
Basic Malware Troubleshooting

younghv
"Details Matter"

Too often I will respond to a malware 'Question Alert' in my inbox and find that the entire question is something along the lines of "My computer is running slow", or "I think I have a virus". (Right now, some of you are shaking your heads in disbelief, but those who hang out in these Zones are *nodding* - because they know it is true.)

More than most other Zones on EE, I think the typical Asker in these Zones is not an IT professional. As such, they are going to have neither the knowledge to fully describe the problem - nor the skill-set to follow "Geek-Speak" kinds of advice.

When I see a question as described above, I will start playing "20 Questions" with the Asker to find out what the actual symptoms are, what OS they are running, if the OS is fully patched/current with updates, what flavor anti-malware application they are running (NONE? Oh my ... well, no surprise.), etc.

The primary rule in any situation where we are trying to solve a problem is: "Identify the problem". That sounds pretty basic, but trying to get the details can often involve a lot of extra effort.

Not until we have pulled enough information out of the Asker to narrow our focus can we start posting specific, targeted advice about what actions to take.
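The following is an added example and is not part of younghv's article or of any of the tools it mentions. It turns the "20 Questions" above (OS and patch level, what anti-malware is registered, whether the firewall is on, what is running and from where, and the usual places a browser redirect is planted) into one PowerShell script that writes a plain-text report an Asker can paste into a question. It assumes an elevated PowerShell prompt on Windows Vista or later (the root/SecurityCenter2 namespace does not exist on XP or on Server editions), and the output path on the Desktop is an assumption.

```powershell
# Added example, not part of the original article: gather the triage facts the
# article asks for into one text file that an asker can paste into a question.
# Run from an elevated PowerShell prompt on the affected machine (Vista or later;
# the root/SecurityCenter2 namespace does not exist on XP or on Server SKUs).
# The output path is an assumption; change it if the Desktop is not writable.

$report = Join-Path $env:USERPROFILE 'Desktop\malware-triage.txt'
$lines  = New-Object System.Collections.Generic.List[string]

# Run one check, capture its output as lines, and never let a failing check
# (for example a missing WMI namespace) abort the rest of the report.
function Add-Section([string]$Title, [scriptblock]$Body) {
    $lines.Add("=== $Title ===")
    try {
        $out = @(& $Body | Out-String -Stream | Where-Object { $_.Trim() })
        $lines.AddRange([string[]]$out)
    } catch {
        $lines.Add("ERROR: $($_.Exception.Message)")
    }
    $lines.Add('')
}

Add-Section 'Operating system' {
    Get-CimInstance Win32_OperatingSystem |
        Select-Object Caption, Version, OSArchitecture, InstallDate, LastBootUpTime | Format-List
}

Add-Section 'Ten most recent hotfixes (is the OS actually patched?)' {
    Get-HotFix | Sort-Object InstalledOn -Descending |
        Select-Object -First 10 HotFixID, InstalledOn | Format-Table -AutoSize
}

Add-Section 'Registered anti-malware products (what is running, if anything?)' {
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
        Select-Object displayName, productState, pathToSignedProductExe | Format-List
}

Add-Section 'Firewall state per profile' {
    netsh advfirewall show allprofiles state
}

# Legitimate software also lives in AppData, so this is a lead, not a verdict.
Add-Section 'Processes running from user-writable folders (worth a look, not proof)' {
    Get-Process | Where-Object { $_.Path -and $_.Path -match '\\(Temp|AppData|ProgramData|Public)\\' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.Path
            '{0,-24} PID {1,-6} {2,-12} {3}' -f $_.Name, $_.Id, $sig.Status, $_.Path
        }
}

Add-Section 'Run / RunOnce autostart entries' {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        "[$k]"
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { '  {0} = {1}' -f $_.Name, $_.Value }
    }
}

Add-Section 'Browser proxy settings (redirect symptoms often start here)' {
    Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
        Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List
}

Add-Section 'Non-comment lines in the hosts file (another place redirects hide)' {
    Get-Content -Path (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts') |
        Where-Object { $_ -notmatch '^\s*(#|$)' }
}

$lines | Set-Content -Path $report -Encoding UTF8
Write-Host "Triage report written to $report"
```

Each check is wrapped so that one failure (no SecurityCenter2 namespace, no access to a process path) is recorded in the report rather than stopping it. If the script window is closed or PowerShell itself is killed while this runs, that is exactly the kind of detail worth putting in the question.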

It is easy to simply post some links to various malware removers that are easily searched on the Internet. It is also easy to post some kind of generic laundry list of a wide variety of suggested steps. With many Members, advice that is not tailored to them will be (a) too daunting to attempt and (b) not understood to begin with.

Although it is true that malware will often exhibit 'typical' symptoms, the malware writers are constantly updating what they do - and what was 'typical' a few days ago may be wildly different today.

After we have established a few facts and details, we can start the "fixing" process.

If we have been able to identify a specific piece of malware, there may be a special tool developed to target it. If so, it makes sense for me to recommend using that tool - with the proviso that I have tested it and am comfortable recommending it to others. I have learned the hard way to never recommend a tool that I haven't personally used - and can help the Asker trouble-shoot any problems that may come up.

For broad spectrum identification and cleaning, my favorites are:

"Malwarebytes' Anti-Malware" (http://www.malwarebytes.org/mbam.php) and "ComboFix" (http://www.bleepingcomputer.com/combofix/how-to-use-combofix).

I personally use both of these programs just about every day and cannot imagine continuing my rate of work (small computer repair business) without them. They are both maintained (updated) on a regular basis and have been a mainstay for fighting malware.

These programs generate LOGS (text files) that contain a great deal of information about the computer system and the files, processes, and services that are running. In the hands of an experienced user (or a "Certified Helper" in the case of ComboFix), these logs are invaluable for targeting exactly the actions that need to be taken.

Please note that some variants of malware will recognize the executable file name for both MBAM and CF and kill or block them. To prevent interference, you should use the "Save As" function (Internet Explorer) and assign a random name to these files BEFORE downloading them. Renaming only defeats malware that keys on the file name; if a renamed tool is still killed on launch, that is itself a useful detail to report.
For an on-going discussion about the proper use of ComboFix (and the proper way to recommend how it is used), please see the open question at: https://www.experts-exchange.com/Q_26933025.html

The best source for proper use of Malwarebytes is their Member forum at: http://www.malwarebytes.org/forums/

I find helping solve malware problems to be the most rewarding work I do on EE. The Members posting questions are in trouble, and with a little extra work we can identify the problem, provide specific targeted advice and get them back up and running.

Some other related Articles here on Experts-Exchange that I highly recommend you read are:

2012-Malware-Variants
MALWARE - "An Ounce of Prevention..."
Rogue-Killer-What-a-great-name
Stop-the-Bleeding-First-Aid-for-Malware
Latest-Malware-Threat-Windows-Stability-Center

Viruses in System Volume Information (System Restore)
THINGS YOU NEED TO DO WHEN YOUR PC IS INFECTED
IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM
Can't Install an Antivirus - Windows Security Center still detects previous AV
HijackThis - Some Tips & Tricks
HijackThis reports missing files on 64-bit Systems
"Google Hijack" - Google Search Gets Redirected

Comments (21)

younghv (Author)

Commented:
ReinerWentzel -
The primary intent of this article is to describe for askers and experts the steps we all need to follow for asking and answering malware-related questions.

The askers need to initially provide the right kind of information and the experts need to ask the right questions to specifically identify the variant we are trying to fix.

The idea was to eliminate a lot of the back-and-forth responses we tend to go through - before we can even get started on figuring out the problem and solution.

For me, the order for tools/scanners is to start with some kind of rogue process killer and then Malwarebytes. At that point I review the logs generated and decide what to do next.

ComboFix is indeed one of the greatest anti-malware tools ever created, but should only be used under the guidance of a trusted 'helper' who is certified to evaluate the logs and generate the follow-on scripts that may be needed.
Codeforlife (Developer)

Commented:
Thanks a lot for your reply above - I really find it very helpful - and super article - so looking at these 3 articles
https://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)
https://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
https://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

To summarize all you have said and correct me if I am wrong (also, do you mind answering any questions below):

RUN Rogue Killer/MBAM in normal mode at all times if possible
Would you say it is better to first make sure Windows is fully updated/firewall enabled/AV loaded/updated and running before actually removing the virus?
1. User complains PC is slow and strange redirects etc. - but name of malware is not yet identified. It is obviously impossible to always know what malware you are dealing with, as you need to run MBAM/AV scans before this can be done? And by the time the scans are run the malware is normally removed?
2. User has updated Antivirus installed - say for example Norton Antivirus 2012 and fully updated - a. do I run a full NAV scan first? b. If virus removed with NAV and no issues, do I still run Rogue Killer/MBAM?
3. If answer is "Yes" for point 2 above, or if viruses still present after AV scan, then run Rogue Killer to kill processes c. Are any of the other functions of Rogue Killer required to be run besides the prescan that kills the malicious process? Then run MBAM full
4. If MBAM finds various malwares and successfully removes them d. Is ComboFix still required to be run if MBAM said it removed all infections? Here is a reference to one of your articles (One of the cautions in fighting malware is to use the minimum number of tools possible. If you can effectively stop the rogue processes (1) and clean the infection with Malwarebytes (2), the only other routine tool I would load would be CCleaner (www.ccleaner.com) to delete all of the Temp/Junk files that accumulate in your browser.)
5. My end goal is to minimize the time spent on virus removal with the most effective methods possible. I need to compile a general checklist/guide which I can apply as a standard for removing malware on any PC I find infected. Can one apply all the above as a general guideline and if issues still persist then perhaps post in EE?
evilrix (Senior Software Engineer, Avast)

Commented:
ReinerWentzel,

This would be much better placed as a question in the Q&A area of the site such that others can see and benefit from the information gleaned here.

Just a thought :)
younghv (Author)

Commented:
ReinerWentzel,
I saw your comments/questions and will respond when I get some spare time.
Really appreciate your pointing out that I left in the "CCleaner" comments in a couple of places.

That advice went bad with the malware variants that started moving system/user files into the 'Temp' directories.

No one should manually delete any files until the system is cleaned and back to normal - then do a careful look at those files/folders before taking any action.

Commented:
younghv and rpggamergirl,

First off, I've read about a dozen articles from you both in order to come up with my current "Best Practices" procedure for removing malware. All of your info is excellent, thank you.

One thing I remain confused on is the best practice for the "rootkit". I understand that there is a lot of overlap in what certain tools do and many say they remove or detect rootkits. But your malware removal guides that I read seem to focus on staying in Normal Mode and not using a Linux Boot CD for offline scanning. You state or imply there are exceptions. I'm wondering if you can go into some detail on that.

From what I understand of a true rootkit, it is actively evading detection by changing its properties or location so a scanner can *never* get a hold of it in Windows. This would seem to indicate a need to run a Linux anti-rootkit scan.

Question: Is "never" an accurate assessment? Or can some utilities really find and remove (all or some) rootkits in Windows?

Question: When *do* you recommend using a live Linux boot CD to remove rootkits and which one?

In your article, "Malware Fighting - Best Practices" [https://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6650-Malware-Fighting-Best-Practices.html]
you state that in using a BootCD, "The virus scanner's database on the BootCD is most likely outdated." I wouldn't consider that a valid reason not to use one because I use scanners that can load a network card, get online and update their databases. The two that I've been using are Kaspersky Rescue Disk and Bitdefender Rescue CD.

I'd be interested to get your views on this.

Thank you.
