Affected Operating Systems
Recovery Instructions:
Please read and follow the instructions for removing Trojans.
Renaming the registry editor
- Using Windows Explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt), right-click Regedit.exe and make a copy of it.
- Rename the copy of Regedit.exe to Regedit.scr.
- At the taskbar, click Start|Run. Type 'Regedit.scr' and press Return. The registry editor opens.
Editing the registry
You will need to edit the following registry entries, if they are present.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
HKEY_LOCAL_MACHINE
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
and remove any references to any files you deleted. Note: the entries may be in subkeys; remove the complete entry.
HKEY_USERS
The HKEY_USERS section will have to be edited for all users who ran the Trojan. Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any references to any files you deleted.
HKEY_CLASSES_ROOT
Locate the following HKEY_CLASSES_ROOT entries:
HKCR\batfile\Shell\Open\Command
HKCR\comfile\Shell\Open\Command
HKCR\exefile\Shell\Open\Command
HKCR\piffile\Shell\Open\Command
Typically an unaltered registry entry will be set to
HKCR\???file\shell\open\command\
(default) = "%1" %*
The altered registry entry will be
HKCR\???file\shell\open\command\
(default) = C:\WINDOWS\<filename>.exe /exec:"%1" %*
Delete only the text C:\WINDOWS\<filename>.exe /exec: where <filename> is the name of the Trojan file. Do not delete anything else.
Locate the following HKEY_CLASSES_ROOT entries:
HKCR\giffile\Shell\Open\Command
HKCR\htmlfile\Shell\Open\Command
HKCR\jpegfile\Shell\Open\Command
HKCR\txtfile\Shell\Open\Command
HKCR\Word.Document.?\Shell\Open\Command (where ? is any number or a blank)
Delete the Data within the entries. Delete only the Data, do not delete anything else.
Close the registry editor.
Editing other configuration files
At the taskbar, right-click Start and select Explore.
Search for System.ini in the Windows folder and open it in Notepad. Search for any references to the files you deleted. Delete the references.
Search for Win.ini in the Windows folder and open it in Notepad. Search for any references to the files you deleted. Delete the references.
Search for Wininit.ini in the Windows folder and open it in Notepad. Search for any references to the files you deleted. Delete the references.
Search for Winstart.bat in the Windows folder and open it in Notepad. (Note: this file is only present in early versions of Windows). Search for any references to the files you deleted. Delete the references.
Search for Autoexec.bat in the root directory and open it in Notepad. Search for any references to the files you deleted. Delete the references.
Reboot your computer.
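The following PowerShell script is an added example and is not part of the original advisory. It is a read-only audit of the locations the steps above tell you to edit: the HKLM and HKEY_USERS autorun keys, the shell\open\command values for the listed file types, and the configuration files in the Windows folder and root directory. It reports anything that still references the Trojan file name so you can confirm the manual clean-up before or after the reboot; it changes nothing. The script name Audit-TrojanTraces.ps1 and the -SuspectFile parameter are assumptions, and PLACEHOLDER-trojan.exe stands in for the actual name of the file you deleted.

```powershell
# Added example (not from the original advisory): read-only audit of the
# registry keys, association commands and configuration files named above.
# Assumptions: run in an elevated PowerShell session on the affected machine;
# $SuspectFile is a placeholder for the name of the Trojan file you deleted.
param(
    [string]$SuspectFile = 'PLACEHOLDER-trojan.exe'
)

$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)

# Walk each key and its subkeys (the advisory notes entries may sit in
# subkeys) and report any value whose data mentions the suspect file name.
function Find-SuspectValues {
    param([string]$Root, [string[]]$SubKeys, [string]$Needle)
    foreach ($sub in $SubKeys) {
        $path = "$Root\$sub"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $keys = @(Get-Item -LiteralPath $path) +
                @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($data -like "*$Needle*") {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

Write-Output '--- Autorun keys under HKEY_LOCAL_MACHINE ---'
Find-SuspectValues -Root 'HKLM:' -SubKeys $runKeys -Needle $SuspectFile

Write-Output '--- Autorun keys for each loaded user hive under HKEY_USERS ---'
foreach ($hive in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS') {
    # The advisory names Run and RunServices for each user.
    Find-SuspectValues -Root "Registry::HKEY_USERS\$($hive.PSChildName)" `
                       -SubKeys $runKeys[0,3] -Needle $SuspectFile
}

Write-Output '--- Shell open commands for executable file types ---'
foreach ($type in 'batfile','comfile','exefile','piffile') {
    $item = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command" `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $cmd = [string]$item.'(default)'
    # An unaltered entry is exactly "%1" %* ; anything else deserves a look.
    if ($cmd -ne '"%1" %*') {
        Write-Output "ALTERED  HKCR\$type\shell\open\command = $cmd"
    } else {
        Write-Output "ok       HKCR\$type\shell\open\command"
    }
}

Write-Output '--- Data in the other association keys named above (review manually) ---'
$types = @('giffile','htmlfile','jpegfile','txtfile')
# Word.Document.? in the advisory: "Word.Document" or "Word.Document.<number>"
$types += @(Get-ChildItem -LiteralPath 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^Word\.Document(\.\d+)?$' } |
            ForEach-Object { $_.PSChildName })
foreach ($type in $types) {
    $item = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command" `
                             -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        Write-Output "HKCR\$type\shell\open\command = $($item.'(default)')"
    }
}

Write-Output '--- Configuration files ---'
$files = @(
    (Join-Path $env:SystemRoot  'System.ini'),
    (Join-Path $env:SystemRoot  'Win.ini'),
    (Join-Path $env:SystemRoot  'Wininit.ini'),
    (Join-Path $env:SystemRoot  'Winstart.bat'),   # early Windows only
    (Join-Path $env:SystemDrive 'Autoexec.bat')    # root directory
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        # Literal (non-regex) search for the file name; prints file:line:text
        Select-String -LiteralPath $f -Pattern $SuspectFile -SimpleMatch |
            ForEach-Object { "$($_.Path):$($_.LineNumber): $($_.Line)" }
    }
}
```

Run it as `.\Audit-TrojanTraces.ps1 -SuspectFile <filename>.exe` with the real name of the deleted file. Two points to keep in mind when reading the output: only the user hives currently loaded appear under HKEY_USERS, so the "all users who ran the Trojan" step still requires logging on as each user (or loading their hive) and re-running the check; and the data listed for giffile, htmlfile, jpegfile, txtfile and Word.Document.? is printed for review rather than judged, since the advisory's instruction to clear it applies to this particular Trojan's changes.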