You discovered that your Windows computer has been compromised by a virus or malware. You tried to get rid of it with your antivirus scanner, but to no avail. You know it’s still there because random messages still pop up, files are missing or have been replaced with suspicious-looking ones, and the computer sporadically freezes or shuts down. When a virus is smart enough to hide its tracks from your security software, it’s time to step in and do the removal manually.

To clean a persistent virus or malware infection, you must reboot your computer into Safe Mode. Make hidden files visible by opening Folder Options in the Control Panel and enabling the Show hidden files, folders and drives option. Then search your computer for infected files and delete them.

But what files should you look for? And where exactly on the computer should you look? Different kinds of viruses behave differently, which means they may reside in different places on the computer. Good starting places to check are the following:

  • %APPDATA%
  • C:\ProgramData\
  • C:\Users\Username\AppData\Local
  • C:\Users\Username\AppData\Roaming

If you tried scanning with antivirus, it may have reported the name of the virus. In many cases, you can discover its location by going to the Task Manager. See if there are any processes or applications with suspicious names. Viruses may also appear in the list of startup programs. For advanced users, try searching for clues in the Windows Registry. Check the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
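
The registry check above can be done in one pass. This is an added example, not part of the original article: a read-only PowerShell listing of the Run keys listed above that marks entries whose command points into %APPDATA%, AppData\Local or C:\ProgramData. The variable names and the `InWatchedDir` column are illustrative assumptions.

```powershell
# Added example: read-only listing of the autostart keys named above.
# Nothing is deleted or modified; review the marked entries by hand.
$base     = 'Software\Microsoft\Windows\CurrentVersion'
$suffixes = 'Run', 'RunOnce', 'RunOnceEx', 'RunServices', 'RunServicesOnce',
            'Policies\Explorer\Run'

# Build the key list exactly as given in the article
# (RunOnceEx is listed for HKEY_LOCAL_MACHINE only).
$keys = foreach ($s in $suffixes) {
    "HKLM:\$base\$s"
    if ($s -ne 'RunOnceEx') { "HKCU:\$base\$s" }
}

# The folders the article suggests checking, resolved for the current user.
$watchDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData) |
    Where-Object { $_ }

$results = foreach ($path in $keys) {
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }   # key does not exist on this system

    foreach ($name in $key.GetValueNames()) {
        # Expand %VAR% references so the comparison sees the real path.
        $command = [Environment]::ExpandEnvironmentVariables(
            [string]$key.GetValue($name))

        # Case-insensitive check: does the command reference a watched folder?
        $hit = $watchDirs | Where-Object {
            $command.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
        } | Select-Object -First 1

        [pscustomobject]@{
            InWatchedDir = [bool]$hit
            Key          = $path
            Name         = $name
            Command      = $command
        }
    }
}

# Entries pointing into the watched folders are shown first.
$results | Sort-Object InWatchedDir -Descending | Format-Table -AutoSize -Wrap
```

Run it as the affected user, because HKEY_CURRENT_USER and %APPDATA% are per-user. Legitimate programs also start from these folders, so a marked entry is something to look up, not proof of infection.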

If you still can’t identify the virus through the suggestions above, try searching online for the symptoms that your computer is experiencing. Note down any error or pop-up messages that you think may have been caused by the virus and look them up online.