Manual Removal of a Trojan Virus

1. Shut down and restart the computer in Safe Mode.
A. If your computer is on, click on the Start button. The Start menu will appear. (If your computer is off, skip to step E.)
B. Select Shut Down from the menu. The 'Shut Down Windows' dialog box will appear.
C. Select 'Shut down' and click the Yes (or OK) button.
D. Wait until the "It is now safe to turn off the computer" message appears and turn the computer off. Read steps E-H before continuing.
E. Turn the computer back on.
F. Immediately begin pressing the F8 key, about every other second, until the Windows Startup menu appears.
G. Press 3 and then Enter to start the computer in Safe Mode.
H. Once Windows starts, an information message will appear explaining Safe Mode. Click the OK button to clear this message.
The computer is now in Safe Mode.
2. Click on the Start button, then on Find, then on Files or Folders.
3. Type "win.ini" into the Named line, select C: in the Look In line by clicking on the down arrow next to the line, and press Find Now.
4. Once the file has been found it will appear in the results below. Right-click on it and click on Properties.
5. At the bottom of the window a section titled Attributes gives several options. Be sure the Read-only box is unchecked; otherwise the edits in the following steps cannot be saved.
6. Click on OK to exit the Properties window.
7. Click on the Start button, then click on Run. Type "sysedit" in the Run field and click on OK.
8. The System Configuration Editor will appear with six windows stacked on top of one another. Close the first two windows by clicking on the "X" in the upper-right-hand corner. The "C:\windows\WIN.INI" window will then be selected for editing.
9. Locate the line that begins with "load=". Place a semicolon (;) in front of the line so that it reads:
;load=(other text may remain here)
Write this line down exactly as it appears, including every path on it. You will be using this information later.
NOTE: Many trojans use the load= line. This line is also used occasionally by other programs, so it could contain both trojans and valid programs. Inserting a semicolon turns the whole line into a comment, which will prevent trojan files from loading but may also disable functions of other programs. If, after completing this process and rebooting Windows, you notice that a valid program no longer loads normally, contact the manufacturer of that program and ask whether an entry for their program should be placed on the load= line.
10. Locate the line that begins with "run=". Place a semicolon (;) in front of the line so that it reads:
;run=(other text may remain here)
Write this line down also. You will be using this information later.
NOTE: The above note also applies to the run= line.
11. Click on File in the upper-left corner and click Save.
12. Once the file is saved (or if there was nothing after "load=" or "run=" to edit), close WIN.INI by clicking on the "X" in the upper-right corner. "C:\windows\SYSTEM.INI" will be the window open for editing.
13. Locate the line that begins with "shell=explorer.exe".
14. If there is anything written after "shell=explorer.exe", write it down (usually something like Winsyst.exe). If present, "Winsyst.exe" is the name of a trojan that is infecting your computer, and you will need to search for it in step 18 below. With that written down, erase everything after "shell=explorer.exe" on that line. (Be absolutely sure you leave "shell=explorer.exe" itself and the subsequent lines intact; if the shell= line is damaged, Windows will not start the desktop.)
15. Click on File in the upper-left corner and then click Save.
16. Close the System Configuration Editor by clicking on the "X" in the upper-right corner.
17. For complete disinfection, you need to remove the virus files. After rebooting the computer, click the Start button, click on Find, then click on Files or Folders. This opens the Find utility on your screen.
NOTE: To determine the name of the infecting trojan file so you can type it into the Find utility, refer to the lines you wrote down in steps 9 and 10 above. Entries on the load= and run= lines are paths that point to a specific file and tell Windows to run it. A path starts with a drive letter and ends with the name of the file being run. For example, if you see "C:\windows\temp\pkg3243.exe", then pkg3243.exe is what you would enter into the Find box. This is the name of the trojan infecting your computer. If a line lists more than one program, separated by spaces, check each of them. Check the list below to see if one of the files appears on your load= or run= line. If so, go to step 18 to delete that file. The list below does not contain the names of all possible trojans, just the most common ones.
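The WIN.INI and SYSTEM.INI edits of steps 9 through 17 can also be done, and checked, as a script against copies of the two files rather than by hand in sysedit. The following is an added example and is not part of the original guide; the sample file contents, including the paths pkg3243.exe, tray.exe and Winsyst.exe, are constructed for this example and are not taken from any real infection. It comments out every non-empty load= and run= line, trims anything appended after shell=explorer.exe, and reduces the recorded values to the bare file names you would type into Find, splitting lines that list several programs.

```python
"""Added example (not part of the original guide): the WIN.INI / SYSTEM.INI
edits of steps 9-17, done as a script against file contents rather than in
sysedit. Both sample files below are constructed for this example."""
import ntpath
import re

# Constructed sample: one suspect entry on load=, one legitimate-looking
# entry on run=. The paths are not from any real infection.
SAMPLE_WIN_INI = """[windows]
load=C:\\windows\\temp\\pkg3243.exe
run=C:\\PROGRA~1\\Valid\\tray.exe
NullPort=None
"""

# Constructed sample: an extra program appended to the shell= line.
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe Winsyst.exe
system.drv=system.drv
"""

LOAD_RUN_RE = re.compile(r"^\s*(load|run)\s*=\s*(.*)$", re.IGNORECASE)
SHELL_RE = re.compile(r"^\s*shell\s*=\s*explorer\.exe\b(.*)$", re.IGNORECASE)


def neutralise_win_ini(text):
    """Steps 9-10: comment out every non-empty load= and run= line.

    Returns (new_text, recorded) where recorded is the list of
    (key, value) pairs you would otherwise 'write down'. A line that is
    already empty (load=) is left alone, matching step 12.
    """
    out, recorded = [], []
    for line in text.splitlines():
        m = LOAD_RUN_RE.match(line)
        if m and m.group(2).strip():
            recorded.append((m.group(1).lower(), m.group(2).strip()))
            out.append(";" + line)  # ';' makes the whole line a comment
        else:
            out.append(line)
    return "\n".join(out) + "\n", recorded


def neutralise_system_ini(text):
    """Steps 13-14: keep 'shell=explorer.exe', drop anything after it.

    Returns (new_text, extras) where extras holds the text that was
    appended to the shell= line (the trojan name in the guide's example).
    """
    out, extras = [], []
    for line in text.splitlines():
        m = SHELL_RE.match(line)
        if m and m.group(1).strip():
            extras.append(m.group(1).strip())
            out.append("shell=explorer.exe")
        else:
            out.append(line)
    return "\n".join(out) + "\n", extras


def file_names_to_find(values):
    """Step 17: reduce each recorded value to the bare file name for Find.

    load=/run= accept several programs separated by spaces (or commas),
    so each value is split first; a path with an embedded space would be
    split too, which is a limitation of this simple approach.
    """
    names = []
    for value in values:
        for token in re.split(r"[\s,]+", value):
            if token:
                names.append(ntpath.basename(token))
    return names


def audit(win_ini_text, system_ini_text):
    """Run the whole procedure on the two file contents and report."""
    new_win, recorded = neutralise_win_ini(win_ini_text)
    new_sys, extras = neutralise_system_ini(system_ini_text)
    to_find = file_names_to_find([v for _, v in recorded] + extras)
    return {"win_ini": new_win, "system_ini": new_sys,
            "recorded": recorded, "shell_extras": extras, "find": to_find}


if __name__ == "__main__":
    report = audit(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI)
    print(report["win_ini"])
    print(report["system_ini"])
    print("Lines written down:", report["recorded"], report["shell_extras"])
    print("Names to enter in Find:", report["find"])
```

The returned "recorded" list is the equivalent of the lines you are told to write down in steps 9 and 10: it keeps the original values, so a valid program's entry can be restored later if it stops working, exactly as the note under step 9 anticipates. The script only changes text it is given; applying the result to the real WIN.INI and SYSTEM.INI is still your decision, and the Read-only check of step 5 still applies.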