
Mobile computer tech, here. War story follows.

I handle high single-figures of these adware and/or potentially unwanted programs (PUPs) infestations every week.

Mostly it's Windows 7 and 90% adware/PUPs-centric, occasionally ransomware. In the huge majority of cases, the following will get a computer back up and sorted in a sensible amount of (billable) time:

First, bring known-good copies of AdwCleaner, Junkware Removal Tool, RKill and ComboFix on a thumb drive. Same-day downloads are preferred as some detect out-of-date versions and don't play nice. Shut down computer. Restart in safe mode with command prompt. Run explorer.exe from command prompt. USB typically works as usual, even in safe mode. Run each of the applications above as administrator in the order they are listed. Some will require a reboot to complete their work. The reboot should be in normal mode, subsequent restart(s) to run other cleaner(s) should be in safe mode with command prompt. Diminishing returns will take place after the third or fourth cleaner, and allow 15 minutes for a typical infection.

The longest it's taken me to completely clean a computer was 7 hours, comprising around 18GB of tat. If it's a severe infection, I will recommend a rebuild from known-good factory media after a Windows Easy Transfer export, assuming there's not too much in the way of user content.

As an up-sell, I also offer a better-than-factory reset where there's a clean Windows 7 installed and no vendor-specific junk on there. Computer vendors aren't as bad as free-to-use software vendors, but there's a reason why an adequate Lenovo laptop can be bought in the UK for 230GBP (including sales tax at 20%). Install, updates, and Windows Easy Transfer will typically be around 2 to 3 hours. It's a hard sell with a cheap laptop, especially since some clients are already preparing to buy a new laptop rather than fix the old one.
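The "restart in safe mode with command prompt" step above can be set from an elevated prompt instead of through the boot menu, which matters when several cleaners each demand their own reboot. The following is an added example, not the commenter's own script; it assumes the standard bcdedit tool present on Windows 7 and later and a single boot entry addressed as {current}.

```powershell
# Added example (not from the thread): toggle the next boot between
# Safe Mode with Command Prompt and a normal boot using bcdedit.
# Run without parameters before a cleaner pass; run with -Revert before the
# normal-mode reboot the procedure calls for, otherwise the machine keeps
# booting into safe mode.
param([switch]$Revert)

# bcdedit writes to the boot configuration store, so elevation is required.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

if ($Revert) {
    # Clear both safeboot values so the next restart is a normal boot.
    bcdedit /deletevalue '{current}' safeboot
    bcdedit /deletevalue '{current}' safebootalternateshell
} else {
    # 'minimal' selects Safe Mode; safebootalternateshell replaces Explorer
    # with cmd.exe, which is the "with command prompt" variant.
    bcdedit /set '{current}' safeboot minimal
    bcdedit /set '{current}' safebootalternateshell yes
}

# Show the resulting entry so the operator can confirm the change before rebooting.
bcdedit /enum '{current}'
```

Because the setting is persistent rather than one-shot, the revert step is not optional: a machine handed back with safeboot still set will boot to a command prompt for the client. The {current} entry is quoted so PowerShell passes the braces through to bcdedit literally.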




The problem with using cleaning tools like the ones you mention is that I'm always left wondering, "What did I miss?" when they've finished. Since it's a long process that's always potentially incomplete, I abandoned that approach years ago. The first thing I ask a client is "What data do you want to keep?" Then I scan the drive offline (mostly for my own curiosity, but also to get an idea of what I'm dealing with), save the data, reinstall the OS from scratch, then restore the data (sometimes with additional scans). This is the only way I feel comfortable handing the computer back to the client.


I agree there's an element of wondering with the tools. Part of the reason I use a bunch is to remove as much as possible. Even on the fifth scan, there are still things found. That's the cutoff where, in my experience, subsequent scans by other tools just don't find things.

I second the `what do you want to keep` sentiment, too. The downside to this is having them effectively sign off on what they want, and then they forget something until 6 months down the line. I have provision for keeping a drive image of their drives for 28 days, with prior permission, and I check in with them after 7, 14 and 21 days to make sure all is well. The comfort of a familiar desktop is a powerful thing, and the Windows Easy Transfer process makes it easy and straightforward.


Agree. The moment you're infected, you never know which closet the garbage hides the copy of itself in.

Burn everything and build afresh.

Hopefully lesson learned.


I would, and do, take the further step and repartition & reformat in DOS to eliminate rootkits. Have seen them carry over through new installs before, even after reformatting; TDSS I believe it was, but not 100%.


Addendum: I save a ninite.com installer to their desktops, renaming it to `Run this every Wednesday`. If they see any `You need to update Flash Player` dialogues, I advise them to close them and only run the desktop icon - this in and of itself saves most people from reinfection.

Edit: typo and formatting.


I cannot say enough about ninite. They are brilliant. I moved to the Mac a year ago, and I miss it dearly. I wish they had a Mac version. It's so convenient. And safe. And easy. I paid them for something just because I wanted them to be successful. Single best product I used on Windows!


That's so nice to hear. Thank you!

I'd love to make a Mac version someday, but the problems are so much worse on Windows so we're focusing there.


Wow, the co-founder of ninite :D

I can't thank you enough! That program is _always_ the absolute first I download on every Windows machine, period.

I think I've told all my friends about ninite by now, and everyone is super impressed.

Would you care to elaborate on how it works? Do you download from each software homepage, or do you constantly have to download the latest versions and then serve them from your own server?

Any way you could make a free or cheap one-time-pay version that can use a private server to host, and then deliver programs to it this way?


Wouldn't homebrew-cask be helpful with this? It's basically homebrew for apps. Haven't tried it yet, but I always wanted to start using it with my next clean install/mac purchase.

https://github.com/caskroom/homebrew-cask


Hmm, interesting. I'll check it out, thanks.


Have you tried GetMacApps? http://www.getmacapps.com/ I have a coworker who uses it, and it seems to be exactly like a Ninite for Mac.


I hadn't seen that. Thanks. What I was talking about above is the updater, which doesn't have an analog, AFAIK.


Adobe forced ninite to remove the Flash installer, so that won't help. You can set Flash to auto-update in Control Panel > Flash Player > Advanced > Automatic Updates. (I've heard it's more complex in Win8 though.)


Late edit: The only place you can reliably get unbundled Flash installers (without the toolbar crap) is here: https://www.adobe.com/products/flashplayer/distribution3.htm...


This is a brilliant idea.


You have the worst job on the planet. Thanks for doing it.


Is there any particular reason you don't just backup all of the user's personal files/configurations, note what programs they have installed and then reformat/reinstall?

Doing this you would be 100% adware free and the client might even notice/appreciate the speed boost of a fresh install.


> Is there any particular reason you don't just backup all of the user's personal files/configurations, note what programs they have installed and then reformat/reinstall?

Mostly down to client feedback. Personally, I'd much prefer to have the nuke and rebuild approach. I offer this as a preference (safer, faster, etc), but the familiarity of these pokey vendor-supplied apps for photos and the like is a very strong draw for folks.

The burden of technical knowledge doesn't run deep. They want a low-price laptop, and all their stuff safe and sound. The value they place in their data is, in my experience/anecdotally, proportional to their purchasing habits.

Most don't have hard drive backups, despite my continued insistence. Years of photos just get stockpiled without any recourse to a backup. There's some interesting psychology at stake, too; knowing that photos are there and actually referring to them are two entirely different things.


I disagree with this procedure.

1) Rebooting the computer can spread the infection. You should try to clean it with 0 reboots. Ignore safe mode. Kill AdwCleaner with Task Manager.

2) ComboFix is unnecessary. Malwarebytes/ESET work most of the time, and if not there are about 3 other scans to use.

Anyone who wants to buy a new laptop for speed purposes should be talked into trying an SSD first. A cheap laptop comes with a mechanical hard drive and doesn't alleviate disk I/O bottlenecks.


> Kill AdwCleaner with Task Manager.

AdwCleaner requires a restart to finish up, as I understand it. If you know differently, I'm genuinely interested.

> ComboFix is unnecessary.

Respectfully, I disagree. It's caught things that the others have missed. Anecdotal evidence, sure, but in my experience it's proven useful.

Most of the time new laptops are not for speed purposes - there is a misconception that a new laptop is a fresh start, not necessarily a much faster computer.

The thought process invariably is: this laptop is slow and full of ads, I need a new laptop to start over without the ads and _new is best_. My clients are mostly non-technical, that's why they call me; technical clients (say, 1 in 10) are more willing to explore SSD and appropriate RAM.

TV-advertised laptops for 200-250GBP are very appealing for my client demographic. It irks me, sure, but then sometimes people have to learn by doing. The tide is very slowly turning.


> It's caught things that the others have missed.

What other things? Did you run FSecure, Panda, ESET, Emsisoft, Avira, Avast, Herdprotect? It might be useful, but it is dangerous. It should be an absolute last ditch effort, not standard procedure.

> AdwCleaner requires a restart to finish up, as I understand it.

Try running it twice in a row without a restart. Try running it before and after a malwarebytes scan, without a restart. Does it find things?

> technical clients (say, 1 in 10) are more willing to explore SSD and appropriate RAM.

That's why you word it "Would you like me to make your computer much faster for $100? I can replace the moving parts with electrical ones."


> What other things? Did you run FSecure, Panda, ESET, Emsisoft, Avira, Avast, Herdprotect? It might be useful, but it is dangerous. It should be an absolute last ditch effort, not standard procedure.

I should clarify. I am predominantly dealing with annoyances, adware and unwanted applications – not viruses or malware, in the main. It's junk, not malicious or infecting - at least in the vast majority of cases.

Removing the non-viral noise makes the process of cleaning up anything else far easier. Number of rootkits encountered in 3+ years of domestic and small business technical support: zero. Number of file infecting viruses encountered in the same period: 2. Number of ransomware (Trojan horse, worm at a push) infestations: dozens. Number of adware and miscellaneous browser infestations dealt with: hundreds.

> Try running it twice in a row without a restart. Try running it before and after a malwarebytes scan, without a restart. Does it find things?

That's a really interesting question, and not one I can answer right now. I do intend to try this in a VM a la the OP link. I will endeavour to find out and report back.


Don't forget TDSSKiller and Norton Power Eraser. Super useful tools for checking MBRs.


I've found Malwarebytes rootkit detection to be roughly as effective as TDSSKiller. It's not enabled by default, or you can download it as a separate product. McAfee has one too. Rootkit Buster has never detected a thing in my experience. I still run it first just to see if it ever will.

https://www.malwarebytes.org/antirootkit/


I'm not familiar with Malwarebytes Anti-Rootkit, but TDSSKiller from Kaspersky searches for 1 single rootkit, TDSS, and performs a removal. I haven't done this type of work in a while but 3-4 years ago it was the de facto tool of choice for dealing with MBR infections.


TDSSKiller removes the following.

List of malicious programs: Rootkit.Win32.TDSS, Rootkit.Win32.Stoned.d, Rootkit.Boot.Cidox.a, Rootkit.Boot.SST.a, Rootkit.Boot.Pihar.a,b,c, Rootkit.Boot.CPD.a, Rootkit.Boot.Bootkor.a, Rootkit.Boot.MyBios.b, Rootkit.Win32.TDSS.mbr, Rootkit.Boot.Wistler.a, Rootkit.Win32.ZAccess.aml,c,e,f,g,h,i,j,k, Rootkit.Boot.SST.b, Rootkit.Boot.Fisp.a, Rootkit.Boot.Nimnul.a, Rootkit.Boot.Batan.a, Rootkit.Boot.Lapka.a, Rootkit.Boot.Goodkit.a, Rootkit.Boot.Clones.a, Rootkit.Boot.Xpaj.a, Rootkit.Boot.Yurn.a, Rootkit.Boot.Prothean.a, Rootkit.Boot.Plite.a, Rootkit.Boot.Geth.a, Rootkit.Boot.CPD.b, Backdoor.Win32.Trup.a,b, Backdoor.Win32.Sinowal.knf,kmy, Backdoor.Win32.Phanta.a,b, Virus.Win32.TDSS.a,b,c,d,e, Virus.Win32.Rloader.a, Virus.Win32.Cmoser.a, Virus.Win32.Zhaba.a,b,c, Trojan-Clicker.Win32.Wistler.a,b,c, Trojan-Dropper.Boot.Niwa.a, Trojan-Ransom.Boot.Mbro.d, e, Trojan-Ransom.Boot.Siob.a, Trojan-Ransom.Boot.Mbro.f.


I would assume it has grown in the last few years, I also would wager a guess that most of these are related/derivatives of each other.


I was under the impression it sort of grew into a multipurpose rootkit tool.


"TV-advertised laptops for 200-250GBP are very appealing for my client demographic. It irks me, sure, but then sometimes people have to learn by doing. The tide is very slowly turning."

At least 'formerly-known-as netbooks' aren't selling for twice that, anymore. Although, they are still excruciatingly painful to work on if you're used to anything faster...like an x86 Celeron.



