Re: hacktool.rootkit

From: Shawn E. Hale (SEHale_at_NOSPAMcomcast.net)
Date: 10/21/05 

Date: Fri, 21 Oct 2005 10:12:47 -0400

Thanks to you guys who replied with a wealth of advice and information. I
appreciate that and the patience you have taken.

There is a lot to work through but so far, in addition to what I already
listed, I did the things that were suggested in the Symantec site (re: safe
mode virus scanning, registry entry purging, etc.). I also ran the Panda
and Micro Trend online scans, safe mode virus scanning, system restore
purging and turning back on, deleting temp files, and checking the
downloaded applications folder. I also checked the running services and if
I could not identify something, I googled it to see what it was. Everything
was clean with no infected files and no bad services. I am leaning towards
believing that I had initially wiped it out and the latest Symantec
definitions caught an orphan. I was able to find a list of what was in the
Symantec definitions that were downloaded on 10/19 and there was a piece
that looked for the SVKP.sys file. Since I am not having any other slow
downs and issues, I think I have it beat. I will get to Mr. Lipman's advice
this weekend.

Thanks again.

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:uDFBPBc1FHA.2792@tk2msftngp13.phx.gbl...
> From: "Shawn E. Hale" <SEHale@NOSPAMcomcast.net>
>
> | I am trying to be as detailed about this as I can. Sorry if it is too
long
> | but I figure more info is better than less. Using a new Dell laptop
with XP
> | Home, SP2 and all updates. Norton Antivirus 2005 installed and set for
> | automatic updates. It is also set for real time (constant) scanning.
> |
> | 2 weeks ago (10/3/05) my daughter was using AOL IM when someone
> | inadvertently sent her a link which she followed and ran. Immediately
all
> | of her other buddies on IM got the same link from her even though she
didn't
> | manually forward it. Sensing something was wrong, she disconnected from
the
> | IM. Norton Antivirus reported the following:
> |
> | Auto-Protect, Hacktool.rootkit, Access Denied. Source:
> | c:\windows\system32\msdirectx.sys
> | Auto-Protect, Hacktool.rootkit, Repair failed. Source:
> | c:\windows\system32\msdirectx.sys
> |
> | I did some research and deleted all references in the registry, and all
> | files relative to, lock1.exe, xz.bat, and msdirectx.sys (although that
> | particular file was not found). I found a lock1 exception added to my
> | Windows firewall so I removed that. I rebooted several times, ran
various
> | online virus scanners and Norton antivirus numerous times and all seemed
to
> | be fine. No error messages, no computer slowdowns, no vulnerabilities
> | according to Shields Up!. Nothing odd looking in the MSCONFIG startup.
> |
> | Yesterday, 10/19/05, Norton Antivirus downloaded the latest definitions
and
> | I came home to find this pop-up warning from Norton (no one had been on
the
> | computer all day and it was fine when I left in the morning):
> |
> | Virus scanner, Hacktool.rootkit, Quarantined file, Virus Source:
> | C:\windows\system32\svkp.sys. (A related registry key was also
removed).
> | The virus definitions date that found this problem was 10/19/05.
> |
> | I did some more research and found that SVKP.sys may be a legitimate
file,
> | or it may not (depending on the source). There were registry entries
for
> | Legacy_SVKP which I deleted. Rebooted several times, ran Norton full
virus
> | scan a few times, no problems or error messages.
> |
> | Here are my questions/concerns:
> |
> | In the original Norton message about msdirectx, what does it actually
mean
> | "repair failed" and "access denied." Is that a good thing that Norton
> | stopped it or is it a bad thing that Norton didn't catch it in time?
> |
> | Would I be correct in assuming that the new virus definitions downloaded
on
> | 10/19 simply found a remnant of the original hacktool.rootkit and
scrubbed
> | it out OR is this thing still in my system and somehow regenerating
itself?
> |
> | If it is regenerating itself, should I really be too concerned or is it
more
> | of an annoyance? We have the XP firewall running and WEP encryption on
our
> | home wifi network.
> |
> | I don't want to go thru the process of re-formatting and re-installing
if I
> | don't have to. I guess I am looking for confirmation of my suspicion
that
> | the new anti-virus definitions took out a remnant/orphan of the original
> | problem and that since I am having no other problems (before or now
after),
> | I am OK. Am I just wishful thinking?
> |
> | Thanks for any advice.
> |
>
> Shawn:
>
> Please excute; %SystemRoot%\system32\services.msc
>
> Then examine *all* services. Look for NON Microsoft services with oddball
names.
> Lsets say that you find a service called; meaoi
>
> Use the Resource Kit utility, DELSRV.EXE, and execute; delsrv meaoi
> Reboot and then scan the system using the following Multi AV scanning
tool.
>
> I posted the DELSERV.EXE utility in a ZIP file...
>
> Post Subject: DELSRV for Hacktool.Rootkit
> Posted in: alt.binaries.comp.virus
>
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> It is a self-extracting ZIP file that contains the Kixtart Script
Interpreter {
> http://kixtart.org Kixtart is CareWare } 4 batch files, 6 Kixtart scripts,
one Link
> (.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and
WGET.EXE. It will
> simplify the process of using; Sophos, Trend, Kasperski and McAfee Anti
Virus Command
> Line Scanners to remove viruses, Trojans and various other malware.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in
Normal Mode.
> This way all the components can be downloaded from each AV vendor's web
site.
> The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files
or you can
> download the files and perform a scan in Normal Mode. Once you have
downloaded the files
> needed for each scanner you want to use, you should reboot the PC into
Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want
to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal
Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help
> file.
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to
go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>