Sophos

Sophos Anti-Virus: removing viruses on the local computer

These instructions tell you how to use Sophos Anti-Virus for Windows to remove viruses, Trojans, worms, spyware and similar programs on the local computer. Other articles cover:

What to do

In the notes below, 'virus' is used to refer to any virus, spyware, Trojan, worm or other malicious software.

Dropped files

If the virus has just arrived in an email, or has been dropped by another computer, it may not have infected your computer. Delete the file or email, either manually or with Sophos Anti-Virus. Then run a scan to check that there are no further virus files.

More than one infected file

If you find more than one infected file, you should review the situation before taking further action. You may need access to the internet from an uninfected computer to check the virus analysis for disinfection instructions.

Run a scan with Sophos Anti-Virus. Use the default settings for this scan. Take note of what is infected, and where it is. Check through the relevant virus analyses.

Having assessed the virus problem, or if the scan appears to be taking a very long time, check the following:

  1. Are you using Sophos Anti-Virus for Windows 2000+ version 6 or above? If so, run a scan with cleanup. In most cases this will remove the virus, and rectify any changes it made.
  2. Is there a Resolve tool for any virus, Trojan or worm on your computer? If so, use it to get rid of the virus.
  3. Do you have a large number of infected files in your Temporary Internet Files? If so, remove those files before disinfecting. It will save you a lot of time:
    • In Internet Explorer, from the menu bar select Tools|Internet Options.
    • In the General tab select 'Delete Files'.
    • Select 'Delete all offline content'.
    • Click 'OK'.
    You could also delete other unnecessary temporary files.
  4. Do the disinfection instructions in the virus analysis tell you to contact support? If so, contact support before removing any other files.
  5. If you broke off scanning to do the above, now run a scan of the complete system. If this scan still runs extremely slowly, disinfect the computer with a command line scanner (e.g. SAV32CLI).

Disinfecting and deleting files

Disinfect and remove files in the following order:

  1. If the virus analysis mentions one of the following:
    • Disabling the registry editor (or registry tools)
    • Disabling the task manager
    • The virus running itself before any executable (.EXE) file runs
    then disinfect or remove that virus with a command line scanner, e.g. SAV32CLI, using the instructions in the virus analysis. Do not delete any other virus files with that scan, as you may remove useful files that could have been disinfected.
  2. Disinfect any program files that can be disinfected. A program file can be infected more than once, so you should run a series of scans. Make a log for each scan.
    • Note how many infected files remain.
    • If the number of files has increased, contact technical support.
    • Make a note of any files with macro viruses disinfected during this scan. You should check the virus analysis later to see if your data might have been corrupted.
    • If the number of infected files has decreased, repeat the scan.
    • If the number of infected files is the same as after the last scan, you must delete the remaining files. See the next section.
  3. Delete the remaining virus, worm and Trojan files.
    • Set Sophos Anti-Virus to delete the remaining infected files.
    • If any files remain after this, delete them with a command line scanner.
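
The scan-by-scan comparison in step 2 can be kept in a small script. This is an added example, not Sophos code: it assumes you copy the infected file paths from each scan log into a plain list, one path per line (a note format chosen here, not a Sophos log format), and all paths shown are constructed.

```python
# Added example: compares hand-recorded infected-file lists from successive scans.
# The one-path-per-line input is an assumed note format, not a Sophos log format.

def load_infected(text):
    """Return the set of infected paths, one per non-blank line.
    Windows paths are case-insensitive, so they are lower-cased for comparison."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def compare_scans(previous, current):
    """Split two scans into files cleaned, still infected, and newly listed."""
    return {
        "cleaned": sorted(previous - current),
        "remaining": sorted(previous & current),
        "new": sorted(current - previous),
    }

def next_step(previous, current):
    """Apply the count rule from step 2 of the procedure."""
    if not current:
        # Assumption, not stated on the page: an empty list means nothing is left.
        return "no infected files remain"
    if len(current) > len(previous):
        return "contact technical support"
    if len(current) < len(previous):
        return "repeat the scan"
    return "delete the remaining files"

def review(scan_texts):
    """Walk a series of scans; report (scan number, count, step, differences)."""
    scans = [load_infected(t) for t in scan_texts]
    return [(n, len(cur), next_step(prev, cur), compare_scans(prev, cur))
            for n, (prev, cur) in enumerate(zip(scans, scans[1:]), start=2)]

# Constructed sample data: three scans of the same computer.
SCANS = [
    r"""C:\Example\App\tool.exe
C:\Example\App\helper.dll
C:\Example\Docs\report.doc
C:\Example\Temp\dropper.exe""",
    r"""c:\example\app\helper.dll
C:\Example\Temp\dropper.exe""",
    r"""C:\Example\App\helper.dll
C:\Example\Temp\dropper.exe""",
]

if __name__ == "__main__":
    for number, count, step, diff in review(SCANS):
        print(f"scan {number}: {count} infected, new={diff['new']} -> {step}")
```

The "new" list shows which files account for an increase, which is useful detail to have to hand when contacting technical support.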

After disinfection, install any necessary patches. It may be best to download them and write them to CD on another computer which is not vulnerable to infection.


Supplementary documentation

Windows 2000/XP/2003/Vista

Windows NT and Windows 95/98/Me

If you need more information or guidance, then please contact technical support.