By Sergey Skudaev
I want to share my experience with deleting files infected with a trojan. Once upon a time I connected to the Internet and got a message that my computer was infected with spyware and that all my personal information was accessible to someone evil. When I tried to close the message, it appeared again. I have Norton firewall, but probably it was not updated and did not stop the intruder. I scanned my computer with Norton and found five files infected with a Trojan horse. I tried to delete the infected files. Some of them were deleted, but some of them I could not delete. I got a message that I could not delete the file because it was in use. These files were oleext.dll, wininet.dll, msserachnet.exe.
I tried to rename the files or move them, but without success. Then I decided to try to delete the infected files from DOS. I have Windows 2000. When it starts, I press F8 and Windows loads in safe mode. I selected the "Safe mode with command prompt" option and Windows opened at a DOS prompt. I changed to the WINNT\system32 directory by typing C:\> cd WINNT\system32 and got into the system32 directory. Then I tried to delete the files by typing the del command.
To my great surprise, I got the message "Access denied."
Then I tried to move the infected files from the system32 directory to some innocent directory. Beforehand, I created an "infected" directory. So I tried to move the infected files to the "infected" directory by typing the move command
C:\WINNT\system32>move winnet.dll C:\infected.
It was moved!!!
I felt excited!
I moved all the rest of the files. Then I downloaded wininet.dll and copied it into the system32 directory. The system allowed me to delete the moved files from DOS.
I started Windows and opened the Windows registry.
If you do not have any knowledge and experience of editing the Windows registry, please do not follow the steps described here for deleting Windows registry key values. Even if you have experience, back up the Windows registry before you do anything with it. Read in Windows help how to back up the Windows registry. The author is not responsible for any damage that you cause to your Windows operating system by deleting the wrong Windows registry key values.
I clicked Start, Run and typed regedit.
I clicked OK. The Windows Registry editor opened. I selected My Computer. Then I selected Edit, View, Find.
The Find window is displayed. I marked the "Look at" check boxes.
I typed the infected file name and clicked Find Next. When I found a key with a value containing the infected file name, I deleted it. Then I repeated the procedure for every infected file.
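The registry search described above, scripted as an added example that is not part of the article: it walks the registry for values that mention a suspect file name, exports each matching key to a .reg backup (the backup the author insists on) before anything is touched, and only reports the matches. Removing a value stays a separate, reviewed step. This assumes a modern Windows with PowerShell 5 or later run as Administrator (the author's Windows 2000 has no PowerShell); the search roots, the backup directory and the default file names are assumptions or placeholders taken from the article's list.

```powershell
# Added example, not from the article: find registry values that reference a
# suspect file name, back up each matching key with reg.exe, and report.
# Assumes PowerShell 5+ on a modern Windows, run as Administrator.
param(
    [string[]]$FileNames = @('oleext.dll', 'msserachnet.exe'),   # names reported in the article
    [string[]]$Roots     = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'), # where autostart entries usually live (assumed)
    [string]$BackupDir   = 'C:\infected\regbackup'                 # assumed backup location
)

New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$patterns = $FileNames | ForEach-Object { [regex]::Escape($_) }
$exported = @{}   # keys already exported, so each key is backed up once

function Export-KeyOnce {
    param([Microsoft.Win32.RegistryKey]$Key)
    if ($exported.ContainsKey($Key.Name)) { return }
    # RegistryKey.Name is the full path reg.exe expects, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...
    $file = Join-Path $BackupDir (($Key.Name -replace '[\\/:*?"<>|]', '_') + '.reg')
    & reg.exe export $Key.Name $file /y | Out-Null
    $exported[$Key.Name] = $file
}

$hits = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props) { return }
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata PowerShell attaches to every result
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $data = "$($p.Value)"
            foreach ($pattern in $patterns) {
                if ($data -match $pattern -or $p.Name -match $pattern) {
                    Export-KeyOnce -Key $key
                    [pscustomobject]@{
                        Key       = $key.Name
                        ValueName = $p.Name
                        Data      = $data
                        Backup    = $exported[$key.Name]
                    }
                }
            }
        }
    }
}

$hits | Format-Table -AutoSize
# After reviewing a hit, a single value can be removed with:
#   Remove-ItemProperty -Path "Registry::$($hit.Key)" -Name $hit.ValueName
# The exported .reg file restores the key if the wrong value was removed.
```

The script deliberately does not delete anything: a value whose data merely contains the file name may belong to a legitimate component, and the .reg export exists so that a mistaken removal can be undone by double-clicking the backup.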
When I finished, I connected to the Internet, only to discover that the wicked message was displayed again. I understood that some infected files still existed on my computer. So I decided to find all files that were created today and delete all of them.
To find all files created today, open Windows Explorer and select Tools, Folder Options. Mark "Show hidden files and folders". Unmark "Hide file extensions for known file types". Unmark "Hide protected operating system files". That way you will see all files and folders, but be careful. Do not delete anything that must not be deleted.
Select View, Explorer Bar, Search from the drop-down menu.
Then click the Search Options>> link under the Search Now button. Mark the "Date" check box. Select the "Files Created" option.
Set today's date in both date fields, if you got the virus today, and click the Search Now button. Files that were created today, including files that were created by you and the intruder's files, will be found and displayed.
When I performed the search, I discovered that many more files had been created than were found by the Norton scan. Besides, some files that I had deleted were downloaded again.
I copied all the file names and paths into Notepad and printed the list. Then I started the computer in DOS mode and deleted the files which I could delete, or moved them to the "infected" directory.
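The two steps just described, the "files created today" search and the move of suspect files into an "infected" directory, scripted together as an added example that is not part of the article. It assumes a modern Windows with PowerShell 5 or later run as Administrator (the author's Windows 2000 has no PowerShell); the quarantine path, the search roots and the example file names are assumptions or placeholders taken from the article.

```powershell
# Added example, not from the article: list files created today under the
# system directories, including hidden and system files (the Explorer options
# the article turns on), save the list for review, and move reviewed files into
# a quarantine directory instead of deleting them. Paths are assumptions.
$Quarantine = 'C:\infected'
$Since      = (Get-Date).Date                               # midnight today; move it back if the infection is older
$Roots      = @("$env:SystemRoot", "$env:ProgramData")      # SystemRoot is C:\WINNT on the author's machine

New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null

# Step 1: the search. -Force includes hidden and system files; -File skips directories.
$recent = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since }
}
$recent | Select-Object FullName, CreationTime, Length, Attributes |
    Sort-Object CreationTime |
    Export-Csv -Path (Join-Path $Quarantine 'created-today.csv') -NoTypeInformation
Write-Host "$(@($recent).Count) files created since $Since listed in $Quarantine\created-today.csv"

# Step 2: quarantine. Files from the list are moved only after a person has
# reviewed them; a file the operating system needs (the article's wininet.dll)
# must be replaced from installation media rather than simply removed.
function Move-ToQuarantine {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) { Write-Warning "$file not found"; continue }
        $dest = Join-Path $Quarantine ([IO.Path]::GetFileName($file))
        try {
            Move-Item -LiteralPath $file -Destination $dest -Force -ErrorAction Stop
            # Record where each file came from so it can be put back if it was legitimate
            "$(Get-Date -Format s)`t$file`t$dest" | Add-Content -Path (Join-Path $Quarantine 'origin.log')
            Write-Host "moved $file -> $dest"
        } catch {
            # A locked or protected file fails here, like the author's "Access denied";
            # reboot into Safe Mode with Command Prompt and run the move again.
            Write-Warning "could not move ${file}: $($_.Exception.Message)"
        }
    }
}

# Example call with placeholder names from the article's list:
# Move-ToQuarantine -Path 'C:\WINNT\system32\oleext.dll', 'C:\WINNT\system32\msserachnet.exe'
```

Moving rather than deleting preserves the files for later examination and makes a wrong decision reversible from origin.log; the CSV is what the author produced by hand in Notepad, and it is the artifact to compare against the scanner's report to see which files the scanner missed.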
Then I cleaned the Windows registry. This time, when I connected to the Internet, no messages were displayed. My computer was clean.