Sophos Messages, Interpretations, and Recommended Resolutions

The following is a selection of Sophos messages that are representative of those most commonly encountered by Lab employees, along with details of what the messages mean and how you should respond.

Probable Viruses

  • Sophos Example Message 1: File "C:\WINNT\SYSTEM32\_c003AB93.dat" belongs to virus/spyware 'Troj/BHO-GN'. The attempt to move the infected file "C:\WINNT\SYSTEM32\_c003AB93.dat" failed due to unknown error 0x800700b7.
  • Sophos Example Message 2: File "C:\Users\jekrous.LBL\AppData\Local\Mozilla\Firefox\Profiles\khqv1llf.default\Cache\ADD36FE0d01" belongs to virus/spyware 'Troj/Bckdr-QNP'. Infected file "C:\Users\jekrous.LBL\AppData\Local\Mozilla\Firefox\Profiles\khqv1llf.default\Cache\ADD36FE0d01" has been moved to "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\ADD36FE0d01.000".
    • Interpretation: Whenever a message includes the text "belongs to virus/spyware," it usually indicates a virus. In the first example, Sophos detected the file but could not move it into quarantine. The "unknown error" 0x800700b7 is an HRESULT wrapping Win32 error 183 (ERROR_ALREADY_EXISTS), so the likeliest cause is that a file of the same name already exists in the quarantine folder; a file that is open (and therefore in use) at the moment of the move can also block it. In the second example, the virus was successfully quarantined by Sophos, as the "has been moved to ...\INFECTED\..." text shows.
    • Recommended Resolution: If Sophos could not move the file, go into Windows Explorer, locate the file and delete it (if it is in use, reboot first and then delete it). In either case, then run a full scan of your computer so that the anti-virus program can check that the virus has been completely eliminated from your system.

Viruses in System Locations

Example: Virus/spyware 'Mal/EncPk-EU' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\A0040682.exe.000". Cleanup unavailable. The attempt to move the infected file "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\A0040682.exe.000" failed due to unknown error 0x80070013.

Example: File "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\A0040682.exe.000" belongs to virus/spyware 'Mal/EncPk-EU'.

Example: "C:\RECYCLER\S-1-5-21-1715567821-1060284298-725345543-19125\Dc88.pdf" belongs to virus/spyware 'Troj/FTPDL-A'

Example: Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1431\A0133016.exe" belongs to adware/PUA 'PsKill' (of type Hacking tool)

  • Interpretation: A copy of an infected file sits in a location that holds copies rather than live files: a Volume Shadow Copy (the \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy path), a System Restore point (the _restore{...}\RPnnnn path) or the Recycle Bin (the C:\RECYCLER\<SID> path). Windows keeps restore points so that it can roll system files and settings back if the current copies are lost or corrupted, which could reintroduce the infected file if such a restore is ever run. Sophos cannot modify a shadow copy, which is why the move fails with error 0x80070013: that HRESULT wraps Win32 error 19 (ERROR_WRITE_PROTECT). Note that in the first two examples the detected path is Sophos's own INFECTED quarantine folder as it appeared inside the shadow copy, so the live copy of that file had already been quarantined.
  • Recommended Resolution: Turn System Restore off and then back on. This removes all prior restore points, including the one with the infected file. If a shadow copy survives that step (it can when it was created for Previous Versions rather than System Restore), list it with "vssadmin list shadows" and remove it with "vssadmin delete shadows /for=C: /all", which discards every shadow copy of that volume. For a copy in the Recycle Bin, empty the Recycle Bin instead. Then run a full scan.

Legitimate Applications Flagged by Sophos

Example: Process 'c:\cxro\csrc\Classes\lpt32\WinIo\Examples\C\winiotest\Release\WinIo.sys' exhibiting suspicious behavior pattern 'HIPS/RegMod-013'.

Example: File "C:\Documents and Settings\wbou\Desktop\Desktop 10.2.2008\Test Softwares\Pstools\pskill.exe" belongs to adware/PUA 'PsKill' (of type Hacking tool)

  • Interpretation: These messages are probably triggered by legitimate software: a HIPS pattern reports a behaviour (here a registry modification), not a known virus, and PsKill is an administrator's tool that Sophos classifies as a potentially unwanted "Hacking tool" because it can also be abused.
  • Recommended Resolution: If you know that the program is legitimate, you can either authorize it from the Quarantine Manager or add it to the list of programs to exclude from anti-virus scans so the alerts will not continue to display. If you have concerns about the program, you can enter the detection name from the message into the Sophos search engine to see if it is a possible virus, or ask the IT Help Desk for advice.

Example: Process 'c:\Options\client491psp2r2\redir\setupw2k.exe' exhibiting suspicious behavior pattern 'HIPS/FileMod-005'.

  • Interpretation: This message is generated during the installation of the Novell client. The HIPS/FileMod-005 pattern is letting you know that a network driver was inserted. Since the Novell client installs a network driver, Sophos sends an alert of suspicious behavior.
  • Recommended Resolution: Ignore this message; it should only occur once, upon the installation of the Novell client. Alternatively, you can authorize the program or add it to the exclusion list.

Example: Process 'c:\oracle\Janusprd\bin\vercheck.exe' exhibiting suspicious behavior pattern 'HIPS/ProcMod-005'

  • Interpretation: This message appears to have been generated by the Oracle Calendar program.
  • Recommended Resolution: Treat it like the other legitimate-application alerts above: authorize the program or add it to the exclusion list once you have confirmed where it came from.

Adware that Requires Manual Removal

Example: File "C:\Program Files\Starware343\bin\Starware343.dll" belongs to adware/PUA 'CometSys' (of type Adware).

Example: File "C:\WINDOWS\system32\f3PSSavr.scr" belongs to adware/PUA 'MyWebSearch' (of type Adware)

  • Interpretation: These message alerts were likely triggered by adware. By default, Sophos does not automatically quarantine adware, suspicious files, and other potentially unwanted applications (PUAs); it only reports them. If you try to change the default setting, the server will override your changes and restore the default setting.
  • Recommended Resolution: Because Sophos will not quarantine adware for you, remove it manually: uninstall the program through the Windows uninstaller where it has an entry, delete the flagged file if it remains, and then run a full scan to confirm nothing is left.

Unknown Programs that Require Investigation

Example: File "\\FILECLU2I_VSERVER\USERS_IJKL\JNKono\MyDocs\SAM\Survey.exe" belongs to adware/PUA 'BadJoke' (of type Other).

  • Interpretation: The character of this program is ambiguous: "BadJoke" (of type Other) covers programs that are usually harmless prank software rather than malware, but the alert does not tell you what this particular file does.
  • Recommended Resolution: Copy and paste the detection name from the message (here 'BadJoke') into the Sophos search engine to see whether it is a possible virus, and do not run the file until you know.
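The message formats quoted in the sections above (virus/spyware detections with a quarantine or move-failure outcome, copies in shadow copies, restore points and the Recycle Bin, HIPS behaviour alerts, and adware/PUA detections) are regular enough to parse. The following Python script is an added example written for this page, not Sophos code: it extracts the detection name, path and outcome from each message, decodes the 0x8007xxxx "unknown error" codes into their Win32 names, and maps each record onto the recommendation the page gives for that category. The regular expressions and the location rules are assumptions based on the wording quoted on this page, and the sample messages are constructed from the page's own examples (the "C:\System Volume Information" prefix of the restore-point sample is assumed, because the page's copy of that path is truncated).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example for this page, not Sophos code.  The regexes are assumptions
# based on the message wording quoted on the page; SAMPLES are constructed.
# A 0x8007xxxx HRESULT wraps a Win32 error code in its low 16 bits.  Only the
# two codes quoted on the page are tabled; any other is reported numerically.
WIN32_ERRORS = {
    19: "ERROR_WRITE_PROTECT: the media is write protected",
    183: "ERROR_ALREADY_EXISTS: cannot create a file when that file already exists",
}

# Paths that hold a copy of a file rather than the live file.
SYSTEM_LOCATIONS = (
    ("shadow copy", re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)),
    ("restore point", re.compile(r"_restore\{[0-9A-F-]+\}\\RP\d+", re.I)),
    ("recycle bin", re.compile(r"\\RECYCLER\\S-1-5-\d", re.I)),
)

RE_BELONGS = re.compile(r'"(?P<path>[^"]+)" belongs to (?P<kind>virus/spyware|adware/PUA) '
                        r"'(?P<name>[^']+)'(?: \(of type (?P<ptype>[^)]+)\))?")
RE_DETECTED = re.compile(r"Virus/spyware '(?P<name>[^']+)' has been detected in \"(?P<path>[^\"]+)\"")
RE_HIPS = re.compile(r"Process '(?P<path>[^']+)' exhibiting suspicious behavior pattern '(?P<name>HIPS/[^']+)'")
RE_MOVED = re.compile(r'has been moved to "(?P<quarantine>[^"]+)"')
RE_FAILED = re.compile(r"failed due to unknown error 0x(?P<code>[0-9A-Fa-f]{8})")


@dataclass
class Alert:
    kind: str             # "virus/spyware", "adware/PUA" or "HIPS"
    name: str             # detection name, e.g. Troj/BHO-GN or HIPS/RegMod-013
    path: str
    ptype: Optional[str]  # PUA type such as "Adware" or "Hacking tool"
    location: str         # "live", "shadow copy", "restore point" or "recycle bin"
    outcome: str          # "quarantined", "move failed" or "none"
    error: Optional[str]  # decoded error when the move failed
    advice: str


def decode_hresult(code: int) -> str:
    """Turn the hex code Sophos prints into a Win32 error name where known."""
    if code & 0xFFFF0000 == 0x80070000:
        win32 = code & 0xFFFF
        return WIN32_ERRORS.get(win32, f"Win32 error {win32}")
    return f"HRESULT 0x{code:08X}"


def classify_location(path: str) -> str:
    for label, rx in SYSTEM_LOCATIONS:
        if rx.search(path):
            return label
    return "live"


def advise(kind, ptype, location, outcome) -> str:
    """Map the page's interpretation sections onto a one-line recommendation."""
    if kind == "HIPS":
        return "behaviour alert, probably legitimate software: authorize or exclude it if known"
    if location == "recycle bin":
        return "copy in the Recycle Bin: empty the Recycle Bin, then run a full scan"
    if location in ("shadow copy", "restore point"):
        return "copy in a snapshot: turn System Restore off and on to drop old restore points"
    if kind == "adware/PUA":
        if ptype == "Hacking tool":
            return "admin tool flagged as PUA: authorize or exclude it if it is yours"
        if ptype == "Adware":
            return "adware is not auto-quarantined: remove it manually, then run a full scan"
        return "ambiguous program: look the detection name up before trusting it"
    if outcome == "quarantined":
        return "quarantined: run a full scan to confirm nothing remains"
    return "not quarantined: delete the file in Explorer, then run a full scan"


def parse_alert(text: str) -> Optional[Alert]:
    """Return an Alert for a recognised message, or None for anything else."""
    m = RE_HIPS.search(text)
    if m:
        return Alert("HIPS", m["name"], m["path"], None, "live", "none", None, advise("HIPS", None, "live", "none"))
    m = RE_BELONGS.search(text) or RE_DETECTED.search(text)
    if not m:
        return None
    kind = m.groupdict().get("kind") or "virus/spyware"   # RE_DETECTED has no kind group
    ptype = m.groupdict().get("ptype")
    location = classify_location(m["path"])
    outcome, error = "none", None
    if RE_MOVED.search(text):
        outcome = "quarantined"
    elif (f := RE_FAILED.search(text)):
        outcome, error = "move failed", decode_hresult(int(f["code"], 16))
    return Alert(kind, m["name"], m["path"], ptype, location, outcome, error, advise(kind, ptype, location, outcome))


# Constructed from the messages quoted on the page (restore-point path prefix assumed).
SAMPLES = [
    r"""File "C:\WINNT\SYSTEM32\_c003AB93.dat" belongs to virus/spyware 'Troj/BHO-GN'. The attempt to move the infected file "C:\WINNT\SYSTEM32\_c003AB93.dat" failed due to unknown error 0x800700b7.""",
    r"""File "C:\Users\jekrous.LBL\AppData\Local\Mozilla\Firefox\Profiles\khqv1llf.default\Cache\ADD36FE0d01" belongs to virus/spyware 'Troj/Bckdr-QNP'. Infected file "C:\Users\jekrous.LBL\AppData\Local\Mozilla\Firefox\Profiles\khqv1llf.default\Cache\ADD36FE0d01" has been moved to "C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\ADD36FE0d01.000".""",
    r"""Virus/spyware 'Mal/EncPk-EU' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\A0040682.exe.000". Cleanup unavailable. The attempt to move the infected file "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\A0040682.exe.000" failed due to unknown error 0x80070013.""",
    r""""C:\RECYCLER\S-1-5-21-1715567821-1060284298-725345543-19125\Dc88.pdf" belongs to virus/spyware 'Troj/FTPDL-A'""",
    r"""Process 'c:\cxro\csrc\Classes\lpt32\WinIo\Examples\C\winiotest\Release\WinIo.sys' exhibiting suspicious behavior pattern 'HIPS/RegMod-013'.""",
    r"""File "C:\Documents and Settings\wbou\Desktop\Desktop 10.2.2008\Test Softwares\Pstools\pskill.exe" belongs to adware/PUA 'PsKill' (of type Hacking tool)""",
    r"""File "C:\WINDOWS\system32\f3PSSavr.scr" belongs to adware/PUA 'MyWebSearch' (of type Adware)""",
    r"""File "\\FILECLU2I_VSERVER\USERS_IJKL\JNKono\MyDocs\SAM\Survey.exe" belongs to adware/PUA 'BadJoke' (of type Other).""",
    r"""File "C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1431\A0133016.exe" belongs to adware/PUA 'PsKill' (of type Hacking tool)""",
]

if __name__ == "__main__":
    for a in filter(None, map(parse_alert, SAMPLES)):
        print(f"{a.kind:14} {a.name:16} {a.location:13} {a.outcome:12} -> {a.advice}")
```

The order of the checks in advise() follows the page: a HIPS pattern is a behaviour, not a file verdict, so it is handled first; a copy in a snapshot or the Recycle Bin needs the snapshot treatment regardless of whether the detection is a virus or a PUA (which is why the PsKill restore-point example lands there); only then does the PUA type or the quarantine outcome decide the advice. Feed it the text of your own alerts, one message per string, to get the same triage.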