separate names for ZeroAccess, and even the same product can name several related versions of this rootkit differently. Names used include:

Trojan.Zeroaccess.X (Ikarus, Symantec)

ZeroAccess.XX (AVG, McAfee)

Backdoor.Maxplus.XX (Dr.Web)

Sometimes it is detected as Sirefef or Jorik as well. In many cases these versions carry specific payloads, though there are not always bigger differences between them.

Remember, ZeroAccess uses advanced rootkit technology to hide its presence on a system, and it will try to block legitimate software from being downloaded and launched. Depending on the ZeroAccess version, different approaches are needed.

1. Remove ZeroAccess with regular Anti-Malware and Antivirus programs

Some anti-malware programs may not be blocked and can delete ZeroAccess from the system. This depends on the ZeroAccess version and on the program's definition database. Try downloading several tools and scanning with each of them, for example Spyhunter, Hitman Pro, Kaspersky or Avast. This is the easiest and, when it works, the best approach to remove ZeroAccess, since regular scans have the least chance of damaging your system.

2. Using anti-Rootkit tools for ZeroAccess removal

Zero Access can be removed with some dedicated anti-rootkit tools (as long as they are allowed to launch). A good choice is TDSSKiller, which works against this family of rootkits as well and runs on both 32-bit and 64-bit systems. There are other tools too; for a full list, visit our anti-rootkit tools link section.

3. Using Bootable CDs to delete ZeroAccess

This is the most cumbersome way to remove rootkits like Zero Access. You will have to create a bootable CD or USB stick and boot the computer from it, and the CD should be burned on a clean PC. Scanning with Alternate OS scanners might cause system malfunctions later on, especially when drivers are removed (as happens with ZeroAccess). After scanning with any of these CDs, write down which files were removed. Driver files should be re-downloaded to the same locations, or copied from the driver cache, before the system is rebooted normally again. You might have to run a Windows repair install as well. Here is the introduction to Alternate OS scanners.

If you have to go with options 2 or 3, scan your system with anti-malware programs afterwards to delete the leftovers of the ZeroAccess infection: other trojans, malware or fake AVs are not deleted by dedicated anti-rootkit tools and might survive a Boot CD scan.
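As an added example (not from this guide or from any of the tools it names), a small Python script that does the "write down which files are removed" step for you: snapshot the Windows drivers directory before the offline scan, snapshot it again afterwards, and the diff lists the driver files you must restore from the driver cache before the normal reboot. The drivers directory path and the driver file contents in the demo are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not part of the original guide. Point inventory() at the
# mounted Windows drivers directory (e.g. the system32/drivers folder as seen
# from the rescue environment) before and after an Alternate OS scan, then
# diff the two snapshots to learn which drivers the scanner removed.


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large drivers stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(drivers_dir):
    """Map each file under drivers_dir (relative POSIX path) to its SHA-256."""
    base = Path(drivers_dir)
    return {p.relative_to(base).as_posix(): sha256_of(p)
            for p in sorted(base.rglob("*")) if p.is_file()}


def diff_inventory(before, after):
    """Classify drivers as removed, added or changed between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "removed": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "changed": sorted(k for k in common if before[k] != after[k]),
    }


def demo():
    """Constructed scenario: fake drivers folder, then a simulated offline scan."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp) / "drivers"
        drivers.mkdir()
        # Constructed placeholder contents; real drivers are PE files, not text.
        (drivers / "afd.sys").write_bytes(b"afd driver (constructed)")
        (drivers / "ndis.sys").write_bytes(b"ndis driver (constructed)")
        (drivers / "tcpip.sys").write_bytes(b"tcpip driver (constructed)")
        before = inventory(drivers)
        # Simulate the scanner deleting one driver and replacing another.
        (drivers / "afd.sys").unlink()
        (drivers / "ndis.sys").write_bytes(b"ndis driver, replaced (constructed)")
        after = inventory(drivers)
        return diff_inventory(before, after)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Anything listed under "removed" is a driver to restore from the driver cache before rebooting; "changed" entries are worth re-checking with a normal anti-malware scan afterwards, as the guide recommends.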

 

Automatic ZeroAccess Rootkit removal tools

Other tools: Spyhunter, Malwarebytes anti-rootkit
 
 
 
 

Manual ZeroAccess Rootkit removal

 

Important Note: Although it is possible to manually remove ZeroAccess Rootkit, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using TDSSKiller or other tools found on 2-viruses.com.

Processes:
Files:

It is impossible to list all file names and locations of modern parasites. You can identify remaining parasites and other files infected by ZeroAccess Rootkit, and get help with ZeroAccess Rootkit removal, by using the TDSSKiller scanner.

43 thoughts on “ZeroAccess Rootkit”

  1. Reegun Richard
     

    Nice, simple and sharp.

     
  2. randall
     

    ZeroAccess is an extremely malicious rootkit. After removal, network connectivity is next to impossible. XP users are encouraged to upgrade to SP3 to safeguard against infection. Does anyone have a fix that works? Formatting and reinstalling the OS is a drainer.

     
    1. admin
       
       
      Post author

      Randall: in most cases it is quite similar to TDSS, and anti-TDSS tools work.

       
  3. Salvator
     

    Try this tool to remove Zero Access Rootkit.

    This tool was created by Webroot security.

     
    1. admin
       
       
      Post author

      Salvator: I recommend pasting links to official websites only. We cannot review each link visitors paste in comments, and in most cases we delete direct download links that point to 3rd party websites, as well as spam/advertising comments.

       
  4. Will
     

    For me ComboFix did the trick. After running, ComboFix found that a number of network connectivity related system files had been replaced. ComboFix was kind enough to restore these files from the ServicePackFiles directory on the PC, so after the repair the infected PC still had network connectivity. The PC in question already had Service Pack 3 installed, so that’s not a surefire way to stay protected.

     
  5. IEC
     

    ComboFix will do it, combined with the recovery console and the “fixmbr” function. One thing to keep in mind is to remove old System Restore files as well.

     
    1. admin
       
       
      Post author

      IEC: In most cases, I would recommend TDSS Killer over Combofix due to its more automated process.

       
  6. eytan
     

    TDSS Killer was the first app to diagnose the infection, but it didn’t clean everything. I used Avast FixMBR (still not enough) and finally ComboFix, which thoroughly scanned and cleaned my PC.

     
  7. Kes
     

    @admin
    Exactly! This worked for me, thanks.

     
  8. Don
     

    I use Webroot, and when I contacted their support they sent me some programs to remove ZeroAccess and then repair the damage done to the antivirus program – this appears to have solved the problem :)

     
  9. val
     

    @Will
    Combofix just worked for me, too.

     
  10. Spork Schivago
     

    For people who removed the rootkit and have no internet afterward, try replacing c:\windows\system32\drivers\afd.sys with a clean copy. One can be obtained by downloading KB article KB958752. I’m sure there are other ways of obtaining the afd.sys file. I am working on an infected PC right now, ran ComboFix to remove it, and had no internet. I do not know if it was still installed in other places. Gonna try TDSS Killer to make sure it’s gone. Also, there appears to be malware still on the system. Probably from when afd.sys wasn’t properly cleaned.

     
    1. admin
       
       
      Post author

      Spork Schivago: It might be a different file and still cause internet malfunction. The best thing is to write down the files that Combofix/TDSS Killer removes.

       
  11. Denise
     

    I was infected some time ago and used Combofix (great app), but it wiped out my internet connection altogether. I mean I had nothing in my network connections, so I did a repair install over top of my existing system, which got my connection back, and all was good for about 2 months. Last night I noticed I was being redirected to advertising sites regardless of what links I was trying to access, and also couldn’t get to Windows Updates. You should be able to type in a web address and get to the site you WANT rather than click on a Google result which redirects you to a crap site. I used majorgeeks.com to get the newest version of Combofix. Combofix warned me that I had the nasty ZeroAccess Rootkit and that I might lose my internet connection once again, but I didn’t this time :):):) I can also now access Windows Updates, so I don’t know what happened the first time, but this last go-around worked for me :)

     
  12. Sonny
     

    I ultimately decided to reinstall Windows to overcome this problem. (Combofix identified Zero Access but couldn’t seem to remove it (no progress over long period). Then it disabled all network access.)

    I backed up some files to an external drive. Now I wonder, could this virus have copied itself to the external drive?

     
    1. admin
       
       
      Post author

      Sonny: I don’t think so. ZeroAccess infects specific places, including the MBR record of your hard disk (you should do a full format of the disk and rewrite the MBR record). I think TDSS Killer is better against ZeroAccess by far.

       
  13. 0ldman
     

    I’ve got one on the bench right now. TDSS killer ran and didn’t see a thing. Dr Web Cureit found parts of it, didn’t fix it. Combofix detected more than anything else, still didn’t get rid of it. Trendmicro Rootkit buster has detected several copies, still won’t completely clean the system.

    I guess my next attempt will be recovery console, fixmbr then pull the drive and clean it from another PC.

    The new variant is quite resilient.

     
  14. Michael Wade
     

    Thank you so much. A redirect virus was driving me crazy and seriously interfering with my work. Symantec could detect it, but could not do anything about it. Following your suggestion, I used an uninfected computer to download tdsskiller.zip, then moved it to the desktop of the infected computer and ran it. There are no more redirects, and the Symantec Endpoint Protection scan no longer detects the Trojan ZeroAccess file.

    Thank you so much! I will look to you first the next time I have a problem.

     
  15. Pastramiking
     

    Dealing with this for a neighbor. Tried S&D, Malwarebytes, and now moving on to combofix. It’s a toughie.

     
    1. admin
       
       
      Post author

      Pastramiking: TDSS Killer would be the first tool to try, THEN S&D/MBAM/SD to clean up the remaining infections.

       
  16. alien
     

    Had this virus; it destroyed my Windows registry, changed the MBR, and did something to my SATA drivers, so while I could boot to Windows safe mode, booting into Windows caused a 0x0000007B, 0xF78D2524, 0xC0000034 blue screen error. Couldn’t find a fix; re-installed Windows XP in the end to fix it. Only lost my game saves, still got all my files. It seems to have a destroy-the-computer-it’s-on program built into it if you try to remove it.

     
  17. Rich Liddell
     

    This worked for us to clear ZeroAccess from WinXP:
    1) Run ComboFix http://www.combofix.org/download.php — This program takes about 23 minutes to run when affected and about 10 minutes when running fine. It took at least 5 runs of the application to clean it. Run it enough times until it takes about 10 minutes to complete.
    2) After running ComboFix you will not have internet access; it removes some of the registry for TCPIP when it is cleaning up ZeroAccess. Run the application WinSockxpfix to restore the registry http://www.snapfiles.com/get/winsockxpfix.html and after a reboot you should have internet access.

     
    1. Rich Liddell: Generally, I do not recommend Combofix for the average user. TDSS Killer when it is only the rootkit, or Spyhunter when there are additional infections. Spyhunter has a pretty good rootkit detector/remover, though it is a commercial program.
      Why not Combofix? Well, it is targeted mostly at PC repair people, and might cause problems.

       
  18. anomylous
     

    Whoever unleashed this terror unto the internet deserves a slow, painful end…

     
  19. Michael
     

    Thanks! I ran into this nasty little bugger today. Now I know why Norton Security Suite is one of the best virus protectors on the market.

     
  20. Mike
     

    I had this attack after entering a gasket company website from a Google result around the start of June.

    Microsoft used all the virus removal tools listed above in the narrative and nothing worked. Which is basically due to the amount of time the virus permits the computer to be on at one time (3 minutes) before rebooting under the influence of this virus. The problem with all the virus removal software tools is that each time the computer rebooted, so did the software, and this gave the removal tools no time to complete the task. I would recommend to those programmers to please come up with a persistent virus removal software that would take up where it left off at the time the computer started its rebooting process.

    In the end, I had to reformat my hard drive, and since my files were stored on an external disc, the only thing that was lost was my e-mail files. Others might not be so lucky.

    Still, I think it’s time to not only develop a better removal tool as mentioned above, but also introduce into legislation some rules that would punish the people who perform this type of extortion, which is really what it is.

    From this point on, I will define any Trojan virus as “Cyber-extortion” and it should be treated the same way any other person would be treated when found guilty of extortion in any form or fashion, with many years of jail time and huge hefty fines, plain and simple.

     
    1. Mike : In the worst case, Alternate OS scanners do their job. Zeroaccess can not reboot PC if it is not active.

       
  21. Mike
     

    @Giedrius: Sorry to contradict you, but I was there watching this happen while Microsoft tried their best (remotely) to eliminate it. The virus was accessing the file in System32 used to reboot the computer. After 2 minutes a warning window would pop up stating that the computer would shut off and to save any files; 2 minutes after that, the computer would shut down and then reboot.

    When this happened, every tool kit used, regardless of the name, also had to restart. After 12 hours of this MS gave up and gave me a refund, and I had to reformat my hard drive.

    Yes, ZeroAccess did reboot the computer; it was just like the movie Groundhog Day with Bill Murray.

     
    1. Mike: Alternate OS Scanners cannot be used remotely, which is why Microsoft had not used them. These are bootable CDs/DVDs/USBs. You boot your PC from them. As you boot from a non-writable and safe environment, the malware does not load, and thus antiviruses would work from that CD.

      There are very few parasites (none of them are distributed now, in fact) that could theoretically load even when using such CD, and ZeroAccess is not one of them.

      http://www.2-viruses.com/alternate-os-scanners-introduction

       
  22. Karla
     

    I was running a McAfee quick scan then a full scan but it was unable to remove it. Malwarebytes said it removed it but when I ran another McAfee scan it’s still showing “2 Issues (zeroaccess)” that can’t be removed. I downloaded TDSS from a clean computer and ran it on the infected one and it found nothing……?

    Is it gone or still there?

     
    1. Karla: in your case, hard to tell. TDSS Killer has the best results at removing this parasite, but it is not 100% either. On the other hand, McAfee can detect non-dangerous leftovers of this parasite (though it should handle them with ease). I would recommend running Hitman Pro (5 antivirus engines) and Spyhunter anti-rootkit (just after install it runs a free anti-rootkit scan/removal which is quite good).

       
  23. Jeff
     

    I too have become infected with the ZeroAccess bug. After reading these responses I tried TDSSKiller. After it ran it reported “No infections found” yet MS Security Essentials is churning away quarantining this thing. I am just an average user and the ComboFix option sort of freaked me out a bit so I did not try that one. I then tried Hitman Pro and it found the trojan and quarantined it and removed 20 or so other traces. My questions are: Is it possible that Hitman Pro took care of this after just one pass? And, should I have removed the trojan instead of the recommended quarantine by Hitman Pro? If so, what should I do next?

     
    1. Jeff: Yes. Late versions of ZeroAccess do not have significant rootkit functionality (i.e. they do not hide from OS functions), but they are nevertheless a trojan. Thus TDSS Killer (an anti-rootkit tool) does not detect it, but Hitman Pro (a broader-range tool) detects it. To make sure, I recommend scanning with MSE again, and then maybe other anti-malware applications too.

       
  24. Jeff
     

    Well, I scanned my machine with everything I had: Hitman Pro, MSE, Spybot S&D, McAfee Stinger, and just for grins TDSS Killer; all reported clean. Now my issues are I cannot execute MS updates or access Windows Firewall settings, which is all I have found so far. I am sure there must be files corrupted or registry entries missing or altered. Are there any options to repair this without a clean install?

     
    1. Jeff : Regedit :) or Try using some registry cleaners, like CCleaner.

       
  25. Carol
     

    Jeff – go to http://blogs.technet.com/b/networking/archive/2011/06/14/the-windows-firewall-service-fails-to-start-registry-permissions.aspx

    We were also infected with ZeroAccess, removed with several tools, but had the same probs with firewall and updates. This showed us which keys were missing and the permissions they needed.

     
  26. Simon s
     

    Just got this swine from an Adobe update. Luckily I don’t keep much data on the laptop, so I’m reformatting and reinstalling Windows.

     
  27. Lucas
     

    ComboFix was the only thing that was able to get it for me after trying everything else.

     
  28. anonytech
     

    ADW Cleaner did the trick, coupled with Hitman Pro. On a Windows 8 machine it infected explorer and kept refreshing; put the programs on a flash drive and ran them from cmd. Well, Hitman from the flash drive; ran iexplore.exe from Run and was able to download ADW from CNET. Worked famously.

     
    1. I would guess Hitman did the trick, as ADW Cleaner removes a far narrower type of parasite :)

       
  29. Tim H
     

    I had this ZeroAccess virus and I gave up with the fixes. It kept freezing my computer, even in safe mode, trying to load the numerous antivirus suggestions. I went out and bought an external drive. Did a system recovery, saving all my files. Reinstalled the factory settings. Did a hard drive disk and repair file check. I then downloaded all the Windows updates. I chit-canned Norton 360 and loaded Webroot SecureAnywhere plus security. Ran a scan and it found 1 Windows 32 registry infection, removing it before going on the internet. I then reloaded all my files and my computer now works great. I don’t know why that infection was there after doing a system recovery.

    I am not a comp tech guy. Just going by info provided by sites like this. Yes, it took all weekend to do this. I realize it’s a pain, but I think the best course is to save all your files to an external drive and do a system recovery, reinstalling Windows. I have never seen such a nasty zero root malware virus. It froze up my computer within minutes of going online. Could not download any exe files etc… One thing I noticed that was a tip-off that the computer was infected: when I started up my computer and the Windows password entry came on screen, I typed in the password. If I clicked on the arrow, Windows should load. But when I clicked on the arrow, Windows did not load and I had to click in the space again where I typed in my password. Then I hit the arrow and Windows loaded. I knew then my computer was infected. Should not have to do that. Clicking the arrow should have immediately started the Windows load. Just thought I’d provide my experience. My computer is now running better than before. I won’t buy Norton 360 again. It will not find that ZeroAccess malware.

     
    1. Tim: There are too many ZeroAccess versions. So ALL antivirus programs might miss one version and then get disabled. That’s the problem. Not that I would advocate using Norton 360 or not.

       
