
Windows XP Security: Manually Remove Viruses from Your PC

If you see a lot of popups or an advertisement for fake antispyware, you have malware on your PC. Here’s how to manually stop the virus from running and then remove it. The majority of viruses on Windows XP are easy to find — and they’re more conspicuous than you would think.

Start in the registry. Most viruses launch when you log into Windows — they typically call an executable from the registry. In fact, that call will tell you exactly where the virus resides.

Click Start. Click Run and type: regedit.exe

Click OK.


Registry Editor opens. Expand HKEY_CURRENT_USER.


Then, expand the Software tree.


Next, expand Microsoft.


Now expand Windows.


Then expand CurrentVersion.


Click on the Run folder. Here you’ll find some of the programs that launch at startup. A rule of thumb: a virus entry is a randomly generated string that makes no sense, whereas software writers usually give their files names that describe what they do. In this example, taken from a real virus I uprooted, the entry is VpKspPwxlCbXa. This is likely a virus.

The real giveaway that this is a virus is the location of the application the entry calls: it’s in the Application Data folder. It launches every time you log in, so no matter how many times you reboot, it comes right back.

Write down where the virus resides. In this case, it’s in the All Users Application Data folder. Then simply right-click the registry value and delete it. Note that you haven’t actually deleted the virus yet; you’ve only deleted the call that launches it, which is the bare minimum. A virus is just a program, after all, so if it never launches, it does no harm. But delete the file from the file system anyway.

Now, it’s time to go to the Application Data Folder. There is more than one — follow the path exactly as you wrote it down.


Now right-click My Computer. Select Explore.


Expand Documents and Settings.


Expand All Users.


Click on Application Data.


Try to delete the virus — just right-click it and choose Delete. It’s unlikely you can, because it’s running in memory. Rename it instead: change that .exe to anything else.


After you rename it, reboot the PC and return to the same location.

Because you’ve deleted the call from the registry, the virus is no longer running in memory, so now you can delete the file. Do it!
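The two giveaways the article relies on (an entry name that looks like random characters, and a program launched from an Application Data folder) can be applied automatically to an export of the Run key. The script below is an added example, not code from the article or from groovyPost: it parses the text of a `reg export` of a Run key (the sample export embedded here is constructed, with the article’s VpKspPwxlCbXa name reused as the suspicious entry next to the standard XP ctfmon.exe entry), pulls the executable path out of each value, and reports which entries trip either heuristic. The folder list and the "looks random" thresholds (fewer than 15% vowels, or six or more upper/lower case flips) are my own assumptions, and because it reads whatever keys the export contains, it works just as well on an export of the HKEY_LOCAL_MACHINE Run key as on the HKEY_CURRENT_USER one the article walks through.

```python
"""Triage Windows Run-key entries using the article's two giveaways.

Added example (not the article's code). Input is the text of a .reg export,
e.g. from:  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
"""
import re
from typing import Dict, List, Tuple

# Constructed .reg export for demonstration; regedit doubles backslashes and
# escapes embedded quotes exactly like this. One benign XP entry, one in the
# style the article describes (random name, launched from All Users\Application Data).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"VpKspPwxlCbXa"="\"C:\\Documents and Settings\\All Users\\Application Data\\VpKspPwxlCbXa.exe\""
"""

# Folders the article treats as a giveaway for a startup entry (assumption: list is mine).
SUSPICIOUS_FOLDERS = ("\\application data\\",)

# "name"="data" lines; both sides may contain backslash-escaped characters.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every string value in the export."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                     # new key section
        elif key and (m := _VALUE_RE.match(line)):
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def executable_path(data: str) -> str:
    """Pull the program path out of Run-key data, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted command line: assume the program ends at the first ".exe".
    m = re.search(r'^(.*?\.exe)', data, re.IGNORECASE)
    return m.group(1) if m else data


def looks_random(name: str) -> bool:
    """The article's rule of thumb: a name that is a meaningless string.

    Flags names with very few vowels or many case flips; ordinary CamelCase
    product names have enough vowels and few flips, so they pass (heuristic only).
    """
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return vowels / len(letters) < 0.15 or flips >= 6


def triage(text: str) -> List[Dict[str, object]]:
    """Return the Run-key entries that trip at least one giveaway, with reasons."""
    flagged = []
    for key, name, data in parse_reg_export(text):
        path = executable_path(data)
        reasons = []
        if any(folder in path.lower() for folder in SUSPICIOUS_FOLDERS):
            reasons.append("program lives in an Application Data folder")
        if looks_random(name):
            reasons.append("value name looks randomly generated")
        if reasons:
            flagged.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_REG_EXPORT):
        print(f"{hit['name']} -> {hit['path']}")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

On a real XP machine, `reg export` writes the .reg file as UTF-16, so read it with `open("run.reg", encoding="utf-16")` before passing the text to `triage()`. A hit is a lead to check by hand, exactly as in the article; a legitimate program installed under Application Data, or a product with an unusual name, will also show up.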


This set of steps comes in really handy when you have a virus or malware that your antivirus software doesn’t catch. Remember to always keep your PC and antivirus software up-to-date.

17 Comments


  1. johnl

    October 29, 2011 at 11:54 am

    Great information. I have never seen it laid out like this. Fortunately I do not have a virus to test it on but it is easy enough to remember. As I don’t tend to get these viruses I normally end up getting calls from those that have and every time I recommend them putting Malwarebytes Free Edition, it is certainly worth paying for, updating it and running it following its suggestions and it has worked every time.
    A little tip that may help. When you are surfing and you suddenly get a warning screen, about a virus on your computer, that is in the middle of the screen then it is highly likely to be a virus. Your antivirus software usually pops up in the bottom right corner if it finds something so if it is in the middle DO NOT click on it. Shut your browser, use the Task Manager if necessary, but do not click on it at all even to shut it as that sets some of them off. I have usually found that when I restart the browser the problem has gone. Hope it helps.

  2. Pete Hepple

    October 29, 2011 at 2:55 pm

    Thanks for this. Very clear. Will try it.

  3. Rich

    October 31, 2011 at 11:08 am

    If a virus is running in memory these steps will not work. When you delete the registry key or try to rename the file, the running virus may thwart your attempts. For example the virus could recreate the key or the file will be in use. Reboot in safe mode and perform these steps to work around the issue on the more simple viruses. You may need to remove your hard drive and use another computer via a USB adapter or internal connection. If the author is advanced enough you may still have trouble with these methods.

    • Dino Londis

      November 2, 2011 at 6:22 am

      Rich, I have found that when you cannot delete a virus file, you can often rename it. Then when you reboot it can be deleted because it isn’t running in memory.

  4. BPM

    October 31, 2011 at 7:24 pm

    I have had good luck with HitMan Pro. It’s cloud based AV. Pretty neat, and you can run it along side your regular AV.

    • Steve Krause

      October 31, 2011 at 9:07 pm

      Never actually tried Hitman Pro. Is that a free service?

  5. Dilan Gilluly

    November 9, 2011 at 7:50 am

    I use this method a lot, but sometimes it doesn’t work when the virus blocks or removes regedit.exe and regedt32.exe.

    • Dino Londis

      November 10, 2011 at 6:30 am

      Dilan, If you’re on a network, even a home network, you can run regedit from another PC and connect to the infected PC. That’ll get you in every time.

      • Dilan Gilluly

        March 6, 2012 at 12:30 pm

        I never played around with remote regedit, if the virus blocks regedit, I have a copy of it named as “explorer.exe” on my flash drive. It usually works for me.

  6. Bruce Conley

    March 6, 2012 at 8:22 am

    Dino,

    There is a faster and more safe way to do this. Download from Microsoft Autoruns. It shows in the logon tab the startup nasties and you can double click the entry to take you to the registry entry.

    FYI, Bruce

  7. jas

    April 28, 2012 at 6:07 pm

    A better article would be showing how to boot up with a live Linux CD/DVD, backing up files to DVD or a removable drive, then reinstalling an OS with antivirus software so this does not happen again.

    Pruning the registry doesn’t always cut it.

  8. ChicagoMom

    August 7, 2012 at 8:26 am

    For those of us that are not as smart as some of the others on this comment list, I for one appreciate the information and found it very easy to follow.
    Thank you for taking the time to post it.

    • Austin Krause

      August 7, 2012 at 9:13 am

      Thanks ChicagoMom, welcome to groovypost!

  9. rohit mishra

    March 12, 2013 at 12:05 am

    Thank you!! Very helpful for beginners like me.

  10. Tom

    May 3, 2013 at 5:48 pm

    Great info, but this virus takes over my screen right after startup and I cannot use any of your steps. I need to be able to stop it from running, but I am not fast enough to do anything before it starts.

    • Brian Burgess

      May 3, 2013 at 9:11 pm

      Hi Tom. For stubborn viruses like that, check out our article on using the Windows Defender Offline tool.

      You boot to a disc or flash drive, then it will scan your system and get rid of the malware — hopefully. I would definitely give this a try.

      https://www.groovypost.com/howto/remove-viruses-malicious-code-windows-defender-offline-security/

    • Dilan Gilluly

      May 3, 2013 at 9:19 pm

      What you’re going to have to do is boot from a virus scanner CD such as AVG. Make sure you run the definition update before proceeding. A typical scan usually takes 2-3 hours.
