This guy should NOT be a tech….

This topic is closed.

  • #1

    Okay this is not a tech from our call center, but this is one reason why a lot of consumers don’t trust independent repair centers and would rather bring their PC into a retail-based shop.

    A woman calls in who was told to call back after the last tech ran a couple of threat scanners, which only found cookies. I log into her system while reading the notes, and see this is clearly NOT a malware issue. To be fair to the first tech, he did run CounterSpy and it picked up a Trojan, but that was it; it should have stopped there. The Trojan came from the woman installing and using Limewire, which I quickly removed.

    Anyway, the issue was that many of her devices (sound, wireless NIC, etc.) didn’t work and she was having trouble with a photo/video slideshow program. The client mentioned she had brought the laptop to an independent repair shop, with all the CDs, to fix a virus issue. The shop wiped the system clean using her restore CD. First off, strike one against any tech who would rather format than spend 5 minutes of research to find a removal tool that takes 1 minute to run.

    After looking around in the laptop, I see the issue. Other than the Ethernet adapter, NONE of the drivers were installed! That’s why nothing was working. I mean really, if you’re going to format at least install the flippin’ drivers afterwards! The sad fact is the woman gave the guy both the O/S and the driver CD, and he didn’t even touch the driver CD. Strike two against him.

    Strike three: she said she called the guy, and he told her to do a system restore, which ended up making things worse. The guy said he’d call her back after the restore but never did (I wonder why?).

    I undo the restore and install all the drivers, make sure there are no viruses and test her photo/video program which works fine. The woman says she’ll use us from now on, and I was tempted to tell her to go back to that shop and complain.

    This idiot gives the real competent independent techs a bad name.

  • #2
    Quoth sld72382:
    First off, strike one against any tech who would rather format than spend 5 minutes of research to find a removal tool that takes 1 minute to run.
    Extremely few removal tools run their own OS. Instead, they rely on the computer having an installed and functioning OS. As a result, even though they will work well enough most of the time, they are not to be trusted themselves.

    Why? Consider this:
    If the OS has been compromised, and a rootkit installed (which is the direction much malware is going these days), then the rootkit is in ultimate control of the operating system. The rootkit can lie to any operating system call, including those which list directories, files, running processes, even the ones that verify passwords. Not only can it be done, it has been done.

    Under such circumstances, the only safe option to ensure the removal of the malware is a reformat/reinstall.

    Strike one against any tech who isn't aware of the very real danger that poses.



    • #3
      Most of the best scanners and specialized removal tools (Smitfraudfix and SDFix come to mind) remove rootkits when they clean. My point was at least try before just going straight to a format...



      • #4
        Here are the layers you have to deal with on a computer, normally:

        Operating System runs Applications

        Here are the (effective) layers of a compromised system:

        Rootkit runs Operating System runs Applications

        Any of the scanners you've mentioned will be an application running on top of the operating system. This makes them susceptible to any faults in the underlying operating system.

        If the rootkit says "No such file abc.exe", then the operating system will tell the application "No such file abc.exe", and the application will be unable to tell if "abc.exe" actually exists or not.

        If the rootkit says "No task running named foo.exe", then the operating system tells the application "No task running named foo.exe", and the application will be unable to tell if "foo.exe" actually is running or not.

        When the application says "How much memory do I have available right now?" to the operating system, the rootkit has the option of stepping in and saying "No free memory available" or "Plenty of free memory available", and telling only that specific application.

        When the application says "delete bar.exe" to the operating system, the rootkit can tell the operating system that "bar.exe" has been removed, without actually doing anything to the file. It can even report (on subsequent runs) that the file has been deleted, even though it still exists!

        That's the point of what rootkits do: they take over and subvert a chunk of your operating system. Once they've done this, there is no reliable way to use that operating system to detect them. You must use a separate operating system to check for and remove them (generally speaking, boot from a live CD or install the hard drive in another machine).

        If that is not an option for some reason, then the only option remaining to be absolutely sure of the removal of that rootkit is a reformat/reinstall. It sucks, but that's the reality of malware, and the damage it actually does.



        • #5
          Not only is a reformat the only way to guarantee you get rid of the process, but also, how many infected machines have you seen that only had one thing on them? Most of them have multiple viruses/spyware/trojans/etc. and would be faster to reformat than try to track down and remove everything.

          Speaking of which, gotta go reformat the rent's compy.
          Jim: Fact: Bears eat beets. Bears. Beets. Battlestar Gallactica.
          Dwight: Bears don't eat bee... Hey! What are you doing?
          The Office



          • #6
            Well according to Sunbelt Software and the research team at 2-spyware.com, the most common malware that people get these days by far are those stupid "fake alert" trojans that constantly pop up with "you are infected!" and try to goad people into buying a bogus spyware scanner.

            I can back this up because 85% of our virus removal calls are for this malware. The reason why people get this virus is because they visit a site that claims to be hosting a video but in order to view it you need to download a plug-in, and the plug-in turns out to be the fake alert virus.

            Now if these malware programs used rootkits I'd be surprised, because these viruses want you to see them (for the fake alerts), not hide in the background.

            As far as removing them, the most effective tools are three specialized removers that take 3 minutes or less to run: Smitfraudfix, SDFix and Antipuper. None of the 3 tools are on our call center's approved software list, so we can't use them. (Although the chat techs frequently use them because their PCs aren't being monitored, so they can't get caught using an unapproved tool; that's how I know they work.)

            BTW, the reason why there are so many of those fake alerts (it started with Spyaxe in '06) is because malware vendors figure that out of 100 people who get infested, 25 of them will fall for the scam and buy the bogus software. They must be correct, judging by the MANY variations of this pest. One malware news website said it best: "Malware vendors don't really write viruses like Sasser anymore, now it's all about frauds."

            Side story here: I had a woman once that paid for the bogus software, and when I went to remove it she said, "Don't remove that I paid for it!" She was shocked when I pulled up a website showing her it's a scam. The funniest part? In the purchase confirmation email she was sent by them, it said "Please do not contact your credit card company to do a chargeback otherwise it will lower your credit score." I told her that was false, and to go ahead and do it because getting a refund will be a mission all in itself. Not to mention change your card # because once those crooks get ahold of it, there's no telling what they'll do.



            • #7
              Any tech, working as such, should have a second machine available for testing, specifically in case a second OS is needed. You can then slave the old drive out and scan it for viruses or malware. (Actually, I've never attempted to remove a rootkit myself, so I don't know if even *that* would work.)

              The fact that he did not install the drivers on the machine really shows his incompetence. It means he didn't even *attempt* to use the machine after blowing away all the customer data. I would bet money he doesn't even know what a rootkit is, let alone what it does to a machine.



              • #8
                Quoth minchazo:
                Any tech, working as such, should have a second machine available for testing, specifically in case a second OS is needed. You can then slave the old drive out and scan it for viruses or malware.
                A USB key or CD with a bootable, no-install Linux version works wonders as well. Make sure you've got the latest updates for your AV and anti-spyware/malware preference sorted and you're set.
                Lady, people aren't chocolates. D'you know what they are mostly? Bastards. Bastard-coated bastards with bastard filling. Dr Cox - Scrubs
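                The mechanism described in #4 (an in-band scanner only sees what the running OS, and therefore the rootkit, lets it see) and the remedy from #7 and #8 (look at the drive from a separate OS), as an added example that is not part of this thread. It is a Python simulation: the "rootkit" is a monkeypatch of `os.listdir` standing in for a kernel hook on the directory-listing call, `os.scandir` stands in for the view from a live CD or slaved drive, and the "known-bad" hash is the hash of a constructed payload, not a real signature. A real kernel-mode rootkit would subvert every in-band enumeration path, which is exactly why the independent view has to come from a separate OS rather than from a second API in the same one.

```python
"""Simulated rootkit hiding a file from a user-mode scanner, plus the
cross-view and out-of-band checks that catch it.  Everything here is a
constructed simulation (added example, not from the thread)."""
import hashlib
import os
import shutil
import tempfile

# Constructed "signature": hash of a made-up payload standing in for a real
# scanner's definition file.  Not a real malware hash.
BAD_PAYLOAD = b"MZ constructed sample trojan - not real malware"
KNOWN_BAD_SHA256 = {hashlib.sha256(BAD_PAYLOAD).hexdigest()}
HIDDEN_NAME = "abc.exe"  # the name post #4's example rootkit lies about


def build_sample_volume(root):
    """Write a tiny constructed 'infected drive' under root."""
    files = {
        "notepad.exe": b"MZ harmless program",
        "readme.txt": b"nothing to see here",
        HIDDEN_NAME: BAD_PAYLOAD,
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def install_fake_rootkit(hidden=HIDDEN_NAME):
    """Stand-in for a kernel hook on the directory-listing call: filters one
    name out of every os.listdir() result.  Returns an undo function."""
    real_listdir = os.listdir

    def hooked_listdir(path="."):
        return [n for n in real_listdir(path) if n != hidden]

    os.listdir = hooked_listdir
    return lambda: setattr(os, "listdir", real_listdir)


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def in_band_scan(root):
    """The scanner post #4 describes: an application asking the (possibly
    lying) running OS which files exist, then hashing what it is shown."""
    return sorted(n for n in os.listdir(root)
                  if sha256_of(os.path.join(root, n)) in KNOWN_BAD_SHA256)


def out_of_band_listing(root):
    """Stand-in for reading the drive from a live CD or a second machine:
    an enumeration path the simulated hook does not touch."""
    with os.scandir(root) as it:
        return sorted(e.name for e in it if e.is_file())


def cross_view_diff(root):
    """Names present in the independent view but missing from the OS API
    view.  Any non-empty result means something is being hidden."""
    return sorted(set(out_of_band_listing(root)) - set(os.listdir(root)))


def offline_scan(root):
    """Hash every file the independent view can see (the slaved-drive scan)."""
    return sorted(n for n in out_of_band_listing(root)
                  if sha256_of(os.path.join(root, n)) in KNOWN_BAD_SHA256)


def demo():
    """Build the sample volume, install the fake hook, run all three checks."""
    root = tempfile.mkdtemp(prefix="rootkit-sim-")
    undo = install_fake_rootkit()
    try:
        build_sample_volume(root)
        result = {
            "in_band_flagged": in_band_scan(root),    # scanner sees nothing
            "hidden_names": cross_view_diff(root),    # ['abc.exe']
            "offline_flagged": offline_scan(root),    # ['abc.exe']
        }
    finally:
        undo()                 # remove the hook before cleaning up
        shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

                Run it directly and it prints the three results: the in-band scanner flags nothing, the cross-view diff reports `abc.exe` as hidden, and the scan from the independent view flags it. Comparing a high-level listing against an independent one is the classic cross-view rootkit-detection technique; a non-empty diff is the signal, and, as the thread says, the clean-up then has to happen from the outside view.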



                • #9
                  Wouldn't a machine need to be able to boot from USB for the flashdrive option to work? Many older machines can't do this.
                  "I am quite confident that I do exist."
                  "Excuse me, I'm making perfect sense. You're just not keeping up." The Doctor



                  • #10
                    Formatting

                    1) I am of the reformat it school myself. I just like a cleaned up system - they tend to run faster.

                    2) No drivers installed means this guy was no tech.

                    3) After wiping the system and restoring the main data folders I like to review every single program that I am reinstalling. If I have not made use of it in the last year it does not get installed at all. If I used it a few times I may add an archive of the program to the computer, but I still don't install it as active code on my system.

                    4) Backup, Backup, Backup. All the files I consider important are copied onto multiple drives.

                    5) If he did not give a lecture on backups, that is just another point to prove he was not a real tech.



                    • #11
                      Quoth Dreamstalker:
                      Wouldn't a machine need to be able to boot from USB for the flashdrive option to work? Many older machines can't do this.
                      If you look closely, I said "USB key or CD". Bart PE is a popular CD one.



                      • #12
                        Flashdrive = USB key (at least in my neck of the woods) IME it doesn't matter what's on the key if the system won't see USB as bootable.



                        • #13
                          You can put the bart pe on to USB, too. It doesn't have to be CD. Also, any PC produced with a Vista sticker on it -must- be able to boot from USB. It's part of the requirements for certification to get that sticker, or it was when I last read the requirements during beta.
                          Bears are bad. If an animal is going to be mean it should look so, like sharks and alligators. - Mark Healey



                          • #14
                            Quoth Dreamstalker:
                            Flashdrive = USB key (at least in my neck of the woods). IME it doesn't matter what's on the key if the system won't see USB as bootable.
                            Regional jargon aside, you still missed the "or CD" bit of the line.



                            • #15
                              He definitely isn't as good as Dr. PC.
