hacktool.rootkit
in [Windows Viruses]
|
Prev: HotPOP.com infected
Next: locate.exe
From: Splinter on 20 Oct 2005 15:29 In article <#$nXQ9Y1FHA.3256(a)TK2MSFTNGP09.phx.gbl>, Shawn E. Hale <SEHale(a)NOSPAMcomcast.net> wrote: > I am trying to be as detailed about this as I can. Sorry if it is too long > but I figure more info is better than less. Using a new Dell laptop with XP > Home, SP2 and all updates. Norton Antivirus 2005 installed and set for > automatic updates. It is also set for real time (constant) scanning. > > 2 weeks ago (10/3/05) my daughter was using AOL IM when someone > inadvertently sent her a link which she followed and ran. Immediately all > of her other buddies on IM got the same link from her even though she didn't > manually forward it. Sensing something was wrong, she disconnected from the > IM. Norton Antivirus reported the following: > > Auto-Protect, Hacktool.rootkit, Access Denied. Source: > c:\windows\system32\msdirectx.sys > Auto-Protect, Hacktool.rootkit, Repair failed. Source: > c:\windows\system32\msdirectx.sys > > I did some research and deleted all references in the registry, and all > files relative to, lock1.exe, xz.bat, and msdirectx.sys (although that > particular file was not found). I found a lock1 exception added to my > Windows firewall so I removed that. I rebooted several times, ran various > online virus scanners and Norton antivirus numerous times and all seemed to > be fine. No error messages, no computer slowdowns, no vulnerabilities > according to Shields Up!. Nothing odd looking in the MSCONFIG startup. > > Yesterday, 10/19/05, Norton Antivirus downloaded the latest definitions and > I came home to find this pop-up warning from Norton (no one had been on the > computer all day and it was fine when I left in the morning): > > Virus scanner, Hacktool.rootkit, Quarantined file, Virus Source: > C:\windows\system32\svkp.sys. (A related registry key was also removed). > The virus definitions date that found this problem was 10/19/05. > > I did some more research and found that SVKP.sys may be a legitimate file, > or it may not (depending on the source). There were registry entries for > Legacy_SVKP which I deleted. Rebooted several times, ran Norton full virus > scan a few times, no problems or error messages. > > Here are my questions/concerns: > > In the original Norton message about msdirectx, what does it actually mean > "repair failed" and "access denied." Is that a good thing that Norton > stopped it or is it a bad thing that Norton didn't catch it in time? > > Would I be correct in assuming that the new virus definitions downloaded on > 10/19 simply found a remnant of the original hacktool.rootkit and scrubbed > it out OR is this thing still in my system and somehow regenerating itself? > > If it is regenerating itself, should I really be too concerned or is it more > of an annoyance? We have the XP firewall running and WEP encryption on our > home wifi network. > > I don't want to go thru the process of re-formatting and re-installing if I > don't have to. I guess I am looking for confirmation of my suspicion that > the new anti-virus definitions took out a remnant/orphan of the original > problem and that since I am having no other problems (before or now after), > I am OK. Am I just wishful thinking? > > Thanks for any advice. > > We used Trend Online (housecall.trendmicro.com) in safe mode (under Administrator) with networking. HijackThis; Ad-Aware; Registry Mechanic and RegEdit to get rid of our variant. You'll need to do every machine on your network and even then its touch and go. -- Splinter
From: Splinter on 20 Oct 2005 15:34 In article <#$nXQ9Y1FHA.3256(a)TK2MSFTNGP09.phx.gbl>, Shawn E. Hale <SEHale(a)NOSPAMcomcast.net> wrote: > I am trying to be as detailed about this as I can. Sorry if it is too long > but I figure more info is better than less. Using a new Dell laptop with XP > Home, SP2 and all updates. Norton Antivirus 2005 installed and set for > automatic updates. It is also set for real time (constant) scanning. > > 2 weeks ago (10/3/05) my daughter was using AOL IM when someone > inadvertently sent her a link which she followed and ran. Immediately all > of her other buddies on IM got the same link from her even though she didn't > manually forward it. Sensing something was wrong, she disconnected from the > IM. Norton Antivirus reported the following: > > Auto-Protect, Hacktool.rootkit, Access Denied. Source: > c:\windows\system32\msdirectx.sys > Auto-Protect, Hacktool.rootkit, Repair failed. Source: > c:\windows\system32\msdirectx.sys > > I did some research and deleted all references in the registry, and all > files relative to, lock1.exe, xz.bat, and msdirectx.sys (although that > particular file was not found). I found a lock1 exception added to my > Windows firewall so I removed that. I rebooted several times, ran various > online virus scanners and Norton antivirus numerous times and all seemed to > be fine. No error messages, no computer slowdowns, no vulnerabilities > according to Shields Up!. Nothing odd looking in the MSCONFIG startup. > > Yesterday, 10/19/05, Norton Antivirus downloaded the latest definitions and > I came home to find this pop-up warning from Norton (no one had been on the > computer all day and it was fine when I left in the morning): > > Virus scanner, Hacktool.rootkit, Quarantined file, Virus Source: > C:\windows\system32\svkp.sys. (A related registry key was also removed). > The virus definitions date that found this problem was 10/19/05. > > I did some more research and found that SVKP.sys may be a legitimate file, > or it may not (depending on the source). There were registry entries for > Legacy_SVKP which I deleted. Rebooted several times, ran Norton full virus > scan a few times, no problems or error messages. > > Here are my questions/concerns: > > In the original Norton message about msdirectx, what does it actually mean > "repair failed" and "access denied." Is that a good thing that Norton > stopped it or is it a bad thing that Norton didn't catch it in time? > > Would I be correct in assuming that the new virus definitions downloaded on > 10/19 simply found a remnant of the original hacktool.rootkit and scrubbed > it out OR is this thing still in my system and somehow regenerating itself? > > If it is regenerating itself, should I really be too concerned or is it more > of an annoyance? We have the XP firewall running and WEP encryption on our > home wifi network. > > I don't want to go thru the process of re-formatting and re-installing if I > don't have to. I guess I am looking for confirmation of my suspicion that > the new anti-virus definitions took out a remnant/orphan of the original > problem and that since I am having no other problems (before or now after), > I am OK. Am I just wishful thinking? > > Thanks for any advice. > > Oh and go into your HD under safe mode/admin, get rid of your temp files under every profile, get rid of your temp internet files under every profile, delete your "downloaded applications" folder under windows/winnt, check and delete the temp files under windows/winnt. -- Splinter
From: Panda_man on 20 Oct 2005 17:24 May be your daughter didn't clicked Install or Run because most viruses just enters when you open the page.As you described in your first post someone has given her a link so she has visited that page and that's it. I meant if she had used a limited user account ,no virus or spyware would have been able to get into your computer because this is ^Windows protection^.Windows XP's limited users can only do basic computer activities-listening to music,web browsing,chatting and simple things. Limited users can download everything but cannot install anything. Because they are not able to install or modify such a thing they cannot install any spyware/virus in the family's computer.Viruses are programs,too , but bad programs....So ,in general ,a computer with limited user account is more secure while online...Limited accounts best fits to children. More info in the file how to set up a computer... Panda_man "Shawn E. Hale" wrote: > I told the daughter all about never hitting "install" or "run" but this darn > thing came up with what appeared to be a benign message of "you must have > admin privileges to continue" and an "OK" button. Would have fooled me too. > But you are correct about the accounts. I will work on that too when I get > home. With the other stuff you recommended (looks like a long night ahead > of me...). > > Thanks again. I will post back results. >
From: David H. Lipman on 20 Oct 2005 17:50 From: "Shawn E. Hale" <SEHale(a)NOSPAMcomcast.net> | I am trying to be as detailed about this as I can. Sorry if it is too long | but I figure more info is better than less. Using a new Dell laptop with XP | Home, SP2 and all updates. Norton Antivirus 2005 installed and set for | automatic updates. It is also set for real time (constant) scanning. | | 2 weeks ago (10/3/05) my daughter was using AOL IM when someone | inadvertently sent her a link which she followed and ran. Immediately all | of her other buddies on IM got the same link from her even though she didn't | manually forward it. Sensing something was wrong, she disconnected from the | IM. Norton Antivirus reported the following: | | Auto-Protect, Hacktool.rootkit, Access Denied. Source: | c:\windows\system32\msdirectx.sys | Auto-Protect, Hacktool.rootkit, Repair failed. Source: | c:\windows\system32\msdirectx.sys | | I did some research and deleted all references in the registry, and all | files relative to, lock1.exe, xz.bat, and msdirectx.sys (although that | particular file was not found). I found a lock1 exception added to my | Windows firewall so I removed that. I rebooted several times, ran various | online virus scanners and Norton antivirus numerous times and all seemed to | be fine. No error messages, no computer slowdowns, no vulnerabilities | according to Shields Up!. Nothing odd looking in the MSCONFIG startup. | | Yesterday, 10/19/05, Norton Antivirus downloaded the latest definitions and | I came home to find this pop-up warning from Norton (no one had been on the | computer all day and it was fine when I left in the morning): | | Virus scanner, Hacktool.rootkit, Quarantined file, Virus Source: | C:\windows\system32\svkp.sys. (A related registry key was also removed). | The virus definitions date that found this problem was 10/19/05. | | I did some more research and found that SVKP.sys may be a legitimate file, | or it may not (depending on the source). There were registry entries for | Legacy_SVKP which I deleted. Rebooted several times, ran Norton full virus | scan a few times, no problems or error messages. | | Here are my questions/concerns: | | In the original Norton message about msdirectx, what does it actually mean | "repair failed" and "access denied." Is that a good thing that Norton | stopped it or is it a bad thing that Norton didn't catch it in time? | | Would I be correct in assuming that the new virus definitions downloaded on | 10/19 simply found a remnant of the original hacktool.rootkit and scrubbed | it out OR is this thing still in my system and somehow regenerating itself? | | If it is regenerating itself, should I really be too concerned or is it more | of an annoyance? We have the XP firewall running and WEP encryption on our | home wifi network. | | I don't want to go thru the process of re-formatting and re-installing if I | don't have to. I guess I am looking for confirmation of my suspicion that | the new anti-virus definitions took out a remnant/orphan of the original | problem and that since I am having no other problems (before or now after), | I am OK. Am I just wishful thinking? | | Thanks for any advice. | Shawn: Please excute; %SystemRoot%\system32\services.msc Then examine *all* services. Look for NON Microsoft services with oddball names. Lsets say that you find a service called; meaoi Use the Resource Kit utility, DELSRV.EXE, and execute; delsrv meaoi Reboot and then scan the system using the following Multi AV scanning tool. I posted the DELSERV.EXE utility in a ZIP file... Post Subject: DELSRV for Hacktool.Rootkit Posted in: alt.binaries.comp.virus Download MULTI_AV.EXE from the URL -- http://www.ik-cs.com/programs/virtools/Multi_AV.exe It is a self-extracting ZIP file that contains the Kixtart Script Interpreter { http://kixtart.org Kixtart is CareWare } 4 batch files, 6 Kixtart scripts, one Link (.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will simplify the process of using; Sophos, Trend, Kasperski and McAfee Anti Virus Command Line Scanners to remove viruses, Trojans and various other malware. C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS} This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC. You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode. When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file. To use this utility, perform the following... Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS } Choose; Unzip Choose; Close Execute; C:\AV-CLS\StartMenu.BAT { or Double-click on 'Start Menu' in C:\AV-CLS } NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files. * * * Please report back your results * * * -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm
From: Grzegorz Wiktorowski on 21 Oct 2005 04:16
> > Use the Resource Kit utility, DELSRV.EXE, and execute; delsrv meaoi > Reboot and then scan the system using the following Multi AV scanning > tool. > > I posted the DELSERV.EXE utility in a ZIP file... > > Post Subject: DELSRV for Hacktool.Rootkit > Posted in: alt.binaries.comp.virus > FYI Windows XP has SC console application to manage (delete) services. -- Grzegorz Wiktorowski |