My virus removal procedure sheet.

My method for years now has been to run HijackThis and check through the log; after a while you quickly notice the dodgy stuff.

A common area I've seen malware in is IE's BHOs, or Browser Helper Objects.

As has been said, we all have our preferred methods which work for us.
 
Well I saw where it was posted above that one person recommends
GMER
TDSSKiller
Kernel Detective
Rootkit Unhooker
RootRepeal

Do you use all of these every time? If not, which ones do you use the most? I just can't see using 5 programs to scan for rootkits, but maybe that's how it's done.
 

It was me :)

TDSSKiller is a tiny app you run once to find a specific type of rootkit, so I run that every time. GMER seems to be amongst the best at semi-automatically finding them. Kernel Detective and Rootkit Unhooker are a different type of app that show you which kernel files have been hooked or altered. I will run one of these to see if there is anything suspicious going on, and both if I know there is an infection but cannot find it.
 
experience experience experience

You start out with a basic plan in the beginning, and then with experience you change, add, remove steps. We don't treat any two removal jobs exactly the same; you have to develop a feel for what is going on with the computer, and react accordingly from your experience. Learn from every job you do!
 
Strong statement, @ncient Geek! I'm trying to learn how to use Process Explorer right now. Can you show us a better way or direct us to reading material which will show us a better way?

No flaming was intended, nor can my comment be in any way interpreted as flaming. I have two reasons for posting in this way:

1) I believe it to be preposterous to post if you are not really an expert, and there are very few experts in virus removal around. If you are really interested in how to remove the more complicated stuff, come to the various forums, several of which are free. You will encounter some real experts, and, while reading, you will notice that virus removal is very far from "installing AV or MB software and clicking on 'scan'". I have been posting on several of the forums, on one for at least a decade, and I can assure you that the combined knowledge there is just amazing, and cannot be reduced to the simple experience of an everyday technician. If you have questions about virus removal, these are the places to go!

2) This, and similar forums, are places where essentially newbies and start-outs linger, and well so. I cannot believe that simplifying technology to an extreme can be in the interest of someone "taking the big step to independence". Quality primes above all, and misleading information can easily ruin a small business.

Personally, I refuse to give any information about technique or technology. Such information is your most precious asset in this business and is invaluable. If you are making a living with your knowledge, you have no interest to share your most precious business asset.
I have been in this business for almost 35 years, and have seen many come and go. Big businesses and small, geniuses and morons.

One more thing to think about, for all the people sucking up information on this forum: If you have a successful business, you don't have time to post massively. Be very careful about what people post about business strategy if their post number is very high. No one can buy time, and running a successful business is extremely time consuming.
 

I really don't want to be rude but I think that you are misunderstanding the point of this forum. If you are not here to "either share your wisdom or ask legitimate questions" what value does Technibble have to you as a professional?
 
If you have a successful business, you don't have time to post massively. Be very careful about what people post about business strategy if their post number is very high. No one can buy time, and running a successful business is extremely time consuming.
Just because you run a successful business doesn't mean you have to have a crazy busy life. If you manage your business properly, you will put the right people in the right positions and get your business running by itself.
 
One more thing to think about, for all the people sucking up information on this forum : If you have a successful business, you don't have time to post massively. Be very careful about what people post about business strategy if their post number is very high. No one can buy time, and running a successful business is extremely time consuming.
I'd stop digging now if I were you. You're really not coming across as being very credible, just haughty and arrogant. It's not right of you to lambast other practising members of this forum if you're not prepared to offer up anything more than patronising drivel about giving away trade secrets or not having the time.

As you have previously stated you retired a year ago, I wonder how many real-time virus infections you now encounter?
 
Virus removal

I have known a few people in various fields who were very jealous of their knowledge and refused to share it. But basically they were few. When I first got involved with computers I was lucky enough to find someone who was willing to pass along what he knew, though frankly it wasn't a lot about PCs; he'd worked with mainframes all his adult life. One of the things he told me was that "computer people" were very stingy about giving information. Until I found the forums I certainly found that to be true; I learned early on to appreciate any bit thrown my way.

It is true in many fields professionals are probably hurt to some extent by wannabes who are learning the craft, and there is some justification for their attitude. BUT:

To begin with, most of those professionals, if not all, were at some point wannabes. Secondly, and far more important, technology advances on the shoulders of those who have come before. It seems to me that using the pre-existing technology incurs a certain amount of obligation to pass it along. Without that we'd still be living in caves; it is what mostly separates us from animals.

Finally, I have to ask, if someone doesn't want to be involved in the process of sharing information, why would he even bother with this forum? Isn't that its purpose, or have I missed something?
 
@ncient geek, are you for real? (did a rookie computer tech set your dolls on fire as a kid?)

You've never gone to Google for an answer, you've never asked someone for help and you've never assisted anyone with a problem?
If you answered yes to all of these, that would make you an arrogant idiot (who I wouldn't trust with a machine).

Sharing technique and troubleshooting methods is vital to this field of work!
Not one of us is 100% self-taught... that's impossible with computers!

The industry is constantly changing and methods are constantly in need of adapting. Hope that doesn't hurt your feelings.

I do consider myself a virus removal expert! Automated tools, manually removing files, recovery console, live discs, external removals, copying/overwriting files using the Command Prompt, hitting the registry, msconfig, changing Windows services- whatever it takes!
If I remove the infection, isn't that what matters the most?
Who cares if I used one measure over another- I manage my business well enough where I can use more timely and intensive methods (if I want).

And you said "One more thing to think about, for all the people sucking up information on this forum: If you have a successful business, you don't have time to post massively. Be very careful about what people post about business strategy if their post number is very high. No one can buy time, and running a successful business is extremely time consuming."
You just proved that you don't know what you're talking about right there. That statement there is complete tripe!

I am currently an owner of a successful computer business, a Board Member for my town's Chamber of Commerce, a youth leader at my youth group and am constantly involved in other activities in my church and community! The only reason I don't post more on Technibble is because I can't think of stuff to write most of the time. Otherwise, I'd be on Technibble way more often!
Like pc-wiz said, proper managing skills allow you to *gasp* post stuff online without being detrimental to your business. (I know, crazy, isn't it?)

--Please, oh so wise and all-powerful @ncient geek, enlighten us with where we may get knowledge from the TRUE experts! We are all worms, and can only pray that you'll shower us with the grace to actually back up what you're saying!--

 
I come here like many of you, to share what you know and also to learn from others.

Besides ever since I was a little techie baby, I was told to share!!!!!!!!!!!

:)
 
Yes, absolutely. You are missing ALL of the more interesting malware and rootkits as well as several of the newer fake antivirus software crap. You definitely have got to read up.

None of the better stuff will show up in Process Explorer
Only the really crappy stuff will show in Autoruns
Malwarebytes has been a goner for a couple of months now (unfortunately). It was never REALLY good, but a helpful tool all the while.

Funny, I have been reading quite a lot of garbage about malware removal, especially manual removal, recently on Technibble. I hope this will change quickly. I get the creeps when I hear people talking about manual malware removal and the methods employed. I would immediately fire any one of my technicians if they went about malware removal in this manner. Read up people, and stop posting crap !! There are people here who are going to take you seriously and who are going to f... up their business.


Are you out of your mind? About 99% of the time, if Malwarebytes, Spybot and SuperAntiSpyware won't remove it, chances are good you will end up doing a reinstall. I have only had these programs fail me 3-4 times in years.

You would fire a tech for using Autoruns, Process Explorer, and Malwarebytes? Maybe you need to be in a different business.


you will notice that virus removal is very far from "installing AV or MB software and clicking on 'scan'"

Yeah, sometimes you have to get down and dirty with the more complex stuff, but the programs I named off will nuke about 95% of the malware ever created, other than a few bad viruses, rootkits or firmware infections. Again, if a system is that far gone, why not back up and reinstall?


I was going to ask you to please enlighten us morons as to how to properly remove infections but then you posted this gem:

Personally, I refuse to give any information about technique or technology. Such information is your most precious asset in this business and is invaluable. If you are making a living with your knowledge, you have no interest to share your most precious business asset.
I have been in this business for almost 35 years, and have seen many come and go. Big businesses and small, geniuses and morons.
 
back to the old adage...

It is very time consuming to remove viruses manually. But I do it using different techniques. ;) I've programmed a lot in assembly language for Intel PCs, but there are many other languages that viruses can be written in, and ways for them to slip by. We all know this.
One shop I know, that is privately owned, simply removes the drive, slaves the drive, and copies the data files. Obtain CDs for programs, CDs for the OS, CDs for all drivers. Erase the drive, reinstall Windows and all the customer's OS files, reinstall programs, printers, devices from CDs, and finally customer data.
Yeah, you can overwrite a rootkit. What if it's in the BIOS of the PC... well, you know how to clear the BIOS.
If this procedure is used every time, a PC will never come back to you.
Yet, since I like pain, I usually go the other route 95% of the time: I manually remove stuff using my scripts, and my special server to back up and encrypt files and scan for viruses on the fly, etc. If it's taking entirely too much time to use my automated script system, I simply nuke & pave. Certainly I prefer an easier solution, but if you get good at both methods, and follow a procedure, and definitely use the scripts in the script forum by Methical & atYourService and others, you will get more done faster. I never want anyone to bring one back and say "it's doing it again..."
Now... my friend that runs another shop, he never ever has had a single PC brought back, but... he always nuke & paves, and restores drivers, printers, and "cleaned data". There is nothing wrong with his method. The PC is definitely clean, and he never works late in the night on a single PC; he also knows exactly how long it will take to complete that procedure (within limitations of course...). He's been in business for years and never had a PC brought back by ANY customer, ever.
My big point about this is simply: there are new viruses that YOU can't always know about, and neither can your scanners. You could think you have a PC completely repaired, but there is a virus or trojan still active on that system. If it's new enough and not spread far enough, the antivirus people will not know about it either... So manual removal is actually the riskiest method, and the most time consuming. With that said, N&P is the safest method, and usually the least time consuming on a heavily infected system. I have actually cleaned over 1100 infections off of a system and it took forever (like all night long). So think about that, decide what's best, what's riskiest, etc. for yourself.
Yes, there are people on the forum who will call you a pizza tech, and jump down your throat if you nuke & pave, but in all honesty, I've never heard a good reason why it's not the best method to use, for your clients and yourself. It should not be guesswork, it should be 100%, so N&P is the best method. People who say otherwise may not want you to know or practice a faster method of getting a PC clean without all the stress and headache. Now me, I enjoy it, if I have the time. Using an automated system can give you that time, so that you can spend more time on more interesting cases. But there are N&P techs who can do the same thing I do, with 1/500th of my knowledge, and that's fine. I am smart enough to know that I may encounter a virus that no antivirus or antitrojan people know about, and had I nuked and paved, my customer would be happy, instead of sitting in my office with a question mark on their face.
What do you know about disks? An infected floppy, for example... is the 3rd hex digit anything but 90, which is hex for the assembly no-operation code? If it's a jmp command, it's probably a virus or a special boot sector for something proprietary. But really, none of us have the time to fire up Sourcer, Hacker's View by SEN, MASM, TASM, SoftICE, Windows disassemblers, and search through a mountain of assembly code to figure out why 1 program out of hundreds of thousands on a personal PC is misbehaving; it's just not profitable enough... Even a short tiny utility can generate thousands of lines of disassembly code. Not to mention that Windows can be programmed in so many languages, scripts, and codes, that exploits, viruses, trojans, and other malware can be anywhere. It's not even comparable to a needle in a haystack, it's more like... a needle in the desert.
So in reality, who is smarter? The person that slaves the drive, backs up the data while simultaneously scanning it for viruses and trojans, backs up drivers, and reinstalls the OS and all drivers, printers, and data? Or the one who does the guessing game (me), that spends more time doing it? In the end, the result is that the N&P tech's solution is the best. It's the best for speed, the best for security, the best for you and the client every time. So you say, "what if it's something simple?" My only answer can be, "how do you know it's something simple?" You don't. You can't. They could have the worst virus on their PC in the history of the world, and all you are seeing is a few tracking cookies and an Alexa reference. New things come out all the time. Every time we think we can use integrity checkers, CRC, heuristics, signature scanners, etc., something new comes along. For example, there are viruses that target antivirus software programs and turn them off. Think about this deeply, and you will see why my method is not as good as the N&P tech's. Because I can never be 100% sure.
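The boot-sector check PcTek9 describes above (a FAT floppy sector normally opens with a short JMP followed by a NOP, 0x90, so anything else in that slot is worth a look), written out as an added example that is not part of the post. The sectors it inspects are constructed in the script; the jump-target bounds and OEM-name check are extra sanity checks of my own, not claims from the thread.

```python
"""Sanity-check the opening bytes of a FAT-style boot sector.

Added example, not from the thread: a clean floppy boot sector normally
opens with a short JMP followed by a NOP (0x90), so anything else in that
slot deserves a closer look. All sectors here are constructed in code."""
import struct

SECTOR_SIZE = 512
NOP = 0x90
JMP_SHORT = 0xEB         # EB rel8: 2-byte short jump, normally padded with NOP
JMP_NEAR = 0xE9          # E9 rel16: 3-byte near jump, no NOP slot
BOOT_SIGNATURE = 0xAA55  # stored little-endian as 55 AA at offset 510


def make_sector(jump=bytes([JMP_SHORT, 0x3C, NOP]), oem=b"MSDOS5.0",
                signature=BOOT_SIGNATURE) -> bytes:
    """Build a constructed 512-byte sector: jump, OEM name, zeroed BPB, signature."""
    body = (jump + oem.ljust(8, b" ")).ljust(SECTOR_SIZE - 2, b"\x00")
    return body + struct.pack("<H", signature)


def inspect_boot_sector(sector: bytes) -> list:
    """Return a list of findings; an empty list means nothing looked odd."""
    findings = []
    if len(sector) < SECTOR_SIZE:
        return ["sector shorter than 512 bytes"]
    b0, b2 = sector[0], sector[2]
    if b0 == JMP_SHORT:
        # Standard layout is EB xx 90: jump over the BPB, then NOP padding.
        if b2 != NOP:
            findings.append(f"byte 2 is {b2:#04x}, expected NOP 0x90 after short JMP")
        rel = struct.unpack("<b", sector[1:2])[0]
        target = 2 + rel
    elif b0 == JMP_NEAR:
        rel = struct.unpack("<h", sector[1:3])[0]
        target = 3 + rel
    else:
        findings.append(f"first byte {b0:#04x} is not a JMP opcode")
        target = None
    # Assumption: a legitimate jump lands past the OEM name and before the signature.
    if target is not None and not 0x0B <= target < SECTOR_SIZE - 2:
        findings.append(f"jump target {target:#x} is outside the expected code area")
    if not all(0x20 <= c < 0x7F for c in sector[3:11]):
        findings.append("OEM name contains non-printable bytes")
    if struct.unpack("<H", sector[510:512])[0] != BOOT_SIGNATURE:
        findings.append("boot signature 55 AA is missing")
    return findings


if __name__ == "__main__":
    clean = make_sector()
    tampered = make_sector(jump=bytes([JMP_SHORT, 0x3C, 0xFA]), signature=0x0000)
    print("clean:   ", inspect_boot_sector(clean))
    print("tampered:", inspect_boot_sector(tampered))
```

A finding is a reason to look closer, not proof of infection: OEM-only boot loaders and non-DOS media legitimately break these rules.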
 

+1 If you don't need to acquire information, @ncient geek, and you don't want to share it, why are you on a forum? You must have better things to do...

PcTek9, dude, now that was a rant :) I was looking for a Table of Contents... :)
 

If you don't want to share with the rest of us and think you are better than us "morons", please stay off of this forum, then.
 
Virus removal

PcTek9, I tremble to post this because I know it sounds like little green men from Mars, but I once had some sort of Norton thing pop up at boot which survived 2 NTFS full formats. I knew so little at the time the only thing I could think of was formatting to FAT32; that did finally get rid of it. Of course then I formatted back to NTFS. I still use that occasionally; it seems to work. I don't much like DBAN; I feel it really stresses the HD.
 
I've started using Trinity Rescue Kit for removals now; you can scan using the five automated scanners on the disk or, with the press of a single button, turn it into a file server and scan it from across the network and slave the registry and remove stuff manually. There are a lot more features as well, definitely worth looking into it.
 
I have a custom WinPE boot image which is part of my multiboot device that I can use to hook into the remote registry with nearly any tool I choose (I've created shortcuts and right-click integration to this effect in the local Explorer replacement). From there, I:
  1. create a precautionary drive image
  2. remove autostarts (without interference from rootkit activity)
  3. delete files in question
  4. run a quick Windows/Program Files scan
  5. clear temp files
  6. check system file integrity by hand and using a script that I wrote specifically for my boot disk to ensure no kernel-mode rootkits are active
  7. boot into the local Windows OS and run a scan to produce a log about filesystem activity to reveal any hidden threats
  8. follow up with a Malwarebytes scan and final rootkit check

Never fails me. Of course, a lot of the process is intuition and experience; I'll add/remove steps based on the nature of the infection if need be. But I am ridiculously quick and incredibly thorough. I love disinfection and I wouldn't mind doing 30 computers a week if I could muster the business.
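Step 6 of the procedure above checks system file integrity from the WinPE boot, where the infected OS is not running and cannot hide or lock files. The poster's own script is not published here; as an added example, this is one way that comparison can be done: hash every file under the offline Windows tree and diff it against a known-good manifest. The "good" and "suspect" trees are constructed in temp directories (the file names are samples, not indicators from the thread).

```python
"""Compare an offline Windows tree against a known-good SHA-256 manifest.

Added example, not the poster's script: run from a rescue environment, the
baseline comes from a trusted install and the suspect tree is the mounted
offline system. Both trees below are constructed in temp directories."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's root-relative path (forward slashes) to its SHA-256."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_tree(root: Path, baseline: dict) -> dict:
    """Report files added, missing or modified relative to the baseline manifest."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


def write_tree(root: Path, files: dict) -> None:
    """Create constructed sample files (relative path -> bytes) under root."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: one patched driver, one dropped DLL, one deleted helper."""
    good = {"System32/drivers/disk.sys": b"clean driver",
            "System32/userinit.exe": b"clean userinit",
            "System32/helper.dll": b"clean helper"}
    suspect = {"System32/drivers/disk.sys": b"patched driver",
               "System32/userinit.exe": b"clean userinit",
               "System32/dropped.dll": b"unknown payload"}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(Path(a), good)
        write_tree(Path(b), suspect)
        return compare_tree(Path(b), build_manifest(Path(a)))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline must come from media you trust (install disc or a clean image of the same build and patch level), or the comparison only confirms the infection against itself.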
 


+1

I thought that was why we were all here. There is nothing secret about what us techs do. About 80-90% of the fixes I do on a regular basis could have been googled by the owner. The difference is most of it I don't have to google because of years of dealing with the same issues over and over. I can get it done in a more timely manner and handle problems that might come up if something goes wrong.

@ncient geek

You say you have been at this for 35 years? Is this true? If so you should be a wealth of information. Even more so when it comes to batch files, scripts and DOS. You should really try sharing a little of that knowledge instead of being an arrogant elitist.
 