Rootkit.ZeroAccess Leaves Remnant Hooks in System

I am running a Dell Dimension 3000 using Microsoft XP Professional with Service Pack 3 and all Microsoft updates installed soon after they have been released. I am currently using, and have used for several years, Symantec Endpoint Protection (SEP) for my anti-virus program with all updates applied and current anti-virus signatures. SEP did not detect or prevent the Rootkit.ZeroAccess intrusion when it occurred. Nor did SEP detect the infection during full system scans that I periodically run.


I have run the Symantec ZeroAccess Removal tool. This tool only resulted in partial removal of Rootkit.ZeroAccess. Remnants of the Rootkit remain in my system. The SEP Network Threat Protection traffic log shows that every couple of minutes, Rootkit.ZeroAccess remnants attempt to "call home" and/or answer a call from "home."

A recent scan by GMER reported the following:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-11 09:14:29
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\jdeegan\LOCALS~1\Temp\ugtdapod.sys


---- System - GMER 1.0.15 ----

SSDT 8A447428 ZwAlertResumeThread
SSDT 899A0C20 ZwAlertThread
SSDT 8A452358 ZwAllocateVirtualMemory
SSDT 8A3D4388 ZwConnectPort
SSDT 8A450A58 ZwCreateMutant
SSDT 8A56B008 ZwCreateThread
SSDT 8A44B978 ZwFreeVirtualMemory
SSDT 8A603728 ZwImpersonateAnonymousToken
SSDT 8A45DE78 ZwImpersonateThread
SSDT 8A45A758 ZwMapViewOfSection
SSDT 8A44D6C8 ZwOpenEvent
SSDT 8A4454C0 ZwOpenProcessToken
SSDT 8A44D7D0 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF758CBA0]
SSDT 8A5F8108 ZwResumeThread
SSDT 89A63C50 ZwSetContextThread
SSDT 8A44BEF0 ZwSetInformationProcess
SSDT 8A454CF0 ZwSetInformationThread
SSDT 8A454BE8 ZwSuspendProcess
SSDT 89A681B8 ZwSuspendThread
SSDT 8A42D7B0 ZwTerminateProcess
SSDT 89AA43C0 ZwTerminateThread
SSDT 8A505058 ZwUnmapViewOfSection
SSDT 8A451360 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 8 Bytes [E8, 4B, 45, 8A, B8, 81, A6, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6BDD380, 0x8D6CD5, 0xE8000020]

---- EOF - GMER 1.0.15 ----


For information purposes I am posting a partial listing of the Network Threat Protection Traffic log from a recent day to illustrate the repeated attempts to communicate by the remnant hooks of Rootkit.ZeroAccess.

The log from Symantec Endpoint Protection:
Symantec Endpoint Protect Ver. 11.0.7101.1056
Virus Definitions dated 03/08/2012

Partial Log of Network Threat Protection Traffic log for 03/07/2012 and 03/08/2012


183517 3/7/2012 11:59:04 PM Blocked 10 Incoming UDP 192.168.1.2 00-1E-2A-47-63-5C 137 192.168.1.255 FF-FF-FF-FF-FF-FF 137 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 9 3/7/2012 11:58:03 PM 3/7/2012 11:58:14 PM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
183636 3/8/2012 7:12:07 AM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/8/2012 7:11:05 AM 3/8/2012 7:11:05 AM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

....... more of the same

183657 3/8/2012 8:24:04 AM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/8/2012 8:23:03 AM 3/8/2012 8:23:03 AM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP


Any advice about how to remove or disable these hooks left behind by Rootkit.ZeroAccess and not removed by the Symantec tool would be appreciated.

Users of the Symantec ZeroAccess Removal tool should be advised to check carefully to see if the tool has successfully removed all traces of the rootkit. The ZeroAccess Removal tool needs to be updated to remove any remnant hooks left behind by ZeroAccess, or another tool needs to be created to perform this important task.
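Triage of a GMER SSDT listing like the one quoted above, as an added example that is not part of the original post and not code from GMER or Symantec: it parses the two SSDT line shapes the report uses and separates entries GMER attributed to a driver file (here wpsdrvnt.sys) from bare-address entries, which are the ones to check against the loaded-driver list before drawing conclusions. The report text in the block is a constructed excerpt in the same format, not the poster's full log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the format of a GMER 1.0.15 report (not the full log from the post).
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT 8A447428 ZwAlertResumeThread
SSDT 8A452358 ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF758CBA0]
SSDT 8A451360 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 8 Bytes [E8, 4B, 45, 8A, B8, 81, A6, ...]
"""


@dataclass
class SsdtHook:
    service: str            # the hooked Zw* system service
    address: int            # address of the replacement handler
    module: Optional[str]   # driver file GMER mapped the handler to, or None if unmapped


# GMER prints SSDT entries in two shapes:
#   SSDT <8 hex digits> <ZwService>                          (handler not mapped to a file)
#   SSDT <module path> (<vendor text>) <ZwService> [0x<hex>]  (handler inside a known driver)
_BARE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(Zw\w+)\s*$")
_MAPPED = re.compile(r"^SSDT\s+(\S+)\s+\(.*?\)\s+(Zw\w+)\s+\[0x([0-9A-Fa-f]+)\]\s*$")


def parse_ssdt(report: str) -> List[SsdtHook]:
    """Extract every SSDT entry from a GMER text report; other sections are ignored."""
    hooks: List[SsdtHook] = []
    for line in report.splitlines():
        if m := _BARE.match(line):
            hooks.append(SsdtHook(m.group(2), int(m.group(1), 16), None))
        elif m := _MAPPED.match(line):
            hooks.append(SsdtHook(m.group(2), int(m.group(3), 16), m.group(1)))
    return hooks


def unattributed(hooks: List[SsdtHook]) -> List[SsdtHook]:
    """Entries whose handler GMER could not tie to a driver file. Check these against the
    loaded-driver list (e.g. `driverquery` output) before treating them as rootkit remnants:
    security products themselves commonly hook the same process, thread and memory services."""
    return [h for h in hooks if h.module is None]
```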