
I disagree with this procedure.

1) Rebooting the computer can spread the infection. You should try to clean it with 0 reboots. Ignore safe mode. Kill AdwCleaner with Task Manager.

2) ComboFix is unnecessary. Malwarebytes/ESET work most of the time, and if not there are about 3 other scans to use.

Anyone who wants to buy a new laptop for speed purposes should be talked into trying an SSD first. A cheap laptop comes with a mechanical hard drive and doesn't alleviate disk I/O bottlenecks.

> Kill AdwCleaner with Task Manager.

AdwCleaner requires a restart to finish up, as I understand it. If you know differently, I'm genuinely interested.

> ComboFix is unnecessary.

Respectfully, I disagree. It's caught things that the others have missed. Anecdotal evidence, sure, but in my experience it's proven useful.

Most of the time new laptops are not for speed purposes - there is a misconception that a new laptop is a fresh start, not necessarily a much faster computer.

The thought process invariably is: this laptop is slow and full of ads, I need a new laptop to start over without the ads and _new is best_. My clients are mostly non-technical, that's why they call me; technical clients (say, 1 in 10) are more willing to explore SSD and appropriate RAM.

TV-advertised laptops for 200-250GBP are very appealing for my client demographic. It irks me, sure, but then sometimes people have to learn by doing. The tide is very slowly turning.


> It's caught things that the others have missed.

What other things? Did you run FSecure, Panda, ESET, Emsisoft, Avira, Avast, Herdprotect? It might be useful, but it is dangerous. It should be an absolute last ditch effort, not standard procedure.

> AdwCleaner requires a restart to finish up, as I understand it.

Try running it twice in a row without a restart. Try running it before and after a Malwarebytes scan, without a restart. Does it find things?

> technical clients (say, 1 in 10) are more willing to explore SSD and appropriate RAM.

That's why you word it: "Would you like me to make your computer much faster for $100? I can replace the moving parts with electrical ones."


> What other things? Did you run FSecure, Panda, ESET, Emsisoft, Avira, Avast, Herdprotect? It might be useful, but it is dangerous. It should be an absolute last ditch effort, not standard procedure.

I should clarify. I am predominantly dealing with annoyances, adware and unwanted applications, not viruses or malware, in the main. It's junk, not malicious or infecting, at least in the vast majority of cases.

Removing the non-viral noise makes the process of cleaning up anything else far easier. Number of rootkits encountered in 3+ years of domestic and small business technical support: zero. Number of file infecting viruses encountered in the same period: 2. Number of ransomware (Trojan horse, worm at a push) infestations: dozens. Number of adware and miscellaneous browser infestations dealt with: hundreds.

> Try running it twice in a row without a restart. Try running it before and after a Malwarebytes scan, without a restart. Does it find things?

That's a really interesting question, and not one I can answer right now. I do intend to try this in a VM a la the OP link. I will endeavour to find out and report back.


Don't forget TDSSKiller and Norton Power Eraser. Super useful tools for checking MBRs.


I've found Malwarebytes rootkit detection to be roughly as effective as TDSSKiller. It's not enabled by default, or you can download it as a separate product. McAfee has one too. Rootkit Buster has never detected a thing in my experience. I still run it first just to see if it ever will.

https://www.malwarebytes.org/antirootkit/


I'm not familiar with Malwarebytes Anti-Rootkit, but TDSSKiller from Kaspersky searches for 1 single rootkit, TDSS, and performs a removal. I haven't done this type of work in a while, but 3-4 years ago it was the de facto tool of choice for dealing with MBR infections.


TDSSKiller removes the following.

List of malicious programs: Rootkit.Win32.TDSS, Rootkit.Win32.Stoned.d, Rootkit.Boot.Cidox.a, Rootkit.Boot.SST.a, Rootkit.Boot.Pihar.a,b,c, Rootkit.Boot.CPD.a, Rootkit.Boot.Bootkor.a, Rootkit.Boot.MyBios.b, Rootkit.Win32.TDSS.mbr, Rootkit.Boot.Wistler.a, Rootkit.Win32.ZAccess.aml,c,e,f,g,h,i,j,k, Rootkit.Boot.SST.b, Rootkit.Boot.Fisp.a, Rootkit.Boot.Nimnul.a, Rootkit.Boot.Batan.a, Rootkit.Boot.Lapka.a, Rootkit.Boot.Goodkit.a, Rootkit.Boot.Clones.a, Rootkit.Boot.Xpaj.a, Rootkit.Boot.Yurn.a, Rootkit.Boot.Prothean.a, Rootkit.Boot.Plite.a, Rootkit.Boot.Geth.a, Rootkit.Boot.CPD.b, Backdoor.Win32.Trup.a,b, Backdoor.Win32.Sinowal.knf,kmy, Backdoor.Win32.Phanta.a,b, Virus.Win32.TDSS.a,b,c,d,e, Virus.Win32.Rloader.a, Virus.Win32.Cmoser.a, Virus.Win32.Zhaba.a,b,c, Trojan-Clicker.Win32.Wistler.a,b,c, Trojan-Dropper.Boot.Niwa.a, Trojan-Ransom.Boot.Mbro.d, e, Trojan-Ransom.Boot.Siob.a, Trojan-Ransom.Boot.Mbro.f.


I would assume it has grown in the last few years; I also would wager a guess that most of these are related to or derivatives of each other.


I was under the impression it sort of grew into a multipurpose rootkit tool.


> TV-advertised laptops for 200-250GBP are very appealing for my client demographic. It irks me, sure, but then sometimes people have to learn by doing. The tide is very slowly turning.

At least 'formerly-known-as netbooks' aren't selling for twice that anymore. Although they are still excruciatingly painful to work on if you're used to anything faster... like an x86 Celeron.