Now that you mention it, that did happen occasionally. For me it was more like 1 time out of ten that the system wouldn't boot. Perhaps the scanners I was using (Kaspersky, NOD32 and Malwarebytes) did a better job than some others, perhaps viruses were less destructive back then, or perhaps I was just lucky.

It was about 4 years ago I stopped doing this type of work, and the vast majority of machines I worked on were Windows XP. This meant if the machine didn't boot I just had to run a repair install. This was generally pretty quick, and was pretty much guaranteed to get the machine working again. As you would know, Windows Vista and 7 (and I presume 8) removed the ability to do a repair install (unless the OS already boots). I do recall booting from MS DaRT CDs for these OSes and running SFC, and also having tried copying the missing files in place while the drive was a slave. I had some success with these techniques on Vista/7, but it was nowhere near as foolproof as a repair install on XP was.

Even so, I would still advocate removing the drive and scanning it as a slave. Sometimes it will remove the virus and the job will be mostly done, and in the times when it leaves the machine non-bootable then you know it's time to do a fresh install (without having wasted time running other tools in the infected machine).

I agree with your comments re being fast about deciding whether to format and reload or not. It's very easy to get trapped into thinking the next change you make or tool you run will fix the problem. Then suddenly you've spent 4 hours on the machine and need to format & reload anyway. I didn't want us to become a shop that formats and reloads every machine we saw, and there's always the problem that when you reload the machine will never be the same as it was before. There are always programs that the user no longer has the installer for, or customisations the user made that you can't get back, or passwords that the computer remembered but the user no longer does. So I would spend longer than it sometimes warranted trying to fix the issue without reformatting. I found over time that I got much better at knowing the registry entries and folders that malware typically infects, and I was able to fix more and more machines quickly and without needing a reformat. (This worked for TDSS - it took me 4 hours to figure it out initially, but I saw it 20 more times in the next few weeks and was able to fix it in 10 minutes and without reformatting). This also kept me sane (problem-solving is fun, reformatting is boring). But from a cost point-of-view, I have to agree that formatting early and often is a good strategy.

I developed a few programs and processes to speed up the format and reload process, and to record and restore things like passwords and settings. If you're interested I can give you a rundown, and copies of what I have. Email me - gareth@it_resourc_ing.com.au (remove the underscores).