TechSpot

Update for 8 step malware removal

By adweston
Jan 12, 2009
  1. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Why do you have the impression that you introduced TechSpot to ComboFix? You did not. Nor did you introduce TechSpot to the other programs you mentioned.

    What you DID do was suggest a user run ALL of those cleaning programs up front and frankly, that is a bad idea! When people come to us with a malware infection, they already have a system that is crippled to some extent. Adding multiple programs to that, if there is no specific need, is a bad idea.

    Some malware infections make it more difficult to find and remove all of the files. THAT'S when the additional program should be used. If the malware can be handled using the suggested Malwarebytes, SuperAntispyware and HijackThis, then no more programs should be loaded onto the system.

    The biggest problem with those of you who try to clean malware, then recommend multiple additional programs to the user, is that you do not open and read the logs and recommend entries to be removed. When you don't, the threads go on for days, sometimes weeks, while you try to have malware cleaning programs do YOUR job! Frequently, the user will end up in worse shape, with a system that is not functioning at all due to the added burden of unnecessary programs.

    There are people here who are trained in malware removal. They don't just stop by and think they can do it because they worked in IT for a few years. They know the best steps to use, the order of the steps and the additional programs to recommend IF any are needed.

    Edit: you might also like to refer to this post from 10-17-2007 by a board regular where Combofix is recommended:
    http://www.techspot.com/vb/post519097-2.html

    And by the way, this isn't the first reference to using Combofix on TechSpot. The other programs you listed can also be found here using the search feature.
     
  2. raybay

    raybay TS Evangelist Posts: 10,716   +6

    Thanks, Bobbye. Needed to be said.
     
  3. adweston

    adweston Banned Topic Starter Posts: 333

    I realize that. Kimsland pointed it out. It's also immaterial. It's an important first step and should be added. Besides, it renders a fantastic log that's very useful in further troubleshooting, rather than "no action taken. Update Malwarebytes and run it again. And again. And again".

    And actually, the threads that I've worked on in the malware forum were cleared up in three to five posts. I've seen you guys muck up threads, in one case total the guy's hard drive... and I've seen dozens of threads of "recommendations" go on for days and several pages. So....

    There seems to be a big difference between "malware trained" and "a dozen years of hands-on experience in owning a computer business/a quarter of a century field experience", despite all the moaning and groaning about citing examples. The difference? Experience caught that a hard drive was in trouble. "Training" insisted the guy persist on "their *training*" until the computer barely booted at all.

    I let the recommendation stand. My track record here speaks for itself. Whether it was the first, dozenth or hundredth time it was mentioned (and yes, I discovered that Julio even made mention of it in 2007 when they had that glitch in it).
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

     
  5. momok

    momok TS Rookie Posts: 2,272

    The sheer amount of problems dealt with on a board easily outnumbers that of any IT shop any day because of the nature of a forum. Every channel (be it a forum or an IT person operating a shop) faces its own fair proportion of tricky problems.

    Bear in mind that the absolute amount of tricky/time-consuming problems encountered on a forum is greater than that in a shop simply because of the statistical increase in the number of problems. Whilst there may be the occasional screw-up, it is not fair to judge and undermine the rest of the volunteers' work on this board for that.

    As for Combofix, it used to be in the removal instruction thread; back then it was 15 steps. However, this was streamlined to promote greater efficiency in dealing with malware problems. Combofix should not be used as the first-tool-in-line for all malware related problems because of various reasons that the author states on the Malware Removal University, which he endorses and leaves regular updates to the program for.

    Please be assured that the moderators and volunteers work together to regularly review the 8 step thread to promote efficiency and proficiency in dealing with malware problems. It is worth noting that we often emphasize that the 8 step thread is definitely not an answer-all for every malware related problem, and the volunteers have in their arsenal a list of other tools to help them depending on circumstances.
     
  6. adweston

    adweston Banned Topic Starter Posts: 333

    No problems. Report this one as well:

    And then point them to this botch job and this one.

    Then for the flip side, point them to this thread and this one. Certainly point them to this post made to me and this thread.

    Cheers :)
     
  7. momok

    momok TS Rookie Posts: 2,272

    To all: Please refer to my last post.

    The posts on this thread are veering off topic.
    I'll monitor this thread further and will moderate all subsequent posts that I deem are off topic regardless of user.

    Unless you have anything to say related to the recommendation of the said programs for the purpose of updating the 8-step thread, I hope all parties keep their opinions of each other to themselves.
     
  8. adweston

    adweston Banned Topic Starter Posts: 333

    momok, I agree... to an extent. When we examine infections (and believe me I spend a lot of time doing so) they all follow a basic pattern. Over the last three years I developed a strategy to blast infections to the hell they belong in after cleaning up hundreds of computers with as many as 14,000 infections on one computer (my personal record).

    Because my clients pay by the hour, efficiency is of utmost importance. As my invoices (and my track record in your malware forum) prove, my strategy is very efficient. Combofix is a deadly tool and will eliminate many infections before Malwarebytes, etc. get to them, catches several that it misses and even encompasses many other tools, such as the Virtumondo removal tool, rootkit tools like McAfee Stinger, Smitfraudfix, etc.

    Then, as icing on the cake, it gives a nice little log, pointing out files that I know for a fact Malwarebytes misses. Don't get me wrong, Malwarebytes is an excellent, excellent tool. One of my personal favorites. However, Combofix is an essential step that should not be overlooked.

    For a guest that really, for the most part, doesn't understand what's going on, efficiency and simplicity are key (as evidenced in this thread where the guest gave up and formatted his hard drive). It's the same thing as a patient going to a doctor for a malady. Their head hurts. They'd swear they were dying. They're panicking. They have no idea what's going on. The doctor listens, nodding empathetically, smiles in a caring fashion and hands the patient two Tylenols.

    The threads that I pointed out in my previous post stand testimony to the brutal efficiency of my method, and testimony to the fact that it would only serve your guests' best interest to include it in the 8 step process (which, by the way, is really good. I'm not knocking it, although Combofix should replace Superantispyware).

    Also, I'm not knocking the volunteer help, per se, but I'm knocking the flawed opinion that "malware training" supersedes experience and is therefore just cause to "bash" those with an alternate approach.

    Even kimsland knocked my approach and use of Combofix in one thread, only to be silenced by the deadly efficiency with which the poster's issues were resolved. I also question whether knocking an IT guy, persisting in malware removal and pretty much totalling the guest's hard drive is the best tack to take. Experience always trumps "paper smarts". It's always a good idea to remember that a client's data is by far the most valuable asset on the computer in question and to look critically at the post before diving in gung-ho/willy-nilly and causing far greater damage.

    All of that notwithstanding, the volunteers deserve much credit for devoting so much of their time, efforts and energies to helping complete and total strangers that they've never met and probably never will. Kudos. :)
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Combofix wasn't included in the preliminary removal thread for a few reasons:

    1) What if sUbs were to say there is a rootkit going around that targets combofix users and tricks the program into deleting system files? A number of times, the creator of the tool has asked for the tool not to be used and he has pulled it until the problem was resolved.

    2) Until you see what OS the user has and other vital information you should not be running a tool with this power on their machine. For example, when Vista first came out it was not compatible.

    3) You should check to see what security the user has on their system before requesting them to use Combofix. If they have a specific script blocking program such as the McAfee script blocking service, you may want to disable that prior to running Combofix. There may be other programs that need to be stopped other than the real-time monitoring on the AV.
     
  10. adweston

    adweston Banned Topic Starter Posts: 333

    Great points. If that's the case, running it in safe mode will resolve the issue. That should probably be put in the tutorial.

    And yes, you would have to monitor the tool. That's why you would link to the page on Bleeping Computer that offers the tutorial and download link. When the rootkit was an issue in 2007 sUbs posted it in that thread and pulled the tool. Linking to the file itself will of course fail if they pull it due to the faults you mentioned or otherwise.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    In my opinion, if you are going to add to the 8 steps, why not use another of sUbs' tools: DDS.

    Or I would use RSIT by random/random.
     
  12. Julio Franco

    Julio Franco TechSpot Editor Posts: 6,590   +351

    Along with momok's warning I want to make one of my own: personal flaming will no longer be tolerated. In the middle of helping users you are starting to do the forum a disservice by starting such a war, so please try to bring the best of you in those circumstances.

    I appreciate your collaboration.
     
  13. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    The answer to this thread would seem to be a definite NO to having those multiple programs included in the 8-Step Guide (as first thought).

    I'd like to add that if a user states (and I quote):
    Then certainly I advise all support members to acknowledge that this is a Member's choice. Obviously, I would not stop the Member from deciding on such a personal choice, but rather help and advise them in pursuing this (if not destructive). Note: "backing up all my pictures music and videos and reinstalling windows" is not destructive.

    My replies to members' posts are always in respect of the information they provide.
    If any Member decided on continuing the Virus\Malware removal process, so would I, again obviously.

    As support helpers, we are not here to demand or dictate what we feel is best.
    We are here to help the Member resolve their issues, be that Virus\Malware removal or backup and format; it all comes down to the original thread starter's choice (not ours). Many thread starter Members, during their threads, may decide on a different form of tactic. Again, their choice.

    I note, I have not "flamed" anyone in this post.
    But I would like to answer with 1 BIG response to my postings on all threads I post on (including all links to other threads quoted in this thread):
    Everything I stated I stand by 100%.
    I have re-read all threads (linked above) and in ALL cases I believe I have posted correctly and accurately. I also do not understand why they have been mentioned in a thread regarding "Update for 8 step malware removal".
    Further, I believe posting incorrectly, i.e. off topic, including "flaming" members, will no longer be tolerated by myself either.

    The 8-Step Removal Thread stands, and should always be quoted as the first line of defense in removal of Virus\Malware issues. I expect all will agree to that, and continue to help other Members resolve their issues.
     
  14. adweston

    adweston Banned Topic Starter Posts: 333

    It's ok. It doesn't matter to me, just thought I'd make the suggestion. The linked threads demonstrate very clearly the difference between strategies. There's simply no comparison. We can also keep in mind that neither SAS nor MBAM will point out rootkits. In fact, none of your listed strategies have an effective rootkit component, nor will they even list them. As a highly skilled "IT pro", as I've been lambasted as, I can tell you that without dealing with the rootkit aspect you're simply farting in the wind, so to speak. lol :D

    So, the odds are highly stacked against the end user for reinfection in very short order. Rootkits are a very common component of infections and are indeed becoming more so every day.

    However, I can also understand the maintenance component of it. I think it can be dealt with, but if you don't want to put that extra in to make sure it's constantly up to date I can respect that as well. Part of the inclusion would be the importance of running in safe mode, as even the 8 suggestions given are completely powerless against certain forms of attack (edit: in normal mode).

    I don't quite get the SAS recommendation over Combofix, as the SAS/MBAM combination suggestion is actually redundant. But I do get not wanting to constantly monitor the status of Combofix and the desire to manually guide them through it afterwards for making more thread content material.
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Almost every infected machine's logs will show that MBAM and SAS remove separate infections.

    Combofix should not be run on every machine until somebody has looked at the logs, it is simply not good practice to suggest a user run this tool without direct supervision.

    As I was saying, if you want more complete logs, trade out HijackThis for RSIT by random or DDS by sUbs.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Regarding recent ComboFix suggestion

    It was recently suggested by one member that Combofix be included in the basic malware cleaning programs, the ones the user runs before posting the results on the board. The suggestion was overruled as not appropriate.

    I found these two comments today on other malware cleaning boards and thought they would further support the decision NOT to add ComboFix:

    I have no doubt that checking additional boards would produce the same result.
     
  17. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Thanks Bobbye. As BD mentioned 2 other tools instead of HJT, I just wanted to say that HJT (similar to Combofix) requires specialized support attention, which not all support members seem to use, even though they should.

    Running extra programs is not the way (including Combofix). The best way is for an experienced, specialized Malware removalist to start by checking the HJT log. Failing to do this critical step will highly likely (actually it will) cause a poor analysis of removing Malwares from a user's system.

    By the way, because your thread was titled so specifically, it has caused me to refer to Combofix many times. But in all cases users should always be directed to the proven: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions.

    I was thinking of writing up a Support Guide for members wishing to help in the ratification of Virus\Malware; but the huge extent of this, especially if I need to go over basic areas, such as avoiding Combofix until the HJT log is viewed, has caused me to stop writing this up. We need a guide, but not a book, so that other "wannabes" can have a basic understanding. I have certainly noticed many wannabes not having one, even though trying to support Members' Virus\Malware issues.

    Using such programs as Combofix, or even "Rootkit" removals (i.e. some reported Rootkits are not actually Malwares, strangely) requires specialized knowledge and experience before attempting to help others; just willy-nilly posting these tools (by less experienced members) is not ideal.

    Your input on a "guide" may help me resolve this issue.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Yes, I noticed the original thread closed, which is why I posted this new one. But I specifically didn't include that URL.

    About this:
    It saddens me to say that the people who are most in need of this guide are the very ones who won't read it! They do not understand that what they do in IT, in the shop, getting paid by the hour, is NOT the same as what we do here.

    The approach is different: we are involving the user, whereas the techs do not. The user drops the system off at the shop and says 'fix it'. Unfortunately, some get their system home to find programs installed or uninstalled and/or settings changed, and rarely have they been told about this.

    We tell the users: 1. This is where you start 2. This is what you do next. 3. Then we check the logs and determine what the next steps are. And our time is volunteered so the only time schedule we are on is our own.

    We have tried to explain that to some of those who pick up the malware threads. But as you know well, they do not want to listen and have no intent of changing their ways. Which, in many cases, is why a cleaning goes on for days, with a user being told to load one program after another, while the 'helper' is hoping that the programs clean everything out! Sometimes it ends in a hard drive crash.

    We know there is a better way. If the situation ever changes to where the specific guidelines will HAVE to be followed, I will be glad to contribute in any way I can to "The Guide".
     
  19. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Due to the small number of Malware removal specialist members at TechSpot (including Blind Dragon, who seems to have stopped helping members as he used to do on TechSpot), we presently cannot have "specific guidelines that will HAVE to be followed" here, sadly :(

    I suspect this will remain a losing battle.
    I believe the only answer is to place a note in the 8-step guide that any member can reply with support, but this support may not be from an experienced member (kinda like a disclaimer). I haven't got the wording right just yet, but feel this may be best noted in the guide.
     
Topic Status:
Not open for further replies.
