mirror of
https://github.com/ayeskatalas/Sophos-Removal-Tool.git
synced 2026-04-25 02:35:52 +03:00
[GH-ISSUE #3] ie, edge, chrome, ff all report exe file has virus, worked in the end though #3
Originally created by @xenek on GitHub (Sep 2, 2020).
Original GitHub issue: https://github.com/ayeskatalas/Sophos-Removal-Tool/issues/3
On a system with a broken Sophos install
(3.1.1;
can't remove via Programs & Features, says it failed to stop the AutoUpdate service;
can't install over the top, says a pending installer requires a restart),
when downloading the exe, it reports a virus detected.
Was able to still download the zip with Firefox, unzip with 7-Zip,
and after using this reg file, https://www.tenforums.com/tutorials/64349-run-administrator-add-ps1-file-context-menu-windows-10-a.html
was able to run as admin;
still get heaps of 'access denied'
no matter if I run the exe or the ps1 as admin.
Errors follow:
ERROR: ERROR: Access is denied.
ERROR:
ERROR: ERROR: Access is denied.
ERROR:
ERROR: ERROR: Access is denied.
ERROR:
ERROR: ERROR: Access is denied.
ERROR:
ERROR: ERROR: Access is denied.
ERROR:
ERROR: The requested pause, continue, or stop is not valid for this service.
ERROR:
More help is available by typing NET HELPMSG 2191.
ERROR: The service name is invalid.
ERROR:
More help is available by typing NET HELPMSG 2185.
ERROR: The requested pause, continue, or stop is not valid for this service.
ERROR:
More help is available by typing NET HELPMSG 2191.
ERROR: The requested pause, continue, or stop is not valid for this service.
ERROR:
More help is available by typing NET HELPMSG 2191.
ERROR: The service name is invalid.
ERROR:
More help is available by typing NET HELPMSG 2185.
ERROR: The requested pause, continue, or stop is not valid for this service.
ERROR:
More help is available by typing NET HELPMSG 2191.
ERROR: The requested pause, continue, or stop is not valid for this service.
ERROR:
More help is available by typing NET HELPMSG 2191.
ERROR: The service name is invalid.
ERROR:
More help is available by typing NET HELPMSG 2185.
ERROR: The requested pause, continue, or stop is not valid for this service.
ERROR:
More help is available by typing NET HELPMSG 2191.
ERROR: The requested pause, continue, or stop is not valid for this service.
ERROR:
More help is available by typing NET HELPMSG 2191.
ERROR: The requested pause, continue, or stop is not valid for this service.
ERROR:
More help is available by typing NET HELPMSG 2191.
ERROR: The requested pause, continue, or stop is not valid for this service.
ERROR:
More help is available by typing NET HELPMSG 2191.
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="SAVAdminService")->stopservice()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 5;
};
ERROR: System.Management.Automation.RemoteException
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="SAVService")->stopservice()
Method execution successful.
ERROR:
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 5;
};
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="SntpService")->stopservice()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 5;
};
ERROR:
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="Sophos AutoUpdate Service")->stopservice()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 5;
};
ERROR:
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="Sophos Clean Service")->stopservice()
Method execution successful.
ERROR:
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 5;
};
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="Sophos Endpoint Defense Service")->stopservice()
Method execution successful.
ERROR:
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 5;
};
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="Sophos File Scanner Service")->stopservice()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 5;
};
ERROR:
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="Sophos Health Service")->stopservice()
Method execution successful.
Out Parameters:
ERROR:
instance of __PARAMETERS
{
ReturnValue = 5;
};
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="Sophos MCS Agent")->stopservice()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 5;
ERROR:
};
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="Sophos MCS Client")->stopservice()
Method execution successful.
ERROR:
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 5;
};
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="Sophos Safestore Service")->stopservice()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 5;
};
ERROR:
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="Sophos System Protection Service")->stopservice()
Method execution successful.
ERROR:
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 5;
};
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="Sophos Web Control Service")->stopservice()
Method execution successful.
ERROR:
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 5;
};
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="swi_filter")->stopservice()
Method execution successful.
ERROR:
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 5;
};
Executing (\ASUS\ROOT\CIMV2:Win32_Service.Name="swi_service")->stopservice()
Method execution successful.
ERROR:
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 5;
};
ERROR: ERROR: The process "ALMon.exe" not found.
ERROR: ERROR: The process "ALsvc.exe" with PID 6408 could not be terminated.
ERROR: Reason: Access is denied.
SUCCESS: The process "swi_fc.exe" with PID 4716 has been terminated.
ERROR: ERROR: The process "swi_filter.exe" with PID 6744 could not be terminated.
ERROR: Reason: Access is denied.
ERROR: ERROR: The process "spa.exe" not found.
@xenek commented on GitHub (Sep 2, 2020):
To try something different, I restarted in safe mode (command prompt only); (btw this is Win10 Home, w/ latest updates as of 20200903 afaik)
then I ran the exe a few times (failed, had to Ctrl-C the stopped removal process each time),
then I typed in explorer and from the desktop in safe mode tried to remove Sophos through Apps & Features a few times (failed, no internet),
then...
restarted in normal mode,
then I tried to reinstall Sophos, and it worked!
Full install went through.
Sophos now fully functional, and has been added to the personal Sophos client list in the web app.
Now to try removing again, and see if the full uninstaller removes correctly...
@xenek commented on GitHub (Sep 3, 2020):
Confirming that Sophos removal was successful, and also that it didn't detect the removal tool as a virus prior to running it. Ran Malwarebytes; it didn't find any threats. Ran Trend Micro; it identified the exe in this GitHub account as a virus:
TROJ_GEN.R002C0DG520
Trend Micro also detected another file, unRlG+wx.exe.part, in appdata/local/temp with a timestamp that's pretty close to when I ran the exe.
Anyway, back to the main removal exe here:
VirusTotal says 47/67, so there's some opportunity for it not being a virus, and the fact that it's trying to remove and disable Sophos (even though there's a pretty transparent PowerShell script that I could have run) suggests it's a good candidate for a false positive.
Other interesting incidentals: Trend Micro hasn't stopped me from restoring it from quarantine, and I've been able to upload it to a few sites now. Perhaps of most interest is the CAPE tool, which I've not used before. It seems to provide an analysis that's easy to interpret, relatively speaking.
https://www.capesandbox.com/analysis/54577/
Even though much of the analysis seems alarming, at the end it looks mostly legit.
A quick note to ayeskatalas: thanks, I didn't have to reinstall Windows to remove the broken AV. Could you add some notes about what the exe is for, though?