
Sophos keeps showing "Sophos Protection Disabled"

Hi, I'm new here so any help is greatly appreciated. Following having a fake AV virus (Internet Protection Virus), I think I have finally cleared most of it off; I now have two issues.

Sophos keeps showing "Sophos Protection Disabled" - I have read the various threads and the programme shows it turned on when I open it. I have re-run almon.exe, but after a few seconds it's back to disabled.

The second issue is that the scanner will not allow me to do a rootkit scan; it hangs on 2% and goes no further.

I have run a normal scan excluding the rootkit scan and there are no viruses detected, but it says that it can't access the c:\users ntuser.log1 file or ntuser.log2 file.

Any ideas would be appreciated. Mat



  • Hi,

    Based on the rootkit scan stopping at 2% I would suspect that the machine still has an active infection.

    I would suggest it might be worth trying to scan the drive "outside" of Windows maybe using SBAV http://www.sophos.com/support/knowledgebase/article/52011.html.  

    Otherwise maybe you can connect the HD to another machine and scan it from there?

    Regards,

    Jak

  • Hello Mattpengwern,

    not only is the hang suspicious, but from what you say it is very likely that there's still some component active. Having seen these things in action, I surmise there will be other symptoms too. Are you able to run the Task Manager and Sysinternals' Process Explorer? Also check the Sophos services - if some are stopped, are you able to start them? If not, check the NTFS permissions on the executables. You should also check the driver details for the disks.

    Note that an external scan might or might not detect "something". FakeAV is often complex and the scareware is only one component. New variants of the different parts of the threat are quite common, and often a specific identity is needed to detect them. This is why it's important to send samples whenever possible. If in the meantime an updated identity has been made available and Sophos is still updating, whatever lurks on the disk might be detected after a reboot.

    Please note: when enquiring about a detection/infection always tell the specific name(s) for the threat(s) as reported by Sophos or if it hasn't detected it at all.

    Christian

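As an added example (not from any participant in this thread, and not Sophos' own tooling), the service and NTFS-permission checks Christian describes can be done in one pass from an elevated PowerShell prompt: list every service whose name looks like a Sophos service, its state and start mode, the executable it points at, and any Deny ACEs on that executable that would stop the service from starting. The name patterns and the assumption that the binary path is readable from the service's PathName are assumptions of this example.

```powershell
# Added example: enumerate Sophos services and the NTFS ACL on each service binary.
# Run from an elevated PowerShell. The '*Sophos*' / 'SAV*' name filters are an
# assumption; adjust them to whatever Get-Service shows on the affected machine.

function Get-SophosServiceHealth {
    $services = Get-CimInstance Win32_Service | Where-Object {
        $_.DisplayName -like '*Sophos*' -or $_.Name -like '*Sophos*' -or $_.Name -like 'SAV*'
    }
    foreach ($svc in $services) {
        # PathName may be quoted and may carry arguments; keep only the executable path.
        $exe = $svc.PathName
        if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($exe -split '\s+')[0] }

        $denied = @()
        $exists = Test-Path -LiteralPath $exe
        if ($exists) {
            $acl = Get-Acl -LiteralPath $exe
            # A Deny ACE for SYSTEM or the service account prevents the service from starting;
            # an Everyone/Users Deny on an AV binary is a strong sign of tampering.
            $denied = $acl.Access |
                Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }
        }
        [pscustomobject]@{
            Service    = $svc.Name
            State      = $svc.State
            StartMode  = $svc.StartMode
            RunAs      = $svc.StartName
            Executable = $exe
            ExeExists  = $exists
            DenyACEs   = ($denied -join '; ')
        }
    }
}

# Stopped services with a missing executable or a Deny ACE are the ones to look at first.
Get-SophosServiceHealth | Sort-Object State | Format-Table -AutoSize
```

A service that is Stopped with a non-empty DenyACEs column, or whose executable no longer exists, explains a "protection disabled" banner without any further guesswork and points at what to restore or re-permission.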