What malware does the Sophos Removal tool remove?
Details of the specific pieces of malware that this tool will remove are listed on the Sophos Website as follows:
Mal/Conficker-A, Mal/Confick-Dam, Mal/Conficker-B, Mal/ConfInf-A, Troj/ConfData-A, Troj/ConfDr-B, Troj/ConfDr-C, Troj/ConfDr-Gen , W32/ConfDr-Gen, W32/Confick-A, W32/Confick-B, W32/Confick-C, W32/Confick-D, W32/Confick-F, W32/Confick-G, W32/Confick-H, W32/Confick-I, W32/Confick-K, W32/Confick-L, W32/Confick-M, W32/ConfikMem-A, W32/ConfikMem-B
How to install and run the Conficker removal tool on a single computer
- Download the file Sophos Conficker Removal Tool.msi and save it to a convenient location on your computer, e.g. your Desktop.
- Double-click the icon and work through the installation wizard. After you have clicked 'Finish' a shortcut is placed on your Desktop.
- You have 3 options for running the tool:
- The installation GUI allows you to run it immediately.
- You can run the GUI version by double-clicking the icon on your desktop.
- There is a command line version which can be found in Program Files\Sophos\Sophos <threat name> Cleanup Tool\cli.exe. NOTE: You may prefer to run the tool when your computer is not busy with other tasks. Details on how to run it as a script are given in the article Deploying the Sophos Removal tool over a network.
- When you open the GUI version of the tool, it displays the 'Sophos Removal Tool' window. It displays the name and location of the log file it is creating.
- Click 'Start Scan' and it will scan the predefined areas for malware. If it finds any malware it will automatically remove it following the scan. The software will prompt you if a reboot is required following malware removal.
If you want to deploy the tool across a network,
- Download the tool as described above.
- Read the following section of this article, entitled 'IMPORTANT'.
- Go to the knowledgebase article Deploying the Sophos Removal tool over a network for instructions on deploying the tool across a network.
You may see any of the following possible issues:
- Occasional failure to remove Conficker service key: The tool will report a failure to cleanup but only a service key will remain. This happens when Conficker has executed for the first time and there has not been a reboot since. It happens because the service key, which has odd permissions restricted to the local user, has not yet been registered in the Service Control Manager. The OS does not have complete knowledge about this service until the next reboot so de-registering the service may not function as expected. Once a reboot has occurred the service is registered and there are no issues with complete removal. Please note that the existence of stray service entries that do not point to Conficker are not detrimental to the functioning of the computer. The same information applies to Sophos Anti-Virus. NB: If the binary component of Conficker has already been removed, the service will not be removed because detection of the service is context-based because it references Conficker.
- Removal of scheduled tasks: The Conficker removal tool removes scheduled tasks based on context, i.e. they point to Conficker. If the Conficker binary has been removed already then the context for the scheduled tasks is lost and so they will not be removed. We do this context-based cleanup to ensure that we do not remove scheduled tasks which are not created by Conficker.
- Conficker coming back: The Conficker removal tool does not have on-access scanning. It will not prevent other infected computers on the network from re-infecting the computer which has just been cleaned with the tool. This is a common occurrence with network worms so you must ensure that you take precautions to prevent re-infection form other computers on your network. For more advice on this, refer to the Knowledgebase article Sophos Anti-Virus for Windows 2000+: Removing W32/Confick and Mal/Conficker, see the sections describing how to lock down your network and prevent re-infection.
Uninstalling the tool
Following use, you can remove the tool using Windows Add/Remove programs.
Source : http://www.sophos.com/