
Battling the Google Redirect virus

Consultant Bob Eisenhardt recounts his frustrating experience trying to track down and get rid of a client's search-redirect virus. Here's how he finally ditched it.

Ever go to Reno, Nevada? Well, if you have not, there is a terrific little virus making its way around the net that instantly takes you there from your search engine. About a month ago, one of my accounts in Manhattan reported that something was redirecting searches to odd websites, one of them coming up as SEARCH RENO. I tested the search on-site and it was indeed true.

All of the standard defense protocols such as a scan with MalwareBytes and ComboFix came up clean. Although the bug is commonly referred to as TDSS, the software fix that a co-consultant I work with totally trusted, TDSSKiller, came up equally clean. This was a surprise.

Sophos has a rootkit killer that also found no infections. ComboFix came up empty handed as did Gmer. Having thus exhausted the standard solutions, I was mightily frustrated.

Further research led me to a persistent link that indicated a services search for RANDOM.EXE running. It was not running on my client's system. The random.exe link also advertises a paid software product to remove the virus, with a live chat concurrent with somebody (probably in India). I ignored that option instantly. (I have come to believe that some blogs pose question and answers by the same user under different names, an ingenious idea for the uninitiated to download an infected product.)

So where does this one come from? The redirect URL takes users to the IP address 63.209.69.107. If you google that IP, you are off on a hunt of severe frustration. This virus has been around awhile, but finding a solution remains confusing. Let's look at that IP address for a moment. It is related to SCOUR.COM as a redirect agent. This is either a real or a fake site, and the virus itself uses complex methods to hide from the traditional removal methods I undertook above. There seem to be two threats here - a search hijacker and Trojans hiding in the links on the redirect page. The former just slows down your system and makes life frustrating, which is common enough with Windows itself. The Trojan is an open door for someone far away to control your computer and steal information. In a worst-case scenario, malware of this type can steal your financial information and then wipe out your drive. This is precisely what happened to 30,000 systems in Saudi Arabia recently. Trojans must be removed quickly, and that is the devilish part to do.

I am heavily qualifying my certainties because this is such an odd entry into the virus and malware world; for instance, I do not know exactly where the infection comes from. We can be reasonably certain that some (not all) porn sites will infect your system as well as other compromised sites that include links to sketchy destinations.

If memory serves, there was also a quick redirect agent running when a Google search was initiated and before "Reno" arrived. It was hard to catch, maybe in the address bar for 2 seconds or so. I believe it was "myfreesearch" or similar. The category of MYFREE something has always been an annoyance, such as MY FREE WEBSEARCH, which is horrible. But this one came and went very quickly. I strongly urge security experts to use good eyesight to catch these momentary leads.

There is a variant of the redirect virus that attacks just Firefox. Mozilla Support lists a php script running on a different server (where, I know not) that kicks you over to "realgamerz.net" and similar shady sites. As above, traditional methods of elimination failed and Mozilla really has no clear cut answer. Nor does the voyage always take you to Reno -- one user reported being directed to bargainmatch.com when trying to find the Weather Channel.

All of which leads me to suspect that many variants of this virus abound, but I am almost beginning to think we are entering something beyond traditional virus and malware problems. This one, at least the one I hit, is very slick. We may be seeing a whole new breed of invasive tools come into play. A co-consultant was absolutely shocked that TDSSKiller did not find anything. Running HijackThis produced a log that can be pasted into an effective website, HIJACKTHIS.DE, which will run an in-depth analysis and highlight potential issues. Even though several irregularities were spotted, again and again my client's system visited Reno.

Resolution was draconian but very simple - I gave up trying to remove the virus and used Revo uninstaller to remove Firefox entirely, trusting that I am confronted with a variant that infects just Firefox. After saving bookmarks, using Revo, a cold reboot, and then a reinstall, my client has confirmed that the problem has gone away. I am relieved of one more burden. (If I run into this virus again, I will try GOOREDFIX as some have suggested).

Hackers and thieves are, by now, well aware of the tools most professionals use to remove their products, and it would not be surprising at all to see them working their evil deeds around these tools. I generally believe that in the world of security I can stay ahead of the thieves by minus five minutes or so -- that there is always somebody out there already ahead of the game by just that much.

Have you run into this virus or a similar search hijacker? How did you get rid of it? Let us know what you found out in the comments below.

40 comments
article reviewer

Yea, Kaspersky's TDSSKiller is free; a few others are Norton Power Eraser and SuperAntiSpyware (which will find redirects sometimes). It's nice to do a full virus removal and tune up though, since many of the settings get messed up. I also enjoy http://gerardcomputer.com/ with the videos; you can do a little pause and then do some other stuff and the tutorials are right there, as well as links to the free tools the pros use.

John Alias

So I have used scanners to try to get rid of the redirect but have found the manual way best. It is not too complicated, but a scam-free site called http://fix-redirect-virus.com/ has a virus removal tutorial that is free on the site (for sale elsewhere on the web). Anyway, they walk you through the steps of "do it yourself" free virus removal.

randy.savage

This guy Anup Raman is good. I opted to get his professional help and now everything works fine. The infection was much more complicated in my case, with more infected files detected other than the redirecting ones. In total I had around 126 infections detected, but it seems most of them were there inside even before my computer started redirecting. Norton did nothing to protect my computer. Never ever Symantec on my computer again. http://atechjourney.com/google-redirect-virus-remove-manually.html/

dlschuch

Sorry, what I meant to say: I have been on a week-long excursion to get rid of that God-awful redirect virus. I have a blog on OpenSalon where I begged for help with a post, and the answers in the comments never work. Since it seems to be Google Redirect, most of my readers recommend just getting off Google and using a different search engine. But that means something is still running in my brand new computer. I used Norton's and it worked for maybe a few hours, then it was back. I cannot find any common denominator as to how it is coming on board. So I used Norton Power Eraser and I thought I blasted my system. That was worse than the virus. So now I am back to peg one. Google must be going under if they are not doing more than this. WHAT TO DO?????

dlschuch

I have been on a week-long excursion to get rid of that God-awful redirect virus. I have a blog on OpenSalon where I begged for help, and the answers never work. Since it seems to be Google Redirect, most people say just get off Google. But that means something is still running in my brand new computer. I used Norton's and it worked for maybe a few hours, then it was back. I cannot find any common denominator as to how it is coming on board. So I used Norton Power Eraser and I thought I blasted my system. That was worse than the virus. So now I am back to peg one. WHAT TO DO?????

Terry781

The Google redirect virus could modify the browser's home page, search page, search results and the default settings through DLL plug-ins, BHOs and Winsock LSPs in order to hijack the victim computers to the specified website. The easiest method you can try in order to restore your PC performance is downloading an instant fix. You can also check this guide: http://freshdigitalproducts.com/?page_id=80

viasue

The first thing I would like to share IS: Whenever you have a very stubborn virus or malware/spyware, you do not try to get rid of the issue while running Windows. These programs can hide, yes hide, from the anti programs used to clean them from your system. Even if reported as cleaned they can hide in your memory, which by today's standards is a huge place to hide. They can redownload themselves if your PC has a constant internet connection just by turning on most PCs or pads. Once the internet is available the malware or virus can update itself or even reintroduce itself into your PC once it detects a scan is at work. This way, when you reboot, the instructions left in your registry by the viral program or its newly self-downloaded updates will then reinstall it, causing you to chase and rechase it with no true removal, even though your trustworthy program says it found and cleaned the bugger. What to do with programs that can hide or rename or reinstall themselves once a clean effort has been detected by the malware? It's simple, VERY SIMPLE. Shut down, disconnect your internet modem / internet router. You want the internet OFF with no path to a connection. Also turn OFF any and all programs that are running on the tool bar (right click on the tool bar icon and close them or disable them, including any programs in use; do not scan while running any program except the anti program). Please shut down any and all programs, all but your anti virus or anti spyware. Then run your scan in Windows as usual, likely with the same results: virus not found, or virus contained or cleaned. But this time when the scan is done, shut down the only program running, the anti virus, unless it auto reboots, which is what you want: to reboot.
But this time, just after the reboot starts, press your F8 key (on some PCs it might be another F key); you want to be in the DOS or black screen where you have a choice to boot into Windows under Safe Mode with Networking. This is very important: < You Do Not Want To Restore your system if asked >. You only want to get into Windows in Safe Mode with Networking. If given the choice of going into Windows as Administrator, please make that choice (Admin whenever possible). Even though you ran anti programs just a moment ago in Windows, you have only cleaned the tip of the iceberg that you can see. To clean the other 2/3rds you can't see, please do this: While in Safe Mode run your anti malware/spyware and anti virus programs, in that order, and do a full scan, not a speed scan or quick scan; do a full, however long it takes, scan. Once the scan programs are done, any and all viruses or malware/spyware programs should be removed. To make sure, run yet another full scan (not quick scan) while in regular Windows as mentioned, with the internet unplugged from your PC, and if wireless internet is available turn off your wireless router. Once done you will have run, in this order: a full scan while in Windows; a reboot into Safe Mode via F key and a full scan of the anti spyware / malware / virus programs in that order; then a reboot into Windows as normal, with your internet disconnected, and your final full scan. All this takes time, but once you are done so should the virus be done, dead, finito. Now if the problem comes back, it is possible a rootkit virus is reinstalling once it finds an internet connection that either you are using or is always available after Windows boots up.
In some cases, that is right after you have done the above in the correct order and all signs of the virus are gone, you can go into Windows Settings and do a system capture so you can do a system restore as another way to get things back as they were prior to the redirect virus reintroduction / reinstall. This is an advanced short cut to avoid doing the above, but system restores are not to be done casually and quite frankly are done mostly as a last resort before reinstalling Windows and everything you have built into your PC. A system restore is a rather desperate effort and should be considered in the same way as doing a Windows uninstall and reinstall, as the last thing you would willingly want to do :>( A final word about the registry: do not mess with it unless you are an advanced tech person and have done a system capture and are prepared for the worst, a system restore or Windows reinstall. But the very advanced user would be able to find a good rootkit program or actually find the offending script in the registry and rename &/or remove the offending malware scripts by hand. Not suggested or recommended for the untrained!! VIASUE

IndiraSoman

This problem was driving me nuts for almost a month now. Imagine considering yourself tech savvy, working for an IT dept., and there is nothing you can do to get rid of this infection. Forget all the AntiVirus, AntiSpyware and AntiMalware software that I tried; I can just go on and on naming them. After a lot of research, yesterday I was finally victorious, thanks to the genius solution provided by Anup Raman. This guy surely knows what he is doing and did a good job in explaining. The problem was narrowed down to 4DW4R3c.dll, a dll file inside system32. This was only possible because I tried his method of checking ntbtlog. I have never heard or seen anyone using ntbtlog for fixing rootkit issues; not even once have I heard of anyone using this method on any website. The steps he mentioned are right to the point, and the video he created is so user friendly that anybody should be able to follow. No wonder he got so many likes on YouTube. Most probably I might do a presentation on this topic in my IT dept :-) This is the link for reference: http://atechjourney.com/google-redirect-virus-remove-manually.html/ . Highly recommended.

red789

As a symptom this has been around for years, but, as the author points out, this variant is incredibly resistant to virus checkers. I had this for about a month and fiddled sporadically with virus checkers of various sorts, and nothing suspicious flagged up. Eventually I found a dll manually in C:\Windows\System32 with a "date modified" of 2008 but a date created of 2012. I renamed it (it was wmpns.dll) and to date I've not experienced any more problems. wmpns is the name of a legitimate Windows Media Player applet, but as I never use Media Player, and other sites say it can be used as a threat filename, I would be curious if you find a similar file.

ldclancy

I've just finished battling a similar virus on Dad's laptop. I worked through a similar list to the author and had to persist, because it takes a while to (manually) rebuild that machine. I was interested that the redirect infected both Bing and Google on IE, Firefox and Chrome. Eventually got it with the AVG Rescue CD http://www.avg.com/us-en/avg-rescue-cd

hillelana

Maybe try SuperAntiSpyware free. It's found things Malwarebytes hasn't (the reverse also happens).

flyingpig325

I have the exact same problem on my laptop (IE, Firefox, Chrome with the same redirect) but only at home and not at work. I suspected my home wireless router but there were no problems. Interestingly, since I run 64-bit Windows 7, only the 32-bit version of IE is affected and not the 64-bit. Also ran TDSSKiller and ComboFix as well as a bunch of malware detectors, and everything came up clean. Any thoughts?

gechurch

I'm surprised the author tried so many steps - it must have taken ages to resolve the issue. I admire his persistence and documentation of what he found, but others have already posted some good (and often very quick/simple) troubleshooting steps that may have resolved the issue much faster. I used to work at a mom and pop computer store and dealt with virus infections all day long. I remember the first time I saw TDSS - it stumped me for a few hours. It was about that time that I changed strategy. It seems stupid to me to run rootkit scanners. Trying to check for infections on a machine where the infection already has control just seems like a bad way of handling the situation. We just made it a rule to pull the hard drive, plug it into another machine as a slave and run virus scanners from there. We did this for any machine where we suspected a virus was a possibility. Since we didn't have to fix the machines Right Now, we would stop work 20 minutes before the end of the day to look at the PCs on the To Do shelf and would set them up and leave them scanning overnight. This worked wonders. By the morning the scans had run, and half the time the job was complete without needing to do any more work. As others have mentioned, if you're in a corporate environment then reimaging the machine is probably a good idea. It feels like a cheap/defeatist thing to do and it isn't as rewarding as tracking down the problem, but it sure is fast and effective.

trog7

DO NOT uninstall Firefox. In the browser URL window type in about:config and hit enter. If you have not been here already, it will give a warning page; agree to it to proceed. Then in the search window, type in the word SEARCH. It will then display all the related protocols to do with search parameters. Now, on EVERY LINE in the window, right click and select RESET. Could be 20 to 30 lines or more to do with search; you MUST RESET ALL lines. Once you have done that, close the tab, and close Firefox.

Click on Start, RUN, then in the window type the word DRIVERS and hit enter. This will take you to the "C:\Windows\System32\drivers" folder. Click on the "etc" folder and look for the HOSTS file. This file should display as about 1kb in size; some infected files can be quite large. Right click on the hosts file and select Open With, and then select WordPad [or Notepad]. It will display MS copyright info and some info on the hosts file. A healthy hosts file looks like this:

    # Copyright (c) 1993-2006 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host

    127.0.0.1       localhost
    ::1             localhost

and should not contain anything more. If there are any other entries, e.g. 105.76.83.90 advert.buyers.com, delete them and save the file.

Open Firefox again. Select TOOLS - Options, go to the GENERAL tab and check the home page; for the moment type in about:blank and apply. This gives a blank window when the browser starts.

Select the ADVANCED tab, then Network, and check for proxy settings. [Sometimes a proxy jump is inserted here!] Unless you know the proxy for your ISP, select NO Proxy. Then clear out the internet cache, and the offline cache. Then go back to Tools, select Add-ons, and remove any browser helpers and add-on toolbars, especially Babylon bar, Ask bar and Google bar, etc. [These are NOT needed anyway!!! They just waste internet bandwidth and memory, and some, like the Babylon toolbar, are malware!] Once you have done all that, close the browser. Go to Control Panel - Internet Options and clear all the caching there, and also check the Internet Explorer home page as well. Restart the computer. Load the browser and do a search (Firefox has the handy search window at the top right) and see if it still redirects. Once it looks clear, if you want, you can now re-establish your original browser home page.

PS: go to Control Panel - Add/Remove Programs and make sure to uninstall the helper bars from there as well.

PPS: in case you can not see the hosts file: go to Start - RUN, then in that window type CONTROL FOLDERS and hit enter. This opens Folder Options. Go to View. Make sure to select "Show HIDDEN files". Un-tick the next couple of HIDE options, especially the system files; this will display a warning, say OK to this, and hit Apply. Then try looking at the HOSTS file, as this MAY be where the redirects are hidden, so it is pointless trying to re-install the browser if this has been altered. ALSO, for Google Chrome and MSIE browsers a similar path is needed to rid the redirects. IF your computer has the problem, go to another one to do a search for "Internet Explorer Google re-direct", or "Google browser hi-jack", ETC.

PPPS: for a more thorough process go to: http://atechjourney.com/google-redirect-virus-remove-manually.html/ [I see someone else has also referenced this link ;^)]
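As an added example (not code from the article or from the commenter above), here is the HOSTS-file check from this comment as a small Python audit: it parses the file the way the resolver does, skips the two stock localhost lines, and flags everything else, rating entries that redirect a search engine or pin a browser or AV vendor to loopback highest. The sample file, the watched-domain list and the vendor host names are constructed for the example; only the stray entry and the redirect IP come from this page.

```python
"""Audit a Windows HOSTS file for search-redirect and update-blocking entries.

Added example; not code from the original article or any commenter.
"""
import ipaddress
import os
from dataclasses import dataclass

# The only two mappings a stock Windows HOSTS file carries (the rest is comments).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Domains whose hijacking produces the symptom the page describes: search
# engines being redirected, and browser/AV vendors being blocked from updating.
# Constructed, illustrative list, not an authoritative catalogue.
WATCHED_DOMAINS = (
    "google.com", "bing.com", "yahoo.com",
    "mozilla.org", "microsoft.com", "windowsupdate.com",
    "symantec.com", "malwarebytes.org", "kaspersky.com", "sophos.com",
)


@dataclass
class Finding:
    line_no: int
    ip: str
    hostname: str
    severity: str   # "high", "medium" or "low"
    reason: str


def _is_watched(hostname: str) -> bool:
    """True if hostname is a watched domain or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text: str) -> list:
    """Parse HOSTS-file text and return a Finding for every non-default entry.

    Comments ('#' to end of line) and blank lines are ignored, so entries
    padded far below the visible Microsoft header are still seen.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            findings.append(Finding(line_no, fields[0], "", "medium",
                                    "malformed entry: no host name"))
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append(Finding(line_no, fields[0], " ".join(fields[1:]),
                                    "medium", "first field is not an IP address"))
            continue
        ip = str(addr)  # normalised form, so "0::1" matches "::1"
        for host in fields[1:]:
            if (ip, host.lower()) in DEFAULT_ENTRIES:
                continue
            if _is_watched(host) and addr.is_loopback:
                sev, why = "high", "watched domain pinned to loopback: blocks search or updates"
            elif _is_watched(host):
                sev, why = "high", "watched domain redirected to another address"
            elif not addr.is_loopback:
                sev, why = "medium", "non-default entry points off-host"
            else:
                sev, why = "low", "non-default loopback entry (typical of a user blocklist)"
            findings.append(Finding(line_no, ip, host, sev, why))
    return findings


def windows_hosts_path() -> str:
    """Location of the live HOSTS file on Windows (the folder named in the comment)."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")


# Constructed sample: stock header, the two default lines, then one entry of
# each kind. The stray entry and the redirect IP are the ones quoted on this
# page; the other two host names are made up for the example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost



127.0.0.1       ads.example.net          # user blocklist entry, benign
105.76.83.90    advert.buyers.com        # stray entry quoted in the comment
63.209.69.107   www.google.com           # search engine sent to the redirect IP
127.0.0.1       liveupdate.symantec.com  # AV vendor blocked from updating
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no:>3} [{f.severity:<6}] {f.ip:<15} {f.hostname:<25} {f.reason}")
```

To audit a real machine, read `windows_hosts_path()` and pass its contents to `audit_hosts`; a loopback entry for a domain you deliberately blocked (as another commenter suggests) will show up as low severity, which is expected.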

lehnerus2000

Did you try setting the suspect sites to 127.0.0.1 in your "hosts" file?

anupraman

The Google redirect virus may not be the deadliest, but it is undoubtedly the most annoying one because of its redirecting of search results. Another major highlight of this infection is that no security software can claim 100% protection against it. The viral code has gone through a lot of changes periodically, making it difficult for any security software to give a final fix. Check the link, which explains the manual removal of the Google redirect virus. The troubleshooting steps are a bit technical, but there is a step by step video which makes the job easier. http://atechjourney.com/google-redirect-virus-remove-manually.html/ Good luck.

MZeke

I will normally spend about 30 minutes trying to get rid of the infection. If that fails, I resort to using Active Kill Disk to wipe the hard drive (to ensure EVERYTHING is gone) then I re-image it. That is of course after I remove whatever data is needed from the machine. You cannot beat re-imaging as long as you have a current image. I create a new image file (using Norton Ghost) every couple of weeks.

roger.ramey

I have always found Trend Micro Titanium Internet Security 2012 to be very effective in removing these types of threats. The good thing about this is they give you a free trial that is fully functional and that will remove the threats if you just need to resolve the issue. After my stress with getting rid of a trojan that none of the other programs were able to clean, I installed Trend and never looked back since. No regrets. Another option is to download and use their HouseCall program to assist in removing the pest.

Jaytmoon

Working in the public sector, my workstations (25) are exposed to all kinds of malware. The only solution that I've found works is "DeepFreeze", enterprise version. No matter what the client users do on our system, their activities and files are tossed out when they are logged off, leaving the PC's OS and files pristine and malware free.

Yaffeweb

I had a very similar redirect virus and I went through all the things you have mentioned above. Scan with this, check with that... The solution I found to the problem was to just Reset Firefox back to default settings. Mozilla has a walkthrough at http://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems or you can access it by typing about:support in your Firefox address bar. There is a button that says Reset Firefox, as well as a lot of system information in case you just like looking at stats.

Clendanielc

"Some people are ghosters and some people are fighters, I happen to be both." I'm curious to see if anyone else battles viruses/malware/etc anymore. Our machines don't store anything on them and run a citrix type of environment. If someone gets a virus, we either run the virus scan and malwarebytes if we believe that is the easy fix or ghost the machine. The ghosting takes ten minutes and the virus scan takes 30 - 45 minutes. We find that ghosting is easier. What does everyone else do?

Greenknight_z

Haven't met this myself, but on the Firefox help forum it was reported that removing the add-on "Printing Helper 2.5" cured the problem. The user who discovered this didn't recall installing the add-on; I'd look for any add-on that doesn't belong, since the malware creator could easily change the name of the fake add-on. Firefox has an option "Restart with Add-ons Disabled"; it's under Help. Always try this as a diagnostic step; you may only need to remove an add-on to fix a problem.

article reviewer

Thank you for that site. I have been there and it appears to be totally legit. Regards.

anupraman

Try doing an IE optimization. http://atechjourney.com/how-to-do-a-complete-internet-explorer-optimization.html/ This should help you fix it, if the problem is because of a corrupt browser. Please try the steps mentioned in my blog http://atechjourney.com/google-redirect-virus-remove-manually.html/ to fix the issue. A lot of people had success using this method. You can also contact me using the comments section on my website. I will do my best to help you with this infection. Regarding Norton Power Eraser: there are a lot of people who had success in fixing the issue, but frankly it has screwed up more computers than any other software. I am an ex-Symantec tech support and I know the effectiveness of the software first hand. This software is nothing but crap. Anyway, good luck with troubleshooting. Feel free to contact me if you need any further assistance.

SmartAceW0LF

Sometimes I find it necessary to use this to rid the system of unwanted files that load. Basically, I remove everything that is not from a recognized vendor of my installed apps. One last noteworthy suggestion is the observation that these types of issues can often be due to the use of "FunWebProducts" or the "MyWebSearch" variants. I imagine there are enough droves of totally ignorant users of these products whose opposition to them being included in the Malwarebytes removal process has warranted the coders of MBAM to remove them from their list of default products to be cleaned. You now must go into Settings/Scanner Settings of MBAM to make them be selected in the list of things to remove. This can prove to be easy to overlook and on some systems a major pita to select the sheer numbers of them. Generally, in the case of REDIRECTS I check Internet Options to make sure it hasn't been changed to use a proxy, check the hosts file for suspicious entries, use HijackThis to remove suspicious entries and finally, if necessary, reset the IP/Winsock stacks/catalogs through the command line. If there is a particularly problematic issue with the Winsock, while HijackThis will not remove it, it will at the very least report its presence.

SmartAceW0LF

In using the above laid out procedure wherein the disk is removed and scanned outside the installed OS, almost invariably it has been my experience that doing what you describe hoses the OS. Perhaps 1 out of 10 has proven to rid the system of infection without destroying essential system files. I only bring this up as a matter of curiosity due to so many suggestions to use this procedure. So, my thoughts are, "Why does this continue to be suggested? Is it old news for older malware variants? Perhaps a case of one's choice in utilities used?" Either way, in this day and time I find it to be an unacceptable procedure as opposed to backing up user data and reinstallation of the OS and user apps (which incidentally I find to be a major P.I.T.A). Today, and indeed since its arrival on the scene, if Malwarebytes and/or ComboFix and occasionally HijackThis fail to fix the issue, I generally move on to what I call the Answer To Everything or ATE procedure. By this time I usually have a little less than an hour in troubleshooting the matter and can accomplish the ATE process within enough time to avoid pricing myself out of business. Just saying, for one whose livelihood depends on this (outside of the corporate environment, where the ability to direct choices of hardware/OS/application plays a major role in choosing to use an image) it seems to me to be a fruitless endeavor. Also, please do not misunderstand my post as an invitation to flame. I am always up for suggestions and seeking new avenues to efficiently achieve the same goals. Edited to note, +1 on the TDSS issue though. This is one I spent a good deal of time on myself. Sometimes, though it costs you time which in turn equates to money, you just don't want to give in to the bastids (malware coders).

ldclancy

Agree (now) that it is futile running a scanner on the system while under control of the infection. Have a look at rescue/boot disks if you don't have access to another computer.

SmartAceW0LF

netsh winsock reset catalog in the command line

Gisabun

Norton Ghost? Reminds me of a seminar I went to and the speaker said "who uses Ghost" and very few lifted their hands. It's a dead product. Symantec barely supports it - if they still do.

joetron2030

Until you find that your images are most likely infected too. That happened to me recently. I could not get rid of a persistent infection that kept showing up no matter what tool I used to try and remove it. In the end, I decided to restore from my most recent image. All seemed fine until it wasn't. That image was also infected. Same for the prior image to that (I always keep two revisions of Ghost Image sets around). In the end, I couldn't trust my system so I reinstalled everything. On the plus side, I now have way more free space on my C: drive because I didn't reinstall everything that I had previously installed.

Gisabun

Except some malware will block you from running an AV product or updating.

gechurch

Now that you mention it, that did happen occasionally. For me it was more like 1 time out of ten that the system wouldn't boot. Perhaps the scanners I was using (Kaspersky, NOD32 and Malwarebytes) did a better job than some others, perhaps viruses were less destructive back then, or perhaps I was just lucky. It was about 4 years ago that I stopped doing this type of work, and the vast majority of machines I worked on were Windows XP. This meant if the machine didn't boot I just had to run a repair install. This was generally pretty quick, and was pretty much guaranteed to get the machine working again. As you would know, Windows Vista and 7 (and I presume 8) removed the ability to do a repair install (unless the OS already boots). I do recall booting from MS DaRT CDs for these OSes and running SFC, and also having tried copying the missing files in place while the drive was a slave. I had some success with these techniques on Vista/7, but it was nowhere near as foolproof as a repair install on XP was. Even so, I would still advocate removing the drive and scanning it as a slave. Sometimes it will remove the virus and the job will be mostly done, and in the times when it leaves the machine non-bootable then you know it's time to do a fresh install (without having wasted time running other tools in the infected machine). I agree with your comments re being fast about deciding whether to format and reload or not. It's very easy to get trapped into thinking the next change you make or tool you run will fix the problem. Then suddenly you've spent 4 hours on the machine and need to format & reload anyway. I didn't want us to become a shop that formats and reloads every machine we saw, and there's always the problem that when you reload, the machine will never be the same as it was before.
There are always programs that the user no longer has the installer for, or customisations the user made that you can't get back, or passwords that the computer remembered but the user no longer does. So I would spend longer than it sometimes warranted trying to fix the issue without reformatting. I found over time that I got much better at knowing the registry entries and folders that malware typically infects, and I was able to fix more and more machines quickly and without needing a reformat. (This worked for TDSS - it took me 4 hours to figure it out initially, but I saw it 20 more times in the next few weeks and was able to fix it in 10 minutes and without reformatting.) This also kept me sane (problem-solving is fun, reformatting is boring). But from a cost point of view, I have to agree that formatting early and often is a good strategy. I developed a few programs and processes to speed up the format and reload process, and to record and restore things like passwords and settings. If you're interested I can give you a rundown, and copies of what I have. Email me - gareth@it_resourc_ing.com.au (remove the underscores).