Your virus removal process...when to nuke?

Appleby

Appleby

New Member
Reaction score
3
Location
Texas
My virus removal process is probably not the best and with viruses getting worse and worse I don't think this is going to continue to be a good option.

Usually first thing I do is boot up and see how bad the visible damage is. If it's really bad, I go to safe mode and (hopefully) get Malwarebytes installed and do a quick scan. If I can't get Malwarebytes or Superantispyware installed, I will try to get HiJackThis installed and do a quick cleaning of anything I recognize as bad right off the bat. If that doesn't work, I try to get UnhackMe installed and do a reboot so it will scan before Windows fully loads. Obviously if nothing at all can be installed I've got a bad one and I take some other steps, but those seem to be the exception and not the rule.

So assuming I can get Malwarebytes or UnhackMe running, I do their scan/cleanup then go with a quick scan with Superantispyware. Cleanup, reboot, then Malwarebytes will usually update, full scan, clean if infections found, reboot, Superantispyware full scan...you get the idea. I want the three programs mentioned all coming back clean after full scans and HiJackThis coming back clean also. If I see no visible signs of infection, so odd processes in taskmanager, I usually call it clean.

I know this process is not the best, especially with some more of the nastier stuff coming on scene. It is also VERY VERY time consuming on a severely infected computer. Some of these scans on an old and infected computer can take 2-3 hours each! Ridiculous. After a day of this and I see I've still got problems and the scanners are coming back clean I kind of run into a brick wall and wish I'd just backed up and nuked the customer's system. It would have been MUCH quicker and they would have come out with a better running pc with a fresh install of Windows.

So I guess I'd just like to see what ya'll's feelings are and what you are doing. On some badly infected drives, I've been removing them and hooking them up to one of my laptops via SATA/IDE to USB adapters and doing a Malwarebytes scan on them. I have Kaspersky on my systems and immediately flips out and starts trying to quarantine all the infected files on the customer's drive. Problem is, in the last two weeks I've had two customers Windows installations damaged after this process and I had to do a repair install to get them back up and booting to the user's deskop again. I'm not sure whether to blame Kaspersky, Malwarebytes or the viruses, but I'm really leaning towards Kasperksy.

Thoughts? I need help here because my phone is ringing off the hook with virus jobs the last few weeks and I'm spending WAY too much time on each of them and not charging for it.
 
Most of us here use Process Explorer, Autoruns and Hijack This to manually remove viruses then follow up with a few to scans to get rid of any lingering remnants. You might wanna take a look at Bryce's podcast on How to Remove a Virus Without a Virus Scanner and this video as well http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359. Both are very good. The second goes into more detail on the tools that we all use. Only if there are a lot of system files corrupted should you nuke which should always be your last resort.
 
Last edited:
Most of the rogue antivirus programs I have been seeing lately are super easy specifically Security Tool and Antivirus Live. Rename the folder where the virus is being launched (usually in c:\documents and settings\%users folder%\local settings\application data\%some suspicious folder name with a bunch of random characters%, log off, log on, run MBAM.

If it is more infected boot from UBCD4WIN and do a manual removal. All these rogue antivirus programs hide in the same locations its just a matter of becoming familiar with what should and shouldn't be there.
 
Just a few comments.

You MUST get adept at manual virus removal as that is the way to speed up your work (read $$) and set you apart in the marketplace. Last week I got an unbootable machine that was quoted $300 from another shop to N/P without data backup. I was able to clean and restore to full function and already have two word-of-mouth referrals from it.

You will find many discussions about Nuke and Pave here in the forums and the consensus is that for home users it is a bad solution. It disappoints the customer in many ways, change to everything they got used to and leads to many call backs such as "where is that picture of the little man I used to click on to talk to my cousin in Minnesota?" "How come when I look at my pictures it looks different, I want it the same" (file extension linked to some default viewer instead of the proprietary one that installed when they installed their printer . . . yes . . I am talking about you HP). No MS Office installation disk 'cause it was a pirated copy from their old girlfriend's IT guy. It goes on and on and on.

The exception is the office machine with excellent backup and all necessary program install disks. There the N/P solution is expected.

Next point. MBAM is designed to work in a normally booted environment. Slave the drive and MBAM will only remove a portion of the offending rogue because it has not generated the random exe files that cause the rogue's behavior.

On my bench machine I have realtime scanning disabled. There is no good reason for it to be in place since I know what I am accessing, it slows everything down and when an infected drive is connected it does freak out.

If you are going to be learning manual virus removal, optimize your time by taking the virus jobs all together and only in the shop. Have three machines running your MBAM/Roguefix/UnHackme/DrWeb/SuperAntispyware/et. al. while you spend your time with one machine in "Manual Virus Removal University". (Multitasking = $$)

Welcome to the forums Appleby, sounds like you will fit right in here.
 
Thanks for all the help guys. I really need to learn more on the manual removal. I'm going to read all I can on how to do this. Where can I find a link to Bryce's podcast with this info?

I did try something a little different today and I don't know if it was a fluke or if it really worked.lol I've got a couple more infected machines waiting for me at my office to try it on again. Basically as soon as the machine booted I ran the rkill app which then allowed for the easy install of HiJackThis. I'm not HiJackThis expert but most of the really bad stuff is obvious to me, so I can quickly remove it that way. Trapped mentioned looking in the Application Folder which I did but I did't find anything. However, I did find some very suspicious folders in the Temp folder which I renamed for the time. Then I found a folder in the Program Files for one of the fake scanners and I was able to delete it since all the processes had been killed. I rebooted to what looked like a much cleaner pc. I ran Mbam, HiJackThis again and Mbam found a few minor adware problems. Reboot, Superantispyware installed and ran, found nothing, mbam ran found nothing, ran Ccleaner and reset all the IE settings to default, the user's Trend Mirco AV was back up and running and everything looked great. Wow talk about easy!

I think it was a fluke.:D I really need some OJT on autoruns and process manager though. Thanks guys.
 
I should also add that the full blown nuke and reinstall is my very last option because of the headache, trouble and risk of unsatisfied customers due to all the reasons mentioned above. I have never had an unhappy customer after a reformat but I've sweated it many times. I make them verbally tell me multiple times that "yes" I've backed up everything they care about and "yes" they understand they will have to reinstall printers, software etc. Honestly most of the time, when I see the customers again, they tell me the computer is running so much faster etc that they are happy we did the reformat, reinstall, but I still don't like doing it for obvious reasons.

I just didn't want it to come across like I'm reformatting 50% of the machines coming in my office for virus infections. I haven't had one that bad in a couple months.
 
At this point in my career (and that can change in a heartbeat, with some new type of infection), the only thing that beats me is Virut. Right now, the only thing that seems to touch Virut is Dr. Web, and IMO, its boot CD environment takes too frickin' long (hours and hours), and is NOT cureable manually, unless you won't to remove every exe, pif, scr, and/or html file from said computer. Then, you'll have a non-bootable OS, plus non-working programs that you have to reinstall. Which means you might as well...nuke and pave.

In these cases, I'll back up what I can, but I think that's dicey as well. What if it rides along with the stuff you backed up?

The moment I see Virut, I punt, currently. Hopefully, someone will come up with an answer to Virut/Sality that will indeed be a fix, not a "disenfected some/deleted others" solution like Dr. Web.

I don't understand that myself; why can't Dr. Web disinfect ALL if it's the same infection? Weird, in my book.
 
Iladelf, just curious, how do you determine that a system is infected with virut?

I just finished watching the MS manual virus removal video that was linked to by Wheels earlier in this thread. Oh my goodness!:eek: That was over my head. I was sort of excited early in the video when he started showing how to use Process Explorer and I was really keeping up pretty well but it went down hill from there for me. I am not ashamed to admit, that after watching that I realize I know NOTHING about the deep workings of computers.lol Seriously, that made me want to change careers.ha As difficult as all that looked to me, it seems like a nuke and reinstall would be 10x easier/quicker/cheaper than doing all the manual cleaning he was doing of rootkits. Seriously, that looked like a nightmare to me!
 
I never N & P unless I absolutely have to

I never N & P unless I absolutely have to, here is some reasons why:

Most users just backup My Documents, well there is a lot more user files than that, I have files all over my drives. What about their mail and what about all the stuff in %appdata% I've had more than one user backup their shortcuts thinking they were backing up their files and then they give you the discs and look at you like your stupid when you tell them you can't install these.

Most users don't have their keys and/or software discs. With most PCs they don't come with disc, the user has the option of make one set of recovery discs to restore the pc back to when they bought it but how many users do you know that makes the discs after they buy a new PC.

Most users don't know their passwords or email settings or favorites or cookies or etc. I just know if I back any of these up that I am going to backup malware with them or at the very least miss something and not back it up.


Removing malware is not that hard once you learn how to use the standard programs and learn what should be running and what shouldn't be running. Most malware run by changing registry settings, don't be afraid of the registry. Do this get yourself a test machine and run ERUNT to backup the registry and then run AutoRun and look at the places where things startup. If you find something like:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ccagent.exe"
or
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "ccagent.exe"
Go to that key after you've stopped as much as you can by exiting things and running programs like rkill and Process Explorer, then delete that value. (ccagent.exe stands for Control Center which is a malware program)

Lots of malware now remove the safe mode registry keys, if you're having trouble getting into safe mode then check on them by going to:
HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \SafeBoot \Minimal
Most of the standard programs are portable so you just run them without even have to install them so put them on a CD or a USB drive with a write protect switch, also you you can download the most recent updates for anti malware programs so put them on the CD too. www.filehippo.com is a good place to find most of the programs you will need,


There is all kinds of stuff you can do like holding down the Shift key immediately after login and until after the desktop icons load, doing this will stop some startup items. I also recommend having a good setup like having a PC on one side of you with Firefox running with Google and Technibble tapped and on the other side of you have a test PC to run scans on slaved drives.


Also use the Recovery Consoles and live boot CDs like:
Avira Rescue
Dr. Web
UBCD
UBCD4WIN
FSECURE
Here a link to Bryce's videos:Sorry for making this so long, I could go on and on, I love to remove malware.
 
Last edited:
atlanticjim said:
Just a few comments.

Last week I got an unbootable machine that was quoted $300 from another shop to N/P without data backup. I was able to clean and restore to full function and already have two word-of-mouth referrals from it.
Click to expand...

Man I wish stores near me where charging that sort of money to install an OS. That is insane. Put the disk in, let it run. That'll be $300 please.

Appleby - Mark Russinovitch, from that vid, is one of the world's foremost authorities on Windows internals. So I wouldn't feel too bad!

Re: the OP - I don't think it just about skill vs ignorance. You have to look at it from the customer's benefit angle. If it's a simple removal and a well-used, customised, data-filled system is restored then manual removal is of major benefit. If it's a new laptop used for web surfing and full data backup that is heavily infested, then a restore from the restore partition could be the better solution for the customer. Same with a very old installation which was getting super slow anyway.
 
just curious, how do you determine that a system is infected with virut?
Click to expand...

Dr web live cd does a good job of cleaning this up so far the only machines i had to nuke are ones that customers asked to be nuked using process explorer and autoruns is easy once you know what to look for.

Most of it is visual really security tool is very easy to remove all you need is autoruns and safe mode the icon for the program shows besides the random number file.
 
Appleby, regarding how I determine if a computer has Virut, it's mostly by feel. If I can't run any removal programs, plus can't start other programs on a machine, I'll slave the drive into my removal machine. The moment a Virut file is found, then I know what I'm dealing with.

My intuition has been right 100% of the time when suspecting Virut. Just comes with experience, that's all.
 
Just curious, when was the last time you guys got a machine with virut on it?

I haven't seen virut in my shop for about a year.
 
I had one about 4 months ago. This to do date has been my hard virus removal ever. Gave up an entire weekend trying to remove it, in the end economics told me that my only option was to nude and pave.

All I can remember about is that eventualy I got the scanners to come back clean, SFC replaced infected files, but the machine still behaved like it was full of viruses (sending out spam etc). I figured that everything from office etc must have been infected. I don't remember it exactly though.
 
I've done a couple of nukes in the last year, one of which was a virut which I tried to clean but failed, and the other was a machine that had obviously been infected for months and gradually declined until the point where the operating system was utterly trashed. They were both very happy though because their new installs were 20x faster than before...
 
We usually recommend a system rebuild if the infection level + tuneup is going to take more than 3 or 4 hours. This is because we charge hourly for cleaning and flat fee for rebuild.
 
You must log in or register to reply here.

Similar threads

Blue House Computer Help
Rootkit scanning and removal
2
Replies
20
Views
598
Sky-Knight
Sky-Knight
DRPCNZ
Scanning to email from Printer
Replies
17
Views
384
DRPCNZ
DRPCNZ
thecomputerguy
Where the heck is the Ricoh scan software?
2
Replies
26
Views
738
HCHTech
HCHTech
johnrobert
Mac Mail
Replies
6
Views
203
timeshifter
timeshifter
Rigo
Assessing and cleaning up scam compromised computer-phones
Replies
19
Views
1K
britechguy
britechguy
Back
Top