
Is anyone else seeing this alert - Shh/Updater-B False positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.



  • I keep trying to follow the instructions here: http://www.sophos.com/en-us/support/knowledgebase/118327.aspx and can't get past the first part. I can't download javab-jd.ide at all. I've tried everything I've looked up, and followed the instructions listed but it won't download. When I try to update, it says no updates are required and so nothing comes through, but I've checked \Program Files (x86)\Sophos\Sophos Anti-Virus and it isn't there.

    I've disabled indexing, I've enabled Live Protection, I've added the exceptions...

    I'm not really that tech savvy (I'm a home user who gets Sophos through my university), so I need really plain instructions.

    My most recent trace log:

    Trace(2012-Sep-23 04:13:48): ALUpdate started: -ManualUpdate  -NoGUI -RootPath "C:\Program Files (x86)\Sophos\AutoUpdate"
    Trace(2012-Sep-23 04:13:48): Product subscription is disabled: iProductData.{390DCDC2-10A9-4ef3-B8D8-0CA7F0E7EB92} action value is:0
    Trace(2012-Sep-23 04:13:48): Product iProductData.{390DCDC2-10A9-4ef3-B8D8-0CA7F0E7EB92} has not been added.
    Trace(2012-Sep-23 04:13:48): Product subscription is disabled: iProductData.{D752FAB9-5883-4b36-8740-61565B6BAD29} action value is:0
    Trace(2012-Sep-23 04:13:48): Product iProductData.{D752FAB9-5883-4b36-8740-61565B6BAD29} has not been added.
    Trace(2012-Sep-23 04:13:48): Product iProductData.{E17FE03B-0501-4aaa-BC69-0129D965F311} has been added.
    Trace(2012-Sep-23 04:13:48): Product iProductData.{E17FE03B-0501-4aaa-BC69-0129D965F311} is  available from Sophos.
    Trace(2012-Sep-23 04:13:48): Product iProductData.{E17FE03B-0501-4aaa-BC69-0129D965F311} is not  the Spam Rules package.
    Trace(2012-Sep-23 04:13:48): Product subscription is disabled: iProductData.{7998C326-2CA5-4830-B7D2-B792D2460975} action value is:0
    Trace(2012-Sep-23 04:13:48): Product iProductData.{7998C326-2CA5-4830-B7D2-B792D2460975} has not been added.
    Trace(2012-Sep-23 04:13:48): Product iProductData.{3B758ED7-87C1-4e89-BDE1-F49DFF1249F6} has not been added.
    Trace(2012-Sep-23 04:13:48): Product iProductData.{B5E7E2A7-3B64-437D-801F-21CC9D67CC6D} has been added.
    Trace(2012-Sep-23 04:13:48): Product iProductData.{B5E7E2A7-3B64-437D-801F-21CC9D67CC6D} is  available from Sophos.
    Trace(2012-Sep-23 04:13:48): Product iProductData.{B5E7E2A7-3B64-437D-801F-21CC9D67CC6D} is  the Spam Rules package.
    Trace(2012-Sep-23 04:13:48): Computer is a not possible cluster
    Trace(2012-Sep-23 04:13:48): PureMessageDetector::AreSpamRulesRequired - Could not open registry on Software\Sophos\MMEx\Config\Global
    Trace(2012-Sep-23 04:13:48): ConfigurationImpl, considering PMSR 2.6: PureMessage not installed, PMSR package will not be updated without a subscription
    Trace(2012-Sep-23 04:13:48): Considering subscribed products.
    Trace(2012-Sep-23 04:13:48): Considering product {9BF40A4E-23AE-48be-9974-5A1F261DBEE8}
    Trace(2012-Sep-23 04:13:48): Product {9BF40A4E-23AE-48be-9974-5A1F261DBEE8} is not already subscribed.
    Trace(2012-Sep-23 04:13:48): Product {9BF40A4E-23AE-48be-9974-5A1F261DBEE8} was added to the list.
    Trace(2012-Sep-23 04:13:48): Could not read registry entry containing Sophos address - using hardcoded value.
    Trace(2012-Sep-23 04:13:48): GenerateCustomerID: complete
    Trace(2012-Sep-23 04:13:48): Computer is a not possible cluster
    Trace(2012-Sep-23 04:13:48): PureMessageDetector::AreSpamRulesRequired - Could not open registry on Software\Sophos\MMEx\Config\Global
    Trace(2012-Sep-23 04:13:49): IPCBase::IPCBase: Initialising shared memory A32951C539924a12B3C8F2FDA5A268E4
    Trace(2012-Sep-23 04:13:49): IPCSender::ProcessSend started
    Trace(2012-Sep-23 04:13:49): IPCSender::ProcessSend: No messages in queue, starting to wait
    Trace(2012-Sep-23 04:13:49): RMSMessageHandler: ALUpdateStart
    Trace(2012-Sep-23 04:13:49): IPCSender::Write: Writing message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSStartUpdate" />
    Trace(2012-Sep-23 04:13:49): IPCSender::ProcessSend: Send message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSStartUpdate" />
    Trace(2012-Sep-23 04:13:49): IPCSender::ProcessSend: No messages in queue, starting to wait
    Trace(2012-Sep-23 04:13:49): ALUpdate(AutoUpdate.Started):
    Trace(2012-Sep-23 04:13:49): UpdateCoordinator::UpdateNow: Entering
    Trace(2012-Sep-23 04:13:49): PopulateCache: Entering
    Trace(2012-Sep-23 04:13:49): UpdateCoordinator::UpdateNow: About to Sync list of products
    Trace(2012-Sep-23 04:13:49): UpdateLocationFacade::SyncProduct: Last Update Mechanism = CID
    Trace(2012-Sep-23 04:13:49): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, Started:
    Trace(2012-Sep-23 04:13:49): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, creating update location
    Trace(2012-Sep-23 04:13:49): Calling package_source_init
    Trace(2012-Sep-23 04:13:49): TrySyncProduct, Calling BeginSync
    Trace(2012-Sep-23 04:13:49): CalculateChecksum. Processing file C:\ProgramData\Sophos\AutoUpdate\cache\escdp.dat
    Trace(2012-Sep-23 04:13:49): Remote connection over HTTP.
    Trace(2012-Sep-23 04:13:50): Read file master.upd (Remote).
    Trace(2012-Sep-23 04:13:50): Synchronised file root.upd (Local).
    Trace(2012-Sep-23 04:13:50): Synchronised file escdp.dat (Local).
    Trace(2012-Sep-23 04:13:50): ParseCustomerIDFile: completed: 0
    Trace(2012-Sep-23 04:13:50): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, Calling SyncProduct with {E17FE03B-0501-4aaa-BC69-0129D965F311}
    Trace(2012-Sep-23 04:13:50): CIDUpdateLocation::SyncProduct - Updating Product: SAVXP
    Trace(2012-Sep-23 04:13:50): CIDUpdate(SyncProduct.Start): SAVXP, http://avupdate.xx.xxx.xx/SophosAtHome/CIDs/S000/xxxxxxxx/
    Trace(2012-Sep-23 04:13:50): Checksum found in master.upd matches cached cidsync.upd : 275ccb28. Skipping download
    Trace(2012-Sep-23 04:13:50): CIDUpdate(PrimarySuccess):
    Trace(2012-Sep-23 04:13:50): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, SyncProduct returned - 1
    Trace(2012-Sep-23 04:13:50): TrySyncProduct<class AutoUpdate::CIDUpdateLocation>, Ended - 1
    Trace(2012-Sep-23 04:13:50): UpdateLocationFacade::SyncProduct: Last Update Mechanism = CID
    Trace(2012-Sep-23 04:13:50): CIDUpdateLocation::SyncProduct - Updating Product: Sophos AutoUpdate
    Trace(2012-Sep-23 04:13:50): CIDUpdate(SyncProduct.Start): Sophos AutoUpdate, http://avupdate.xx.xxx.xx/SophosAtHome/CIDs/S000/xxxxxxxx/
    Trace(2012-Sep-23 04:13:50): Checksum found in master.upd matches cached cidsync.upd : bf9b3c06. Skipping download
    Trace(2012-Sep-23 04:13:50): CIDUpdate(PrimarySuccess):
    Trace(2012-Sep-23 04:13:51): ALUpdate(DownloadEnded):
    Trace(2012-Sep-23 04:13:51): UpdateCoordinator::UpdateNow: About to Action list of products
    Trace(2012-Sep-23 04:13:51): ALUpdate(Action.Skipped): SAVXP
    Trace(2012-Sep-23 04:13:51): ALUpdate(Action.Skipped): Sophos AutoUpdate
    Trace(2012-Sep-23 04:13:52): RMSMessageHandler: ALUpdateEnd
    Trace(2012-Sep-23 04:13:52): Sending message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate" />
    Trace(2012-Sep-23 04:13:52): IPCSender::Write: Writing message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate" />
    Trace(2012-Sep-23 04:13:52): IPCSender::ProcessSend: Listener not ready starting to wait
    Trace(2012-Sep-23 04:13:53): IPCSender::ProcessSend exiting


  • Piratefishy wrote:

    I keep trying to follow the instructions here: http://www.sophos.com/en-us/support/knowledgebase/118327.aspx and can't get past the first part. I can't download javab-jd.ide at all. I've tried everything I've looked up, and followed the instructions listed but it won't download. When I try to update, it says no updates are required and so nothing comes through, but I've checked \Program Files (x86)\Sophos\Sophos Anti-Virus and it isn't there.

    I've disabled indexing, I've enabled Live Protection, I've added the exceptions...

    I'm not really that tech savvy (I'm a home user who gets Sophos through my university), so I need really plain instructions.

    Since you're obtaining your updates through your university, they will need to fix the update server first before you can get the file. Without access to it yourself, there isn't much more you can do on that front.

    With the changes you've made to the policy, you shouldn't be getting the alerts any more. If you open the Quarantine manager, select all the items detected, then click "Clear List", do any of them come back? If so, and you just need to get Sophos Anti-Virus to stop blocking your applications, delete the file agen-xuv.ide from C:\Program Files (x86)\Sophos\Sophos Anti-Virus\, then click Start > Run and type "services.msc" without the quotation marks. Once the Services snap-in opens, locate the Sophos Anti-Virus service and restart it. Clear the items from the Quarantine Manager as mentioned above and you should be all set. Once the university gets the update source straightened out, then you will resume receiving updates.

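The reasoning in the reply above can be read straight off the trace log, so here is an added example (not code from the thread or from Sophos; the regexes and function names are mine, derived from the Trace(...) lines posted) that parses an AutoUpdate trace and reports whether the client pulled anything new from its update source (CID) or merely re-synced an unchanged one:

```python
"""Triage a Sophos AutoUpdate trace log: did this client fetch anything new?
Added example, not from the thread or from Sophos: it reads Trace(...) lines like
the ones Piratefishy posted and tells you whether "no updates are required" means
the client is broken or simply in sync with a CID that lacks the fix IDE yet."""
import re

# Constructed sample: a trimmed copy of the trace lines posted in the thread.
SAMPLE_TRACE = """\
Trace(2012-Sep-23 04:13:49): UpdateLocationFacade::SyncProduct: Last Update Mechanism = CID
Trace(2012-Sep-23 04:13:50): CIDUpdate(SyncProduct.Start): SAVXP, http://avupdate.xx.xxx.xx/SophosAtHome/CIDs/S000/xxxxxxxx/
Trace(2012-Sep-23 04:13:50): Checksum found in master.upd matches cached cidsync.upd : 275ccb28. Skipping download
Trace(2012-Sep-23 04:13:50): CIDUpdate(SyncProduct.Start): Sophos AutoUpdate, http://avupdate.xx.xxx.xx/SophosAtHome/CIDs/S000/xxxxxxxx/
Trace(2012-Sep-23 04:13:50): Checksum found in master.upd matches cached cidsync.upd : bf9b3c06. Skipping download
Trace(2012-Sep-23 04:13:51): ALUpdate(Action.Skipped): SAVXP
Trace(2012-Sep-23 04:13:51): ALUpdate(Action.Skipped): Sophos AutoUpdate
"""

TRACE_RE = re.compile(r"^Trace\((?P<ts>[^)]+)\): (?P<msg>.*)$")
START_RE = re.compile(r"CIDUpdate\(SyncProduct\.Start\): (?P<product>[^,]+), (?P<url>\S+)")
SKIP_RE = re.compile(r"matches cached cidsync\.upd : (?P<sum>[0-9a-f]+)\. Skipping download")
ACTION_RE = re.compile(r"ALUpdate\(Action\.(?P<action>\w+)\): (?P<product>.+)")


def parse_trace(text):
    """Return (update source URL, per-product state) from AutoUpdate trace lines."""
    source, current, products = None, None, {}
    for raw in text.splitlines():
        m = TRACE_RE.match(raw.strip())
        if not m:
            continue  # not a Trace(...) line
        msg = m.group("msg")
        if s := START_RE.search(msg):
            # A product sync begins; the checksum lines that follow belong to it.
            current, source = s.group("product"), s.group("url")
            products.setdefault(current, {"download": "unknown", "checksum": None, "action": None})
        elif (k := SKIP_RE.search(msg)) and current:
            # master.upd on the source still matches the local cache: nothing new to fetch.
            products[current]["download"] = "skipped"
            products[current]["checksum"] = k.group("sum")
        elif a := ACTION_RE.search(msg):
            state = products.setdefault(a.group("product"), {"download": "unknown", "checksum": None, "action": None})
            state["action"] = a.group("action")
    return source, products


def verdict(source, products):
    """Say where the fix is stuck: on this client or on its update source."""
    if not products:
        return "no product sync found; check that AutoUpdate ran at all"
    unchanged = all(p["download"] == "skipped" and p["action"] == "Skipped"
                    for p in products.values())
    if unchanged:
        return ("client is in sync with an unchanged update source %s; "
                "the fix IDE must be published there before the client can fetch it" % source)
    return "client pulled or actioned new content from %s; check its IDE directory" % source


if __name__ == "__main__":
    src, prods = parse_trace(SAMPLE_TRACE)
    for name, state in prods.items():
        print("%-20s download=%-8s action=%s" % (name, state["download"], state["action"]))
    print(verdict(src, prods))
```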
  • Hi Nathan,

    I want to make it short:

    Got two connections to Sophos Support in North America; one with Kirk (?) somewhere and some with James in Vancouver.

    Both of them fixed some issues online, but neither of them was able to help with all of it.

    So I once again request a major fix for the whole system: Erase the leftovers of the cluttered installation to prepare the ENTIRE environment for a reinstall.

    Is THIS too hard for you guys, or is it a matter of just dropping Sophos into the arms of other competitors??? I don't want your techie stuff any longer; I just want to have a solution before the CEO calls me in Monday morning, where at the moment I would have to blame the whole matter on Sophos and have nothing to tell him about how you solved it.

    To make it short for you: I need a procedure to uninstall ALL leftovers of your trash, then reinstall it properly on our system. Anything else is just a waste of time.

  • Hello Sophos

    Try to add options to kill the Almon.exe, Alsvc.exe and msiexec.exe processes in the .vbs fix.

    ' FixUpdate.vbs (136, 9) (null) or
    ' FixUpdate.vbs(135, 26) error
    '
    ' Change Windows Installer to Manual mode
    ' ------------------------------------------
    strComputer = "."
    ' Connect to WMI on the local machine
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colServiceList = objWMIService.ExecQuery _
        ("Select * from Win32_Service where Name = 'msiserver'")
    For Each objService in colServiceList
       ' StartMode is the fifth argument of Win32_Service.Change; a return code of 0 means success
       errReturnCode = objService.Change( , , , , "Manual")
       WScript.Echo errReturnCode
    Next


    ' FixUpdate.vbs (136, 9) (null) or
    ' FixUpdate.vbs(135, 26) error
    '
    ' Kill all msiexec processes
    ' ------------------------------------------
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colProcessList = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_Process WHERE Name = 'msiexec.exe'")
    For Each objProcess in colProcessList
       ' Terminate every running Windows Installer process so the fix is not blocked
       objProcess.Terminate()
    Next

     Regards

    Linck Tello Flores

    www.innovare.pe

  • Hello

    To solve this trouble I used these steps to execute the Sophos .vbs script remotely on all affected machines.

    Prerequisites:

    1. Work on the Sophos Enterprise Console server.
    2. Download the Microsoft PsExec utility from http://technet.microsoft.com/en-us/sysinternals/bb897553
    3. If detection of Adware/PUA is enabled in the "Antivirus and HIPS" policy, it is necessary to authorize "psexec.exe" before launching the script.
    4. Download the Sophos script from http://downloads.sophos.com/tools/FixUpdate.zip

    Steps:

    1. Unzip the file FixUpdate.zip into a shared directory; this can be a directory in your CID, for example:

         \\your-cid\SophosUpdate\SophosFix

    2. Create a work directory on the C: drive; this can be "SophosFix".

    3. Copy the psexec.exe file into the work directory C:\SophosFix.

    4. Create the file "executefixremote.bat" in the C:\SophosFix directory with this content:

    @echo off
    
    rem \\your-cid\SophosUpdate\SophosFix : the share path from step 1.
    rem <username> : a username with access to the remote share, e.g. SRVSOPHOS\SophosEconsoleMgr
    rem <password> : the password for that username

    rem ** code executed on the remote machine **
    net use o: \\your-cid\SophosUpdate\SophosFix /User:<username> <password> /persistent:no
    xcopy "o:\FixUpdate.vbs" "%systemRoot%\system32" /Y /H /R /K /C
    xcopy "o:\javab-jd.ide" "%systemRoot%\system32" /Y /H /R /K /C
    cscript //nologo FixUpdate.vbs /fixIssues:true /cid:\\your-cid\SophosUpdate\CIDs\S000\SAVSCFXP /updateNow:false /clearQuarantine:true
    net use o: /Delete

    rem ** done **

    5. Obtain the list of affected machines with the Sophos SQL scripts (http://www.sophos.com/en-us/support/knowledgebase/118324.aspx) and create a .txt file named computers.txt in the C:\SophosFix work directory. This computers.txt file should contain only the names, one per line and without any spaces.

    For example:

    WSK0010
    WSK0020
    WSK0039

    6. This step checks the C:\SophosFix directory, which should contain 3 files:

    C:\SophosFix>
    executefixremote.bat
    psexec.exe
    computers.txt

    7. Check that executefixremote.bat works with one affected machine. Open a cmd.exe command prompt.

       Now use this command:

    C:\SophosFix>psexec \\WSK0009 -c -v executefixremote.bat -d

       The result is verbose output similar to:

    C:\SophosFix>psexec \\WSK0009 -c -v executefixremote.bat -d
    
    PsExec v1.98 - Execute processes remotely
    Copyright (C) 2001-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    
    Se ha completado el comando correctamente.
    
    O:\FixUpdate.vbs
    1 archivos copiados
    O:\javab-jd.ide
    1 archivos copiados
    Version 4.3
    Fix issues enabled.
    Clearing the quarantine option enabled
    Overriding default CID \\ADSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\ with CID \\172.16.100.97\SophosUpdate\CIDs\S000\SAVSCFXP
    Problem IDE is present.
    IDE that fixes issue is present.
    Update received newer IDEs.
    There should be no issue.
    Stopping SAV service
    Deleting Quarantine.xml file
    Deleted quarantine file C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Quarantine.xml
    Writing false positive detections list to .\2012-9-22_19-21-49_001-FalsePosAll.txt
    Writing false positive moved list to .\2012-9-22_19-21-49_002-FalsePosMoved.txt
    Writing false positive moved to restore list to .\2012-9-22_19-21-49_003-ToRestoreMoved.txt
    Writing false positive deleted list to .\2012-9-22_19-21-49_004-FalsePosDeleted.txt
    Writing false positive deleted to restore list to .\2012-9-22_19-21-49_005-ToRestoreDeleted.txt
    No other files need to be moved back
    RMS files missing from the program files directory
    Starting SAV service
    o: se ha eliminado.
    
    executefixremote.bat exited on localhost with error code 0.
    
    C:\SophosFix>

    8. If step 7 works fine, proceed to launch the Sophos fix on all affected machines with this command:

    C:\SophosFix>psexec @computers.txt -c -v executefixremote.bat -d

    Notes: 

    1. From Sophos KB 118323: See the extracted Readme.txt file for changes from the previous version, and use the /help switch for usage instructions, e.g. cscript FixUpdate.vbs /help
    2. The .bat executes the script with /updateNow:false. When step 8 finishes, in the Sophos Enterprise Console select all machines that have not updated and select "Update Now".

    Regards

    Linck Tello Flores

    CTO

    www.innovare.pe

    P.S. My native language is Spanish, sorry for all the mistakes in the English text :smileywink:

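The procedure above, scripted as an added example (not the thread's .bat or a Sophos tool; the function names and the sample output are my own, the latter trimmed from the step 7 output posted): it validates computers.txt the way step 5 requires, builds the step 7 psexec command (with -d left off so the output can be captured), and turns FixUpdate's verbose output into a per-machine follow-up list for the step 8 mass run.

```python
"""Validate computers.txt (step 5), build the psexec command (step 7) and triage the
FixUpdate output of the mass run (step 8). Added example, not the thread's .bat or a
Sophos tool; -d is left off the psexec command so that the output can be captured."""
import re

CID_RE = re.compile(r"Overriding default CID (?P<default>\S+) with CID (?P<cid>\S+)")
EXIT_RE = re.compile(r"exited on \S+ with error code (?P<code>-?\d+)\.")

# Constructed sample, trimmed from the step 7 output posted in the thread.
SAMPLE_OUTPUT = r"""
Overriding default CID \\ADSERVER\SophosUpdate\CIDs\S000\SAVSCFXP\ with CID \\172.16.100.97\SophosUpdate\CIDs\S000\SAVSCFXP
Problem IDE is present.
IDE that fixes issue is present.
RMS files missing from the program files directory
executefixremote.bat exited on localhost with error code 0.
"""


def load_computers(text):
    """One host name per line, no spaces (step 5); blank lines are ignored."""
    names = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        name = raw.strip()
        if not name:
            continue
        if " " in name or "\\" in name:
            raise ValueError("computers.txt line %d: bad host name %r" % (lineno, name))
        names.append(name)
    return names


def build_psexec_command(host, bat="executefixremote.bat", psexec="psexec.exe"):
    """The step 7 command line: -c copies the .bat over, -v only if it is newer."""
    return [psexec, "\\\\" + host, "-c", "-v", bat]


def parse_fix_output(text):
    """Pull the decision-relevant lines out of the FixUpdate.vbs / psexec output."""
    res = {"cid": None, "problem_ide": False, "fix_ide": False, "rms_missing": False, "exit_code": None}
    for line in text.splitlines():
        line = line.strip()
        if m := CID_RE.search(line):
            res["cid"] = m.group("cid")
        elif line == "Problem IDE is present.":
            res["problem_ide"] = True
        elif line == "IDE that fixes issue is present.":
            res["fix_ide"] = True
        elif line.startswith("RMS files missing"):
            res["rms_missing"] = True
        elif m := EXIT_RE.search(line):
            res["exit_code"] = int(m.group("code"))
    return res


def follow_up_reasons(res):
    """Why a machine still needs attention after the fix ran; an empty list means done."""
    reasons = []
    if res["exit_code"] != 0:
        reasons.append("psexec exit code %r" % res["exit_code"])
    if res["problem_ide"] and not res["fix_ide"]:
        reasons.append("problem IDE present but fix IDE missing: check the CID")
    if res["rms_missing"]:
        reasons.append("RMS files missing: verify the client reports to the console")
    return reasons


print(follow_up_reasons(parse_fix_output(SAMPLE_OUTPUT)))
```

In a real run, feed each host from load_computers() to subprocess.run(build_psexec_command(host), capture_output=True, text=True) and pass its stdout to parse_fix_output().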
  • I would like to thank all our members for coming together to assist with the issues that are being seen. However, please do not post links to 3rd party email addresses or sites in order to offer assistance.

    If you do see links to other sites being posted, please flag these for the attention of a moderator, as whilst they may be genuine offers of assistance, if the tools have not been released by ourselves we cannot vouch for their safety. Once again we apologise for the pain and frustration our customers are having, but would ask that you please post source code on this site for any potential fixes where possible, and I would advise against visiting third party sites offering fixes.

    As always, please be careful online; I imagine that there are certainly those with malicious intent who may be attempting to exploit your frustrations.

  • Hello,

    Just got one client left now. Sadly, this one is a little trickier.

    Library not registered.
    ----- [outer exception] -----
       -- error: 0x8002801D
       -- facility: Dispatch (Scripting)
    
       at 6
       at 5
       at 4
       at 3
       at 2
       at 1
       at void __thiscall SubscriptionList::RefreshData(void)
       at __thiscall SubscriptionList::SubscriptionList(void)
       at int __cdecl Run(int,class bl::CommandLine,enum bl::ConsoleType::Type)
       at int __stdcall wWinMain(struct HINSTANCE__ *,struct HINSTANCE__ *,wchar_t *,int)

    Cannot find the correct DLL to re-register - I cannot open SEC?

    Gone through all the scripts as the client had "Deny access and move to... " option configured.

    SAV client removed from SEC server - is a reinstall required?

  • Hi Tinners, do you have a support call logged? If so, we could probably look into it a bit further with you if we have contact details and so on. We may be able to assist on that system if we can get a look at your logs for this system specifically.

  • Hi,

    Where do I have to add this?

    ' FixUpdate.vbs (136, 9) (null) or
    ' FixUpdate.vbs(135, 26) error
    '
    ' Change Windows Installer to Manual mode
    ' ------------------------------------------
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service where Name = 'msiserver'")
    For Each objService in colServiceList
       errReturnCode = objService.Change( , , , , "Manual")
       WScript.echo errReturnCode
    Next


    ' FixUpdate.vbs (136, 9) (null) or
    ' FixUpdate.vbs(135, 26) error
    '
    ' Kill all msiexec process
    ' ------------------------------------------
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colProcessList = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_Process WHERE Name = 'msiexec.exe'")
    For Each objProcess in colProcessList
       objProcess.Terminate()
    Next

    Thanks

  • Sophos,

    I've spent the time to read through all 111 pages of this thread to determine whether a solution has been provided to address non-Sophos application files that have been deleted by Sophos due to this false positive debacle. So far the few posts that have mentioned similar circumstances have been conveniently ignored or overlooked. Not to mention I'm unable to remove Sophos from clients without corrupting the IP stack, which prevents any network connection to the client.

    While you've provided solutions to get Sophos properly configured and functional again, you've mentioned nothing about what can be done to fix business-critical applications that have had files deleted due to this atrocity. Honestly, how a definition gets released that causes your own product to show up as a virus is beyond me; that is literally zero testing. Not one of your employees or testers put this into production within your business; that's unbelievably unacceptable, and an apology doesn't fix the mess that has been left behind.

    When will you be identifying applications that have been corrupted and providing solutions other than 'use a backup recovery application'? If the answer is 'there is nothing we can do', then I'm sorry, but this wouldn't be an issue if just one of your however many staff had installed this update on their own computer and picked it up before it was released to every business you accommodate. So you're going to have to do better than that.
