My virus removal procedure sheet..

I think PCTek makes some excellent points.

What opened my eyes to the current malware situation was deliberately infecting VMs. Most were pretty straightforward to remove but a couple of them simply could not be found using the scanning tools. Now if I hadn't known for a fact they were there, I dare say I would not have spotted them. But since I did, I asked around on forums where they know a lot more about the subject and used the tools I mentioned earlier, which are nothing more than convenient ways to see which files and processes have been hooked. So then I could see there were problems. But will newer rootkits find ways around this? Quite probably.

So the more I think about it, the more I'm inclined to agree that N&P is a very sensible choice.
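As an added example (not code from this thread or from any of the tools the poster mentions), here is a small PowerShell "cross-view" check in the spirit of the tools that show which processes have been hooked: it enumerates running processes through three different Windows interfaces and reports any PID that one view returns and another does not. It assumes Windows PowerShell 5.1 or later on an elevated prompt; the function name is my own.

```powershell
# Added example, not from the thread. Cross-view process listing: a process
# hidden from one enumeration path but visible through another is a hint worth
# investigating (it is not proof of a rootkit on its own).
# Assumption: Windows PowerShell 5.1+ in an elevated session.

function Get-ProcessViewMismatch {
    [CmdletBinding()]
    param()

    # View 1: the Win32/.NET process API used by Get-Process
    $apiPids = @(Get-Process | Select-Object -ExpandProperty Id)

    # View 2: the WMI/CIM provider
    $cimPids = @(Get-CimInstance -ClassName Win32_Process |
                 Select-Object -ExpandProperty ProcessId)

    # View 3: tasklist.exe, a separate process, parsed from its CSV output
    # (/NH drops the header row, so column names are supplied here)
    $taskPids = @(tasklist.exe /FO CSV /NH |
                  ConvertFrom-Csv -Header 'Image','PID','Session','SessionNum','Mem' |
                  ForEach-Object { [int]$_.PID })

    $all = ($apiPids + $cimPids + $taskPids) | Sort-Object -Unique

    foreach ($p in $all) {
        $inApi  = $apiPids  -contains $p
        $inCim  = $cimPids  -contains $p
        $inTask = $taskPids -contains $p

        # Report only PIDs that are missing from at least one view
        if (-not ($inApi -and $inCim -and $inTask)) {
            [pscustomobject]@{
                PID        = $p
                GetProcess = $inApi
                CIM        = $inCim
                Tasklist   = $inTask
            }
        }
    }
}

# Processes start and exit between the three snapshots, so run this twice and
# only chase PIDs that are reported both times.
Get-ProcessViewMismatch | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: short-lived processes will produce one-off mismatches (hence the advice to run it twice), and a rootkit that filters at the kernel level can hide a process from all three views at once, which is exactly why the thread's advice to scan from boot media (UBCD4Win, an AV boot disk) remains the stronger check.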

There are many security people out there that say once a computer is infected there is no 100% way of being sure you are able to remove all the viruses, spyware, rootkits, etc etc. And that the best way to get rid of it is to Nuke and Pave.

Granted some people here will disagree with that, but nothing is 100% anymore.
 
<begin rant> Among the best examples of people willing to share their knowledge for good and free for so many years are Mark Russinovich and Bryce Cogswell, the founders of Sysinternals. Their tools have been used for years and despite being acquired by Microsoft they continue to crank out great tools, many of which are still free.

There are frankly no "trade secrets" among computer repair people and unless you're in the same area with another tech I think freely sharing info is fantastic. The reality is that the service aspect of a business will win out even if you have two techs using the same tools.

Virus & malware removal has changed over the years, since the Peter Norton versus John McAfee controversy in the 1980s, on which I wrote one of my first college papers. Relying on "one method, one program" has never been the right course and in fact is one of the biggest reasons why people end up being infected and re-infected. Programs like Spybot were the rage a few years ago, but it fell behind simply because one programmer couldn't stay ahead of the infections being churned out by the union of hackers & organized crime. There are a lot of tools available today to assist the process of malware removal, but like any other service the use of them & the process depends on the situation.

I've been in the computer game for 20 years and yet I would say that the shelf-life of the knowledge & techniques I use is about three years. That's to say that things change so quickly that the process you use today will evolve as techniques, programs, virus/malware/crapware/etc, and operating systems change themselves.

Great places, along with Technibble to read up and stay current with virus/malware removal are (not an inclusive list):


A good example that we all know, but I'll share again, of improper use of removal tools that can create a "false sense of security" is the TDSS family of rootkits. You can run Malwarebytes or Superantispyware and detect the rootkit, and have the program "remove" the virus, but a reboot and rescan and it appears again. Running TDSSKiller, then running the scan & removal, will remove the infection. The reality is that computer repair is like most occupations, an evolving trade. I liken myself to my brother, who is an otolaryngologist (ear-nose-throat doctor), in that some techniques remain virtually the same (i.e., CPR) while others (i.e., surgical techniques, medicines) evolve. It's up to us to stay up with them as the "experts".

Oh, and my experience is that those who hold tightly to their "secrets" are usually the first in line to "scarf up" the knowledge of others. Usually that smugness comes across in their customer relations too and hinders their business.

<end rant>
 
Nothing works every time

I will stay away from the flames (former 27 year firefighter)!

I like having a process when I start and I have gleaned good info from some here. An example:

Old PC comes in today. Start:

UBCD4Win
EZfix - remove prefetch, temp files , look at the registry
SuperAntiSpyware -finds several
reboot into safe mode
find Security ????, saw this the first time last week. A rogue, buy-me pop-up. Easy to find, easy to kill (what is this one really up to??? too easy???)
Run Malwarebytes, clean - nothing (so the rogues are handled???)
Remove AVG which has been really poor this year at stopping things (see what happens when you are the number 1 download antivirus)
Put on Microsoft Security Essentials, about time M$ took responsibility for giving us all so much work! :)
Meanwhile install and update Spybot S&D (old school).
MSE updates and runs a check. Finds stuff right away. Check all the auto starts and services and turn off anything not required. Go out on job. Come back MSE found much. Clean
Run Spybot S&D. Dang, lots of bad boys - keyloggers. Machine is probably a bot.

So I have some time in it but mostly just on the bench running. The scanners allow me save time (=$$) as I can see what kind of bugs have infected it and can make choices. So do I N&P to save money or go commando on it? Either way there is only so much I can charge for this job. Every job is different. But without a process where would one begin?
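The "check all the auto starts and services and turn off anything not required" step above is the one that is easiest to do from a single listing. As an added example (not code from this thread), the PowerShell below inventories the common Run/RunOnce registry keys and auto-start services, works out which executable each entry launches, and flags entries whose file is missing or not Authenticode-signed. It assumes Windows PowerShell 5.1 or later on an elevated prompt; both function names are my own.

```powershell
# Added example, not from the thread. Autostart inventory for review before
# deciding what to disable. Unsigned or missing binaries are worth a closer look;
# a signed binary is not automatically safe, it just moves down the list.
# Assumption: Windows PowerShell 5.1+ in an elevated session.

function New-AutostartRecord {
    param([string]$Source, [string]$Name, [string]$Command)

    # Pull the executable path out of the command line. Quoted paths are taken
    # whole; an unquoted path containing spaces (C:\Program Files\...) is cut at
    # the first space, so treat 'FileMissing' on such entries as "check by hand".
    $cmd = $Command.Trim()
    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    $status = if ([string]::IsNullOrWhiteSpace($exe)) { 'NoPath' }
              elseif (-not (Test-Path -LiteralPath $exe)) { 'FileMissing' }
              else { (Get-AuthenticodeSignature -FilePath $exe).Status.ToString() }

    [pscustomobject]@{
        Source    = $Source
        Name      = $Name
        Path      = $exe
        Signature = $status
        Command   = $Command
    }
}

function Get-AutostartInventory {
    [CmdletBinding()]
    param()

    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    # Registry Run/RunOnce values
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($valueName in $props.PSObject.Properties.Name) {
            # Skip the PSPath/PSParentPath/... metadata PowerShell adds
            if ($valueName -like 'PS*') { continue }
            New-AutostartRecord -Source $key -Name $valueName -Command $props.$valueName
        }
    }

    # Services configured to start automatically
    foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'") {
        New-AutostartRecord -Source 'Service' -Name $svc.Name -Command $svc.PathName
    }
}

# Show only the entries that are not cleanly signed
Get-AutostartInventory | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

This covers the Run keys and services only; scheduled tasks, Winlogon entries, browser helper objects and the other autostart points that tools like HijackThis and Autoruns enumerate are deliberately out of scope here, so treat the listing as a first pass rather than a complete sweep.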
 
It really has, too. I have uninstalled it from all of my own and from everyone's I can so far.
The latest research supports this as well. Problematically they have always weighed detection of older "zoo" malware specimens far too heavily, but now that AV-Comparatives has started to correct this shortfall, some interesting trends are beginning to arise.
 
Whoever said Malwarebytes is going downhill is stupid lol. Malwarebytes is amazing! Fast scans, good removal & great detection. Plus it's free and saves you a lot of time.
 
hi

Once infected with new rootkits it's best to reformat!

Why?

Because rootkits modify security settings and make the computer vulnerable; there are so many different ones that do different modifications that it's not realistic to expect to fix the PC properly.

It's interesting that nobody uses Prevx, A-Squared and AVZ Antiviral Toolkit :rolleyes:

My tools:

  1. AVZ Antiviral Toolkit (no 1!)
  2. MalwareBytes
  3. ComboFix
  4. A-Squared
  5. Prevx (control check)

For hardcore infections (if the customer is willing to pay for this):

  • HijackThis 2.0.3
  • Avira BootDisk
  • RootRepeal
  • Gmer
  • VBA32 Antirootkit (this is nice one)

Final stage:

Update Windows, full removal of Java, Flash and Adobe Reader, reinstallation, installing Foxit Reader instead of Adobe Reader.
These 3 are very common ways for malware to install (and IE :p).

Protection:

We recommend and resell the MalwareBytes + Prevx combination. It does not slow the PC and is by far the best zero-day protection combination.

+

  • MVPS Hosts
  • SpywareBlaster
  • Firefox with AdBlockPlus


I think that everybody should sit and learn in detail how to use your rootkit scanner. The same as we did with HijackThis a long time ago.
RootRepeal, AVZ or Gmer are good ones.

If you master AVZ you would be able to remove many infections that are not detected by antivirus programs.
 
Once infected with new rootkits it's best to reformat!

Why?

Because rootkits modify security settings and make the computer vulnerable; there are so many different ones that do different modifications that it's not realistic to expect to fix the PC properly.

I think that everybody should sit and learn in detail how to use your rootkit scanner. The same as we did with HijackThis a long time ago.
RootRepeal, AVZ or Gmer are good ones.

If you master AVZ you would be able to remove many infections that are not detected by antivirus programs.
I hope you're more positive with your virus removal procedure! Why bother to learn how to use a rootkit scanner if you recommend nuke 'n' pave as the definitive solution? :confused:
 
hi

Because most AV vendors recommend a reformat after rootkit infections.

During the last 2 years a high number of infections have been rootkit based; before that it was not that often.

So my professional advice is to reformat; however, I like to do manual virus removal and that's why I do it :)
 
I always nuke and pave

I always let the customer know what the implications are

"I can backup your documents, pictures, music but any software you have will have to be re-installed, by you. It's also obvious that the current anti-virus software you've been using is useless, let me sell you some"

Nuke and pave guarantees a 100% clean PC. In many cases their system will run a lot faster than at the time of purchase (no bloatware).

Never had a system back or complaint.

The best tip I can give is to use an eSATA toaster device to back up the data - this cuts out a lot of time backing up and restoring the customer's data compared to USB.
 
rkill vs safemode

It's always been my practice when I deal with an infected computer to immediately boot to safe mode and then run the various scanning/cleaning tools and manual steps from there. Any thoughts? Am I asking for trouble?
 