W32/Autorun-AMP

Hi,

We are infected by the W32/Autorun-AMP malware. SOPHOS can detect it and clean it partially. It shows "reboot required", which we have done several times, but no luck.

I have attached several screenshots. Please suggest how to clean those.


virus status.pdf
  • Hello Fazlur_SDTL,

    Many clients report error 0xa0250026 on the removal attempt; please check the SAV.txt log to see if there are any details.

    It's best to work with one client first (perhaps one where a xx.scr file is flagged). Please check if the file is still there after the reboot. If not, then clear the alerts and errors from the console and request a full system scan. If the threat reappears or if the file hasn't been removed, then I suggest you follow the SMaRT process.

    Christian

  • Hi Christian.

    Out of 470 PCs, today we found 220 PCs showing the same error. The client shut down all PCs by 7 pm and opened them again at 10 am the next day. We found that the files are still there, as SOPHOS is unable to clean/delete them.

  • Hello Fazlur_SDTL,

    Please let SMaRT guide you through the steps to determine whether there are recurring infections (and perhaps additional hidden "somethings") or "just" a scenario which prevents cleanup/removal. In this situation SMaRT recommends that you send samples (and the logs and information collected by SDU). Do not be shy of contacting Labs/Support; it's not your task (and likely beyond your means) to perform an in-depth analysis first.

    Christian

  • Hi,

    We tried running the Source of Infection tool on 2 PCs with different parameters to see whether the files are being recreated/dropped from remote computers or from the local machine (locally).

    We found that the files are being generated/dropped locally by the svchost.exe process.

    Please find attached the screenshots, the SDU output and the log file of SOI (Source of Infection).

    Please suggest how to solve the issue.

  • Hello Fazlur_SDTL,

    The SOI trace shows just the starting messages.

    Anyway, please contact Support directly. I'm neither with Sophos nor a specialist, and this forum is not the right place to submit logs and samples (if you want to do so before calling Support, use the links in the left-hand Contact Support menu on any Support page).

    Christian
