1. To disable System Restore (Windows Me/XP):
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore, so antivirus programs and tools cannot remove threats from the System Restore folder. As a result, System Restore can restore an infected file to your computer even after you have cleaned the infected files from every other location.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
How to disable or enable Windows Me System Restore
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?OpenDocument&src=sec_doc_nam
How to turn off or turn on Windows XP System Restore
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the documents above.
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).
http://support.microsoft.com/kb/q263455/
2. To remove all the entries that the risk added to the hosts file
1. Navigate to the following location:
Windows 95/98/Me:
%Windir%
Windows NT/2000/XP:
%Windir%\System32\drivers\etc
Notes:
The location of the hosts file may vary, and some computers may not have this file. There may also be multiple copies of this file in different locations. If the file is not in these folders, search your disk drives for the hosts file, and then complete the following steps for each instance found.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
2. Double-click the hosts file.
3. If necessary, deselect the "Always use this program to open this program" check box.
4. Scroll through the list of programs and double-click Notepad.
5. When the file opens, delete all the entries added by the risk.
6. Close Notepad and save your changes when prompted.
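The hosts-file step above, done from the command line instead of Notepad. This is an added example, not part of the original guide: it backs up the file, lists every active mapping that is not the default localhost line, and removes only lines that point at hostnames you name. It assumes an elevated Windows PowerShell session (3.0 or later) on an NT-family Windows, and $HijackedNames is a placeholder you fill in from the entries the risk actually added.

```powershell
# Added example (not part of the original guide): inspect the hosts file and
# remove the lines that redirect a given set of hostnames. Assumes an elevated
# Windows PowerShell session (3.0 or later) on Windows NT/2000/XP or newer;
# $HijackedNames is a placeholder list filled from the entries the risk added.

$HostsPath     = Join-Path $env:windir 'System32\drivers\etc\hosts'
$HijackedNames = @('example-redirected-host.test')   # placeholder, constructed for this example

function Get-HostsEntries {
    # Parse every active (non-comment, non-blank) line into address + hostnames
    param([string]$Path = $HostsPath)
    Get-Content -LiteralPath $Path | ForEach-Object {
        $text = ($_ -split '#', 2)[0].Trim()          # drop trailing comments
        if ($text) {
            $tokens = $text -split '\s+'
            [pscustomobject]@{
                Address = $tokens[0]
                Names   = @($tokens | Select-Object -Skip 1)
                Raw     = $_
            }
        }
    }
}

function Test-SuspiciousHostsEntry {
    # The only mapping a clean XP-era hosts file needs is localhost on loopback.
    # Anything else (update or security-vendor sites sent to 127.0.0.1, or to a
    # remote address) deserves review. Returns $true when the entry should be looked at.
    param($Entry)
    $isDefault = ($Entry.Address -in '127.0.0.1', '::1') -and
                 ($Entry.Names.Count -eq 1) -and ($Entry.Names[0] -eq 'localhost')
    return -not $isDefault
}

function Remove-HijackedHostsEntries {
    # Back up, then rewrite the file without lines that map any hijacked name.
    # Comments and blank lines are preserved, and the file stays plain ASCII:
    # a UTF-8 BOM written by an editor would corrupt the first entry.
    param([string]$Path = $HostsPath, [string[]]$Names = $HijackedNames)
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    $kept = Get-Content -LiteralPath $Path | Where-Object {
        $text = ($_ -split '#', 2)[0].Trim()
        if (-not $text) { return $true }              # keep comments and blank lines
        $hosts = @(($text -split '\s+') | Select-Object -Skip 1)
        @($hosts | Where-Object { $Names -contains $_ }).Count -eq 0
    }
    # -Force overrides the read-only attribute that some risks set on the file
    Set-Content -LiteralPath $Path -Value $kept -Encoding Ascii -Force
    return @($kept).Count                             # number of lines left in the file
}

# Review first, then remove only what you have confirmed the risk added:
Get-HostsEntries | Where-Object { Test-SuspiciousHostsEntry $_ } | Format-Table Address, Names, Raw -AutoSize
# Remove-HijackedHostsEntries -Names @('first-hijacked-name.test', 'second-hijacked-name.test')
```

Run the report first; if the file is hidden or read-only, Get-Content still reads it and the removal function writes through the attribute. The backup (hosts.bak, beside the original) is what you restore from if a legitimate line was removed by mistake.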
3. Locations where the infection is frequently found
C:\Documents and Settings\All Users\Application Data\ (delete the suspicious folders)
C:\Windows
C:\Windows\System32
C:\Windows\System32\Drivers
Note: One way to find infected or suspicious files is to switch the folder view to Details, sort by Date Modified, find the most recently modified files, and delete them.
Before deleting them, make sure no suspicious programs are running in the background. Check Task Manager and msconfig; after disabling a startup item in msconfig, delete its registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg, as shown in step 4 below.
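The "sort by Date Modified" check in step 3, turned into a report. This is an added example, not part of the original guide: it lists files modified within a chosen window in the four folders named above, newest first, with size, hidden attribute and Authenticode status, and then shows which running processes were started from those folders, which covers the "nothing suspicious running in the background" check. It is read-only and assumes an elevated Windows PowerShell session (3.0 or later); the $Days window is an assumption to adjust to the incident timeline.

```powershell
# Added example (not part of the original guide): report recently modified
# files in the folders the guide names and the processes running from them.
# Read-only. Assumes an elevated Windows PowerShell session (3.0 or later);
# $Days is a window chosen for this example, adjust it to the incident.

$Days    = 7
$Folders = @(
    [Environment]::GetFolderPath('CommonApplicationData'),   # All Users\Application Data (ProgramData on newer Windows)
    $env:windir,
    (Join-Path $env:windir 'System32'),
    (Join-Path $env:windir 'System32\drivers')
)

function Get-RecentFiles {
    param([string[]]$Paths = $Folders, [int]$WithinDays = $Days)
    $cutoff = (Get-Date).AddDays(-$WithinDays)
    foreach ($dir in $Paths) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes hidden and system files, which is where droppers usually sit
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $cutoff } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    LastWriteTime = $_.LastWriteTime
                    SizeKB        = [math]::Round($_.Length / 1KB, 1)
                    Signature     = $sig.Status              # Valid, NotSigned, HashMismatch, ...
                    Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    Hidden        = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    Path          = $_.FullName
                }
            }
    }
}

function Get-ProcessesFromFolders {
    # Processes whose image file lives directly in one of the folders above.
    # Anything unexpected here must be stopped before its file is deleted,
    # otherwise the delete fails or the file is recreated.
    param([string[]]$Paths = $Folders)
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($Paths -contains (Split-Path $_.Path -Parent)) } |
        Select-Object Id, ProcessName, Path
}

Get-RecentFiles | Sort-Object LastWriteTime -Descending |
    Format-Table LastWriteTime, SizeKB, Signature, Hidden, Path -AutoSize
Get-ProcessesFromFolders | Format-Table -AutoSize
```

Read the Signature column with care: on Windows XP and Windows 7 most operating-system files are signed through security catalogs rather than an embedded signature, so Get-AuthenticodeSignature reports them as NotSigned. Treat NotSigned as "needs a look" and HashMismatch or a hidden file with a fresh timestamp as the stronger signal; a recent modification date alone is not proof of infection.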
4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document:
How to make a backup of the Windows registry.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&src=sec_doc_nam
1. Click Start > Run.
2. Type regedit
3. Click OK.
Navigate to and delete the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Delete all the keys below this key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
Delete all the keys below this key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
If you see any unknown or suspicious entries, delete them.
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5604
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5647
Search every numbered subkey under ACMru thoroughly for infected entries and delete them.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
If you see any unknown or suspicious entries, delete them.
Exit the Registry Editor.
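The registry review in step 4, done as a report rather than by browsing in regedit. This is an added example, not part of the original guide: it enumerates the autostart locations the guide lists (the two Run keys, Browser Helper Objects, SharedTaskScheduler, Winlogon\Notify and the msconfig startupreg key), resolves each entry to the file it loads, and reports whether that file exists and is signed, so "unknown or suspicious" is decided from evidence. Remove-AutostartEntry exports the parent key to a .reg file before deleting, which is the backup the warning at the top of step 4 asks for. It assumes an elevated Windows PowerShell session (3.0 or later); the ACMru search-history keys are left to manual review because they hold typed search strings rather than file references.

```powershell
# Added example (not part of the original guide): enumerate the autostart
# locations named in step 4, resolve each entry to the file it loads, and
# report existence and Authenticode status. Deletion backs the key up first.
# Assumes an elevated Windows PowerShell session (3.0 or later).

$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
)

function Resolve-ClsidImage {
    # BHO subkeys and SharedTaskScheduler value names are CLSIDs; the DLL they
    # load is the (Default) value of HKCR\CLSID\{...}\InprocServer32
    param([string]$Clsid)
    $k = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $k) { [string](Get-Item -LiteralPath $k).GetValue('') }
}

function Resolve-CommandImage {
    # Pull the executable out of a command line (quoted path or first token),
    # expand %variables%, and assume System32 for bare file names, which is how
    # Winlogon\Notify DLLNames are usually stored
    param([string]$Command)
    if (-not $Command) { return $null }
    $img = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $img = [Environment]::ExpandEnvironmentVariables($img)
    if (-not [IO.Path]::IsPathRooted($img)) { $img = Join-Path $env:windir "System32\$img" }
    return $img
}

function Get-AutostartEntries {
    param([string[]]$Keys = $AutostartKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item    = Get-Item -LiteralPath $key
        $entries = @()
        foreach ($name in $item.GetValueNames()) {            # Run and SharedTaskScheduler: one value per entry
            $entries += @{ Name = $name; Data = [string]$item.GetValue($name); IsKey = $false }
        }
        foreach ($sub in Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue) {   # BHO, Notify, startupreg: one subkey per entry
            $data = $sub.GetValue('command'); if (-not $data) { $data = $sub.GetValue('DLLName') }
            $entries += @{ Name = $sub.PSChildName; Data = [string]$data; IsKey = $true }
        }
        foreach ($e in $entries) {
            $image  = if ($e.Name -match '^\{[0-9A-Fa-f-]{36}\}$') { Resolve-ClsidImage $e.Name } else { Resolve-CommandImage $e.Data }
            $exists = $image -and (Test-Path -LiteralPath $image)
            [pscustomobject]@{
                Key       = $key
                Name      = $e.Name
                Image     = $image
                Exists    = [bool]$exists
                Signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'n/a' }
                IsKey     = $e.IsKey
            }
        }
    }
}

function Remove-AutostartEntry {
    # Export the parent key to a .reg backup (reg.exe), then delete one value or subkey
    param([string]$Key, [string]$Name, [string]$BackupDir = (Join-Path $env:TEMP 'regbackup'))
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $native = $Key -replace '^HKCU:\\', 'HKEY_CURRENT_USER\' -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\' -replace '^Registry::', ''
    $backup = Join-Path $BackupDir (($native -replace '[\\: ]', '_') + '.reg')
    & reg.exe export $native $backup /y | Out-Null
    if (Test-Path -LiteralPath "$Key\$Name") { Remove-Item -LiteralPath "$Key\$Name" -Recurse }
    else { Remove-ItemProperty -LiteralPath $Key -Name $Name }
}

# Review the report; delete only the entries you have identified as the risk's:
Get-AutostartEntries | Format-Table Name, Exists, Signature, Image, Key -AutoSize
# Remove-AutostartEntry -Key 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'ValueNameAddedByTheRisk'
```

An entry whose Image does not exist is a leftover from a file you already deleted, and is safe to remove; an entry whose image exists in one of the folders from step 3, is unsigned and has a recent timestamp is the one to look at next. The .reg backups land in %TEMP%\regbackup and can be merged back with regedit if a legitimate entry was removed.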