How to Remove Win32/ZeroAccess: Step-by-Step Remover Guide

Manual & Automated Methods to Remove Win32/ZeroAccess Malware

Overview

Win32/ZeroAccess (also known as Sirefef or Max++) is a persistent malware family that has used rootkit techniques, hijacked Windows services and tampered with the registry to survive reboots and hide from scanners. Removal can require both specialized automated tools and manual cleanup; take the automated-first approach and fall back to manual steps only for remnants the tools miss.

Automated removal (recommended — run in this order)

  1. Boot to Safe Mode with Networking (Windows 8/10/11: hold Shift while clicking Restart → Troubleshoot → Advanced options → Startup Settings → Safe Mode with Networking). Some scanners, Microsoft Defender among them, do not run in Safe Mode, so confirm which mode the product you plan to use supports.
  2. Update signatures for a reputable antimalware product (ESET, Malwarebytes, Bitdefender, Microsoft Defender, etc.).
  3. Run a full system scan and let the product remove/quarantine detections.
  4. Use vendor-specific ZeroAccess/Sirefef removal tools if standard scans leave remnants:
    • ESET SirefefCleaner (ESETSirefefCleaner.exe), with the /r or /f switches where ESET's documentation for the tool calls for them.
    • Other vendor tools: Bitdefender's removal tool, Kaspersky TDSSKiller, or RogueKiller, which handles variants that hide files and folders behind Unicode naming tricks.
  5. Reboot and run a second full scan.
  6. If available, run an offline rescue disk scan (bootable rescue ISO from Bitdefender, Kaspersky, or Microsoft Defender Offline) and scan from outside Windows.
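The sequence above, driven from an elevated PowerShell with Microsoft Defender's module. This is an added example, not code from the original guide or from any vendor; it assumes Windows 10/11 with the Defender cmdlets available (check with Get-Command Start-MpScan). The switch names and the log directory are my own choices.

```powershell
# Added example (not from the original guide): runs the automated removal
# sequence with Microsoft Defender. Run elevated. Assumes Windows 10/11 with
# the Defender PowerShell module. Switch names and $LogDir are assumptions.
[CmdletBinding()]
param(
    [switch]$EnterSafeMode,   # step 1: flag the next boot as Safe Mode with Networking
    [switch]$LeaveSafeMode,   # clear that flag once cleanup is finished
    [switch]$OfflineScan,     # step 6: schedule a Microsoft Defender Offline scan
    [string]$LogDir = "$env:SystemDrive\RemovalLogs"
)

if ($EnterSafeMode) {
    bcdedit /set "{current}" safeboot network | Out-Null
    'Safe boot flag set: reboot to enter Safe Mode with Networking.'
    return
}
if ($LeaveSafeMode) {
    bcdedit /deletevalue "{current}" safeboot | Out-Null
    'Safe boot flag cleared: the next boot is a normal one.'
    return
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Step 2: refresh signatures and record the versions actually in use.
Update-MpSignature
$status = Get-MpComputerStatus
"AV signatures {0} (updated {1}), engine {2}" -f $status.AntivirusSignatureVersion,
    $status.AntivirusSignatureLastUpdated, $status.AMEngineVersion

# Step 3 (repeat for step 5): full scan; Defender quarantines or removes per its policy.
Start-MpScan -ScanType FullScan

# Report each detection with the files it touched and whether remediation succeeded.
Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | ForEach-Object {
    $threat = Get-MpThreat -ThreatID $_.ThreatID
    [pscustomobject]@{
        When       = $_.InitialDetectionTime
        Threat     = $threat.ThreatName
        Resources  = ($_.Resources -join '; ')
        Remediated = $_.ActionSuccess
    }
} | Tee-Object -FilePath "$LogDir\detections.txt" | Format-Table -AutoSize

# Preserve Defender's operational log next to the removal notes.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 500 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Export-Csv -Path "$LogDir\defender-operational.csv" -NoTypeInformation

# Step 6: Defender Offline reboots into a minimal environment and scans from outside Windows.
if ($OfflineScan) { Start-MpWDOScan }
```

Start-MpScan blocks until the full scan finishes, and Start-MpWDOScan reboots the machine, so run the offline pass last. Because Defender itself does not run in Safe Mode, use the safe-mode switches only when the scanner you run in steps 2 to 4 is a third-party product that supports it; the Defender scan and the Defender Offline scan run from normal mode.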

Manual removal (only if automated tools fail)

  1. Disconnect from the network and boot to Safe Mode or use a known-clean recovery environment (Windows PE or rescue disk).
  2. Identify malicious persistence points: check autoruns (Sysinternals Autoruns), Services (services.msc and HKLM\SYSTEM\CurrentControlSet\Services, including each service's ImagePath and Parameters\ServiceDll), and the Run and RunOnce keys in the registry (HKLM and HKCU\Software\Microsoft\Windows\CurrentVersion\Run and \RunOnce).
  3. Use Autoruns to uncheck/delete suspicious entries and note file paths.
  4. Inspect and, if needed, delete malicious files from disk (Program Files, %APPDATA%, Windows\Installer, System32). If a file is locked or protected, schedule its deletion for the next reboot (the PendingFileRenameOperations mechanism) or delete it from an offline environment.
  5. Repair substituted system files and drivers: restore overwritten drivers or system DLLs from known-good sources, running DISM first (DISM /Online /Cleanup-Image /RestoreHealth from an elevated command prompt; from Windows PE use DISM /Image:<drive> instead of /Online) and then SFC /scannow, or restore from backup. Note that SFC only verifies Windows-protected files; a malicious service DLL registered under its own name will not be flagged.
  6. Clean registry remnants carefully: remove only confirmed malicious entries (export keys before editing).
  7. Re-enable and repair legitimate services if the cleaner prompted restoration.
  8. Reboot and run a full antimalware scan to verify.
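A triage script for steps 2 to 6 of the manual procedure, as an added example that is not part of the original guide. It reports Run/RunOnce entries and services whose binary lives in a user-writable or installer directory, is missing, or lacks a valid Authenticode signature; it also provides a key backup helper and a reboot-time deletion helper. The function names, the $suspectRoots list and the backup directory are my own assumptions, and the script changes nothing unless you call Backup-RegKey or Add-PendingDelete yourself.

```powershell
# Added example (not from the original guide): triage persistence points before
# manual ZeroAccess cleanup. Run elevated, ideally from Safe Mode. Assumes
# Windows 10/11 with PowerShell 5.1+. Function names and $suspectRoots are assumptions.
$ErrorActionPreference = 'SilentlyContinue'

# Locations droppers of this kind favour for payloads; an autorun or service pointing
# here, or at a missing or unsigned binary, deserves a closer look.
$suspectRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP,
    "$env:WINDIR\Installer", "$env:SystemDrive\`$Recycle.Bin"
)

function Get-BinaryVerdict {
    param([string]$CommandLine)
    # Reduce a command line or driver path to the binary it launches.
    $exe = $CommandLine -replace '^\s*"([^"]+)".*$', '$1'
    $exe = $exe -replace '^(.*?\.(exe|dll|sys))\b.*$', '$1'
    $exe = $exe -replace '^\\\?\?\\', ''                    # \??\C:\... -> C:\...
    $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\... -> C:\Windows\...
    if ($exe -match '^system32\\') { $exe = "$env:SystemRoot\$exe" }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    $reasons = @()
    if ($suspectRoots | Where-Object { $exe -like "$_\*" }) { $reasons += 'user-writable or installer dir' }
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { $reasons += 'file missing' }
    elseif ((Get-AuthenticodeSignature -LiteralPath $exe).Status -ne 'Valid') { $reasons += 'no valid Authenticode signature' }
    [pscustomobject]@{ Path = $exe; Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
}

function Get-SuspiciousAutoruns {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip PSPath/PSParentPath/PSProvider
            $v = Get-BinaryVerdict $p.Value
            if ($v.Suspicious) { [pscustomobject]@{ Source = "$key\$($p.Name)"; Path = $v.Path; Reasons = $v.Reasons } }
        }
    }
    # Services and kernel drivers: ImagePath plus the ServiceDll that svchost-hosted services load.
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $cfg = Get-ItemProperty -Path $svc.PSPath
        $targets = @()
        if ($cfg.ImagePath) { $targets += $cfg.ImagePath }
        $dll = (Get-ItemProperty -Path "$($svc.PSPath)\Parameters").ServiceDll
        if ($dll) { $targets += $dll }
        foreach ($t in $targets) {
            $v = Get-BinaryVerdict $t
            if ($v.Suspicious) { [pscustomobject]@{ Source = "Service $($svc.PSChildName)"; Path = $v.Path; Reasons = $v.Reasons } }
        }
    }
}

function Backup-RegKey {
    param([string]$Key, [string]$OutDir = "$env:SystemDrive\RemovalLogs")
    # Export before editing so a wrong deletion can be reversed with `reg import`.
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $file = Join-Path $OutDir (($Key -replace '[\\:]', '_') + '.reg')
    reg.exe export ($Key -replace '^HK(LM|CU):', 'HK$1') $file /y | Out-Null
    return $file
}

function Add-PendingDelete {
    param([string]$Path)
    # Session Manager processes PendingFileRenameOperations early at boot, before the
    # file can be locked again; a source path followed by an empty target means delete.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = @()
    $existing = (Get-ItemProperty -Path $key).PendingFileRenameOperations
    if ($existing) { $ops += $existing }
    $ops += "\??\$Path"
    $ops += ''
    Set-ItemProperty -Path $key -Name PendingFileRenameOperations -Value $ops -Type MultiString
}

# Triage run: review the list by hand. For a confirmed entry, back up its key first, e.g.
# Backup-RegKey 'HKLM:\SYSTEM\CurrentControlSet\Services\<name>', then Add-PendingDelete '<path>'.
Get-SuspiciousAutoruns | Format-Table -AutoSize
```

Expect some noise: third-party software that is legitimately unsigned, or entries in %ProgramData%, will show up alongside real findings, so treat the output as a shortlist to verify against Autoruns and file hashes, not as a kill list. More importantly, a live kernel rootkit can hide keys and files from a script run inside the infected Windows, which is why the guide prefers an offline environment; if the output looks suspiciously clean, load the offline SYSTEM and SOFTWARE hives from a rescue disk and repeat the review there.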

Post‑removal actions

  • Change all account passwords from a clean device.
  • Apply all Windows updates and update software.
  • Review installed programs and browser extensions; remove unknown items.
  • Enable reputable real‑time antimalware and consider periodic offline scans.
  • If system integrity cannot be proven or infections persist, back up personal data (files only), wipe the disk, and perform a clean OS reinstall.

Quick safety notes

  • Prefer automated vendor tools and offline rescue disks to avoid manual mistakes.
  • If unsure, seek professional help or consult vendor support (ESET, Malwarebytes, etc.).
  • Preserve logs from removal tools (they help diagnostics).
