[KB2895] How do I remove Sirefef (ZeroAccess) trojan?

Issue

  • Your ESET product detects the threat Win32/Sirefef, Patched.B.Gen, or Conedex
  • You believe that you are infected with a rogue antivirus such as "Open Cloud Security"
  • You receive the message "Error communicating with kernel"

Details

  • This malware is also known as "ZeroAccess" or "Max++" and ESET detects all variants of this threat as Win32/Sirefef

Solution

I. Download the ESETSirefefCleaner tool

Click the link below to download the ESETSirefefCleaner tool. Save the file to your Desktop and continue to part II.

ESETSirefefCleaner tool

Unable to download "ESETSirefefCleaner.exe contained a virus and was deleted"

More recent variants of Sirefef might prevent you from downloading our removal tool. If you cannot download the tool, follow the steps below:

  1. Click Start → Computer → Local Disk (C:) → Program Files.
  2. Right-click the Windows Defender folder and select Rename from the context menu.
  3. Add a unique variation to the filename, such as .old (for example, Windows Defender.old).
  4. Click the link above to download the ESETSirefefCleaner tool.
  5. When the download is complete, make sure to rename the Windows Defender folder back to its original filename before running the ESETSirefefCleaner tool. When you are finished, proceed to part II.

 

II. Run the ESETSirefefCleaner tool

  1. From your Desktop, double-click ESETSirefefCleaner, which you downloaded in part I.
  2. If security notifications appear, click Continue or Run.
  3. The message "Win32/Sirefef.EV found in your system" will be displayed if an infection is found. Press Y on your keyboard to remove the infection.

Figure 1-1

  4. Once the tool has run, you will be prompted to restore system services after you restart your computer. Press Y on your keyboard to restore system services and restart your computer.

Figure 1-2

  5. Once your computer has restarted, if you are presented with a security notification, click Yes or Allow, and then continue to part III below.

 

III. Perform a computer scan

  1. Open ESET Smart Security or ESET NOD32 Antivirus. How do I open my ESET product?
  2. Click Computer Scan → Custom scan... and select In-depth scan from the Scan profile drop-down menu.

Figure 1-3

  3. Select the check box next to Computer and click Scan. The scan will remove any remnants of the malware still left on your system.

    Windows XP users: Select the check box next to My Computer and then click Scan.

Figure 1-4

 

IV. Troubleshooting

If after performing the steps in parts I-III above the issue is not resolved, follow the instructions below:

  1. Click Start → All Programs → Accessories. Right-click Command Prompt and choose Run as administrator from the context menu.
      • Windows 8 users: Press the Windows key + Q to open an app search and type cmd into the Search field. Right-click the cmd application when it appears in results and select Run as administrator from the context menu.
  2. In the command prompt, type CD %userprofile%\desktop. The directory will change to indicate that you are accessing files from your Desktop.
  3. To run the ESETSirefefCleaner tool in manual repair mode, type the command ESETSirefefCleaner.exe /f

    The following switches can be used with ESETSirefefCleaner.exe:
    1. /d => Generate log: The scanner will produce a log of its activity which can be submitted to ESET for further analysis. We recommend that you use this switch so that ESET technical support agents can examine these logs if needed.
    2. /s => Silent mode: Files will be cleaned/decrypted in the background with no logs created.
    3. /f => Force cleaning: Any infected files will be cleaned or decrypted without any prompt from the user.
    4. /r => Restore system services: Attempts to restore any system components that have been disabled or damaged by the malware.
  4. Once the tool is finished you will be prompted to restart your computer. Click Yes to restart.
  5. Once your computer has restarted, follow the instructions from part III of this article to perform a computer scan.

Need Assistance in North America?

If you are a North American ESET customer and need assistance, view product documentation or visit helpus.eset.com to chat with a live technician.