| General Computer Security Get Help With System Security - This forum is not for malware removal assistance. For malware removal assistance, read the sticky topic at the top of the Virus/Trojan/Spyware Help forum, or the "First Steps" link at the top right of each page. |
#1 (permalink) |
|
Registered User
Join Date: Apr 2008
Posts: 8
OS: Vista (Home Premium 32-bit)
|
suspicious file unable to delete with Sophos
I have a suspicious file in quarantine by Sophos that it labels "sus/unpacker" and is located in "memory". I would send off a sample to Sophos but "memory" is not a file path; clicking on it takes me to C:\Program Files\Sophos\AutoUpdate

The only options are "authorise", which I do not want to do because I don't know what it is. I am running Vista Home Premium, 32-bit, with Sophos Anti-Virus version 7.3.0, which I update regularly. I also use Spybot Seek and Destroy, but this hasn't found anything.

Additional information that may be helpful: In February I was infected with what Sophos categorised as "Mal/generic -A", trojan, infecting a folder it created with the file path C:\program files\net project. It infected an .exe file - waumdl.exe I believe it was. This too, I was unable to clean up until I booted in safe mode, which did the trick. I deleted manually (just sent to recycle bin and then emptied it) the net project file. From mal/generic-A's behaviour and the manner in which I acquired it (accepting a fake active-x pop up), I think it was probably the zlob trojan.

A few weeks later "mal/generic-A" came back, and this time infected a .dll file within program files\net project, which it had recreated. This was even though I had not accepted any dubious active-x pop ups or any other installers. However I booted in safe mode and deleted it again, and it hasn't been back since.

The other day I was infected with a trojan Sophos quarantined and called "Troj/Zlob-AJY" but was able to clean up in normal mode without any trouble. This again, was without visiting any sort of malware host or downloading anything.

This suspicious file has been in my quarantine ever since the second mal/generic-a infection. I have been in contact with Sophos support and emailed them some .zip folders of my registry and start up programs; apparently there is nothing malicious in either of these, but they are at a loss as to how to remove the suspicious file. The only solution I can think of at the minute is to remove Sophos and try a different anti-virus? But I am not sure if removing Sophos would perhaps release the quarantined suspicious file and make it a threat? Any advice?

Many thanks, Lucy

Last edited by koala; 04-14-2008 at 10:05 AM. Reason: removed email to prevent spambots
#2 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,593
OS: 2000 Pro; XP Pro; XP Home
|
Re: suspicious file unable to delete with Sophos
Sounds to me like you've never been rid of the zlob infection completely.
You can try the self-help removal thread here: http://www.techsupportforum.com/secu...tml#post519929

Or, if you'd rather have someone look at your system, do this:

Please follow our 5 Step process outlined here: http://www.techsupportforum.com/secu...oval-help.html

After running through all the steps, please post the requested logs in the HijackThis Log Help forum, not here. If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the HijackThis Log Help forum is extremely busy, and it may take a while to receive a reply.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009