Sophos


Removing malicious files with SAV32CLI

After disinfecting infected files with SAV32CLI on Windows NT/2000/XP/2003/Vista, Sophos Anti-Virus may be unable to delete some files because they are held open by the operating system.

Note: Please read Scanning options with SAV32CLI for more information about the other options you can use when running SAV32CLI.

What to do

1. Back up important data

If the infected computer has valuable data on it, back up the data to CD or DVD or a USB device before removing any malicious software. The infection might deteriorate to a point where you could no longer access the operating system, or you might damage the computer during disinfection.

2. Remove the computer from the network

Unplug the network cable or internet device from the computer.

3. Prepare the files necessary to run SAV32CLI

Move to an uninfected Windows computer, and do as follows:

  1. Download an emergency copy of SAV32CLI.
  2. Download the latest virus identity (IDE) files.
    • If the infected computer is running Windows NT/2000, download the self-extracting executable file.
    • If the infected computer is running Windows XP/2003/Vista, download the zip file.
  3. If you downloaded the zip file, double-click the downloaded file to extract the contents into a SAV32CLI folder.
  4. Copy SAV32CLI.exe and the *_ide.exe file or the SAV32CLI folder to a medium that can be write-protected (the example here uses a CD - be sure to close the session once you've written the CD).

Note: If you do not have access to a CD or DVD rewriter device and Sophos is already installed on the infected machine, please restart the computer in minimal system or safe mode from a command prompt (see Step 4 below) then follow the instructions in step 5. This option is not as secure as running SAV32CLI from a CD-R or DVD-R, because the data on a closed CD-R or DVD-R cannot be altered by the infection.

4. Using a minimal system or Safe Mode with Command Prompt

Move to the infected computer.

If it is not already running in Safe Mode with Command Prompt, switch to that mode now, as follows:

  1. Restart the computer.
  2. After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually. Instead of Windows loading normally, the Advanced Options Menu will appear.
  3. Select the option to run 'Windows in Safe Mode with Command Prompt' and press Enter.
  4. Select your account if it has administrator privileges, or click on Administrator and enter the administrator password.

Now run SAV32CLI as described below.

5. Run SAV32CLI

Place the CD you made in the CD drive (D: in this example).

6. Running SAV32CLI from safe mode

  1. At the command prompt type 'cd c:\' to move to the root of the C: drive.
  2. Type 'cd program files\sophos\sophos anti-virus' to move to the Sophos Anti-Virus program folder.
  3. Type 'SAV32CLI -REMOVE -P=C:\LOGFILE2.TXT' to remove the malicious file(s) and create a log file of the scan in the root of the C: drive.
  4. Press Y when asked if you want to remove the files.
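The following batch file is an added example, not a Sophos script: it ties steps 3, 5 and 6 together by preferring the copy of SAV32CLI on the write-protected CD (D: as in this article), checking that the medium really does reject writes before trusting it, and falling back to the installed copy only when no CD is present. The drive letter, the log path and the installed folder are assumptions taken from this page; SAV32CLI still prompts for Y before removing files.

```batch
@echo off
REM Added example, not Sophos's own script. Assumes SAV32CLI.EXE and its IDE
REM files sit in the root of the write-protected CD (D: on this page), that the
REM computer is already in Safe Mode with Command Prompt, and that the log goes
REM to C:\LOGFILE2.TXT as in step 6. Adjust the three values below if needed.
setlocal
set SCANDRIVE=D:
set LOGFILE=C:\LOGFILE2.TXT
set INSTALLED=C:\Program Files\Sophos\Sophos Anti-Virus\SAV32CLI.EXE

if not exist %SCANDRIVE%\SAV32CLI.EXE goto fallback

REM A closed CD-R rejects writes. If this write succeeds, the medium is NOT
REM write-protected and the scanner files on it could have been tampered with.
echo x > %SCANDRIVE%\wptest.tmp 2>nul
if exist %SCANDRIVE%\wptest.tmp (
    del %SCANDRIVE%\wptest.tmp
    echo WARNING: %SCANDRIVE% accepted a write, so it is not write-protected.
    echo Close the CD session or use a read-only medium, then run this again.
    goto end
)

echo Scanning from write-protected medium %SCANDRIVE% ...
%SCANDRIVE%\SAV32CLI.EXE -REMOVE -P=%LOGFILE%
goto report

:fallback
REM The less secure path from the note in step 3: the copy installed on the
REM infected disk, used only when no write-protected medium is available.
if not exist "%INSTALLED%" (
    echo ERROR: no SAV32CLI.EXE on %SCANDRIVE% and no installed copy found.
    goto end
)
echo Scanning with the installed copy (not write-protected) ...
"%INSTALLED%" -REMOVE -P=%LOGFILE%

:report
echo SAV32CLI finished. Review the scan log before leaving Safe Mode:
if exist %LOGFILE% type %LOGFILE%

:end
endlocal
```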

7. Other instructions

Before leaving Safe Mode, edit any registry entries mentioned in the virus analysis recovery instructions. (To open the Registry Editor, type 'regedit'.) Please read the warning about editing the registry.

If problems persist on the infected computer, read the troubleshooting article on removing problem files.

If you need more information or guidance, then please contact technical support.