Basic Malware Troubleshooting

"Details Matter"

Too often I will respond to a malware 'Question Alert' in my In-box and find that the entire question is something along the lines of "My computer is running slow", or "I think I have a virus". (Right now, some of you are shaking your heads in disbelief, but those who hang out in these Zones are *nodding* - because they know it is true.)

More than most other Zones on EE, I think the typical Asker in these Zones is not an IT professional. As such, they are going to have neither the knowledge to fully describe the problem - nor the skill-set to follow "Geek-Speak" kinds of advice.

When I see a question as described above, I will start playing "20 Questions" with the Asker to find out what the actual symptoms are, what OS they are running, if the OS is fully patched/current with updates, what flavor anti-malware application they are running (NONE? Oh my ... well, no surprise.), etc.

The primary rule in any situation where we are trying to solve a problem is: "Identify the problem". That sounds pretty basic, but trying to get the details can often involve a lot of extra effort.

Not until we have pulled enough information out of the Asker to narrow our focus can we start posting specific, targeted advice about what actions to take.

It is easy to simply post some links to various malware removers that are easily searched on the Internet. It is also easy to post some kind of generic laundry list of a wide variety of suggested steps. With many Members, advice that is not tailored to them will be (a) too daunting to attempt and (b) not understood to begin with.

Although it is true that malware will often exhibit 'typical' symptoms, the malware writers are constantly updating what they do - and what was 'typical' a few days ago may be wildly different today.

After we have established a few facts and details, we can start the "fixing" process.

If we have been able to identify a specific piece of malware, there may be a special tool developed to target it. If so, it makes sense for me to recommend using that tool - with the proviso that I have tested it and am comfortable recommending it to others. I have learned the hard way never to recommend a tool that I haven't personally used, so that I can help the Asker troubleshoot any problems that may come up.

For broad spectrum identification and cleaning, my favorites are:

"Malwarebytes' Anti-Malware" (http://www.malwarebytes.org/mbam.php) and "ComboFix" (http://www.bleepingcomputer.com/combofix/how-to-use-combofix).

I personally use both of these programs just about every day and cannot imagine continuing my rate of work (small computer repair business) without them. They are both maintained (updated) on a regular basis and have been a mainstay for fighting malware.

These programs generate LOGS (text files) that contain a great deal of information about the computer system and the files, processes, and services that are running. In the hands of an experienced user (or a "Certified Helper" in the case of ComboFix), these logs are invaluable for targeting exactly the actions that are needed to be taken.

Please note that some variants of malware will recognize the executable file name for both MBAM and CF and block them from running. To prevent interference, use the browser's "Save As" function (in IE) and assign a random name to these files BEFORE downloading them.

For an on-going discussion about the proper use of ComboFix (and the proper way to recommend how it is used), please see the open question at: http://www.experts-exchange.com/Q_26933025.html

The best source for proper use of Malwarebytes is their Member forum at: http://www.malwarebytes.org/forums/

I find helping to solve malware problems to be the most rewarding work I do on EE. The Members posting questions are in trouble, and with a little extra work we can identify the problem, provide specific targeted advice and get them back up and running.

Some other valid Articles here on Experts-Exchange that I highly recommend you read are:

MALWARE - "An Ounce of Prevention..."
Viruses in System Volume Information (System Restore)
Can't Install an Antivirus - Windows Security Center still detects previous AV
HijackThis - Some Tips & Tricks
HijackThis reports missing files on 64-bit Systems
"Google Hijack" - Google Search Gets Redirected
LVL 58

Expert Comment

Thanks younghv! Voted yes above.
LVL 40

Expert Comment

Nice article younghv.

Voted yes, above.
LVL 47

Expert Comment

It's a good article younghv.

I agree that we should only recommend scanners that we ourselves have used and are very familiar with.

Some members who suggest Combofix with that .org link certainly have never even tried running CF otherwise they would know from the CF disclaimer that the link is one of the 2 sites users of ComboFix should stay away from.

Voted 'Yes' to your article.

LVL 61

Expert Comment

by:Kevin Cross
Thank you!
Voted yes above.
LVL 40

Expert Comment

younghv, rpggamergirl,

I have an idea for an article for you both...

May I respectfully request that together you come up with a top 10 list of things to do if you think you are infected? A lot of inexperienced people will try things before seeking help and some of these just plain make the situation worse. For example, one of the first things to do is unplug the network cable to limit the virus's chance to spread, whereas one of the last things you should do is reboot the machine as this gives a virus that is currently not memory resident the chance to do so.

Maybe this guide could include a top 10 of things to make you suspicious that you might be infected (vs. just Windows being its normal useless self)? For example, system files that are not quite the right size or files that have a double extension such as porn.jpg.exe.

I'd suggest this should be targeted at the absolute noob and doesn't need to contain advice on how to clean, just how to prevent making matters any worse, with the ultimate tip of if you don't know what to do find someone who does.

I would love to read such an article from such esteemed AV experts as yourselves.

Best regards

LVL 15

Expert Comment

by:Eric AKA Netminder
Voted Yes. I think this is the kind of article we need a lot more of.

LVL 70

Expert Comment

by:Jason C. Levine
Nicely done.  This one gets printed out and stuck in the mailboxes at the day job.

Expert Comment


for "basic malware" we use spybot search & destroy ! please check this solution out.
LVL 40

Expert Comment

>> for "basic malware" we use spybot search & destroy ! please check this solution out.
SBSD is not an anti-malware package, it is an anti-spyware/adware package. The two things are very different (spyware is a special case for malware, a very small sub-class).

Please be careful what you advise, especially with malware, as your good intentions could harm others!

LVL 38

Author Comment

Please note that this Article is written for the steps to help with known infected computers. Years ago I was a real fan of Spybot, but - at best - it can only be used as a semi-effective filter against known malware variants.

There is no way that I would ever attempt to use it to salvage a 'known infected' system.

Administrative Comment

Good article and a lot of readers have already found it very useful.

Deserves EEA award.

Page Editor
LVL 51

Expert Comment

by:Keith Alabaster
Good stuff Vic - Voted Yes.
LVL 38

Author Comment

Nice surprise!
Thank you and Happy Mother's Day (not to you Keith).

Expert Comment

Great article.  My first line of defense lately has been your basic Windows System Restore!  
LVL 38

Author Comment

Thank you for voting and commenting.
One of the things to concern yourself with by using a "System Restore" is that you may not have addressed the actual problem - only the symptom.

In almost all situations, the freely available tools will identify the actual problem and correct it.

Doing a "System Restore" while leaving infectors in your "Temporary" Folders will not be a solution.

I am doing a couple more Articles and will update my "Prevention" Article to include some new recommendations.

http://www.experts-exchange.com/A_1958.html (MALWARE - "An Ounce of Prevention...")

Thank you again for your comment.

Expert Comment

by:Reinert Wentzel
Hi younghv,

1. you mention both malware bytes and combofix above- should both be run?
2. In your other article http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_5124-Stop-the-Bleeding-First-Aid-for-Malware.html you did not mention combofix and mentioned rogue killer?

Which should be run and in what order?
LVL 38

Author Comment

Reinert Wentzel -
The primary intent of this article is to describe for askers and experts the steps we all need to follow for asking and answering malware-related questions.

The askers need to initially provide the right kind of information and the experts need to ask the right questions to specifically identify the variant we are trying to fix.

The idea was to eliminate a lot of the back-and-forth responses we tend to go through - before we can even get started on figuring out the problem and solution.

For me, the order for tools/scanners is to start with some kind of rogue process killer and then Malwarebytes. At that point I review the logs generated and decide what to do next.

ComboFix is indeed one of the greatest anti-malware tools ever created, but should only be used under the guidance of a trusted 'helper' who is certified to evaluate the logs and generate the follow-on scripts that may be needed.

Expert Comment

by:Reinert Wentzel
Thx a lot for your reply above - I really find it very helpful - and super article - so looking at these 3 articles
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

To summarize all you have said, and correct me if I am wrong (also, do you mind answering any of the questions below):

RUN Rogue killer/MBAM in normal mode at all times if possible
Would you say it is better to first make sure Windows is fully updated/firewall enabled/AV loaded/updated and running before actually removing the virus?
1. User complains pc is slow and strange redirects etc- but name of malware is not yet identified. It is obviously impossible to always know what malware you are dealing with, as you need to run MBAM/AV scans before this can be done? And by the time the scans are run the malware is normally removed?
2. User has updated Antivirus installed - say for example Norton Antivirus 2012 and fully updated - a. Do I run a full NAV scan first? b. If the virus is removed with NAV and there are no issues, do I still run RogueKiller/MBAM?
3. If the answer is "Yes" for point 2 above, or if viruses are still present after the AV scan, then run RogueKiller to kill processes. c. Are any of the other functions of RogueKiller required to be run besides the prescan that kills the malicious process? Then run MBAM full.
4. If MBAM finds various malware and successfully removes it, d. Is ComboFix still required to be run if MBAM said it removed all infections? Here is a reference to one of your articles (One of the cautions in fighting malware is to use the minimum number of tools possible. If you can effectively stop the rogue processes (1) and clean the infection with Malwarebytes (2), the only other routine tool I would load would be CCleaner (www.ccleaner.com) to delete all of the Temp/Junk files that accumulate in your browser.)
5. My endgoal is to minimize the time spent on virus removal with the most effective methods possible. I need to compile a general checklist/guide which i can apply as a standard for removing malware on any pc i find infected. Can one apply all the above as a general guideline and if issues still persist then perhaps post in EE?
LVL 40

Expert Comment


This would be much better placed as a question in the Q&A area of the site such that others can see and benefit from the information gleaned here.

Just a thought :)
LVL 38

Author Comment

I saw your comments/questions and will respond when I get some spare time.
Really appreciate your pointing out that I left in the "CCleaner" comments in a couple of places.

That advice went bad with the malware variants that started moving system/user files into the 'Temp' directories.

No one should manually delete any files until the system is cleaned and back to normal - then do a careful look at those files/folders before taking any action.
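The two "something is wrong" indicators raised in the comments above (a deceptive double extension such as porn.jpg.exe, and a file whose size differs from what it should be), combined with the author's caution that files found in the Temp folders must be looked at rather than deleted, can be turned into a report-only triage script. The following is an added example written for this page; it is not code from the article, from Malwarebytes or from any commenter. The extension lists, the folder layout, the file contents and the reference size for userdoc.docx are all constructed for the demonstration.

```python
# Added example (not the article's or the commenters' code): a report-only
# triage script for the two suspicious-file indicators from the comments
# above (deceptive double extensions such as "porn.jpg.exe", and files whose
# size differs from a known-good reference), run over a Temp-style folder.
# It deliberately deletes nothing, following the author's caution that
# malware may move user files into Temp folders.
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Final extensions that Windows will execute (assumed list, not from the page).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta"}
# Decoy extensions commonly placed in front of the real one (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
              ".xls", ".xlsx", ".txt", ".mp3", ".avi", ".mp4"}


def has_deceptive_double_extension(name: str) -> bool:
    """True for names like 'porn.jpg.exe': a decoy document/media extension
    directly followed by an executable extension. 'backup.tar.gz' is not
    flagged because '.gz' is not executable."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, final = parts
    return ("." + final) in EXECUTABLE_EXTS and ("." + decoy) in DECOY_EXTS


def scan_folder(root: Path,
                expected_sizes: Optional[Dict[str, int]] = None
                ) -> List[Tuple[str, str]]:
    """Walk 'root' and return sorted (reason, relative_path) findings.
    Nothing on disk is modified or removed; the list is for a human review."""
    expected_sizes = expected_sizes or {}
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            rel = path.relative_to(root).as_posix()
            if has_deceptive_double_extension(fname):
                findings.append(("double-extension executable", rel))
            expected = expected_sizes.get(fname.lower())
            if expected is not None and path.stat().st_size != expected:
                findings.append(("size differs from reference", rel))
    return sorted(findings)


def build_constructed_sample(base: Path) -> None:
    """Create a small constructed folder tree that imitates a Temp directory
    (sample data made up for this example, not taken from a real system)."""
    (base / "sub").mkdir(parents=True, exist_ok=True)
    (base / "holiday.jpg.exe").write_bytes(b"MZ" + b"\x00" * 64)   # decoy name
    (base / "notes.txt").write_text("harmless text")                # benign
    (base / "sub" / "backup.tar.gz").write_bytes(b"\x1f\x8b\x08")   # benign
    (base / "sub" / "userdoc.docx").write_bytes(b"PK" * 100)        # 200 bytes


def run_demo() -> List[Tuple[str, str]]:
    """Build the constructed sample, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_constructed_sample(base)
        # Constructed reference size: the known-good 'userdoc.docx' is taken
        # to be 100 bytes, so the 200-byte copy is reported for a closer look.
        return scan_folder(base, expected_sizes={"userdoc.docx": 100})


if __name__ == "__main__":
    for reason, rel in run_demo():
        print(f"REVIEW  {reason:30s} {rel}")
```

On a real machine you would point scan_folder at the user's and system Temp folders and feed expected_sizes from a clean reference system; the output is a review list, not a delete list, which is exactly the distinction the author draws above.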

Expert Comment

younghv and rpggamergirl,

First off, I've read about a dozen articles from you both in order to come up with my current "Best Practices" procedure for removing malware. All of your info is excellent, thank you.

One thing I remain confused on is the best practice for the "rootkit". I understand that there is a lot of overlap in what certain tools do and many say they remove or detect rootkits. But your malware removal guides that I read seem to focus on staying in Normal Mode and not using a Linux Boot CD for offline scanning. You state or imply there are exceptions. I'm wondering if you can go into some detail on that.

From what I understand of a true rootkit, it is actively evading detection by changing its properties or location so a scanner can *never* get a hold of it in Windows. This would seem to indicate a need to run a Linux anti-rootkit scan.

Question: Is "never" an accurate assessment? Or can some utilities really find and remove (all or some) rootkits in Windows?

Question: When *do* you recommend using a live Linux boot CD to remove rootkits and which one?

In your article, "Malware Fighting - Best Practices" [http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6650-Malware-Fighting-Best-Practices.html]
you state that in using a BootCD, "The virus scanner's database on the BootCD is most likely outdated." I wouldn't consider that a valid reason not to use one because I use scanners that can load a network card, get online and update their databases. The two that I've been using are Kaspersky Rescue Disk and Bitdefender Rescue CD.

I'd be interested to get your views on this.

Thank you.
