Root kit or what ?

[Fogey]

For some time now I've had activity between my one computer and the internet while I'm doing nothing. I've thought for a while I may have a root kit on here somewhere. Norton Anti Virus says I'm good to go and I'm sitting behind a hardware firewall. When the activity starts, If I pull up Windows Task manager it stops. I've done some reasearch on Root kits so I have an idea what they are. Norton Security itself has a root kit installer in it's software as I found it without to much trouble. I understand them having one on here. This is one I found this morning all by accident. I wanted to delete a item in my recycle bin. I hit the wrong button on my mouse and pulled up info from Norton Unerase wizzard Protected files. No big deal there as I understand what it's there for. However this is what I did find a big deal. Every time I start this computer up Norton Keeps trying to delete a program called sndmonprivtest by Nortons program named sndmon. The sndmonprivtest is located in C:Program files and C: Program files/Common files, It's a data file 0.01 kb in size. When I did a search on sndmon on goggle it gave me lots of info on it being a Norton program and what it does. When I did a goggle search on sndmonprivtest, it pulls up pages linking to E bay. I haven't been on/or at E bay in months. I haven't bought anything there in better than a year. I'm not happy to say the least. I'm about ready to wipe C drive and start all over. I know some code but it's all in old q basic . I don't know any windows code and have not had time to look deeply into C++ but understand it to a small degree.
Any of you guys with a great deal of know how on code and root kits got any ideas? I don't want to wipe C drive and start over do to the number of hours it's going to take to do it over. I have a number of backups as I back up every week, but I understand the backups will have this no doubt. I would be very thankfull on any info on this . Thanks

[Fogey]

Started over. Re did C drive from scratch. What a Pain in the arsh. Dang........................................................................................

[Fogey]

The Delima of "sndmonprivtest" is not fully over. I have since re formating my machine and did some more research on this subject. Last week when I did a search on google of " sndmonprivtest" I got 12 hit pages with links to various E bay pages. Now I do the search, I only get five. But doing a search of Norton root kit did give me some usefull info. Norton claims no known use of their hidden root kit was used by any one via a trojan program, so I 'm going to E Mail them on this one and the behaviour of my machine untill I re formated. Interesting how once the Sony root kit was let out of the bag, trojan programs were in the wild in less than a week to exploit the file. Here's a quote from the one article:

"He explained that the feature, called Norton Protected Recycle Bin, was built into Norton SystemWorks with a director called NProtect that is hidden from Windows APIs. Because it is cloaked, files in the NProtect directory might not be scanned during scheduled or manual virus scans."

Wow, interesting as I found the file by accident in Norton protected Recycle Bin when I clicked the wrong mouse button by mistake or I still wouldn't know. The quest goes on...........................

No luck for a E Mail address for Norton so I'll try another route

[Apoptosis]

what a pain!

[kenc51]

I've never liked norton....but this "NProtect" thing

I hope you find out what in the heck sndmonprivtest is/does...

[Fogey]

I sent an E mail to "the Inquirer" in the UK as I know those guys like looking into that sort of thing. Nothing from them so far.

So, today I sent E Bay this E mail:

"Go to Google and type in this filename <sndmonprivtest>
Today it gave me two hits. Last week I got five. The week before that I got 12. All were linked to E-Bay. I found this file on my computer via Norton Protected Recycle bin. Every time I would start up my computer, this file was running in the background. No, It's not the same file as Norton IS 2004 file <sndmon>. I found it interesting that this file only links to various E bay pages. For about six months I have had strange activity on my computer when there should be none. Norton scan came up clean. Everything was pointing towards a hidden Root Kit. I have since re formatted my computer and deleted all back ups and gone with a fresh/clean install. Perhaps you could help me out and explain what this file is all about and why it only links back to various E-Bay pages.
Any help in this matter would be very helpfull. Thanks "


I have a theory on what all of this is, but for right now, I'm in on hold till I do more research on this matter.

[Apoptosis]

I did a search on http://www.dogpile.com and found several sites that are not ebay listed that contain "sndmonprivtest"

looks like the file is SNDMonPrivTest.dat

Which is....

Process File: SNDMon or SNDMon.exe
Process Name: Symantec Security Drivers

SNDMon.exe is a process associated with Norton Antivirus application from Symantec. This process should not be removed to ensure that your system security is not breached.

I think it's the part of Norton Antivirus that detects when you are online so updates can be downloaded... Just what my research showed

Is that what you are also thinking?

[Fogey]

My very early research showed that sndmon was part of Norton AV/IS. No problem there. The fact that sndmonprivtest.dat didn't seem linked to Norton other than Norton would place it in the Protected Recycle bin didn't seem right. Then when I did a search on google and all I got was various web page hits all leading to E Bay. I not a expert/pro when it comes to coding, but I have done enough to have a basic understanding of it. I learnt Q basic and was writing small/medium progarms with it. Was starting to learn C++ but just don't have the time to learn a new language. So many languages, so little time to learn them. Anyhow, Once the hidden rootkit Sony was placing on peoples machine via their music CD without their knowledge became public knowledge, within a week hackers were using Sonys rootkit as a way in. With Norton IS 2004 having a root kit, I was just curious if someone had found a way "in" and was using E Bay as a un knowing host to pass along private information gleemed from unsuspecting folks via Nortons Rootkit. What better of a place than E Bay to use as a gopher for the passing along of information remotely. With the volume of folks that are using E Bay, on line at any time, how hard it would be to track someone using E Bay as a unknowing host. I don't have the skills to find out, so I thought I'd put it out for someone in the know that might give mean answer. Rootkits seem to be the best written programs so far to date for gathering info and eluding detection via your AV programs/spyware programs. So, with my issues I've had for the last six months with my one computer, I wanted to look into it. This whole issue reminds me of the old cold wars with the soviets.
One side comes out with a new weapon, then a new counter measure for it and the race of one up manship goes on.....................................

[Mortious]

Actually if you hover over the links you will see that they are directed to different web sites (not ebay). The first one I hoved over was going to http://www.brenhamshopping.com/10218612/, but they do end up redirecting back to ebay...

I clicked the link with my work computer so if something goes boom IT can handle it...

[Fogey]

I tried your link and it gave me "Service Unavailable". Then I did a search on Google of <sndmonprivtest>, I got three hits, every one took me to E bay. Lot of ways this is really no big deal anymore as I re formatted my computer. Just was interested in a little more info. It's just that stuff like this gets me interested in knowing more:
http://www.wired.com/news/privacy/0,1848,69601,00.html

[Mortious]

Right the links end up there, but take a look at the URL that you get when you hover over (also at the bottom of the google entry). Guess Ill do a bit of sleauthing and see who those domains belong to.

They all belong to the same person:

Registrant Contact:
Sarah Whiting
Sarah Whiting ([email protected])
+1.8499345893
Fax: +1.8484741143
15 East Pleaseant St
Pleaseville, IL 34293
US

Whats all this mean? Havn't a clue, just kinda fun to look up....

[Fogey]

I saw the different address at the bottom of every hit goggle showed. I'm curious to know, but will also admit I'm only willing to put only so much time into looking into this real deeply. I've got a Folding machine I want to put togeather once I get the new PS for it, not to mention my Asus [now Watercooled] SLI gaming rig is up and ready for some action and is calling to me as I type this on my P4-3.4 EE machine. I'm trying to resist its calling, but in a strange way I seem to be slowley drawn towards it. Must not give in.... Must fight the urge to fire it up and game........... Noooooooo..................
Thanks for your help on this matter.