Viruses are a nuisance, but usually a quick scan with an anti-virus program takes care of them quickly and efficiently. Newer rogue infections, however, hide themselves from even the best online scanners, leaving manual deletion of the file as the only way to get rid of them.
A rogue infection is a special type of virus that displays itself on the computer screen posing as an anti-virus program, a fake registry cleaner, or a hard drive optimization program. These programs tell you that your computer has errors and that they can fix them if you buy the program. They use scare tactics, saying that your computer is in critical or poor condition, that errors were found, or that there is a hard drive boot sector error, to lure unsuspecting users into buying their software. These rogues take control of the computer, disable the installed anti-virus and Task Manager, and can even break the .exe file association so that no program can be run at all. This guide gives some tips on manually removing these infections and what to do afterward.
The first thing to do when a rogue pops up on the screen is to shut the computer down. Write down the name it displays, if it has one. Once the computer is off, bring it back up in Safe Mode with Networking: turn it on and immediately press F8 repeatedly until the Advanced Boot Options menu appears. Use the arrow keys to highlight Safe Mode with Networking and press Enter. Log in to Windows as normal and wait for everything to load. Most of the time the rogue will not run in Safe Mode. If it still appears in Safe Mode, the best options are to create a new user account from Control Panel, to use a program designed to find the rogue's process and stop it temporarily, or to use System Restore to return the computer to an earlier time, if possible. Sometimes the rogue disables System Restore.
Once Safe Mode with Networking has finished loading, look through the Desktop icons and the Start Menu for the name you wrote down. If the rogue created an icon or Start Menu item for itself, right click it and choose Properties. In Windows Vista or Windows 7 the Shortcut tab has a Target field; this is the path of the infection. Most of the time the file name is a random mix of letters and numbers ending in .exe. Clicking Open File Location opens the exact folder the file is in, with the file already highlighted. In that folder, right click the file and choose Delete. If other suspicious files with equally recent dates sit next to it, usually again with random letters and numbers for names, delete those as well.
If the rogue did not make an icon for itself, which is fairly rare for modern rogue infections, look in the folders they most commonly hide in. Go to Start, click Computer (My Computer on XP), and open the drive your files are on, usually C:. Press Alt to bring up the menu bar (File, Edit, View, etc.), click Tools, then Folder Options. On the View tab, under Advanced settings, scroll down to Hidden files and folders, select Show hidden files, folders, and drives, and click OK. This reveals the hidden folders that rogues like to hide in. In Windows Vista and Windows 7 there are three main folders where most rogue infections are found: %APPDATA% (AppData\Roaming), AppData\Local, and C:\ProgramData\.
For Windows XP: C:\Documents and Settings\Username\Local Settings\AppData
Make sure to check the AppData Local and Roaming folders for every user account on the computer, including All Users. One rogue circulating right now is named Protector-.exe. Another uses 33 random letters and numbers, so it is nearly impossible to predict exactly what they will be called. The main things to know are that they live mainly in AppData or ProgramData and that the dates on these files are usually very recent.
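The folder sweep described above can be done in one pass instead of by hand. The following PowerShell script is an added example and is not part of the original article: it lists recently created .exe files under AppData Roaming and Local for every profile, under ProgramData, and under the Windows XP equivalents, and flags names that look like random letters and numbers. The seven-day window, the random-name heuristic and the use of Authenticode status as a hint are assumptions of the example, not rules from the article. It deletes nothing; review the output before removing anything.

```powershell
# Added example, not from the original article: list recently created .exe
# files in the folders the article names and flag random-looking names.
# Run from an elevated PowerShell prompt, ideally in Safe Mode with Networking.

param(
    [int]$Days = 7   # assumption: "very recent" means created within the last week
)

$cutoff = (Get-Date).AddDays(-$Days)
$profileRoot = Split-Path $env:USERPROFILE -Parent   # C:\Users on Vista/7, C:\Documents and Settings on XP

# Build the list of folders to sweep. Hidden profiles (e.g. the All Users junction
# on Vista/7) are not listed without -Force, which is fine because ProgramData is
# added explicitly below; on XP, All Users is a real folder and is included.
$roots = @()
foreach ($profile in Get-ChildItem -Path $profileRoot -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }) {
    $roots += Join-Path $profile.FullName 'AppData\Roaming'                    # %APPDATA%
    $roots += Join-Path $profile.FullName 'AppData\Local'                      # %LOCALAPPDATA%
    $roots += Join-Path $profile.FullName 'Application Data'                   # XP roaming layout
    $roots += Join-Path $profile.FullName 'Local Settings\Application Data'    # XP local layout
}
if ($env:ProgramData) { $roots += $env:ProgramData }                          # Vista/7 only
$roots = $roots | Where-Object { Test-Path $_ } | Select-Object -Unique

function Test-RandomName {
    param([string]$Name)
    # Heuristic (an assumption of this example): a base name of eight or more
    # characters made only of letters and digits, containing both, e.g. "k3x9qv2mlp".
    $base = [IO.Path]::GetFileNameWithoutExtension($Name)
    return ($base.Length -ge 8 -and $base -match '^[A-Za-z0-9]+$' -and
            $base -match '[0-9]' -and $base -match '[A-Za-z]')
}

$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            New-Object PSObject -Property @{
                Path       = $_.FullName
                Created    = $_.CreationTime
                SizeKB     = [math]::Round($_.Length / 1KB)
                RandomName = Test-RandomName $_.Name
                # Unsigned is not proof of malice, but rogue .exes rarely carry a valid signature.
                Signed     = ($sig.Status -eq 'Valid')
            }
        }
}

# Random-looking, unsigned, recent files sort to the top for review.
$hits |
    Sort-Object -Property @{Expression = 'RandomName'; Descending = $true },
                          @{Expression = 'Signed';     Descending = $false },
                          @{Expression = 'Created';    Descending = $true } |
    Format-Table Created, RandomName, Signed, SizeKB, Path -AutoSize
```

Save it as, for example, sweep.ps1 and run it with `powershell -ExecutionPolicy Bypass -File .\sweep.ps1 -Days 14` to widen the window. A file that is recent, unsigned and random-named is a candidate, not a verdict; check its properties the way the article describes before deleting it.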
Once the main .exe file is removed, you should be able to run your normal anti-virus program to clean up any registry changes and minor infections that linger. If the rogue came with a rootkit, a dedicated rootkit scanner is needed as well, or the machine will be reinfected. Create a System Restore point once the infection is removed. If something goes wrong, System Restore or even reinstalling Windows is always an option. Viruses do not mess around, but remember: if your anti-virus doesn't remove it, you can always remove it manually.
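Before calling the machine clean, it is worth verifying the settings the article says rogues tamper with (Task Manager, System Restore, the .exe file association) and checking for a second copy set to start at login, then creating the restore point. The PowerShell script below is an added example, not part of the original article. The registry locations it reads are the standard Windows ones for these settings; the choice to only report rather than repair, and the AppData/ProgramData pattern used to flag Run entries, are this example's assumptions.

```powershell
# Added example, not from the original article: post-removal checks for the
# tampering rogue infections commonly perform, plus a restore point.
# Read-only apart from the restore point; it reports what to fix. Run as administrator.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = @()

# 1. Task Manager policy (1 = disabled). Rogues set this so you cannot end their process.
foreach ($hive in 'HKCU', 'HKLM') {
    $v = Get-RegValue "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System" 'DisableTaskMgr'
    if ($v -eq 1) { $findings += "Task Manager is disabled by policy in $hive" }
}

# 2. System Restore policy (1 = disabled). The article notes rogues sometimes turn it off.
$v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' 'DisableSR'
if ($v -eq 1) { $findings += 'System Restore is disabled by policy (HKLM DisableSR)' }

# 3. The .exe file association. Expected defaults: .exe -> exefile and
#    exefile\shell\open\command -> "%1" %*. Anything else routes every program
#    launch through another executable, which is how a rogue blocks other tools.
if (-not (Test-Path 'HKCR:')) { New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null }
$assoc = Get-RegValue 'HKCR:\.exe' '(default)'
$cmd   = Get-RegValue 'HKCR:\exefile\shell\open\command' '(default)'
if ($assoc -ne 'exefile') { $findings += "HKCR\.exe default is '$assoc' (expected 'exefile')" }
if ($cmd -ne '"%1" %*')   { $findings += "exefile open command is '$cmd' (expected '""%1"" %*')" }

# 4. Autostart entries pointing into AppData/ProgramData: a second copy of the rogue
#    would live there and relaunch at login.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            if ($p.Value -match 'AppData|ProgramData|Application Data') {
                $findings += "Run entry '$($p.Name)' in $key starts $($p.Value)"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No tampering found in the checked settings.'
} else {
    Write-Output 'Review these before declaring the machine clean:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}

# 5. Restore point, as the article recommends (the cmdlet exists on Vista/7, not XP).
if (Get-Command Checkpoint-Computer -ErrorAction SilentlyContinue) {
    Checkpoint-Computer -Description 'After manual rogue removal' -RestorePointType MODIFY_SETTINGS
}
```

If the .exe association check reports something other than exefile and "%1" %*, fix it before running your anti-virus, since the scanner itself is an .exe and will otherwise be launched through whatever the rogue substituted.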