Removing Trojans
1. Using Enterprise Console2. Sophos Anti-Virus for Windows, version 7
3. Windows 95/98/Me
4. Macintosh OS X computers
5. NetWare
6. Linux
7. UNIX
8. OpenVMS
Trojans infect computers, but do not infect files. They can simply be identified and deleted. However, they often make registry or startup file changes so that they are executed on boot-up. Check the threat analysis for details of such behavior.
1. Using Enterprise Console
You can remove Trojans over a network using Enterprise Console.
2. Sophos Anti-Virus for Windows, version 7
To remove a Trojan:
- Close down all programs.
- Go to Start|Programs|Sophos|Sophos Anti-Virus and run the 'Sophos Anti-Virus' program.
- In the 'Available scans' list, select the scan for which you want to enable removal, or use 'Setup a new scan' to scan your local disks. (Do not select a scheduled scan, as you will not be able to run this manually.)
- Click Edit|Configure this Scan.
- Select the Cleanup tab and select 'Automatically clean up items that contain virus/spyware'. Click Apply|OK.
- Click 'Save and Start' to save the scan, and run it immediately.
- At the end of the scan, click the link in 'Items passed to Quarantine' to open Quarantine manager.
- Select any items needing removal.
- From the 'Perform action' dropdown, select 'Delete'.
- Select 'Yes' or 'Yes to all' to delete files.
- Run another scan to ensure that the file has been removed.
- Click Edit|Configure this Scan.
- Select the Cleanup tab and deselect 'Automatically clean up items that contain virus/spyware'. Click Apply|OK.
If Sophos Anti-Virus cannot delete files because they are held open by the operating system, make a note of the names of the files, then do as follows.
- Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Copy the SAV32CLI folder produced onto a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD/R or CD/RW close the session).
- Restart the computer in Safe Mode. Go to Start|Shut Down. Select 'Restart' from the dropdown list and click 'OK'. Windows will restart. Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu, select the third option 'Safe Mode with Command Prompt'.
- At the affected computer, place the CD in the CD drive (D: in this example).
At the command prompt type
D:
to access the CD drive. Type:CD SAV32CLI
Then type:SAV32CLI -REMOVE -P=C:\LOGFILE.TXT
to remove the file. - Before leaving Safe Mode, edit any registry entries mentioned in the analysis recovery instructions. If problems persist, contact support.
3. Windows 95/98/Me
To remove a Trojan:
- Check the threat analysis for details on the Trojan and its removal.
- Go to Start|Programs|Sophos Anti-Virus and run the Sophos Anti-Virus program.
- Select the Immediate tab.
- Go to Options|Configuration. Select the 'Disinfection' or the 'Action' tab, (according to what is displayed in your window) select 'Infected files', select 'Delete' then click 'OK'.
- Click the green 'scan' arrow, or the 'GO' button (as appropriate) to run the scan.
- Delete the files. Run another scan to check it has gone.
- Go back to Options|Configuration. Select the 'Disinfection' or the 'Action' tab, then deselect 'Infected files' and 'Delete'. Click 'OK'.
- Reboot and run a final scan to be certain it has gone.
If the Trojan cannot be removed because the files are held open by the operating system:
- Reboot the computer from a clean startup or system disk.
- Delete the file manually, or using the following DOS instructions:
You will need SWEEP for DOS on floppy disk. To do this, make a set of Emergency SAV disks.
- Check the threat analysis for details on the Trojan and its removal.
- Reboot your PC from a clean system disk, put the SWEEP for DOS disk in the floppy drive and at the A: prompt type:
SWEEP *: -REMOVEF
4. Macintosh OS X computers
To remove a Trojan:
- Check the threat analysis for details on the Trojan and its removal.
- Close down all programs.
- Run the Sophos Anti-Virus program.
- Go to 'Sophos Anti-Virus|Preferences'.
- Choose 'Disinfection' from the 'Immediate Mode' menu.
- Select 'Action on Infected Files' and 'Delete'.
- Close 'Sophos Anti-Virus preferences'.
- Click the green 'Play' arrow button.
- Click 'OK' when asked if files should be deleted.
- Run another scan to ensure that the Trojan has been removed.
- Go back to 'Disinfection settings' and deselect 'Action on Infected Files' and Delete.
- If problems persist, contact support.
5. NetWare
Note: This will delete any documents infected with macro viruses. Deal with them first.
- Check the threat analysis for details on the Trojan horse and its removal.
- Run a scan to locate all Trojan files.
- Select 'Delete' in the Removal mode option of the Immediate Mode menu.
- Delete the Trojan files.
6. Linux
- Check the threat analysis for details on the Trojan and its removal.
- Use savscan with the -remove option
savscan -remove
- Run a scan to check that Trojan infected files were deleted.
7. UNIX
- Check the threat analysis for details on the Trojan and its removal.
- Use SWEEP with the -remove option
sweep -remove
- Run a scan to check that Trojan infected files were deleted.
8. OpenVMS
- Check the threat analysis for details on the Trojan and its removal.
- Delete the Trojan files by running VSWEEP from DCL using the command line qualifier '/REMOVEF'.
- Note: '/REMOVEF' does not prompt for confirmation before deletion and should be used with caution.
For details on the use of these command line qualifiers and sample batch files using them, see the Sophos Anti-Virus for OpenVMS
