
Continually picking up same virus...

Hi Everyone,

This is my first time on here, so apologies if this is in the wrong place...

I would like to get some advice on Sophos (as my IT Dept seem woefully inadequate!)

Have had ongoing virus issues on our network, and recently upgraded our virus system and had Sophos installed on the computers.

I know it is continually scanning, but it appears to be picking up the same virus over and over again. Each time the message says that it has been deleted, but then seems to pick it up again.

For example, I had all applications closed, so just sitting in Windows, and ran a virus scan. It picked up items and says all were deleted. One file was quarantined, and then cleaned up using the function in Sophos.

Without opening anything, or doing anything at all, I ran another scan. And it picked up the same (or what appeared to be the same) problems in the same places.

How is this possible?

IT were no help at all. Is there a problem with Sophos and it isn't deleting the items properly? Or is there another cause?

It is driving me mad!

Any advice would be gratefully received!

Londongirl (UK)



This thread was automatically locked due to age.
  • Hello Londongirl,

    Computers (not only those with Windows) continually do things "on their own" - so you don't have to run an application to contract something. Many things are possible ...

    So what did Sophos find and where?

    Christian

  • Hi Christian,

    Thanks for your prompt reply.

    It keeps saying it has found files belonging to Mal/VBInject-D in C:\docs & settings\me as user\ then variations on ddaqaeXX.exe where XX is a letter then number (e.g. ddaqaeq1.exe) but then it'll say it has deleted them. But it finds the same files (so q1.exe) each time - there are a number of them coming up.

    At the end of the scan it will say that the Mal has been quarantined, so I then clean up with Sophos. Then the next scan will do the same thing - finding it, saying it has been quarantined, and then 'clean up'.

    It also appears to be continually coming up with a file that is in the temp internet files \content.IE5\S36IOU4S\feb3[1].jpg - It seems to always have the exact same location string before the file.

    I've also tried doing system clean up and deleting temp internet files, and emptying recycle bin, and then running virus scan again, but I'm not sure if that is just a waste of time!

    Any advice would be greatly appreciated!!

    If you need more info please let me know,

    many thanks,

    Londongirl

  • Hi again,

    I'm not an expert (I haven't contracted such things in the last years) but there are a number of things I'd do:

    1) get the machine off the net, scan, clean and scan again after some time - if it stays clean then something's downloading the stuff

    2) turn on on-access scanning for read and write

    3) if it still is detected by on-demand scans next I'd reboot (still off the net)

    Then it's time to think of something else. And - there's always a minor chance you've encountered something really new ;)

    Sorry that I have no specific advice

    Christian

  • That's really helpful.

    I'll give that a try to start with and see what I come up with!

    Many thanks,

    Londongirl

  • Hello, these files are created by the trojan that is on your machine. As soon as you delete the file it will be recreated; you need to find the root cause.

    There will be a program that is running. 1st, look in the startup folder. 2nd, check all the processes; you are better to use winmsd (from Start, Run or Start, Programs, Accessories, System Information). Look at all of the processes running; you should find one that stands out, likely to be called msoffice.exe or something that is trying to hide itself as a normal application.

    This will also have embedded itself in your registry so you can also look in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run then do a search through the registry.

    Unfortunately this type of virus is a pain to remove, you find the source malware that is creating everything else.

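
The checks described in the reply above (startup folder, running processes, the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` key) can be gathered in one pass. This is an added PowerShell example, not part of the original thread; the machine-wide `HKLM` Run key, the all-users startup folder, and the rule that anything launching from the user profile or temp directory deserves review are assumptions of the example.

```powershell
# Added example: triage of autostart locations and running processes.
# Assumption: anything launching from the user profile or temp directory is
# worth a manual look (legitimate per-user software will also appear here).
$suspectRoots = @($env:USERPROFILE, $env:TEMP) | Where-Object { $_ }

function Test-SuspectPath([string]$Command) {
    # Case-insensitive substring match; 8.3 short paths are not normalised.
    foreach ($root in $suspectRoots) {
        if ($Command.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',  # key named in the thread
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'   # assumption: machine-wide twin
)
$startupDirs = @('Startup', 'CommonStartup') |
    ForEach-Object { [Environment]::GetFolderPath($_) } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$autostarts = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            [pscustomobject]@{ Source = $key; Name = $name; Command = $cmd
                               Review = (Test-SuspectPath $cmd) }
        }
    }
    foreach ($dir in $startupDirs) {
        # Assumption: a raw file (not a .lnk shortcut) in Startup deserves review.
        Get-ChildItem -LiteralPath $dir -Force | Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName
                                   Review = ($_.Extension -ne '.lnk') }
            }
    }
)
$autostarts | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap

# Running processes whose image file sits in one of the same locations.
Get-Process | Where-Object { $_.Path -and (Test-SuspectPath $_.Path) } |
    Select-Object Id, Name, Path | Format-Table -AutoSize -Wrap
```

Rows with `Review` set to `True` are candidates for the program that keeps recreating the detected files; an entry that reappears after being removed points at a process that is still running.
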
  • Thank you for your info.

    Sounds like it's a bit out of my computer knowledge (I had a look at the processes but there were loads there and wasn't really sure what I was looking for).

    I guess I may have to just admit defeat on this one until the computer stops working completely, then maybe IT will give me a new machine :)

    Thank you for your advice!

    Londongirl

  • "then maybe IT will give me a new machine"

    Good to hear they at least can give you a (hopefully clean) new machine ;)

    Anyway - Sophos asks to send a sample for Mal/VBInject-D (see how to prepare it). And maybe someone from IT should contact support - they don't bite and might have some advice on using Sophos.

    Christian
