Think you're infected with malware? Check the common symptoms and take action
Published: December 30, 2005
By Sandi Hardmeier

I've been working with users of Internet Explorer for around 7 years now. During that time, I have seen the program improve by leaps and bounds. Back in the late 90s, the biggest problems faced by Internet Explorer users were a corrupt cache, problems with their History, Cookie or Favorites folders, or problems caused by third-party software such as video drivers. Then things changed. Malware (malicious software) started to appear, and became more prolific as time went on.
I think it's fair to say that malware has completely changed the technical support landscape. Sometimes it feels like all I do is help users get rid of such rubbish, and I find myself missing the challenge of more traditional problems. I realized that we were becoming so used to seeing malware infections that we were sometimes forgetting to check for other problems. My article "It's Not Always Malware: How to Fix the Top 10 Internet Explorer Issues," published back in June 2005, discussed the flood of malware and how traditional troubleshooting steps applicable to Internet Explorer were sometimes being missed. The article reminds us that we should not blame everything that goes wrong with our computers on malware, and it describes the symptoms of, and fixes for, non-malware issues with Internet Explorer.
There's another side to the malware issue. I'm not only seeing support professionals who assume that problems are always caused by malware. Sadly, I sometimes also see new users whose machines are infected and who are so new to the computer world that they do not realize that what they are seeing is not normal. So, instead of considering non-malware Internet Explorer issues, let's look at the most common issues caused by malware.
Home page hijacking
Home page hijacking is when malware changes the Internet Explorer home page, and then locks down a system so that the user cannot change their home page back to their original choice. Or, the home page will be changeable, but additional malware will be installed as soon as the victim dares to exercise their right to choose. For example, some malware will allow you to change your home page to your URL of choice, but the price to be paid is the loss of screen space to over-large search toolbars that cannot be turned off permanently and even display on a victim's desktop.
It should be noted that some home page locking is legitimate; for example, computer suppliers, ISPs, and employers may also lock Internet Explorer's home page to their preferred URL, which might be a company home page or a technical support page. Such home page locking is often instantly recognizable to the user, and should not be classified as malware. Malware is often indicated by a sudden change; that is, a user may have always been able to change their home page but is suddenly no longer able to.

A classic symptom of malware infection is the sudden inability to change Internet Explorer's home page.

Tip: If your computer's home page has been locked, you may be able to unlock it by following the instructions at this URL:
http://inetexplorer.mvps.org/answers/41.html
Search engine shenanigans
Internet Explorer has several built-in search facilities that use well-known, legitimate search engines. There is the Explorer Pane that appears at the left of the screen, as well as the ability to search from the address bar.
One of the most popular forms of malware is search engine hijacking. Suddenly your well-known search engine in Internet Explorer will disappear, to be replaced by an unfamiliar stranger. Often the Customize button in the Explorer pane will no longer work, or if it does, the options that are offered will not include the normal search engines (if anything is offered at all).
Another common symptom of malware is the appearance of a new toolbar that invariably claims to provide a Web search service. It may appear at the top or bottom of the screen and often cannot be turned off, either temporarily or at all.
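
To check for the home page and search changes described in the two sections above, the following read-only PowerShell sketch lists the relevant Internet Explorer settings and reports whether a policy is locking the home page. It is an added example, not part of the original article; the registry locations are the standard Internet Explorer ones, which the article itself does not name.

```powershell
# Added example: read-only report of Internet Explorer home page and search
# settings. Nothing is modified. The registry paths are standard IE locations
# (an assumption of this example; the article does not list them).
$report = foreach ($hive in 'HKCU:', 'HKLM:') {
    $main   = "${hive}\Software\Microsoft\Internet Explorer\Main"
    $policy = "${hive}\Software\Policies\Microsoft\Internet Explorer\Control Panel"

    # Values that home page and search hijackers commonly rewrite.
    foreach ($name in 'Start Page', 'Search Page', 'Search Bar') {
        $value = (Get-ItemProperty -Path $main -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Hive = $hive; Setting = $name; Value = $value }
    }

    # HomePage = 1 under the policy key prevents the user from changing the
    # home page in Internet Options. An ISP, supplier or employer may set it
    # legitimately; a lock that appears suddenly is the suspicious case.
    $lock = (Get-ItemProperty -Path $policy -Name 'HomePage' -ErrorAction SilentlyContinue).HomePage
    [pscustomobject]@{ Hive = $hive; Setting = 'Home page locked by policy'; Value = ($lock -eq 1) }
}

$report | Format-Table -AutoSize
```

An unfamiliar URL in any of these values, or a lock you did not expect, is a pointer to look further, not proof of infection.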
Pop-up advertisements
Pop-up advertisements can be a normal part of internet surfing. Many sites use them. However, pop-up advertisements that appear even when we are not actively surfing the web are not normal, nor is it normal to see so many advertisements that normal Web surfing is hampered, or our systems collapse under the load. Nor is it normal to see non-family friendly pop-ups during casual Web surfing. Nor is it normal to see pop-up windows that fill the entire screen and cannot be closed.
Crashes
OK, Internet Explorer can crash. It always has, although crashes now are rarer than they were, say, 5 years ago. Seriously. The Internet Explorer team and third-party vendors have done a lot of work to improve the stability of IE. Kernel32.dll errors, classically caused by video drivers, have become positively rare.
So what is a normal crash, and what is a malware crash? Well, first of all, malware crashes often involve unusual file names such as aodxyz3256.dll or may refer to unknown modules (files).
It can be difficult to work out what is a legitimate file, and what is possible malware. The best place to start is a Web search, because there are several sites on the Web that have started to catalogue and describe legitimate Windows files.
Secondly, malware crashes may occur when you are not actually doing anything. Your PC may be turned on, but idle.

Tip: Advice on how to read Internet Explorer error messages, and how to extract essential information for support professionals, can be found here:
http://inetexplorer.mvps.org/answers/4.html
Synopsis
We now know that unexpected home page changes, unexpected search engine changes, new toolbars, pop-up windows, and some Internet Explorer crashes are not normal and can be caused by malware. What do we do now? Well, we check our system for infection.
My standard troubleshooting advice can be found at this URL:
http://inetexplorer.mvps.org/tshoot.html
CastleCops also provides effective troubleshooting advice at http://wiki.castlecops.com/MRP. (This Web site refers users to programs that automate many of the cleaning steps at http://inetexplorer.mvps.org.)
In the end, this article cannot say, for certain, that your computer is or is not infected with malware. All it can do is provide pointers to suspicious behavior. If you are concerned, follow the troubleshooting advice listed above, and ask for further assistance in one of the following support newsgroups. Good luck.