What program do you use to remove rogueware?

Here is a post from me about a year ago. I have had good comments on it so I am repeating.
Just a few comments.

You MUST get adept at manual virus removal as that is the way to speed up your work (read $$) and set you apart in the marketplace. Last week I got an unbootable machine that was quoted $300 from another shop to N/P without data backup. I was able to clean and restore to full function and already have two word-of-mouth referrals from it.

You will find many discussions about Nuke and Pave here in the forums and the consensus is that for home users it is a bad solution. It disappoints the customer in many ways, changes everything they got used to and leads to many callbacks such as "Where is that picture of the little man I used to click on to talk to my cousin in Minnesota?" "How come when I look at my pictures it looks different, I want it the same" (file extension linked to some default viewer instead of the proprietary one that installed when they installed their printer ... yes ... I am talking about you, HP). No MS Office installation disk 'cause it was a pirated copy from their old girlfriend's IT guy. It goes on and on and on.

The exception is the office machine with excellent backup and all necessary program install disks. There the N/P solution is expected.

Next point. MBAM is designed to work in a normally booted environment. Slave the drive and MBAM will only remove a portion of the offending rogue because it has not generated the random exe files that cause the rogue's behavior.

On my bench machine I have real-time scanning disabled. There is no good reason for it to be in place since I know what I am accessing, it slows everything down, and when an infected drive is connected it does freak out.

If you are going to be learning manual virus removal, optimize your time by taking the virus jobs all together and only in the shop. Have three machines running your MBAM/RogueFix/UnHackMe/DrWeb/SuperAntiSpyware/et al. while you spend your time with one machine in "Manual Virus Removal University". (Multitasking = $$)
 
Why is it every time on these forums someone asks a question about virus removal, it has to become a discussion on N&P vs Removal? Come on guys. Put this issue to rest. It's like the Christian arguing with the Atheist. There ends up being a lot of yelling and nothing changes. The Christian still believes he is right and so does the Atheist. So why bother trying to fight? It goes nowhere.

I believe in the removal. I would even go as far as to say that I enjoy the battle. Who is going to win, me or the virus? But then again I do offer N&P at a cheaper rate than a removal. (Only $10 cheaper.) Then I do charge for backup, so I could end up being more. If I lose the battle and have to N&P for a virus removal then the N&P + the backup will be charged at the Removal price. I do my best to explain all this to the customer and let them decide. 75% of the time they agree to the Removal.

Anyway, to answer the OP: I use too many different methods to describe. But normally I start with Hiren's. Boot to MiniXP. Look at the autoruns and run a quick scan of SAS. Then go from there.
 
I have to agree with the comments that this subject has been beaten to death. However, I think many of the people that are defending N&P are not using relevant examples. Yes, there are many situations where N&P is the way to go. A few would be a bad hard drive, giving the system to charity, a used system, nothing's important and they want it fresh, and maybe even a badly corrupted system post-virus. However, if you are N&Ping a system for run-of-the-mill rogueware then all I have to say is, does that come with pepperoni and pineapple?

My point is rogueware is just that. It's not hard. Even if a completely crippled machine takes me 2 hours to clean, which is very rare, it's still worth cleaning it to give a system back to the customer the same as it was. If I do a N&P it's because I don't trust that the system can be made right again, not because I think it will be quicker. What this does for me is when a customer gets their system back they tell their friends "You would not believe it, I thought this system was a goner. When I got it back it was exactly the way it was and worked great" and not "You would not believe it, I got my system back and all my files were gone and I had to buy another copy of Office, I still can't find that recipe site I had bookmarked, and what's this fox fire here. I would have been better off buying a new computer." I don't know about you but I think this is why I get the referrals and I hear the stories about the latter. I hear this story all the time. Customers don't understand, they just want their computer fixed and they want it back the way they had it. A fresh OS to a customer is like a brand new thing that now they have to learn all over again, and every time they can't find something "It's that damn tech's fault".
 
Just my 2 cents but I run everything ON the host machine. I'll pull the drive to do backups if necessary. Nuking the drive is a last resort, usually reserved for machines from certain teenagers I know... :D No I haven't done anywhere near the number of machines most of you have done but I've only absolutely had to nuke a couple of machines over the years.
 
Ok, Chuck Norris joke.

How does Chuck Norris remove malware?

He doesn't have to. He looks at the machine, and the malware's gone. POOF!
 
Safe mode w/ networking > Autoruns > ComboFix > SAS Portable > Malwarebytes > manual check > NPE. If that doesn't get the system clean, then I look at the Windows load and see whether it would be better to continue the malware/virus removal or suggest a reload. If it's a simple install with nothing installed, is it really worth the time to me to keep going?

To refuse to reload Windows is a disservice to your clients as much as just doing a nuke & pave. There is a time and a place for every service.
 
ComboFix is the King! It fixes 90% of the virus problems I get called out to. Sometimes you have to play around with admin settings, and disable/uninstall antivirus, but ComboFix wins!
 
"Why is it every time on these forums someone asks a question about virus removal?..."

The real answer, I suspect, is that N&Pers get the impression that the "manual" removal guys like to think they're doing something elite and don't like the implied put-down that they are not as good techs.

But let's face it, most manual removal revolves around checking a few reg keys and common directories for anomalous files. Not exactly breaking into the CIA's computer system. And even the most die-hard manual remover admits to doing a scan afterwards because it's a fact that nobody has the time to check all the possible reg keys and locations manually that a scanner can do. After all, it's a computer so it's DESIGNED to do things automated. So it kind of comes down to the timing of your scan, which is a pretty ludicrous thing to row about.

However the N&P guys probably ARE wimping out from digging just a bit deeper to find out about spotting rootkit hooks and unsigned drivers etc., which might convince them that they are capable of declaring a system clean with some confidence after all.

I of course, being perfect, trot along the pragmatic line between the two on my high-horse ;)
 
I am the same, I am not completely against N&P for virus removals, but this year I don't think I have done a single N&P because of a virus :)

That said, I am finding a lot of the time these days I can remove it within 5 minutes because a lot of systems are just the fake AV with Windows 7 64-bit; I have not come across a rootkit with these yet.

It seems to be XP and Vista 32-bit which suffer from all the major rootkit headaches.
 
I use a server set up to PXE boot Plop Linux, which automounts the hard drive and begins a scan using Avira's AntiVir.

From there it pulls installers and other programs from the shared folder, places them on the hard drive in C:\HC_Toolbox and adds a batch script to the Startup folder of all users to run TDSSKiller and Spybot, and it starts Malwarebytes.

This is my "If I need to just push a button and walk away" scenario.

For the ones where I don't have other computers to work on I do manual removal 90% of the time with a follow-up of Malwarebytes overnight. This is mainly so I keep up with what the common problems are and how to fix them should I not have my server available to me. I also have that same setup on a netbook that I can take on site and network boot computers with a crossover cable; customers like to watch and enjoy the custom boot art in the PXE menu.
 
We each have our own methods of getting rid of viruses. We can Nuke & Pave a system or try to remove the virus with various tools in our toolkits.

Home users do not want to lose anything they have on the hard drive because they don't have backups of that data. They don't have the software that is on the computer. Etc etc. Besides, they usually think that MS Office comes with the computer since it's already on there, lol... In cases like that a Nuke and Pave will not work for the client.

Before I start scanning and removing a virus I sit down with the customer and ask them simple questions. Do you have backups, CDs/DVDs that came with the computer, product keys, etc. etc.? I give them the worst-case scenario to prepare them for the worst. Plus I take an added step of making an image of the computer first.

I'd rather not nuke and pave, but if that's my only option then I do it. Again, this is just how I do things...
 
Tools that I use are RKill/SAS/Malwarebytes/ESET Online Scanner/MSE/Kaspersky Rescue Disk/Avira Rescue Disk/Autoruns and Process Monitor. Now I admit I'm sure as far as skills I have nothing on all of you. I'm still learning, which is why I apologize for changing the topic, but are there any resources you can all kindly direct me to in educating myself on manual removal? I have no idea what I'm looking for in registries or which folders I should be reviewing. I would genuinely appreciate it.
 
Runscout, one way is to look up every new malware you hear about, and recent ones, too. BleepingComputer is quick to put up removal tutorials. Start getting a feel for the patterns of where they try to hide things, in which folders. E.g. using Autoruns, if I spot a program set to start from ProgramData or Application Data, that raises an immediate eyebrow. Same with Temp/Recycling.

Most malware do this. The exceptions are harder to spot and I'd bet most of us use scanners to find these. But by finding the common ones, you can usually get a system back to 'usable' so that you can get the slower work done.
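As an added illustration of that folder heuristic (this is not code from the thread or from any of the tools named in it), here is a small Python script that reads Autoruns CSV output and flags enabled entries whose image lives under ProgramData, AppData/Application Data, Temp or the Recycle Bin. The column names are an assumption about the `autorunsc -c` export format and the sample rows are constructed.

```python
import csv
import io
import re

# Constructed sample in the layout of `autorunsc -c` CSV output (column names are an
# assumption about that format); the entries and paths are invented for illustration.
SAMPLE_AUTORUNS_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Company,Image Path,Version,Launch String
1/1/2012 10:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Example Monitor,enabled,Logon,System-wide,Example device monitor,Example Corp,c:\program files\example\monitor.exe,1.0.0.0,c:\program files\example\monitor.exe /start
1/1/2012 10:00,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,dfkjh3,enabled,Logon,bob,,,c:\users\bob\appdata\local\temp\dfkjh3.exe,,c:\users\bob\appdata\local\temp\dfkjh3.exe
1/1/2012 10:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,xqwtz,enabled,Logon,System-wide,,,c:\programdata\xqwtz\svchost.exe,,c:\programdata\xqwtz\svchost.exe
1/1/2012 10:00,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldTool,disabled,Logon,bob,Old utility,,c:\users\bob\appdata\roaming\oldtool\oldtool.exe,2.0,c:\users\bob\appdata\roaming\oldtool\oldtool.exe
1/1/2012 10:00,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,kbdl,enabled,Logon,alice,,,c:\documents and settings\alice\application data\kbdl\kbdl.exe,,c:\documents and settings\alice\application data\kbdl\kbdl.exe
1/1/2012 10:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Tray,enabled,Logon,System-wide,System tray helper,Example Corp,c:\windows\system32\example\tray.exe,1.0,c:\windows\system32\example\tray.exe
"""

# Launch directories the thread singles out. Order matters: the first match names the reason,
# so a file in AppData\Local\Temp is reported as "Temp" rather than "AppData".
SUSPICIOUS_DIRS = [
    (r"\\temp\\", "Temp"),
    (r"\\\$recycle\.bin\\|\\recycler\\", "Recycle Bin"),
    (r"\\programdata\\", "ProgramData"),
    (r"\\application data\\", "Application Data (XP)"),
    (r"\\appdata\\", "AppData"),
]


def suspicious_location(image_path):
    """Return a label for the odd launch directory, or None if the path looks ordinary."""
    lowered = image_path.lower()
    for pattern, label in SUSPICIOUS_DIRS:
        if re.search(pattern, lowered):
            return label
    return None


def flag_autoruns(csv_text):
    """Parse Autoruns CSV text; return enabled entries whose image sits in a suspicious directory."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for row in reader:
        if (row.get("Enabled") or "").strip().lower() != "enabled":
            continue  # disabled entries do not run at logon, so review them later
        reason = suspicious_location(row.get("Image Path") or "")
        if reason:
            hits.append({"entry": row["Entry"], "location": row["Entry Location"],
                         "image": row["Image Path"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in flag_autoruns(SAMPLE_AUTORUNS_CSV):
        print(f"{hit['reason']:<22} {hit['entry']:<16} {hit['image']}")
```

A hit is only a prompt to look closer (check the file's publisher, signature and what it launches), since some legitimate updaters also live under AppData.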
 
@eHousecalls.ca Thank you very much, buddy. I appreciate your advice. I admit I've visited BleepingComputer a ton of times but it never occurred to me to look over the guides in finer detail. For instance I never actually even looked over the "Associated (malware/virus name) files" section or "Associated (malware/virus name) Windows registry information" in those guides. I see your point now. As I review them I do notice some patterns. So far AppData and Temp, like you mentioned yourself. I will be reviewing these from here on.
 
We normally start with a manual scan in Safe Mode or a Linux/PE bootable environment. After that, we scan with ComboFix, TDSSKiller, Malwarebytes and SuperAntiSpyware and an antivirus at a minimum. Occasionally we will use additional tools such as Spybot, Kaspersky or AVG Rescue CD, RKill, etc.

We normally find that removal is the quickest, easiest and cheapest fix. However, we are definitely not opposed to a nuke and pave if it looks like it will be easier and the customer doesn't have a lot of data that will need to be backed up/restored or installed applications that we will have to reload. If a customer has a very infected system, only a few documents that need to be backed up and there is a recovery partition, we are fairly likely to wipe and reload.
 
There is some great info in this post.

I almost always remove spyware locally. First, I uninstall any junk software in normal mode (if possible). Then boot safe w/net, run CCleaner portable, MBAM, ComboFix (rebooting back into safe w/net), and then HJT. Then I boot normal mode, surf Google News a bit to help make sure it's fixed and then flush System Restore. Repeat if necessary. I've usually had good luck with it.

If I spend more than 2 hrs on removing spyware, I recommend a reformat on simple installations or keep going on more complicated ones. Sometimes the time required isn't worth it on complicated installs either, and reformatting is the better way to go financially. I haven't had to reformat a PC because of spyware for a long time, though.
 