Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • Here is an updated version of my cleanup script.

    This has improved 64bit detection thanks to an earlier posting.

    This script stops all the services (using their long names) and deletes the bad definition. It then recreates the autoupdater by copying the files from a clean staging area and then restarts the services and re-fires the Sophos shield icon.

    http://pastebin.com/V3dyaNn5

    @ECHO off
    ECHO.
    ECHO --------------------------------------------------------------------
    ECHO Sophos Bad-Update Fixer Batch File -
    ECHO            removes bad definition and rebuilds the auto-updater
    ECHO  Written by Stewart Moss from Accumulo Consulting (Pty) Ltd.
    ECHO  Version 1.0.2 - 20-Sept-2012 - Improved 32bit and 64bit detection
    ECHO --------------------------------------------------------------------
    REM  This script is for Sophos, Sophos Agents and their customers and intended to simplify
    REM  cleaning up from a bad update definition. This script is to be used at your own RISK.
    REM  Neither Accumulo Consulting (Pty) Ltd nor the Author will take any responsibility for
    REM  any damage done by this script
    REM
    REM NOTE: Please change the paths which say "\\MyServer\Staging\AutoUpdate\" to point to a 
    REM copy of the autoupdater which you have placed into a staging area.
    REM
    REM The autoupdater folder in the staging area is the entire folder copied from the CIDs
    REM "\\MyServer\SophosUpdate\CIDs\S000\SAVSCFXP\sau\program files\Sophos\AutoUpdate"
    REM
    REM History: 1.0.2 Script detects between 32bit and 64bit o/s only. Not interested
    REM in which operating system version.
    REM
    REM Known issues... Does not kill the ALMON.EXE process and the shield does not show.
    REM  The system would still have been rebuilt correctly with this process running.
    REM  Workaround: Using taskmgr.exe to kill ALMON.EXE process and re-fire this script.
    REM
    ECHO Copyright 2012 by Accumulo Consulting (Pty) Ltd. All rights reserved.
    REM  All copyright information needs to remain as it is.
    ECHO Visit us at: http://www.accumulo.co.za/
    ECHO.
    
    ECHO Stopping Services
    
    NET STOP "Sophos Agent"
    NET STOP "Sophos Anti-Virus"
    NET STOP "Sophos Anti-Virus status reporter"
    NET STOP "Sophos AutoUpdate Service"
    NET STOP "Sophos Message Router"
    NET STOP "Sophos Web Control Service"
    NET STOP "Sophos Web Intelligence Service"
    
    REM 32 bit or 64 bit Operating System Detection to copy to the right location
    
    IF EXIST "%ProgramFiles(x86)%" Goto Windows64bit
    
    :Windows32Bit
    ECHO Processing for 32bit operating systems.
    
    ECHO Copying AutoUpdate
    xcopy "\\MyServer\Staging\AutoUpdate\*.*" "C:\program files\sophos\AutoUpdate\" /S /E /Y /H /R /K /C
    
    ECHO Deleting offending definition
    REM /d also switches drive, so the del below cannot run in the wrong folder
    cd /d "C:\program files\Sophos\sophos anti-virus"
    del /f "agen-xuv.ide"
    
    ECHO Starting 32bit Services
    
    NET START "Sophos Agent"
    NET START "Sophos Anti-Virus"
    NET START "Sophos Anti-Virus status reporter"
    NET START "Sophos AutoUpdate Service"
    NET START "Sophos Message Router"
    NET START "Sophos Web Control Service"
    NET START "Sophos Web Intelligence Service"
    
    ECHO Starting ALMON.EXE to bring shield back
    ECHO If the batch file hangs here, check the sophos shield is loaded and you can close this window.
    ECHO Our work is done.
    ECHO.
    "C:\program files\sophos\AutoUpdate\ALMON.EXE"
    
    goto NowDoneStartServices
    
    :Windows64bit
    
    ECHO Processing for 64bit operating systems.
    
    ECHO Copying AutoUpdate
    xcopy "\\MyServer\Staging\AutoUpdate\*.*" "C:\program files (x86)\sophos\AutoUpdate\" /S /E /C /Y /H /R /K
    
    ECHO Deleting offending definition
    REM /d also switches drive, so the del below cannot run in the wrong folder
    cd /d "C:\program files (x86)\Sophos\sophos anti-virus"
    del /f "agen-xuv.ide"
    
    ECHO Starting 64bit Services
    
    NET START "Sophos Agent"
    NET START "Sophos Anti-Virus"
    NET START "Sophos Anti-Virus status reporter"
    NET START "Sophos AutoUpdate Service"
    NET START "Sophos Message Router"
    NET START "Sophos Web Control Service"
    NET START "Sophos Web Intelligence Service"
    
    ECHO Starting ALMON.EXE to bring shield back
    ECHO If the batch file hangs here, check the sophos shield is loaded and you can close this window.
    ECHO Our work is done.
    ECHO.
    start /d "C:\program files (x86)\sophos\AutoUpdate\" ALMON.EXE
    
    :NowDoneStartServices
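
A post-run check for the procedure above, as an added example that is not part of the original post or the author's script: it confirms the bad definition is gone, the restarted services are running, and the binaries copied from the staging share are validly signed. Service names, the IDE file name and install paths come from the batch file; that the vendor's `.exe`/`.dll` files carry Authenticode signatures is an assumption.

```powershell
# Added example: post-run check for the cleanup batch file above.
# Service display names, the IDE file name and install paths are taken from that script.
$services = @(
    'Sophos Agent', 'Sophos Anti-Virus', 'Sophos Anti-Virus status reporter',
    'Sophos AutoUpdate Service', 'Sophos Message Router',
    'Sophos Web Control Service', 'Sophos Web Intelligence Service'
)

# Same 32/64-bit decision as the batch file: use "Program Files (x86)" when it exists.
$pf = ${env:ProgramFiles(x86)}
if (-not $pf) { $pf = $env:ProgramFiles }
$sophos = Join-Path $pf 'Sophos'
$problems = @()

# 1. The bad definition must be gone.
$ide = Join-Path $sophos 'Sophos Anti-Virus\agen-xuv.ide'
if (Test-Path -LiteralPath $ide) { $problems += "Definition still present: $ide" }

# 2. Every service the script restarted must be running.
foreach ($name in $services) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) { $problems += "Service not installed: $name" }
    elseif ($svc.Status -ne 'Running') { $problems += "Service $name is $($svc.Status)" }
}

# 3. Binaries copied from the staging share must carry a valid Authenticode signature
#    (assumption: the vendor signs them; unsigned files are reported as NotSigned).
$autoUpdate = Join-Path $sophos 'AutoUpdate'
if (Test-Path -LiteralPath $autoUpdate) {
    Get-ChildItem -LiteralPath $autoUpdate -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                $problems += "Signature $($sig.Status): $($_.FullName)"
            }
        }
} else {
    $problems += "AutoUpdate folder missing: $autoUpdate"
}

# Exit code 0 = clean, 1 = at least one problem, so a deployment tool can collect results.
if ($problems.Count -eq 0) { Write-Output 'OK: cleanup verified'; exit 0 }
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```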