Page 2 of 3 (results 17 to 32 of 38)

Thread: Is there *any* decent way to remove viruses and spyware from massively infected PCs?

  1. #17 godsdog (Senior Member, joined Jul 2007)

    Originally posted by Mike Fishcake:
    Yeah; I've no doubt it's *possible* to do it, but it depends on the amount of time it takes. If it's the sort of thing that's going to take several hours then not many people are going to want to pay the cost of several hours' labour when they could just pay 1-2 hours for a backup/reinstallation/AVG install/Windows update depending on how much stuff they need doing.

    You're in the driving seat. You explain what's happened, what needs doing, what the options are. Be up front and let them decide. Usually you can tell how long a job is going to take by the time you've run a few diagnostic tools. I'd have said if you can't nail an infected box using HJT etc., etc. in an hour and a bit and it's going to seriously disrupt your schedule, then that conversation takes place and it's a take-it-from-there job.

    An updated spywareblaster is a pretty good preventative tool. But you are trusting the owner to regularly update programs that need manually updating.

  2. #18 Mike Fishcake (Guest)

    Fuddam - done, done and done

    All this advice is good though; if anything to give any other people reading ideas about what they can do!

    Godsdog - Yep, that's pretty much the way we stand at the moment - run several tests on it to find out what's going on and whether it's appropriate to sort stuff out that way; then end up swearing at it and doing a reinstall anyway

  3. #19 Paul Adams (Ex-MSFT, joined Jul 2003)

    The only way to be sure a machine is cleansed is to reinstall, then optionally restore from a recent backup.

    This is the course of action I recommend to all customers that get infected - there is no way to be certain everything was found & removed, that data is intact, services/permissions changed or other malicious damage was done that no security product under the sun can point out for you.

    Because of this, it would be impossible to guarantee an infected machine is 100% clean when returning it to an end-user, and it might be considered leaving yourself liable if such a claim was made and it gets reinfected.

  4. #20 iranu (Senior Amoeba, joined Oct 2003)

    I would look at it from another perspective. How long does it take you to back up a customer's data, format and reinstall the OS (and anything else)? If dealing with the infection by trying to remove all the nasties is going to take longer, then nuke it.

    So on an individual basis it's a case of examining the extent of infection and estimating the time needed to deal with it against the time it takes to back up, format, reinstall. Bearing in mind that after all the time you have spent so far you still haven't gotten rid of the worst cases, you can never know how long it will take on any machine. On a £/hr basis the customer is never going to know what the total cost will be, and nor will you until you are satisfied it's virus/malware free.

    From a business point of view I'd have a backup, format and reinstall policy. It's easier to cost and easier to manage, and therefore the customer knows exactly where they stand, as would you. By all means run the tests to see how bad the infection may be, but make the judgement at that point.

    Then flog them a router, your time to install anti-spyware/antivirus and configure the machine. Perhaps give them an A4 information sheet of internet security advice etc.

  5. #21 tigerboyce (Squirrely, joined Jan 2007)

    1. unplug modem
    2. format, re-install
    3. leave modem out, cancel isp subscription.

    lol j/k, but it's the only way tbh. There isn't a lot you can really do from what you haven't already done: removing all the culprit programs, running various anti-virus and anti-spyware programs, and that's all you can really do apart from formatting and really keeping the security tight to improve prevention. I just think it's the general person's unawareness of what's really needed.

  6. #22 godsdog (Senior Member, joined Jul 2007)

    Originally posted by Paul Adams:
    The only way to be sure a machine is cleansed is to reinstall, then optionally restore from a recent backup.

    This is the course of action I recommend to all customers that get infected - there is no way to be certain everything was found & removed, that data is intact, services/permissions changed or other malicious damage was done that no security product under the sun can point out for you.

    Because of this, it would be impossible to guarantee an infected machine is 100% clean when returning it to an end-user, and it might be considered leaving yourself liable if such a claim was made and it gets reinfected.

    I'd go along with that for the most part, especially these days with the level of deviousness / sophistication of malware; it kinda makes it a complete waste of time all round not reinstalling. And like you said, leave yourself wide open. It depends on individual circumstances, nature/level of infection(s). I'm not likely to do a complete reinstall of steady, safe-surfing Granny's XP Home Ed complete with family photo albums (no backup) just because her only 6-year-old granddaughter has managed to download a couple of annoying and messy BonziBuddy-type mal/ad/spy/crapware. Horses for courses. Before embarking on any course of action you should be explaining things straight up front to avoid any ambiguity or confusion. ...a blanket reinstall policy certainly does that.

  7. #23 peterb (The late but legendary peterb - Onward and Upward, joined Aug 2005)

    Originally posted by aidanjt:
    Format.. reinstall.. lock down permissions... don't install shareware/p0rnware/dodgy freeware. Some worms might still creep in through badly designed core services or whatnot. For true peace of mind, you need an OS that doesn't have the virus feature built in.

    And NEVER use admin privileges unless you really need them (for admin purposes). Use a low privilege account for every day use.
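
    As an added example of the account-separation advice in this post (my code, not peterb's or anything else posted in the thread): a PowerShell check that lists which accounts currently hold local admin rights, reports whether the current session is elevated, and creates a standard account for everyday use, verifying afterwards that it did not land in Administrators. It assumes Windows 10 / Server 2016 or later (the LocalAccounts cmdlets) and an elevated prompt; the account name is a placeholder you choose.

```powershell
# Added example, not from the thread. Assumes Windows 10 / Server 2016 or later
# (Microsoft.PowerShell.LocalAccounts module); on older systems the same
# information comes from `net localgroup Administrators` and `net user`.

function Test-Elevated {
    # True when the current PowerShell session is running with admin rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminAccounts {
    # Every user account (local or domain) that currently holds local admin
    # rights. Any of these used for day-to-day browsing is the exposure the
    # post describes.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object {
            $local = Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name    = $_.Name
                Source  = $_.PrincipalSource
                Enabled = if ($local) { $local.Enabled } else { 'n/a' }
            }
        }
}

function New-DailyUseAccount {
    # Creates a standard (non-admin) account and verifies it did not end up in
    # Administrators. Needs an elevated prompt; $Name is whatever you choose.
    param([Parameter(Mandatory)][string]$Name)

    if (-not (Test-Elevated)) { throw 'Run this from an elevated prompt.' }

    $password = Read-Host -AsSecureString "Password for $Name"
    New-LocalUser -Name $Name -Password $password `
        -Description 'Standard account for everyday use' | Out-Null
    # New-LocalUser puts the account in no group by default; Users is the
    # standard, non-privileged group.
    Add-LocalGroupMember -Group 'Users' -Member $Name

    $isAdmin = Get-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue
    if ($isAdmin) { throw "$Name unexpectedly ended up in the Administrators group" }
    return Get-LocalUser -Name $Name
}

# Usage: report first, then create the everyday account (name is a placeholder).
"Session elevated: $(Test-Elevated)"
Get-LocalAdminAccounts | Format-Table -AutoSize
# New-DailyUseAccount -Name 'granny'
```

    The report is the useful part on a customer machine: if the only enabled account in the list is the one the family browses with, that is the situation the post warns about, and creating the standard account is the fix.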

  8. #24 bydandie (Registered+, joined Jun 2007)

    Originally posted by peterb:
    And NEVER use admin privileges unless you really need them (for admin purposes). Use a low privilege account for every day use.

    Of course that only works in Vista. Try getting most AV progs or Windows Update to automatically update with a restricted user under XP.

    My recommendation would be to create a Linux live CD with Kaspersky running. Boot from the live CD to bypass the need to remove the HDD. Failing that, check the RunOnce reg keys, use netstat -AOB to find the errant processes, with a backup of important information, scan that info and reinstall.
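
    An added example (mine, not bydandie's or any code from the thread) of the "check the RunOnce keys and netstat" triage described above, in PowerShell: it lists Run/RunOnce autostart entries, flags executables living outside the Windows and Program Files trees, and maps listening and established TCP connections to their owning process. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated prompt; it only reports, so deciding what to remove is still the technician's call.

```powershell
# Added example, not from the thread. Read-only triage of the usual autostart
# registry keys and of TCP connections with their owning process. Assumes an
# elevated prompt and Windows 8 / Server 2012 or later for Get-NetTCPConnection;
# on older systems `netstat -a -n -o -b` (elevated) gives the same PID/executable mapping.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories an autostart executable normally lives in. Anything outside them
# (user profile, Temp, AppData) is not automatically malicious, but it is where
# a reviewer should look first.
$expectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Get-ExecutablePath([string]$Command) {
    # Pull the executable out of a Run value such as `"C:\Tools\x.exe" /silent`
    # or `C:\Tools\x.exe /silent`, expanding %windir%-style variables.
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not a Run value
            $exe = Get-ExecutablePath ([string]$prop.Value)
            $inExpectedRoot = [bool]($expectedRoots | Where-Object { $exe -like "$_\*" })
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Executable = $exe
                Exists     = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
                Review     = -not $inExpectedRoot
            }
        }
    }
}

function Get-NetworkProcesses {
    # Listening and established TCP sockets joined to the process that owns them.
    Get-NetTCPConnection -State Listen, Established |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                State         = $_.State
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                PID           = $_.OwningProcess
                Process       = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path          = if ($proc) { $proc.Path } else { $null }
            }
        } | Sort-Object State, LocalPort
}

# Usage: flagged autostart entries first, then the socket-to-process map.
Get-AutostartEntries | Sort-Object Review -Descending | Format-Table -AutoSize
Get-NetworkProcesses | Format-Table -AutoSize
```

    Two caveats for reading the output: an entry whose executable no longer exists is usually leftover from something already removed rather than a live infection, and an established connection owned by a process with no Path is one the current account cannot inspect, which on an elevated prompt is itself worth a second look. Services and scheduled tasks are not covered here and need their own pass.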

  9. #25 aidanjt (Gentoo Ricer, joined Jan 2005, Galway)

    Originally posted by bydandie:
    Of course that only works in Vista. Try getting most AV progs or Windows Update to automatically update with a restricted user under XP.

    My recommendation would be to create a Linux live CD with Kaspersky running. Boot from the live CD to bypass the need to remove the HDD. Failing that, check the RunOnce reg keys, use netstat -AOB to find the errant processes, with a backup of important information, scan that info and reinstall.

    Then you should email ${AV_AUTHOR} and tell them their software is a big pile of bovine excrement, and that it doesn't work properly with proper use of permissions. The fact that nearly every idiot with a Windows computer runs around with full administrative privileges is why there's so many viruses for Windows, and horribly insecure software just makes matters worse. It's also half the reason why UAC exists in Vista (and UAC is recommended in place where common sense should). In fact, it seems Microsoft is planning to do away with the Administrator user in the long run.

  10. #26 bydandie (Registered+, joined Jun 2007)

    Originally posted by aidanjt:
    Then you should email ${AV_AUTHOR} and tell them their software is a big pile of bovine excrement, and that it doesn't work properly with proper use of permissions. The fact that nearly every idiot with a Windows computer runs around with full administrative privileges is why there's so many viruses for Windows, and horribly insecure software just makes matters worse.

    Welcome to the world of software development!

    You may have misread what I was meaning, as I am more than aware of the issues caused by developers creating applications on their systems with full admin privileges, which then means that you need admin rights to run them. Vista has at least started to change from a default local admin account of Administrator, but I'd also like it to ask for a normal user account to be created at the same time, explaining the reasons why.

    The fact remains that all corporates and public systems use apps that require local admin privileges; not Microsoft's fault per se, although they should look at allowing Windows Update to run from a normal user account in XP if they plan to extend support further still with SP3. SP2 causes so much headache as most of the business-critical apps require admin rights.

    Another point relates to the vendors, with most companies requiring that customers reduce their security (e.g. for most NASes, where they lower the NTLM security, which is what a number of malicious apps are doing too!) or have no security (Linksys, for example, which states that connection issues are due to hiding the SSID, changing the SSID from the default and having encryption switched on!). How do the normal users have a chance? QNAP works for me as a NAS with Vista, but most people won't spend £360 to be more secure. Having said that, most UK businesses won't spend the extra time and money to be secure as they rely on their customers to blame the evil hacker rather than the negligent company.

  11. #27 MarcLister (Senior Member, joined Dec 2006, Bedfordshire)

    Originally posted by godsdog:
    An updated spywareblaster is a pretty good preventative tool. But you are trusting the owner to regularly update programs that need manually updating.

    Top tip.

    Spywareblaster does have an automatic update feature though. I know what I'm doing so I don't bother but for a customer's PC this could easily be set up.

    Sorry I can't be of more help to the OP. Can't really improve on the advice in this thread so far. Formatting is the best option I'd say but obviously that can be something you don't want. As for when to stop trying to fix viruses and reformat I'd say just when you feel you can't do anything about it within a reasonable time then tell the customer and give them their options.

  12. #28 godsdog (Senior Member, joined Jul 2007)

    Originally posted by MarcLister:
    Top tip.

    Spywareblaster does have an automatic update feature though. I know what I'm doing so I don't bother but for a customer's PC this could easily be set up.

    http://www.javacoolsoftware.com/sbhowtoupdate.html

    "If you would like the convenience of the AutoUpdate feature, more information can be found in SpywareBlaster itself. (Click on the "Updates" tab, and then the "AutoUpdate" tab.)

    A SpywareBlaster AutoUpdate subscription is $9.95 (US) per computer, per year, and is good on the computer from which it is purchased."

    Spywareblaster does indeed have an auto-update feature, but getting people to shell out for its subscription is another matter altogether. Mind you, getting people to shell out for software full stop is another matter altogether.

  13. #29 MarcLister (Senior Member, joined Dec 2006, Bedfordshire)

    Ah, thanks for that godsdog. Didn't realise it was a paid-for service. I suppose some customers would be happy to pay that if it reduces the risk of spyware getting on to their computer.

  14. #30 Mike Fishcake (Guest)

    Cheers for all the opinions in this thread. Everyone's pretty much said what I've been feeling; I just didn't want to feel like it was me being a cop-out by recommending a reinstall after a brief diagnosis.

  15. #31 Lucio (Mostly Me, joined Mar 2007, Tring)

    Oh, if you haven't done already, try selling them a copy of System Mechanic; it's been helpful in the past in getting rid of some really persistent pieces of spyware.

    Between the program uninstaller, registry optimiser and startup controls it can save a lot of time in sorting out viruses rather than having to figure out how to use Windows commands to get it done.

  16. #32 Senior Member (joined Nov 2006)

    Having had similar experiences trying to sort out friends' spyware-laden PCs, I agree a format and reinstall is probably simplest.
    But you may also want to try out the freeware Trojan Remover, as it did once help me (along with the other programs mentioned and extra tools from Hiren's) sort out a computer that I would otherwise have formatted.
