Is anyone else seeing this alert - Shh/Updater-B false positives

Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable. This is trickling in as alerts but at an alarming rate.

  • ' Script to copy back files identified as infected using the SAV log files.
    ' It will parse all files called SAV* in the SAV log directory for move actions.
    ' By default it logs to: "\Users\[User]\AppData\Local\Temp\CopyFilesBack.txt" or
    ' "\documents and settings\[User]\Local Settings\Temp\CopyFilesBack.txt" depending on OS.
    Option Explicit

    const WOW_KEY = "Wow6432Node"
    const FOR_READING = 1
    const OPEN_AS_UNICODE = -1 'TristateTrue: open the SAV log as Unicode text
    const SAV_LOG_PRE_FIX = "SAV"
    'Text of the "moved to" line in the SAV log. This is the German log text; it must
    'match the language of the SAV installation whose logs are being parsed.
    const MESSAGE_STRING = "wurde verschoben nach"
    const VIRUS_NAME = "Virus/Spyware 'Shh/"

    dim strWow6432Node, strLogPath, objFSO, objFile, strLogFileName
    dim strSAVLogLocation, strSAVLogLocationDir, strRes, objLogFile, strRegPath
    dim objFolder, SAVFile, intFound, strLineIn, arrOfLine, strOrigFilePath, strNewFilePath
    strLogFileName = "CopyFilesBack.txt" 'Lines contain the text in the constant "MESSAGE_STRING"

    'Setup global objects
    set objFSO = CreateObject("Scripting.FileSystemObject")
    'Get script log file location to write to
    strLogPath = GetLogLocation() & "\" & strLogFileName
    set objLogFile = objFSO.CreateTextFile(strLogPath, true)
    WriteToLog 0, "Starting script to recover quarantined files where the log contains the line: '" & MESSAGE_STRING & "'"
    strWow6432Node = "\"
    if Is64(".") then
        strWow6432Node = "\" & WOW_KEY & "\"
        WriteToLog 0, "64-bit machine."
    else
        strWow6432Node = "\"
        WriteToLog 0, "32-bit machine."
    end if
    strRegPath = "HKEY_LOCAL_MACHINE\SOFTWARE" & strWow6432Node & "Sophos\SAVService\Application\LogDir"
    strRes = GetKey(strRegPath)
    if strRes = "" then
        WriteToLog 1, "Failed to get SAV log location from registry."
        WriteToLog 1, "Exiting script."
        wscript.quit (1)
    else
        WriteToLog 0, "Read the SAV log location from registry."
    end if
    strSAVLogLocationDir = strRes
    WriteToLog 0, "Location of log directory: " & strSAVLogLocationDir
    'For each file that starts with 'SAV_LOG_PRE_FIX'
    WriteToLog 0, "For each file in the directory that starts '" & SAV_LOG_PRE_FIX & "'."
    set objFolder = objFSO.GetFolder(strSAVLogLocationDir).files
    for each SAVFile in objFolder
        if instr(SAVFile.name, SAV_LOG_PRE_FIX) > 0 then

            set objFile = objFSO.OpenTextFile (strSAVLogLocationDir & "\" & SAVFile.name, FOR_READING, false, OPEN_AS_UNICODE)
            WriteToLog 0, "=================Processing: '" & SAVFile.name & "'========================"
            intFound = 0 'Reset per file so a trailing detection line cannot leak into the next file

            do While objFile.AtEndOfStream <> true
                strLineIn = trim(objFile.ReadLine)

                'Text compare, so casing differences such as "Virus/spyware" still match
                if instr(1, strLineIn, VIRUS_NAME, vbTextCompare) > 0 then
                    intFound = 1
                    WriteToLog 0, "The next line will have info on " & VIRUS_NAME
                End if

                'The "moved to" line follows the detection line; make sure one exists before reading it
                if intFound = 1 and not objFile.AtEndOfStream then
                    strLineIn = trim(objFile.ReadLine)
                    WriteToLog 0, strLineIn
                    intFound = 0
                    if instr(1, strLineIn, MESSAGE_STRING, vbTextCompare) > 0 then
                        'Interested in this line as it matches our requirements:
                        'the original path is the first quoted string, the quarantine path the second.
                        arrOfLine = split(strLineIn, """")
                        if UBound(arrOfLine) >= 3 then
                            strOrigFilePath = trim (arrOfLine(1))
                            strNewFilePath = trim (arrOfLine(3))

                            WriteToLog 0, strOrigFilePath & " -> " & strNewFilePath
                            if CopyFileBack (strNewFilePath, strOrigFilePath) then
                                WriteToLog 0, "File restored."
                            else
                                WriteToLog 0, "File restore failed."
                            end if
                        else
                            WriteToLog 1, "Unexpected line format, skipping: " & strLineIn
                        end if
                    end if
                end if

            loop
            objFile.Close
        end if
    next
    '***********************************************************************************************************
    WriteToLog 0, "Script finished."
    set objFolder = nothing
    set objLogFile = nothing
    set objFSO = nothing

    '***********************************************************************************************************
    'Functions
    '***********************************************************************************************************
    Function GetLogLocation()
        dim objTempFolder

        on error resume next
        err.clear
        Set objTempFolder = objFSO.GetSpecialFolder(2) '2 = TemporaryFolder
        if err.number <> 0 then
            GetLogLocation = "C:\windows\temp" 'Set to Windows temp if can't get the dir.
        else
            GetLogLocation = objTempFolder.Path
        end if
        err.clear

        Set objTempFolder = nothing

    End function
    '***********************************************************************************************************
    '***********************************************************************************************************
    Function CopyFileBack (strCurrentLocation, srcOrigLocation)

        WriteToLog 0, "-->CopyFileBack()"

        on error resume next
        err.clear

        If objFSO.FileExists(strCurrentLocation) Then
            WriteToLog 0, "File exists: " & strCurrentLocation & " attempt to move back to: " & srcOrigLocation
            'MoveFile fails (and is logged below) if a file already exists at the original location
            objFSO.MoveFile strCurrentLocation, srcOrigLocation

            if err.number <> 0 then
                WriteToLog 1, "Failed to move file: " & err.number & " : " & err.description
                CopyFileBack = false
            else
                CopyFileBack = true
            end if

        else
            WriteToLog 1, "Moving file back failed as file " & strCurrentLocation & " doesn't exist."
            CopyFileBack = false
        End If

        WriteToLog 0, "<--CopyFileBack()"

    End Function
    '***********************************************************************************************************

    '***********************************************************************************************************
    Function Is64(strMachineName)
        WriteToLog 0, "-->Is64(" & strMachineName & ")"
        on error resume next

        err.clear

        dim objWMIService, objColSettings, strDesc, objProcessor
        Is64 = false

        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strMachineName & "\root\cimv2")
        Set objColSettings = objWMIService.ExecQuery ("SELECT AddressWidth FROM Win32_Processor")

        if err.number <> 0 then
            WriteToLog 1, "Error Number: " & err.number & " Error Description: " & err.description
            wscript.quit(1)
        end if

        For Each objProcessor In objColSettings
            'AddressWidth is numeric; convert it to a string so it can be compared reliably below
            strDesc = CStr(objProcessor.AddressWidth)
        Next

        if strDesc = "64" then
            Is64 = true
        end if

        Set objWMIService = nothing
        set objColSettings = nothing

        WriteToLog 0, "<--Is64()"

    End Function
    '***********************************************************************************************************

    '***********************************************************************************************************
    Function WriteToLog (strSev, strLogLine)
        dim strToWrite
        strToWrite = ""

        select case strSev
            case 0
                strToWrite = "INF: "
            case 1
                strToWrite = "ERR: "
            case else
                strToWrite = "UNKNOWN: "
        end select

        objLogFile.WriteLine Date() & " " & Time() & " " & strToWrite & strLogLine

    End Function
    '***********************************************************************************************************
    '***********************************************************************************************************
    Function GetKey(strPath)
        on error resume next
        dim strPathToLog
        dim objReg

        set objReg = wscript.createobject("wscript.shell")

        err.clear
        strPathToLog = objReg.RegRead (strPath)
        if err.number = 0 then
            GetKey = strPathToLog
        else
            GetKey = "" 'Return an empty string on failure; the caller tests for ""
        end if

        set objReg = nothing

    End Function
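An added example, not the script from the post above and not Sophos' own code: the same detection-line / "moved to"-line pairing in Python, with a dry-run plan that only returns files whose detection names the known false positive and whose original location is under the Sophos program directory, so unrelated quarantined files stay put for manual review. The sample log lines are constructed from the alert text quoted at the top of the thread; the English "has been moved to" phrase, the Safestore paths, the timestamps and every file name other than swi_update.exe are assumptions.

```python
"""Parse Sophos SAV log lines and plan the return of quarantined files.

Added example, not the VBScript posted in the thread. The line layout is
reconstructed from the alert quoted in the thread; the English "has been moved
to" phrase and the quarantine paths are assumptions, and the German "wurde
verschoben nach" is the phrase the posted script matches.
"""
import os
import re
import shutil
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

# Detection line, as quoted in the thread's opening post.
DETECTION_RE = re.compile(
    r"Virus/spyware '(?P<name>[^']+)' has been detected in \"(?P<path>[^\"]+)\"",
    re.IGNORECASE,
)
# The "moved to" line follows the detection line and carries two quoted paths:
# the original location first, the quarantine location second.
MOVE_PHRASES = ("has been moved to", "wurde verschoben nach")
QUOTED_RE = re.compile(r'"([^"]+)"')
TRUSTED_ROOTS = (r"C:\Program Files\Sophos", r"C:\Program Files (x86)\Sophos")


@dataclass
class MoveRecord:
    detection: str    # threat name from the detection line, e.g. Shh/Updater-B
    original: str     # where the file lived before SAV moved it
    quarantined: str  # where SAV moved it to


def parse_moves(lines: Iterable[str], phrases: Sequence[str] = MOVE_PHRASES) -> List[MoveRecord]:
    """Pair each detection line with the 'moved to' line directly after it.

    A detection on the last line of the log (no following line) yields no record;
    this is the end-of-stream case a naive "read the next line" parser trips on.
    """
    records: List[MoveRecord] = []
    pending = None
    for raw in lines:
        line = raw.strip()
        match = DETECTION_RE.search(line)
        if match:
            pending = match.group("name")
            continue
        if pending is not None and any(p in line for p in phrases):
            quoted = QUOTED_RE.findall(line)
            if len(quoted) >= 2:
                records.append(MoveRecord(pending, quoted[0], quoted[1]))
        pending = None  # one line of context only, as in the posted script
    return records


def plan_restore(lines: Iterable[str], false_positive: str = "Shh/Updater-B",
                 trusted_roots: Sequence[str] = TRUSTED_ROOTS) -> Tuple[List[MoveRecord], List[MoveRecord]]:
    """Split moves into (restore, leave): restore only files whose detection is the
    known false positive AND whose original path is under a trusted root."""
    restore_list: List[MoveRecord] = []
    leave_list: List[MoveRecord] = []
    roots = tuple(r.lower().rstrip("\\") + "\\" for r in trusted_roots)
    for rec in parse_moves(lines):
        name_ok = rec.detection.lower() == false_positive.lower()
        root_ok = rec.original.lower().startswith(roots)
        (restore_list if name_ok and root_ok else leave_list).append(rec)
    return restore_list, leave_list


def restore(plan: Sequence[MoveRecord], dry_run: bool = True) -> List[Tuple[str, str, str]]:
    """Move planned files back. Never overwrites an existing file at the original path."""
    results = []
    for rec in plan:
        if dry_run:
            status = "planned"
        elif not os.path.exists(rec.quarantined):
            status = "missing in quarantine"
        elif os.path.exists(rec.original):
            status = "destination exists, left untouched"
        else:
            shutil.move(rec.quarantined, rec.original)
            status = "restored"
        results.append((rec.quarantined, rec.original, status))
    return results


# Constructed sample log: two false positives on Sophos' own files, one detection
# outside the Sophos directory, one different threat name, and a trailing
# detection with no "moved to" line.
SAMPLE_LOG = r"""
20120919 140501 Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe". Cleanup unavailable.
20120919 140501 File "C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_update.exe" has been moved to "C:\ProgramData\Sophos\Safestore\swi_update.exe.0001".
20120919 140502 Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files (x86)\Sophos\AutoUpdate\example_updater.exe". Cleanup unavailable.
20120919 140502 Datei "C:\Program Files (x86)\Sophos\AutoUpdate\example_updater.exe" wurde verschoben nach "C:\ProgramData\Sophos\Safestore\example_updater.exe.0002".
20120919 140503 Virus/spyware 'Shh/Updater-B' has been detected in "C:\Users\jdoe\Downloads\tool.exe". Cleanup unavailable.
20120919 140503 File "C:\Users\jdoe\Downloads\tool.exe" has been moved to "C:\ProgramData\Sophos\Safestore\tool.exe.0003".
20120919 140504 Virus/spyware 'Mal/Generic-S' has been detected in "C:\Program Files\Sophos\example.exe". Cleanup unavailable.
20120919 140504 File "C:\Program Files\Sophos\example.exe" has been moved to "C:\ProgramData\Sophos\Safestore\example.exe.0004".
20120919 140505 Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\Sophos Anti-Virus\example_last.exe". Cleanup unavailable.
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    to_restore, to_leave = plan_restore(SAMPLE_LINES)
    for q, o, status in restore(to_restore, dry_run=True):
        print(f"{status}: {q} -> {o}")
    for rec in to_leave:
        print(f"left in quarantine ({rec.detection}): {rec.original}")
```

Run with the dry run first and compare the plan against the SAV log; only then call restore(plan, dry_run=False) on the endpoint. The root check is what keeps a log-driven restore from also un-quarantining anything else that happened to be detected during the same window.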
  • Hi Nathan,

    Yes I've seen the advisory

    Yes I've followed the directions

    Yes it DIDN'T work!!

    Any other advice??

  • Here's the problem...  Instead of trying to fix the problem through the forums by one tech.. Sophos needs to be more proactive.  There are sooo many rabbit trails of fixes in these 80 pages it's ridiculous.  try this, try that  blahh blahh

    dreec - that is exactly where I am at...

    I did call my sales rep who gave me another secret support line but I am still on hold for the past 30+ mins but I did not get a busy signal..

  • Hi Nathan,

    It looks to me that there are many scripts available for Sophos to use to develop an approved script to fix "move and deny". I'm confused why it's taking so long for the script to show up under the KB.

  • script worked for me! after rebuilding autoupdate folder.

    Thanks to the heavens!

    thanks!

    this script from 76th page:

    @echo off
    echo.
    echo --------------------------------------------------------------------
    ECHO Sophos Bad-Update Fixer Batch File -
    ECHO removes bad definition and rebuilds the auto-updater
    ECHO Written by Stewart Moss from Accumulo Consulting (Pty) Ltd.
    Echo Version 1.0.1 - 20-Sept-2012 - Fixed for 32bit and 64bit detection
    echo --------------------------------------------------------------------
    echo.
    REM This script is for Sophos, Sophos Agents and their customers only and is to be used at your own RISK.
    REM Neither Accumulo Consulting (Pty) Ltd nor the Author will take any responsibility to
    REM any damages done by this script
    REM
    REM Please change the paths which say "\\MyServer\Staging\AutoUpdate\" to point to a copy of the
    REM autoupdater which you have placed into a staging area.
    REM
    REM The autoupdater folder in the staging area is the entire folder copied from the CIDs
    REM "\\MyServer\SophosUpdate\CIDs\S000\SAVSCFXP\s?au\program files\Sophos\AutoUpdate"
    REM
    REM History: 1.0.1 Fixed the script because it thought all Windows 7 machines were 64 bit!
    REM
    REM Copyright 2012 by Accumulo Consulting (Pty) Ltd. All rights reserved.
    REM All copyright information needs to remain as it is.
    REM http://www.accumulo.co.za/

    Echo Stopping Services

    NET STOP "Sophos Agent"
    NET STOP "Sophos Anti-Virus"
    NET STOP "Sophos Anti-Virus status reporter"
    NET STOP "Sophos AutoUpdate Service"
    NET STOP "Sophos Message Router"
    NET STOP "Sophos Web Control Service"
    NET STOP "Sophos Web Intelligence Service"

    REM Operating System Detection to copy to the right location

    REM Windows 5.1 is Windows XP
    ver | findstr /i "5\.1\." > nul
    IF %ERRORLEVEL% EQU 0 goto WindowsXp

    REM Server 2003 has the same paths as Windows XP

    REM Windows 5.2 is Windows 2003 server
    ver | findstr /i "5\.2\." > nul
    IF %ERRORLEVEL% EQU 0 goto WindowsXp

    REM Ok so only Windows Vista, Windows 7 and Server 2008 have made it to here
    REM Now we need to work out if we are 32 bit or 64 bit Windows. We use the registry and read the
    REM attributes of the first logical CPU. If it contains the characters "x86" it is 32 bit.

    REG.exe Query "HKLM\Hardware\Description\System\CentralProcessor\0" | Find /i "x86" > nul
    If %ERRORLEVEL% == 0 Goto Windows732Bit
    goto Windows764bit

    :Windows732Bit
    :WindowsXp

    echo Processing for 32bit operating systems or Windows XP

    xcopy "\\FBA-dc3\SophosUpdate\CIDs\CIDs\S000\SAVSCFXP\sau\program files\Sophos\AutoUpdate\*.*" "C:\program files\sophos\AutoUpdate\" /S /E /Y /H /R /K /C

    echo Deleting offending definition
    REM Delete by full path so a failed directory change cannot make del run somewhere else
    del /f "C:\program files\Sophos\Sophos Anti-Virus\agen-xuv.ide"

    Echo Starting 32bit Services

    NET START "Sophos Agent"
    NET START "Sophos Anti-Virus"
    NET START "Sophos Anti-Virus status reporter"
    NET START "Sophos AutoUpdate Service"
    NET START "Sophos Message Router"
    NET START "Sophos Web Control Service"
    NET START "Sophos Web Intelligence Service"

    Echo Starting ALMON.EXE to bring shield back
    Echo If the batch file hangs here, check the shield is loaded and you can close this batch file.
    echo Our work is done.
    echo.
    "C:\program files\sophos\AutoUpdate\ALMON.EXE"

    goto DoneStartServices

    :Windows764bit

    echo Processing for 64bit operating systems (Windows Vista, Windows 7 and Server 2008)

    xcopy "\\FBA-dc3\SophosUpdate\CIDs\CIDs\S000\SAVSCFXP\sau\program files\Sophos\AutoUpdate\*.*" "C:\program files (x86)\sophos\AutoUpdate\" /S /E /C /Y /H /R /K

    echo Deleting offending definition
    REM Delete by full path so a failed directory change cannot make del run somewhere else
    del /f "C:\program files (x86)\Sophos\Sophos Anti-Virus\agen-xuv.ide"

    Echo Starting 64bit Services

    NET START "Sophos Agent"
    NET START "Sophos Anti-Virus"
    NET START "Sophos Anti-Virus status reporter"
    NET START "Sophos AutoUpdate Service"
    NET START "Sophos Message Router"
    NET START "Sophos Web Control Service"
    NET START "Sophos Web Intelligence Service"

    Echo Starting ALMON.EXE to bring shield back
    Echo If the batch file hangs here, check the shield is loaded and you can close this batch file.
    echo Our work is done.
    echo.
    REM The empty "" is the window title; without it START would treat the quoted path as the title
    start "" /d "C:\program files (x86)\sophos\AutoUpdate" ALMON.EXE

    :DoneStartServices
    exit


  • Jeff1527 wrote:

    Here's the problem...  Instead of trying to fix the problem through the forums by one tech.. Sophos needs to be more proactive.  There are sooo many rabbit trails of fixes in these 80 pages it's ridiculous.  try this, try that  blahh blahh

    dreec - that is exactly where I am at...

    I did call my sales rep who gave me another secret support line but I am still on hold for the past 30+ mins but I did not get a busy signal..


    We are aware that the advisory won't work for everyone. My goal here is to provide answers to the more simple questions and pitfalls so that we can avoid a situation where someone has to wait on the phone for a long time only to discover that the answer is a quick 5 second fix. It would be helpful for me if you could provide a few more details regarding what the specific issue is (e.g. obtaining the updated ide, clearing the QM, restoring moved or deleted files, etc.). I'll do my best to get you going from there.

  • My server is updating with no issues now.  It also downloaded the new javaab-jd.ide.  The problem I'm still having is my clients still show they have a virus.  Some of my computers are updating and still have a virus; other computers lost the shield and are not updating.  Also it is breaking other programs such as our payroll program, ABRA, and Adobe Reader, to name just a couple.  I tried logging into a local machine, stopping the service, deleting the quarantine.xml file, starting the service, then running an update and acknowledging the virus, and that seemed to work.  Is there not a better fix than doing everything manually?  I have systems in 170 different locations in three different states.  It would be hard to do that manually.


  • dreec wrote:

    Hi Nathan,

    Yes I've seen the advisory

    Yes I've followed the directions

    Yes it DIDN'T work!!

    Any other advice??


    Hi Dreec,

    I'm sorry to hear that. Can you detail for me where in the process you are stuck please?

  • Let's see if I can type this a little clearer for the 3rd time...

    After following the advisory, my SUM will not update the new files.  It does nothing.  It would at least give me a fail error prior to following the advisory.  I have tried all parts of the advisory.  I have tried repairing my updater, installing it from scratch and it will not update.

  • @DeepFat

    I posted a compiled .bat file you can use instead of uninstalling SOPHOS and re-protecting it.

    The post is on pages 70-76 somewhere...
