That said, I don’t use roaming profiles, and therefore this process is still very disruptive for users. There are literally thousands of settings that go into a user profile, and while most will never change from the default, over time the cumulative effect of a setting here, an option there, can make a real difference. Additionally, just because you have a few pop-ups, it doesn’t mean you have a rootkit.
Therefore the policy I follow at work is that we do allow some clean-up before resorting to wiping or replacing a computer. However, I limit the techniques I’ll use. Here is the full enumerated list:
- Uninstalling unwanted items via the Control Panel
- Editing specific registry keys where startup programs are kept
- Manually disabling Services and Scheduled Tasks
- Using MSConfig or the StartUp tab in the Task Manager (Windows 8 and later)
- Editing the registry to remove a stubborn IE Addon or Chrome Extension
- Manually deleting any files or folders left behind from an uninstall process
- Using existing Antivirus software already on the computer
This is the extent of it. If these don’t get the job done, it’s time for a wipe. Some notable items that are not in the list include rebooting to safe mode, installing an anti-malware tool, and running an anti-virus scan in a clean environment. If I have to do those things, I usually figure I’m better off wiping the machine.
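The first few items on that list (startup registry keys, Services, Scheduled Tasks) are easier to review if you inventory them first and only then decide what to remove. The script below is an added example, not part of the original post; it assumes Windows 8 or later (for Get-ScheduledTask) and an elevated PowerShell session, and it only lists and flags entries, it does not delete anything.

```powershell
# Added triage script (not from the original post): inventory the autostart
# locations the clean-up list covers so each item can be reviewed before removal.
# Assumes Windows 8+ (Get-ScheduledTask) and an elevated PowerShell session.

function Get-AutostartInventory {
    # Registry keys where startup programs are kept (per-machine and per-user)
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Get-ItemProperty adds these provider properties; they are not startup entries
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            [PSCustomObject]@{ Source = 'Registry'; Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # Services set to start automatically, with the binary they launch
    Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
        [PSCustomObject]@{ Source = 'Service'; Location = $_.Name; Name = $_.DisplayName; Command = $_.PathName }
    }
    # Enabled scheduled tasks outside the built-in \Microsoft\ tree
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        [PSCustomObject]@{ Source = 'ScheduledTask'; Location = $_.TaskPath; Name = $_.TaskName; Command = $action }
    }
}

# Flag entries whose command runs from a user-writable location (a common place for
# leftovers from an uninstall or an unwanted install); everything else is listed for review.
Get-AutostartInventory |
    Add-Member -MemberType ScriptProperty -Name Suspicious -Value {
        $this.Command -match '\\(AppData|Temp|Users\\Public|ProgramData)\\'
    } -PassThru |
    Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Source, Name, Command -AutoSize
```

The Suspicious flag is only a hint for where to look first; a legitimate program can live under ProgramData or AppData, so each flagged entry still needs a human decision before it is removed.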
Even with the tools I will use, there’s a catch: I’ll only do this once for a given infection. If, after an initial clean-up attempt, there are still pop-ups or other signs of infection, or if the symptoms return, that’s it. It’s time to nuke the machine and start over.
The other philosophy I follow regards administrator rights. I do allow staff to have administrator access on their own machines by default. This is a practice that pre-dates my time here, and one I was not fond of when I started. However, over time I’ve come to accept it as more helpful than hurtful… especially since the introduction of UAC. Under no circumstances do I permit UAC to be disabled, and there are some settings that are enforced through Active Directory Group Policy as well. But the main thing is that, by and large, I do permit administrator rights on end-user PCs.
This is important because I’m only willing to wipe a machine for free once. For an end user, if it’s to the point where we’re replacing your machine for the second time, you’ll find you no longer have administrator rights to your computer when the third machine arrives. I worry that eventually this policy will lead to unreported infections, especially if it’s ever embraced by non-technical management to the point that maintaining administrative access is seen as necessary to being able to do your job. However, to date I’ve only had to enforce this one time.