SEARCH :

Custom Search

Monday, March 28, 2011

How to remove Win32.Mebroot.U manually

1. First, Boot your computer into safe mode to close all running processes.
2. Don't forget to back up your system before making any changes for future restore job when necessary.
3. Remove these Win32.Mebroot.U files:
  1. %UserProfile%\Application Data\PAV
  2. %UserProfile%\Local Settings\Temp\kjkkklklj.bat
4. Open Registry Editor to delete the following registry entries:
  1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 'SelfdelNT'
  2. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 'Shell'='%UserProfile%\Application Data\antispy.exe'
  3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  4. HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt
  5. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run '[random string]'
  6. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings 'ProxyServer' = 'http=127.0.0.1:5555'
  7. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings 'ProxyOverride' = ' '
5. It is possibly for Win32.Mebroot.U to load by hiding within the system WIN.INI file and the strings "run=" and "load=". So you must check carefully in order to thoroughly remove it from your computer.
6. It is necessary for you to clean the IE temporary files where the original carrier may store.

Or you can download malware removal here:
Win32/Mebroot removal

No comments: