Symantec AntiVirus Problem: W32.Sober.I@mm!enc Virus in Exchange folder D:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\

My problem is similar to another post regarding the error message given here;

Event Type:     Error
Event Source:     Symantec AntiVirus
Event Category:     None
Event ID:     5
Date:          24/12/2004
Time:          9:32:57 PM
User:          N/A
Computer:    
Description:
Virus Found!Virus name: W32.Sober.I@mm!enc in File: D:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_e1470e4a01c4e9a30000c276.EML by: Realtime Protection scan.  Action: Clean failed : Quarantine failed : Access denied

I have run Symantec scans and the virus removal tool from Symantec for W32.Sober and for the others I have gotten the same message for. When I try to scan the NTFS files directly, they are not present in the Queue folder. What can I do about cleaning this up?
Asked by: ridgeang

1 Solution

joedoe58 commented:
Did you try the manual delete from Symantec's page? http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.i@mm.html

ridgeang (author) commented:
I have found the key, but am not familiar enough with what should be there to feel comfortable making a deletion. There are currently 5 keys in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run location:

Name                        Type      Data
(default)                   REG_SZ    (value not set)
ccApp                       REG_SZ    "C:\Program Files\Common Files\Symantec Shared\...
CPQTEAM                     REG_SZ    cpqteam.exe
Symantec NetDriver Monitor  REG_SZ    C:\PROGRA~1\SYMNET~1...
vptray                      REG_SZ    C:\PROGRA~1\SYMNET~2...

Which one am I looking for? None of them really fit Symantec's response:

"[random value name]" = "%System%\[random worm file name].exe"
"[random value name]" = "%System%\[random worm file name].exe %srun%"

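An added example (not code from the thread or from Symantec): Python that parses a `reg export` of the Run key ridgeang listed and checks each value against the pattern quoted from the write-up, i.e. an executable under %System%, optionally with a `%srun%` argument. The .reg text is constructed: the five value names are the thread's, their data strings are stand-ins (the thread truncates them), and `WinData` is a made-up entry added as a positive case.

```python
import re

# Constructed sample in `reg export` format: the five value names the thread lists
# with constructed stand-in data (the thread truncates them) plus "WinData", a
# made-up entry shaped like the Symantec write-up's indicator, as a positive case.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"CPQTEAM"="cpqteam.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"vptray"="C:\\PROGRA~1\\SYMNET~2\\vptray.exe"
"WinData"="C:\\WINNT\\system32\\wsys32.exe %srun%"
'''
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")  # what %System% expands to
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(?:"((?:[^"\\]|\\.)*)"|.*)$')
unesc = lambda s: re.sub(r"\\(.)", r"\1", s)  # .reg doubles backslashes, escapes quotes

def parse_run_values(reg_text):
    """Return {value name: data} for the REG_SZ values under the Run key."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line)
        if in_run and m and m.group(3) is not None:  # group 3 is None for hex:/dword: data
            values["(default)" if m.group(2) else unesc(m.group(1))] = unesc(m.group(3))
    return values

def split_command(data):
    """Split value data into (executable, arguments), honouring a quoted path."""
    m = re.match(r'^"([^"]*)"\s*(.*)$', data) or re.match(r"^(\S+)\s*(.*)$", data)
    return (m.group(1), m.group(2)) if m else ("", "")

def classify_run_values(values):
    """'match'  - data carries the %srun% argument Symantec lists for the worm's entry
    'review' - runs from %System%, or is a bare file name resolved through PATH
               (which includes %System%), so its origin needs confirming by hand."""
    findings = {}
    for name, data in values.items():
        exe, args = split_command(data)
        low = exe.lower()
        if "%srun%" in args.lower():
            findings[name] = "match"
        elif low and ("\\" not in low or any(low.startswith(d + "\\") for d in SYSTEM_DIRS)):
            findings[name] = "review"
    return findings
```

On the thread's own five entries only CPQTEAM comes back as "review" (a bare file name), which matches mleman's advice to confirm what it is rather than delete it.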
 
mleman commented:
Are you running Compaq/HP servers? cpqteam sounds like a Compaq service; I have a similarly named process. Don't delete that until you know what it is.

Also, the file stopped by the antivirus is an email that Exchange is trying to access, hence the access denied. You could shut down the Exchange and antivirus services and delete it manually, and restart the servers again.
joedoe58 commented:
None of them match the string from Symantec.

mleman commented:
Have you tried restarting all the services?

ridgeang (author) commented:
Yes mleman, I am running a Compaq/HP server, and CPQTEAM is another registry entry on an identical server we have stationed here. vptray is located in the registry of the other server as well.

The file I am concerned about does not stay in the vsi folder for me to delete.

mleman commented:
Have you tried restarting the antivirus?

ridgeang (author) commented:
I just did.

mleman commented:
Does searching for the file manually, or using Search, find the file at all? Also, have you looked in the quarantine folder on the antivirus?
Look in the folder with hidden files visible; if it's there, stop the antivirus services, go into DOS and delete it from there.

ridgeang (author) commented:
It does not show up at all, even when viewing files that are hidden.

mleman commented:
If you scan the machine from another PC, or with the virus scan off the Symantec site, can they see the virus?
I think I would start thinking about uninstalling and reinstalling the antivirus if another antivirus scanning the server externally does not find anything.

Exchange_Admin commented:
This was an email message that was either coming in or going out. The reason you can't find it is that it is no longer in the queue.

If you run a file-level AV product on an Exchange server, you should exclude the EXCHSRVR folders and all their subdirectories.

You should run an Exchange-aware AV product to pick up viruses in Exchange emails.

miroofi75 commented:
I recommend you use F-Port AV for Exchange; very nice.

regards

imran