How To Remove A Password Stealer/Virus

1. Shut down and restart the computer in Safe Mode.
   A. If your computer is on, click on the Start button. The Start menu will appear. (If your computer is off, skip to step E.)
   B. Select Shut Down from the menu. The 'Shut Down Windows' dialog box will appear.
   C. Select 'Shut down' and click the Yes (or OK) button.
   D. Wait until the "It is now safe to turn off the computer" message appears and turn the computer off. Read steps E-H before continuing.
   E. Turn the computer back on.
   F. Immediately begin pressing the F8 key, every other second, until the Windows Startup menu appears.
   G. Press 3 and then Enter to start the computer in Safe Mode.
   H. Once Windows starts, an information message will appear explaining Safe Mode. Click the OK button to clear this message. The computer is now in Safe Mode.
2. Click on the Start button, then on Find, then on Find Files or Folders.
3. Type "win.ini" into the Named line, select C: in the Look In line by clicking on the down arrow next to the line, and press Find Now.
4. Once the file has been found it will appear below. Right-click on it and click on Properties.
5. At the bottom of the window, a section titled Attributes gives several options. Be sure the Read-only box is unchecked.
6. Click on OK to exit the properties window.
7. Click on the Start button, then click on Run. Type "sysedit" in the Run field and click on OK.
8. The System Configuration Editor will appear with six windows stacked on top of one another. Close the first two windows by clicking on the "X" in the upper-right-hand corner. The "C:\windows\WIN.INI" window will be selected for editing.
9. Locate the line that begins with "load=". Place a semicolon (;) in front of the line so that it reads:
   ;load=(other text may remain here)
   Write this line down. You will be using this information later.
   NOTE: Many trojan viruses use the load= line.
   This line is also used occasionally by other programs, so it could contain both trojans and valid programs. Inserting a semicolon will prevent trojan files from loading, but it may also disable functions of other programs. After completing this process and rebooting Windows, if you find that a valid program will not load normally, contact the manufacturer of that program. When contacting them, ask if an entry for their program should be placed in the load= line.
10. Locate the line that begins with "run=". Place a semicolon (;) in front of the line so that it reads:
   ;run=(other text may remain here)
   Write this line down also. You will be using this information later.
   NOTE: The above note also applies to the run= line.
11. Click on File in the upper-left corner and click Save.
12. If you do not see anything next to "load=" or "run=", close the WIN.INI by clicking on the "X" in the upper-right corner. "C:\windows\SYSTEM.INI" will be the window open for editing.
13. Locate the line that begins with "shell=explorer.exe".
14. If there is anything written after "shell=explorer.exe", write it down (usually something like: Winsyst.exe). If it is there, "Winsyst.exe" is the name of a trojan that is infecting your computer and you will need to search for it in step 18 below. Now, with that written down, erase everything written after "shell=explorer.exe" on that line. (Be absolutely sure you leave "shell=explorer.exe" and subsequent lines.)
15. Click on File in the upper-left-hand corner and then click Save.
16. Close the System Configuration Editor by clicking on the "X" in the upper-right corner.
17. For complete disinfection, you need to remove the virus files. After rebooting the computer, click the Start button, click on Find, then click on Files or Folders. This opens the Find utility on your screen.
   NOTE: To determine the name of the infecting trojan file so you can type it into the Find utility, refer to the lines you wrote down in steps 9 and 10 above.
   Entries in the load= and run= lines are paths that point to a specific file and tell it to run. A path starts with a drive letter and ends with the name of the file being run. For example, if you see "C:\windows\temp\pkg3243.exe", then pkg3243.exe is what you would enter into the Find box. This is the name of the trojan infecting your computer.

Check the list below to see if one of the files appears on your load= or run= line. If so, go to step 18 to delete that file. The list below does not contain the names of all possible trojans, just the most common ones.
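
The check in steps 9, 10 and 14 can also be scripted. The following Python script is an added example, not part of the original instructions: given the text of WIN.INI and SYSTEM.INI, it lists every active load=, run= and shell= entry together with the file name to type into Find. The sample file contents are constructed, the function names are hypothetical, and it assumes that multiple entries on one line are separated by spaces or commas.

```python
import ntpath
import re

# Constructed sample contents (not taken from a real machine).
SAMPLE_WIN_INI = "[windows]\nload=C:\\windows\\temp\\pkg3243.exe\nrun=\nNullPort=None\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe Winsyst.exe\nsystem.drv=system.drv\n"

def ini_value(text, section, key):
    """Return the value of key inside [section], or None if it is not active.
    Lines starting with ';' are comments, so ';load=...' is ignored."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current == section and "=" in line:
            name, value = line.split("=", 1)
            if name.strip().lower() == key:
                return value.strip()
    return None

def autostart_entries(win_ini, system_ini):
    """Return (source, entry, file name to search for) for each start-up entry."""
    found = []
    for key in ("load", "run"):
        value = ini_value(win_ini, "windows", key) or ""
        # Assumption: entries are separated by spaces or commas.
        for entry in re.split(r"[ ,]+", value):
            if entry:
                found.append((f"win.ini {key}=", entry, ntpath.basename(entry)))
    shell = ini_value(system_ini, "boot", "shell") or ""
    for entry in shell.split():
        # Anything on the shell= line other than explorer.exe is worth noting.
        if entry.lower() != "explorer.exe":
            found.append(("system.ini shell=", entry, ntpath.basename(entry)))
    return found

if __name__ == "__main__":
    for source, entry, name in autostart_entries(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print(f"{source:<18} {entry}  -> search for: {name}")
```

Run against the files after steps 9 to 15, the result should be empty, since the commented-out load= and run= lines and the trimmed shell= line no longer start anything.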