Endpoint Protection

  • 1.  Infection: network protocol installed, file kernelx86.sys detected

    Posted Dec 02, 2009 01:23 PM
    Hi,
    I have a new infection on 2 PCs, coming from an MSN Messenger chat.

    The symptoms are that a new network protocol is installed, called "Client for Microsoft Sharing" (we use Spanish WinXP),
    service name Passthru, Infpath netsf.ini, ComponentId ms_passthru

    Also, this file is detected by SEP and quarantined, but I have no more info about it:
    kernelx86.sys

    Does anyone have more info about it?

    McAfee and Kaspersky do not detect the file after submitting it to their web pages.

    Thanks
    Oliver


  • 2.  RE: Infection: network protocol installed, file kernelx86.sys detected

    Posted Dec 02, 2009 01:30 PM
    What does Symantec detect it as?


  • 3.  RE: Infection: network protocol installed, file kernelx86.sys detected

    Posted Dec 02, 2009 01:38 PM
    Can you post a screenshot?


  • 4.  RE: Infection: network protocol installed, file kernelx86.sys detected

    Posted Dec 02, 2009 02:11 PM
    Just attached the screenshots; the file is detected as Hacktool in SEP.

    Filenames are:
    C:\windows\system32\drivers\kernelx86.sys

    Userinit added to a random 4-letter file in:
    C:\documents and settings\username\abcd.exe

    I had to do a "net int ip reset resetlog.txt" too

    Seems to me that it's a sniffer trojan :(

    HTH
    Oliver



  • 5.  RE: Infection: network protocol installed, file kernelx86.sys detected

    Posted Dec 02, 2009 02:24 PM
    Please create a centralized exception.
    Creating Centralized Exception policies in Symantec Endpoint Protection Manager, as per the document:

    http://service1.symantec.com/support/ent-security.nsf/docid/2008030423280248


  • 6.  RE: Infection: network protocol installed, file kernelx86.sys detected

    Posted Dec 02, 2009 02:31 PM
    Wow, an English virus on a Spanish computer, but it looks very intrusive.


  • 7.  RE: Infection: network protocol installed, file kernelx86.sys detected

    Posted Dec 03, 2009 05:30 PM
    Got some names of the virus:
    Kaspersky: Backdoor.Win32.Inject.cvj
    McAfee: Generic BackDoor!bgj
    Symantec: Backdoor.Trojan

    Still cannot delete the network client from the network card properties. Should I delete the network client from the registry?

    Also, all items in the network card properties are greyed out; it seems that a policy is blocking the modifications. How can I solve this?

    Thanks
    Oliver


  • 8.  RE: Infection: network protocol installed, file kernelx86.sys detected

    Posted Dec 03, 2009 05:34 PM
    Here is the image:


  • 9.  RE: Infection: network protocol installed, file kernelx86.sys detected
    Best Answer

    Posted Dec 04, 2009 04:07 AM
    https://www-secure.symantec.com/connect/downloads/lsp-fix

    Check if the tool above helps remove it.


  • 10.  RE: Infection: network protocol installed, file kernelx86.sys detected

    Posted Dec 04, 2009 04:34 AM
    Try this:
    How to repair Winsock if it gets corrupt

    Also ensure that no Group Policy setting is preventing you from doing this.
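
The triage steps the thread converges on (locate the injected network component, the kernel service behind it, the Userinit hijack, the policy that greys out the connection properties, and the Winsock LSP catalog) can be collected in one script. The following is an added example, not code from the thread or from Symantec; it assumes PowerShell is available on the affected host (2.0 runs on XP SP3) and is run elevated. The registry locations are standard Windows ones; the component, service and driver names are the ones the poster reported. A caveat worth knowing: `ms_passthru` and `netsf.inf` are the ComponentId and INF name of the Windows DDK PassThru NDIS intermediate driver sample, so a filter that reuses that sample shows up with exactly this generic-looking registration. The script only reports; it removes nothing.

```powershell
# Added triage script (not from the thread). Run from an elevated PowerShell prompt
# on the affected host. Names below are the ones reported in the posts; the registry
# paths are the standard Windows locations for each artefact.
$ErrorActionPreference = 'SilentlyContinue'

$ComponentId = 'ms_passthru'     # ComponentId shown in post 4
$ServiceName = 'Passthru'        # service name shown in post 4
$DriverName  = 'kernelx86.sys'   # driver that SEP quarantined (post 1)

Write-Host "== 1. Network component registration"
# NDIS components are registered under per-class GUID keys; a filter can sit in any of them.
$netClasses = @{
    NetClient  = '{4D36E973-E325-11CE-BFC1-08002BE10318}'
    NetService = '{4D36E974-E325-11CE-BFC1-08002BE10318}'
    NetTrans   = '{4D36E975-E325-11CE-BFC1-08002BE10318}'
}
foreach ($class in $netClasses.GetEnumerator()) {
    $base = "HKLM:\SYSTEM\CurrentControlSet\Control\Network\$($class.Value)"
    Get-ChildItem $base | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        if ($props.ComponentId -eq $ComponentId) {
            Write-Host "  [$($class.Key)] instance $($_.PSChildName)"
            $props | Format-List ComponentId, Description, InfPath
            # The Ndi subkey names the kernel service the component loads
            Get-ItemProperty "$($_.PSPath)\Ndi" | Format-List Service, ClsID
        }
    }
}

Write-Host "== 2. Kernel service and driver file"
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName" | Format-List ImagePath, Start, Type
Get-Item "$env:SystemRoot\System32\drivers\$DriverName" | Format-List FullName, Length, LastWriteTime

Write-Host "== 3. Userinit hijack check"
# The clean value is a single entry, %SystemRoot%\system32\userinit.exe followed by a comma.
$userinit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Userinit
foreach ($entry in ($userinit -split ',' | Where-Object { $_.Trim() })) {
    $flag = if ($entry.Trim().ToLower().EndsWith('system32\userinit.exe')) { 'ok' } else { 'SUSPICIOUS' }
    Write-Host "  $flag : $entry"
}

Write-Host "== 4. Policies that grey out the connection properties dialog"
# Group Policy 'Network Connections' settings land here; any NC_* value means the UI is locked by policy.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Network Connections"
    if (Test-Path $key) {
        Write-Host "  $key"
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -like 'NC_*' } |
            ForEach-Object { Write-Host "    $($_.Name) = $($_.Value)" }
    } else {
        Write-Host "  $key : not present"
    }
}

Write-Host "== 5. Winsock LSP catalog (what the LSP-Fix tool from post 9 edits)"
$catalog = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
Get-ChildItem $catalog | ForEach-Object {
    # PackedCatalogItem begins with the NUL-terminated ANSI path of the provider DLL
    $packed = (Get-ItemProperty $_.PSPath).PackedCatalogItem
    $dll = [System.Text.Encoding]::Default.GetString($packed).Split([char]0)[0]
    Write-Host "  $($_.PSChildName): $dll"
}

Write-Host "== 6. Resets to run once the driver and the dropped exe are gone"
Write-Host "  netsh winsock reset"               # rebuilds the LSP catalog (XP SP2 and later)
Write-Host "  netsh int ip reset resetlog.txt"   # TCP/IP stack reset
```

Read the output in order: an instance under step 1 whose `Ndi\Service` matches the service in step 2 ties the greyed-out "Client for Microsoft Sharing" entry to `kernelx86.sys`; a second entry in step 3 that is not `userinit.exe` is the dropped 4-letter executable; any `NC_*` values in step 4 explain the greyed-out properties and have to be cleared (or the GPO removed) before the component can be uninstalled through the UI; a provider DLL in step 5 that is not a Microsoft system DLL is what the LSP fix needs to remove before the Winsock reset.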