New Tool Released: Kiss (or Kick) ZeroAccess Goodbye

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

There are fewer types of malware infections more frustrating and annoying than a rootkit with backdoor capabilities. Over the past couple of years, we’ve seen the emergence of this new, tough-to-fight infectious code, and its transformation from nuisance to severe threat.

With the hard work and perseverance of Threat Research Analyst and master reverse-engineer Marco Giuliani, we’re proud to release the latest build of a tool we’ve used internally to clean the infections from the notable ZeroAccess rootkit off of victims’ computers. AntiZeroAccess exploits many of the vulnerabilities that Marco discovered in the rootkit to cleanly remove the rootkit code from infected machines.

The free tool removes the rootkit but does not restore the Access Control Lists (ACLs) that have been modified by the rootkit. For that, you’ll probably want to use a free tool like SetACL, which can make software functional that ZeroAccess disabled by modifying its ACL.

26 thoughts on “New Tool Released: Kiss (or Kick) ZeroAccess Goodbye

    • Yes, the tool is for 32 bit only because the main infection of ZeroAccess does infect only 32 bit versions of Windows. About the 64 bit infection of ZeroAccess – which is completely different from the 32 bit one – Windows SecureAnywhere has been updated to remove this threat as well

  1. What does it mean if the end of the program always states:
    “Your system is not infected by ZeroAccess/Max++ Rootkit!”

    but the beginning of the log shows:
    Check rootkit device: Found!
    System Disk class driver state: Infected!
    Current analysis path: C:\WINDOWS\system32\Drivers\
    Check file “abp480n5.sys”… Clean!

    Can’t get rid of this bugger!

    • I had big hopes for this new tool, unfortunately it did little to fix the problem. The tool has no problem detecting
      the rootkit Zeroaccess. However, it does not remove, stop or delete the associated .sys files or the Zerroaccess rootkit. I continue to see through the system process tree a system file that I’ve identified as the problem. 2655147966:1101577569.exe
      After running the tool I received the following message in the log file.
      Checkfile “725E.sys is infected!
      Checkfile “acpi.sys error
      I’ve run he tool several times with the same outcome.
      Any help would be greatly appreciated.

    • Hi Justin,
      please give again the new online tool a try, we have updated it to remove latest release of ZeroAccess.


    • The link to download this ZeroAccess remover is located on the right side of this blog and is labeled “Download the ZeroAccess/Max++ rootkit remover”.

    • ZeroAccess 64 bit is a totally different infection from the 32 bit one. We are going to release the fix embedded in our Webroot SecureAnywhere product

  2. For all those interested in the permission that have been changed, your security tab can be restored by opening up your folder options(windows XP, Vista, 7), select the “view” tab, and scroll all the way to the bottom and uncheck “use simple file sharing”. This will allow the security tab to show again enabling you to change ACL permissions through the GUI rather than a 3rd party tool.

    Cheers 🙂

  3. Hey, great work on the ZeroAccess removal tool. I used AntiZeroAccess on an infected machine and it did the job. I noticed that the fake windows updates folder is still there after the removal (C:\WINDOWS\$NtUninstallKBxxxxx$). Is is nessary to remove this folder? If so, how?

    • Hi,
      thanks for your comment! The folder itself contains just crypted unused code, so it is actually harmless. Anyway it’s not easy to manually remove it because of the uncommon settings used by the rootkit to set it up. I’m looking for the easiest way to remove it, and I’ll write the needed steps here below. Stay tuned. Thanks!

  4. Pingback: ZeroAccess APC: My First blog post « AaLl86 Security

  5. I tried the new update and whenever the process is finished the files infected are cleaned but , after the restart a different file is infected and so on.
    Any help?

    Cheers 🙂

    • Hi Joseph — Could you please email with a log of AntiZeroAccess and be sure to send it attention to Marco Giuliani so we can forward it to him for analysis and response? Thanks very much.

  6. Check rootkit device: Found!
    System Disk class driver state: Infected!!!

    but in the end “not infected”
    process numbers:numbers.exe still exists

  7. Here is the log

    “Check rootkit device: Not Found!
    System Disk class driver state: Infected!”
    Then all files are clean. And in the end:
    “Your system is not infected by ZeroAccess/Max++ Rootkit!”

    How to get rid off “System Disk class driver state: Infected!”


  8. Glad to see that Webroot has released an effective tool for removing this. I was part of the very beginning of Webroot’s AMR team and am happy to be able to promote a Webroot tool.

  9. Pingback: How to Clean An Infected Computer « Codes Work

  10. Pingback: Sécurité | Informatique

Join the Conversation

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s