A malware infection can exhibit a number of symptoms, or none at all. In fact, the most insidious threats (password stealers and data-stealing Trojans) rarely show telltale signs of infection. In other cases, such as scareware, you may experience system slowdown or an inability to access certain utilities, such as Task Manager.
Depending on your level of experience, there are several options you can try. Below is a list of options starting with the easiest and ending with the most advanced.
Try your antivirus software first
If your Windows computer is infected with malware, your first step should be to update your antivirus software (engine and signatures) and run a full system scan. Close all programs before running the scan. A full scan can take several hours, so perform it when you don’t need the computer for a while. (If the computer is already infected, you shouldn’t be using it for anything sensitive anyway.)
If malware is found, the antivirus scanner typically does one of three things: clean, quarantine, or delete. If the malware is removed but you then get system errors or a blue screen of death, the malware may have patched or replaced protected system files that were removed along with it; System File Checker (sfc /scannow from an elevated command prompt) can restore them.
Boot into Safe Mode
Safe Mode loads only a minimal set of drivers and services and prevents most applications from starting, which lets you work on the system in a more controlled environment. Not all antivirus software runs in Safe Mode, but try booting into Safe Mode and running a scan from there. If Safe Mode won’t start or your antivirus doesn’t run in it, try booting normally but holding down the Shift key while Windows loads your desktop. This makes Explorer skip its startup items (including malware started that way); it does nothing against services, drivers or other persistence that runs before the shell, so treat it as a partial measure.
If the startup apps (or the malware) keep loading anyway, the malware may have set the Explorer policy that disables the Shift override (the IgnoreShiftOveride value, with the spelling Windows uses, under the Explorer Policies key). To undo that, see How to disable ShiftOveride.
Attempt to manually locate and remove the malware
Much of today’s malware can disable antivirus software and thus prevent it from removing the infection. In that case, you can try to manually remove the virus from your system. However, attempting to manually remove a virus requires a certain level of skill and knowledge of Windows. At a minimum, you’ll need to know how to:
- Use the system registry
- Navigate using environment variables
- Browse folders and locate files
- Locate AutoStart entry points
- Get a hash (MD5, SHA-1 or SHA-256) of a file
- Access Windows Task Manager
- Boot into Safe Mode
You’ll also need to make sure that file extension display is enabled. Windows hides extensions for known file types by default, so a file named report.doc.exe shows up as report.doc with a document icon, which is exactly what malware relies on; enabling extensions is an extremely important step. You’ll also need to make sure Autorun is turned off.
You can also try to close malware processes using Task Manager: right-click the process you want to stop and choose “End Process”. If you can’t identify the malicious process in Task Manager, inspect the common AutoStart entry points (the Run and RunOnce registry keys, the Startup folders, services, scheduled tasks, and the Winlogon and shell-extension entries) to find the location the malware loads from. Keep in mind that much of today’s malware is rootkit-enabled and hides its processes, files and registry keys from normal tools.
If you still can’t find the malware through Task Manager or the AutoStart entry points, run a rootkit scanner to identify the hidden files and processes. Malware also often blocks access to Folder Options (typically through the NoFolderOptions Explorer policy) so that you can’t enable hidden files or file extensions; in that case you’ll need to remove that restriction first, then turn those display options back on.
Once you locate suspicious files, compute their MD5 or SHA-1 hash and search for the hash with a search engine or look it up on a multi-engine online scanner such as VirusTotal. This is particularly useful for deciding whether a suspicious file is actually malicious or a legitimate component with an unfamiliar name. You can also submit the file itself to an online scanner for a verdict; looking up the hash first avoids uploading files that may contain your own data.
Once you have identified the malicious files, the next step is to remove them. This can be tricky, because malware often uses several components that watch over each other and restore or re-lock a file as soon as you delete it. If a file can’t be deleted because it is in use, try unregistering the DLL (regsvr32 /u followed by the path) or ending the process that holds it open, then delete it again. Do not kill core system processes such as winlogon.exe to free a file; that crashes the session. If a core process is holding the file, remove it offline from a rescue boot environment instead (next section).
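The steps above (resolve the AutoStart entry, expand environment variables, find the file, hash it, decide whether it looks legitimate) can be scripted so the triage is repeatable. The following is an added example, not code from the original article: it walks a constructed list of Run-key style entries with a constructed environment mapping (on a live machine you would read the values from the Run keys and pass os.environ), resolves each command line to the file that actually executes, hashes it when present, and applies the heuristics a manual removal usually relies on (user-writable profile directories, system binary names outside System32, rundll32-hosted DLLs, double extensions). The sample entry names, paths and DLL name are hypothetical.

```python
import hashlib
import ntpath
import re

# Constructed environment standing in for the infected machine's variables;
# on a real box pass os.environ instead.
ENV = {
    "SystemRoot": r"C:\Windows",
    "APPDATA": r"C:\Users\victim\AppData\Roaming",
    "TEMP": r"C:\Users\victim\AppData\Local\Temp",
    "ProgramFiles": r"C:\Program Files",
}

# Constructed Run-key entries (value name, command line); none refer to real malware.
SAMPLE_RUN_ENTRIES = [
    ("VendorUpdater", r'"%ProgramFiles%\Vendor\updater.exe" /background'),
    ("svchost", r"%APPDATA%\Microsoft\svchost.exe"),
    ("Loader", r'rundll32.exe "%TEMP%\stage2.dll",Start'),
]

# Binaries that legitimately live only in System32; a copy elsewhere is suspect.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                "services.exe", "smss.exe"}
EXEC_EXT = r"\.(?:exe|dll|scr|com|pif|bat|cmd)"


def expand_vars(s, env):
    """Expand Windows-style %NAME% references, matching names case-insensitively."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), s)


def image_path(command, env):
    """Return the file an AutoStart command line actually runs: handles quoted paths,
    unquoted paths with spaces followed by arguments, and rundll32 hosts (where the
    DLL, not rundll32.exe, is the payload)."""
    command = expand_vars(command.strip(), env)
    if command.startswith('"'):
        end = command.find('"', 1)
        exe, rest = command[1:end], command[end + 1:].strip()
    else:
        m = re.match(r"(.*?" + EXEC_EXT + r")(?:\s+(.*))?$", command, re.I | re.S)
        if m:
            exe, rest = m.group(1), m.group(2) or ""
        else:
            exe, _, rest = command.partition(" ")
    if ntpath.basename(exe).lower() == "rundll32.exe" and rest:
        return rest.split(",")[0].strip().strip('"')
    return exe


def suspicious_reasons(path, env):
    """Heuristics a manual-removal triage applies to a resolved image path."""
    reasons, low = [], path.lower()
    for var in ("APPDATA", "TEMP"):
        base = expand_vars("%" + var + "%", env).lower()
        if low.startswith(base + "\\"):
            reasons.append(f"runs from user-writable {var}")
    system32 = expand_vars(r"%SystemRoot%\System32", env).lower()
    if ntpath.basename(low) in SYSTEM_NAMES and ntpath.dirname(low) != system32:
        reasons.append("system binary name outside System32")
    if re.search(r"\.(?:doc|docx|xls|pdf|jpg|jpeg|txt)" + EXEC_EXT + r"$", low):
        reasons.append("double extension disguises an executable")
    return reasons


def digest(chunks):
    """MD5, SHA-1 and SHA-256 of an iterable of byte chunks in a single pass."""
    hs = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for h in hs.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hs.items()}


def file_hashes(path):
    """Hash a file in 64 KiB chunks so large binaries are not loaded whole."""
    with open(path, "rb") as f:
        return digest(iter(lambda: f.read(65536), b""))


def triage(entries, env, hasher=file_hashes):
    """Resolve each entry to its file, hash it if reachable, and flag oddities.
    A missing file (or one hidden by a rootkit) yields hashes=None."""
    report = []
    for name, command in entries:
        path = image_path(command, env)
        try:
            hashes = hasher(path)
        except OSError:
            hashes = None
        report.append({"entry": name, "path": path, "hashes": hashes,
                       "reasons": suspicious_reasons(path, env)})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_RUN_ENTRIES, ENV):
        flag = "SUSPECT" if row["reasons"] else "ok"
        print(f"{flag:8}{row['entry']:14}{row['path']}")
        for reason in row["reasons"]:
            print(f"{'':8}  - {reason}")
        if row["hashes"]:
            print(f"{'':8}  sha256 {row['hashes']['sha256']}")
```

A hash is worth computing even for entries that look legitimate: searching the SHA-256 of a file named updater.exe tells you quickly whether it is the vendor's signed build or something that merely borrowed the name, and a file that cannot be opened at all while an entry points at it is itself a sign that something is hiding it.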
Create a bootable rescue CD
If none of the above steps work, you may need to create a bootable rescue CD that gives you offline access to the infected drive while none of the malware’s code is running. Options include BartPE (built from Windows XP media), VistaPE (Windows Vista) and Windows PE (Windows 7).
After booting the rescue CD, re-inspect the common AutoStart entry points to find the location from which the malware is loading. Since the infected system’s registry is offline, load its hives (SOFTWARE and each user’s NTUSER.DAT) into the rescue environment’s registry editor to read the Run keys and related entries. Go to the locations those entry points name and remove the malicious files. (If you’re not sure about a file, get its MD5 or SHA-1 hash and search for it with your favorite search engine.)
Last resort: Reformat and reinstall
The last option, and often the most reliable, is to reformat the infected computer’s hard drive and reinstall the operating system and all programs. Although tedious, this is the only method that gives real confidence the infection is gone. After the reinstall, change the login passwords for the computer and for every sensitive online account (banking, social networking, email, etc.), from a known-clean machine if possible, since a password stealer may already have captured the old ones.
Please note that although it is generally safe to restore data files (i.e. those you have created yourself), you must first ensure that they are not harboring an infection. If the backup files are stored on a USB drive, do not connect it to the newly rebuilt computer until you have disabled Autorun. Otherwise, the chance of reinfection via an autorun worm is extremely high.
After disabling autorun, plug in your backup drive and scan it using a couple of different online scanners. If you receive a clean bill of health from two or more online scanners, you can feel confident restoring those files to your restored PC.
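Before the drive touches the rebuilt PC it is worth knowing what an autorun worm would have left on it. The following is an added example, not code from the original article: it parses an autorun.inf the way Explorer does (the [autorun] section’s open, shellexecute and shell\verb\command keys are the ones that execute something), checks whether the launch targets are present on the drive, and also flags double-extension files, which are the other classic USB-worm lure. The autorun.inf text and the two directory listings are constructed for the example and do not come from any real sample; on a real drive you would build the listing with os.walk over the mount point. Disabling Autorun itself is a registry policy (NoDriveTypeAutoRun set to 0xFF under the Explorer Policies key), and Windows 7 and later no longer honor autorun.inf on USB drives at all, but older systems still do.

```python
import re

# Constructed autorun.inf in the style a USB worm drops; not copied from any real worm.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
; label and icon borrowed from the shell so the drive looks harmless
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Backup
action=Open folder to view files
open=RECYCLER\setup.exe
shell\open\Command=RECYCLER\setup.exe
shell\explore\command=RECYCLER\setup.exe
UseAutoPlay=1
"""

# Constructed listings of a drive root: relative path -> contents (sizes irrelevant here).
SAMPLE_INFECTED_DRIVE = {
    "autorun.inf": SAMPLE_AUTORUN_INF,
    "RECYCLER/setup.exe": b"MZ...",
    "Photos/holiday.jpg": b"...",
    "Documents/report.doc.exe": b"MZ...",
    "Documents/notes.txt": b"...",
}
SAMPLE_CLEAN_DRIVE = {
    "Photos/holiday.jpg": b"...",
    "Documents/notes.txt": b"...",
}

LAUNCH_KEYS = {"open", "shellexecute"}
DOUBLE_EXT = re.compile(
    r"\.(?:doc|docx|xls|pdf|jpg|jpeg|txt|avi)\.(?:exe|scr|com|pif|bat|cmd|vbs|lnk)$", re.I)


def parse_inf(text):
    """Minimal INI parser returning {section: {key: value}} with case-folded names.
    Hand-written because worms pad autorun.inf with junk lines and duplicate keys
    that make configparser bail out."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Keys in [autorun] that make Explorer execute something on insertion."""
    hits = []
    for key, value in parse_inf(text).get("autorun", {}).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits


def assess_backup_drive(listing):
    """Decide whether a backup drive shows autorun-worm indicators.
    listing maps relative paths (forward slashes) to file contents, bytes or str."""
    launches, missing, double = [], [], []
    inf = next((v for k, v in listing.items() if k.lower() == "autorun.inf"), None)
    if inf is not None:
        text = inf.decode("utf-8", "replace") if isinstance(inf, bytes) else inf
        lowered = {p.lower() for p in listing}
        for key, value in launch_targets(text):
            launches.append((key, value))
            if value.replace("\\", "/").lower() not in lowered:
                missing.append(value)  # target already removed, or hidden by odd casing/ADS
    for path in listing:
        if DOUBLE_EXT.search(path):
            double.append(path)
    verdict = "DO NOT CONNECT" if launches or double else "no autorun or double-extension indicators"
    return {"autorun_inf": inf is not None, "launch_targets": launches,
            "missing_targets": missing, "double_extensions": double, "verdict": verdict}


if __name__ == "__main__":
    for name, drive in (("infected", SAMPLE_INFECTED_DRIVE), ("clean", SAMPLE_CLEAN_DRIVE)):
        result = assess_backup_drive(drive)
        print(f"{name}: {result['verdict']}")
        for key, value in result["launch_targets"]:
            print(f"  autorun.inf {key}={value}")
        for path in result["double_extensions"]:
            print(f"  double extension: {path}")
```

Run this from the rescue environment or from a non-Windows machine that mounts the stick read-only; the verdict is a reason to clean the drive (delete autorun.inf and its targets, then rescan), not a substitute for the online scans described above, since a worm that hides in a document macro or a renamed installer leaves neither indicator.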