Who here actually knows how to clean up spyware and viruses?

Do you clean up by hand or rely on scanners?

  • By Hand: 23 votes (21.7%)
  • Scanners: 12 votes (11.3%)
  • Mostly scanners, some by hand at the end: 71 votes (67.0%)

  Total voters: 106
See, this is exactly the reason that many of the large PC repair companies just remove the drive and copy the entire data to another drive. Then they wipe the original drive, reinstall Windows and add the user's data back. Because of LEGALITY. Once a system is compromised you simply cannot guarantee that (you) found every virus, every trojan, every piece of malware on that system.
As I have explained to you all, file dates, sizes, etc. are easily changeable. I can directly access that information from inside many languages.
Personally, you will take a LOT of time to clean a system like this manually. WHAT I STRONGLY ADVISE if you are doing this manual method, is to look at the scripts created by Methical (Lord of the scripts) and AtYourService (Script Genius). They have made these scripts available on technibble.com in the scripting forum. Some of them automate the process of removing viruses and trojans by launching scanners, turning off indexing, system restore, uac, etc so the system will run faster (maybe even be usable at all). So that it can be cleaned and you can get any speed to clean it.
Yes, you can clean a PC manually. But it absolutely does not guarantee a 100% clean machine. This is why (because of legal reasons) most big chains simply copy user data and settings, then format and reinstall, then scan all user data, then put it back on the PC.
I can be more clear by saying: antivirus companies don't usually find every virus. They might find all of them on most of the systems you work on, but for example, an individual antivirus company might only successfully find 73% of test viruses in a folder. Because people do create viruses and trojans all over the world and some of these won't be detected right out of the box. This means you may think you got every virus, b/c you scanned a system with Avast, Avira, Kaspersky, F-Prot, etc... but the system could have a virus that none of these scanners pick up yet. With that said, someone could say "how can you guarantee that you completely cleaned the user's data? Couldn't it contain an unknown virus, even if you wipe the drive and scan the user's data?" That's a legitimate argument, and the answer is yes, it could. The difference is, the virus/trojan is not active on the system when you give the system back to the user. Whereas if you don't format and reinstall, -technically- there is the remote possibility that something could be remaining active and unseen by you, the technician. So without sounding absolutely hopeless about it, it is better to hand back a system with an inactive virus/trojan hidden in the user data than an active one.
 
But if you simply do a search of the customer's "my docs" folders for exe's, bat files, dll's, sys files, etc ... you will greatly reduce the chance of giving back his/her PC with any potentially harmful content. (obviously you'd do this from a "clean" PC)

Why are your scripts any better than AVG or Malwarebytes? (for instance). Why would we blindly accept your coding is safe?
 
Oh, you completely misunderstand. The scripts are not mine; they are created by some very smart guys on this forum like Methical and AtYourService. They are also technicians like us. The scripts they created are for different purposes. Don't trust what I am telling you; simply go to the scripting forum on this website, 'hunt' their scripts, open them and read them.
Their scripts run many different programs, and I believe Bryce even mentioned Methical's scripts in a technibble article. Anyway, you are missing out on much if you miss the work these guys have done to make the job easier for all of us.
I highly recommend Methical's batch scripts; also there is a script called techtoolkit which downloads a lot of software to a USB stick for repairing PCs. I recommend you find the link for that and give it a spin as well; it uses Ketarin to get the latest packages and updates all of them when you ask it to. You are really missing out if you don't use these guys' scripts. But you won't know that unless you investigate it for yourself; it really speeds up fixing computers.
As far as why you would blindly accept the scripts are safe: I hope you wouldn't do that. You see, they are .bat files; you can open them in Notepad, read them, see what they do, and gain a better understanding of scripting. I know from your previous posts that you are a very smart person, and I can also see that it would be no problem at all for you to open a batch script and understand what it does.
 
Ah. OK. I'll look into it. Thanks. Speeding up pc repairs in my hectic world would be very nice ...
 
Oh, you completely misunderstand. The scripts are not mine; they are created by some very smart guys on this forum like Methical and AtYourService. They are also technicians like us. The scripts they created are for different purposes. Don't trust what I am telling you; simply go to the scripting forum on this website, 'hunt' their scripts, open them and read them.
Their scripts run many different programs, and I believe Bryce even mentioned Methical's scripts in a technibble article. Anyway, you are missing out on much if you miss the work these guys have done to make the job easier for all of us.
I highly recommend Methical's batch scripts; also there is a script called techtoolkit which downloads a lot of software to a USB stick for repairing PCs. I recommend you find the link for that and give it a spin as well; it uses Ketarin to get the latest packages and updates all of them when you ask it to. You are really missing out if you don't use these guys' scripts. But you won't know that unless you investigate it for yourself; it really speeds up fixing computers.
As far as why you would blindly accept the scripts are safe: I hope you wouldn't do that. You see, they are .bat files; you can open them in Notepad, read them, see what they do, and gain a better understanding of scripting. I know from your previous posts that you are a very smart person, and I can also see that it would be no problem at all for you to open a batch script and understand what it does.

Thanks for that :)

Yes, all my scripts are open-source. So you can see what is happening, and change them at free will to suit your own needs. And yes, I do put a lot of time into them. Probably too much ..

My scripting inspiration comes from when I'm workin' on a PC, whether it's personal use or not, and I'm doing repetitive and tedious tasks. My folder now consists of over 60 .bat and .vbs scripts.

70% through my new script.. rough estimate. Most of the code is in place. I'll test it on my 4 machines, alter anything that needs to be, and release it to the wild.... you lot :)
 
Absolutely. You can scan the data after you're done and any remaining dirty files will then very easily show up. You should carefully examine any exe, bat, dll, sys, etc

What about rogue code hiding in .doc, .pdf, .jpg, .avi etc etc?

How long does this 'easy scan' take, and how does that square with techs who 'clean a pc manually inside 1 hour?'

I just had one that an automated in depth scan to find 1 piece of such rogue code took 16 hours.

I have a reputation in this area for thoroughness. That means that 'difficult' cases get referred to me. I often see a PC that has been 'cleaned' in 1 hour by someone else. Usually the main debilitating malware has been eliminated, but often there is something left behind which soon invites its friends to play.
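The earlier reply suggests searching the copied "my docs" folders for exe, bat, dll and sys files from a clean PC, and the post above asks what about code hiding under a .doc, .pdf or .jpg name. The following is an added example written for this thread, not one of the scripts from the scripting forum and not code from any poster here. It walks a copied user-data folder on the technician's clean machine and reports files two ways: by extension, and independently by their first bytes, so an executable renamed to .jpg is still listed and marked as a mismatch. Each flagged file gets a SHA-256 so it can be looked up or handed to a scanner. The extension list, the magic-byte table and the sample folder it builds are assumptions for illustration; it lists what deserves a look and does not replace a scanner.

```python
"""Inventory a copied user-data folder for executable content before it is
restored to a rebuilt machine.  Added example for this thread; not one of the
forum's scripts.  Checks both file extension and leading bytes, so a renamed
executable is still reported.  Run from the clean technician PC:
    python inventory_user_data.py D:\\recovered\\MyDocs
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Extensions named in the thread (exe, bat, dll, sys) plus other Windows
# launchable formats.  Assumption: extend to suit your own list.
SUSPECT_EXTENSIONS = {
    ".exe", ".dll", ".sys", ".bat", ".cmd", ".com", ".scr", ".pif",
    ".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1", ".msi", ".cpl",
}

# Leading bytes that identify executable content regardless of file name.
MAGIC = (
    (b"MZ", "pe-or-dos-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"#!", "script-with-shebang"),
)


def sniff(header):
    """Return a content label for the first bytes of a file, or None."""
    for magic, label in MAGIC:
        if header.startswith(magic):
            return label
    return None


def sha256_of(path):
    """Hash the file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root):
    """Walk root and return one record per file worth a closer look.

    A file is reported if its extension is in SUSPECT_EXTENSIONS, if its
    content looks executable, or both; executable content found under a
    non-executable extension is additionally marked as a mismatch.
    """
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink():          # never follow links out of the copy
                continue
            try:
                with open(path, "rb") as fh:
                    header = fh.read(8)
            except OSError:
                continue
            reasons = []
            ext = path.suffix.lower()
            if ext in SUSPECT_EXTENSIONS:
                reasons.append("extension:" + ext)
            kind = sniff(header)
            if kind:
                reasons.append("content:" + kind)
                if ext not in SUSPECT_EXTENSIONS:
                    reasons.append("extension-content-mismatch")
            if reasons:
                findings.append({
                    "path": path.relative_to(root).as_posix(),
                    "size": path.stat().st_size,
                    "sha256": sha256_of(path),
                    "reasons": reasons,
                })
    return sorted(findings, key=lambda rec: rec["path"])


def build_sample_tree():
    """Create a constructed sample data folder (not real user data) and
    return its path, so the inventory can be tried without a customer disk."""
    root = Path(tempfile.mkdtemp(prefix="userdata_"))
    (root / "docs").mkdir()
    (root / "docs" / "notes.txt").write_bytes(b"shopping list\n")
    (root / "docs" / "setup.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "docs" / "holiday.jpg").write_bytes(b"MZ" + b"\x00" * 30)  # PE under a .jpg name
    (root / "docs" / "fix.bat").write_bytes(b"@echo off\r\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rec in inventory(target):
        print(f"{rec['path']}\t{rec['size']}\t{rec['sha256'][:16]}...\t{', '.join(rec['reasons'])}")
```

Run it without arguments and it inventories the constructed sample folder; point it at a copied data folder and it lists only the files that match, with notes.txt and ordinary documents left out. A .doc or .pdf that carries an embedded exploit is not caught by magic bytes alone, which is the point the post above makes: this narrows the list to hand to the scanners, it does not settle the question.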
 
What about rogue code hiding in .doc, .pdf, .jpg, .avi etc etc?

How long does this 'easy scan' take, and how does that square with techs who 'clean a pc manually inside 1 hour?'

I just had one that an automated in depth scan to find 1 piece of such rogue code took 16 hours.

I have a reputation in this area for thoroughness. That means that 'difficult' cases get referred to me. I often see a pc that has been 'cleaned' in 1 hour by someone else. Usually the main debilitating malware has been eliminated but often there is something left behind which soon invites its friends to play.
I'll ask you the same question: "what about rogue code hiding in doc, .pdf, .jpg, .avi etc" files? Are you saying that you're going to inspect the binary code of each file in their data folders before you restore it because you don't trust your Anti-Virus/Anti-Malware programs? That would take 16 months (if not 16 years). There is no easy solution to the "rootkit mess" that is going on but I can tell you that you'll go out of business spending 16 hours to clean a PC of viruses. I can reload Windows in about 2 or 3 hours and be done with it. There is nothing you can do about a given virus that is in the "blackout period". If AVG/Norton/Trend/Kaspersky (or whatever you use) won't find it - you won't find it either!

I do virus cleanings in about an hour. If it requires an insane amount of registry cleanup/SFC /scannow/TCP/IP stack rebuild/group permissions resets/yada yada AND/OR if it has a rootkit ----> I'm doing a data backup and OS reload. I can guarantee a clean/good running PC that way.
 
Well at least you are discussing, even if a mite peremptory and holier than thou.

I said the scan took 16 hours, not that I sat and twiddled my thumbs while it scanned. I was actually trying out a Russian Linux boot disk suggested by someone here, which has some attractive features. I have also seen the AV in TrinityRD take this long.

As to nuke and pave this was a business client who specifically refused this option.

But my question was actually what to do against such hidden rogues.

Answer: nothing. Yet in an earlier post you reported that you were prepared to guarantee the rogue virus free. A business suing you in the event of subsequent problems would 'have your ass'.

My question was about your guarantee. I usually avoid this by saying to the client that anything put back is a risk. I cannot weigh the risk against the benefits, only the client can do this so I either give the data on a DVD for the client to check and do with as he wills or invoke a disclaimer.

In regard to registry stuff anyone who can manually scan the class ID sections of it and guarantee to remove rogue references is a genius of the first order.

In an earlier thread I posted how to hide code in the registry so that it can't be seen by regedit.
This did not generate much interest here.
 
... A business suing you in the event of subsequent problems would 'have your ass' ...
In almost all of my business customers' cases I recommend a Windows reload (when a virus is present). If it is a rootkit it is a reload. Whether they take that advice or not is their choice. Either way my $2MM general liability policy would help me keep a small portion of "my ass" in the event of a reinfection. The T&C's on the back of my invoices tell my customers many things, but here are the highlights: I do NOT guarantee their data, I am not responsible for force majeure downtimes due to the PC after I fix it, and they are responsible for backing up and preserving their data before I take it. I'm about as covered as one needs to be in this business.

My question was about your guarantee. I usually avoid this by saying to the client that anything put back is a risk. I cannot weigh the risk against the benefits, only the client can do this so I either give the data on a DVD for the client to check and do with as he wills or invoke a disclaimer.
see above

In regard to registry stuff anyone who can manually scan the class ID sections of it and guarantee to remove rogue references is a genius of the first order.

In an earlier thread I posted how to hide code in the registry so that it can't be seen by regedit.
This did not generate much interest here.
What's your point? Common knowledge. If/when a rootkit is involved we should always advise a data backup and OS reload. There is no other choice in my opinion. Tinkering around with hidden files and processes and registry keys for hours and hours is simply not feasible when you look at what you're faced with.
 
http://www.whatsmypass.com/tech-toolkit-10
It basically uses Ketarin; now FileHippo uses these file IDs to let you download stuff, so if authors of software want to complain they have to take it up with FileHippo. Aside from that, "AtYourService" is a genius, and this toolkit that you unzip on a USB stick and run Ketarin on is pure magic.
If you have Methical's scripts and AtYourService's toolkit, you are going to soar through repairs.
 
http://www.whatsmypass.com/tech-toolkit-10
It basically uses Ketarin; now FileHippo uses these file IDs to let you download stuff, so if authors of software want to complain they have to take it up with FileHippo. Aside from that, "AtYourService" is a genius, and this toolkit that you unzip on a USB stick and run Ketarin on is pure magic.
If you have Methical's scripts and AtYourService's toolkit, you are going to soar through repairs.

Thankx pctech! (Words to meet the minimum posting requirements)
 
I scan with NOD32 in Safe Mode with System Restore off. If it's obvious it would need a lot more work than the usual scanning and clean up, I would most likely just reload the system. I don't really know why some people spend hours and hours, if not days, trying to remove that last piece of malware, when if they have their software discs, a quick backup and reload guarantees all removal and is obviously much quicker to use after anyway.
 
I look at the hours I have spent figuring out how to remove these things as an investment. I've got basic removal down to about 20-30 minutes and complete removal plus a basic system cleanup in about an hour.
 
I look at the hours I have spent figuring out how to remove these things as an investment. I've got basic removal down to about 20-30 minutes and complete removal plus a basic system cleanup in about an hour.
Yep. Agreed. It is a good (wise) investment of a technician's time to learn how infections manifest themselves and how they stay in place.

I think there is probably a time in every good technician's career where he/she spends an inordinate amount of time "playing" with infections ... the end result of that excess time spent can help build the skill necessary to become fast & efficient at removing viruses.

... I don't really know why some people spend hours and hours, if not days trying to remove that last piece of malware, when if they have their software discs, a quick backup and reload guarantees all removal and is obviously much quicker to use after anyway.
Agreed. The skill from spending that inordinate amount of time playing with viruses will speed the process of knowing when to fix or reload.

With every virus infected PC you have to make the decision to:
1) repair, or
2) reload

Your profitability is directly tied to this.
 
Because it's what the customer wants...

I don't really know why some people spend hours and hours, if not days trying to remove that last piece of malware, when if they have their software discs, a quick backup and reload guarantees all removal and is obviously much quicker to use after anyway.
Because it's what the customer wants!

They don't want to reload everything. They don't know how. Most customers do NOT have their system discs, backups, program discs. Most of them had their 'friend' install their software, so they don't have the 'real CD'. What happens is you spend more time reconfiguring their system, setting up email, etc. Only to tell them that they also now have to go buy Office, etc. Heck, from my experience, 1/2 the customers think that Office XP came with EVERY COPY OF WINDOWS XP.

Once you really learn how the Windows registry works, etc. then it's not rocket science to get rid of viruses / spyware.
 
I do a combo of manual and scanners as well.

When I first started I would spend hours doing the work simply because I now use the knowledge that I learned then to be faster and more efficient
I now know which files do not belong in the system folders and which do. (tho of course not all of them) It took me months to learn that simply renaming some scanners to random names would allow them to run. I was so ticked at myself for not knowing that sooner.

The main apps I use are ComboFix, MBAM, AVG, CCleaner and sometimes SuperAntiSpyware. Occasionally something other than avg.
I also manually remove files, startups, fix sys restore, run updates, restore IE8 to default if installed, install Firefox with Adblock Plus and add websites to the hosts file. http://www.mvps.org/winhelp2002/hosts.htm. As well as uninstall other antivirus and file sharing apps. If they use Limewire I install or suggest/show them uTorrent.

I do use utility discs on really infected machines and do manual removal and reg editors. Also Kaspersky live or Ubuntu with Avira slipstreamed, but usually those machines need to be formatted if I have to use them. But I always format as a last resort because usually no one wants that. If they do they either can do it themselves or say so up front.

30 day guarantee which I rarely have to do. Tho porno sites and not following my advice will void that.
 
Because it's what the customer wants!

They don't want to reload everything. They don't know how. Most customers do NOT have their system discs, backups, program discs. Most of them had their 'friend' install their software, so they don't have the 'real CD'. What happens is you spend more time reconfiguring their system, setting up email, etc. Only to tell them that they also now have to go buy Office, etc. Heck, from my experience, 1/2 the customers think that Office XP came with EVERY COPY OF WINDOWS XP.

Once you really learn how the Windows registry works, etc. then it's not rocket science to get rid of viruses / spyware.

+2. The customer gets what the customer wants and the registry can be a scary place for someone who doesn't know how it works but once you really understand how it works you'll be surprised by how easy it is to navigate. However I still believe a registry system is a bit archaic, but Microsoft loves their backwards compatibility and overall compatibility with third party hardware so we're stuck with it for eternity.
 