Affected Operating Systems
Recovery Instructions:
Please follow the instructions for removing Trojans.
Windows 95/98/Me
If Sophos Anti-Virus is not already installed on the computer, either use the DOS version from the DOS folder on the Sophos CD, or download it and extract it. Copy the files into a C:\Sophtemp directory on your computer.
Restart the computer in DOS mode
- On Windows 95/98 go to the Start menu and select Shut Down. Choose the option 'Restart the computer in DOS mode'.
- On Windows Me create a startup disk and boot from that. Go to Start|Settings|Control Panel. Click 'Add/Remove Programs', select the 'Startup Disk' tab and click the 'Create Disk' button. When you have created the startup disk, write-protect it and boot from it. Remove the floppy disk from the A: drive.
Change to the SWEEP directory.
- If you have a full Sophos Anti-Virus installation type
CD C:\PROGRA~1\SOPHOS~1
(alternatively CD C:\PROGRA~1\SOPHOS~2). Type DIR *.TXT to check that the file READ95.TXT is listed (if it is not, try the alternative directory).
- If you are using the Sophtemp directory type
CD C:\SOPHTEMP
To delete the Trojan files type
SWEEP C: -REMOVEF -P=LOGFILE.TXT
Reboot to Windows.
You will need to edit the following registry entry, if it is present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and remove any reference to any file you deleted.
Close the registry editor.
Windows 2000/XP
Restart the computer in Safe Mode. Go to Start|Shut Down. Select Restart from the drop-down list and click OK. Windows will restart. Press F8 when you see the following text at the bottom of the screen: "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu select the third option, 'Safe Mode with Command Prompt'.
If Sophos Anti-Virus is not already installed on the computer, either use SAV32CLI from the Sophos CD or download an emergency copy on an uninfected computer, extract it and write it to CD.
At the command prompt type
CD C:\Program files\Sophos SWEEP for NT
(or, if you are using a CD, insert it and type CD D:\WIN32\I386\SAV32CLI or CD D:\SAV32CLI).
Then type:
SAV32CLI -REMOVE -P=C:\LOGFILE.TXT
to remove the Trojan.
Check to see if all of the Trojan files have been deleted. If they have not, the file names and paths will be in LOGFILE.TXT. Change to the directory where each Trojan file is and type
ATTRIB -S -H TROJAN.EXE
where 'TROJAN.EXE' is the name of the Trojan.
Then run another scan with SAV32CLI as above to remove the remaining files.
You will need to edit the following registry entry, if it is present. Please read the warning about editing the registry.
Type
REGEDIT
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and remove any reference to any file you deleted.
Close the registry editor.
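One way to find the Run entries that still reference a deleted file before removing them in Regedit, as an added example that is not part of the original Sophos instructions. It assumes a Windows system with PowerShell installed; the $DeletedFiles parameter, the Get-CommandTarget helper and the sample path are hypothetical, and the paths are copied by hand from LOGFILE.TXT because the log layout is not shown on this page.

```powershell
# Added example: read-only check of the HKLM Run key for entries that still
# reference a file removed by the scan. It lists entries; it deletes nothing.
param(
    # Assumption: full paths of the deleted files, copied by hand from LOGFILE.TXT.
    # The value below is a constructed sample, not a real detection.
    [string[]]$DeletedFiles = @('C:\WINDOWS\SYSTEM\TROJAN.EXE')
)

$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-CommandTarget([string]$CommandLine) {
    # A Run value is a command line: the program may be quoted and take arguments.
    $text = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($text -match '^"([^"]+)"') { return $Matches[1] }
    if ($text -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    return ($text -split '\s+')[0]
}

$key = Get-Item -Path $runKey -ErrorAction Stop
foreach ($name in $key.GetValueNames()) {
    $command = [string]$key.GetValue($name)
    $target  = Get-CommandTarget $command
    $reasons = @()

    foreach ($file in $DeletedFiles) {
        # Match the full path or the bare file name, ignoring case, anywhere in
        # the command line (covers DLLs passed as arguments to a loader).
        $leaf = Split-Path -Path $file -Leaf
        foreach ($needle in @($file, $leaf)) {
            if ($command.IndexOf($needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $reasons += "references deleted file $file"
                break
            }
        }
    }
    # Only test existence for rooted paths; bare names are resolved via PATH.
    if ([IO.Path]::IsPathRooted($target) -and -not (Test-Path -LiteralPath $target)) {
        $reasons += "target not found on disk: $target"
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Name = $name; Command = $command; Reason = $reasons -join '; ' }
    }
}
```

An entry written with an 8.3 short name (such as PROGRA~1) may not match a long path given in $DeletedFiles, so compare the output with LOGFILE.TXT by hand.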
Windows NT
Please contact technical support.
Other platforms
Please read the instructions for removing Trojans.