PC Review



Adware/Virus/Spyware?

 
 
Joe
      5th Jan 2006
What do you do when someone brings you a computer to fix and you find that
the only problem is a major infestation of adware and viruses, and then they say
they do not want to have to reinstall all of their programs or lose their
stuff?
A friend asked me to fix his, and when I start it there are 86 processes
running and CPU usage stays at 100%. I cannot even get it to run well
enough to use a removal tool.

Any thoughts?

Joe


 
Jon
      5th Jan 2006
Joe wrote:
>(snip)
>... I can not even get it to run well
> enough to use a removal tool.


Have you tried using the removal tools in safe mode?


Jon

 
philo
      5th Jan 2006
Joe wrote:
> What do you do when someone brings you a computer to fix and you find that
> the only problem is a major infestation of adware and viruses, and then they say
> they do not want to have to reinstall all of their programs or lose their
> stuff?
> A friend asked me to fix his, and when I start it there are 86 processes
> running and CPU usage stays at 100%. I cannot even get it to run well
> enough to use a removal tool.
>
> Any thoughts?
>
> Joe
>
>

Boot to safe mode...
run msconfig and take *everything* out of startup,
then reboot.
If you can get the machine fixed...
about all you need running at startup would be the virus checker
and firewall.
 
Joe
      5th Jan 2006
I tried. I got it down from 86 to 53 processes after running Avast antivirus
and Spybot. Spybot said about a dozen errors were running in memory even in
safe mode.
Joe

"Jon" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Joe wrote:
>>(snip)
>>... I can not even get it to run well
>> enough to use a removal tool.

>
> Have you tried using the removal tools in safe mode?
>
>
> Jon
>



 
kony
      5th Jan 2006
On Wed, 4 Jan 2006 18:46:56 -0600, "Joe"
<(E-Mail Removed)> wrote:

>What do you do when someone brings you a computer to fix and you find that
>the only problem is a Major infestation of adware and virus


Well, until you get rid of it all you can't really be sure
that is the only problem. Likely it is, but until then...

> then they say
>they do not want to have to reinstall all of their programs or lose their
>stuff.


Yes, that's their desire. Desire is not always equal to
necessity. You do what you can, and when it looks like it's
going to take a dozen hours to do what you were charging $10
for, or for free, you either renegotiate, learn from this not
to jump to an estimate beforehand, or inform them that it's
necessary to reinstall. Reinstall does not mean losing
"all" their stuff though; there's no reason any data that is
intact can't be salvaged. I'll make a few suggestions
below.

> A friend asked me to fix his, and when I start it there are 86 processes
>running and CPU usage stays at 100%. I cannot even get it to run well
>enough to use a removal tool.


Boot the system to safe mode, and never have it hooked up to a
network (nor the internet) when networking is working
(non-safe-mode, but really, never).

Uncheck all items in MSCONFIG that load at boot time. Get a
CDR or thumbdrive or whatever to get tools onto the system.
Google for some of the software if you don't have it yet.

"Hijack This" should be run. It'll find a lot of stuff...
you may need to contact the owner to find out what printer
and scanner they use, as there's no need to
remove/disable/etc. their needed software, only that left
over from the past or unwanted stuff. Hijack This needs to run
on the system, as will portions of programs that scan the
registry or Windows OS related files, but sometimes it can
help to pull the drive and put it in another system, NOT
booting to it ever, just to scan it as a secondary drive.

If some programs do multiple types of scans, for example
Ad-Aware scans registry and files, you may need to run it on
their system, but after you'd put the drive in another
system and run Ad-Aware (and likewise antivirus and other
scanners) to remove the files first. Key to getting rid of
stuff is to keep that stuff from loading, as some are rather
sophisticated and will even repair themselves.

Identification of the infectious agents is useful; if you
suspect there's more to be rid of, sometimes a scanner can
find part but not all as it's a different strain of malware.
Multiple antivirus scanners should be used, with current
updates of course. Sometimes there are specific tools to
remove things, or classes of things (like CWShredder).

As silly as it might seem, I also suggest checking
Add/Remove Programs. Some stuff is plainly listed there as
the malware company wants to pretend they're legitimate, or
might rightly be if the system owner installed software that
required (through the license/EULA) adware or similar to be
installed in parallel. This may also mean that some
software the user "thought" they wanted needs reconsidering.

When all else fails, if you simply can't get the system running
properly and find it necessary to reinstall everything, you
can easily enough dump off the files onto a CDR or a few:
all the data and favorites, shortcuts, stuff on the desktop,
whatever... there is no need to lose any data; at most they
might need to reinstall applications and set user preferences
(tweak the OS).

If it becomes necessary to do more antivirus scans, isolate
the system from the rest of the LAN if you allow IT to
connect to the internet, but first do as suggested above:
scan the drive while in another system so none of the code is
running. There are several online antivirus scanners; the
following is not meant as a comprehensive list:
http://security.symantec.com/ssc/hom...KVYRMHCGVRVRMN
http://www.pandasoftware.com/actives...&Ref=PR-AS-107
http://housecall.trendmicro.com/
http://www.ravantivirus.com/scan/
http://www.trojanscan.com/trojanscan/trojanscan.htm
 
Pelysma
      6th Jan 2006
"Joe" <(E-Mail Removed)> wrote in message
news:sZZuf.21266$(E-Mail Removed)...
> What do you do when someone brings you a computer to fix and you find that
> the only problem is a major infestation of adware and viruses, and then they say
> they do not want to have to reinstall all of their programs or lose their
> stuff?
> A friend asked me to fix his, and when I start it there are 86 processes
> running and CPU usage stays at 100%. I cannot even get it to run well
> enough to use a removal tool.
>
> Any thoughts?
>
> Joe
>
>



What do you say? "If you stand in the middle of the information
superhighway, you will get run over."

What do you think? "It ought to be illegal to sell Internet-capable
computers to idiots."

What do you do?

Stop a bunch of those processes.
(1) Can you interrupt the computer with Ctrl+Alt+Delete? Then end a bunch
of those processes so that the machine is running a little cleaner in the
short run. Yes, you have to end them one at a time; sux, donut?

(2) Then Start > Run > msconfig and select the Startup tab. Uncheck everything
you don't recognize, just be sure to leave Explorer checked. Now restart
the computer and go back to step (1) and maybe you can get it reined in
enough to run a removal tool.

While you're in that Startup tab, write down some of the names you see and
google them to see what they do to your friend's computer. Make sure the
owner gets to see the results. Have beer available, because you will be
undermining someone's confidence in human nature.

Once you get it running clean enough, download and install Microsoft's beta
version of Giant Anti-Spyware and run it.

I untangled one like this last week. It took all evening, but the difference
in the computer was dramatic to say the least. Unfortunately, the user is
particularly attached to two of the most malicious programs on his machine,
AIM and the Yahoo Toolbar. Oh well.

--
P.


 
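Both kony's "uncheck all items in MSCONFIG" and Pelysma's step (2) come down to the same job: review what loads at logon and keep anything unrecognised from running. The script below is an added example, not code from this thread or from any of the tools named in it. It parses a `.reg` export of the HKLM Run key and flags the entries a technician should look at first: executables living in a temp or user-profile directory, bare filenames resolved through PATH, and rundll32/regsvr32 entries whose real payload is the library they load. The export text is constructed and the `xkdq3` / `vtstr.dll` names are made up; the `reg export` command in the docstring is the assumed way of producing the file. It covers only the Run key, not services or the other load points HijackThis reports.

```python
"""Offline triage of Run-key autostart entries from a .reg export.

Added example (not code from the thread). Assumed workflow: on the infected
box, export the key with
    reg export "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
then review the file on a clean machine. The export below is constructed;
the value names and file names in it are made up.
"""
import re
from dataclasses import dataclass, field

# Constructed sample export. Real .reg files are UTF-16LE on disk, and the
# string values escape backslashes as '\\'.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"xkdq3"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\xkdq3.exe"
"SysUpd"="rundll32.exe C:\\WINDOWS\\system32\\vtstr.dll,Start"
"Flags"=dword:00000001
'''

@dataclass
class Entry:
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)

_KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="string"  or  @="string"; non-string data (dword:, hex:) is skipped.
_VAL_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(?:"((?:[^"\\]|\\.)*)"|.*)$')

def _unescape(s: str) -> str:
    """Undo .reg escaping: '\\\\' -> '\\', '\\"' -> '"'."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text: str) -> list:
    """Return the string-valued entries of every key in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('Windows Registry Editor', 'REGEDIT')):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VAL_RE.match(line)
        if m and key and m.group(2) is not None:
            name = '(Default)' if m.group(1) is None else _unescape(m.group(1))
            entries.append(Entry(key, name, _unescape(m.group(2))))
    return entries

def split_command(command: str):
    """Split an autostart command into (executable, arguments)."""
    cmd = command.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return (cmd[1:end], cmd[end + 1:].strip()) if end > 0 else (cmd[1:], '')
    m = re.match(r'(?i)(.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s+|$)(.*)', cmd)
    if m:
        return m.group(1), m.group(2)
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else '')

# Directories a logged-on user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = re.compile(
    r'(?i)\\(temp|tmp|documents and settings|docume~1|application data|'
    r'local settings|locals~1|recycler)\\')
LOADERS = {'rundll32.exe', 'rundll32', 'regsvr32.exe', 'regsvr32'}

def triage(entries: list) -> list:
    """Attach review reasons to suspicious entries and return only those."""
    for e in entries:
        exe, args = split_command(e.command)
        base = exe.rsplit('\\', 1)[-1].lower()
        if base in LOADERS:
            # The executable is a stock loader; the payload is its first argument.
            library = args.strip('"').split(',')[0].strip()
            e.reasons.append(f'{base} loads {library}; review that library')
            if USER_WRITABLE.search(library):
                e.reasons.append('loaded library is in a user-writable directory')
        elif '\\' not in exe:
            e.reasons.append('bare filename, resolved through PATH at logon')
        if USER_WRITABLE.search(exe):
            e.reasons.append('executable lives in a temp or profile directory')
    return [e for e in entries if e.reasons]

if __name__ == '__main__':
    for e in triage(parse_reg(SAMPLE_REG)):
        print(f'{e.name:12} {e.command}')
        for r in e.reasons:
            print(f'{"":12}   - {r}')
```

On the constructed export this flags `xkdq3` (runs from the user's Temp folder) and `SysUpd` (rundll32 loading an unknown DLL from system32) and leaves the Avast and ctfmon entries alone. The heuristics are deliberately conservative; an entry that is not flagged still deserves the Google-the-name check Pelysma describes.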
Joe
      7th Jan 2006
I have given up. I just informed the dude that he has lost it all and I am
reinstalling Windows. I am saving all his files, but programs and everything
else are gone. I have almost 6 hours in this now and I have managed to get
rid of maybe 75% of the junk. Processes are down from 86 to the low 40s and
the CPU no longer stays maxed out, but I still cannot get a browser to run
for over a minute without crashing and trying to start with popups all on
its own.
Just a curiosity question for any of you in the business for a living.
1) What would you charge to reinstall XP? I am thinking about a hundred
dollars.
2) What would you charge to attempt to get rid of all the crapware and
viruses? I do not know how you could do this aside from just with an hourly
charge. I would think this would be more, a lot more.
3) Would you offer any guarantee to the person as to functionality of
everything else once the viruses and adware are gone?

I just see this as a computer tech's worst nightmare. I would think most
customers would not be happy with the results or the price and would likely go
home and do whatever they did to create the problem all over again and then
bring the computer back saying that you had not done the job properly and
want you to do it again for free.

Joe


"Erick" <(E-Mail Removed)> wrote in message
news:kGivf.611$(E-Mail Removed)...
> This is actually the most common issue we see where I work. We use an
> arsenal of tools to get the job done while keeping everything intact.
> Here's what we use, and most, if not all, are freely available:
>
> 1. Ad-Aware SE Personal (cleans only)
> 2. Spybot Search and Destroy (cleans and immunizes)
> 3. Spyware Blaster (immunizes only)
> 4. AVG Free Antivirus
> 5. HiJack This (Use with EXTREME caution)
> 6. StartupCPL
> 7. TrendMicro's CWShredder
> 8. Symantec's Vundo and Look2Me Removal tools (others as needed).
> 9. TrendMicro's online Housecall
> 10. RegEdit (built-in to Windows)
> 11. RegScrubXP
> 12. SafeXP
> 13. Webroot Spysweeper (as needed; removed after use due to trial).
> 14. Windows Services (type services.msc into the Run... box)
> 15. A good, working version of every Windows OS, in all releases (OEM,
> retail, etc.)
> 16. Liberal use of the Shift-Del combination in Windows Explorer.
> 17. SmitRem (Trojan.SmitFraud removal tool; as needed; after successful
> cleaning, desktop background is plain blue.)
>
> All cleaning is done in Safe Mode, in ALL accounts, with System Restore
> turned off. We also delete the entire contents of all temporary folders.
> Sometimes it's necessary to remove files using the command console. It
> takes time, but once done, the systems are back in good shape again, and fairly
> well protected against future problems.
>
> "Joe" <(E-Mail Removed)> wrote in message
> news:sZZuf.21266$(E-Mail Removed)...
> What do you do when someone brings you a computer to fix and you find that
> the only problem is a major infestation of adware and viruses, and then they say
> they do not want to have to reinstall all of their programs or lose their
> stuff?
> A friend asked me to fix his, and when I start it there are 86 processes
> running and CPU usage stays at 100%. I cannot even get it to run well
> enough to use a removal tool.
>
> Any thoughts?
>
> Joe
>
>
>



 
Pelysma
      7th Jan 2006
"Joe" <(E-Mail Removed)> wrote in message
newsAFvf.46839$(E-Mail Removed)...
>
> I just see this as a computer tech's worst nightmare. I would think most
> customers would not be happy with the results or the price and would likely go
> home and do whatever they did to create the problem all over again and then
> bring the computer back saying that you had not done the job properly and
> want you to do it again for free.
>


I don't do this for a living, though I've thought about it. The reason it
hasn't gotten past thinking about it is that I'm not knowledgeable enough
yet to feel I'm giving the customer a sound product.

It's a little bit different for people who do it for a living, though.

First, you would not necessarily be working on only one computer. If it's
necessary to reinstall Windows, there is a lot of waiting involved, and you
wouldn't sit there and wait on the customer's nickel. You'd move down the
bench and work on another one.

Secondly, you wouldn't go into it without suitable tools. Mechanics have
wrenches, computer techs have disks full of utilities. The secret would be
to get them to run relatively unattended using batch files or shell
programs. Then you could get that waiting thing going again and move down
the bench to work on another one.

Finding efficient ways of dealing with the predictable, repeating problems
would be an essential part of success as a tech. Remember, you and I
probably see a given worm once in one setting, but techs see the same one
all over town. When you've cleaned it out of one computer, you have a
better idea how to approach it in the next one.

If I were doing this, consumer education would be a central part of the
product. Unfortunately, most consumers are not going to want to think they
caused the problem, and constant vigilance sounds like a lot of trouble to
people. The challenge would be to get across the same thing dentists
struggle with: you can take care of your stuff routinely, or come now and
then and pay me lots of money to bring it almost back to what you would have
had if you took care of it.

--
P.


 
kony
      7th Jan 2006
On Fri, 6 Jan 2006 20:24:02 -0600, "Joe"
<(E-Mail Removed)> wrote:

>I have given up. I just informed the dude that he has lost it all and I am
>reinstalling Windows. I am saving all his files, but programs and everything
>else are gone. I have almost 6 hours in this now and I have managed to get
>rid of maybe 75% of the junk. Processes are down from 86 to the low 40s and
>the CPU no longer stays maxed out, but I still cannot get a browser to run
>for over a minute without crashing and trying to start with popups all on
>its own.


While I sympathize with your lost time, I recommend that next
time you take an all-or-nothing approach: don't spend even
20 minutes before deciding if you're going to stick it out
and fix the whole thing, or stop then and copy off data and do
the clean install.

Most useful is to have an antivirus/utilities/etc. CD or
thumbdrive prepared ahead of time, not only for their system
but general purpose; there's always a chance that you too
are at risk even with safe computing practices if you are
exposed to certain common scenarios (like IE and the recent
WMF vulnerability, fortunately patched now).

Anyway, often it's best to state up front to (a customer?) that
it "might" (emphasize might) be possible to recover the
system but that it will cost more than a clean reinstall
would, then let them decide if they'd foot the bill, and
then if you find problems, you also may have the decision of
whether to stick it out and spend more time for the $
difference, or not.


> Just a curiosity question for any of you in the business for a living.
>1) What would you charge to reinstall XP? I am thinking about a hundred
>dollars.


That sounds a bit steep for a generic Windows install,
unless they don't have the driver CDs or anything and you
have to hunt all that down yourself, but you may not know
this until you've reinstalled Windows to see which devices
it might support with built-in drivers. Personally I always
prefer getting the newest drivers from the respective chipset
manufacturer, but if someone wanted the cheapest possible
just-get-it-running fix, I would do as asked.

A typical Windows reinstall should be closer to $50 if they
have the drivers. If it's an OEM quick restore, even less,
maybe $25, as all you have to do is pop the CDs in. If they
expect to supply printer drivers and have you set up the
internet account and 3rd party applications too, there's a
wide variation in how long that can take; $100 might be
about right.


>2) What would you charge to attempt to get rid of all the crapware and
>viruses? I do not know how you could do this aside from just with an hourly
>charge. I would think this would be more, a lot more.


Hourly is hard to do with such things as there's a lot of
just letting scanners do their thing. Maybe $100 if you
have a good relationship with them, BUT some infections are
a simple one-thing-gone-wrong which takes only minutes to
fix if you had prepared media with tools, while others
turn into this marathon multi-hour situation instead.
Better to give a ballpark figure with the stipulation that
you'll contact them after taking a first look at it.


>3) Would you offer any guarantee to the person as to functionality of
>everything else once the viruses and adware are gone?


Guarantee that you do the job specified, removing the
malware. Note the date and time it's completed as well,
since their personal use of the system might just reinfect
it soon afterwards, but these new files will typically have
newer timestamps.

If you are comfortable with their assertion that the
system worked hardware-wise, then you should make sure all
the core hardware functions work when reinstalling Windows,
i.e. sound, LAN, 3D video, etc. If they had installed a
bunch of USB drivers and they impaired that functionality
AND you only cleaned malware off, not a clean reinstall, of
course you should not be required to fix their USB for the
price of a malware removal job. Then again, some people are
purely customers and others are closer to friends; I can
only assume not good friends or family since the $100 is
already mentioned.

>
>I just see this as a computer tech's worst nightmare. I would think most
>customers would not be happy with the results or the price and would likely go
>home and do whatever they did to create the problem all over again and then
>bring the computer back saying that you had not done the job properly and
>want you to do it again for free.


Well, yes. Some people can easily be convinced that it's in
their best interest to pay you an extra $300 to get their
system upgraded, so you're doing more of a pull-old-parts
and clean Windows install than a clean-off & fix old
install job. Of course it varies per situation; they
might need to buy Windows again if they had an OEM copy, or
not need more performance, or whatever... and the more
experience you gain cleaning off systems, the better you
will get at it... half of it is knowing common places to
look, things like identifying the timestamps on at least
"some" of the malware and then seeking other questionable
files with a similar timestamp... often one can look in the
Windows subdirectory for these files and get rid of a ton of
stuff with the good ole delete button. Not necessarily all
of it, but there's a momentum to it as well: if you
keep the system disconnected from the internet and get rid of
the self-repairing stuff, you can then at least whittle away
at the rest one at a time, making sure nothing is loading
with Windows, whether it be from the RUN key in the registry, or
a service, or wherever.
 
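kony's closing tip, taking the timestamp of a file you already know is malware and looking for other files written at about the same time, is a pivot worth automating. The script below is an added example implementing it in Python; it is not code from the thread. It walks a directory tree and lists files whose modification time falls within a window of the anchor file, sorted by how close they are. The sample tree and every name in it are constructed. Two caveats a practitioner would add: run it against the drive mounted in another system, as kony recommends, so nothing on it is executing; and modification times can be altered by the malware itself or by the cleaners already run, so the output is a list of leads to examine, not a deletion list. It uses only the modification time because that is what the standard library exposes portably; on NTFS the creation time is a second signal worth checking by hand.

```python
"""Timestamp pivot: find files written around the same time as a known-bad one.

Added example, not code from the thread. Walks a directory tree (for example
a pulled drive mounted as a secondary disk) and lists files whose modification
time is within a window of the anchor file. The sample tree and its file
names are constructed.
"""
import os
import tempfile
import time

def files_near(root, anchor_path, window_seconds=120):
    """Return [(path, seconds_from_anchor)] sorted by distance from the anchor."""
    anchor_abs = os.path.abspath(anchor_path)
    anchor_mtime = os.path.getmtime(anchor_abs)
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.abspath(path) == anchor_abs:
                continue
            try:
                delta = os.path.getmtime(path) - anchor_mtime
            except OSError:          # unreadable or vanished file: skip, keep going
                continue
            if abs(delta) <= window_seconds:
                hits.append((path, delta))
    hits.sort(key=lambda hit: abs(hit[1]))
    return hits

def build_sample_tree(base):
    """Create a constructed tree with back-dated files; returns {basename: path}."""
    t0 = time.time() - 3600            # assumed 'infection time', an hour ago
    layout = {                          # relative path -> seconds from t0
        'WINDOWS/system32/vtstr.dll': 0,                       # known-bad anchor
        'WINDOWS/system32/xkdq3.exe': 3,                       # dropped with it
        'Documents and Settings/Owner/Local Settings/Temp/~tmp1.tmp': -5,
        'WINDOWS/svch0st.exe': 40,
        'WINDOWS/system32/ctfmon.exe': -400 * 86400,           # old, legitimate
        'Documents and Settings/Owner/My Documents/notes.txt': -30 * 86400,
    }
    paths = {}
    for rel, offset in layout.items():
        path = os.path.join(base, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(b'sample')
        os.utime(path, (t0 + offset, t0 + offset))   # set atime and mtime
        paths[os.path.basename(rel)] = path
    return paths

def demo(window_seconds=120):
    """Build the sample tree in a temp dir and return the basenames found."""
    with tempfile.TemporaryDirectory() as base:
        paths = build_sample_tree(base)
        hits = files_near(base, paths['vtstr.dll'], window_seconds)
        return [os.path.basename(p) for p, _ in hits]

if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as base:
        paths = build_sample_tree(base)
        for path, delta in files_near(base, paths['vtstr.dll']):
            print(f'{delta:+7.0f}s  {os.path.relpath(path, base)}')
```

Against the constructed tree a two-minute window returns the dropped executable, the temp file and the misspelled svchost lookalike, and ignores the year-old system file and the user's document. Widen or narrow the window depending on how many hits come back; a dropper that unpacks in one go clusters within seconds, while a staged download can spread over minutes.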