In a previous post on the subject of malware removal, I suggested booting into the Windows Safe Mode to run anti-malware scans to remove those threats — conventional tech wisdom being that no malware can load when booted to Safe Mode.
Well, for severe malware infestations, Safe Mode is no longer safe. Newer variants of some malware load even when Safe Mode is used. There are a few different ways of accomplishing this, the most common being that the malware registers itself as a critical system process. This ensures that it is loaded regardless of what happens, and makes it much harder to shut down.
To make matters worse, these threats will often shut down all critical Windows Services, preventing you from opening Task Manager, starting the msconfig or Registry Editor utilities, or changing the Desktop wallpaper settings (more on this in a moment).
So how does the average computer user combat these attacks? If you are experiencing an attack of this kind, where even Safe Mode loads the malware, then the resolution is beyond the reach of the average user. At this point, the computer needs to be taken to a reputable computer service center or IT Consultant, but you must be firm and assertive as to what you want them to do to resolve the problem.
You need to confirm whether they have the necessary tools to boot the computer into a separate Windows environment. There are third-party tools that allow you to boot into a Windows environment from a CD. One such tool is Bart's PE, a stripped-down version of Windows XP. It boots completely from a CD and loads a simple graphical user interface. Coupled with plugins (a McAfee scanner, for example), you can scan your entire computer without the fear that your nifty little infection has somehow loaded.
Once your tech support confirms that they have such a tool, insist that they use it to run an anti-malware scan on your computer. That will allow them to employ additional corrective measures once Safe Mode is safe again. When you go to pick up your computer, don’t leave without first confirming that the following processes and features work:
- Have the technician confirm that the Task Manager, the Windows Registry and msconfig utilities can load
- Have the technician confirm that Internet browser searches using Google (or any other search engine) do not redirect to unrelated sites or pages
- Have the technician confirm that the Windows Display properties allow the Desktop wallpaper settings to be changed. (Some malware displays a fake threat warning as the Desktop wallpaper. Any attempt to change the wallpaper back to the default settings will prove futile, because the malware blocks the setting that would allow the change.)
- Have the technician confirm that the Windows Services panel (accessed by typing services.msc from the Run command window) does not show most or all services disabled
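As an added example that is not from the original post, this PowerShell script automates the checks in the list above on a machine you control: the policy values and SafeBoot keys it reads are standard Windows registry locations, and the hosts-file check assumes a hosts-based redirect, which is only one possible cause of search redirection.

```powershell
# Added example, not part of the original post: read-only checks for the symptoms in the
# checklist above. Run from an elevated PowerShell prompt on the cleaned machine.
function Get-CleanupFindings {
    $findings = @()

    # Task Manager / Registry Editor lockout policies (value 1 = disabled)
    $sys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($n in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ((Get-ItemProperty $sys -Name $n -ErrorAction SilentlyContinue).$n -eq 1) {
            $findings += "$n set to 1 under $sys"
        }
    }

    # Wallpaper change blocked by policy
    $ad = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
    $wp = (Get-ItemProperty $ad -Name NoChangingWallPaper -ErrorAction SilentlyContinue).NoChangingWallPaper
    if ($wp -eq 1) { $findings += "NoChangingWallPaper set to 1 under $ad" }

    # Search redirection: a hosts-file entry for a search engine is one common cause (assumption)
    Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'google|bing|yahoo' } |
        ForEach-Object { $findings += "hosts entry: $_" }

    # Services: flag when more than half are disabled ("most or all services disabled")
    $svc = Get-CimInstance Win32_Service
    $disabled = @($svc | Where-Object StartMode -eq 'Disabled')
    if ($disabled.Count -gt ($svc.Count / 2)) {
        $findings += "$($disabled.Count) of $($svc.Count) services are disabled"
    }

    # Safe Mode persistence: anything registered under SafeBoot is allowed to load in Safe Mode.
    # Heuristic: flag Service/Driver entries whose name is not a known service or driver.
    $known = @($svc.Name) + @((Get-CimInstance Win32_SystemDriver).Name)
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        Get-ChildItem $key -ErrorAction SilentlyContinue | ForEach-Object {
            $name = $_.PSChildName
            $type = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($type -in 'Service', 'Driver' -and $known -notcontains $name) {
                $findings += "unrecognised SafeBoot\$mode entry: $name ($type)"
            }
        }
    }
    return $findings
}

$result = Get-CleanupFindings
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { 'No lockout, redirection or Safe Mode persistence indicators found.' }
```

Any SafeBoot entry it flags should be checked by hand before removal, since a legitimate third-party driver that is not running at scan time will also appear unrecognised.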
Once you are satisfied that the malware threat has been removed, you should run your own scan by following the steps from my previous post on malware removal.
Should the malware threat persist, reply back here with your comments.