Bot Obliterator
Quads
Posts: 13,934
Registered: 07-21-2008
Re: Malware Removal Forum

Tackled a ZeroAccess variant on a laptop (x86); took a bit of time and 3 restarts and still not all files can be shifted. People love to bag Norton (Symantec) with stating to use even like Avast or AVG etc., but I had a laugh as ZeroAccess on this system selected to infect AVG (Haha, no anti-tamper protection).

list

c:\users\Marewa\AppData\Local\31868fd4\U
c:\users\Marewa\AppData\Local\31868fd4\U\00000001.@
c:\users\Marewa\AppData\Local\31868fd4\U\000000c0.@
c:\users\Marewa\AppData\Local\31868fd4\U\000000cb.@
c:\users\Marewa\AppData\Local\31868fd4\U\000000cf.@
c:\users\Marewa\AppData\Local\31868fd4\U\80000000.@
c:\users\Marewa\AppData\Local\31868fd4\U\800000c0.@
c:\users\Marewa\AppData\Local\31868fd4\U\800000cb.@
c:\users\Marewa\AppData\Local\31868fd4\U\800000cf.@
c:\windows\$NtUninstallKB16813$\206546423
c:\windows\$NtUninstallKB16813$\830902228\@
c:\windows\$NtUninstallKB16813$\830902228\L\xadqgnnk
c:\windows\$NtUninstallKB16813$\830902228\loader.tlb
c:\windows\$NtUninstallKB16813$\830902228\U\@00000001
c:\windows\$NtUninstallKB16813$\830902228\U\@000000c0
c:\windows\$NtUninstallKB16813$\830902228\U\@000000cb
c:\windows\$NtUninstallKB16813$\830902228\U\@000000cf
c:\windows\$NtUninstallKB16813$\830902228\U\@80000000
c:\windows\$NtUninstallKB16813$\830902228\U\@800000c0
c:\windows\$NtUninstallKB16813$\830902228\U\@800000cb
c:\windows\$NtUninstallKB16813$\830902228\U\@800000cf
c:\windows\system32\service
c:\windows\system32\service\05022011_TIS17_SfFniAU.log
c:\windows\system32\service\18072011_TIS17_SfFniAU.log
c:\windows\$NtUninstallKB16813$ (could not delete folder, had to manually PowerTool force delete)

C:\Windows\system32\DRIVERS\avgtdix.sys  infected!!

Still to force delete below, but have copied.

C:\Windows\system32\FreeTdi.dll
C:\Windows\system32\tsp.dll
C:\Windows\system32\GTPTSER.dll
C:\Windows\system32\motmodem.dll

Quads
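The directory layout in the listing above (an 8-hex-digit folder under AppData\Local, or a $NtUninstallKB<digits>$ folder under c:\windows with a numeric subfolder, each holding U\ and L\ subdirectories, 8-hex-digit files with an '@' prefix or suffix, a bare '@' file and loader.tlb) is regular enough to triage from a plain file listing. The script below is an added example, not code from the post or from any removal tool; the sample listing is constructed from the paths quoted in the post plus two paths that should not be flagged. Note that the patched AVG driver the poster found cannot be caught this way, since it lives at its normal path.

```python
import re
from collections import defaultdict

# Container directory: either the AppData\Local\<8 hex> folder or the
# c:\windows\$NtUninstallKB<digits>$\<digits> folder seen in the listing.
CONTAINER = re.compile(
    r"^(?P<root>[a-z]:\\(?:users\\[^\\]+\\appdata\\local\\[0-9a-f]{8}"
    r"|windows\\\$ntuninstallkb\d+\$(?:\\\d+)?))(?P<rest>\\.*)?$",
    re.IGNORECASE,
)
# Members allowed inside a container: the U\ and L\ subfolders, the '@'
# payload files, a random-named file under L\, and loader.tlb.
MEMBER = re.compile(
    r"^\\(?:[ul]|u\\(?:@[0-9a-f]{8}|[0-9a-f]{8}\.@)|l\\[a-z]+|@|loader\.tlb)$",
    re.IGNORECASE,
)

# Constructed sample listing: paths from the post plus two benign ones.
SAMPLE_LISTING = [
    r"c:\users\Marewa\AppData\Local\31868fd4\U",
    r"c:\users\Marewa\AppData\Local\31868fd4\U\00000001.@",
    r"c:\users\Marewa\AppData\Local\31868fd4\U\800000cb.@",
    r"c:\windows\$NtUninstallKB16813$\830902228\@",
    r"c:\windows\$NtUninstallKB16813$\830902228\L\xadqgnnk",
    r"c:\windows\$NtUninstallKB16813$\830902228\loader.tlb",
    r"c:\windows\$NtUninstallKB16813$\830902228\U\@000000c0",
    r"C:\Windows\system32\DRIVERS\avgtdix.sys",   # infected, but normal path
    r"c:\users\Marewa\AppData\Local\Temp\setup.log",  # benign
]


def zeroaccess_container(path):
    """Return the (lower-cased) container directory if the path fits the
    layout, otherwise None."""
    m = CONTAINER.match(path.strip())
    if not m:
        return None
    rest = m.group("rest") or ""
    if rest and not MEMBER.match(rest):
        return None          # inside a look-alike folder but wrong member
    return m.group("root").lower()


def find_containers(lines):
    """Group every flagged path under its container so each container can
    be reviewed (and removed) as one unit rather than file by file."""
    hits = defaultdict(list)
    for line in lines:
        container = zeroaccess_container(line)
        if container:
            hits[container].append(line.strip())
    return dict(hits)


if __name__ == "__main__":
    for container, members in find_containers(SAMPLE_LISTING).items():
        print(container, len(members), "entries")
```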