I handle high single-figures of these adware and/or potentially unwanted programs (PUPs) infestations every week.
Mostly it's Windows 7 and 90% adware/PUPs-centric, occasionally ransomware. In the huge majority of cases, the following will get a computer back up and sorted in a sensible amount of (billable) time:
First, bring known-good copies of AdwCleaner, Junkware Removal Tool, RKill and ComboFix on a thumb drive. Same-day downloads are preferred as some detect out-of-date versions and don't play nice. Shut down the computer. Restart in safe mode with command prompt. Run explorer.exe from the command prompt. USB typically works as usual, even in safe mode. Run each of the applications above as administrator in the order they are listed. Some will require a reboot to complete their work. The reboot should be in normal mode; subsequent restart(s) to run other cleaner(s) should be in safe mode with command prompt. Diminishing returns will take place after the third or fourth cleaner, and allow 15 minutes for a typical infection.
The longest it's taken me to completely clean a computer was 7 hours, comprising around 18GB of tat. If it's a severe infection, I will recommend a rebuild from known-good factory media after a Windows Easy Transfer export, assuming there's not too much in the way of user content.
As an up-sell, I also offer a better-than-factory reset where there's a clean Windows 7 installed and no vendor-specific junk on there. Computer vendors aren't as bad as free-to-use software vendors, but there's a reason why an adequate Lenovo laptop can be bought in the UK for 230GBP (including sales tax at 20%). Install, updates, and Windows Easy Transfer will typically be around 2 to 3 hours. It's a hard sell with a cheap laptop, especially since some clients are already preparing to buy a new laptop rather than fix the old one.
I second the `what do you want to keep` sentiment, too. The downside to this is having them effectively sign off on what they want, and then they forget something until 6 months down the line. I have provision for keeping a drive image of their drives for 28 days, with prior permission, and I check in with them after 7, 14 and 21 days to make sure all is well. The comfort of a familiar desktop is a powerful thing, and the Windows Easy Transfer process makes it easy and straightforward.
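Added here as an example (not posted by anyone in the thread): once the cleaners above have run, this PowerShell script lists every autostart entry the machine will execute at logon (the Run/RunOnce keys and the Startup folders) and flags anything that is not validly Microsoft-signed, so a technician can confirm nothing adware-ish was left behind before handing the laptop back. It assumes the PowerShell 2.0 that ships with Windows 7 and an elevated prompt; the registry paths and folder names are standard Windows locations, not something from the thread.

```powershell
# Inventory user-visible autostart locations on Windows 7 and flag entries for manual review.
# Written for PowerShell 2.0 (no [pscustomobject], no Get-ChildItem -File). Run as Administrator.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))

# Pull the executable out of a Run value such as  "C:\Program Files\X\x.exe" /silent
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($cmd -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $cmd.Trim()
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath etc.
        $entries += New-Object PSObject -Property @{ Source = $key; Name = $p.Name; Path = (Get-ExePath $p.Value) }
    }
}
# Startup folders usually hold .lnk shortcuts; the shortcut itself is listed (and will show as
# unsigned), which is fine: the point is to see that it exists and decide whether it belongs.
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $entries += New-Object PSObject -Property @{ Source = $dir; Name = $_.Name; Path = $_.FullName }
    }
}

# Review=True for anything without a valid Microsoft signature, and for Run values whose target
# no longer exists (a typical leftover after a cleaner deleted the binary but not the key).
$report = foreach ($e in $entries) {
    $exists = Test-Path -LiteralPath $e.Path
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $e.Path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned or missing)' }
    $trusted = $exists -and ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')
    New-Object PSObject -Property @{
        Review = (-not $trusted); Name = $e.Name; Path = $e.Path; Exists = $exists; Signer = $signer; Source = $e.Source
    }
}
$report | Sort-Object Review -Descending | Format-Table Review, Name, Path, Signer, Source -AutoSize
```

Services, scheduled tasks and browser extensions are other persistence spots the cleaners target; they are out of scope here to keep the script short, so treat an empty Review list as necessary rather than sufficient.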
Burn everything and build afresh.
Hopefully lesson learned.
Edit: typo and formatting.
I'd love to make a Mac version someday, but the problems are so much worse on Windows so we're focusing there.
I can't thank you enough! That program is _always_ the absolute first I download on every Windows machine, period.
I think I've told all my friends about Ninite by now, and everyone is super impressed.
Would you care to elaborate on how it works? Do you download from each software homepage, or do you constantly have to download the latest versions and then serve from your own server?
Any way you could make a free or cheap one-time-pay version that can use a private server to host, and then deliver programs from it this way?
Doing this you would be 100% adware free and the client might even notice/appreciate the speed boost of a fresh install.
Mostly down to client feedback. Personally, I'd much prefer to have the nuke and rebuild approach. I offer this as a preference (safer, faster, etc), but the familiarity of these pokey vendor-supplied apps for photos and the like is a very strong draw for folks.
The burden of technical knowledge doesn't run deep. They want a low-price laptop, and all their stuff safe and sound. The value they place in their data is, in my experience/anecdotally, proportional to their purchasing habits.
Most don't have hard drive backups, despite my continued insistence. Years of photos just get stockpiled without any recourse to a backup. There's some interesting psychology at stake, too; knowing that photos are there and actually referring to them are two entirely different things.
1) Rebooting the computer can spread the infection. You should try to clean it with 0 reboots. Ignore safe mode. Kill AdwCleaner with Task Manager.
2) ComboFix is unnecessary. Malwarebytes/ESET work most of the time, and if not there are about 3 other scans to use.
Anyone who wants to buy a new laptop for speed purposes should be talked into trying an SSD first. A cheap laptop comes with a mechanical hard drive and doesn't alleviate disk I/O bottlenecks.
AdwCleaner requires a restart to finish up, as I understand it. If you know differently, I'm genuinely interested.
>ComboFix is unnecessary.
Respectfully, I disagree. It's caught things that the others have missed. Anecdotal evidence, sure, but in my experience it's proven useful.
Most of the time new laptops are not for speed purposes - there is a misconception that a new laptop is a fresh start, not necessarily a much faster computer.
The thought process invariably is: this laptop is slow and full of ads, I need a new laptop to start over without the ads and _new is best_. My clients are mostly non-technical, that's why they call me; technical clients (say, 1 in 10) are more willing to explore SSD and appropriate RAM.
TV-advertised laptops for 200-250GBP are very appealing for my client demographic. It irks me, sure, but then sometimes people have to learn by doing. The tide is very slowly turning.
What other things? Did you run FSecure, Panda, ESET, Emsisoft, Avira, Avast, Herdprotect? It might be useful, but it is dangerous. It should be an absolute last ditch effort, not standard procedure.
>AdwCleaner requires a restart to finish up, as I understand it.
Try running it twice in a row without a restart. Try running it before and after a malwarebytes scan, without a restart. Does it find things?
>technical clients (say, 1 in 10) are more willing to explore SSD and appropriate RAM.
That's why you word it: "Would you like me to make your computer much faster for $100? I can replace the moving parts with electrical ones."
I should clarify. I am predominantly dealing with annoyances, adware and unwanted applications – not viruses or malware, in the main. It's junk, not malicious or infecting - at least in the vast majority of cases.
Removing the non-viral noise makes the process of cleaning up anything else far easier. Number of rootkits encountered in 3+ years of domestic and small business technical support: zero. Number of file infecting viruses encountered in the same period: 2. Number of ransomware (Trojan horse, worm at a push) infestations: dozens. Number of adware and miscellaneous browser infestations dealt with: hundreds.
>Try running it twice in a row without a restart. Try running it before and after a malwarebytes scan, without a restart. Does it find things?
That's a really interesting question, and not one I can answer right now. I do intend to try this in a VM à la the OP link. I will endeavour to find out and report back.
List of malicious programs: Rootkit.Win32.TDSS, Rootkit.Win32.Stoned.d, Rootkit.Boot.Cidox.a, Rootkit.Boot.SST.a, Rootkit.Boot.Pihar.a,b,c, Rootkit.Boot.CPD.a, Rootkit.Boot.Bootkor.a, Rootkit.Boot.MyBios.b, Rootkit.Win32.TDSS.mbr, Rootkit.Boot.Wistler.a, Rootkit.Win32.ZAccess.aml,c,e,f,g,h,i,j,k, Rootkit.Boot.SST.b, Rootkit.Boot.Fisp.a, Rootkit.Boot.Nimnul.a, Rootkit.Boot.Batan.a, Rootkit.Boot.Lapka.a, Rootkit.Boot.Goodkit.a, Rootkit.Boot.Clones.a, Rootkit.Boot.Xpaj.a, Rootkit.Boot.Yurn.a, Rootkit.Boot.Prothean.a, Rootkit.Boot.Plite.a, Rootkit.Boot.Geth.a, Rootkit.Boot.CPD.b, Backdoor.Win32.Trup.a,b, Backdoor.Win32.Sinowal.knf,kmy, Backdoor.Win32.Phanta.a,b, Virus.Win32.TDSS.a,b,c,d,e, Virus.Win32.Rloader.a, Virus.Win32.Cmoser.a, Virus.Win32.Zhaba.a,b,c, Trojan-Clicker.Win32.Wistler.a,b,c, Trojan-Dropper.Boot.Niwa.a, Trojan-Ransom.Boot.Mbro.d, e, Trojan-Ransom.Boot.Siob.a, Trojan-Ransom.Boot.Mbro.f.
At least 'formerly-known-as netbooks' aren't selling for twice that any more. Although, they are still excruciatingly painful to work on if you're used to anything faster... like an x86 Celeron.