
First, the tools you will need:
- Combofix – This free application combines several different cleaners and is updated frequently.  Make sure you grab the latest copy.  It can be downloaded from bleepingcomputer.com.
 I usually do an Internet search on “download combofix” and it pulls up as the 1st or 2nd hit.
- Malwarebytes Antimalware – also known as MBAM. Another free download available from many sources, including www.download.com.
- The operating system’s system recovery CD. This may be the Installation CD for some OS’s (like Windows XP). It doesn’t have to be specific to this computer, as long as it is from the same OS.
That’s all you need. Go ahead and collect them. I’ll be here when you get back.

Scenario 1 – Computer still works, even though infected.
If you can get to a desktop and run programs, you can often clean the computer before it gets more severely infected.
- Copy Combofix to the computer and run it. Combofix will check for Windows System Recovery and install it if it is missing. You want to allow it to do that, and it will need Internet access to do do. When it is done, it may also want to reboot to finish cleaning up. You want to do that too.
- Install MBAM and update it (the pattern files update every couple of days, this is critical). Then run a full scan. It takes longer, but it doesn’t skip other user profiles, where some infected files might be residing.
- Continue to run MBAM until it comes back with zero infected files. If you repeat the scans and see the same files over and over, you should have enough control of your computer at this point to research those infections and take specific action against those files.
- Finally, you can repair any specific damage caused by the infections.
Scenario 2 – Normal boot doesn’t work, the Internet is blocked, or you can’t run programs
Quite often these days, the infection will block your access to your desktop, or prevent programs from running, or reconfigure your Internet settings so that you can’t successfully run the spyware removal tools. Booting to safe mode quite often prevents the spyware from blocking you.
- Reboot the computer
- Press the F8 key about twice a second until you get the Safe Mode menu. Then select “Safe Mode with Networking”.
- Once the computer boots up, you will have access to your Start Menu and can proceed with the steps from Scenario 1.
Scenario 3 – Safe Mode isn’t working
The trickiest solution is when the infection has blocked your access to the desktop in safe mode. In this case we have to reset a couple of registry settings to re-enable access to the desktop for safe mode to work. WARNING! This routine involves modifying the registry.
- Insert the System Recovery CD in the computer’s CD drive.
- Boot the computer from the System Recovery disk.
- Use the menu to open a command prompt.
- Run the registry editor from the command prompt by typing regedit.exe.
- Hightlight HKEY_LOCAL_MACHINE, click on File menu, then Load Hive
- Browse to the WindowsSystem32Config folder on your system drive (It probably will not be labelled the C drive in Safe Mode) and open the Software file
- Back in the registry, browse to SoftwareMicrosoftWindows NTCurrentVersionWinLogonShell under the loaded hive.
- Remove everything listed there, then add back in Explorer.exe (Anything else you see here was added by the infection)
- Close the file and power off the computer, then Proceed with the steps in Scenario 2.
Because Windows always checks that registry key when it boots, it will now use the built in Explorer you are used to using, allowing you to proceed with the rest of your cleanup without too much difficulty.
If none of these techniques work, you can always check back with us to see if new techniques have been developed.



Leave a comment!
You must be logged in to post a comment.