Rootkit Found

codyw
I have NIS 2010 installed on my PC and I do a couple scans a day with Norton, Malwarebytes, and Hitman Pro 3.5.5. I just did a scan with Hitman Pro and it found a Rootkit in C:\Windows\system32\DRIVERS\

Isn't Norton supposed to detect and block these kinds of malware attacks????? :mad::mad:

Not very happy right now since Rootkits can do many things...
 

My Computer

Computer Manufacturer/Model Number
ASUSTeK Computer Inc./Q550LF/Laptop
OS
Windows 7 Ultimate x64 with SP1
CPU
Intel(R) Core(TM) i7-4500U CPU @ 1.80GHz
Motherboard
ASUSTeK Computer Inc.
Memory
8 GB
Graphics Card(s)
Intel(R) HD Graphics Family, NVIDIA GeForce
Hard Drives
Hitachi HTS547575A9E384
Internet Speed
XFINITY
Antivirus
Trend Micro
I have NIS 2010 installed on my PC and I do a couple scans a day with Norton, Malwarebytes, and Hitman Pro 3.5.5. I just did a scan with Hitman Pro and it found a Rootkit in C:\Windows\system32\DRIVERS\

Isn't Norton supposed to detect and block these kinds of malware attacks????? :mad::mad:

Not very happy right now since Rootkits can do many things...

Hello !!

What is File name that was detected ?? Maybe it's just a False Positive :rolleyes:

- Captain
 

My Computer

Computer Manufacturer/Model Number
Samsung NP550P5C-S02IN
OS
Windows 7 Ultimate - 64-bit | Windows 8 Pro - 64-bit
CPU
Intel® Core™ i7 Processor 3,610QM (2.30Hz, 6MB L3 Cach
Memory
8 GB
Graphics Card(s)
NVIDIA® GeForce® GT 650M 2GB Graphics, Optimus™ techno
Sound Card
SoundAlive™ JBL 3 Speakers (With sub-Woofer)
Monitor(s) Displays
39.62cm (15.6) SuperBright 300nit HD+ LED Display
Screen Resolution
1,600 x 900, Anti-Reflective
Hard Drives
1TB S-ATA II Hard Drive (5,400RPM)
File name is elxstor.sys
Does Hitman Pro tend to get known good files mixed up?
File name is elxstor.sys
Does Hitman Pro tend to get known good files mixed up?

It's not a virus, look at this website: Elxstor.sys Analysis Report. If you want to individually scan this file for a virus, use VirusTotal and upload elxstor.sys to have it scanned with dozens of different anti-virus scanners at once.

Hope this helps,
Captain
:mad: After viewing that website, I have 2 questions:
  1. Does Hitman Pro conflict with virus protection?
  2. Why did Hitman classify this as malware when it's a perfectly good file?

Symantec is telling me that Hitman Pro will conflict.
I went to the DRIVERS folder under the C drive and manually scanned the folder with Norton and it said everything was fine.
What would happen if I told Hitman Pro to quarantine/delete the infection and this WAS a false positive. I have Symantec Support saying it's an infection. What would happen if I was to delete the said file?
:mad: After viewing that website, I have 2 questions:
  1. Does Hitman Pro conflict with virus protection?
  2. Why did Hitman classify this as malware when it's a perfectly good file?

Symantec is telling me that Hitman Pro will conflict.


  1. Hitman Pro is a malware scanner and should not conflict with Symantec.
  2. It is not unusual for false positives to occur. Thus, the need to pay attention to what is happening on your computer.

I went to the DRIVERS folder under the C drive and manually scanned the folder with Norton and it said everything was fine.

What would happen if I told Hitman Pro to quarantine/delete the infection and this WAS a false positive. I have Symantec Support saying it's an infection. What would happen if I was to delete the said file?

Your two posts have conflicting information. One indicates that NAV said the Drivers folder is fine and the second indicates Symantec Supports indicates an infection. Which is it?

Did you scan the specific file at VirusTotal as suggested by Capt.Jack Sparrow?

As to what would happen if you delete the driver, you would no longer have a driver for LightPulse Host Bus Adapters (HBAs).
 

My Computer

OS
Windows 7 & Windows Vista Ultimate
No, I did not go to VirusTotal. But I still have my Kaspersky 2010 license. What I'm going to do is put it on after wiping Norton. If it finds the infection, then I'll know it was bad. The fact that Hitman Pro is cloud based leads me to think it has to be some kind of infection. I was reading up on Rootkits too since I never really had experience with them. Exactly how do they act as malware? Do they come through your firewall, or how do they get in?
Rather than attempting to break it down for you, it would be easier if you read about Rootkits at Rootkit - Wikipedia, the free encyclopedia. Lately, we've seen a lot of rootkits accompanying rogues. For example, Defense Center and Protection Center are bundled with the Pragma TDSS Rootkit. There are any number of ways that infections occur, whether it be a drive-by, installing an infected program from a P2P site, falling for a phish, or clicking on a file "sent by a friend" (whose computer is infected).
I don't think it's a rogue - at least I hope not. Once Kaspersky is done updating to the latest databases, I am doing a complete scan to see if it finds anything. All I can say about Norton is, I'm very surprised and very shocked that it did what it did considering they have been on the market for such a long time.
Kaspersky is still scanning the system but I told Kaspersky to scan the infected area and it didn't find anything infected. I tried uploading the folder contents to VirusTotal and it came back with an error because it could not connect to some URL.
Kaspersky didn't find anything infected! :confused:
The only thing I can't understand is I didn't tell Hitman Pro to get rid of the infection. Not unless Kaspersky found it but didn't alert me of it. Who knows...:eek:
The only thing I can't understand is I didn't tell Hitman Pro to get rid of the infection. Not unless Kaspersky found it but didn't alert me of it. Who knows...:eek:

As we mentioned before, it was just a false positive. Maybe that driver has a behavior of a RootKit, which is not a bad thing because the publisher is Microsoft. Report this to the Hitman Pro Forum or e-mail them at [email protected]

Here is a review about it My Review on Hitman Pro 3.5 the Cloud Based Malware Scanner » Raymond.CC Blog

- Captain
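One way to triage a driver that a single cloud engine has flagged before quarantining it, as an added example that is not from this thread or from Hitman Pro: it records the file hash (so the file can be looked up on VirusTotal without uploading it), reads the Authenticode signer and version metadata, and checks whether Windows actually has the driver registered. It assumes PowerShell 4.0 or later (for Get-FileHash) on the affected machine; the path is the one named in the thread.

```powershell
# Added triage example, not code from the thread. Assumes PowerShell 4.0+.
$driver = Join-Path $env:SystemRoot 'System32\drivers\elxstor.sys'

if (-not (Test-Path $driver)) {
    Write-Warning "$driver is not present on this system"
    return
}

# 1. SHA-256 lets you search VirusTotal for the file without uploading it,
#    which also avoids the upload error described in the thread.
$hash = Get-FileHash -Path $driver -Algorithm SHA256
Write-Output ("SHA256 : {0}" -f $hash.Hash)

# 2. Authenticode signer. Inbox Windows drivers are usually signed through a
#    catalog file, and on Windows 7 this cmdlet does not consult catalogs, so
#    'NotSigned' here is not by itself evidence of tampering. Sysinternals
#    sigcheck -i does check catalog signatures and is the better cross-check.
$sig = Get-AuthenticodeSignature -FilePath $driver
Write-Output ("Status : {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Output ("Signer : {0}" -f $sig.SignerCertificate.Subject)
}

# 3. Version resource: a Microsoft-built driver carries its company and product
#    name here; a blank or mismatched block is worth a closer look.
$ver = (Get-Item $driver).VersionInfo
Write-Output ("Company: {0}  Product: {1}  Version: {2}" -f `
    $ver.CompanyName, $ver.ProductName, $ver.FileVersion)

# 4. Is the file registered as a kernel driver, and is it loaded? A storage
#    driver for hardware you do not own is normally registered but Stopped.
$svc = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like '*\elxstor.sys' }
if ($svc) {
    Write-Output ("Service: {0}  State: {1}  StartMode: {2}" -f `
        $svc.Name, $svc.State, $svc.StartMode)
} else {
    Write-Output 'Driver file is present but not registered as a system driver'
}
```

Deleting a registered driver file, rather than quarantining it through the scanner, leaves a service entry pointing at a missing file, which is why the thread's advice to verify first and then report the false positive to the vendor is the safer order.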
The only thing I can't understand is I didn't tell Hitman Pro to get rid of the infection. Not unless Kaspersky found it but didn't alert me of it. Who knows...:eek:
Good morning Codyw, how many A/V programs do you have on your system?
 

My Computer

Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 7600 1 X64
CPU
AMD PHENOM II X 550 PROCESSOR 3.1 ghz
Motherboard
ASUS M4A78-TE
Memory
Corsair 4 gig ddr 3
Graphics Card(s)
ati radeon 3300
Sound Card
ati hd
Monitor(s) Displays
syncmaster 2033sw
Screen Resolution
1600X900 60 hz refresh
Hard Drives
twin_seagates SATA's 1 TB & 500 Gig, hitachi_slimline 160 gig
PSU
antec_550 watt
Case
cooler master GLite
Cooling
stock_heat sink
Internet Speed
20mbs up/ 1.5mbs down
Other Info
favorite child "stewie"
favorite dog "brian"
In the cloud, Hitman Pro scans with G Data (BitDefender + Avast! engines), Emsisoft (Emsisoft + IKARUS engines), ESET, Prevx, and Dr. Web (unofficial).

The false positive is from one of these, usually Prevx these days. You can check in Hitman Pro which engine(s) have detected the threat (or false positive in this case).

The best thing would be to report the false positive to the vendor(s) that detected it but if you were to email Hitman Pro they would fix it on their end.
 

My Computer

OS
Arch Linux 64-bit