Symantec Power Eraser is the latest Symantec Recovery tool. The tool is aimed at the detection and clean-up of "zero-day" threats as well as other threats which may have infected the user’s system. Zero-day threats are those that take advantage of a newly discovered hole in a program or operating system before the developers have made a fix available – or before they are even aware that a hole exists.

http://www.symantec.com/theme.jsp?themeid=spe-user-guide

Are you using this utility as Admin User? If not please do so. It should Gather Log from Host.

http://www.symantec.com/business/support/index?page=content&id=TECH134803&actp=search&viewlocale=en_US&searchid=1343985648932

Hello,

Answering to Kashish33: 

• we would like to  use Symantec Power Eraser to find new variants of existing threats that are not detected by the current definition sets,  this seems to be one of the goals of Symantec Power Eraser

• as you may know a lot of virus ensure persistence through a HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run registry key  (here,  CURRENT_USER = the infected user)

Answering to Ajit Jha:

Yes we use an admin account.

Symantec Power Eraser successfully examines  some Load Points like:

hkey_local_machine\software\microsoft\windows\current version\run

and

hkey_current_user\software\microsoft\windows\current version\run   (here,  current_user = the admin account)

But it doesn't seem to examine user profile registry hive for users different than the current user.

Best regards,

Antoine

You may Contact Symantec Customer Care on 

http://www.symantec.com/support/assistance_care.jsp

Regional Support Telephone Numbers:

United States: 800-342-0652 (407-357-7600 from outside the United States)

Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)

United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Hi Antoine B,

Actually no need to call support on this issue.

You are correct that Symantec power eraser examine only load points of the current user & it's by design.

By default windows loads one profile at a time.

There are few common load point it can be specific to user profile.

Check following article to know more about it.

http://www.Symantec.com/docs/TECH99331

As per your comment -(the people doing the investigation in our company are not the same as the people that are infected,  they do not use the same account etc.)- In this case people that are infected should run power eraser, investigation person should not use his login credential to run this tool.

However you can give request to product enhancement:

http://www.Symantec.com/business/support/index?pag...

Hi,

You can add it under an idea section also.

https://www-secure.symantec.com/connect/node/add/idea

Thanks Chetan Savade,  I will open an idea.

For your suggestion about the infected user running the tool,  this doesn't work:

• they are not working in IT
• they do not have administrator rights  (best practice)  and Symantec Power Eraser doesn't seem to work fine with non administrator account

Hi Antonie B,

With this situation you need to temporarily elevate the user rights and fix the issue and revert the permissions.

OR

Run complete scan using SEP /NSS /SERT.

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

Nice point there Antoine.

Let us know if you already pushing the idea.