There are fewer types of malware infections more frustrating and annoying than a rootkit with backdoor capabilities. Over the past couple of years, we’ve seen the emergence of this new, tough-to-fight infectious code, and its transformation from nuisance to severe threat.
With the hard work and perseverance of Threat Research Analyst and master reverse-engineer Marco Giuliani, we’re proud to release the latest build of a tool we’ve used internally to clean the infections from the notable ZeroAccess rootkit off of victims’ computers. AntiZeroAccess exploits many of the vulnerabilities that Marco discovered in the rootkit to cleanly remove the rootkit code from infected machines.
The free tool removes the rootkit but does not restore the Access Control Lists (ACLs) that have been modified by the rootkit. For that, you’ll probably want to use a free tool like SetACL, which can make software functional that ZeroAccess disabled by modifying its ACL.
is this tool 32bit only? i tried running this on a windows 7 64bit system and the tool gave many errors.
Yes, the tool is for 32 bit only because the main infection of ZeroAccess does infect only 32 bit versions of Windows. About the 64 bit infection of ZeroAccess – which is completely different from the 32 bit one – Windows SecureAnywhere has been updated to remove this threat as well
Fine, this article charmed me. A lot of thanks for you
Where does one go about downloading Set ACL?
Try this link
What does it mean if the end of the program always states:
“Your system is not infected by ZeroAccess/Max++ Rootkit!”
but the beginning of the log shows:
Check rootkit device: Found!
System Disk class driver state: Infected!
Current analysis path: C:WINDOWSsystem32Drivers
Check file “abp480n5.sys”… Clean!
…
Can’t get rid of this bugger!
I had big hopes for this new tool, unfortunately it did little to fix the problem. The tool has no problem detecting
the rootkit Zeroaccess. However, it does not remove, stop or delete the associated .sys files or the Zerroaccess rootkit. I continue to see through the system process tree a system file that I’ve identified as the problem. 2655147966:1101577569.exe
After running the tool I received the following message in the log file.
Checkfile “725E.sys is infected!
Checkfile “acpi.sys error
I’ve run he tool several times with the same outcome.
Any help would be greatly appreciated.
Hi Justin,
please give again the new online tool a try, we have updated it to remove latest release of ZeroAccess.
Thanks!
What’s the link to the online tool that you refer to? Thanks.
The link to download this ZeroAccess remover is located on the right side of this blog and is labeled “Download the ZeroAccess/Max++ rootkit remover”.
Is there a version of this that works on 64-bit systems?
ZeroAccess 64 bit is a totally different infection from the 32 bit one. We are going to release the fix embedded in our Webroot SecureAnywhere product
For all those interested in the permission that have been changed, your security tab can be restored by opening up your folder options(windows XP, Vista, 7), select the “view” tab, and scroll all the way to the bottom and uncheck “use simple file sharing”. This will allow the security tab to show again enabling you to change ACL permissions through the GUI rather than a 3rd party tool.
Cheers 🙂
Hey, great work on the ZeroAccess removal tool. I used AntiZeroAccess on an infected machine and it did the job. I noticed that the fake windows updates folder is still there after the removal (C:WINDOWS$NtUninstallKBxxxxx$). Is is nessary to remove this folder? If so, how?
Hi,
thanks for your comment! The folder itself contains just crypted unused code, so it is actually harmless. Anyway it’s not easy to manually remove it because of the uncommon settings used by the rootkit to set it up. I’m looking for the easiest way to remove it, and I’ll write the needed steps here below. Stay tuned. Thanks!
Thanks Marco!
The new update is working great! Thanks Marco for all your hard work!
Great to hear this! Thanks for your positive comment!
Cheers,
Marco
I tried the new update and whenever the process is finished the files infected are cleaned but , after the restart a different file is infected and so on.
Any help?
Cheers 🙂
Hi Joseph — Could you please email security@webroot.com with a log of AntiZeroAccess and be sure to send it attention to Marco Giuliani so we can forward it to him for analysis and response? Thanks very much.
Check rootkit device: Found!
System Disk class driver state: Infected!!!
but in the end “not infected”
process numbers:numbers.exe still exists
Here is the log
“Check rootkit device: Not Found!
System Disk class driver state: Infected!”
Then all files are clean. And in the end:
“Your system is not infected by ZeroAccess/Max++ Rootkit!”
How to get rid off “System Disk class driver state: Infected!”
Thanks
Glad to see that Webroot has released an effective tool for removing this. I was part of the very beginning of Webroot’s AMR team and am happy to be able to promote a Webroot tool.