
Interchk.chk infected with W32/NetskyP-Dam

Hi there,

My server is indicating that under the C:\ProgramData\Sophos\Sophos Anti-Virus\Config path the file "Interchk.chk" is infected with W32/NetskyP-Dam.

The available action is to clean it up manually.

What should I do?

Regards,

:17383


This thread was automatically locked due to age.
  • Hello Almi,

    strange, could you post a snippet of the log (SAV.txt in the adjacent Logs folder)? This file has no read permissions and if you attempt to scan it (or the Config folder) it should give error 0xa0040210.

    Christian

    :17387
  •  Hi Christian.

    Thank you for your prompt reply.

    Please find a part of SAV.txt

    --------------------------------------------

    20111003 140321 Virus/spyware 'W32/Netsky-P' needs a reboot to complete cleanup.
    20111003 140357 Scanning "C:\SCOM32\IN\Line 19\xhkvn44y.ok0.RCV_undeliver_parcel_TIC_I_0765332211.zip" returned SAV Interface error 0xa0040210: The file could not be accessed.
    20111003 140358 File "C:\SCOM32\IN\Line 19\5bif4uqg.njk.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140359 File "C:\SCOM32\IN\Line 19\ffbseo2h.sa0.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140400 File "C:\SCOM32\IN\Line 19\fxah5dng.lhr.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140400 File "C:\SCOM32\IN\Line 19\ogm1lhi2.yh0.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140401 File "C:\SCOM32\IN\Line 19\y2vh5up2.vbo.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140402 File "C:\SCOM32\IN\Line 19\diga0oew.iv3.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140403 File "C:\SCOM32\IN\Line 19\fbf5goff.p4b.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140404 File "C:\SCOM32\IN\Line 19\uv2yl5nf.2j4.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140405 File "C:\SCOM32\IN\Line 19\haj0ilff.fpu.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140405 File "C:\SCOM32\IN\Line 19\o45s2cra.20t.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140406 File "C:\SCOM32\IN\Line 19\cx2zbzhw.ity.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140407 File "C:\SCOM32\IN\Line 19\mcbtvtje.ajf.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140408 File "C:\SCOM32\IN\Line 19\sotoohcn.5nr.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140409 File "C:\SCOM32\IN\Line 19\02yrr3ea.2er.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140409 File "C:\SCOM32\IN\Line 19\5vlitcoy.ghd.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140410 File "C:\SCOM32\IN\Line 19\nrytco0c.b51.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140411 File "C:\SCOM32\IN\Line 19\ou3fqm0t.ajk.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140411 File "C:\SCOM32\IN\Line 19\q10wsqcq.pms.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140412 File "C:\SCOM32\IN\Line 19\vgahw0tl.nrp.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140413 File "C:\SCOM32\IN\Line 19\y1zschqo.r0b.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140414 File "C:\SCOM32\IN\Line 19\2vgbz3vk.wjt.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140415 File "C:\SCOM32\IN\Line 19\4wbvuzo2.a3x.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140415 File "C:\SCOM32\IN\Line 19\dhnf4ord.cvz.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140416 File "C:\SCOM32\IN\Line 19\ditm35mt.vmz.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140417 File "C:\SCOM32\IN\Line 19\ejz0uit5.niw.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140418 File "C:\SCOM32\IN\Line 19\phdm24n3.dyy.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140418 File "C:\SCOM32\IN\Line 19\5vlcimox.cv3.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140419 File "C:\SCOM32\IN\Line 19\ognibb1x.5vd.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140420 File "C:\SCOM32\IN\Line 19\5bif4uqg.njk.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140420 File "C:\SCOM32\IN\Line 19\ffbseo2h.sa0.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140421 File "C:\SCOM32\IN\Line 19\fxah5dng.lhr.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140422 File "C:\SCOM32\IN\Line 19\ogm1lhi2.yh0.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140422 File "C:\SCOM32\IN\Line 19\y2vh5up2.vbo.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140423 File "C:\SCOM32\IN\Line 19\diga0oew.iv3.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140424 File "C:\SCOM32\IN\Line 19\fbf5goff.p4b.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140424 File "C:\SCOM32\IN\Line 19\uv2yl5nf.2j4.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140425 File "C:\SCOM32\IN\Line 19\haj0ilff.fpu.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140426 File "C:\SCOM32\IN\Line 19\o45s2cra.20t.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140426 File "C:\SCOM32\IN\Line 19\cx2zbzhw.ity.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140427 File "C:\SCOM32\IN\Line 19\mcbtvtje.ajf.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140428 File "C:\SCOM32\IN\Line 19\sotoohcn.5nr.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140428 File "C:\SCOM32\IN\Line 19\02yrr3ea.2er.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140429 File "C:\SCOM32\IN\Line 19\5vlitcoy.ghd.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140430 File "C:\SCOM32\IN\Line 19\nrytco0c.b51.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140430 File "C:\SCOM32\IN\Line 19\ou3fqm0t.ajk.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140431 File "C:\SCOM32\IN\Line 19\q10wsqcq.pms.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140432 File "C:\SCOM32\IN\Line 19\vgahw0tl.nrp.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140432 File "C:\SCOM32\IN\Line 19\y1zschqo.r0b.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140433 File "C:\SCOM32\IN\Line 19\2vgbz3vk.wjt.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140434 File "C:\SCOM32\IN\Line 19\4wbvuzo2.a3x.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140435 File "C:\SCOM32\IN\Line 19\dhnf4ord.cvz.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140435 File "C:\SCOM32\IN\Line 19\ditm35mt.vmz.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140436 File "C:\SCOM32\IN\Line 19\ejz0uit5.niw.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140436 File "C:\SCOM32\IN\Line 19\phdm24n3.dyy.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140437 File "C:\SCOM32\IN\Line 19\5vlcimox.cv3.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140438 File "C:\SCOM32\IN\Line 19\ognibb1x.5vd.RCV_undeliver_parcel_TIC_I_0765332211.zip" has been cleaned up.
    20111003 140438 Virus/spyware 'Mal/BredoZp-B' has been removed.
    20111003 140501 File "C:\SCOM32\IN\Line 19\vt0uvrvn.tgw.RCV_undeliver_parcel_TIC_I_0765332211.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
    20111003 140501 On-access scanner has denied access to location "C:\SCOM32\IN\Line 19\vt0uvrvn.tgw.RCV_undeliver_parcel_TIC_I_0765332211.zip" for user NT AUTHORITY\SYSTEM
    20111003 145436 Scan 'Right-Click Scan' started.
    20111003 145438 File "C:\$Recycle.Bin\S-1-5-21-2439876396-3522550223-64047180-500\$R91N1I5.scr" belongs to virus/spyware 'W32/Netsky-P'.
    20111003 145438 Virus/spyware 'W32/Netsky-P' has been detected.
    20111003 145438 Scan 'Right-Click Scan' completed.
    20111003 145438 Summary of results for scan 'Right-Click Scan':
      Items scanned: 3
      Errors: 0
      Items quarantined: 1
      Items dealt with: 0
    20111003 145442 File "C:\$Recycle.Bin\S-1-5-21-2439876396-3522550223-64047180-500\$R91N1I5.scr" belongs to virus/spyware 'W32/Netsky-P'.
    20111003 145442 On-access scanner has denied access to location "C:\$Recycle.Bin\S-1-5-21-2439876396-3522550223-64047180-500\$R91N1I5.scr" for user

    ----------------------------------------------------------------------------------------------

    Please note that sometimes when I am opening Main App it is crashing.

    Please also note that the folder SCOM32 that you will find in SAV.txt is a folder of our email communication program.

    These days we have received a message from a fake address of DHL, containing an attachment with virus.

    Thanks in Advance

    :17397
  • Hello Almi,

    this part does not contain interchk.chk. It looks like the malicious archives have been cleaned up and there's one malicious item in $Recycle.Bin. Do you right-click scan the C: drive? It also says Virus/spyware 'W32/Netsky-P' needs a reboot to complete cleanup - you should do this. I'd suggest you run another scan after reboot.

    Please note that sometimes when I am opening Main App it is crashing

    Do you mean Sophos? If this is the case you should contact Support.

    Christian

    :17423
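
The reading of the log given in the reply above (detections matched against cleanups, the pending reboot, the access error, and whether a file name is logged at all) can be done mechanically. This is an added example, not part of the original posts and not Sophos code; the sample lines are constructed in the format of the excerpt, and `triage` and `mentions` are hypothetical names.

```python
import re

# Constructed sample in the SAV.txt line format quoted in this thread
# (paths shortened; this is not the poster's actual log).
SAMPLE = r'''20111003 140321 Virus/spyware 'W32/Netsky-P' needs a reboot to complete cleanup.
20111003 140357 Scanning "C:\IN\a.zip" returned SAV Interface error 0xa0040210: The file could not be accessed.
20111003 140358 File "C:\IN\b.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
20111003 140359 File "C:\IN\c.zip" belongs to virus/spyware 'Mal/BredoZp-B'.
20111003 140420 File "C:\IN\b.zip" has been cleaned up.
20111003 140421 File "C:\IN\c.zip" has been cleaned up.
20111003 145438 File "C:\$Recycle.Bin\x.scr" belongs to virus/spyware 'W32/Netsky-P'.
20111003 145442 On-access scanner has denied access to location "C:\$Recycle.Bin\x.scr" for user
'''

PREFIX = r"^\s*\d{8} \d{6} "  # date and time columns, e.g. 20111003 140321
DETECTED = re.compile(PREFIX + r"File \"(.+)\" belongs to virus/spyware '(.+)'\.")
CLEANED = re.compile(PREFIX + r"File \"(.+)\" has been cleaned up\.")
REBOOT = re.compile(PREFIX + r"Virus/spyware '(.+)' needs a reboot to complete cleanup\.")
ERROR = re.compile(PREFIX + r"Scanning \"(.+)\" returned SAV Interface error (0x[0-9a-fA-F]+)")


def triage(log_text):
    """Reconcile detections with cleanups; report what still needs attention."""
    open_items = {}          # lower-cased path -> (path, threat), not yet cleaned
    reboot, errors = [], []
    for line in log_text.splitlines():
        if m := DETECTED.match(line):
            # Windows paths are case-insensitive, so key on the lower-cased form.
            open_items[m.group(1).lower()] = (m.group(1), m.group(2))
        elif m := CLEANED.match(line):
            open_items.pop(m.group(1).lower(), None)
        elif m := REBOOT.match(line):
            if m.group(1) not in reboot:
                reboot.append(m.group(1))
        elif m := ERROR.match(line):
            errors.append((m.group(1), m.group(2)))
    return {"outstanding": list(open_items.values()),
            "reboot_pending": reboot, "errors": errors}


def mentions(log_text, filename):
    """Return the log lines that name the given file (case-insensitive)."""
    return [l for l in log_text.splitlines() if filename.lower() in l.lower()]


if __name__ == "__main__":
    print(triage(SAMPLE))
    print(mentions(SAMPLE, "interchk.chk"))
```

A file that is detected again after a cleanup is reported as outstanding again, because the later detection line re-adds it.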
  • Hi there Christian,

    Yes I rebooted the system and then I did a full scan.

    Still the record of interchk.chk appears.

    Now I use a tool from Sophos called Resolve for W32/Netsky
    in order to scan and remove any Netsky infected file.

    Yes, sometimes when I open the Sophos main console it crashes.

    Please find the below screenshot from yesterday's found
    viruses.

    http://imageshack.us/photo/my-images/269/screenshotzz.jpg/

    So what's the next step to solve my problem?

    :17429
  • Hello Almi,

    you should contact Support - you can't manually clean up interchk.chk. You could remove the entry from the list and it might not reappear but there shouldn't be a detection in the first place. Can't say what this signifies and therefore please give them a call.

    Christian

    :17431
  • Thank you, Christian, for your support. I will contact my local retailer.

    Regards,
    Almi

    :17445