You’re infected. You know it for sure. Maybe all of your icons are gone. Maybe you’re getting strange messages popping up telling you you’re infected and if you just pay one time fee, the software you don’t recognize will clean things up for you. Perhaps your system has slowed to a crawl and you have exhausted all other possible reasons. Or maybe the anti-malware software you normally use is telling you you are infected but can’t seem to actually clean it up.
Regardless, you’re going to need to do something. There are some steps you can take in order to check for and possibly fix infections of even the worst variety. The fact is that in many cases you are going to want to contact a professional about your computer problem anyway. But if you want to try it on your own, or you are a computer professional and are looking for some extra tools to get rid of some nasty malware, you can give the following tools a try.
To begin with, you probably want to try to boot into Safe Mode. Safe Mode starts your Windows machine up with a minimal set of drivers loaded which decreases the likelihood that malware will be loaded as well. Most anti-malware toolkits will work just fine in Safe Mode, including those listed here. Of course, sometimes you will try to get into Safe Mode and something has happened that essentially causes your machine to crater when you do. If that is the case, you’ll have to use a regular startup. To enter Safe Mode, repeatedly press the F8 key while your computer is starting up. You will be provided several startup options. The two of interest will be Safe Mode as well as Safe Mode With Networking. If you do not already have any of these tools on a USB flash drive or CD, fully up to date, then you will want Safe Mode With Networking so as to be able to grab the most recent copy. Otherwise, you can start up in plain Safe Mode. If you try Safe Mode but the tools still won’t load because they say they need an update, try Safe Mode With Networking.
Before going to far, consider emptying your trash as well as any cached Internet files. Quite a bit of malware tries for the simple approach of residing in your Internet cache. You can do this by entering your Control Panel, opening your Internet Settings and choosing to Delete Files. You may want to reboot after doing so. This doesn’t help often, but it’s not a bad starting point and it might help later scan times.
For most anti-malware troubleshooting, you should try beginning with something like Malwarebytes’ Anti-Malware. When you install the software it will check to see if the definitions are up to date. Many times an update will be needed. You can, however, download the mbam-setup.exe file separately and then go here for the mbam-rules.exe. The rules definitions are kept up to date, or should be, so if you download the two files you can then install them (mbam-setup.exe first, then mbam-rules.exe) and have an up to date MBAM installation. Then perform a Quick Scan first thing. You most likely do not need a Full Scan. If any threats are found, remove them, reboot, and see how things look.
In addition to MBAM, you should check if your regular anti-virus application can scan in Safe Mode. It’s possible that the scan will find and be able to remove the threat in Safe Mode where it couldn’t during a normal boot. Again, if it does, reboot and check your system out.
Another useful tool is ComboFix from bleepingcomputers. While the page states not to use this tool unless specifically instructed to by a professional in the process of helping you fix your computer, the choice ultimately is yours. It will attempt to find and eliminate detected threats on your system and if used improperly might leave your system unusable. There are instructions on that same page for posting your problems in specific forums if you want to have guidance in the use of this tool.
If you have tried removing the threat but it still seems to come back, you might have what is called a rootkit installed. Also known as an MBR infection, these types of infections are actually based at a level lower than the operating system, meaning that normal methods of detection and removal might not work. You can visit GMER.net and scroll down to find their mbr.exe utility which will try to inform you whether or not you have a rootkit installation. From the same page you can also try catchme.exe. The difference has to do with how the potential rootkits are loaded. Another useful tool is TDSS Killer from Kaspersky Labs. There is also aswMBR from Avast!. These tools are for detecting and removing rootkits. As such they are not useful for active defenses. They can really only be called in to clean up the damage after the fact.
I should mention one other utility that is quite helpful. Some malware will attempt to hide your desktop icons, start menu items and so on. Then they will claim they can “find” them and “fix” them for you. It is malware and needs to be removed before any attempt can be made to actually fix what it’s done with the files. Once you are satisfied that you have managed to remove the malware, you’ll need to fix that damage. You can try the unhide.exe from bleepingcomputer to, as the name suggests, unhide everything that once was hidden. Remember, you have to eliminate the malware first or else you will fix your files only to have them hidden again.
This by no means an exhaustive list, but it’s a reasonably good first start, or even useful as a starting point before contacting an computer support professional.