greggh
I have been reading a lot of posts lately about malware that has someone stumped. Usually they start off by listing the scanners they have tried and the ones that helped or didn't. It's a bit strange to me, since scanners are a last measure and really slow down the simple process. Good techs should be able to remove most viruses, including rootkits and other nasties, by hand with no scanner needed until the very end.
The one thing I have noticed in response to my comments like that is a lack of confidence. The big answer, even in real life when I am talking to a local tech, seems to be that they don't feel comfortable deleting files from system directories by hand. They fear messing the system up worse. It is an OK fear to have. But after a couple of months of doing it the right way you should have a very good idea of what stays and what goes.
Most viruses, spyware, rootkits, malware, and so on can be removed by hand in about 15 minutes time. A lot of that time is actually boot time into PE based environments to do the actual work. In many years of doing it this way I have only run into a virus that I could not remove without a scanner or some other crutch once. Thousands of systems. And in the end that system was actually corrupt beyond simple repair and Reimage from www.reimage.com fixed the problem for me.
My typical process on XP:
1. Boot into their environment if it will. Just to get a view of the problem. At this point 9 times out of 10 it's a fake antivirus or something similar.
2. Boot into a custom Windows PE environment, but UBCD4Win could be used just as easily.
3. EZ-PC-FIX to list off the startup items and registry key entries that I need to focus on first.
4. Remove everything from within EZ-PC-FIX then go find all the files it was listing and make sure they are deleted, if not then I delete them.
5. Go through the registry startup locations; there is a great list of them here in a thread. This takes only a couple of minutes. Delete any entries that don't belong and if needed delete the associated file.
6. Go into the program files directory, look for bad directories such as "Home Antivirus 2009" or any of the 63256325 others that will be in there. Delete those directories.
7. Go into the Windows directory, sort by date. Check for any files newer than a few weeks. Some are amazingly easy to tell that they are bad, like "asdfkjhasdfhjkasdf.dll" and so on. Others might not be; load up a web browser and search for those few files. Good ones you keep; for bad ones, make a directory at the root of C and put them in there.
8. Repeat #7 for windows\system32 and windows\system32\drivers.
9. Also in windows\system32, in Explorer add the Company column so each file shows what company it came from. Sort by this column and look at all the files (very few) that don't have a company. Ignore the .nls files and look at the rest. Those are usually suspicious files. Go through a process like #7 again with those files.
10. Use any registry and file cleaner (I use EZ-PC-FIX from PE for temp file cleaning, but there are many others, like Avast's tools). This should get any leftover entries that pointed to the bad files you already deleted. This should also get any bad files sitting in your temporary directories.
11. Reboot. At this point I am about 15 minutes in and probably done. If everything looks good I will start some simple optimization to get the system running faster.
12. At the very end I will run a Malwarebytes full scan just to make sure nothing sneaky got by. But it is very much just a final check to make sure things are clean. It will usually find useless leftover files sitting at the root of C:\ or in c:\documents and settings\user\ and whatnot. Things that aren't active or were the malware install files. Nothing that is actually running anymore. But it's good to let it clean up the rest of the mess.
13. Remember that directory you made on C to back up any files you were removing from windows, system32 and drivers? If everything is working fine then those files were not needed. Delete that directory, as you were probably right and those were indeed bad files. If something is going wrong, such as a broken driver, then you have some investigation to do. But usually this is not the case.
14. While Malwarebytes is running, if the customer is there we can then talk about everything that happened, what was wrong and what I have done. We can also talk about backup solutions and other upsells.
That simplified it a bit, but that is the basic procedure and it fixes things a LOT faster than relying on a few scanners to do the work. It also keeps me from staring at the screen while tools do the work for me. So the customer sees more value in what I am doing.
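Steps 7 to 9 of the post are a manual triage of the Windows, system32 and drivers directories: sort by date, look at anything modified in the last few weeks, look at files with no company in their version info (skipping .nls), and pick out names that are obviously random. The script below is an added example, not the poster's code or any tool the post names; it applies those three checks to a file inventory and builds the quarantine layout of step 7 and step 13 (a holding directory at the root of C that preserves the original sub-path so a file can be put back if a driver breaks). The inventory, the date "2009-10-01", the `C:\quarantine` root and the random-name heuristic are all constructed assumptions; on a real machine the inventory would come from a PE-side listing with version-info extracted, and a flagged name is still only a prompt to look the file up, as the post says.

```python
"""Added triage helper (not from the original post): applies the post's checks
for \\windows, \\system32 and \\system32\\drivers to a file inventory and
plans where flagged files would be parked before deletion."""
import ntpath
import re
from datetime import date, timedelta

VOWELS = set("aeiouy")

# Constructed sample inventory: (path, last-modified ISO date, version-info company).
# Stands in for what a PE-side listing of the system directories would give.
SAMPLE_INVENTORY = [
    ("C:\\WINDOWS\\system32\\kernel32.dll", "2008-04-14", "Microsoft Corporation"),
    ("C:\\WINDOWS\\system32\\ntoskrnl.exe", "2008-04-14", "Microsoft Corporation"),
    ("C:\\WINDOWS\\system32\\unicode.nls", "2008-04-14", ""),
    ("C:\\WINDOWS\\system32\\msxml6.dll", "2009-09-15", "Microsoft Corporation"),
    ("C:\\WINDOWS\\system32\\asdfkjhasdfhjkasdf.dll", "2009-09-20", ""),
    ("C:\\WINDOWS\\system32\\drivers\\ndis.sys", "2008-04-14", "Microsoft Corporation"),
    ("C:\\WINDOWS\\system32\\drivers\\qwrtzxkpvb.sys", "2009-09-21", ""),
]


def looks_random(stem: str) -> bool:
    """Heuristic (assumption, not from the post) for names like
    'asdfkjhasdfhjkasdf': at least 10 letters and either vowel-poor or
    containing a long consonant run. Kept conservative on purpose so short
    legitimate names such as 'ntoskrnl' are not flagged."""
    letters = "".join(c for c in stem.lower() if c.isalpha())
    if len(letters) < 10:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(m) for m in re.findall(r"[^aeiouy]+", letters)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 6


def triage(inventory, today: str, weeks: int = 3):
    """Return {path: [reasons]} for every file that deserves a second look.
    `today` is an ISO date string so the result is reproducible offline."""
    cutoff = date.fromisoformat(today) - timedelta(weeks=weeks)
    flagged = {}
    for path, modified, company in inventory:
        stem, ext = ntpath.splitext(ntpath.basename(path))
        reasons = []
        # Step 7/8: anything newer than a few weeks gets looked at.
        if date.fromisoformat(modified) > cutoff:
            reasons.append("modified in last %d weeks" % weeks)
        # Step 9: no company in version info, .nls files ignored.
        if not company.strip() and ext.lower() != ".nls":
            reasons.append("no company in version info")
        # Step 7: obviously random file name.
        if looks_random(stem):
            reasons.append("filename looks random")
        if reasons:
            flagged[path] = reasons
    return flagged


def quarantine_plan(flagged, root="C:\\quarantine"):
    """Map each flagged path to a holding location under `root` (assumed name),
    keeping the original sub-path so the file can be restored if something
    like a driver breaks after reboot (the post's step 13)."""
    plan = {}
    for path in flagged:
        _drive, rest = ntpath.splitdrive(path)
        plan[path] = ntpath.join(root, rest.lstrip("\\"))
    return plan


if __name__ == "__main__":
    flagged = triage(SAMPLE_INVENTORY, "2009-10-01")
    # Most reasons first: those are the files to look up or park straight away.
    for path in sorted(flagged, key=lambda p: -len(flagged[p])):
        print("%s -> %s  [%s]" % (path, quarantine_plan(flagged)[path], "; ".join(flagged[path])))
```

Run against the sample inventory, the two gibberish names trip all three checks, the recently updated `msxml6.dll` is reported on date alone (worth a web search, not a delete), and the old Microsoft-signed files plus the company-less `.nls` file are left alone, which is the same split the manual walk-through in the post produces.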