On Windows NT/2000/XP/2003, Sophos Anti-Virus may be unable to delete files because they are held open by the operating system. To delete these files, you might need to use the command line scanner SAV32CLI.
Note: Please read Scanning options with SAV32CLI for more information about the other options you can use when running SAV32CLI.
What to do
1. Back up important data
If the infected computer has valuable data on it, back up the data to CD or DVD or a USB device before removing any malicious software. The infection might deteriorate to a point where you could no longer access the operating system, or you may damage the computer during disinfection.
2. Remove the computer from the network
Unplug the network cable or internet device from the computer.
3. Prepare the files necessary to run SAV32CLI
Move to an uninfected Windows computer, and do as follows:
- Click this link to download sav32sfx.exe, a self extracting zip file which contains SAV32CLI. (See step 3 below.)
- Download the latest virus identity (IDE) files.
- If the infected computer is running Windows NT/2000, download the self-extracting executable file as you may not have a locally installed unzipping utility.
- If the infected computer is running Windows XP/2003/Vista, download either the self-extracting executable file or the zip file.
- Double-click the sav32sfx.exe file and extract to C:\SAV32CLI\ (this folder will be created).
- Add the latest IDEs to the C:\SAV32CLI\ folder. Depending on which file you downloaded move either the self-extracting executable file or the zip file to the newly created C:\SAV32CLI folder.
- If you downloaded the self-extracting executable file, double-click the downloaded file to extract the contents into the SAV32CLI folder.
- If you downloaded the zip file, double-click the downloaded file and to extract the contents into a SAV32CLI folder using a local unzipping utility.
- Copy C:\SAV32CLI folder to a medium that can be write-protected (the example here uses a CD - be sure to close the session once you've written the CD).
Note: If you do not have access to a CD or DVD rewriter device and Sophos is already installed on the infected machine, please restart the computer in minimal system or safe mode from a command prompt (see Step 4 below) then follow the instructions in step 5. This option is not as secure as running SAV32CLI from a CD-R or DVD-R, as no data can be altered.
4. Using a minimal system or Safe Mode with Command Prompt
Move to the infected computer.
If it is not already running in Safe Mode with Command Prompt, switch to that mode now, as follows:
- Confirm you know the username and password of a local administrator account on the infected computer.
- Restart the computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually. Instead of Windows loading normally, the Advanced Options Menu will appear.
- Select the option to run 'Windows in Safe Mode with Command Prompt' and press Enter.
- Select your account if it has administrator privileges, or click on Administrator and enter the administrator password.
Now run SAV32CLI as described below.
5a. To run SAV32CLI from a CD-ROM from safe mode
Place the CD you made in the CD drive (D: in this example).
- At the command prompt type
to access the CD drive.
to move to the SAV32CLI directory.
- Then type:
SAV32CLI -REMOVE -P=
to remove the malicious file(s) and create a log file of the scan in the root of the C: drive.
- Press 'Y' when asked if you want to remove files.
5b. To run the locally installed copy of SAV32CLI from safe mode
NOTE: Please follow the steps from point four above to enter safe mode
- At the command prompt type
cd c:\ to access the C: drive.
cd program files \sophos\sophos anti-virus to move to the Sophos Anti-Virus program folder.
SAV32CLI -REMOVE -P=C:\LOGFILE2.TXT to remove the malicious file(s) and create a log file of the scan in the root of the C: drive.
- Press Y when asked if you want to remove the files.
6. Other instructions
Before leaving Safe Mode, edit any registry entries mentioned in the virus analysis recovery instructions. (To open the Registry Editor, type '
regedit'.) Please read the warning about editing the registry.
If problems persist on the infected computer, read the troubleshooting article on removing problem files.