These instructions tell you how to use Sophos Anti-Virus for Windows to remove viruses, Trojans, worms, spyware and similar programs on the local computer. Other articles cover:
Note: In the notes below, 'virus' is used to refer to any virus, spyware, Trojan, worm or other malicious software.
Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Windows 2000+ 7.6.21
What To Do
If the virus has just arrived in an email, or has been dropped by another computer (e.g., written to disk but not run), it may not have infected your computer. Delete the file or email, either manually or with Sophos Anti-Virus. Then run a scan to check that there are no further virus files.
More than one infected file
If you find more than one infected file, you should review the situation before further action. You may need access to the internet from an uninfected computer to check the virus analysis for disinfection instructions.
- If the files have come from an internet or local network connection, and the problem appears to be getting worse, break the connection. For example, shut down your modem, or unplug your internet or LAN connection.
- If the problem appears to be a virus (not a Trojan or worm) which is infecting system files fast, concentrate on getting rid of that virus first. Find out its name, and check the virus analysis for the disinfection instructions. Follow those instructions.
- If you have no backups, and the problem does not appear to be getting progressively worse, you should back up your important files to CD (or something else) immediately. Then disinfect. You can recover uninfected files from that CD later.
Run a scan with Sophos Anti-Virus. Use the default settings for this scan. Take note of what is infected, and where it is. Check through the relevant virus analyses.
- If your computer is connected to the internet, you can click on the name of the virus in the on-screen log to get access to the virus analysis.
- If your computer is disconnected from the internet, save the log file to the hard drive or floppy disk. You can then print it out, or read it from a text editor.
Having assessed the virus problem, or if the scan appears to be taking a very long time, check the following:
- Run a scan with cleanup. In most cases this will remove the virus, and rectify any changes it made.
- Do you have a large number of infected files in your Temporary Internet Files? If so, remove those files before disinfecting. It will save you a lot of time. See article 39303 or, for a more thorough clean up of your computer's temporary folders, see step 11 in article 14443.
- Do the disinfection instructions in the virus analysis tell you to contact support? If so, contact support before removing any other files.
- If you broke off scanning to do the above, now run a scan of the complete system. If this scan still runs extremely slowly, disinfect the computer with a command line scanner (e.g., SAV32CLI).
Disinfecting and deleting files
Disinfect and remove files in the following order:
- If the virus analysis mentions one of the following
  - Disabling the registry editor (or registry tools)
  - Disabling the task manager
  - If the virus runs itself before running any executable (.EXE) file
  disinfect or remove that virus with a command line scanner, e.g. SAV32CLI, using the instructions in the virus analysis. Do not delete any other virus files with that scan, as you may remove useful files that could have been disinfected.
- Disinfect any program files that can be disinfected. A program file can be infected more than once, so you should run a series of scans. Make a log for each scan.
  - Note how many infected files remain.
  - If the number of files has increased, contact technical support.
  - Make a note of any files with macro viruses disinfected during this scan. You should check the virus analysis later to see if your data might have been corrupted.
  - If the number of infected files has decreased, repeat the scan.
  - If the number of infected files is the same as after the last scan, you must delete the remaining files. See the next section.
- Delete the remaining virus, worm and Trojan files.
  - Set Sophos Anti-Virus to delete the remaining infected files.
  - If any files remain after this, delete them with a command line scanner.
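The rule for comparing successive disinfection scans, as a small Python helper. This is an added example, not Sophos code: the `>>> Virus '...' found in file ...` line shape and the sample logs are assumptions constructed for illustration, and the list of newly infected paths and the "nothing left" result go beyond the count-only rule in the steps above.

```python
import re

# Assumed detection-line shape (not taken from the article); adapt to your saved log.
DETECTION = re.compile(r"^>>> Virus '(?P<name>[^']+)' found in file (?P<path>.+)$")

def parse_log(text):
    """Return {lower-cased path: set of virus names} for one saved scan log."""
    found = {}
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            # A file can be infected more than once, so count files, not detections.
            # Windows paths are case-insensitive, hence lower().
            found.setdefault(m["path"].lower(), set()).add(m["name"])
    return found

def next_step(previous_log, current_log):
    """Compare two successive scans; return (action, newly infected paths)."""
    prev, cur = parse_log(previous_log), parse_log(current_log)
    new_paths = sorted(set(cur) - set(prev))  # infected now, clean in the last scan
    if not cur:
        action = "no infected files remain"  # case not spelled out in the article
    elif len(cur) > len(prev):
        action = "contact technical support"
    elif len(cur) < len(prev):
        action = "repeat the scan"
    else:
        action = "delete the remaining files"
    return action, new_paths

# Constructed sample logs (virus names and paths are placeholders).
SCAN_1 = r"""
>>> Virus 'Sample-A' found in file C:\Tools\a.exe
>>> Virus 'Sample-A' found in file C:\Tools\b.exe
>>> Virus 'Sample-B' found in file C:\Tools\b.exe
>>> Virus 'Sample-C' found in file C:\Docs\report.doc
"""
SCAN_2 = r"""
>>> Virus 'Sample-B' found in file C:\Tools\b.exe
>>> Virus 'Sample-C' found in file C:\Docs\report.doc
"""
SCAN_3 = SCAN_2  # third scan made no further progress

if __name__ == "__main__":
    print(next_step(SCAN_1, SCAN_2))
    print(next_step(SCAN_2, SCAN_3))
```

A non-empty list of new paths alongside an unchanged or falling count means the infection is still spreading even though the totals look stable.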
After disinfection, install any necessary patches. It may be best to download them and write them to CD on another computer which is not vulnerable to infection.
- Logging a scan - see 'Logging: Viewing the log for an on-demand scan' in the user manual or help system.
- Deleting or disinfecting files - see 'Cleaning up' in the user manual or help system.
- Using quarantine - see 'Managing quarantine items' in the user manual or help system.