W32 Morto is a very dangerous false anti spyware. It is basically designed to get the money from the innocent users by showing them false facts and figures. W32 Morto enters into your computer system illegally, thus you need to make your computer system very secure. It spreads through the spam email attachments, Trojans and many times it came along with the set of downloaded software. So avoid opening the spam emails and do not download software from the unreliable web sites. Once you suspect the presence of W32 Morto in your system, you should delete it immediately. Removing W32 Morto is a very difficult task and you must be an expert, if you want to do it manually. However, with this article you can remove the malicious program easily.

Remove W32 Morto processes

  1. To rapidly and directly press the keys CTRL + Shift + ESC or ALT+CTRL+DEL at a time to open the Windows task manger.
  2. In the windows task manager you will see that there are many tabs at the top of the windows task manager windows.
  3. Select the tab which is called ‘processes’.
  4. Find the W32 Morto process random.exe under the column ‘image name’.
  5. All the processes are arranged alphabetically so you will find the required process easily.
  6. Right click on the required process and select the option Delete among other available choices.

Remove W32 Morto registry key values

  1. Click on Start then go the option Run.
  2. Write regedit and click Ok to open the registry editor.
  3. The registry editor is divided in two sections you will need to go in the left pane of the registry editor.
  4. From the file menu click on the option edit.
  5. Now click on Find write down the below mentioned W32 Morto registry key values and press enter.
  6. Right click on the registry values and Press Delete from the keyboard.

The W32 Morto registry key values are:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\”DontshowUI” = “1”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wmicucltsvc\”(Default)” = “Service”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows\”NoPopUpsOnBoot” = “1”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\360rp\”Start” = “4”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\a2AntiMalware\”Start” = “4”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AntiVirService\”Start” = “4”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AVGwd\”Start” = “4”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ekrn\”Start” = “4”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\F-Secure Gatekeeper Handler Starter\”Start” = “4”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FSMA\”Start” = “4”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FSORSPClient\”Start” = “4”H

KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kxesapp\”Start” = “4”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kxescore\”Start” = “4”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MsMpSvc\”Start” = “4”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\V3 Service\”Start” = “4”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wmicucltsvc\”Description” = “Stores security information for local user accounts.”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wmicucltsvc\”DisplayName” = “Remote Access Connection Service”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wmicucltsvc\”ErrorControl” = “0”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wmicucltsvc\”ImagePath” = “%System%\wmicuclt.exe”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wmicucltsvc\”ObjectName” = “Local System”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wmicucltsvc\”Start” = “2”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wmicucltsvc\”Type” = “20”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wmicucltsvc\”WOW64″ = “2”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wmicucltsvc\Security\”Security” = “[WORM BODY IN HEXADECIMAL CHARACTERS]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\zhudongfangyu\”Start” = “4”




HKEY_CURRENT_USER\Software\Microsoft\Windows NT\Current

Version\AppCompatFlags\Layers\”[drive letter]:\\windows\\system32\\rundll32.exe” =


HKEY_CURRENT_USER\Software\Microsoft\Windows NT\Current

Version\AppCompatFlags\Layers\”[drive letter]:\\winnt\\system32\\rundll32.exe” = “RUNASADMIN”

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\Current Version\AppCompatFlags\Layers\”[drive letter]:\\win2008\\system32\\rundll32.exe” =


HKEY_CURRENT_USER\Software\Microsoft\Windows NT\Current

Version\AppCompatFlags\Layers\”[drive letter]:\\win2k8\\system32\\rundll32.exe” = “RUNASADMIN”

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\Current

Version\AppCompatFlags\Layers\”[drive letter]:\\win7\\system32\\rundll32.exe” = “RUNASADMIN”

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\Current

Version\AppCompatFlags\Layers\”[drive letter]:\\windows7\\system32\\rundll32.exe” =


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows\”NoPopUpsOnBoot” = “1?


Manager\”PendingFileRenameOperations” = “multi:”\00?”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\6to4\”@” =



Version\Policies\System\”ConsentPromptBehaviorAdmin” = “0?


Version\Policies\System\”EnableLUA” = “0?

Remove W32 Morto other files

  1. Go to start and select Run.
  2. Type cmd in the given empty space and press enter to open the command prompt.
  3. If you do not know the complete path of the following files use the command ‘dir’.
  4. Now type the complete path of the file and press enter.
  5. When you found out the file type “regsvr32 /u SampleName.exe” and replace SampleName.exe with the following W32 Morto file names:





How to remove W32 Morto?
Tagged on:             

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>