Here you go
http://wiki.answers.com/Q/How_do_you...virus_manually
Answer
Manual removal steps: Disconnect your computer from the network and disable file sharings, if any.
Disable System Restore (for Windows XP/Windows Me only).
For Windows XP:
Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Select "Turn off System Restore" or "Turn off System Restore on all drives" check box. Start your machine in Safe mode.
How to start a computer in safe mode, pls refer to:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam
Update your Anti-virus software with the latest signature files and scan your computer withthe Anti-virus to detect the worm and delete any files detected as the worm by clicking the DELETE button.
Delete the value from the registry.
You need to back up the registry before making any changes to it. In correct changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only.
How to make a backup of the Windows registry, pls refer at:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam
Click Start > Run. Type regedit Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. You can used a tool to resolve this problem.
Download this tool. Once downloaded, �right-click� the UnHookExec.inf file and click install. Then continue with the removal steps.
http://securityresponse.symantec.com...stry.keys.html
Other alternative way to enable registry, please refer to:
http://www.patheticcockroach.com/mpam4/index.php?p=28
Navigate to the subkey that was detected by the anti-virus and delete the value.
Exit the Registry Editor.
If you are still unable to open your registry, you may try the following steps.
Boot up the infected computer, but do not login to the server, leave it at the login prompt.
Start up another clean computer, worm-free computer which has an updated anti-virus software running and an active firewall running preventing all inbound connections.
From the clean computer, start REGEDIT.EXE and click on File -> File -> Connect Network Registry. Connect to the infected computer.
Modify the following values in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\NT\C urrentVersion\Winlogon to the following values:
"Userinit" = "C:\WINNT\system32\userinit.exe," "Shell" = "Explorer.exe"
(make sure that you enter the correct path to where Windows is installed. For example on NT4.0 it is WINNT)
After completing the above steps, reboot the infected computer.
Using the clean computer, map the C$ share and scan it using the up to date anti-virus to remove any infected files on the infected computer. Then, you should be able to boot to the computer and then follow Steps 6 - Steps 11.
Run a full system scan using an updated version of Anti-virus software and delete any files detected as worm.
Download and run a process management tool or process viewer to kill all worm processes running on the infected machine. The process management tool or the process viewer is available according to the machine's platform and can be downloaded free from the Internet. For example users can download and use the following process viewer:
http://www.sysinternals.com/Utilitie...sExplorer.html
Delete the scheduled tasks added by the worm. Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.) In the Control Panel window, double click Scheduled Tasks. Right click the task icon and select Properties from pop-up menu. The properties of the task is displayed. Delete the task if the contents of the Run text box in the task pane matches the worm.
Enable the System Restore (for Windows XP/Windows Me only).
Re-scan your computer with an updated version of Anti-virus to confirm the computer is clean.
Re-connect your computer to the network once confirmed clean.
