"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
While in most cases it is possible to remove threats centrally with Enterprise Console, or locally with Sophos Anti-Virus and/or SAV32CLI, sometimes the problem keeps coming back.
Applies to the following Sophos product(s) and version(s) Sophos Anti-Virus for Windows 2000+ 7.6.21
While cleaning the infected computer, use an uninfected computer for internet searches, downloading utilities, etc. Save any tools to CD-Rs or write-protected thumb drives or memory cards before taking the write-protected media to the affected computer.
First, you need to know whether the computer is being reinfected from outside, or if the Trojan has somehow survived the scan on the computer. Read the virus analysis for possible clues to the problem, and check the following:
Unplug the computer from any networks, including the internet, and remove any cards, drives, disks and peripherals. Then repeat the scan. If the Trojan is removed, ensure that your computer is fully patched, and that all of your security software is up to date. See Returning your computer to normal use.
If the computer is already completely isolated from other computers and external media, and it is still infected when rebooted, or files can't be removed in Safe Mode with Command Prompt, go straight to part 5.
It is possible that the source of infection is on media that you may not be scanning, and that access to that medium takes place when the computer starts up. Media to check for include USB cards and removable drives. To be completely safe, also detach mobile phones, digital cameras, printers, and other peripherals with memories.
If the problem appears to be another piece of equipment, restart it. Then check any memory cards, etc. that it uses. Backup any data on the card (e.g., photos to CD), then reformat the memory card.
If the Trojan is removed, ensure that your computer is fully patched, and that all of your security software is up to date. See Returning your computer to normal use.
If there are any other computers on your network, check them for Trojans. Ensure that you scan shared folders or directories used by other computers, for example, shared folders on Macs, Samba shares on Linux computers, or NetWare shares.
If the infection appears to have come from the internet via a network connection (cable or WiFi), you will need to block the source of infection before going back to the internet.
If a browser hijacker has infected your computer, you could install an alternative web browser before using the internet again. Do not import settings and saved pages when doing this.
See below for other hints on counteracting the effects of browser hijackers.
If the problem file lies on the local computer, you need to know if it could not be deleted, or if it is somehow recreating itself.
Before you follow the advice below:
It may prove quicker to back up your data and reinstate your computer to its original state than to fully reverse the effects of a Trojan. See reinstalling Windows.
For more information on using Safe Mode with Command Prompt, see article 21486.
If the file could not be deleted by a scan in Safe Mode with Command Prompt, it is being held open by the operating system, or it is in System Restore.
You might be able to remove the file manually by using the Windows recovery console:
Alternatively, in some circumstances you can prevent the file from starting when the computer boots. See registry entries below.
Threat files are usually executables (programs). However, there are some tricks that can be used to convert another file type into an executable file before running it. If a scan of executable files in Safe Mode with Command Prompt does not detect the threat file, try an 'all files' scan that does not delete anything first time around.
To run a logged 'all files' scan with SAV32CLI type
SAV32CLI -ALL -P=C:\LOGFILE1.TXT
Take care if you remove files with an 'all files' scan. You might remove mailboxes with one infected email in them, or archive files containing only one infected file among many others. Moreover, such files are unlikely to have been the source of infection. To remove and log files with an 'all files' scan, type
SAV32CLI -ALL -REMOVE -P=C:\LOGFILE2.TXT
For extra information on using SAV32CLI, see Scanning options with SAV32CLI.
Once you have got rid of the file, you should still try to find out what was starting it. This will reduce the chance of reinfection. See below.
Registry entries will probably have been added or changed by the Trojan. These could call something that you can't find.
If you cannot remove any particular registry entry, change the permissions on that entry, and then remove it.
If you cannot open the registry, and the virus analysis says that a particular registry entry might prevent you from doing so, copy and import that entry from an unaffected computer. If you can now get access, remove the other entries.
Where the Trojan has changed a registry entry
Ensure that you import the entry from a computer with exactly the same operating system as the affected computer.
This may work even if you cannot otherwise obtain access to the registry.
Check any copies of the following files for references either to the Trojan, or to websites it uses:
If necessary, copy them to a floppy disk, make a backup, edit them in Notepad on another computer, and then replace the originals on the affected computer.
Use Disk Cleanup to remove the temporary files that something might be hiding in. Type the following at the command prompt, then follow the on-screen instructions:
Example of the Disk Cleanup program running
Ensure that the following are selected for removal:
Trojans can also hide in the System Restore files. To access System Restore in Safe Mode with Command Prompt on Windows XP, type
where <Windows_folder> is the name of your Windows folder (usually 'Windows' on Windows XP). Then purge and reset System Restore.
When you restart your computer in Windows for the first time after disinfecting, you can disable the startup applications by holding down the shift key when logging on. Check your startup folder and start menu.
Run another scan with anti-virus software for a final check.
Before returning your computer to normal use, check the following:
If necessary, use another computer or browser to download the patches and service packs that you need from the Microsoft Download Center. Then save them to CD, and install them from there.
Some Trojans hijack your web browser (usually Internet Explorer) so that your computer will visit their website and become reinfected.
Try the following
The following Windows tools are useful when troubleshooting:
This configuration tool is available in Windows XP and Windows 98, but not in Windows 2000. To run it in Windows, select Start | Run, and type
Example of opening msconfig on Windows 8 (search the Start screen for the program name):
Msconfig allows you to do the following
Msinfo32 and Winmsd
Msinfo32 and Winmsd will generate detailed reports on your system that can be useful in troubleshooting. One or the other works in Windows 2000, XP and 2003. To run them in Safe Mode with Command Prompt, type 'Msinfo32' or 'Winmsd'.
The following Microsoft articles and tools can be used to help secure your computer:
Finding files at the command prompt
If you need to find a file in Safe Mode with Command Prompt, type:
C: CD \ DIR <filename> /S
DIR <filename> /S
This takes you to the root of the C: drive, then searches for the file <filename> the root folder and all its subfolders. To search for the file <filename> in all folders even if it has the attribute 'hidden', type: DIR <filename> /S /AH
DIR <filename> /S /AH
For more information on using the command prompt, see basic DOS commands.
If you still cannot remove the Trojan, and are contacting Sophos about it, answer as many of the following questions as possible when contacting us. This will enable faster analysis of the problem.
Method of survival
Logs and other information sources
If you think that you have got a new type of Trojan, or the file that you are having problems with is of the type '-Fam' or '-Gen', send us a sample.
You might find it easier to reinstall Windows than to cope with the side effects of Trojan infection. Before reinstalling, back up all of your data (e.g. to CD or DVD) - you never know which bits you will need.
You could have three different types of original system disk
The last two types will remove all of your existing data when you restore your computer. This will get rid of the Trojan, but it will also remove all work that you have done on that computer, and any programs, drivers, service packs and patches that you installed.
If you 'reinstall' from a Microsoft Windows CD, it may perform a repair, rather than running a reinstallation. This could leave an active Trojan on the hard drive. In these circumstances, reformat your hard drive before installing Windows. This will remove the Trojan along with any programs, drivers, service packs and patches that you installed.
Once you have re-installed Windows, ensure that your computer is adequately protected before returning it to normal use.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.