1. Shut down and restart the computer in Safe Mode
A. If your computer is on, click on the Start button. The Start menu will appear. (If your computer is off, skip to step E.)
B. Select Shut Down from the menu. The 'Shut Down Windows' dialog
C. Select 'Shut down' and click the Yes (or OK) button.
D. Wait until the "It is now safe to turn off the computer" message
appears and turn the computer off. Read steps E-H before continuing.
E. Turn the computer back on.
F. Immediately begin pressing the F8 key, every other second, until the Windows Startup menu appears.
G. Press 3 and then Enter to start the computer in Safe Mode.
H. Once Windows starts, an information message will appear explaining
Safe Mode. Click the OK button to clear this message.
The computer is now in Safe Mode.
2. Click on the Start button, then on Find, then on Find Files
3. Type "win.ini" into the Named line, select C: in the Look in line by clicking on the down arrow next to the line, and press Find Now.
4. Once the file has been found it will appear below. Right-click on it and click on Properties.
5. On the bottom of the window a section titled Attributes gives
several options. Be sure the Read-only box is unchecked.
6. Click on OK to exit the properties window.
7. Click on the Start button, then click on Run. Type "sysedit" in the run field and click on OK.
8. The System Configuration Editor will appear with six windows stacked on top of one another. Close the first two windows by clicking on the "X" in the upper-right-hand corner. The "C:\windows\WIN.INI" window will be selected for editing.
9. Locate the line that begins with "load=". Place a semicolon in front of the line so that it reads:
;load=(other text may remain here)
Write this line down. You will be using this information later.
NOTE: Many trojan viruses use the load= line. This line is also used occasionally by other programs, so it could contain both trojans and valid programs. Inserting a semicolon will prevent trojan files from loading, but it may also disable functions of other programs. After completing this process and rebooting Windows, if you recognize that a valid program does not load normally, contact the manufacturer of that program. When contacting them, ask if an entry for their program should be placed in the load= line.
10. Locate the line that begins with "run=". Place a semicolon in front of the line so that it reads:
;run=(other text may remain here)
Write this line down also. You will be using this information later.
NOTE: The above note also applies to the run= line.
11. Click on File in the upper-left corner and click Save.
12. If you do not see anything next to "load=" or "run=", close the
WIN.INI by clicking on the "X" in the upper-right corner.
"C:\windows\SYSTEM.INI" will be the window open for editing.
13. Locate the line that begins with "shell=explorer.exe".
14. If there is anything written after "shell=explorer.exe", write it down (usually something like: Winsyst.exe). If there, "Winsyst.exe" is the name of a trojan that is infecting your computer and you will need to search for it in step 18 below. Now, with that written down, erase everything written after "shell=explorer.exe" on that line. (Be absolutely sure to leave "shell=explorer.exe" and subsequent lines.)
15. Click on File in the upper-left corner and then click Save.
16. Close the System Configuration Editor by clicking on the "X" in the upper-right corner.
17. For complete disinfection, you need to remove the virus files. After rebooting the computer, click the Start button, click on Find, then click on Files or Folders. This opens the Find utility on your computer.
NOTE: To determine the name of the infecting trojan file so you can type it into the Find utility, refer to the lines you wrote down in steps 9 and 10 above. Entries in the load= and run= lines are paths that point to a specific file and tell it to run. A path starts with a drive letter and ends with the name of the file being run. For example, if you see "C:\windows\temp\pkg3243.exe", then pkg3243.exe is what you would enter in the Find box. This is the name of the trojan infecting your computer.
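Added example, not part of the original instructions: a small Python audit that reads the text of WIN.INI and SYSTEM.INI and lists every active load=, run= and extra shell= entry together with the file name to type into the Find utility. The sample file contents are constructed, the function names are hypothetical, and the code assumes entries are separated by spaces or commas and that paths contain no spaces.

```python
import ntpath

# Constructed sample files (not from a real machine); pkg3243.exe and
# Winsyst.exe are the example names used in the text above.
SAMPLE_WIN_INI = """[windows]
load=C:\\windows\\temp\\pkg3243.exe
;run=C:\\tools\\old.exe
run=
NullPort=None
"""
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe Winsyst.exe
system.drv=system.drv
"""

def ini_values(text, section, key):
    """Return values of active (not ';'-commented) key= lines in [section]."""
    values, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section and not line.startswith(";") and "=" in line:
            name, value = line.split("=", 1)
            if name.strip().lower() == key:
                values.append(value.strip())
    return values

def autostart_entries(win_ini, system_ini):
    """List (source, entry, file name to search for) for every active entry."""
    found = []
    for key in ("load", "run"):
        for value in ini_values(win_ini, "windows", key):
            # Assumption: several programs are separated by spaces or commas
            for entry in value.replace(",", " ").split():
                found.append((key + "=", entry, ntpath.basename(entry)))
    for value in ini_values(system_ini, "boot", "shell"):
        # Anything after the first token (explorer.exe) is an extra program
        for entry in value.split()[1:]:
            found.append(("shell=", entry, ntpath.basename(entry)))
    return found

if __name__ == "__main__":
    for source, entry, name in autostart_entries(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print(f"{source:7} {entry}  -> search for {name}")
```

Lines already disabled with a semicolon, as in steps 9 and 10, are skipped, so running the audit after the edit should report nothing for those keys.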
Check the list below to see if one of the files appears on your load= or run= line. If so, go to step 18 to delete that file. The list below does not contain the names of all possible trojans, just the most common