In this section

• Home
• Support
• Knowledgebase
• Articles

• Global support information
• Contact support
• Knowledgebase
• Virus disinfection
• Downloads and updates
• Documentation
• Software lifecycle
• Send a sample

• Global Support Services
• Technical Support
• Professional Services
• Technical Training

Removing malicious files with SAV32CLI

After disinfecting infected files with SAV32CLI on Windows NT/2000/XP/2003/Vista, Sophos Anti-Virus may be unable to delete some files because they are held open by the operating system.

Note: Please read Scanning options with SAV32CLI for more information about the other options you can use when running SAV32CLI.

What to do

1. Back up important data

If the infected computer has valuable data on it, back up the data to CD or DVD before removing any malicious software. The infection might deteriorate to a point where you could no longer access the operating system, or you might damage the computer during disinfection.

2. Prepare the files necessary to run SAV32CLI

If you have not already tried disinfecting the computer, move to an uninfected Windows computer, and do as follows:

1. Download an emergency copy of SAV32CLI.
2. Download the latest virus identity (IDE) files.
• If the infected computer is running Windows NT/2000, download the self-extracting executable file.
• If the infected computer is running Windows XP/2003/Vista, download the zip file.
3. If you downloaded the zip file, double-click the downloaded file to extract the contents into a SAV32CLI folder.
4. Copy SAV32CLI.exe and the *_ide.exe file or the SAV32CLI folder to a medium that can be write-protected (the example here uses a CD - be sure to close the session once you've written the CD).

3. Use a minimal system or Safe Mode with Command Prompt

Move to the infected computer.

If it is not already running in Safe Mode with Command Prompt, switch to that mode now. For more details, see Restarting a Windows computer in Safe Mode with Command Prompt. 

4. Run SAV32CLI

Place the CD you made in the CD drive (D: in this example).

• At the command prompt type
  D:
  to access the CD drive.
• Type:
CD SAV32CLI
to move to the SAV32CLI directory.
• Then type:
  SAV32CLI -REMOVE -P=C:\LOGFILE.TXT
  to remove the malicious file(s) and create a log file of the scan in the root of the C: drive.
• Press 'Y' when asked if you want to remove files.

3. Other instructions

Before leaving Safe Mode, edit any registry entries mentioned in the virus analysis recovery instructions. (To open the Registry Editor, type 'regedit'.) Please read the warning about editing the registry.

If problems persist on the infected computer, read the troubleshooting article on removing problem files.

If you need more information or guidance, then please contact technical support.

• Article ID: 13251
• Created: 20 Jun 2005
• Last updated: 5 Feb 2008

Rate this article Choose a rating Very useful Quite useful Moderately useful Not very useful Not useful at all

•  Read our search tips
• Contact one of our experts
• Suggest an improvement