Solution 1
To remove this Trojan, most of the steps are performed in Safe mode. Please follow the instructions in each section.
NOTE: The following procedure instructs you to delete files, file entries, and registry values. In some cases, they may have already been removed by NAV, or they were never added by the Trojan. If you do not find a particular file or entry, make sure that you followed the instructions exactly. If the file or entry does not exist, then proceed to the next step or section.
Enable show all files
Follow these steps to configure Windows to show all files:
Start Windows Explorer.
Click View (Windows 95/98) or Tools (Windows Me), and click Options or Folder Options.
Click the View tab, and uncheck "Hide file extensions for known file types" if it is checked.
Click Show all files, and click OK.
Restart the computer in Safe mode
If you are running Windows 95:
Exit all programs, and then shut down the computer. If the computer will not shut down normally, then proceed to the next step.
Turn off the computer, and wait 30 seconds. You must turn off the computer to remove the Trojan from memory. Do not use the reset button.
Turn on the computer. When you see the "Starting Windows 95" message, press F8.
Press the number for Safe mode, and then press Enter.
If you are running Windows 98:
Click Start, and click Run.
Type msconfig and click OK. The System Configuration Utility dialog box appears.
Click the General tab, and click Advanced.
Check Enable Startup Menu, click OK, and then click OK again.
Exit all programs, and then shut down the computer. If the computer will not shut down normally, proceed to the next step.
Turn off the computer, and wait 30 seconds. You must turn off the computer to remove the Trojan from memory. Do not use the reset button.
Turn on the computer, and wait for the menu to appear.
Press the number for Safe mode, and then press Enter.
Find and delete files
Follow these steps to locate and delete the files that were placed on your hard disk by the Trojan:
Click Start, point to Find or Search, and then click Files or Folders.
Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
In the Named box, type (or copy and paste) the following file names:
CAUTIONS:
The next step is to delete these files from your computer. Make sure that you delete only the files listed, and if you typed the file names, that they were typed exactly as shown. Deleting the wrong file could prevent your system from starting. (The entry mi*.zip may result in several files being found, such as Mi29.zip, or Mine.zip. All such files should be deleted.)
If you are running Windows Me, the search may find the Winmine.exe file. This is the executable for the Windows Minesweeper game, and it is not necessary to delete this file.
This search will almost certainly find several files named Readme.txt. Each will be in a different location. Make sure that you delete only the one in the C:\Windows\System folder.
Delete each file in the Results pane; click Yes to confirm each deletion.
NOTE: If you see a message saying that the file is in use when you try to delete the Msdos98.exe file, then you cannot remove it at this point. Complete as many of the Solution 1 instructions as possible, and then proceed to Solution 2. Follow the instructions in the first two sections of that solution. You only need to enter the first two commands in the section Remove infected files. When the Msdos98.exe file has been deleted, restart the computer.
Right-click the Recycle Bin icon on your desktop, and click Empty Recycle Bin.
Click New Search, and then go on to the next section.
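The following script is an added example and is not part of the original instructions. It performs a dry run of the "Find and delete files" search and applies the cautions above as rules before anything is deleted: it lists files under a drive root that match the names the cautions mention (mi*.zip, Msdos98.exe, Readme.txt), keeps Readme.txt only when it is in the Windows System folder, and never lists Winmine.exe. Only the names the cautions mention are included; the page's full list of Trojan files is not reproduced here. The directory tree it scans is constructed in a temporary folder for the demonstration.

```python
"""
Added example, not part of the original removal instructions: a dry run of the
"Find and delete files" search with the cautions applied as rules. Only the
file names the cautions mention are used; the page's full list is not
reproduced here. The sample tree is constructed in a temporary folder.
"""
import fnmatch
import os
import tempfile

# Patterns taken from the cautions; matching is case-insensitive as on Windows.
PATTERNS = ("mi*.zip", "msdos98.exe", "readme.txt")
# Readme.txt is the Trojan's only in C:\Windows\System (path relative to the root).
LOCATION_ONLY = {"readme.txt": "windows/system"}
# Minesweeper's executable can turn up in a loose search and must be kept.
NEVER_DELETE = {"winmine.exe"}


def find_candidates(root):
    """Return the paths (relative to root, '/'-separated) that should be deleted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/").lower()
        for name in files:
            lname = name.lower()
            if lname in NEVER_DELETE:
                continue
            if not any(fnmatch.fnmatchcase(lname, p) for p in PATTERNS):
                continue
            required_dir = LOCATION_ONLY.get(lname)
            if required_dir and rel_dir != required_dir:
                continue  # e.g. a Readme.txt that belongs to some other program
            hits.append(f"{rel_dir}/{name}" if rel_dir != "." else name)
    return sorted(hits)


def build_sample_tree():
    """Constructed layout mimicking an infected Windows 9x drive; returns its root."""
    root = tempfile.mkdtemp(prefix="fake_c_drive_")
    for rel in ("windows/system/readme.txt", "windows/readme.txt",
                "windows/system/msdos98.exe", "windows/mi29.zip",
                "windows/mine.zip", "windows/winmine.exe",
                "program files/readme.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("constructed sample file\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for hit in find_candidates(root):
        print("would delete:", hit)
```

Point find_candidates at the real drive root (for example C:\) to get the list of what the manual search would find after the cautions are applied; it never deletes anything itself.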
Find and change a file
Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
Type win.ini in the Named box, and then press Enter.
Right-click the Win.ini file in the results pane, and click Properties.
NOTE: If you find more than one Win.ini file, make all changes to the one that is located in the folder in which Windows is installed; for example, C:\Windows.
Uncheck Read-only, and then click OK.
Double-click the Win.ini file to open it in Notepad.
Locate the entry that begins with run=. It should look similar to this:
run= C:\Windows\uninstallms.exe
NOTE: There is a long run of spaces between run= and the C:\Windows\uninstallms.exe entry, so the entry may not be visible without scrolling to the right. If you cannot locate the C:\Windows\uninstallms.exe entry, then click the Search menu and click Find. Type uninstallms.exe and then click Find next.
Place the cursor after run= , and then press Shift+End to select the rest of the line. Repeat this until the entire line is selected. You may have to press Shift+End four or five times.
Press Delete.
NOTE: A new variant of this Trojan has been found that does not add the text C:\Windows\uninstallms.exe.
Underneath run= , look for an entry that begins with RUNRESTORE=. It should look similar to this:
RUNRESTORE=C:\Windows\uninstallms.exe
If you find this entry, move the cursor to the beginning of the line, press Shift+End to select the entire line, and then press Delete.
To make sure that none of these entries remains, click the Search menu and click Find. Type uninstallms.exe and then click Find next. Remove any entries that refer to this file.
Click the File menu, and click Save.
Exit Notepad.
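The following script is an added example and is not part of the original instructions. It performs the "Find and change a file" edit on the text of Win.ini so the result can be checked before it is saved back: it removes every reference to uninstallms.exe from the run= and load= lists in the [windows] section (keeping any other programs listed there, which goes slightly beyond the manual step), drops the RUNRESTORE= line that the Trojan adds, and then checks that no reference to the file remains. The SAMPLE_WIN_INI text is constructed for the demonstration; run the function against a copy of C:\Windows\Win.ini rather than the live file.

```python
"""
Added example, not part of the original removal instructions: performs the
Win.ini edit described above on the file's text and checks the result.
The SAMPLE_WIN_INI text below is constructed for the demonstration.
"""
import re

TARGET = "uninstallms.exe"  # file named in the removal instructions
# run= and load= are the [windows] keys Windows 9x/Me executes at startup;
# RUNRESTORE is not a Windows key and is only present because the Trojan added it.
CLEAN_KEYS = ("run", "load")
DROP_KEYS = ("runrestore",)

# Constructed sample: the padding after run= mirrors what the instructions
# describe (the entry sits far to the right of the visible line).
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=" + " " * 60 + "C:\\Windows\\uninstallms.exe\n"
    "RUNRESTORE=C:\\Windows\\uninstallms.exe\n"
    "NullPort=None\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)


def still_references_target(text):
    """True if any line of the ini text still mentions the Trojan file."""
    return any(TARGET in line.lower() for line in text.splitlines())


def clean_win_ini(text):
    """Return (cleaned_text, removed_lines) for the contents of Win.ini."""
    out, removed = [], []
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z]+)\s*=(.*)$", line)
        key = m.group(1).lower() if m else None
        if key in DROP_KEYS and TARGET in m.group(2).lower():
            removed.append(line)  # delete the whole RUNRESTORE= line
            continue
        if key in CLEAN_KEYS:
            # The value is a whitespace-separated program list; keep entries
            # that are not the Trojan's and collapse the padding spaces.
            programs = m.group(2).split()
            kept = [p for p in programs if TARGET not in p.lower()]
            if len(kept) != len(programs):
                removed.append(line)
                out.append(f"{m.group(1)}={' '.join(kept)}")
                continue
        out.append(line)
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE_WIN_INI)
    for line in removed:
        print("removed:", line.strip())
    print("no reference remains:", not still_references_target(cleaned))
    print(cleaned)
```

still_references_target is the scripted form of the final check in this section (searching the file for uninstallms.exe after the edit); if it still returns True on the cleaned text, the reference is in a line that is neither run=, load= nor RUNRESTORE= and should be inspected by hand.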
Remove an entry from the registry
CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. See the document How to back up the Windows registry before proceeding.
Click Start, and click Run. The Run dialog box appears.
Type regedit and then click OK. The Registry Editor opens.
Navigate to the following key: