
Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



  • Here is a chunk of VBScript that can help script moving files back in the case of moved files. Please note that this was originally written to move PDF files back. I'm not well versed in VB, so I've not edited this for this particular situation. Please be sure to edit and test before using, as I would hate for any of you to have to deal with more headaches than you already have. I provide this merely as a kick-off point to help those that need to pursue this option.

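    ' Script to move back files identified as infected using the SAV log files.
    ' It parses every file whose name starts with SAV_LOG_PRE_FIX in the SAV log
    ' directory (located via the registry) and, for each log line containing
    ' MESSAGE_STRING whose text also contains strPathContains, moves the file from
    ' the quarantine/moved location back to the original path recorded on that line.
    ' By default it logs to: "\Users\[User]\AppData\Local\Temp\MovePDFBack.txt" or
    ' "\documents and settings\[User]\Local Settings\Temp\MovePDFBack.txt" depending on OS.
    '
    ' Notes for anyone adapting this:
    '  * Both paths on a log line are taken verbatim from the SAV log and handed to
    '    FileSystemObject.MoveFile, so run it only against log files you trust and
    '    with an account that is allowed to write to the original locations.
    '  * A restore is logged as failed (not retried) when the moved copy is missing
    '    or a file already exists at the original path; MoveFile does not overwrite.
    const WOW_KEY         = "Wow6432Node"
    const FOR_READING     = 1
    const MESSAGE_STRING  = "has been moved to"
    const SAV_LOG_PRE_FIX = "SAV"
    dim strWow6432Node, strLogPath, objFSO, objFile, strLogFileName, strPathContains
    dim strSAVLogLocationDir, strRes, objLogFile, strRegPath
    dim objFolder, SAVFile, strLineIn, arrOfLine, strOrigFilePath, strNewFilePath
    strLogFileName  = "MovePDFBack.txt" 'Name of this script's own log file
    strPathContains = ".pdf"             'Only log lines whose text contains this are acted on
    'Setup global objects
    set objFSO  = CreateObject("Scripting.FileSystemObject")
    'Get script log file location to write to
    strLogPath  = GetLogLocation() & "\" & strLogFileName
    set objLogFile = objFSO.CreateTextFile(strLogPath, true)
    WriteToLog 0, "Starting script to recover quarantined files where: log contains the line: '" & MESSAGE_STRING & "' and path contains: '" & strPathContains & "'."
    'On a 64-bit OS a 32-bit application's HKLM\SOFTWARE keys are redirected under Wow6432Node.
    strWow6432Node = "\"
    if Is64(".") then
        strWow6432Node = "\" & WOW_KEY & "\"
        WriteToLog 0, "64-bit machine."
    else
        WriteToLog 0, "32-bit machine."
    end if
    strRegPath = "HKEY_LOCAL_MACHINE\SOFTWARE" & strWow6432Node & "Sophos\SAVService\Application\LogDir"
    strRes = GetKey(strRegPath)
    'GetKey signals failure with 0. Normalise with CStr so both a numeric 0 and the
    'string "0" are caught: in VBScript a number never compares equal to a string.
    if CStr(strRes) = "0" and strWow6432Node <> "\" then
        'If SAV is installed as a native 64-bit application its keys live in the native
        'hive rather than under Wow6432Node; try that path too before giving up.
        strRegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\Application\LogDir"
        strRes = GetKey(strRegPath)
    end if
    if CStr(strRes) = "0" then
        WriteToLog 1, "Failed to get SAV log location from registry."
        WriteToLog 1, "Exiting script."
        wscript.quit (1)
    else
        WriteToLog 0, "Read the SAV log location from registry."
    end if
    strSAVLogLocationDir = strRes
    WriteToLog 0, "Location of log directory: " & strSAVLogLocationDir
    'For each file whose name starts with SAV_LOG_PRE_FIX
    WriteToLog 0, "For each file in the directory that starts '" & SAV_LOG_PRE_FIX & "'."
    set objFolder = objFSO.GetFolder(strSAVLogLocationDir).files
    for each SAVFile in objFolder
        'Match the prefix only (the log message promises "starts with"), case-insensitively;
        'the previous InStr test matched the prefix anywhere in the name.
        if StrComp(Left(SAVFile.name, Len(SAV_LOG_PRE_FIX)), SAV_LOG_PRE_FIX, vbTextCompare) = 0 then
            set objFile = objFSO.OpenTextFile (strSAVLogLocationDir & "\" & SAVFile.name, FOR_READING, false, -1)
            WriteToLog 0, "=================Processing: '" & SAVFile.name & "'========================"
            do While objFile.AtEndOfStream <> true
                strLineIn = trim(objFile.ReadLine)
                if (instr (strLineIn, MESSAGE_STRING) > 0) and (instr(strLineIn, strPathContains) > 0) then
                    'Interested in the lines as it matches our requirements.
                    'Expected shape: ... "<original path>" has been moved to "<new path>" ...
                    'so splitting on the double quote leaves the paths at indices 1 and 3.
                    arrOfLine = split(strLineIn, """")
                    if UBound(arrOfLine) >= 3 then
                        strOrigFilePath = trim (arrOfLine(1))
                        strNewFilePath  = trim (arrOfLine(3))
                        WriteToLog 0, strOrigFilePath & " -> " & strNewFilePath
                        if MoveFileBack (strNewFilePath, strOrigFilePath) then
                            WriteToLog 0, "File restored."
                        else
                            WriteToLog 0, "File restore failed."
                        end if
                    else
                        'Fewer than two quoted paths: do not index past the array, just record it.
                        WriteToLog 1, "Skipping line with unexpected format: " & strLineIn
                    end if
                end if
            loop
            'Release the file handle before moving on to the next log file.
            objFile.Close
            set objFile = nothing
        end if
    next
    '***********************************************************************************************************
    WriteToLog 0, "Script finished."
    set objFolder  = nothing
    objLogFile.Close
    set objLogFile = nothing
    set objFSO     = nothing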
    
    '***********************************************************************************************************
    'Functions
    '***********************************************************************************************************
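    Function GetLogLocation()
        'Returns the folder this script writes its own log to: the user's temp folder
        '(GetSpecialFolder(2) = TemporaryFolder), falling back to C:\windows\temp when
        'that cannot be resolved. The result carries no trailing backslash; the caller
        'appends "\" & strLogFileName itself (the old fallback ended in "\" and produced
        'a doubled separator).
        dim objTempFolder
        on error resume next
        err.clear
        Set objTempFolder = objFSO.GetSpecialFolder(2)
        if err.number <> 0 or IsEmpty(objTempFolder) then
            GetLogLocation = "C:\windows\temp" 'Set to Windows temp if can't get the dir.
        else
            'Read the Path property explicitly instead of relying on the Folder default property.
            GetLogLocation = objTempFolder.Path
        end if
        Set objTempFolder = nothing
    End function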
    '***********************************************************************************************************
    '***********************************************************************************************************
    Function MoveFileBack (strCurrentLocation, srcOrigLocation)
        'Moves the quarantined/moved copy at strCurrentLocation back to srcOrigLocation.
        'Returns true when the move succeeded, false when the source is missing or
        'MoveFile raised (for example because a file already exists at the destination).
        'Every outcome is written to the script log via WriteToLog.
        dim blnRestored
        WriteToLog 0, "-->MoveFileBack()"
        on error resume next
        err.clear
        blnRestored = false
        If Not objFSO.FileExists(strCurrentLocation) Then
            WriteToLog 1, "Moving file back failed as file " & strCurrentLocation & " doesn't exist."
        Else
            WriteToLog 0, "File exists: " & strCurrentLocation & " attempt to move back to: " & srcOrigLocation
            objFSO.moveFile strCurrentLocation, srcOrigLocation
            'Under On Error Resume Next the only signal of a failed move is err.number.
            if err.number = 0 then
                blnRestored = true
            else
                WriteToLog 1, "Failed to move file: " & err.number & " : " & err.description
            end if
        End If
        MoveFileBack = blnRestored
        WriteToLog 0, "<--MoveFileBack()"
    End Function
    '***********************************************************************************************************
    
    '***********************************************************************************************************
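    Function Is64(strMachineName)
        'Returns true when the processor on strMachineName (use "." for the local machine)
        'reports a 64-bit AddressWidth via WMI, false otherwise. Exits the script with
        'code 1 if the WMI connection or query fails.
        WriteToLog 0, "-->Is64(" & strMachineName & ")"
        dim objWMIService, objColSettings, strDesc, objProcessor
        Is64 = false 'Default to 32-bit so an unrecognised width never leaves the result Empty.
        on error resume next
        err.clear
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strMachineName & "\root\cimv2")
        Set objColSettings = objWMIService.ExecQuery ("SELECT AddressWidth FROM Win32_Processor")
        if err.number <> 0 then
            'WriteToLog takes exactly two arguments; the previous third argument raised a
            '"wrong number of arguments" error that On Error Resume Next swallowed, so the
            'real error message was never logged before quitting.
            WriteToLog 1, "Error Number: " & err.number & " Error Description: " & err.description
            wscript.quit(1)
        end if
        For Each objProcessor In objColSettings
            strDesc = objProcessor.AddressWidth
        Next
        'AddressWidth comes back as a numeric Variant, and in VBScript a number never
        'compares equal to a string such as "64"; normalise to a string before comparing.
        if CStr(strDesc) = "64" then
            Is64 = true
        end if
        Set objWMIService = nothing
        set objColSettings = nothing
        WriteToLog 0, "<--Is64()"
    End Function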
    '***********************************************************************************************************
    
    '*********************************************************************************************************** 
    Function WriteToLog (strSev, strLogLine)
        'Appends one timestamped line to the script log (the global objLogFile).
        'strSev 0 is tagged "INF: ", 1 is tagged "ERR: ", anything else "UNKNOWN: ".
        'The function returns nothing; it exists only for its side effect on the log.
        dim strTag
        if strSev = 0 then
            strTag = "INF: "
        elseif strSev = 1 then
            strTag = "ERR: "
        else
            strTag = "UNKNOWN: "
        end if
        objLogFile.WriteLine Date() & " " & Time() & " " & strTag & " " & strLogLine
    End Function
    '***********************************************************************************************************
    '***********************************************************************************************************
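    Function GetKey(strPath)
        'Reads the registry value at strPath (a full HKEY_... path) with WScript.Shell.RegRead.
        'Returns the value's data, or the string "0" when the read fails (missing key or
        'value, access denied, ...). The failure marker is a string so the caller's test
        'strRes = "0" actually matches: in VBScript a numeric 0 never equals "0", which
        'is what the previous numeric return produced. A real value of "0" is therefore
        'indistinguishable from failure (existing design).
        dim strValue
        dim objShell
        on error resume next
        set objShell = wscript.createobject("wscript.shell")
        err.clear
        strValue = objShell.RegRead (strPath)
        if err.number = 0 then
            GetKey = strValue
        else
            GetKey = "0"
        end if
        set objShell = nothing
    End Function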
    '***********************************************************************************************************
  • Here is a chunk of VBScript that can help script moving files back in the case of moved files. Please note that this was originally written to move PDF files back. I'm not well versed in VB, so I've not edited this for this particular situation. Please be sure to edit and test before using, as I would hate for any of you to have to deal with more headaches than you already have. I provide this merely as a kick-off point to help those that need to pursue this option.

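    ' Script to move back files identified as infected using the SAV log files.
    ' It parses every file whose name starts with SAV_LOG_PRE_FIX in the SAV log
    ' directory (located via the registry) and, for each log line containing
    ' MESSAGE_STRING whose text also contains strPathContains, moves the file from
    ' the quarantine/moved location back to the original path recorded on that line.
    ' By default it logs to: "\Users\[User]\AppData\Local\Temp\MovePDFBack.txt" or
    ' "\documents and settings\[User]\Local Settings\Temp\MovePDFBack.txt" depending on OS.
    '
    ' Notes for anyone adapting this:
    '  * Both paths on a log line are taken verbatim from the SAV log and handed to
    '    FileSystemObject.MoveFile, so run it only against log files you trust and
    '    with an account that is allowed to write to the original locations.
    '  * A restore is logged as failed (not retried) when the moved copy is missing
    '    or a file already exists at the original path; MoveFile does not overwrite.
    const WOW_KEY         = "Wow6432Node"
    const FOR_READING     = 1
    const MESSAGE_STRING  = "has been moved to"
    const SAV_LOG_PRE_FIX = "SAV"
    dim strWow6432Node, strLogPath, objFSO, objFile, strLogFileName, strPathContains
    dim strSAVLogLocationDir, strRes, objLogFile, strRegPath
    dim objFolder, SAVFile, strLineIn, arrOfLine, strOrigFilePath, strNewFilePath
    strLogFileName  = "MovePDFBack.txt" 'Name of this script's own log file
    strPathContains = ".pdf"             'Only log lines whose text contains this are acted on
    'Setup global objects
    set objFSO  = CreateObject("Scripting.FileSystemObject")
    'Get script log file location to write to
    strLogPath  = GetLogLocation() & "\" & strLogFileName
    set objLogFile = objFSO.CreateTextFile(strLogPath, true)
    WriteToLog 0, "Starting script to recover quarantined files where: log contains the line: '" & MESSAGE_STRING & "' and path contains: '" & strPathContains & "'."
    'On a 64-bit OS a 32-bit application's HKLM\SOFTWARE keys are redirected under Wow6432Node.
    strWow6432Node = "\"
    if Is64(".") then
        strWow6432Node = "\" & WOW_KEY & "\"
        WriteToLog 0, "64-bit machine."
    else
        WriteToLog 0, "32-bit machine."
    end if
    strRegPath = "HKEY_LOCAL_MACHINE\SOFTWARE" & strWow6432Node & "Sophos\SAVService\Application\LogDir"
    strRes = GetKey(strRegPath)
    'GetKey signals failure with 0. Normalise with CStr so both a numeric 0 and the
    'string "0" are caught: in VBScript a number never compares equal to a string.
    if CStr(strRes) = "0" and strWow6432Node <> "\" then
        'If SAV is installed as a native 64-bit application its keys live in the native
        'hive rather than under Wow6432Node; try that path too before giving up.
        strRegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\Application\LogDir"
        strRes = GetKey(strRegPath)
    end if
    if CStr(strRes) = "0" then
        WriteToLog 1, "Failed to get SAV log location from registry."
        WriteToLog 1, "Exiting script."
        wscript.quit (1)
    else
        WriteToLog 0, "Read the SAV log location from registry."
    end if
    strSAVLogLocationDir = strRes
    WriteToLog 0, "Location of log directory: " & strSAVLogLocationDir
    'For each file whose name starts with SAV_LOG_PRE_FIX
    WriteToLog 0, "For each file in the directory that starts '" & SAV_LOG_PRE_FIX & "'."
    set objFolder = objFSO.GetFolder(strSAVLogLocationDir).files
    for each SAVFile in objFolder
        'Match the prefix only (the log message promises "starts with"), case-insensitively;
        'the previous InStr test matched the prefix anywhere in the name.
        if StrComp(Left(SAVFile.name, Len(SAV_LOG_PRE_FIX)), SAV_LOG_PRE_FIX, vbTextCompare) = 0 then
            set objFile = objFSO.OpenTextFile (strSAVLogLocationDir & "\" & SAVFile.name, FOR_READING, false, -1)
            WriteToLog 0, "=================Processing: '" & SAVFile.name & "'========================"
            do While objFile.AtEndOfStream <> true
                strLineIn = trim(objFile.ReadLine)
                if (instr (strLineIn, MESSAGE_STRING) > 0) and (instr(strLineIn, strPathContains) > 0) then
                    'Interested in the lines as it matches our requirements.
                    'Expected shape: ... "<original path>" has been moved to "<new path>" ...
                    'so splitting on the double quote leaves the paths at indices 1 and 3.
                    arrOfLine = split(strLineIn, """")
                    if UBound(arrOfLine) >= 3 then
                        strOrigFilePath = trim (arrOfLine(1))
                        strNewFilePath  = trim (arrOfLine(3))
                        WriteToLog 0, strOrigFilePath & " -> " & strNewFilePath
                        if MoveFileBack (strNewFilePath, strOrigFilePath) then
                            WriteToLog 0, "File restored."
                        else
                            WriteToLog 0, "File restore failed."
                        end if
                    else
                        'Fewer than two quoted paths: do not index past the array, just record it.
                        WriteToLog 1, "Skipping line with unexpected format: " & strLineIn
                    end if
                end if
            loop
            'Release the file handle before moving on to the next log file.
            objFile.Close
            set objFile = nothing
        end if
    next
    '***********************************************************************************************************
    WriteToLog 0, "Script finished."
    set objFolder  = nothing
    objLogFile.Close
    set objLogFile = nothing
    set objFSO     = nothing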
    
    '***********************************************************************************************************
    'Functions
    '***********************************************************************************************************
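    Function GetLogLocation()
        'Returns the folder this script writes its own log to: the user's temp folder
        '(GetSpecialFolder(2) = TemporaryFolder), falling back to C:\windows\temp when
        'that cannot be resolved. The result carries no trailing backslash; the caller
        'appends "\" & strLogFileName itself (the old fallback ended in "\" and produced
        'a doubled separator).
        dim objTempFolder
        on error resume next
        err.clear
        Set objTempFolder = objFSO.GetSpecialFolder(2)
        if err.number <> 0 or IsEmpty(objTempFolder) then
            GetLogLocation = "C:\windows\temp" 'Set to Windows temp if can't get the dir.
        else
            'Read the Path property explicitly instead of relying on the Folder default property.
            GetLogLocation = objTempFolder.Path
        end if
        Set objTempFolder = nothing
    End function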
    '***********************************************************************************************************
    '***********************************************************************************************************
    Function MoveFileBack (strCurrentLocation, srcOrigLocation)
        'Moves the quarantined/moved copy at strCurrentLocation back to srcOrigLocation.
        'Returns true when the move succeeded, false when the source is missing or
        'MoveFile raised (for example because a file already exists at the destination).
        'Every outcome is written to the script log via WriteToLog.
        dim blnRestored
        WriteToLog 0, "-->MoveFileBack()"
        on error resume next
        err.clear
        blnRestored = false
        If Not objFSO.FileExists(strCurrentLocation) Then
            WriteToLog 1, "Moving file back failed as file " & strCurrentLocation & " doesn't exist."
        Else
            WriteToLog 0, "File exists: " & strCurrentLocation & " attempt to move back to: " & srcOrigLocation
            objFSO.moveFile strCurrentLocation, srcOrigLocation
            'Under On Error Resume Next the only signal of a failed move is err.number.
            if err.number = 0 then
                blnRestored = true
            else
                WriteToLog 1, "Failed to move file: " & err.number & " : " & err.description
            end if
        End If
        MoveFileBack = blnRestored
        WriteToLog 0, "<--MoveFileBack()"
    End Function
    '***********************************************************************************************************
    
    '***********************************************************************************************************
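    Function Is64(strMachineName)
        'Returns true when the processor on strMachineName (use "." for the local machine)
        'reports a 64-bit AddressWidth via WMI, false otherwise. Exits the script with
        'code 1 if the WMI connection or query fails.
        WriteToLog 0, "-->Is64(" & strMachineName & ")"
        dim objWMIService, objColSettings, strDesc, objProcessor
        Is64 = false 'Default to 32-bit so an unrecognised width never leaves the result Empty.
        on error resume next
        err.clear
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strMachineName & "\root\cimv2")
        Set objColSettings = objWMIService.ExecQuery ("SELECT AddressWidth FROM Win32_Processor")
        if err.number <> 0 then
            'WriteToLog takes exactly two arguments; the previous third argument raised a
            '"wrong number of arguments" error that On Error Resume Next swallowed, so the
            'real error message was never logged before quitting.
            WriteToLog 1, "Error Number: " & err.number & " Error Description: " & err.description
            wscript.quit(1)
        end if
        For Each objProcessor In objColSettings
            strDesc = objProcessor.AddressWidth
        Next
        'AddressWidth comes back as a numeric Variant, and in VBScript a number never
        'compares equal to a string such as "64"; normalise to a string before comparing.
        if CStr(strDesc) = "64" then
            Is64 = true
        end if
        Set objWMIService = nothing
        set objColSettings = nothing
        WriteToLog 0, "<--Is64()"
    End Function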
    '***********************************************************************************************************
    
    '*********************************************************************************************************** 
    Function WriteToLog (strSev, strLogLine)
        'Appends one timestamped line to the script log (the global objLogFile).
        'strSev 0 is tagged "INF: ", 1 is tagged "ERR: ", anything else "UNKNOWN: ".
        'The function returns nothing; it exists only for its side effect on the log.
        dim strTag
        if strSev = 0 then
            strTag = "INF: "
        elseif strSev = 1 then
            strTag = "ERR: "
        else
            strTag = "UNKNOWN: "
        end if
        objLogFile.WriteLine Date() & " " & Time() & " " & strTag & " " & strLogLine
    End Function
    '***********************************************************************************************************
    '***********************************************************************************************************
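    Function GetKey(strPath)
        'Reads the registry value at strPath (a full HKEY_... path) with WScript.Shell.RegRead.
        'Returns the value's data, or the string "0" when the read fails (missing key or
        'value, access denied, ...). The failure marker is a string so the caller's test
        'strRes = "0" actually matches: in VBScript a numeric 0 never equals "0", which
        'is what the previous numeric return produced. A real value of "0" is therefore
        'indistinguishable from failure (existing design).
        dim strValue
        dim objShell
        on error resume next
        set objShell = wscript.createobject("wscript.shell")
        err.clear
        strValue = objShell.RegRead (strPath)
        if err.number = 0 then
            GetKey = strValue
        else
            GetKey = "0"
        end if
        set objShell = nothing
    End Function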
    '***********************************************************************************************************