Endpoint Protection

  • 1.  sysdrv32.sys

    Posted Jul 29, 2011 07:38 AM

    Symantec please help.

    I wonder how this Hacktool.Rootkit can enter my freshly installed Windows XP SP3. After I install the OS, the first program I install is Symantec Endpoint with the newest update (for the AV def file).

    Suddenly, after I restarted my PC and joined it to a domain, I got a message:

    Symantec Antivirus Detection Result : Hacktool.Rootkit sysdrv32.sys

    After this file was cleaned by deletion, my apps like SAP, Firefox and IE can't browse the internal network or the internet. SAP can't print, etc.

    Need this fix urgently.... thanks



  • 2.  RE: sysdrv32.sys

    Trusted Advisor
    Posted Jul 29, 2011 07:59 AM

    Hello,

    Symantec detected this threat as soon as you connected the computer to the network.

    This indicates the threat is on the network and tried to access this machine. Are there any machines on the network without SEP?

    Make sure you have installed SEP on all machines with the latest virus definitions and run a full scan on all of them.


    As far as your issue is concerned, you can check the link below and run Power Eraser to confirm whether there are any suspicious files on the machine.


    Here are a few articles from Symantec on getting rid of this threat:

    1) Hacktool.Rootkit

    http://www.symantec.com/security_response/writeup.jsp?docid=2002-011710-0057-99

    2) Power Eraser

    https://www-secure.symantec.com/connect/articles/how-symantec-power-eraser

    3) Power Eraser Overview

    https://www-secure.symantec.com/connect/videos/power-eraser-overview


    Hope this Helps!!!



  • 3.  RE: sysdrv32.sys

    Posted Jul 29, 2011 08:07 AM

    Follow the above procedure for removing the rootkit. Even after that, if those programs are not working, you may need to reinstall them.



  • 4.  RE: sysdrv32.sys

    Posted Aug 01, 2011 12:54 AM

    NPE didn't work.

    Well, I believe if an infected PC in my network tries to infect my freshly installed PC, Endpoint Network Threat Protection will protect it.

    The point is, I wonder how the virus can "bypass" Endpoint right after I joined the PC to my domain.

    I've checked; the OS and drivers of my PC are clean.



  • 5.  RE: sysdrv32.sys
    Best Answer

    Posted Aug 05, 2011 11:17 PM

    I guess I found the answer....

    This is the way I set up my PC:

    1. Setup windows OS
    2. Setup Endpoint & Update to the newest virus def (offline)
    3. Setup My applications
    4. Setting my PC
    5. Join my PC to domain
    6. Create recovery partition using hiren boot CD

    My PC ran well without detecting the virus from step 1 to 5. But when I rebooted my PC right after step 6 and left it for about 10 or 20 minutes, the virus detection window popped up.

    So I believe this Hacktool.Rootkit sysdrv32.sys comes from Hiren's Boot CD v14.

    I created the recovery partition using Acronis True Image Enterprise Server, which comes with the CD. When I stopped doing step 6, I found my 4 PCs running well.

    Hope this answers someone else's problem too.
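A check a defender would add to the troubleshooting above: inventory the kernel-mode drivers registered on the machine and see which ones lack a valid Authenticode signature, so that an unfamiliar driver name such as sysdrv32.sys can be traced to a signer and a file path or flagged as unsigned. This is an added example, not code from the thread, from Symantec or from Hiren's Boot CD; it assumes a modern Windows host with PowerShell 3 or later (the Windows XP machine in the thread would not have `Get-CimInstance`) and an elevated prompt. The function names are mine.

```powershell
# Added example (not from the thread): list kernel-mode drivers registered on this host and
# flag any whose image file is missing or does not carry a valid Authenticode signature.
# Assumes PowerShell 3+ on a modern Windows host; run from an elevated prompt.

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a plain file path.
    $p = $RawPath.Trim('"')
    if ($p -match '^\\\?\?\\')       { $p = $p.Substring(4) }                     # \??\C:\...
    if ($p -match '^\\SystemRoot\\') { $p = $env:SystemRoot + $p.Substring(11) }  # \SystemRoot\...
    if ($p -match '^system32\\')     { $p = Join-Path $env:SystemRoot $p }        # system32\drivers\...
    return $p
}

function Get-DriverSignatureReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    foreach ($d in $drivers) {
        $path   = Resolve-DriverPath -RawPath ([string]$d.PathName)
        $status = 'FileMissing'   # registered driver whose image is gone (e.g. deleted by AV)
        $signer = ''
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()    # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Name      = $d.Name
            State     = $d.State
            StartMode = $d.StartMode
            Status    = $status
            Signer    = $signer
            Path      = $path
        }
    }
}

# Anything that is not 'Valid' deserves a second look: an unrecognised driver name with no
# signer, or a registered driver whose file has already been removed, are the cases to chase.
$report = Get-DriverSignatureReport
$report | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table Name, State, StartMode, Status, Signer, Path -AutoSize
```

If a flagged driver's path and signer line up with software you installed yourself (the poster traced theirs to the imaging tool on the boot CD), that explains the detection and you can decide whether that software belongs on a domain-joined machine; if nothing accounts for it, treat it the way the Trusted Advisor suggests, with a full scan and Power Eraser. A driver that shows `FileMissing` but is still registered is also why applications can break after AV deletes a file: the service entry survives while its image does not.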