[cdaarch]

Hi,

well, just when I decided everything was ok from the last WinFixer problem, Norton AntiVirus found the following:

Hacktool.Rootkit

residing in C\WINDOWS\system32\SVKP.sys

Deleted with TREND MICRO Anti-Spyware for the Web:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zone Map\Ranges\Range 1\

and WebPosition - C:\Program Files\Web Position 3\

Need help urgently.

Linda

Edited by cdaarch, 20 October 2005 - 08:53 AM.

[Advertisements]

Hi Linda,

The applications known as Download Accelerator Plus (DAP.EXE) and AquaMark Benchmark (AQUAMARK.EXE) are known to trigger this incorrect identification.

Are any of these applications on this machine?

[g2i2r4]

Hi Linda,

The applications known as Download Accelerator Plus (DAP.EXE) and AquaMark Benchmark (AQUAMARK.EXE) are known to trigger this incorrect identification.

Are any of these applications on this machine?

[g2i2r4]

Also:

The presence of SVKP.SYS does not necessarily mean that this trojan is installed. SVKP.SYS is part of SVK Protector, which this trojan is packed with. SVK Protector is used in innocent programs as well.

Let me know if that's on the computer. If not, we will look into a rootkit infection.

Edited by g2i2r4, 20 October 2005 - 01:39 PM.

[cdaarch]

Hi,

I had Download Accelerator installed when I got the last infection and uninstalled it when trying to find programs that may have been spyware; I am not familiar with the other program and never had it installed on my computer.

I found the SVKP.sys in the C:\WINDOWS\System32\ folder as was indicated by Norton Antivirus.

Thanks,
Linda

[g2i2r4]

Norton may warn you on a script trying to run. Please allow the entire script to run.

***

Download AIMfix. Double-click it and let it run.

***

Please download LQfix.exe and save it to your desktop.

• Double-Click LQfix.exe and click Next > Next > Install.
• Leave the default settings, if you change them, the fix will Fail!
• Now make sure the "Launch LQfix" box is checked.
• Click the Finish button, after clicking the Finish button the fix will start.
• Follow the on-screen prompts.
• Your system will now reboot afterwards.
• Please be patient after the reboot, there is a script running in the background that needs to complete.

***

Reboot the computer.

Let me know what Panda thinks now.

[cdaarch]

Hi,

I let the AIMfix run though it seems to have found nothing; I installed the LQfix.exe, everything happened as you said, the computer re-booted.

I am not sure what 'Panda' is; are you talking about LQfix.exe?

I did a Norton Anti-Virus scan which brought up the Hacktool.Rootkit as present but I was able to choose quarantine which I did (and was anot able to do previously) and another scan (by Norton) resulted in no notice of infection.

Does this tell me that everything is ok? Just need to know what you meant by 'Panda'.

Regards

[g2i2r4]

Sorry for that, I thought I mentioned it in this topic before.

Run the Free use Panda Active Scan
use the free use active scan link in the right hand corner.
You need to use Internet Explorer for this scan.

• Click on Check Now!
• A new window will appear; fill in the boxes (Country, State, email addy)
• Click on Scan Now! >
  If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
• From "Select a device to scan...", choose "My Computer"
• Allow the scan to run. It'll take a while.
• When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
• I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here.

[g2i2r4]

Linda, can you do this one too?

Trend-Micro Housecall Scan

• Please go HERE to run Housecall.
• Note: you must use Internet Explorer, other browsers will not work.
• Under "Scan your PC", please click Scan now. It's free!
• Select your location and click the Go button.
• Click the red magnifying glass button.
• Select Complete Scan.
• Please be patient while Housecall downloads.
• Please allow the ActiveX Control and when prompted click install
• Put a check next to My Computer
• Leave the following checked:
  • Scan for Spyware
    Check security vulnerabilities
• Click the Next button.
• It will download the latest scan engine and pattern files.
• When the definitions have been downloaded, the scan will start.
• After it's done scanning it will take you to the summary page.
• Click the Next button.
• Click the drop-down to choose delete or remove on each bad guy found, if you receive a prompt click OK.
• Click the Next button to move onto the recovery (final) portion of the scan.
• After everything has been removed, please click the show button on everything.
• Highlight all the of text and press CTRL + C to copy the text.
• Please post the contents into your next reply.

[cdaarch]

Hi,

here are the results; oh, and I believe Panda was mentioned by you in my last post regarding a different infection (I seem to remember); got a sieve brain here.


TREND MICRO RESULTS

Virus Scan 0 virus cleaned, 0 virus deleted


Results:
We have detected 0 infected file(s) with 0 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken




Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed: - 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken




Spyware Check 5 spyware programs removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 5 spyware(s) on your computer. Only 0 out of 0 spywares are displayed: - 0 spyware(s) passed, 0 spyware(s) no action available
- 5 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
COOKIE_45 Cookie Removal successful
COOKIE_1513 Cookie Removal successful
COOKIE_1619 Cookie Removal successful
COOKIE_2095 Cookie Removal successful
COOKIE_2513 Cookie Removal successful




Microsoft Vulnerability Check No vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 0 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.

ACTIVE SCAN RESULTS


Incident Status Location

Adware:adware/powerstrip No disinfected Windows Registry


----------------------------------------------------------------------------------------

Everything seems to be ok? let's hope this doesn't happen again; can you figure out why I am getting these so often? (apart from the fact I might be going to sites that cause these); is the question rather stupid? duh? chuckle

[g2i2r4]

Well, that looks good. Like you say, it might just be the sites you're visiting whistling.gif

Let's see if we can clean up that extra last bit.

• Open HijackThis
• Click on the configure button on the bottom right
• Click on the tab "Misc Tools"
• Click on the Box that says "Uninstall Manager"
• Click on the button "Save list"
• Copy and past the List from notepad into your post

[g2i2r4]

Linda, I've been doing some checking around. It looks like it's just a false positive by Norton.

[cdaarch]

Hi,

thanks for all your help.

I will do the last check that you sent me as soon as possible.

Regards,
Linda

[g2i2r4]

I'll be around somewhere.

[cdaarch]

Hi,

finally got around to this:

HIJACKTHIS UNINSTALL LIST 03-NOV-2005

Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 5.0
Adobe Acrobat 6.0.1 Standard
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Illustrator 10.0.3
Adobe Photoshop 7.0.1
Adobe SVG Viewer 3.0
Ahead InCD
AMD Athlon 64 Processor Driver
ATI - Software Uninstall Utility
AutoCAD 2004
Autodesk Express Viewer
CC_ccStart
ccCommon
CleanUp!
Cloudmark SafetyBar 4.1
Creative MediaSource
Creative MediaSource CD-ROM Burner Plugin
CuteFTP Pro 3.0
EPSON Scan! II
EPSON TWAIN 5
ewido security suite
Free Download Manager 1.8
GIANT AntiSpyware
Google Toolbar for Internet Explorer
Group Mail
HijackThis 1.99.1
hp deskjet 9300 series
Java 2 Runtime Environment, SE v1.4.2_05
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
LQfix 2.1
Macromedia ColdFusion MX
Macromedia Dreamweaver MX
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Shockwave Player
Magic Workstation 0.94e
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
MM-Exporter 2.0
Mozilla Firefox (1.0.7)
MSN Messenger 7.0
MSN Music Assistant
MSRedist
MTG GamePack for Magic Workstation
Nero OEM
NeroVision Express
Norton AntiVirus 2004 Professional
Norton AntiVirus 2004 Professional (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
NVIDIA Drivers
Panda ActiveScan
PowerDVD
PowerStrip 3 (remove only)
QuickTime
RealPlayer
SafeCast Shared Components
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
SpeechRedist
Spybot - Search & Destroy 1.4
Symantec Script Blocking Installer
SymNet
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Ventrilo
VIA Platform Device Manager
Viewpoint Manager (Remove Only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
Yahoo! Companion

Let me know whether everything looks ok and thanks again.

[g2i2r4]

You can remove the LQfix 2.1. Other than that I don't see anything that needs removing.

Guess you're clean to go.

Shall I post you the tips for the future and close the topic?