Safely Removing Malware: A Step-by-Step Guide to Using a Bootable USB and Regedit
Malware can wreak havoc on your computer, compromising sensitive data and causing performance issues. While traditional antivirus software can help, some malware can be particularly stubborn to remove.
One effective method is to boot up from a USB disk and then use the Registry Editor (Regedit) to locate and eliminate traces of the malware hidden deep within the system. In this article, we will guide you through the process of using a bootable USB and Regedit to rid your computer of malware.
Obtain a clean and reliable USB flash drive with sufficient storage capacity (at least 8GB). (Use a USB 3 flash disk if one is available: they are relatively cheap and boot a lot faster.)
Download a reputable bootable USB creation tool from a trusted source. (While there are free tools available, we recommend EaseUS OS2Go, as it not only allows installation of a WinPE version or a full version of Windows but also spares you BIOS/UEFI issues in the Preinstallation Environment.)
Insert the USB drive into your computer and run the bootable USB creation tool. (An exFAT or FAT32 volume is required for UEFI boot. You may need to create a GPT partition if booting from a USB disk larger than 32GB, which is FAT32's size limit. Legacy BIOS boot supports booting from NTFS, but if the infected system's hard disk is configured for Secure Boot, it may be inaccessible to it.)
Power on the computer and immediately access the boot menu. (Usually F1 for Lenovo, F2 for Dell/IBM and F10 for HP; for others you can try F12, Del or Esc, as each vendor has its own shortcut key for the custom boot or UEFI/BIOS menu. You can also check that the USB disk is detected in the BIOS before attempting to boot from it.)
You can either choose custom boot, select the USB drive from the boot menu and press Enter to boot from it, or, in UEFI/BIOS, set the detected USB disk as the primary boot device by pressing + to move it to the top of the boot order.
Click a root key (e.g. HKEY_USERS), click File, click Load Hive and browse to your user profile in c:\users\username, looking for a hidden file named NTUSER.DAT.
Select that file, click Load and give it a name of your choice (e.g. ntuser).
Click the > sign to expand the loaded hive and browse to Software\Microsoft\Windows\CurrentVersion\Run.
Right-click and delete any registry entries that you find suspicious. Take note of the file paths referenced by the entries you delete.
Look for suspicious-looking entries with random names or unfamiliar paths. Malicious programs often use deceptive names to evade detection.
Double-check that the entries you intend to remove are indeed related to the malware. You can Google for more information on the filenames.
Continue searching for traces of malware in other sections of the Registry, such as "RunOnce" and "RunOnceEx". You may want to look through the services inside SYSTEM\CurrentControlSet\Services too.
Unload the hive via File > Unload Hive so that the changes are committed to the file.
Repeat the above steps for each registry file (SYSTEM, SOFTWARE, DEFAULT) inside the c:\Windows\system32\config folder. Remember to make a copy of the files first so that you can restore them if you encounter any issues.
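The regedit steps above can be scripted for the review part: back up the hives, load them under temporary names, list every Run/RunOnce value and service ImagePath, and flag entries whose file is missing or lives in a user-writable folder (Temp, AppData, ProgramData, Downloads). The script below is an added example written for this article; it is not code from the article or from EaseUS. It assumes PowerShell is available in your WinPE, that the infected volume is mounted as D: (WinPE itself runs from X:), that the profile folder is D:\Users\username, and it uses the hypothetical hive names OffSoftware, OffSystem and OffUser. It deletes nothing: deciding what to remove stays a manual regedit step, as the article describes. Two caveats it handles that are easy to miss by hand: an offline SYSTEM hive has no CurrentControlSet link, so the live control set must be read from Select\Current, and REG_EXPAND_SZ values must be read unexpanded, otherwise %SystemRoot% resolves to WinPE's X:\Windows instead of the patient's Windows folder.

```powershell
# Added example (not from the article): audit autostart entries in offline registry hives from WinPE.
# Assumptions: the patient's volume is D:, the script runs as Administrator, hive names below are temporary.
param(
    [string]$OfflineDrive = 'D:',
    [string]$UserName     = 'username',       # profile folder under D:\Users
    [string]$BackupDir    = 'X:\hive-backup'  # X: is the WinPE RAM drive
)
$ErrorActionPreference = 'Stop'
$cfg   = Join-Path $OfflineDrive 'Windows\System32\config'
$hives = @{
    'OffSoftware' = Join-Path $cfg 'SOFTWARE'
    'OffSystem'   = Join-Path $cfg 'SYSTEM'
    'OffUser'     = Join-Path $OfflineDrive "Users\$UserName\NTUSER.DAT"
}

# 1. Back up each hive before touching it (the article's own advice).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($h in $hives.Values) { Copy-Item -LiteralPath $h -Destination $BackupDir -Force }

# 2. Load the hives under temporary names beneath HKLM (same as File > Load Hive in regedit).
foreach ($e in $hives.GetEnumerator()) { reg.exe load "HKLM\$($e.Key)" $e.Value | Out-Null }

# Turn a command line as stored on the patient into a file path on the mounted volume.
function Convert-OfflinePath([string]$raw) {
    $p = $raw.Trim()
    if (-not $p) { return '' }
    if ($p.StartsWith('"')) { $p = $p.Substring(1).Split('"')[0] }                   # "C:\x y\z.exe" args
    elseif ($p -match '(?i)^(.+?\.(exe|dll|sys|cmd|bat|vbs|ps1))\b') { $p = $Matches[1] }  # path args
    $p = $p -replace '(?i)^\\\?\?\\', ''                                       # \??\C:\... service form
    $p = $p -replace '(?i)^(%SystemRoot%|%windir%|\\SystemRoot)', "$OfflineDrive\Windows"
    $p = $p -replace '(?i)^system32\\', "$OfflineDrive\Windows\System32\"       # relative driver paths
    if ($p -notmatch '\\') { $p = Join-Path "$OfflineDrive\Windows\System32" $p }  # bare svchost.exe etc.
    return ($p -replace '(?i)^[a-z]:', $OfflineDrive)                          # C: on the patient is D: here
}

function Get-AutostartEntries {
    $results = @()
    # RunOnceEx stores commands in numbered subkeys; inspect it manually in regedit.
    $runKeys = @(
        'HKLM\OffSoftware\Microsoft\Windows\CurrentVersion\Run',
        'HKLM\OffSoftware\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM\OffSoftware\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM\OffUser\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM\OffUser\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path "Registry::$k")) { continue }
        $item = Get-Item "Registry::$k"
        foreach ($name in $item.GetValueNames()) {
            # DoNotExpandEnvironmentNames: keep %SystemRoot% literal, we expand it against D: ourselves.
            $cmd = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $results += [pscustomobject]@{ Source = $k; Name = $name; Command = [string]$cmd }
        }
    }
    # Offline SYSTEM hives have no CurrentControlSet; Select\Current names the control set that boots.
    $cur     = (Get-ItemProperty 'Registry::HKLM\OffSystem\Select').Current
    $svcRoot = 'HKLM\OffSystem\ControlSet{0:D3}\Services' -f $cur
    foreach ($svc in Get-ChildItem "Registry::$svcRoot") {
        $img = $svc.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        if ($img) { $results += [pscustomobject]@{ Source = $svcRoot; Name = $svc.PSChildName; Command = [string]$img } }
    }
    return $results
}

# 3. Resolve each entry and flag the ones worth a closer look.
$userWritable = '(?i)\\(Temp|AppData\\(Local|Roaming)|ProgramData|Users\\Public|Downloads)\\'
$entries = foreach ($e in Get-AutostartEntries) {
    $file = Convert-OfflinePath $e.Command
    [pscustomobject]@{
        Source       = $e.Source; Name = $e.Name; Command = $e.Command; File = $file
        Missing      = (-not $file) -or (-not (Test-Path -LiteralPath $file -ErrorAction SilentlyContinue))
        UserWritable = ($file -match $userWritable)
    }
}
$entries | Where-Object { $_.Missing -or $_.UserWritable } |
    Format-Table Source, Name, File, Missing, UserWritable -AutoSize
$entries | Export-Csv (Join-Path $BackupDir 'autostart-audit.csv') -NoTypeInformation

# 4. Release handles and unload (File > Unload Hive), otherwise the hive files stay locked and unsaved.
[gc]::Collect(); [gc]::WaitForPendingFinalizers()
foreach ($k in $hives.Keys) { reg.exe unload "HKLM\$k" | Out-Null }
```

Review the flagged rows against the CSV, then remove the entries you have confirmed in regedit exactly as described in the steps above; a missing file is a common leftover of a half-removed infection, and a user-writable path is the typical home of a persistence entry, but neither is proof on its own, so check the file name before deleting.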
Look in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup for Windows 10/11 for traces of any malicious software that is set to run on startup.
Delete temp files for all profiles in C:\Users: C:\Users\username\AppData\Local\Temp, C:\Users\username\AppData\LocalLow\Temp and C:\Windows\temp\. (This is done via File Explorer, or by opening CMD, cd-ing to each folder, going one level up with cd .. and then running rd temp /s /q.)
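The temp clean-up is the step where malware samples are most often lost, so it is worth recording what was there before it is wiped. The PowerShell below is an added example (not the article's own commands) that walks every profile's Local\Temp and LocalLow\Temp plus Windows\Temp on the offline volume, writes the name, size and SHA-256 of anything executable to a CSV, and then clears the folder contents. It assumes the infected volume is mounted as D: in WinPE and that X:\temp-evidence (a name chosen here) is a writable location; unlike rd temp /s /q it keeps the Temp folder itself, so programs expecting it on the next boot still find it.

```powershell
# Added example (not from the article): record, then clear, Temp folders on the offline volume.
# Assumptions: patient volume is D:, X:\temp-evidence is writable WinPE storage.
param(
    [string]$OfflineDrive = 'D:',
    [string]$Evidence     = 'X:\temp-evidence'
)
$ErrorActionPreference = 'Continue'   # a locked or over-long path must not abort the whole sweep
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# Same three locations as the article, but expanded to every profile under D:\Users.
$tempDirs = @(Join-Path $OfflineDrive 'Windows\Temp')
foreach ($profile in Get-ChildItem -LiteralPath (Join-Path $OfflineDrive 'Users') -Directory) {
    $tempDirs += Join-Path $profile.FullName 'AppData\Local\Temp'
    $tempDirs += Join-Path $profile.FullName 'AppData\LocalLow\Temp'
}

$exeLike = '(?i)\.(exe|dll|sys|scr|ps1|vbs|js|bat|cmd|msi)$'
$csv     = Join-Path $Evidence 'temp-executables.csv'
foreach ($dir in ($tempDirs | Where-Object { Test-Path -LiteralPath $_ })) {
    # Preserve name, size and hash of anything executable before it disappears.
    Get-ChildItem -LiteralPath $dir -Recurse -File -Force |
        Where-Object { $_.Name -match $exeLike } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Size   = $_.Length
                Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -LiteralPath $csv -NoTypeInformation -Append
    # Equivalent of the article's rd temp /s /q, but the folder itself is kept.
    Get-ChildItem -LiteralPath $dir -Force | Remove-Item -Recurse -Force
    Write-Host "Cleared $dir"
}
Write-Host "Executable inventory written to $csv"
```

Keep the CSV with the hive backups from the earlier step; the hashes let you look the files up later, and the paths tell you which profile the infection ran under, which is useful when you go back to the Run keys for that user.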