ZeroAccess Rootkit - How to remove?
ZeroAccess rootkit, also known as Max++, is a nasty piece of malware designed to begin its persistent campaign immediately after infiltration. Infection itself is quite simple: it arrives through security holes and infected downloads, often fake Adobe Reader or Java updates. An additional purpose of the ZeroAccess rootkit is to set up a stealthy, undetectable and hard-to-remove platform for downloading further malware onto the target PC. As you can see, it is an advanced and sophisticated rootkit. Being a rootkit, it hides its own processes and those of other malicious programs from detection and removal.
The ZeroAccess rootkit is quite similar to the TDSS rootkit and shares both functionality and even some portions of code. Both hide from anti-malware scans and stop legitimate programs from working by killing their processes or preventing them from executing. In fact, without a scan it is quite hard for the victim to tell these two trojans apart. ZeroAccess is one of the trojans responsible for hijacked Google results: the symptoms are search-engine results and various other pages redirecting to sites promoting products unrelated to the search. Additionally, ZeroAccess (also written 0Access) might block legitimate anti-malware and antivirus vendor sites.
ZeroAccess is used for multiple malicious purposes. The first is stopping legitimate antivirus programs from running, thus limiting the chances of removal. The second is making money for the malware authors by redirecting your searches to their partners. Note that some of those websites are victims too: they are not aware that visitors are being forced onto their content by ZeroAccess. Lastly, this rootkit downloads additional programs such as trojans, adware or fake antiviruses. ZeroAccess might also download semi-legitimate software and try to earn money by charging unsuspecting software makers for “software installs”. All of this makes the rootkit extremely dangerous. You should scan for and remove ZeroAccess at the first symptoms of its presence.
Different antivirus vendors use different names for ZeroAccess, and even the same vendor may name several related versions of this rootkit differently. Names used include:
Trojan.Zeroaccess.X (Ikarus, Symantec)
ZeroAccess.XX (AVG, McAfee)
Backdoor.Maxplus.XX (Dr.Web)
Remember, the ZeroAccess rootkit uses advanced rootkit technology to hide its presence in the system, and it will try to block legitimate security software from being downloaded and launched. Depending on the ZeroAccess version, different approaches are needed.
1. Remove ZeroAccess with regular anti-malware and antivirus programs
Some anti-malware programs might not be blocked and can delete ZeroAccess from the system. This depends on the rootkit's version and on the tool's definition database. Try downloading several tools and scanning with each of them, for example Spyhunter, Hitman Pro, Kaspersky, Avast, etc. When it works, this is the easiest and best approach to removing ZeroAccess, as regular scans have the least chance of damaging your system.
2. Using anti-rootkit tools for ZeroAccess removal
ZeroAccess can be removed with some dedicated anti-rootkit tools (as long as they are able to launch). A good choice is TDSSKiller, which works with this family of rootkits as well and runs on both 32-bit and 64-bit systems. There are other tools as well; for the full list, visit our anti-rootkit tools link section.
3. Using bootable CDs to delete ZeroAccess
This is the most cumbersome way to remove rootkits like ZeroAccess. You will have to create a bootable CD or USB stick and boot the computer from it. The CD should be burned on a clean PC. Scanning with alternate-OS scanners might cause system malfunctions later on, especially when drivers are removed (as with ZeroAccess). After scanning with any of these CDs, write down which files were removed. Driver files should be re-downloaded to the same locations or copied from the driver cache before the system is rebooted normally. You might have to run a Windows repair install as well. Here is the introduction to alternate-OS scanners.
If you have to go with option 2 or 3, scan your system with anti-malware programs afterwards to delete the leftovers of the ZeroAccess infection: other trojans, malware or fake AVs are not deleted by dedicated anti-rootkit tools and might survive a boot CD scan.
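Step 3 tells you to write down which files the offline scanner removed so that drivers can be put back before a normal reboot. Doing this by hand across a whole Windows volume is error-prone, so here is an added example (not part of the original article or of any rescue CD) of a small Python tool that records a hashed manifest of the mounted Windows volume before the scan, takes a second manifest afterwards, and lists every file that was removed or altered, with kernel driver files (.sys) singled out for restoration. The directory layout, file names and contents in the demo are constructed; the tool assumes only that the volume is mounted at a path you pass on the command line.

```python
"""
Snapshot a file tree before an offline (boot CD) rootkit scan and diff it afterwards,
so removed or replaced driver files can be identified and restored before reboot.
Added example, not the article's own procedure; all paths and sample files are assumptions.
"""
import hashlib
import json
import os
import sys
import tempfile
from typing import Dict, List

# Windows kernel drivers live under Windows\System32\drivers and use the .sys extension.
DRIVER_EXTENSIONS = (".sys",)


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large volumes do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every readable file under root (relative, forward-slash path) to its digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                manifest[rel] = sha256_file(full)
            except OSError:
                # Locked or unreadable files (pagefile, hiberfil, ACL-protected) are skipped.
                continue
    return manifest


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Files that disappeared, appeared, or changed content between the two manifests."""
    removed = sorted(p for p in before if p not in after)
    added = sorted(p for p in after if p not in before)
    changed = sorted(p for p in before if p in after and before[p] != after[p])
    return {"removed": removed, "added": added, "changed": changed}


def affected_drivers(diff: Dict[str, List[str]]) -> List[str]:
    """Driver files the scan deleted or rewrote; these must be restored before a normal boot."""
    candidates = diff["removed"] + diff["changed"]
    return sorted(p for p in candidates if p.lower().endswith(DRIVER_EXTENSIONS))


def demo_snapshot_diff() -> Dict[str, List[str]]:
    """Constructed demo: a tiny fake system tree, a simulated scan that deletes one
    driver and replaces another, and the resulting diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Windows", "System32", "drivers"))
        files = {  # constructed contents, not real Windows binaries
            "Windows/System32/drivers/disk.sys": b"disk driver (constructed)",
            "Windows/System32/drivers/netio.sys": b"network driver (constructed)",
            "Windows/System32/notepad.exe": b"user program (constructed)",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(data)
        before = snapshot(root)
        # Simulate the offline scanner: one infected driver deleted, one cleaned in place.
        os.remove(os.path.join(root, "Windows/System32/drivers/netio.sys"))
        with open(os.path.join(root, "Windows/System32/drivers/disk.sys"), "wb") as handle:
            handle.write(b"cleaned disk driver (constructed)")
        after = snapshot(root)
        diff = diff_snapshots(before, after)
        diff["drivers_to_restore"] = affected_drivers(diff)
        return diff


if __name__ == "__main__":
    # Usage from the rescue environment, with the Windows volume mounted at <root>:
    #   python snapshot_diff.py snapshot <root> before.json   (before the scan)
    #   python snapshot_diff.py snapshot <root> after.json    (after the scan)
    #   python snapshot_diff.py diff before.json after.json
    if len(sys.argv) == 4 and sys.argv[1] == "snapshot":
        with open(sys.argv[3], "w") as out:
            json.dump(snapshot(sys.argv[2]), out, indent=1)
    elif len(sys.argv) == 4 and sys.argv[1] == "diff":
        with open(sys.argv[2]) as f_before, open(sys.argv[3]) as f_after:
            result = diff_snapshots(json.load(f_before), json.load(f_after))
        result["drivers_to_restore"] = affected_drivers(result)
        print(json.dumps(result, indent=1))
    else:
        print(json.dumps(demo_snapshot_diff(), indent=1))
```

Run the snapshot command from the rescue CD or USB environment against the mounted Windows volume, once before and once after the scan, and keep both JSON files on the removable media; the diff output is the list the article asks you to write down, and the drivers_to_restore entries are the .sys files to copy back from the driver cache or a clean download before booting Windows normally.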