Re: hacktool.rootkit HELP

From: Phil Weldon (notdiscosed_at_example.com)
Date: 10/22/05
Date: Sat, 22 Oct 2005 18:25:44 GMT

'Shawn E. Hale' wrote:
| Thanks for the advice. Not to beat this AOL IM thing to death, but the
| link was from someone she knew. I (and she) thought we were safe by never
| clicking on an "install" or "run" option but we have both been educated
| now that sometimes no matter what you click, you may be doomed or, worse
| yet, by just simply following a link, problems may be encountered. The
| best advice re: this is restricting the kids' user privileges which I am
| working on. Meanwhile, we have all learned a valuable lesson
_____

A better malware solution than restricting user privileges is to work with
children to understand the risks of the internet so they learn enough about
security to maintain the systems better than their parents do.

The lesson is not learned once, but over and over. Malware is an active
threat, growing and changing, that feeds on oversights and vulnerabilities
built into operating systems and applications, gullibility, greed, and
loneliness. The 'pigeon drop' and 'Publisher's Clearinghouse' in a new
medium.

Phil Weldon

"Shawn E. Hale" <SEHaleNOSPAM1@comcast.net> wrote in message
news:eYWHTGy1FHA.908@tk2msftngp13.phx.gbl...
| Thanks for the advice. Not to beat this AOL IM thing to death, but the
| link was from someone she knew. I (and she) thought we were safe by never
| clicking on an "install" or "run" option but we have both been educated
| now that sometimes no matter what you click, you may be doomed or, worse
| yet, by just simply following a link, problems may be encountered. The
| best advice re: this is restricting the kids' user privileges which I am
| working on. Meanwhile, we have all learned a valuable lesson.
|
|
| "Stephen V." <MBPsupport00@comcast.net> wrote in message
| news:435A52F5.7030709@comcast.net...
| > Shawn E. Hale wrote:
| >> I am trying to be as detailed about this as I can. Sorry if it is too
| >> long but I figure more info is better than less. Using a new Dell laptop
| >> with XP Home, SP2 and all updates. Norton Antivirus 2005 installed and
| >> set for automatic updates. It is also set for real time (constant)
| >> scanning.
| >>
| >> 2 weeks ago (10/3/05) my daughter was using AOL IM when someone
| >> inadvertently sent her a link which she followed and ran. Immediately
| >> all of her other buddies on IM got the same link from her even though
| >> she didn't manually forward it. Sensing something was wrong, she
| >> disconnected from the IM. Norton Antivirus reported the following:
| >>
| >> Auto-Protect, Hacktool.rootkit, Access Denied. Source:
| >> c:\windows\system32\msdirectx.sys
| >> Auto-Protect, Hacktool.rootkit, Repair failed. Source:
| >> c:\windows\system32\msdirectx.sys
| >>
| >> I did some research and deleted all references in the registry, and all
| >> files relative to, lock1.exe, xz.bat, and msdirectx.sys (although that
| >> particular file was not found). I found a lock1 exception added to my
| >> Windows firewall so I removed that. I rebooted several times, ran
| >> various online virus scanners and Norton antivirus numerous times and
| >> all seemed to be fine. No error messages, no computer slowdowns, no
| >> vulnerabilities according to Shields Up!. Nothing odd looking in the
| >> MSCONFIG startup.
| >>
| >> Yesterday, 10/19/05, Norton Antivirus downloaded the latest definitions
| >> and I came home to find this pop-up warning from Norton (no one had been
| >> on the computer all day and it was fine when I left in the morning):
| >>
| >> Virus scanner, Hacktool.rootkit, Quarantined file, Virus Source:
| >> C:\windows\system32\svkp.sys. (A related registry key was also
| >> removed). The virus definitions date that found this problem was
| >> 10/19/05.
| >>
| >> I did some more research and found that SVKP.sys may be a legitimate
| >> file, or it may not (depending on the source). There were registry
| >> entries for Legacy_SVKP which I deleted. Rebooted several times, ran
| >> Norton full virus scan a few times, no problems or error messages.
| >>
| >> Here are my questions/concerns:
| >>
| >> In the original Norton message about msdirectx, what does it actually
| >> mean "repair failed" and "access denied." Is that a good thing that
| >> Norton stopped it or is it a bad thing that Norton didn't catch it in
| >> time?
| >>
| >> Would I be correct in assuming that the new virus definitions
| >> downloaded on 10/19 simply found a remnant of the original
| >> hacktool.rootkit and scrubbed it out OR is this thing still in my system
| >> and somehow regenerating itself?
| >>
| >> If it is regenerating itself, should I really be too concerned or is it
| >> more of an annoyance? We have the XP firewall running and WEP encryption
| >> on our home wifi network.
| >>
| >> I don't want to go thru the process of re-formatting and re-installing
| >> if I don't have to. I guess I am looking for confirmation of my
| >> suspicion that the new anti-virus definitions took out a remnant/orphan
| >> of the original problem and that since I am having no other problems
| >> (before or now after), I am OK. Am I just wishful thinking?
| >>
| >> Thanks for any advice.
| >>
| >>
| > My home job is to handle digital complaints such as virus threats and
| > security holes. Being so busy I didn't have time to read the other
| > people's responses. It seems that your computer is of high risk now.
| >
| > -Update Norton (You are screwed with Norton, [I and my group proved it
| > somewhat malicious and corrupt in 2003] because it doesn't detect all
| > virus threats.)
| >
| > -Temporarily free scan with AVG website www.grisoft.com or just disable
| > Norton and get AVG free. No problems with AVG, much more secure, and
| > better. Just a little less customer-support friendly.
| >
| > -Make sure you add restricted sites and actions in Internet Security. My
| > recommendation is to have your daughter NEVER accept IMs from people she
| > doesn't know. Although I don't enforce that rule, I know never to take
| > weird messages such as "hey check this link out we want ur opinion."
| >
| > If you need more information on the AVG problem, call me at my cell at
| > 630-370-0013. Thanks. Also check my services page on the website for
| > other digital services regarding security.
| >
| > -Stephen V.
|
|
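As an added check (not part of the thread), a PowerShell script that re-tests, after cleanup and a reboot, for the indicators Shawn names: the msdirectx.sys and svkp.sys driver files, lock1.exe and xz.bat, the SVKP service and its Legacy_SVKP entry, the Windows Firewall exception, and the Run autoruns that MSCONFIG lists. Running it once after each reboot answers the "is it regenerating itself" question directly. The System32 location for lock1.exe and xz.bat and all registry paths other than the Legacy_SVKP name are assumed standard XP locations, not quoted in the thread.

```powershell
# Added example, not from the thread: re-check the indicators named in the
# post after cleanup and reboot. Run from an administrator account. Items
# marked "assumed" are standard XP locations, not quoted in the thread.
$sys32 = Join-Path $env:SystemRoot 'System32'
$files = @(
    (Join-Path $sys32 'msdirectx.sys'),   # path quoted in the Norton alert
    (Join-Path $sys32 'svkp.sys'),        # path quoted in the Norton alert
    (Join-Path $sys32 'lock1.exe'),       # location assumed
    (Join-Path $sys32 'xz.bat')           # location assumed
)
$names    = @('msdirectx', 'SVKP', 'lock1', 'xz')
$pattern  = 'msdirectx|svkp|lock1|xz\.bat'
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'      # assumed
$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'     # assumed (LEGACY_* keys)
$fwList   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'  # assumed
$runKeys  = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')  # assumed

$findings = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file still present: $f" }
}
# A driver-based rootkit loads as a kernel service; XP also keeps a
# LEGACY_<name> key under Enum\Root, which is the Legacy_SVKP entry in the post.
foreach ($n in $names) {
    foreach ($k in @("$svcRoot\$n", "$enumRoot\LEGACY_$n")) {
        if (Test-Path -LiteralPath $k) { $findings += "registry key still present: $k" }
    }
}
# XP firewall exceptions are stored as values named after the program path.
if (Test-Path -LiteralPath $fwList) {
    foreach ($p in (Get-ItemProperty -LiteralPath $fwList).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and $p.Name -match $pattern) {
            $findings += "firewall exception: $($p.Name) = $($p.Value)"
        }
    }
}
# Run-key autoruns (what MSCONFIG's Startup tab shows) that point at the named files.
foreach ($rk in $runKeys) {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $rk).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $pattern) {
            $findings += "autorun: $rk\$($p.Name) = $($p.Value)"
        }
    }
}
if ($findings.Count -eq 0) { 'None of the named indicators found.' } else { $findings }
```

A file that Test-Path cannot see while a scanner still reports it is itself a finding, since hiding files and keys from user-mode tools is what a rootkit driver does; in that case boot from clean media before trusting any result.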