Posted: 4/26/2015 1:12:55 PM EDT
[Last Edit: 4/26/2015 1:13:15 PM EDT by geegee]
Wow, this is annoying. I use free Malwarebytes to remove it, but then it reappears. Also tried Junkware Removal Tool and then found out that JRT will add PUP as it runs.

Am I using the wrong programs or is it just because I'm only using the free anti-malware programs and not those fully paid, which might defeat this crap?
Link Posted: 4/26/2015 3:08:26 PM EDT
[Last Edit: 4/26/2015 3:09:20 PM EDT by Angry-American]
More than likely you have a browser plugin still running in Chrome or Firefox that is reinfecting you. Another thing I have seen is the browser shortcut in Windows is changed by the AV and will reinfect you just by clicking the button.

JRT does not add PUPs as it runs, it is a very GTG tool, I used it daily for years. If you downloaded it from somewhere other than BleepingComputer.com then you may have downloaded a version with a wrapper.

Open Firefox and Chrome and uninstall/disable all extensions that you don't know about. If you're not sure, ask, I will let you know if they are safe. Reset IE back to defaults. Then:

http://www.bleepingcomputer.com/download/rkill/dl/10/

http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/

http://www.bleepingcomputer.com/download/adwcleaner/dl/125/

Download and run those three, in order. After the final reboot, run Malwarebytes in full scan mode. Once done, to be sure you are clean, run this:

https://www.emsisoft.com/en/software/eek/download/

Once you download it, run the update, then run the full scan, it may take several hours to run.

If it comes back after this, then you will probably need a pro to look at your machine.
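
The first step in the post above is to find the extension that keeps putting the PUP back, and to check whether the browser shortcut itself has been tampered with. The Python below is an added example for this thread, not code from the post or from any of the tools linked above. It assumes the layout of Chrome's per-profile Preferences JSON (one record per extension under extensions.settings.<id> with manifest, state, location and from_webstore keys; current builds keep the same records in Secure Preferences) and the meaning of the numeric location codes, which follow Chromium's extension Location enum as understood here. The sample profile, extension IDs and names are constructed. The shortcut check only inspects an Arguments string the caller has already read out of the .lnk.

```python
"""Chrome extension audit and browser-shortcut check.

Added example for this thread, not code from any tool linked above.
Assumed layout of Chrome's per-profile "Preferences" JSON (current builds
keep the same records in "Secure Preferences"): one record per extension
under extensions.settings.<id> with "manifest", "state", "location" and
"from_webstore" keys. The location codes below follow Chromium's
extension Location enum as understood here; verify against your build.
"""
import json

STATE_ENABLED = 1

# Install-location codes (assumption: Chromium's extensions::Location).
LOCATION_NAMES = {
    1: "internal (installed by the user, e.g. from the Web Store)",
    2: "external_pref (sideloaded via a JSON file in the extensions dir)",
    3: "external_registry (sideloaded via the Windows registry)",
    4: "unpacked (developer mode, loaded from a folder on disk)",
    5: "component (bundled with Chrome)",
    6: "external_pref_download",
    7: "external_policy_download",
    8: "command_line (--load-extension)",
    9: "external_policy",
    10: "external_component",
}
BUNDLED_LOCATIONS = {5, 10}           # ship with Chrome, never user-installed
SIDELOAD_LOCATIONS = {2, 3, 4, 6, 8}  # classic PUP installer vectors
# Permissions that let an extension read or rewrite every page you visit.
BROAD_PERMISSIONS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}


def audit_extensions(preferences_text, allowlist=frozenset()):
    """Return findings for extensions that look sideloaded or over-privileged."""
    prefs = json.loads(preferences_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, rec in sorted(settings.items()):
        location = rec.get("location")
        if ext_id in allowlist or location in BUNDLED_LOCATIONS:
            continue
        manifest = rec.get("manifest", {})
        reasons = []
        if not rec.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if location in SIDELOAD_LOCATIONS:
            reasons.append("install location: " + LOCATION_NAMES[location])
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        broad = sorted(perms & BROAD_PERMISSIONS)
        if broad:
            reasons.append("can read and modify every site: " + ", ".join(broad))
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "<unnamed>"),
                "version": manifest.get("version", "?"),
                "enabled": rec.get("state") == STATE_ENABLED,
                "path": rec.get("path", ""),
                "reasons": reasons,
            })
    return findings


def shortcut_looks_hijacked(arguments):
    """True if a browser shortcut's Arguments field injects a page, proxy or extension.

    The caller reads the .lnk Arguments string first (for example with the
    WScript.Shell COM object from PowerShell). A stock Chrome shortcut has no
    arguments; a profile shortcut carries only --profile-directory.
    """
    args = arguments.strip().lower()
    markers = ("http://", "https://", "--load-extension", "--proxy-server",
               "--proxy-pac-url", "--disable-extensions-except")
    return any(marker in args for marker in markers)


# Constructed sample profile (IDs and names invented): one Web Store
# extension, one bundled component, and one extension an installer dropped
# in through the registry.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": True, "location": 1, "state": 1,
        "manifest": {"name": "Tab Notes", "version": "2.1",
                     "permissions": ["storage", "tabs"]},
    },
    "componentcomponentcomponentcompo": {
        "from_webstore": False, "location": 5, "state": 1,
        "manifest": {"name": "Bundled Viewer", "version": "1.0"},
    },
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "from_webstore": False, "location": 3, "state": 1,
        "path": "C:\\ProgramData\\SavingsHelper\\ext",
        "manifest": {"name": "Savings Helper", "version": "4.0.7",
                     "permissions": ["<all_urls>", "webRequest", "webRequestBlocking"]},
    },
}}})


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFERENCES):
        state = "enabled" if finding["enabled"] else "disabled"
        print(f'{finding["id"]}  {finding["name"]} {finding["version"]} ({state})')
        for reason in finding["reasons"]:
            print("   -", reason)
    print("shortcut hijacked:", shortcut_looks_hijacked('"http://search.example/?q="'))
```

Run it against the real Preferences file of each Chrome profile (and each Windows user, since the sideloaded entry usually lives under every profile the installer could reach). Disabling the extension in the browser UI is not enough when the install location is the registry: the registry key or the JSON in the external extensions folder has to go too, or Chrome will pick it up again, which is the reinfection loop described above.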

Link Posted: 4/26/2015 3:40:05 PM EDT
Thanks for that detailed answer. I should have said I use Chrome, but I'm off to put this in motion and will report back.
Link Posted: 4/26/2015 6:59:38 PM EDT
The ONLY appropriate response to a malware infection is to wipe and reload. That's it. Running AV software and hoping you're clean afterwards is ill-advised.
Link Posted: 4/26/2015 7:19:08 PM EDT
Still there.
Link Posted: 4/26/2015 10:03:58 PM EDT
Originally Posted By Josh:
The ONLY appropriate response to a malware infection is to wipe and reload. That's it. Running AV software and hoping you're clean afterwards is ill-advised.
I did this kind of thing for over 10 years, very rarely did it warrant a reload.
Link Posted: 4/26/2015 10:06:15 PM EDT
Originally Posted By geegee:
Still there.
Sorry it's still there. I know I could kill it, however I am several states north of you.

My suggestion is to either go to this forum and ask for help, or take it to a pro to get cleaned up.

This is the only forum I would trust for advice, they have some damn good people there. Let us know how it goes.

http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/
Link Posted: 4/26/2015 10:13:06 PM EDT
Originally Posted By Angry-American:
I did this kind of thing for over 10 years, very rarely did it warrant a reload.
I've done it for 25, it always warrants a reload. You may take other actions, you may even think your other actions are justified and fixed the problem. Sometimes you might actually have fixed the problem -- many times you did not, you simply removed the infection vector that put the real compromise in place, and the machine remains compromised and continues to do what its master in Russia or China wants it to do.

Link Posted: 4/26/2015 10:28:21 PM EDT
Originally Posted By Josh:
I've done it for 25, it always warrants a reload. You may take other actions, you may even think your other actions are justified and fixed the problem. Sometimes you might actually have fixed the problem -- many times you did not, you simply removed the infection vector that put the real compromise in place, and the machine remains compromised and continues to do what its master in Russia or China wants it to do.

While frustrating, this is true.

Unless you absolutely know what you're doing and are confident in your registry and process searches (manual) there's just no way to be certain.

Even if you were capable of 100% removal, many times it's faster to wipe & reinstall.


Having said that, on most client PCs I repair, I knock out the symptomatic issues and anything else that catches my attention and they're happy. Many people simply don't have backups or don't understand why a wipe is recommended.
Link Posted: 4/27/2015 7:15:26 AM EDT
Originally Posted By Josh:
I've done it for 25, it always warrants a reload. You may take other actions, you may even think your other actions are justified and fixed the problem. Sometimes you might actually have fixed the problem -- many times you did not, you simply removed the infection vector that put the real compromise in place, and the machine remains compromised and continues to do what its master in Russia or China wants it to do.

I will just have to agree to disagree then, this isn't GD after all ;-) It's pretty easy to know whether a machine is clean or not. I am just damn glad I don't have to do it as my bread and butter any more.
Link Posted: 4/27/2015 7:48:50 AM EDT
If the system will run programs, try IObit's, without the system cleaner, or some other decent uninstaller; Revo works here also.
If it shows up as an installed program you can whack it and clean out most of its leftover registry crap, most of the time.
You can also use IObit's to uninstall toolbars and plugins.
Then you can hit the system with Malwarebytes and SuperAntiSpyware.
Doing a cleanup like this is also a good time to toss all the preloaded crapware overboard.

I balance cleanups with dynamite and rebuilds.
Sometimes it's cheaper for me to rebuild than to spend hours trying to clean up a trashed system.

Link Posted: 4/27/2015 9:52:24 PM EDT
Originally Posted By Angry-American:
I will just have to agree to disagree then, this isn't GD after all ;-) It's pretty easy to know whether a machine is clean or not. I am just damn glad I don't have to do it as my bread and butter any more.
The statement I highlighted makes assumptions that are unfounded and incorrect.

I'm an expert with the majority of my life spent in this field, and I'm telling you that even I cannot determine that to any degree of certainty -- especially not on a machine that has no configuration control prior to the compromise. The only way to determine that is to have a full record of every file on the machine, hash values for every file on the machine prior to the compromise, and be able to compare every one of those afterwards to find out what changed -- and even that isn't enough, as there are types of compromise that leave no traces in the filesystem of the machine now (you can't really fix those at all, unfortunately -- even a wipe and reload won't correct a BIOS compromise or a drive firmware compromise).

Wipe and reload remains the only correct answer to any compromise, and even that is now just a start and not a final solution.
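
The post above describes the only rigorous way to answer "is it clean": a hash of every file taken before, compared with every file after. As an added example for this thread (not code from the post), the Python below builds that manifest, stores it as JSON off the audited disk, and reports added, removed and modified paths. The tree it hashes in demo() is constructed in a temporary directory; the file names are invented.

```python
"""File-integrity baseline and comparison.

Added example for this thread, not code from the post. It records a
SHA-256 for every regular file under a root, stores the result as JSON,
and later diffs a fresh manifest against it. The sample tree in demo()
is constructed.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of one file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative, POSIX-style path) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # links and special files are not content
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    """Persist a manifest; keep this file OFF the machine being audited."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(manifest, handle, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as handle:
        return json.load(handle)


def compare_manifests(baseline, current):
    """Classify paths as added, removed or modified between two manifests."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Constructed walk-through: baseline a tiny tree, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(data)

        # 1. Known-clean state (constructed files).
        write("bin/app.exe", b"MZ original program bytes")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        write("docs/notes.txt", b"nothing interesting\n")
        baseline_file = os.path.join(store, "baseline.json")  # separate location
        save_manifest(build_manifest(root), baseline_file)

        # 2. What an infection (or a cleanup tool) might do afterwards.
        write("bin/app.exe", b"MZ patched program bytes")   # binary replaced in place
        write("bin/updater.exe", b"MZ brand new dropper")  # new file appeared
        os.remove(os.path.join(root, "docs", "notes.txt"))  # file deleted

        # 3. Re-hash and compare against the stored baseline.
        return compare_manifests(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}", ", ".join(paths) or "-")
```

Two caveats a practitioner will want. The hashing has to run from media you trust, with the suspect disk mounted read-only, because a kernel-level rootkit on the running system can hand the hasher clean bytes; that is the same limitation the post raises for BIOS and drive firmware, which this check cannot see at all. And legitimate patching also shows up as modified, so the baseline needs refreshing after updates, or the modified set has to be compared against vendor-published hashes before anything is called an infection.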
Link Posted: 4/27/2015 10:31:18 PM EDT
Originally Posted By geegee:
Thanks for that detailed answer. I should have said I use Chrome, but I'm off to put this in motion and will report back.
If you are logged in to Chrome in multiple places it can be h-ll to get rid of. Log out of ALL. Log in to one. Clean it up. Then when you log in to the others, it won't reinfect your settings.
Link Posted: 4/27/2015 10:44:22 PM EDT
Originally Posted By Josh:
The statement I highlighted makes assumptions that are unfounded and incorrect.

I'm an expert with the majority of my life spent in this field, and I'm telling you that even I cannot determine that to any degree of certainty -- especially not on a machine that has no configuration control prior to the compromise. The only way to determine that is to have a full record of every file on the machine, hash values for every file on the machine prior to the compromise, and be able to compare every one of those afterwards to find out what changed -- and even that isn't enough, as there are types of compromise that leave no traces in the filesystem of the machine now (you can't really fix those at all, unfortunately -- even a wipe and reload won't correct a BIOS compromise or a drive firmware compromise).

Wipe and reload remains the only correct answer to any compromise, and even that is now just a start and not a final solution.
In consumer/residential sphere, you do the best you can and make them sign your terms and conditions. I agree with you, but you still gotta be practical.
Link Posted: 4/28/2015 12:13:00 AM EDT
Originally Posted By Enigma102083:

In consumer/residential sphere, you do the best you can and make them sign your terms and conditions. I agree with you, but you still gotta be practical.
That's a fair point and why I refuse to work on people's windows machines...
Link Posted: 4/28/2015 11:45:00 AM EDT
Originally Posted By Josh:
That's a fair point and why I refuse to work on people's windows machines...
As I suspected. There is a difference between working in the IT field, and actually removing malware as 80 percent or better of your job for over 10 years. I am by no means saying I am close to an expert, but most of my time was spent repairing Windows machines used by consumers and to a smaller extent small business users. I won't try to justify my experience and my techniques. Suffice it to say, what I have done, although considered by the rest of the IT world as the bottom of the IT barrel, has given me a ton more experience than someone who has been a network administrator, programmer, or the like in the area of malware removal. I can easily say that the number of machines I have cleaned over the years has to be in the 5 figure range somewhere.

I no longer do what I used to, took a job working as a network admin for a small company about a month ago and I am enjoying the change immensely. I appreciate your input, I hope you have a great week.
Link Posted: 4/28/2015 9:23:36 PM EDT
See I'm kinda in the middle on this because I know that Josh is right from a technical perspective. You really cannot be 100% sure the machine is clean; there are things out there that would make you piss yourself with their capabilities. But at the same time, I've been that guy who's cleaned up thousands and thousands of machines infected with generic malware. In the corporate/government spheres that can support the infrastructure to do it, absolutely nuke/pave with your MDS/PXE/SCCM/whatever solution where you just kill it and deploy your golden image. No sense wasting the time cleaning the machine and running the risk of missing a targeted, highly evolved surveillance package. However, Granny Smith really can't afford what it costs to have a tech inventory the software/files, pull backups of them, nuke/pave, and restore everything when your typical shop rate is 75-100 bucks an hour. So you charge her a flat rate of $150, slap it on your bench, throw in TechWARU or D7, run your bank of automated clean-up/removal tools, have her sign the terms and conditions and send her on her way with a working laptop that may or may not be spying on her for the KGB.

And don't kid yourself about Macs either, there are plenty of them that come in for virus clean up, sure it's around 7-10% (I could pull the actual metrics if you're curious Josh) the number of Windows boxes, but it does happen often enough that the tools are included with your Tech Repair solutions now.
Link Posted: 4/28/2015 9:46:35 PM EDT
Originally Posted By Enigma102083:
See I'm kinda in the middle on this because I know that Josh is right from a technical perspective. You really cannot be 100% sure the machine is clean; there are things out there that would make you piss yourself with their capabilities. But at the same time, I've been that guy who's cleaned up thousands and thousands of machines infected with generic malware. In the corporate/government spheres that can support the infrastructure to do it, absolutely nuke/pave with your MDS/PXE/SCCM/whatever solution where you just kill it and deploy your golden image. No sense wasting the time cleaning the machine and running the risk of missing a targeted, highly evolved surveillance package. However, Granny Smith really can't afford what it costs to have a tech inventory the software/files, pull backups of them, nuke/pave, and restore everything when your typical shop rate is 75-100 bucks an hour. So you charge her a flat rate of $150, slap it on your bench, throw in TechWARU or D7, run your bank of automated clean-up/removal tools, have her sign the terms and conditions and send her on her way with a working laptop that may or may not be spying on her for the KGB.

And don't kid yourself about Macs either, there are plenty of them that come in for virus clean up, sure it's around 7-10% (I could pull the actual metrics if you're curious Josh) the number of Windows boxes, but it does happen often enough that the tools are included with your Tech Repair solutions now.
I know there's malware out there for Macs, it's just such a small amount and most of it requires that the user actually manually intervene and enter passwords to escalate privileges to load it... I have little sympathy for stupidity, even in users -- I expect it, but I don't really cater to it.

I've had to do a fuckton of Windows as well, it's so much easier for me to just wipe it and be done with it. I'm kind of an asshole at that, I just explain to the user that they're going to lose files, maybe I can do a backup of their My Documents folder and get rid of all executables (which even now is becoming a pain as PDF files are executables, and there are so many ways to get executable code into Office and other files).
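
The "keep the documents, drop the executables" backup described above is harder than it sounds because, as the post says, PDFs and Office files can carry code. The Python below is an added example for this thread, not code from the post: it sorts files by what their bytes contain rather than by extension (PE/ELF headers, PDF action keywords, a VBA project inside an OOXML zip, legacy OLE containers) and splits a backup into restore and quarantine piles. The keyword matching is a heuristic, not a PDF parser, and every sample file is constructed inline.

```python
"""Content-based triage of files before restoring them to a rebuilt machine.

Added example for this thread, not code from the post. Classification is
by file content, not extension. PDF keyword matching is a heuristic that
will miss obfuscated files; treat "quarantine" as "inspect by hand".
"""
import io
import re
import zipfile

PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # .doc/.xls/.ppt era containers
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML and ordinary archives
# PDF name objects that run code or trigger an action when the file opens.
PDF_ACTION_RE = re.compile(rb"/(JavaScript|JS|OpenAction|Launch|AA|EmbeddedFile)\b")

SAFE_TO_RESTORE = {"document", "data"}


def classify(data):
    """Return (category, reason) for a file's bytes."""
    if data.startswith(PE_MAGIC):
        return "executable", "PE image (MZ header), whatever the extension says"
    if data.startswith(ELF_MAGIC):
        return "executable", "ELF image"
    if data.startswith(b"%PDF"):
        hits = sorted({m.group(1).decode() for m in PDF_ACTION_RE.finditer(data)})
        if hits:
            return "pdf-active", "PDF with action keywords: " + ", ".join(hits)
        return "document", "PDF without action keywords"
    if data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "unknown", "zip signature but the archive is unreadable"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "office-macro", "OOXML package containing a VBA project"
        if "[Content_Types].xml" in names:
            return "document", "OOXML package without a VBA project"
        return "archive", "zip archive; members need their own triage"
    if data.startswith(OLE_MAGIC):
        return "office-legacy", "OLE compound file; may hold VBA, inspect before restoring"
    return "data", "no executable markers found"


def plan_restore(files):
    """Split {name: bytes} into (restore, quarantine) lists of (name, category, reason)."""
    restore, quarantine = [], []
    for name, data in sorted(files.items()):
        category, reason = classify(data)
        target = restore if category in SAFE_TO_RESTORE else quarantine
        target.append((name, category, reason))
    return restore, quarantine


def build_ooxml(with_macro):
    """Build a minimal OOXML-style zip in memory (constructed, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 vba streams")
    return buf.getvalue()


# Constructed sample "backup" pulled from a suspect machine.
SAMPLE_FILES = {
    "report.pdf": (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                   b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"),
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "resume.docx": build_ooxml(with_macro=False),
    "macros.docm": build_ooxml(with_macro=True),
    "vacation.jpg": b"MZ\x90\x00\x03\x00\x00\x00 PE stub renamed to look like a picture",
}


if __name__ == "__main__":
    restore, quarantine = plan_restore(SAMPLE_FILES)
    for label, items in (("RESTORE", restore), ("QUARANTINE", quarantine)):
        print(label)
        for name, category, reason in items:
            print(f"  {name:14s} {category:14s} {reason}")
```

The categories are deliberately conservative: a zip archive and a legacy .doc both land in quarantine because their contents have to be looked at separately, and a PDF with only an /OpenAction is flagged even though it may be harmless. That errs in the direction the post argues for, losing a file rather than carrying the compromise onto the fresh install.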

Link Posted: 4/28/2015 9:47:17 PM EDT
Originally Posted By Angry-American:
As I suspected. There is a difference between working in the IT field, and actually removing malware as 80 percent or better of your job for over 10 years. I am by no means saying I am close to an expert, but most of my time was spent repairing Windows machines used by consumers and to a smaller extent small business users. I wont try to justify my experience and my techniques. Suffice it to say, what I have done, although considered by the rest of the IT world as the bottom of the IT barrel, has given me a ton more experience than someone who has been a network administrator, programmer, or the like in the area of malware removal. I can easily say that the number of machines I have cleaned over the years has to be in the 5 figure range somewhere.

I no longer do what I used to, took a job working as a network admin for a small company about a month ago and I am enjoying the change immensely. I appreciate your input, I hope you have a great week.
Just because I won't do it now doesn't mean I never did it...

Link Posted: 4/28/2015 9:52:07 PM EDT
Originally Posted By Josh:
I know there's malware out there for Macs, it's just such a small amount and most of it requires that the user actually manually intervene and enter passwords to escalate privileges to load it... I have little sympathy for stupidity, even in users -- I expect it, but I don't really cater to it.

I've had to do a fuckton of Windows as well, it's so much easier for me to just wipe it and be done with it. I'm kind of an asshole at that, I just explain to the user that they're going to lose files, maybe I can do a backup of their My Documents folder and get rid of all executables (which even now is becoming a pain as PDF files are executables, and there are so many ways to get executable code into Office and other files).

The automated solutions are great these days: you stick in a USB stick, enter a customer name and ticket number, click start and walk away. Every 15 seconds a screenshot pushes to your dashboard so you can keep an eye on what's going on; when it's done it will reboot itself and the ticket is automatically updated. You can do as many at a time as you want, and at $150 each you can turn it into a real money making racket.
Link Posted: 4/28/2015 9:55:56 PM EDT
Originally Posted By Enigma102083:
The automated solutions are great these days: you stick in a USB stick, enter a customer name and ticket number, click start and walk away. Every 15 seconds a screenshot pushes to your dashboard so you can keep an eye on what's going on; when it's done it will reboot itself and the ticket is automatically updated. You can do as many at a time as you want, and at $150 each you can turn it into a real money making racket.
Nice...
Link Posted: 4/28/2015 9:58:26 PM EDT
Originally Posted By Enigma102083:
The automated solutions are great these days: you stick in a USB stick, enter a customer name and ticket number, click start and walk away. Every 15 seconds a screenshot pushes to your dashboard so you can keep an eye on what's going on; when it's done it will reboot itself and the ticket is automatically updated. You can do as many at a time as you want, and at $150 each you can turn it into a real money making racket.
I never did anything so fancy. A few batch files to automate things, other than that it was hands on between scans. I haven't found anything that will automate removing the bad programs first before scanning. I always found hands on was a good way to play with the machine to see how it was doing on the cleanup as well.

We have two machines at work that I found are fubared from previous malware cleanup attempts, they are getting nuked. The only problem is work uses so much specialized and one-off software that the reinstall is going to be a bitch. I have found out why the new job requires 1.5 IT techs for such a small network. It's keeping the damn software running. Between all the SQL databases that the various software packages use, along with all the customizations and virtually no documentation, the next few days should be fun. The vendors don't like to help much either, so it's learn and document the hard way.
Link Posted: 4/28/2015 10:09:40 PM EDT
Originally Posted By Josh:
Nice...

I've seriously kicked around the idea of spinning up a bunch of cloud-based tools to facilitate automated malware cleanup, recruiting a small army of techy teenagers from high schools, paying them minimum wage and having them go door-to-door with iPads with bricks and USB sticks, offering malware cleanup and cloud-managed AV.

I could make millions
Link Posted: 4/29/2015 6:25:51 AM EDT
Link Posted: 4/29/2015 9:44:00 PM EDT
Originally Posted By blwngazkit:
While frustrating, this is true.

Unless you absolutely know what you're doing and are confident in your registry and process searches (manual) there's just no way to be certain.

Even if you were capable of 100% removal, many times it's faster to wipe & reinstall.

Having said that, on most client PCs I repair, I knock out the symptomatic issues and anything else that catches my attention and they're happy. Many people simply don't have backups or don't understand why a wipe is recommended.

If a nuke and pave is quicker than automated removal, you're probably doing it wrong. But I won't definitively say that unless I knew your process.
Link Posted: 4/29/2015 11:20:34 PM EDT
This thread makes me want to stab people. If it wasn't for assholes, I wouldn't be fiddle-fucking my way through PowerShell trying to configure the firewall for reverse proxy on my little 2012 Core VM.

I am in the nuke it camp. But in practical terms, I'm in the get your annoying ass out of my office ASAP camp.

ComboFix ftw!
Link Posted: 4/30/2015 9:42:52 AM EDT
If a nuke and pave is quicker than automated removal, you're probably doing it wrong. But I won't definitively say that unless I knew your process.


In the past I've been able to move data off the user's workstation to the network, then push down a new disk image in less time than it takes to perform a full scan. Most of the core user applications are on the image, so only a few programs need hands-on installation or personalization. Even then we had a guy at the helpdesk who was able to script "hands off" installs, so the helpdesk could send a user a list of links to click on to reinstall their applications.
Link Posted: 4/30/2015 10:43:22 AM EDT
Originally Posted By Moondog:
In the past I've been able to move data off the user's workstation to the network, then push down a new disk image in less time than it takes to perform a full scan. Most of the core user applications are on the image, so only a few programs need hands-on installation or personalization. Even then we had a guy at the helpdesk who was able to script "hands off" installs, so the helpdesk could send a user a list of links to click on to reinstall their applications.

Bingo!

Pushing a clean disk image with everything installed and then transferring user docs is pretty fast; much faster than 1+ full system scans.
Link Posted: 4/30/2015 10:53:21 AM EDT
Originally Posted By Moondog:
In the past I've been able to move data off the user's workstation to the network, then push down a new disk image in less time than it takes to perform a full scan. Most of the core user applications are on the image, so only a few programs need hands-on installation or personalization. Even then we had a guy at the helpdesk who was able to script "hands off" installs, so the helpdesk could send a user a list of links to click on to reinstall their applications.

See there you go. That's the right way to do it. Have your Corp image and just use folder redirection or profile backup script.
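A profile backup script in the spirit of the "back up the documents, reimage, restore" workflow discussed in this thread, as an added example that is not from the thread or any poster; the profile path, the quarantine share and the extension lists are assumptions. It copies a user's Documents folder to a share before the nuke and pave, refuses plain executables and scripts, flags document formats that can still carry active content (the PDF and Office macro point raised earlier) for review, and logs a SHA-256 per file so the restore can be verified.

```powershell
# Added example (not from the thread): stage a user's Documents folder on a share
# before reimaging, skipping file types that can carry executable code.
# Paths and extension lists are assumptions; adjust them to your environment.
param(
    [string]$Source      = "C:\Users\gsmith\Documents",                      # hypothetical profile path
    [string]$Destination = "\\fileserver\quarantine\gsmith\Documents",       # hypothetical share
    [string]$LogPath     = "\\fileserver\quarantine\gsmith\backup-log.csv"   # hypothetical log location
)

# Plain executables, scripts and shortcuts: never copied to the clean machine.
$Blocked = @('.exe','.dll','.scr','.com','.pif','.bat','.cmd','.ps1','.vbs',
             '.js','.jse','.wsf','.hta','.msi','.jar','.lnk')
# Document formats that can still carry macros, embedded objects or JavaScript:
# copied, but tagged so the technician reviews them before handing them back.
$Review  = @('.docm','.xlsm','.pptm','.dotm','.xlam','.pdf')

$log = New-Object System.Collections.Generic.List[object]

Get-ChildItem -Path $Source -File -Recurse -Force | ForEach-Object {
    $ext      = $_.Extension.ToLowerInvariant()
    $relative = $_.FullName.Substring($Source.TrimEnd('\').Length + 1)
    $target   = Join-Path $Destination $relative

    if ($Blocked -contains $ext) {
        $action = 'skipped'
    } else {
        New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $_.FullName -Destination $target -Force
        $action = if ($Review -contains $ext) { 'copied-review' } else { 'copied' }
    }
    # Record a hash next to the decision so the restore can be checked against the original.
    $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    $log.Add([pscustomobject]@{
        Path = $relative; Extension = $ext; Action = $action; SHA256 = $hash; Bytes = $_.Length
    })
}

$log | Export-Csv -Path $LogPath -NoTypeInformation
# Summary for the ticket: how many files were copied, flagged for review, or refused.
$log | Group-Object Action | Select-Object Name, Count
```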