XueTr is a powerful tool for hidden-code/rootkit detection (available for download from http://www.xuetr.com/download/XueTr.zip).
Run it on a machine infected with the latest ZeroAccess rootkit.
Right after starting, it shows an alert.
Next, look at the "Kernel module" tab.
XueTr finds two ZeroAccess drivers; we can dump them...
Next, check the kernel for suspicious actions: Kernel->Object Hijack.
Note that the system driver ipsec.sys was hijacked, and some pointers in the hard disk's device object were hijacked as well.
The IPsec service in the registry, from where the rootkit started...
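As an added example (not from the original post and not part of XueTr), here is a read-only PowerShell check of the IPsec driver service entry that the post names as the rootkit's start point: it reads the service key, resolves the ImagePath the way the service control manager would, compares it with the default location of ipsec.sys, and reports the file's Authenticode status and hash. The service name `IPSec` and the expected path under `System32\drivers` are assumptions based on the post and a default Windows layout.

```powershell
# Added example, not part of the original post or of XueTr: inspect the IPSec
# driver service entry and the file it points at. Service name and expected
# path are assumptions taken from the post and a default Windows layout.
$ServiceName  = 'IPSec'
$ExpectedPath = Join-Path $env:SystemRoot 'System32\drivers\ipsec.sys'
$Key          = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# Turn a driver ImagePath into an absolute path the way the service control
# manager resolves it (relative to SystemRoot, or with \SystemRoot\ or \??\ prefix).
function Resolve-DriverImagePath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -match '^\\\?\?\\(.*)$')       { return $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.*)$') { return (Join-Path $env:SystemRoot $Matches[1]) }
    if ($p -match '^[A-Za-z]:\\')         { return $p }
    return (Join-Path $env:SystemRoot $p)  # e.g. system32\DRIVERS\ipsec.sys
}

if (-not (Test-Path $Key)) {
    Write-Warning "Service key $Key not found"
    return
}

$svc = Get-ItemProperty -Path $Key
"ImagePath (raw)     : $($svc.ImagePath)"
"Start               : $($svc.Start)   (0=boot 1=system 2=auto 3=manual 4=disabled)"
"Type                : $($svc.Type)    (1=kernel driver)"

$img = Resolve-DriverImagePath $svc.ImagePath
"ImagePath (resolved): $img"

if ($img -ine $ExpectedPath) {
    Write-Warning "ImagePath differs from the expected location $ExpectedPath"
}

if (Test-Path $img) {
    $sig = Get-AuthenticodeSignature -FilePath $img
    "Signature status    : $($sig.Status)"
    "Signer              : $($sig.SignerCertificate.Subject)"
    "SHA256              : $((Get-FileHash -Path $img -Algorithm SHA256).Hash)"
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Driver file is not validly signed; compare it with a known-good copy"
    }
} else {
    Write-Warning "Driver file $img is not visible on disk (hidden or removed?)"
}

# Cross-check with what the running system reports for this driver
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'" |
    Select-Object Name, State, StartMode, PathName
```

Run it from an elevated prompt. Keep in mind that everything this script sees comes through user-mode APIs, which an active kernel rootkit can filter, and that a validly signed file on disk does not clear the machine when the in-memory driver or device object has been hijacked; that is exactly why the post relies on XueTr's kernel-level view, and any mismatch found here should be confirmed against it or against an offline copy of the disk.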