Removing this trojan is complicated by the depth to which it hooks the operating system.
One trick that AVERT has discovered is to rename the registry editing program from its original .EXE extension to a .COM extension (as in REGEDIT.COM). This bypasses the limitations created by removing the trojan prior to editing the registry, and allows you to remove references to trojans and Internet worms.
To repair the registry via a registry script file, download this UNDO.REG file, and open it.
--- Manual Removal Instructions ---
1) Identify and note the files associated with this trojan as detected by the scanner.
2) Click START|RUN, type
COMMAND /C COPY %WINDIR%\REGEDIT.EXE %WINDIR%\REGEDIT.COM
and hit ENTER
3) Click START|RUN, type REGEDIT.COM and hit ENTER
4) Remove references to the trojan from these keys of the registry
They should contain only the value not including brackets
5) If applicable, remove any keys that run the main trojan under
6) If applicable, delete the registry key if it exists
and exit Regedit
7) If applicable, edit WIN.INI and remove the reference to the trojan from the run= line in the [windows] section.
8) If applicable, edit SYSTEM.INI and remove the reference to the trojan from the shell= line in the [boot] section. It should just contain the file EXPLORER.EXE.
9) Restart the system.
10) Delete the trojan program(s). If all is well, the files should be deleted without error. If you get an error message saying that Windows is unable to delete the file because it is in use, then you have made an error in the above procedure. Repeat steps 1 to 9 and try again.
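
A check for steps 7 and 8, added here as an example and not part of the original instructions: it reads the text of WIN.INI and SYSTEM.INI, reports run= entries that match the files noted in step 1, and reports any shell= value other than EXPLORER.EXE. The sample file contents and the name DROPPER.EXE are constructed for illustration.

```python
# Added example: audit WIN.INI / SYSTEM.INI text for steps 7 and 8.
# The sample contents and DROPPER.EXE below are constructed, not real indicators.

def ini_values(text, section, key):
    """Return every value of `key` inside `[section]` (case-insensitive).
    Legacy INI files may repeat a key, so all occurrences are collected."""
    values, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()  # entering a new section
            continue
        if current == section.lower() and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == key.lower():
                values.append(value.strip())
    return values

def audit(win_ini, system_ini, noted_files):
    """Return (file, key, value) tuples that still need cleaning."""
    noted = {f.lower() for f in noted_files}      # file names from step 1
    findings = []
    # Step 7: run= entries are separated by spaces or commas.
    for value in ini_values(win_ini, "windows", "run"):
        for entry in value.replace(",", " ").split():
            if entry.split("\\")[-1].lower() in noted:
                findings.append(("WIN.INI", "run", entry))
    # Step 8: shell= should contain just EXPLORER.EXE, nothing appended.
    for value in ini_values(system_ini, "boot", "shell"):
        if value.lower() != "explorer.exe":
            findings.append(("SYSTEM.INI", "shell", value))
    return findings

WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\DROPPER.EXE\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe DROPPER.EXE\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"

if __name__ == "__main__":
    for finding in audit(WIN_INI, SYSTEM_INI, ["dropper.exe"]):
        print(*finding)
```

An empty result from audit() means both files are already in the state steps 7 and 8 describe.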