Hacktool.Rootkit - Not found by Avast!

I sent the file to avast! two weeks ago and still no reply or anything. :cry: As you can see, I did a scan at VirusTotal and NAV and VBA32 were the only ones that detected it.

Oh and it's in C:\WINDOWS\SYSTEM32\SVKP.sys

AntiVir 6.32.0.6 10.20.2005 no virus found
Avast 4.6.695.0 10.20.2005 no virus found
AVG 718 10.18.2005 no virus found
Avira 6.32.0.6 10.20.2005 no virus found
BitDefender 7.2 10.20.2005 no virus found
CAT-QuickHeal 8.00 10.20.2005 no virus found
ClamAV devel-20050917 10.20.2005 no virus found
DrWeb 4.32b 10.21.2005 no virus found
eTrust-Iris 7.1.194.0 10.21.2005 no virus found
eTrust-Vet 11.9.1.0 10.20.2005 no virus found
Fortinet 2.48.0.0 10.21.2005 no virus found
F-Prot 3.16c 10.20.2005 no virus found
Ikarus 0.2.59.0 10.20.2005 no virus found
Kaspersky 4.0.2.24 10.21.2005 no virus found
McAfee 4609 10.20.2005 no virus found
NOD32v2 1.1262 10.20.2005 no virus found
Norman 5.70.10 10.20.2005 no virus found
Panda 8.02.00 10.20.2005 no virus found
Sophos 3.98.0 10.20.2005 no virus found
Symantec 8.0 10.20.2005 Hacktool.Rootkit
TheHacker 5.8.4.126 10.20.2005 no virus found
VBA32 3.10.4 10.20.2005 Virtool.SVKProtector

C’mon… better and faster detection! :frowning:
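The listing above is the flattened "engine version date result" format a multi-engine scanner prints. As an added example that is not part of this thread, the following Python parses such a listing and summarises engine consensus, so a 2-of-22 hit with tool/packer names (Hacktool, Virtool) is flagged for origin checking rather than treated as a confirmed infection. The tool/packer prefix list and the one-third consensus threshold are assumptions of this example, not any scanner's rule.

```python
from dataclasses import dataclass
# Constructed sample: eight lines copied in the post's own format.
SAMPLE = """\
AntiVir 6.32.0.6 10.20.2005 no virus found
Avast 4.6.695.0 10.20.2005 no virus found
BitDefender 7.2 10.20.2005 no virus found
Kaspersky 4.0.2.24 10.21.2005 no virus found
McAfee 4609 10.20.2005 no virus found
Symantec 8.0 10.20.2005 Hacktool.Rootkit
TheHacker 5.8.4.126 10.20.2005 no virus found
VBA32 3.10.4 10.20.2005 Virtool.SVKProtector
"""
CLEAN = "no virus found"
# Prefixes that usually name a tool or packer, not a confirmed payload (heuristic).
TOOLISH = ("hacktool", "virtool", "packed", "packer", "riskware")
LOW_CONSENSUS = 1 / 3  # below this fraction of engines, treat as unconfirmed

@dataclass(frozen=True)
class ScanLine:
    engine: str
    version: str
    date: str
    result: str
    @property
    def detected(self) -> bool:
        return self.result.lower() != CLEAN

def parse_listing(text: str) -> list[ScanLine]:
    """'<engine> <version> <date> <result...>': the result may contain spaces."""
    parsed = []
    for raw in filter(None, map(str.strip, text.splitlines())):
        parts = raw.split(maxsplit=3)  # keep the free-text result whole
        if len(parts) != 4:
            raise ValueError(f"unparseable scan line: {raw!r}")
        parsed.append(ScanLine(*parts))
    return parsed

def summarise(lines: list[ScanLine]) -> dict:
    """Per-engine detection names, hit ratio and a triage verdict."""
    hits = [l for l in lines if l.detected]
    ratio = len(hits) / len(lines) if lines else 0.0
    toolish = bool(hits) and all(h.result.lower().startswith(TOOLISH) for h in hits)
    if not hits:
        verdict = "clean"
    elif ratio < LOW_CONSENSUS:
        verdict = ("low consensus, tool/packer names: verify the file's origin"
                   if toolish else "low consensus: submit sample for analysis")
    else:
        verdict = "broad consensus: treat as malicious"
    return {"engines": len(lines), "ratio": ratio, "verdict": verdict,
            "detections": {h.engine: h.result for h in hits}}
```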

Rootkits by their nature are very difficult to detect, but they must first get established.

I’m not sure if ‘VirusTotal’ informs the AVs that don’t detect a virus (after they confirm it is a correct detection, which it looks like); I know that Jotti does pass this information/samples on - Jotti - Multi engine on-line virus scanner

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator.

Prevention is much less painful than cure. I assume that you have been able to remove this?

I scanned at Jotti too. Only VBA32 detected it.

Nope, I hadn’t removed it yet.

Check the links in this thread http://forum.avast.com/index.php?topic=16982.0

It doesn’t refer directly to hacktool.rootkit but it should give you a good idea of the procedures.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2

Post the contents of the HijackThis log here and we will try and offer some more help. Some other members might still be up and around; I’m about to call it a night, or rather morning, 5:21 a.m. here.

If you haven’t already downloaded and set up DropMyRights I would do that as a matter of urgency, to hopefully stop you getting further infected.

I guess the question is: are you trying to remove it?
It’s obvious you know what it is and where it is. If you can’t kill it, try KillBox http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41 - it’s no. 17 on the list.
Good luck.

SVKP.sys is not a rootkit.
It’s a driver of SVKP Protector. SVKP is a special packer meant to protect against unauthorized copying. While it is possible that malware authors use SVKP to pack their stuff, it doesn’t make the packer guilty. So, it’s correct that it’s not detected.

:slight_smile: For CREDIBLE rootkit detection, I would use the FREE Rootkit Revealer from www.sysinternals.com; it will NOT solve any detection, but will let you know if one is there.

There are more tools to reveal rootkits (and for many of them the information is very difficult to analyse; that is when the real work starts), but few that will deal with them. One of these is a commercial product, UnHackMe, which I believe has a trial period that allows for removal even during the trial.

However, as Igor said this may well just be the driver for a legitimate program (that has to be established), did they install it?

I have been running NAV for ages. Today I downloaded Avast4 Home and then aborted the install. As soon as I did, NAV reported detection of a Hacktool.Rootkit in /Windows/System32/SVKP.sys.
This seems more than a coincidence. If it was there before, then why did NAV not detect it earlier? Perhaps SVKP.sys is coming with Avast4. Not as a rootkit but to protect against unauthorised copying?
Would be interested to know.

As far as I’m aware avast doesn’t use the SVK Protector so there shouldn’t be any SVKP.sys with or in avast. However this would have to be confirmed by one of the Alwil team.

Where did you download avast from?
I haven’t heard of this detection in these forums relating to avast. It may have been a coincidence that it occurred at the same time you were installing avast.
When svkp.sys is heard of in relation to a trojan detection, it is using IRC as the means of entry.

It is never a good idea to have two resident AVs on your system at one time as this is likely to cause conflict; this would also stop avast from installing correctly/fully.

I downloaded from the Avast site. And I do not use IRC. And I realise that it is not wise to run 2 antivirus programs, that is why I aborted the install :).
But, as I said earlier, NAV runs all the time, had not detected it before, and it was at the very instant of working with avast. I downloaded and ran avast Virus Cleaner afterwards and it detected nothing. I also used a link from one reply in the forum and downloaded Rootkit Revealer and that indicated no problem either. So it does seem to be benign. (Well, fingers crossed.)

If I were you, I’d try antispyware and antitrojan applications like Ad-Aware, Spybot Search and Destroy, A-squared, Ewido or Microsoft AntiSpyware or TrojanHunter (shareware) to be sure…