This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

how to clean/delete an uncleanable virus

Some of my computers here have some uncleanable viruses/spyware. I have already done the full system scan on the affected computer; after the full system scan I also restarted the computer. (The computer has Endpoint Security 9 installed and is managed by Enterprise Console 4.) I have also already updated Endpoint Security 9 to its latest version, but to no avail: I still receive the virus alert from Enterprise Console.

Every time I try to resolve the alerts and errors on that specific computer that is infected by a virus, it always shows that the virus is uncleanable.

How can I clean/delete this virus (Virus/spyware 'Troj/Gida-A') using sophos?

  • Hi Macoy,

    It sounds like you should contact Technical Support with this one, to be sure of getting a speedy resolution.

    Before calling or emailing, I'd suggest you take a look at the customer checklist article in the knowledgebase. It lists some of the information you'll be asked for when explaining your situation to the Support teams. It also gives you the contact information you'll need, as well as explaining how to submit a sample of the malware you've found, should that be necessary.

    Good luck.

    spike

  • Not all threats can be cleaned up using the console. And, if I may add, the current behaviour is a little bit confusing. 

    First of all it depends on your AV policy - whether you enable automatic cleanup and what Sophos should do if cleanup fails or is disabled. Then an item may show up as cleanable but cleanup fails or times out (even though the client is online - never found out what this signifies) or results in some other error. See chapters 11 and 12 in SEC Help. Look at the computer details where it has been detected and which action has been taken (right now I see Troj/Badsrc-H on a client with both cleaned up for the URL and blocked for the Content.IE5 subdirectory ... it's no longer present on the machine, if it ever was). 

    As you noticed, you are referred to the Security Analyses (which you can also access by clicking the alert in Computer Details), but more often than not you enter a loop at this point unless you decide to pay the client a visit. Check the client's sav.txt - it should tell you where the threat has been found; this information is not always in SEC. You could then take a look to see if it's still there. Open the quarantine manager on the client - is it there? What actions are available?

    If it is indeed gone acknowledge the alert from the console. If it recurs it could be the user re-visiting a malicious or hacked site. Sorry if this seems even more confusing.

    In short - forget SEC for the moment and try to clean the client locally. If you then can't find out why it recurs, contact support. 

    And another tip: To get a feeling how the various settings (On-access, Web-scanning, cleanup options and so on) affect the results (and alerts you will receive) take a client and play with it. Visit www.eicar.org for a nonhazardous sample.

    Christian       

  • I find this quite a common occurrence with SAV. My resolution is to view the SAV log file held in (on Win XP) C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs, then from that, obtain the offending files and simply delete them if I deem them unnecessary, or submit them to Sophos if I feel it's a false positive.

    In general I can do the above remotely. Many times, if the bug has tripped and gets going, I simply map a network drive to the user's PC, then from a DOS command prompt go in and rename the offending file (yep, you can do that from DOS but not from Windows). Get the user to reboot and away I go again, this time deleting the renamed file. The TDSS virus is probably the one that really causes problems more than most, though; it implants as a system driver and may cause boot issues. A bit harder to sort. SAV cleanup doesn't work correctly for TDSS variants.

    It's not unusual to be faced with your situation. Just watch the logs and you'll see enough data to deal with problems manually. Sophos should really be a bit more on top of infections though. Cleanups should be much better IMHO.

    Here's a thought. Why don't Sophos put access to the SAV.txt log file in the EM Console. So we can just click to view.

    Matt

  • This is all very fine until it infects a file like iastor.sys. Delete this and the PC/laptop will not boot.

    I had an XP Home laptop recently that had me up to the small hours trying to figure out what was going on.

    I received the laptop with a "desktop would not load" problem.

    I removed the disk and scanned it using a PC. It had a few instances of rootkits and the dreaded TSSR.

    They were deleted, and all seemed OK when doing the usual checks.

    However, I could not access the Windows Update page. Try as I might, I could not open the update page or search using the words "windows update". Everything else worked fine.

    I installed Firefox and no luck, Google Chrome and still no luck. This ruled out ActiveX issues.

    I scanned the laptop and it found a threat and said it had quarantined it, but there was nothing in Quarantine.

    I then rebooted the laptop and found the antivirus software was disabled, and I could not access the antivirus software due to lack of privileges.

    I removed the disk again and scanned it from a PC, and this is the result:

    ****************** Sophos Anti-Virus Log - 04/04/2010 23:27:04 **************

        ...
    20100404 200258 File "G:\WINDOWS\system32\drivers\iaStor.sys" belongs to virus/spyware 'Mal/TDSSRt-A'.
    20100404 200352 File "G:\WINDOWS\system32\drivers\iaStor.sys" has been cleaned up.
    20100404 200352 Virus/spyware 'Mal/TDSSRt-A' has been removed.
        ...
          (3 items)

    However, iastor.sys is necessary for the laptop to boot from its SATA drive, but there was an uninfected version of the file on the drive as a backup. I copied it back to the appropriate place and all was fine.

    I did not realise that the TDSS variant could infect a file like iastor.sys.

    The war goes on 

    Pat

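Matt's reply above suggests reading the SAV log to find the offending files, and Pat's reply shows the log format and the trap of a boot-critical driver being "cleaned up". The script below is an added example (not code from the thread, nor a Sophos tool) that parses log lines of exactly that shape, records whether a cleanup was logged for each flagged file, and flags any file under system32\drivers so that it is restored from a clean copy rather than deleted. The sample log text is constructed for the example, modelled on the lines Pat quoted; the regexes assume the two message forms seen in the thread and nothing else, and the XP log path is the one Matt gave.

```python
"""Summarise Sophos Anti-Virus (SAV) log lines: which files were flagged, whether
cleanup was logged, and which of them are boot-critical drivers.
Added example; not part of the original thread or of Sophos' own tooling."""
import re
import sys
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Log location on Windows XP, as quoted in the thread (other versions differ).
XP_SAV_LOG_DIR = r"C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs"

# Constructed sample, modelled on the log lines quoted above (not a real capture).
SAMPLE_LOG = (
    '20100404 200258 File "G:\\WINDOWS\\system32\\drivers\\iaStor.sys" belongs to virus/spyware \'Mal/TDSSRt-A\'.\n'
    '20100404 200352 File "G:\\WINDOWS\\system32\\drivers\\iaStor.sys" has been cleaned up.\n'
    "20100404 200352 Virus/spyware 'Mal/TDSSRt-A' has been removed.\n"
    '20100405 091500 File "C:\\Documents and Settings\\user\\Local Settings\\Temp\\dropper.exe" belongs to virus/spyware \'Troj/Gida-A\'.\n'
)

# The two message shapes this example assumes (taken from the quoted log).
DETECT_RE = re.compile(
    r'^(?P<date>\d{8}) (?P<time>\d{6}) File "(?P<path>[^"]+)" '
    r"belongs to virus/spyware '(?P<threat>[^']+)'\.$")
CLEANED_RE = re.compile(
    r'^(?P<date>\d{8}) (?P<time>\d{6}) File "(?P<path>[^"]+)" has been cleaned up\.$')


@dataclass
class Detection:
    path: str
    threat: str
    first_seen: str   # "YYYYMMDD HHMMSS" from the log line
    cleaned: bool = False


def parse_sav_log(text: str) -> dict[str, Detection]:
    """One Detection per flagged file, keyed by the lower-cased path."""
    found: dict[str, Detection] = {}
    for line in text.splitlines():
        m = DETECT_RE.match(line)
        if m:
            key = m["path"].lower()
            found.setdefault(key, Detection(m["path"], m["threat"], f'{m["date"]} {m["time"]}'))
            continue
        m = CLEANED_RE.match(line)
        if m and m["path"].lower() in found:
            found[m["path"].lower()].cleaned = True
    return found


def is_system_driver(path: str) -> bool:
    """True for a .sys file under ...\\system32\\drivers (boot-critical if it is a storage driver)."""
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    return p.suffix.lower() == ".sys" and "system32" in parts and "drivers" in parts


def recommend(det: Detection) -> str:
    """Advice per flagged file; the driver check comes first because cleanup may already have removed it."""
    if is_system_driver(det.path):
        return "system driver: restore a clean copy before rebooting; deleting it stops the machine booting"
    if det.cleaned:
        return "cleanup logged: verify the file is gone, then acknowledge the alert in the console"
    return "not cleaned: rename or delete after review, or submit the sample if you suspect a false positive"


def summarise(text: str) -> list[tuple[str, str, bool, str]]:
    """(path, threat, cleaned?, advice) for every flagged file in the log text."""
    return [(d.path, d.threat, d.cleaned, recommend(d)) for d in parse_sav_log(text).values()]


if __name__ == "__main__":
    # Pass a copy of sav.txt as the first argument; otherwise run on the constructed sample.
    log_text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for path, threat, cleaned, advice in summarise(log_text):
        print(f"{threat}\n  {path}\n  cleaned: {cleaned}\n  {advice}")
```

Run it against a copy of sav.txt pulled over the mapped network drive Matt describes; the "cleaned" column is only what the log claims, so still check the path on disk and the quarantine manager before acknowledging the alert, as Christian advises.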
  • Hi Pat,

    Yes, I did say that TDSS was a little more tricky. iaStor is one of the files it can infect. I've also seen it bolt into other system drivers. In these instances, your method is the only effective removal, i.e. take the drive out, replace the file with a clean version and replace the drive. You can also do the same thing from the Recovery Console in XP or the repair features of Vista and 7.

    TDSS is a real peach of a virus and well thought out by its authors. Sadly, the only protection we have is the proactive 'on access', so it's clearly vital nowadays to keep up to date with software updates, both SAV and Windows.

    Matt
