Discovered: September 28, 1999
Updated: February 13, 2007 11:51:32 AM
Type: Trojan Horse
How you remove this Trojan depends on your version of Windows.
Windows 95/98
If you are running Windows 95/98, then follow these instructions. You will need an uninfected DOS boot disk or a Windows Startup disk.
Run a full system scan
Make sure that you have the most recent virus definitions, and run a full system scan, making sure that Norton AntiVirus (NAV) is set to scan all files. Write down the names of any files infected with the DonaldD.Trojan. Have NAV delete them if possible; in most cases it will not be able to do so. When finished, go on to the next section.
Delete files in DOS
Follow these steps to remove any infected files that could not be deleted by NAV:
- Shut down Windows, turn off the power, and then wait thirty seconds. Do not simply press the reset button.
- Insert a clean DOS boot disk or Windows Startup disk into the floppy disk drive.
- Restart the computer. It will boot to a DOS prompt.
- Type the following, and then press Enter:
cd \windows\system
NOTE: If Windows is installed in a folder other than C:\Windows, change the preceding command accordingly.
- Type the following, and then press Enter:
del <filename>
where <filename> is the name of the file that you wrote down when you ran the scan. For example, if NAV found an infected file named Badthing.exe, then type del badthing.exe and press Enter.
- Remove the floppy disk, and then restart the computer.
Edit the Windows registry
Follow these steps to remove a registry entry that was added by the Trojan:
CAUTION: We strongly recommend that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in permanent data loss or corrupted files. Be sure to modify the specified keys only. See the document How to back up the Windows registry before proceeding.
- Click Start, and click Run. The Run dialog box appears.
- Type regedit and then click OK. The Registry Editor opens.
- Navigate to and select the following subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VMLDR
- Press Delete, and then click Yes to confirm.
- Click the Registry menu, and click Exit to save the changes and close the Registry Editor.
Windows NT
If you are running Windows NT, then follow these instructions. You will need an uninfected DOS boot disk or a Windows Startup disk.
Run a full system scan
Make sure that you have the most recent virus definitions, and run a full system scan, making sure that Norton AntiVirus (NAV) is set to scan all files. Write down the names of any files infected with the DonaldD.Trojan. Have NAV delete them if possible; in most cases it will not be able to do so. When finished, go on to the next section.
Edit the Windows registry
Follow these steps to remove a registry entry that was added by the Trojan:
CAUTION: We strongly recommend that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in permanent data loss or corrupted files. Be sure to modify the specified keys only. See the document How to back up the Windows registry before proceeding.
NOTE: You must be logged on as Administrator.
- Click Start, and click Run. The Run dialog box appears.
- Type regedit and then click OK. The Registry Editor opens.
- Navigate to and select the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
- In the right pane, double-click BootExecute.
- In the Edit Binary Value box, look for and select the following hexadecimal numbers:
00 62 6F 6F 74 65 78 65 63
- Select these numbers only, and then delete them.
- Click OK.
- In the right pane, select and delete the following values:
Pdata0
Pdata1
- Exit the Registry Editor, and then restart the computer.
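The two registry edits above (removing the VxD\VMLDR subkey on Windows 95/98, and cutting the listed bytes out of BootExecute and deleting Pdata0/Pdata1 on Windows NT) can be modelled as checks over a snapshot of the relevant keys before anything is deleted. The following is an added example, not Symantec's code or part of this writeup: it uses a constructed dictionary standing in for the two registry keys, the exact byte sequence the writeup lists, and a simple NUL-separated layout for BootExecute (an assumption; on a real NT system the value is a REG_MULTI_SZ and may be stored in a wider encoding than the single-byte view shown above).

```python
"""Added example (not from the Symantec writeup): verify and remove the
DonaldD.Trojan registry indicators described in the removal procedure,
working on a constructed in-memory snapshot rather than the live registry."""
from typing import Dict, List, Optional, Tuple

# Bytes the writeup says to select and delete inside BootExecute (NT).
BOOTEXEC_MARKER = bytes.fromhex("00626F6F7465786563")  # b"\x00bootexec"

# Key and value names taken from the procedure above.
VXD_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VMLDR"
SESSION_MANAGER_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
SESSION_MANAGER_VALUES = ("Pdata0", "Pdata1")

# Constructed snapshot: key path -> {value name: raw data}. A subkey is
# present when its path is a key of this dict. BootExecute is modelled as
# NUL-separated, double-NUL-terminated single-byte strings (assumption).
SAMPLE_HIVE: Dict[str, Dict[str, bytes]] = {
    SESSION_MANAGER_KEY: {
        "BootExecute": b"autocheck autochk *" + BOOTEXEC_MARKER + b"\x00\x00",
        "Pdata0": b"\x01",
        "Pdata1": b"\x02",
    },
    VXD_KEY: {},
}


def _find_key(hive: Dict[str, Dict[str, bytes]], path: str) -> Optional[str]:
    """Registry key names are case-insensitive; return the stored spelling."""
    for stored in hive:
        if stored.lower() == path.lower():
            return stored
    return None


def multi_sz_entries(raw: bytes) -> List[str]:
    """Split the modelled BootExecute data into its individual entries."""
    return [e.decode("ascii") for e in raw.rstrip(b"\x00").split(b"\x00") if e]


def clean_bootexecute(raw: bytes) -> Tuple[bytes, bool]:
    """Remove only the marker bytes, mirroring 'select these numbers only,
    and then delete them'. Returns (cleaned data, whether anything changed)."""
    if BOOTEXEC_MARKER not in raw:
        return raw, False
    return raw.replace(BOOTEXEC_MARKER, b""), True


def find_indicators(hive: Dict[str, Dict[str, bytes]]) -> Dict[str, List[str]]:
    """Report which of the writeup's registry indicators are present."""
    findings: Dict[str, List[str]] = {"win9x_subkey": [], "nt_values": [], "nt_bootexecute": []}
    if _find_key(hive, VXD_KEY) is not None:
        findings["win9x_subkey"].append(VXD_KEY)
    sm = _find_key(hive, SESSION_MANAGER_KEY)
    values = hive[sm] if sm is not None else {}
    for name in SESSION_MANAGER_VALUES:
        if name in values:
            findings["nt_values"].append(name)
    if BOOTEXEC_MARKER in values.get("BootExecute", b""):
        findings["nt_bootexecute"].append("BootExecute")
    return findings


def remediate(hive: Dict[str, Dict[str, bytes]]) -> Dict[str, Dict[str, bytes]]:
    """Return a copy of the snapshot with the three edits from the procedure
    applied; the input is left untouched so a before/after diff is possible."""
    cleaned = {k: dict(v) for k, v in hive.items() if k.lower() != VXD_KEY.lower()}
    sm = _find_key(cleaned, SESSION_MANAGER_KEY)
    if sm is not None:
        for name in SESSION_MANAGER_VALUES:
            cleaned[sm].pop(name, None)
        if "BootExecute" in cleaned[sm]:
            cleaned[sm]["BootExecute"], _ = clean_bootexecute(cleaned[sm]["BootExecute"])
    return cleaned


if __name__ == "__main__":
    print("before:", find_indicators(SAMPLE_HIVE))
    fixed = remediate(SAMPLE_HIVE)
    print("after: ", find_indicators(fixed))
    print("BootExecute entries:", multi_sz_entries(fixed[SESSION_MANAGER_KEY]["BootExecute"]))
```

Running the block on the constructed snapshot reports all three indicators, and after remediate() none remain while the legitimate "autocheck autochk *" entry in BootExecute is preserved, which is the check worth making before committing the same edits in the Registry Editor.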
Delete files
Use Find Files to locate and delete any files that NAV could not delete.
Writeup By: Motoaki Yamamura