Thanks Thomas for the link .

Great that there's a tool but it won't work on my 64 Bit system...  Any advice please?

Cheers

Dave

Unfortunately there is only a 32 bit tool. Try running the Norton Power Eraser tool as mentioned in the removal instructions.

http://security.symantec.com/nbrt/npe.aspx?lcid=10...

http://www.symantec.com/security_response/writeup....

Thanks Thomas for sharing such a usefull information!!

Thanx

Thomas for sharing this Removal tool

I am running a Dell Dimension 3000 using Microsoft XP Professional with Service Pack 3 and all Microsoft updates installed soon after they have been released. I am currently using, and have used for several years, Symantec Enpoint Protection (SEP) for my anti-virus program with all updates applied and current anti-virus signatures. SEP did not detect or prevent the Rootkit.ZeroAccess intrusion when it occurred. Nor did SEP detect the infection during full system scans that I periodically run.

I have run the Symantec ZeroAccess Removal tool.  This tool only resulted in partial removal of Rootkit.ZeroAccess.  Remants of the Rootkit remain in my system.  The SEP Network Threat Protection traffic log shows that every couple of minutes, Rootkit.ZeroAccess remnants attempt to "call home" and/or answer a call from "home."

A recent scan by GMER reported the folowing:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-11 09:14:29
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\jdeegan\LOCALS~1\Temp\ugtdapod.sys

---- System - GMER 1.0.15 ----

SSDT 8A447428 ZwAlertResumeThread
SSDT 899A0C20 ZwAlertThread
SSDT 8A452358 ZwAllocateVirtualMemory
SSDT 8A3D4388 ZwConnectPort
SSDT 8A450A58 ZwCreateMutant
SSDT 8A56B008 ZwCreateThread
SSDT 8A44B978 ZwFreeVirtualMemory
SSDT 8A603728 ZwImpersonateAnonymousToken
SSDT 8A45DE78 ZwImpersonateThread
SSDT 8A45A758 ZwMapViewOfSection
SSDT 8A44D6C8 ZwOpenEvent
SSDT 8A4454C0 ZwOpenProcessToken
SSDT 8A44D7D0 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF758CBA0]
SSDT 8A5F8108 ZwResumeThread
SSDT 89A63C50 ZwSetContextThread
SSDT 8A44BEF0 ZwSetInformationProcess
SSDT 8A454CF0 ZwSetInformationThread
SSDT 8A454BE8 ZwSuspendProcess
SSDT 89A681B8 ZwSuspendThread
SSDT 8A42D7B0 ZwTerminateProcess
SSDT 89AA43C0 ZwTerminateThread
SSDT 8A505058 ZwUnmapViewOfSection
SSDT 8A451360 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 8 Bytes [E8, 4B, 45, 8A, B8, 81, A6, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6BDD380, 0x8D6CD5, 0xE8000020]

---- EOF - GMER 1.0.15 ----

For information purposes I am posting a partial listing of the Network Threat Protection Traffic log from a recent day to illustrate the repeated attempts to communicate by the remnant hooks of Rootkit.ZeroAccess.

The log from Symantec Endpoint Protection:
Symantec Endpoint Protect Ver. 11.0.7101.1056
Virus Definitions dated 03/08/2012

Partial Log of Network Threat Protection Traffic log for 03/07/2012 and 03/08/2012

183517 3/7/2012 11:59:04 PM Blocked 10 Incoming UDP 192.168.1.2 00-1E-2A-47-63-5C 137 192.168.1.255 FF-FF-FF-FF-FF-FF 137 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 9 3/7/2012 11:58:03 PM 3/7/2012 11:58:14 PM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
183636 3/8/2012 7:12:07 AM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/8/2012 7:11:05 AM 3/8/2012 7:11:05 AM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

....... more of the same

183657 3/8/2012 8:24:04 AM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/8/2012 8:23:03 AM 3/8/2012 8:23:03 AM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

Any advice about how to remove or disable these hooks left behind by Rootkit.ZeroAcess and not removed by the Symantec tool would be appreciated.

Users of the Symantec ZeroAccess Removal tool should be advised to check carefully to see if the tool has successfully removed all traces of the rootkit.  The ZeroAccess Removal tool needs to be updated to remove any remnant hooks left behind by ZeroAccess or another tool needs to be created to perform this important task.

@jdeeganjr, I suggest you open support case with Symantec ASAP. Lets get the Security Response Team involved to take a closer look at this infection.

http://www.symantec.com/support/contact_techsupp_s...

I cannot contact the Security Response Team.  I cannot open a support case.

Although I have U.S. Department of Defense provided Symantec Endpoint Protection (SEP) on my computer (available to all DoD employees for use on their home computers), I do not have a Technical Contact ID, a Support Number or a Technical Case ID registered with my account.  Therefore, I cannot create a support case.

My computer is a Dell Dimension 3000 running Microsoft XP Professional with Service Pack 3 and all Microsoft updates installed soon after they have been released.

My version of SEP is 11.0.7101.1056.  I have had this product (SEP) on my computer for several years.  The antivirus definitions are always up-to-date.  Nonetheless, SEP did not detect the very recent infection by Rootkit.ZeroAccess.  The infection was first detected by Kaspersky's TDSSKiller, but this tool was not able to remove the rootkit.   

I found and then ran the Symantec ZeroAccess Removal tool.  This tool only resulted in partial removal of Rootkit.ZeroAccess.  Remants of the Rootkit remain in my system.  The SEP Network Threat Protection traffic log shows that every couple of minutes, Rootkit.ZeroAccess remnants attempt to "call home" and/or answer a call from "home."

The Symantec Power Eraser tool does not rid my system of the hooks created in my system by Rootkit.ZeroAccess.  From what I have been able to learn, the System Service Descriptor Table (SSDT) shows that hooks have been created in ntoskrnl.exe by Rootkit.ZeroAccess.  I believe these hooks, which are not readily detectable, are at the heart of the communication attempts blocked by SEP.

A recent scan by GMER reported the folowing:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-11 09:14:29
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\jdeegan\LOCALS~1\Temp\ugtdapod.sys

---- System - GMER 1.0.15 ----

SSDT 8A447428 ZwAlertResumeThread
SSDT 899A0C20 ZwAlertThread
SSDT 8A452358 ZwAllocateVirtualMemory
SSDT 8A3D4388 ZwConnectPort
SSDT 8A450A58 ZwCreateMutant
SSDT 8A56B008 ZwCreateThread
SSDT 8A44B978 ZwFreeVirtualMemory
SSDT 8A603728 ZwImpersonateAnonymousToken
SSDT 8A45DE78 ZwImpersonateThread
SSDT 8A45A758 ZwMapViewOfSection
SSDT 8A44D6C8 ZwOpenEvent
SSDT 8A4454C0 ZwOpenProcessToken
SSDT 8A44D7D0 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF758CBA0]
SSDT 8A5F8108 ZwResumeThread
SSDT 89A63C50 ZwSetContextThread
SSDT 8A44BEF0 ZwSetInformationProcess
SSDT 8A454CF0 ZwSetInformationThread
SSDT 8A454BE8 ZwSuspendProcess
SSDT 89A681B8 ZwSuspendThread
SSDT 8A42D7B0 ZwTerminateProcess
SSDT 89AA43C0 ZwTerminateThread
SSDT 8A505058 ZwUnmapViewOfSection
SSDT 8A451360 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 8 Bytes [E8, 4B, 45, 8A, B8, 81, A6, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6BDD380, 0x8D6CD5, 0xE8000020]

---- EOF - GMER 1.0.15 ----

As is plainly seen, SSDT shows the presence of hooks in ntoskrnl.exe created by Rootkit.ZeroAccess (or by other code that it may have downloaded).  Thus far, I have been unable to eradicate the hooks and prevent the communication attempts by the residual rootkit infection.  Fortunately (I hope), SEP Network Threat Protection is preventing the communication attempts.

I suspect this problem might be quite extensive.  A systematic search on the internet reveals many similar issues with rootkits and many purported "cures" of the malware.  However, I suspect that at least some of the so-called "cures" for rootkits of this variety are not really cures at all.  Rather, the "under the radar" communication simply continues in the background undetected, even though the original source may have been removed.

A recent log from the SEP Network Threat Protection module on my computer illustrates the stealth of this rootkit infection.  The communication attempts occur very frequently, at 1 to 3 minutes intervals.

The log from Symantec Endpoint Protection:
Symantec Endpoint Protect Ver. 11.0.7101.1056
Virus Definitions dated 03/08/2012

Partial Log of Network Threat Protection Traffic log for 03/07/2012 and 03/08/2012

183517 3/7/2012 11:59:04 PM Blocked 10 Incoming UDP 192.168.1.2 00-1E-2A-47-63-5C 137 192.168.1.255 FF-FF-FF-FF-FF-FF 137 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 9 3/7/2012 11:58:03 PM 3/7/2012 11:58:14 PM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
183636 3/8/2012 7:12:07 AM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/8/2012 7:11:05 AM 3/8/2012 7:11:05 AM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

....... more of the same

183657 3/8/2012 8:24:04 AM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/8/2012 8:23:03 AM 3/8/2012 8:23:03 AM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

Any advice about how to remove or disable these hooks left behind by Rootkit.ZeroAcess and not removed by the Symantec tool would be appreciated.

Users of the Symantec ZeroAccess Removal tool should be advised to check carefully to see if the tool has successfully removed all traces of the rootkit.  The ZeroAccess Removal tool needs to be updated to remove any remnant hooks left behind by ZeroAccess or another tool needs to be created to perform this important task.

Hi,

If you cannot open a case, there are a couple other utilities you might try.

1. The SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively.

2. The Load point Analysis Tool generates a detailed report of the programs loaded on your system. It is helpful in listing common loadpoints where threats can live.

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions – http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files http://www.symantec.com/business/support/index?page=content&id=TECH141402

Let us know how it goes for you.

Good luck,

Thomas
 

Thank you, Thomas, for recommending the Symantec Endpoint Recovery Tool (SERT) and the Symantec Support Tool (SST).  I have both tools and will use them today.  I'll post the results for those who may be interested.

John

I ran the Symantec Endpoint Recovery Tool (SERT) today on my system and it reports that there are absolutely no infected files on my system.  This, however, is no surprise as all other previous scans by multiple products report the same.  I am convinced, however, that this is simply a false positive caused by the remnant code in my system hiding itself from detection.  After all, GMER was able to identify the fact that my ntoskrnl.exe file was "hooked" by ZeroAccess-related code (see my previous post on this subject).

Additionally, my SEP Network Threat Protection Traffic log shows no change - the remnants of the Rootki.ZeroAccess (or other software it may have downloaded and installed on my system) continue to "call home" and receive calls from "home."  I think this is pretty persuasive evidence that my system is still infected.  I also hope that all traffic from this malware is being blocked by SEP.

I tried replacing my current version of ntoskrnl.exe with the original one from my Windows XP Professional install disk.  I used the Recovery Console to perform this operation.  After re-booting my system with the original ntoskrnl.exe in place, I found my computer was now in a perpetual loop of re-booting.  Perhaps the MBR or some other malicious piece of code was preventing my system from booting with the clean ntoskrnl.exe file in place.  Eventually, I had to restore what I think is my compromised version of ntoskrnl.exe in order for my system to boot up again into normal mode.

Today, I submitted a copy of my "compromised" ntoskrnl.exe to Microsoft for analysis.  No results yet.

Please submit a sample to Symantec. This will help our the Symantec team create the definitions to protect others in the future.

http://www.symantec.com/security_response/submitsa...

http://www.threatexpert.com/submit.aspx

I submitted today three files to Symantec for analysis.  The files submitted were: ntoskrnl.exe (part of Windows XP Professional); wpsdrvnt.sys (from SEP); and my master boot record.

I suspect all three files may have been compromised by Rootkit.ZeroAccess.

By the way, I had to Repair my Windows XP Professional (SP3) operating system.  It wasn't fun and the Repaired install required re-validation and activation by Microsoft.  Sadly, I continue to suspect that remnants of Rootkit.ZeroAccess remain in my system.

My SEP (version 11.0.7101.1056) continues to report the occurrence of blocked incoming traffic.  Happily, I report, SEP does not identify any more outgoing traffic has been blocked.   It is my fervent hope that no outgoing Rootkit.ZeroAccess related traffic is somehow evading detection by SEP.  Rather, I hope that I have been able to prevent the Rootkit from originating outgoing traffic.

Followers of this thread may be interested to know that Symantec Security Response has just released a new white paper:

Trojan.ZeroAccess Infection Analysis 

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf

Thanks for posting the URL for Symantec's latest analysis of the Rootkit ZeroAccess.  The information provided is informative and sobering.  Most troubling, is the abiility of this infection to morph and elude detection.  And even when detected, it has the ability to re-create itself whenever a non-fatal anti-virus attack has neutralized a portion of it.  It also has the ability to hook anti-virus code (such as SEP) to help it evade detection or eradication. 

Unless I missed it, I think one of the overlooked and very malicious aspects of Rootkit ZeroAccess is its ability to inject itself into multiple recorable media such as attached hard drives and USB drives and thereby propogate itself and help protect itself.  Certainly this must have been one of the mechanisms by which our Department of Defense and other critical networks have been attacked.

I have tried, unsuccessfully to remove the ZeroAccess Rootkit from my system.  Nothing seems to work (the list of things I have tried is, sadly, very long).  Certainly, the Symantec Endpoint Recovery Tool (SERT) is ineffective aganist this virus as of the date of this writing (March 30, 2012).  I trust tools will soon be developed to both locate and eradicate this plague which must infect an astonishingly large number of computer systems.  Where is Microsoft when you need them?  Come on, Symantec, help solve this problem!

It appears that Microsoft has attempted to take some action against vulnerabilities in their Windows XP operating system and other Microsoft applications (such as the Office suite) by releasing an out-of-cycle collection of patches to help protect their software from attack.  I suspect this action may have been motivated, at least in part, by the latest variant of the ZeroAccess Rootkit that is rapidly infecting a large number of systems around the world.  Too bad this is after the fact and does nothing to help remove ZeroAccess from infected systems.  Why doesn't Microsoft provide a tool to fix the already existing ZeroAccess hooks in the kernel of their operating system?

And where is Symantec in helping to solve this problem?  Clearly the Symantec Endpoint Recovery Tool needs to be updated as does the Symantec ZeroAccess Removal tool.  The analysis in the Symantec Security Response paper regarding the ZeroAccess Rootkit certainly points to avenues whereby the infection can be neutralized and deleted.  See: Trojan.ZeroAccess Infection Analysis:

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf

Well, another week has elapsed and still no clear path to the removal of Rootkit ZeroAccess can be found by me.  But perhaps others are more knowledgable than I.  Does anyone know if Symantec has made any progress in neutralizing and removing this highly malicious Trojan?  Have any new tools been developed or have any of the existing tools been updated to deal with this problem?  Please advise.

I tried running Kaspersky's latest release of TDSSKiller today.  No luck.  Not surprisingly, it found no evidence of the malicious code.  Not surprisingly, my SSDT is still hooked by the infection code as is ntoskrnl.exe.

By the way, I can't help but wonder if the Rootkit ZeroAccess is able to inject itself into burned CD's and DVD's.  Wouldn't that be something if it could!