Re: Hacktool.Rootkit ??



'DBLWizard' wrote:
| Thanks for pointing out things that I did forget to include in my
| initial post ...
|
| Windows Server 2003 Service Pack 1
| Norton AntiVirus Corp Edition 7.60.962
| Virus Definition File: Version 5/31/2007 rev. 19
|
| This server is connected to the internet behind a Linksys Wireless G
| Router with ports 21, 80 forwarded to it.
|
| But you are still being obscure. What issues do you seem to think that I
| have with the way that Norton operates? Are you telling me that these
| entries in the History are normal and to be expected?
_____

I assure you I am not trying to be obscure, nor to insult you.

Symantec, the publisher, is not very forthcoming about problems with its
products, but there can be installation and operational errors NOT caused by
malware. (The log you posted and the behavior you describe seem much more
likely to be an operational problem than the result of active infection.)

From the additional information you provided, it seems that you have an old
version of Symantec Corporate Antivirus. The current version is 10.2.
There is a patch for your version 7.60.962 to raise the version to 7.61.
There may be additional patches, but Symantec for all practical purposes no
longer offers much support for version 7.xx other than options for
purchasing an upgrade.

By all means use the tool 'David H. Lipman' provides to ensure your system
is free of malware, but Symantec would probably like to see the color of
your money to fix the log behavior.

Phil Weldon


"DBLWizard" <ibflyfishin@xxxxxxxxx> wrote in message
news:1180707227.018332.217450@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| Thanks for pointing out things that I did forget to include in my
| initial post ...
|
| Windows Server 2003 Service Pack 1
| Norton AntiVirus Corp Edition 7.60.962
| Virus Definition File: Version 5/31/2007 rev. 19
|
| This server is connected to the internet behind a Linksys Wireless G
| Router with ports 21, 80 forwarded to it.
|
| But you are still being obscure. What issues do you seem to think that I
| have with the way that Norton operates? Are you telling me that these
| entries in the History are normal and to be expected?
|
| Thanks
|
| dbl
|
| On Jun 1, 2:04 am, "Phil Weldon" <not.disclo...@xxxxxxxxxxx> wrote:
| > 'DBLWizard' wrote, in part:
| > | Phil, Do you spend time on these groups just to try and insult people
| > | or is there a purpose to your ramblings.
| > _____
| >
| > Gee, what was not instructive in my post?
| > I thought it was pretty straightforward.
| >
| > I am glad you have decided to download and use the script and collection of
| > antimalware scanners 'David H. Lipman' posted, but issues you have with the
| > operating characteristics of Norton AntiVirus are best resolved with the
| > publisher; I suggest you try 'Live Chat' available through
| > http://www.symantec.com/home_homeoffice/support/selectproduct_ts.jsp.
| >
| > You posted a request for help; the more work you do yourself before posting
| > the easier it will be for a newsgroup participant to help.
| > An example of additional useful information you might have posted would be
| > the VERSION of Norton Antivirus and the update state, and perhaps the
| > Operating System used on the 'development server' and its interconnectivity.
| >
| > Phil Weldon
| >
| > "DBLWizard" <ibflyfis...@xxxxxxxxx> wrote in message
| >
| > news:1180675534.783286.297370@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| > | Phil, Do you spend time on these groups just to try and insult people
| > | or is there a purpose to your ramblings.
| > |
| > | I concluded that I "Might" have the Hacktool.Rootkit because that is
| > | what I got from Symantec's website when I did a search of their virus
| > | database.
| > |
| > | I posted the complete list because I thought it might be important ...
| > | figured that those that knew enough about these things could ignore
| > | what wasn't important.
| > |
| > | And as for reading the manual ... what manual ... I did look through
| > | the help files and could find no reason why I would have all these
| > | entries show up in my "Virus History" especially at the same time
| > | every night and none of the files that it says it "left alone" could
| > | be found anywhere on the system.
| > |
| > | If I'm ignorant then forgive me and educate me. If you have nothing
| > | instructive to say then shut up and sit down.
| > |
| > | dbl
| > |
| > | On May 31, 9:03 pm, "Phil Weldon" <not.disclo...@xxxxxxxxxxx> wrote:
| > | > 'DBLWizard' wrote, in part:
| > | > | I am looking for a little help here. I think one of my Development
| > | > | servers is infected with Rootkit possibly called Hacktool.Rootkit.
| > | > | The reason I say this is I have Norton Antivirus Corp Edition
| > | > | installed and every night @ 12:03 for 2 minutes or if I do a "Scan
| > | > | Computer" I get the following entries in the log but no prompts or
| > | > | anything.
| > | > |
| > | > | Is there any way to actually remove this or do I just need to rebuild
| > | > | this system?
| > | > |
| > | > | Here are the entries in the log:
| > | > .
| > | > .
| > | > 5/31/2007 14:59 regger.exe Hacktool File Left alone REVELATIONS SYSTEM C:\WINDOWS\system32\ Infected C:\WINDOWS\system32\ Clean virus from file Leave alone (log only) Manual scan
| > | > .
| > | > .
| > | > _____
| > | >
| > | > Was it really necessary to post ALL the duplicate Swen worm log entries?
| > | > That worm hasn't been active for four years. As for your concern about
| > | > 'Hacktool.Rootkit', the log you posted does not include that finding; what
| > | > Symantec identifies as 'Hacktool' is NOT the same as 'Hacktool.Rootkit', and
| > | > is not viral. Symantec identifies 'Hacktool' as generic for tools that can
| > | > be used to attack OTHER systems.
| > | >
| > | > You now have the 'sour milk' problem. Since the question has been raised of
| > | > possible infection, by all means follow the suggestions posted by 'David H.
| > | > Lipman'. And you might want to contact Symantec also (and possibly read the
| > | > manual.)
| > | >
| > | > Phil Weldon
| > | >
| > | > "DBLWizard" <ibflyfis...@xxxxxxxxx> wrote in message
| > | >
| > | > news:1180646048.620294.106330@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| > | > | Howdy,
| > | > |
| > | > | I am looking for a little help here. I think one of my Development
| > | > | servers is infected with Rootkit possibly called Hacktool.Rootkit.
| > | > | The reason I say this is I have Norton Antivirus Corp Edition
| > | > | installed and every night @ 12:03 for 2 minutes or if I do a "Scan
| > | > | Computer" I get the following entries in the log but no prompts or
| > | > | anything.
| > | > |
| > | > | Is there any way to actually remove this or do I just need to rebuild
| > | > | this system?
| > | > |
| > | > | Here are the entries in the log:
| > | > |
| > | > | Date Filename Virus Name Virus Type Action Taken Computer User Original Location Status Current Location Primary Action Secondary Action Scan Type
| > | > | 5/31/2007 14:59 tmp.edb IRC.Family.Gen File Left alone REVELATIONS SYSTEM C:\WINDOWS\SoftwareDistribution\DataStore\Logs\ Infected C:\WINDOWS\SoftwareDistribution\DataStore\Logs\ Clean virus from file Leave alone (log only) Manual scan
| > | > | 5/31/2007 14:59 pack1771.exe W32.Swen.A@mm File Left alone REVELATIONS SYSTEM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ActiveSync\ Infected C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ActiveSync\ Clean virus from file Leave alone (log only) Manual scan
| > | >
| > | > <additional W32.Swen.A@mm snipped as redundant>
| > | >
| > | > 5/31/2007 14:59 regger.exe Hacktool File Left alone REVELATIONS SYSTEM C:\WINDOWS\system32\ Infected C:\WINDOWS\system32\ Clean virus from file Leave alone (log only) Manual scan
| > | > 5/31/2007 14:59 pack1771.exe W32.Swen.A@mm File Left alone REVELATIONS SYSTEM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ActiveSync\ Infected C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ActiveSync\ Clean virus from file Leave alone (log only) Manual scan
| > | > 5/31/2007 14:59 pack1771.exe W32.Swen.A@mm File Left alone REVELATIONS SYSTEM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ActiveSync\ Infected C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ActiveSync\ Clean virus from file Leave alone (log only) Manual scan
| > | > 5/31/2007 14:59 mspool.exe Backdoor.Usirf File Left alone REVELATIONS SYSTEM C:\WINDOWS\system32\ Infected C:\WINDOWS\system32\ Clean virus from file Leave alone (log only) Manual scan
| > | >
| > | > <additional W32.Swen.A@mm snipped as redundant>
| > | >
| > | > | 5/31/2007 14:58 MSOffExport[1].exe Trojan Horse File Left alone REVELATIONS SYSTEM P:\CDrive\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\O9AVGDQZ\ Infected P:\CDrive\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\O9AVGDQZ\ Clean virus from file Leave alone (log only) Manual scan
| > | > | 5/31/2007 14:58 MSOffExport[1].exe Trojan Horse File Left alone REVELATIONS SYSTEM P:\CDrive\Documents and Settings\ASPNET\Local Settings\Temporary Internet Files\Content.IE5\O9AVGDQZ\ Infected P:\CDrive\Documents and Settings\ASPNET\Local Settings\Temporary Internet Files\Content.IE5\O9AVGDQZ\ Clean virus from file Leave alone (log only) Manual scan
| > | > | 5/31/2007 14:58 MSOffExport[1].exe Trojan Horse File Left alone REVELATIONS SYSTEM P:\CDrive\Documents and Settings\sshadmin\Local Settings\Temporary Internet Files\Content.IE5\O9AVGDQZ\ Infected P:\CDrive\Documents and Settings\sshadmin\Local Settings\Temporary Internet Files\Content.IE5\O9AVGDQZ\ Clean virus from file Leave alone (log only) Manual scan
| > | > | 5/31/2007 14:58 pack1771.exe W32.Swen.A@mm File Left alone REVELATIONS SYSTEM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ActiveSync\ Infected C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ActiveSync\ Clean virus from file Leave alone (log only) Manual scan
| > | >
| > | > <additional W32.SWEN.A@mm entries snipped as redundant>
| > |
| > |
|
|



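The thread turns on one practical question: are the nightly "Left alone (log only)" entries stale records of files that are no longer on the box, or live files in C:\WINDOWS\system32\? The script below is an added example written for this page, not code from the thread, from Symantec or from the tools the posters mention. It assumes the Virus History export is tab-separated with the 13 columns in the header line DBLWizard pasted; the records it embeds are constructed to mirror the posted entries. It collapses repeated detections per path, buckets each path by where it sits (a heuristic of mine, not a Symantec classification: a P:\CDrive\... path reads like a copy of another machine's C: drive, a Content.IE5 path is browser cache, and so on), and checks whether each file still exists, so a file that is genuinely present under system32 sorts to the top and repeated ghosts of missing files sort to the bottom. The `exists` argument is injectable so the same summary can be produced off the server from an exported log.

```python
"""Triage a Norton/Symantec AntiVirus Corporate Edition 'Virus History' export.

Added example for this thread, not Symantec code. Assumptions: the export is
tab-separated with the 13 columns in the poster's header line, and the sample
records below are constructed to mirror the entries quoted in the thread.
"""
import csv
import io
import os
from collections import defaultdict

# Column order taken from the header line the poster pasted.
COLUMNS = ["date", "filename", "virus_name", "virus_type", "action_taken",
           "computer", "user", "original_location", "status",
           "current_location", "primary_action", "secondary_action",
           "scan_type"]

# Directories that appear in the posted log (normal strings: a raw string
# cannot end in a backslash).
SYS32 = "C:\\WINDOWS\\system32\\"
WU_LOGS = "C:\\WINDOWS\\SoftwareDistribution\\DataStore\\Logs\\"
TEMP = "C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\ActiveSync\\"
CACHE = ("P:\\CDrive\\Documents and Settings\\ASPNET\\Local Settings\\"
         "Temporary Internet Files\\Content.IE5\\O9AVGDQZ\\")


def _rec(date, fname, virus, loc):
    """Build one constructed 'Left alone (log only)' record in export layout."""
    return "\t".join([date, fname, virus, "File", "Left alone", "REVELATIONS",
                      "SYSTEM", loc, "Infected", loc, "Clean virus from file",
                      "Leave alone (log only)", "Manual scan"])


# Constructed sample export mirroring the thread's entries (not a real capture).
SAMPLE_EXPORT = "\n".join([
    "Date\tFilename\tVirus Name\tVirus Type\tAction Taken\tComputer\tUser\t"
    "Original Location\tStatus\tCurrent Location\tPrimary Action\t"
    "Secondary Action\tScan Type",
    _rec("5/31/2007 14:59", "tmp.edb", "IRC.Family.Gen", WU_LOGS),
    _rec("5/31/2007 14:59", "pack1771.exe", "W32.Swen.A@mm", TEMP),
    _rec("5/31/2007 14:59", "regger.exe", "Hacktool", SYS32),
    _rec("5/31/2007 14:59", "pack1771.exe", "W32.Swen.A@mm", TEMP),
    _rec("5/31/2007 14:59", "mspool.exe", "Backdoor.Usirf", SYS32),
    _rec("5/31/2007 14:58", "MSOffExport[1].exe", "Trojan Horse", CACHE),
    _rec("5/31/2007 14:58", "pack1771.exe", "W32.Swen.A@mm", TEMP),
])


def parse_history(text):
    """Parse the tab-separated export into dicts keyed by COLUMNS."""
    rows = []
    for fields in csv.reader(io.StringIO(text), delimiter="\t"):
        if not fields or fields[0] == "Date":
            continue  # blank line or the column-header line
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns: {fields!r}")
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def classify_location(path):
    """Heuristic bucket for where a detection sits (my assumption, not Symantec's)."""
    p = path.upper()
    if not p.startswith("C:\\"):
        return "copied-drive"   # e.g. P:\CDrive\... reads like a copy of another C:
    if "\\TEMPORARY INTERNET FILES\\" in p:
        return "browser-cache"
    if "\\TEMP\\" in p:
        return "temp"
    if p.startswith("C:\\WINDOWS\\"):
        return "live-os"
    return "other"


def summarize(rows, exists=os.path.exists):
    """Collapse repeats per full path and note whether the file is still present.

    'exists' is injectable so the summary can be computed from an exported log
    on another machine, or under test."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["original_location"] + r["filename"]].append(r)
    out = []
    for path, hits in groups.items():
        out.append({
            "path": path,
            "hits": len(hits),
            "names": sorted({h["virus_name"] for h in hits}),
            "bucket": classify_location(path),
            "left_alone": all(h["action_taken"] == "Left alone" for h in hits),
            "on_disk": exists(path),
        })
    # Files still present in live OS paths first; repeated ghosts of missing files last.
    rank = {"live-os": 0, "temp": 1, "other": 2, "browser-cache": 3, "copied-drive": 4}
    out.sort(key=lambda e: (not e["on_disk"], rank[e["bucket"]], -e["hits"]))
    return out


if __name__ == "__main__":
    for e in summarize(parse_history(SAMPLE_EXPORT)):
        flag = "PRESENT" if e["on_disk"] else "missing"
        print(f"{flag:7} x{e['hits']} {e['bucket']:13} {','.join(e['names'])}  {e['path']}")
```

Run it on the real export (replace SAMPLE_EXPORT with the file contents) on the server itself, where `os.path.exists` sees the live filesystem. Anything that reports PRESENT under a live-os path deserves a second opinion from the independent scanners mentioned in the thread; the rows that repeat every night with the same timestamp and no file on disk are the pattern the poster described and are consistent with a logging problem rather than a live infection.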