I thought readers might be interested to learn about my continuing attempts to remove the Rootkit ZeroAccess from my system. None of what I have to report is encouraging.
As I reported previously, I tried many different tools to detect and rid my system of the Rootkit ZeroAccess. Only a small handful of tools were even able to indirectly detect the presence of the Rootkit by virtue of my system’s kernel being hooked; none detected it directly; and none were able to help remove the infection.
I thought that if I reinstalled my operating system I might rid my computer of the Rootkit ZeroAccess infection. Numerous times I reformatted my hard drive and reinstalled Windows XP. No progress. The Rootkit ZeroAccess remained entangled in my system.
Even after reformatting and a clean install of Windows XP, ZeroAccess somehow managed to remain on my hard drive and re-infect the operating system as soon as it was installed. I even tried “scrubbing” my hard drive (over-writing every sector of the disk) with a variety of tools, both DOS-based and Linux-based (to avoid using anything related to Windows), and discovered that after I once again installed Windows XP, the Rootkit ZeroAccess was still on my system.
I also tried rewriting the Master Boot Record with clean code (which I did many times using a Linux program). This didn’t work either. The Rootkit ZeroAccess seems able to hijack Windows before it even starts up, uses its own version of the Master Boot Record, and then injects its own code to prevent detection by Symantec Endpoint Protection (SEP) and virtually every other tool available.
Tonight, I upgraded my version of SEP from 11.0.7101.1056 to 11.0.7200.1147 which Symantec released around April 26, 2012. I did this hoping that the latest version of SEP would be able to detect and remove the Rootkit ZeroAccess. Wrong. After installing and immediately performing a full scan, SEP found nothing; SEP removed nothing. But the Rootkit ZeroAccess remains on my system.
I also tried using the updated version of the SEP Support Tool and Symantec Power Eraser, version 1.0.6020.294, which Symantec released recently. Again, I had hoped that Symantec might have developed a tool to detect and delete the Rootkit ZeroAccess. Wrong. SEPT and Symantec Power Eraser found nothing. But the Rootkit ZeroAccess remains on my system.
I also tried installing and running another tool called Webroot SecureAnywhere AntiVirus. This product is by Prevx (http://www.prevx.com) which touts itself as at the leading edge of rootkit detection and removal. Incidentally, blog posts by their staff are very informative and provide important information about the techniques used by ZeroAccess to elude detection and persist within an infected system. I found interesting blog posts dated December 12, 2010, April 11, 2011, and May 1, 2011, all by Marco Giuliani (http://www.prevx.com/blog.asp). I especially encourage interested readers to look at the Prevx paper by Marco Giuliani, “ZeroAccess – an Advanced Kernel Mode Rootkit”.
See http://pxnow.prevx.com/content/blog/zeroaccess_analysis.pdf.
Although I was hopeful that Prevx might actually have developed a tool that would rid my system of the Rootkit ZeroAccess, I was wrong. I found that their tool Webroot SecureAnywhere was no more effective at detecting or removing ZeroAccess than was SEP. It found nothing; it removed nothing.
The reason for this is simple. The Rootkit ZeroAccess immediately hooked and neutralized the new version of SEP, 11.0.7200.1147, that I installed tonight as well as the tool developed by Prevx, Webroot SecureAnywhere, that I also installed tonight. GMER provides the grisly details as reported below.
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-29 20:27:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 Maxtor_6Y120P0 rev.YAR41BW0
Running: crrp5xot.exe; Driver: C:\DOCUME~1\jdeegan\LOCALS~1\Temp\ugtdapod.sys
---- System - GMER 1.0.15 ----
SSDT 89C7E2D8 ZwAlertResumeThread
SSDT 899B41A8 ZwAlertThread
SSDT 8A501270 ZwAllocateVirtualMemory
SSDT WRkrn.sys (Webroot SecureAnywhere/Webroot) ZwAssignProcessToJobObject [0xF7458B30]
SSDT 89C15EC0 ZwConnectPort
SSDT 89BE9EA8 ZwCreateMutant
SSDT 8A4E2BE0 ZwCreateThread
SSDT WRkrn.sys (Webroot SecureAnywhere/Webroot) ZwDebugActiveProcess [0xF7458A30]
SSDT WRkrn.sys (Webroot SecureAnywhere/Webroot) ZwDeleteKey [0xF7459250]
SSDT WRkrn.sys (Webroot SecureAnywhere/Webroot) ZwDeleteValueKey [0xF7459350]
SSDT WRkrn.sys (Webroot SecureAnywhere/Webroot) ZwDuplicateObject [0xF7458790]
SSDT 89CB1960 ZwFreeVirtualMemory
SSDT 8A5164B0 ZwImpersonateAnonymousToken
SSDT 8A5163D8 ZwImpersonateThread
SSDT 8A1D7CC0 ZwMapViewOfSection
SSDT 89C8A818 ZwOpenEvent
SSDT WRkrn.sys (Webroot SecureAnywhere/Webroot) ZwOpenProcess [0xF7458F70]
SSDT 8A587810 ZwOpenProcessToken
SSDT WRkrn.sys (Webroot SecureAnywhere/Webroot) ZwOpenSection [0xF7459080]
SSDT WRkrn.sys (Webroot SecureAnywhere/Webroot) ZwOpenThread [0xF7458E40]
SSDT 8A500918 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB66D8E80]
SSDT 89C39F10 ZwResumeThread
SSDT 8A539A88 ZwSetContextThread
SSDT 8A1D4420 ZwSetInformationProcess
SSDT 8A49B8C0 ZwSetInformationThread
SSDT WRkrn.sys (Webroot SecureAnywhere/Webroot) ZwSetValueKey [0xF7459470]
SSDT 89C8B428 ZwSuspendProcess
SSDT 8A5162F8 ZwSuspendThread
SSDT WRkrn.sys (Webroot SecureAnywhere/Webroot) ZwSystemDebugControl [0xF74591F0]
SSDT 89C32C18 ZwTerminateProcess
SSDT 8A522978 ZwTerminateThread
SSDT 8A5153F8 ZwUnmapViewOfSection
SSDT 8A50F4A0 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 12 Bytes [28, B4, C8, 89, F8, 62, 51, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6DC83C0, 0x95B7EA, 0xE8000020]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB6CEAF80]
So, the odyssey sadly continues. As the reader can see plainly, ZeroAccess has hooked the kernel and thereby rendered my antivirus systems impotent against it.
Doesn’t anyone know of a tool that will actually detect and delete the Rootkit ZeroAccess?!
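For anyone triaging a GMER log like the one quoted above, the following helper is an added example (not the poster's code and not part of GMER) that parses the "System" and "Kernel code sections" output: it separates SSDT entries that GMER attributes to a named driver (here Webroot's WRkrn.sys and Symantec's wpsdrvnt.sys) from entries shown only as a raw handler address, and pulls out inline patches such as the 12-byte modification inside ntoskrnl.exe. The sample log embedded below is a constructed, shortened copy of a few lines from the post; the line formats are assumed from those quoted lines.

```python
import re
from collections import Counter, namedtuple

# Constructed sample: a handful of lines in the shape of the GMER output quoted
# in the post (the full log has 34 SSDT entries; these are a subset).
SAMPLE_LOG = """\
---- System - GMER 1.0.15 ----
SSDT 89C7E2D8 ZwAlertResumeThread
SSDT WRkrn.sys (Webroot SecureAnywhere/Webroot) ZwAssignProcessToJobObject [0xF7458B30]
SSDT 8A4E2BE0 ZwCreateThread
SSDT \\??\\C:\\WINDOWS\\system32\\drivers\\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB66D8E80]
SSDT 8A50F4A0 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 12 Bytes [28, B4, C8, 89, F8, 62, 51, ...]
"""

Hook = namedtuple("Hook", "function address module vendor")

# SSDT entry whose handler GMER mapped to a loaded driver image (module + vendor string).
ATTRIBUTED = re.compile(
    r"^SSDT\s+(?P<mod>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<fn>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
# SSDT entry showing only a raw handler address: GMER found no owning module for it.
UNATTRIBUTED = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<fn>Zw\w+)$")
# Inline patch inside a kernel code section: module!symbol + offset, address, byte count.
CODE_PATCH = re.compile(
    r"^\.text\s+(?P<sym>\S+!\S+)\s+\+\s+(?P<off>[0-9A-Fa-f]+)\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes")

def parse_ssdt(text):
    """Return one Hook per SSDT line; module/vendor are None when GMER showed only an address."""
    hooks = []
    for line in text.splitlines():
        m = ATTRIBUTED.match(line)
        if m:
            module = m["mod"].rsplit("\\", 1)[-1]  # strip the \??\C:\... path to the file name
            hooks.append(Hook(m["fn"], int(m["addr"], 16), module, m["vendor"]))
            continue
        m = UNATTRIBUTED.match(line)
        if m:
            hooks.append(Hook(m["fn"], int(m["addr"], 16), None, None))
    return hooks

def parse_code_patches(text):
    """Return (symbol, offset, byte_count) for each patched kernel code section line."""
    return [(m["sym"], int(m["off"], 16), int(m["n"])) for m in map(CODE_PATCH.match, text.splitlines()) if m]

def triage(hooks):
    """Count hooks per owning module (None = unattributed) and list the unattributed functions."""
    by_module = Counter(h.module for h in hooks)
    unattributed = sorted(h.function for h in hooks if h.module is None)
    return by_module, unattributed

if __name__ == "__main__":
    counts, unknown = triage(parse_ssdt(SAMPLE_LOG))
    print("hooks per module:", dict(counts))
    print("unattributed handlers to review:", unknown)
    print("kernel code patches:", parse_code_patches(SAMPLE_LOG))
```

Entries attributed to a security product's own driver are that product's hooks; the unattributed addresses and the ntoskrnl.exe patch are the lines worth reviewing against a known-clean baseline of the same Windows build.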