W32.Silly Removal

  1. Discover the worm. Look for suspicious services in Task Manager and locate their executables. Useful tools: Process Explorer from sysinternals.com, or the command-line tasklist.exe
  2. Location: c:\windows\system\svchost.exe and c:\windows\system\_sv_scv_\_U_.exe (backup)
  3. Remove the start entry from the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  4. Safe boot
  5. Remove with: del /a:h /f svchost.exe (attribute:hidden force)
  6. Alternative solution: schedule the file for deletion on next reboot with MoveFileEx (Didn't work for me). Dr Delete is available to do the trick here
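
A read-only check for the artifacts named in steps 1 to 3, usable before cleanup and again afterwards to confirm nothing came back. This is an added example, not part of the original note; it assumes PowerShell 3.0 or later in an elevated prompt and that c:\windows is %SystemRoot%.

```powershell
# Added example (not from the original page). Read-only: it changes nothing.
# The genuine svchost.exe lives in %SystemRoot%\System32; the copy described
# above sits in %SystemRoot%\System, so that directory is what we match on.
$wormDir   = (Join-Path $env:SystemRoot 'System') + '\'
$wormFiles = @(
    (Join-Path $env:SystemRoot 'System\svchost.exe'),
    (Join-Path $env:SystemRoot 'System\_sv_scv_\_U_.exe')
)
$ci = [StringComparison]::OrdinalIgnoreCase

# Step 1: svchost.exe processes whose image is under %SystemRoot%\System\.
# ExecutablePath is empty for processes the current user may not inspect.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath.StartsWith($wormDir, $ci) } |
    Select-Object ProcessId, ExecutablePath

# Step 2: the two files. -Force is required because they are hidden.
foreach ($f in $wormFiles) {
    $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    if ($item) { 'found: {0}  [{1}]' -f $item.FullName, $item.Attributes }
    else       { "not found: $f" }
}

# Step 3: Winlogon values whose data points into %SystemRoot%\System\.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -LiteralPath $key
foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
    if ("$($p.Value)".IndexOf($wormDir, $ci) -ge 0) {
        'Winlogon value: {0} = {1}' -f $p.Name, $p.Value
    }
}
```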