Windows Vista Tips


Ran Windows Update today and after it finished got a virus from it

 
 
Travis

 
      10-21-2005
At around 1:00 am I ran windows update on my home computer according to the
prompt from the toolbar. Nothing was unusual until after it finished
installing, when I was informed that Norton Antivirus had suddenly detected
Hacktool.Rootkit on my system.

Contained in C:\WINDOWS\system32\SVKP.sys, I was told that the repair failed
and access was denied. Norton tried again with the same result. Let me say
that my virus definitions are indeed up to date.

I was able to manually scan my system and tell it to quarantine the file.
What I'm concerned about is the description on Norton's site.

"Hacktool.Rootkit comprises a set of programs and scripts that work together
to allow attackers to break into a system. If Hacktool.Rootkit is detected on
a system, it is very likely that an attacker has gained complete control of
that system. All files that are detected as Hacktool.Rootkit should be
deleted. Infected systems may need to be restored from backups or patched to
restore security."

Sadly, I do not have backups on my computer.

What should I do?
 
 
 
 
 
Jupiter Jones [MVP]

 
      10-21-2005
Travis;
It is extremely unlikely you got this from Windows Update.
More likely, you already had it and something made it show itself.

Reboot to Safe Mode and scan for viruses:
Reboot tapping F8 each second.
Select Safe Mode at the menu.

Did you look here:
http://securityresponse.symantec.com...l.rootkit.html
But, it is recommended you wait until the issue is resolved before disabling
System Restore.
If you disable Windows during the repair, even an infected Restore Point may
be better than no Restore Point.
Then, once the computer is clean, disable System Restore to remove the
Restore Points with their corruption.

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar
http://www.dts-l.org


"Travis" <> wrote in message
news:0A5FCC5E-C61C-4B8F-8E8C-...
> At around 1:00 am I ran windows update on my home computer according to the
> prompt from the toolbar. Nothing was unusual until after it finished
> installing, when I was informed that Norton Antivirus had suddenly detected
> Hacktool.Rootkit on my system.
>
> Contained in C:\WINDOWS\system32\SVKP.sys, I was told that the repair failed
> and access was denied. Norton tried again with the same result. Let me say
> that my virus definitions are indeed up to date.
>
> I was able to manually scan my system and tell it to quarantine the file.
> What I'm concerned about is the description on Norton's site.
>
> "Hacktool.Rootkit comprises a set of programs and scripts that work together
> to allow attackers to break into a system. If Hacktool.Rootkit is detected on
> a system, it is very likely that an attacker has gained complete control of
> that system. All files that are detected as Hacktool.Rootkit should be
> deleted. Infected systems may need to be restored from backups or patched to
> restore security."
>
> Sadly, I do not have backups on my computer.
>
> What should I do?



 
 
Jeremy Pollard

 
      10-21-2005
Jupiter Jones [MVP] wrote:
> Travis;
> It is extremely unlikely you got this from Windows Update.
> More likely, you already had it and something made it show itself.
>
> Reboot to Safe Mode and scan for viruses:
> Reboot tapping F8 each second.
> Select Safe Mode at the menu.
>
> Did you look here:
> http://securityresponse.symantec.com...l.rootkit.html
> But, it is recommended you wait until the issue is resolved before disabling
> System Restore.
> If you disable Windows during the repair, even an infected Restore Point may
> be better than no Restore Point.
> Then, once the computer is clean, disable System Restore to remove the
> Restore Points with their corruption.
>


Standard antivirus software packages such as Norton and McAfee are
unable to find many types of rootkit, because of the way rootkits work.

Rootkit revealer works differently to these antivirus packages and is
much more likely to find this type of malware. It's freeware and is one
of the only tools that can detect the types of rootkits which standard
antivirus software cannot.

It may be worth running rootkit revealer before trying to fix the
problem, just to check whether your antivirus software has missed
anything. Here's the link:

http://www.sysinternals.com/Utilitie...tRevealer.html


 
 
Stu

 
      10-21-2005
Hi Travis,

Came on here looking for a solution to not being able to access the Windows
Update site but couldn't help noticing your post.

Thought it might be worth a mention but I had exactly the same problem with
NAV 2005 yesterday telling me it had detected Hacktool.Rootkit on my system -
presumably through the real time protection since I had not scanned. Only
difference was this happened immediately after I had updated to the 19/10
defs. At no time had I visited the Windows Update site. I have since scanned
my system in both Normal and safe mode and have come up with nothing. Finger
of suspicion may be with NAV I think.

That said. Does anyone know if the Windows Update site is down today? I keep
getting an error No. 0x800A1391 with the following message:

"The website has encountered a problem and cannot display the page you are
trying to view. The options provided below might help you solve the problem."
etc etc.

Stu

"Travis" wrote:

> At around 1:00 am I ran windows update on my home computer according to the
> prompt from the toolbar. Nothing was unusual until after it finished
> installing, when I was informed that Norton Antivirus had suddenly detected
> Hacktool.Rootkit on my system.
>
> Contained in C:\WINDOWS\system32\SVKP.sys, I was told that the repair failed
> and access was denied. Norton tried again with the same result. Let me say
> that my virus definitions are indeed up to date.
>
> I was able to manually scan my system and tell it to quarantine the file.
> What I'm concerned about is the description on Norton's site.
>
> "Hacktool.Rootkit comprises a set of programs and scripts that work together
> to allow attackers to break into a system. If Hacktool.Rootkit is detected on
> a system, it is very likely that an attacker has gained complete control of
> that system. All files that are detected as Hacktool.Rootkit should be
> deleted. Infected systems may need to be restored from backups or patched to
> restore security."
>
> Sadly, I do not have backups on my computer.
>
> What should I do?

 
 
Ottmar Freudenberger

 
      10-21-2005
"Travis" <> wrote:

> At around 1:00 am I ran windows update on my home computer according to the
> prompt from the toolbar. Nothing was unusual until after it finished
> installing, when I was informed that Norton Antivirus had suddenly detected
> Hacktool.Rootkit on my system.
>
> Contained in C:\WINDOWS\system32\SVKP.sys,


You can definitely shoot out NAV being hypernervous and being updated
with new virus definition the same time? I can assure you, that there's
absolutely *no* virus or any other malware spreading through Windows
Update. You may find http://vil.nai.com/vil/content/v_101134.htm#Symptoms
useful anyway:

| The presence of SVKP.SYS does not necessarily mean that this trojan
| is installed. SVKP.SYS is part of SVK Protector, which this trojan
| is packed with. SVK Protector is used in innocent programs as well

Bye,
Freudi
--
Make your Windows more secure: http://windowsupdate.microsoft.com - now!
http://www.microsoft.com/germany/sicherheit/
Information on current patches for IE, OE and WinXP: http://patch-info.de
Last updated: IE - 11.10.05 / OE - 17.06.05 / WinXP - 11.10.05

 