What program do you use to remove rogueware?

bytebuster

I WAS using Avast! BART, since it's CD-R based and portable. But it doesn't always catch everything. Now that I'm going for an approach where I mount infected HDDs on my bench machine as slave drives and clean them that way, I'd like the best cleaner I can get. I looked at Malwarebytes' website and they only update it every few months. Do they use a different detection method (not definition based) that makes this feasible? What do YOU use on your bench machine?
 
I normally do a manual removal to get rid of the rootkit and then an MBAM quick scan. There are a variety of other tools I will use depending on the difficulty, including ComboFix, Autoruns, TDSSKiller, etc.
 
If it's easy enough to grab the hard drive out of the desktop/laptop, I hot swap it to my bench machine, run MSE on the drive, and then a safe mode ComboFix.

That's just half of one method. I use dozens of different counter-attack measures that include a mix of manual removal, ComboFix, MBAM, SAS, TDSSKiller, offline MSE scans, Avast BART, MBR rebuilds, etc. Usually I do all the above since there's lots of time to do it, working in-shop rather than onsite.
 
Kind of disappointed in some posts here.

Nuke and Pave is not the way to repair computers. It is a lot easier to clean an infected computer than to have to worry about all of the customer's files and programs. The risk of losing their data is another concern.

Hooking up a hard drive to another computer and letting that computer do the removal is NOT the best thing to do. It is always best to run removal software within the environment of the infected computer.

I have a file server that I keep my removal programs on. I map that drive on the infected computer and run my programs from that.
 

Yup. That's why it's up to the customer. It takes me longer to cleanly remove malware than it does to do an N&P. If the customer wants it cleaned up, I'll do it. If they don't, I'll do that, too. Customer's choice, and many of them really appreciate the option.
 

No offense...but the customer has NO IDEA what you're talking about. If they did, they would not be bringing it to you.

The proper way to remove a virus is to remove it, not nuke the drive.
 

Oy. Not again. Do you have a cite for that? Microsoft themselves say somewhat differently.

Rick
 


First, this is a link for a business environment...not residential. Of course it's best for an IT guy to wipe a drive that doesn't have important files (pictures, emails, etc.). Most businesses should have all of these files on the server. In this regard it saves time. Wiping a residential drive for a mildly infected computer is the "easy" route for the tech, but is not the best for the customer.

I don't believe that recovery from malware is impossible, and in most cases it is faster to remove it than wiping the drive. I only believe in wiping the drive on severely infected machines. Most techs will agree with this method.
 

As do I. But that does not make it the one true "right" way. The "right" way is the one that benefits the customer the most, whichever that may be in any given case.

Rick
 
To each his own, guys. Some people have methods which are frowned upon and others just outright quirky; the debate on a "Nuke'n'Pave" is really one that can hold its own on both sides of the fence. In my opinion the cons outweigh the pros, so I've taught myself how to remove even the most stubborn malware.

The biggest benefit of a Nuke & Pave is the fact that the computer is "fresh": no need for a tune-up and no need for a virus removal, unless the virus is embedded in a hard drive's MBR or hardware's BIOS. (Very rare, but not impossible.)

The biggest con of a Nuke & Pave is, well...a lot of inconvenience for both you and your customer. On the client's side you have the fact that usually they don't save their software product keys, system preferences (from display to wireless network settings, etc.) and, most important of all, personal data. On your side you have to take into account the fact that you will need to find drivers, which can sometimes be more time consuming than manually removing malware, backing up and restoring data, personal files, etc. Reinstalling the client's software and, if you're smart enough, backing up and restoring the client's settings. Then of course you will have to deal with laptops with their "media keys" and proprietary stuff, which is always just another hassle, and FINALLY the biggest con of them all: dealing with customers complaining about "where is x thing" or "why doesn't y work anymore" or "what did you do to z!?"

Anyway, to go back on topic. I use ComboFix, RogueFix, Malwarebytes' and SuperAntiSpyware. Before I do all of that, though, I always boot into a Linux-based PE and manually check for viruses and then proceed to doing the "automated" way.
 

This is what I'm saying. Most of the time, it is best for the customer NOT to wipe the drive. I am simply disagreeing with his way of always wiping the drive because that's what works best for him.
 

A few thoughts here. You are making a lot of assumptions. You don't deal with his customers, nor do you know what his "intent" is.

With my customers, it's split about 50/50. As long as many of them can get their email or surf, they're quite content. For those that do want N&P, we do a Fabs or Windows Easy Transfer, and frequently an image of their drive.

As Joseph said above, there ARE advantages to a N&P, along with the disadvantages.

Rick
 



What assumptions am I making? I'm going by experience, not assumptions. Why would I need to know his customers or his intent? If he is in the same business as us, he has the same type as us. Most don't know what he would be talking about.

If they do know what he or we would be talking about, OK, cool, that's what the customer wants and it doesn't fall into what we are talking about, which is the best way to remove rogueware, as the OP asked.

The only time it is an advantage is if the customer totally understands what will happen. Otherwise you're risking your image.
 
FWIW here's my 5c:

1. Agree, not a good idea to slave an infected drive to another machine. Especially a working machine that will have access to other customers' data.

2. Agree N&P is a second-rate fix. Too much inconvenience for customers GENERALLY SPEAKING (for some customers this may be preferable). I think best practice is to at least canvass this with customers as an option and see if that's a solution they want. Gives them the choice.

3. I think a 'best program' for blanket 'malware removal' is really problematic. Different tools in different situations. No one tool is going to give results on all machines.
 
Here we go again.

The entire process for N&P can be automated. That includes backing up files, settings, drivers, installing an image, drivers, restoring data, and even to some degree, programs. 5 Seconds to kick it off, and an hour later, a fresh clean machine with all the files and settings, and some to all of the programs.

Now I'm not saying N&P every time. If anyone has ever dealt with a lawyer, you'll know the worst kind of people to deal with from an IT perspective; anything out of place gets scrutinized. Unless absolutely necessary, you never N&P their system. There are however, plenty of people in which an N&P is going to be a better option, especially if you automate the process.

I'll repeat myself: N&P isn't what you should be looking at first whenever you tackle a malware issue. It's also not something you should look at as a "second rate" repair. When you first look at a system, you should consider the amount of time it's going to take you, the probable return rate, the client's attitude, and how inconvenienced they would be with an N&P over a removal. You can weigh the factors and make an educated decision on the best course of action for you and your client.
 
FWIW here's my 5c:

1. Agree, not a good idea to slave an infected drive to another machine. Especially a working machine that will have access to other customers' data.

Slaving a drive to another machine presents pretty much zero risk of cross infection.
 