Level 7

Managed to remove ZeroAccess.hg trojan

I'm posting my recent experiences with a trojan which I eventually managed to remove (at least, that's my hope).

I am using McAfee Internet Security 11.6. A few days ago I mindlessly ran a suspicious program downloaded from the Internet which contained a trojan.

When I ran the program McAfee reported it as infected but evidently did NOT prevent the trojan from running and installing itself (disappointing).

Since then the McAfee firewall started turning itself off every 10 minutes or so. I performed a full system scan with McAfee but the system was found clean.

Even when explicitly scanning (right-click on the file name, Scan) the original infected executable McAfee said it was clean.

I uploaded the executable to and here are the results:

AntiVir        BDS/ZAccess.yrh.1
Avast          Win32:ZAccess-JH
BitDefender    Trojan.Agent.AWXR
Comodo         TrojWare.Win32.Trojan.Agent.Gen
DrWeb          Trojan.DownLoader6.62544
ESET-NOD32     Win32/Sirefef.EV
F-Secure       Trojan.Agent.AWXR
Fortinet       W32/ZAccess.YRH!tr.bdr
GData          Trojan.Agent.AWXR
K7AntiVirus    Backdoor
Kaspersky      Backdoor.Win32.ZAccess.yrh
McAfee         ZeroAccess.hg
Microsoft      Trojan:Win32/Sirefef.P
Norman         W32/ZAccess.PDF
nProtect       Trojan.Agent.AWXR
Panda          Trj/CI.A
Sophos         Mal/EncPk-ACO
Symantec       WS.Reputation.1
VIPRE          Trojan.Win32.Generic!BT
ViRobot        Backdoor.Win32.A.ZAccess.165888.X

I then downloaded and scanned my system (all files for each scan, it's taken ages!) with these programs (the latest versions available):

McAfee RootKit remover

McAfee Stinger

Sophos Virus Removal Tool

Kaspersky TDSSKiller

SpyBot Search and Destroy

Malwarebytes Anti-Malware

NONE of these programs found any infected file on my system, so this sucker of a trojan was hiding very well indeed!

I also tried scanning after rebooting windows in Safe mode (with or without network) but nothing changed.

As a last resort I physically took out the hard disk from my laptop and then used an external USB hard disk bay to access it from another computer and then scanned it using F-Prot security. This scan too didn't find anything; however I realised that several directories (including the directory where the original infected executable was) were not accessible from Explorer due to Windows' privacy controls, so this scan probably doesn't really count.

Eventually I found threads on the McAfee forums reporting similar problems; in one of the messages there is a link to this guide "How to completely remove ZeroAccess/Sirefef rootkit". I followed the instructions to the letter and (I think!) I managed to get rid of the flipping trojan.

Essentially I downloaded and executed EZ_SireFix.exe, ServicesRepair.exe and ComboFix.exe (following the instructions) and having done that the problem with the McAfee firewall turning off stopped.

I downloaded and ran HitmanPro, and ESET online scanner and neither of them found any problem on my system (for what it's worth).

Over the following week I didn't notice any suspicious behaviours in my computer so I assume it is clean.

0 Kudos
6 Replies
Level 21

Re: Managed to remove ZeroAccess.hg trojan

That's interesting. When McAfee first detected the problem did it indicate action taken or that a reboot was required? I'm wondering if you had then rebooted into Safe Mode and run a scan if that would have cleaned it out. (Safe Mode scans are different - you can only right-click the taskbar icon and select 'Run a Scan' and the SecurityCenter won't open).

The fact that none of those additional programs found anything would indicate that it had removed whatever it was, although now of course we can't be certain. But usually when it detects something it quarantines it immediately. Was or is there anything in the Quarantine folders?

0 Kudos
Level 7

Re: Managed to remove ZeroAccess.hg trojan

Unfortunately I don't remember exactly what McAfee said when it encountered the Trojan. For sure it didn't give me any option to reboot & delete, or I'd certainly have selected that. I seem to remember it said that the threat had been removed, or something to that effect.

McAfee and all the other security programs failed to detect the Trojan even though the original infected executable (the one whose scan results I posted above) was present in the system.

0 Kudos
Level 21

Re: Managed to remove ZeroAccess.hg trojan

Open SecurityCenter

Click Navigation

Scroll down to Quarantined and Trusted Items

Click on those 'drawers' and see if anything is in there.

It is rather curious I must admit.

0 Kudos
Level 18

Re: Managed to remove ZeroAccess.hg trojan

Thread moved into Top Threats

0 Kudos
Level 7

Re: Managed to remove ZeroAccess.hg trojan

Hi, sorry for the late reply. I have checked in the quarantined items and I have 4 items related to ZeroAccess, with the date/time I first came across the virus (1 October). The first (oldest) of these lines looks like this:

@     ZeroAccess!cfg     01/10/2012     17:21

Clicking on the "+" sign I see a path to C:\$Recycle.Bin\(string of numbers)

The second line looks like this:

N     ZeroAccess     01/10/2012     17:21

The path is the same as the previous line.

There are two more such lines, one labelled with @ and one with N, but pointing to a different file (folder?) in the recycle bin.

What do you think this means?

0 Kudos
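The quarantine entries above point into C:\$Recycle.Bin, which a normal Windows install only uses for deleted-item pairs ($I... metadata plus $R... content) and desktop.ini. The following triage script is an added example, not from this thread or from McAfee: it lists every file under the per-user $Recycle.Bin folders that does not follow that naming scheme, flags PE images by their MZ header regardless of extension, and hashes them so they can be compared with the quarantined items. It assumes an elevated PowerShell session (the folders are hidden/system) and PowerShell 4 or later for Get-FileHash.

```powershell
# Added triage example (not the thread's or McAfee's code). Walk every
# <SID> folder under $Recycle.Bin and report files that are not ordinary
# recycle-bin entries. Run from an elevated prompt.
$bin = Join-Path $env:SystemDrive '$Recycle.Bin'   # single quotes: literal $

Get-ChildItem -LiteralPath $bin -Force -Directory -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sidFolder = $_.FullName
    Get-ChildItem -LiteralPath $sidFolder -Force -Recurse -File -ErrorAction SilentlyContinue |
      Where-Object {
        # Legitimate entries: $I<6 chars>.<ext>, $R<6 chars>.<ext> (or a $R<6 chars>
        # directory holding a deleted folder's files) and desktop.ini. Anything else
        # living here is unexpected and worth a closer look.
        $_.FullName -notmatch '\\\$[IR][A-Z0-9]{6}' -and $_.Name -ne 'desktop.ini'
      } |
      ForEach-Object {
        # Sniff the first two bytes: 'MZ' means a PE image whatever the extension says
        $pe = ''
        try {
          $fs = [System.IO.File]::Open($_.FullName, 'Open', 'Read', 'ReadWrite')
          $b  = New-Object byte[] 2
          $null = $fs.Read($b, 0, 2)
          $fs.Close()
          if ($b[0] -eq 0x4D -and $b[1] -eq 0x5A) { $pe = 'MZ' }
        } catch { $pe = 'locked' }   # a locked file here is itself a signal

        [PSCustomObject]@{
          SidFolder = Split-Path $sidFolder -Leaf
          Path      = $_.FullName.Substring($sidFolder.Length + 1)
          Size      = $_.Length
          Hidden    = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
          PE        = $pe
          SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                        -ErrorAction SilentlyContinue).Hash
        }
      }
  } | Format-Table -AutoSize
```

An empty result is the expected state on a clean machine; files that appear in the output, in particular hidden ones with an MZ header, are what should be compared against the quarantine dates and submitted to the AV vendor rather than simply deleted.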
Level 20

Re: Managed to remove ZeroAccess.hg trojan

Time to clean the recycle bin maybe. Also delete them from the quarantine area.

0 Kudos