Basic Malware Troubleshooting

Published on
99,549 Points
33 Endorsements
Last Modified:
"Details Matter"

Too often I will respond to a malware 'Question Alert' in my In-box and find that the entire question is something along the lines of "My computer is running slow", or "I think I have a virus". (Right now, some of you are shaking your heads in disbelief, but those who hang out in these Zones are *nodding* - because they know it is true.)

More than most other Zones on EE, I think the typical Asker in these Zones is not an IT professional. As such, they are going to have neither the knowledge to fully describe the problem - nor the skill-set to follow "Geek-Speak" kinds of advice.

When I see a question as described above, I will start playing "20 Questions" with the Asker to find out what the actual symptoms are, what OS they are running, if the OS is fully patched/current with updates, what flavor anti-malware application they are running (NONE? Oh my ... well, no surprise.), etc.

The primary rule in any situation where we are trying to solve a problem is: "Identify the problem". That sounds pretty basic, but trying to get the details can often involve a lot of extra effort.

Not until we have pulled enough information out of the Asker to narrow our focus, can we start posting specific, targeted advice about what actions to take.

It is easy to simply post some links to various malware removers that are easily searched on the Internet. It is also easy to post some kind of generic laundry list of a wide variety of suggested steps. With many Members, advice that is not tailored to them will be (a) too daunting to attempt and (b) not understood to begin with.

Although it is true that malware will often exhibit 'typical' symptoms, the malware writers are constantly updating what they do - and what was 'typical' a few days ago may be wildly different today.

After we have established a few facts and details, we can start the "fixing" process.

If we have been able to identify a specific piece of malware, there may be a special tool developed to target it. If so, it makes sense for me to recommend using that tool - with the proviso that I have tested it and am comfortable recommending it to others. I have learned the hard way to never recommend a tool that I haven't personally used - and can help the Asker trouble-shoot any problems that may come up.

For broad spectrum identification and cleaning, my favorites are:

"Malwarebytes' Anti-Malware" (http://www.malwarebytes.org/mbam.php) and "ComboFix" (http://www.bleepingcomputer.com/combofix/how-to-use-combofix).

I personally use both of these programs just about every day and cannot imagine continuing my rate of work (small computer repair business) without them. They are both maintained (updated) on a regular basis and have been a mainstay for fighting malware.

These programs generate LOGS (text files) that contain a great deal of information about the computer system and the files, processes, and services that are running. In the hands of an experienced user (or a "Certified Helper" in the case of ComboFix), these logs are invaluable for targeting exactly the actions that are needed to be taken.

Please note that some variants of malware will recognize the executable file name for both MBAM and CF. To prevent interference, you should use the "Save As" function (IE) and assign a random name to these files BEFORE downloading them.
For an on-going discussion about the proper use of ComboFix (and the proper way to recommend how it is used), please see the open question at: http://www.experts-exchange.com/Q_26933025.html

The best source for proper use of Malwarebytes is their Member forum at: http://www.malwarebytes.org/forums/

I find that helping solve malware problems to be the most rewarding work I do on EE. The Members posting questions are in trouble and with a little extra work we can identify the problem, provide specific targeted advice and get them back up and running.

Some other valid Articles here on Experts-Exchange that I highly recommend you read are:

MALWARE - "An Ounce of Prevention..."

Viruses in System Volume Information (System Restore)
Can't Install an Antivirus - Windows Security Center still detects previous AV:
HijackThis - Some Tips & Tricks:
HijackThis reports missing files on 64-bit Systems:
"Google Hijack" - Google Search Gets Redirected:
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free