A malware infection can exhibit an array of symptoms - or none at all. Indeed, the most insidious threats (password stealers and data theft trojans) seldom show any tell-tale signs of infection. In other cases, such as scareware, you may experience system slowdown or an inability to access certain utilities such as Task Manager.
Depending on your experience level, there are various options you can try. Following is a list of those options beginning with the easiest and working through to the more advanced.
Option 1: Try Your Antivirus Software First.
If your Windows computer is infected with a virus, your first step should be to update your antivirus software and run a full system scan. Make sure you close all programs before running the scan. This scan may take several hours, so perform this task when you don't need to use the computer for a while. (If your computer is already infected, you really shouldn't be using it anyway.)
If malware is found, the antivirus scanner will generally take one of three actions: clean, quarantine, or delete. If after running the scan, the malware is removed but you are receiving system errors or a blue screen of death, you may need to restore missing system files.
Option 2: Boot into Safe Mode.
Safe Mode prevents applications from loading and lets you interact with the operating system in a more controlled environment. Though not all antivirus software will support it, try booting into Safe Mode and running an antivirus scan from there. If Safe Mode will not boot or your antivirus won't run in Safe Mode, try booting normally but press and hold the Shift key when Windows starts to load. Doing so should prevent any applications (including some malware) from loading when Windows is started.
If applications (or the malware) still load, then the ShiftOveride setting may have been changed by the malware. To work around that, see How to Disable ShiftOveride.
Option 3: Attempt to Manually Locate and Remove the Malware.
Much of today's malware can disable antivirus software and thus prevent it from removing the infection. In that case, you can attempt to manually remove the virus from your system. However, attempting to manually remove a virus requires a certain level of skill and Windows savvy. At a minimum, you'll need to know how to:
- Use the system registry
- Navigate using environment variables
- Browse folders and locate files
- Locate AutoStart entry points
- Obtain a hash (MD5/SHA1/CRC) of a file
- Access the Windows Task Manager
- Boot into Safe Mode
You can also attempt to close the malware processes by using Task Manager. Simply right-click the process you want to stop and choose "end process". If you are unable to locate the running processes via Task Manager, you can inspect common AutoStart entry points to find the location from which the malware is loading. Note however that much of today's malware may be rootkit-enabled and thus will be hidden from view.
If you are unable to locate the running process(es) using Task Manager or by inspecting the AutoStart entry points, run a rootkit scanner to try to identify the files/processes involved. Malware also may prevent access to folder options so that you're unable to change those options to view hidden files or file extensions. In that case, you'll also need to re-enable folder option viewing.
If you are able to successfully locate the suspicious file(s), obtain the MD5 or SHA1 hash for the file(s) and use a search engine to search for details about it using the hash. This is particularly useful in determining whether a suspect file is indeed malicious or legitimate. You can also submit the file to an online scanner for diagnostics.
Once you've identified the malicious files, your next step will be to delete them. This can be tricky, as malware typically employs multiple files that monitor and prevent the malicious files from being deleted. If you are unable to delete a malicious file, try to unregister the DLL associated with the file or stop the winlogon process and try deleting the file(s) again.
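The AutoStart inspection and hashing steps above, as an added PowerShell example that is not part of the original article: it walks the common Run/RunOnce keys and Startup folders, resolves the program each entry launches, and computes the MD5 and SHA1 hashes you would look up with a search engine or online scanner. It assumes Windows PowerShell 4 or later (for Get-FileHash) and an elevated prompt; it only reads, and changes nothing.

```powershell
# Added example (not from the article). Assumes Windows PowerShell 4+ for Get-FileHash.
# Read-only: lists AutoStart entries, the file each one launches, and its hashes.
$runKeys = @(   # Run/RunOnce keys for the machine and the current user
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(   # Startup folders, located via environment variables
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
function Resolve-CommandPath([string]$CommandLine) {
    # Pull the executable out of a command line; a quoted path may contain spaces.
    if ($CommandLine -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    else { $path = ($CommandLine.Trim() -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($path)
}
function New-AutoStartRecord([string]$Source, [string]$Name, [string]$Target) {
    # A missing target is itself suspicious (malware deleted after the entry was made).
    $exists = ($Target -ne '') -and (Test-Path -LiteralPath $Target -PathType Leaf)
    [pscustomobject]@{
        Source = $Source; Name = $Name; Target = $Target; Exists = $exists
        # Hashes of the launched file, for search-engine or online-scanner lookup
        MD5  = $(if ($exists) { (Get-FileHash -LiteralPath $Target -Algorithm MD5).Hash }  else { 'n/a' })
        SHA1 = $(if ($exists) { (Get-FileHash -LiteralPath $Target -Algorithm SHA1).Hash } else { 'n/a' })
    }
}
function Get-AutoStartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $k = Get-Item -Path $key
        foreach ($name in $k.GetValueNames()) {
            New-AutoStartRecord $key $name (Resolve-CommandPath ([string]$k.GetValue($name)))
        }
    }
    $shell = New-Object -ComObject WScript.Shell   # used to follow .lnk shortcuts
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File) {
            # Shortcuts are followed to the program they point at; other files are hashed as-is
            $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
            New-AutoStartRecord $dir $f.Name $target
        }
    }
}
Get-AutoStartEntries | Format-Table Source, Name, Target, Exists, SHA1 -AutoSize
```

Entries whose target no longer exists, or whose hash returns no results from any search engine or online scanner, are the ones to examine first; remember that rootkit-enabled malware can hide its files from this listing as well as from Task Manager.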
Option 4: Create a Bootable Rescue CD.
If none of the above steps works, you may need to create a rescue CD that provides offline access to the infected drive, so that the malware is not running while you work. Options include BartPE (Windows XP), VistaPE (Windows Vista), and WindowsPE (Windows 7).
After booting to the rescue CD, again inspect the common AutoStart entry points to find the location from which the malware is loading. Browse to the locations provided in these AutoStart entry points and delete the malicious files. (If unsure, obtain the MD5 or SHA1 hash and use your favorite search engine to investigate the files using that hash.)
Last Resort: Reformat and Reinstall.
The final, but often the best, option is to reformat the infected computer's hard drive and reinstall the operating system and all programs. While tedious, this method ensures the safest possible recovery from the infection. Be sure to change your login passwords for the computer and any sensitive online sites (including banking, social networking, email, etc.) after you've completed restoring your system.
Keep in mind that while it is generally safe to restore data files (i.e. files you have created yourself), you first need to ensure they aren't also harboring an infection. If your backup files are stored on a USB drive, do not plug it back into your newly restored computer until you have disabled autorun. Otherwise, the chance of reinfection via an autorun worm is extremely high.
After disabling autorun, plug in your backup drive and scan it using a couple of different online scanners. If you get a clean bill of health from two or more online scanners, then you can feel safe restoring those files to your restored PC.
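The two settings this article asks you to change by hand, disabling autorun before reconnecting the backup drive and re-enabling the folder options that malware turns off (hidden files and file extensions), as an added PowerShell example that is not part of the original article. It audits the current registry values against the safe ones and, only when run with -Fix, applies them; the HKLM autorun policy assumes an elevated prompt.

```powershell
# Added example (not from the article). Audits, and with -Fix corrects, the AutoRun
# policy and the Explorer folder-view options. Run elevated for the HKLM value.
param([switch]$Fix)

# Each setting: registry path, value name, the safe value, and why it matters.
$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Safe = 0xFF
       Why  = 'disables AutoRun on every drive type, including USB' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'Hidden'; Safe = 1; Why = 'show hidden files and folders' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'ShowSuperHidden'; Safe = 1; Why = 'show protected operating system files' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'HideFileExt'; Safe = 0; Why = 'show extensions, so photo.jpg.exe is visible' }
)

function Test-Setting($s) {
    # A missing value counts as unsafe: Explorer then falls back to its permissive default.
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    [pscustomobject]@{
        Setting = $s.Name; Current = $current; Safe = $s.Safe
        OK = ($null -ne $current) -and ($current -eq $s.Safe); Why = $s.Why
    }
}

function Set-Setting($s) {
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Safe -Type DWord
}

$settings | ForEach-Object { Test-Setting $_ } | Format-Table -AutoSize
if ($Fix) {
    $settings | Where-Object { -not (Test-Setting $_).OK } | ForEach-Object { Set-Setting $_ }
    # Explorer reads the view options when it starts; sign out and back in to apply them.
}
```

Run it once before plugging the backup drive in and confirm NoDriveTypeAutoRun reports OK; if a setting reverts after you fix it, something is still running and resetting it, and the system is not yet clean.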