Tuesday, January 29, 2008

VIRUS/Trojan: How to remove Win32:OnLineGames-SR / Win32:Delf-HSQ

This article is about the removal of the super annoying, recurring, self-regenerating trojans detected under the names Win32:OnLineGames-SR / Win32:Delf-HSQ / Win32:OnLineGames-BUK / Win32:OnLineGames-BSI / Win32:OnLineGames-BYS / Win32.OnLineGames / Win32.Delf. These are anti-virus detection names, and different scanners label the same files differently, so do not expect every product to report the same name.

Symptoms: Anti-virus software such as Avast and Spyware Doctor cannot completely remove the trojan, because the source (the component that keeps dropping it again) is never identified. Instead, these programs continuously detect the secondary files derived from that source, such as Local Settings\Temp\tmp1.tmp, tmp2.tmp and Temporary Internet Files\Content.IE5\xxxx, which never really get removed because the source regenerates them. A thorough scan in safe mode finds dropped executables such as DiskMan32.exe, Kvsc3.exe, AVPSrv.exe, mppds.exe, MsIMMs32.exe, NVDispDrv.exe, cmdbcs.exe, upxdnd.exe, msccrt.exe and DbgHlp32.exe in C:\windows, with matching DLLs (e.g. DiskMan32.dll) in C:\windows\system32. They can be removed, but similar files are generated again by the source on subsequent reboots. The names are chosen to look like legitimate system, driver or anti-virus components, so judge a file by where it sits and when it was written rather than by its name: a genuine system component normally lives in C:\windows\system32, not directly in C:\windows.

Infection medium: I personally got the virus from a RealPlayer file, probably through some built-in plugins. So I learnt to make sure File > Work Offline is checked before watching any movies, and to disable any features related to plugins.

Solution: This is what I did to remove the virus:
  1. Check whether c:\autorun.inf and c:\autoRun.exe exist, and remove them if they do. Do the same for d:\, e:\, etc. (all other local hard drives) and for any USB stick that was plugged in while the machine was infected: an autorun.inf in the root of a drive re-launches the dropper it names (its open= or shellexecute= line) every time the drive is opened, which is how the infection keeps coming back. These files are usually marked hidden and system, so enable "Show hidden files and folders" and untick "Hide protected operating system files" in Folder Options, or use dir /a from a command prompt. Then remove all detectable virus/trojan files in safe mode. (See this site)
  2. Uninstall Internet Explorer (just use Firefox, or reinstall IE later) in Control Panel > Add or Remove Programs > Add/Remove Windows Components. On Windows XP this entry only removes the IE shortcuts and access points, not the browser engine, so also empty Temporary Internet Files (the Content.IE5\xxxx folder mentioned above) afterwards.
  3. Go to Start > Run > msconfig > Startup and uncheck ctfmon.exe (the probable source). ctfmon.exe is the legitimate loader for the language bar and alternative input features (handwriting, speech) that Microsoft documents for Office XP, and Windows XP ships its own copy in C:\windows\system32. Before disabling it, look at the Command column in msconfig: a genuine entry points at C:\WINDOWS\system32\ctfmon.exe, while an entry pointing anywhere else (for example a ctfmon.exe directly in C:\windows) is the one to remove. However, I am using Office 03, so I believe this process is not necessary for my system (Office still runs well after disabling it). If you have Office XP, you may keep this process and just carry out point 4 below.
  4. Go to Start > Run > regedit and remove the following registry entries (based on my inspection with RegMon):
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32
      (if you are chicken, you can do a right-click > Export to make a backup before doing a right-click > Delete)
      Both are legitimate Windows keys rather than malware-only ones: Internet Settings holds the proxy, security-zone and connection configuration used by IE and every program built on WinINet (deleting it resets those to defaults), and Tracing\RASAPI32 is the dial-up/VPN API tracing configuration, which Windows recreates. So export first in any case, and compare the exported .reg file against what RegMon showed the trojan writing, rather than assuming the whole key is malicious.
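The checks behind steps 1 to 4, as an added PowerShell triage script that is not part of the original post. It reports any autorun.inf/autoRun.exe in a drive root (and what the .inf launches), the dropped executables and DLLs named in the symptoms above, any Run-key entry that mentions ctfmon.exe without pointing at the system32 copy, and exports the two registry keys before anything is deleted; it deletes nothing itself. The list of file names is taken from this post and is an assumption about what a given infection drops, and the regbackup folder on the Desktop is an assumed location.

```powershell
# Added triage script (not from the original post). Reports the artefacts described
# above and backs up the two registry keys; it deletes nothing. Run from an elevated
# PowerShell prompt. Assumptions: the dropped-file names are the ones the post lists,
# and the .reg backups go to a regbackup folder on the Desktop.

$names   = 'DiskMan32','Kvsc3','AVPSrv','mppds','MsIMMs32','NVDispDrv','cmdbcs','upxdnd','msccrt','DbgHlp32'
$sysRoot = $env:SystemRoot                       # usually C:\Windows
$report  = New-Object System.Collections.Generic.List[string]

# Step 1: autorun.inf / autoRun.exe in the root of every drive, USB sticks included.
# Test-Path sees hidden and system files, which is how these are usually marked.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($file in 'autorun.inf','autoRun.exe') {
        $path = Join-Path $drive.Root $file
        if (Test-Path -LiteralPath $path) {
            $report.Add("FOUND $path")
            if ($file -eq 'autorun.inf') {
                # The open= / shellexecute= / shell\...\command= lines name the file it launches.
                Get-Content -LiteralPath $path -ErrorAction SilentlyContinue |
                    Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' } |
                    ForEach-Object { $report.Add("    launches: $_") }
            }
        }
    }
}

# Safe-mode clean-up target list: the executables in C:\Windows and their DLLs in system32.
foreach ($n in $names) {
    foreach ($path in "$sysRoot\$n.exe", "$sysRoot\system32\$n.dll") {
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            $report.Add(('FOUND {0}  {1} bytes  written {2:yyyy-MM-dd HH:mm}' -f $path, $item.Length, $item.LastWriteTime))
        }
    }
}

# Step 3: the ctfmon.exe startup entry. The genuine loader is <SystemRoot>\system32\ctfmon.exe;
# an entry pointing anywhere else, or a ctfmon.exe sitting directly in <SystemRoot>, is suspect.
$legit   = "$sysRoot\system32\ctfmon.exe"
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $value = "$($p.Value)"
        $line  = '{0}  {1} = {2}' -f $key, $p.Name, $value
        if ($value -match 'ctfmon' -and $value.Trim('"') -ne $legit) {
            $line += '   <-- ctfmon entry does not name the system32 copy, inspect'
        }
        $report.Add($line)
    }
}
if (Test-Path -LiteralPath "$sysRoot\ctfmon.exe") {
    $report.Add("SUSPECT $sysRoot\ctfmon.exe (the genuine copy lives in system32)")
}

# Step 4: export both registry keys before anything is deleted. They are legitimate
# Windows keys; deleting Internet Settings resets proxy and security-zone configuration.
$backupDir = Join-Path $env:USERPROFILE 'Desktop\regbackup'     # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$keys = @{
    'InternetSettings.reg' = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    'RASAPI32.reg'         = 'HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32'
}
foreach ($entry in $keys.GetEnumerator()) {
    $out = Join-Path $backupDir $entry.Key
    & reg.exe export $entry.Value $out /y | Out-Null
    if ($LASTEXITCODE -eq 0) { $report.Add("Exported $($entry.Value) -> $out") }
    else                     { $report.Add("Export FAILED for $($entry.Value) (key missing or access denied)") }
}

$report
```

Review the report before deleting anything: files flagged FOUND can then be removed with Remove-Item -LiteralPath <file> -Force from safe mode, the registry keys with reg delete <key> /f or in regedit, and if deleting Internet Settings breaks proxy or zone settings the exported .reg file in the regbackup folder restores them when double-clicked.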
This should solve the problem. Some static infected files may still exist on your system, but your anti-virus software will have no problem handling them once the source is gone. (BTW, Avast is free, so there is no excuse for not having an anti-virus program on your Windows machine; also, remember to keep your firewall up and running!)
