Home / Removal Guide / Ransomware / ZeroAccess rootkit removal

ZeroAccess rootkit removal

[Total: 0    Average: 0/5]

ZeroAccess rootkit is a Trojan horse that roots deeply in the system. Mostly, this trojan is employed to open the backdoors of the compromised PC, “invite” malware programs and even create a hidden file system which allows it to store all its components. Additionally it is able to update itself through peer-to-peer networks It is a great opportunity for the authors to improve ZeroAccess rootkit add more functionality. It’s titled as Zeroaccess because of the string found in its kernel driver code, which points to the ZeroAccess, the original project’s folder. It is also known as max++.

There are methods how you can get infected with this nasty thing. It may squeeses from the websites that host Trojan.Zeroaccess, by means of browser redirections to the same compromised websites, Blackhole Exploit Toolkit or the Bleeding Life Toolkit that both have powerful set of exploits. Take into account that there are many versions of this trojan, like:

  • Trojan.Zeroaccess!kmem
  • Trojan.Zeroaccess.B, Trojan.zeroaccess!inf
  • Trojan.Zeroaccess!inf2
  • Trojan.Zeroaccess!inf3
  • Trojan.Zeroaccess.C
  • Trojan.Zeroaccess!inf4
  • or the latest Trojan.Zeroaccess!gen10
  • and Trojan.Zeroaccess!gen11

At once upon reaching the target PC, ZeroAccess rootkit downloads an application that starts learning victim’s browser habits and redirects search results. This is done for making the money through pay-per-click advertising. Besides, Trojan.ZeroAccess is also capable to invite other “unwanted guest”, like rogue applications or malware. Opening a back door of the system and connecting it to a command and control (C&C) server is also a simple task for this trojan. The attacker gains the access to the compromised computer and does a lot of bad things. If you have noticed the described symptoms on your PC, do not sit with your armed folded. Start removing this badware, performing all steps shown below:

The ZeroAccess rootkit effective removal guide

  1. “Start > Run” and Write “Regedit.exe” and hit Enter (This will run the Registry-Editor)

  3. Go to “HKEY_CLASSES_ROOTCLSID{FBEB8A05-BEEE-4442-804E-409D6C4515E9}InProcServer32”
  4. Right-Click on “(Default)” Key and Click “Modify” and Change it to “%SystemRoot%system32shell32.dll” and click OK
  5. Go to “HKEY_CLASSES_ROOTCLSID{5839FCA9-774D-42A1-ACDA-D6A79037F57F}InprocServer32”
  6. Right-Click on “(Default)” Key and Click “Modify” and Change it to “%systemroot%system32wbemfastprox.dll” and click OK
  7. WARNING: Please look “Other Keys” and Reset them too!

  8. Restart your Computer!
  9. You are back on your Desktop? Good! Goto “Start >> Control Panel >> Folder Options” switch to the Tab “View” and Uncheck the Checkbox “Hide protected operating system files (Recommended)”

  11. Go to the ZeroAccess location with Windows Explorer: “C:RECYCLER” (You can find this location in the Registry-Keys that you need to Reset! Like “C:RECYCLERS-1-5-18$185db5aec15e26bc266ad9b652037153n.”)
  12. Right-Click on the folder “S-1-5-18” and Click “CUT” (Not “DELETE”! Because you can’t delete it “Directory is not empty!”
  13. If you have WINDOWS XP:

  14. Right-Click on your Desktop and click “PASTE” NOW you have Access to this Folder and Delete the folder “S-1-5-18”!
  15. Done!

If you have WINDOWS VISTA (or higher):

  1. Right-Click on your Desktop and click “PASTE”
  2. Right-Click on the folder”S-1-5-18″ (on your Desktop where you Paste it) and click “Properties”
  3. Switch to the Tab “Security” and click “Edit…”
  4. Select “Everyone” and Check the Checkbox “Full control” on the “Allow” side and click OK
  5. Click OK again to Close the Properties-Window
  6. Go inside “S-1-5-18” and go back to step 11) and do that again for ALL Subdirectorys inside “S-1-5-18
  7. Finished? Good! NOW you have Access to this Folder and Delete the folder “S-1-5-18”!
  8. Done!

Check Also

How to detect Anatova Ransomware?

[Total: 0    Average: 0/5] Anatova malware is not a typical bot or keylogger, this …

.Tfudeq (_openme.txt) scary alerts (removal instructions)

[Total: 0    Average: 0/5] .Tfudeq (_openme.txt) malware is not a typical bot or keylogger, …

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.