Safely Removing Malware: A Step-by-Step Guide to Using a Bootable USB and Regedit

Malware can wreak havoc on your computer, compromising sensitive data and causing performance issues. While traditional antivirus software can help, some malware can be particularly stubborn to remove.

Here are the steps:

  1. Create a boot disk
  2. Boot from the USB disk
  3. Start the regedit program
  4. Load the registry data into regedit
  5. Remove traces of malware from the hard disk
  6. Reboot to check whether the virus is cleared

One effective method is to boot up from a USB disk and then use the Registry Editor (Regedit) to locate and eliminate traces of the malware hidden deep within the system. In this article, we will guide you through the process of using a bootable USB and Regedit to rid your computer of malware.

Step 1: Create a Bootable USB Disk:

  1. Obtain a clean and reliable USB flash drive with sufficient storage capacity (at least 8GB).
    (Use a USB 3 flash disk if one is available; they are relatively cheap and boot up a lot faster.)
  2. Download a reputable bootable USB creation tool from a trusted source.
    (While free tools are available, we recommend EaseUS OS2Go: it allows installation of either a WinPE version or a full version of Windows, and it spares you from dealing with BIOS/UEFI issues in the Preinstallation Environment.)
  3. Insert the USB drive into your computer and run the bootable USB creation tool.
    (An exFAT or FAT32 volume is required for UEFI boot.
    You may need to create a GPT partition if booting from a USB disk larger than 32GB, which is FAT32’s size limit.
    Legacy BIOS boot supports booting from NTFS, but if the infected system’s hard disk is configured for Secure Boot, it may be inaccessible to a legacy-booted environment.)
  4. Create a Windows bootable USB disk using an ISO image from a media disk or from Microsoft’s Windows 10 Media Creation link.

Step 2: Booting Up from the USB Disk:

  1. Shut down your infected computer completely.
  2. Insert the bootable USB disk into a USB port.
  3. Power on the computer and immediately access the boot menu.
    (Usually F1 for Lenovo, F2 for Dell/IBM and F10 for HP; for other makes, try F12, Del or Esc, as each vendor has its own shortcut key for the custom boot or UEFI/BIOS menu.
    You can also check that the USB disk is detected in the BIOS before attempting to boot from it.)
  4. Either choose custom boot, select the USB drive from the boot menu and press Enter to boot from it, or, in UEFI/BIOS, set the detected USB disk as the primary boot device by pressing + to move it to the top.

Step 3: Accessing the Registry Editor (Regedit):

  1. Once the computer boots up from the USB disk, select the appropriate language and keyboard layout.
  2. Choose “Repair your computer” or similar options, depending on the operating system.
  3. Select “Troubleshoot” > “Advanced options” > “Command Prompt.”
  4. In the Command Prompt, type “regedit” and press Enter to open the Registry Editor.
  5. Before making any changes, create a backup of the Registry by selecting “File” > “Export” in the Registry Editor. Save the backup to a safe location.

Step 4: Locating NTUSER.DAT and loading it into the registry:

  1. Click on a subfolder (e.g. HKEY_USERS), click File, click Load Hive and browse to your user profile in c:\users\username, looking for a hidden file named NTUSER.DAT.
  2. Select that file, click Load and give it any name (e.g. ntuser).
  3. Click the > sign to expand the loaded hive and browse to \Software\Microsoft\Windows\CurrentVersion\Run.
  4. Right-click and delete any registry entries that you find suspicious. Take note of the locations of the files referenced by the entries you delete.
  5. Look for suspicious-looking entries with random names or unfamiliar paths. Malicious programs often use deceptive names to evade detection.
  6. Double-check that the entries you intend to remove are indeed related to the malware. You can Google the filenames for more information.
  7. Continue searching for traces of malware in other sections of the Registry, such as “RunOnce” and “RunOnceEx.” You may also want to look through the services inside SYSTEM\CurrentControlSet\Services.
  8. Unload the hive via File > Unload Hive so that the changes are committed.
  9. Repeat the above steps for each registry file (SYSTEM, SOFTWARE, DEFAULT) inside the c:\Windows\system32\config folder.
    Remember to make a copy of the files first so that you can restore them if you encounter any issues.
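As an added example that is not part of the original article, the PowerShell script below does the Step 4 inspection from the recovery environment’s command prompt: it backs up and loads the offline SOFTWARE hive, each profile’s NTUSER.DAT and the SYSTEM hive, lists every Run/RunOnce/RunOnceEx value and every service ImagePath, resolves the referenced file against the offline volume and reports whether that file still exists on disk. It only reports; deleting an entry remains a manual decision in Regedit, as the steps above describe. Assumptions not taken from the article: PowerShell is available in the boot environment, the -OsDrive parameter is the letter WinPE assigned to the infected Windows volume (often not C: inside WinPE), X: is the WinPE RAM drive, and the script name and the hive names OffSOFTWARE, OffSYSTEM and OffUser_* are chosen here.

```powershell
# Added example (not from the original article): audit autostart locations in the
# OFFLINE registry hives of the infected system, from the WinRE/WinPE command prompt.
# Usage: powershell -ExecutionPolicy Bypass -File .\Audit-OfflineAutoruns.ps1 -OsDrive D:
# Assumptions: $OsDrive is the letter WinPE assigned to the infected Windows volume
# (often not C: inside WinPE); X: is the WinPE RAM drive used to hold hive backups.
param(
    [string]$OsDrive   = 'C:',
    [string]$BackupDir = 'X:\hive-backup'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$report = [System.Collections.Generic.List[object]]::new()

function Mount-OfflineHive([string]$Name, [string]$Path) {
    # Byte-for-byte copy first, so the hive can be put back if a deletion goes wrong.
    [System.IO.File]::Copy($Path, (Join-Path $BackupDir "$Name.bak"), $true)
    & reg.exe load "HKLM\$Name" $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $Path" }
}

function Dismount-OfflineHive([string]$Name) {
    [GC]::Collect()   # release handles the registry provider may still hold
    & reg.exe unload "HKLM\$Name" | Out-Null
}

function Resolve-TargetPath([string]$CommandLine, [string]$ProfileDir) {
    # Executable = first quoted token, else first whitespace-delimited token.
    $m = [regex]::Match($CommandLine, '^\s*"([^"]+)"|^\s*(\S+)')
    if (-not $m.Success) { return $null }
    $p = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    # Variables and NT-style paths in the data describe the OFFLINE system, not WinPE.
    $p = $p -replace '(?i)%(SystemRoot|windir)%', "$OsDrive\Windows" `
           -replace '(?i)%ProgramData%',          "$OsDrive\ProgramData" `
           -replace '(?i)%ProgramFiles%',         "$OsDrive\Program Files" `
           -replace '(?i)^\\SystemRoot\\',        "$OsDrive\Windows\" `
           -replace '(?i)^system32\\',            "$OsDrive\Windows\system32\" `
           -replace '^\\\?\?\\',                  ''
    if ($ProfileDir) {
        $p = $p -replace '(?i)%USERPROFILE%',  $ProfileDir `
               -replace '(?i)%APPDATA%',       "$ProfileDir\AppData\Roaming" `
               -replace '(?i)%LOCALAPPDATA%',  "$ProfileDir\AppData\Local"
    }
    # Re-letter to where WinPE mounted the volume (assumes a single-volume install).
    if ($p -match '^[A-Za-z]:\\') { $p = $OsDrive + $p.Substring(2) }
    return $p
}

function Add-Finding([string]$Source, [string]$Key, [string]$Name, [string]$Cmd, [string]$ProfileDir) {
    $target = Resolve-TargetPath $Cmd $ProfileDir
    $report.Add([pscustomobject]@{
        Source = $Source; Key = $Key; Name = $Name; Command = $Cmd
        Target = $target; OnDisk = [System.IO.File]::Exists($target)
    })
}

function Add-AutostartEntries([string]$HiveRoot, [string[]]$KeyPaths, [string]$Source, [string]$ProfileDir) {
    foreach ($k in $KeyPaths) {
        $key = "HKLM:\$HiveRoot\$k"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # DoNotExpandEnvironmentNames: otherwise %SystemRoot% becomes WinPE's X:\Windows.
            $cmd = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            Add-Finding $Source $k $name $cmd $ProfileDir
        }
    }
}

# 1. Machine-wide Run keys: SOFTWARE hive (note: no leading "Software\" once loaded).
Mount-OfflineHive 'OffSOFTWARE' "$OsDrive\Windows\System32\config\SOFTWARE"
Add-AutostartEntries 'OffSOFTWARE' @('Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\RunOnce',
    'Microsoft\Windows\CurrentVersion\RunOnceEx') 'HKLM'
Dismount-OfflineHive 'OffSOFTWARE'

# 2. Per-user Run keys: each profile's (hidden) NTUSER.DAT.
foreach ($prof in Get-ChildItem -LiteralPath "$OsDrive\Users" -Directory) {
    $hive = Join-Path $prof.FullName 'NTUSER.DAT'
    if (-not [System.IO.File]::Exists($hive)) { continue }
    $h = 'OffUser_' + ($prof.Name -replace '[^A-Za-z0-9]', '_')
    Mount-OfflineHive $h $hive
    Add-AutostartEntries $h @('Software\Microsoft\Windows\CurrentVersion\Run',
        'Software\Microsoft\Windows\CurrentVersion\RunOnce') "HKU\$($prof.Name)" $prof.FullName
    Dismount-OfflineHive $h
}

# 3. Services: an offline SYSTEM hive has no CurrentControlSet (that link is created
#    at boot); Select\Current names the active ControlSet00N.
Mount-OfflineHive 'OffSYSTEM' "$OsDrive\Windows\System32\config\SYSTEM"
$n = (Get-ItemProperty -LiteralPath 'HKLM:\OffSYSTEM\Select').Current
foreach ($s in Get-ChildItem -LiteralPath ("HKLM:\OffSYSTEM\ControlSet{0:D3}\Services" -f $n)) {
    $img = [string]$s.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if ($img) { Add-Finding 'Service' $s.PSChildName 'ImagePath' $img }
}
Dismount-OfflineHive 'OffSYSTEM'

# Report only: dead targets (OnDisk = False) and paths outside Windows / Program Files
# deserve a closer look in Regedit. Nothing is deleted by this script.
$report | Sort-Object Source, Key | Format-Table Source, Key, Name, OnDisk, Target -AutoSize
$report | Export-Csv -LiteralPath (Join-Path $BackupDir 'autoruns-offline.csv') -NoTypeInformation
```

Two details the script encodes that are easy to miss when doing this by hand in Regedit: a loaded SYSTEM hive contains no CurrentControlSet, because that link is created at boot, so open Select, read the Current value and browse ControlSet001 (or whichever number it names) instead; and values such as %SystemRoot% refer to the infected installation, not to the WinPE drive you are booted from. The CSV written beside the hive backups is the "take note of the locations" record from step 4 above, kept so the files can still be looked up after the entries are gone.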

Step 5: Searching for Traces of Malware:

  1. Look in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup for Windows 10/11 for traces of any malicious software that is set to run on startup.
  2. Delete the temp files for all profiles in C:\Users:
    C:\Users\username\AppData\Local\Temp
    C:\Users\username\AppData\LocalLow\Temp
    C:\Windows\temp\
    (This can be done via File Explorer or in CMD: cd to each folder, cd .. one level up, then run rd temp /s /q.)
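The Step 5 sweep, as an added PowerShell example that is not part of the original article: it enumerates every profile under Users on the infected volume, records path, size, timestamp and SHA-256 of everything in the Startup folder and the temp folders before anything is removed, then clears the temp folders. The Startup folder is listed only, since those entries need the same judgement as the registry Run values. Assumptions not from the article: PowerShell is available in the boot environment, -OsDrive is the letter WinPE assigned to the infected Windows volume, X: is the WinPE RAM drive, and the -WhatIf switch and the inventory file name are chosen here.

```powershell
# Added example (not from the original article): inventory, then clear, the temp
# folders of every profile on the infected volume, and list the common Startup folder.
# Assumptions: $OsDrive is the letter WinPE gave the infected Windows volume; X: is
# the WinPE RAM drive. Run with -WhatIf first to see what would be removed.
param(
    [string]$OsDrive = 'C:',
    [string]$LogFile = 'X:\cleanup-inventory.csv',
    [switch]$WhatIf
)
$ErrorActionPreference = 'Continue'   # one unreadable file must not abort the sweep

$startup = "$OsDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
$temps   = @("$OsDrive\Windows\Temp")
foreach ($prof in Get-ChildItem -LiteralPath "$OsDrive\Users" -Directory) {
    $temps += "$($prof.FullName)\AppData\Local\Temp"
    $temps += "$($prof.FullName)\AppData\LocalLow\Temp"
}

function Get-Inventory([string]$Dir) {
    # Path, size, timestamp and SHA-256 of every file, recorded BEFORE anything is
    # deleted, so a suspicious name can still be looked up afterwards.
    if (-not (Test-Path -LiteralPath $Dir)) { return }
    Get-ChildItem -LiteralPath $Dir -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            $sha  = if ($hash) { $hash.Hash } else { '' }
            [pscustomobject]@{ Path = $_.FullName; Bytes = $_.Length
                               Written = $_.LastWriteTime; SHA256 = $sha }
        }
}

$inventory = @(foreach ($d in @($startup) + $temps) { Get-Inventory $d })
$inventory | Export-Csv -LiteralPath $LogFile -NoTypeInformation
"{0} files recorded in {1}" -f $inventory.Count, $LogFile

# Startup folder: list only. Decide by hand, as with the registry Run entries.
$inventory | Where-Object { $_.Path -like "$startup\*" } | Format-Table Path, Bytes, Written -AutoSize

# Temp folders: remove the contents only; the folder itself stays so the profile
# keeps working after reboot (rd temp /s /q, as in the article, removes the folder too).
foreach ($d in $temps) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    Get-ChildItem -LiteralPath $d -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -WhatIf:$WhatIf -ErrorAction SilentlyContinue
}
```

Run it once with -WhatIf to see the file list without deleting, then again without the switch. The inventory CSV is what makes step 3 of "Reboot and Verify" meaningful: if a temp or Startup file with the same name or hash is back after the reboot, you know exactly which artefact is being regenerated.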

Step 6: Reboot and Verify:

  1. Once you have removed the suspicious entries, exit the Registry Editor and Command Prompt.
  2. Reboot your computer from its regular internal storage (hard drive or SSD) to see if the malware has been successfully removed.
  3. Repeat the steps if the deleted suspicious files reappear. This indicates that virus files which were not properly deleted are still regenerating the payloads.
  4. You can also create bootable USB disks from ISO images provided by antivirus companies to scan for and clean any traces of the virus you have missed. Links for two of them are below.
    https://support.kaspersky.com/krd18/howto/14226
    https://free.drweb.com/aid_admin/
  5. Once you have completed the clean-up, you may want to do a scan of your system files by going to CMD and running sfc /scannow to repair any damaged system files.
  6. The Windows image can also be checked using DISM /online /cleanup-image /checkhealth to detect errors, followed by DISM /online /cleanup-image /restorehealth to repair the image.

Booting up from a USB disk and using the Registry Editor to remove malware is an advanced method that requires caution and technical expertise.

Try the above steps if the only other option is to reinstall the OS, especially in cases of rootkits.

If you are unsure or uncomfortable with performing these steps yourself, consider seeking assistance from us at +65 9694 4441 or email us at info@simplifyit.com.sg.

With the right approach and careful Registry editing, you can effectively eradicate malware and restore your computer’s health and security.