
sysdrv32.sys

Created: 29 Jul 2011 • Updated: 05 Aug 2011 | 4 comments
This issue has been solved. See solution.

Symantec please help.

I wonder how this Hacktool.Rootkit can enter my freshly installed, newest Windows XP SP3. After I install the OS, the first program I install is Symantec Endpoint with the newest update (for the AV definition file).

Suddenly, after I restarted my PC and joined the PC to a domain, I got a message:

Symantec Antivirus Detection Result : Hacktool.Rootkit sysdrv32.sys

After this file was cleaned by deletion, my apps like SAP, Firefox and IE can't browse the internal network and the internet. SAP can't print, etc.

Need this fixed urgently... thanks

Comments (4)

Mithun Sanghavi:

Hello,

Symantec Detected this Threat as soon as you connected the computer on the Network.

This indicates the Threat is on the network and the Threat tried to access this machine. Are there any machines on the network without SEP?

Make sure you have installed SEP on all machines with the latest virus definitions and run a Full Scan on all of them.

As far as your issue is concerned, you can check the links below and run Power Eraser to confirm whether there are any suspicious files on the machine.

Here are a few articles from Symantec to get rid of this Threat:

1) Hacktool.Rootkit

http://www.symantec.com/security_response/writeup.jsp?docid=2002-011710-0057-99

2) Power Eraser

https://www-secure.symantec.com/connect/articles/how-symantec-power-eraser

3) Power Eraser Overview

https://www-secure.symantec.com/connect/videos/power-eraser-overview


Hope this Helps!!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

AravindKM:

Follow the above procedure for removing the rootkit. Even after that, if those programs are not working, you may need to reinstall them.

Please don't forget to mark your thread solved with whatever answer helped you :) Thanks & Regards, Aravind

sang6iru:

NPE didn't work.

Well, I believe if an infected PC in my network is trying to infect my freshly installed PC, Endpoint Network Threat Protection will protect it.

The point is, I wonder how the virus can "bypass" Endpoint right after I joined the PC to my domain.

I've checked that the OS and drivers of my PC are clean.

sang6iru:

I guess I found the answer....

This is the way I set up my PC:

  1. Setup windows OS
  2. Setup Endpoint & Update to the newest virus def (offline)
  3. Setup My applications
  4. Setting my PC
  5. Join my PC to domain
  6. Create recovery partition using hiren boot CD

And my PC was running well without detecting the virus from step 1 to 5. But when I rebooted my PC right after step 6 and left the PC for about 10 or 20 minutes, the virus detection window popped up.

So i believe this Hacktool.Rootkit sysdrv32.sys comes from Hiren Boot CD v14.

I created a recovery partition using Acronis True Image Enterprise Server that comes with the CD. And when I stopped doing step 6, I found my 4 PCs running well.

Hope this answers someone else's problem too.

SOLUTION