How to disinfect PE viruses (Portable Executable)

  • Article ID: 112991
  • Updated: 11 Apr 2013
The Sophos Malware Remediation Tool (SMaRT) provides a detailed step-through process for cleaning up malware infections on Windows 2000 and above. Details are in knowledgebase article 116418.

Note: The instructions below do not apply to all executable file viruses.

For more general information, refer to the following:

Check the virus analysis of any individual virus for full details of how it should be treated. If a virus identity file (IDE) is necessary, download and save it to floppy disk/CD.

  1. Using Enterprise Console, Enterprise Manager, or Sophos Control Center
  2. Disinfecting PE viruses with Sophos Anti-Virus for Windows, versions 7 and 9
  3. Disinfecting PE viruses in Windows NT/2000/XP/2003
  4. Disinfecting or removing PE viruses on other platforms

1. Using Enterprise Console, Enterprise Manager or Sophos Control Center

You can disinfect PE viruses over a network using Enterprise Console/Enterprise Manager or Sophos Control Center.

2. Disinfecting PE viruses with Sophos Anti-Virus for Windows, versions 7 and 9

To disinfect a PE virus, on the affected computer:

  • Close down all programs.
  • Go to Start|Programs|Sophos|Sophos Anti-Virus and run the 'Sophos Anti-Virus' program.
  • In the 'Available scans' list, select the scan for which you want to enable removal, or use 'Setup a new scan' to scan your local disks. (Do not select a scheduled scan, as you will not be able to run this manually.)
  • Click Edit|Configure this Scan.
  • Select the Cleanup tab and select 'Automatically clean up items that contain virus/spyware'. Click Apply|OK.
  • Click 'Save and Start' to save the scan, and run it immediately.
  • At the end of the scan, click the link in 'Items passed to Quarantine' and open Quarantine manager.
  • Select any items needing disinfection.
    • From the 'Perform action' dropdown, select 'Cleanup'.
    • Select 'Yes' or 'Yes to all' to disinfect files.
  • Any remaining items should be deleted.
    • From the 'Perform action' dropdown, select 'Delete'.
    • Select 'Yes' or 'Yes to all' to delete files.
  • Run another scan to ensure that the virus has been disinfected.
  • Click Edit|Configure this Scan.
  • Select the Cleanup tab and deselect 'Automatically clean up items that contain virus/spyware'. Click Apply|OK.

If Sophos Anti-Virus cannot disinfect files because they are held open by the operating system, make a note of the names of the files, then do as follows.

  1. Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder. Copy the SAV32CLI folder produced onto a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD-R or CD-RW, close the session).
  2. Restart the computer in Safe Mode with command prompt.
  3. At the infected computer, place the CD in the CD drive (D: in this example). At the command prompt type

    D:

    to access the CD drive. Type:

    CD SAV32CLI

    Then type:

    SAV32CLI -DI -P=C:\LOGFILE.TXT

    to disinfect the virus.

    All other files must be deleted. Some of these were dropped by the virus and need not be restored. Others should be recovered from backups.

    SAV32CLI -REMOVE -P=C:\REMOVLOG.TXT

    This command writes a report to the root of the C: drive. This report can be used to check which deleted files should be restored from backups.

    In Windows 2000/XP/2003/Vista, when disinfection and deletion have finished, restart the computer in Windows.

    Install or reinstall Sophos Anti-Virus then run an 'All files' scan to check that the virus has gone.

  4. Before leaving Safe Mode, check any registry entries mentioned in the virus analysis recovery instructions, and edit them if necessary. If problems persist, contact support.

3. Disinfecting PE viruses in Windows NT/2000/XP/2003

On a lightly infected computer running Windows NT/2000/XP/2003, where no significant services have become infected, it may be possible to run SAV32CLI from a command prompt with the -DI switch.

First, check the recovery instructions in the virus analysis for any extra measures you should take before (and after) disinfecting. Also, check to see if you need an IDE file. If you do, download it and save it to a floppy disk.

Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder. Copy the SAV32CLI folder produced onto a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD-R or CD-RW, close the session).

Now close down all possible programs and services, then open a command prompt.

On Windows NT

  • Shut down all programs.
  • Go to Start|Settings|Control Panel and double-click 'Services'.
  • Stop as many services as possible using the Stop button.
  • Close and shut down the Control Panel.
  • Press the Ctrl, Alt and Del keys at the same time.
  • Click on 'Task Manager', then select the Processes tab.
  • Select a process and click on 'End Process'. It may or may not end.
  • Repeat this for other processes (including the Windows desktop).
  • After closing all possible programs go to File|New Task (Run) and type 'Cmd'.
  • Close down the Task Manager screen.
  • Insert the write-protected disk from which you are using SAV32CLI.

On Windows 2000 and later

  • Go to Start|Shut Down.
  • Select 'Restart' from the dropdown list and click 'OK'. Windows will restart.
  • Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8".
  • In the Windows 2000 Advanced Options Menu, select the third option "Safe Mode with Command Prompt".
  • When requested, log on as the local administrator.
  • When Windows 2000 (or later) has started in Safe Mode, insert the write-protected disk from which you are using SAV32CLI.

At the command prompt type

E:

where E: is the drive in which you placed the SAV32CLI disk.

Type:

CD SAV32CLI

Now type:

SAV32CLI -DI -P=C:\VIRUSLOG.TXT

to disinfect all fixed drives.

The command above runs SAV32CLI, which scans all of the directories and files on your PC, including subdirectories. Files which the virus has infected are cleaned and a report is made of them in the root of the C: drive. SAV32CLI will disinfect all files that can be disinfected.

All other files must be deleted. Some of these were dropped by the virus and need not be restored. Others should be recovered from backups.

SAV32CLI -REMOVE -P=C:\REMOVLOG.TXT

This command writes a report to the root of the C: drive. This report can be used to check which deleted files should be restored from backups.

In Windows NT when disinfection and deletion have finished, type 'Explorer' to restart the Windows Desktop.

In Windows 2000 or later, when disinfection and deletion have finished, restart the computer in Windows.

Install or reinstall Sophos Anti-Virus, then run an 'All files' scan to check that the virus has gone.

System Restore and Windows XP

Note: This will delete any previously created restore points.

  • Infected files may be found in the System Restore area in Windows XP.
  • Go to Start|Control Panel|Performance and Maintenance.
  • Double-click 'System', then select the System Restore tab.
  • Click to select the 'Turn off System Restore on all drives' box.
  • Click 'Apply'.
  • Click 'Yes'.
  • Now click to clear the 'Turn off System Restore on all drives' box.
  • Click 'OK'.
  • Restart the computer.

If the virus has not gone, contact Sophos technical support.

Infected files may not always be restored to their original state. A file that has been disinfected cannot be guaranteed to function correctly. In order to recover files to their original state, they should be subsequently restored from backups, new media or a clean computer.
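One way to act on this advice after a cleanup run: compare every cleaned executable against its known-good backup copy and flag those that differ or whose PE header no longer parses. This is an added example, not a Sophos tool; the 'cleaned' and 'backup' directory layout and the sample files are constructed for the demonstration.

```python
# Added example, not from the Sophos article: compare cleaned PE files with known-good backups (layout assumed).
import hashlib
import struct
import tempfile
from pathlib import Path

def is_pe_image(data: bytes) -> bool:
    """True if the MZ header's e_lfanew field points at a 'PE\\0\\0' signature."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
    return data[:2] == b"MZ" and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def check_against_backup(cleaned_dir: str, backup_dir: str) -> dict:
    """Map each cleaned file to 'ok', 'restore', 'not_pe' or 'no_backup'."""
    report = {}
    for path in (p for p in Path(cleaned_dir).rglob("*") if p.is_file()):
        rel = path.relative_to(cleaned_dir).as_posix()
        backup = Path(backup_dir, rel)
        data = path.read_bytes()
        if not is_pe_image(data):
            report[rel] = "not_pe"      # header damaged: replace from new media
        elif not backup.exists():
            report[rel] = "no_backup"   # nothing known-good to compare against
        elif hashlib.sha256(data).digest() == hashlib.sha256(backup.read_bytes()).digest():
            report[rel] = "ok"          # byte-identical to the known-good copy
        else:
            report[rel] = "restore"     # disinfected but not identical: restore it
    return report

def make_pe(payload: bytes) -> bytes:
    """Constructed minimal PE-like image: MZ stub, e_lfanew = 0x40, then 'PE\\0\\0'."""
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + payload

def demo() -> dict:
    good = make_pe(b"original code")
    samples = {  # constructed: relative path -> (bytes after cleanup, backup bytes or None)
        "bin/same.exe": (good, good),
        "bin/changed.exe": (make_pe(b"patched by cleanup"), good),
        "bin/broken.exe": (b"MZ only", good),
        "bin/orphan.exe": (good, None),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, contents in samples.items():
            for base, content in zip(("cleaned", "backup"), contents):
                if content is not None:
                    target = Path(tmp, base, rel)
                    target.parent.mkdir(parents=True, exist_ok=True)
                    target.write_bytes(content)
        return check_against_backup(f"{tmp}/cleaned", f"{tmp}/backup")
```

Files reported as 'restore' or 'not_pe' are the ones to take from backup or new media rather than trust as disinfected.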


4. Disinfecting or removing PE viruses on other platforms

PE executable files are Windows 95/98/NT/2000/XP programs. On other platforms in the majority of circumstances, you should delete the infected files and replace them from backups, new media or a clean computer.

Mac OS X

If you find Windows PE viruses on a Mac, the infected files can simply be deleted.

NetWare

Contact Sophos technical support.

Linux

  • Use savscan with the -di option
    savscan -di
  • Delete any remaining infected files with the -remove option
    savscan -remove
  • Run a scan to check that all infected files were disinfected or deleted.

UNIX

  • Use SWEEP with the -di option
    sweep -di
  • Delete any remaining infected files with the -remove option
    sweep -remove
  • Run a scan to check that all infected files were disinfected or deleted.

OS/2

  • At the command line type:
    OSWEEP C: -DI
  • Delete any files that could not be disinfected.
    OSWEEP C: -REMOVEF
  • Run a scan to check that all infected files were disinfected or deleted.

OpenVMS

  • Disinfect the infected files by running VSWEEP from DCL using the command line qualifier '/DI'.
  • Delete any files which could not be disinfected by running VSWEEP from DCL using the command line qualifier '/REMOVEF'.
  • Note: '/REMOVEF' does not prompt for confirmation before deletion and should be used with caution.

DOS

  • At the DOS prompt type:
    SWEEP *: -DIPE
  • Delete any files that could not be disinfected.
    SWEEP *: -REMOVEF
  • Run a scan to check that all infected files were disinfected or deleted.

For details on the use of these command line qualifiers and sample batch files using them, see the Sophos Anti-Virus for OpenVMS manual.

Note: If problems persist, contact Sophos technical support.

 
If you need more information or guidance, then please contact technical support.
