
How to Remove ZeroAccess (Rootkit.Sirefef) from your PC as Easy as 1, 2, 3

There is no doubt, 2011 has been a rich year for rootkit malware creators. Following in the footsteps of the TDSS / TDL4 rootkit that has been touted as

ZeroAccess, or Sirefef, is a piece of malware that replaces some critical files belonging to the operating system and hooks some kernel structures to make itself invisible to both the OS and security software.

We have seen samples of the ZeroAccess dropper disguised as cracks and key generators for a wide range of applications, from Microsoft Office 2010 to porn downloaders or games. Once the user downloads and executes the infected crack or patch in an attempt to pirate a commercial application, the dropper silently installs the ZeroAccess rootkit by overwriting a random driver. It then stores its data in %SYSTEMROOT%\system32\config under a random name. Once the legitimate driver has been overwritten, Rootkit.Sirefef is executed at each boot instead of the genuine driver. To further protect itself, it also infects a random executable file located in the system32 folder, which will reinfect the system should the rootkit become inactive.

I’m not going to dwell on the internal workings of Rootkit.Sirefef. Suffice it to say that this piece of malware creates a harmless executable file that acts like a tripwire: whenever it is scanned by a security solution, the rootkit tries to kill the antivirus. Some AV products are unable to protect their processes against the killing routine and are disabled, leaving the system vulnerable to other malware attacks.
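As an added example (not part of the original article and not Bitdefender's removal tool), the following PowerShell sweep looks for the two artefacts described above: a driver in System32\drivers whose file is no longer a validly signed binary, and files in %SYSTEMROOT%\System32\config that a stock installation would not contain. The list of expected config names is an assumption to be extended for your build; because the rootkit hides from the running OS, point -WindowsRoot at an offline-mounted copy of the infected volume.

```powershell
# Added example: integrity triage for a suspected Sirefef-style driver overwrite.
# Run against an offline-mounted Windows volume (e.g. -WindowsRoot E:\Windows) so the
# rootkit's kernel hooks cannot hide the files from the enumeration.
param(
    [string]$WindowsRoot = $env:SystemRoot,
    # Names a stock System32\config is expected to hold (assumption; extend as needed)
    [string[]]$KnownConfigNames = @('SAM','SECURITY','SOFTWARE','SYSTEM','DEFAULT',
        'BCD-Template','COMPONENTS','systemprofile','TxR','RegBack','Journal',
        '*.LOG*','*.sav','*.evt')
)

$driverDir = Join-Path $WindowsRoot 'System32\drivers'
$configDir = Join-Path $WindowsRoot 'System32\config'

# 1. Drivers whose Authenticode signature is missing or does not verify. A vendor driver
#    that has been overwritten by a foreign binary shows NotSigned or HashMismatch.
$suspectDrivers = @(Get-ChildItem -Path $driverDir -Filter '*.sys' |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            New-Object PSObject -Property @{
                File    = $_.FullName
                Status  = $sig.Status
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                Written = $_.LastWriteTime
            }
        }
    })

# 2. Files in System32\config that match none of the expected names.
$unexpectedConfig = @(Get-ChildItem -Path $configDir |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object {
        $name = $_.Name
        -not ($KnownConfigNames | Where-Object { $name -like $_ })
    })

"== Drivers with non-valid signatures ($($suspectDrivers.Count)) =="
$suspectDrivers | Sort-Object Written -Descending |
    Format-Table File, Status, Signer, Written -AutoSize
"== Unexpected files in System32\config ($($unexpectedConfig.Count)) =="
$unexpectedConfig | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
```

Inbox drivers that are catalog-signed rather than embedded-signed also report NotSigned on older Windows versions, so treat the output as a triage list to compare against a known-good installation, not as a verdict.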

Bitdefender customers are not vulnerable to Rootkit.Sirefef, as all security products in the Bitdefender family can detect and remove the e-threat. Computer users who are not protected by a Bitdefender antivirus can disinfect their computer in three simple steps:

1. Download the Rootkit.Sirefef free removal tool (the rootkit does not work in 64-bit operating systems);

2. Run the removal tool;

3. Reboot the PC to complete the disinfection procedure.

The removal tool is provided courtesy of Bitdefender malware researchers Balazs Biro and Mihail Andronic.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

9 Comments

  • I think the download link for the zeroaccess tool is broken. I can get to the site, but when I click “download” nothing happens, no blocked pop ups/files or anything. Just sits there.

  • You should update this. Sirefef is now infecting 64-bit systems. Removing it is a real bear as it kills critical processes and causes your machine to shut down, stopping the removal process.

  • Hiya! Quick question that’s totally off topic. Do you know how to make your site mobile friendly? My site looks weird when browsing from my iphone4. I’m trying to find a template or plugin that might be able to correct this issue. If you have any suggestions, please share. Thanks!

  • I was able to remove it using a variety of tools, from MBAM to a Symantec specifically designed tool. Once you get rid of the nasty part with MBAM that disables MSE, you must re-install it and that’s when I used the Symantec tool to finish it off. Machine seems to be fine, for now.

  • Go here and download it =

    http://www.hotforsecurity.com/download/sirefef-zeroaccess-removal-tool-32-bit

    good luck folks

  • Greetings! I know this is kinda off topic, however I figured I’d ask. Would you be interested in exchanging links or maybe guest writing a blog post or vice-versa? My website addresses a lot of the same topics as yours and I think we could greatly benefit from each other. If you’re interested, feel free to send me an e-mail. I look forward to hearing from you! Great blog by the way!

  • I have found that a lot of the cleanout tools mentioned here do not fix the issue.
    (at least not for me)

    What fixed it for me was Malwarebytes
    http://www.malwarebytes.org/
    (get the free version)