Re: hacktool.rootkit
From: Panda_man (Pandaman_at_discussions.microsoft.com)
Date: 10/21/05
- Next message: Ian Kenefick: "Re: Boot Malmo on my USB Mem!! Help"
- Previous message: Shawn E. Hale: "Re: hacktool.rootkit"
- In reply to: Shawn E. Hale: "Re: hacktool.rootkit"
- Next in thread: Scherbina Vladimir: "Re: hacktool.rootkit"
Date: Fri, 21 Oct 2005 11:51:10 -0700
Yeah, I think you have it beaten!
My congratulations!!!
Panda_man
"Shawn E. Hale" wrote:
> Thanks to you guys who replied with a wealth of advice and information. I
> appreciate that and the patience you have taken.
>
> There is a lot to work through but so far, in addition to what I already
> listed, I did the things that were suggested in the Symantec site (re: safe
> mode virus scanning, registry entry purging, etc.). I also ran the Panda
> and Trend Micro online scans, safe mode virus scanning, system restore
> purging and turning back on, deleting temp files, and checking the
> downloaded applications folder. I also checked the running services and if
> I could not identify something, I googled it to see what it was. Everything
> was clean with no infected files and no bad services. I am leaning towards
> believing that I had initially wiped it out and the latest Symantec
> definitions caught an orphan. I was able to find a list of what was in the
> Symantec definitions that were downloaded on 10/19 and there was a piece
> that looked for the SVKP.sys file. Since I am not having any other slow
> downs and issues, I think I have it beat. I will get to Mr. Lipman's advice
> this weekend.
>
> Thanks again.
>
>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:uDFBPBc1FHA.2792@tk2msftngp13.phx.gbl...
> > From: "Shawn E. Hale" <SEHale@NOSPAMcomcast.net>
> >
> > | I am trying to be as detailed about this as I can. Sorry if it is too long
> > | but I figure more info is better than less. Using a new Dell laptop with XP
> > | Home, SP2 and all updates. Norton Antivirus 2005 installed and set for
> > | automatic updates. It is also set for real time (constant) scanning.
> > |
> > | 2 weeks ago (10/3/05) my daughter was using AOL IM when someone
> > | inadvertently sent her a link which she followed and ran. Immediately all
> > | of her other buddies on IM got the same link from her even though she didn't
> > | manually forward it. Sensing something was wrong, she disconnected from the
> > | IM. Norton Antivirus reported the following:
> > |
> > | Auto-Protect, Hacktool.rootkit, Access Denied. Source:
> > | c:\windows\system32\msdirectx.sys
> > | Auto-Protect, Hacktool.rootkit, Repair failed. Source:
> > | c:\windows\system32\msdirectx.sys
> > |
> > | I did some research and deleted all references in the registry, and all
> > | files relative to, lock1.exe, xz.bat, and msdirectx.sys (although that
> > | particular file was not found). I found a lock1 exception added to my
> > | Windows firewall so I removed that. I rebooted several times, ran various
> > | online virus scanners and Norton antivirus numerous times and all seemed to
> > | be fine. No error messages, no computer slowdowns, no vulnerabilities
> > | according to Shields Up!. Nothing odd looking in the MSCONFIG startup.
> > |
> > | Yesterday, 10/19/05, Norton Antivirus downloaded the latest definitions and
> > | I came home to find this pop-up warning from Norton (no one had been on the
> > | computer all day and it was fine when I left in the morning):
> > |
> > | Virus scanner, Hacktool.rootkit, Quarantined file, Virus Source:
> > | C:\windows\system32\svkp.sys. (A related registry key was also removed).
> > | The virus definitions date that found this problem was 10/19/05.
> > |
> > | I did some more research and found that SVKP.sys may be a legitimate file,
> > | or it may not (depending on the source). There were registry entries for
> > | Legacy_SVKP which I deleted. Rebooted several times, ran Norton full virus
> > | scan a few times, no problems or error messages.
> > |
> > | Here are my questions/concerns:
> > |
> > | In the original Norton message about msdirectx, what does it actually mean
> > | "repair failed" and "access denied." Is that a good thing that Norton
> > | stopped it or is it a bad thing that Norton didn't catch it in time?
> > |
> > | Would I be correct in assuming that the new virus definitions downloaded on
> > | 10/19 simply found a remnant of the original hacktool.rootkit and scrubbed
> > | it out OR is this thing still in my system and somehow regenerating itself?
> > |
> > | If it is regenerating itself, should I really be too concerned or is it more
> > | of an annoyance? We have the XP firewall running and WEP encryption on our
> > | home wifi network.
> > |
> > | I don't want to go thru the process of re-formatting and re-installing if I
> > | don't have to. I guess I am looking for confirmation of my suspicion that
> > | the new anti-virus definitions took out a remnant/orphan of the original
> > | problem and that since I am having no other problems (before or now after),
> > | I am OK. Am I just wishful thinking?
> > |
> > | Thanks for any advice.
> > |
> >
> > Shawn:
> >
> > Please execute; %SystemRoot%\system32\services.msc
> >
> > Then examine *all* services. Look for NON Microsoft services with oddball
> > names. Let's say that you find a service called; meaoi
> >
> > Use the Resource Kit utility, DELSRV.EXE, and execute; delsrv meaoi
> > Reboot and then scan the system using the following Multi AV scanning tool.
> >
> > I posted the DELSRV.EXE utility in a ZIP file...
> >
> > Post Subject: DELSRV for Hacktool.Rootkit
> > Posted in: alt.binaries.comp.virus
> >
> >
> > Download MULTI_AV.EXE from the URL --
> > http://www.ik-cs.com/programs/virtools/Multi_AV.exe
> >
> > It is a self-extracting ZIP file that contains the Kixtart Script
> > Interpreter { http://kixtart.org Kixtart is CareWare }, 4 batch files,
> > 6 Kixtart scripts, one Link (.LNK) file, a PDF instruction file and two
> > utilities; UNZIP.EXE and WGET.EXE. It will simplify the process of using;
> > Sophos, Trend, Kaspersky and McAfee Anti Virus Command Line Scanners to
> > remove viruses, Trojans and various other malware.
> >
> > C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> > This will bring up the initial menu of choices and should be executed in
> > Normal Mode. This way all the components can be downloaded from each AV
> > vendor's web site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit
> > this menu and Reboot the PC.
> >
> > You can choose to go to each menu item and just download the needed files
> > or you can download the files and perform a scan in Normal Mode. Once you
> > have downloaded the files needed for each scanner you want to use, you
> > should reboot the PC into Safe Mode [F8 key during boot] and re-run the
> > menu again and choose which scanner you want to run in Safe Mode. It is
> > suggested to run the scanners in both Safe Mode and Normal Mode.
> >
> > When the menu is displayed hitting 'H' or 'h' will bring up a more
> > comprehensive PDF help file.
> >
> > To use this utility, perform the following...
> > Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> > Choose; Unzip
> > Choose; Close
> >
> > Execute; C:\AV-CLS\StartMenu.BAT
> > { or Double-click on 'Start Menu' in C:\AV-CLS }
> >
> > NOTE: You may have to disable your software FireWall or allow WGET.EXE to
> > go through your FireWall to allow it to download the needed AV vendor
> > related files.
> >
> > * * * Please report back your results * * *
> >
> >
> > --
> > Dave
> > http://www.claymania.com/removal-trojan-adware.html
> > http://www.ik-cs.com/got-a-virus.htm
> >
> >
>
>
>
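Dave's advice (open services.msc, look for non-Microsoft services with oddball names, remove them with delsrv) and the Legacy_SVKP entry Shawn found can both be checked mechanically. The PowerShell script below is an added example; it is not code from this thread, from Norton, or from Dave's Multi_AV tool. It assumes a Windows host with PowerShell 3 or later (for Get-CimInstance), an elevated prompt, and that a signer subject containing "O=Microsoft Corporation" can be treated as Microsoft, which is a heuristic. It lists every service and kernel driver whose image file is missing (an orphaned registration like the one discussed), is unsigned, or is signed by a third party, follows svchost-hosted services through to their ServiceDll, and separately lists Enum\Root\LEGACY_* keys whose service key no longer exists. It deletes nothing.

```powershell
# Added example, not from the thread or from the Multi_AV tool. Assumes
# PowerShell 3+ on Windows, run from an elevated prompt. Read-only.

function Resolve-ImagePath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Strip the NT "\??\" prefix, quotes and any arguments after the binary.
    $p = $PathName -replace '^\\\?\?\\', ''
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.(?:exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    # Driver paths are often given relative to the Windows directory.
    if ($p -match '^\\SystemRoot\\(.+)$') { return Join-Path $env:SystemRoot $Matches[1] }
    if (-not [IO.Path]::IsPathRooted($p)) { return Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ServiceDllPath {
    param([string]$Name)
    # svchost-hosted services: the code that actually runs is Parameters\ServiceDll,
    # so checking svchost.exe itself would always come back "Microsoft".
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { return Resolve-ImagePath $dll }
    return $null
}

function Get-SignerClass {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }   # orphaned registration
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "UNSIGNED ($($sig.Status))" }
    $subject = $sig.SignerCertificate.Subject
    # Heuristic (assumption): WHQL-signed third-party drivers carry this CN.
    if ($subject -like 'CN=Microsoft Windows Hardware Compatibility Publisher*') { return 'WHQL' }
    if ($subject -like '*O=Microsoft Corporation*') { return 'Microsoft' }
    return "ThirdParty ($subject)"
}

function Get-ServiceTriage {
    $entries = @(Get-CimInstance -ClassName Win32_SystemDriver) +
               @(Get-CimInstance -ClassName Win32_Service)
    foreach ($e in $entries) {
        $image  = Resolve-ImagePath $e.PathName
        $target = $image
        if ($image -and (Split-Path $image -Leaf) -ieq 'svchost.exe') {
            $dll = Get-ServiceDllPath $e.Name
            if ($dll) { $target = $dll }
        }
        [pscustomobject]@{
            Kind      = if ($e.CimClass.CimClassName -eq 'Win32_SystemDriver') { 'Driver' } else { 'Service' }
            Name      = $e.Name
            State     = $e.State
            StartMode = $e.StartMode
            Image     = $target
            Signer    = if ($target) { Get-SignerClass $target } else { 'NO PATH' }
        }
    }
}

function Get-OrphanLegacyKeys {
    # XP-era systems record each loaded legacy driver under Enum\Root\LEGACY_<NAME>
    # (the Legacy_SVKP key in the thread). An entry whose Services\<NAME> key is
    # gone is a leftover of something that once loaded. May be empty on current Windows.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'LEGACY_*' } |
        ForEach-Object {
            $svc = $_.PSChildName.Substring(7)
            [pscustomobject]@{
                LegacyKey        = $_.PSChildName
                ServiceName      = $svc
                ServiceKeyExists = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
            }
        } |
        Where-Object { -not $_.ServiceKeyExists }
}

# Everything not plainly Microsoft-signed is the list to eyeball (and google),
# as Dave suggests; MISSING entries are the kind of orphan Shawn was asking about.
Get-ServiceTriage | Where-Object { $_.Signer -ne 'Microsoft' } |
    Sort-Object Kind, Name | Format-Table -AutoSize
Get-OrphanLegacyKeys | Format-Table -AutoSize
```

Once an entry is confirmed rogue, `sc.exe stop <name>` followed by `sc.exe delete <name>` does what the Resource Kit's delsrv does, after which reboot and scan as Dave describes. Treat the signature column as a screen rather than proof: on a 32-bit XP-era machine an unsigned .sys from legitimate third-party software is common, whereas on 64-bit Windows the kernel refuses unsigned drivers, so an unsigned loaded driver there is notable in itself. A rootkit that is still active can also hide its own service from enumeration, so a clean listing from the running system is weaker evidence than a clean scan from Safe Mode or offline media.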