Manually removing MyDoom requires editing the registry as outlined in the following steps:

Step 1. Disable System Restore if you're using Windows Me/XP.

When you make changes to your system, Windows creates a restore point. If it does this while the system is infected, the worm's files are saved in the restore point and can be brought back to re-infect the machine later.

For Windows XP (http://support.microsoft.com/default.aspx?kbid=283073) or ME (http://support.microsoft.com/default.aspx?kbid=264887)

Step 2. Restart the computer in "Safe Mode" (or VGA mode on Windows NT).

Since MyDoom runs as a process, and Windows does not allow you to delete files that belong to running processes, restarting is necessary. "Safe Mode" stops Windows from loading most drivers and the autorun entries, so the system boots relatively clean and the worm's files are not locked.

Step 3. Run a full system scan with an up-to-date antivirus scanner.

If your scanner does not remove everything, follow the next few steps.

Step 4. Your antivirus software should, during detection, produce a list of files associated with the MyDoom virus.

Delete all these files.

The files will typically be the ones mentioned in the description above.

Step 5. Make a backup of the registry before you edit.

For Windows 95/98/Me go to http://support.microsoft.com/default.aspx?scid=kb;en-us;322754. For Windows XP/2000/2003 go to http://support.microsoft.com/default.aspx?scid=kb;en-us;322756.

Delete the entries associated with MyDoom from the registry as listed above.

Delete any entries flagged by your antivirus program.

Step 5a. The following instructions from the Symantec site outline the exact keys that are modified and need to be edited:

Click "Start," and then click "Run." (The Run dialog box appears.)

Step 5b. Type "regedit," then click "OK." (The Registry Editor opens.)

Step 5c. Navigate to the keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Step 5d. In the right pane, delete the value:

"Taskmon"="%System%\taskmon.exe"

Step 5e. Delete the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

Step 5f. Delete the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

Step 5g. Navigate to the key:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

Step 5h. In the right pane, modify the value as follows:

"(Default)"="%System%\webcheck.dll"

Step 5i. Exit the Registry Editor.

Step 6. Re-enable System Restore (Windows Me, XP), then reboot the machine.
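As an added example (not part of this article and not Symantec's tooling), the following script checks the registry backup from Step 5 for the three indicators the steps above describe: a "Taskmon" value in either Run key, a stray ComDlg32\Version key, and an InProcServer32 default for the listed CLSID that no longer points at webcheck.dll. It assumes you exported the keys to a .reg file (for example with `reg export` on Windows XP/2000/2003) and reads that file offline, so it can be run before editing to confirm what needs changing and again afterwards to confirm the cleanup took. The embedded sample exports are constructed for illustration; the hijacked DLL name in them is a placeholder, not the worm's real file name.

```python
import re
import sys

# Indicators taken from the removal steps above. Lists (not sets) keep the
# report order deterministic.
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
VERSION_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
]
INPROC_KEY = r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32"
EXPECTED_INPROC_DLL = "webcheck.dll"


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path_lower: {value_name_lower: data}}. String data is unescaped;
    dword:/hex: data is kept as the raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):        # [-key] is a deletion entry, nothing to inspect
                current = None
                continue
            current = name.lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            continue
        vname = "(default)" if m.group(1) == "@" else _unescape(m.group(2)).lower()
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][vname] = data
    return keys


def find_mydoom_indicators(text):
    """Return a list of (kind, key, value_name, data) tuples; empty means clean."""
    keys = parse_reg(text)
    findings = []
    for k in RUN_KEYS:
        vals = keys.get(k.lower(), {})
        if "taskmon" in vals:
            findings.append(("run-value", k, "Taskmon", vals["taskmon"]))
    for k in VERSION_KEYS:
        if k.lower() in keys:
            findings.append(("stray-key", k, None, None))
    inproc = keys.get(INPROC_KEY.lower())
    if inproc is not None:
        default = inproc.get("(default)", "")
        if not default.lower().endswith("\\" + EXPECTED_INPROC_DLL):
            findings.append(("hijacked-clsid", INPROC_KEY, "(Default)", default))
    return findings


# Constructed sample exports (not real captures). The DLL name in the
# infected sample is a placeholder, not the worm's actual file name.
SAMPLE_INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskmon"="C:\\WINDOWS\\System32\\taskmon.exe"
"LegitTool"="C:\\Program Files\\Legit\\tool.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\PLACEHOLDER-HIJACK.dll"
"""

SAMPLE_CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LegitTool"="C:\\Program Files\\Legit\\tool.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\System32\\webcheck.dll"
"""

if __name__ == "__main__":
    # regedit/reg.exe write exports as UTF-16 with a BOM; "utf-16" handles that.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_INFECTED_EXPORT
    for kind, key, name, data in find_mydoom_indicators(text):
        print(f"{kind}: {key} {name or ''} {data or ''}".rstrip())
```

Run it with the path to your export (`python check_mydoom_reg.py backup.reg`); with no argument it checks the built-in infected sample. An empty result after Step 5i is what you want to see; any "hijacked-clsid" line means the InProcServer32 default still needs to be restored to %System%\webcheck.dll.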

