How to Delete Files or Terminate Process When You Can’t

When a virus or malware is active on the computer, meaning that it is running in the background, it can do a lot of damage. It can stop antivirus or antispyware software from working, place restrictions on the computer such as disabling Task Manager, send keylogs to the attacker, and so on. Since a virus needs to be active and running in the background all the time, it must use some method to run itself automatically whenever Windows boots. Locating the auto-startup entry is not difficult using Sysinternals Autoruns, but virus makers have made it possible to re-add the startup entry automatically whenever it is deleted.

That means you first have to locate the virus process and terminate it, and only then remove the startup entry. A virus disabling Windows Task Manager to prevent itself from being killed is no longer effective, since we can always use a third-party task manager such as Process Explorer, AnVir Task Manager, etc. to find the virus and terminate it. Some virus programmers have gotten smarter by protecting the process, either through injection (firewall bypass) or with a piece of code that causes a blue screen of death if you ever try to terminate the process in Windows.

Here is a screenshot of a bot creator that has a “Protect Process” option.

How to terminate a process that cannot be killed

If I try to end the process in Windows Task Manager, I get a warning saying “Ending this process will shut down the operating system immediately. You will lose all unsaved data. Are you sure you want to continue?” Ticking the Abandon unsaved data and shut down checkbox and then clicking the Shut down button causes a blue screen with a crash dump, and Windows restarts automatically. To be honest, even some antivirus products are unable to clean this virus because they keep trying to terminate the process, which ends up crashing Windows. If you encounter a similar case, it doesn’t mean you have to reformat your computer and waste hours reinstalling Windows and all your applications.

First you need to know where the file is. Task Manager in Windows 7 is already capable of showing that. Right-click on the taskbar and select Start Task Manager. Locate the process that you cannot kill, right-click on it and select Properties. Take note of the Location shown in the Properties window. If Windows Task Manager has been disabled, use Process Explorer instead.

Task Manager Process Properties

Now download BlitzBlank and run it. On the Designer tab, click once in the Type column and select File. Then click once on < File path >, which reveals the … button. Click the … button and locate the executable file. Make sure the action is Delete; you can change it to Move if you want. If you wish to back up the file, tick the Backup checkbox. Finally, click the Execute Now button, which prompts you to save all your work and close all running applications to avoid data loss, followed by a reboot. Before Windows is even loaded, BlitzBlank deletes the file specified earlier by working at a very low level.

BlitzBlank delete files on boot

There are other free tools that can do the same thing as BlitzBlank, such as Unlocker and EMCO MoveOnBoot. I prefer BlitzBlank because it is portable and small. EMCO MoveOnBoot requires installation and is 24.1MB in size. Unlocker also requires installation, although there are unofficial portable versions.
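The two steps above (read the image path of the protected process without touching it, then have the file removed before Windows starts) can also be scripted. The following is an added example, not code from the article or from any of the tools it names; it uses the documented Windows API MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request under PendingFileRenameOperations so the Session Manager deletes the file early in the next boot. It assumes an elevated PowerShell prompt and a placeholder process name.

```powershell
# Added example (not from the article or from BlitzBlank/MoveOnBoot/Unlocker).
# Locate a running process's executable and schedule it for deletion at the
# next boot, before any startup entry can relaunch it. Run elevated.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName,   # placeholder, e.g. "suspect" for suspect.exe
    [switch]$Backup         # copy the sample aside first (for later analysis)
)

# P/Invoke for kernel32!MoveFileExW; a NULL destination means "delete".
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName,
                                     string lpNewFileName, uint dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

# Step 1: read the image path (same information as Task Manager -> Properties
# -> Location) without opening a handle for termination.
$procs = Get-CimInstance Win32_Process -Filter "Name = '$ProcessName.exe'"
if (-not $procs) { throw "No running process named $ProcessName.exe" }

foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) { Write-Warning "PID $($p.ProcessId): path not readable"; continue }
    Write-Host "PID $($p.ProcessId) -> $path"

    if ($Backup) {
        # Keep a copy so the sample can be submitted to an AV vendor afterwards.
        $dest = Join-Path $env:SystemDrive 'quarantine'
        New-Item -ItemType Directory -Force -Path $dest | Out-Null
        Copy-Item -LiteralPath $path -Destination $dest -ErrorAction Stop
    }

    # Step 2: defer the delete to the next boot instead of killing the process.
    $ok = [Win32.Native]::MoveFileEx($path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for $path (Win32 error $err)"
    }
}

# Show what is now queued; the Session Manager processes this list before
# any user-mode startup entries run.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
(Get-ItemProperty $sm).PendingFileRenameOperations
Write-Host 'Save your work, then reboot (Restart-Computer) to complete the removal.'
```

Afterwards, re-check Autoruns for the startup entry: it no longer has a file to launch and can be removed without being re-added.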

Another manual method of deleting a file that cannot be deleted or terminated, without using any third-party tool, is via the Command Prompt in Windows System Recovery. Restart your computer and start tapping the F8 key. When you see the Advanced Boot Options menu, select Repair Your Computer and press Enter. Select a keyboard layout (US by default) and click Next. When you see the System Recovery Options, select Command Prompt. The default current directory should be X:\windows\system32. Try changing the drive letter until you find the one that corresponds to your C: drive in Windows. For example, the drive that is C: when I am in Windows ended up as D: in the System Recovery command prompt. Now all I need to do is use the cd command to navigate to the file that I want to delete, and then use the del command to delete it. To move it, use the move command.