Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Trojan.Zeroaccess Removal Tool

Created: 16 Dec 2011 • Updated: 16 Dec 2011 | 18 comments
Thomas K's picture

Hi everyone,

You might be interested to know that Symantec has just released a tool for removing infections of Trojan.Zeroaccess.

For a complete summary and download link please visit - http://bit.ly/uyc4MA

Cheers,

Thomas

Discussion Filed Under:

Comments 18 CommentsJump to latest comment

Swapnil khare's picture

Thanks Thomas for the link . smiley

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

DaveCl's picture

Great that there's a tool but it won't work on my 64 Bit system...  Any advice please?

Cheers

Dave

Thomas K's picture

Unfortunately there is only a 32 bit tool. Try running the Norton Power Eraser tool as mentioned in the removal instructions.

http://security.symantec.com/nbrt/npe.aspx?lcid=10...

http://www.symantec.com/security_response/writeup....

Avkash K's picture

Thanks Thomas for sharing such a usefull information!!

Regards,

Avkash K

Techies's picture

Thanx

Thomas for sharing this Removal tool

jdeeganjr's picture

I am running a Dell Dimension 3000 using Microsoft XP Professional with Service Pack 3 and all Microsoft updates installed soon after they have been released. I am currently using, and have used for several years, Symantec Enpoint Protection (SEP) for my anti-virus program with all updates applied and current anti-virus signatures. SEP did not detect or prevent the Rootkit.ZeroAccess intrusion when it occurred. Nor did SEP detect the infection during full system scans that I periodically run.

I have run the Symantec ZeroAccess Removal tool.  This tool only resulted in partial removal of Rootkit.ZeroAccess.  Remants of the Rootkit remain in my system.  The SEP Network Threat Protection traffic log shows that every couple of minutes, Rootkit.ZeroAccess remnants attempt to "call home" and/or answer a call from "home."

A recent scan by GMER reported the folowing:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-11 09:14:29
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\jdeegan\LOCALS~1\Temp\ugtdapod.sys

---- System - GMER 1.0.15 ----

SSDT 8A447428 ZwAlertResumeThread
SSDT 899A0C20 ZwAlertThread
SSDT 8A452358 ZwAllocateVirtualMemory
SSDT 8A3D4388 ZwConnectPort
SSDT 8A450A58 ZwCreateMutant
SSDT 8A56B008 ZwCreateThread
SSDT 8A44B978 ZwFreeVirtualMemory
SSDT 8A603728 ZwImpersonateAnonymousToken
SSDT 8A45DE78 ZwImpersonateThread
SSDT 8A45A758 ZwMapViewOfSection
SSDT 8A44D6C8 ZwOpenEvent
SSDT 8A4454C0 ZwOpenProcessToken
SSDT 8A44D7D0 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF758CBA0]
SSDT 8A5F8108 ZwResumeThread
SSDT 89A63C50 ZwSetContextThread
SSDT 8A44BEF0 ZwSetInformationProcess
SSDT 8A454CF0 ZwSetInformationThread
SSDT 8A454BE8 ZwSuspendProcess
SSDT 89A681B8 ZwSuspendThread
SSDT 8A42D7B0 ZwTerminateProcess
SSDT 89AA43C0 ZwTerminateThread
SSDT 8A505058 ZwUnmapViewOfSection
SSDT 8A451360 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 8 Bytes [E8, 4B, 45, 8A, B8, 81, A6, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6BDD380, 0x8D6CD5, 0xE8000020]

---- EOF - GMER 1.0.15 ----

For information purposes I am posting a partial listing of the Network Threat Protection Traffic log from a recent day to illustrate the repeated attempts to communicate by the remnant hooks of Rootkit.ZeroAccess.

The log from Symantec Endpoint Protection:
Symantec Endpoint Protect Ver. 11.0.7101.1056
Virus Definitions dated 03/08/2012

Partial Log of Network Threat Protection Traffic log for 03/07/2012 and 03/08/2012

183517 3/7/2012 11:59:04 PM Blocked 10 Incoming UDP 192.168.1.2 00-1E-2A-47-63-5C 137 192.168.1.255 FF-FF-FF-FF-FF-FF 137 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 9 3/7/2012 11:58:03 PM 3/7/2012 11:58:14 PM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
183636 3/8/2012 7:12:07 AM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/8/2012 7:11:05 AM 3/8/2012 7:11:05 AM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

....... more of the same

183657 3/8/2012 8:24:04 AM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/8/2012 8:23:03 AM 3/8/2012 8:23:03 AM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

Any advice about how to remove or disable these hooks left behind by Rootkit.ZeroAcess and not removed by the Symantec tool would be appreciated.

Users of the Symantec ZeroAccess Removal tool should be advised to check carefully to see if the tool has successfully removed all traces of the rootkit.  The ZeroAccess Removal tool needs to be updated to remove any remnant hooks left behind by ZeroAccess or another tool needs to be created to perform this important task.

Thomas K's picture

@jdeeganjr, I suggest you open support case with Symantec ASAP. Lets get the Security Response Team involved to take a closer look at this infection.

http://www.symantec.com/support/contact_techsupp_s...

jdeeganjr's picture

I cannot contact the Security Response Team.  I cannot open a support case.

Although I have U.S. Department of Defense provided Symantec Endpoint Protection (SEP) on my computer (available to all DoD employees for use on their home computers), I do not have a Technical Contact ID, a Support Number or a Technical Case ID registered with my account.  Therefore, I cannot create a support case.

My computer is a Dell Dimension 3000 running Microsoft XP Professional with Service Pack 3 and all Microsoft updates installed soon after they have been released.

My version of SEP is 11.0.7101.1056.  I have had this product (SEP) on my computer for several years.  The antivirus definitions are always up-to-date.  Nonetheless, SEP did not detect the very recent infection by Rootkit.ZeroAccess.  The infection was first detected by Kaspersky's TDSSKiller, but this tool was not able to remove the rootkit.   

I found and then ran the Symantec ZeroAccess Removal tool.  This tool only resulted in partial removal of Rootkit.ZeroAccess.  Remants of the Rootkit remain in my system.  The SEP Network Threat Protection traffic log shows that every couple of minutes, Rootkit.ZeroAccess remnants attempt to "call home" and/or answer a call from "home."

The Symantec Power Eraser tool does not rid my system of the hooks created in my system by Rootkit.ZeroAccess.  From what I have been able to learn, the System Service Descriptor Table (SSDT) shows that hooks have been created in ntoskrnl.exe by Rootkit.ZeroAccess.  I believe these hooks, which are not readily detectable, are at the heart of the communication attempts blocked by SEP.

A recent scan by GMER reported the folowing:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-11 09:14:29
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\jdeegan\LOCALS~1\Temp\ugtdapod.sys

---- System - GMER 1.0.15 ----

SSDT 8A447428 ZwAlertResumeThread
SSDT 899A0C20 ZwAlertThread
SSDT 8A452358 ZwAllocateVirtualMemory
SSDT 8A3D4388 ZwConnectPort
SSDT 8A450A58 ZwCreateMutant
SSDT 8A56B008 ZwCreateThread
SSDT 8A44B978 ZwFreeVirtualMemory
SSDT 8A603728 ZwImpersonateAnonymousToken
SSDT 8A45DE78 ZwImpersonateThread
SSDT 8A45A758 ZwMapViewOfSection
SSDT 8A44D6C8 ZwOpenEvent
SSDT 8A4454C0 ZwOpenProcessToken
SSDT 8A44D7D0 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF758CBA0]
SSDT 8A5F8108 ZwResumeThread
SSDT 89A63C50 ZwSetContextThread
SSDT 8A44BEF0 ZwSetInformationProcess
SSDT 8A454CF0 ZwSetInformationThread
SSDT 8A454BE8 ZwSuspendProcess
SSDT 89A681B8 ZwSuspendThread
SSDT 8A42D7B0 ZwTerminateProcess
SSDT 89AA43C0 ZwTerminateThread
SSDT 8A505058 ZwUnmapViewOfSection
SSDT 8A451360 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 8 Bytes [E8, 4B, 45, 8A, B8, 81, A6, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6BDD380, 0x8D6CD5, 0xE8000020]

---- EOF - GMER 1.0.15 ----

As is plainly seen, SSDT shows the presence of hooks in ntoskrnl.exe created by Rootkit.ZeroAccess (or by other code that it may have downloaded).  Thus far, I have been unable to eradicate the hooks and prevent the communication attempts by the residual rootkit infection.  Fortunately (I hope), SEP Network Threat Protection is preventing the communication attempts.

I suspect this problem might be quite extensive.  A systematic search on the internet reveals many similar issues with rootkits and many purported "cures" of the malware.  However, I suspect that at least some of the so-called "cures" for rootkits of this variety are not really cures at all.  Rather, the "under the radar" communication simply continues in the background undetected, even though the original source may have been removed.

A recent log from the SEP Network Threat Protection module on my computer illustrates the stealth of this rootkit infection.  The communication attempts occur very frequently, at 1 to 3 minutes intervals.

The log from Symantec Endpoint Protection:
Symantec Endpoint Protect Ver. 11.0.7101.1056
Virus Definitions dated 03/08/2012

Partial Log of Network Threat Protection Traffic log for 03/07/2012 and 03/08/2012

183517 3/7/2012 11:59:04 PM Blocked 10 Incoming UDP 192.168.1.2 00-1E-2A-47-63-5C 137 192.168.1.255 FF-FF-FF-FF-FF-FF 137 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 9 3/7/2012 11:58:03 PM 3/7/2012 11:58:14 PM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
183636 3/8/2012 7:12:07 AM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/8/2012 7:11:05 AM 3/8/2012 7:11:05 AM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

....... more of the same

183657 3/8/2012 8:24:04 AM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/8/2012 8:23:03 AM 3/8/2012 8:23:03 AM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

Any advice about how to remove or disable these hooks left behind by Rootkit.ZeroAcess and not removed by the Symantec tool would be appreciated.

Users of the Symantec ZeroAccess Removal tool should be advised to check carefully to see if the tool has successfully removed all traces of the rootkit.  The ZeroAccess Removal tool needs to be updated to remove any remnant hooks left behind by ZeroAccess or another tool needs to be created to perform this important task.

Thomas K's picture

Hi,

If you cannot open a case, there are a couple other utilities you might try.

1. The SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively.

2. The Load point Analysis Tool generates a detailed report of the programs loaded on your system. It is helpful in listing common loadpoints where threats can live.

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions – http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files http://www.symantec.com/business/support/index?page=content&id=TECH141402

Let us know how it goes for you.

Good luck,

Thomas
 

jdeeganjr's picture

Thank you, Thomas, for recommending the Symantec Endpoint Recovery Tool (SERT) and the Symantec Support Tool (SST).  I have both tools and will use them today.  I'll post the results for those who may be interested.

John

jdeeganjr's picture

I ran the Symantec Endpoint Recovery Tool (SERT) today on my system and it reports that there are absolutely no infected files on my system.  This, however, is no surprise as all other previous scans by multiple products report the same.  I am convinced, however, that this is simply a false positive caused by the remnant code in my system hiding itself from detection.  After all, GMER was able to identify the fact that my ntoskrnl.exe file was "hooked" by ZeroAccess-related code (see my previous post on this subject).

Additionally, my SEP Network Threat Protection Traffic log shows no change - the remnants of the Rootki.ZeroAccess (or other software it may have downloaded and installed on my system) continue to "call home" and receive calls from "home."  I think this is pretty persuasive evidence that my system is still infected.  I also hope that all traffic from this malware is being blocked by SEP.

I tried replacing my current version of ntoskrnl.exe with the original one from my Windows XP Professional install disk.  I used the Recovery Console to perform this operation.  After re-booting my system with the original ntoskrnl.exe in place, I found my computer was now in a perpetual loop of re-booting.  Perhaps the MBR or some other malicious piece of code was preventing my system from booting with the clean ntoskrnl.exe file in place.  Eventually, I had to restore what I think is my compromised version of ntoskrnl.exe in order for my system to boot up again into normal mode.

Today, I submitted a copy of my "compromised" ntoskrnl.exe to Microsoft for analysis.  No results yet.

Thomas K's picture

Please submit a sample to Symantec. This will help our the Symantec team create the definitions to protect others in the future.

http://www.symantec.com/security_response/submitsa...

http://www.threatexpert.com/submit.aspx

jdeeganjr's picture

I submitted today three files to Symantec for analysis.  The files submitted were: ntoskrnl.exe (part of Windows XP Professional); wpsdrvnt.sys (from SEP); and my master boot record.

I suspect all three files may have been compromised by Rootkit.ZeroAccess.

By the way, I had to Repair my Windows XP Professional (SP3) operating system.  It wasn't fun and the Repaired install required re-validation and activation by Microsoft.  Sadly, I continue to suspect that remnants of Rootkit.ZeroAccess remain in my system.

My SEP (version 11.0.7101.1056) continues to report the occurrence of blocked incoming traffic.  Happily, I report, SEP does not identify any more outgoing traffic has been blocked.   It is my fervent hope that no outgoing Rootkit.ZeroAccess related traffic is somehow evading detection by SEP.  Rather, I hope that I have been able to prevent the Rootkit from originating outgoing traffic.

Mick2009's picture

Followers of this thread may be interested to know that Symantec Security Response has just released a new white paper:

Trojan.ZeroAccess Infection Analysis 

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf

With thanks and best regards,

Mick

jdeeganjr's picture

Thanks for posting the URL for Symantec's latest analysis of the Rootkit ZeroAccess.  The information provided is informative and sobering.  Most troubling, is the abiility of this infection to morph and elude detection.  And even when detected, it has the ability to re-create itself whenever a non-fatal anti-virus attack has neutralized a portion of it.  It also has the ability to hook anti-virus code (such as SEP) to help it evade detection or eradication. 

Unless I missed it, I think one of the overlooked and very malicious aspects of Rootkit ZeroAccess is its ability to inject itself into multiple recorable media such as attached hard drives and USB drives and thereby propogate itself and help protect itself.  Certainly this must have been one of the mechanisms by which our Department of Defense and other critical networks have been attacked.

I have tried, unsuccessfully to remove the ZeroAccess Rootkit from my system.  Nothing seems to work (the list of things I have tried is, sadly, very long).  Certainly, the Symantec Endpoint Recovery Tool (SERT) is ineffective aganist this virus as of the date of this writing (March 30, 2012).  I trust tools will soon be developed to both locate and eradicate this plague which must infect an astonishingly large number of computer systems.  Where is Microsoft when you need them?  Come on, Symantec, help solve this problem!

jdeeganjr's picture

It appears that Microsoft has attempted to take some action against vulnerabilities in their Windows XP operating system and other Microsoft applications (such as the Office suite) by releasing an out-of-cycle collection of patches to help protect their software from attack.  I suspect this action may have been motivated, at least in part, by the latest variant of the ZeroAccess Rootkit that is rapidly infecting a large number of systems around the world.  Too bad this is after the fact and does nothing to help remove ZeroAccess from infected systems.  Why doesn't Microsoft provide a tool to fix the already existing ZeroAccess hooks in the kernel of their operating system?

And where is Symantec in helping to solve this problem?  Clearly the Symantec Endpoint Recovery Tool needs to be updated as does the Symantec ZeroAccess Removal tool.  The analysis in the Symantec Security Response paper regarding the ZeroAccess Rootkit certainly points to avenues whereby the infection can be neutralized and deleted.  See: Trojan.ZeroAccess Infection Analysis:

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf

Further, the fact that ZeroAccess was able to hook SEP (see my GMER log above) suggests that SEP has vulnerabilities that also need to be addressed.
 
We users need help from Symantec and we need it now!
 
jdeeganjr's picture

Well, another week has elapsed and still no clear path to the removal of Rootkit ZeroAccess can be found by me.  But perhaps others are more knowledgable than I.  Does anyone know if Symantec has made any progress in neutralizing and removing this highly malicious Trojan?  Have any new tools been developed or have any of the existing tools been updated to deal with this problem?  Please advise.

I tried running Kaspersky's latest release of TDSSKiller today.  No luck.  Not surprisingly, it found no evidence of the malicious code.  Not surprisingly, my SSDT is still hooked by the infection code as is ntoskrnl.exe.

By the way, I can't help but wonder if the Rootkit ZeroAccess is able to inject itself into burned CD's and DVD's.  Wouldn't that be something if it could! 

jdeeganjr's picture

I thought readers might be interested to learn about my continuing attempts to remove the Rootkit ZeroAccess from my system.  None of what I have to report is encouraging.

As I reported previously, I tried many different tools to detect and rid my system of the Rootkit ZeroAccess.  Only a small handful of tools were even able to indirectly detect the presence of the Rootkit by virtue of my system’s kernel being hooked; none detected it directly; and none were able to help remove the infection.

I thought that if I reinstalled my operating system I might rid my computer of the Rootkit ZeroAccess infection.  Numerous times I reformatted my hard drive and reinstalled Windows XP.  No progress.  The Rootkit ZeroAccess remained entangled in my system.

Even after reformatting and a clean install of Windows XP, ZeroAccess somehow managed to remain on my hard drive and re-infect the operating system as soon as it was installed.  I even tried “scrubbing” my hard drive (over-writing every sector of the disk) with a variety of tools, both DOS-based and Linux-based (to avoid using anything related to Windows), and discovered that after I once again installed Windows XP, the Rootkit ZeroAccess was still on my system. 

I also tried rewriting the Master Boot Record with clean code (which I did many times using a Linux program).  This didn’t work either.  The Rootkit ZeroAccess seems able to hijack Windows before it even starts up, uses its own version of the Master Boot Record, and then injects its own code to prevent detection by Symantec Endpoint Protection (SEP) and virtually every other tool available.

Tonight, I upgraded my version of SEP from 11.0.7101.1056 to 11.0.7200.1147 which Symantec released around April 26, 2012.  I did this hoping that the latest version of SEP would be able to detect and remove the Rootkit ZeroAccess.  Wrong.  After installing and immediately performing a full scan, SEP found nothing; SEP removed nothing.  But the Rootkit ZeroAccess remains on my system.

I also tried using the updated version of the SEP Support Tool and Symantec Power Eraser, version 1.0.6020.294, which Symantec released recently.  Again, I had hoped that Symantec might have developed a tool to detect and delete the Rootkit ZeroAccess.  Wrong.  SEPT and Symantec Power Eraser found nothing.  But the Rootkit ZeroAccess remains on my system.

I also tried installing and running another tool called Webroot SecureAnywhere AntiVirus.  This product is by Prevx (http://www.prevx.com) which touts itself as at the leading edge of rootkit detection and removal.  Incidentally, blog posts by their staff are very informative and provide important information about the techniques used by ZeroAccess to elude detection and persist within an infected system.  I found interesting blog posts dated December 12, 2010, April 11, 2011, and May 1, 2011, all by Marco Giuliani (http://www.prevx.com/blog.asp).  I especially encourage interested readers to look at the Prevx paper by Marco Giuliani, “ZeroAccess – an Advanced Kernel Mode Rootkit".

See http://pxnow.prevx.com/content/blog/zeroaccess_analysis.pdf.

Although I was hopeful that Prevx might actually have developed a tool that would rid my system of the Rootkit ZeroAccess, I was wrong.  I found that their tool Webroot SecureAnywhere was no more effective at detecting or removing ZeroAccess than was SEP.  It found nothing; it removed nothing.

The reason for this is simple.  The Rootkit ZeroAccess immediately hooked and neutralized the new version of SEP, 11.0.7200.1147, that I installed tonight as well as the tool developed by Prevx, Webroot SecureAnywhere, that I also installed tonight.  GMER provides the grizzly details as reported below.

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-04-29 20:27:41

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 Maxtor_6Y120P0 rev.YAR41BW0

Running: crrp5xot.exe; Driver: C:\DOCUME~1\jdeegan\LOCALS~1\Temp\ugtdapod.sys

---- System - GMER 1.0.15 ----

SSDT  89C7E2D8      ZwAlertResumeThread

SSDT  899B41A8      ZwAlertThread

SSDT  8A501270       ZwAllocateVirtualMemory

SSDT  WRkrn.sys (Webroot SecureAnywhere/Webroot)     ZwAssignProcessToJobObject [0xF7458B30]

SSDT  89C15EC0      ZwConnectPort

SSDT  89BE9EA8     ZwCreateMutant

SSDT  8A4E2BE0     ZwCreateThread

SSDT  WRkrn.sys (Webroot SecureAnywhere/Webroot)     ZwDebugActiveProcess [0xF7458A30]

SSDT  WRkrn.sys (Webroot SecureAnywhere/Webroot)     ZwDeleteKey [0xF7459250]

SSDT  WRkrn.sys (Webroot SecureAnywhere/Webroot)     ZwDeleteValueKey [0xF7459350]

SSDT  WRkrn.sys (Webroot SecureAnywhere/Webroot)     ZwDuplicateObject [0xF7458790]

SSDT  89CB1960       ZwFreeVirtualMemory

SSDT  8A5164B0      ZwImpersonateAnonymousToken

SSDT  8A5163D8      ZwImpersonateThread

SSDT  8A1D7CC0     ZwMapViewOfSection

SSDT  89C8A818      ZwOpenEvent

SSDT  WRkrn.sys (Webroot SecureAnywhere/Webroot)     ZwOpenProcess [0xF7458F70]

SSDT  8A587810       ZwOpenProcessToken

SSDT  WRkrn.sys (Webroot SecureAnywhere/Webroot)     ZwOpenSection [0xF7459080]

SSDT  WRkrn.sys (Webroot SecureAnywhere/Webroot)     ZwOpenThread [0xF7458E40]

SSDT  8A500918       ZwOpenThreadToken

SSDT  \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)            ZwProtectVirtualMemory [0xB66D8E80]

SSDT  89C39F10       ZwResumeThread

SSDT  8A539A88      ZwSetContextThread

SSDT  8A1D4420      ZwSetInformationProcess

SSDT  8A49B8C0      ZwSetInformationThread

SSDT  WRkrn.sys (Webroot SecureAnywhere/Webroot)     ZwSetValueKey [0xF7459470]

SSDT  89C8B428       ZwSuspendProcess

SSDT  8A5162F8       ZwSuspendThread

SSDT  WRkrn.sys (Webroot SecureAnywhere/Webroot)     ZwSystemDebugControl [0xF74591F0]

SSDT  89C32C18       ZwTerminateProcess

SSDT  8A522978       ZwTerminateThread

SSDT  8A5153F8       ZwUnmapViewOfSection

SSDT  8A50F4A0      ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text     ntoskrnl.exe!ZwYieldExecution + 46A    804E4CC4 12 Bytes  [28, B4, C8, 89, F8, 62, 51, ...]

.text     C:\WINDOWS\system32\DRIVERS\nv4_mini.sys    section is writeable [0xB6DC83C0, 0x95B7EA, 0xE8000020]

init       C:\WINDOWS\system32\drivers\senfilt.sys   entry point in "init" section [0xB6CEAF80]

So, the odyssey sadly continues.  As the reader can see plainly, ZeroAccess has hooked the kernel and thereby rendered my antivirus systems impotent against it.

Doesn’t anyone know of a tool that will actually detect and deleted the Rootkit ZeroAccess?!