How to Remove Regsvr.

exe
By Colette Larson, eHow Contributor

Regsvr.exe, also known as the new folder.exe virus, is a component of several Trojans and worms
such as WebMoney-G Trojan, Worm_Delf.FKZ and W32.Imaut that are spread through removable
storage devices. The worms typically create an autorun.inf file for automatic execution, random
folders and a registry entry to enable its automatic execution upon system startup, in addition to
scheduling a task for automatic launch at specific dates and times.
Difficulty: Moderately Challenging
Instructions
1. 1
Turn off System Restore if the operating system of the infected computer is either Windows Me or Windows
XP. To turn off System Restore within Windows Me, click "Start," "Settings" and "Control Panel." Double-
click on the "System" icon and select "File System" from the "Performance" tab. Left-click on the
"Troubleshooting" tab and check the "Disable System Restore" box. Click "OK". To turn off System Restore
within Windows XP, log in as an administrator and click "Start." Right-click on "My Computer" and select
"Properties" from the shortcut menu. Check the "Turn off System Restore" option for each drive on the
"System Restore" tab. Click "Apply" and "Yes" to confirm when prompted. Click "OK."
2. 2
Restart the computer in safe mode and log in as an administrator. Press "F8" after the first beep occurs during
startup, before the display of the Microsoft Windows logo. Select the first option to run "Windows in Safe
Mode" from the selection menu.
3. 3
Remove any regsvr program files from the computer. Go to "Start," "Control Panel" and "Add/Remove
Programs." Remove any programs referencing regsvr. If none is listed, continue to Step 4.
4. 4
Use the Windows Search tool to determine if "regsvr.exe" exists on the hard drive. Go to "Start," "Search" and
"All Files and Folders." Type "regsvr.exe" in the "All or Part of the File Name" section. Select "All Local Hard
Drives" from the "Look in:" drop-down list for the best results. Click "Search." Repeat this process for "new
folder.exe" and "autorun.inf."
5. 5
Right click on the "autorun.inf" file, select "Properties," remove the check from the read only option, click
"Apply" and click "OK".
6. 6
Right click on the "autorun.inf" file, select "Open With" and "Notepad." Delete all of the contents of the file
and save.
7. 7
Right click on the "autorun.inf" file, select "Properties," check the box for the read only option, click "Apply"
and click "OK". This will prevent the virus from accessing the file.
8. 8
 Use the Windows Task Manager to end any regsvr.exe processes that are running. Press "Ctrl," "Alt" and
"Delete" to open Task Manager. Click "regsvr.exe" within the "Processes" tab and click "End Process." Do the
same with "new folder.exe."
9. 9
Click on "Start" and "Run," type "msconfig" and press "Enter." Remove checkmarks next to any regsvr entries
on the "Startup" tab. Save changes and exit to the desktop.
10. 10
Click on "Start," "Control Panel" and "Scheduled Tasks." Right-click on the "At1" task and select "Delete."
11. 11
Click on "Start" and "Run," type "regedit" and press "Enter." Press "Ctrl" and "F," type "regsvr.exe" in the
search field and delete all related entries.
12. 12
Locate the entry "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon" and modify the entry "Shell = Explorer.exe regsvr.exe" by deleting the
"regsvr.exe" value from the entry.
13. 13
Double click on "My Computer" and the "C:" drive. Click on "Folder Options" and access the "View" tab.
Activate the radio button to view hidden files and folders. Click "Apply" and "OK."
14. 14
Use the Windows Search tool to locate "regsvr.exe". Go to "Start," "Search" and "All Files and Folders." Type
"regsvr.exe" in the "All or Part of the File Name" section. Select "All Local Hard Drives" from the "Look in:"
drop-down list for the best results. Click "Search." Right click on each occurrence of the file and select
"Delete" from the shortcut menu. Repeat this process for "new folder.exe" and "autorun.inf."
15. 15
Reboot the PC.
16. 16
Repeat the steps above if regsvr.exe still resides on the computer, or try using a free automatic removal
program from Trend Micro or AVG listed in References. If the files have been successfully removed, System
Restore may be reactivated. To turn on System Restore within Windows Me, click "Start," "Settings" and
"Control Panel." Double-click on the "System" icon and select "File System" from the "Performance" tab.
Left-click on the "Troubleshooting" tab and remove the check from the "Disable System Restore" box. Click
"OK". To turn on System Restore within Windows XP, log in as an administrator and click "Start." Right-click
on "My Computer" and select "Properties" from the shortcut menu. Check the "Turn on System Restore"
option for each drive on the "System Restore" tab. Left-click "Apply" and "Yes" to confirm when prompted.
Click "OK."
.

Tips & Warnings

 Manual removal of regsvr.exe may be difficult as the removal process requires knowledge of
the operating system command prompt and registry editor. In addition, different versions of this
malware rename and relocate various file components. If not performed properly, your computer
system might experience permanent damage. There are also similarly named programs that
legitimately use regsvr32.exe to register DLL files and create registry entries. Consequently, manual
removal might be best for experienced users. Less experienced users might want to consider using
an automatic spyware removal application such as that offered by Trend Micro or AVG. The
Windows registry contains extensive information about how your computer runs. Because removal of
the virus requires extensive changes to the Windows registry via the registry editor, it is important to
back up the registry prior to editing any of its files.