
How do I remove hidden Windows registry entries when the msivxi rootkit is detected with Sophos Anti-Rootkit?

  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear: "Sophos Anti-Rootkit was successfully installed. Click 'Yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up window will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on a suspicious file to display more information about it in the lower panel, which also shows whether the item is recommended for removal:
    • Files tagged "Removable: No" are not marked for removal and cannot be removed.
    • Files tagged "Removable: Yes (clean up recommended)" are marked for removal by default.
    • Files tagged "Removable: Yes (but clean up not recommended)" are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only the items recommended for removal, then click "Clean up checked items". You will be asked to confirm; click Yes.
  • A pop-up window will appear advising that the cleanup will finish when you restart your computer. Click Restart Now.
  • After the reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.

Before performing an ARK (Anti-Rootkit) scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections:

  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Please review this documentation:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds.mspx?mfr=true



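The reply above relies entirely on Sophos Anti-Rootkit to spot a hidden registry key. As an added example (not part of the original thread, and not Sophos's own tooling), the script below shows the manual cross-view check a practitioner can run alongside the scan: it lists the Services hive from inside the PowerShell process, lists it again from a separate process (reg.exe), and then tries to open each candidate key directly by name. A key that opens by name but never appears in an enumeration, or that appears in one enumeration but not the other, is exactly the kind of hidden registry entry the question asks about. Assumptions: an elevated PowerShell 2.0 or later prompt; the candidate name list is a placeholder taken from the thread title and should be replaced with the key names reported in sarscan.log; the sarscan.log location is the %temp% path the reply gives.

```powershell
# Added example, not from the original thread or from Sophos Anti-Rootkit.
# Cross-view check of HKLM\SYSTEM\CurrentControlSet\Services for hidden keys.
# Assumes an elevated PowerShell 2.0+ prompt. Candidate names are placeholders:
# substitute the key names that Sophos Anti-Rootkit reported in sarscan.log.
param(
    [string[]]$CandidateNames = @('msivxi')   # placeholder from the thread title
)

$servicesPath = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# View 1: enumeration from inside this process (PowerShell registry provider).
$viewProvider = @(Get-ChildItem -Path $servicesPath -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSChildName })

# View 2: enumeration by a separate process (reg.exe). Each subkey is printed
# as a full path; keep only the leaf name. Value lines do not match the regex.
$viewRegExe = @(& reg.exe query 'HKLM\SYSTEM\CurrentControlSet\Services' 2>$null |
    ForEach-Object { if ($_ -match '\\Services\\([^\\]+)$') { $Matches[1] } })

Write-Output ("Provider enumerated {0} keys, reg.exe enumerated {1} keys" -f `
    $viewProvider.Count, $viewRegExe.Count)

# Keys that one enumeration returns and the other does not. On a clean system
# the two lists are identical; a per-process hook shows up here.
$diff = Compare-Object -ReferenceObject $viewProvider -DifferenceObject $viewRegExe
foreach ($d in $diff) {
    $where = if ($d.SideIndicator -eq '<=') { 'PowerShell provider only' } else { 'reg.exe only' }
    Write-Output ("Enumeration mismatch: {0} ({1})" -f $d.InputObject, $where)
}

# View 3: direct open by exact name. Rootkits that filter enumeration results
# often still let the key open when it is requested by name.
foreach ($name in $CandidateNames) {
    $opensDirectly = Test-Path -Path (Join-Path $servicesPath $name)
    $enumerated    = $viewProvider -contains $name
    if ($opensDirectly -and -not $enumerated) {
        Write-Output "HIDDEN: '$name' opens by name but is missing from enumeration"
    } elseif ($opensDirectly) {
        Write-Output "Visible: '$name' opens by name and is listed by enumeration"
    } else {
        Write-Output "Absent: '$name' did not open by name"
    }
}

# Where the reply says the scanner's log ends up (%temp%\sarscan.log).
$log = Join-Path $env:TEMP 'sarscan.log'
if (Test-Path -Path $log) {
    Write-Output "Sophos Anti-Rootkit log: $log"
} else {
    Write-Output "sarscan.log not found in $env:TEMP (run the scan first)"
}
```

Caveat: all three views go through the same kernel registry code, so a kernel-mode hook that filters by name hides the key from every view equally; this check supplements the scanner's own raw-hive comparison and does not replace it. Run it before the cleanup step and again after the reboot so you have a record of whether the hidden key is gone.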