From: Shawn E. Hale on 20 Oct 2005 11:59

I am trying to be as detailed about this as I can. Sorry if it is too long, but I figure more info is better than less. Using a new Dell laptop with XP Home, SP2 and all updates. Norton Antivirus 2005 installed and set for automatic updates. It is also set for real-time (constant) scanning.

2 weeks ago (10/3/05) my daughter was using AOL IM when someone inadvertently sent her a link which she followed and ran. Immediately all of her other buddies on IM got the same link from her even though she didn't manually forward it. Sensing something was wrong, she disconnected from the IM. Norton Antivirus reported the following:

Auto-Protect, Hacktool.rootkit, Access Denied. Source: c:\windows\system32\msdirectx.sys
Auto-Protect, Hacktool.rootkit, Repair failed. Source: c:\windows\system32\msdirectx.sys

I did some research and deleted all references in the registry, and all files related to, lock1.exe, xz.bat, and msdirectx.sys (although that particular file was not found). I found a lock1 exception added to my Windows firewall so I removed that. I rebooted several times, ran various online virus scanners and Norton Antivirus numerous times and all seemed to be fine. No error messages, no computer slowdowns, no vulnerabilities according to Shields Up!. Nothing odd looking in the MSCONFIG startup.

Yesterday, 10/19/05, Norton Antivirus downloaded the latest definitions and I came home to find this pop-up warning from Norton (no one had been on the computer all day and it was fine when I left in the morning):

Virus scanner, Hacktool.rootkit, Quarantined file, Virus Source: C:\windows\system32\svkp.sys. (A related registry key was also removed.) The virus definitions date that found this problem was 10/19/05.

I did some more research and found that SVKP.sys may be a legitimate file, or it may not (depending on the source). There were registry entries for Legacy_SVKP which I deleted. Rebooted several times, ran Norton full virus scan a few times, no problems or error messages.

Here are my questions/concerns:

In the original Norton message about msdirectx, what does it actually mean, "repair failed" and "access denied"? Is that a good thing that Norton stopped it or is it a bad thing that Norton didn't catch it in time?

Would I be correct in assuming that the new virus definitions downloaded on 10/19 simply found a remnant of the original hacktool.rootkit and scrubbed it out OR is this thing still in my system and somehow regenerating itself?

If it is regenerating itself, should I really be too concerned or is it more of an annoyance? We have the XP firewall running and WEP encryption on our home wifi network.

I don't want to go through the process of re-formatting and re-installing if I don't have to. I guess I am looking for confirmation of my suspicion that the new anti-virus definitions took out a remnant/orphan of the original problem and that since I am having no other problems (before or now after), I am OK. Am I just wishful thinking?

Thanks for any advice.
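The cleanup in the post above was done by hand in two registry areas: the driver/service entries (the Services key, and the matching LEGACY_* keys under Enum\Root, which is where "Legacy_SVKP" lives) and the XP SP2 firewall exception list (the "lock1" exception). The Python below is an added example, not code from this thread or from either poster. It models that check against a constructed registry snapshot: it flags driver services whose binary is missing on disk (the kind of orphan a later definition update can surface, as happened with svkp.sys), drivers whose binary sits outside system32\drivers, LEGACY_* keys that no longer have a service, and firewall exceptions that point at a missing program or at one outside Program Files / Windows. The install directories (C:\WINDOWS, C:\Program Files), the sample services, file list and firewall values are all assumptions chosen to mirror the thread; the real locations of lock1.exe and xz.bat are not stated in the post. One caveat that applies to any such check: a kernel rootkit that is still loaded can hide its own key and file from user-mode enumeration, so a clean result on the live system is weaker evidence than the same check run from Safe Mode or from another OS against the offline hive.

```python
"""Triage of driver registry entries and XP SP2 firewall exceptions.

Added example, not code from the thread: it models the hand cleanup in the post
above (Services and Enum\\Root LEGACY_* keys, FirewallPolicy AuthorizedApplications
list) and flags orphaned, misplaced or unmatched entries. Sample data is constructed.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

SYSTEM_ROOT = r"C:\WINDOWS"                 # assumed install locations
PROGRAM_FILES = r"C:\Program Files"
DRIVER_TYPES = {0x1, 0x2}                   # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
ENV = {"systemroot": SYSTEM_ROOT, "windir": SYSTEM_ROOT, "programfiles": PROGRAM_FILES}
Finding = Tuple[str, str, str, List[str]]   # (kind, name, path, reasons)


def normalize_image_path(raw: str) -> str:
    """Map the path forms seen in ImagePath / firewall values to one Win32 path."""
    p = raw.strip().strip('"')
    if p.startswith("\\??\\"):                                  # NT object-manager prefix
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\SystemRoot"):]
    p = re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), p)
    if not ntpath.splitdrive(p)[0]:                           # e.g. system32\drivers\x.sys
        p = ntpath.join(SYSTEM_ROOT, p)
    return ntpath.normpath(p)


def audit_drivers(services: Dict[str, dict], files: Iterable[str],
                  legacy_enum: Iterable[str] = ()) -> List[Finding]:
    """Flag driver services with missing/odd binaries and LEGACY_* keys with no service."""
    present = {ntpath.normpath(f).lower() for f in files}
    drivers_dir = ntpath.join(SYSTEM_ROOT, "system32", "drivers").lower()
    out: List[Finding] = []
    for name, v in services.items():
        if v.get("Type") not in DRIVER_TYPES:
            continue
        # A driver without ImagePath is loaded from system32\drivers\<name>.sys
        path = normalize_image_path(v.get("ImagePath") or ntpath.join("system32", "drivers", name + ".sys"))
        reasons = []
        if path.lower() not in present:
            reasons.append("binary missing on disk (orphaned entry)")
        if ntpath.dirname(path).lower() != drivers_dir:
            reasons.append("binary outside system32\\drivers")
        if reasons:
            out.append(("driver", name, path, reasons))
    known = {n.lower() for n in services}
    for key in legacy_enum:                 # LEGACY_<service> keys that outlived their service
        if key.upper().startswith("LEGACY_") and key[7:].lower() not in known:
            out.append(("legacy", key, "", ["Enum\\Root entry with no matching service (remnant)"]))
    return out


def parse_firewall_entry(value: str) -> Tuple[str, str, str, str]:
    """Split '<path>:<scope>:<Enabled|Disabled>:<display name>' without breaking on 'C:'."""
    drive = ""
    if len(value) > 2 and value[1] == ":" and value[2] in "\\/":
        drive, value = value[:2], value[2:]
    parts = value.split(":", 3)
    if len(parts) != 4:
        raise ValueError("unexpected AuthorizedApplications value: " + drive + value)
    return drive + parts[0], parts[1], parts[2], parts[3]


def audit_firewall(entries: Dict[str, str], files: Iterable[str]) -> List[Finding]:
    """Flag exceptions whose program is gone or lives outside Program Files / Windows."""
    present = {ntpath.normpath(f).lower() for f in files}
    trusted = (PROGRAM_FILES.lower() + "\\", SYSTEM_ROOT.lower() + "\\")
    out: List[Finding] = []
    for value in entries.values():
        path, scope, state, display = parse_firewall_entry(value)
        path = normalize_image_path(path)
        reasons = []
        if path.lower() not in present:
            reasons.append("binary missing on disk (stale exception)")
        if not path.lower().startswith(trusted):
            reasons.append("program outside Program Files / Windows")
        if reasons:
            out.append(("firewall", f"{display} ({state}, scope {scope})", path, reasons))
    return out


# Constructed sample snapshot modelled on the thread; every path and value is an assumption.
SAMPLE_SERVICES = {
    "svkp":      {"Type": 0x1, "Start": 3, "ImagePath": r"\??\C:\WINDOWS\system32\svkp.sys"},
    "msdirectx": {"Type": 0x1, "Start": 3, "ImagePath": r"system32\msdirectx.sys"},
    "Mouclass":  {"Type": 0x1, "Start": 1, "ImagePath": r"system32\DRIVERS\mouclass.sys"},
    "Ntfs":      {"Type": 0x2, "Start": 1},                     # no ImagePath: loader default
    "Dhcp":      {"Type": 0x20, "Start": 2, "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs"},
}
SAMPLE_LEGACY_ENUM = ["LEGACY_SVKP", "LEGACY_MOUCLASS", "LEGACY_NTFS", "LEGACY_LOCK1"]
SAMPLE_FIREWALL_LIST = {        # value name -> value data, as under AuthorizedApplications\List
    r"C:\Program Files\Messenger\msmsgs.exe": r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\WINDOWS\system32\lock1.exe": r"C:\WINDOWS\system32\lock1.exe:*:Enabled:lock1",
    r"%ProgramFiles%\Some Game\game.exe": r"%ProgramFiles%\Some Game\game.exe:LocalSubNet:Disabled:Some Game",
    r"C:\temp\updater.exe": r"C:\temp\updater.exe:*:Enabled:updater",
}
SAMPLE_FILES = [r"C:\WINDOWS\system32\DRIVERS\mouclass.sys", r"C:\WINDOWS\system32\drivers\ntfs.sys",
                r"C:\WINDOWS\system32\svchost.exe", r"C:\Program Files\Messenger\msmsgs.exe",
                r"C:\Program Files\Some Game\game.exe", r"C:\temp\updater.exe"]
```

Running `audit_drivers(SAMPLE_SERVICES, SAMPLE_FILES, SAMPLE_LEGACY_ENUM)` on the sample reports svkp and msdirectx (binary gone, and registered outside system32\drivers) plus LEGACY_LOCK1 as a remnant with no service; `audit_firewall(SAMPLE_FIREWALL_LIST, SAMPLE_FILES)` reports the stale lock1 exception and the out-of-place updater.exe. On a live XP machine the two dicts would be filled from `winreg` (the `Type`, `Start` and `ImagePath` values of each Services subkey, the subkey names of `Enum\Root`, and the values of the `AuthorizedApplications\List` key) and the file list from `os.walk`; the scan is a pointer to what to look at, not a verdict on whether a file is malicious.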
From: Panda_man on 20 Oct 2005 13:48

Well, my congratulations on having this hacking tool... :(

No, seriously... :-)
This is very bad and awful... You probably know what hackers are, what they do, and what hacking tools are.

Here is information about the rootkit:
http://securityresponse.symantec.com/avcenter/venc/data/hacktool.rootkit.html

It also has removal instructions which you need to follow.

Then you can also get this file with general malware removal instructions written by me.
http://free.hit.bg/fightmalware/Malware%20removal%20instructions.rtf
(Scanning in Safe Mode is important.)

I also would recommend you scan with Panda free Active Scan when you have done all the Norton things and recommendations. The link is written in the file which you'll download. If something is found by Panda's scanner that Norton didn't find (I mean a hacking tool or other malware), you may get the Panda Titanium free trial; the link is in the files.

When you are clean, go through these (tell your child how to use the computer correctly):
http://free.hit.bg/fightmalware/Set%20up%20a%20PC.rtf
Take a special look at the parental control section.
http://www.microsoft.com/athome/security/children/default.mspx

Now about your questions. My reply is mixed with your words.

> In the original Norton message about msdirectx, what does it actually mean
> "repair failed" and "access denied." Is that a good thing that Norton
> stopped it or is it a bad thing that Norton didn't catch it in time?

Panda_man >>> Repair failed means that Norton was not able to disinfect the file / remove the junk, because the junk was probably in use (things in use cannot be removed). Access denied means that access to the infected file is stopped. Useful...

> Would I be correct in assuming that the new virus definitions downloaded on
> 10/19 simply found a remnant of the original hacktool.rootkit and scrubbed
> it out OR is this thing still in my system and somehow regenerating itself?

Panda_man >>> You are correct.

> If it is regenerating itself, should I really be too concerned or is it more
> of an annoyance? We have the XP firewall running and WEP encryption on our
> home wifi network.

Panda_man >>> To stop hacking tools from connecting to the hacker, you'll need another software firewall with both incoming and outgoing protection. The Windows SP2 firewall has only incoming protection, which is the most important and does the basics.

> I don't want to go thru the process of re-formatting and re-installing if I
> don't have to.

Panda_man >>> Although it is not recommended in most cases, you must be sure that it is the only 100% sure way to clean an infected computer.

Panda_man
"Let's beat malware black and blue"
"No new epidemics of all kinds of malware -> Panda TruPrevent"
From: Shawn E. Hale on 20 Oct 2005 14:08

Thanks for the info and taking the time to reply.

I will follow up on that when I get home and on the affected computer.

If I could ask a couple more things for clarification:

> Access denied means that access to the infected file is stopped. Useful...

What is stopped from accessing the affected file? Norton or the bad process?

> > Would I be correct in assuming that the new virus definitions downloaded on
> > 10/19 simply found a remnant of the original hacktool.rootkit and scrubbed
> > it out OR is this thing still in my system and somehow regenerating itself?
>
> Panda_man >>> You are correct.

Which part was I correct about? That the 10/19 download rooted out the orphan or that the thing is regenerating itself?

Thanks again for help (and patience).

I will post back after the Panda scan.

"Panda_man" <Pandaman(a)discussions.microsoft.com> wrote in message news:261111A5-AC12-4A8F-B5FC-FC069B0CF0B0(a)microsoft.com...
From: Panda_man on 20 Oct 2005 15:03

Well, access denied can mean both of the things you suggested, but in your case I think it means that Norton cannot access the file; as I said, files in use cannot be "touched".

And maybe you're right (correct) about both things. It could have been regenerated from System Restore (not by itself).

In the Symantec link I posted in my previous post you can find instructions on how to disable it. And also in my file, which you'll download...

And it is important to teach your kid/kids how to use the computer safely. If your daughter had had a limited user account, there would have been no chance (no way) for the junk to infect the computer.

Kids sometimes don't think and just click; it is important not to click on EVERYBODY's links, only those from people you really know and really trust!!! More info in my file (how to set up a computer -> Parental control; and keep a close eye on how to password-protect your admin account and your hidden admin account in Safe Mode).

Panda_man

"Shawn E. Hale" wrote:

> Thanks for the info and taking the time to reply.
>
> I will follow up on that when I get home and on the affected computer.
>
> If I could ask a couple more things for clarification:
>
> > Access denied means that access to the infected file is stopped. Useful...
> What is stopped from accessing the affected file? Norton or the bad
> process?
>
> Which part was I correct about? That the 10/19 download rooted out the
> orphan or that the thing is regenerating itself?
>
> Thanks again for help (and patience).
>
> I will post back after the Panda scan.
From: Shawn E. Hale on 20 Oct 2005 15:10
I told the daughter all about never hitting "install" or "run", but this darn thing came up with what appeared to be a benign message of "you must have admin privileges to continue" and an "OK" button. Would have fooled me too. But you are correct about the accounts. I will work on that too when I get home, along with the other stuff you recommended (looks like a long night ahead of me...). Thanks again. I will post back results.

"Panda_man" <Pandaman(a)discussions.microsoft.com> wrote in message news:AD1EE642-BFB9-4A0C-AE9F-9D5CA687D7F9(a)microsoft.com...

> Well, access denied can mean both of the things you suggested, but in
> your case I think it means that Norton cannot access the file; as I said,
> files in use cannot be "touched".
>
> And maybe you're right (correct) about both things.
> It could have been regenerated from System Restore (not by itself).
>
> And it is important to teach your kid/kids how to use the computer safely.
> If your daughter had had a limited user account, there would have been no
> chance (no way) for the junk to infect the computer.