Symantec AntiVirus Problem: W32.Sober.I@mm!enc Virus in Exchange folder D:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\

My problem is similar to another post regarding the error message given here:

Event Type:     Error
Event Source:     Symantec AntiVirus
Event Category:     None
Event ID:     5
Date:          24/12/2004
Time:          9:32:57 PM
User:          N/A
Computer:    
Description:
 

Virus Found!Virus name: W32.Sober.I@mm!enc in File: D:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_e1470e4a01c4e9a30000c276.EML by: Realtime Protection scan.  Action: Clean failed : Quarantine failed : Access denied

I have run Symantec scans and the virus removal tool from Symantec for W32.Sober and others I have gotten the same message for. When I try to scan the NTFS files directly they are not present in the Queue folder. What can I do about cleaning this up?
ridgeang Asked:
 
Exchange_Admin Commented:
This was an email message that was either coming in or going out. The reason you can't find it is that it is no longer in the queue.

If you run a file level AV product on an Exchange server, you should exclude the EXCHSRVR folders and all its subdirectories.

You should run an Exchange Aware AV product to pick up viruses in Exchange emails.
0
 
joedoe58 Commented:
Did you try the manual delete from Symantec's page? http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.i@mm.html
0
 
ridgeang Author Commented:
I have found the key, but am not familiar enough with what should be there to feel comfortable making a deletion. There are currently 5 keys in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run location:
Name                          Type      Data
(default)                     REG_SZ    (value not set)
ccApp                         REG_SZ    "C:\Program Files\Common Files\Symantec Shared\...
CPQTEAM                       REG_SZ    cpqteam.exe
Symantec NetDriver Monitor    REG_SZ    C:\PROGRA~1\SYMNET~1...
vptray                        REG_SZ    C:\PROGRA~1\SYMNET~2...

Which one am I looking for? None of them really fit Symantec's response:

"[random value name]" = "%System%\[random worm file name].exe"
"[random value name]" = "%System%\[random worm file name].exe %srun%"
0
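An added example, not part of the thread and not Symantec's tooling: one way to compare Run values against the "%System%\[random worm file name].exe" shape quoted in the comment above. It assumes %System% expands to C:\WINDOWS\system32 or C:\WINNT\system32; the function names and every sample entry except CPQTEAM are constructed for illustration.

```python
import ntpath
import re

# Assumption: %System% expands to one of these on the Windows versions of that era.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

def split_command(data):
    """Split Run-value data into (executable, arguments), honouring quotes."""
    data = data.strip()
    if data.startswith('"'):
        exe, _, rest = data[1:].partition('"')
        return exe, rest.strip()
    # Unquoted data: the executable ends at the first ".exe" before a space or the end.
    m = re.match(r"(?i)(.+?\.exe)(?:\s+(.*))?$", data)
    return (m.group(1), m.group(2) or "") if m else (data, "")

def classify(data):
    """Compare one Run value with the shape '%System%\\<name>.exe [%srun%]'."""
    exe, _args = split_command(data)
    exe = exe.lower().replace("%system%", r"c:\windows\system32")
    directory, name = ntpath.split(ntpath.normpath(exe))
    if not name.endswith(".exe"):
        return "no-match"
    if directory == "":
        # Bare file name: Windows resolves it through the search path, so the
        # file's real location has to be checked on disk before judging it.
        return "check-location"
    # Fits the shape only; legitimate programs also start from the System folder.
    return "fits-pattern" if directory in SYSTEM_DIRS else "no-match"

def review(run_values):
    """Map each value name to its verdict."""
    return {name: classify(data) for name, data in run_values.items()}

# Constructed sample data, except CPQTEAM which is quoted from the post above.
SAMPLE_RUN_KEY = {
    "ExampleAgent": r'"C:\Program Files\ExampleVendor\agent.exe" /startup',
    "ExampleTray": r"C:\PROGRA~1\EXAMPL~1\tray.exe",
    "CPQTEAM": "cpqteam.exe",
    "qzxwv": r"C:\WINNT\system32\qzxwv.exe %srun%",
    "abcdxyz": r"%System%\abcdxyz.exe",
}

if __name__ == "__main__":
    for name, verdict in review(SAMPLE_RUN_KEY).items():
        print(f"{name:14} {verdict}")
```

A "fits-pattern" verdict only narrows which values to inspect by hand; it does not confirm that the file is the worm.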
 
mleman Commented:
Are you running Compaq/HP servers? cpqteam sounds like a Compaq service; I have a similarly named process. Don't delete that until you know what it is.

Also, the file stopped by the antivirus is an email that Exchange is trying to access, hence the access denied. You could shut down the Exchange and antivirus services, delete it manually, and restart the servers again.
0
 
joedoe58 Commented:
None of them match the string from Symantec.
0
 
mleman Commented:
Have you tried restarting all the services?
0
 
ridgeang Author Commented:
Yes mleman, I am running a Compaq/HP server, and CPQTEAM is another registry entry on an identical server we have stationed here. vptray is located in the registry of the other server as well.

The file I am concerned about does not stay in the vsi folder for me to delete.
0
 
mleman Commented:
Have you tried restarting the antivirus?
0
 
ridgeang Author Commented:
I just did.
0
 
mleman Commented:
Does searching for the file manually, or using search, find the file at all? Also, have you looked in the quarantine folder on the antivirus?
Look in the folder with hidden files visible; if it's there, stop the antivirus services, go into DOS and delete it from there.
0
 
ridgeang Author Commented:
It does not show up at all, even when viewing files that are hidden.
0
 
mleman Commented:
If you scan the machine from another PC or with the virus scan off the Symantec site, can they see the virus?
I think I would start thinking about uninstalling and reinstalling the antivirus if another antivirus scanning the server externally does not find anything.
0
 
miroofi75 Commented:
I recommend you use F-Port AV for Exchange; very nice.

regards


imran
0
Question has a verified solution.
