09-21-2011 11:56 AM - last edited on 09-25-2011 07:09 PM by shannons
On one of my computers I installed NIS 22.214.171.124. The computer has no internet connection, so I cannot update it; as far as I know I can only update the virus definitions file (and that is all???).
On that machine I have an undetectable rootkit, detected by GMER (highlighted red with "hidden service" and close to the "svchost.exe -netsvc" process); exactly this process in %windir%/system32 is Norton trusted.
HitmanPro displays a note that something has direct access to the HDD, and that usually it is a threat.
Probably it is not a new rootkit (connections between the computers are only by local network, USB sticks and CD/DVD discs).
The rootkit is detected by that software while the non-updated NIS (virus definitions only) is running.
Does Symantec need this sample? What should I do to catch it on that machine so I can transfer it to you with a tracking number later?
From the team: an offer of instruments and tactics for catching the sample; from me: the submitted sample.
WinXP SP: unknown, probably 2, 32-bit
09-22-2011 03:56 PM
09-22-2011 04:16 PM
svchost.exe is Norton trusted, as I said; I think it is not infected. I will not repost all I wrote about what HitmanPro and GMER said about my situation; you can see it above. I need instruments and tactics if Symantec wants to get the sample. If not, I cannot force that to be done; it is not for my situation, I will only understand that. I will reinstall Windows anyway, to be away from anything else undetected, if there is any.
09-22-2011 04:23 PM
09-23-2011 01:21 PM - edited 09-23-2011 01:36 PM
Here come the snapshots illustrating the given situation:
HitmanPro (my translation): Presence of an "invisible" HDD driver detected. In most cases it means that a rootkit is present.
Copied from the infected machine: atapi.sys:
Others detected by HitmanPro:
pivot.sys - Norton trusted file
pivotmou.sys - Norton trusted file
sondman.exe - Norton trusted file
The others listed are just plugins for Total Commander (they can be infected, but probably none of them is a rootkit, at most a trojan horse).
All files taken for further analysis were gathered via the usual Explorer.exe. Maybe the real atapi.sys or svchost.exe was hidden from direct access, and instead of them the rootkit has given clean files to cover the fact of infection?
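The poster asks for "instruments and tactics" to catch the sample and then worries, in the last post, that the copies pulled through Explorer may be the rootkit's clean decoys. The script below is an added example written for this thread, not code from the poster or from Symantec: it hashes each suspect file, compares the in-use driver against a second copy, and packages everything with a manifest for submission. The path layout (a `drivers` directory and a `dllcache` directory, mirroring `%windir%\system32\drivers` and the Windows File Protection cache under `%windir%\system32\dllcache` on XP) and the file contents are assumptions and constructed stand-ins, not the real files from the infected machine.

```python
"""Added example (not from the thread): hash, compare and package suspect files
for submission. Paths such as atapi.sys under system32\\drivers and the Windows
File Protection copy under system32\\dllcache are assumptions about the poster's
XP machine; demo() below builds constructed stand-in files in a temp dir."""
import hashlib
import json
import os
import tempfile
import zipfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 (drivers can be large; avoid one big read)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def describe(path):
    """Metadata an analyst wants next to a sample: size, mtime and hash."""
    st = os.stat(path)
    return {
        "path": path,
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": sha256_of(path),
    }


def compare_copies(live_path, cache_path):
    """True if the driver in use is byte-identical to the cached copy.
    A mismatch is a lead, not proof: a kernel rootkit that filters file reads
    can hand this script a clean image of both files (the poster's own worry)."""
    return sha256_of(live_path) == sha256_of(cache_path)


def package_samples(paths, out_zip):
    """Zip every path that exists plus a manifest.json; return the manifest.
    Duplicate basenames (two atapi.sys) get an index prefix so nothing is lost."""
    manifest = [describe(p) for p in paths if os.path.isfile(p)]
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as z:
        for i, entry in enumerate(manifest):
            entry["archive_name"] = f"{i:02d}_{os.path.basename(entry['path'])}"
            z.write(entry["path"], arcname=entry["archive_name"])
        z.writestr("manifest.json", json.dumps(manifest, indent=2))
    return manifest


def demo():
    """Constructed stand-ins for the poster's files (not real malware): a
    'live' atapi.sys that differs from the dllcache copy, an empty svchost.exe,
    and one path that does not exist and must be skipped."""
    root = tempfile.mkdtemp(prefix="samples_")
    drivers = os.path.join(root, "drivers")
    dllcache = os.path.join(root, "dllcache")
    os.makedirs(drivers)
    os.makedirs(dllcache)
    live = os.path.join(drivers, "atapi.sys")
    cached = os.path.join(dllcache, "atapi.sys")
    svchost = os.path.join(root, "svchost.exe")
    with open(live, "wb") as f:
        f.write(b"MZ" + b"\x90" * 64 + b"patched")  # constructed: differs from cache
    with open(cached, "wb") as f:
        f.write(b"MZ" + b"\x90" * 64)                # constructed: "clean" copy
    open(svchost, "wb").close()                      # constructed: empty file
    out_zip = os.path.join(root, "samples.zip")
    manifest = package_samples(
        [live, cached, svchost, os.path.join(root, "missing.sys")], out_zip)
    with zipfile.ZipFile(out_zip) as z:
        names = z.namelist()
    return {
        "driver_matches_cache": compare_copies(live, cached),
        "manifest": manifest,
        "zip_entries": names,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical notes. First, vendors usually want samples in a password-protected archive so mail and AV gateways do not strip them; Python's `zipfile` cannot encrypt, so apply the password with a separate archiver after this script has built the manifest. Second, the comparison only catches differences the rootkit is not hiding: if the hidden driver intercepts reads of `atapi.sys`, both copies will hash identically and look clean, which is exactly the decoy scenario the poster describes. Imaging the disk from a clean boot medium and hashing the files from the image is the way to get past that.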