
Backroom Secrets of the Security Tech Support Experts Revealed

When an antivirus program simply can't remove the malware traces it found, tech support needs to take a hand. During a recent review I had a ringside seat for many hours of manual malware removal; it was most enlightening.

By Neil J. Rubenking
May 1, 2013
Honesty is the best policy, they say. Certainly I appreciated the honesty displayed during my recent review of Emsisoft Anti-Malware 7.0. When the antivirus scanner couldn't completely remove the malware it found, it honestly admitted that fact, and advised me to get tech support help for finishing the cleanup process. Little did I know that by doing so I'd embark on a weeklong trek, experiencing first-hand just how far a malware cleanup expert will go.

For my malware removal test, I install an antivirus product on a dozen malware-infested virtual machines (always the same virtual machine snapshot) and challenge it to clean up the mess. Emsisoft's antivirus reported an inability to fully clean up ten of these twelve systems. In some cases a virus had infected essential Windows files, and in one case the infected file belonged to Emsisoft itself. It also reported that removing any rootkits would require help from tech support.

By the Numbers
I had no idea when I began this project that it would grow to take over 30 hours of my time, involve well over a hundred email messages, and require exchanging over 150 diagnostic logs and scripts. When it was all over, I combed through the email conversations to analyze just what happened.

During the course of the week, on instructions from my tech support contact, I used fifteen different diagnostic and cleanup tools, only one of which was an Emsisoft product. I submitted 120 diagnostic logs and ran over 30 cleanup scripts. In a couple of cases I had to download the Windows XP SP3 update, for recovery of corrupted system files.

I wound up running 11 of the 15 tools on the two systems with the most persistent problems. In the course of getting the very worst one cleaned up, I submitted 30 diagnostic logs and ran 10 cleanup scripts. I managed to keep up with my email and advance a few other projects during the rare moments when all active test systems were busy running some kind of scan, but most of my time was spent downloading tools and exchanging files with tech support.

Tools the Experts Use
So, just what tools does a malware cleanup expert use? I'm sure each expert has particular favorites, but I can report on what I observed. Here they are, in descending order of the number of times they were needed.

OldTimer's List-It, or OTL, was by far the most-used of all the security tools. I submitted over 50 OTL logs to my tech expert, and ran over 25 cleanup scripts that he supplied after analyzing the logs. On one test system I had to run OTL a dozen times, in between using other tools.

The extremely powerful ComboFix tool also got a workout. ComboFix isn't for the faint of heart. You can't use the computer while it's running, and it's supplied "as is" for use by experts only. Creating a fix-up script based on the utility's log files takes training and expertise. I supplied 28 ComboFix logs during my grueling week, and ran fix-up scripts six times.

As I mentioned, Emsisoft Anti-Malware reported itself unable to automatically remove malicious programs that use rootkit technology to hide their activities. Kaspersky's TDSSKiller exists for the sole purpose of removing certain rootkits, and tech support had me use it nine times. They also called on Panda Anti-Rootkit three times.

Emsisoft has its own targeted malware cleanup tool, Emsisoft Emergency Kit. Tech support did have me run this tool five times, near the beginning of the week, but apparently decided it wasn't doing the job. They never asked me to run it again after the first day of working on the problem.

McAfee constantly updates the Stinger utility to address specific infestations that are hard to remove. McAfee's Stinger got a chance at fixing four of the test systems, and a less-known tool called Avenger had a whack at three.

As for the remaining tools, I was instructed to use them just once or twice. These included: Avast!'s aswMBR, Kaspersky's AVZ AntiViral Toolkit, the Farbar Service Scanner, Windows Repair from Tweaking.com, AdwCleaner by xPlode, Junkware Removal Tool, and RunScanner. I also supplied logs from the built-in Windows SIGVERIF tool on a couple of occasions.
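For readers who want to see what a signature check of the SIGVERIF kind actually looks like in practice, here is an added example; it is not code from the article, not one of the tools the support agent used, and not an Emsisoft or Microsoft script. It sweeps the executables, DLLs and drivers under System32 with the standard Get-AuthenticodeSignature and Get-FileHash cmdlets (PowerShell 4.0 or later on Windows is assumed) and lists every file whose signature is missing or no longer matches the file contents. The directory, extensions and output path are my own choices.

```powershell
# Added example, not from the article: a SIGVERIF-style sweep of Windows system
# binaries, listing files whose Authenticode signature is missing or invalid.
# Assumes PowerShell 4.0+ on Windows; the path, extensions and CSV location are
# assumptions made for this example.
$root = Join-Path $env:SystemRoot 'System32'
$exts = '*.exe', '*.dll', '*.sys'

$results = Get-ChildItem -Path $root -Include $exts -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path   = $_.FullName
            Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# HashMismatch means the file changed after it was signed, which is exactly what
# a file-infecting virus leaves behind in a system binary. NotSigned only means
# there is no embedded signature: many Windows files are catalog-signed, and
# older PowerShell versions report those as NotSigned, so treat that status as
# "look closer", not as proof of infection.
$suspect = $results | Where-Object { $_.Status -ne 'Valid' }
$suspect | Sort-Object Status, Path | Format-Table -AutoSize
$suspect | Export-Csv -Path (Join-Path $env:TEMP 'sigcheck.csv') -NoTypeInformation
```

The SHA256 column is there so the list can be compared against a known-good copy of the same Windows build, which is how a technician confirms that a HashMismatch is a patched file rather than a legitimate update. Run it from an elevated prompt; some driver files are unreadable otherwise and will be silently skipped.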

Handle With Care
So, if you encounter malware that your antivirus can't remove, should you start downloading this collection of tools? Probably not, as it turns out. Almost all are intended for use by experts, and some actively require the intervention of a trained technician who can analyze the logs and manually write cleanup scripts.

Using these tools without proper understanding, you can do more harm than good. Even while strictly following instructions from a security expert, I managed to "kill" two systems, rendering them unbootable. My test systems have System Recovery turned off, to save space, and I don't have a Windows XP SP3 disk. The only way to rescue those two would have been to create an arcane tool called a BartPE rescue disk. I don't think the average user could manage that, so I gave up, with some relief.

So what can you do if your antivirus fails to completely clean up a malware infestation? Your safest bet would be to run Malwarebytes, our Editors' Choice for free, cleanup-only antivirus. In our own testing, Malwarebytes beat out all other products, both free and paid. For suspenders-and-belt protection, run Comodo Cleaning Essentials too.

A Matter of Confidence
In a recent review of Kaspersky PURE 3.0 Total Security, I had a tough time getting the product to install and run on my infested systems. Tech support brought out an array of tools to solve the problem—Kaspersky Rescue Disk, Kaspersky TDSSKiller, Kaspersky NetTest, Kaspersky Anti-Viral Toolkit, Kaspersky ReportMaker, and so on. That felt right; Kaspersky tools solving a Kaspersky problem.

I'm immensely impressed by the perseverance and dedication of the Emsisoft support agent who worked through the arduous process of cleaning the ten systems that weren't handled automatically by the Emsisoft antivirus. However, the fact that almost all of the tools used came from other vendors doesn't fill me with confidence, nor does the fact that many of them had to be applied over and over again.

An antivirus program ought to identify all malware that's present, disinfect valid files that have been corrupted by a virus, and quarantine all non-virus malware. If help from tech support is needed, a definitive response using the vendor's own tools and not requiring too much user participation will surely inspire the highest degree of confidence.

About Neil J. Rubenking

Lead Analyst for Security

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s I turned my focus to security and the growing antivirus industry. After years working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.
