Manual Removal - con't
Step 3: Deleting the Malware's Winlogon References
As a precaution, be careful when editing the registry values that Windows relies on at boot and logon: a wrong change here can leave the PC unable to boot or to log on.
The malware also modified the Userinit value under HKEY_LOCAL_MACHINE. This was done so that the fake anti-spyware runs whenever any user account logs on to the PC, not just the account that was infected.
Since we have already found the path to the malicious file, we next verify whether the same entry exists under HKEY_LOCAL_MACHINE.
With regedit still open, find the Userinit entry in:
Check whether it contains the same malware file path that we found in Step 1.
Once both have been verified, we can remove the malware's Userinit references in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE by deleting the malware's file path from each value.
But be careful not to modify or remove the default HKEY_LOCAL_MACHINE Userinit setting, which has the following content (Userinit is a comma-separated list of programs Winlogon starts at logon; if the default entry is lost, Windows logs every user off again immediately after logon):
Step 4: Deleting the Files
While the malware process is still running, its executable file is locked and cannot be deleted.
Opening Task Manager has been disabled as well, but we can use taskkill from the Run box to terminate the process.
Click Start > Run and type the following command in the input box:
taskkill /F /IM mgmrwmrv.exe
The filename mgmrwmrv.exe is only the example used here; it should match the filename from the file path you found earlier.
With the process terminated, we can now delete the file.
Additionally, delete the HTML file it uses as the desktop background, which is located in the Windows folder as:
Step 5: Enable Task Manager
With regedit still open, find and delete the DisableTaskMgr entry in:
and also in:
You can now open the Task Manager window.
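Steps 3 to 5 above can also be carried out from an elevated PowerShell prompt. The script below is an added example and is not code from the original page. The registry locations it uses are the standard Windows paths for the Winlogon Userinit value and the DisableTaskMgr policy value (supplied here from general Windows knowledge, not quoted from the page); the malware path is the page's own example name and must be replaced with the path found in Step 1; and the default Userinit fallback assumes Windows is installed in C:\WINDOWS. It starts in dry-run mode and only reports what it would change.

```powershell
# Added example, not code from the original page: a PowerShell version of
# Steps 3 to 5. Run from an elevated (Administrator) PowerShell prompt.
# Starts in dry-run mode and only reports; set $DryRun = $false to apply.

# ASSUMPTION: the malware path found in Step 1. The name below is only the
# page's example name; replace it with the path you actually found.
$MalwareExe = 'C:\WINDOWS\system32\mgmrwmrv.exe'
$DryRun     = $true

# Standard Windows locations of the Winlogon Userinit value and the Task
# Manager policy value (well-known paths supplied here, not quoted from the page).
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$PolicyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
# ASSUMPTION: Windows installed in C:\WINDOWS. Used only as a safety net so
# the machine-wide Userinit value is never left empty.
$DefaultUserinit = 'C:\WINDOWS\system32\userinit.exe'

function Remove-UserinitEntry {
    # Userinit is a comma-separated list of programs Winlogon starts at logon.
    # Drop only the malware entry and keep everything else in its original order.
    # Returns $null when nothing is left (the HKCU copy is malware-only) and
    # never lets the HKLM value become empty, which would cause instant logoff.
    param([string]$Value, [string]$Malware, [bool]$MachineWide)
    $kept = @()
    foreach ($entry in ($Value -split ',')) {
        $e = $entry.Trim().Trim('"')
        if ($e -eq '') { continue }
        if ($e -ieq $Malware) { continue }   # the hijack entry
        $kept += $e
    }
    if ($MachineWide -and $kept.Count -eq 0) { $kept = @($DefaultUserinit) }
    if ($kept.Count -eq 0) { return $null }
    return (($kept -join ',') + ',')         # Windows stores the list with a trailing comma
}

# Step 3: clean the Userinit values in both hives.
foreach ($key in $WinlogonKeys) {
    $prop = Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue
    if (-not $prop) { Write-Host "$key : no Userinit value"; continue }
    $current = $prop.Userinit
    Write-Host "$key : Userinit = $current"
    if ($current -notmatch [regex]::Escape($MalwareExe)) { continue }
    $cleaned = Remove-UserinitEntry -Value $current -Malware $MalwareExe -MachineWide ($key -like 'HKLM:*')
    if ($DryRun) { Write-Host "  would change Userinit to: $cleaned"; continue }
    if ($null -eq $cleaned) { Remove-ItemProperty -Path $key -Name Userinit }
    else                    { Set-ItemProperty -Path $key -Name Userinit -Value $cleaned }
}

# Step 4: terminate the process (same effect as taskkill /F /IM), then delete the file.
$procName = [System.IO.Path]::GetFileNameWithoutExtension($MalwareExe)
foreach ($p in (Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
    Write-Host "running process $($p.ProcessName) PID $($p.Id)"
    if (-not $DryRun) { Stop-Process -Id $p.Id -Force }
}
if (Test-Path -LiteralPath $MalwareExe) {
    Write-Host "file present: $MalwareExe"
    if (-not $DryRun) { Remove-Item -LiteralPath $MalwareExe -Force }
}

# Step 5: re-enable Task Manager by deleting the policy value from both hives.
foreach ($key in $PolicyKeys) {
    if (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue) {
        Write-Host "$key : DisableTaskMgr is set"
        if (-not $DryRun) { Remove-ItemProperty -Path $key -Name DisableTaskMgr }
    }
}
```

Run it once in dry-run mode and read the reported Userinit values before setting $DryRun to $false. The Remove-UserinitEntry function exists for the reason given in Step 3: it strips only the malware's entry from the comma-separated list and refuses to leave the HKEY_LOCAL_MACHINE value empty, so the default userinit.exe entry survives even if the malware had replaced it. The HKEY_CURRENT_USER copy, which the malware created, is deleted entirely once no legitimate entry remains in it.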