How to Manually Remove Win32.Gosys

Nov 13, 2009

Win32.Gosys is a worm that opens a backdoor port on the infected computer, through which a remote attacker can record keystrokes, download files, and execute commands. It also spreads quickly to all local drives, shared folders, and removable media such as USB drives.

Win32.Gosys Manual Removal Instructions

Most viruses and worms keep a backup copy in System Restore, so before proceeding with the complete removal of this worm, temporarily disable System Restore.

Win32.Gosys is detected by virus scanners and has most probably already been cleaned. So the first thing you should do is update your virus definitions and let your antivirus remove the worm if it is still present.

Now that you have done the first two steps, restart your computer in Safe Mode to do some dirty work manually.

Run a full system scan to clean or delete all infected files.

Even after the full system scan has cleaned up your system, and even if your antivirus supposedly found and deleted all the infected files, you must still navigate to the following registry entries and delete or restore them.

Delete These Registry Entries

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\"StubPath" = "%UserProfile%\Local Settings\Application Data\mrsys.exe MR"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\"StubPath" = "%UserProfile%\Local Settings\Application Data\mrsys.exe MR"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Explorer" = "c:\windows\system32\explorer.exe RO"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Svchost" = "c:\windows\svchost.exe RO"

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"LO" = "0"

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"BL" = "c:\tools\regshot.exe"

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"NF" = "0"

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Svchost\Process\"BL" = "c:\tools\regshot.exe"

Restore the Following Registry Entries to Previous Values if Required

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "%Windir%\explorer.exe, c:\windows\system32\explorer.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"

Exit the Registry Editor and restart your computer.
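As an added example, not part of the original post, the following PowerShell script audits the registry entries and dropped files named above and, with -Remove, deletes or restores them as the instructions describe; run it from an elevated prompt in Safe Mode. It assumes the standard CurrentVersion spelling of the RunOnce and Explorer\Advanced keys and the stock Winlogon Shell value of explorer.exe; the mrsys.exe path is the XP-era one given in the post.

```powershell
param([switch]$Remove)

# Registry values the post says to delete outright.
$deleteValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}'; Name = 'StubPath' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}'; Name = 'StubPath' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'Explorer' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'Svchost' }
    @{ Path = 'HKCU:\Software\VB and VBA Program Settings\Explorer\Process'; Name = 'LO' }
    @{ Path = 'HKCU:\Software\VB and VBA Program Settings\Explorer\Process'; Name = 'BL' }
    @{ Path = 'HKCU:\Software\VB and VBA Program Settings\Explorer\Process'; Name = 'NF' }
    @{ Path = 'HKCU:\Software\VB and VBA Program Settings\Svchost\Process'; Name = 'BL' }
)
$found = 0
foreach ($v in $deleteValues) {
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $found++
    Write-Host ("FOUND    {0}\{1} = {2}" -f $v.Path, $v.Name, $item.($v.Name))
    if ($Remove) {
        Remove-ItemProperty -Path $v.Path -Name $v.Name
        Write-Host ("REMOVED  {0}\{1}" -f $v.Path, $v.Name)
    }
}

# Winlogon\Shell: the worm appends its own explorer.exe copy; the stock Windows value is "explorer.exe".
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $found++
    Write-Host "FOUND    Winlogon\Shell = $shell"
    if ($Remove) {
        Set-ItemProperty -Path $winlogon -Name Shell -Value 'explorer.exe'
        Write-Host "RESTORED Winlogon\Shell = explorer.exe"
    }
}

# ShowSuperHidden: the worm sets it to 0 to keep its files out of sight. Reported only,
# because the pre-infection value is a user preference (1 shows protected OS files).
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ssh = (Get-ItemProperty -Path $adv -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
if ($ssh -eq 0) { Write-Host "NOTE     $adv\ShowSuperHidden = 0" }

# Dropped files named in the values above. A genuine svchost.exe lives in system32, not C:\Windows,
# and a genuine explorer.exe lives in C:\Windows, not system32, so these paths should not exist.
foreach ($f in "$env:USERPROFILE\Local Settings\Application Data\mrsys.exe", 'C:\Windows\system32\explorer.exe', 'C:\Windows\svchost.exe') {
    if (Test-Path $f) { $found++; Write-Host "FOUND    file $f" }
}
Write-Host ("{0} indicator(s) matched. Re-run with -Remove to delete/restore the registry entries." -f $found)
```

Files are only reported, not deleted, so that the antivirus scan in the earlier step (or a manual check) can confirm them first.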

Now that you have deleted these registry entries manually and run a full system scan, you have completely removed Win32.Gosys.

