Removing Win32 Macro’s/Virii/Trojans/Worms

Overclockers is supported by our readers. When you click a link to make a purchase, we may earn a commission. Learn More.

If you think you have a virus or a trojan, your first thought is probably
to to use a virus scanner. However, that isn’t much fun, and it doesn’t
necessarily detect all intruders. If it doesn’t detect it, you may think you have
no choice but to format, but that isn’t always necessary if you know where to look so as to remove the threat.

Note: If you think you have a trojan, block all internet access using the
firewall, or just disconnect ;).

Startup places:

First, let’s find it, then we’ll talk about how to remove it.

Let’s start off with the basic places. First, go into My Computer –> View –> View folder options. Go to
the View tab, and select ‘View all files’. This will let you see files
with the hidden or system attribute.

We need to find out where the unwelcomed visitor has manifested himself. Check your startup folder (Right click
Start –>Open –>Programs –>Startup). Now, move on to your win.ini file.

Check the [windows] section, under load. This will give the path of any potential
startup programs. This is the first place a trojan programmer would place his warez.
So if you find an oddly named program, or one that has a name slightly different than
a regular Windows file, listed in there, odds are that’s your culprit.

That’s too easy to get rid of, so odds are, you won’t find that bad boy there and will have
to look deeper. The next place any trojan programmer would put a path is in the Registry.

So go to Start –>Run, and type ‘regedit’. This will open the Registry Editor. Go
to [HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion].

Here, you will find a number of possible folders that activate such programs. These are Run, RunOnce, RunOnceEX
(used by install and uninstall programs, it shoudn’t be in here), RunServices and RunServicesOnce.

Recognising the file:

You have looked through all those places, and have come accros a file
which you don’t recognise. However, you may not recognise any of them. The
solution to this is to find out which programs are running. Press
Ctrl-Alt-Del and see if anything suspicious pops out. Don’t be surprised
if it doesn’t, since most malicious programs can hide from this.

Next, download Regmon and Filemon from

Run regmon, and you will be faced with a lot of registry entries. Have a look at them and note any
suspicious ones. (On the menu bar, there is a button with an X on it to stop the list
scrolling; you will probably need to use it).

If you’ve found a program which you don’t recognise, run Filemon, and check it. You
should find your program here, accessing other files. All of the places I have
described have paths to the file. So the next step would be to find those
files by their path. Note: If you are in any doubt of whether the file is
a system one or not, use the Win98 RSC Kit (if you use Win98); it comes with a file list.
Otherwise, simply search through your OS CD (or hard drive equivalent) using your Search
function. Don’t type in the extension of the file name, though (most Windows files are compressed).

Removing them:

You will not be able to delete the file while it is in use. If the file is
in the Ctrl-Alt-Del menu, do not close it, since some programs will force
a restart on your computer if the service is terminated.

Go into safe mode and then delete the file and any other files in the folder (ssftp for
example created it’s own folder with cracked dll’s in it). Now go into
Find Files, and do a search for files created during the day you received the

If there are any files you don’t recognise created at the time
of the program being activated, send it to the recycle bin, and restart.
Hopefully, you haven’t deleted a system file ;).

Some virri will manifest themselves in certain files. Use the find file method
and check for modified files. They can include dll’s (kernel32.dll, which
means that every single program that you run could be infected), or exe’s (such
as user.exe). Use the Win98 Rsc kit (or search on MSN for other versions) to
find the potentially infected file, and to see which cab file it is in. Use the
extract command in DOS, and extract the file, overwrting the infected one.
For other programs, games and so on, perform a reinstall.


You can get these simply by opening an Office file format. Now you are
probably thinking “well, my Office has a macro protection that doesn’t
let macros run?” Confident? I woudn’t be.

That feature can be bypassed (For information purposes only, the code to bypass it internally is Options.Virusprotection
= False (this is for information purposes only, and isn’t a big secret, anyhow).

These macros can be activated when a document closes, or is opened, or any other event it chooses. To
ensure that it passes itself on, it will copy itself to your normal

To get rid of them, go to the code editor in Tools. Open the code section for the
current document and delete the code present. Now open the normal template
code window and delete the code there also. Exit and save. The next
step is to either delete all files you have opened (Office files) since you got the
virus or open every single one of them up, and delete the
macro codes as described above. Up to you.

Anything Else?

Some of these actions can lead to big problems if you do something wrong, so backup your data (though don’t forget if applicable that some of what you backup may be infected).

I hold no responsibility for any damage caused. I hope you liked this guide. Please send any feedback to the email address listed below

Thank you!

Zealot God


Leave a Reply