
Sophos keeps showing "Sophos Protection Disabled"

Hi, I'm new here so any help is greatly appreciated. Following a fake AV virus (Internet Protection Virus), I think I have finally cleared most of it off; I now have two issues.

Sophos keeps showing "Sophos Protection Disabled". I have read the various threads and the programme shows it turned on when I open it; I have re-run almon.exe, but after a few seconds it's back to disabled.

The second issue is that the scanner will not allow me to do a rootkit scan; it hangs at 2% and goes no further.

I have run a normal scan excluding the rootkit scan and there are no viruses detected, but it says that it can't access the c:\users ntuser.log1 file or ntuser.log2 file.

Any ideas would be appreciated. Mat

  • Hello Mattpengwern,

    Not only is the hang suspicious, but from what you say it is very likely that there's still some component active. Having seen these things in action I surmise there will be other symptoms too. Are you able to run the Task Manager and Sysinternals' Process Explorer? Also check the Sophos services - if some are stopped, are you able to start them? If not - check the NTFS permissions on the executables. You should also check the driver details for the disks.

    Note that an external scan might or might not detect "something". FakeAV is often complex and the scareware is only one component. New variants of the different parts of the threat are quite common and often a specific identity is needed to detect them. This is why it's important to send samples whenever possible. If in the meantime an updated identity has been made available and Sophos is still updating, whatever lurks on the disk might be detected after a reboot.

    Please note: when enquiring about a detection/infection always tell the specific name(s) for the threat(s) as reported by Sophos or if it hasn't detected it at all.

    Christian

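One way to carry out the service and NTFS-permission check Christian describes, as an added PowerShell example that is not part of this thread or of Sophos' own tooling. It assumes the Sophos services can be found by a DisplayName containing "Sophos" (an assumption, not a documented list of service names) and that it is run from an elevated prompt:

```powershell
# Added example (not from the thread): list Sophos services, report those not running,
# and inspect the NTFS ACL on each stopped service's executable for Deny entries,
# which is one reason a service can refuse to start. Assumption: Sophos services are
# identifiable by a DisplayName containing "Sophos". Run from an elevated PowerShell.

$services = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like '*Sophos*' }

if (-not $services) {
    "No services with 'Sophos' in the display name were found."
}

foreach ($svc in $services) {
    "{0,-40} State={1,-8} StartMode={2}" -f $svc.Name, $svc.State, $svc.StartMode

    if ($svc.State -ne 'Running') {
        # PathName may be quoted and may carry arguments; keep only the executable path
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

        if (Test-Path -LiteralPath $exe) {
            $acl  = Get-Acl -LiteralPath $exe
            $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
            if ($deny) {
                "  Deny ACE(s) on ${exe} (a likely reason the service cannot start):"
                $deny | ForEach-Object { "    {0} -> {1}" -f $_.IdentityReference, $_.FileSystemRights }
            } else {
                "  No Deny ACEs on ${exe}; try: Start-Service -Name '$($svc.Name)'"
            }
        } else {
            "  Executable not found at ${exe} (deleted or renamed?)"
        }
    }
}
```

Any Deny entry reported here is worth comparing against a known-good install before removing it, since a legitimate hardened ACL can also contain Deny ACEs.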