For most previous variants of this malware, McAfee provides protection via signatures. Please ensure you have the most up-to-date DATs and Engine. For the most recent variant, where McAfee (or your security product) may be disabled, please follow the manual cleaning instructions below. A standalone tool may be provided in the near future to help remediate this threat.
NTFS Folder Permission Alteration
Besides killing any security tool that tries to access its files or processes, newer variants of ZeroAccess implement an additional method of disabling security tools.
Once the tool's process has been killed, the rootkit removes all NTFS permissions from the tool's file, so that the file can no longer be executed afterwards. This method of disabling security tools has been seen before in malware families such as W32/Pinkslipbot and W32/Simfect.
The file permissions can be restored by carrying out the following actions.
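As an added example, not a procedure from the advisory, the following PowerShell script finds files whose NTFS DACL has been stripped in the way described above and restores the inherited permissions with takeown.exe and icacls.exe (both present on Windows Vista and later). The target directory is an assumption; point it at the install directory of the product that was disabled. It should be run from an elevated prompt only after the rootkit driver has been dealt with, because an active rootkit will simply kill the restoring process and strip the permissions again.

```powershell
# Added example, not from the advisory: find files whose NTFS DACL has been stripped,
# the way ZeroAccess strips it from a security product's binaries, then restore the
# inherited permissions with takeown.exe and icacls.exe (Windows Vista and later).
# $Target is an assumption; point it at the install directory of the disabled product.
# Run from an elevated prompt after the rootkit driver has been dealt with, otherwise
# the rootkit can kill this process and strip the permissions again.
param(
    [string]$Target = 'C:\Program Files\Common Files\McAfee'
)

# A file with no ACEs at all has an empty DACL, which denies everything to everyone,
# including execution. If the ACL cannot even be read, report that as well.
function Find-StrippedAcl {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_   # keep the file object; $_ is the error record inside catch
            try {
                $acl = Get-Acl -Path $file.FullName -ErrorAction Stop
                if ($acl.Access.Count -eq 0) {
                    New-Object PSObject -Property @{ Path = $file.FullName; Reason = 'empty DACL' }
                }
            } catch {
                New-Object PSObject -Property @{ Path = $file.FullName; Reason = 'ACL unreadable: ' + $_.Exception.Message }
            }
        }
}

# takeown makes the current administrator the owner (an owner can always rewrite the DACL);
# icacls /reset discards the explicit ACEs and reapplies the ones inherited from the parent
# directory, which is what a normal Program Files tree carries.
# /R and /T recurse; /D Y answers the "take ownership of this directory?" prompt that
# appears for directories the caller cannot list; /C continues past errors.
function Repair-Acl {
    param([string]$Path)
    & takeown.exe /F $Path /R /D Y | Out-Null
    & icacls.exe $Path /reset /T /C | Out-Null
}

$before = @(Find-StrippedAcl -Root $Target)
if ($before.Count -eq 0) {
    Write-Host "No files with a stripped DACL under $Target"
} else {
    Write-Host ("{0} file(s) with a stripped DACL:" -f $before.Count)
    $before | Select-Object Path, Reason | Format-Table -AutoSize
    Repair-Acl -Path $Target
    # Re-check: anything still listed needs manual attention.
    $after = @(Find-StrippedAcl -Root $Target)
    Write-Host ("{0} file(s) still stripped after the reset" -f $after.Count)
}
```

The re-check at the end is the useful part: if files are still listed after the reset, either the caller is not an administrator or something on the system is reapplying the empty DACL, which means the rootkit is still active and the driver replacement in the manual steps below has not yet been done.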
Manual Remediation steps:
The malicious code is loaded by a patched system driver. To clean the system manually, it is necessary to identify the malicious .SYS file and replace it with a good copy from the installation media.
To identify which system driver was replaced, the user will need the following tool:
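As an added example, and not the McAfee tool referred to above, the following PowerShell script lists the drivers under System32\drivers that no longer match a known-good copy, and shows each one's Authenticode status as a second opinion. The known-good directory (D:\KnownGood\drivers) is an assumption: it must hold clean drivers from installation media of the same Windows build and service pack, otherwise ordinary version differences show up as mismatches. Because this is a rootkit, the comparison is most trustworthy when run against an offline copy of the system volume (for example from WinPE) rather than on the running, infected system.

```powershell
# Added example, not the advisory's tool: flag .sys files under System32\drivers that
# differ from a known-good copy, with their Authenticode status as a second opinion.
# Assumptions (not from the advisory): $GoodDrivers holds clean drivers taken from
# installation media of the SAME Windows build and service pack, otherwise ordinary
# version differences appear as mismatches.
# Run from an elevated prompt; preferably against an offline copy of the system volume
# (e.g. from WinPE), since an active rootkit can hide its patch from reads made on the
# running system.
param(
    [string]$GoodDrivers = 'D:\KnownGood\drivers',
    [string]$LiveDrivers = (Join-Path $env:SystemRoot 'System32\drivers')
)

# SHA-256 via .NET so the script also runs on PowerShell 2.0, which has no Get-FileHash.
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '')
    } finally {
        $stream.Close()
    }
}

function Compare-DriverSet {
    param([string]$Good, [string]$Live)
    Get-ChildItem -Path $Live -Filter '*.sys' -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $ref = Join-Path $Good $_.Name
            # 'HashMismatch' means the embedded signature no longer covers the file's bytes,
            # i.e. it was modified after signing. 'NotSigned' is NOT proof of tampering:
            # many Microsoft drivers are catalog-signed, which older PowerShell versions do
            # not check, so the hash comparison is the primary test.
            $sig = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            if (-not (Test-Path $ref)) {
                # No counterpart in the clean set: usually a third-party driver, still worth a look.
                New-Object PSObject -Property @{ Driver = $_.Name; Result = 'not in known-good set'; Signature = $sig; Live = ''; Known = '' }
                return
            }
            $liveHash = Get-Sha256Hex -Path $_.FullName
            $goodHash = Get-Sha256Hex -Path $ref
            if ($liveHash -ne $goodHash) {
                New-Object PSObject -Property @{ Driver = $_.Name; Result = 'hash mismatch'; Signature = $sig; Live = $liveHash; Known = $goodHash }
            }
        }
}

$suspects = @(Compare-DriverSet -Good $GoodDrivers -Live $LiveDrivers)
$suspects | Sort-Object Result, Driver | Select-Object Driver, Result, Signature, Live, Known | Format-Table -AutoSize
Write-Host ("{0} driver(s) need a closer look; 'hash mismatch' together with Signature 'HashMismatch' is the strongest indicator of a patched driver." -f $suspects.Count)
```

A driver reported as a hash mismatch is the candidate to replace with the good copy from the installation media, as the manual steps describe; a driver that is merely absent from the known-good set is more often a legitimate third-party driver and should be checked by other means before it is touched.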
Standalone Removal Tool Instructions:
Alternatively, McAfee is making available a standalone tool to detect and remove the ZeroAccess rootkit from customers' infected machines. The tool is available for download here
NOTE: McAfee has prepared this standalone tool to assist with the remediation of this threat. The McAfee Quality Assurance team has NOT tested or approved these files for release. McAfee makes no warranty that these files will be free from errors or other interruptions or that they will meet your requirements. In the meantime, users are requested to use caution when utilizing it to combat ZeroAccess.
Extract the tool to a temporary folder and run it from the command line. The following image shows what is expected when the tool successfully detects and removes the malware:
ZeroAccess has been known to be accompanied by other malware. Therefore, as an option, customers may use the latest Beta DATs, available here, with the csscan.exe command-line scanner as shown in the instructions above.