Troj/DocDrop-TJ

Hi Guys,

I´m using Sophos anti virus Home edition 9.6.1.

For the last couple of months, I get a "Threat detected by Sophos" message for every scan I make.

It reads: `virus/spywarre` Troj/docDrop-TJ has been detected and moved to quarantine.

I then open the quarantine manager, and can see several thousand (!) locations.

The pathname is almost the same for all of them:
/user/mortenryberg/desktop/sophos/scan_003_6309024125.doc_1_1_4

The next one reads:
/user/mortenryberg/desktop/sophos/scan_003_6309024125.doc_1_1_4_1 and so on and on

I then manually delete all the files in:
/user/mortenryberg/desktop/sophos/

I empty my Thrash bin afterwards.

Then in my next scan, the same happens.....

Can any one tell me whats going on, since I can't get ride of the malware? Where can I find the path to the original source of the malware, so I can delete it?

  • Hi Morten,

    That is quite odd behaviour to be honest, I am going to need some more informatuon.

    If you go to c:/programdata/sophos/Sophos antivirus/logs

    You should find a sav.txt log file. Can you open that and find one of these detections listed. Then copy and paste about 10 lines from the log before and after the detection and paste them on here for me to take a look please.

  • In reply to PeterM:

    Hi Peter, thx for answering!

    I´m on a mac, so where should I look for the log?

    I did  a search for sav.txt but got nothing.

    I dont have the "show scan log" option prop because a use the free version.

  • In reply to Morten Ryberg:

    Hello Morten Ryberg,

    the equivalent log on a Mac is /Library/Logs/Sophos Anti-Virus.log.

    Christian

  • In reply to PeterM:

    com.sophos.oas: Sophos Anti-Virus
    com.sophos.oas: Product Version: 9.6.1
    com.sophos.oas: Engine Version: 3.68.0
    com.sophos.oas: Threat Data Version 5.41, 27 June 2017
    com.sophos.oas: Includes detection for 13607390 threats
    com.sophos.oas: Copyright (c) 1989-2016 Sophos Ltd, www.sophos.com
    com.sophos.oas:
    com.sophos.oas: Using IDE files:
    com.sophos.oas: age-awlw.ide age-awmh.ide age-awmi.ide age-awmr.ide age-awpx.ide age-awpz.ide age-awqx.ide age-awrs.ide age-awsn.ide
    com.sophos.oas: andro-sv.ide auto-cah.ide auto-cal.ide auto-cav.ide bank-gtr.ide bank-gtv.ide bank-gtw.ide banl-cqt.ide bckd-ruq.ide
    com.sophos.oas: betab-bb.ide betab-bc.ide betab-be.ide betab-bf.ide blada-eo.ide blada-ey.ide blada-fa.ide cerb-amv.ide cerb-anb.ide
    com.sophos.oas: cerb-ani.ide chisb-rq.ide coinmi-t.ide darkc-fn.ide decep-ab.ide docd-jdz.ide docd-jei.ide docd-jej.ide docd-jfm.ide
    com.sophos.oas: docd-jge.ide docd-jhl.ide docd-jho.ide docd-jjh.ide docd-jjl.ide docd-jlm.ide docd-jly.ide docd-jmc.ide docd-jmz.ide
    com.sophos.oas: docdr-ae.ide docdr-wv.ide docdr-wy.ide docdr-xo.ide docdr-yd.ide docdr-zl.ide docdr-zr.ide dofoi-fr.ide dride-yd.ide
    com.sophos.oas: dride-ye.ide dride-yo.ide dride-ys.ide dwnl-tmw.ide equgrp-h.ide fare-dcl.ide fare-dcx.ide fare-ddr.ide fare-ddw.ide
    com.sophos.oas: fare-deu.ide fare-dex.ide fare-dfn.ide fare-dgg.ide fare-dgn.ide fare-dgy.ide fare-dhr.ide fare-dhz.ide fare-dia.ide
    com.sophos.oas: fare-dic.ide fare-did.ide fare-dif.ide fare-diu.ide gepys-s.ide gozi-ib.ide gozi-ig.ide gozi-ii.ide gozi-ij.ide
    com.sophos.oas: hawke-pa.ide hawke-pc.ide hawke-pe.ide htadl-ab.ide html-bz.ide htmld-ac.ide htmld-dt.ide htmldl-j.ide htmldr-b.ide
    com.sophos.oas: inje-cpv.ide inje-cqk.ide injec-si.ide jsdld-xc.ide konni-c.ide kovte-hh.ide lethi-br.ide lethi-bs.ide lethi-bt.ide
    com.sophos.oas: limit-ps.ide locky-xc.ide mdro-hxa.ide mdro-hxg.ide mdro-hxk.ide mdro-hxn.ide mdro-hyi.ide mdro-hyk.ide mdro-hyr.ide
    com.sophos.oas: miner-ce.ide miner-cp.ide miner-cr.ide miner-cu.ide miure-fc.ide msil-jvv.ide msil-jwc.ide msil-jwd.ide msil-jwe.ide
    com.sophos.oas: msil-jwt.ide msil-jxf.ide msil-jyh.ide msil-jzo.ide msil-kar.ide msil-kas.ide msil-kat.ide msil-kau.ide msil-kax.ide
    com.sophos.oas: msili-ob.ide msilkl-c.ide nanoc-ql.ide nanoc-qr.ide netwi-lt.ide netwi-lu.ide netwi-lx.ide netwi-ly.ide neutri-b.ide
    com.sophos.oas: nymai-eo.ide nymai-es.ide nymai-fd.ide nymai-fo.ide nymai-ft.ide nymai-gb.ide nymai-gf.ide pdfdw-an.ide pdfdw-aq.ide
    com.sophos.oas: pdfdwn-f.ide pdfu-ble.ide pdfu-bmv.ide pdfu-bmz.ide pdfu-bph.ide pdfu-bqu.ide pdfu-bri.ide pdfu-brm.ide pdfu-bto.ide
    com.sophos.oas: pdfu-btw.ide pdfu-buw.ide pdfu-bvi.ide pdfu-bvm.ide pdfu-bxi.ide pdfu-bxj.ide pdfu-bxo.ide pdfu-byp.ide pdfu-bzg.ide
    com.sophos.oas: petya-bh.ide petya-bi.ide petya-bk.ide petya-bl.ide petya-bn.ide phis-ajw.ide phis-alc.ide phis-ald.ide phis-ale.ide
    com.sophos.oas: phis-amo.ide phis-amr.ide phis-ams.ide phis-anv.ide phis-ape.ide phis-apg.ide phis-aph.ide phis-apk.ide phis-apm.ide
    com.sophos.oas: phis-apx.ide phis-apz.ide ps-d.ide pws-cja.ide qakbo-cd.ide qbot-da.ide qbot-dm.ide ramni-fi.ide rans-enl.ide
    com.sophos.oas: rans-enn.ide rans-enu.ide rans-eob.ide rans-eoe.ide rans-eof.ide rans-eom.ide rans-eot.ide rans-eou.ide rans-eov.ide
    com.sophos.oas: rans-eow.ide rans-epb.ide rans-epl.ide rat-j.ide recam-f.ide recam-i.ide recam-l.ide remcos-m.ide shiot-cb.ide
    com.sophos.oas: shiot-cc.ide shiot-ce.ide spora-an.ide talmad-c.ide trickb-q.ide ursni-bb.ide vb-jnh.ide vbs-op.ide vdl.dat
    com.sophos.oas: vortex-c.ide waucho-m.ide wont-aam.ide wont-aan.ide wont-aar.ide xtbl-ag.ide xtbl-ah.ide zbot-lsj.ide zbot-lsv.ide
    com.sophos.oas:
    com.sophos.oas:
    com.sophos.oas:
    com.sophos.oas: Started On-access protection within ScanD at 14:12 on 15 July 2017
    com.sophos.oas:
    com.sophos.oas:
    com.sophos.oas: 2017-07-15 14:17:25 +0200 Threat: 'Troj/DocDrop-TJ' detected in '/Users/mortenryberg/Desktop/Sophos/Scan_003_6309024125.doc_5_3'
    com.sophos.oas: Access to the file denied
    com.sophos.oas:
    com.sophos.oas: 2017-07-15 14:17:25 +0200 Threat: 'Troj/DocDrop-TJ' detected in '/Users/mortenryberg/Desktop/Sophos/Scan_003_6309024125.doc_5_4'
    com.sophos.oas: Access to the file denied
    com.sophos.oas:
    com.sophos.oas: 2017-07-15 14:17:25 +0200 Threat: 'Troj/DocDrop-TJ' detected in '/Users/mortenryberg/Desktop/Sophos/Scan_003_6309024125.doc_5_5'
    com.sophos.oas: Access to the file denied
    com.sophos.oas:
    com.sophos.oas: 2017-07-15 14:17:25 +0200 Threat: 'Troj/DocDrop-TJ' detected in '/Users/mortenryberg/Desktop/Sophos/Scan_003_6309024125.doc_6_1'
    com.sophos.oas: Access to the file denied
    com.sophos.oas:
    com.sophos.oas: 2017-07-15 14:17:26 +0200 Threat: 'Troj/DocDrop-TJ' detected in '/Users/mortenryberg/Desktop/Sophos/Scan_003_6309024125.doc_6_1_1'
    com.sophos.oas: Access to the file denied

     

    There are no lines after the above. It ends with the above, but as written before after several thousands lines...

    The Sophos folder on my desktop is empty when the scan starts.

  • In reply to Morten Ryberg:

    Have I copy/paste the right information guys?

  • In reply to Morten Ryberg:

    I dont know if this is helpful, but my sophos folder (for items in quarantine) looks like this:

     

    The scan is from today.

  • In reply to Morten Ryberg:

    Hello Morten Ryberg,

    you are running an on-demand scan (manually or scheduled)? What are its When a threat is found settings and what's in its log (please note that it has its own log in ~/Library/Logs/Sophos Anti-Virus/Scans/, either browse to this location in Finder or access the log from the Scans window). Also - what's the size of these files?

    Christian

  • In reply to QC:

    Hi ,

    Sophos Dashboard, could you check the alert and post its location.

  • In reply to PeterM:

    Thanks for such wonderful solution...gr8 work