Manual Removal of Backdoor.Graybird Trojan Spyware

Other names of Backdoor.Graybird Trojan:
This Trojan is also known as Trojan-Dropper.Win32.Agent.aang.

Damage Level: High/Medium
Distribution Level: Unknown

There is no automatic removal tool for Backdoor.Graybird Trojan Spyware.
Worm Manual Removal Instructions
Removal from Safe Mode is recommended.

How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on. Select Safe Mode and press Enter.

The infected files can be found in the following folders under the following names, and may also be running as processes.
End the following active processes before removal:


If any of these files appear as running processes in Task Manager, end the process before removal.
Note: If Task Manager is disabled, download and apply the following file: Enable Registry.reg

Manually Remove From Registry

Click Start, then Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it. Download and run UnHookExec.inf, and then continue with the removal.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
“g.exe” = “%Windir%\g.exe”
Navigate to and delete the following subkeys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GrayPigeonServer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_GrayPigeonServer

To remove the threat completely, search the registry for the virus file names listed above: open Edit > Find, enter each name as the keyword, and remove every value the search finds.
Exit the Registry Editor.

Restart your computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)

Written by FireFly on December 18th, 2008 with no comments.

Manual Removal of W32/Agent.AANG Trojan

W32/Agent.AANG is a Trojan. The Trojan will infect Windows systems.
This Trojan first appeared on December 17, 2008.
Other names of W32/Agent.AANG Trojan:
This Trojan is also known as Troj/Dropr-AE, Trojan-Dropper.Win32.Agent.aang.
Damage Level: High/Medium
Distribution Level: High/Medium
There is no automatic removal tool for W32/Agent.AANG Trojan.
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended.

How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on. Select Safe Mode and press Enter.

The infected files can be found in the following folders under the following names, and may also be running as processes.
End the following active processes before removal:

  • %Temp%\emp_03.exe
  • %Temp%\Setup+Patch.exe
  • %System%\doskeys.exe [ 614,400 bytes ]
  • %Temp%\TEMP01.RAR
  • %System%\gh14rs.txt
  • %System%\rar.exe [ 98,304 bytes ]
    [ The file “rar.exe” is known to be created under the following filenames: ]
    %AppData%\rar.exe
    %ProgramFiles%\hypermegabundler\rar.exe
    %ProgramFiles%\winrar\original_files_and_patch\rar.exe
    %ProgramFiles%\winrar\rar.exe
    %System%\extract to winrar directory\rar.exe
    %System%\winrar\rar.exe
    %Temp%\lupen-pen-drive\rar.exe
    %Temp%\rar.exe
    %Temp%\rarsfx0\bpki.dll
    %Temp%\rarsfx0\rar.exe
    %Temp%\rarsfx1\bpki.dll
    %Temp%\wrar362pl\rar.exe
    %UserProfile%\rar.exe

If any of these files appear as running processes in Task Manager, end the process before removal.
Note: If Task Manager is disabled, download and apply the following file: Enable Registry.reg

Manual Removal From Registry
Click Start, then Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it. Download and run UnHookExec.inf, and then continue with the removal.

[Delete This Entry]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Windows Printing Driver = “doskeys.exe”
+ any of the files listed above

To remove the threat completely, search the registry for the virus file names listed above: open Edit > Find, enter each name as the keyword, and remove every value the search finds.

Exit the Registry Editor.
Restart your computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)

Written by FireFly on December 17th, 2008 with no comments.

Manual Removal of W32/IRCBot.ECT Trojan

W32/IRCBot.ECT is a Trojan. The Trojan will infect Windows systems.
The Trojan may be dropped by other malware or downloaded from a remote website by other malware.
This Trojan first appeared on December 16, 2008.
Other names of W32/IRCBot.ECT Trojan:
This Trojan is also known as W32/Sdbot.worm, Troj/Agent-ILB.
Damage Level: High/Medium
Distribution Level: High/Medium
There is no automatic removal tool for W32/IRCBot.ECT Trojan.
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended.

How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on. Select Safe Mode and press Enter.

The infected files can be found in the following folders under the following names, and may also be running as processes.
End the following active processes before removal:

  • %System32%\gettyvennes.exe
  • %System32%\douquuwubouc.exe

If any of these files appear as running processes in Task Manager, end the process before removal.
Note: If Task Manager is disabled, download and apply the following file: Enable Registry.reg

Try this removal tool: IRCBOT REMOVER by Panda Soft
Manually Remove From Registry
Click Start, then Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it. Download and run UnHookExec.inf, and then continue with the removal.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
+ any of the files listed above

To remove the threat completely, search the registry for the virus file names listed above: open Edit > Find, enter each name as the keyword, and remove every value the search finds.

Exit the Registry Editor.
Restart your computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)

Written by FireFly on December 16th, 2008 with no comments.

Manual Removal of W32/XPAntivirus.TF Trojan

W32/XPAntivirus.TF is a Trojan. The Trojan will infect Windows systems.
The Trojan may be dropped by other malware or downloaded from a remote website by other malware.
It may also be downloaded unknowingly by a user while visiting a malicious website.
This Trojan first appeared on October 8, 2008.
Other names of W32/XPAntivirus.TF Trojan:
This Trojan is also known as VirTool:Win32/Obfuscator.BI, Mal/EncPk-CZ, not-a-Virus:FraudTool.Win32.XPAntivirus.tf.
Damage Level: Highly Dangerous
Distribution Level: High/Medium
There is no automatic removal tool for W32/XPAntivirus.TF Trojan.
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended.

How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on. Select Safe Mode and press Enter.

The infected files can be found in the following folders under the following names, and may also be running as processes.
End the following active processes before removal:

  • %Program Files%\rhcjg7j0e38v\rhcjg7j0e38v.exe
  • %Program Files%\rhcjg7j0e38v\msvcp71.dll
  • %Documents and Settings\[User Name]\Local Settings\Temporary Internet Files\Recent\images of xpantivirus2008.lnk
  • %Documents and Settings\[User Name]\Local Settings\Temporary Internet Files\Recent\New Text Document.txt.lnk
  • Task Manager Running Processes
    XPAntivirus.exe
    xpa.exe
    xpa2008.exe
    XPAntivirusUpdate.exe
  • %Program Files%\XPAntivirus\
    xpa.exe
    xpa2008.exe
    XPAntivirus.exe
    XPAntivirusUpdate.exe
    shlwapi.dll
    wininet.dll
    XP antivirus
    XPAntivirus.lnk
    Uninstall XPAntivirus.lnk
    XPAntivirus on the Web.lnk
    XPAntivirus.url
    XPAntivirus2008.lnk
    Uninstall XPAntivirus2008.lnk

If any of these files appear as running processes in Task Manager, end the process before removal.
Note: If Task Manager is disabled, download and apply the following file: Enable Registry.reg

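To unregister the .dll files
The two file names below are also the names of legitimate Windows system libraries; the copies this article lists are the ones in the XPAntivirus folder above.
Click Start, and then click Run.
Type, or copy and paste, the following text:
regsvr32 /u shlwapi.dll
then click OK.
regsvr32 /u wininet.dll
then click OK.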

Manually Remove From Registry
Click Start, then Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it. Download and run UnHookExec.inf, and then continue with the removal.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XPAntivirusFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP antivirus_is1
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\“XP antivirus” = “C:\Program Files\XPAntivirus\XPAntivirus.exe”
XP antivirus
HKEY_USERS\Software\XP antivirus
+ any of the files listed above

To remove the threat completely, search the registry for the virus file names listed above: open Edit > Find, enter each name as the keyword, and remove every value the search finds.

Exit the Registry Editor.
Restart your computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)

Written by FireFly on December 15th, 2008 with no comments.

Manual Removal of W32/OnLineGames.TRQA Trojan

W32/OnLineGames.TRQA is a Trojan. The Trojan will infect Windows systems.
The Trojan may be dropped by other malware or downloaded from a remote website by other malware.
This Trojan first appeared on December 12, 2008.
Other names of W32/OnLineGames.TRQA Trojan:
This Trojan is also known as GameThief.Win32.OnLineGames.trqa, TSPY_MMORPG.CE.
Damage Level: High/Medium
Distribution Level: High/Medium
There is no automatic removal tool for W32/OnLineGames.TRQA Trojan.
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended.

How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on. Select Safe Mode and press Enter.

The infected files can be found in the following folders under the following names, and may also be running as processes.
End the following active processes before removal:

  • %System32%\msupdt.exe

If any of these files appear as running processes in Task Manager, end the process before removal.
Note: If Task Manager is disabled, download and apply the following file: Enable Registry.reg

Manually Remove From Registry
Click Start, then Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it. Download and run UnHookExec.inf, and then continue with the removal.
Registry entries are unknown.
+ any of the files listed above
To remove the threat completely, search the registry for the virus file names listed above: open Edit > Find, enter each name as the keyword, and remove every value the search finds.

Exit the Registry Editor.
Restart your computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)

Written by FireFly on December 14th, 2008 with no comments.

Manual Removal of W32.Sality.aa Trojan

W32/Sality-AA is a virus that also acts as a keylogger.
The virus logs keystrokes to certain windows, as well as information about the infected computer. This logged data is periodically submitted to a remote website.
W32/Sality-AA has been seen spreading itself via email by piggy-backing on W32/Netsky-T.

Aliases: Virus.Win32.Sality.aa (Kaspersky), Virus:Win32/Sality.AM (Microsoft), W32/Sality.ah (McAfee)
Type of infiltration: Virus
Size: Variable
Affected platforms: Windows
Signature database version: 3267 (20080714)
Short description: Win32/Sality.NAR is a polymorphic file infector.
Damage Level: Highly Dangerous
Distribution Level: High/Medium
There is no automatic removal tool for W32.Sality.aa Trojan.
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended.

How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on. Select Safe Mode and press Enter.

The infected files can be found in the following folders under the following names, and may also be running as processes.
End the following active processes before removal:

  • %System%\amvo.exe
  • %System%\blastclnnn.exe
  • %System%\scvhsot.exe 
  • %Temp%\00055a0e_rar\scvhsot.exe
  • %Temp%\000592b2_rar\scvhsot.exe
  • %Temp%\0005934e_rar\hinhem.scr
  • %Temp%\0005938d_rar\blastclnnn.exe
  • %Windir%\hinhem.scr
  • %Windir%\scvhsot.exe
  • c:\rdsfk.com
  • %System%\drivers\.sys
  • %temp%\win%name%.exe
  • %temp%\%name%.exe

Kill the following processes and delete the appropriate files:

Spreading on removable media
The virus copies itself into the root folders of removable drives using a random filename. The filename has one of the following extensions:
.exe
.pif
.cmd
The following file is dropped in the same folder:
autorun.inf
Thus, the virus ensures it is started each time infected media is inserted into the computer.
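
A defender-side check for the removable-media behaviour described above, as an added example that is not part of the original article: it flags a drive root where autorun.inf launches a root-level .exe, .pif or .cmd file. The function names and the sample file name qwzxk.pif are constructed for illustration.

```python
import os
import tempfile

SUSPECT_EXTS = {".exe", ".pif", ".cmd"}   # extensions named in the article


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, skipping malformed lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def is_launch_key(key):
    """open=, shellexecute= and shell\\<verb>\\command= all start a program."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def program_of(value):
    """Extract the program path from a command line, honouring double quotes."""
    if value.startswith('"'):
        end = value.find('"', 1)
        path = value[1:end] if end != -1 else value[1:]
    else:
        path = value.split()[0] if value.split() else ""
    path = path.replace("/", "\\")
    while path.startswith((".\\", "\\")):
        path = path[2:] if path.startswith(".\\") else path[1:]
    return path


def scan_drive_root(root):
    """List (key, file) pairs where autorun.inf launches a suspect root-level file."""
    names = os.listdir(root)
    suspects = {n.lower(): n for n in names
                if os.path.isfile(os.path.join(root, n))
                and os.path.splitext(n)[1].lower() in SUSPECT_EXTS}
    inf = next((n for n in names if n.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    with open(os.path.join(root, inf), errors="replace") as fh:
        entries = parse_autorun(fh.read())
    return [(key, suspects[program_of(value).lower()])
            for key, value in sorted(entries.items())
            if is_launch_key(key) and program_of(value).lower() in suspects]


def demo():
    """Build two constructed drive roots in a temp dir and scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        bad, ok = os.path.join(tmp, "bad"), os.path.join(tmp, "ok")
        os.makedirs(bad)
        os.makedirs(os.path.join(ok, "tools"))
        # Constructed sample: random-looking .pif in the root, launched by autorun.inf
        open(os.path.join(bad, "qwzxk.pif"), "w").close()
        open(os.path.join(bad, "setup.exe"), "w").close()   # present but not referenced
        with open(os.path.join(bad, "AUTORUN.INF"), "w") as fh:
            fh.write("; constructed\nxyz=1\n[AutoRun]\njunk line\n"
                     "open=qwzxk.pif\nshell\\open\\command=\"qwzxk.pif\" -x\n")
        # Constructed sample: autorun.inf that starts an installer in a subfolder
        open(os.path.join(ok, "tools", "installer.exe"), "w").close()
        with open(os.path.join(ok, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=tools\\installer.exe\nicon=disc.ico\n")
        return scan_drive_root(bad), scan_drive_root(ok)


if __name__ == "__main__":
    print(demo())
```

Only files sitting directly in the drive root are matched, so an autorun.inf that starts a program from a subfolder is not reported.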

If any of these files appear as running processes in Task Manager, end the process before removal.
Note: If Task Manager is disabled, download and apply the following file: Enable Registry.reg

Manually Remove From Registry
Click Start, then Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it. Download and run UnHookExec.inf, and then continue with the removal.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
“GlobalUserOffline” = 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system
“EnableLUA” = 0
The following Registry entries are deleted:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot


+ any of the files listed above
To remove the threat completely, search the registry for the virus file names listed above: open Edit > Find, enter each name as the keyword, and remove every value the search finds.

Exit the Registry Editor.
Restart your computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)

Written by FireFly on December 12th, 2008 with 7 comments.