KillZA

Current Version: 2.0.1

NEWS: KillZA is dated and does not work on the latest variants.  There are other tools out there like Bitdefender’s tool and another I’m not thinking of right now, and they seem to do a good job at both removal and repair.  No reason to reinvent the wheel until the next time we have a new ZeroAccess variant and no tool to remove it easily.

NEWS: KillZA v2.x now performs Windows repairs after the removal is complete!!!

KillZA is a quick and dirty tool I wrote to remove the newer ZeroAccess (Sirefef) user-mode variants: those that hide in a subdirectory of Windows, and some of the Recycle Bin variants.

Currently this is the Sirefef.P dropper with the .X – .Z and other misc. payloads, but it may work for others. NOTE (5/2013): KillZA does not handle complete cleanup of the most current revisions of ZeroAccess, so your mileage may vary depending on the particular variant. The actual *repair* process performed by KillZA still proves effective at the time of this writing.

The removal procedure takes care of the hidden files in your %temp% directory, anything found in %windir%\Installer, anything found in a hidden directory within the Recycle Bin, as well as replacing a potentially infected services.exe file and repairing infected registry entries.
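Before running any removal tool it helps to see what is actually on the box. The script below is an added triage example, not KillZA's own code: it walks the locations the removal procedure above names (the user's %temp%, %windir%\Installer, and the Recycle Bin directories on each drive, which are $Recycle.Bin on Vista/7 and RECYCLER on XP), lists anything carrying the Hidden attribute, and reports the signature state, version and SHA-256 of services.exe instead of assuming it is clean. It deletes nothing. The target paths are assumptions drawn from the description on this page, not from the tool's source, and the registry side of the cleanup is not covered because the page does not name the keys involved.

```powershell
# Added triage example (not KillZA's code). Run from an elevated PowerShell prompt.
# Reports only; nothing is deleted or modified.

function Get-HiddenItems {
    # Return items under $Path that carry the Hidden attribute. -Force is needed
    # or Get-ChildItem silently skips hidden and system entries.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [bool]$Recurse = $false
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }
    Get-ChildItem -LiteralPath $Path -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 }
}

# Locations taken from the removal description on this page (assumed paths).
$targets = New-Object System.Collections.ArrayList
[void]$targets.Add(@{ Name = 'User %temp%';        Path = $env:TEMP;               Recurse = $false })
[void]$targets.Add(@{ Name = '%windir%\Installer'; Path = "$env:windir\Installer"; Recurse = $true  })

# Recycle Bin directory on every filesystem drive; single quotes keep $Recycle.Bin literal.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($bin in '$Recycle.Bin', 'RECYCLER') {
        $p = Join-Path $drive.Root $bin
        if (Test-Path -LiteralPath $p) {
            [void]$targets.Add(@{ Name = "Recycle Bin ($p)"; Path = $p; Recurse = $true })
        }
    }
}

foreach ($t in $targets) {
    Write-Host "== $($t.Name) =="
    Get-HiddenItems -Path $t.Path -Recurse ([bool]$t.Recurse) |
        Select-Object FullName, Attributes, Length, LastWriteTime |
        Format-Table -AutoSize
}

# services.exe: report rather than trust. Windows binaries are catalog-signed, so an
# older PowerShell may show NotSigned even for a clean file; the hash is what you
# compare against a known-good copy from the same Windows build and service pack.
$svc = Join-Path $env:windir 'System32\services.exe'
$sig = Get-AuthenticodeSignature -FilePath $svc
$hash = (certutil -hashfile $svc SHA256 | Select-String -NotMatch 'hash|CertUtil' |
         ForEach-Object { $_.Line.Trim() -replace ' ', '' }) -join ''
New-Object PSObject -Property @{
    Path            = $svc
    SignatureStatus = $sig.Status
    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    FileVersion     = (Get-Item $svc).VersionInfo.FileVersion
    SHA256          = $hash
}
```

Hidden entries in %temp% or the Recycle Bin are not proof of infection on their own (desktop.ini and the per-SID Recycle Bin folders are hidden by design), so read the listing for directories and executables that do not belong there. The services.exe hash is used with certutil so the script also runs on the PowerShell 2.0 that ships with Windows 7; compare it with the hash of a copy taken from a known-clean machine at the same patch level.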

SIDE EFFECT NOTE: On Vista/7, this utility will remove the current user's Windows logon password, if set – don't ask why, it's not important… Also, when Windows has multiple user accounts, you must log in to the same user account from which you first started KillZA on all subsequent reboots, until the utility is finished.

This tool is NOT for earlier versions of ZA (the old rootkit versions that used an NTFS junction point to mask their files).


Download at Majorgeeks.com!


These YouTube videos demonstrate the latest infection techniques and showcase removal with KillZA and repair with D7. NOTE: These videos showcase v1.x of KillZA, where repair with D7 was required after removal; this is no longer the case, as KillZA v2.x now performs the repairs!