Saturday, December 31, 2011

Remove System Check

System Check is a program used to cheat people out of their money by showing fake error messages about the computer's hard drive, memory and system. System Check adds registry entries so that it starts automatically when Windows boots. It then runs a fake scan of the computer and shows pop-up warnings telling the user that the hard drive, memory and system have serious errors which can only be fixed with the full version of System Check. The user is thus urged to purchase it. Do not believe any report given by System Check, even if the warnings look real. In fact, System Check cannot detect or fix any computer error.


System Check can be uninstalled by stopping all of its processes, which have random names, and deleting its files. Then all registry entries added or modified by System Check must be cleared using Windows Registry Editor.

System Check provides fake features such as Computer Status, RAM Memory Status, System Drive and System Registry Status. None of them can really protect the computer from any kind of malware.

System Check should be removed immediately!


System Check Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Unregister DLL files

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
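
An added example (not part of the original guide): a read-only Python audit that parses lines in the guide's `KEY "Name" = 'data'` format and reports which values currently hold the data the guide attributes to System Check. The function names and the sample snapshot are constructed for illustration; on Windows the default reader queries the live registry through the standard `winreg` module.

```python
import re

# A few entries copied from the "Delete Registry" list above. The Run entry
# has no value data in the guide, so the parser skips it.
GUIDE_LINES = r"""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
""".strip().splitlines()

# Guide format: <hive>\<subkey> "<value name>" = '<data>'
LINE_RE = re.compile(r"""^(HKEY_[A-Z_]+)\\(.+?)\s+"([^"]*)"\s*=\s*'([^']*)'\s*$""")


def parse_guide_line(line):
    """Return (hive, subkey, value name, data), or None if no data is given."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def read_live(hive, subkey, name):
    """Read one value from the live registry (Windows only); None if absent."""
    import winreg
    try:
        with winreg.OpenKey(getattr(winreg, hive), subkey) as key:
            value, _value_type = winreg.QueryValueEx(key, name)
            return value
    except FileNotFoundError:
        return None


def audit(lines, read_value=read_live):
    """List (key, name, value) where the current value equals the guide's data."""
    findings = []
    for line in lines:
        parsed = parse_guide_line(line)
        if parsed is None:
            continue
        hive, subkey, name, expected = parsed
        actual = read_value(hive, subkey, name)
        # DWORDs come back as int, strings as str; compare as text.
        if actual is not None and str(actual).lower() == expected.lower():
            findings.append((f"{hive}\\{subkey}", name, actual))
    return findings


# Constructed snapshot standing in for one profile's registry (not real data).
# Keys are lower-cased because registry paths are case-insensitive.
SAMPLE = {
    ("HKEY_CURRENT_USER", r"software\microsoft\windows\currentversion\policies\system", "disabletaskmgr"): 1,
    ("HKEY_CURRENT_USER", r"software\microsoft\windows\currentversion\explorer\advanced", "hidden"): 1,
    ("HKEY_CURRENT_USER", r"software\microsoft\internet explorer\download", "checkexesignatures"): "no",
}


def read_sample(hive, subkey, name):
    """Reader backed by SAMPLE, so the audit can run without a registry."""
    return SAMPLE.get((hive, subkey.lower(), name.lower()))


if __name__ == "__main__":
    for key, name, value in audit(GUIDE_LINES, read_sample):
        print(f"{key}  {name} = {value!r}")
```

A single match is weak evidence, since a value such as "Use FormSuggest" can also be set by the user; several matches together are the stronger signal.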

Remove Folders and Files
%LocalAppData%\[random]
%LocalAppData%\[random].exe
%LocalAppData%\~[random]
%LocalAppData%\~[random]
%StartMenu%\Programs\System Check
%Temp%\smtmp
%UserProfile%\Desktop\System Check.lnk
File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\[Current User]\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\[Current User]\AppData\Local\Temp for Windows Vista and Windows 7.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
Friday, December 30, 2011

Don't disable UAC or your computer will be attacked by malware!

UAC, or User Account Control, is one of the very good features provided by Windows Vista and Windows 7. However, many people try to disable it because they think that UAC is useless!

Malware attacks computers by modifying system files and the registry so that it is executed automatically every time the computer is turned on. UAC asks for our permission before letting the malware attack our computers.
Malware will never have the chance to attack our computer if we do not disable UAC and we click the "No / Cancel" button when UAC asks for our permission. Don't simply click the "Yes / Continue" button if we don't really know what the program is!





Most people try to disable UAC because they are annoyed by the UAC prompt asking for permission to execute a program. However, once we disable UAC, there is no longer a UAC prompt to prevent malware from attacking our computer. Don't trust that anti-virus can protect our computer from malware, as malware always updates faster than anti-virus! Anti-virus updates its definitions after new malware is reported. However, the fact is that there is a great deal of malware that is undetectable by even the best updated anti-virus (like Kaspersky), as it grows very, very fast.

Thus, don't ever disable UAC or you will become one of the victims attacked by malware!

Don't ever click the "Yes / Continue" button (in the UAC prompt) if you don't really know what the program is!

Click the "No / Cancel" button (in the UAC prompt) if you don't know whether the program is malware or not.

The best policy is:
Set the UAC settings to the highest level.

Wednesday, December 28, 2011

Remove Super AV

Super AV Removal Guide
Super AV is a fake antispyware program that pretends to protect the system from spyware but will always tell the user that there is a lot of spyware on the hard drive, in memory and in the system. Super AV produces fake results. Super AV cannot prevent, detect or remove any spyware. Super AV is just a SCAM. Super AV continuously produces fake alerts to urge the user to purchase the full version of Super AV in order to remove all the spyware. In fact, Super AV cannot detect or remove any spyware.

Super AV can be removed by using Emsisoft HiJackFree to stop and remove the processes ([random].exe), remove the autorun setting, and finally remove all related folders and files listed in the removal guide below.
Super AV should be removed immediately!
Super AV Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
atexbees.exe

Unregister DLL files
%Temp%\[random].dll

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "security" = "C:\Windows\atexbees.exe"

Remove Folders and Files
C:\Windows\atexbees.exe
Monday, December 26, 2011

Remove Home Security Solutions

Home Security Solutions Removal Guide
Home Security Solutions is a fake antivirus program that CANNOT DETECT AND REMOVE any kind of virus, malware or trojan. Home Security Solutions can do nothing but show pop-ups to convince the user that the computer has been infected by malware and urge the user to purchase the full version of Home Security Solutions. Home Security Solutions infections are known to spread by means of fake online system alerts that warn the user about infections and tell the user to download Home Security Solutions to remove them. Home Security Solutions starts automatically when Windows boots. It then runs a fake scan of the computer and shows a fake report. Do not purchase Home Security Solutions, as it can do nothing. The user should switch to Safe Mode to make sure that scans detect Home Security Solutions, and remove it with anti-malware applications that are designed to handle such threats.

Home Security Solutions can be removed by using Emsisoft HiJackFree to stop its processes and delete its files from the hard drive. Then the user has to restore the registry entries added and modified by Home Security Solutions. Finally, all files related to Home Security Solutions must be deleted from the hard drive. All of them are shown in the removal guide below.

Computer users should remember that any time they encounter a web page stating that the computer is infected, they should not believe it, as the majority of these pages are scams trying to get them to install the actual infection. The second method used to install this fake antivirus is through hacked web sites that install Home Security Solutions onto the computer without the user's knowledge by exploiting vulnerabilities in outdated programs.

Home Security Solutions should be removed immediately!


Home Security Solutions Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Delete Registry

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\91\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid {137E7700-3573-11CF-AE69-08002B2E1262}
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes\URL http://findgala.com/?&uid=231&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures "no"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PRS http://127.0.0.1:27777/?inj=%ORIGINAL%
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\URL http://findgala.com/?&uid=231&q={searchTerms}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\89770803
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\lib/5.00231
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UID 231
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HS2d7_231.DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Enable LUA "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Home Security Solutions"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}


Remove Folders and Files

%AllUsersProfile%\[RANDOM]
%AllUsersProfile%\HSYITSQGE
%AppData%\Home Security Solutions
%AppData%\Microsoft\Windows\Recent\DBOLE.dll
%AppData%\Microsoft\Windows\Recent\CLSV.tmp
%AppData%\Microsoft\Windows\Recent\gid.tmp
%AppData%\Microsoft\Windows\Recent\eb.dll
%AppData%\Microsoft\Windows\Recent\delfile.dll
%AppData%\Microsoft\Windows\Recent\eb.sys
%AppData%\Microsoft\Windows\Recent\energy.dll
%AppData%\Microsoft\Internet Explorer\Quick Launch\Home Security Solutions.lnk


Friday, December 23, 2011

Remove Click System

Click System is a program used to cheat people out of their money by showing fake error messages about the computer's hard drive, memory and system. Click System adds registry entries so that it starts automatically when Windows boots. It then runs a fake scan of the computer and shows pop-up warnings telling the user that the hard drive, memory and system have serious errors which can only be fixed with the full version of Click System. The user is thus urged to purchase it. Do not believe any report given by Click System, even if the warnings look real. In fact, Click System cannot detect or fix any computer error.


Click System can be uninstalled by stopping all of its processes, which have random names, and deleting its files. Then all registry entries added or modified by Click System must be cleared using Windows Registry Editor.

Click System provides fake features such as Computer Status, RAM Memory Status, System Drive and System Registry Status. None of them can really protect the computer from any kind of malware.

Click System should be removed immediately!


Click System Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe

Unregister DLL files

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

Remove Folders and Files
%LocalAppData%\[random]
%LocalAppData%\[random].exe
%LocalAppData%\~[random]
%LocalAppData%\~[random]
%StartMenu%\Programs\Click System
%Temp%\smtmp
%UserProfile%\Desktop\Click System.lnk
File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] for Windows 2000/XP, C:\Users\[Current User] for Windows Vista/7, and c:\winnt\profiles\[Current User] for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\[Current User]\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\[Current User]\AppData\Local\Temp for Windows Vista and Windows 7.

%LocalAppData% refers to the current user's Local Settings Application Data folder. By default, this is C:\Documents and Settings\[Current User]\Local Settings\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\[Current User]\AppData\Local.

%StartMenu% refers to the Windows Start Menu. For Windows 95/98/ME it refers to C:\windows\start menu\, for Windows XP, Vista, NT, 2000 and 2003 it refers to C:\Documents and Settings\[Current User]\Start Menu\, and for Windows Vista/7 it is C:\Users\[Current User]\AppData\Roaming\Microsoft\Windows\Start Menu.
Tuesday, December 20, 2011

Remove Best Antivirus

Best Antivirus Removal Guide
Best Antivirus is another fake antivirus program that shows pop-ups telling the user that the computer has been infected by malware, trojans and viruses. Best Antivirus CANNOT detect or remove any kind of malware, trojan or virus. Best Antivirus can only trick the user into purchasing the full version of Best Antivirus in order to remove the detected threats. Do not believe any pop-ups or reports shown by Best Antivirus. All of them are lies.

Best Antivirus can be uninstalled by stopping all of its processes, which have random names, and deleting its files. Then all registry entries added or modified by Best Antivirus must be cleared using Windows Registry Editor.

Best Antivirus should be removed immediately!


Best Antivirus Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
BestAntivirusUpdater.exe

Delete Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Best Antivirus"

Remove Folders and Files
C:\Documents and Settings\All Users\Application Data\13077d\[RANDOM CHARACTERS].exe
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Best Antivirus.lnk
%UserProfile%\Start Menu\Programs\Best Antivirus.lnk
%UserProfile%\Start Menu\Best Antivirus.lnk
%UserProfile%\Desktop\Best Antivirus.lnk
%UserProfile%\Application Data\Best Antivirus\cookies.sqlite
%UserProfile%\Application Data\Best Antivirus\Instructions.ini
%UserProfile%\Application Data\Best Antivirus
Thursday, December 15, 2011

How to delete trojan virus, open hidden files

How to delete trojan virus, open hidden files?
First of all, we need to scan the drive with an up-to-date anti-virus to find out the name of the Trojan. After getting the name of the Trojan, we should search for that name in Google or another search engine. Usually, we will find a way to remove the trojan manually or with a removal tool.

The search results will tell us the trojan's processes. Every trojan must have at least one process running in the background of the OS. Hence, we should terminate all of the trojan's processes. You can also let me know the name of the trojan and I will show you how to remove it manually if possible.

Most viruses disable the show-hidden-files feature so that we cannot remove them easily. To show hidden files after a trojan infection, we should first kill the trojan by following the method stated above. Then we need to use a tool to remove the restriction on showing hidden files. The tool I recommend is Remove Restriction Tool (RRT). After removing the restriction, we should delete all the files belonging to the trojan's processes.

However, you can also terminate the process and delete the file at the same time by using a-squared HiJackFree.
Wednesday, December 14, 2011

Remove Security Monitor 2012

Security Monitor 2012 is a fake antivirus program that comes with a rootkit to prevent many programs from running on the computer. Security Monitor 2012 cannot detect or remove any kind of virus, malware or trojan. What Security Monitor 2012 can do is display fake reports telling the user that the computer has been infected by many malware programs, trojans and viruses. Security Monitor 2012 will urge the user to purchase the full version of Security Monitor 2012 to remove all the detected malware, viruses and trojans. Bear in mind that Security Monitor 2012 CANNOT detect or remove any malware, virus or trojan. Security Monitor 2012 may spread through its affiliated Trojans and invade the affected computer system without the PC owner's consent or knowledge.

Security Monitor 2012 provides fake features such as system scan, firewall, scan options, settings and updates. It scares users by reporting a lot of malware detected on the computer, such as Adware.Win32/Wheresphere, W32/Rimecud, Exploit-PDF.w etc. It claims that it can protect your PC with a simple one-click solution. It asks the user to activate Security Monitor 2012 in order to have automatic protection on the computer. All of this is a lie. Do not believe it.

Security Monitor 2012 should be removed immediately!


Security Monitor 2012 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
securityhelper.exe
Security Monitor.exe
securitymanager.exe
%Temp%\02c9c3c35bdx5.exe
%Temp%\17dkf.exe
%Temp%\1iowieoo.exe
%Temp%\472a10e2ebxd9.exe
%Temp%\56493.exe
%Temp%\8gmsed-bd.exe
%Temp%\ae0965a7157cd.exe
%Temp%\al3erfa3.exe
%Temp%\alerfa.exe
%Temp%\alerfa2.exe
%Temp%\altedf.exe
%Temp%\bzqa43d.exe
%Temp%\cocksucker.exe
%Temp%\cosock.exe
%Temp%\format.exe
%Temp%\g_dx234.exe
%Temp%\ggwwef9752.exe
%Temp%\lkhgg_ea.exe
%Temp%\lols.exe
%Temp%\ploper.exe
%Temp%\timem.exe
%Temp%\tryh-blv.exe
%Temp%\w32-reno-c.exe
%Temp%\wrfwe_di.exe
%Temp%\wwautrsd.exe
%Temp%\wwwsssgen.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform "(Default)" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security Monitor 2012"
HKEY_CURRENT_USER\Software\Security Monitor 2012

Remove Folders and Files
%userprofile%\Desktop\Security Monitor 2012.lnk
%userprofile%\Local Settings\Temp\[random].*
%userprofile%\Application Data\Security Monitor 2012
%userprofile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Monitor 2012.lnk
%userprofile%\Start Menu\Programs\Security Monitor 2012.lnk
%userprofile%\Start Menu\Programs\Security Monitor 2012
%Temp%\02c9c3c35bdx5.exe
%Temp%\17dkf.exe
%Temp%\1iowieoo.exe
%Temp%\472a10e2ebxd9.exe
%Temp%\56493.exe
%Temp%\8gmsed-bd.exe
%Temp%\ae0965a7157cd.exe
%Temp%\al3erfa3.exe
%Temp%\alerfa.exe
%Temp%\alerfa2.exe
%Temp%\altedf.exe
%Temp%\bzqa43d.exe
%Temp%\cocksucker.exe
%Temp%\cosock.exe
%Temp%\format.exe
%Temp%\g_dx234.exe
%Temp%\ggwwef9752.exe
%Temp%\lkhgg_ea.exe
%Temp%\lols.exe
%Temp%\ploper.exe
%Temp%\timem.exe
%Temp%\tryh-blv.exe
%Temp%\w32-reno-c.exe
%Temp%\wrfwe_di.exe
%Temp%\wwautrsd.exe
%Temp%\wwwsssgen.exe
Monday, December 12, 2011

Remove Antivirii 2011

Antivirii 2011 is another fake antivirus program that shows pop-ups telling the user that the computer has been infected by malware, trojans and viruses. Antivirii 2011 CANNOT detect or remove any kind of malware, trojan or virus. Antivirii 2011 can only trick the user into purchasing the full version of Antivirii 2011 in order to remove the detected threats. Do not believe any pop-ups or reports shown by Antivirii 2011. All of them are lies.

Antivirii 2011 can be uninstalled by stopping all of its processes, which have random names, and deleting its files. Then all registry entries added or modified by Antivirii 2011 must be cleared using Windows Registry Editor.

After installation, Antivirii 2011 usually displays a lot of pop-up alerts that attempt to make users believe that it has detected multiple threats on the system. Naturally, some computer users will try to remove those threats simply by purchasing the full edition of Antivirii 2011. After doing so, users will find out that Antivirii 2011 is incapable of ridding their system of any type of malware threat and will continue to bombard them with deceptive pop-up messages. The only thing to do with Antivirii 2011 is to remove it, either manually or by using an updated spyware detection tool.

Antivirii 2011 should be removed immediately!


Antivirii 2011 Removal Guide
Kill Process
(How to kill a process effectively?)
[random].exe
antivirii.exe

Delete Registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Security"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "Debugger"

Remove Folders and Files
Remove the files stated in the autorun setting.
%WinDir%\antivirii.exe
%WinDir%\[random].exe
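
An added example (not part of the original guide): the `Debugger` value listed above under Image File Execution Options\taskmgr.exe makes Windows start the named program whenever Task Manager is launched. This Python check parses text in the layout that `reg query <key> /s` prints, lists every `Debugger` entry, and marks those whose target is also started from a Run key. The sample text, its paths and the function names are constructed for illustration.

```python
import re

IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
        r"\CurrentVersion\Image File Execution Options")

# Constructed text in the layout `reg query <key> /s` prints: a key line, then
# indented "name    type    data" lines. Paths and data are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Security    REG_SZ    C:\Windows\antivirii.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger    REG_SZ    C:\Windows\antivirii.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myservice.exe
    Debugger    REG_SZ    "C:\Tools\windbg.exe" -g
    GlobalFlag    REG_DWORD    0x200
"""

VALUE_RE = re.compile(r"^\s+(\S.*?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")


def parse_reg_query(text):
    """Return {key path: {value name: data}} from `reg query ... /s` text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1)] = m.group(3)
    return keys


def exe_path(command):
    """Lower-cased executable path from a command line, minus quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    m = re.match(r"(.+?\.exe)\b", command, re.I)
    return (m.group(1) if m else command).lower()


def find_hijacks(text):
    """List (image, debugger target, also started from a Run key?)."""
    keys = parse_reg_query(text)
    autoruns = {exe_path(data) for path, values in keys.items()
                if path.lower().endswith(r"\currentversion\run")
                for data in values.values()}
    prefix = IFEO.lower() + "\\"
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        for name, data in values.items():
            if name.lower() == "debugger":
                target = exe_path(data)
                findings.append((path[len(prefix):], target, target in autoruns))
    return findings


if __name__ == "__main__":
    for image, target, in_run in find_hijacks(SAMPLE):
        note = "also in a Run key" if in_run else "review manually"
        print(f"{image} -> {target} ({note})")
```

A `Debugger` entry is not proof of infection on its own: developers set it, and so does Process Explorer when it is configured to replace Task Manager.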