
Is anyone else seeing this alert - Shh/Updater-B false positives?

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



  • Here's a quick VBScript to restore files that quarantine moved to the "INFECTED" folder.

    Disclaimer: Works for me, but use at your own risk.

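    ' Restores the Sophos AutoUpdate files listed below from the quarantine
    ' folder to the AutoUpdate program folder, then restarts the AutoUpdate
    ' service.
    '
    ' Only the ".000" quarantine copy of each file is considered, and a file is
    ' restored only when nothing with that name exists at the destination.
    '
    ' NOTE(review): this moves binaries back out of quarantine without checking
    ' them. Run it only on hosts where the detection is the false positive
    ' discussed in this thread. Checking each restored file's digital signature
    ' or hash against a known-good copy before the service starts is a sensible
    ' extra step. Presumably the detection data has to be corrected first, or
    ' the files may simply be quarantined again - confirm.
    Option Explicit

    Dim objFSO, infectedPath, progPath, fileNames, fileName, quarantined, target
    Dim strServiceName, objWMIService, colListOfServices, objService
    Dim query, attempts, stillRunning

    Set objFSO = CreateObject("Scripting.FileSystemObject")

    infectedPath = "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\"

    ' Use whichever AutoUpdate install folder exists; quit if there is none.
    If objFSO.FolderExists("C:\Program Files (x86)\Sophos\AutoUpdate\") Then
        progPath = "C:\Program Files (x86)\Sophos\AutoUpdate\"
    ElseIf objFSO.FolderExists("C:\Program Files\Sophos\AutoUpdate\") Then
        progPath = "C:\Program Files\Sophos\AutoUpdate\"
    Else
        Wscript.Quit()
    End If

    ' Fixed allow-list: nothing outside these names is ever moved out of quarantine.
    fileNames = Array("ALsvc.exe", "ALUpdate.exe", "inetconn.dll", "AUAdapter.dll", _
                      "ChannelUpdater.dll", "cidsync.dll", "Logger.dll", "SingleGUIPlugin.dll")

    For Each fileName In fileNames
        quarantined = infectedPath & fileName & ".000"
        target = progPath & fileName
        If objFSO.FileExists(quarantined) And Not objFSO.FileExists(target) Then
            ' A failed move (file locked, access denied) is reported and must not
            ' stop the remaining files from being restored.
            On Error Resume Next
            objFSO.MoveFile quarantined, target
            If Err.Number <> 0 Then
                WScript.Echo "Could not restore " & fileName & ": " & Err.Description
                Err.Clear
            End If
            On Error GoTo 0
        End If
    Next

    strServiceName = "Sophos AutoUpdate Service"
    query = "Select * from Win32_Service Where Name ='" & strServiceName & "'"
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set colListOfServices = objWMIService.ExecQuery(query)
    For Each objService In colListOfServices
        objService.StopService()
    Next

    ' StopService only requests the stop. Poll the service state (up to ~30 s)
    ' so StartService is not issued while the service is still stopping.
    For attempts = 1 To 30
        stillRunning = False
        For Each objService In objWMIService.ExecQuery(query)
            If objService.State <> "Stopped" Then stillRunning = True
        Next
        If Not stillRunning Then Exit For
        WScript.Sleep 1000
    Next

    For Each objService In objWMIService.ExecQuery(query)
        objService.StartService()
    Next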
    
  • Here's a quick VBScript to restore files that quarantine moved to the "INFECTED" folder.

    Disclaimer: Works for me, but use at your own risk.

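    ' Restores the Sophos AutoUpdate files listed below from the quarantine
    ' folder to the AutoUpdate program folder, then restarts the AutoUpdate
    ' service.
    '
    ' Only the ".000" quarantine copy of each file is considered, and a file is
    ' restored only when nothing with that name exists at the destination.
    '
    ' NOTE(review): this moves binaries back out of quarantine without checking
    ' them. Run it only on hosts where the detection is the false positive
    ' discussed in this thread. Checking each restored file's digital signature
    ' or hash against a known-good copy before the service starts is a sensible
    ' extra step. Presumably the detection data has to be corrected first, or
    ' the files may simply be quarantined again - confirm.
    Option Explicit

    Dim objFSO, infectedPath, progPath, fileNames, fileName, quarantined, target
    Dim strServiceName, objWMIService, colListOfServices, objService
    Dim query, attempts, stillRunning

    Set objFSO = CreateObject("Scripting.FileSystemObject")

    infectedPath = "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\"

    ' Use whichever AutoUpdate install folder exists; quit if there is none.
    If objFSO.FolderExists("C:\Program Files (x86)\Sophos\AutoUpdate\") Then
        progPath = "C:\Program Files (x86)\Sophos\AutoUpdate\"
    ElseIf objFSO.FolderExists("C:\Program Files\Sophos\AutoUpdate\") Then
        progPath = "C:\Program Files\Sophos\AutoUpdate\"
    Else
        Wscript.Quit()
    End If

    ' Fixed allow-list: nothing outside these names is ever moved out of quarantine.
    fileNames = Array("ALsvc.exe", "ALUpdate.exe", "inetconn.dll", "AUAdapter.dll", _
                      "ChannelUpdater.dll", "cidsync.dll", "Logger.dll", "SingleGUIPlugin.dll")

    For Each fileName In fileNames
        quarantined = infectedPath & fileName & ".000"
        target = progPath & fileName
        If objFSO.FileExists(quarantined) And Not objFSO.FileExists(target) Then
            ' A failed move (file locked, access denied) is reported and must not
            ' stop the remaining files from being restored.
            On Error Resume Next
            objFSO.MoveFile quarantined, target
            If Err.Number <> 0 Then
                WScript.Echo "Could not restore " & fileName & ": " & Err.Description
                Err.Clear
            End If
            On Error GoTo 0
        End If
    Next

    strServiceName = "Sophos AutoUpdate Service"
    query = "Select * from Win32_Service Where Name ='" & strServiceName & "'"
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set colListOfServices = objWMIService.ExecQuery(query)
    For Each objService In colListOfServices
        objService.StopService()
    Next

    ' StopService only requests the stop. Poll the service state (up to ~30 s)
    ' so StartService is not issued while the service is still stopping.
    For attempts = 1 To 30
        stillRunning = False
        For Each objService In objWMIService.ExecQuery(query)
            If objService.State <> "Stopped" Then stillRunning = True
        Next
        If Not stillRunning Then Exit For
        WScript.Sleep 1000
    Next

    For Each objService In objWMIService.ExecQuery(query)
        objService.StartService()
    Next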
    