When Spyware Wins

If you're reading this, you're probably that guy. You know, the one whose friends and neighbors and family members call when their computers stop working. When you arrive, you often discover that the PC isn't just infected with viruses and spyware but rather overwhelmed with them. So what do you do? Format and start over? Try to clean out the machine? Hard Drive Transplant?

Share your experiences in the comment area and we'll do a follow-up with some of the best suggestions!

View: CNET Spyware horror stories

Report a problem with article
Previous Story

Queen Elizabeth embraces YouTube

Next Story

Apple to Launch iPod with Automatic Volume Control

73 Comments

Commenting is disabled on this article.

true, however if you have a rootkit steps 5 and 6 alone will not be sufficient. microsoft has an internal program that works better than their own rootkit revealer that detects rootkits. this article is old but if you read through it winlogon.exe was compromised and there is no real way to remove it unless you remove it and do a repair of the os (non destructive)
http://blogs.technet.com/robert_hensing/ar.../17/354471.aspx

windows hides programs that the average user/technician will not be able to find unless he develops his eye. microsofts official stand as far a rootkits go is to format the machine as there are too many files that can be compromised and if you really do not have a clue what to look for you are best off to format and go on. wolf will confirm that you have a rootkit but it can not repair it. programmers are real good at hiding thing right under your nose and you really need to pay attention to the details.

For those that don't know how to do this properly and effectively, I will post this method as it has worked for me many many times over without fail. rootkits ha.....

Windows hides files, remember this, not everything is shown in the host computer. For example look for the banana registry key in the host computer. o u can't find it, then put your noob hat on and pay attention. here is a directory that gets hidden, try to unhide it, c:/documents and settings/%the user that you are logged in with%/local settings/temporary internet files/content.ie5 (hint type in the path at a run prompt and user your username that you are logged in with as your user will be able to browse it under a different user logged in, the point is you can't see it natively)

You will need a known good, clean computer to do what I do, a bootable utilities disk (erd commander or barts are my favorites that I carry with me), and several scanning software̢۪s (symantec antivirus (not the norton branded home crap that has useless utilites that take up processor time and memory), webroot spysweeper, pctools spyware doctor, spy bot, hijackthis, cwshredder, a few other small utilities but this is the brunt of it not giving out all of my tricks but you may want to look for software that can see kernel processes) and your eyes. It will take a little bit of figuring out what files you need and don't need, but these programmers are getting a little better with coding their files. You also need to know about when the issues started happening as this tends to make life a little easier.

The whole process can take 2-3 hours once you get good at it.
First what I do is take the hard drive out of the infected computer, put in into the known good computer and run the scanning utilities on the good known computer (all of them). You will find that not one of them picks up everything.

2nd delete all folders in the system recovery folder assume that all data in there is compromised, these files aren't needed for the system to operate. You may have to take ownership.

3rd in each profile (2nd drive letter this is in the good computer still, ex. e:/documents and settings/every user profile) go to the local settings/temp and clear that out, go to the local settings/temporary internet files/content.ie5 and clear out any folders; this must be done in each profile. Look at the root of each user and make sure there isn't anything obscure in there, should be 3 files in there if you are looking at all system files and everything is unhidden.

4th go into e:/windows/temp and delete everything in there, and same in e:/windows/prefetch.

5th go back into the e:/windows directory and view by company (you will have to enable the company field) look for dll's and exe's that do not have companies associated with them. You may have to google these files to verify their existence as whether or not they are truely system files (there won't be many if any that are legit that have blank company names). now arrange by date and look for obscure names (ex. zxshteklsi.dll, jsdhalakj.dll, yahrtean.dll) these are randomly generated dlls in most cases put in by viruses, spyware or adware) and look for files around the dates and later that these issues started occurring. Then sort by attributes (you will have to enable this field as well) look for hidden files and system files, you may have to google these as well to verify their validity. Now that the easy directory is scanned through, move on to system32 and do the same. (Do this on the root of the drive as well)

6th now that the hard part in the windows scan process is over we will move on to the next step. e:/program files/common files. All i can say is look for things in here that don̢۪t seem logical; once you develop the eye for it you will know. Same thing in e:/documents and settings/all users/application data.

At this point once you are pretty comfortable that everything has been cleaned to the best of your knowledge you can take the hard drive out and put it back in to the "infected computer"

7th take a boot disk like erd commander, repeat steps 5 and 6 as best as the software will let you. Look at the registry with the registry tools that the software provides. go to hklm/software/Microsoft/windows/run and look for files trying to run there that don't make sense. go to hklm/software/Microsoft/windows nt/curentversion/winlogon and check out the userinit string to make sure that is right (if you want to fk with someone try renaming it and give the computer back to someone with that string obscured, try and boot if you want).

8th boot the computer into safe mode, run msconfig look for services that don't look right and look for startup programs that don't seem right. Run regedit go into each profile under hku and look in their software/Microsoft/windows/run and look for obscure programs trying to run

9th boot the computer up normally. Load up your utilities on this computer and run scans again once this is online. hijackthis should be ran at this point and so should spybot as a matter of fact run these first. (there is a process that if you run certain things before others that will help matters as far as time goes) this is where a kernel process viewer would come in hand as well, to see what dlls and exes are in use (no the windows task manager is not enough, remember windows hides things and you may have to boot to erd commander to see these files).

10th if you followed everything properly and have the eyes to see what is real and what is not, and you have used all of the utilities your system should be clean. do a netstat -a -n at a dos prompt to see if the machine is connecting to an outside source that is unknown (if you are running logmein for example you know that it is connecting to a server registered to logmein). anything in the 127.0.0.1, 0.0.0.0, or your local subnet (192.168.1.x for example) you can ignore, the ones that you should pay attention to are the outside addresses. google reverse dns lookup to find sites that can change the numerical address to find who owns it.

Now go out to the internet if everything looks good you won't have one popup or a system that runs sluggish. If you get about 20 machines that are infected with crap you should be able to figure out what is wrong or right by then. When the programmers get better at hiding things or putting them in different directories than what i have mentioned then this process will need to be tweaked. However for now it seems to be pretty good, and I myself have only had 1 computer that has gone out with a file that has not been deleted (before I incorporated a kernel process viewer) that has come back. One out of ~2000 isn't too bad i guess. Please recommend a program like drive shield once this process is complete so that they don't come back.

Formatting is for Wusses. I've never had to do that with any machine I have been called to repair. (And i've repaired MORE than my fair share) Worst I had to deal with was fixing a MBR, Replacing corrupt in %windir%/system32 & soending days seeking and killing viruses. (Makes me feel like a techie Steve Irwin). I like to remove most viruses and spyware all by hand. No adaware, Spybot or AVG which are all brilliant tools. Sometimes I use a pre enviroment disc. I love getting my techie hands dirty.

I actually get clients because I don't reformat unless I ABSOLUTELY have to. I find that a combination of SmitFraudFix, VundoFix, SuperAntiSpyware, SpyBot, and NOD32 usually takes care of virtually everything. Even IF there are hidden remnants left, the clients I deal with will have more problems no matter if I reformat or not. Most clients tell me "horror stories" about another company reformatting their drive.

I try and avoid formatting when possible. Usually, I'll reboot into safe mode, start with lavasoft, hijackthis and msconfig and try and ferret out what shouldn't be starting. I've cleaned systems with 1400 pieces of spyware without reformatting, but then again, some of the stuff you do see is so invasive that you have no choice but to dynamite it all and restart.

warwagon said,
if you found that many on the system, think about all the stuff you didn't find

True. In that case, I cleaned the system, but the integrity of system files was so complete that I ended up recommending a reformat. It would be nice to see Windows File Protection kick in and repair the files, but that'd be the case in a perfect world.

In an ideal situation I'd just say "It's ****ed, let's do a format and reinstall" but often the problem manifests itself just right before the person needs their PC the most (next day deadline etc) and has tons of things customized and so on. So I end up removing all Norton software (yeah, those always seem to do their job SOOO well), running through a few antivirus/spyware scanners and often finally have to track down the malware and remove it manually because none of the AV/anti-spyware scanners can find it.

Our company policy (since we MUST keep data secured by law) is that if we get a virus or spyware... the entire system is rebuilt... we take no risk in the chance it could still be there...

if a computer is too crappy, even the cleaning won't fix the corrupted files generated by virus infections. usually i decide based on the user experience:
totally dumb -> format and reinstall anyway he doesn't have any doc, except a couple of bmp done with paint and some porn
mid user -> save the game saving (he has the CDs), then try to fix the problem, if fails (after 30 mins work), then just reformat
good user -> fix the only virus and/or few spywere he got by mistake

Any work that takes more than 1 hour, isn't worth a reinstallation of the OS. I've a couple of recovery CDs/DVDs that install everything in 1 setup, so makes my life easier to redo the machine than try to fix it (only worth to try if the pc is used as a pc and not as a porn/toy/game)

Well, I fix loads of spyware/viruses/etc for almost everyone around, primarily the institution I'm studying in, and... also via e-mail. Get loads and loads of such requests. In fact, I've made a few virus "fixes" based on some pretty interesting algorithms for some common worms and spyware.

It's all fun, and gains you a rep pretty fast, and of course... a reason to head over to that *FRIEND*'s (wink) place............ to fix the computer, of course.

Still, sometimes I see "experts" who do around 100 scans with Norton, Mcafee, and other mainstream crap, and when all else fails, they tell their "clients" - or whoever is helping, ****loads of crap - "oh, its too late. oh, its infected so bad" and stuff.

Frankly, several years back, I worked with/for/together with a large spyware/internet-marketing company. We had a monthly turnover of millions, and of course, all of us had a pretty tidy sum each month (- around 10k$ to 20k$ to push around... those were the days...) - and our objective was to create spyware which was undetectable for *at least a week*... hence, put it this way:

If the spyware changes every few days, what makes you think any mainstream crap will pick it up?

Go with the guys who say use HijackThis, Autoruns, Silent Runners, or manually sift through startup points. That's the way things work, not through some click through GUI saying "SCAN ME", or "FIX ME".

^ my 2 and a half.. dollars/cents.

If the malware cannot be removed or the OS has become too corrupt, then I'd:

1. Use a Windows disk to open Recovery Console
2. Set allowallpaths=true
3. Rename Program Files, Documents and Settings, and Windows to Program.old, Documents.old, and Windows.old
4. Start a new installation of Windows without formatting the drive.
5. Copy back across the data from the .old folders

Only one hard drive required and no data loss!

Virus Scan, Registry Scan, Spyware Scan, Malware Scan, Tweaks.

If none of the above do any good, then format

I always reformat, there is just no way to be 100% sure you got it all by doing it manually. Once all the updates and such are done, I usually make an image of that machine right then and there so if it happens again I got something to go back to.

first thing for everyone is to turn off System Restore then Back everything up, then do a "check Disk", "Disk Cleanup", then clear all (I mean all) internet cache, Including passwords saved and History. Then reset IE7 to its defaults. Next is to perform an online virus check from places like "Trend Micro's" house call or Microsoft's "One Care" online scan. Then update the Virus scanner that is installed on the computer and perform a full scan. For spyware, I would use 3 scanners. Those scanners are Microsoft's Defender, Spybot S&D, and Ad-Aware. Also it would be good to install Spyware Blaster and update it. I would then run a rootkit scanner and remove any rootkits.

If, none of that works, then I can take the drive out and back everything up and use a dedicated machine that is used to clean drive from viruses and spyware.

Sometimes when a virus, spyware/adware or rootkit is deleted the system can become unusable. This is where a Scan disk / system repair from the windows CD is necessary. If that doesn't work then the last resort is needed....that is a reformat

Typically I won't waste my time trying to clean up an infected machine, but if I somehow don't have that luxury for any reason, I'll put the drive as a slave in another machine, do a full scan from that machine's OS and let the AV delete anything it finds. Of course since the infected OS isn't running, the AV won't attempt to clean anything in the registry. That's also a good opportunity to backup any file I might want to get off of that drive.

Then I put the drive back in the original machine, reboot and have SysInternals' autoruns have a look at the registry. Viruses that set themselves up to autorun stand out like a sore thumb (the files will be labeled as referenced in the registry but missing from the file system), which you can then delete. Then I run another full virus scan, this time using the original machine's own OS. If it still finds something, then at that point I'm probably better off nuking everything.

It's crude, but surprisingly effective. Of course it all depends on exactly what the virus does and how it does it.

I don't know about the rest of you at first i would actually help save their files and stuff and clean them out, but after so many calls I stopped caring and now just tell them to reformat. After that fresh install I put an anti virus program on there as well as a spy ware removal tools like spybot.

If it's a software problem, I can fix anything. As long as it doesn't involve writing code. Around town, that's what I'm known for.

I've seen PC's loaded down with Spyware, those people call me now. Fixing computers is probable the one thing that I'm actually acutely attuned to and nobody can ever take that away from me.

A boring day for me, is not having a computer to fix or update. So bring me your tired, your old, and your sick computers and allow me to be Dr. Frett and make your day a happier day.

But yeah, if 50% of your drive is Spyware, let's have an ice cream and wait for the format to complete. By the way, you'd be surprised at how many people don't update their computer, it's scary. People like me, and the peeps "in the know" here, are in the minority.

Don't assume everybody knows as much as we do, they don't. That's why I get ticked when a topic is posted here to the general effect of "How do I do a format?." and people reply harshly, like the OP should have been born knowing how to do a format.

It all depends on who's machine you're attempting to fix, and how far along the damages are.

Obviously a clean format is the way to go in most cases. Many times I have helped people fix up their machines by adding a good anti-virus + spy\mal ware remover program. But once a machine gets so messed up it never works the same again, so the clean format is usually the way to go.

Also I have found that alot of people don't know about windows updates, and either don't have them enabled to automatic or never even knew about them in the first place.

The thing that gets me is when I look at one of these machines, and its specced out about 50X better than my laptop, and runs like a snail. Of course they're running XP Pro, or Vista Ultimate, which was obviously pirated, along with Microsoft Office 2003 which they got from a friend of a friend, Photoshop CS 5 from a neighbor, Zonealarm and three different Antivirus software suites from "oh gosh, I don't know where that came from", 250 gigs of music and videos that they can't live without, a dodgy screensaver downloader program that a friend put onto their computer, and Bitcomet, Bittorrent, and Azareus running among their 150 background processes. And of course they'll have a hideously stretched out wallpaper of their cat, dog, or themselves naked (its always a guy, or an ugly girl) on a desktop covered in icons and folders with glorious names such as New Folder, New Folder (1), New Folder (2), etc, for you to stare at while you're waiting for Windows Explorer to open up and finish installing the drivers for your backup harddrive. You know it will be hours before all their crap is backed up, and then they'll tell you that they don't have their original installation disks for Windows.

Well, ****.

For other peoples' PCs, backup data and drivers then format C.
For mine, on the once-in-a-blue-moon time I might get some trojan from a presumed safe torrent, I will try and remove it manually, then if not then look for a specific removal tool designed for it (Vundo Fix for example) and if that's doesn't work then restore with Acronis and I'm back as good as can be 5 minutes later.

Yes,
The full format and reinstall IS the best way, but, usually 99% of the people don't want you to erase everything and I'm not doing a backup for them.

If I can't talk them into a format/reinstall, there isn't much other choice but run cleaners to death.
Then manually clean what's left over, if possible.

I clean up computers for family and friends as sort of a side-job, and I can usually do a decent enough job with NOD32, Ad-Aware, and HijackThis. It cleans it up enough for them to notice a massive speed difference and also the fact that their computer works as it should without closing programs the second they are opened... Depending on the case, you may or may not need additional virus removal programs such as VundoFix... stupid vundo...

But yea, NOD32, Ad-Aware, and HijackThis works like a charm for me

This article is BS, or readers of Neowin are more foolish than some posts let on! CCleaner (freeware) is effective at removing much garbage very simply. The early version of Adaware SE (freeware) is good at locating registry entries. Rootkit Revealer is useful, if a bit crude. Then there's the magic tool Barts PEBuilder BartPE (freeware) a "pre-installation environment" that has all sorts of useful (if often dubious licensed) utilities. Create a boot CD, and add an AV scanner (many AV manufacturers have "free" utilities, and signature files that work with the PE environment) for stubborn rootkits. Once free of malware, get them to use Firefox!

Reformatting and reloading the o\s is fraught with pitfalls (program or data loss mainly) and is quick way of loosing friends, so a ghost image (or the like) is essential anyway.

NTFS is a double edge sword, which acts against you when a machine is corrupted. I hate NTFS on home machines, along with those manufacturers who insist on having their 200 GD HDD formatted as one whapping partition. 20 GB for the O/S, the rest as a data partition!

I run XP SP2 with NO UPDATES, I have suffered no problems, the next update will be SP3, that will be it! I stopped messing about with windows updates on my computer years ago. The updates cause as many problems as they fix!

Hate to bug, but how does NTFS act against anybody? It's just a filesystem, and for the end user, it means that Scandisk isn't going to pop up at every bootup (until they forget to hit spacebar one day). For the technical crowd it means larger files, better reliability, and proper permission control. You can read it from any operating system worth running, and with recent developments in Linux, write to it as well.

Also, I can't agree with your take on updates. I hope you at least keep your Firefox current, and don't go turning off anybody else's automatic updates without their full awareness of all that it entails.

Its pretty ironic how you call people foolish and then say that you run a XP SP2 system with no updates. I'm not going to argue why as its probably a waste of time but still.

NTFS is a double edge sword, which acts against you when a machine is corrupted.

No, NTFS is way WAY more fault tolerant and resistant/reliable than Fat32 ever was. The only time I'd agree with you about it acting against you is if your using some 3/4 year old bootable linux to recover stuff that had poor NTFS support. Other than that there is no reason not to use NTFS.
along with those manufacturers who insist on having their 200 GD HDD formatted as one whapping partition. 20 GB for the O/S,the rest as a data partition!

Its set that way so that joe sixpack doesn't run into "Disk full" errors when installing software/downloading stuff/photos whatever. The average person wouldn't have a clue about installing/putting files on another drive/partition. Tho it would make it easier to recover someones system if the OS dies.

In those situations I just shudder and move along. Fixing the computer means I'll be asked to fix it again next time it gets infested (which will happen without doubt).

I've no problem with doing a favor or two, but free tech service for life is not my thing.

This reminds me of my college days and a workshop we did on Spyware.

We had intentionally infected a box via just about every malware ad you could click on. When it came time to clean it we threw everything at it: Spybot, Adaware, Giant (now Microsoft), other misc apps, and about two to three antivirus products. For the most part it cleaned up nicely, but every time we kept plugging it in to the net, it'd keep getting reinfected. Not one of us in the group doing the workshop presentation were dummies, but we could not figure out what was going on for the life of us. We checked every trick in the book for an additional program in the background that was causing the machine to get reinfected. Finally, out of desperation, I resorted to checking the file sizes on the few services and apps left running on the machine. I was stunned when I realized Explorer.exe was different. A quick check in a hex-editor confirmed my suspicions: it had hard-coded URLs and IP addresses in it - my first encounter with a rootkit. Once I replaced the infected explorer.exe with a clean one, the box's own AV program could tell the old one was infected, but not until I had already repaired the damage.

If that had been any normal person's box there would be no way to guarantee it was clean without a complete reformatting. The level of the infection still bothers me to this day.

What if you get jacked by rootkits? Those will certainly help removing the obvious spyware files and whatnot, but system files that were altered by the rootkit will most possibly get your system to behave strangely (ex: svchost crashing every 10 minutes for no apparent reason).

So this may work, but it depends on the nature of the infection.

My preference is a cleaning of the registry using an offline environment (Bart's Boot CD, add the HDD to another system, etc), then I use information gleaned from the registry and file dates of known infected files to clean off the filesystem. Last, a repair install to wipe any infected Microsoft binaries, and a good scan with NOD32 (which pretty well never turns anything up outside of the System Restore directory for when I forget to flush it beforehand). You wind up with a nice clean system, and all your (desirable) crap is still there. Total time is typically around one hour.

Of course, if there is a backup available, or the guy actually has his installation CDs, I'll go the format route. You know; nuke it from orbit. It's the only way to be sure.

The first try is to run some antivirus and spyware cleaner (two or more of the latter is best). If the cleaning doesnt reach 100% a clean reformat is the best way to have a clean and faster machine.

For installs at work use HDD Images or Unattended Install for XP or Vista. For home users i always use Unattended DVD's with XP and Vista which i always have up to date with windows updates and programs.

Sorry, not trying to troll but ALL malware wins when you don't have a Mac. Your friends and family would never call you over about spyware if you had a better platform. Heck, even crappy Vista is less prone to malware. My sister in law just got a new computer running Windows Vista in which I setup everything for her. I made sure the firewall was working properly and in addition to Windows Defender I installed avast! antivirus on it. I'm pretty positive she'll never get infected. Windows XP? Let's not even get started. Security is much better on Vista and perfect on a Mac.

Oh that's right... Macs never had any security issues. That's soooo true.

Unless you provide evidence of your claims, I cannot see this as anything else than trolling.

Adequate said,
Oh that's right... Macs never had any security issues. That's soooo true.

Unless you provide evidence of your claims, I cannot see this as anything else than trolling.

While it's true that Macs have vulnerabilities, they are still considered more secure. At the least the US Army thinks so.

US Army buys Macs to increase security.

I'm surprised the US Army doesn't want to use Linux, because it's an even better solution than using Macs. They could build their own distro and put army stuff in it. Like maybe a camouflage wallpaper, and a patriotic cursor scheme?

toadeater said,

I'm surprised the US Army doesn't want to use Linux, because it's an even better solution than using Macs.

Linux with an exception of about 2 distros are still NOT user friendly or intuitive. It is still the choice of the uber geek only. It's still not ready for the masses. I tried Ubuntu and Kubuntu on several occasions, they were terrible. Perhaps in the next 5 to 10 years this will change but of course by that time can you imagine how god like the Macintosh platform will be? Chills run down my spine just thinking about it! :cheeky:

If it were true that Mac security is "perfect", then why the hell does Apple say this?

Last Modified on: June 08, 2007 Article: 4454
Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one program to circumvent, thus making the whole virus writing process more difficult.

If "perfect", shouldn't zero antivirus utilities be enough? They're not recommending that you have one anti-virus installed...they're recommending multiple.

Oh yeah...if Mac is so "perfect", why did Apple release two updates just last week covering 41 different vulnerabilities? And am I the only person who has lost count of the number of times Apple has patched QuickTime alone for vulnerabilities?

Your evidence wouldn't do much more in a courtroom than to give the judge a good chuckle...

internetworld7 said,

Here's my evidence --> http://www.apple.com/getamac/viruses.html Read it, become educated and know what it is to be immune to malware once and for all.

i take it you didnt pay attention to what it read, let me quote a line from the opening paragraph

"While no computer connected to the Internet will ever be 100% immune from attack, Mac OS X has helped the Mac keep its clean bill of health with a superior
UNIX foundation "

and of course MAc is going to say they are great on their own website. thats what they do best

I think this has to be taken on a case-by-case basis. My experience isn't vast, but I have encountered these situations in a lot of different systems. I find the steps differ based on the problem and the system configuration itself.

Some systems, like OEM systems with preinstalled software, are simple to just restore using their built-in or supplied recovery software. It resets them to factory defaults and lets the customer start over from where they bought it. Combined with a USB hard drive (for basic backup), this can be very effective and efficient. Afterwards, most people (not power users) only require a few updates, a couple of web passwords/favorites, and some pictures/music to be backed up and they're ready to rock.

Other systems, especially with tons of added software and configuration, are a major pain to restore back to "working condition" depending on the user needs. These require a lot of work to clean manually. Sadly, most of their problems can be prevented with an external hard drive (or secondary partition) and a $39 copy of Acronis True Image (and this software is provided in a more limited version for free if you own a Seagate or Maxtor hard drive). Whether you start over from scratch, or manually clean these systems, recovery can be a time-waster and a big pain in the ass if you don't plan ahead.

Bare systems, which only have Office/Windows and maybe a few other programs, are simpler to just reinstall. Get a copy of the drivers and keep them on a CD or USB drive, and a quick install of this software can be restored in almost no time at all.

Like I said, just my personal experience, but I'd say these methods work pretty well for me.

Gnome

Working on their hard drive is the big money maker. I usually make the situation look worse than it really is and have them fork over the dough to perform a backup and clean install. You can get some good pocket change doing this. Most I made in a visit was $120. Sure that may be dishonest, but we all know it's about the money! Always for my precious... my... precious...

It's guys like you that make people weary of techs. Thanks a lot.

+1

There is a lot to be said for HONESTY. If you clean them out every time for even the most simple job, they'll end up wanting to go to someone else. Also, if someone else tech savvy in their family finds out how much you've been charging for simple jobs, you might be getting a knock at your door.

RAID 0 said,
It's guys like you that make people weary of techs. Thanks a lot.

+1

reminds me of the guy that charged a friend of my moms $400 to fix her crappy old printer, hello new printer $100

clean install is obviously the only way, but if its someone else machine then do you really trust they know there ISP account details, do you know if they still have there original apps cd/serials etc etc...

Clean install is almost always quicker, easier and safer. Sure, you can try and fix it, but why? This way you'll make sure that that person who has an infected computer gets all the proper updates for their OS and software anyway.

anything short of the blaster virus and the old 500GB external comes out and I backup all their stuff (very few people who ask me to help have more than 200GB of space anyway, let alone documents...(!)) and get involved. Especially on Windows which, when infected, has a lovely tendency to slow right down, nothing feels nicer than a fresh install. The speed, oh the speed!!

I have tried to remove the crap before but it never really works the same again. It faster and easier to just back up all their stuff, and format it. After that I have to give them the lecture about how those "Cool free emotes" they downloaded really ****ed up their computer and how they shouldnt do it again lol. I actually managed to educate one of my Sister's friends mom enough that she doesnt do it anymore! :D.

I would attempt to fix it there and then, the OneCare safety scan... the registry and clean disk etc.. usually do he trick, but if the computer is completely messed up, a good clean install is the easiest and least time consuming way to go. I found that any attempt to fix completely messed computers will lead to corrupt files and system, etc.

If they bring it to me it's usually for overnight so I always reformat. Might as well do it right since I have it at home with all the stuff I need to fix it and plenty time to do so. If I go to their house (which I don't do anymore but that's another story) I would just do whatever it took to clean it up.

Been in this situation many times both professionally, and when helping friends / family out.

It really depends on the situation and how badly trashed the PC is. There is something quite rewarding about rolling your sleeves up and cleaning the system up without having to reinstall..

I tend to gauge it on how cluttered the system is. If they've got documents EVERYWHERE, millions of files, lots of favourites and loads of applications installed i'll generally do my best to clean the system up and make sure once its cleaned up and fully patched.

If there is hardly anything on there and they've got original install discs for everythings its usually quicker to just hose the system and reinstall it from fresh after having backed up their documents, so I can put them back on afterwards.

From a work point of view, when I used to do tech support I almost always used to do the reinstall from an image option. Reasons are fairly obvious. Firstly most of their documents are on network storage anyway.. though I always used to do a sweep for anything stored locally. Secondly.. the time wasted on examining the machine, trying to fix it, etc - the user just wants their computer back so if a fresh install from an image is the quickest way to do that, why waste mine (and their) time with troubleshooting? Now I work as a System Admin so desktop support is (thankfully) a thing of the past

If a machine has ever been compromised then nothing but a full format can ensure it is safe once again as you never know what's truely on it no matter what scanner you use

This is the safest way to go. Once the scanner or av says something is amiss, you can use scanners and whatever to clear the system as much as possible to recover and backup their data. Then a reformat is essential, then you usually also have to install a proper firewall and antivirus and whatever, get them onto Firefox or Opera and give them a lesson in how to avoid this sort of problem in future. Otherwise they'll be back bothering you again in a few months. That's what I do anyways, not saying bad things about IE, it's just I think FF and Opera are safer, especially for noobs.

I disagree. I've fixed computers completely before. Most of the time I do it manually, especially when it's a rather new piece of malware.

Slimy said,
I disagree. I've fixed computers completely before. Most of the time I do it manually, especially when it's a rather new piece of malware.

And how do you know it's completely clean? You don't. Malware writers can write stuff that never gets picked up by scanners and that you might never pick up either - rootkit anyone?

creamhackered said,

And how do you know it's completely clean? You don't. Malware writers can write stuff that never gets picked up by scanners and that you might never pick up either - rootkit anyone?

I track what the malware did, and reverse all its actions. Scanners are good for initial cleanup, but I find cleaning up manually finishes up the job best.

Slimy said,

I track what the malware did, and reverse all its actions. Scanners are good for initial cleanup, but I find cleaning up manually finishes up the job best.

Ah ok, i forgot that all malware leaves nice verbose log files of all its actions so it's easy to remove. Silly me.

creamhackered said,

Ah ok, i forgot that all malware leaves nice verbose log files of all its actions so it's easy to remove. Silly me.

That'd be nice

creamhackered said,
If a machine has ever been compromised then nothing but a full format can ensure it is safe once again as you never know what's truely on it no matter what scanner you use

100% Correct. I work as a PC tech in a retail environment so I see these PC's 2-3 times a day. Ultimately it comes down to efficency and 100% erradication. 2-3 hours for a full system restore + updates (and 100% sure its gone) versus 10+ hours of running scanner after scanner only to find you still havent gotten all of it.

Yes, you CAN in fact track down and eliminate malware from a system; However its slow and you can never be certain you didn't overlook something somewhere. So why waste the time doing it unless there is a critically important reason to? Important data can usually be backed up onto an external hard drive then scanned/cleaned while the PC restore's, afterwards you copy the "safe" data back onto the restored PC.

If you were getting paid to do this for a living and you had a choice of spending 10+ hours manually doing it or 2-3 hours doing a restore, both for the same $130, which would you do? Customer satisfaction in the fast turn around time + 100% gaurantee its gone... its a no brainer.

i have to agree with a full system fomat on this one, i tend to disagree withh the fact it is possible to clean up a system completely once its been compromised, maybe with a whole bunch of effort which simply aint worth it considering there is never a guarantee its clean, who knows whats got itself hidden away, unless u do a full format.