Trojan.Win32.Delf.aam is a Trojan downloader that also steals credentials associated with Yahoo online services. Trojan.Win32.Delf.aam generally drops a copy of itself to the %temp% folder as services.exe. %Temp% is a variable that refers to the Windows temp folder. By default, the location of the temp folder in Windows XP is C:\Documents and Settings\<username>\Local Settings\Temp (where <username> is the account name of the logged-in user). Note that the legitimate Windows services.exe lives in %SystemRoot%\System32; a services.exe running from %temp% is the trojan. To load each time Windows starts, Trojan.Win32.Delf.aam modifies the registry as follows (Note: HKLM is an abbreviation for HKEY_LOCAL_MACHINE):
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe "%temp%\services.exe""
The Shell value normally contains only explorer.exe. With the trojan's path appended, Winlogon launches the real shell and services.exe together at every logon, so the trojan is running with the user's privileges whenever the desktop is, which is what allows it to manipulate the view of files and folders on the system.
Trojan.Win32.Delf.aam hides legitimate folders and creates a copy of itself using the original folder name. This can cause some users to believe their original folders have been deleted. Further, when antivirus software encounters the copy of the trojan and rightfully deletes it, some users believe this is deleting their own data which was contained in the original folders.
To overcome the impact of Trojan.Win32.Delf.aam, allow antivirus software to scan and remove any copies of Trojan.Win32.Delf.aam which are found. You may need to assist the antivirus scanner by terminating the trojan's process (the services.exe running from %temp%, not the legitimate services.exe in %SystemRoot%\System32; do not terminate winlogon.exe itself, as Windows will crash without it) and resetting the Winlogon registry setting to correctly point to:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe"
After all instances of Trojan.Win32.Delf.aam have been removed, you should be able to access Windows Explorer (not to be confused with Internet Explorer). Ensure the Folder Options menu is accessible and that viewing of hidden files and folders is enabled. You should now be able to see the folders previously hidden by Trojan.Win32.Delf.aam. These folders may have been moved to a new location, in which case restoring them is simply a matter of moving them back to their original location. A useful check that the cleanup is complete: the Winlogon Shell value reads exactly explorer.exe, no services.exe remains in %temp%, and no folder in your data directories still has a same-named copy of the trojan beside it.
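The cleanup steps above can be scripted. The following PowerShell script is an added example, not code from the original article or from any antivirus vendor: it audits the Winlogon Shell value, finds any services.exe running from outside %SystemRoot%\System32, reports the dropped copy in %temp%, re-enables viewing of hidden files, and lists hidden folders that have a same-named executable beside them. It assumes PowerShell 2.0 or later is installed (a separate download on Windows XP), an administrative prompt, and that the folder-impersonating copies carry a .exe extension (the article does not state the extension). Run it once without -Fix to review the report, then with -Fix to apply the repairs; removal of the trojan files themselves is left to the antivirus scanner, as the article recommends.

```powershell
# Added example (not from the original article): audit and optionally repair
# the Trojan.Win32.Delf.aam artifacts described above.
# Assumptions: PowerShell 2.0+, an administrative prompt, and that the decoy
# copies the trojan leaves beside hidden folders are named <folder>.exe.
param(
    [string]$ScanRoot = [Environment]::GetFolderPath('MyDocuments'),
    [switch]$Fix
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$system32 = Join-Path $env:SystemRoot 'System32'

# 1. The Shell value must be exactly explorer.exe (comparison is case-insensitive);
#    anything appended to it is a persistence entry.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell).Shell
if ($shell -ne 'explorer.exe') {
    Write-Warning "Winlogon Shell is '$shell' (expected 'explorer.exe')"
    if ($Fix) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'explorer.exe' }
}

# 2. The only legitimate services.exe runs from %SystemRoot%\System32. A
#    services.exe running from anywhere else (the article names %temp%) is the
#    trojan. WMI is used because Get-Process cannot read the image path of
#    processes running as SYSTEM. winlogon.exe is never touched.
foreach ($p in Get-WmiObject Win32_Process -Filter "Name='services.exe'") {
    $path = $p.ExecutablePath
    if ($path -and -not $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "Rogue services.exe (PID $($p.ProcessId)) running from $path"
        if ($Fix) { Stop-Process -Id $p.ProcessId -Force }
    }
}
$dropped = Join-Path $env:TEMP 'services.exe'
if (Test-Path $dropped) {
    Write-Warning "Dropped copy present: $dropped (let the antivirus scanner remove it)"
}

# 3. Make hidden files visible in Explorer again. Hidden=1 shows hidden items;
#    ShowSuperHidden=1 also shows items flagged both hidden and system.
if ($Fix) {
    Set-ItemProperty -Path $advanced -Name Hidden -Value 1
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1
}

# 4. Find hidden folders that have a same-named executable beside them, the
#    pattern the trojan leaves behind, and (with -Fix) clear the hidden and
#    system attributes so the original folder is visible again.
$hiddenFlags = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
Get-ChildItem -Path $ScanRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and ([int]$_.Attributes -band [int][IO.FileAttributes]::Hidden) } |
    ForEach-Object {
        $decoy = Join-Path $_.Parent.FullName ($_.Name + '.exe')   # assumed decoy name
        if (Test-Path $decoy) {
            Write-Warning "Hidden folder $($_.FullName) has a decoy beside it: $decoy"
            if ($Fix) {
                $keep = [int]$_.Attributes -band (-bnot $hiddenFlags)
                $_.Attributes = [IO.FileAttributes]$keep
            }
        }
    }
```

Run it as `.\delf-cleanup.ps1` to report only, and `.\delf-cleanup.ps1 -Fix -ScanRoot D:\` to repair and scan a different drive. The process check deliberately keys on the image path rather than the file name, because the name services.exe is shared with a critical Windows process; matching on name alone would be exactly the mistake the article warns about.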
