Sophos Anti-Virus for Windows: further steps when removing problem files
While in most cases it is possible to remove threats centrally with Enterprise Console, or locally with Sophos
These instructions assume that the affected computer is running Windows 2000, Windows XP or Windows 2003, but many of the steps are similar for Windows 95/98/Me and Windows NT. The methodology would also be similar for other operating systems.
The word Trojan is used here to cover any worm, virus, Trojan or other unwanted application that is proving difficult to remove.
What to do
While cleaning the infected computer, use an uninfected computer for internet searches, downloading utilities, etc. Save any tools to floppy disk or CD, then write-protect the disk or, on a CD, close the session before taking the CD to the affected computer.
1. Survival or reinfection?
First, you need to know whether the computer is being reinfected from outside, or if the Trojan has somehow survived the scan on the computer. Read the virus analysis for possible clues to the problem, and check the following:
- Is the computer linked to the internet?
- Is the computer linked to the local network (LAN)?
- Have you removed or disabled any wireless network cards?
- Is a USB card, removable drive, or other peripheral with a memory, plugged into the computer?
- Have you checked that there are no CDs or floppy disks in its drives?
Unplug the computer from any networks, including the internet, and remove any cards, drives, disks and peripherals. Then repeat the scan. If the Trojan is removed, ensure that your computer is fully patched, and that all of your security software is up to date. See Returning your computer to normal use.
If the computer is already completely isolated from other computers and external media, and it is still infected when rebooted, or files can't be removed in Safe Mode with Command Prompt, go straight to part 5.
2. USB card or removable drive
It is possible that the source of infection is on media that you may not be scanning, and that access to that medium takes place when the computer starts up. Media to check for include USB cards and removable drives. To be completely safe, also detach mobile phones, digital cameras, printers, and other peripherals with memories.
- Remove the medium.
- Run another scan.
- Check to see if the computer is reinfected when it reboots.
- If it is not, either reformat the relevant card or drive, or carefully disinfect it on another computer. Where possible, use a computer with a different operating system, like a Mac.
If the problem appears to be another piece of equipment, restart it. Then check any memory cards, etc. that it uses. Backup any data on the card (e.g. photos to CD), then reformat the memory card.
Your phone, camera, etc. cannot be affected by the Trojan; it is acting as an immune 'carrier'. So take your time when backing up your data.
If the Trojan is removed, ensure that your computer is fully patched, and that all of your security software is up to date. See Returning your computer to normal use.
3. Local network
If there are any other computers on your network, check them for Trojans. Ensure that you scan shared folders or directories used by other computers, for example, shared folders on Macs, Samba shares on Linux computers, or NetWare shares.
If the Trojan is removed, ensure that your computer is fully patched, and that all of your security software is up to date. See Returning your computer to normal use.
4. Reinfection from the internet
If infection appears to have come from the internet via a wireless card, or through a cable, you will need to block the source of infection before going back to the internet.
- Wireless cards and networks
You will need to perform a complete security check of your network. For a start, change the username and password from the defaults for your router, and ensure that you use a strong password. Check your wireless system documentation, the Microsoft website, and the internet generally for hints on hardening your wireless network. This is a fast moving sector. Useful search terms are 'wireless', 'security' and 'wi-fi'. - Internet connections
If your computer is becoming reinfected from the internet, check the security of your internet connection. As well as anti-virus software, you should also use a firewall, particularly with 'always on' connections like ADSL or other broadband systems. Either use a software personal firewall, or a use router which also acts as a firewall. Do not get a firewall/router with wireless networking unless you need this feature.
If a browser hijacker has infected your computer, you could install an alternative web browser before using the internet again. Do not import settings and saved pages when doing this.
See below for other hints on counteracting the effects of browser hijackers.
5. Problems resident on the local computer
If the problem file lies on the local computer, you need to know if it could not be deleted, or if it is somehow recreating itself.
Before you follow the advice below:
- Where possible, back up all of your data (documents, spreadsheets, photographs, email address book etc.) to CD or other media.
- Print out the full description (including the advanced section) of the analysis for the threat that is affecting your computer.
It may prove quicker to back up your data and reinstate your computer to its original state than to fully reverse the effects of a Trojan. See reinstalling Windows.
- When you run a scan with SAV32CLI in Safe Mode with Command Prompt, can you detect the Trojan? If you can't, go to part 7.
- If the Trojan is detected, can you delete the file? If you can't, go to part 6.
- If you have got rid of the files, but problems persist, go to part 8.
For more information on using Safe Mode with Command Prompt, see basic DOS commands.
6. File not deleted
If the file could not be deleted by a scan in Safe Mode with Command Prompt, it is being held open by the operating system, or it is in System Restore.
On Windows XP or Windows Me, you can purge System Restore at the command prompt.
You might be able to remove the file manually by using the Windows recovery console:
Alternatively, in some circumstances you can prevent the file from starting when the computer boots. See registry entries below.
7. File not detected
Threat files are usually executables (programs). However, there are some tricks that can be used to convert another file type into an executable file before running it. If a scan of executable files in Safe Mode with Command Prompt does not detect the threat file, try an 'all files' scan that does not delete anything first time around.
To run a logged 'all files' scan with SAV32CLI type
SAV32CLI -ALL -P=C:\LOGFILE1.TXT
Take care if you remove files with an 'all files' scan. You might remove mailboxes with one infected email in them, or archive files containing only one infected file among many others. Moreover, such files are unlikely to have been the source of infection. To remove and log files with an 'all files' scan, type
SAV32CLI -ALL -REMOVE -P=C:\LOGFILE2.TXT
For extra information on using SAV32CLI, see Scanning options with SAV32CLI.
Once you have got rid of the file, you should still try to find out what was starting it. This will reduce the chance of reinfection. See below.
8. Removing registry entries
Registry entries will probably have been added or changed by the Trojan. These could call something that you can't find.
- Please read the warning about editing the registry.
- You can access the registry in Safe Mode with Command Prompt by typing '
regedit', or 'regedt32'. - Check the virus analysis and remove any entries that are said to have been created by the Trojan.
If you cannot remove any particular registry entry, change the permissions on that entry, and then remove it.
If you can't open the registry, and the virus analysis says that a particular registry entry might prevent you from doing so, copy and import that entry from an unaffected computer. If you can now get access, remove the other entries.
9. Changing registry entries
Where the Trojan has changed a registry entry
- check the virus analysis for which registry entries are affected
- copy the changed entries from another computer
- import the entries.
Ensure that you import the entry from a computer with exactly the same operating system as the affected computer.
This may work even if you cannot otherwise obtain access to the registry.
10. Other methods of starting
Check any copies of the following files for references either to the Trojan, or to websites it uses:
- autorun.inf
- HOSTS
- autoexec.bat
- config.sys
If necessary, copy them to a floppy disk, make a backup, edit them in Notepad on another computer, and then replace the originals on the affected computer.
11. Disk Cleanup and System Restore
Use Disk Cleanup to remove the temporary files that something might be hiding in. Type the following at the command prompt, then follow the on-screen instructions:
Cleanmgr
Ensure that the following are selected for removal:
- Downloaded Program Files
- Temporary Internet Files
- Temporary Files
- Recycle Bin
Trojans can also hide in the System Restore files on Windows XP and Windows Me. To access System Restore in Safe Mode with Command Prompt on Windows XP, type
<Windows_folder>\system32\restore\rstrui.exe
where <Windows_folder> is the name of your Windows folder (usually 'Windows' on Windows XP). Then purge and reset System Restore.
12. Returning your computer to Windows
When you restart your computer in Windows for the first time after disinfecting, you can disable the startup applications by holding down the shift key when logging on. Check your startup folder and start menu.
Run another scan with anti-virus software for a final check.
13. Returning your computer to normal use
Before returning your computer to normal use, check the following:
- ensure that your computer is fully patched (use Windows Update and the Microsoft Baseline Analyzer)
- check that all of your security software is up to date
- check your firewall (install a hardware or personal firewall if you haven't already got one)
- check that your shared folders are only accessible to the people you want to use them
- check the Windows Security Center settings in Windows XP, including those of the Windows Firewall.
You can only use Windows Update with Internet Explorer version 5 or above. If necessary, use another computer or browser to download the patches and service packs that you need from the Microsoft Download Center. Then save them to CD, and install them from there.
14. Browser hijackers
Some Trojans hijack your web browser (usually Internet Explorer) so that your computer will visit their website and become reinfected.
Try the following
- Temporarily install a different web browser, and set it as your default browser, until you have sorted out the problem. Do not import any settings or saved pages when installing.
- Search for the file 'Iereset.inf' and replace it with a copy from another computer with exactly the same operating system. If present, this file will be in one of the Windows folders.
- You can access many of the Internet Explorer settings from within Safe Mode with Command Prompt. At the command prompt, type:
Inetcpl.cpl
Select the Programs tab and click 'Manage Add-ons' to disable unwanted plug-ins.
15. Useful tools and information
The following Windows tools are useful when troubleshooting:
Msconfig
This configuration tool is available in Windows XP and Windows 98, but not in Windows 2000. To run it in Windows, select Start|Run, and type
Msconfig
Msconfig allows you to do the following
- You can disable programs that run on startup in the Startup tab.
- To identify all non-Windows services, click the Services tab and select 'Hide All Microsoft Services'. The remaining services do not belong to Windows (most of them will belong to your legitimate software).
- If Windows will not restart in Safe Mode, you can set this in the BOOT.INI tab. Select '/SAFEBOOT/' and 'Minimal'.
Msinfo32 and Winmsd
Msinfo32 and Winmsd will generate detailed reports on your system that can be useful in troubleshooting. One or the other works in Windows 2000, XP and 2003. To run them in Safe Mode with Command Prompt, type 'Msinfo32' or 'Winmsd'.
Information sources
The following Microsoft articles and tools can be used to help secure your computer:
- Improve the safety of your browsing and e-mail activities
- Setting Up Security Zones
- Malicious Software Removal Tool
- Microsoft Baseline Security Analyzer
- Description of Windows XP and Windows Server 2003 System File Checker (Sfc.exe)
- How to: Use a Script to Change Registry Permissions from the Command Line
- How To Set Advanced Settings In Internet Explorer by Using Group Policy Objects
Finding files at the command prompt
If you need to find a file in Safe Mode with Command Prompt, type:
C:CD \DIR <filename> /S
This takes you to the root of the C: drive, then searches for the file <filename> the root folder and all its subfolders. To search for the file <filename> in all folders even if it has the attribute 'hidden', type:DIR <filename> /S /AH
For more information on using the command prompt, see basic DOS commands.
16. If you need to contact Sophos
If you still can't remove the Trojan, and are contacting Sophos about it, answer as many of the following questions as possible when contacting us. This will enable faster analysis of the problem.
Basics
- What does Sophos
Anti-Virus detect the problem file(s) as? - What operating systems are the computers running?
- How many computers are affected?
- Where (which folder) is the problem file detected?
Method of survival
- If the Trojan can be removed but comes back, when does it come back?
- even when the computer is isolated from all networks?
- at the point when the computer is reconnected to the network?
- when an application (e.g. Internet Explorer) is launched?
- Is the file locked so it can't be removed (either with SAV32CLI or manually)?
Other points
- Can you kill (stop) the Trojan process in Task Manager? Does the Trojan then restart?
Logs and other information sources
- Include any relevant Msinfo32 or Winmsd report.
- Include your SAV32CLI or other scan logs.
New threats
If you think that you have got a new type of Trojan, or the file that you are having problems with is of the type '-Fam' or '-Gen', send us a sample.
Reinstalling Windows
You might find it easier to reinstall Windows than to cope with the side effects of Trojan infection. Before reinstalling, back up all of your data (e.g. to CD or DVD) - you never know which bits you will need.
You could have three different types of original system disk
- a Windows CD from Microsoft
- a manufacturer's recovery CD
- recovery CDs or DVDs that you made yourself when you first installed the computer.
The last two types will remove all of your existing data when you restore your computer. This will get rid of the Trojan, but it will also remove all work that you have done on that computer, and any programs, drivers, service packs and patches that you installed.
If you 'reinstall' from a Microsoft Windows CD, it may perform a repair, rather than running a reinstallation. This could leave an active Trojan on the hard drive. In these circumstances, reformat your hard drive before installing Windows. This will remove the Trojan along with any programs, drivers, service packs and patches that you installed.
Once you have reinstalled Windows, ensure that your computer is adequately protected before returning it to normal use.
If you need more information or guidance, then please contact technical support.
- Article ID: 14443
- Created: 14 Feb 2006
- Last updated: 3 Mar 2006
