Removing malicious files with SAV32CLI

  • Article ID: 13251
  • Updated: 06 Mar 2014

On Windows operating systems, Sophos Anti-Virus may be unable to delete files because they are held open by the operating system. To delete these files, you might need to use the command line scanner SAV32CLI.

Note: Please read Scanning options with SAV32CLI for more information about the other options you can use when running SAV32CLI.

What to do

1. Back up important data

If the infected computer has valuable data on it, back up the data to CD or DVD or a USB device before removing any malicious software. The infection might deteriorate to a point where you could no longer access the operating system, or you may damage the computer during disinfection.

2. Remove the computer from the network

Unplug the network cable or internet device from the computer.

3. Prepare the files necessary to run SAV32CLI

Move to an uninfected Windows computer, and do as follows:

  1. Download sav32sfx.exe, a self-extracting zip file that contains SAV32CLI. (See step 3 below.)
  2. Download the latest virus identity (IDE) files.
    • If the infected computer is running Windows NT/2000, download the self-extracting executable file as you may not have a locally installed unzipping utility.
    • If the infected computer is running Windows XP/2003 or above, download either the self-extracting executable file or the zip file.
  3. Double-click the sav32sfx.exe file and extract to C:\SAV32CLI\ (this folder will be created).
  4. Add the latest IDEs to the C:\SAV32CLI\ folder. Depending on which file you downloaded, move either the self-extracting executable file or the zip file to the newly created C:\SAV32CLI folder.
    • If you downloaded the self-extracting executable file, double-click the downloaded file to extract the contents into the SAV32CLI folder.
    • If you downloaded the zip file, double-click the downloaded file and extract the contents into the SAV32CLI folder using a local unzipping utility.
  5. Copy the C:\SAV32CLI folder to a medium that can be write-protected (the example here uses a CD; be sure to close the session once you've written the CD).

Note: If you do not have access to a CD or DVD writer and Sophos is already installed on the infected machine, restart the computer in minimal system or Safe Mode with Command Prompt (see step 4 below), then follow the instructions in step 5b. This option is not as secure as running SAV32CLI from a closed CD-R or DVD-R, because on such a disc no data (including the scanner and its IDE files) can be altered by the infection.

4. Using a minimal system or Safe Mode with Command Prompt

Move to the infected computer.

If it is not already running in Safe Mode with Command Prompt, switch to that mode now, as follows:

  1. Confirm you know the username and password of a local administrator account on the infected computer.
  2. Restart the computer.
  3. After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually. Instead of Windows loading normally, the Advanced Options Menu will appear.
  4. Select the option to run 'Windows in Safe Mode with Command Prompt' and press Enter.
  5. Select your account if it has administrator privileges, or click on Administrator and enter the administrator password.

Now run SAV32CLI as described below.

5a. To run SAV32CLI from a CD-ROM from safe mode

Place the CD you made in the CD drive (D: in this example).

  • At the command prompt type
    D:
    to access the CD drive.
  • Type:
    CD SAV32CLI
    to move to the SAV32CLI directory.
  • Then type:
    SAV32CLI -REMOVE -P=%TEMP%\SOPHOS_LOGFILE.TXT
    to remove the malicious file(s) and write a log of the scan to SOPHOS_LOGFILE.TXT in the current user's temporary folder (the folder %TEMP% points to). The log has to go on the hard disk, because the CD is read-only.
  • Press 'Y' when asked if you want to remove files.

5b. To run the locally installed copy of SAV32CLI from safe mode

NOTE: Please follow the steps in point 4 above to enter Safe Mode with Command Prompt first.

  1. At the command prompt, type cd C:\ to move to the root of the C: drive.
  2. Type cd "Program Files\Sophos\Sophos Anti-Virus" to move to the Sophos Anti-Virus program folder (the quotes are needed because the path contains spaces).
  3. Type SAV32CLI -REMOVE -P=C:\LOGFILE2.TXT to remove the malicious file(s) and create a log file of the scan in the root of the C: drive.
  4. Press Y when asked if you want to remove the files.
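The sequence in steps 3 to 5 (confirm the scanner and IDE files are on the medium, run SAV32CLI -REMOVE with the log on the hard disk, then review the log before reconnecting) can be wrapped in a batch file placed in the SAV32CLI folder on the CD. This is an added example, not a Sophos-supplied script; the file name RUN-SAV32CLI.CMD, the log path C:\SOPHOS_LOGFILE.TXT and a cmd.exe from Windows 2000 or later are assumptions.

```batch
@ECHO OFF
REM RUN-SAV32CLI.CMD - assumed helper, not part of the Sophos article.
REM Copy it next to SAV32CLI.EXE and the *.IDE files before writing the CD,
REM then run it from Safe Mode with Command Prompt, e.g.  D:\SAV32CLI\RUN-SAV32CLI
SETLOCAL

REM %~dp0 is the folder this script was started from (e.g. D:\SAV32CLI\),
REM so the scanner on the read-only CD is used, not a copy on the infected disk.
SET SAVDIR=%~dp0
REM The CD cannot be written to, so the log must go on the hard disk (assumed path).
SET LOGFILE=C:\SOPHOS_LOGFILE.TXT

IF NOT EXIST "%SAVDIR%SAV32CLI.EXE" (
    ECHO SAV32CLI.EXE was not found in %SAVDIR%
    EXIT /B 1
)

REM Refuse to scan without IDE files: a scanner without current identities
REM reports a clean machine that may not be clean.
IF NOT EXIST "%SAVDIR%*.IDE" (
    ECHO No IDE files found in %SAVDIR% - add the latest IDEs and rewrite the CD
    EXIT /B 1
)

ECHO Running SAV32CLI from %SAVDIR% (answer Y when asked to remove files)
"%SAVDIR%SAV32CLI.EXE" -REMOVE -P=%LOGFILE%

ECHO.
ECHO Scan finished. Log written to %LOGFILE%
ECHO Review the log below before reconnecting this computer to the network.
TYPE %LOGFILE%
ENDLOCAL
```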

6. Other instructions

Before leaving Safe Mode, edit any registry entries mentioned in the virus analysis recovery instructions. (To open the Registry Editor, type 'regedit'.) Please read the warning about editing the registry.

If problems persist on the infected computer, read the troubleshooting article on removing problem files.

If you need more information or guidance, then please contact technical support.
